blockchain/evm-conditions

463 points

Writeup by Aryan

We are given some EVM runtime bytecode, and we need to find the value, in hex, to send in order to make the contract STOP and not self-destruct. The bytecode is quite long.

5f600f607002610258525f60056096046090525f600760090A61FFFA526105396126aa18620bfabf52600361fffa5102620bfabf51013461025851600402016090510114604857ff00

We can decompile the EVM bytecode using Dedaub, which gives us the following disassembly.

0x0: PUSH0     
0x1: PUSH1     0xf
0x3: PUSH1     0x70
0x5: MUL       
0x6: PUSH2     0x258
0x9: MSTORE    
0xa: PUSH0     
0xb: PUSH1     0x5
0xd: PUSH1     0x96
0xf: DIV       
0x10: PUSH1     0x90
0x12: MSTORE    
0x13: PUSH0     
0x14: PUSH1     0x7
0x16: PUSH1     0x9
0x18: EXP       
0x19: PUSH2     0xfffa
0x1c: MSTORE    
0x1d: PUSH2     0x539
0x20: PUSH2     0x26aa
0x23: XOR       
0x24: PUSH3     0xbfabf
0x28: MSTORE    
0x29: PUSH1     0x3
0x2b: PUSH2     0xfffa
0x2e: MLOAD     
0x2f: MUL       
0x30: PUSH3     0xbfabf
0x34: MLOAD     
0x35: ADD       
0x36: CALLVALUE 
0x37: PUSH2     0x258
0x3a: MLOAD     
0x3b: PUSH1     0x4
0x3d: MUL       
0x3e: ADD       
0x3f: PUSH1     0x90
0x41: MLOAD     
0x42: ADD       
0x43: EQ        
0x44: PUSH1     0x48
0x46: JUMPI     
0x47: SELFDESTRUCT
0x48: STOP      

We can simulate the assembly by hand and create a trivial Python script to get the flag. I won't include the entire process of simulating here because I'm lazy. But basically, the final equation we get is 3 * (0x9 ** 0x7) + (0x539 ^ 0x26aa) = 0x4 * 0x690 + 0x1e + CALLVALUE, and we just rearrange to find the value of CALLVALUE that makes the two sides equal.

Below is the final equation, solved for CALLVALUE as a Python one-liner.

print(hex(int(3 * (0x9 ** 0x7) + (0x539 ^ 0x26aa)) - (4 * 0x690 + 0x1e)))

Flag: n00bz{0xdafba0}
