ArcticFoxie/NotHereToPlayGames -- 360Chrome v13.5.2036 rebuild 1


11 hours ago, NotHereToPlayGames said:

I can only speak for my build (which is what this thread is here for).
I cannot do a full reverse-engineer of Humming Owl's release - but it connects to China!  (at bare minimum, it connects to China on the very first launch, can't say I ran it "all day" to see if it connects "repeatedly".)

edit - I cite this only as a caution, bring things from Humming Owl's release and "add" them to my release and you can be bringing in "unintended consequences".
I have no plans to reverse-engineer to see WHERE this connection to China is coming from.

[screenshot attachment]

First and foremost, no such address in any of the files inside that zip folder!

Second, even if I consider your theory, the error page is not even activated at the moment. The browser is at an empty page, which is not "errorpage.zip".

Third, I don't see such connection.



5 hours ago, D.Draker said:

First and foremost, no such address in any of the files inside that zip folder!

That's not technically how it works.  But since this debate has already gone full circle, it really seems pointless to proceed.  Sometimes people only see what they want to see, hear what they want to hear.


I could not get it to work with 13.5.2036.0.  I extracted it to the same directory with chrome.dll, but I still get the blank error page.  Is there another step that is necessary?  Thanks

On 8/21/2023 at 7:37 AM, D.Draker said:

Dave confirmed it works with his version. Is it not enough for you? Well, then here I attached another screenshot. The folder I uploaded also works with 1030 just fine, I'm ignoring the rest of the post.

Please let me know if you need any further assistance, here at MSFN - we aim to please.


3 hours ago, mockingbird said:

I could not get it to work with 13.5.2036.0.  I extracted it to the same directory with chrome.dll, but I still get the blank error page.  Is there another step that is necessary?  Thanks

You don't need to extract it! Just place it there. Clear instructions are here.


1 hour ago, Dixel said:

You don't need to extract it! Just place it there. Clear instructions are here.

Thanks!  It worked.  For anyone who is not clear:  Just place the ZIP file in the same directory where chrome.dll resides (for example: Chrome\Application\13.5.2036.0).  No need to extract it in the directory or in a subdirectory.  Just the raw zip.


  • 2 weeks later...

I have been using the 360Chrome extension "Care Your Eyes" for a while.  It allows you to change a webpage's background colour to reseda or night mode in order to protect your eyes from the intensity of white backgrounds.

It was flagged as malware and the extension was removed from Chrome Web Store on 2023-05-24.

Risk impact: High risk impact
Risk likelihood: High risk likelihood

Does anyone use something similar to this and / or recommend an alternative?  My eyes can't stand white backgrounds.

Edited by WSC4

https://www.crx4chrome.com/crx/751/

But then extract, remove the malware, re-zip, rename .zip to .crx, then install into 360Chrome.

I did not spend a lot of time tracking down the malware "for you" (I do not use "dark mode"), but one obvious one is the addListener function in the bg.js file.
It adds a unique identification string ( &zid=109723600173 ) to a "phone-home" URL ( ht tp://sqxy.coolban.com/api/TBK/chaquan? ) [I added the space in ht tp].
Generally speaking, this sort of phone-home shenanigans can be disabled by simply replacing the http with hxxp.

There are also SEVERAL links to Chinese addresses in wb.js (intentionally non-secure http links versus secure https links should never be "trusted" inside ANY extension).
   - js.t.sinajs.cn
   - img.t.sinajs.cn
   - timg.sjs.sinajs.cn

I stopped hunting at this point (I do not use "dark mode").

Of course, if you "trusted" this in the past, then just download from .crx4chrome and use it "as-is" and continue to blindly "trust" as you were doing.
I mean, after all, it did take the Chrome Web Store two and a half years to find this "high risk impact" and remove it from the Chrome Web Store.
Any damage that would have been done would have already been done in those two and a half years.

Edited by NotHereToPlayGames
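The post above describes two things worth checking in any extension package before trusting it: plaintext http:// endpoints, and a fixed identifier tacked onto a "phone-home" URL. The script below is an added example (it is not code from this thread, from 360Chrome, or from the "Care Your Eyes" extension) that opens a .crx or a raw .zip, walks its script and markup files, and reports every http:// URL together with any query key that looks like a client identifier, defanging the URL to hxxp:// in the report. It assumes the usual 'Cr24' CRX2/CRX3 container layout (header skipped, ZIP payload follows); a raw .zip renamed to .crx, which is what the post's workaround produces, is passed through unchanged. The sample package is constructed inside the script and only reuses the hostnames quoted in the thread; its file paths and the manifest are placeholders.

```python
"""Scan a Chrome/360Chrome extension package for plaintext-HTTP endpoints.

Added example, not the extension's or the thread's code. CRX header layout is an
assumption (CRX2/CRX3); the sample package below is constructed here."""
import io
import re
import struct
import zipfile
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Plain http:// URL inside source text; stops at quotes, whitespace or brackets.
HTTP_URL = re.compile(r"http://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>)]*)?")
# Query keys that commonly carry a fixed per-install or per-publisher identifier.
ID_PARAM = re.compile(r"^(?:z?id|uid|cid|mid|token)$", re.IGNORECASE)
SCAN_SUFFIXES = (".js", ".json", ".html")


@dataclass
class Finding:
    path: str        # file inside the package
    url: str         # the plaintext URL as written in the source
    host: str        # hostname part, for allow/deny decisions
    id_params: list  # query keys that look like identifiers (e.g. 'zid')


def extension_zip_bytes(blob: bytes) -> bytes:
    """Strip a CRX2/CRX3 header (assumed layout) or pass a raw ZIP through."""
    if blob[:4] != b"Cr24":
        return blob  # raw .zip, as the thread's rename-to-.crx workaround produces
    version = struct.unpack_from("<I", blob, 4)[0]
    if version == 3:  # 'Cr24' | u32 version | u32 header_len | header | zip
        header_len = struct.unpack_from("<I", blob, 8)[0]
        return blob[12 + header_len:]
    if version == 2:  # 'Cr24' | u32 version | u32 key_len | u32 sig_len | key | sig | zip
        key_len, sig_len = struct.unpack_from("<II", blob, 8)
        return blob[16 + key_len + sig_len:]
    raise ValueError(f"unsupported CRX version {version}")


def scan_extension(blob: bytes) -> list:
    """Return one Finding per plaintext http:// URL in the package's script/markup files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(extension_zip_bytes(blob))) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for match in HTTP_URL.finditer(text):
                url = match.group(0)
                parts = urlsplit(url)
                ids = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                       if ID_PARAM.match(k)]
                findings.append(Finding(name, url, parts.hostname or "", ids))
    return findings


def defang(url: str) -> str:
    """Neutralise a URL for a report (the thread's 'http -> hxxp' trick, applied to text only)."""
    return url.replace("http://", "hxxp://", 1)


# --- constructed sample package (placeholder files, hostnames taken from the thread) ---
BG_JS = ('chrome.runtime.onMessage.addListener(function (msg) {\n'
         '  // constructed: phone-home URL carrying a fixed identifier, as the post describes\n'
         '  fetch("http://sqxy.coolban.com/api/TBK/chaquan?&zid=109723600173");\n'
         '});\n')
WB_JS = ("var s = document.createElement('script');\n"
         "s.src = 'http://js.t.sinajs.cn/placeholder/widget.js';\n"
         "var a = 'http://img.t.sinajs.cn/placeholder/a.png';\n"
         "var b = 'http://timg.sjs.sinajs.cn/placeholder/b.png';\n")
MANIFEST = ('{"manifest_version": 2, "name": "constructed sample", "version": "0.0.1", '
            '"homepage_url": "https://example.invalid/"}')


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", MANIFEST)
        zf.writestr("bg.js", BG_JS)
        zf.writestr("wb.js", WB_JS)
    return buf.getvalue()


def wrap_crx3(zip_bytes: bytes, header: bytes = b"\x00" * 8) -> bytes:
    """Wrap a ZIP in a minimal CRX3-shaped container (dummy header, no real signature)."""
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + zip_bytes


SAMPLE_ZIP = build_sample_zip()
SAMPLE_CRX = wrap_crx3(SAMPLE_ZIP)

if __name__ == "__main__":
    for f in scan_extension(SAMPLE_CRX):
        flag = f"  identifier params: {f.id_params}" if f.id_params else ""
        print(f"{f.path}: {defang(f.url)}{flag}")
```

Run against a real package by reading the .crx or .zip into `blob` and calling `scan_extension(blob)`; the sample run reports the one phone-home URL in bg.js (flagging `zid`) and the three plaintext hosts in wb.js. Matching on http:// URLs in source is a coarse filter, so treat the output as a review list rather than a verdict.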

13 hours ago, WSC4 said:

I have been using the 360Chrome extension "Care Your Eyes" for a while.  It allows you to change a webpage's background colour to reseda or night mode in order to protect your eyes from the intensity of white backgrounds.

It was flagged as malware and the extension was removed from Chrome Web Store on 2023-05-24.

Risk impact: High risk impact
Risk likelihood: High risk likelihood

Does anyone use something similar to this and / or recommend an alternative?  My eyes can't stand white backgrounds.

Try Deluminate, it's even better, and Google doesn't flag it as Chinese malware.

https://chrome.google.com/webstore/detail/deluminate/iebboopaeangfpceklajfohhbpkkfiaa


5 hours ago, NotHereToPlayGames said:

https://www.crx4chrome.com/crx/751/

But then extract, remove the malware, re-zip, rename .zip to .crx, then install into 360Chrome.

I did not spend a lot of time tracking down the malware "for you" (I do not use "dark mode"), but one obvious one is the addListener function in the bg.js file.
It adds a unique identification string ( &zid=109723600173 ) to a "phone-home" URL ( ht tp://sqxy.coolban.com/api/TBK/chaquan? ) [I added the space in ht tp].
Generally speaking, this sort of phone-home shenanigans can be disabled by simply replacing the http with hxxp.

There are also SEVERAL links to Chinese addresses in wb.js (intentionally non-secure http links versus secure https links should never be "trusted" inside ANY extension).
   - js.t.sinajs.cn
   - img.t.sinajs.cn
   - timg.sjs.sinajs.cn

I stopped hunting at this point (I do not use "dark mode").

Of course, if you "trusted" this in the past, then just download from .crx4chrome and use it "as-is" and continue to blindly "trust" as you were doing.
I mean, after all, it did take the Chrome Web Store two and a half years to find this "high risk impact" and remove it from the Chrome Web Store.
Any damage that would have been done would have already been done in those two and a half years.

We don't know what info is sent to China. It's more about being on the safe side, not outright visible and directly seen damage. 

I searched for "sinajs", and the results mention the over-popularized HTTPS Everywhere. Just one example.

"HTTPS Everywhere currently rewrites requests to sinajs.cn (or its subdomains)."

https://atlas.eff.org/domains/sinajs.cn.html

Does Google also flag HTTPS Everywhere as Chinese malware?


24 minutes ago, Dixel said:

I searched for "sinajs", and the results mention the over-popularized HTTPS Everywhere.

There is an obvious flaw in just converting the http to https - you ALLOWED the telemetry/malware by doing so.

I'm not a fan of HTTPS Everywhere.  I have my router set up to block any-and-all http traffic.  While https isn't perfect, there really is no need to ever connect to http.

Granted, not all of my computers run through that router, so I can't confirm or deny if that is the perfect solution or not.

But anything that intentionally uses http versus https, yeah, it should be flagged as suspicious at the very least.


3 hours ago, NotHereToPlayGames said:

Its .crx is password-protected.  That alone should make you NOT TRUST IT in my view. 

Wow! LOL! One super easy way to avoid being flagged/blocked as malware by Google.


I think we need a new extension.  HTTPS Everywhere was created when the internet was entirely different than it is now.  And as you say, over-popularized.

I'll even sign over "rights" for this new extension.  Let's call it HTTP Nowhere.  Don't redirect http to https, flat out BLOCK IT instead!

Edited by NotHereToPlayGames

3 hours ago, NotHereToPlayGames said:

But to me it's also not about Chinese malware.  Malware is malware even if it originates in an "ally nation".

In these two exact cases, with both of them, all domains/addresses are Chinese.

The script sends data to China (not Holland or any other allied nation).

I'm not sure I understand why we need to pretend they're not.

Maybe folks need to report the second extension to Google?

Do you have a Google account? Maybe try to warn them about the password?

Give the link with that China domain. 

I never understood the purpose of "HTTPS Everywhere" (apart from leaking data to China).

Any somewhat modern browser can upgrade http to https.
