Decoding html pages

[Guest]

Why are you still trying to make this work? You're trying to trick the
GUI of an add-on in one particular browser. And you *know* that anybody
with a rudimentary understanding of the web can just pick the file
contents from the HTTP stream (you mentioned packet sniffers yourself).

I wanted to know just how far one could push fooling firebug (since
others seem to rely heavily on it) and *if* it could be fooled
completely and if not, what to watch out for - which tools *can*
be fooled and which can't, and why.

Some things just can't be done.

But why can't it be done. I am a mathematician and need proofs.

There's no shame in admitting defeat against the impossible. I've only
ever found _one_ reliable way to keep people from copying scripts: write
crappy scripts

It is a trick. It makes it difficult for the unwary even to realize that
something has happened (that there *was* code on a page when the "live"
panels in firebug, HTML and DOM, no longer show it - if you forget to
check the cache via the SCRIPT panel you may miss something).

It's just a trick. You and I can get around it. I just want to know
enough of what can be done so that, if I come across it (and I have
come across exploit pages which remove Javascript) I will recognize
it and not be fooled. Don't rely on the HTML and DOM view in firebug
which are live and be fooled by removing data from a page (and avoiding
leaving global Javascript variables and non-anonymous functions around
which the DOM view can show).

Until I was sure how the SCRIPT panel in firebug works (it seems
to be a cache access tool - and the file WILL BE in cache) I didn't
*know* for a fact whether or not firebug could be completely fooled.
As data is in the cache, and firebug has a tool to search and
access that, that tool cannot be fooled. The live tools can.

By the way, did you realize that SCRIPT seems to be a cache access
tool and why about:cache in firefox and clicking on an item there
may not show the cached data? It sends a request to the original
source only asking for a more recent value (an "If-Modified-Since:"
header). It may return newer, not cached data. That may not be a
reliable way to check cached data (onless one is offline to force
a cached value to be used?).

A litle detail - but I like to know how things work in depth.

Ah, heck ... this is a Javascript forum. The original question was
just about deobfuscating some (simply) obfuscated code. That led
to a reference to a google page and the poster did not know how
the Javascript there worked - but it was a PHP blocker. That led
to the question of how to find things on a page. That led to using
firebug. That led to questions as to what it shows and can one
fool (at least parts of) it.

 

[Gregor Kofler]

Spamless meinte:

But why can't it be done. I am a mathematician and need proofs.

You're a mathematician? Then you know what an axiom is.

Gregor

 

[Guest]

On 2008-10-27 09:41, Spamless wrote:

Checking at mozilla/firefox all the information on browsing the cache
seems to be "use about:cache" (no mention of forcing it NOT to load
material with Work Offline).

Same thing happens with "view source". It will (sometimes) send a new
request, but *without* the cookies, and instead of the source of the
page you're interested in, you'll see the source of the login form :-/
Firebug is one way to work around that.

Or, in firefox, FILE|WORK_OFFLINE?

(and I remember one spammer who put up a new site and did not set
*.php files to be run through the PHP engine - so accessing the
index.php file showed its source and inclusions of other *.php
files which showed ...)

 

[David Mark]

I don't have a glimpse of a clue there? It is not removed?

By "there" I mean any subject with even a remote connection to browser
scripting, debugging, browsers in general, Firefox specifically, etc.

Your misconceptions have been described repeatedly in this thread. Re-
read it from the start. Then realize that if you don't want people to
see your script, you shouldn't post it on a public Web server. End of
story.

Oh, but it is removed from the HTML. The use of local variables

Best of luck hiding your script. It must be really good to go to all
of this trouble.