# Walkthrough: Huff Challenge #4 By [PraneshASP ⚡](https://paragraph.com/@praneshasp) · 2023-07-12 --- In this article, we are going to explore the solution to the [Huff Challenge 4.](https://twitter.com/huff_language/status/1583894073487654913) You can find walkthroughs for other challenges below: * [Challenge #1](https://seshanth.xyz/huff-challenge-1) * [Challenge #2](https://seshanth.xyz/huff-challenge-2) * [Challenge #3](https://mirror.xyz/dashboard/edit/zKE1HE3W4zadoOTBs23LfE9HAoBf5WRHqyWznBAO7OY) Also if you are new to huff and wanna learn how to test and deploy Huff contracts, [check out this article](https://mirror.xyz/0xF314e9Cc3D5F382669eeB01d31f421aF931b9eBB/H9-kta5z47jO-_Fg9Hv93D6xHcPCFgvfxCIQ26zI5hk). Alright let’s dive in. The Problem Statement: ====================== In this challenge, we're tasked with writing a Huff smart contract that reverses the calldata that it receives. Essentially, if you send data to this contract, it should be able to return the same data, but in reverse order. For those who don’t know, `calldata` is a type of input data that is sent along with a transaction. It's stored outside of the EVM's storage and memory, making it cheaper to use. Solution: ========= There can be multiple valid solutions to this challenge. I’m going to use one of the solutions posted by [@philogy](https://twitter.com/real_philogy/status/1583911587768766464) for this walkthrough. #define constant NEG1 = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff #define macro GET_CALLDATA_BYTE() = takes(1) returns(1) { calldataload 0xf8 shr } #define macro MAIN() = takes(0) returns(0) { calldatasize not_empty jumpi returndatasize returndatasize return not_empty: calldatasize returndatasize copy_bytes_iter: // [i, j + 1] swap1 // [j + 1, i] [NEG1] add // [j, i] dup2 dup2 // [j, i, j, i] dup2 GET_CALLDATA_BYTE() // [cd[i], j, i, j, i] dup2 GET_CALLDATA_BYTE() // [cd[j], cd[i], j, i, j, i] swap2 // [j, cd[i], cd[j], i, j, i] mstore8 // [cd[j], i, j, i] swap1 mstore8 // [j, i] swap1 0x1 add // [i', j' + 1] dup2 dup2 // [i', j' + 1, i', j' + 1] lt copy_bytes_iter jumpi calldatasize returndatasize return } Let me break it down for you. Firstly, the constant `NEG1`, a 256-bit number representing -1 in two's complement form. This constant will be useful for offsetting indexes. #define constant NEG1 = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff Next, a macro called `GET_CALLDATA_BYTE()` is defined. This macro fetches one byte of calldata at a specified index. `calldataload` is an EVM [opcode](https://www.evm.codes/) that loads 32 bytes of calldata from a specific index. However, we're only interested in a single byte, so we shift right (`shr`) by 248 bits (`0xf8`) to isolate the byte we need. #define macro GET_CALLDATA_BYTE() = takes(1) returns(1) { calldataload 0xf8 shr } Next comes the `MAIN()` macro. The first part of `MAIN()` is a short check for whether any calldata is present: calldatasize not_empty jumpi returndatasize returndatasize return Here, `calldatasize` gets the size of the calldata. If the size is non-zero (meaning calldata is present), the control jumps to the `not_empty` label. If the size is zero (no calldata), then it immediately returns. After confirming that calldata is present, the size of the calldata is fetched and pushed to the stack. not_empty: calldatasize returndatasize Next comes the spiciest part. The logic to reverse the calldata, one byte at a time. Let's divide the `copy_bytes_iter` block into smaller chunks and discuss each one: **Block 1: Index preparation and byte retrieval** copy_bytes_iter: // [i, j + 1] swap1 // [j + 1, i] [NEG1] add // [j, i] dup2 dup2 // [j, i, j, i] dup2 GET_CALLDATA_BYTE() // [cd[i], j, i, j, i] dup2 GET_CALLDATA_BYTE() // [cd[j], cd[i], j, i, j, i] In this first block, we prepare the indices and retrieve the bytes to be swapped. We first swap `i` and `j + 1` then subtract 1 from `j + 1` to get `j`. After duplicating `j` and `i` for later use, the `GET_CALLDATA_BYTE()` macro is invoked twice to get the `i`th and `j`th bytes (`cd[i]` and `cd[j]`) from the calldata. **Block 2: Byte swapping** swap2 // [j, cd[i], cd[j], i, j, i] mstore8 // [cd[j], i, j, i] swap1 mstore8 // [j, i] In the second block, the swapping of the bytes takes place. The contract swaps `cd[i]` and `j`, then uses `mstore8` to store `cd[j]` at the `i`th position and `cd[i]` at the `j`th position. At the end of this block, `j` and `i` are left on the stack. **Block 3: Loop iteration and continuation** swap1 0x1 add // [i', j' + 1] dup2 dup2 // [i', j' + 1, i', j' + 1] lt copy_bytes_iter jumpi In the third block, `i` is incremented to move on to the next byte from the start. The indices `i'` and `j' + 1` are then duplicated for comparison. If `i'` is less than `j' + 1`, the loop continues and jumps back to `copy_bytes_iter`. Otherwise, the loop terminates, and the contract proceeds to the next stage. By repeating these steps, the `copy_bytes_iter` block swaps all pairs of bytes in the calldata until all bytes are reversed. **GitHub link to the PoC:** [https://github.com/minaminao/ctf-blockchain/tree/main/src/HuffChallenge/challenge4](https://github.com/minaminao/ctf-blockchain/tree/main/src/HuffChallenge/challenge4) --- *Originally published on [PraneshASP ⚡](https://paragraph.com/@praneshasp/walkthrough-huff-challenge-4)*