AdguardTeam / AdguardFilters

AdGuard Content Blocking Filters
https://adguard.com/
GNU General Public License v3.0

new.gdtot.me #88543

Closed ghost closed 3 years ago

ghost commented 3 years ago

Description: Redirects to another page most of the time

When I click download on https://new.gdtot.me/file/1946185734, most of the time it redirects to https://new.gdtot.me/assets/img/yourlogo.png. Then I have to go to the page, and if I click again it forwards to the correct page.

Screenshot:

![Screenshot_20210718-214009_Firefox](https://user-images.githubusercontent.com/46019727/126073386-8b375440-f306-466d-8be1-905a05df4f97.jpg)
![Screenshot_20210718-214003_Firefox](https://user-images.githubusercontent.com/46019727/126073388-8ea93156-f23f-4fb0-bc6f-e3dd7965c08b.jpg)
![Screenshot_20210718-214012_Firefox](https://user-images.githubusercontent.com/46019727/126073389-a443943a-8c77-4464-aa87-ec373102c554.jpg)

* **Expected behaviour**: After I press download it should go to a Google login page if a Google account is not attached. If you try in a private window then you can understand.

***Steps to reproduce the problem***: Press download on https://new.gdtot.me/file/1946185734, but it redirects to a different page other than intended.

***System configuration***

**Filters:** Default AdGuard filters along with full oisd filters in the DNS filter section.

| Information | Value |
| --- | --- |
| Operating system | android |
| Operating system version (Android/iOS) | android 9 |
| Browser | Firefox stable 90 and chrome latest |
| AdGuard version | 3.6.2 |
| Filters enabled | default filters |
| AdGuard mode (Android only) | VPN |
| Filtering quality (Android only) | High-quality |
| HTTPS filtering (Android only) | On (Default/Blacklist mode) / Off |
| Simplified filters (iOS only) | On / Off |
| AdGuard DNS | None |
| Stealth mode options (Windows only) | ? |
| Helpdesk ID (if exists) | ? |

ghost commented 3 years ago

@Yuki2718 Sir, it is still happening with the Android application. Attached the log; maybe you can find out the reason.

adguard_logs_3.6.23_3007_041153.zip

Yuki2718 commented 3 years ago

Reproduced on the first visit, but after reload I get Cloudflare Error 522. I'll investigate after a while.

ghost commented 3 years ago

> Reproduced on the first visit, but after reload I get Cloudflare Error 522. I'll investigate after a while.

The websites sometimes get automatically Use a vpn or cloudflare 1.1.1.1 app to access it

Yuki2718 commented 3 years ago

@ameshkov I can reproduce if I click the button very quickly after or whilst the page loads, but cannot if I wait long enough before clicking. The behavior is the same both on AG for Android v3.6.2 (23) and AG Extension 3.6.6 on Firefox (PC but UA set to mobile), but if I add `new.gdtot.me$$script[tag-content="delete window"]` the issue disappears, so it seems the "delete window" scriptlet is injected too late to be effective.

ameshkov commented 3 years ago

@Yuki2718 it seems that the `String.fromCharCode` function is not used in this inline script and that's why the scriptlet does nothing. You should try intercepting a different property, for instance `window.atob`.

Yuki2718 commented 3 years ago

Yeah, I wrongly assumed all delete window scripts are the same, but sure, no `String.fromCharCode` here. There's `#%#//scriptlet("abort-current-inline-script", "Math", "delete window")` below the line so I'll add to this (confirmed it's working).

@Alex-302 `String.fromCharCode` in delete window should be replaced with `Math`. I'm pretty sure all delete window scripts must rely on `Math`, not only because on uAssets `##+js(acis, Math, break;case $.)` has been replacing `##+js(acis, String.fromCharCode, break`, but also because of their random nature. The delete window scripts, though obfuscated, generate iframes of random paths different on each load. Such random generation won't be possible without `Math`.

ameshkov commented 3 years ago

Tbh, I think that `window.atob` is a safer choice. This function is rarely used by legitimate scripts, but it's used in almost every obfuscated script.

Yuki2718 commented 3 years ago

Okay, checking other delete window now. If `atob` is used by all samples, I'll change to `atob` from `String.fromCharCode`.

Alex-302 commented 3 years ago

Just `break` may be wide. Better more specific. Checked freedownloadmp3-mp4.top: `#%#//scriptlet("abort-current-inline-script", "String.fromCharCode", "delete window")` can be replaced by `#%#//scriptlet("abort-current-inline-script", "Math", "delete window")`

Yuki2718 commented 3 years ago

@ameshkov It turned out that if I use `atob`, the scriptlet can't prevent calls to random iframes. An ex. link is http://mp3fusion.net/. If I use `Math`, no call to bochugho.net, but if `atob`, it's called.

Yuki2718 commented 3 years ago

Both `Math` and `atob` seem to be always used; on the contrary, `String.fromCharCode` is apparently no longer used anywhere as far as delete window is concerned.

Alex-302 commented 3 years ago

> can be replaced by

I mean `break;case` or etc. instead of `delete window` :)

Yuki2718 commented 3 years ago

@Alex-302 If you mean uAssets' filter, it's `break;case $.` - space and `$.` is added so maybe okay.

Alex-302 commented 3 years ago

@Yuki2718 If you want to change the rules, please do not lose the recently added domains.

Yuki2718 commented 3 years ago

How can I lose a domain if I just change `String.fromCharCode` to `Math`?

Yuki2718 commented 3 years ago

Of note, I checked both the oldest and newest domain - no `String.fromCharCode` but `Math` is always used.

Alex-302 commented 3 years ago

Just a warning. It can be done in a few ways :)

Alex-302 commented 3 years ago

> If you mean uAssets' filter, it's `break;case $.` - space and `$.` is added so maybe okay.

I mean `#%#//scriptlet("abort-current-inline-script", "Math", "/emZnbG9hZGVk|break;case \$\./")`. But not sure if `emZnbG9hZGVk` is still required.

Yuki2718 commented 3 years ago

https://github.com/AdguardTeam/AdguardFilters/commit/3c382ac6aff123a5bd8af6cfe15f1ac768c3391d

Yuki2718 commented 3 years ago

> I mean `#%#//scriptlet("abort-current-inline-script", "Math", "/emZnbG9hZGVk|break;case \$\./")`. But not sure if `emZnbG9hZGVk` is still required.

Needs to be checked, but maybe it's okay to leave it as is for now.

Yuki2718 commented 3 years ago

BTW, why don't we add an HTML filter counterpart for these rules? Maybe useful if a race condition happened in the scriptlet.

Alex-302 commented 3 years ago

> if race condition

need example.
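
An added example, not part of any comment above and not AdGuard's scriptlet source: a simplified model of the property trap discussed in this thread, showing why a guard on `String.fromCharCode` does nothing when the inline script never reads it, while a guard on `Math` aborts the script. The names `installGuard`, `runInline`, `trial`, the fake `window` object and both sample scripts are constructed for illustration.

```javascript
// Simplified model of a property-trap guard (illustrative, not AdGuard's source).
const ABORT = "inline script aborted";

// Trap reads of `chain` (e.g. "Math" or "String.fromCharCode") on `win`; throw
// when the currently running inline script's text matches `search`.
function installGuard(win, chain, search, state) {
  const parts = chain.split(".");
  const prop = parts.pop();
  const owner = parts.reduce((obj, key) => obj[key], win);
  const original = owner[prop];
  const matches = (text) =>
    search instanceof RegExp ? search.test(text) : text.includes(search);
  Object.defineProperty(owner, prop, {
    configurable: true,
    get() {
      if (state.current !== null && matches(state.current)) {
        throw new ReferenceError(ABORT);
      }
      return original;
    },
  });
}

// Run `src` as an inline script; state.current stands in for
// document.currentScript.textContent. `with` makes bare `Math` resolve on `win`.
function runInline(win, src, state) {
  state.current = src;
  try {
    new Function("window", "with (window) {" + src + "}")(win);
    return "ran";
  } catch (e) {
    if (e instanceof ReferenceError && e.message === ABORT) return "aborted";
    throw e;
  } finally {
    state.current = null;
  }
}

// Constructed samples: one builds a random path after `delete window...`, one is benign.
const RANDOM_PATH_SCRIPT =
  'delete window.marker; window.paths.push("/" + Math.random().toString(36).slice(2));';
const BENIGN_SCRIPT = 'window.paths.push("/static/" + Math.max(1, 2));';

// Fresh fake window, guarded on `chain`, after running `src` once.
function trial(chain, search, src) {
  const state = { current: null };
  const win = { Math: Object.create(Math), String: { fromCharCode: String.fromCharCode }, paths: [], marker: 1 };
  installGuard(win, chain, search, state);
  return { outcome: runInline(win, src, state), paths: win.paths.length };
}
```

`trial("Math", "delete window", BENIGN_SCRIPT)` returns `"ran"`, which is why the search string has to be specific to the unwanted script: the trap fires on every read of the property, and only the text match decides whether to abort.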