|
// Reference code for anti cheat bypass methods |
|
|
|
// Loader entry point. The call in the `try` is there to raise an exception
// (presumably `_` is not defined in this scope - TODO confirm) so that the
// real work happens inside the `catch` handler.
try { |
|
(_)(_); // lol |
|
} |
|
|
|
// We throw an exception because it's easier to hide our calls in the stack |
|
catch (e){ |
|
// Conceal callee in catch |
|
try { |
|
// Re-entrancy guard: true when the text "kloader" occurs more than once in
// the captured stack. With the `g` flag, match() returns null when there is
// no occurrence at all; reading `.length` then throws a TypeError, which the
// inner catch below rethrows because it is not a DOMException.
let isRecurrent = e.stack.match((new RegExp("kloader", "g"))).length > 1; |
|
// Load our script from the chrome runtime via XHR |
// chrome.runtime.getURL("") is the extension's base URL; the capture group is
// the first nine word characters after "//". `loadScriptCode` and `inject`
// are defined outside this listing.
// NOTE(review): reliance on chrome.runtime implies an extension context, so
// the installed extension is the artefact to audit - confirm.
|
if (!isRecurrent) inject(loadScriptCode(chrome.runtime.getURL("").match(/\/\/(\w{9})\w+\//)[1])); |
|
} catch (__e){ |
|
// Pass on actual exceptions so it's not suspicious |
// A DOMException from the load is not reported itself: the warning prints the
// outer, deliberately raised error `e`. Every other error is rethrown.
|
if (__e instanceof DOMException) console.warn(e); |
|
else throw __e; |
|
} |
|
} |
|
|
|
// Manage our internal state |
// Three registries, each read by a hook elsewhere:
//   f2h - WeakMap keyed by a replacement function, value is the original
//   s2h - array of { from: RegExp, to: string } rewrite rules
//   hg  - array of property names to omit from descriptor listings
|
const shared = new Map(Object.entries({ f2h: new WeakMap(), s2h: [], hg: [] })); |
|
|
|
// hg -> hidden globals |
//
// hideDef(obj, key, value): records `key` in the `hg` list and defines it on
// `obj` as a non-configurable, writable data property.
// NOTE(review): `enumberable` is not a descriptor field and is ignored; the
// property is still non-enumerable because that is the defineProperty default.
// Detection note: in this listing only Object.getOwnPropertyDescriptors is
// wrapped, so a direct lookup of the key or Object.getOwnPropertyNames still
// reports the property unless other hooks outside this listing cover them.
|
let hideDef = (obj, key, value) => { |
|
shared.get("hg").push(key); |
|
// prevent others from reading out all props |
|
Object.defineProperty(obj, key, { enumberable: false, configurable: false, writable: true, value: value }); |
|
}; |
|
// Installs the state object as `top.kload` when the top window has no child
// frame at index 0.
// NOTE(review): `sharedState` and `_window` are not declared in this listing;
// the Map declared above is named `shared` - confirm which object is meant.
if (!_window.top[0]) hideDef(_window.top, "kload", sharedState); |
|
|
|
// f2h -> func to hide |
//
// hideFunc(init, h00ked): maps the replacement function `h00ked` to the
// original `init` in the `f2h` WeakMap and returns that WeakMap.
// NOTE(review): the consumer of this map is not in this listing; presumably a
// toString hook that answers with the original's source - confirm.
|
let hideFunc = (init, h00ked) => shared.get("f2h").set(h00ked, init); |
|
|
|
// s2h -> str to hide |
//
// hideStr(initstr, h00kstr): appends a rewrite rule to `s2h` that replaces
// every occurrence of `h00kstr` with `initstr`, and returns the new length of
// the list (the result of push).
// The pattern is built from `h00kstr` after escaping the characters
// [ ] ( ) * \ . + and |; other regex metacharacters are left as they are.
|
let hideStr = (initstr, h00kstr) => shared.get("s2h").push({ |
|
from: new RegExp(h00kstr.replace(/([\[|\]|\(|\)|\*|\\|\.|\+])/g, "\\$1"), "g"), to: initstr |
|
}); |
|
|
|
// hide variables from window by proxying getOwnPropertyDescriptors |
//
// The Proxy below forwards each call to the saved original and then deletes
// every key recorded in `hg` from the returned descriptor map.
// Detection note: the deletion is keyed on the name alone, not on the object
// that was inspected, so descriptors of an unrelated object carrying one of
// those names also come back without it. That inconsistency is observable.
|
const __GOPD = _window.Object.getOwnPropertyDescriptors; |
|
let hook__GOPD = new Proxy(__GOPD, { |
|
// Trap for plain calls: (target, thisArg, argumentsList).
apply: function(target, _this, _arguments){ |
|
try { |
|
// hoist `var` out of try |
|
var desc = Function.prototype.apply.apply(target, [_this, _arguments]); |
|
} catch (e) { |
|
// hide proxy in stacktrace |
// Removes the first stack line matching "Object.apply (<" before rethrowing
// the same error object.
|
e.stack = e.stack.replace(/\n.*Object\.apply \(<.*/, ""); |
|
throw e; |
|
} |
|
// Strip the hidden names from the result.
for (let i = 0; i < shared.get("hg").length; i++) delete desc[shared.get("hg")[i]]; |
|
return desc; |
|
} |
|
}); |
|
// Replaces the global binding; the original stays reachable only as __GOPD.
_window.Object.getOwnPropertyDescriptors = hook__GOPD; |
|
|
|
// hook window.open to always return null |
|
// otherwise we would have to also patch native functions in new window |
//
// The original open() is still invoked, so the call keeps its side effects;
// only the return value is withheld from the caller.
// Detection note: a caller that always receives null from window.open is an
// observable change in behaviour.
|
const __open = _window.open; |
|
let hook__open = new Proxy(__open, { |
|
// Trap for plain calls: (target, thisArg, argumentsList).
apply: function(target, _this, _arguments) { |
|
try { |
|
// `ret` is never read; it goes out of scope at the end of this try block.
let ret = Function.prototype.apply.apply(target, [_this, _arguments]); |
|
} catch (e) { |
|
// modify stack trace to hide proxy |
|
e.stack = e.stack.replace(/\n.*Object\.apply \(<.*/, ''); |
|
throw e; |
|
} |
|
return null; |
|
} |
|
}); |
|
_window.open = hook__open; |
|
|
|
// Proxy handler later wrapped around the Function constructor.
// It defines an `apply` trap only, so it sees Function(...) called as a plain
// function; `new Function(...)` is not intercepted by this handler.
// For calls with exactly two arguments whose second argument is longer than
// 1337 characters, the trap rewrites that string before compiling it; every
// other call returns the function built from the untouched arguments.
// NOTE(review): as extracted, the version-check line and the `callLock`
// initialiser below are not valid JavaScript, so this block does not parse.
const handler = { |
|
apply: function(target, _this, _arguments){ |
|
try { |
|
// The unmodified arguments are always compiled first, also on the path that
// later returns the rewritten function.
var original_fn = Function.prototype.apply.apply(target, [_this, _arguments]); |
|
} catch (e) { |
|
// Drop the proxy's frame from the stack text, then rethrow the same error.
e.stack = e.stack.replace(/\n.*Object\.apply \(<.*/, ''); |
|
throw e; |
|
} |
|
if (_arguments.length == 2 && _arguments[1].length > 1337) { |
|
// keep ref to original |
|
let script = _arguments[1]; |
|
// anti-anti-cheat & anti-skid (we don't want to risk running on newer versions) |
// The hex literal assigned to ...['exports'] is read as a version marker.
// match() returns null when the pattern is absent, in which case the [1]
// access throws a TypeError.
|
const version = script.match(/\w+\['exports'\]=(0[xX][0-9a-fA-F]+);/)[1]; |
|
// NOTE(review): unbalanced bracket and duplicated condition; the intended
// statement cannot be recovered from this listing.
if (version !== "0x17e87") if (version !== "0x17e87") _window[document.write("Version mismatch: " + version); |
|
// ... |
|
// Cheats ... |
|
// ... |
|
// Capture group 1 is the exact code span that will be overwritten. The
// pattern is tied to one specific shape of the target script.
const code_to_overwrite = script.match(/(\w+\['\w+'\]&&\(\w+\['\w+'\]=\w+\['\w+'\],!\w+\['\w+'\]&&\w+\['\w+'\]\(\w+,\w*1\)\),\w+\['\w+'\]=\w*0,\w+\['\w+'\]=\w*0),!\w+\['\w+'\]&&\w+\['\w+'\]\['push'\]\(\w+\),\w+\['\w+'\]\(\w+,\w+,!\w*1,\w+\['\w+'\]\)/)[1]; |
|
// Replacement text: a call through the `kload` state object on `top`.
// NOTE(review): a spread element is not valid in a `+` expression.
let callLock = `top['kload'].get('locked')(` + ..._window[1].params + `)`; |
|
// pad to avoid stack trace line:column number detection. |
|
// the script will have the same length as it originally had. |
|
// this hook is also placed before the anti cheat loads. |
// Detection note: because the rewrite is meant to preserve length, checks
// based on script length or line:column positions are not expected to notice
// it; comparing the content itself is the stronger signal.
|
if (callLock.length + 4 > code_to_overwrite.length) throw "Target too small: " + [callLock.length, code_to_overwrite.length]; |
|
let whitespaces = code_to_overwrite.match(/\s/g); |
|
// NOTE(review): the loop condition compares `i` with the match array itself
// (or null) rather than with its length - confirm intent.
for (var i = 0; i < whitespaces && whitespaces.length; i++) callLock += whitespaces[i]; |
|
callLock += " "; |
|
while (callLock.length < code_to_overwrite.length - 2) callLock += ' '; |
|
callLock += " "; |
|
// String pattern, so only the first occurrence is replaced.
script = script.replace(code_to_overwrite, callLock); |
|
const realScript = _arguments[1]; |
|
// Compile with the rewritten body, then restore the caller's argument list.
_arguments[1] = script; |
|
let mod_fn = Function.prototype.apply.apply(target, [_this, _arguments]); |
|
_arguments[1] = realScript; |
|
return mod_fn; |
|
} |
|
return original_fn; |
|
} |
|
} |
|
|
|
// Override fn constructor |
//
// Only the global `Function` binding on `_window` is replaced here.
// Detection note: unless it is patched outside this listing,
// Function.prototype.constructor still refers to the real constructor, so
// comparing it with the global `Function` exposes the substitution.
|
const realFunction = _window.Function; |
|
let hookedFunction = new Proxy(realFunction, handler); |
|
_window.Function = hookedFunction; |