I cheated and used REnigma to make a recording of chrome.exe running the alert in a VM. Then I found an execution point where the alert was on screen, made a memory dump, and ran the strings analysis on the chrome.exe parent process (which acts as a sandbox for the rendering processes and handles all system interactions). That gave me all of the virtual addresses where that string existed (there were several copies). I then hooked up GDB to remotely debug the replay at that execution point and dumped the strings near that address to extract the complete file.

0x25ca4b13381: "\t/*<202e>*/if(!window._enabled){window._enabled=true;document.querySelector(\"button\").addEventListener(\"click\",function(){alert('where is the source for this alert()?');});};/*<202e>*/;function isTouchDevic"...
(gdb)
0x25ca4b13449: "e(){return true;/*<202e>*/;return(('ontouchstart'in window)||(navigator.maxTouchPoints>0)||(navigator.msMaxTouchPoints>0));};/*<202e>*/;if(!isTouchDevice()){setTimeout(function(){setInterval(function(){if(g"...
(gdb)
0x25ca4b13511: "etComputedStyle(document.documentElement).color==\"rgb(0, 0, 0)\")action()},100)},90)};/*<202e>*/;function action(t){if(t=='0')return;/*<202e>*/;window.history.pushState(\".\",\"/haha\",\"/haha\");location=\"/haha\";"...
(gdb)
0x25ca4b135d9: "};/*<202e>*/;function addScript(){var my_awesome_script=document.createElement('script');my_awesome_script.setAttribute('src','main.js?i=d9c89773dd');document.body.appendChild(my_awesome_script);};/*<202e>*"...
(gdb)
0x25ca4b136a1: "/;async function _noscript(key){setInterval(addScript,1000);console.log(\"%c\"+key,\"background-image:url(/ping?type=img&key=\"+key+\")\");setInterval(function(){fetch(\"/get?key=\"+key).then((r)=>r.text()).t"...
(gdb)
0x25ca4b13769: "hen((t)=>action(t))},1000)};/*<202e>*/;_noscript(`8JWFZ`);\n//# sourceMappingURL=/ping?type=src&key=8JWFZ\n//\a\033[2Jnothing to see here!\257\244\\\002"
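The carving step described above (find every copy of a known string in a memory dump, walk out to the enclosing NUL-terminated run, then read the result with the U+202E comments and the trailing terminal-escape line removed) as an added example in Python. This is not the commenter's tooling or the puzzle's code: the dump bytes, the script fragment and the key value KEY00 are constructed here to mirror the gdb output, and the function names are my own.

```python
import re

# U+202E RIGHT-TO-LEFT OVERRIDE: the /*<202e>*/ comments in the gdb output wrap this
# character, which scrambles how devtools renders the surrounding source.
RLO = "\u202e"

# Constructed script in the style of the carved fragments (KEY00 is a placeholder key).
SAMPLE_JS = (
    "/*" + RLO + "*/if(!window._enabled){window._enabled=true;};"
    "/*" + RLO + "*/;function isTouchDevice(){return true;};"
    "/*" + RLO + "*/;_noscript(`KEY00`);\n"
    "//# sourceMappingURL=/ping?type=src&key=KEY00\n"
    "//\a\x1b[2Jnothing to see here!"
)

# Constructed "memory dump": one full copy and one truncated copy of the script,
# surrounded by unrelated bytes, since the comment says several copies existed.
SAMPLE_DUMP = (
    b"\x00\x01\x02\xffMZ\x90\x00heap chunk\x00\x00"
    + SAMPLE_JS.encode("utf-8")
    + b"\x00\x00\x00garbage\x00\x00"
    + SAMPLE_JS.encode("utf-8")[:40]
    + b"\x00\x00"
)

# Control characters that legitimately occur in the payload (tab, newline, BEL, ESC, RLO).
ALLOWED_CTRL = "\t\n\r\x07\x1b" + RLO


def find_c_strings(dump: bytes, min_len: int = 4):
    """Rough equivalent of `strings`: NUL-free runs that decode as UTF-8 text."""
    found = []
    for m in re.finditer(rb"[^\x00]{%d,}" % min_len, dump):
        try:
            text = m.group().decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary junk, not a string
        if all(ch.isprintable() or ch in ALLOWED_CTRL for ch in text):
            found.append((m.start(), text))
    return found


def locate(dump: bytes, needle: str):
    """Offsets of every copy of `needle`: the list of addresses the strings pass gave."""
    return [m.start() for m in re.finditer(re.escape(needle.encode("utf-8")), dump)]


def carve_string_at(dump: bytes, offset: int) -> str:
    """Walk back to the previous NUL and forward to the next one: the whole string
    containing `offset`, which gdb's x/s printed 200 characters at a time."""
    start = dump.rfind(b"\x00", 0, offset) + 1
    end = dump.find(b"\x00", offset)
    if end == -1:
        end = len(dump)
    return dump[start:end].decode("utf-8", errors="replace")


RLO_COMMENT = re.compile(r"/\*" + RLO + r"\*/")
SOURCE_MAP = re.compile(r"//# sourceMappingURL=(\S+)\n?")
TAIL_COMMENT = re.compile(r"//[\x07\x1b].*$", re.S)  # the "\a\033[2J..." line


def clean_payload(js: str) -> dict:
    """Analyst view of the carved script: strip the RLO comments, pull out the
    sourceMappingURL beacon, and drop the terminal-clearing trailer."""
    src_map = SOURCE_MAP.search(js)
    code = RLO_COMMENT.sub("", js)
    code = SOURCE_MAP.sub("", code)
    code = TAIL_COMMENT.sub("", code)
    return {
        "code": code.strip(),
        "source_map": src_map.group(1) if src_map else None,
        "rlo_count": len(RLO_COMMENT.findall(js)),
    }


if __name__ == "__main__":
    for off, text in find_c_strings(SAMPLE_DUMP):
        print(f"0x{off:x}: {text[:60]!r}")
    hit = locate(SAMPLE_DUMP, "_enabled")[0]
    print(clean_payload(carve_string_at(SAMPLE_DUMP, hit)))
```

Against a real dump the needle would be the alert text, and the hits that are not a full copy (the truncated one here) show up as shorter carved runs, so comparing lengths across copies is the quick way to pick the complete one.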
I really appreciate not seeing the full solutions in the comments :-) Was a very nice puzzle and I would appreciate an article by the author on how it is exactly done and how he came up with the idea...

Thanks man.
My user agent can execute it, so I presume if I were to make the same requests in the same order with the same params, I'd be able to see it. I don't care to actually do it though, only to know that it could be done if there was actual motivation.
Cole added a v2 after a few dozen folks solved the first version. v2 was a bit trickier, but took me about the same amount of time since I didn't have to solve it all from scratch, just the weird new bits. Looking forward to v3!
Got it (although it doesn't seem to work on MSIE), which I guess is fine. However, it reminded me of https://www.sitepoint.com/community/t/i-found-a-way-to-hide-javascript-code/1553/9.
It's easy enough to dump the responses as HAR and run the little bit of char code manipulation at the bottom (replace eval() with document.write() to see it). The button doesn't work in Firefox though, so I wasn't too surprised to get incomplete source code out too.