Project Zero

Pointer leaks through pointer-keyed data structures

Google Project Zero looked at why exploiting memory corruption bugs on Apple devices remotely generally requires an ASLR leak, and in the process found a technique for remotely leaking a pointer without any memory safety violation or timing attack. The technique applies to attack surfaces that deserialize attacker-provided data, re-serialize it, and return the result. No immediate real-world attack surface of this kind was identified on macOS/iOS, so the technique was tested against an artificial case built on NSKeyedArchiver. The issue was reported to Apple and fixed; because no real-world impact was demonstrated, no public bug tracker entry was made.

The technique builds on earlier work on hash table collision attacks. Historically, hashDoS attacks exploited worst-case hash table performance to cause denial of service, and earlier research had already hinted that hash collisions could be used to leak addresses. HashDoS can be viewed as an attacker slowing down access to specific hash buckets; this principle was applied in Firefox to leak heap addresses by timing JavaScript Map insertions. Simply iterating over a pointer-keyed data structure can also reveal information about the addresses of the objects used as keys, since the iteration order follows bucket position.

Serialization mechanisms, particularly those that accept arbitrary object graphs, can be unsafe. Apple's NSKeyedUnarchiver restricts deserialization to an allowlist of classes. The test case aims to leak a shared cache pointer by having NSKeyedUnarchiver deserialize and then re-serialize attacker-supplied data. Unless a class overrides it, an object's hash defaults to its address; the NSNull singleton does not override it, and since that singleton lives in the shared cache, its hash is a shared cache address. NSNumber instances, by contrast, are hashed from their numeric value. Dictionaries place keys by hash code modulo the number of buckets, so the order in which entries come back out depends on those hash values.