This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug.
The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort:
// v: VM, o: array object, func: compare func
| Welcome to Jordan's grab-bag of common Binary Ninja Snippets. | |
| These snippest are meant to run with the Binary Ninja Snippets Plugin | |
| (http://github.com/Vector35/snippets) though they can all also be pasted | |
| directly into the python console or turned into stand-alone plugins if needed. | |
| To install the entire collection at once, just install the Snippets plugin via | |
| the plugin manager (CMD/CTL-SHIFT-M), confirm the Snippet Editor works | |
| (Tool/Snippets/Snippet Editor), and unzip this bundle (Download ZIP above) into | |
| your Snippets folder. |
