Challenge:
Our seventh challenge is located in /puzzles/puzzle_7.json. Challenge 7 contains the following:
{
"code": "36600080373660006000F03B600114601357FD5B00",
"askForValue": false,
"askForData": true
}
Hint 1:
The corresponding EVM opcodes are:
CALLDATASIZE
PUSH1 00
DUP1
CALLDATACOPY
CALLDATASIZE
PUSH1 00
PUSH1 00
CREATE
EXTCODESIZE
PUSH1 01
EQ
PUSH1 13
JUMPI
REVERT
JUMPDEST
STOP
Hint 2:
CALLDATASIZE takes size of the calldata
and places it on top of the stack.
PUSH1 pushes 00 on to the top of the stack.
DUP1 duplicates the value at the top of the stack
and places the duplicate on top of the original.
CALLDATACOPY takes 3 arguments from the stack in
the following order (from EVM.codes):
1. destOffset: byte offset in the memory where the result will be copied.
2. offset: byte offset in the calldata to copy.
3. size: byte size to copy.
Example:
Stack:
_______
| 0 |
|_____|
| 3 |
|_____|
| 29 |
|_____|
Calldata:
0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Output in memory:
0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA000000
CALLDATASIZE takes size of the calldata
and places it on top of the stack.
CREATE takes the following 3 inputs off of the stack in order
(from EVM.codes):
1. value: value in wei to send to the new account.
2. offset: byte offset in the memory in bytes, the instructions of the new account.
3. size: byte size to copy (size of the instructions).
and outputs the address of the deployed contract to the top of the stack.
EXTCODESIZE takes an address at the top of the stack as input
and places the size in bytes of the code at that address on the
top of the stack.
PUSH 01 places 01 on the stack and then EQ checks if the value below
01 in the stack is equal to 01.
Finally, JUMPI will take the jump to the JUMPDEST if the equal
comparison is true.
How can we JUMPI over the REVERT
opcode and land on the JUMPDEST?
Hint 3:
CREATE does not expect the runtime byte code to be in memory,
but rather the creation code itself.
Creation code is used to set the new contract’s initial state
and importantly for this challenge, it also returns a copy the
new contract's runtime code.
Therefore, we want to call CREATE on a section in memory that contains
the instructions for returning a single byte of data.
Hint 4:
We cannot control the section of memory that we will be reading from
as that is handled by the other opcodes in the puzzle. Specifically,
the stack will be:
_______
| 0 |
|_____|
| 0 |
|_____|
| CS |
|_____|
(CS == call data size)
In conjunction, whatever we put in for calldata will also be
placed in memory at offset 0. So, the exact instructions we pass
into calldata will be used by CREATE. We want to pass in creation
code that will return a copy of the new contract's runtime code.
We would like the returned runtime code to be 1 byte long.
Hint 5:
The RETURN opcode takes the following two values on the stack as input:
1. offset: byte offset in the memory in bytes, to copy what will be
the return data of this context.
2. size: byte size to copy (size of the return data).
The copied value is placed into the return data. What values on the stack
would make RETURN place a single byte in the return data?
Solution:
This one was a bit trickier than the ones before it.
As mentioned in the hints, we need to have our creation code
return a single byte. What that byte is is not important.
If we want our RETURN opcode to have a single byte of
return data, we want the size value on the stack to be 01.
The offset value does not matter, as we are only concerned about
reading a single byte and we have already initialized our memory
in this puzzle, so even values we haven't explicitly set will be
readable (it will default to 0).
Putting this all together, our creation code can look like this:
PUSH1 01
PUSH1 XX
RETURN
Thus an answer to this puzzle is: 0x600160FFF3.
With this, CREATE will be called with 0x600160FFF3 (creation code that
returns a single byte) in memory, and thanks to the arguments on the stack,
it will use the entire creation code to create a contract at a new address.
This address will be placed on the stack and used by the EXTCODESIZE opcode
which in turn will place a 1 on the stack as that is how many bytes are
returned by the creation code (and therefore the expected runtime bytes)
of the new contract.
This lets us pass our next comparisons and JUMPI to our JUMPDEST.
Voila!