区块链3道题目分析(主过程)

 

本文主要记录整个合约分析的过程。具体代码可以到各大区块链大佬的博客来找。

 

题目

数字经济CTF-COW区块链题目详解

这题是从先知社区上看到的题目,然后正在学区块链就来分析下。

因为编写脚本其实主要靠锻炼,重要的是整个过程的复现。找到payforflag的触发条件,以及锻炼整个的逆向合约的能力。

话不多说直接贴反汇编代码了。

contract Contract {
    function main() {
        memory[0x40:0x60] = 0x80;

        if (msg.data.length < 0x04) { revert(memory[0x00:0x00]); }

        var var0 = msg.data[0x00:0x20] / 0x0100000000000000000000000000000000000000000000000000000000 & 0xffffffff;

        if (var0 == 0x1a374399) {
            // Dispatch table entry for 0x1a374399 (unknown)
            var var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x00be;
            var var2 = func_02FA();
            var temp0 = memory[0x40:0x60];
            memory[temp0:temp0 + 0x20] = var2 & 0xffffffffffffffffffffffffffffffffffffffff;
            var temp1 = memory[0x40:0x60];
            return memory[temp1:temp1 + (temp0 + 0x20) - temp1];
        } else if (var0 == 0x1cee5d7a) {
            // Dispatch table entry for 0x1cee5d7a (unknown)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x0115;
            var2 = func_0320();
            var temp2 = memory[0x40:0x60];
            memory[temp2:temp2 + 0x20] = var2 & 0xffffffffffffffffffffffffffffffffffffffff;
            var temp3 = memory[0x40:0x60];
            return memory[temp3:temp3 + (temp2 + 0x20) - temp3];
        } else if (var0 == 0x6bc344bc) {
            // Dispatch table entry for payforflag(string)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x01be;
            var temp4 = msg.data[0x04:0x24] + 0x04;
            var temp5 = msg.data[temp4:temp4 + 0x20];
            var temp6 = memory[0x40:0x60];
            memory[0x40:0x60] = temp6 + (temp5 + 0x1f) / 0x20 * 0x20 + 0x20;
            memory[temp6:temp6 + 0x20] = temp5;
            memory[temp6 + 0x20:temp6 + 0x20 + temp5] = msg.data[temp4 + 0x20:temp4 + 0x20 + temp5];
            var2 = temp6;
            payforflag(var2);
            stop();
        } else if (var0 == 0x8da5cb5b) {
            // Dispatch table entry for owner()
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x01d5;
            var2 = owner();
            var temp7 = memory[0x40:0x60];
            memory[temp7:temp7 + 0x20] = var2 & 0xffffffffffffffffffffffffffffffffffffffff;
            var temp8 = memory[0x40:0x60];
            return memory[temp8:temp8 + (temp7 + 0x20) - temp8];
        } else if (var0 == 0x96c50336) {
            // Dispatch table entry for 0x96c50336 (unknown)
            var1 = 0x021f;
            func_059E();
            stop();

        } else if (var0 == 0x9ae5a2be) {
            // Dispatch table entry for 0x9ae5a2be (unknown)
            var1 = 0x0229;
            func_0654();
            stop();
        } else if (var0 == 0xd0d124c0) {
            // Dispatch table entry for 0xd0d124c0 (unknown)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x0240;
            var2 = func_0730();
            var temp9 = memory[0x40:0x60];
            memory[temp9:temp9 + 0x20] = var2 & 0xffffffffffffffffffffffffffffffffffffffff;
            var temp10 = memory[0x40:0x60];
            return memory[temp10:temp10 + (temp9 + 0x20) - temp10];
        } else if (var0 == 0xe3d670d7) {
            // Dispatch table entry for balance(address)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x02c3;
            var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
            var2 = balance(var2);
            var temp11 = memory[0x40:0x60];
            memory[temp11:temp11 + 0x20] = var2;
            var temp12 = memory[0x40:0x60];
            return memory[temp12:temp12 + (temp11 + 0x20) - temp12];
        } else if (var0 == 0xed6b8ff3) {
            // Dispatch table entry for 0xed6b8ff3 (unknown)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x02ee;
            func_076D();
            stop();
        } else if (var0 == 0xff2eff94) {
            // Dispatch table entry for Cow()
            var1 = 0x02f8;
            Cow();
            stop();
        } else { revert(memory[0x00:0x00]); }
    }

    function func_02FA() returns (var r0) { return storage[0x02] & 0xffffffffffffffffffffffffffffffffffffffff; }

    function func_0320() returns (var r0) { return storage[0x01] & 0xffffffffffffffffffffffffffffffffffffffff; }

    function payforflag(var arg0) {
        if (msg.sender != storage[0x00] & 0xffffffffffffffffffffffffffffffffffffffff) { revert(memory[0x00:0x00]); }

        if (msg.sender != storage[0x01] & 0xffffffffffffffffffffffffffffffffffffffff) { revert(memory[0x00:0x00]); }

        if (msg.sender != storage[0x02] & 0xffffffffffffffffffffffffffffffffffffffff) { revert(memory[0x00:0x00]); }
    //flag 要求就是 storage[0] storage[1] storage[2] 都是 msg.sender就成功了。 
        var temp0 = address(address(this)).balance;
        var temp1 = memory[0x40:0x60];
        var temp2;
        temp2, memory[temp1:temp1 + 0x00] = address(storage[0x03] & 0xffffffffffffffffffffffffffffffffffffffff).call.gas(!temp0 * 0x08fc).value(temp0)(memory[temp1:temp1 + memory[0x40:0x60] - temp1]);
        var var0 = !temp2;

        if (!var0) {
            var0 = 0x7c2413bb49085e565f72ec50a1fb0460b69cf327e0b0d882980385b356239ea5;
            var temp3 = arg0;
            var var1 = temp3;
            var temp4 = memory[0x40:0x60];
            var var2 = temp4;
            var var3 = var2;
            var temp5 = var3 + 0x20;
            memory[var3:var3 + 0x20] = temp5 - var3;
            memory[temp5:temp5 + 0x20] = memory[var1:var1 + 0x20];
            var var4 = temp5 + 0x20;
            var var6 = memory[var1:var1 + 0x20];
            var var5 = var1 + 0x20;
            var var7 = var6;
            var var8 = var4;
            var var9 = var5;
            var var10 = 0x00;

            if (var10 >= var7) {
            label_053B:
                var temp6 = var6;
                var4 = temp6 + var4;
                var5 = temp6 & 0x1f;

                if (!var5) {
                    var temp7 = memory[0x40:0x60];
                    log(memory[temp7:temp7 + var4 - temp7], [stack[-6]]);
                    return;
                } else {
                    var temp8 = var5;
                    var temp9 = var4 - temp8;
                    memory[temp9:temp9 + 0x20] = ~(0x0100 ** (0x20 - temp8) - 0x01) & memory[temp9:temp9 + 0x20];
                    var temp10 = memory[0x40:0x60];
                    log(memory[temp10:temp10 + (temp9 + 0x20) - temp10], [stack[-6]]);
                    return;
                }
            } else {
            label_0529:
                var temp11 = var10;
                memory[var8 + temp11:var8 + temp11 + 0x20] = memory[var9 + temp11:var9 + temp11 + 0x20];
                var10 = temp11 + 0x20;

                if (var10 >= var7) { goto label_053B; }
                else { goto label_0529; }
            }
        } else {
            var temp12 = returndata.length;
            memory[0x00:0x00 + temp12] = returndata[0x00:0x00 + temp12];
            revert(memory[0x00:0x00 + returndata.length]);
        }
    }

    function owner() returns (var r0) { return storage[0x03] & 0xffffffffffffffffffffffffffffffffffffffff; }

    function func_059E() {
        var var0 = 0x00;
        var var1 = var0;//0
        var var2 = 0x0de0b6b3a7640000;//1 ether
        var var3 = msg.value;

        if (!var2) { assert(); }

        var0 = var3 / var2;

        if (var0 >= 0x01) { //传入大于 1ether 
            var temp0 = var1 + 0x01; //temp0=1 
            storage[temp0] = msg.sender | (storage[temp0] & ~0xffffffffffffffffffffffffffffffffffffffff);
            //storage[1]=msg.sender
            return;
        } else {
            var1 = 0x05;
            storage[var1] = msg.sender | (storage[var1] & ~0xffffffffffffffffffffffffffffffffffffffff);
            return;
        }
    }

    function func_0654() {
        var var0 = 0x00;//0
        var var1 = 0x0de0b6b3a7640000;//1 ether
        var var2 = msg.value;

        if (!var1) { assert(); }

        var0 = var2 / var1;
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x04;
        var temp0 = keccak256(memory[0x00:0x40]);
        storage[temp0] = storage[temp0] + var0;

        if (msg.sender & 0xffff != 0x525b) { return; }//末尾为525b 

        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x04;
        var temp1 = keccak256(memory[0x00:0x40]);
        storage[temp1] = storage[temp1] - 0xb1b1; //x-=45489 溢出 
    }

    function func_0730() returns (var r0) { return storage[0x00] & 0xffffffffffffffffffffffffffffffffffffffff; }

    function balance(var arg0) returns (var arg0) {
        memory[0x20:0x40] = 0x04;
        memory[0x00:0x20] = arg0;
        return storage[keccak256(memory[0x00:0x40])];
    }

    function func_076D() {
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x04;

        if (storage[keccak256(memory[0x00:0x40])] <= 0x0f4240) //62016
        { revert(memory[0x00:0x00]); }

        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x04;
        storage[keccak256(memory[0x00:0x40])] = 0x00;
        storage[0x02] = msg.sender | (storage[0x02] & ~0xffffffffffffffffffffffffffffffffffffffff);//msg.sender 
        //msg.sender 
    }

    function Cow() {
        var var0 = 0x00;
        var var1 = 0x0de0b6b3a7640000;//1 ether
        var var2 = msg.value;

        if (!var1) { assert(); }

        var0 = var2 / var1;

        if (var0 != 0x01) { return; } //必须转账1 ether 
    //storage[0] 就满足要求。 
        storage[0x00] = msg.sender | (storage[0x00] & ~0xffffffffffffffffffffffffffffffffffffffff); // msg.sender
    }
}

代码中做了一定的注释。不过下面还是对具体的分析做流程。

  1. 寻找payforflag的条件。
  2. 从这里我们可以看出payforflag 3个条件就是让msg.sender == storage[0] storage[1] 和 storage[2]

然后我们只需要从下面的代码从修改stroage[0,1,2]的值开始入手即可。

func_059E() 中 我已经写了注释,其中要求传入var0>= 1 ether即可,就可以调整storage[temp0] 也就是storage[1]=msg.sender.

查看func_0654()

这里要求是一个传入的账户必需以525b结尾,然后最后给了一个storage[temp1]-=0xb1b1自然而然可以想到溢出 ,这里temp1是一个我们的特征值。可以理解为独立标志我们的一个mapping。

接着看

func_076D中,他对我们的散列进行了判断,也就是kccak256(memory[0x00:0x40]) 这里进行了判断,判断此值是否<=62016 ,这里我们自然而然可以想到之前的溢出,下溢之后就可以满足这里,从而使得storage[2]=msg.sender.

funtion Cow() 真不容易遇到了个能解析出来名字的(x

这里满足转账为1ether 就能实现 storage[0]=msg.sender.

至此三个条件均满足,可以进行payforflag了。

但是有个问题还没想通:等着问dalao了,如何保证转账账户结尾为525b呢 。 2333

PS : 解决了,找到了pikachu大佬的博客下有这样一篇博文,

https://hitcxy.com/2020/generate-address/

from ethereum import utils
import os, sys

# generate EOA with appendix 1b1b
def generate_eoa1():
    priv = utils.sha3(os.urandom(4096))
    addr = utils.checksum_encode(utils.privtoaddr(priv))

    while not addr.lower().endswith("1b1b"):
        priv = utils.sha3(os.urandom(4096))
        addr = utils.checksum_encode(utils.privtoaddr(priv))

    print('Address: {}\nPrivate Key: {}'.format(addr, priv.hex()))

# generate EOA with the ability to deploy contract with appendix 1b1b
def generate_eoa2():
    priv = utils.sha3(os.urandom(4096))
    addr = utils.checksum_encode(utils.privtoaddr(priv))

    while not utils.decode_addr(utils.mk_contract_address(addr, 0)).endswith("1b1b"):
        priv = utils.sha3(os.urandom(4096))
        addr = utils.checksum_encode(utils.privtoaddr(priv))

    print('Address: {}\nPrivate Key: {}'.format(addr, priv.hex()))

if __name__  == "__main__":
    if sys.argv[1] == "1":
        generate_eoa1()
    elif sys.argv[1] == "2":
        generate_eoa2()
    else:
        print("Please enter valid argument")
  • generate_eoa1 可以直接生成低四位为 1b1b 的外部账户
  • generate_eoa2 可以生成一个外部账户,该外部账户部署的第一个智能合约的地址低四位为 1b1b

数字经济CTF-RISE区块链题目详解

这是数字经济第二题,两题都是pikachu师傅出的,主要还是考察逆向出整个合约的逻辑。话不多说还是进行合约逆向。

contract Contract {
    function main() {
        memory[0x40:0x60] = 0x80;

        if (msg.data.length < 0x04) { revert(memory[0x00:0x00]); }

        var var0 = msg.data[0x00:0x20] / 0x0100000000000000000000000000000000000000000000000000000000 & 0xffffffff;

        if (var0 == 0x0dc8cca1) {
            // Dispatch table entry for 0x0dc8cca1 (unknown)
            var var1 = 0x00bc;
            var var2 = msg.data[0x04:0x24];
            func_0293(var2);
            stop();
        } else if (var0 == 0x132429ba) {
            // Dispatch table entry for 0x132429ba (unknown)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x00ff;
            var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
            func_03B2(var2);
            stop();
        } else if (var0 == 0x3884d635) {
            // Dispatch table entry for airdrop()
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x0116;
            airdrop();
            stop();
        } else if (var0 == 0x6bc344bc) {
            // Dispatch table entry for payforflag(string)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x017f;
            var temp0 = msg.data[0x04:0x24] + 0x04;
            var temp1 = msg.data[temp0:temp0 + 0x20];
            var temp2 = memory[0x40:0x60];
            memory[0x40:0x60] = temp2 + (temp1 + 0x1f) / 0x20 * 0x20 + 0x20;
            memory[temp2:temp2 + 0x20] = temp1;
            memory[temp2 + 0x20:temp2 + 0x20 + temp1] = msg.data[temp0 + 0x20:temp0 + 0x20 + temp1];
            var2 = temp2;
            payforflag(var2);
            stop();
        } else if (var0 == 0x8e2a219e) {
            // Dispatch table entry for 0x8e2a219e (unknown)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x01ac;
            var2 = msg.data[0x04:0x24];
            func_0860(var2);
            stop();
        } else if (var0 == 0x9ec1ebb8) {
            // Dispatch table entry for 0x9ec1ebb8 (unknown)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x01d9;
            var2 = msg.data[0x04:0x24];
            func_08C6(var2);
            stop();
        } else if (var0 == 0xcbfc4bce) {
            // Dispatch table entry for gift(address)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x021c;
            var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
            var2 = gift(var2);
            var temp3 = memory[0x40:0x60];
            memory[temp3:temp3 + 0x20] = var2;
            var temp4 = memory[0x40:0x60];
            return memory[temp4:temp4 + (temp3 + 0x20) - temp4];
        } else if (var0 == 0xd0e30db0) {
            // Dispatch table entry for deposit()
            var1 = 0x023a;
            deposit();
            stop();
        } else if (var0 == 0xe3d670d7) {
            // Dispatch table entry for balance(address)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x027d;
            var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
            var2 = balance(var2);
            var temp5 = memory[0x40:0x60];
            memory[temp5:temp5 + 0x20] = var2;
            var temp6 = memory[0x40:0x60];
            return memory[temp6:temp6 + (temp5 + 0x20) - temp6];
        } else { revert(memory[0x00:0x00]); }
    }

    function func_0293(var arg0) {       
        var var0 = 0x00;

        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x03;

        if (storage[keccak256(memory[0x00:0x40])] <= var0) { revert(memory[0x00:0x00]); }
    //如果没钱就滚了。  // storage[3]
        var var1 = 0x0de0b6b3a7640000;
        var var2 = msg.value;

        if (!var1) { assert(); }

        var0 = var2 / var1;

        if (arg0 != storage[0x01]) { //arg0 不是 storage[1] 
            memory[0x00:0x20] = msg.sender;
            memory[0x20:0x40] = 0x03;
            storage[keccak256(memory[0x00:0x40])] = 0x00; // //storage[sanlie(msg.sender)]=0
            storage[0x02] = 0x01;// storage[2]=1 ether
            return;
        } else {
            memory[0x00:0x20] = msg.sender; 
            memory[0x20:0x40] = 0x03;
            var temp0 = keccak256(memory[0x00:0x40]); // storage[sanlie(msg.sender)] 
            storage[temp0] = storage[temp0] + var0 * storage[0x02];//storage[sanlie(msg.sender)]=storage[sanlie(msg.sender)]+var0(传入以太币)*storage[2]
            storage[0x02] = 0x01;// storage[2]=1 ether
            return;
        }
    }

    function func_03B2(var arg0) {
        var var0 = 0x00;
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x03;

        if (storage[keccak256(memory[0x00:0x40])] <= var0)//<0
        //storage[3]<=0
         { revert(memory[0x00:0x00]); }
    //storage[sanlie(msg.sender)]<=0 返回 
        if (arg0  == 0x00) {
            var temp0 = var0;
            var temp1 = temp0;//var0
            storage[temp1] = msg.sender | (storage[temp1] & ~0xffffffffffffffffffffffffffffffffffffffff);
           // storage[0]=msg.sender
            memory[0x00:0x20] = msg.sender;
            memory[0x20:0x40] = 0x03;
            storage[temp0 + 0x01] = storage[keccak256(memory[0x00:0x40])];
            //storage[1]=storage[3]
            memory[0x00:0x20] = msg.sender;
            memory[0x20:0x40] = 0x03;
            storage[keccak256(memory[0x00:0x40])] = 0x00;
            //storage[3]=0
            return;
        } else {
            memory[0x00:0x20] = msg.sender;
            memory[0x20:0x40] = 0x03;
            var temp2 = storage[keccak256(memory[0x00:0x40])];
            //temp2 =   storage[3]
            memory[0x00:0x20] = arg0 & 0xffffffffffffffffffffffffffffffffffffffff;
            memory[0x20:0x40] = 0x03;
            storage[keccak256(memory[0x00:0x40])] = temp2;
            //storage[arg0]=storage[3];
            memory[0x00:0x20] = msg.sender;
            memory[0x20:0x40] = 0x03;
            storage[keccak256(memory[0x00:0x40])] = 0x00;
            //storage[3]=0
            return;
        }
    }

    function airdrop() {
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x04;

        if (storage[keccak256(memory[0x00:0x40])] != 0x00) { revert(memory[0x00:0x00]); } //不是0不给空投 

        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x04;
        //其实storage[4]一直没操作过。但是得调用 这个1000000次确实卡比。 
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x03;
        var temp0 = keccak256(memory[0x00:0x40]);
        storage[temp0] = storage[temp0] + 0x01; //给 1 ether 空投。 
       //storage[3]+=1 
    }

    function payforflag(var arg0) {
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x03;

        if (storage[keccak256(memory[0x00:0x40])] <= 0x0f4240) { revert(memory[0x00:0x00]); }
            //storage[sasnlie(msg.sender)]> 1000000
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x03;
        storage[keccak256(memory[0x00:0x40])] = 0x00;
        storage[0x02] = 0x01;
        var temp0 = address(address(this)).balance;
        var temp1 = memory[0x40:0x60];
        var temp2;
        temp2, 
        memory[temp1:temp1 + 0x00] = address(storage[0x05] & 0xffffffffffffffffffffffffffffffffffffffff).call.gas(!temp0 * 0x08fc).value(temp0)(memory[temp1:temp1 + memory[0x40:0x60] - temp1]);
        var var0 = !temp2;

        if (!var0) {
            var0 = 0x7c2413bb49085e565f72ec50a1fb0460b69cf327e0b0d882980385b356239ea5;
            var temp3 = arg0;
            var var1 = temp3;
            var temp4 = memory[0x40:0x60];
            var var2 = temp4;
            var var3 = var2;
            var temp5 = var3 + 0x20;
            memory[var3:var3 + 0x20] = temp5 - var3;
            memory[temp5:temp5 + 0x20] = memory[var1:var1 + 0x20];
            var var4 = temp5 + 0x20;
            var var6 = memory[var1:var1 + 0x20];
            var var5 = var1 + 0x20;
            var var7 = var6;
            var var8 = var4;
            var var9 = var5;
            var var10 = 0x00;

            if (var10 >= var7) {
            label_0823:
                var temp6 = var6;
                var4 = temp6 + var4;
                var5 = temp6 & 0x1f;

                if (!var5) {
                    var temp7 = memory[0x40:0x60];
                    log(memory[temp7:temp7 + var4 - temp7], [stack[-6]]);
                    return;
                } else {
                    var temp8 = var5;
                    var temp9 = var4 - temp8;
                    memory[temp9:temp9 + 0x20] = ~(0x0100 ** (0x20 - temp8) - 0x01) & memory[temp9:temp9 + 0x20];
                    var temp10 = memory[0x40:0x60];
                    log(memory[temp10:temp10 + (temp9 + 0x20) - temp10], [stack[-6]]);
                    return;
                }
            } else {
            label_0811:
                var temp11 = var10;
                memory[var8 + temp11:var8 + temp11 + 0x20] = memory[var9 + temp11:var9 + temp11 + 0x20];
                var10 = temp11 + 0x20;

                if (var10 >= var7) { goto label_0823; }
                else { goto label_0811; }
            }
        } else {
            var temp12 = returndata.length;
            memory[0x00:0x00 + temp12] = returndata[0x00:0x00 + temp12];
            revert(memory[0x00:0x00 + returndata.length]);
        }
    }

    function func_0860(var arg0) {
        if (msg.sender != storage[0x05] & 0xffffffffffffffffffffffffffffffffffffffff) { revert(memory[0x00:0x00]); }

        storage[0x01] = arg0;
        //storage[5]=msg.sender判断
        //storage[1]随便赋值 
    }

    function func_08C6(var arg0) {
        if (msg.sender != storage[0x00] & 0xffffffffffffffffffffffffffffffffffffffff) { revert(memory[0x00:0x00]); }

        storage[0x02] = arg0;
        //storage[0]=msg.sender;
        //storage[2]随便赋值。 
    }

    function gift(var arg0) returns (var arg0) {
        memory[0x20:0x40] = 0x04;
        memory[0x00:0x20] = arg0;
        return storage[keccak256(memory[0x00:0x40])];
        //storage[arg0] 返回对应地址storage[4] 
    }

    function deposit() {
        var var0 = 0x00;
        var var1 = 0x0de0b6b3a7640000; //1 ether 
        var var2 = msg.value;

        if (!var1) { assert(); }

        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x03;
        var temp0 = keccak256(memory[0x00:0x40]);
        storage[temp0] = storage[temp0] + var2 / var1;
        //捐钱 
    }

    function balance(var arg0) returns (var arg0) {
        memory[0x20:0x40] = 0x03;
        memory[0x00:0x20] = arg0;
        return storage[keccak256(memory[0x00:0x40])];
        //storage[3] 
    }
}

已经加过了注释。不过还是整体分析下

先看payforflag

逻辑很简单,就是storage[3]>1000000就可以得到flag了。

就是一个空投,没钱给你一个币。 因为这里的storage[4]他直接被storage[3]覆盖了,其实你要是牛逼你可以调用1000000次。

func_08C6 可以实现storage[0]=msg.sender. 并且让storage[2]随便填。

看这函数名就知道是捐款。 捐多少 storage[3]加多少。

用来拿钱的主要函数了。这里先会判断 storage[3]有没有钱。

传入的arg0是一个值,就是来判断 你是不是storage[1]里存的这个数。

如果是那么就可以执行一个storage[3]的任意赋值了,

storage[3]+=var0*storage[2];

var0=var2/var1 , var2=msg.value (就是你传了多少钱)

所以只需要让storage[2]大点。

这个需要你 msg.sender=storage[5]

然后storage[1]随便赋值。

另一个十分重要函数,传入arg0若有钱即storage[3]>0 且args=0 那么就storage[0]=msg.sender, Storage[1]=storage[3],storage[3]=0.

就是换了地址其实。

但是十分有用。

那么到现在整个解题链已经出了。

  • deposit() 传入value=1 ether
  • func_03B2(0)
  • func_08C6(1000000)
  • deposit() 传入value=2 ether
  • func_0293(1)
  • payforflag(b64email)

大概这样不是很直观。用excel画个图

deposit(). 传 1 ether

func_03B2(0)

func_08C6(1000000)

deposit() 传2 ether

func_0293(1)

storage[temp0] = storage[temp0] + var0 * storage[0x02]=storage[3] = storage[3] + 2 * 1000000;

这样就够了直接

payforflag()就结束了。


强网杯区块链题目—Babybank深入分析

还是老操作直接合约逆向贴代码了。

contract Contract {
    function main() {
        memory[0x40:0x60] = 0x80;

        if (msg.data.length < 0x04) { revert(memory[0x00:0x00]); }

        var var0 = msg.data[0x00:0x20] / 0x0100000000000000000000000000000000000000000000000000000000 & 0xffffffff;

        if (var0 == 0x2e1a7d4d) {
            // Dispatch table entry for withdraw(uint256)
            var var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x00aa;
            var var2 = msg.data[0x04:0x24];
            withdraw(var2);
            stop();
        } else if (var0 == 0x66d16cc3) {
            // Dispatch table entry for profit()
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x00aa;
            profit();
            stop();
        } else if (var0 == 0x8c0320de) {
            // Dispatch table entry for payforflag(string,string)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var temp0 = memory[0x40:0x60];
            var temp1 = msg.data[0x04:0x24];
            var temp2 = msg.data[temp1 + 0x04:temp1 + 0x04 + 0x20];
            memory[0x40:0x60] = temp0 + (temp2 + 0x1f) / 0x20 * 0x20 + 0x20;
            memory[temp0:temp0 + 0x20] = temp2;
            var1 = 0x00aa;
            memory[temp0 + 0x20:temp0 + 0x20 + temp2] = msg.data[temp1 + 0x24:temp1 + 0x24 + temp2];
            var temp3 = memory[0x40:0x60];
            var temp4 = msg.data[0x24:0x44] + 0x04;
            var temp5 = msg.data[temp4:temp4 + 0x20];
            memory[0x40:0x60] = temp3 + (temp5 + 0x1f) / 0x20 * 0x20 + 0x20;
            memory[temp3:temp3 + 0x20] = temp5;
            var2 = temp0;
            memory[temp3 + 0x20:temp3 + 0x20 + temp5] = msg.data[temp4 + 0x20:temp4 + 0x20 + temp5];
            var var3 = temp3;
            payforflag(var2, var3);
            stop();
        } else if (var0 == 0x8e2a219e) {
            // Dispatch table entry for 0x8e2a219e (unknown)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x00aa;
            var2 = msg.data[0x04:0x24];
            func_045C(var2);
            stop();
        } else if (var0 == 0x9189fec1) {
            // Dispatch table entry for guess(uint256)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x00aa;
            var2 = msg.data[0x04:0x24];
            guess(var2);
            stop();
        } else if (var0 == 0xa9059cbb) {
            // Dispatch table entry for transfer(address,uint256)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x00aa;
            var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
            var3 = msg.data[0x24:0x44];
            transfer(var2, var3);
            stop();
        } else if (var0 == 0xd41b6db6) {
            // Dispatch table entry for level(address)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x01e7;
            var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
            var2 = level(var2);

        label_01E7:
            var temp6 = memory[0x40:0x60];
            memory[temp6:temp6 + 0x20] = var2;
            var temp7 = memory[0x40:0x60];
            return memory[temp7:temp7 + temp6 - temp7 + 0x20];
        } else if (var0 == 0xe3d670d7) {
            // Dispatch table entry for balance(address)
            var1 = msg.value;

            if (var1) { revert(memory[0x00:0x00]); }

            var1 = 0x01e7;
            var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
            var2 = balance(var2);
            goto label_01E7;
        } else { revert(memory[0x00:0x00]); }
    }

    function withdraw(var arg0) {
        if (arg0 != 0x02) { revert(memory[0x00:0x00]); }
    // arg0==2 
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;

        if (arg0 > storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }
    // storage[msg.sender[0]]>=2
        var temp0 = memory[0x40:0x60];
        var temp1 = arg0;
        memory[temp0:temp0 + 0x00] = address(msg.sender).call.gas(msg.gas).value(temp1 * 0x5af3107a4000)(memory[temp0:temp0 + 0x00]);
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;
        var temp2 = keccak256(memory[0x00:0x40]);
        storage[temp2] = storage[temp2] - temp1;
        // storage[msg.sender[0]]-=arg0
    }

    function profit() {
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x01;
    //storage[msg.sender[1]]==0
        if (storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }

        if (msg.sender & 0xffff != 0xb1b1) { revert(memory[0x00:0x00]); }
    //msg.sender末尾b1b1    
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;
        var temp0 = keccak256(memory[0x00:0x40]);
        storage[temp0] = storage[temp0] + 0x01;
    //storage[msg.sender[0]]+=1
        memory[0x20:0x40] = 0x01;
        var temp1 = keccak256(memory[0x00:0x40]);
        storage[temp1] = storage[temp1] + 0x01;
    //storage[msg.sender[1]]+=1
    }

    function payforflag(var arg0, var arg1) {
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;

        if (0x02540be400 > storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }
    //storage[msg.sender[0]]>=10000000000
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;
        storage[keccak256(memory[0x00:0x40])] = 0x00;
        var temp0 = memory[0x40:0x60];
        var temp1 = address(address(this)).balance;
        var temp2;
        temp2, memory[temp0:temp0 + 0x00] = address(storage[0x02] & 0xffffffffffffffffffffffffffffffffffffffff).call.gas(!temp1 * 0x08fc).value(temp1)(memory[temp0:temp0 + 0x00]);
        var var0 = !temp2;

        if (!var0) {
            var0 = 0x6335b7f9c4dff99c3a870eaf18b802774df3aba4e21b72549f3a03b6bc974c90;
            var temp3 = arg0;
            var var1 = temp3;
            var var2 = arg1;
            var temp4 = memory[0x40:0x60];
            var var3 = temp4;
            var var4 = var3;
            var var5 = var4 + 0x20;
            var temp5 = var5 + 0x20;
            memory[var4:var4 + 0x20] = temp5 - var4;
            memory[temp5:temp5 + 0x20] = memory[var1:var1 + 0x20];
            var var6 = temp5 + 0x20;
            var var7 = var1 + 0x20;
            var var8 = memory[var1:var1 + 0x20];
            var var9 = var8;
            var var10 = var6;
            var var11 = var7;
            var var12 = 0x00;

            if (var12 >= var9) {
            label_03BC:
                var temp6 = var8;
                var6 = temp6 + var6;
                var7 = temp6 & 0x1f;

                if (!var7) {
                    var temp7 = var6;
                    memory[var5:var5 + 0x20] = temp7 - var3;
                    var temp8 = var2;
                    memory[temp7:temp7 + 0x20] = memory[temp8:temp8 + 0x20];
                    var6 = temp7 + 0x20;
                    var8 = memory[temp8:temp8 + 0x20];
                    var7 = temp8 + 0x20;
                    var9 = var8;
                    var10 = var6;
                    var11 = var7;
                    var12 = 0x00;

                    if (var12 >= var9) {
                    label_041C:
                        var temp9 = var8;
                        var6 = temp9 + var6;
                        var7 = temp9 & 0x1f;

                        if (!var7) {
                            var temp10 = memory[0x40:0x60];
                            log(memory[temp10:temp10 + var6 - temp10], [stack[-8]]);
                            return;
                        } else {
                            var temp11 = var7;
                            var temp12 = var6 - temp11;
                            memory[temp12:temp12 + 0x20] = ~(0x0100 ** (0x20 - temp11) - 0x01) & memory[temp12:temp12 + 0x20];
                            var temp13 = memory[0x40:0x60];
                            log(memory[temp13:temp13 + (temp12 + 0x20) - temp13], [stack[-8]]);
                            return;
                        }
                    } else {
                    label_040D:
                        var temp14 = var12;
                        memory[temp14 + var10:temp14 + var10 + 0x20] = memory[temp14 + var11:temp14 + var11 + 0x20];
                        var12 = temp14 + 0x20;

                        if (var12 >= var9) { goto label_041C; }
                        else { goto label_040D; }
                    }
                } else {
                    var temp15 = var7;
                    var temp16 = var6 - temp15;
                    memory[temp16:temp16 + 0x20] = ~(0x0100 ** (0x20 - temp15) - 0x01) & memory[temp16:temp16 + 0x20];
                    var temp17 = temp16 + 0x20;
                    memory[var5:var5 + 0x20] = temp17 - var3;
                    var temp18 = var2;
                    memory[temp17:temp17 + 0x20] = memory[temp18:temp18 + 0x20];
                    var6 = temp17 + 0x20;
                    var8 = memory[temp18:temp18 + 0x20];
                    var7 = temp18 + 0x20;
                    var9 = var8;
                    var10 = var6;
                    var11 = var7;
                    var12 = 0x00;

                    if (var12 >= var9) { goto label_041C; }
                    else { goto label_040D; }
                }
            } else {
            label_03AD:
                var temp19 = var12;
                memory[temp19 + var10:temp19 + var10 + 0x20] = memory[temp19 + var11:temp19 + var11 + 0x20];
                var12 = temp19 + 0x20;

                if (var12 >= var9) { goto label_03BC; }
                else { goto label_03AD; }
            }
        } else {
            var temp20 = returndata.length;
            memory[0x00:0x00 + temp20] = returndata[0x00:0x00 + temp20];
            revert(memory[0x00:0x00 + returndata.length]);
        }
    }

    function func_045C(var arg0) {

if (msg.sender != storage[0x02] & 0xffffffffffffffffffffffffffffffffffffffff) { revert(memory[0x00:0x00]); }
//msg.sender == storage[2] 那么 storage[3]=arg0;    
        storage[0x03] = arg0;
    }

    function guess(var arg0) {
        if (arg0 != storage[0x03]) { revert(memory[0x00:0x00]); }
    //arg0!=storage[3]  
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x01;
    //storage[msg.sender[1]]==1 
        if (storage[keccak256(memory[0x00:0x40])] != 0x01) { revert(memory[0x00:0x00]); }

        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;
        // storage[msg.sender[0]]+=1;
        var temp0 = keccak256(memory[0x00:0x40]);
        storage[temp0] = storage[temp0] + 0x01;
        memory[0x20:0x40] = 0x01;
        //storage[msg.sender[1]]+=1;
        var temp1 = keccak256(memory[0x00:0x40]);
        storage[temp1] = storage[temp1] + 0x01;
    }

    function transfer(var arg0, var arg1) {
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;

        if (arg1 > storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }
   //storage[msg.sender[0]]>=2    
        if (arg1 != 0x02) { revert(memory[0x00:0x00]); }

        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x01;

        if (storage[keccak256(memory[0x00:0x40])] != 0x02) { revert(memory[0x00:0x00]); }
    //storage[msg.sender[1]]==2
        memory[0x00:0x20] = msg.sender;
        memory[0x20:0x40] = 0x00;
        storage[keccak256(memory[0x00:0x40])] = 0x00;
    //storage[msg.sender[0]]=0
        memory[0x00:0x20] = arg0 & 0xffffffffffffffffffffffffffffffffffffffff;
        storage[keccak256(memory[0x00:0x40])] = arg1;
    //storage[arg0[0]]=arg1;
    }

    function level(var arg0) returns (var arg0) {
        memory[0x20:0x40] = 0x01;
        memory[0x00:0x20] = arg0;
        return storage[keccak256(memory[0x00:0x40])];
        //返回 storage[arg0[1]]  
    }

    function balance(var arg0) returns (var arg0) {
        memory[0x20:0x40] = 0x00;
        memory[0x00:0x20] = arg0;
        return storage[keccak256(memory[0x00:0x40])];
        //storage[arg0[0]]
    }
}

已经全都加过注释了。今天是纯自己分析一遍得到的,十分有收获。确实去年和今年题目的难度都是两种。。。233333

主要通过3个重要函数进行payforflag()

我们从而得知payforflag()条件就是 storage[msg.sender[0]]>10000000000

利用guess 猜数字,如果和storage[3]相等,且storage[msg.sender[1]]==1 的时候, storage[msg.sender[0]]+=1,storage[msg.sender[1]]+=1.

profit() , 要求 storage[msg.sender[1]]==0 之后 还要求账户末尾为b1b1 ,这个功能之前已经说过了。今天又看到了一个可以生成的在线网站 ,十分牛逼。https://vanity-eth.tk/

然后就可以使得storage[msg.sender[0]]+=1, storage[msg.sender[1]]+=1

withdraw () 这里限制了 storage[msg.sender[0]]>=2 然后他进行了 msg.call() 这里可以进行重入。 然后看下面, storage[msg.sender[0]]-=2 , 那么自然而然想到了payforflag()的条件。 所以我们可以想到使用这里来实现重入下溢, 从而得到payforflag()的条件。

那么就很显然了。

不过这个题在比赛时据说有坑。是因为出题人没有给原合约 币,所以就算你打通了也不会给你发flag, 所以我们需要先 创立个有币的合约来selfdestruct() 给这个合约。然后再用exp合约来攻击

调用顺序就是

profit() – > guess() -> 重入2次的withdraw()

因为2-2=0 , 0-2 = 2**256 -1 -2 溢出。 从而达到了payforflag的效果。

(完)