Reverse engineering obfuscated JavaScript – PopUnder Chrome 59




In this video we figure out how to do a popunder in Chrome version 59, by using a trick. Hopefully Chrome fixes this, because I resent this kind of advertisement.

PoC: https://liveoverflow.com/poc/popunder.html

————————————–
Twitter: https://twitter.com/LiveOverflow
Website: http://liveoverflow.com/
Subreddit: https://www.reddit.com/r/LiveOverflow/
Facebook: https://www.facebook.com/LiveOverflow/



25 responses to “Reverse engineering obfuscated JavaScript – PopUnder Chrome 59”

  1. this guy sells a license for a JS library that popunders Chrome 🙁
    a debugger statement triggers a breakpoint, bastards
    cool, I never knew about the pretty-print option
    what's up with the "minified file" description?
    etc host
    is there a "professional" way to write rubbish code? Like, how do I do it myself?
    these calls are heavily obfuscated: window.open, window.setTimeout, createElement() and appendChild
    these API calls
    what is a deprecation warning?
    Notification API was definitely suspicious to me too!
    I tried to connect with my future self, my future self was in some sort of great pain
    there were no iframes inside
    what's going on with that Chrome PDF viewer
    I need to learn more about proxy objects
    dynamically created iframe is simply a popup blocker bypass
    alert stops and blocks everything
    wow, that PDF was just a notification calling an alert
    productforums.google.com
    I LOVE base64

  2. Could a re-definition of the window.open function prevent you from analyzing the code? I'm thinking of:
    – You are re-defining the critical functions
    – JS files get loaded
    – On loading the iframe the developer puts in a re-definition of the functions back to standard (like window.open = window.open)
    Then your initial re-definition of those functions would be set to normal again before executing the crucial code, so... in the end your method would not work. Am I right?
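To make the hooking question in the comment above concrete, here is an added JavaScript example; it is not code from the video, the PoC page or any commenter. It wraps the open() method of a window-like object with a logging hook (the technique used to trace which obfuscated call actually spawns the popunder), then checks which "re-definition" moves undo the hook. The function names hookMethod, lockMethod, isHooked and makeFakeWindow are chosen here, and makeFakeWindow is a constructed stand-in for the browser's window (and for a fresh iframe's contentWindow) so the block runs under Node; in a real page you would pass window itself.

```javascript
// Added example, not from the video or the comments.
// `win` stands in for the browser's `window`; makeFakeWindow() builds a
// minimal constructed substitute so this runs outside a browser.

const calls = []; // every intercepted call, with the stack that made it

// Constructed stand-in for `window` / `iframe.contentWindow`.
function makeFakeWindow() {
  return {
    opened: [],
    open(url, target) {
      this.opened.push({ url, target });
      return { closed: false }; // a fake "popup" handle
    },
  };
}

// Replace win[name] with a wrapper that logs args + stack, then calls through.
// Returns the original so the analyst can restore it later.
function hookMethod(win, name, log = calls) {
  const original = win[name];
  if (typeof original !== 'function') {
    throw new TypeError(`${name} is not a function on the given window`);
  }
  function hooked(...args) {
    log.push({ name, args, stack: new Error().stack });
    return original.apply(this, args);
  }
  hooked.__original = original; // marker so we can tell hooked from fresh
  win[name] = hooked;
  return original;
}

// True if win[name] is currently our wrapper.
function isHooked(win, name) {
  return typeof win[name] === 'function' && typeof win[name].__original === 'function';
}

// Make the hook non-replaceable: `win.open = anything` silently fails in
// sloppy mode and throws a TypeError in strict mode.
function lockMethod(win, name) {
  Object.defineProperty(win, name, {
    value: win[name],
    writable: false,
    configurable: false,
    enumerable: true,
  });
}

// Attempt a plain reassignment under strict mode; report whether it succeeded.
function tryReassign(win, name, replacement) {
  'use strict';
  try {
    win[name] = replacement;
    return win[name] === replacement;
  } catch (e) {
    return false; // TypeError: cannot assign to read only property
  }
}

// Walk through the scenarios from the comment above.
function demo() {
  const win = makeFakeWindow();
  hookMethod(win, 'open');
  win.open('https://example.invalid/ad', '_blank'); // logged
  const afterHook = isHooked(win, 'open');

  // Scenario 1: `window.open = window.open` just assigns the wrapper to itself.
  win.open = win.open;
  const afterSelfAssign = isHooked(win, 'open');

  // Scenario 2: a freshly created frame hands out an unhooked open().
  const frameWin = makeFakeWindow();
  const freshIsHooked = isHooked(frameWin, 'open');

  // Scenario 3: grab the fresh reference and overwrite ours with it...
  const overwritten = tryReassign(win, 'open', frameWin.open);

  // ...which lockMethod() prevents once applied.
  hookMethod(win, 'open');
  lockMethod(win, 'open');
  const overwrittenAfterLock = tryReassign(win, 'open', frameWin.open);

  return { afterHook, afterSelfAssign, freshIsHooked, overwritten,
           overwrittenAfterLock, logged: calls.length, stillHooked: isHooked(win, 'open') };
}
```

What the block shows: reassigning window.open to itself does not remove a hook, and locking the property stops a later overwrite, but a new frame's contentWindow provides a pristine open() that the hook never touched, so an analyst hooking the top window should expect to hook (or watch for) newly created frames as well.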

  3. And they wonder why people started using adblockers. Well, it's precisely because of these reasons lol.

    EDIT: Surely this could be easily fixed by not allowing JS to be executed in a PDF file? I can't really think of a single reason why you'd want to allow that anyway. Seems kinda like a Trojan Horse idea to me.

  4. Do you have in your plans to make some video about the JSMiner crypto attack? Similar to a pop-up, but there are no ads; instead the script starts mining some cryptocurrency on our computer 😀, for example coin-hive
