 We just had our super-latest meeting on, what's the, oh, 420? No relation. And so now we're going to go through, like we went all the way through Scandia 2, I believe, and Scandia 3, so now we're going to walk through some of the other ones. So, somebody explain, I pray, to me. So, all you have to do is call parent.all-upper-case-window. Probably winning it. I'm guessing what I have in here is not right now. But before you do that, you probably need to, you should be getting, so if you look at the console, you should be getting an error on your console that says, you want sandbox access violation blocked. Yes. So, turn off sandbox checking. Turn off the same origin policy checking in your browser and then run the same thing. I said, I said, I said it was, it was, was it cheating? I have an alternative solution, but I haven't gotten it to work yet. I have an alternative possibility, I should say. Is that, I mean, It gets you to win, technically. It gets you to flack, but the, I mean, Yeah, I mean, even though it's called an alert function. Which is what I was doing for zero character. Yeah, exactly. Yeah. You figure out how the game works and do it that way. Oh, that makes sense. I tried that, I mean, I try to post, I try to post back or whatever. You go into the context of the iframe and they call alert and it just stops. Yeah, exactly. That makes sense to you. Yeah. That's the way to do zero on that one. Okay. So, I didn't say no. Okay. I don't know. There's an alternative that I haven't gotten to work yet, but it's possible. If you take that URL that they have there. Yeah. And copy it into your, just into a browser window. And replace for IAM with alph.new. It works. So. Oh, so maybe it was like what Yann was saying last time. We created a new iframe to this guy with JavaScript code that you can walk up parent to parent. Yeah, that was my hope. I haven't gotten to work yet though. When I got the other way to work, I was like, done. 
Ideally, the situation would be this is like running on someone else's server. Now, whatever we're doing. The solutions were the best solutions, 13 characters. So I don't, I did something. I think I ended up doing it that way. Yeah. This feels like a real way to do it is. Yeah. Super interested to see how, because you need what, is this injecting a frame in there? Well, so here's the, here's the other issue. Yeah. Is that your origin is set to null. And so that's the hang up that I got with doing it this way. But when I said, when I created a new iframe, that should have the new origin of this guy. It could. You could try it. Just do parent.window.top.alert. Well, inside of script tags, but you might as script URL. I do. Is that built in or is it? No, it's a custom thing. But you don't have to URL code. It says, untest this, which one? Inspect this. It shows us the iframe here. Document. So inside this document is another iframe, the 4im iframe inside there. Are you on HTTPS or HTTPS? Well, parent, parent's not enough. It needs to be like parent, parent, parent, parent, parent. Yeah. There's a lot. So you're just going to try top. Yeah. If you look at how their code actually works, it's embedded several times, which is all the clicking you have to do in them. Right. Okay. Look at it here. Yeah. Oh, it's inside of script tags. Oh, right. Because it auto adds a script tag. So just escape a script tag. You can see the iframe. But we're still not getting there. Did you do window.top or did you do? I just did top. Do I do window.top? I thought it was window.top, but it may not be. Are we getting the same origin error? The old window.top is not defined. Oh, yeah. You got to spell it right. Window. It's hard to spell. Oh, you know what? It's not... Try like three parents. It's not in top either. Winning's not in top. It's in... Yeah. See if that works. Maybe try one more. And keep going. Wait. I need to actually call it though, right? Yeah. That makes it... 
I'd start back in two. Maybe there's something special you could do. When you do window.parent, won't you be in the context of the 4i frame and won't be able to do .parent again due to same origin? Oh, yeah. So... Zero ID. You probably have to go top and then child. Yeah. Or top and then get element by... Or get element ID. Element. Or tag. Tag? Wait. I have two. Is there any... To do your own code in Emacs? I need the scripts. Well, you wrote up a good point. When you go to this next parent, you hit the... You're on the wi. You're on the other website. So, can you even go to parent? So, can you even go to parent? The context of the origin of 4i? So, you do top and then can you go backward? Yeah. That's what I've said. You have to go top, find the div. How is the same origin policy in force? Is it, like, attached to the elements themselves? Good question. I do not know. I mean, all it states that you can't run JavaScript from a different server on the current server. Yeah. But we have, like, this thing where it's our server, and then inside of it's the 4i, and then inside of that is ours. Right. Can we go top and then back down one? That's the question. Yeah. Does the iframe have, like, a name? Yes. Well, you can do a find by tag. Get an element by tag name. And then just find my iframe. Well, yeah. Just search for iframe then. Just search by iframe. On load equals e1. Do childab or child or something. Yeah. Sorry. Epic fail. I mean, it's a good workaround. I just don't, like, look right there. But I feel like this should be it. It should know, it should be able to figure out who's the caller, like, what caller the original object is in when it's accessing something. I feel like the SOP is enforced in the browser JavaScript engine. So, anyway, figures this out, they should probably email the list, because I think they'll move on. All right. T-SIM. All right. I feel like I got close on it, but... So you finished that? No, no, no, I didn't. No. No, no, no. 
I got iframe. No? When you were working on it, I spent so long working on this one, I thought I'd gotten it. And I was able to get, I was able to figure out a few things. So when it does the image source, it is executing whatever's in there. So if you have an HTTP request, which you have to to get there, it will execute it, but there's no way... Image source break only goes in fetches or something. So it will hit something. Well, it'll run a JavaScript as well. You don't think it will? Why would it fetch and not run? But you can't, you're not getting it into there. You have to have, you have to prepend it with alert. Yeah, with that. And so I think that the HTTP is over... Yeah. ...is setting, you know, it... Yeah, I believe with that. It's got to be the first... Yeah, JavaScript 3. RFC 4627. So this one was incredibly difficult. It took most of the time. The idea is we found this handy-dandy Stack Overflow page that is invoking a function without using any parentheses. And then basically there are multiple methods in here, but the way that's very nice is you create an object and you have a valueOf property of that object. And so when it's added to something else, it will then call whatever function is there. And the important thing here is they gave us this function called the easy but expensive way out that we had to call with no... If we called it with no arguments, it would execute alert. And so the tricky thing here is you can only use these characters that are not within double quotes. So you can use any character within double quotes, but you can't use any of... Sorry, the rest of it can only be these specific characters. And so what we had to do was we had to use an object, call valueOf, create a valueOf property. Even though you can't use these characters inside double quotes, it still works and it still works for the object. Then we can do self. 
So the other thing I did was I ran a JavaScript function to evaluate this across all of the global objects in window. So then I saw that self-alert and there's one other one actually passed these checks. Was this self-pass? S, there's E, L, F. And I think S is between R and F. Oh, yeah. That means everything's from R to F. So then we called the easy but expensive way out and then I was going to pull my hair out because when you do this, it doesn't work. It gives you zero because you call the alert zero. So you have to then... It's brought back from the edge. And you can see it here in the output. The broom was the one we just saw before recording this. Oh, actually. Yes. You stop calling it twice. Can you, in the first half, you already have access to self and maybe you can somehow access I and set it equal to one. So possibly the key problem is I... So A, you can't use equal sign in here. So you can't use the equal sign. And then B, the important thing about I here is that I's scope is only in this function. So even if you set I equal to one, it's not going to change this specific I because the I that we refer to in this scope is going to be a global I that we just created. You may be able to do something weird. If you've got access to this, you may be able to access the closure because basically this function goes over this I variable and have a reference to it. So there may be some way to access it. But yeah, that would be a good other way to do it. It was incredibly difficult. Apparently JavaScript is this horrible syntax of interpreted strings. So luckily we used that same handy-dandy Stack Overflow, invoking a function without parentheses. And this took us to template literals with one of these. So this one's really difficult because you can't use new lines. You can't use semi, you can't use slashes. So no slash U nonsense. No semicolons, no commas, no parentheses, no brackets, no left angle braces. 
And it turns out that there is this template literals where you can put string text and you can so the idea, I guess, looks to be like instead of creating strings like concatenating strings, you can do PHP and embed expressions inside of your strings using backticks. The other crazy thing is you can put, if you put a function before this tag, so here's this my tag and then we have a thing with backticks and that calls this my tag function and it passes parts of the string to that function. So that's what we're using essentially here with this String.fromCharCode. So this will return, this will pass the string 42 into the String.fromCharCode, which will then stuff, does stuff. What does it do? Has on doubt. Would you then... Oh, that will return the right parentheses character. But the trick is getting that to something that will actually execute and evaluate it. So if you try to pass that to eval, it won't work. Oh, if you try to pass it to alert, so the very first thing we did was... Yay! That doesn't... Oh, we have to do the classic escape. I think we're trying to type. Alert1 must be the number one and not a string one because that makes a ton of difference. So annoying. So you can't do that and if you try to do, so you think, oh, the next thing we do one plus zero in here. But now you get this alert thing, which is what it's doing. Show us a while to find out. So this templating thing, when you pass it to this tag, if you have any string interpretations, each string interpretation is passed as a second argument and then all the other strings are put into an array that's the first argument. So your first argument that you're passing to alert is essentially an empty array or an array of length two with two empty strings in it. And for whatever reason, when it turns that into a string, it turns it like this. So that's why you need this trick, basically. So the idea is because we can't control... We can't... 
We want to do the string interpretation because we want to concatenate a string together and build up a string dynamically. But we can't pass that to the first argument of a function. So we found the function argument. The function will put essentially the... One of them will be... One of its arguments will be this string that's here as the string interpretation. So here, then, inside the string interpretation, we do alert and then we concatenate a string from character code using another backtick interpretation inside of the backtick interpretation, which gives us the left quote, concatenate that with one, and then concatenate that with the right quote and somehow this works. KZK. So the first thing you do is just close the console.log. Instead of the slashes, just do a semicolon. And then just go to JSF and then copy and paste. Oh, end it with a semicolon and two slashes. Yeah, first two slashes. Well, you're not at 49. There seems to be a big difference here. Yes. But you did it with 86. Did you actually do it? No. It's getting somehow messed up when I tried to make it zero and it's like realizing there's an error and it's like using my old stuff and I don't know what's going on in the system. Were you just trying to do zero for all of them just to do it? Yeah. But it breaks stuff and starts using all their values for some reason. So probably using the tricks that we've learned about at these other two levels, you'll probably get this down to a reasonable size, but a no-vowels thing is weird. I just saw those. I was like, oh, they're not going to get rid of brackets. Exactly. Brackets. So there's multiple versions of this, right? Yeah. Yeah, they probably get harder and harder in that aspect. Regex for the second one. Replace what? X bar U00? Yeah. What is that? I don't know. You have to use a JavaScript parameter expression and things to figure out what it's actually looking for. How do you write expressions? U and Holborn. I don't remember what. 
Bar, square brace, 57, right brace. All right. Anybody have anything else to say? Goodbye.