EVM Puzzles 2 Walk-Through

EVM Puzzles gives us bytecode and asks us for a call value that makes the transaction succeed.

If you missed my original post, which goes into more detail about how to decipher the opcodes and the tools we are using, see it here.

EVM Puzzle 2

Puzzle 2 introduces us to some new Opcodes, as well as some we saw in the previous puzzle.
Let’s start by breaking down the new codes: [38] CODESIZE & [03] SUB.

CODESIZE

[38] CODESIZE is described as getting the size of the code running in the current environment.

SUB

[03] SUB is the code for subtraction of two integer values.

And the codes that we have previously seen are: [34] CALLVALUE, [56] JUMP, [FD] REVERT, [5B] JUMPDEST & [00] STOP.
(See Puzzle 1 if you need a refresher)

So I’ve copied the bytecode into the evm.codes playground, and now I’m going to send a test transaction of 1 wei to see how the contract reacts.

bytecode with test transaction

As we step through each instruction, the box underneath tracks the stack. This is going to be the important part, since we learned earlier that SUB computes a - b: index 1 of the stack (the top) minus index 2.

So run our transaction with 1 wei and step through the first instruction.

CALLVALUE

CALLVALUE takes the value (1 wei) of our call and pushes it to the top of the stack.
Step again.

CODESIZE

CODESIZE takes the byte size of our code and pushes it to the top of the stack.
Here a = 10 once the value is converted from hexadecimal to decimal.
Next step.

SUB

SUB is going to take both values off the stack and subtract our call value from the code size, or 10 - 1, making our new stack 9.
The next step we learned in puzzle 1, JUMP will then jump to the value it is passed (in this case 9), but that byte must be a JUMPDEST.

Error

But now that we know the math we can look back at the contract and figure out what value we need to pass it to solve!

  • SUB is going to subtract our value from CODESIZE which is 10.
  • The JUMPDEST we are after is at 6.

I believe we need to try a value of 4 wei for our transaction in the playground.

4 wei stack result

The transaction’s stack at the SUB phase looks more promising this time.
Stepping on we get a result of 6 and JUMP.

JUMPDEST

With a smooth landing at our JUMPDEST we have solved this challenge. Let’s head back to the terminal and submit it.

Puzzle 2 Solved
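
The same trace as a small script, added here as an example (it is not part of the original post or of the EVM Puzzles project). The bytecode is reconstructed from the opcodes, the code size of 10 and the JUMPDEST offset of 6 described above, and the names run and solve are made up for illustration.

```python
# Constructed bytecode (assumption): CALLVALUE CODESIZE SUB JUMP REVERT REVERT
# JUMPDEST STOP REVERT REVERT, i.e. 10 bytes with the JUMPDEST at offset 6.
PUZZLE_2 = bytes.fromhex("34380356fdfd5b00fdfd")
WORD = 2 ** 256  # EVM words are 256-bit; arithmetic wraps modulo 2**256


def run(code: bytes, callvalue: int) -> str:
    """Execute only the opcodes used in this walkthrough; return the outcome."""
    stack, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == 0x34:      # CALLVALUE: push the wei sent with the call
            stack.append(callvalue % WORD)
        elif op == 0x38:    # CODESIZE: push the length of the running code
            stack.append(len(code))
        elif op == 0x03:    # SUB: a - b, where a is the top of the stack
            a, b = stack.pop(), stack.pop()
            stack.append((a - b) % WORD)
        elif op == 0x56:    # JUMP: the target byte must be a JUMPDEST
            dest = stack.pop()
            # No PUSH data in this code, so a plain byte check is enough here.
            if dest >= len(code) or code[dest] != 0x5B:
                return f"invalid jump to {dest}"
            pc = dest
            continue
        elif op == 0x5B:    # JUMPDEST: a marker, does nothing itself
            pass
        elif op == 0x00:    # STOP: successful end of execution
            return "stop"
        elif op == 0xFD:    # REVERT: simplified to "the transaction fails"
            return "revert"
        else:
            return f"unsupported opcode {op:#04x}"
        pc += 1
    return "stop"


def solve(code: bytes) -> list[int]:
    """Try every call value up to the code size; keep those that reach STOP."""
    return [v for v in range(len(code) + 1) if run(code, v) == "stop"]


if __name__ == "__main__":
    print(run(PUZZLE_2, 1))   # the 1 wei test transaction
    print(solve(PUZZLE_2))    # call values that solve the puzzle
```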

That’s it for puzzle 2, see you in the next one.

DAVE
