Diffstat (limited to 'src/js/primitives/mem.js')
-rw-r--r--src/js/primitives/mem.js33
1 files changed, 32 insertions, 1 deletions
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 6e21fb0..b5078eb 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -257,6 +257,37 @@ function _sptr(s) {
return global_sptr_addy - s.length;
}
+
+/*
+ * _sptr is meant to give you a pointer to a specified string
+ * remember your nul's!
+ */
+function shit_heap(v) {
+ if ((sptr_len + v) >= sptr_size) {
+ /*
+ * expand sptr heap if it's too small
+ * this will technically fail if the string is over 1MB, and will then
+ * cause a heap overflow, but eh whatever
+ *
+ * sometimes it's fun to include esoteric bugs that are unlikely to
+ * cause real harm, to add an exploitation challenge. :P
+ */
+ var dlsym_addy = read_u32(reserve_addr + 24 + slid);
+ var shc_slide = read_u32(reserve_addr + 20 + slid);
+ write_str(0x150000, "realloc\0");
+ sptr_size += 0x100000;
+ var addy = call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x150000, 0, 0);
+ global_sptr_addy = call4arg(addy, global_sptr_addy, sptr_size, 0, 0);
+ }
+// write_str(global_sptr_addy, s);
+ global_sptr_addy += v;
+ return global_sptr_addy - v;
+}
+
+function shit_heap_free(v) {
+ return;
+}
+
/*
* sptr but with nul
*/
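Review bot: The expansion guard on the `if ((sptr_len + v) >= sptr_size)` line tests `sptr_len`, but the function only advances `global_sptr_addy` and never touches `sptr_len`, so unless it is maintained elsewhere the branch never fires and allocations silently run past the arena; adding `sptr_len += v;` beside `global_sptr_addy += v;` would keep the guard meaningful. When the branch does fire, the `realloc` call may relocate the arena, which invalidates every pointer earlier calls returned, so the function's comment should state that callers must not hold a returned pointer across a later `shit_heap` call. The header comment above `shit_heap` is copied from `_sptr` and describes that function instead; replace it with something like `/* shit_heap: bump-allocate v bytes from the sptr arena and return their address; shit_heap_free is a no-op */`. The commented-out `write_str(global_sptr_addy, s);` line references `s`, which is not a parameter here, and should be dropped rather than left as dead code. `_sptr` begins before this hunk; both new functions are shown in full.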
@@ -310,4 +341,4 @@ function setup_fancy_rw() {
fancy_rw = true;
printf("%08x\n", u8x4_to_u32([parent[0x5000], parent[0x5001], parent[0x5002], parent[0x5003]]));
-} \ No newline at end of file
+}