06.AdultOtter
2023-10-06 15:16:04 # 23.0xHackedCTF

AdultOtter

又是一道算法题,如下是分析:

1
2
3
4
(1)2 ** 255刚好能被2**64除断。
(2)对b[i]展开:b[i]=(2 ** 255 + code[i] - 7 *i ** i * code[i]+ b[i-1]) % 2**64;
(3)b[15] = 15 *2 ** 255 + code[15] - 7 *i ** i * code[15] + code[14] - 7 *i ** i * code[14] + ...... code[1] - 7 *i**i * code[1] + b[0]
(4)那么使 code[15] - 7 *i ** i * code[15] + code[14] - 7 *i** i * code[14] + ...... code[1] - 7 *i ** i * code[1]+ b[0] 为2**64倍数即可。

最终构造出来的结果如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

interface IAdultOtter {
function pwn(uint[16] memory code) external;
}

contract Exploit{

function exploit() public {
address addr = 0x6D40aCf2EF8F8F99247666AEE922E79CB605DE3B;
uint[16] memory DataNumber;
DataNumber[0] = 11;
DataNumber[1] = 1513;
DataNumber[2] = 3859;
DataNumber[3] = 5192;
DataNumber[4] = 6112;
DataNumber[5] = 7966;
DataNumber[6] = 9263;
DataNumber[7] = 10432;
DataNumber[8] = 11709;
DataNumber[9] = 13320;
DataNumber[10] = 14564;
DataNumber[11] = 15480;
DataNumber[12] = 16614;
DataNumber[13] = 18200;
DataNumber[14] = 19485;
DataNumber[15] = 21344;
IAdultOtter(addr).pwn(DataNumber);
}

}