Explore
1

jump
jump

Category

EVM

Description

nahamcon ctf - The challenge is to bypass the impossible conditions with the help of a function which alters the memory to point to a different jump location

Summary

The challenge is to withdraw funds from the contract by passing the two impossible require statements by jumping with the help of the function which changes the memory. This is my first ctf to achieve first blood which has been solved by 7 other teams.

Introduction to challenge

Initializing script This script checks the last deployed jump contract's balance should be equal to 0 to solve the challenge. Jump contract While looking at the contract, withdraw() and breakIt() functions grabs the attention. The withdraw function checks the value sent to be 0 to transfer the balance whereas the breakIt checks the value sent to be not equal to 0. Notice that the withdraw is a private function so we cannot call it from outside. Let's dig deeper...
The struct Func maps a internal function to it. frwd is a internal function which calls withdraw. Now back to breakIt, the struct is initialized here and frwd is passed in the place of internal func in func.f Everything's fine breakIt calls the internal function frwd which in turn calls the withdraw function.
But, how do we jump the require statements ?
Robot meme Time for low level, the mstore takes a offset as its first argument and value as its second and stores it in the next 32 bytes in memory. mstore opcode Here the offset is struct function location in memory 0x80 and value is callvalue (msg.value) sent.
Let us remove the require statement in the breakIt function to see how it works without finding the solution yet... Memory slots the memory slot 0x80 contains the value 0xb3 which is location of frwd that was initialized.
Before going further, let's understand this Jump opcodes Function call is nothing but a unconditional jump, it jumps to the function location and runs that part. On the other hand require statement is conditional jump which jumps to the instruction location when the condition is satisfied.
Here struct Func.f points to the function location frwd which differs. So, by changing the destination of Func.f to the transfer instruction in withdraw function we would able to drain all the funds. debugger in remix By debugging the breakIt function's transaction we know that the jumpi points to the destination - 100 and with the condition - 1 in stack. The only possible way to change the destination is by using callvalue. The assembly adds 0xb3 which is location of frwd and the call value should be 0x100 - 0xb3 = 77. So, the call value should be 77 wei to drain all the funds. Now let's remove the require statements to try it. Success Success, we drained all the funds.
I am NoobI am NoobI am Noob
Next project
1

jump
jump

Category

EVM

Description

nahamcon ctf - The challenge is to bypass the impossible conditions with the help of a function which alters the memory to point to a different jump location

 Next project
2

evmvm
evmvm

Category

EVM

Description

la ctf - the challenge is to call the Setup contract using another deployed contract which lets you execute one opcode for each call with a weird behaviour of functions inside assembly.

 Next project
3

tetToken
tetToken

Category

EVM

Description

tet ctf - This challenge contains both web and web3 part in it. The web3 contains a simple re-entrancy.