Closed prplwtf closed 8 months ago
What does this obfuscated code do: how can you prove that it's a backdoor? (not that I'm doubting it might be)
This is not a backdoor, it is the AFK page script that has been the exact same since Dashactyl 0.x. You can check the file in all forks of Heliactyl and previous versions, and Dashactyl too, to confirm this.
Two chose to obfuscate it as "coins" was a unique feature to Dashactyl back in 2020/2021. I have the unobfuscated version somewhere and all it does is create a websocket and a few other things.
Do actual research next time
This file is used for AFK credits from what I've been able to see. What is the file in /stuff supposed to be?
Could you compare the hashes of both files? (Heliactyl/Dashactyl)
Dashactyl AFK script: https://github.com/Votion-Development/Dashactyl-0.4/blob/main/api/arcio.js
Just compare them yourself, it's the exact same thing. Also keep in mind, the script is used on the frontend - there is no way that it could be a backdoor.
I no longer maintain public Heliactyl 12 and will not be unobfuscating it for the reassurance of people that don't even use the project.
Feel free to contact Two or anyone that was involved with Dashactyl to confirm that we are using the same AFK system as them. In early versions of Heliactyl 10 and 11, it used a different system, but we changed it to the original as a websocket was better.
He wants the hash to the obfuscated code
he can ask two for that & any more info, not my problem though I doubt he cares
Mr XBT, if it wasn't doing anything malicious, why would it be encrypted + using random variable names etc.?
First of all, learn English. Second, read everything I said above.
You clearly do not understand how obfuscation works, and it's not "encrypted".
According to mr. lordwolfy (lordwlfyy / 1163168310607753418), the code compares to
\ \_xd37QzgererWB_xa3bciseu04edato_xec9CE_IC0d7a_x4de0640okZw_x064054f iwab_x3cdnq_xf71BUJapyIAINeun/ ){_xc4f03db_xd1c(^](+325LdX hs+"0254jqVnpn }ydhi_x099irm997Ojf iwdf1Yej0a0finrTL03a6icue_xe70um_xe90tTalCBAf$*_x9910458_xdfa035b_xc18038a_x55d23CBJrigie08681194OBfIY_xc8a015chht0249_x4d50276_x57bone_xd41l164MXqhtssrniy03f3_xd1905501626aXG05a7:/oain01d075GZiedritmrve-p_ntyelsNm421PzX0187rerOT_x4dd026b_x7f7033e2LgTQuw^]))[et0337_x07a?r=OI0209_x8cfig0167_x72crtcl03b1_x4f00236he_xf6404a7cl_x07304b2saebeZyZ0683_xf48r-faelA\\ (:/rier_x00c055acntut_x1970403_x65703ea_xa6a03b5gtlmnocoe03ac/0337r0187retplfnto az-_]09-AZ_x7b002c2_x5b403d9inu_x5b4_x730soainlctohsnm:ot_x7460276_x4de02d0_xcf701cd_xec904b5inrTL0167doninrTL055a_x657r-oprIAINT?r=DLCE_x07an03eaicueotoain02c9ONCElctohe_xc480550IRl0a0fsrn_xc4fFelnt_x493eu04a7_xf64wie(r_x3030d0c_xc8a0374ryd045egtlmnrgr74'));else{function _0x1888f5(){return![];}}}}}_0x16770a(++_0x3b1e70);}else{function _0x786634(){const _0x3113bf=_0x1677e5?function(){const _0x10d1fa=_0x202e;if(_0x290e47){const _0x3a0a7c=_0x1b7d74[_0x10d1fa(0xec)](_0x370ee1,arguments);return _0xa40b90=null,_0x3a0a7c;}}:function(){};return _0x29cb1f=![],_0x3113bf;}}}try{if(_0x552a63)return _0x16770a;else{if(_0x192ea5(0x79)===_0x3c0fc0[_0x192ea5(0xe6)]){function _0xea01a6(){const _0x9c2b29=_0x1d10d3?function(){const _0x1ec816=_0x202e;if(_0x5a0ae3){const _0xcdbff5=_0x5109f5[_0x1ec816(0xec)](_0x2794d5,arguments);return _0x18511d=null,_0xcdbff5;}}:function(){};return _0x296b13=![],_0x9c2b29;}}else _0x3c0fc0[_0x192ea5(0xa8)](_0x16770a,0x176e+-0x1*-0x3b9+-0x1b27);}}catch(_0x30eb8c){}}`;")
I mean from what the information I've now been told in this pull request, it seems a little less sketchy. However, I would still prefer to receive additional information on this.
I mean from what the information I've now been told in this pull request, it seems less like a backdoor. However, I would still prefer to receive additional information on this.
I don't have any info as I haven't touched the AFK earning system since 2021. I didn't say anything about it as Two is a reputable person and wouldn't somehow put a backdoor in a basic script used in the frontend. I've seen absolutely no claims of a "backdoor" being in Heliactyl before this.
If it isn't a backdoor then that begs the question: why is this code obfuscated? Obfuscated code is almost impossible for a human to figure out what it does by themselves, making it harder for it to be patched, fixed or modified in any way. You should consider rewriting this part of the code in plain JavaScript to make it more clear what it does.
Still, if it wasn't doing anything malicious, why would it need to be obfuscated? Considering that is the only file that is obfuscated makes it seem even more like it's doing something it shouldn't.
Read what I said. Two obfuscated it as Dashactyl's AFK earning feature was unique to only Dashactyl and he didn't want other client areas copying it (I believe).
And as I said, I no longer maintain Heliactyl 12. I won't be doing anything about it and I don't care enough to; only free hosts use Heliactyl.
The AFK earning has been replaced in Heliactyl 14 with Palladium's AFK endpoints & script
If you believe it's a backdoor for any reason, feel free to rewrite the code as the rest is unobfuscated and is plain JS
I do think, in this case, it's justified that @layerxbt doesn't want to have to do much with this issue. They no longer maintain/contribute to this project and don't have any obligation to continue doing so.
Or, you're trying to avoid deobfuscating a backdoor in the code.
Any proof of this? It's obvious that the code cannot be a backdoor. All it does is create a websocket and update 3 elements in the HTML.
People have used Heliactyl since 2020 and it has had the same exact AFK script for the majority of that time, when has anyone questioned the code or said anything about it? (answer is not once, for obvious reasons)
Kindly contact Two if you want any more info as he is the one who wrote the code
Then why are you avoiding deobfuscating it to prove we're wrong?
How am I supposed to deobfuscate it? Do you not understand how obfuscation works?
@layerxbt has not obfuscated the code, from what I've read.
Two is the one that wrote the code and obfuscated it, we simply copied his AFK system from Dashactyl and used it here (this was a long time ago though, if Heliactyl 12 is ever maintained again, it will use Palladium's AFK endpoints & script as I said)
He sent the unobfuscated version in a group once (back in 2022). Though I don't have the code anymore, I can at least confirm that the code is not malicious.
@real2two has obfuscated the code. Heliactyl 12 will be/is already deprecated. Heliactyl 14 is now the standard. @layerxbt would you be so kind to post Heliactyl 14 somewhere?
It will be available on GitHub by the end of January (or when I finish the frontend)
12 is still fine, no exploits (afaik)
this is funny
Ok
hi geo
hi hogun
Also, I'd just like to apologize. It was never my intention to start a drama or an unfriendly environment. I should have acted better and have thought a bit more before opening this PR.
wassup geo
I don't know if this is the exact code Dashactyl uses (since it could be an earlier version), but I dug through my Discord DMs with somebody and found a (earlier or current) version of the AFK source code.
Here's the (formatted) leaked source code for the AFK page:
```javascript
// Note: arciopath, everywhat and gaincoins are not defined in this script;
// they are expected to be supplied by the page that embeds it (assumption).
let scheme = "ws";
if (document.location.protocol === "https:") {
  scheme += "s";
}
let connection = new WebSocket(scheme + "://" + document.location.hostname + "/" + arciopath);
connection.onopen = function (evt) {
  // Keep-alive ping every 5 seconds so the server knows the tab is still open
  setInterval(() => {
    connection.send(JSON.stringify({ type: "ping" }));
  }, 5000);
};
connection.onclose = function (evt) {
  window.location.href = "arcioerror";
};

// Countdown and coin counter shown on the page
let timer = everywhat;
let hascoin = 0;
setInterval(async function () {
  timer--;
  if (timer < 1) {
    hascoin = hascoin + gaincoins;
    document.getElementById("arciogainedcoins").innerHTML = hascoin;
    timer = everywhat;
  }
  document.getElementById("arciotimer").innerHTML = timer;
}, 1000);

// Poll the arc widget iframe; redirect to the error page if the user opted out
setInterval(function () {
  arcdetecter();
  function arcdetecter() {
    let iframe = document.getElementById("arc-widget-launcher-iframe");
    if (iframe == null) {
      setTimeout(() => { arcdetecter(); }, 50);
    } else {
      let innerDoc = iframe.contentDocument || iframe.contentWindow.document;
      setTimeout(() => { getarcstatus(innerDoc); }, 500);
    }
  }
  function getarcstatus(innerDoc) {
    let arcwidgetdiv = innerDoc.getElementById("launcher");
    if (arcwidgetdiv == null) {
      setTimeout(() => { arcdetecter(); }, 50);
    } else {
      let arcwidgetstatus = arcwidgetdiv.className;
      if (arcwidgetstatus == "is-opted-out") {
        window.location.href = "arcioerror";
      } else if (arcwidgetstatus == "") {
        return undefined;
      }
    }
  }
}, 1000);
```
Head repository has been removed as it just removes the file in /stuff.
I'm not taking sides here, but you do realise it's really damn easy to deobfuscate the code and see it? Like hell, you can just find a deobfuscator on google to deob it, you don't even need to do anything yourself
Indeed, which is why I have tried to deobfuscate this file on over 10+ different websites (without success) before making this PR.
I'm not in the mood to argue, but if you know how to deobfuscate, you could do it. It's just obfuscator.io probably, nothing special. That's all I'm gonna say /shrug
If anyone here still uses Heliactyl 12 and is concerned about the script, swap it out for this. It should work fine (haven't tested it though).
Reminder:
Hosts should probably not be using Heliactyl 12 in 2024, even though it has no exploits*. The code quality is atrocious; I'm not touching this again.
I reckon a few host owners will be watching this after the dontabuse announcement so it's worth saying
I knew layer wasn't a skid!!!!
always artem
you should have known before.
In my defense, the unobfuscated code wasn't publicly available before making this PR.
mate what it was in dashactyl you should have opened a PR there
On Wed, 10 Jan 2024 at 22:35, purple @.***> wrote:
you should have known before.
In my defense, the unobfuscated code wasn't available before this PR.
Heliactyl has been far more popular than Dashactyl since 2021, so I guess it makes sense to make a PR here.
Not possible. I believe the original repository was marked archived, which prevents anyone from creating issues or PRs.