Project Zero

Pointer leaks through pointer-keyed data structures

A Project Zero team discussion sparked the idea of searching for remote ASLR leaks, particularly on Apple devices. The goal was to find a way to leak a pointer remotely without relying on a memory safety violation or a timing attack, focusing on attack surfaces that deserialize attacker-provided data, re-serialize it, and return the result. Although no specific macOS/iOS attack surface was identified, the author built a test case using NSKeyedArchiver serialization that demonstrated a novel technique for leaking pointers in this way. The issue was reported to Apple and fixed in their March 2025 security releases; the post describes how the technique works with reference to the pre-fix code. The technique builds on earlier findings about partial pointer leaks and pointer ordering, and shows how data structures keyed by pointer values can leak addresses under specific conditions. The author shares the findings because the technique is interesting in its own right and may apply more broadly than the case examined here.