Custom Chromium Build to Reverse Engineer Pop-Under Trick

  • Published 12 Sep 2024
  • I wanted to compile a custom Chromium 68 build to totally ignore the obfuscated JavaScript. That was a cool experience, but in the end not necessary - the trick was super simple and works on Mac, Windows and Linux.
    Chromium Issue 833148: bugs.chromium....

COMMENTS • 353

  • @ELYESSS
    @ELYESSS 6 years ago +814

    The popunder developer is gonna put a hit on you

    • @neut1121
      @neut1121 6 years ago +16

      HAHAHAHAHAHAHAHAH made my day

    • @threeMetreJim
      @threeMetreJim 5 years ago +11

      Except that by showing people how to go about reverse engineering these things, then there will be too many people to put a hit out on. One less programmer won't make a dent, the beauty of sharing the details (assuming it can't help anyone else that might be malicious during the time the bug is being fixed).

    • @Alexmagno7
      @Alexmagno7 4 years ago +19

      @@threeMetreJim it was clearly a joke but ok

    • @kieranjohn81
      @kieranjohn81 3 years ago +2

      could say he is going to POP a cap 🕶

    • @Rudxain
      @Rudxain 2 years ago

      They're gonna pop a vein lol

  • @Pesthuf
    @Pesthuf 6 years ago +614

    I can't help but admire those people for finding these bugs again and again.
    Reverse engineering them is one thing, but actually discovering them is really impressive.
    Don't get me wrong, I hate popunders as much as everyone here.

    • @LiveOverflow
      @LiveOverflow 6 years ago +165

      Nono I get that. I’m impressed too! Hating pop under doesn’t mean I can’t appreciate finding crazy creative bugs to do it ;)

    • @manuellopes1269
      @manuellopes1269 5 years ago +1

      @@LiveOverflow one question: how do I download all files in the devtools? I can save one file at a time, but I need to save all files, and only one at a time is very bad. Is it possible to multi-save files in the Sources menu?

    • @andrisb1
      @andrisb1 5 years ago +2

      @@manuellopes1269 Not sure if it's possible in dev tools. I usually use a separate tool. For MacOS there is Site Sucker that clones the entire site. I remember linux had a few similar tools available as part of Kali Linux

    • @manuellopes1269
      @manuellopes1269 5 years ago

      @@andrisb1 thanks bro, I don't have linux, only win10

  • @ingeralhaosului
    @ingeralhaosului 6 years ago +204

    For that debugger trap you can use the "never pause here" feature of Chrome's debugger by right clicking on the line number with the debugger statement.

    • @Anonymouspock
      @Anonymouspock 5 years ago +52

      Wow, they really are giving the malware developers the finger. Good.

    • @samus543654
      @samus543654 5 years ago +34

      @@Anonymouspock The Chrome dev tools are incredible and most people use less than 1% of what they offer.

    • @LiEnby
      @LiEnby 5 years ago

      haha thx google xD

    • @puppy0cam
      @puppy0cam 1 year ago +3

      that's fairly easy to bypass with a simple call to eval() since it creates a new "script" for that every time.

  • @jamesherrero7334
    @jamesherrero7334 6 years ago +126

    This actually taught me how to debug JavaScript properly 😂!! win win

  • @smithwillnot
    @smithwillnot 6 years ago +369

    Thinking about this makes me realize that there is a "battle" between greedy programmers who just want to find exploits to earn money (people who make those pop-under javascript libraries) and guys like you who try their best to quickly figure out their exploits and report them so that they get fixed. Now, every time pop-up/pop-under gets introduced I'll remember this, browsing the internet will never be the same again, at least for me. Thank you for your hard work!

    • @quaternaryyy
      @quaternaryyy 6 years ago +16

      Also partly why bug bounty programs are so important!

    • @ko-Daegu
      @ko-Daegu 6 years ago +1

      Aleksandar Delic
      Who also get paid when they report it hmmmmm

    • @rabbitdrink
      @rabbitdrink 6 years ago +9

      Yes, security software engineers are constantly at war with greedy software engineers.
      Reverse engineering is fun, you should try it. It can even end up doing your homework for you, if your homework is on a site that doesn't have properly written code like iready if you have the world's most tedious tests to do too.

    • @circuit10
      @circuit10 6 years ago +1

      Hansbald Chromium is open source. It would also help the community

    • @gafeht
      @gafeht 6 years ago

      Aleksandar Delic
      Very loose usage of the word "earn" don't you think?

  • @JohnDoe-hz1yh
    @JohnDoe-hz1yh 6 years ago +39

    @LiveOverflow. Funny thing is that back in 2012 a ticket was opened to discuss if it would be possible to pass user gestures over postMessage. Back in 2012 it was quickly dismissed as too difficult to implement and too easy to exploit. Fast forward a couple of years and a couple of replies later this feature was implemented regardless and merged into master. So that discussion back in 2012 led to this exact and predicted issue. bugs.chromium.org/p/chromium/issues/detail?id=161068.

    • @LiveOverflow
      @LiveOverflow 6 years ago +9

      that's amazing! thanks for the background info

    • @JohnDoe-hz1yh
      @JohnDoe-hz1yh 6 years ago +7

      Simply put, the user gesture is a token that can be used to verify an event is initiated by the user. These tokens are thrown onto a stack from which privileged actions simply pop the first available token. If the stack is empty then the gesture was already consumed or the method was not user initiated. This verification becomes more difficult when your call stack is asynchronous and running in a different context (visualized at ~ 4:55 in the video).

    • @LiveOverflow
      @LiveOverflow 6 years ago +4

      yeah, that's kind of how I imagined it to work. keeping track of that is easy in a synchronous call, but as soon as it could run at anytime, it gets awful.

    • @JohnDoe-hz1yh
      @JohnDoe-hz1yh 6 years ago +6

      For anyone interested, the full scope of this issue can be found in the following Google doc. It also has great practical information on how race conditions are created and the problems they cause. docs.google.com/document/d/16BfnRRzCtd5nEyTp7vTI8qbCBMFAls0EKz5s0nJ5vKc/edit#heading=h.tkbr16in6mdm

  • @Porama6400
    @Porama6400 6 years ago +439

    You are a pure genius!
    I'm sure those people who make the library are flipping all the tables in their office by now.
    Great job! Thank you for sharing it 😄

    • @WolfrostWasTaken
      @WolfrostWasTaken 6 years ago +49

      They are already thinking about a new way, I'm pretty sure, since there is big money involved. It's a constant war

    • @Porama6400
      @Porama6400 6 years ago +16

      Seems like they're having a hard time keeping up 😄😄

    • @julius_trifinity
      @julius_trifinity 6 years ago +8

      But we're just having as much fun as they are

  • @hex7329
    @hex7329 5 years ago +13

    As of December 2018 they are still using tab unders in Chrome 71. Nice work.

  • @rajkhattar2830
    @rajkhattar2830 6 years ago +23

    Even after watching so many of your videos, I'm still boggled by the way you think and approach security, bugs and programming in general. It just seems like second nature... You find out what is to be done and boom! It's implemented.
    As a beginner, I still get stuck in implementing simplest of tasks, not able to "get" how I can implement something I want to in code, especially when I'm not familiar with the language... It's highly motivating to watch experienced people like you as it inspires me to work hard till the time I can be as fluent as you are... till the time code becomes second nature.
    Amazing video :)

    • @LiveOverflow
      @LiveOverflow 6 years ago +10

      It is just experience over a long time ;)

    • @dexterman6361
      @dexterman6361 3 years ago

      @@LiveOverflow How long, if I may ask? Is it too late to start at 23?

  • @cannuhlar8229
    @cannuhlar8229 6 years ago +22

    If you clone the repo using --depth 1 arg you will end up with much smaller source code. ~4.5 GB

  • @georgigeeksky8349
    @georgigeeksky8349 6 years ago +146

    Thank you for that interesting video! And some people I'm sure are angry for that, but keep up the good work!!

    • @BasiliskHill
      @BasiliskHill 6 years ago +3

      I mean, the people getting angry would also probably be going directly against the ToS and what the developers of the software want to have happen. So yeah, anger them; help out the devs.

  • @zeroangelmk1
    @zeroangelmk1 5 years ago +11

    I'm no developer, but I'm glad this video popped under my recommendations.

  • @95mcat
    @95mcat 6 years ago +10

    If I'm not mistaken you can right click on the number of the line in the dev tools and choose "Never stop here" to get rid of the debugger

    • @LiveOverflow
      @LiveOverflow 6 years ago +8

      It’s dynamically created (eval) code. Unfortunately this doesn’t work there

  • @almarc
    @almarc 6 years ago +124

    LO - That totally makes sense! How didn't I understand that earlier?
    Me - Yeah, damn right. *Molten brain dripping down to floor*

    • @definesigint2823
      @definesigint2823 5 years ago +4

      Yeah, and I thought it was L0, not LO, so short for "level 0" (like a ring 0 message) until I read your comment. :/

  • @bravosk8erboy
    @bravosk8erboy 6 years ago +1

    Not many people on YouTube can say this but you actually make the internet a better place. Thank you

  • @smithwillnot
    @smithwillnot 6 years ago +39

    You are the hero we need, but not the one we deserve!

  • @kyriii23
    @kyriii23 6 years ago +1

    Not only are you doing good work by finding these bugs. But you are also explaining and educating the process to get there. This is so entertaining and interesting! Thank you so much for sharing your thought process.

  • @Ariana-dn4mm
    @Ariana-dn4mm 6 years ago +7

    Oh wow such a simple but effective method, was also expecting something completely insane.

  • @lifebarier
    @lifebarier 6 years ago +2

    Whoever is finding these chrome pop-under exploits - full respect. I would never think of anything like that.

  • @itsxxxiang3865
    @itsxxxiang3865 4 years ago

    In-page push is an extremely interesting ad format! I use MonadPlug in-page push, and cannot believe how much I am making just on this ad format only. It's most certainly the ad format of the future!!

  • @Xerdies
    @Xerdies 6 years ago +1

    I am somewhat sorry to hear that you went through all the trouble of compiling chrome. Still pretty cool :) Also subscribed - Guess I will watch more from you now.

    • @LiveOverflow
      @LiveOverflow 6 years ago +2

      Don’t be! I was happy to have a reason to try it. Learned more stuff!

    • @Xerdies
      @Xerdies 6 years ago

      That's the best reply one could have given by far. Good view on such things :)

  • @daanvz2612
    @daanvz2612 6 years ago +2

    The amount of work that you put into these videos is incredible. You are probably my favourite channel on YouTube right now. I'm currently studying cyber security and recommending your channel to everyone!

  • @xYouTubax
    @xYouTubax 6 years ago +2

    Wow already fixed and integrated into chrome 67. Too few big players respond to bug reports that quick. Really nice to see.
    The library makers now need to sell as much licences as they can before chrome 67 hits :D

  • @EmanuelFrias
    @EmanuelFrias 6 years ago +21

    Awesome!! Just in time when I should study for my finals!

  • @x0acake
    @x0acake 5 years ago +1

    I admire the bravery in diving into Chrome source code but FYI you should always assume it's unnecessary. window/document/elements are all instances of the EventTarget prototype.
    So you can intercept every event listener with just:

    const orig = EventTarget.prototype.addEventListener;
    EventTarget.prototype.addEventListener = function(){
      const [eventName, fn, capture] = arguments;
      console.log('someone tried to create event listener', eventName, 'for', this, 'with function ', fn);
      orig.apply(this, arguments);
    }

    If you run this in a userscript (with Tampermonkey) with @run-at document-start, it will capture event listeners before any other javascript has had a chance to load. I use this technique to modify web-based games.

  • @flaffen1902
    @flaffen1902 6 years ago +101

    I've always thought something like Chromium source code is for gurus only. But when I watch how you just casually say "So I've decided to look into Chromium source code to figure out what's happening" and then actually make something useful out of this idea not knowing how it even works inside I get stunned. You seem to view it not as source code, but as a tree of abstractions. And you find and use these abstractions really well. My approach here would be to look for some articles on how Chromium works internally, maybe read Chromium docs, try to finally look at the source code and fail miserably. It's just too big. Plus I'm extremely inexperienced, maybe that's the reason I still look at source code with a bit of uncertainty and frustration. "Will I understand how it works? Do the devs provide good documentation? What if the source code is a mess" and so on. But watching your videos made me think about how I approach such tasks. Thank you, great work!

    • @LiveOverflow
      @LiveOverflow 6 years ago +41

      I totally understand! I stopped being afraid of code and just looked into it. Sometimes it can be very complex and then I give up, but most of the time there is a simple function with a logical name somewhere.

    • @TheAkashicTraveller
      @TheAkashicTraveller 6 years ago +1

      It looks like it helps a lot knowing about frameworks like dom so that, when the dev's use them at least, you don't have to try guessing what such and such dev' decided to call it.

    • @victornpb
      @victornpb 6 years ago +1

      Usually the way I approach it is to look bottom-up and top-down, and try to guess and fill the in between, when trying to figure out how unknown code base works. Very similar to sources and sinks mindset.

    • @JoJoModding
      @JoJoModding 6 years ago +3

      Most programmers look at other code and read about programming, so there tends to be a common mindset about how to write and structure software. If you think about how you would structure your project if you were to try and build something similar, the result is quite likely going to be rather close to the thing you're trying to mimic.
      Also, if you look at class names and a few methods, you can often spot a few design concepts and then work from there.

    • @protowalker
      @protowalker 6 years ago

      Well, he knew he needed DOM, so he looked up what chromium's dom engine was and found that file. Then he ctrl f'd for create element. Code is usually broken up into pieces and it becomes a lot easier to understand after you isolate down to the level you need.

  • @yoshi314
    @yoshi314 6 years ago +2

    80gb of disk space to build chromium? that is insane! i haven't built it in years, but it was never this bad - at least on linux.

  • @christiancastellanos4347
    @christiancastellanos4347 6 years ago

    I love your explanation process, each step is very detailed and your thinking methodology is well documented. Keep up the good work!

  • @Kitsudote
    @Kitsudote 6 years ago +8

    I always feel so ashamed when i overlook something obvious like the async functions.. glad to see it happens to the best :)

  • @JonathanGray89
    @JonathanGray89 5 years ago +6

    I'll be honest, I was quick in figuring out it was an async callback trick (as soon as I fully comprehended the timeline shown at 4:00). I expected you to look into using postMessage to open the popups as soon as you found it as the originator at 6:53. Very nice work though, keep it up.

  • @DaffyDaffyDaffy33322
    @DaffyDaffyDaffy33322 6 years ago

    1 minute of video watched and a quick glance at your other videos earned you an instant subscribe. This stuff is awesome.

  • @CsBence98
    @CsBence98 5 years ago +5

    LO was like, "I better download & build Chromium" and then "Oh cool, I didn't need it after all". I'd have been outraged :P
    Also, since you checked out Chromium, you are able to fix it up for yourself :D

  • @PhrontDoor
    @PhrontDoor 6 years ago

    That's why I used custom builds all the time (when I can).. it lets me get around DEBUG checks and lets me control how much detail I can view.

  • @metalpachuramon
    @metalpachuramon 6 years ago +1

    Awesome! Although I'm suspecting this type of videos will become a popular and requested entry in your channel

  • @vonforum
    @vonforum 6 years ago

    While I agree with you saying that you hate pop-unders, I still love them because I love seeing you reverse engineer obfuscated JS.

  • @hgbugalou
    @hgbugalou 6 years ago

    You are doing God's work. People who lean on these techniques to 'advertise' are the scum of the earth. Seriously, who has ever, ever, made a purchase from a pop under ad? The lengths they go to these days makes me have zero sympathy for sites I use ad block on. Your methods of advertisement via annoying and tricking the end user are just reprehensible. Site owners that rely on ads need to reevaluate their designs that rely on these shady techniques.

  • @austinmartin9515
    @austinmartin9515 2 years ago +1

    I know this is old, but you can use Burp to remove any debugger() statements so you can still use the Chrome debugger functionality

  • @rajshah8143
    @rajshah8143 6 years ago +1

    awesome and unique tutorials...thanks for these videos...when most channels focus on using the pentesting tools...this channel really teaches us what underlying hacking is all about...one of my best channels on YouTube

  • @darkscissors1458
    @darkscissors1458 6 years ago

    These videos are so interesting, you should make more videos where you try to look at malicious code that is obfuscated and try to recreate it like this.

  • @tommytomtomtomestini3894
    @tommytomtomtomestini3894 6 years ago +13

    For the longest time, I've wanted a setting in browsers that would suppress ALL open tab/window functions no matter where the call came from. This setting should be easily accessible so I can allow popup for say, the bank or better yet, create a white list of domains for it.
    Thought of hacking it together into a custom built Firefox, but then I got lazy because I thought of all the FF updates and I'd have to rebuild and maintain the feature.

    • @victornpb
      @victornpb 6 years ago +1

      this is easily doable with built-in blocker rules, I suppose

    • @tommytomtomtomestini3894
      @tommytomtomtomestini3894 6 years ago

      Yeah I know about that feature, but it still lets a lot of popups through. My implementation would be more blunt by just returning from window.open() method in C++ codebase without executing anything at all.

    • @essamal-mansouri2689
      @essamal-mansouri2689 6 years ago +3

      You can probably do that with a plugin or something that inserts window.open equal to some function that doesn't do anything at the top of every page visited. Also, if you actually did have to custom build Firefox, the process of merging new changes, rebuilding and installing the updates on your PC could be largely automated.

    • @Sypaka
      @Sypaka 5 years ago

      You mean "Permissions" on JavaScript? Do it!

  • @MilMike
    @MilMike 6 years ago

    78 GB of source code???? holy crap.... holy crap man. and god bless you for finding that annoyance, you are a hero!

    • @LiveOverflow
      @LiveOverflow 6 years ago

      pure source code is much less. But you need this much disk space to build/compile it. It will generate massive amounts of intermediate build stages.

  • @trieulieuf9
    @trieulieuf9 3 years ago

    Yayyy, Popunder is just tab-under now.

  • @fission1110
    @fission1110 6 years ago

    This was so good. You're the batman of pop under bugs.

  • @TonyVirelli
    @TonyVirelli 5 years ago

    You are the hero the world needs!

  • @bulzika
    @bulzika 6 years ago +4

    Why not call the original setTimeout function in the modified one, so that you log the function call and also do not break the code. This can also be applied to other interesting JavaScript functions, to get something like JavaScript instrumentation.

  • @TNothingFree
    @TNothingFree 6 years ago +1

    Amazing work!
    JS can be really tricky, especially when trying to secure websites :)

  • @TF2Gaming101
    @TF2Gaming101 6 years ago

    ignoring the pop-up blocker? you are a genius

  • @DiThi
    @DiThi 5 years ago +2

    3:50 I would then call the actual timeout function, but only when it's not calling debugger. There's many ways you can identify the unwanted calls. Maybe just ignoring the calls with 5000 ms.
    (editing comment as I watch the video)
    7:00 That's obviously a web worker.
    14:25 Huh, no web worker necessary?

  • @triularity
    @triularity 2 years ago

    Another option that might have been possible is to break the link to the script doing the popup (e.g. rename the key/function it's under) and hope whatever is referencing it to be triggered later aborts with an error.

  • @subcinericius
    @subcinericius 6 years ago

    Doing gods work right here!

  • @felchore
    @felchore 6 years ago

    Very interesting video, I like how you present your thoughts and how your process information. Nice work !

  • @weiwenang1302
    @weiwenang1302 6 years ago

    This website teaches me more practical stuff than my university

  • @samfoxman7046
    @samfoxman7046 6 years ago +5

    You could modify V8 to change the debugger keyword to something else, the anti-debugger wouldn't work and you could add the custom keyword to trigger the debugger

  • @cristianiiacob
    @cristianiiacob 6 years ago

    Awesome work! Thanks for your contribution to us all chrome users.

  • @gerot
    @gerot 6 years ago

    nice i think they might just updated it unless it already been out awhile just got the green update required sign on chrome =) i got it almost instantly while watching this video, great content as always!

  • @abe_is_live
    @abe_is_live 5 years ago

    doing the lords work son

  • @not-yourbusiness
    @not-yourbusiness 6 years ago

    U are incredibly strong into Browser Code and techniques gg can't wait to see what will be next

  • @hblaub
    @hblaub 6 years ago

    Cat and mouse in the browser ;-) awesome detective work

  • @ealugovoy
    @ealugovoy 1 year ago

    Amazing work, dear!

  • @mariustancredi2192
    @mariustancredi2192 6 years ago

    His code is obfuscated with an open source obfuscation engine, there are a few templates that the engine uses to detect unminimization and tampering of anti-debugging code, the templates are here, could help you recognize a few code patterns that this engine generates: github.com/javascript-obfuscator/javascript-obfuscator/tree/master/src/templates
    Basically, the code will match a few small functions with RegExp and enter an infinite loop or just throw an error if the test fails. The template code tries to decoy itself as a library (e.g. cookie manipulation functions), also sometimes it uses Unicode to mask difference in two strings, a lot of good tricks.

  • @Jellyg00se
    @Jellyg00se 6 years ago

    Well done mate, that was some good investigation work. Keep at it :)

  • @KappaXBeta
    @KappaXBeta 5 years ago

    Amazing to see your thinking way, but also poor people who use this script and don't know all the security problems they create by using postmessage

  • @khalidmkhan
    @khalidmkhan 6 years ago

    Nearly 100k subs! I thought I'd better sub and help you on your way!
    Great content.

  • @Mynameisfrancesco96
    @Mynameisfrancesco96 6 years ago

    I would like to see one of your videos about code virtualization and obfuscation. For example VMProtect on windows or any other software that virtualizes and obfuscates the assembly of an executable. I obviously don't ask for a guide to reverse it, but just a quick analysis and explanation on how they work. It would be interesting to me. Thank you and great work with this channel.

  • @TheTrueSmitch
    @TheTrueSmitch 6 years ago

    Amazing work!

  • @dantenotavailable
    @dantenotavailable 6 years ago

    Aaand 5 days after the initial report there's a patch committed to the repo... Props to all.
    I love this continuing battle between popunder libraries and LiveOverflow.

  • @nolifeorname5731
    @nolifeorname5731 6 years ago

    Great video! Nice find

  • @flflflflflfl
    @flflflflflfl 6 years ago

    This channel is so much fun!

  • @kabal321321
    @kabal321321 6 years ago +3

    "Fixed, will request a merge to M67 on Monday."

  • @MihkelKukk
    @MihkelKukk 5 years ago

    doing gods work here

  • @Calvin420GetRektM8
    @Calvin420GetRektM8 6 years ago

    Advertising agencies will truly hate you :D

  • @florianm.5128
    @florianm.5128 6 years ago

    Amazing work and write-up. You are a hero :)

  • @s0lanav
    @s0lanav 6 years ago

    You really inspire me, thank you for making videos

  • @GottZ
    @GottZ 5 years ago

    dude. just create a stack trace in settimeout and check if it matches the debugger location. you could also tostring the callback and check if it matches.
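
    The setTimeout wrapper suggested in several comments above (log the call, forward it to the original, skip only the anti-debugging callbacks), as an added example that is not from the video or from any commenter. The names instrumentTimers, containsDebugger and fakeWindow are made up here, and the stack slicing assumes V8's stack format.

```javascript
'use strict';

// Default predicate: drop callbacks whose source text contains a `debugger`
// statement. A caller can pass its own predicate on delay or stack instead.
function containsDebugger(record) {
  return /\bdebugger\b/.test(record.source);
}

// Wrap target.setTimeout / target.setInterval so every call is logged and
// then forwarded to the original, unless shouldDrop(record) returns true.
// `target` is `window` in a browser; any object with both methods works.
function instrumentTimers(target, shouldDrop = containsDebugger) {
  const log = [];
  const originals = {
    setTimeout: target.setTimeout,
    setInterval: target.setInterval,
  };

  for (const api of Object.keys(originals)) {
    const original = originals[api];
    target[api] = function (callback, delay, ...args) {
      const record = {
        api,
        delay,
        // String callbacks are legal for timers, so handle both forms.
        source: typeof callback === 'function'
          ? Function.prototype.toString.call(callback)
          : String(callback),
        // In V8, lines 0-1 are the "Error" header and this wrapper's frame.
        stack: String(new Error().stack).split('\n').slice(2, 6)
          .map((line) => line.trim()),
        dropped: false,
      };
      record.dropped = Boolean(shouldDrop(record));
      log.push(record);
      if (record.dropped) {
        return 0; // clearTimeout(0) and clearInterval(0) are no-ops
      }
      return original.call(target, callback, delay, ...args);
    };
  }

  return {
    log,
    restore() {
      Object.assign(target, originals);
    },
  };
}

// Constructed demo: a stand-in for `window` whose timers only record that
// they were reached, so the run is deterministic and needs no browser.
function demo() {
  const reached = [];
  const fakeWindow = {
    setTimeout(fn, delay) { reached.push(['setTimeout', delay]); return 41; },
    setInterval(fn, delay) { reached.push(['setInterval', delay]); return 42; },
  };
  const hook = instrumentTimers(fakeWindow);

  const ids = [
    fakeWindow.setTimeout(function trap() { debugger; }, 5000), // dropped
    fakeWindow.setInterval('debugger', 100),                    // dropped
    fakeWindow.setTimeout(function work() { return 1; }, 250),  // forwarded
  ];
  hook.restore();
  return { ids, reached, log: hook.log };
}

console.log(demo().log.map((r) => `${r.api} ${r.delay}ms dropped=${r.dropped}`));
```

    In a browser this would be called as instrumentTimers(window) before the page's scripts run. A reply further down the page says the debugger statements sit inside obfuscated strings that are decrypted and evaled, so the callback's own source may not contain the keyword; in that case pass a predicate on record.delay or record.stack instead.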

  • @morwar_
    @morwar_ 6 years ago

    Man this is amazing. Great video.

  • @digitzero3613
    @digitzero3613 6 years ago

    Amazing work as always Sir !

  • @lightarmanov6266
    @lightarmanov6266 6 years ago

    The war for the popunder

  • @firstlast9251
    @firstlast9251 6 years ago +1

    What font were you using in Sublime?

  • @AneeshDogra
    @AneeshDogra 6 years ago

    You are so cool LiveOverflow. Amazing video.

  • @GameCode64
    @GameCode64 6 years ago +36

    @LiveOverflow why don't you use Alert() as a breakpoint when the script stops the debugger?

    • @LiveOverflow
      @LiveOverflow 6 years ago +54

      Mmhmhmhmmhmhmhhmhmmhmhmmhm. Never thought about that :D

    • @confuseh
      @confuseh 6 years ago +1

      removing debugger break behavior would be handy but keeping up with the repo updates could be a pain

    • @omri9325
      @omri9325 6 years ago +1

      It has some limitations. After you call alert native events stop propagating. It might be true for postMessage too.

    • @0xbenedikt
      @0xbenedikt 6 years ago +1

      Why can't you just do a search & replace of all debugger statements and delete them?

    • @LiveOverflow
      @LiveOverflow 6 years ago +9

      The debugger statements are inside obfuscated strings that get decrypted and evaled etc.

  • @RobertGallop
    @RobertGallop 6 years ago

    Awesome game of cat and mouse going on, GOOD WORK!

  • @X3eRo0
    @X3eRo0 6 years ago +9

    What do I say. I got to watch behind the scene of reporting a bug

  • @ms2649
    @ms2649 5 years ago

    The popunder "owner" must hate you really badly for doing this 😆

  • @M4erSam
    @M4erSam 5 years ago

    fixed now Good job!

  • @ferrisateniese6435
    @ferrisateniese6435 6 years ago

    That's just one awesome video :) Thank you

  • @janliebrecht1994
    @janliebrecht1994 5 years ago

    Really great work, highly appreciate it =)

  • @asafcohen3562
    @asafcohen3562 5 years ago

    I really like your content

  • @jagc2206
    @jagc2206 5 years ago

    That's some crazy build time, about 5 times of firefox on my I 975k

  • @solidsnake8392
    @solidsnake8392 6 years ago

    You are a beast! Great video 😄

  • @lgoosmasterl
    @lgoosmasterl 6 years ago

    the real MVP

  • @automata8973
    @automata8973 6 years ago +1

    Super awesome. How much time did it take to find the whole popunder bypass for u ?

    • @LiveOverflow
      @LiveOverflow 6 years ago

      maybe ~6h... there is a lot of trial and error, repeating stuff, waiting for compilation, ... etc
      If you want to see how painfully slow I am, you can checkout the popunder livestream I did a while ago.

    • @automata8973
      @automata8973 6 years ago

      Sure I will check it out. But 6h is super less maybe. For me it would have taken days.

  •  5 years ago

    Got curious if popupunder works for current chrome v77 but I cant find its homepage. :D Hilarious! Good work!

  • @waqarahmed4200
    @waqarahmed4200 6 years ago

    Fabian God mode activated ✔️

  • @rootlabs2970
    @rootlabs2970 6 years ago +23

    chromium/src/third-party/blink/renderer/core/dom DAMN!

    • @papagunit
      @papagunit 6 years ago +7

      For something as common as the dom, it's crazy haha

    • @victornpb
      @victornpb 6 years ago

      if you ever tried to read the DOM spec even like level 1, it's kinda expected because it is really really big

  • @sloep
    @sloep 6 years ago

    thx man, now let me abuse this while i still can

  • @RaduPopescu000
    @RaduPopescu000 6 years ago

    Great find! (and a nice trick)

  • @johnnm3207
    @johnnm3207 5 years ago

    Awesome, simple but awesome

  • @biehdc
    @biehdc 6 years ago +7

    hehe youre going to shit on the same guy again, cant wait :D

  • @xsipproductions7304
    @xsipproductions7304 6 years ago

    great video!!

  • @mikelinsi
    @mikelinsi 6 years ago

    Wow, nice work 👍