Conditions
Posted on Wed 07 August 2024 in ctf
This is a writeup of the blockchain challenge Conditions in the n00bz CTF 2024.
The attached file evm.txt contained the following hash:
5f600f607002610258525f60056096046090525f600760090A61FFFA526105396126aa18620bfabf52600361fffa5102620bfabf51013461025851600402016090510114604857ff00
Using https://evmd.xyz/ we are able to decompile the bytecode:
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.0;
/// @title Decompiled Contract
/// @author Jonathan Becker <jonathan@jbecker.dev>
/// @custom:version heimdall-rs v0.8.3
///
/// @notice This contract was decompiled using the heimdall-rs decompiler.
/// It was generated directly by tracing the EVM opcodes from this contract.
/// As a result, it may not compile or even be valid solidity code.
/// Despite this, it should be obvious what each function does. Overall
/// logic should have been preserved throughout decompiling.
///
/// @custom:github You can find the open-source decompiler here:
/// https://heimdall.rs
contract DecompiledContract {
fallback() external payable {
var_a = 0x0690;
var_b = 0x1e;
var_c = 0x48fb79;
var_d = 0x2393;
if ((var_b + ((0x04 * var_a) + msg.value)) == (var_d + (var_c * 0x03))) {
selfdestruct(0);
}
}
}
We then have to solve the equation for the expected value in msg.value to retrieve the flag:
((var_b + ((0x04 * var_a) + msg.value)) == (var_d + (var_c * 0x03))
((0x1e + ((0x04 * 0x0690) + msg.value)) == (0x2393 + (0x48fb79 * 0x03)))
((0x1e + ((0x04 * 0x0690) + msg.value)) == (0x2393 + 0xdaf26b))
((0x1e + ((0x04 * 0x0690) + msg.value)) == 0xdb15fe)
((0x1e + 0x1a40 + msg.value) == 0xdb15fe)
(0x1a5e + msg.value == 0xdb15fe)
msg.value == 0xdb15fe - 0x1a5e
msg.value == 0xdafba0
The flag is therefore: n00bz{0xdafba0}