
La Folie du jeu : descente aux enfers

In this challenge, we are given Solidity source code (available here).

The contract is initialised through its constructor, which takes the _start value and stores it as the initial state:

// _start seeds the generator; it is supplied in the deployment transaction
constructor(uint _start) {
    currentState = _start;
}

This value is not known in advance, but it can be found. Once the contract is initialised, we can call the guess function to try to guess the correct value and get the flag. As the code below shows, the value to submit is the next state, computed from the _start value and the constants a, c and m:

function guess(uint _next) public returns (bool) {
    // advance the generator one step, then compare the guess with the new state
    currentState = (a * currentState + c) % m;
    isSolved = (_next == currentState) || isSolved;
    return isSolved;
}

To find the _start value, I found the website Try Ethernal. This allows us to see all the newly created blocks and to get the one with the _start value given to the constructor.

Now that we are all set, we can connect to the nc server to deploy the game. It gives us the JSON-RPC URL and the chain ID.

Now, we can deploy the Jeu contract and head back to Try Ethernal, where the newly created block appears. Clicking on it shows the Contract Creation Data.

At the bottom, the last line looks like 000000000000000000000000000000000000000000000000000000000c39b211. Constructor arguments are ABI-encoded and appended to the creation bytecode, so what comes after the 0s is the value given to the constructor. We now just have to send (a*0xc39b211+c)%m and we are done. To do so, I used Python code, available here.

Note that you could also have written JS code to do that, or used the website Remix Ethereum.
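As an added example (not the author's script, which is not reproduced on this page), the following Python reads the constructor argument from the end of the creation data and computes the next state the way guess() does. The init-code bytes and the constants A, C and M are placeholders; the real a, c and m come from the challenge's Solidity source.

```python
# Added example: recover a uint256 constructor argument from contract
# creation data and predict the contract's next generator state.
UINT256 = 1 << 256


def constructor_uint_arg(creation_data: str) -> int:
    """Return the last 32-byte ABI word of the creation data as an integer.

    Constructor arguments are ABI-encoded and appended after the init code,
    so a single uint argument is the final 32 bytes of the deployment input.
    """
    data = creation_data.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    raw = bytes.fromhex(data)  # raises ValueError on non-hex or odd-length input
    if len(raw) < 32:
        raise ValueError("creation data is shorter than one 32-byte ABI word")
    return int.from_bytes(raw[-32:], "big")


def next_state(state: int, a: int, c: int, m: int) -> int:
    """Mirror `currentState = (a * currentState + c) % m` from guess()."""
    if m == 0:
        raise ValueError("modulus must be non-zero (the EVM call would revert)")
    total = a * state + c
    if total >= UINT256:
        # Solidity >= 0.8 reverts on overflow; older compilers wrap mod 2**256.
        raise OverflowError("a * state + c does not fit in uint256")
    return total % m


# Constructed creation data: placeholder init code followed by the value
# quoted in the write-up, padded to a 32-byte word.
INIT_CODE_PLACEHOLDER = "6080604052"  # not the real contract bytecode
SAMPLE_CREATION_DATA = "0x" + INIT_CODE_PLACEHOLDER + format(0x0C39B211, "064x")

# Placeholder constants (assumption): substitute the a, c and m declared in
# the challenge contract.
A, C, M = 1103515245, 12345, 2**31

if __name__ == "__main__":
    start = constructor_uint_arg(SAMPLE_CREATION_DATA)
    print(hex(start), next_state(start, A, C, M))
```

Anything passed to a constructor is part of the public deployment transaction, which is why the seed here offers no secrecy.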

The flag we get by asking the nc server is 404CTF{r4Nd0Mn3ss_1S_NOt_s0_345y}

This post is licensed under CC BY 4.0 by the author.