The reason for the websocket is that the browser console is also rendered inoperable due to the debugger statements and console clear commands emanating from the website JS. A websocket is then the only way to transfer actionable information (such as a password or a secret link). It's not an easy or quick process but, by inserting websocket calls in interesting places, it is possible to figure out what the JS is doing. It also helps a lot to prettify the JS in order to study it. There are websites that can do that for you. Unfortunately, the prettification of the JS may break it so you're still stuck with doing the modifications in the original JS.
I built my own proxy server for this task, but I imagine that the same may be possible with a tool like HTTP Toolkit, though that means getting the Pro version.
I maintain the vscode debugger and found both the article and your comment interesting; there's a large overlap between "programs with anti-debugger techniques" and "programs that are hard to debug."
What I'm saying is that we need a way to get that table (array) and perform the substitutions in order to recreate the original code as text instead of numbers. This is likely way beyond the scope of a debugging tool. Or is it?
Years ago I really wanted to disable the blink tag, so I just ran `perl -pi -e 's/blink/abcde/g'` on the binary and that worked well enough.
I'll bet you could do something similar with "debugger". On macOS, you'd break code signing, but you could re-sign it or strip the signing and let it run unsigned.
Example: https://i.imgur.com/BsphnEu.png
And before a developer for these commerce websites jumps up and says “ah but supreme are trying to prevent bots from buying up all of their merch and scalping it”:
Supreme are restricting supply so they can maximise profits.
They are selling on the web rather than through traditional retail outlets using this method not to reach a wider audience for the audience’s sake but to have a larger number of people who are willing to pay an even higher price.
The web, the system that brings free information to the masses requiring no knowledge of the underlying technologies, is too important to compromise for these e-commerce platforms attempting to have their cake and eat it too.
heavy-handed approach. I have had some moderate success intercepting setInterval/setTimeout and manually sifting to find that one call that starts the ball rolling. Things get old fast when the code you are looking at looks like
0[_0x199d1e(0x815*-0x2+0x1735+0x13f*-0x5)](_0x199d1e(0x3b3*0xa+0x1c1+-0x260d),_0x199d1e(0x2149*0x1+0x9f7+0x1*-0x29f5)))[_0x

Could somebody here explain what that means, since the article doesn't? What's a debugger loop? What is the actual JavaScript code that somehow prevents debugging, and how does it accomplish that?
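The "get the table and perform the substitutions" idea from the earlier comment, applied to code shaped like the snippet above, as an added example that is not part of the thread and not any site's real code. The decoder name `_0x199d1e` is borrowed from the snippet; the table contents, the `0xd0` index offset, the sample input and every function name below are invented for the illustration. The index arithmetic is evaluated with a small parser rather than `eval()`, so no part of the hostile script is executed while it is being rewritten:

```javascript
// Added example (not from the thread or any real site): inline an
// obfuscator-style string table so that _0x199d1e(<arithmetic>) calls become
// string literals and obj["prop"] becomes obj.prop.

// Constructed stand-in for the table and decoder you would lift out of the
// real script first. The decoder name is borrowed from the snippet above; the
// table contents and the 0xd0 index offset are invented for this example.
const STRING_TABLE = ['log', 'localStorage', 'getItem', 'authToken'];
const TABLE_OFFSET = 0xd0;
function _0x199d1e(index) {
  return STRING_TABLE[index - TABLE_OFFSET];
}

// Constructed input in the style of the snippet above.
const OBFUSCATED_SAMPLE =
  'console[_0x199d1e(0x815*-0x2+0x1735+0x13f*-0x5)]' +
  '(window[_0x199d1e(0x3b3*0xa+0x1c1+-0x25ee)]' +
  '[_0x199d1e(0x2149*0x1+0x9f7+0x1*-0x2a6e)]' +
  '(_0x199d1e(0x1d*0x8-0x15)));';

// Evaluate the constant-folded index expressions (hex or decimal integers,
// unary + and -, binary + - *, parentheses) with a tiny recursive-descent
// parser rather than eval(), so nothing from the hostile script is executed.
function evalConstExpr(src) {
  const tokens = src.match(/0x[0-9a-f]+|\d+|[-+*()]/gi);
  if (!tokens || tokens.join('') !== src.replace(/\s+/g, '')) {
    throw new Error('not a constant expression: ' + src);
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const v = sum();
      if (next() !== ')') throw new Error('missing )');
      return v;
    }
    if (t === '-') return -primary();
    if (t === '+') return primary();
    return parseInt(t, /^0x/i.test(t) ? 16 : 10);
  }
  function product() {
    let v = primary();
    while (peek() === '*') { next(); v *= primary(); }
    return v;
  }
  function sum() {
    let v = product();
    while (peek() === '+' || peek() === '-') {
      v = next() === '+' ? v + product() : v - product();
    }
    return v;
  }
  const value = sum();
  if (pos !== tokens.length) throw new Error('trailing tokens in: ' + src);
  return value;
}

// Replace every decoderName(<constant expression>) call with the decoded
// literal. Calls whose argument is not a pure constant, or whose index misses
// the table, are left as they are so the output stays valid JavaScript.
// The call pattern accepts no parentheses inside the argument; extend it if
// the obfuscator you face emits them.
function inlineStringTable(code, decoderName, decoder) {
  const callRe = new RegExp(decoderName + '\\(([^()]+)\\)', 'g');
  return code.replace(callRe, (match, arg) => {
    let value;
    try { value = decoder(evalConstExpr(arg)); } catch (e) { return match; }
    return typeof value === 'string' ? JSON.stringify(value) : match;
  });
}

// Cosmetic pass: obj["prop"] -> obj.prop when prop is a plain identifier.
function simplifyMemberAccess(code) {
  return code.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

function deobfuscate(code) {
  return simplifyMemberAccess(inlineStringTable(code, '_0x199d1e', _0x199d1e));
}

console.log(deobfuscate(OBFUSCATED_SAMPLE));
```

Running it turns the sample into `console.log(window.localStorage.getItem("authToken"));`. With a real script the table array and the decoder function are the first things to copy out, because real decoders usually apply an offset (and sometimes a rotation or RC4 pass) before indexing; once you have them, the rewrite is the same regex-and-lookup loop.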
This only gets activated when the devtools window is opened, so placing this statement in a frequently executed piece of code will continuously interrupt whatever you are doing in the devtools when you use them.
I assume in the past the tooling might not have had the necessary configuration options to suppress that, but nowadays you can just disable debugger statement breakpoints to avoid it.
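A concrete version of the debugger loop described above, alongside the setInterval/setTimeout interception mentioned earlier in the thread, as an added example that is not code from the thread or from any real site. The loop, the interceptor, its function names and the `report` callback are all constructed for this illustration; in a real session `report` would be the WebSocket sender from the first comment, and the interceptor would be injected ahead of the site's scripts through a proxy or a DevTools snippet:

```javascript
// Added example (not code from the thread or any real site). The first
// function is a constructed stand-in for the anti-debugging loop described
// above; the second wraps setInterval/setTimeout so scheduled callbacks can be
// inspected and the one carrying the debugger statement can be dropped.

// Constructed anti-debugging loop: re-arms a `debugger` statement and wipes the
// console every 100 ms. `debugger` is a no-op unless an inspector is attached,
// so this runs harmlessly outside DevTools.
function startAntiDebugLoop() {
  return setInterval(function () {
    debugger;
    console.clear();
  }, 100);
}

// Wrap the timer functions so every scheduled callback is reported (source
// text cut to `previewLength` chars) and callbacks whose source contains a
// `debugger` statement are dropped. The text match is deliberately crude:
// Function.prototype.toString shows only the literal source, so a callback
// that reaches `debugger` through eval or a Function constructor slips past.
function installTimerInterceptor(report, previewLength = 80) {
  const real = {
    setInterval: globalThis.setInterval,
    setTimeout: globalThis.setTimeout,
    consoleClear: console.clear,
  };
  const dropped = [];

  function wrap(kind) {
    return function (callback, delay, ...args) {
      const source = typeof callback === 'function'
        ? Function.prototype.toString.call(callback)
        : String(callback);
      report({ kind, delay, preview: source.slice(0, previewLength) });
      if (/\bdebugger\b/.test(source)) {
        dropped.push({ kind, source });
        return 0; // a timer id the script can still hand to clearInterval
      }
      return real[kind].call(globalThis, callback, delay, ...args);
    };
  }

  globalThis.setInterval = wrap('setInterval');
  globalThis.setTimeout = wrap('setTimeout');
  console.clear = function () {}; // keep the console usable

  return {
    dropped,
    restore() {
      globalThis.setInterval = real.setInterval;
      globalThis.setTimeout = real.setTimeout;
      console.clear = real.consoleClear;
    },
  };
}

// Usage: reports are collected in memory here; in a browser session `report`
// would forward them over the WebSocket instead.
const reports = [];
const interceptor = installTimerInterceptor(msg => reports.push(msg));
const loopId = startAntiDebugLoop(); // never scheduled: id 0
clearInterval(loopId);
interceptor.restore();
console.log(reports, 'dropped:', interceptor.dropped.length);
```

The interceptor has to be in place before the site's script runs, which is the reason the thread ends up at a proxy: a snippet pasted into the console arrives too late, after the loop has already been armed. Disabling breakpoints in DevTools, as the comment above suggests, removes the pause but leaves the console-clearing callback running; dropping the callback removes both.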
What methods do they use to detect debugging tools and how do we defeat them?
It will also not work if the script is some initially obfuscated string that is passed to eval() or something more complex assembling the actual code on the fly.
As us "old school crackers" would say, "NOP those out!"
As for obfuscation, you can unpack the scripts in order to do the needful, then use the proxy to "transparent redirect" requests for them to your own locally hosted unpacked and modded version.
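One way to do the unpacking step for scripts that are assembled as a string and handed to eval() or the Function constructor, as mentioned two comments up: rebind both globals so the plaintext is captured the moment the loader tries to run it. This is an added example, not code from the thread or from any real site; the hook, the reversed-string "packer" and all function names are constructed for the illustration.

```javascript
// Added example (not code from the thread or any real site): capture the
// source that a packed script hands to eval() or new Function() by replacing
// the globals before the script runs, then let it continue. The captured text
// is what you would save, modify and serve back through the proxy.

function installEvalHook(sink) {
  const realEval = globalThis.eval;
  const RealFunction = globalThis.Function;

  // Once `eval` is rebound, the script's eval(x) is no longer a direct eval,
  // so the forwarded call runs in global scope instead of the caller's scope.
  // A packer that relies on local variables being visible inside the
  // evaluated string will misbehave; the capture itself still works.
  globalThis.eval = function hookedEval(src) {
    if (typeof src === 'string') sink({ via: 'eval', src });
    return realEval(src);
  };

  globalThis.Function = function hookedFunction(...args) {
    sink({ via: 'Function', src: String(args[args.length - 1] ?? '') });
    return RealFunction(...args);
  };
  globalThis.Function.prototype = RealFunction.prototype;

  return function restore() {
    globalThis.eval = realEval;
    globalThis.Function = RealFunction;
  };
}

// Constructed packer: the real code is stored reversed and restored at run
// time. Real packers use far more elaborate transforms, but the hook sees the
// plaintext either way, because the text must reach eval() to execute.
function pack(source) {
  return source.split('').reverse().join('');
}
const PACKED_PAYLOAD = pack('var unpackedMarker = 6 * 7;');

// Constructed loader in the shape the thread describes: unpack, eval, then
// build more code with the Function constructor.
function runPackedLoader() {
  const unpacked = PACKED_PAYLOAD.split('').reverse().join('');
  eval(unpacked); // resolves to the hooked eval
  return new Function('return unpackedMarker + 1')();
}

// Usage: install the hook, run the loader, read back what it tried to run.
const captured = [];
const restoreGlobals = installEvalHook(msg => captured.push(msg));
const loaderResult = runPackedLoader();
restoreGlobals();
console.log(loaderResult, captured);
```

As with the timer interceptor, the hook must be installed before the packed script executes, so it belongs in the proxy-injected preamble rather than in a snippet typed into the console afterwards. Loaders that check `eval.toString()` or compare `Function` against a saved reference will notice the swap; for those, the captured text from one run is still enough to build the locally hosted, modified version the comment above describes.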
I've not seen anything like that. The integrity checks are generally limited to verifying the document location and the presence of certain elements in the DOM. Obfuscation techniques have become so sophisticated that integrity checks are not really necessary. Bot challenges (such as the one used by CloudFlare) may go so far as to test graphic elements like the canvas to ensure that the JS is actually running in a browser but I don't think this is a common thing for the average website that just wants to keep bots from scraping them.