# 内存排布

0x80所占的字节数是32字节，MSB是\x00，LSB是\x80，因为EVM是大端机，所以说MSB存储在低地址，也就是MSB从地址0x40开始存储，一直到0x5f地址处的字节为LSB\x80

# function type

Calling an internal function is realized by jumping to its entry label, just like when calling a function of the current contract internally.

# 调试

## web3py

web3py的原理是使用JSON-RPC（remote process communication）协议向节点发送指定的RPC操作，接收节点传回的数据。这里的节点就是我们用geth启动起来的。

# Exploit

## 实例分析

1. Calculate target = keccak256(keccak256(msg.sender||3)) + 2
计算.FailedAttempt 起始地址，+2是发生重叠的地址
2. Calculate base = keccak256(2).
计算safebox起始地址
0x405787fa12a823e0f2b7631cc41b3ba8828b3321ca811111fa75cd3aa3bb5ace
3. Calculate idx = (target - base) // 2.
0x26f45c99c6c0dbc5c3aa250b8321d7f68038b0d051dbb359b3bd07b0b00fc5c8
4. If (target - base) % 2 == 1, then idx += 2, and do step 7 twice. This happens when the triedPass of the first element of failedLogs does not overlap with the callback variable, so we choose the second element instead.
(nop)
5. If (msg.sender << (12*8)) < idx, then choose another player account, and restart from step 1. This happens when the overwritten length of safeboxes is not large enough to overlap with failedLogs.
(nop)
6. Call deposit(0x000000000000000000000000) with 1 ether.
满足safeboxes数组有一个元素，可以进入onlyPass
7. Call withdraw(0, 0x111111111111110000070f00).
进入onlyPass布置callback指针
8. Call withdraw(idx, 0x000000000000000000000000), and the SendFlag event will be emitted.
执行callback指针

• Retr_0
• tkmk
• pikachu