10.air-hunting @babybet
2023-06-29 15:54:40 # 02.ChainflagCTF

air-hunting(babybet)

contract

1
0x6080604052600436106100775763ffffffff7c0100000000000000000000000000000000000000000000000000000000600035041663645b8b1b811461009857806366d16cc3146100d85780637365870b146100ef5780638c0320de14610107578063e3d670d71461019e578063f0d25268146101cc575b3360009081526020819052604090208054670de0b6b3a76400003404019055005b3480156100a457600080fd5b506100c673ffffffffffffffffffffffffffffffffffffffff600435166101fd565b60408051918252519081900360200190f35b3480156100e457600080fd5b506100ed61020f565b005b3480156100fb57600080fd5b506100ed60043561024c565b34801561011357600080fd5b506040805160206004803580820135601f81018490048402850184019095528484526100ed94369492936024939284019190819084018382808284375050604080516020601f89358b018035918201839004830284018301909452808352979a9998810197919650918201945092508291508401838280828437509497506102e29650505050505050565b3480156101aa57600080fd5b506100c673ffffffffffffffffffffffffffffffffffffffff6004351661047d565b3480156101d857600080fd5b506100ed73ffffffffffffffffffffffffffffffffffffffff6004351660243561048f565b60016020526000908152604090205481565b336000908152600160205260409020541561022957600080fd5b336000908152602081815260408083208054600a01905560019182905290912055565b336000908152602081905260408120548190600a111561026b57600080fd5b3360009081526001602052604090205460021161028757600080fd5b5050336000908152602081905260409020805460091901905543600019014060038106828114156102ca5733600090815260208190526040902080546103e80190555b50503360009081526001602052604090206002905550565b33600090815260208190526040902054620f4240111561030157600080fd5b60025473ffffffffffffffffffffffffffffffffffffffff16331461033157336000908152602081905260408120555b60025460405173ffffffffffffffffffffffffffffffffffffffff90911690303180156108fc02916000818181858888f19350505050158015610378573d6000803e3d6000fd5b507f6335b7f9c4dff99c3a870eaf18b802774df3aba4e21b72549f3a03b6bc974c908282604051808060200180602001838103835285818151815260200191508051906020019080838360005b838110156103dd5781810151838201526020016103c5565b50505050905090810190601f16801561040a5780820380516001836020036101000a031916815260200191505b50838103825284518152845160209182019186019080838360005b8381101561043d578181015183820152602001610425565b50505050905090810190601f16801561046a5780820380516001836020036101000a031916815260200191505b5094505050505060405180910390a15050565b60006020819052908152604090205481565b336000908152602081905260409020548111156104ab57600080fd5b336000908152602081905260408082208054849003905573ffffffffffffffffffffffffffffffffffffffff93909316815291909120805490910190555600a165627a7a723058207958bdc84ae120b218d0987fdff009a5dbca73d76271563852fd4b0550efa3790029

analyses

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
contract Contract {
function main() {
memory[0x40:0x60] = 0x80;

if (msg.data.length < 0x04) {
label_0077:
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;
var temp0 = keccak256(memory[0x00:0x40]);
storage[temp0] = msg.value / 0x0de0b6b3a7640000 + storage[temp0];
stop();
} else {
var var0 = msg.data[0x00:0x20] / 0x0100000000000000000000000000000000000000000000000000000000 & 0xffffffff;

if (var0 == 0x645b8b1b) {
// Dispatch table entry for status(address)
var var1 = msg.value;

if (var1) { revert(memory[0x00:0x00]); }

var1 = 0x00c6;
var var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
var2 = status(var2);

label_00C6:
var temp1 = memory[0x40:0x60];
memory[temp1:temp1 + 0x20] = var2;
var temp2 = memory[0x40:0x60];
return memory[temp2:temp2 + temp1 - temp2 + 0x20];
} else if (var0 == 0x66d16cc3) {
// Dispatch table entry for profit()
var1 = msg.value;

if (var1) { revert(memory[0x00:0x00]); }

var1 = 0x00ed;
profit();
stop();
} else if (var0 == 0x7365870b) {
// Dispatch table entry for bet(uint256)
var1 = msg.value;

if (var1) { revert(memory[0x00:0x00]); }

var1 = 0x00ed;
var2 = msg.data[0x04:0x24];
bet(var2);
stop();
} else if (var0 == 0x8c0320de) {
// Dispatch table entry for payforflag(string,string)
var1 = msg.value;

if (var1) { revert(memory[0x00:0x00]); }

var temp3 = memory[0x40:0x60];
var temp4 = msg.data[0x04:0x24];
var temp5 = msg.data[temp4 + 0x04:temp4 + 0x04 + 0x20];
memory[0x40:0x60] = temp3 + (temp5 + 0x1f) / 0x20 * 0x20 + 0x20;
memory[temp3:temp3 + 0x20] = temp5;
var1 = 0x00ed;
memory[temp3 + 0x20:temp3 + 0x20 + temp5] = msg.data[temp4 + 0x24:temp4 + 0x24 + temp5];
var temp6 = memory[0x40:0x60];
var temp7 = msg.data[0x24:0x44] + 0x04;
var temp8 = msg.data[temp7:temp7 + 0x20];
memory[0x40:0x60] = temp6 + (temp8 + 0x1f) / 0x20 * 0x20 + 0x20;
memory[temp6:temp6 + 0x20] = temp8;
var2 = temp3;
memory[temp6 + 0x20:temp6 + 0x20 + temp8] = msg.data[temp7 + 0x20:temp7 + 0x20 + temp8];
var var3 = temp6;
payforflag(var2, var3);
stop();
} else if (var0 == 0xe3d670d7) {
// Dispatch table entry for balance(address)
var1 = msg.value;

if (var1) { revert(memory[0x00:0x00]); }

var1 = 0x00c6;
var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
var2 = balance(var2);
goto label_00C6;
} else if (var0 == 0xf0d25268) {
// Dispatch table entry for transferbalance(address,uint256)
var1 = msg.value;

if (var1) { revert(memory[0x00:0x00]); }

var1 = 0x00ed;
var2 = msg.data[0x04:0x24] & 0xffffffffffffffffffffffffffffffffffffffff;
var3 = msg.data[0x24:0x44];
transferbalance(var2, var3);
stop();
} else { goto label_0077; }
}
}

function status(var arg0) returns (var arg0) {
memory[0x20:0x40] = 0x01;
memory[0x00:0x20] = arg0;
return storage[keccak256(memory[0x00:0x40])];
}

function profit() {
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x01;

if (storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }

memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;
var temp0 = keccak256(memory[0x00:0x40]);
storage[temp0] = storage[temp0] + 0x0a;
memory[0x20:0x40] = 0x01;
storage[keccak256(memory[0x00:0x40])] = 0x01;
}

function bet(var arg0) {
var var0 = 0x00;
memory[var0:var0 + 0x20] = msg.sender;
memory[0x20:0x40] = var0;
var var1 = var0;

if (0x0a > storage[keccak256(memory[var1:var1 + 0x40])]) { revert(memory[0x00:0x00]); }

memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x01;

if (0x02 <= storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }

memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;
var temp0 = keccak256(memory[0x00:0x40]);
storage[temp0] = storage[temp0] + ~0x09;
var0 = block.blockHash(block.number + ~0x00);
var1 = var0 % 0x03;

if (var1 != arg0) {
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x01;
storage[keccak256(memory[0x00:0x40])] = 0x02;
return;
} else {
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;
var temp1 = keccak256(memory[0x00:0x40]);
storage[temp1] = storage[temp1] + 0x03e8;
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x01;
storage[keccak256(memory[0x00:0x40])] = 0x02;
return;
}
}

function payforflag(var arg0, var arg1) {
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;

if (0x0f4240 > storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }

if (msg.sender == storage[0x02] & 0xffffffffffffffffffffffffffffffffffffffff) {
var temp0 = memory[0x40:0x60];
var temp1 = address(this).balance;
var temp2;
temp2, memory[temp0:temp0 + 0x00] = address(storage[0x02] & 0xffffffffffffffffffffffffffffffffffffffff).call.gas(!temp1 * 0x08fc).value(temp1)(memory[temp0:temp0 + 0x00]);
var var0 = !temp2;

if (!var0) {
label_0378:
var0 = 0x6335b7f9c4dff99c3a870eaf18b802774df3aba4e21b72549f3a03b6bc974c90;
var temp3 = arg0;
var var1 = temp3;
var var2 = arg1;
var temp4 = memory[0x40:0x60];
var var3 = temp4;
var var4 = var3;
var var5 = var4 + 0x20;
var temp5 = var5 + 0x20;
memory[var4:var4 + 0x20] = temp5 - var4;
memory[temp5:temp5 + 0x20] = memory[var1:var1 + 0x20];
var var6 = temp5 + 0x20;
var var7 = var1 + 0x20;
var var8 = memory[var1:var1 + 0x20];
var var9 = var8;
var var10 = var6;
var var11 = var7;
var var12 = 0x00;

if (var12 >= var9) {
label_03DD:
var temp6 = var8;
var6 = temp6 + var6;
var7 = temp6 & 0x1f;

if (!var7) {
var temp7 = var6;
memory[var5:var5 + 0x20] = temp7 - var3;
var temp8 = var2;
memory[temp7:temp7 + 0x20] = memory[temp8:temp8 + 0x20];
var6 = temp7 + 0x20;
var7 = temp8 + 0x20;
var8 = memory[temp8:temp8 + 0x20];
var9 = var8;
var10 = var6;
var11 = var7;
var12 = 0x00;

if (var12 >= var9) {
label_043D:
var temp9 = var8;
var6 = temp9 + var6;
var7 = temp9 & 0x1f;

if (!var7) {
var temp10 = memory[0x40:0x60];
log(memory[temp10:temp10 + var6 - temp10], [stack[-8]]);
return;
} else {
var temp11 = var7;
var temp12 = var6 - temp11;
memory[temp12:temp12 + 0x20] = ~(0x0100 ** (0x20 - temp11) - 0x01) & memory[temp12:temp12 + 0x20];
var temp13 = memory[0x40:0x60];
log(memory[temp13:temp13 + (temp12 + 0x20) - temp13], [stack[-8]]);
return;
}
} else {
label_042E:
var temp14 = var12;
memory[temp14 + var10:temp14 + var10 + 0x20] = memory[temp14 + var11:temp14 + var11 + 0x20];
var12 = temp14 + 0x20;

if (var12 >= var9) { goto label_043D; }
else { goto label_042E; }
}
} else {
var temp15 = var7;
var temp16 = var6 - temp15;
memory[temp16:temp16 + 0x20] = ~(0x0100 ** (0x20 - temp15) - 0x01) & memory[temp16:temp16 + 0x20];
var temp17 = temp16 + 0x20;
memory[var5:var5 + 0x20] = temp17 - var3;
var temp18 = var2;
memory[temp17:temp17 + 0x20] = memory[temp18:temp18 + 0x20];
var6 = temp17 + 0x20;
var7 = temp18 + 0x20;
var8 = memory[temp18:temp18 + 0x20];
var9 = var8;
var10 = var6;
var11 = var7;
var12 = 0x00;

if (var12 >= var9) { goto label_043D; }
else { goto label_042E; }
}
} else {
label_03CE:
var temp19 = var12;
memory[temp19 + var10:temp19 + var10 + 0x20] = memory[temp19 + var11:temp19 + var11 + 0x20];
var12 = temp19 + 0x20;

if (var12 >= var9) { goto label_03DD; }
else { goto label_03CE; }
}
} else {
label_036F:
var temp20 = returndata.length;
memory[0x00:0x00 + temp20] = returndata[0x00:0x00 + temp20];
revert(memory[0x00:0x00 + returndata.length]);
}
} else {
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;
storage[keccak256(memory[0x00:0x40])] = 0x00;
var temp21 = memory[0x40:0x60];
var temp22 = address(this).balance;
var temp23;
temp23, memory[temp21:temp21 + 0x00] = address(storage[0x02] & 0xffffffffffffffffffffffffffffffffffffffff).call.gas(!temp22 * 0x08fc).value(temp22)(memory[temp21:temp21 + 0x00]);
var0 = !temp23;

if (!var0) { goto label_0378; }
else { goto label_036F; }
}
}

function balance(var arg0) returns (var arg0) {
memory[0x20:0x40] = 0x00;
memory[0x00:0x20] = arg0;
return storage[keccak256(memory[0x00:0x40])];
}

function transferbalance(var arg0, var arg1) {
memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;

if (arg1 > storage[keccak256(memory[0x00:0x40])]) { revert(memory[0x00:0x00]); }

memory[0x00:0x20] = msg.sender;
memory[0x20:0x40] = 0x00;
var temp0 = keccak256(memory[0x00:0x40]);
var temp1 = arg1;
storage[temp0] = storage[temp0] - temp1;
memory[0x00:0x20] = arg0 & 0xffffffffffffffffffffffffffffffffffffffff;
var temp2 = keccak256(memory[0x00:0x40]);
storage[temp2] = temp1 + storage[temp2];
}
}

需要反编译知识、EVM知识、操作码知识才能做,先挖个坑,会了再回头写

solve