theseanl

This javascirpt code was from http://exashare.com/48fbxtebg0a1, originally reported at https://forum.adguard.com/index.php?threads/exashare-com.15270/

I added #%#Object.defineProperty(window, 'admvpu', { set: function(){ throw new TypeError; } }); to sabotage this script which generates obnoxious popups without looking at its actual content, but this script had looked particularly suspicious, so I tried de-obfuscating it.

It turned out that this script is from "admaven" and doing "canvas fingerprinting". They look like absorbing every possible information from the user and use it to target ads :/

This is the first working example of canvas fingerprinting used by real ad network I've ever seen. Sharing as mentioned here. I hope this helps in developing Stealth mode.

By the way, they (http://ad-maven.com/) seems to be pretty new and bo

theseanl

// Original source: http://dpiw925yvtpfq.cloudfront.net/Bbm9BN1BRGyhTbVhecQFkWg%3D%3D
// http://ad-maven.com/

(function() {
    function m(b) {
        function c(b) {
            b = a(b, [0, b[0] >>> 1]);
            b = g(b, [4283543511, 3981806797]);
            b = a(b, [0, b[0] >>> 1]);
            b = g(b, [3301882366, 444984403]);

theseanl

Collecting popup/popunder scripts.

Obnoxious ones

1. dai0eej.bid, found in http://www.nowvideo.li/video/81e35ec6727ee
2. onclasrv.com, found in https://thehiddenbay.xyz/

Ordinary ones

1. watchmygf.me, found in http://www.watchmygf.me/

theseanl

In user interface, what users should see are two things: "What language is mostly used for websites you visit?", "What do you want to block?" Answers will be (English, Russian, Turkish) and (Ads, Social Widgets) etc.

Each filter rules will have two tags: Language and Function(?).

Language tags

common, common.eng, common.rus eng, rus, tur, ....

theseanl

try {
    var pv = 2
      , rpn = Math.floor(1e3 * Math.random()) + 1;
    if (rpn < pv) {
        !function(e, t, n, r, i, a, o) {
            e.GoogleAnalyticsObject = i,
            e[i] = e[i] || function() {
                (e[i].q = e[i].q || []).push(arguments)
            }
            ,

theseanl

var esprima = require('esprima');
var escodegen = require('escodegen');
var estraverse = require('estraverse');
var comm = require('./comm.js');
var SandboxEval = require('./sandboxeval.js');

/* Temporary, syntax should be improved */

deobfuscator = (function(){
    var fnLiterals = [], seval;

theseanl

<details><pre>(function(){var $gwt_version = "2.6.1";var $wnd = window;var $doc = $wnd.document;var $moduleName, $moduleBase;var $strongName = 'FC055534F842A1E02F06658AD5B30FED';var $stats = $wnd.__gwtStatsEvent ? function(a) {return $wnd.__gwtStatsEvent(a);} : null;var $sessionId = $wnd.__gwtStatsSessionId ? $wnd.__gwtStatsSessionId : null;$stats && $stats({moduleName:'PDK',sessionId:$sessionId,subSystem:'startup',evtGroup:'moduleStartup',millis:(new Date()).getTime(),type:'moduleEvalStart'});PDK.installCode = function(code) { eval(code) };var __gwtModuleFunction = PDK;
function kd(){}
function Ld(){}
function Pg(){}
function gh(){}
function Jh(){}
function En(){}
function Nn(){}
function io(){}
function wo(){}

theseanl

// ==UserScript==
// @name GitHub Show Recent Updated Issues By Default
// @namespace GitHub
// @description GitHub Show Recent Updated Issues By Default
// @match   https://github.com/*
// @version 0.0.0
// @grant   none
// @run-at  document-body
// ==/UserScript==

theseanl

Browsers built-in popup blocker test

Case 1

document.onclick = () => { setTimeout(() => { open('about:blank') , 1000}) }

Browser	result
Chrome	X

theseanl

<script src="./stealth.js"></script>
<script src="./pb.js"></script>