-
Notifications
You must be signed in to change notification settings - Fork 82
Offtopic #608
Activity
This is the decoded string payload:
["IMG","getElementsByTagName","length","src","","styleSheets","disabled","stop","toString","_orig","bind","now","performance","start","enumerable","configurable","writable","value","defineProperty","Object","script","createElement","async","textContent","appendChild","documentElement","removeChild","mzs__","substr","random","Math","(function(mz_str) {","})('","');","XMLHttpRequest","GET","open","responseType","text","load","addEventListener","error","send","var _a=\\[\"(.+)\"\\];","RegExp","match","\",\"","split","bf4bfd3ad268f00b1ac6fc8a32a5309a","parseInt","0","push","join","replace","document","tttZZZ2m","f4FFv","piguiqproxy.com/api","opener","_","callee","apply","tagName","IFRAME","target","contentWindow","removeEventListener","readyState","complete","write","writeln","docs","er_load","sc_load","er_listen","sc_listen","status","r","arg load fail, 204","log","console","href","location","session","vars","X-Meta-Request-Id","getResponseHeader","X-Location","proxy_host","host","URL","-","indexOf","responseText","=","encodeURIComponent","?","&","protocol","//","argon_enable=1","cookie","w","1","Apple","vendor","navigator","version/(\\d+)([0-9.]+) Safari","i","userAgent","dloaded","cr_el","<NO","FRA","MES>","close"]
Maybe you can hook onto it with abort-current-inline-script? Could have some race condition though.
How will we block it? Yes race condition will be prevalent as as it's the first inline script to be loaded for the browser.
##script:inject(abort-on-property-read.js, performance) needs to be tested. Should work as it's declarative against race condition.
Nope not working here - http://kimcartoon.me/Cartoon/Elena-of-Avalor-Season-2/Episode-1?id=76985&s=beta breaks the play button :(
@okiehsch any ideas ?
I added a fix for kimcartoon.me a few days ago.
uBlockOrigin/uAssets@858e494
kimcartoon.me##script:inject(abort-current-inline-script.js, MutationObserver, 676574456c656d656e747342795461674e616d65)
Unfortunately it doesn't have the desired effect. Connection to that proxy server is created when you change the player from the list OR delete all cache and cookies and refresh and then it trolls you by breaking the page/css.
You mean the connetion to piguiqproxy.com/api?
You can just noop that request.
||piguiqproxy.com/api$xmlhttprequest,redirect=noopjs,domain=kimcartoon.me
I did that already too but it still trolls and breaks the page. We need to break the script execution.
Hm, I just tried, the page is only broken if I block piguiqproxy.com/api, if I use
||piguiqproxy.com/api$xmlhttprequest,redirect=noopjs,domain=kimcartoon.me
the site works fine on my end.
Tested with Chrome and Firefox stable, same result, block it and you get an empty screen, noop it and the site works fine.
nooptext does also work on my end you can redirect it to anything you like, even
||piguiqproxy.com/api$xmlhttprequest,redirect=googlesyndication.com/adsbygoogle.js,domain=kimcartoon.me
works for me.
Works for me now, probably a cache issue before. Isn't there another alternative ? because they can always change the proxy server
I have not looked in to that, my task was to prevent the pulling of ads through
https://gist.githubusercontent.com/uBlock-user/9b42abf47162460a8bfdbc566726760e/raw/a1fee86ff670bf5419995ba35c8889925be31db3/gistfile1.txt
and
example.com##script:inject(abort-current-inline-script.js, MutationObserver, 676574456c656d656e747342795461674e616d65)
does achieve that even if they someday use piguiqproxy1.com.
12 remaining items
I think uBlock-user wants to be able to block all xhr-requests to piguiqproxy.com at the mentioned sites without breaking it, by disabling this script.
I want to stop the script execution before it does this - https://i.gyazo.com/a6c04079df52c0525311fb9585c0b1d3.png Am I the only one experiencing this ?
@okiehsch Your filter doesn't stop that on kimcartoon.me, so the issue is not solved, you would have to add that $redirect filter otherwise this will continue to happen until users are forced to whitelist that 3rd party server. Ads are no longer the problem but being trolled like this is.
and this script has already been used by some websites I regularly visit and others will be encouraged to use this script if we don't put a stop to it already.
Nevermind, blowing up performance works now, I have removed the $redirect filter. Closing the issue. Feel free to open the issue if you want to.
@jspenguin2017 What tool did you use to deobfuscate that js ? I have few scripts I would like to use it on them too.
It's a custom... well, not really custom. But here it is:
https://jspenguin2017.github.io/JavaScriptDecompiler/
You'll need to manually run some code in the console to decode the code you shown in the opening.
You'll end up reading a lot of obfuscated code either way. Don't expect that you can figure it out in a short amount of time if you never done it before, learning a new thing isn't easy, and trying to read obfuscated code without previous programming experience is just going to make the learning process more painful.
I figured out one decoded string but the rest seems like a pain. Also that one has lots of tools which one did you use ?
If the string has a lot of \x in it, use UnHex, if it has a custom encoding, then Unminify plus F12 console.
The most painful ones are encrypted strings where the key is different for each string, in that case you'll probably want to read over the code and decrypt whatever interests you instead of trying to decrypt everything.
For packed scripts, unpack it with JS UnPacker (or F12 console if that doesn't work) before doing further analysis. For JSFuck use JS Unfuck.
If you still can't find anything that looks like a string array, then they are probably using some proprietary obfuscation engine (free ones pretty much always create a string array), in that case, I recommend you to do runtime analysis instead.
Also, never run untrusted code in Node. Open a blank page and use the console, that is sandboxed.
Update - Another source is served on Firefox Nighly which doesn't have this script present at all, which makes it seem that they detect userAgent and serve another copy specifically for Chromium based browsers as it works on Chromium only, so in other words a Chromium exploit, just like InstartLogic does.
Chromium has a powerful debugger, but it sometimes can cause user land code evaluation. Chromium team is considering to add a special button for "Pause JavaScript and open debugger", that'll solve the problem.
https://bugs.chromium.org/p/chromium/issues/detail?id=672625
How does stopping the detection of devtools window answer this issue specifically ? Also I'm not opening devtools here at all. It simply serves a different source when it is Chromium. For example - try spoofing UA as FF 58 on https://postimg.org/image/3dv9z4fz0b/
A source without the above script is loaded.
Well, yea, you aren't opening DevTools, but if they serve it to an user agent that has a non-detectable DevTools, how do they stop you from debugging their script? Once it's served to your user agent it's too late.
I also found the payload in one swoop via Chrome Debugger -
["IMG", "getElementsByTagName", "length", "src", "", "styleSheets", "disabled", "stop", "toString", "_orig", "bind", "now", "performance", "start", "enumerable", "configurable", "writable", "value", "defineProperty", "Object", "script", "createElement", "async", "textContent", "appendChild", "documentElement", "removeChild", "mzs__", "substr", "random", "Math", "(function(mz_str) {", "})('", "');", "XMLHttpRequest", "GET", "open", "responseType", "text", "load", "addEventListener", "error", "send", "var _a=\["(.+)"\];", "RegExp", "match", "","", "split", "bf4bfd3ad268f00b1ac6fc8a32a5309a", "parseInt", "0", "push", "join", "replace", "document", "tttZZZ2m", "f4FFv", "piguiqproxy.com/api", "opener", "_", "<NO", "FRA", "MES>", "writeln", "close", "callee", "apply", "tagName", "IFRAME", "target", "contentWindow", "removeEventListener", "readyState", "complete", "write", "docs", "er_load", "sc_load", "er_listen", "sc_listen", "status", "r", "arg load fail, 204", "log", "console", "href", "location", "session", "vars", "X-Meta-Request-Id", "getResponseHeader", "X-Location", "proxy_host", "host", "URL", "-", "indexOf", "responseText", "=", "encodeURIComponent", …]
There's an inline-script which creates a connection to
piguiqproxy.comand checks whether it's loaded or not and if not, then breaks the page/css to force the user to whitelist itself and allXHRconnections it makes.Script - https://gist.githubusercontent.com/uBlock-user/9b42abf47162460a8bfdbc566726760e/raw/a1fee86ff670bf5419995ba35c8889925be31db3/gistfile1.txt
List of websites already using it - https://publicwww.com/websites/var+_o%2C_i%2Ca%3D%5B%5D%3Bfor%28_o%3D0%3B_o%3C_a.length%3B_o%2B%2B%29for%28a%5B_o%5D%3D%22%22%2C_i%3D0%3B_i%3C_a%5B_o%5D.length%3B_i%2B%3D2%29a%5B_o%5D%2B%3DString.fromCharCode%28parseInt%28_a%5B_o%5D.substr%28_i%2C2%29%2C16%29%29/
So I would like to know how would I go around blocking this one, apart from blocking the entire inline-script which works in some cases but not in all as it would break the website. It's probably heavily obfuscated too.
Test URLs
http://watchcartoonsonline.eu/https://torrentz2.eu/myYou will have to block
piguiqproxy.comto be able to reproduce.