jspenguin2017 / uBlockProtector

An anti-adblock defuser for Nano Adblocker and uBlock Origin
GNU General Public License v3.0

exrapidleech.info #167

Closed spvkgn closed 7 years ago

spvkgn commented 7 years ago

http://www.exrapidleech.info/index.php

[screenshot: www.exrapidleech.info, 2017-04-29 11-21-00]

Firefox 52 + uBO + TM

Update from jspenguin2017: Workaround found by @lain566 : https://github.com/jspenguin2017/AdBlockProtector/issues/167#issuecomment-301210741

jspenguin2017 commented 7 years ago

@bup4gr Hum, that seems to be an iframe that AAK script injects... I'll investigate.

ghajini commented 7 years ago

Can we turn off adblocking extensions and see how the site behaves (reverse engineer)?

jspenguin2017 commented 7 years ago

@ghajini Whatever helps.

lain566 commented 7 years ago

@jspenguin2017 I made some custom rules so that adblock is not detected, but they allow some JavaScript files. I do not know if that will please you.

jspenguin2017 commented 7 years ago

@lain566 Oh, that's fine, we can use some redirect tricks later. Can you share your rules?

lain566 commented 7 years ago

Fixed

jspenguin2017 commented 7 years ago

@lain566 Alright, thanks. I think the situation is pretty clear: some code on this website is checking the integrity of the pop.js files that are loaded. We need to pin that down.

lain566 commented 7 years ago

@jspenguin2017 With those rules, I do not see ads; they are blocked.

jspenguin2017 commented 7 years ago

@lain566 OK, in that case, that would be acceptable as a workaround.

lain566 commented 7 years ago

I see ads from this domain: bidvertiser.com. It is found in Easylist and Adblock Protector List. You should block this domain.

jspenguin2017 commented 7 years ago

@lain566 Can you provide a test link and screenshot?

lain566 commented 7 years ago

@jspenguin2017 Here you have it, sometimes a banner is shown. This usually happens when you access the site several times. Maybe the biggest fault is Easylist.

[Screenshots: premium link generator page; uBlock network request log, three captures]

ghajini commented 7 years ago

@jspenguin2017, can we do something like the click ads function (in order to counter popads on this site) from the adnauseam project?

jspenguin2017 commented 7 years ago

@lain566 I removed that entry, looks like nothing else is broken.

[image]

This is the only entry, right?

jspenguin2017 commented 7 years ago

I see what's going on with popads, all uBO did is apply throw on write to those properties, it didn't implement a fake API.

ghajini commented 7 years ago

Hi, it may be bumping the topic... if the clickads feature of adnauseam can be utilised in adblock protector... just wanna feedback.

jspenguin2017 commented 7 years ago

@ghajini Sorry I missed your comment... The problem is that will still open a popup, wouldn't it?

lain566 commented 7 years ago

@jspenguin2017 anyway, the question marks are annoying

jspenguin2017 commented 7 years ago

I can probably make the question marks transparent, but we need to fix the bigger problem first.

lain566 commented 7 years ago

I know. It might take longer than you expect to be issued a visa.

jspenguin2017 commented 7 years ago

That detection code is hidden pretty deep, I had to use some `debugger;` hat trick to grab it:

[image]

This makes sense now...

jspenguin2017 commented 7 years ago

Hey guys, I am able to prevent the redirect to the verify page without whitelisting those servers:

Script:

```JavaScript
if (a.domCmp(["exrapidleech.info"])) {
    // Define PopAds as a read-only value
    a.readOnly("PopAds", "this is a string");
    // Remove the anti-adblock notices once the page is ready
    a.ready(() => {
        a.$(".alert-danger.lead:contains('block')").remove();
        a.$("p:contains('Please disable ads block')").remove();
        a.$("p:contains('Please turn on popup')").remove();
    });
}
```

List:

```
||bidvertiser.com$important,domain=exrapidleech.info
```

However, aren't we supposed to get some sort of download link? It sends me back to the home page without giving me anything more.

lain566 commented 7 years ago

Great work! :blush: But... I keep getting redirected to verify, popcash still blocked. Can you see popcash request? After resolving recaptcha index.php

jspenguin2017 commented 7 years ago

@lain566 No... It didn't request popcash in my tests. I'll test it again tomorrow, I guess it changes from time to time.

lain566 commented 7 years ago

@jspenguin2017 It's found in index.php, after resolving recaptcha

jspenguin2017 commented 7 years ago

@lain566 The problem is even if we are not redirected to the verify page, we still don't get the download link.

lain566 commented 7 years ago

cdn.popcash.net/pop.js

```JavaScript
function encode64(a){a=escape(a);var c,d,f,g,h,b="",e="",i="",j=0;do{c=a.charCodeAt(j++),d=a.charCodeAt(j++),e=a.charCodeAt(j++),f=c>>2,g=(3&c)<<4|d>>4,h=(15&d)<<2|e>>6,i=63&e,isNaN(d)?h=i=64:isNaN(e)&&(i=64),b=b+keyStr.charAt(f)+keyStr.charAt(g)+keyStr.charAt(h)+keyStr.charAt(i),c=d=e="",f=g=h=i=""}while(j<a.length);return b}function jsPopunder(a,b){function c(){try{q=Math.floor(document.cookie.split(r+"Cap=")[1].split(";")[0])}catch(a){}return p<=q||-1!==document.cookie.indexOf(r+"=")}function d(a,b,d,f,g,j){if(!c()){var k="toolbar=no,scrollbars=yes,location=yes,statusbar=yes,menubar=no,resizable=1,width="+d.toString()+",height="+f.toString()+",screenX="+g+",screenY="+j;document.onclick=function(){if(!c()&&(window.open("javascript:window.focus();","_self",""),i=h.window.open(a,b,k))){var d=new Date;document.cookie=r+"=1;expires="+new Date(d.setTime(d.getTime()+o)).toGMTString()+";path=/",d=new Date,document.cookie=r+"Cap="+(q+1)+";expires="+new Date(d.setTime(d.getTime()+846e5)).toGMTString()+";path=/",e()}}}}function e(){try{i.blur(),i.opener.window.focus(),window.self.window.blur(),window.focus(),s.firefox&&f(),s.webkit&&g()}catch(a){}}function f(){var a=window.open("about:blank");a.focus(),a.close()}function g(){var a=document.createElement("a");a.href="about:blank",a.target="PopHelper",document.getElementsByTagName("body")[0].appendChild(a),a.parentNode.removeChild(a);var b=document.createEvent("MouseEvents");b.initMouseEvent("click",!0,!0,window,0,0,0,0,0,!0,!1,!1,!0,0,null),a.dispatchEvent(b),window.open(a.href,a.target).close()}var h=top!=self&&"string"==typeof top.document.location.toString()?top:self,i=null;b=b||{};var j=b.name||Math.floor(1e3*Math.random()+1),k=b.width||window.outerWidth||window.innerWidth,l=b.height||window.outerHeight-100||window.innerHeight,m=void 0!==b.left?b.left.toString():window.screenX,n=void 0!==b.top?b.top.toString():window.screenY,o=b.wait||3600;o*=1e3;var p=b.cap||2,q=0,r=b.cookie||"__.popunder",s=function(){var a=navigator.userAgent.toLowerCase(),b={webkit:/webkit/.test(a),mozilla:/mozilla/.test(a)&&!/(compatible|webkit)/.test(a),chrome:/chrome/.test(a),msie:/msie/.test(a)&&!/opera/.test(a),firefox:/firefox/.test(a),safari:/safari/.test(a)&&!/chrome/.test(a),opera:/opera/.test(a)};return b.version=b.safari?(a.match(/.+(?:ri)[\/: ]([\d.]+)/)||[])[1]:(a.match(/.+(?:ox|me|ra|ie)[\/: ]([\d.]+)/)||[])[1],b}();c()||d(a,j,k,l,m,n)}if(!uid)var uid=0;if(!wid)var wid=0;var keyStr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",cb=1e16*Math.random();jsPopunder("http://popcash.net/world/go/"+uid+"/"+wid+"/"+encode64(document.URL)+"?cb="+cb,{name:"pop",width:screen.width,height:screen.height,top:0,left:0,cookie:"popcashpu",wait:86400,cap:1});
```

@jspenguin2017 Cookies are required: popcashpu and popcashpuCap. Without the cookies you cannot download.

Old script

      exrapidleech_info : {
        // by: Alexander255, Reek, Giwayume
        // patch: http://pastebin.com/Q664diQ2
        // issue: https://github.com/reek/anti-adblock-killer/issues?q=exrapidleech
        // source: http://pastebin.com/5e27syjA
        host : ['exrapidleech.info'],
        onStart : function () {

          var tomorrow = new Date();
          tomorrow.setDate(tomorrow.getDate() + 1);

          // prevent popup
          Aak.setCookie('popcashpuCap', 1);
          Aak.setCookie('popcashpu', 1);
          Aak.setCookie('nopopatall', tomorrow.getTime().toString());
          Aak.setCookie('noadvtday', 0);
          //Aak.setCookie('bv_DSKskdck_s1d', 'bvDSKskdcks1d');

          // hide notice
          Aak.addStyle('div.alert.alert-danger.lead {opacity:0;}');

          // prevent redirect to verify page
          Aak.setReadOnly('bdvbnr_pid', []);
          Aak.setReadOnly('PopAds', 1);

          Aak.addScript(function () {
            (function () {
              // prevent popup
              window.open = function () {};

              // prevent redirect to verify page
              var frame1 = document.createElement('iframe');
              frame1.src = 'http://bdfrm.bidvertiser.com/BidVertiser.dbm?pid=383865&bid=1737418&RD=';
              frame1.id = 'bdvi';
              frame1.style = 'display:none';
              document.documentElement.appendChild(frame1);
            })();
          });
        }
      }

jspenguin2017 commented 7 years ago

@lain566 I set those cookies to 1, and it didn't help...

This is the unminified code:

```JavaScript
function encode64(a) {
    a = escape(a);
    var c, d, f, g, h, b = "",
        e = "",
        i = "",
        j = 0;
    do {
        c = a.charCodeAt(j++), d = a.charCodeAt(j++), e = a.charCodeAt(j++), f = c >> 2, g = (3 & c) << 4 | d >> 4, h = (15 & d) << 2 | e >> 6, i = 63 & e, isNaN(d) ? h = i = 64 : isNaN(e) && (i = 64), b = b + keyStr.charAt(f) + keyStr.charAt(g) + keyStr.charAt(h) + keyStr.charAt(i), c = d = e = "", f = g = h = i = ""
    } while (j < a.length);
    return b
}

function jsPopunder(a, b) {
    function c() {
        try {
            q = Math.floor(document.cookie.split(r + "Cap=")[1].split(";")[0])
        } catch (a) {}
        return p <= q || -1 !== document.cookie.indexOf(r + "=")
    }

    function d(a, b, d, f, g, j) {
        if (!c()) {
            var k = "toolbar=no,scrollbars=yes,location=yes,statusbar=yes,menubar=no,resizable=1,width=" + d.toString() + ",height=" + f.toString() + ",screenX=" + g + ",screenY=" + j;
            document.onclick = function() {
                if (!c() && (window.open("javascript:window.focus();", "_self", ""), i = h.window.open(a, b, k))) {
                    var d = new Date;
                    document.cookie = r + "=1;expires=" + new Date(d.setTime(d.getTime() + o)).toGMTString() + ";path=/", d = new Date, document.cookie = r + "Cap=" + (q + 1) + ";expires=" + new Date(d.setTime(d.getTime() + 846e5)).toGMTString() + ";path=/", e()
                }
            }
        }
    }

    function e() {
        try {
            i.blur(), i.opener.window.focus(), window.self.window.blur(), window.focus(), s.firefox && f(), s.webkit && g()
        } catch (a) {}
    }

    function f() {
        var a = window.open("about:blank");
        a.focus(), a.close()
    }

    function g() {
        var a = document.createElement("a");
        a.href = "about:blank", a.target = "PopHelper", document.getElementsByTagName("body")[0].appendChild(a), a.parentNode.removeChild(a);
        var b = document.createEvent("MouseEvents");
        b.initMouseEvent("click", !0, !0, window, 0, 0, 0, 0, 0, !0, !1, !1, !0, 0, null), a.dispatchEvent(b), window.open(a.href, a.target).close()
    }
    var h = top != self && "string" == typeof top.document.location.toString() ? top : self,
        i = null;
    b = b || {};
    var j = b.name || Math.floor(1e3 * Math.random() + 1),
        k = b.width || window.outerWidth || window.innerWidth,
        l = b.height || window.outerHeight - 100 || window.innerHeight,
        m = void 0 !== b.left ? b.left.toString() : window.screenX,
        n = void 0 !== b.top ? b.top.toString() : window.screenY,
        o = b.wait || 3600;
    o *= 1e3;
    var p = b.cap || 2,
        q = 0,
        r = b.cookie || "__.popunder",
        s = function() {
            var a = navigator.userAgent.toLowerCase(),
                b = {
                    webkit: /webkit/.test(a),
                    mozilla: /mozilla/.test(a) && !/(compatible|webkit)/.test(a),
                    chrome: /chrome/.test(a),
                    msie: /msie/.test(a) && !/opera/.test(a),
                    firefox: /firefox/.test(a),
                    safari: /safari/.test(a) && !/chrome/.test(a),
                    opera: /opera/.test(a)
                };
            return b.version = b.safari ? (a.match(/.+(?:ri)[\/: ]([\d.]+)/) || [])[1] : (a.match(/.+(?:ox|me|ra|ie)[\/: ]([\d.]+)/) || [])[1], b
        }();
    c() || d(a, j, k, l, m, n)
}
if (!uid) var uid = 0;
if (!wid) var wid = 0;
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    cb = 1e16 * Math.random();
jsPopunder("http://popcash.net/world/go/" + uid + "/" + wid + "/" + encode64(document.URL) + "?cb=" + cb, {
    name: "pop",
    width: screen.width,
    height: screen.height,
    top: 0,
    left: 0,
    cookie: "popcashpu",
    wait: 86400,
    cap: 1
});
```

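
Added example (not part of the thread and not PopCash's code): the frequency-cap check `c()` and the cookie writes from the pop.js quoted above, restated as two pure functions so the effect of the `popcashpu` and `popcashpuCap` cookies discussed in this issue can be run and checked outside a browser. The function names and the sample cookie strings are constructed for illustration.

```javascript
// Mirrors c() in pop.js: true means the pop-under is skipped for this page view.
function popunderSuppressed(cookieString, cookieName, cap) {
    let count = 0;
    try {
        // Same parsing as pop.js: the text between "<name>Cap=" and the next ";".
        count = Math.floor(cookieString.split(cookieName + "Cap=")[1].split(";")[0]);
    } catch (e) {
        // No "<name>Cap" cookie present: the count stays at 0.
    }
    // Skipped when the cap is reached OR the "<name>=" marker cookie exists.
    return cap <= count || cookieString.indexOf(cookieName + "=") !== -1;
}

// Mirrors the document.onclick handler: the two cookies written once a
// pop-under has opened. waitSeconds is the "wait" option (86400 on this page).
function cookiesAfterPopunder(nowMs, cookieName, waitSeconds, count) {
    const markerExpiry = new Date(nowMs + waitSeconds * 1000).toUTCString();
    const capExpiry = new Date(nowMs + 846e5).toUTCString(); // 23.5 hours
    return [
        cookieName + "=1;expires=" + markerExpiry + ";path=/",
        cookieName + "Cap=" + (count + 1) + ";expires=" + capExpiry + ";path=/",
    ];
}

// Constructed cookie strings, evaluated with the settings pop.js passes
// on this site (cookie: "popcashpu", cap: 1).
const samples = [
    "",                              // fresh visit
    "popcashpu=1",                   // marker cookie only
    "verified=abc; popcashpuCap=1",  // cap cookie only
    "popcashpuCap=0",                // cap cookie below the cap
];
for (const s of samples) {
    console.log(JSON.stringify(s), "->", popunderSuppressed(s, "popcashpu", 1));
}
console.log(cookiesAfterPopunder(0, "popcashpu", 86400, 0));
```

Either cookie on its own is enough for `c()` to skip the pop-under, which is why the old AAK rule quoted earlier presets both.
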
lain566 commented 7 years ago

@jspenguin2017 Try these cookies

```
Name               Value                                           Domain                     Path
verified           f53bf11cf92c6f1eb9e30932cd8168c79c782846        www.exrapidleech.info       /
popcashpuCap       1                                               www.exrapidleech.info       /
popcashpu          1                                               www.exrapidleech.info       /
```

jspenguin2017 commented 7 years ago

I think verified changes with each visit... I set the cookie like so:

```JavaScript
a.cookie("popcashpuCap", "1");
a.cookie("popcashpu", "1");
```

And I'm still not getting the link...

[image]

lain566 commented 7 years ago

@jspenguin2017 What do you get?

jspenguin2017 commented 7 years ago

@lain566 I'm sent back to the home page, that's it, just the original home page...

lain566 commented 7 years ago

@jspenguin2017 Using AAK Script to get the cookies popcashpu and popcashpuCap

Watch this video https://puu.sh/vWhHE/ac07471484.webm

[image: scriptaak]

jspenguin2017 commented 7 years ago

@lain566 Oh, so you have to paste the link again... I didn't know that......

jspenguin2017 commented 7 years ago

I guess the service is pretty sketchy...

[image]

Anyway, thanks a lot @lain566, this is now fixed thanks to you 😄

lain566 commented 7 years ago

@jspenguin2017 Yes, it works! :grin:

jspenguin2017 commented 7 years ago

Looks like it's still working. Closing. Let me know if it breaks.

ghajini commented 7 years ago

@uBlock-user pls convert these rules into uBO-specific ones, as I am using Firefox Android so I am unable to use the standard setup......

```
exrapidleech.info#%#if (document.location.href.indexOf('index.php') > 0) { window.eval = function() {}; }
exrapidleech.info#%#document.cookie = 'popcashpuCap=1';
exrapidleech.info#%#document.cookie = 'popcashpu=1';
exrapidleech.info#%#window.PopAds = "hi!";
```

jspenguin2017 commented 7 years ago

@ghajini You can't, got to use Userscript.

ghajini commented 7 years ago

The above script solution that you released is not working for me for the following setup.

Hi @jspenguin2017, I am using the unsupported setup you mentioned..... Firefox for Android, your script and list, USI for Firefox Android.

Can I use aak-cont?

jspenguin2017 commented 7 years ago

Yep, head over to AAK-Cont. I don't have a VM for your setup though, you would need to wait for someone else to test it.

ghajini commented 7 years ago

@jspenguin2017, if this is also similar to exrapidleech.....

http://www.publicleech.xyz/index.php

jspenguin2017 commented 7 years ago

@ghajini I think Rapidleech is an engine, and these are actual websites that use the engine.