Doesn't work most of the time since 2 days ago

[Mandrakia]

Hi I've been using it successfully for the past couple of months, but since 2 days ago it stopped working on http://www.japscan.to/ I noticed an update so I updated it but it still only works like 1 out of 10 times.

When debugging all seems good except after posting the answer the 301 response doesn't contain the cf_clearance cookie just the usual _cfuid

[Mandrakia]

There was an issue with the toFixed, I fixed it but it still doesn't work all the time, I'm still investigating

[zhkrb]

Not in toFixed , i'm checking

[Mandrakia]

Found it ! The S query parameter needs to be Url Encoded.

Once I did it success rate went way up.

[zhkrb]

Yes that's the point. The pass and the s value has encoded. Now it fixed in latest version. And by the way , you need visit website for https , it will throw IOException: Cleartext HTTP traffic to xxx.x.xxx.xx not permitted when running in Android P for http

[Mandrakia]

And another crash now. They changed the script, lots of eval and other stuff now.

Problem is here :

List b = regex(str,varA+"\."+varB+"(.+?)\;");

It's not greedy enough now that they added function definitions etc.

Aaaand there's dom checking now. Inner scripts evals the value of t and k variables.

t is easy to define it's the host name k is the ID of a hidden div that contains some more binary values.

I'm working on it

I give up 👎

Implementing the getElementById.innerHtml(k) was easy enough, but the evals require some functions like atob and btoa which are not implemented in V8

[Freddy12]

They are using just atob which is basically decodes base64.

They are always the same: atob("ZG9jdW1l") - docume atob("aW5uZXJIVE1M") - innerHTML

[Mandrakia]

I'm trying to implement atob by doing some java callbacks It's still not enough even with atob lots of other stuff I don't quite understand "italics"/"fill" etc

[Mandrakia]

var t='www.japscan.to';var k='test';var document = {}; document.getElementById = function(elem){ return {innerHTML :'+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((+!![]+[])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(+!![])+(+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]))'};};var a=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![])+(+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!![]))/+((!+[]+!![]+!![]+!![]+[])+(+[])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));a-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+[])+(!+[]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));;a=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+!![]))/+((!+[]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(+[])+(+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]));;a+=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]));;a=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(+!![]));;a=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]));;a+=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));;a-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+[])+(+[])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]));;a=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]))/(+(+((!+[]+!![]+!![]+[])+(+[])+(!+[]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])))+(function(p){return eval((true+"")[0]+"."+([]["fill"]+"")[3]+(+(101))"to"+String["name"][1]+(false+"")[1]+(true+"")[1]+Function("return escape")()(("")["italics"]())[2]+(true+[]["fill"])[10]+(undefined+"")[2]+(true+"")[3]+(+[]+Array)[10]+(true+"")[0]+"("+p+")")}(+((!+[]+!![]+!![]+!![]+!![]+[])))));;a-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(+[]));;a+=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((+!![]+[])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]));;a-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]));;a-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]));;a*=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((!+[]+!![]+!![]+!![]+!![]+[])+(!+[]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+[]));;a-=+((!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![])+(+[])+(!+[]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]))/+((+!![]+[])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![])+(!+[]+!![]+!![])+(!+[]+!![]+!![]+!![]+!![]+!![])+(!+[]+!![]+!![])+(+[]));;

That's my script avec my modifications, it runs without issues in chrome and returns a double. In v8 it crashes due to some undefined method

[Freddy12]

It probably doesn't like something in this peace:

+(function(p){return eval((true+"")[0]+"."+([]["fill"]+"")[3]+(+(101))"to"+String["name"][1]+(false+"")[1]+(true+"")[1]+Function("return escape")()(("")"italics")[2]+(true+[]["fill"])[10]+(undefined+"")[2]+(true+"")[3]+(+[]+Array)[10]+(true+"")[0]+"("+p+")")}

It has "undefined" in the middle.

Maybe fill function acts differently in V8 then in browser?

[Mandrakia]

it encodes to t.charCodeAt(p) but I had to hardcode it because v8 was unable to get to that result. I don't know why.

[Mandrakia]

I get the code answer without a crash now, but it still doesn't work no clue as to why...

[Freddy12]

I'm working to solve this in my private project as well (my own implementation).

I basically at the same step as you.

If I get any luck will let you know.

[Mandrakia]

Great 👍 So far my steps from current version to where I am :

• Changed the script parsing (Replaced regex to be more greedy)
• Defined t,k variables in the script
• Defined a dummy getElementById.innerHTML to return the content of the hidden DIV
• Hardcoded a replace of the fill/escape/undefined string with t.charCodeAt(p)
• Made a Java callback for atob to return the decoded b64 string

So far it runs without a crash and generates a code. Problem is, it is not valid apparently.

I must be missing something.

[Freddy12]

I did the same steps and also missing something.

It seems that Java scrip engine (V8) is doing something differently than browser.

I did try to compare the answers which I get in Java and browser (giving browser 100% the same processed javascript code which I pass to Java script engine).

The browser gives one number, java slightly another (few decimals at the end are off).

Not sure why at the moment.

[Freddy12]

Nevermind, the numeric answers seems to be fine (same as in browser), but it still doesn't want to accept it.

[Freddy12]

It actually seems to work.

If you're getting 403 status -> it asks you to solve a captcha (after solving it finally gives correct webpage response).

If you're still getting 503 - something is wrong.

I'm still not sure why it asks to solve captcha since via browser there is no need for captcha.

[Freddy12]

I have noticed today they have changed the code back to old version.

Probably people were having too much problems with new version.

[zhkrb]

It looks like they are rolling back the code. In that code they use eval(t.charCodeAt()), only need to define t value(Website domain name) But I don't know why it wasn't work until now. The answer is the same as the browser , but still not set cf_clearance.

Until the last few minutes , it works fine????? So....sleep on it

[Freddy12]

Yeah, I wish I went to sleep earlier yesterday :)))

[Mandrakia]

Cloudflare just rolledback the changes, it's back to simple maths operations.

[tmxd09887]

Thank you all, very useful information

[Freddy12]

They again changed it to the more difficult version (with atob and other stuff).

Anyone got it working?

[zhkrb]

I have update the code. Now it can pass some test sites,but sometimes still not set the cookie.

Try to use latest version or View changes

[Freddy12]

For some sites after making GET request to that Cloudflare check (with correct answer) -> it gives 403 (not 503) and you just need to solve a Re-Captcha now. After solving the Re-Captcha is finally show the intended web page.

[zhkrb]

Yes, you need other code to bypass the Captcha page, try this

[Freddy12]

I wonder why they even give that 403 with captcha?

Via browser it never gives me any captcha challenge at all.

It seems like the request from java could still be improved so that they won't give any captcha (like via browser).

[Mandrakia]

On the website I use it for, (japscan.to) I managed to have it working as before, the last error was that the final value isn't answer+(host.length) but just the answer.

[zhkrb]

I commented out in the code in the last two vsersion，It worked well in my tests(http://www.japscan.to).

[Mandrakia]

Working well on android now, last step is my server (.Net) which despite having the same algorithm returns a captcha all the time :/

[Freddy12]

Anyone manage to make correct request to Cloudflare so they won't show any captcha?

Since they don't show any captcha via browser.

[Mandrakia]

My version of this project works fine but I tried to refactor it/change some logic a bit and now captcha all the time. I have absolutely no clue as to what triggers the captcha. Answser/Redirect URL is absolutely the same, the timing also. Only changes are some headers in the redirect call but still no idea what triggers the captcha.

[bercy46]

Last comment was in may, what's the status on this ? I was also using a refactored version of this code on the lowvig.ag web site (I'm not using Android, so basically had to replace TextUtils with StringUtils), and lately I too am always getting a captcha. Can anyone confirm that the code won't work on that web site ? Does anyone know of another way to beat Cloudflare ?

[zhkrb]

reCAPTCHA is using ip pool to verify user or bot. When an ip visit exceeds a certain range or reCAPTCHA think you are a robot, Cloudflare will return other types verification. You need to handle it yourself

[bercy46]

So, are you saying that solving the captcha manually once will unblock it for subsequent bot access, or that my ip address is burnt and I need to get another one ?

[zhkrb]

In fact, once you are considered to be problematic by reCAPTCHE, you will get other types verifications back more than once, Using other ip may be effective. And I found that cloudflare changed his code, But I don't have time to update the code now, so you may need to use another repo. sry