Fix typos #3

Open
wants to merge 2 commits into
base: master
4 changes: 2 additions & 2 deletions content/post/whiteops-data.md
Expand Up @@ -52,15 +52,15 @@ This very obfuscated script does many things, including (this is an incomplete l
return String.fromCharCode(e.charCodeAt(0) - o--)
})
```
- this evaluates to `res://ieframe.dll/acr.js`, but only on IE. This string has only one purpose, exploiting the fact that you can put arbitrary HTML in the hash part of the URL and have it get evaluated, I beleive in a privledged context of some sort. This file actually resolves in IE to a internal Windows system file, which is only accessible in JS due to a bug.
- this evaluates to `res://ieframe.dll/acr.js`, but only on IE. This string has only one purpose, exploiting the fact that you can put arbitrary HTML in the hash part of the URL and have it get evaluated, I believe in a privileged context of some sort. This file actually resolves in IE to a internal Windows system file, which is only accessible in JS due to a bug.
- tries to run VBScript:
```js
execScript("e71012934811a=false::On Error Resume Next::" + e + "::if Err.Number=-2147024891 or Err.Number=5002 then e71012934811a=true::Err.Clear", "VBScript"), t = "e71012934811a" in window ? window.e71012934811a ? o.EXISTS : o.MISSING : o.UNKNOWN
```
- checks for these strings on window (de-obfuscated, I also have the original obfuscated ones in case you are also looking through the source):
- `boltsWebViewAppLinkResolverResult`, `GoogleJsInterface`, `googleAdsJsInterface`, `accessibilityTraversal`, `accessibility`, `FbPlayableAd`, `__REACT_WEB_VIEW_BRIDGE`
- obfuscated in code as `obygfJroIvrjNccYvaxErfbyireErfhyg`, `TbbtyrWfVagresnpr`, `tbbtyrNqfWfVagresnpr`, `npprffvovyvglGenirefny`, `npprffvovyvgl`, `SoCynlnoyrNq`, `__ERNPG_JRO_IVRJ_OEVQTR`
- checks the screen's `availHeight`, `availWidth`, `width`, and `height
- checks the screen's `availHeight`, `availWidth`, `width`, and `height`
- checks the screen's `colorDepth`, `pixelDepth`, and `devicePixelRatio`
- checks for these automation-related properties on `window`: `domAutomation`, `domAutomationController`, `_WEBDRIVER_ELEM_CACHE`, `_phantom`, `callPhantom`, `window.chrome._commandLineAPI`, `window.Debug.debuggerEnabled`, `__BROWSERTOOLS_CONSOLE`, `window._FirebugCommandLine`, and also if `document.documentElement.hasAttribute("webdriver")` is true
- checks if `"function () { return Function.apply.call(x.log, x, arguments); }" == window.console.log.toString()` (also to check for browser automation I guess
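Review bot: The corrected `res://ieframe.dll/acr.js` line still reads "a internal Windows system file"; since this line is already being rewritten for "believe" and "privileged", change it to "an internal Windows system file" in the same commit. The unchanged last line of the hunk also leaves its parenthesis open at "(also to check for browser automation I guess", which this typo pass could close along with the backtick fix on the `height` line.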