
CALL signature not obvious #2

Open
MatthiasEgli-chainsecurity opened this issue Jan 13, 2019 · 2 comments

Comments

@MatthiasEgli-chainsecurity

The signature of CALL is not obvious. As an example, this is the one from the withdrawEther function of the Binance (0xB8c77482e45F1F44dE1745F52C74426C631bDD52) token:

[
  "CALL",
  [
    "MUL",
    2300,
    [
      "ISZERO",
      [
        "cd",
        4
      ]
    ]
  ],
  [
    "MASK_SHL",
    160,
    0,
    0,
    [
      "STORAGE",
      160,
      0,
      4
    ]
  ],
  [
    "cd",
    4
  ],
  96,
  0,
  96,
  0,
  0,
  0
]

The operands on the EVM level are gas, to, value, in offset, in size, out offset, out size, but those don't match the numbers here.

@kolinko
Collaborator

kolinko commented Jan 14, 2019

The order is almost identical in Eveem, but with two extra parameters at the end:

('CALL', gas, addr, wei, arg_start, arg_len, ret_start, ret_len, fname, fparams)

fname is the name/4-byte descriptor of the function being called (if possible to figure this out), and fparams are the function call parameters (if possible to figure out).

They may be zero in two cases - when in_size = 0, or when in_size > 0, but the decompiler couldn't figure out what exactly the memory contains (happens very rarely).

In the case you specified:

gas == 2300 * !param0
to == addr(storage4) (== ownerAddress in case of Binance)
value == param0 (== _amount)
in_offset = out_offset = 96
in_size = out_size = 0

Does it sound right?

And yeah, it needs docs :)
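Putting the mapping from the reply above into code: the helper below is an added example, not Eveem's own code and not part of this issue. It takes the nested-list CALL expression posted in the issue body, labels its positional operands with the Eveem field names from the reply (the seven EVM-level operands plus fname and fparams), and renders each operand in the reply's notation. The rendering rules (calldata offset 4 + 32*i shown as param{i}, a 160-bit masked STORAGE read shown as addr(storageN)) and the is_plain_value_transfer check are my own assumptions for illustration, not documented Eveem behaviour.

```python
# Added example (not Eveem code): decode an Eveem-style CALL expression into
# named fields and render the operands the way the reply above does.
from typing import Any, Dict, List

# Field names in Eveem's CALL tuple as given in the reply; the first seven are
# the EVM-level operands (gas, to, value, in offset/size, out offset/size),
# the last two are the decompiler's extras.
EVEEM_CALL_FIELDS = ("gas", "addr", "wei", "arg_start", "arg_len",
                     "ret_start", "ret_len", "fname", "fparams")

# Constructed copy of the CALL expression from the issue body (Binance
# withdrawEther), written as a Python nested list.
SAMPLE_CALL: List[Any] = [
    "CALL",
    ["MUL", 2300, ["ISZERO", ["cd", 4]]],
    ["MASK_SHL", 160, 0, 0, ["STORAGE", 160, 0, 4]],
    ["cd", 4],
    96, 0, 96, 0, 0, 0,
]


def render(expr: Any) -> str:
    """Render a sub-expression in the reply's notation.

    Assumed conventions (mine, not Eveem's): calldata word at offset 4 is the
    first ABI parameter, so ["cd", 4 + 32*i] becomes param{i}; a STORAGE read
    is shown as storage{slot}; MASK_SHL 160,0,0 over it is an address read.
    """
    if not isinstance(expr, list):
        return str(expr)
    op, args = expr[0], expr[1:]
    if op == "cd":
        off = args[0]
        if off >= 4 and (off - 4) % 32 == 0:
            return f"param{(off - 4) // 32}"
        return f"cd[{off}]"
    if op == "ISZERO":
        return f"!{render(args[0])}"
    if op == "MUL":
        return " * ".join(render(a) for a in args)
    if op == "STORAGE":
        _size, _offset, slot = args[:3]  # bit size/offset are dropped here
        return f"storage{slot}"
    if op == "MASK_SHL" and len(args) == 4:
        size, offset, shift, inner = args
        if (size, offset, shift) == (160, 0, 0):
            return f"addr({render(inner)})"
        return f"mask{size}({render(inner)})"
    return f"{op}({', '.join(render(a) for a in args)})"


def decode_call(expr: List[Any]) -> Dict[str, Any]:
    """Map the positional CALL operands to Eveem's field names.

    fname/fparams are 0 when the decompiler could not recover them (as in
    the sample) and may be absent entirely, so they default to None.
    """
    if not expr or expr[0] != "CALL":
        raise ValueError("not a CALL expression")
    operands = expr[1:]
    if len(operands) not in (7, 9):
        raise ValueError(f"expected 7 or 9 CALL operands, got {len(operands)}")
    fields: Dict[str, Any] = dict(zip(EVEEM_CALL_FIELDS, operands))
    fields.setdefault("fname", None)
    fields.setdefault("fparams", None)
    return fields


def summarize(expr: List[Any]) -> Dict[str, str]:
    """Rendered view of every field, 'unknown' where fname/fparams are 0/None."""
    fields = decode_call(expr)
    out = {k: render(v) for k, v in fields.items() if k not in ("fname", "fparams")}
    for k in ("fname", "fparams"):
        out[k] = render(fields[k]) if fields[k] else "unknown"
    return out


def is_plain_value_transfer(expr: List[Any]) -> bool:
    """True when no calldata is passed and no return data is read (assumed
    check): the call carries only ether, as in the withdrawEther sample."""
    fields = decode_call(expr)
    return fields["arg_len"] == 0 and fields["ret_len"] == 0


if __name__ == "__main__":
    for name, text in summarize(SAMPLE_CALL).items():
        print(f"{name:>9} = {text}")
    print("plain value transfer:", is_plain_value_transfer(SAMPLE_CALL))
```

Running it on the sample yields gas = 2300 * !param0, addr = addr(storage4), wei = param0, arg_start = ret_start = 96, arg_len = ret_len = 0, fname and fparams unknown, which is the reading given in the reply. The odd-looking gas term is the Solidity transfer/send idiom: the EVM grants a 2300 gas stipend to any call that carries non-zero value, so the compiler passes 0 gas when the value is non-zero and 2300 when it is zero, and the callee always ends up with 2300 either way. Together with zero-length calldata and return data, that marks this CALL as a plain ether transfer rather than a function call.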

