Last active
April 9, 2024 16:29
-
-
Save HarryR/cce52596ffebdff2744c5d790888015a to your computer and use it in GitHub Desktop.
ecrecover exploit example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "linkReferences": {}, | |
| "object": "6060604052341561000f57600080fd5b5b6102338061001f6000396000f300606060405263ffffffff7c0100000000000000000000000000000000000000000000000000000000600035041663eca135cb811461003d575b600080fd5b341561004857600080fd5b61009e60046024813581810190830135806020601f820181900481020160405190810160405281815292919060208401838380828437509496505060ff85351694602081013594506040013592506100a0915050565b005b60006001856040518082805190602001908083835b602083106100d557805182525b601f1990920191602091820191016100b5565b6001836020036101000a038019825116818451161790925250505091909101925060409150505180910390208585856040518060005260200160405260006040516020015260405193845260ff90921660208085019190915260408085019290925260608401929092526080909201915160208103908084039060008661646e5a03f1151561016357600080fd5b50506020604051035190503073ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff161415156101a857600080fd5b3373ffffffffffffffffffffffffffffffffffffffff166108fc3073ffffffffffffffffffffffffffffffffffffffff16319081150290604051600060405180830381858888f1935050505015156101ff57600080fd5b5b50505050505600a165627a7a72305820894f9e0a2e8adcd796e47061418ebbaeeda6b48dad3cd9ddbef68024fe2285760029", | |
| "opcodes": "PUSH1 0x60 PUSH1 0x40 MSTORE CALLVALUE ISZERO PUSH2 0xF JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST JUMPDEST PUSH2 0x233 DUP1 PUSH2 0x1F PUSH1 0x0 CODECOPY PUSH1 0x0 RETURN STOP PUSH1 0x60 PUSH1 0x40 MSTORE PUSH4 0xFFFFFFFF PUSH29 0x100000000000000000000000000000000000000000000000000000000 PUSH1 0x0 CALLDATALOAD DIV AND PUSH4 0xECA135CB DUP2 EQ PUSH2 0x3D JUMPI JUMPDEST PUSH1 0x0 DUP1 REVERT JUMPDEST CALLVALUE ISZERO PUSH2 0x48 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST PUSH2 0x9E PUSH1 0x4 PUSH1 0x24 DUP2 CALLDATALOAD DUP2 DUP2 ADD SWAP1 DUP4 ADD CALLDATALOAD DUP1 PUSH1 0x20 PUSH1 0x1F DUP3 ADD DUP2 SWAP1 DIV DUP2 MUL ADD PUSH1 0x40 MLOAD SWAP1 DUP2 ADD PUSH1 0x40 MSTORE DUP2 DUP2 MSTORE SWAP3 SWAP2 SWAP1 PUSH1 0x20 DUP5 ADD DUP4 DUP4 DUP1 DUP3 DUP5 CALLDATACOPY POP SWAP5 SWAP7 POP POP PUSH1 0xFF DUP6 CALLDATALOAD AND SWAP5 PUSH1 0x20 DUP2 ADD CALLDATALOAD SWAP5 POP PUSH1 0x40 ADD CALLDATALOAD SWAP3 POP PUSH2 0xA0 SWAP2 POP POP JUMP JUMPDEST STOP JUMPDEST PUSH1 0x0 PUSH1 0x1 DUP6 PUSH1 0x40 MLOAD DUP1 DUP3 DUP1 MLOAD SWAP1 PUSH1 0x20 ADD SWAP1 DUP1 DUP4 DUP4 JUMPDEST PUSH1 0x20 DUP4 LT PUSH2 0xD5 JUMPI DUP1 MLOAD DUP3 MSTORE JUMPDEST PUSH1 0x1F NOT SWAP1 SWAP3 ADD SWAP2 PUSH1 0x20 SWAP2 DUP3 ADD SWAP2 ADD PUSH2 0xB5 JUMP JUMPDEST PUSH1 0x1 DUP4 PUSH1 0x20 SUB PUSH2 0x100 EXP SUB DUP1 NOT DUP3 MLOAD AND DUP2 DUP5 MLOAD AND OR SWAP1 SWAP3 MSTORE POP POP POP SWAP2 SWAP1 SWAP2 ADD SWAP3 POP PUSH1 0x40 SWAP2 POP POP MLOAD DUP1 SWAP2 SUB SWAP1 KECCAK256 DUP6 DUP6 DUP6 PUSH1 0x40 MLOAD DUP1 PUSH1 0x0 MSTORE PUSH1 0x20 ADD PUSH1 0x40 MSTORE PUSH1 0x0 PUSH1 0x40 MLOAD PUSH1 0x20 ADD MSTORE PUSH1 0x40 MLOAD SWAP4 DUP5 MSTORE PUSH1 0xFF SWAP1 SWAP3 AND PUSH1 0x20 DUP1 DUP6 ADD SWAP2 SWAP1 SWAP2 MSTORE PUSH1 0x40 DUP1 DUP6 ADD SWAP3 SWAP1 SWAP3 MSTORE PUSH1 0x60 DUP5 ADD SWAP3 SWAP1 SWAP3 MSTORE PUSH1 0x80 SWAP1 SWAP3 ADD SWAP2 MLOAD PUSH1 0x20 DUP2 SUB SWAP1 DUP1 DUP5 SUB SWAP1 PUSH1 0x0 DUP7 PUSH2 0x646E GAS SUB CALL ISZERO ISZERO PUSH2 0x163 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST POP POP PUSH1 0x20 PUSH1 0x40 MLOAD SUB MLOAD SWAP1 POP ADDRESS PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND DUP2 PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND EQ ISZERO ISZERO PUSH2 0x1A8 JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST CALLER PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND PUSH2 0x8FC ADDRESS PUSH20 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF AND BALANCE SWAP1 DUP2 ISZERO MUL SWAP1 PUSH1 0x40 MLOAD PUSH1 0x0 PUSH1 0x40 MLOAD DUP1 DUP4 SUB DUP2 DUP6 DUP9 DUP9 CALL SWAP4 POP POP POP POP ISZERO ISZERO PUSH2 0x1FF JUMPI PUSH1 0x0 DUP1 REVERT JUMPDEST JUMPDEST POP POP POP POP POP JUMP STOP LOG1 PUSH6 0x627A7A723058 KECCAK256 DUP10 0x4f SWAP15 EXP 0x2e DUP11 0xdc 0xd7 SWAP7 0xe4 PUSH17 0x61418EBBAEEDA6B48DAD3CD9DDBEF68024 INVALID 0x22 DUP6 PUSH23 0x29000000000000000000000000000000000000000000 ", | |
| "sourceMap": "25:290:0:-;;;;;;;;;;;;;;;;;;" | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| pragma solidity 0.4.13; | |
| contract EcRecoverExample | |
| { | |
| function example(bytes stuff2hash, uint8 v, bytes32 r, bytes32 s) | |
| public | |
| { | |
| address result = ecrecover(keccak256(stuff2hash), v, r, s); | |
| require( result == address(this) ); | |
| msg.sender.transfer(address(this).balance); | |
| } | |
| } |
Ok I think I got it, the input memory region of keccak256 would be the output region of the ecrecover.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi Harry, sounds interesting. How would you be able to reverse keccak256 though? You need to generate stuff2hash such that address(sha3(stuff2hash)) == address(this)?