Challenge:
Our fifth challenge is located in /puzzles/puzzle_6.json. Challenge 6 contains the following:
{
"code": "60003556FDFDFDFDFDFD5B00",
"askForValue": false,
"askForData": true
}
Hint 1:
The corresponding EVM opcodes are:
PUSH1 00
CALLDATALOAD
JUMP
REVERT
REVERT
REVERT
REVERT
REVERT
REVERT
JUMPDEST
STOP
Hint 2:
PUSH1 pushes 00 on to the top of the stack.
CALLDATALOAD uses the value on the top of the
stack as a byte offset in the calldata. From
this byte offset, all bytes afterwards are set to 0.
Examples :
Value on top of Stack:
0
Calldata:
0x0000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
CALLDATALOAD output placed on top of stack:
0x0000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Value on top of Stack:
31
Calldata:
0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
CALLDATALOAD output placed on top of stack:
0xFF00000000000000000000000000000000000000000000000000000000000000
How can we JUMP over the 6 REVERT
opcodes and land on the JUMPDEST?
Hint 3:
PUSH1 00 //Offset 0
CALLDATALOAD //Offset 2
JUMP //Offset 3
REVERT //Offset 4
REVERT //Offset 5
REVERT //Offset 6
REVERT //Offset 7
REVERT //Offset 8
REVERT //Offset 9
JUMPDEST //Offset a
STOP //Offset b
Solution:
We can see that the offset of JUMPDEST is 'a' and we
therefore want 'a' to be on the top of the stack
when we reach the JUMP opcode.
To start, PUSH1 places 0 on top of the stack which means
our CALLDATALOAD will use the offset of 0 and will place
all 32 bytes of calldata on top of the stack.
Knowing this, all we need to do is make our calldata 0x0a.
Since we are using 32 bytes, we will send 63 leading zeros:
0x000000000000000000000000000000000000000000000000000000000000000a
Now when we reach JUMP, 0x0a is on top of the stack, and JUMP
performs a valid jump over the REVERT calls to JUMPDEST.