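//-------------------------------------------------------------------------------------------------------
// Copyright (C) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------

// Regression test for an integer overflow in the size computation that
// encodeURI performs before allocating its output buffer (see the arithmetic
// in exploit() below). It relies on the WScript.Echo host function, so it only
// runs under a script host that provides WScript.
//
// NOTE(review): the expected output is not shown here. Presumably an engine
// with a checked (or 64-bit) size computation either fails the allocation
// cleanly, which the catch at the bottom reports, or returns the full-length
// string -- confirm against the test baseline.

/**
 * Builds a string made of exactly `n` copies of `ch`.
 *
 * Precomputes ch repeated 1, 2, 4, ... times by doubling, then concatenates
 * the pieces matching the set bits of `n`, so only O(log n) concatenations
 * are needed.
 *
 * `1 << i` is a 32-bit signed shift, so the doubling loop only terminates
 * for n below 2^30; the single caller in this file stays under that.
 *
 * NOTE(review): the doubling loop and the start of the second loop were lost
 * when this listing was flattened; they are reconstructed from the surviving
 * decomposition loop -- confirm against the upstream test file.
 *
 * @param {string} ch - string to repeat
 * @param {number} n - non-negative repeat count (n < 2^30)
 * @returns {string} `ch` repeated `n` times
 */
function get_n_copies_of(ch, n) {
    var powers = new Array();
    powers[0] = ch;
    // powers[i] holds ch repeated 2^i times.
    for (var i = 1; (1 << i) <= n; i++) {
        powers[i] = powers[i - 1] + powers[i - 1];
    }

    var out = "";
    // Walk from the largest piece down, taking each power of two that still fits.
    for (var i = powers.length - 1; i >= 0; i--) {
        if ((1 << i) > n) continue;
        out += powers[i];
        n -= (1 << i);
    }
    return out;
}

/**
 * Drives encodeURI with an input sized so that a 32-bit output-size
 * computation wraps around, then prints the length of the result.
 *
 * Returns early, after printing a message, when the host cannot allocate
 * the input string.
 */
function exploit() {
    // The choice of character is somewhat important -- we need
    // something that expands out to 3 bytes in UTF-8 encoding.
    // In this case, U+20AC satisfies that requirement.
    var s1 = "\u20ac";
    var ss;

    try {
        ss = get_n_copies_of(s1, 477218589);
    } catch (e) {
        WScript.Echo("You don't have enough free memory or VA to run this -- you'll need as much as possible.");
        return;
    }

    WScript.Echo("SS length = " + ss.length + "\n");

    // encodeURI sums (3 * [number of UTF-8 bytes required]) for each character
    // Since we use a char with 3 bytes required, that means the encodeURI memory
    // allocation is 3 * 3 * 477218589 = 0x100000005.
    // This truncates when fit into a ulong to just 5.
    // The defect class is an unchecked multiplication feeding an allocation
    // size; the remedy is overflow-checked arithmetic (or a wider type) with
    // the request rejected when the product does not fit.
    WScript.Echo(encodeURI(ss).length);
}

// Any error raised while running the test (for example an out-of-memory
// error) is reported through its message instead of aborting the script.
try {
    exploit();
} catch (e) {
    WScript.Echo("Message: " + e.message);
}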