Emanuele Ricci
EVM Puzzle 4 solution
This is Part 4 of the “Let’s play EVM Puzzles” series, where I will explain how to solve each puzzle challenge.
EVM Puzzles is a project developed by Franco Victorio (@fvictorio_nan) that is a perfect fit if you are learning how the Ethereum EVM works and want to apply some of the knowledge you have just acquired.
EVM Puzzle 4
00 34 CALLVALUE
01 38 CODESIZE
02 18 XOR
03 56 JUMP
04 FD REVERT
05 FD REVERT
06 FD REVERT
07 FD REVERT
08 FD REVERT
09 FD REVERT
0A 5B JUMPDEST
0B 00 STOP
Similar to the previous challenges, we need to find the correct CALLVALUE value to pass to the contract to make the JUMP jump to the valid JUMPDEST opcode at instruction 10 (0A in hex).
Let's review each opcode before the JUMP:
- CALLVALUE: pushes onto the stack the msg.value, in wei, passed along with the transaction.
- CODESIZE: pushes onto the stack the byte size of the contract's code.
- XOR: pops the first and second elements from the stack and performs the bitwise XOR operation between them. The result is pushed back onto the stack.
Remember that the stack is a LIFO queue, so when the XOR is applied it will look like this: XOR(CODESIZE, CALLVALUE)
Solution
The first valid JUMPDEST operation is at position 10, so XOR(CODESIZE, CALLVALUE) == 10.
In our case, CODESIZE is 12 bytes, so we know that XOR(12, CALLVALUE) must equal 10.
XOR is its own inverse, so CALLVALUE = XOR(12, 10). The correct value of CALLVALUE will be 6!
Here's the link to the solution of Puzzle 4 on the EVM Codes website to simulate it.
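To check the reasoning offline, here is an added example (not part of the original post or of the EVM Puzzles project): a minimal Python interpreter for only the opcodes this puzzle uses, plus a solver that generalizes the XOR inversion to every JUMPDEST in the code. The function names `run` and `solve` and the outcome strings are assumptions made for this sketch.

```python
# Added example: models only the opcodes that appear in Puzzle 4.
CODE = bytes.fromhex("34381856FDFDFDFDFDFD5B00")  # bytecode from the listing above

CALLVALUE, CODESIZE, XOR, JUMP = 0x34, 0x38, 0x18, 0x56
JUMPDEST, STOP, REVERT = 0x5B, 0x00, 0xFD


def run(code: bytes, callvalue: int) -> str:
    """Execute code with the given msg.value (in wei) and report how it halts."""
    stack, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == CALLVALUE:
            stack.append(callvalue)
        elif op == CODESIZE:
            stack.append(len(code))
        elif op == XOR:
            a, b = stack.pop(), stack.pop()  # top of stack first (LIFO)
            stack.append(a ^ b)
        elif op == JUMP:
            dest = stack.pop()
            # A JUMP is valid only if it lands exactly on a JUMPDEST opcode.
            if dest >= len(code) or code[dest] != JUMPDEST:
                return "INVALID_JUMP"
            pc = dest
            continue
        elif op == JUMPDEST:
            pass  # marker only, no stack effect
        elif op == STOP:
            return "STOP"
        else:  # REVERT, or any opcode this sketch does not model
            return "REVERT"
        pc += 1
    return "STOP"  # running off the end of the code halts like STOP


def solve(code: bytes) -> list[int]:
    """XOR is its own inverse, so CALLVALUE = CODESIZE ^ destination."""
    # Scanning for 0x5B is safe here because this bytecode has no PUSH data.
    dests = [i for i, op in enumerate(code) if op == JUMPDEST]
    candidates = [len(code) ^ d for d in dests]
    return [v for v in candidates if run(code, v) == "STOP"]


if __name__ == "__main__":
    print(solve(CODE))
```
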