by daeken 3379 days ago
Yeah, so the approach I took to writing the core of the exploit (control over memory, basically) was very different than any other exploit I've seen for this vulnerability. Others smashed it with a bunch of buffers, with which you'd then attempt to get an overlap. Rather than that, I make a single ArrayBuffer and then a ton (2M) of Uint32Array views into that buffer. This makes controlling memory much more stable -- we have a 99.86% hit rate within the first 3 tries, all of which are automatic.

In terms of not crashing, it really comes down to appeasing the garbage collector. If there are non-object-objects on the heap (e.g. raw pointers just sitting there), the GC will explode and the whole thing crashes. So we take great care to ensure that only real JS objects exist at any point, outside of a few critical paths (which only last a few ms at worst). This leads to an insanely stable exploit base.

We're not really talking much about the execution environment yet, but what we can say is that it's really an upgraded (potentially rewritten?) 3DS OS.