Evading JavaScript anti-debugging techniques (nullpt.rs)
The reason for the websocket is that the browser console is also rendered inoperable due to the debugger statements and console clear commands emanating from the website JS. A websocket is then the only way to transfer actionable information (such as a password or a secret link). It's not an easy or quick process but, by inserting websocket calls in interesting places, it is possible to figure out what the JS is doing. It also helps a lot to prettify the JS in order to study it. There are websites that can do that for you. Unfortunately, the prettification of the JS may break it so you're still stuck with doing the modifications in the original JS.
I built my own proxy server for this task but I imagine that the same may be possible with a tool like HTTP Toolkit but that means getting the Pro version.
I maintain the vscode debugger and found both the article and your comment interesting--there's a large overlap between "programs with anti-debugger techniques" and "programs that are hard to debug."
What I'm saying is that we need a way to get that table (array) and perform the substitutions in order to recreate the original code as text instead of numbers. This is likely way beyond the scope of a debugging tool. Or is it?
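The substitution step described above, as an added example that is not code from the article or from any commenter: a small resolver that evaluates the constant arithmetic obfuscators put inside each string-table accessor call (the `_0x199d1e(0x815*-0x2+0x1735+0x13f*-0x5)` form quoted later in the thread) and replaces the call with the string it indexes. The table, the accessor name, the index offset and the sample snippet are constructed assumptions; an analyst recovers the real ones from the script by hand.

```javascript
'use strict';
// Added example, not code from the article or from any commenter: a string-table
// resolver for obfuscator-style JavaScript, where every string literal has been
// replaced by a call such as _0x1a2b(0x5*0x3+-0xe) that indexes a hidden array.
// The table, the accessor name and the index offset are assumed inputs.

// Evaluate an argument made only of hex/decimal integers joined by + and *
// (the form obfuscators emit) without touching eval(). Returns null for any
// other text, so nothing unexpected is ever executed.
function evalConstExpr(expr) {
  const text = expr.replace(/\s+/g, '');
  const tokens = text.match(/-?0x[0-9a-fA-F]+|-?\d+|[+*]/g);
  if (!tokens || tokens.join('') !== text) return null;
  const terms = [[]];                 // products to be summed
  let expectNumber = true;
  for (const tok of tokens) {
    if (tok === '+' || tok === '*') {
      if (expectNumber) return null;  // leading or doubled operator
      if (tok === '+') terms.push([]);
      expectNumber = true;
      continue;
    }
    // Two numbers in a row means a binary minus: a-0x5 === a+-0x5.
    if (!expectNumber) terms.push([]);
    const sign = tok.startsWith('-') ? -1 : 1;
    terms[terms.length - 1].push(sign * Number(tok.replace('-', '')));
    expectNumber = false;
  }
  if (terms.some((t) => t.length === 0)) return null;
  return terms.reduce((sum, t) => sum + t.reduce((p, f) => p * f, 1), 0);
}

// Replace each accessor call whose argument resolves to a valid table index
// with the string literal it stands for. `offset` is added to the computed
// value, mirroring accessor wrappers that shift the index before lookup
// (hypothetical here; the real one is read from the accessor function).
function resolveStringTable(source, accessorName, table, offset = 0) {
  const escaped = accessorName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const callRe = new RegExp(escaped + '\\(([^()]*)\\)', 'g');
  let unresolved = 0;
  const resolved = source.replace(callRe, (whole, arg) => {
    const value = evalConstExpr(arg);
    const index = value === null ? -1 : value + offset;
    if (!Number.isInteger(index) || index < 0 || index >= table.length) {
      unresolved += 1;
      return whole;                   // leave it for the analyst to inspect
    }
    return JSON.stringify(table[index]);
  });
  // Second pass: obj["name"] -> obj.name wherever the key is a plain identifier.
  const dotted = resolved.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
  return { code: dotted, unresolved };
}

// Constructed sample: a three-entry table and a call site that, once decoded,
// reads console.log("decoded string".toUpperCase()).
const SAMPLE_TABLE = ['log', 'decoded string', 'toUpperCase'];
const SAMPLE_CODE =
  'console[_0x1a2b(0x2c*0x2+-0x58)](_0x1a2b(0x5*0x3+-0xe)[_0x1a2b(0x10-0xe)]());';

function demo() {
  return resolveStringTable(SAMPLE_CODE, '_0x1a2b', SAMPLE_TABLE);
}

console.log(demo().code);
```

Calls whose argument is not pure constant arithmetic, or whose index falls outside the table, are left untouched and counted in `unresolved`, which is the list of places where the accessor is being fed something other than a literal (rotated tables, indirection through a second wrapper) and deserves a closer look.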
Years ago I really wanted to disable the blink tag, so I just ran `perl -pi -e "s/blink/abcde/g"` on the binary and that worked well enough.
I'll bet you could do something similar with "debugger". On macOS, you'd break code signing, but you could re-sign it or strip the signing and let it run unsigned.
Example: https://i.imgur.com/BsphnEu.png
And before a developer for these commerce websites jumps up and says “ah but supreme are trying to prevent bots from buying up all of their merch and scalping it”:
Supreme are restricting supply so they can maximise profits.
They are selling on the web rather than through traditional retail outlets using this method not to reach a wider audience for the audience’s sake but to have a larger number of people who are willing to pay an even higher price.
The web, the system that brings free information to the masses requiring no knowledge of the underlying technologies, is too important to compromise for these e-commerce platforms attempting to have their cake and eat it too.
heavy handed approach. I have some moderate success intercepting setInterval/setTimeout and manually sifting to find that one call that starts the ball rolling. Things get old fast when the code you are looking at looks like
0[_0x199d1e(0x815*-0x2+0x1735+0x13f*-0x5)](_0x199d1e(0x3b3*0xa+0x1c1+-0x260d),_0x199d1e(0x2149*0x1+0x9f7+0x1*-0x29f5)))[_0x
Could somebody here explain what that means, since the article doesn't? What's a debugger loop? What is the actual JavaScript code that somehow prevents debugging, and how does it accomplish that?
This only gets activated when the devtools window is opened, so placing this statement in a frequently executed piece of code will continuously interrupt whatever you are doing in the devtools when you use them.
I assume in the past the tooling might not have had the necessary configuration options to suppress that, but nowadays you can just disable debugger statement breakpoints to avoid it.
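The setInterval/setTimeout interception mentioned a few comments up, and the debugger-statement loop explained in the replies, as an added example that is not code from the article or from any commenter: a hook that wraps both timer functions, records every registration together with the stack that scheduled it (the "one call that starts the ball rolling"), and declines to schedule callbacks whose source contains `debugger` or `console.clear(`, so the rest of the page keeps running while DevTools stays usable. The pattern list, the policy and the stand-in anti-debug loop are constructed assumptions for this example.

```javascript
'use strict';
// Added example, not code from the article or from any commenter. A hook for
// the analysis technique described in the thread: wrap setTimeout/setInterval,
// record every registration with the stack that scheduled it, and refuse to
// schedule callbacks that match anti-debugging patterns (debugger loops,
// console.clear spam). The pattern list and policy are assumptions.

const ANTI_DEBUG_PATTERNS = [/\bdebugger\b/, /console\s*\.\s*clear\s*\(/];

// Source-level heuristic: inspect the callback's text (or the string passed
// to setTimeout("...")) for the statements the thread describes.
function looksLikeAntiDebug(callback) {
  const src = typeof callback === 'function'
    ? Function.prototype.toString.call(callback)
    : String(callback);
  return ANTI_DEBUG_PATTERNS.some((re) => re.test(src));
}

// Install the hook on `target` (globalThis in a page or in Node). Returns the
// registry of observed registrations and an uninstall function.
function installTimerHook(target = globalThis, policy = looksLikeAntiDebug) {
  const registry = [];
  const originals = { setTimeout: target.setTimeout, setInterval: target.setInterval };
  for (const name of Object.keys(originals)) {
    const original = originals[name];
    target[name] = function hookedTimer(callback, delay, ...args) {
      const entry = {
        kind: name,
        delay,
        flagged: policy(callback),
        source: String(callback).slice(0, 200),   // enough to recognise it
        stack: new Error().stack,                 // who scheduled it
      };
      registry.push(entry);
      if (entry.flagged) return null;             // not scheduled at all
      return original.call(target, callback, delay, ...args);
    };
  }
  return { registry, uninstall: () => Object.assign(target, originals) };
}

// Constructed stand-in for what a site's anti-debugging timer looks like once
// the obfuscation is stripped: clear the console and hit `debugger` repeatedly.
function siteAntiDebugLoop() {
  return setInterval(function antiDebug() { console.clear(); debugger; }, 100);
}

// Run the hook against the stand-in plus one ordinary timer and report what
// was seen; the benign timer is cancelled so the demo exits cleanly.
function demo() {
  const hook = installTimerHook();
  try {
    const blocked = siteAntiDebugLoop();
    const benign = setTimeout(function tick() {}, 1000);
    clearTimeout(benign);
    return {
      blockedHandle: blocked,                 // null: the loop never ran
      benignScheduled: benign !== null,
      flagged: hook.registry.filter((e) => e.flagged).map((e) => e.kind),
      observed: hook.registry.length,
    };
  } finally {
    hook.uninstall();
  }
}

console.log(demo());
```

In a browser this goes into a DevTools snippet or a Local Override that loads before the site's own scripts, since the wrapper only sees registrations made after it is installed; the `stack` field of each registry entry is what you read to trace a suspicious timer back to the obfuscated function that armed it.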
What methods do they use to detect debugging tools and how do we defeat them?
It will also not work if the script is some initially obfuscated string that is passed to eval() or something more complex assembling the actual code on the fly.
As us "old school crackers" would say, "NOP those out!"
As for obfuscation, you can unpack the scripts in order to do the needful, then use the proxy to "transparent redirect" requests for them to your own locally hosted unpacked and modded version.
I've not seen anything like that. The integrity checks are generally limited to verifying the document location and the presence of certain elements in the DOM. Obfuscation techniques have become so sophisticated that integrity checks are not really necessary. Bot challenges (such as the one used by CloudFlare) may go so far as to test graphic elements like the canvas to ensure that the JS is actually running in a browser but I don't think this is a common thing for the average website that just wants to keep bots from scraping them.
Difficult to imagine any anti-debugging techniques that will work against something that just records an execution trace.
So the idea is store it in local Overrides, find the bad anti debug code and remove it, then you get back full control in devtools.
Sounds like we need a way to disable web site access to those commands.
Probably safe to assume they were mining cryptocurrency with your browser while you were watching the stream.
I did notice the ad serving infrastructure seemed quite sophisticated. There were so many domains and proxies and redirects. Luckily uBlock Origin blocks almost all of them. And usually, I can avoid any of the "bonus" features by opening the video player iframe in its own tab (but sometimes this isn't possible, or the video player tab has some scripts to make it annoying to run in isolation).
One thing I like to do during the commercial breaks is paste the URL of the site into GitHub Code Search. This always leads to interesting results, including blocklists, people's personal media scrapers, or sometimes even the (re-)publishing infrastructure of the sites themselves. It's also a great way to find alternative URLs or other streaming sites.
[x] only exists because it is underpriced relative to market demand.
A great question to ask after this is "would I be okay subjecting my child/mother/father to this experience?"
For example, there are 2 tennis courts available on a first come, first served basis at a park in SF. Because they are free to reserve, and there's more demand than supply, people will bot all the courts at all given times during the day and scalp players for the free reservations.
Or, a car is available for [x] msrp price, plus a 25% "market adjustment" fee. Is this ethical for every dealer in the country to do the same?
Yes, if it means that a car that I want is in stock as opposed to having to wait for 6 months I would consider it ethical.
My memory of learning about "Wealth of Nations" style capitalism is there was an idea that people produce goods and services that other people find useful. So when they trade, both buyer and seller benefit. As opposed to scalpers, who interpose themselves between the two to the detriment of both the buyer and seller, and benefit only to the scalper.
Modern capitalists don't care if they make everything worse, only that someone is making money.
I appreciate you attempting to introduce some nuance to a discussion about goods. I would imagine that Supreme’s marketing team would be pretty savvy and know how to hit the mark.
My point is more about their determination to run obfuscated code on their users' computers and the intersection between that and Google's vision for the browser.