Challenge:
Our eighth challenge is located in /puzzles/puzzle_8.json. Challenge 8 contains the following:
{
"code": "36600080373660006000F0600080808080945AF1600014601B57FD5B00",
"askForValue": false,
"askForData": true
}
Hint 1:
The corresponding EVM opcodes are:
CALLDATASIZE
PUSH1 00
DUP1
CALLDATACOPY
CALLDATASIZE
PUSH1 00
PUSH1 00
CREATE
PUSH1 00
DUP1
DUP1
DUP1
DUP1
SWAP5
GAS
CALL
PUSH1 00
EQ
PUSH1 1B
JUMPI
REVERT
JUMPDEST
STOP
Hint 2:
We have 3 new opcodes here: SWAP5, GAS, and CALL.
SWAP5 exchanges the positions of the 1st and 6th items
on the stack.
GAS takes the remaining gas and places it on top of the stack
CALL is the most complicated of the 3. It accepts the
following arguments from the stack as input (from EVM.codes)
1. gas: amount of gas to send to the sub context to execute.
The gas that is not used by the sub context is returned to this one.
2. address: the account which context to execute.
3. value: value in wei to send to the account.
4. argsOffset: byte offset in the memory in bytes, the calldata of the sub context.
5. argsSize: byte size to copy (size of the calldata).
6. retOffset: byte offset in the memory in bytes,
where to store the return data of the sub context.
7. retSize: byte size to copy (size of the return data).
CALL outputs a 0 on the stack if a revert occurred, else 1.
How can we JUMPI over the REVERT
opcode and land on the JUMPDEST?
Hint 3:
Looking at the code, we can tell that we want CALL to return a 0 value.
Using what we learned from the last puzzle, how can we deploy a contract
that will revert when called into?
Hint 4:
Here is what our stack looks like when we hit the CALL opcode:
_______
| G |
|_____|
| A |
|_____|
| 0 |
|_____|
| 0 |
|_____|
| 0 |
|_____|
| 0 |
|_____|
| 0 |
|_____|
(G = gas left)
(A = address of created contract)
We don't have to worry about arguments or return data.
Hint 5:
We did the heavy lifting here in the puzzle 7 when we went over
contract creation code. The key difference here is that instead
of worrying about the size of the runtime byte code, we want to
set the runtime bytecode of the created contract to produce a
REVERT.
Solution:
We are cooking up another contract!
If we want our RETURN opcode to have a single byte of return data,
we want the size value on the stack to be 01. This time, however,
we do care about what is in memory because we are using the
runtime bytecode when we CALL into it. Therefore, we want RETURN
to place a REVERT into the return data. A simple way to do this
is to have RETURN return only the REVERT opcode or 0xFD.
Putting this all together, our creation code can look like this:
PUSH1 FD
PUSH1 00
MSTORE8
PUSH1 01
PUSH1 00
RETURN
Thus an answer to this puzzle is: 0x60FD60005360016000F3.
With this, CREATE will be called with 0x60FD60005360016000F3.
This creation code returns the 0xFD or REVERT opcode. This serves
as the runtime code of the created contract. When the CALL opcode
executes the subcontext of our newly created contract, it will
therefore REVERT and place a 0 on the stack.
This lets us pass our next EQ comparison and JUMPI to our JUMPDEST.