✅Puzzle 8
GAS, CALL
Puzzle
Solution
Equivalent to CALLDATACOPY(0, 0, calldata_size).
Equivalent to CREATE(0, 0, calldata_size). Again, this means create a new contract and deposits 0 wei into it. The initialization code is at memory offset 0 and the length is the size of calldata.
This chunk pushes 5 0x00 onto the stack and swap the topmost element with the bottommost element. Recall that the bottommost element is the result of CREATE(0, 0, calldata_size), which is the new contract's address. Now new contract's address is at the top of the stack, following 5 0x00 underneath it.
After that we encounter a new opcode GAS:
It just pushes remaining gas onto the stack. Next, we have another new opcode CALL:
Now this is equivalent to CALL(remaining_gas, new_contract_address, 0, 0, 0, 0, 0). Basically it will just call the new contract with the remaining gas and the argument is empty. This call will push 1 onto the stack if it was successful, otherwise it will push 0 onto the stack. We shall call it result.
If result == 0, the control flow will goto address 0x1B, which is our destination. In other words, we want CALL(remaining_gas, new_contract_address, 0, 0, 0, 0, 0) fail.
Building calldata
The easiest way to fail the CALL is creating a new contract containing only the REVERT instruction. The same idea appeared in Ethernaut "King".
Just modify the calldata from previous level:
Bytecode:
Last updated
