未包含sendAction的智能合约
// The range straddles the 0.4 -> 0.5 breaking changes: `address a; a.transfer(...)` only
// compiles at the 0.4.x end, since 0.5+ requires `address payable` for transfer().
// NOTE(review): the auxdata prefix a165627a7a72305820 (bzzr0) shown on this page is
// consistent with an older compiler — confirm the exact solc version before re-compiling.
pragma solidity >=0.4.22 <0.7.0;
/// "Before" sample for the bytecode comparison on this page.
/// Its only entry point is mapSet(uint256); the dispatcher in the runtime code compares
/// the single selector 5983671f. Comments do not alter the runtime code, but they do
/// change the metadata hash in the auxdata (which this page treats as out of scope).
contract creatObject {
    /// Forwards the whole attached ETH (msg.value) to a hard-coded destination.
    /// @param actionNum Unused: the body never reads it, so it only shapes the selector.
    /// NOTE(review): the destination is fixed at compile time and the contract has no
    /// withdraw/admin function, so there is no way to change or recover anything later.
    function mapSet(uint actionNum) public payable {
        address a = 0x114330783bb97174154dfae5d1c677c724317aa4;
        // transfer() compiles to a CALL with the 2300-gas stipend (PUSH2 0x08fc ... f1 in the
        // runtime code) followed by an ISZERO check that reverts on failure, so a recipient
        // that reverts or needs more gas makes this call revert as well.
        a.transfer(msg.value);
    }
}
对应字节码
部署代码:
608060405234801561001057600080fd5b5060c08061001f6000396000f300
runtime code:
608060405260043610603e5763ffffffff7c01000000000000000000000000000000000000000000000000000000006000350416635983671f81146043575b600080fd5b604c600435604e565b005b60405173114330783bb97174154dfae5d1c677c724317aa49081903480156108fc02916000818181858888f19350505050158015608f573d6000803e3d6000fd5b5050505600
Auxdata
a165627a7a723058203367ecb3ff444b417e07778454743a97ec108c35856766fb2b12671240f3dc1c0029
添加完sendAction方法后的合约
// Same range as the first sample; see the note there — transfer() on a plain `address`
// compiles only under 0.4.x within this range.
pragma solidity >=0.4.22 <0.7.0;
/// "After" sample: the same mapSet plus sendAction. The runtime code on this page now
/// dispatches on two selectors, 3c8291f0 (sendAction) before 5983671f (mapSet).
contract creatObject {
    /// Forwards the whole attached ETH (msg.value) to a hard-coded destination.
    /// @param actionNum Unused; it only contributes to the function selector.
    function mapSet(uint actionNum) public payable {
        address a = 0x114330783bb97174154dfae5d1c677c724317aa4;
        // transfer(): 2300-gas CALL that reverts when the call fails
        // (the f1 ... ISZERO ... revert sequence in the runtime code).
        a.transfer(msg.value);
    }
    /// Intentionally empty apart from an unused local: its body compiles to a
    /// JUMPDEST / POP / JUMP stub (5b 50 56 in the runtime code), so the only
    /// effect of adding it is the extra selector in the dispatcher.
    /// @param actionNum Unused.
    /// NOTE(review): it is payable but does nothing with msg.value, and no function in this
    /// contract can move the balance out, so ETH sent here is locked in the contract.
    function sendAction(uint actionNum)public payable{
        address a = 0x114330783bb97174154dfae5d1c677c724317aa4;
    }
}
对应字节码
部署代码
608060405234801561001057600080fd5b5060d68061001f6000396000f300
与未添加sendAction合约的字节码对比
不同原因为入栈参数不同,我推断这应该为跳转函数在字节码中的位置
runtime code
60806040526004361060485763ffffffff7c01000000000000000000000000000000000000000000000000000000006000350416633c8291f08114604d5780635983671f146058575b600080fd5b60566004356061565b005b60566004356064565b50565b60405173114330783bb97174154dfae5d1c677c724317aa49081903480156108fc02916000818181858888f1935050505015801560a5573d6000803e3d6000fd5b5050505600
与未添加sendAction合约的字节码对比
这改变太多看不出来,看一下指令
函数跳转的更改
对函数进行比较，这里的不同应该是新添加的sendAction方法的函数hash的前四个字节；图片左边因没有该方法，所以只需对比唯一的函数hash即可，图片右边则要比较两个。
Auxdata(不用考虑)
a165627a7a72305820cddd9dd32ba8f4b03f0abfb740a811198db513d7b17158f7141823124f8a08e90029
与未添加sendAction合约的字节码对比
抵押代码的更改
runtimecode函数执行
栈状态
改完字节码之后
608060405234801561001057600080fd5b5060c08061001f6000396000f300608060405260043610603e5763ffffffff7c01000000000000000000000000000000000000000000000000000000006000350416635983671f81146043575b600080fd5b604c600435604e565b005b60405173114330783bb97174154dfae5d1c677c724317aa49081903480156108fc0291600081818185888b89fb93505050501580156090573d6000803e3d6000fd5b5050505600a165627a7a7230582033762faeb1bbe5e3c52ebcc8311e43cfb5ef1137eb231c0c1e046ab1b584d21f0029
其更改部分处为
其逻辑为：我们需要比call多出栈一个参数，此参数为typeNum，所以要把typeNum在栈里放到相应位置。此合约的更改有两处：第一处是在dup9(字节码指令为88)后添加一个dup12(8b)，并将后边的dup9改为dup10(字节码指令由88改为89)；第二处是将函数返回地址由0x8f改为0x90(由于多加了一个dup12指令，所以应将返回地址向后移一位)。