specki there is so many softwares that allows it. On another hand we don't hear of hacks using that door that often so it must be a dead end.

oh you are soooo wrong :D javascript in PDFs has ben abused many many times ;) example: insert-script.blogspot.de/2014/12/multiple-pdf-vulnerabilites-text-and.html

LiveOverflow thanks for the link ! I guess I have had too much up to date version ;) Edit : haha ! Wrong again :/ Seems like it still vulnerable. Well that makes me think of PDF reader differently.

*injects PDF with JS to do very evil things, mwhahaha*

specki Depends on the viewer. Adobe Reader (and Chrome, it seems) is one of the few viewers that supports JS.

A better technique is post it, provide a wrong answer, watch people give you the best answer in desperation to correct you. People tend to give you more information in correcting than answering.

I actually do that. lmao

Script kiddie

DarkOverFlow Overflow its a joke

@@DarkOverFlowOverflow sometimes you need to ask for help

but which link I have to download to hackard that so I make sure i can get not any popunders?!

Not really. His business is to provide a uniform API for all browsers where the advertisers do not have to take care of making the bypasses themselves. As you saw on the video, some functionality will be deprecated in september. They need to create a new bypass until then.

Benedikt Tröster true

Yea, but fuck that guy.

Well we all know how to reverse engineer his code which is cool.

I totally approve of ruining that guy. Fuck him for ruining the internet.

I don't think it is courteous to self-promote on someone else's video

Well, you should add one to your KZbin profile at least. I'm always looking for good sources of this type of information.

U helped me a bit for this challange btw www.hackthebox.eu //sing in xD

Reverse engineering is legal in EU, AFAIK, and no damages were done. The business model cannot be argued here, they are attempting to sell something that circumvents usual behavior and has a very short shelf life. They don't have any basis to argue on: no code was copied or distributed, no copyright infringement. And no libel, he never said 'this company sucks, don't buy from them'. But you can sue and C&D on any grounds, doesn't mean you'll win. I'm more worried about possible exploits every time I use my browser for important stuff. Especially with the trend of some companies buying established chrome extensions and adding adware/spyware to them.

Think of it like a very detailed product review...

There's nothing illegal with what he did, he didn't steal any of the code, he reverse engineered the programme for learning purposes and created a video that showcased his workflow. The initial code he created was not profitted upon, It's similar to somebody opening a console to see how it ticks and documenting it, big companies probably want this illegalised but that doesn't mean it is.

A really good lawyer could make the case that it was a trade secret, and it could probably get _into_ court, but it would ultimately be frivolous since reverse-engineering is a legal method of acquiring trade secrets. That being said, since I'm in the future I can say with confidence that didn't happen.

@@zyrohnmng lmfao that made my day

well the licensed code is much more optimized and works way better than my simple PoC. And the code also has options for Edge and Firefox, as well as support. So I did not reverse engineer the whole library or the licensing. My PoC is worthless in comparison ;)

Well, and even knowing the secret building and maintaining a custom solution is probably more expensive than just buying it outright

not realy. the original works cross platform.

romanemul1, Lol You do know he pays his bills with the money he gets from KZbin ads. Why in the world would he make an Ad Blocker??

I don’t earn anything from YT. And I encourage you to use an Ad Blocker!

LiveOverflow i love good teachers thx:) aloot

reverse engineer hunting?

you have to open the popup window before doing the trick with the alert boxes. So that the user doesn't notice the opening of this window, it's hidden in the bottom right. And the size is changed back after the popunder was successful.

Oh I see. Thanks for sharing!

+Nathan Mack wat? VPN? We are using here a javascript proxy object. It has nothing to do with network proxies. Just used it as a comparison.

It gets called so much, that we are not able to debug anything else. It’s too annoying

@@LiveOverflow I agree. What do they do to make it get invoked so often?

It should work. It's a timing thing and I did not spend the time to optimise it. If the notification permission request and the alert are shown at the same time it should work.

Ok i just tested it without changing anything :D

Woah! :D I got it pretty good! :D

hasnieking you can do this: window.setInterval(function () { debugger(); }, 1); That calls the debugger function every 1 millisecond, but only has an affect on a browser when the devtools are open.

debugger is not a function tho its just debugger;

@@victornpb Some keywords are also functions, like typeof, instanceof, and debugger.

It's not. Next!

a) the typing system b) semicolons after curly brackets c) implied globals d) the _this_ keyword e) typeof NaN and null JS has an ambiguous and counterintuitive syntax and behaviour for many basic things. Obfuscation consists in making code as ambiguous and counterintuitive as possible. I was joking saying JS is actually obfuscated in nature, but it remains true that it's not because you're used to its shortcomings that they aren't there.

You sound like someone who has barely scratched the surface of Javascript and are labeling it bad out of frustration. It's a very dynamic and powerful language if you know it properly. a) Javascript has only 7 data types: Boolean, Null, Undefined, Number, String, Symbol, and Object. Everything else (including Arrays and Functions!) inherits the Object type; This allows you to add properties/methods to any data (inhering Object), which cleans up the variable namespace and makes Javascript dynamic and multi-paradigmatic. The prototype pattern is a keyword here. b) Javascript doesn't require you to have semicolons after curly brackets. In fact, semicolons aren't required anywhere in Javascript except for for-loops afaik. The only reason they're part of Javascript is for extra verbosity and in cases were you want to have multiple statements in one line (look up Javascript minifiers). I myself never write the semicolons because of readability. c) Javascript doesn't have implied globals if you're writing good Javascript code. That means declaring variables before assigning or using them. If this is an issue you should enable strict mode in your code, which requires you to declare variables using the _var_ or _let_ keyword. This set the variable's scope and implicit globals becomes non-existent. I highly recommend you to always enable strict mode because it forces you to write code in a manner that avoids quirky problems like implicit globals. The only reason strict mode isn't on by default is because of backward compatibility, unfortunately. d) The _this_ keyword exists in everything inheriting Object and allows self-reference within methods. If you've done any Object-oriented programming it's very self-explanatory. e) These values exists because Javascript is very fluid and dynamic when it comes to data types. NaN is a Number which doesn't represents a valid number. This occurs when operations expected to return a number fails (e.g. multiplying a Number with a String; 1 * "a"). Null is very self-explanatory, it's simply a value that represents nothing.

Agreed, and also NaN allows JS to handle calculus in a very cool way, like for example, 2^Infinity = Infinity, but 1^Infinity = NaN, which is true and any mathematician would really dig that =)

Mostly agree with Hati_ here, although semicolons are actually required to avoid ambiguity, mainly after an expression when the next line starts with '(' (i.e. an IIFE), '[' (i.e. array destructuring), or some other characters like '+' or '-' that could also be the continuation of the previous expression. In those cases I just put a semicolon at the beginning of the next line, it looks a bit weird at first but it avoids refactoring mishaps. Also NaN is defined in IEEE-754, which is used basically everywhere for floating-point numbers, so NaN is also a float and/or a double in C, C++, Java, and so on, not just JS. On the other hand, typeof null === 'object' is a quirk from the early days of JS that many people would like to see fixed, but that likely won’t happen because of backwards compatibility.

+dash deck because my Proxy is only set on the one page. And the code creates an iFrame, which is a new page. The javascript is separated for that iFrame, do. when they call open from there, my proxy won't catch it

You don't have to, some of the apis that where used are now depricated and will not work.

Not necessarily. One thing I do when proxying base functions is archiving the original function (e.g. `window._open = window.open` before redefining the original window.open), so I can then see what I want first

because it is tied to a user interaction. A pop-up is allowed if the user intended to open one. For example after a click. So it becomes very complex to build a pop-up blocker that allows that, but prevents malicious popups.

LiveOverflow but the iFrame itself never got any interaction, so that pop up should fail basically because of this, which would make this iFrame chaos much harder. I liked it how Firefox in the early days just popped in a yellow bar noting the pop-up, even if it's a click more, it would be awesome to have that as a setting

did you watch the video? The popup is opened on the click... The is used for something else. It is used to render a .pdf, which triggers an alert, to get focus back to the main window and leave the popup in the background. So the popup is perfectly legal - triggered by your click.

LiveOverflow 8:49 window open is in an iFrame that didn't even exist while the user interaction started but rather was created upon that, so one cant proxy the window open. The thing is while the site got an interaction and might be able to open a pop-up, imo the iFrame should not have that because it didn't get any interaction

No... it just defines a function there to call window open. The call to that function is then coming from the user's click. It's basically just a method to get a clean reference to window.open. The call is in a function in the , but the function is called from a user's click coming from the main page. If you look at my minimised PoC at the end, I'm not using that method because it's not necessary to make it work.

+Robin Ebers thanks! But nothing fancy. Simple AT2020 USB mic on a stand with a pop filter.

nvm got it working

Why would you have to go that far? Compiling your own version of some browser and hooking APIs would suffice...

you didn't even have the time to watch it all!

LiveOverflow I guess the video is just that good :). Srly thou these type of videos are a great insight into the mindset of problem solving.

I dont need to see it to know if it is a good video. I learn more watching your videos than in my university, keep up the work its excelent! :)

+yaj126 prison? Another voice doppelganger?

Prismo bruh from adventure time, the voice actors name is... kumail nanjiani? Not sure if you'll agree but I was pretty baked 23 hrs ago