Skip to content
This repository was archived by the owner on Oct 15, 2020. It is now read-only.
This repository was archived by the owner on Oct 15, 2020. It is now read-only.

Offtopic #608

@uBlock-user

Description

@uBlock-user

There's an inline-script which creates a connection to piguiqproxy.com and checks whether it's loaded or not and if not, then breaks the page/css to force the user to whitelist itself and all XHR connections it makes.

Script - https://gist.githubusercontent.com/uBlock-user/9b42abf47162460a8bfdbc566726760e/raw/a1fee86ff670bf5419995ba35c8889925be31db3/gistfile1.txt

List of websites already using it - https://publicwww.com/websites/var+_o%2C_i%2Ca%3D%5B%5D%3Bfor%28_o%3D0%3B_o%3C_a.length%3B_o%2B%2B%29for%28a%5B_o%5D%3D%22%22%2C_i%3D0%3B_i%3C_a%5B_o%5D.length%3B_i%2B%3D2%29a%5B_o%5D%2B%3DString.fromCharCode%28parseInt%28_a%5B_o%5D.substr%28_i%2C2%29%2C16%29%29/

So I would like to know how would I go around blocking this one, apart from blocking the entire inline-script which works in some cases but not in all as it would break the website. It's probably heavily obfuscated too.

Test URLs

http://watchcartoonsonline.eu/
https://torrentz2.eu/my

You will have to block piguiqproxy.com to be able to reproduce.

Activity

jspenguin2017

jspenguin2017 commented on Sep 20, 2017

@jspenguin2017
Owner

This is the decoded string payload:

["IMG","getElementsByTagName","length","src","","styleSheets","disabled","stop","toString","_orig","bind","now","performance","start","enumerable","configurable","writable","value","defineProperty","Object","script","createElement","async","textContent","appendChild","documentElement","removeChild","mzs__","substr","random","Math","(function(mz_str) {","})('","');","XMLHttpRequest","GET","open","responseType","text","load","addEventListener","error","send","var _a=\\[\"(.+)\"\\];","RegExp","match","\",\"","split","bf4bfd3ad268f00b1ac6fc8a32a5309a","parseInt","0","push","join","replace","document","tttZZZ2m","f4FFv","piguiqproxy.com/api","opener","_","callee","apply","tagName","IFRAME","target","contentWindow","removeEventListener","readyState","complete","write","writeln","docs","er_load","sc_load","er_listen","sc_listen","status","r","arg load fail, 204","log","console","href","location","session","vars","X-Meta-Request-Id","getResponseHeader","X-Location","proxy_host","host","URL","-","indexOf","responseText","=","encodeURIComponent","?","&","protocol","//","argon_enable=1","cookie","w","1","Apple","vendor","navigator","version/(\\d+)([0-9.]+) Safari","i","userAgent","dloaded","cr_el","<NO","FRA","MES>","close"]

Maybe you can hook onto it with abort-current-inline-script? Could have some race condition though.

uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author

How will we block it? Yes race condition will be prevalent as as it's the first inline script to be loaded for the browser.

uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author

##script:inject(abort-on-property-read.js, performance) needs to be tested. Should work as it's declarative against race condition.

uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author
uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author

@okiehsch any ideas ?

okiehsch

okiehsch commented on Sep 20, 2017

@okiehsch

I added a fix for kimcartoon.me a few days ago.
uBlockOrigin/uAssets@858e494

kimcartoon.me##script:inject(abort-current-inline-script.js, MutationObserver, 676574456c656d656e747342795461674e616d65)

deals with https://gist.githubusercontent.com/uBlock-user/9b42abf47162460a8bfdbc566726760e/raw/a1fee86ff670bf5419995ba35c8889925be31db3/gistfile1.txt

uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author

Unfortunately it doesn't have the desired effect. Connection to that proxy server is created when you change the player from the list OR delete all cache and cookies and refresh and then it trolls you by breaking the page/css.

okiehsch

okiehsch commented on Sep 20, 2017

@okiehsch

You mean the connetion to piguiqproxy.com/api?
You can just noop that request.
||piguiqproxy.com/api$xmlhttprequest,redirect=noopjs,domain=kimcartoon.me

uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author

I did that already too but it still trolls and breaks the page. We need to break the script execution.

okiehsch

okiehsch commented on Sep 20, 2017

@okiehsch

Hm, I just tried, the page is only broken if I block piguiqproxy.com/api, if I use
||piguiqproxy.com/api$xmlhttprequest,redirect=noopjs,domain=kimcartoon.me
the site works fine on my end.
Tested with Chrome and Firefox stable, same result, block it and you get an empty screen, noop it and the site works fine.

uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author

Why noopjs ? Wouldn't nooptext work ?

okiehsch

okiehsch commented on Sep 20, 2017

@okiehsch

nooptext does also work on my end you can redirect it to anything you like, even

||piguiqproxy.com/api$xmlhttprequest,redirect=googlesyndication.com/adsbygoogle.js,domain=kimcartoon.me

works for me.

uBlock-user

uBlock-user commented on Sep 20, 2017

@uBlock-user
Author

Works for me now, probably a cache issue before. Isn't there another alternative ? because they can always change the proxy server

okiehsch

okiehsch commented on Sep 20, 2017

@okiehsch

I have not looked in to that, my task was to prevent the pulling of ads through
https://gist.githubusercontent.com/uBlock-user/9b42abf47162460a8bfdbc566726760e/raw/a1fee86ff670bf5419995ba35c8889925be31db3/gistfile1.txt
and

example.com##script:inject(abort-current-inline-script.js, MutationObserver, 676574456c656d656e747342795461674e616d65)

does achieve that even if they someday use piguiqproxy1.com.

12 remaining items

uBlock-user

uBlock-user commented on Sep 21, 2017

@uBlock-user
Author

I think uBlock-user wants to be able to block all xhr-requests to piguiqproxy.com at the mentioned sites without breaking it, by disabling this script.

I want to stop the script execution before it does this - https://i.gyazo.com/a6c04079df52c0525311fb9585c0b1d3.png Am I the only one experiencing this ?

@okiehsch Your filter doesn't stop that on kimcartoon.me, so the issue is not solved, you would have to add that $redirect filter otherwise this will continue to happen until users are forced to whitelist that 3rd party server. Ads are no longer the problem but being trolled like this is.

and this script has already been used by some websites I regularly visit and others will be encouraged to use this script if we don't put a stop to it already.

Nevermind, blowing up performance works now, I have removed the $redirect filter. Closing the issue. Feel free to open the issue if you want to.

uBlock-user

uBlock-user commented on Sep 23, 2017

@uBlock-user
Author

@jspenguin2017 What tool did you use to deobfuscate that js ? I have few scripts I would like to use it on them too.

jspenguin2017

jspenguin2017 commented on Sep 23, 2017

@jspenguin2017
Owner

It's a custom... well, not really custom. But here it is:
https://jspenguin2017.github.io/JavaScriptDecompiler/
You'll need to manually run some code in the console to decode the code you shown in the opening.

You'll end up reading a lot of obfuscated code either way. Don't expect that you can figure it out in a short amount of time if you never done it before, learning a new thing isn't easy, and trying to read obfuscated code without previous programming experience is just going to make the learning process more painful.

uBlock-user

uBlock-user commented on Sep 23, 2017

@uBlock-user
Author

I figured out one decoded string but the rest seems like a pain. Also that one has lots of tools which one did you use ?

jspenguin2017

jspenguin2017 commented on Sep 23, 2017

@jspenguin2017
Owner

If the string has a lot of \x in it, use UnHex, if it has a custom encoding, then Unminify plus F12 console.
The most painful ones are encrypted strings where the key is different for each string, in that case you'll probably want to read over the code and decrypt whatever interests you instead of trying to decrypt everything.
For packed scripts, unpack it with JS UnPacker (or F12 console if that doesn't work) before doing further analysis. For JSFuck use JS Unfuck.
If you still can't find anything that looks like a string array, then they are probably using some proprietary obfuscation engine (free ones pretty much always create a string array), in that case, I recommend you to do runtime analysis instead.
Also, never run untrusted code in Node. Open a blank page and use the console, that is sandboxed.

uBlock-user

uBlock-user commented on Nov 6, 2017

@uBlock-user
Author

Update - Another source is served on Firefox Nighly which doesn't have this script present at all, which makes it seem that they detect userAgent and serve another copy specifically for Chromium based browsers as it works on Chromium only, so in other words a Chromium exploit, just like InstartLogic does.

jspenguin2017

jspenguin2017 commented on Nov 6, 2017

@jspenguin2017
Owner

Chromium has a powerful debugger, but it sometimes can cause user land code evaluation. Chromium team is considering to add a special button for "Pause JavaScript and open debugger", that'll solve the problem.
https://bugs.chromium.org/p/chromium/issues/detail?id=672625

uBlock-user

uBlock-user commented on Nov 6, 2017

@uBlock-user
Author

How does stopping the detection of devtools window answer this issue specifically ? Also I'm not opening devtools here at all. It simply serves a different source when it is Chromium. For example - try spoofing UA as FF 58 on https://postimg.org/image/3dv9z4fz0b/

A source without the above script is loaded.

jspenguin2017

jspenguin2017 commented on Nov 6, 2017

@jspenguin2017
Owner

Well, yea, you aren't opening DevTools, but if they serve it to an user agent that has a non-detectable DevTools, how do they stop you from debugging their script? Once it's served to your user agent it's too late.

uBlock-user

uBlock-user commented on Nov 7, 2017

@uBlock-user
Author

I also found the payload in one swoop via Chrome Debugger -

["IMG", "getElementsByTagName", "length", "src", "", "styleSheets", "disabled", "stop", "toString", "_orig", "bind", "now", "performance", "start", "enumerable", "configurable", "writable", "value", "defineProperty", "Object", "script", "createElement", "async", "textContent", "appendChild", "documentElement", "removeChild", "mzs__", "substr", "random", "Math", "(function(mz_str) {", "})('", "');", "XMLHttpRequest", "GET", "open", "responseType", "text", "load", "addEventListener", "error", "send", "var _a=\["(.+)"\];", "RegExp", "match", "","", "split", "bf4bfd3ad268f00b1ac6fc8a32a5309a", "parseInt", "0", "push", "join", "replace", "document", "tttZZZ2m", "f4FFv", "piguiqproxy.com/api", "opener", "_", "<NO", "FRA", "MES>", "writeln", "close", "callee", "apply", "tagName", "IFRAME", "target", "contentWindow", "removeEventListener", "readyState", "complete", "write", "docs", "er_load", "sc_load", "er_listen", "sc_listen", "status", "r", "arg load fail, 204", "log", "console", "href", "location", "session", "vars", "X-Meta-Request-Id", "getResponseHeader", "X-Location", "proxy_host", "host", "URL", "-", "indexOf", "responseText", "=", "encodeURIComponent", …]
added
ArchivedThis thread was archived, open new issues for similar problems.
on Aug 23, 2020
locked and limited conversation to collaborators on Aug 23, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    ArchivedThis thread was archived, open new issues for similar problems.Question And Suggestion

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @jspenguin2017@okiehsch@uBlock-user

        Issue actions