05.delegatecall @CounterStrike
2023-06-29 15:54:40 # 02.ChainflagCTF

delegatecall(CounterStrike)

contract

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
pragma solidity ^0.5.10;

contract EasyBomb{
bool private hasExplode = false;
address private launcher_address;
bytes32 private password;
bool public power_state = true;
bytes4 constant launcher_start_function_hash = bytes4(keccak256("setdeadline(uint256)"));
Launcher launcher;

constructor(address _launcher_address, bytes32 _fake_flag) public {
launcher_address = _launcher_address;
password = _fake_flag ;
}

modifier isOwner(){
require(msgPassword() == password);
require(msg.sender != tx.origin);
uint x;
assembly {
x := extcodesize(caller)
}
require(x == 0);
_;
}

modifier notExplodeYet(){
launcher = Launcher(launcher_address);
require(block.number < launcher.deadline());
hasExplode = true;
_;
}

function msgPassword() public returns (bytes32 result) {
bytes memory msg_data = msg.data;
if (msg_data.length == 0) {
return 0x0;
}
assembly {
result := mload(add(msg_data, add(0x20, 0x24)))
}
}

function setCountDownTimer(uint256 _deadline) public isOwner notExplodeYet {
launcher_address.delegatecall(abi.encodeWithSignature("setdeadline(uint256)",_deadline));
}
}

contract Launcher{
uint256 public deadline;

constructor() public {
deadline = block.number + 100;
}

function setdeadline(uint256 _deadline) public {
deadline = _deadline;
}
}

contract Setup {
EasyBomb public easyBomb;

constructor(bytes32 _password) public {
easyBomb = new EasyBomb(address(new Launcher()), _password);
}

function isSolved() public view returns (bool) {
return easyBomb.power_state() == false;
}
}

analyses

和本博客文章[security-03]一样

solve