Narzędzia do reversingu w 2022

Zaktualizowana lista i przegląd narzędzi do reverse engineeringu z poprawionymi linkami oraz nowymi narzędziami.

https://www.pelock.com/pl/artykuly/przeglad-narzedzi-do-reverse-engineeringu

https://www.pelock.com/articles/reverse-engineering-tools-review

Jak na 2022 dodałem najnowsze osiągnięcie techniki, którego być może jeszcze nie znacie…

SoftIce

Odblokowanie pliku Excel

Jeśli kiedykolwiek natrafiliście na zablokowany arkusz/skoroszyt Excel na hasło lub numer seryjny, zachęcam do skorzystania z usługi odblokowanie pliku Excel.

Usługa dotyczy konkretnie popularnego zabezpieczania LockXLS, które pozwala zabezpieczyć arkusze XLS lub XLSM na hasło:

Odblokowanie arkusza Excel na hasło
Zabezpieczony arkusz Excela na hasło

Lub na numer seryjny:

Odblokowanie pliku Excel
Zablokowany skoroszyt Excela na numer seryjny

Usługa pozwala na odtworzenie źródłowego skoroszytu XLS lub XLSM (jeśli zawiera makra).

Więcej informacji na stronie:

https://www.pelock.com/pl/uslugi/inzynieria-wsteczna/odblokowanie-pliku-excel-xls-z-nieznanym-haslem-zabezpieczenie-lockxls

Antidebugging w aplikacjach Android

Dzisiaj analizowałem sobie jedną starszą aplikację i natknąłem się na ciekawy kod, sprawdzający kilka rzeczy, których autorzy sobie nie życzą (to nie jest koncert życzeń), marnie zakamuflowanych pod fałszywymi nazwami 😀

Sprawdzane są m.in.

  • Czy urządzenie było zrootowanie i czy dostępne są narzędzia takie jak np. komenda su.
  • Czy podpięty jest debugger
  • Czy zainstalowane są ehem wrogie aplikacje

Kod mówi więcej niż słowa, dlatego spójrzcie sami, może komuś ta wiedza się kiedyś przyda, z zastrzeżeniem, że to starsza aplikacja i kilka rzeczy mogło się już zmienić.

using System;
using System.Collections.Generic;
using System.IO;
using Android.App;
using Android.Content.PM;
using Android.OS;
using Xamarin.Forms;

namespace Abc
{
	// Token: 0x02000010 RID: 16
	public class CalendarService : ICalendarService
	{
		// Token: 0x06000044 RID: 68 RVA: 0x000080A5 File Offset: 0x000062A5
		public bool IsDateCorrect()
		{
			return this.IsDayCorrect() || this.IsProperUtcFormat() || this.IsMonthCorrect() || this.IsCurrentMonth() || this.IsItReallyCurrentYearAlready();
		}

		// Token: 0x06000045 RID: 69 RVA: 0x000080D0 File Offset: 0x000062D0
		public bool IsDayCorrect()
		{
			using (List<string>.Enumerator enumerator = new List<string>
			{
				"/system/app/Superuser.apk",
				"/sbin/su",
				"/system/bin/su",
				"/system/xbin/su",
				"/data/local/xbin/su",
				"/data/local/bin/su",
				"/system/sd/xbin/su",
				"/system/bin/failsafe/su",
				"/data/local/su",
				"/su/bin/su"
			}.GetEnumerator())
			{
				while (enumerator.MoveNext())
				{
					if (File.Exists(enumerator.Current))
					{
						return true;
					}
				}
			}
			string[] array = System.Environment.GetEnvironmentVariable("PATH").Split(':', StringSplitOptions.None);
			for (int i = 0; i < array.Length; i++)
			{
				if (File.Exists(Path.Combine(array[i], "su")))
				{
					return true;
				}
			}
			foreach (ActivityManager.RunningAppProcessInfo runningAppProcessInfo in ActivityManager.FromContext(Forms.Context).RunningAppProcesses)
			{
				if (runningAppProcessInfo.ProcessName.Contains("supersu") || runningAppProcessInfo.ProcessName.Contains("superuser"))
				{
					return true;
				}
			}
			return false;
		}

		// Token: 0x06000046 RID: 70 RVA: 0x00008240 File Offset: 0x00006440
		public bool IsProperUtcFormat()
		{
			return Build.Tags.Contains("test-keys");
		}

		// Token: 0x06000047 RID: 71 RVA: 0x00008251 File Offset: 0x00006451
		public bool IsMonthCorrect()
		{
			return (Forms.Context.ApplicationContext.ApplicationInfo.Flags & ApplicationInfoFlags.Debuggable) > ApplicationInfoFlags.None;
		}

		// Token: 0x06000048 RID: 72 RVA: 0x0000826C File Offset: 0x0000646C
		public bool IsCurrentMonth()
		{
			return Debug.IsDebuggerConnected;
		}

		// Token: 0x06000049 RID: 73 RVA: 0x00008274 File Offset: 0x00006474
		public bool IsItReallyCurrentYearAlready()
		{
			foreach (ApplicationInfo applicationInfo in Forms.Context.PackageManager.GetInstalledApplications(PackageInfoFlags.MetaData))
			{
				string packageName = applicationInfo.PackageName;
				if (packageName == "de.robv.android.xposed.installer" || packageName == "com.saurik.substrate" || packageName == "com.android.vending.billing.InAppBillingService.LUCK" || packageName == "com.android.vending.billing.InAppBillingService.CLON" || packageName == "com.android.vending.billing.InAppBillingService.COIN")
				{
					return true;
				}
			}
			return false;
		}
	}
}

JObfuscator – Obfuskator dla Javy

JObfuscator to mój nowy obfuskator dla kodów źródłowych języka Java.

Pozwala zabezpieczyć kody źródłowe oraz algorytmy w Java przez hakingiem, crackingiem, inżynierią wsteczną, dekompilacją i kradzieżą technologii.

Więcej informacji na stronie:

https://www.pelock.com/pl/produkty/jobfuscator

Interfejs online obfuskatora:

https://www.pelock.com/pl/jobfuscator/

Wersja dla Windows oraz Linuxa (GUI oraz wersja konsolowa):

https://www.pelock.com/pl/produkty/jobfuscator/pobierz

Automatyzacja obfuskacji z SDKs dla PHP i Pythona (plus ich kody źródłowe na GitHubie):

https://www.pelock.com/pl/produkty/jobfuscator/api

Zrzuty ekranu:

McAfee SECURE certification – śmiech na sali

Dzisiaj natrafiłem na ciekawy przypadek na stronie internetowej klienta, gdzie w sekcji <head> znalazłem tonę reguł CSS przypominających trochę działanie ad-blockerów.

W pierwszej chwili pomyślałem, że to jakiś spam, albo że strona została zhakowana.

Spójrzcie sami:

Wygląda dziwnie, wręcz podejrzanie z listą spamerskich domen… Po rozwinięciu:

:root a[href^="https://gamehag.com/r/"],
:root a[href^="http://affiliates.bet-at-home.com/processing/clickthrgh.asp"],
:root [href^="//ro88qcuy.com/"],
:root A[href*="beaffiliates.com/processing/clickthrgh.asp"],
:root img[alt="reklama"],
:root div#skapiec_ad,
:root ads-top-layer,
:root a[href^="https://www.solutions4ad.com/partner/scripts/click.php"],
:root a[href^="http://advmanager.techfun.pl/redirect/"],
:root a[href="http://www.likeplus.eu/clickback"],
:root a[href*="adnow.com/click"],
:root a[href*="://tracking.linktogame.com/aff_c"],
:root [id^="sponsorowany"],
:root [id^="slot_ad_billboard"],
:root [id^="pianoMediaBoxInfo"],
:root [id^="giercowniaAd"],
:root [id^="ceneoaffcontainer"],
:root [id^="bunyad_ads_widget"],
:root [id^="banner_900x"],
:root [id^="ad_box"],
:root [id^="AdsDetailsTop"],
:root [id*="-billboard-advert"],
:root ul.sharing-tools,
:root [href^="http://adserwer."],
:root [href*=".novem.pl/"],
:root [class^="adSrodek"],
:root IMG[title^="Sponsorowan"],
:root A[href*="/emisja.contentstream.pl/_/ctr/"],
:root a[href*="techmaniak.pl/www/gact/ckk.php"],
:root adblock-modal-component,
:root adblock-detect,
:root [class][data-sitename][data-header-version] > div[id^="detection-block"],
:root topadblock,
:root script[src^="http://free-shoutbox.net/app/webroot/shoutbox/sb.php?shoutbox="] + #freeshoutbox_content,
:root input[onclick^="window.open('http://www.FriendlyDuck.com/"],
:root img[alt^="Fuckbook"],
:root iframe[src^="http://static.mozo.com.au/strips/"],
:root div[jscontroller="U835zd"] + c-wiz[jsrenderer="YnuqN"],
:root div[id^="zergnet-widget"],
:root div[id^="traffective-ad-"],
:root div[id^="sticky_ad_"],
:root div[id^="rc-widget-"],
:root div[id^="q1-adset-"],
:root div[id^="proadszone-"],
:root div[id^="lazyad-"],
:root div[id^="gtm-ad-"],
:root div[id^="ezoic-pub-ad-"],
:root div[id^="dmRosAdWrapper"],
:root div[id^="div-adtech-ad-"],
:root div[id^="dfp-slot-"],
:root div[id^="dfp-ad-"],
:root div[id^="block-views-topheader-ad-block-"],
:root div[id^="advt-"],
:root div[id^="advads_"],
:root div[id^="ads300_600-widget"],
:root input[onclick^="window.open('http://www.friendlyduck.com/"],
:root div[id^="ads300_250-widget"],
:root div[id^="ads300_100-widget"],
:root div[id^="ads250_250-widget"],
:root div[id^="ads120_600-widget"],
:root [id$="reklamy"],
:root div[id^="adrotate_widgets-"],
:root div[id^="ad_script_"],
:root div[id^="ad_rect_"],
:root div[id^="ad_position_"],
:root div[id^="ad-server-"],
:root div[id^="ad-cid-"],
:root div[id^="acm-ad-tag-"],
:root div[id^="YFBMSN"],
:root div[id^="ADV-SLOT-"],
:root div[data-spotim-slot],
:root div[data-role="sidebarAd"],
:root div[data-native_ad],
:root div[data-mediatype="advertising"],
:root div[data-id-advertdfpconf],
:root div[data-crl="true"][data-id^="CarouselPLA-"],
:root div[data-content="Advertisement"],
:root div[data-adunit],
:root div[data-adunit-path],
:root div[data-adname],
:root div[class^="zn-sponsored-outbrain-"],
:root div[class^="proadszone-"],
:root div[class^="pane-google-admanager-"],
:root div[class^="lifeOnwerAd"],
:root div[class^="largeRectangleAd_"],
:root div[class^="kiwiad-popup"],
:root div[class^="kiwiad-desktop"],
:root div[class^="index_adBeforeContent_"],
:root div[class^="index_adAfterContent_"],
:root div[class^="index__adWrapper"],
:root div[class^="block-openx-"],
:root div[class^="backfill-taboola-home-slot-"],
:root div[class^="articleAdUnitMPU_"],
:root div[class^="advertisement-desktop"],
:root IMG[src^="http://www.audiostereo.pl/banery/"],
:root div[class^="adsbutt_wrapper_"],
:root div[class^="ads-partner-"],
:root div[class^="adbanner_"],
:root div[class^="ad_position_"],
:root div[class^="SponsoredAds"],
:root div[class^="ResponsiveAd-"],
:root div[class^="PreAd_"],
:root div[class^="Display_displayAd"],
:root div[class^="Directory__footerAds"],
:root div[class^="BannerAd_"],
:root div[class^="AdhesionAd_"],
:root div[class^="Ad__bigBox"],
:root div[class^="Ad__adContainer"],
:root div[id^="divAdvAD_"],
:root div[class^="ad_border_"],
:root div[class^="AdItem-"],
:root div[class^="AdEmbeded__AddWrapper"],
:root span[data-component-type="s-ads-metrics"],
:root div[class^="AdBannerWrapper-"],
:root div[class*="_AdInArticle_"],
:root div[class*="-storyBodyAd-"],
:root div[cel_widget_id="dpx-sponsored-products-detail_csm_instrumentation_wrapper"],
:root div[id^="adfox_"],
:root div#main > div.D1fz0e,
:root div > [class][onclick*=".updateAnalyticsEvents"],
:root bottomadblock,
:root aside[id^="tn_ads_widget-"],
:root a[href="http://upfiles.net/ref/"],
:root [class^="sponsorowany"],
:root aside[id^="adrotate_widgets-"],
:root amp-ad-custom,
:root a[target="_blank"][onmousedown="this.href^='http://paid.outbrain.com/network/redir?"],
:root a[target="_blank"][href^="http://api.taboola.com/"],
:root a[style="display:block;width:300px;min-height:250px"][href^="http://li.cnet.com/click?"],
:root div[class^="BlockAdvert-"],
:root a[src^="https://www.utherverse.com/net/"],
:root a[onmousedown^="this.href='http://paid.outbrain.com/network/redir?"][target="_blank"] + .ob_source,
:root a[onmousedown^="this.href='http://paid.outbrain.com/network/redir?"][target="_blank"],
:root div[role="navigation"] + c-wiz > script + div > .kxhcC,
:root a[onclick*="//m.economictimes.com/etmack/click.htm"],
:root a[href^="https://zononi.com/"],
:root a[href^="https://www.what-sexdating.com/"],
:root a[href^="https://www.vewwrmp.com/"],
:root a[href^="https://www.spyoff.com/"],
:root a[href^="https://www.share-online.biz/affiliate/"],
:root a[href^="https://www.securegfm.com/"],
:root a[href^="https://www.privateinternetaccess.com/"] > img,
:root a[href^="https://www.passeura.com/"],
:root div[id^="amzn-assoc-ad"],
:root a[href^="https://www.oboom.com/ref/"],
:root div[itemtype="http://schema.org/WPAdBlock"],
:root a[href^="https://www.nudeidols.com/cams/"],
:root a[href^="https://www.mypornstarcams.com/landing/click/"],
:root a[href^="https://www.kingsoffetish.com/tour?partner_id="],
:root div[data-adzone],
:root a[href^="https://www.iyalc.com/"],
:root a[href^="https://www.goldenfrog.com/vyprvpn?offer_id="][href*="&aff_id="],
:root a[href^="https://www.get-express-vpn.com/offer/"],
:root a[href^="https://www.gambling-affiliation.com/cpc/"],
:root a[href^="https://www.clicktraceclick.com/"],
:root a[href^="https://www.camyou.com/?cam="][href*="&track="],
:root a[href^="https://www.camsoda.com/enter.php?id="],
:root a[href^="https://www.brazzersnetwork.com/landing/"],
:root a[href^="https://mob1ledev1ces.com/"],
:root a[href^="https://www.bet365.com/"][href*="affiliate="],
:root a[href^="https://www.bebi.com"],
:root a[href^="https://www.awin1.com/cread.php?awinaffid="],
:root a[href^="https://www.adskeeper.co.uk/"],
:root a[href^="http://farm.plista.com/pets"],
:root a[href^="https://windscribe.com/promo/"],
:root a[href^="https://unreshiramor.com/"],
:root a[href^="http://ad-emea.doubleclick.net/"],
:root a[href^="https://understandsolar.com/signup/?lead_source="][href*="&tracking_code="],
:root div[id^="tms-ad-dfp-"],
:root a[href^="https://trust.zone/go/r.php?RID="],
:root a[href^="https://trf.bannerator.com/"],
:root a[href^="http://go.247traffic.com/"],
:root a[href^="https://bestcond1tions.com/"],
:root a[href^="https://trappist-1d.com/"],
:root a[href^="https://traffic.bannerator.com/"],
:root a[href^="https://tracking.truthfinder.com/?a="],
:root #rhs_block .xpdopen > ._OKe > div > .mod > ._yYf,
:root a[href^="https://tracking.gitads.io/"],
:root a[href^="https://track.ultravpn.com/"],
:root a[href^="https://www.adultempire.com/"][href*="?partner_id="],
:root a[href^="https://track.healthtrader.com/"],
:root a[href^="https://track.clickmoi.xyz/"],
:root [href*="://clickserve.dartsearch.net/link/click"],
:root a[href^="https://control.trafficfabrik.com/"],
:root a[href^="https://track.52zxzh.com/"],
:root .ra[align="right"][width="30%"],
:root a[href^="https://axdsz.pro/"],
:root a[href^="https://tour.mrskin.com/"],
:root a[href^="https://t.mobtya.com/"],
:root a[href^="https://t.hrtyj.com/"],
:root a[href^="https://t.hrtye.com/"],
:root a[href^="https://syndication.optimizesrv.com/splash.php?"],
:root a[href^="http://connectlinking6.com/"],
:root a[href^="http://cdn3.adexprts.com/"],
:root a[href^="https://spygasm.com/track?"],
:root div[id^="ad-div-"],
:root a[href^="https://secure.eveonline.com/ft/?aid="],
:root a[href^="https://secure.bstlnk.com/"],
:root div[class^="kiwi-ad-wrapper"],
:root a[href^="https://rev.adsession.com/"],
:root [href*=".trackmstr.com"],
:root a[href^="https://refpasrasw.world/"],
:root a[href^="https://refpaexhil.top/"],
:root AD-SLOT,
:root a[href^="https://pubads.g.doubleclick.net/"],
:root a[href^="https://prf.hn/click/"][href*="/camref:"],
:root a[href^="https://prf.hn/click/"][href*="/adref:"],
:root #rhs_block .mod > .gws-local-hotels__booking-module,
:root a[href^="http://www.my-dirty-hobby.com/?sub="],
:root a[href^="https://porndeals.com/?track="],
:root a[href^="https://offerforge.net/"],
:root div[id^="ad_head_celtra_"],
:root a[href^="https://t.grtyi.com/"],
:root a[href^="https://myusenet.xyz/"],
:root a[href^="https://my-movie.club/"],
:root a[href^="https://msecure117.com/"],
:root a[href^="https://mk-cdn.net/"],
:root a[href^="https://mk-ads.com/"],
:root a[href^="https://misspkl.com/"],
:root a[href^="https://medleyads.com/"],
:root iframe[src^="https://tpc.googlesyndication.com/"],
:root a[href*=".approvallamp.club/"],
:root a[href^="https://landing1.brazzersnetwork.com"],
:root a[href^="http://adrunnr.com/"],
:root a[href^="https://landing.brazzersplus.com/"],
:root a[href^="https://land.rk.com/landing/"],
:root .lads[width="100%"][style="background:#FFF8DD"],
:root a[href^="https://land.brazzersnetwork.com/landing/"],
:root a[href^="https://juicyads.in/"],
:root a[href^="https://join.virtuallust3d.com/"],
:root a[href^="http://www.uniblue.com/cm/"],
:root a[href^="https://join.sexworld3d.com/track/"],
:root a[href^="https://join.dreamsexworld.com/"],
:root a[href^="https://incisivetrk.cvtr.io/click?"],
:root a[href^="https://iactrivago.ampxdirect.com/"],
:root a[href^="https://iac.ampxdirect.com/"],
:root div[data-ismultirow="true"][data-id^="CarouselPLA-"],
:root a[href^="https://horny-pussies.com/tds"],
:root a[href^="https://graizoah.com/"],
:root td[valign="top"] > .mainmenu[style="padding:10px 0 0 0 !important;"],
:root a[href^="http://feedads.g.doubleclick.net/"],
:root a[href^="https://redsittalvetoft.pro/"],
:root a[href^="https://googleads.g.doubleclick.net/pcs/click"],
:root a[href^="http://cdn.adstract.com/"],
:root a[href^="https://gogoman.me/"],
:root div[jsdata*="CarouselPLA-"][data-id^="CarouselPLA-"],
:root a[href^="https://go.trackitalltheway.com/"],
:root a[href^="https://go.stripchat.com/"][href*="&campaignId="],
:root a[href^="https://go.julrdr.com/"],
:root a[href^="https://go.hpyrdr.com/"],
:root a[href^="https://adnetwrk.com/"],
:root a[href^="https://go.gldrdr.com/"],
:root div[id^="mainads"],
:root a[href^="https://go.currency.com/"],
:root a[href^="https://track.afftck.com/"],
:root a[href^="http://guideways.info/"],
:root a[href^="https://go.cmrdr.com/"],
:root a[href*=".inclk.com/"],
:root a[href^="https://go.ad2up.com/"],
:root a[href^="https://freeadult.games/"],
:root a[href^="https://fonts.fontplace9.com/"],
:root a[href^="http://clkmon.com/adServe/"],
:root a[href^="https://flirtaescopa.com/"],
:root a[href^="https://fleshlight.sjv.io/"],
:root a[href^="https://fakelay.com/"],
:root a[href^="https://earandmarketing.com/"],
:root [lazy-ad="leftthin_banner"],
:root a[href^="https://dynamicadx.com/"],
:root .GFYY1SVE2 > .GFYY1SVD2 > .GFYY1SVG5,
:root a[href^="https://djtcollectorclub.org/"][href*="?affiliate_id="],
:root a[href^="https://tc.tradetracker.net/"] > img,
:root a[href^="//srv.buysellads.com/"],
:root a[href^="https://dianches-inchor.com/"],
:root a[href^="http://adf.ly/?id="],
:root a[href^="https://uncensored3d.com/"],
:root a[href^="https://creacdn.top-convert.com/"],
:root a[href*="=exoclick"],
:root a[href^="https://www.chngtrack.com/"],
:root iframe[src^="https://pagead2.googlesyndication.com/"],
:root a[href^="https://retiremely.com/"],
:root a[href^="https://cpmspace.com/"],
:root .commercial-unit-mobile-top > .v7hl4d,
:root a[href^="https://click.plista.com/pets"],
:root a[href^="https://chaturbate.xyz/"],
:root a[href^="http://look.djfiln.com/"],
:root a[href^="https://chaturbate.jjgirls.com/"][href*="?tour="],
:root a[href^="https://chaturbate.com/in/?track="],
:root a[href^="https://chaturbate.com/in/?tour="],
:root a[href^="https://chaturbate.com/affiliates/"],
:root [href*="wap4dollar.com/"],
:root .__y_elastic .__y_item,
:root a[href^="https://mcdlks.com/"],
:root a[href^="https://bs.serving-sys.com"],
:root .mod > ._jH + .rscontainer,
:root a[href^="https://blackorange.go2cloud.org/"],
:root a[href^="https://affiliates.bet-at-home.com/processing/"],
:root a[href^="https://ads.ad4game.com/"],
:root a[href^="https://betway.com/"][href*="&a="],
:root a[href^="http://www.linkbucks.com/referral/"],
:root a[href^="https://azpresearch.club/"],
:root a[href^="https://awptjmp.com/"],
:root a[href^="http://www.fleshlight.com/"],
:root a[href^="https://aweptjmp.com/"],
:root a[href^="https://awentw.com/"],
:root a[href^="https://albionsoftwares.com/"],
:root a[href^="//postlnk.com/"],
:root a[href^="https://affiliate.rusvpn.com/click.php?"],
:root a[href^="//bwnjijl7w.com/"],
:root a[href^="https://adultfriendfinder.com/go/page/landing"],
:root a[href*="pussl3.com"],
:root a[href^="https://adswick.com/"],
:root .GKJYXHBF2 > .GKJYXHBE2 > .GKJYXHBH5,
:root ADS-RIGHT,
:root a[href^="https://adserver.adreactor.com/"],
:root a[href^="https://refpaano.host/"],
:root a[href^="https://meet-to-fuck.com/tds"],
:root a[href^="https://adhealers.com/"],
:root a[href^="https://static.fleshlight.com/images/banners/"],
:root app-advertisement,
:root a[href^="https://ad.doubleclick.net/"],
:root a[href^="http://zevera.com/afi.html"],
:root a[href^="http://go.oclaserver.com/"],
:root a[href^="https://ad.atdmt.com/"],
:root .trc_rbox .syndicatedItem,
:root a[href^="https://aaucwbe.com/"],
:root a[href^="http://xtgem.com/click?"],
:root a[href^="https://ads.trafficpoizon.com/"],
:root div[class^="local-feed-banner-ads"],
:root a[href^="http://wxdownloadmanager.com/dl/"],
:root a[href^="http://www.zergnet.com/i/"],
:root a[onmousedown^="this.href='http://staffpicks.outbrain.com/network/redir?"][target="_blank"] + .ob_source,
:root a[href^="http://www.usearchmedia.com/signup?"],
:root a[href^="http://www.torntv-downloader.com/"],
:root a[href^="http://www.tirerack.com/affiliates/"],
:root a[href^="http://www.text-link-ads.com/"],
:root a[href^="https://weedzy.co.uk/"][href*="&utm_"],
:root a[href^="http://pokershibes.com/index.php?ref="],
:root a[href^="https://usenetxs.website/"],
:root a[href^="https://gghf.mobi/"],
:root a[href^="http://www.terraclicks.com/"],
:root a[href^="https://ads-for-free.com/click.php?"],
:root a[href^="http://www.socialsex.com/"],
:root a[onmousedown^="this.href='https://paid.outbrain.com/network/redir?"][target="_blank"],
:root a[href^="http://www.sfippa.com/"],
:root a[href^="http://www.xmediaserve.com/"],
:root a[href^="http://www.sex.com/videos/?utm_"],
:root a[href^="http://paid.outbrain.com/network/redir?"],
:root a[href^="http://www.sex.com/?utm_"],
:root a[href^="http://secure.signup-page.com/"],
:root a[href^="http://www.quick-torrent.com/download.html?aff"],
:root a[href^="http://www.pinkvisualgames.com/?revid="],
:root a[href^="https://trklvs.com/"],
:root a[href^="http://www.paddypower.com/?AFF_ID="],
:root a[href^="http://www.onwebcam.com/random?t_link="],
:root a[href^="https://go.247traffic.com/"],
:root a[href^="http://www.freefilesdownloader.com/"],
:root a[href^="http://www.mysuperpharm.com/"],
:root .trc_rbox_border_elm .syndicatedItem,
:root a[href^="http://www.myfreepaysite.com/sfw_int.php?aid"],
:root a[href^="http://www.myfreepaysite.com/sfw.php?aid"],
:root .rhsvw[style="background-color:#fff;margin:0 0 14px;padding-bottom:1px;padding-top:1px;"],
:root a[href^="http://www.moneyducks.com/"],
:root a[href^="http://bcntrack.com/"],
:root a[href^="http://www.securegfm.com/"],
:root a[href^="http://www.liversely.net/"],
:root [href*="//trackmstr.com"],
:root [href*="prayuserparka.com/"],
:root a[href^="http://www.idownloadplay.com/"],
:root a[href^="http://www.hitcpm.com/"],
:root a[href^="http://fusionads.net"],
:root a[href^="http://www.hibids10.com/"],
:root div[class^="awpcp-random-ads"],
:root [href*="//securesafemembers.com"],
:root a[href^="http://www.graboid.com/affiliates/"],
:root a[href^="http://www.gamebookers.com/cgi-bin/intro.cgi?"],
:root div[id^="div_openx_ad_"],
:root a[href^="http://www.friendlyquacks.com/"],
:root a[href^="https://www.financeads.net/tc.php?"],
:root a[href*=".tfaln.com/"],
:root a[href^="http://www.friendlyduck.com/AF_"],
:root a[href^="https://content.oneindia.com/www/delivery/"],
:root a[href^="http://www.fpcTraffic2.com/blind/in.cgi?"],
:root a[href^="http://www.flashx.tv/downloadthis"],
:root .trc_rbox_div a[target="_blank"][href^="http://tab"],
:root a[href^="https://americafirstpolls.com/"],
:root a[href^="http://clickserv.sitescout.com/"],
:root a[href^="http://www.firstload.de/affiliate/"],
:root a[href^="http://www.twinplan.com/AF_"],
:root a[href^="http://www.fducks.com/"],
:root a[href^="http://www.easydownloadnow.com/"],
:root a[href^="http://www.duckssolutions.com/"],
:root a[href^="https://offers.refchamp.com/"],
:root a[href^="https://go.trkclick2.com/"],
:root a[href^="https://www.mrskin.com/account/"],
:root a[href^="http://www.duckcash.eu/"],
:root a[href^="http://go.seomojo.com/tracking202/"],
:root a[href^="http://www.downloadweb.org/"],
:root a[href^="http://www.down1oads.com/"],
:root [href^="https://ad-server.kei.pl/"],
:root a[href^="https://trafficmedia.center/"],
:root a[href^="http://www.dealcent.com/register.php?affid="],
:root a[href^="https://ad.zanox.com/ppc/"],
:root .rscontainer > .ellip,
:root a[href^="http://www.clkads.com/adServe/"],
:root a[href^="https://track.interactivegf.com/"],
:root div[class^="adpubs-"],
:root a[href*="deliver.trafficfabrik.com"],
:root a[href^="http://www.cash-duck.com/"],
:root a[href^="https://aff-ads.stickywilds.com/"],
:root a[href^="http://www.bitlord.me/share/"],
:root .grid > .container > #aside-promotion,
:root a[href^="http://www.babylon.com/welcome/index?affID"],
:root a[onmousedown^="this.href='/wp-content/embed-ad-content/"],
:root a[href^="//adbit.co/?a=Advertise&"],
:root a[href^="http://popup.taboola.com/"],
:root a[href^="https://fast-redirecting.com/"],
:root a[href^="http://www.sexgangsters.com/?pid="],
:root a[href^="http://www.amazon.co.uk/exec/obidos/external-search?"],
:root a[href^="http://go.ad2up.com/"],
:root a[href^="https://badoinkvr.com/"],
:root a[href*="/adServe/banners?"],
:root a[href^="http://www.adxpansion.com"],
:root .plistaList > .itemLinkPET,
:root a[href^="http://www.adbrite.com/mb/commerce/purchase_form.php?"],
:root a[href^="http://www.adultdvdempire.com/?partner_id="][href*="&utm_"],
:root a[href^="http://www.ragazzeinvendita.com/?rcid="],
:root a[href^="http://www.TwinPlan.com/AF_"],
:root a[href^="https://www.googleadservices.com/pagead/aclk?"],
:root a[href^="http://www.1clickdownloader.com/"],
:root [href*="://clkpl.tradedoubler.com/"],
:root a[href^="http://www.123-reg.co.uk/affiliate2.cgi"],
:root div[itemtype="http://www.schema.org/WPAdBlock"],
:root a[href^="http://wopertific.info/"],
:root a[href^="http://bodelen.com/"],
:root a[href^="http://wgpartner.com/"],
:root a[href^="http://web.adblade.com/"],
:root a[href^="https://go.onclasrv.com/"],
:root a[href^="http://wct.link/"],
:root a[href^="https://topoffers.com/"][href*="/?pid="],
:root a[href^="http://vinfdv6b4j.com/"],
:root a[href^="http://us.marketgid.com"],
:root a[href^="http://ul.to/ref/"],
:root a[href^="http://ucam.xxx/?utm_"],
:root a[href^="https://adsrv4k.com/"],
:root a[href^="http://trk.mdrtrck.com/"],
:root a[href^="http://traffic.tc-clicks.com/"],
:root a[href^="http://www.liutilities.com/"],
:root a[href^="http://www.dl-provider.com/search/"],
:root a[href^="http://tc.tradetracker.net/"] > img,
:root a[href^="http://tracking.deltamediallc.com/"],
:root div[aria-label="Ads"],
:root a[href^="http://axdsz.pro/"],
:root a[href^="https://go.ebrokerserve.com/"],
:root a[href^="http://galleries.securewebsiteaccess.com/"],
:root a[href^="http://stateresolver.link/"],
:root a[href^="http://sharesuper.info/"],
:root a[href^="https://awecrptjmp.com/"],
:root a[href^="http://server.cpmstar.com/click.aspx?poolid="],
:root a[href^="http://see.kmisln.com/"],
:root a[href^="//db52cc91beabf7e8.com/"],
:root a[href^="https://go.nordvpn.net/aff"] > img,
:root a[href^="http://secure.vivid.com/track/"],
:root a[href^="http://www.downloadthesefiles.com/"],
:root a[href^="http://secure.cbdpure.com/aff/"],
:root aside[id^="advads_ad_widget-"],
:root a[href^="http://lp.ezdownloadpro.info/"],
:root a[href^="http://uploaded.net/ref/"],
:root a[href^="https://www.nutaku.net/signup/landing/"],
:root a[href^="http://s9kkremkr0.com/"],
:root a[href^="http://azmobilestore.co/"],
:root a[href^="http://s5prou7ulr.com/"],
:root a[href^="https://easygamepromo.com/ef/custom_affiliate/"],
:root a[href^="http://record.betsafe.com/"],
:root a[href^="http://mo8mwxi1.com/"],
:root a[href^="https://bnsjb1ab1e.com/"],
:root a[href^="https://prf.hn/click/"][href*="/creativeref:"],
:root a[href^="//oardilin.com/"],
:root a[href^="http://pwrads.net/"],
:root a[href^="http://promos.bwin.com/"],
:root a[data-redirect^="https://paid.outbrain.com/network/redir?"],
:root a[href^="http://play4k.co/"],
:root a[href^="http://partner.sbaffiliates.com/"],
:root div[id^="ad-gpt-"],
:root a[href^="http://pan.adraccoon.com?"],
:root a[href*="//ezofferz.com/"],
:root a[href^="https://dltags.com/"],
:root a[href^="http://onclickads.net/"],
:root a[href^="http://n.admagnet.net/"],
:root a[href^="//awejmp.com/"],
:root a[href^="http://mob1ledev1ces.com/"],
:root a[href^="http://mmo123.co/"],
:root a[href^="http://media.paddypower.com/redirect.aspx?"],
:root a[href^="https://fileboom.me/pr/"],
:root a[href^="http://marketgid.com"],
:root a[href^="http://liversely.net/"],
:root div[id^="drudge-column-ads-"],
:root a[href^="http://tour.mrskin.com/"],
:root [src^="/Redirect.a2b?"],
:root a[href^="http://linksnappy.com/?ref="],
:root a[href^="https://deliver.ptgncdn.com/"],
:root a[href^="http://latestdownloads.net/download.php?"],
:root a[data-redirect^="http://click.plista.com/pets"],
:root .section-subheader > .section-hotel-prices-header,
:root a[href^="http://landingpagegenius.com/"],
:root a[href^="http://keep2share.cc/pr/"],
:root [src*="https://cdn.cloudimagesb.com/"],
:root a[href^="http://k2s.cc/pr/"],
:root a[href^="http://k2s.cc/code/"],
:root a[href^="http://www.revenuehits.com/"],
:root a[href^="http://install.securewebsiteaccess.com/"],
:root .widget-pane-section-result[data-result-ad-type],
:root a[href^="http://imads.integral-marketing.com/"],
:root div[id^="crt-"][style],
:root a[href^="http://igromir.info/"],
:root a[href^="https://intrev.co/"],
:root a[href^="http://https://www.get-express-vpn.com/offer/"],
:root a[href^="http://searchtabnew.com/"],
:root a[href*="?adlivk="][href*="&refer="],
:root a[href^="//look.djfiln.com/"],
:root a[href^="http://greensmoke.com/"],
:root a[href^="https://look.utndln.com/"],
:root a[href^="//5e1fcb75b6d662d.com/"],
:root #tads[aria-label],
:root a[href^="http://googleads.g.doubleclick.net/pcs/click"],
:root aside[itemtype="https://schema.org/WPAdBlock"],
:root a[href^="https://watchmygirlfriend.tv/"],
:root .nrelate .nr_partner,
:root a[href^="http://go.xtbaffiliates.com/"],
:root a[href^="http://go.mobisla.com/"],
:root a[href^="http://g1.v.fwmrm.net/ad/"],
:root a[href^="http://freesoftwarelive.com/"],
:root a[href^="http://adtrackone.eu/"],
:root a[href^="http://finaljuyu.com/"],
:root a[href^="http://fileloadr.com/"],
:root a[href^="http://delivery.clickonometrics.pl/campaign="],
:root a[href^="http://t.wowtrk.com/"],
:root a[href^="//syndication.dynsrvtbg.com/splash.php?"],
:root a[href^="http://extra.bet365.com/"][href*="?affiliate="],
:root a[href^="http://ethfw0370q.com/"],
:root a[href^="https://tracking.comfortclick.eu/"],
:root [id^="bunyad_ads_"],
:root a[href^="http://elitefuckbook.com/"],
:root a[href^="http://eclkmpsa.com/"],
:root a[href^="http://earandmarketing.com/"],
:root a[href*=".mfroute.com/"],
:root #content > #center > .dose > .dosesingle,
:root a[href^="http://campaign.bharatmatrimony.com/track/"],
:root a[href*="3wr110.xyz/"],
:root a[href^="http://d2.zedo.com/"],
:root a[href^="https://iqoption.com/lp/mobile-partner/"][href*="?aff="],
:root a[href^="http://cp.cbbp1.com"],
:root a[href^="http://codec.codecm.com/"],
:root a[href^="https://paid.outbrain.com/network/redir?"],
:root a[href^="http://www.downloadplayer1.com/"],
:root a[href^="http://clicks.binarypromos.com/"],
:root a[href^="https://dediseedbox.com/clients/aff.php?"],
:root [href^="/ucmini.php"],
:root a[href^="http://www.wantstraffic.com/"],
:root a[href^="http://databass.info/"],
:root div[class^="AdCard_"],
:root a[href^="http://www.urmediazone.com/signup"],
:root a[href^="http://click.plista.com/pets"],
:root a[href^="http://chaturbate.com/affiliates/"],
:root a[href^="http://www.firstload.com/affiliate/"],
:root a[href^="http://www.friendlyadvertisements.com/"],
:root a[href^="http://go.fpmarkets.com/"],
:root a[href^="//00ae8b5a9c1d597.com/"],
:root a[href^="http://cdn3.adbrau.com/"],
:root [href^="https://secure.bmtmicro.com/servlets/"],
:root a[href^="http://amzn.to/"] > img[src^="data"],
:root a[href^="http://bs.serving-sys.com/"],
:root a[href^="http://cpaway.afftrack.com/"],
:root a[href^="http://cdn.adsrvmedia.net/"],
:root [lazy-ad="top_banner"],
:root a[href^="http://360ads.go2cloud.org/"],
:root a[href^="http://dftrck.com/"],
:root a[href^="http://casino-x.com/?partner"],
:root a[href^="http://record.sportsbetaffiliates.com.au/"],
:root a[href^="http://campeeks.com/"][href*="&utm_"],
:root div[class^="index_displayAd_"],
:root a[href^="http://adultgames.xxx/"],
:root a[href^="https://s.zlink2.com/"],
:root a[href^="http://semi-cod.com/clicks/"],
:root a[href^="http://campaign.bharatmatrimony.com/cbstrack/"],
:root a[href^="http://istri.it/?"],
:root a[href^="https://gamescarousel.com/"],
:root a[href^="http://www.trizer.pl/?utm_source"],
:root a[href^="http://yads.zedo.com/"],
:root a[href^="https://bullads.net/get/"],
:root a[href^="http://down1oads.com/"],
:root a[href^="http://buysellads.com/"],
:root a[href^="https://uncensored.game/"],
:root a[href^="http://betahit.click/"],
:root a[href^="https://torguard.net/aff.php"] > img,
:root a[href^="http://bestorican.com/"],
:root a[href^="http://bcp.crwdcntrl.net/"],
:root a[href^="http://bc.vc/?r="],
:root a[href^="http://banners.victor.com/processing/"],
:root a[href^="http://www.fbooksluts.com/"],
:root [href^="https://aff.sendhub.pl/"],
:root a[href^="http://www.cdjapan.co.jp/aff/click.cgi/"],
:root a[href^="http://intent.bingads.com/"],
:root a[href^="//api.ad-goi.com/"],
:root a[href*="//ridingintractable.com/"],
:root a[href^="http://c.actiondesk.com/"],
:root a[href^="http://affiliate.glbtracker.com/"],
:root a[href^="https://transfer.xe.com/signup/track/redirect?"],
:root a[href^="http://anonymous-net.com/"],
:root a[href^="http://hotcandyland.com/partner/"],
:root a[href^="http://affiliates.thrixxx.com/"],
:root a[href^="http://affiliate.coral.co.uk/processing/"],
:root a[href^="http://aff.ironsocket.com/"],
:root a[href^="http://adsrv.keycaptcha.com"],
:root a[href^="https://secure.adnxs.com/clktrb?"],
:root a[href^="http://adserver.adtechus.com/"],
:root a[href^="http://adserver.adreactor.com/"],
:root a[href^="//go.onclasrv.com/"],
:root .GHOFUQ5BG2 > .GHOFUQ5BF2 > .GHOFUQ5BG5,
:root #\5f _mom_ad_2,
:root a[href^="http://ads.sprintrade.com/"],
:root a[href^="https://www.mrskin.com/tour"],
:root a[href^="http://adserver.adtech.de/"],
:root a[href^="http://cwcams.com/landing/click/"],
:root a[href^="http://ads.betfair.com/redirect.aspx?"],
:root a[href^="http://reallygoodlink.extremefreegames.com/"],
:root a[href^="http://adlev.neodatagroup.com/"],
:root a[href^="http://ad.doubleclick.net/"],
:root a[href^="https://k2s.cc/pr/"],
:root a[href^="http://ad.au.doubleclick.net/"],
:root a[href*=".directtl.xyz/"],
:root a[href^="https://clickadilla.com/"],
:root a[href^="http://websitedhoome.com/"],
:root .ob_container .item-container-obpd,
:root a[href^="http://www.adskeeper.co.uk/"],
:root a[href^="http://srvpub.com/"],
:root [data-dynamic-ads],
:root a[href^="http://a.adquantix.com/"],
:root a[href^="http://NowDownloadAll.com"],
:root a[href^="http://adtrack123.pl/"],
:root ad-desktop-sidebar,
:root [id*="MGWrap"],
:root a[href^="http://9amq5z4y1y.com/"],
:root a[href^="http://1phads.com/"],
:root a[href^="https://ismlks.com/"],
:root a[href^="//zenhppyad.com/"],
:root [href*="://affiliates-solutions.com/click/"],
:root a[href^="//www.pd-news.com/"],
:root [href*=".doubleclick-net.com"],
:root a[href^="//www.mgid.com/"],
:root a[href^="http://lp.ncdownloader.com/"],
:root a[href^="//pubads.g.doubleclick.net/"],
:root a[href^="https://www.travelzoo.com/oascampaignclick/"],
:root a[href^="https://see.kmisln.com/"],
:root a[href^="http://refer.webhostingbuzz.com/"],
:root a[onmousedown^="this.href='http://staffpicks.outbrain.com/network/redir?"][target="_blank"],
:root a[href^="//nlkdom.com/"],
:root a[href^="//medleyads.com/spot/"],
:root a[href^="https://ilovemyfreedoms.com/"][href*="?affiliate_id="],
:root [href*=".afftracks.online/"],
:root div[class^="Component-dfp-"],
:root a[href^="//healthaffiliate.center/"],
:root .l-container > #fishtank,
:root a[href^="http://www.ducksnetwork.com/"],
:root a[href^="//go.vedohd.org/"],
:root [onclick*="content.ad/"],
:root a[href^="https://clixtrac.com/"],
:root [id^="ad_iframe"],
:root a[href^="//4f6b2af479d337cf.com/"],
:root a[href^="//4c7og3qcob.com/"],
:root a[href^="https://www.arthrozene.com/"][href*="?tid="],
:root a[href^="http://tezfiles.com/pr/"],
:root #rhs_block > ol > .rhsvw > .kp-blk > .xpdopen > ._OKe > ol > ._DJe > .luhb-div,
:root a[href^=".vddfe.club/"],
:root [href^="/ucdownloader.php"],
:root a[href^="https://awejmp.com/"],
:root [href*="//go2page.net"],
:root a[href^=" http://www.sex.com/"][href*="&utm_"],
:root .GPMV2XEDA2 > .GPMV2XEDP1 > .GPMV2XEDJBB,
:root a[href*="onclkds."],
:root a[href^="https://adclick.g.doubleclick.net/"],
:root a[href*=".intab.fun/"],
:root a[href*="get-express-vpn.xyz"],
:root a[href*="=adscript"],
:root #mn #center_col > div > h2.spon:first-child,
:root a[href*="=Adtracker"],
:root a[href^="http://4c7og3qcob.com/"],
:root a[href^="https://trusted-click-host.com/"],
:root a[href^="https://members.linkifier.com/public/affiliateLanding?refCode="],
:root a[href^="https://jmp.awempire.com/"],
:root [href^="https://wct.link/"],
:root a[href^="https://track.totalav.com/"],
:root a[href^="http://ad-apac.doubleclick.net/"],
:root c-wiz[jsrenderer="YnuqN"] > div > div > .Rn1jbe,
:root a[href*="/servlet/click/zone?"],
:root a[href^="http://refpaano.host/"],
:root a[href*="/cmd.php?ad="],
:root a[href^="http://track.trkvluum.com/"],
:root #atvcap + #tvcap > .mnr-c > .commercial-unit-mobile-top,
:root a[href*="/adrotate-out.php?"],
:root a[href^="https://track.trkinator.com/"],
:root div[id^="ad-position-"],
:root a[data-redirect^="this.href='http://paid.outbrain.com/network/redir?"],
:root a[href^="http://liversely.com/"],
:root a[href^="http://www.firstclass-download.com/"],
:root a[href*="//bongacams7.com/track?"],
:root div[id^="advads-"],
:root a[href^="http://www.myfreecams.com/?co_id="][href*="&track="],
:root a[href^="https://track.afcpatrk.com/"],
:root a[href*="bbelements.com/please/"],
:root a[href*=".ad-center.com/"],
:root a[href*=".udncoeln.com/"],
:root a[href*=".trust.zone"],
:root a[href*=".surfmdia.com/"],
:root a[href*=".smartadserver.com"],
:root a[href^="https://a.bestcontentfood.top/"],
:root .commercial-unit-mobile-top .jackpot-main-content-container > .UpgKEd + .nZZLFc > div > .vci,
:root a[href*="delivery.trafficfabrik.com"],
:root #ads > .dose > .dosesingle,
:root a[href*=".revimedia.com/"],
:root .commercial-unit-desktop-rhs > div[jscontroller="YD5eo"],
:root [id^="div-gpt-ad"],
:root .__ywvr .__y_item,
:root #flowplayer > div[style="position: absolute; width: 300px; height: 275px; left: 222.5px; top: 85px; z-index: 999;"],
:root a[href^="http://www.on2url.com/app/adtrack.asp"],
:root a[href^="http://download-performance.com/"],
:root a[href^="https://farm.plista.com/pets"],
:root a[href*=".red90121.com/"],
:root a[href^="http://www.greenmangaming.com/?tap_a="],
:root a[href*=".opskln.com/"],
:root a[href^="http://z1.zedo.com/"],
:root a[href*=".irtyc.com/"],
:root div[id^="div_ad_stack_"],
:root a[href*=".ichlnk.com/"],
:root div[id^="ad_bigbox_"],
:root #content > #right > .dose > .dosesingle,
:root #assetsListings[style="display: block;"],
:root a[href^="http://9nl.es/"],
:root [lazy-ad="leftbottom_banner"],
:root a[href*=".fwd28.com/"],
:root div[id^="yandex_ad"],
:root a[href^="https://www.pornhat.com/"][rel="nofollow"],
:root a[href^="https://www.hotgirls4fuck.com/"],
:root a[href^="http://y1jxiqds7v.com/"],
:root a[href*=".frtyl.com/"],
:root a[href^="http://api.content.ad/"],
:root a[href*=".clkcln.com/"],
:root a[href^="http://www.badoink.com/go.php?"],
:root a[class="RBAd"],
:root a[href^="http://a63t9o1azf.com/"],
:root a[href*=".axdsz.pro/"],
:root div[class^="adUnit_"],
:root a[href^="https://deliver.tf2www.com/"],
:root a[href^="http://spygasm.com/track?"],
:root .ob_dual_right > .ob_ads_header ~ .odb_div,
:root [src*="//www.dianomi.com/smartads.epl"],
:root a[href*=".adk2x.com/"],
:root a[href*=".allsports4you.club"],
:root a[href^="https://track.bruceads.com/"],
:root div[data-adservice-param-tagid="contentad"],
:root #MAIN.ShowTopic > .ad,
:root a[id^="ads_banner_"],
:root a[href^="https://porngames.adult/?SID="],
:root a[href^="http://findersocket.com/"],
:root a[href^="https://m.do.co/c/"] > img,
:root [href*=".ltroute.com/"],
:root [id^="boxRegioPromoTab"],
:root div[class*="margin-Advert"],
:root #tads + div + .c,
:root a[href^="//jsmptjmp.com/"],
:root .commercial-unit-mobile-top .jackpot-main-content-container > .UpgKEd + .nZZLFc > .vci,
:root a[href^="https://financeads.net/tc.php?"],
:root #ssmiwdiv[jsdisplay],
:root a[href*=".adform.net/"],
:root a[href^="http://duckcash.eu/"],
:root a[href^="http://www.mobileandinternetadvertising.com/"],
:root a[href^="http://join3.bannedsextapes.com/track/"],
:root a[data-widget-outbrain-redirect^="http://paid.outbrain.com/network/redir?"],
:root .GB3L-QEDGY .GB3L-QEDF- > .GB3L-QEDE-,
:root a[data-url^="http://paid.outbrain.com/network/redir?"] + .author,
:root [href*=".jetx.info/"],
:root div[id^="cns_ads_"],
:root a[data-obtrack^="http://paid.outbrain.com/network/redir?"],
:root a[href^="http://www.getyourguide.com/?partner_id="],
:root [onclick^="window.open('https://www.brazzersnetwork.com/landing/"],
:root adblocker,
:root #resultspanel > #topads,
:root a[href^="http://admrotate.iplayer.org/"],
:root a[href^="http://espn.zlbu.net/"],
:root a[href^="https://vod09197d7.club/"],
:root [href^="/admdownload.php"],
:root [onclick^="window.open('window.open('//delivery.trafficfabrik.com/"],
:root a[href="http://www.livelooker.com"],
:root a[href^="https://keep2share.cc/pr/"],
:root [id*="MarketGid"],
:root a[href^="https://scurewall.co/"],
:root .commercial-unit-desktop-rhs > .iKidV > .Ee92ae + .P2mpm + .hp3sk,
:root div[class*="_browserAdOuterContainer_"],
:root [name^="google_ads_iframe"],
:root a[data-oburl^="http://paid.outbrain.com/network/redir?"],
:root a[href^="http://refpa.top/"],
:root a[href*="//bongacams.com/track?"],
:root a[href^="https://servedbyadbutler.com/"],
:root a[data-redirect^="http://paid.outbrain.com/network/redir?"],
:root a[href^="https://explore.findanswersnow.net/"],
:root [id^="adframe_wrap_"],
:root .mw > #rcnt > #center_col > #taw > #tvcap > .c,
:root a[href^="https://playuhd.host/"],
:root [href^="https://go.affiliatexe.com/"],
:root a[href^="http://mgid.com/"],
:root a[href*=".adsrv.eacdn.com/"] > img,
:root [href*="//etracking.pro"],
:root a[href^="http://www.fonts.com/BannerScript/"],
:root a[href^="http://c.ketads.com/"],
:root a[href^="http://6kup12tgxx.com/"],
:root [class^="ADbox"],
:root a[href^="http://www.roboform.com/php/land.php"],
:root a[href^="http://online.ladbrokes.com/promoRedirect?"],
:root a[href^="//mob1ledev1ces.com/"],
:root .ra[width="30%"][align="right"] + table[width="70%"][cellpadding="0"],
:root a[href^="http://www.coiwqe.site/"],
:root iframe[id^="google_ads_frame"],
:root a[href^="http://www.bet365.com/"][href*="affiliate="],
:root a[href^="http://www.bluehost.com/track/"] > img,
:root a[data-url^="http://paid.outbrain.com/network/redir?"],
:root a[href^="https://www.popads.net/users/"],
:root a[href^="http://adultfriendfinder.com/p/register.cgi?pid="],
:root a[href*="a2g-secure.com"],
:root #\5f _nq__hh[style="display:block!important"],
:root div[data-flt-ve="sponsored_search_ads"],
:root [href^="https://affect3dnetwork.com/track/"],
:root [href^="http://raboninco.com/"],
:root .GFYY1SVD2 > .GFYY1SVC2 > .GFYY1SVF5,
:root [href^="https://join3.bannedsextapes.com"],
:root [href^="https://bulletprofitsmartlink.com/"],
:root a[href^="http://www.pinkvisualpad.com/?revid="],
:root a[href^="https://www.oneclickroot.com/?tap_a="] > img,
:root DFP-AD,
:root a[href^="//porngames.adult/?SID="],
:root a[href^="https://www.friendlyduck.com/AF_"],
:root [href^="http://advertisesimple.info/"],
:root a[href^="http://secure.hostgator.com/~affiliat/"],
:root [onclick^="window.open('http://adultfriendfinder.com/search/"],
:root [href*=".revrtb.com/"],
:root .mod > .gws-local-promotions__border,
:root .icons-rss-feed + .icons-rss-feed div[class$="_item"],
:root a[data-oburl^="https://paid.outbrain.com/network/redir?"],
:root a[href^="http://affiliates.score-affiliates.com/"],
:root [href^="/ucdownload.php"],
:root a[href^="http://allaptair.club/"],
:root a[href^="http://affiliates.pinnaclesports.com/processing/"],
:root #header + #content > #left > #rlblock_left,
:root a[href^="http://partners.etoro.com/"],
:root [id^="google_ads_iframe"],
:root a[href^="https://www.g4mz.com/"],
:root a[href^="http://webgirlz.online/landing/"],
:root [href*="cadsecs.com/"],
:root a[href^="http://adserving.unibet.com/"],
:root [href*="//trackout.business"],
:root #rhs_block .mod > .luhb-div > div[data-async-type="updateHotelBookingModule"],
:root a[href^="http://adclick.g.doubleclick.net/"],
:root [href*="//mclick.net"],
:root [href^="https://refpahrwzjlv.top/"],
:root a[href^="http://czotra-32.com/"],
:root [id*="nokaut_ads_"],
:root div[role="navigation"] + c-wiz > div > .kxhcC,
:root a[href^="http://www.download-provider.org/"],
:root a[href*=".qertewrt.com/"],
:root [href*="//doubleclick-net.com"],
:root a[href^="http://deloplen.com/afu.php?zoneid="],
:root [id*="ScriptRoot"],
:root [href*=".xiloy.site/"],
:root [src^="http://api.lanistaads.com/ServeAd?"],
:root a[href^="http://webtrackerplus.com/"],
:root a[href^="https://ad13.adfarm1.adition.com/"],
:root a[href^="http://clickandjoinyourgirl.com/"],
:root a[href*=".xromp.com/landing/click/"],
:root #center_col > #res > #topstuff + #search > div > #ires > #rso > #flun,
:root [href*=".trackout.business"],
:root #center_col > #taw > #tvcap > .rscontainer,
:root [href*=".securesafemembers.com"],
:root [href*=".grtya.com/"],
:root .gbfwa > div[class$="_item"],
:root a[href^="https://goraps.com/"],
:root [href*=".etracking.pro"],
:root #main-content > [style="padding:10px 0 0 0 !important;"],
:root #center_col > #resultStats + div[style="border:1px solid #dedede;margin-bottom:11px;padding:5px 7px 5px 6px"],
:root a[href^="https://www.oboom.com/ad/"],
:root [href*=".adcampo.com/"],
:root [data-ad-module],
:root a[href^="http://get.slickvpn.com/"],
:root a[href^="https://track.themadtrcker.com/"],
:root a[href^="http://hyperlinksecure.com/go/"],
:root a[href^="http://xads.zedo.com/"],
:root a[href^="http://www.affiliates1128.com/processing/"],
:root a[href^="http://c.jumia.io/"],
:root [class^="div-gpt-ad"],
:root [href*=".go2page.net"],
:root a[href^="http://hd-plugins.com/download/"],
:root a[href^="//voyeurhit.com/cs/"],
:root a[href^="http://www.afgr3.com/"],
:root [ad-id^="googlead"],
:root .ra[align="left"][width="30%"],
:root a[href^="https://trackjs.com/?utm_source"],
:root AFS-AD,
:root [id^="ad-wrap-"],
:root #center_col > #\5f Emc,
:root a[href^="http://ads2.williamhill.com/redirect.aspx?"],
:root AD-TRIPLE-BOX,
:root #center_col > div[style="font-size:14px;margin-right:0;min-height:5px"] > div[style="font-size:14px;margin:0 4px;padding:1px 5px;background:#fff8e7"],
:root a[href*=".trck5.com/"],
:root .trc_rbox_div .syndicatedItem,
:root a[href^="http://www.streamate.com/exports/"],
:root [href*="maskip.co/"],
:root a[href^="https://www.firstload.com/affiliate/"],
:root .trc_related_container div[data-item-syndicated="true"],
:root a[href^="http://aflrm.com/"],
:root div[id^="google_dfp_"],
:root [href*="get-download.club/"],
:root .section-result[data-result-ad-type],
:root a[href^="https://syndication.exoclick.com/splash.php?"],
:root #mn div[style="position:relative"] > #center_col > div > ._dPg,
:root a[href*="//bongacams5.com/track?"],
:root FBS-AD,
:root a[href^="http://see-work.info/"],
:root .inlineNewsletterSubscription + .inlineNewsletterSubscription div[class$="_item"],
:root a[href*=".orange2258.com/"],
:root #taw > .med + div > #tvcap > .mnr-c:not(.qs-ic) > .commercial-unit-mobile-top,
:root .plista_widget_belowArticleRelaunch_item[data-type="pet"],
:root a[href*=".clksite.com/"],
:root a[href^="http://www.webtrackerplus.com/"],
:root .GJJKPX2N1 > .GJJKPX2M1 > .GJJKPX2P4,
:root a[href*=".bang.com/"][href*="&aff="],
:root #topstuff > #tads,
:root a[href*=".purple6401.com/"],
:root [id^="componentsPromotionsOffers"],
:root a[href^="http://goldmoney.com/?gmrefcode="],
:root a[href^="http://papi.mynativeplatform.com:80/pub2/"],
:root LEADERBOARD-AD,
:root #mn #center_col > div > h2.spon:first-child + ol:last-child,
:root a[href*=".cfm?fp="][href*="&prvtof="],
:root a[href*="n47adshostnet.com/"],
:root #center_col > #taw > #tvcap > .commercial-unit-desktop-top,
:root .plistaList > .plista_widget_underArticle_item[data-type="pet"],
:root a[href^="http://servicegetbook.net/"],
:root #rhs_block > #mbEnd,
:root a[href^="http://cinema.friendscout24.de?"],
:root [lazy-ad="lefttop_banner"],
:root a[href^="http://www.mrskin.com/tour"],
:root .jobs-information-call-to-action + .jobs-information-call-to-action div[class$="_item"],
:root a[href^="https://go.hpyjmp.com/"],
:root .vi-lb-placeholder[title="ADVERTISEMENT"],
:root a[href^="http://www.menaon.com/installs/"],
:root a[href^="http://taboola-"][href*="/redirect.php?app.type="],
:root .mw > #rcnt > #center_col > #taw > .c,
:root .commercial-unit-mobile-top > div[data-pla="1"],
:root #rhs_block > script + .c._oc._Ve.rhsvw,
:root #\5f _mom_ad_12,
:root .__zinit .__y_item,
:root TopTextAd,
:root .ch[onclick="ga(this,event)"],
:root .__ywl .__y_item,
:root div[id^="div-ads-"],
:root a[onmousedown^="this.href='https://paid.outbrain.com/network/redir?"][target="_blank"] + .ob_source,
:root a[href^="http://at.atwola.com/"],
:root #center_col > #resultStats + #tads,
:root .__yinit .__y_item,
:root a[href^="https://secure.cbdpure.com/aff/"],
:root a[href^="https://affiliate.bitbay.net/"],
:root AMP-AD,
:root iframe[src*="mellowads.com"],
:root .__y_inner > .__y_item,
:root a[href^="https://affiliate.geekbuying.com/gkbaffiliate.php?"],
:root #cnt #center_col > #res > #topstuff > .ts,
:root a[href^="https://landing.brazzersnetwork.com/"],
:root #cnt #center_col > #taw > #tvcap > .c._oc._Lp,
:root div[class^="hp-ad-rect-"],
:root a[href^="http://dwn.pushtraffic.net/"],
:root a[href$="/vghd.shtml"],
:root a[href^="https://a.adtng.com/"],
:root a[href^="http://static.fleshlight.com/images/banners/"],
:root #rhswrapper > #rhssection[border="0"][bgcolor="#ffffff"],
:root .Mpopup + #Mad > #MadZone,
:root a[href^="http://ads.expekt.com/affiliates/"],
:root a[href^="http://www.streamtunerhd.com/signup?"],
:root a[href^="http://www.seekbang.com/cs/"],
:root a[href^="http://syndication.exoclick.com/"],
:root a[href^="http://bluehost.com/track/"],
:root a[href^="http://fsoft4down.com/"],
:root a[href*="ad2upapp.com/"],
:root a[href^="https://www.adxtro.com/"],
:root a[href^="http://click.payserve.com/"],
:root iframe[src^="http://ad.yieldmanager.com/"],
:root a[href^="http://pubads.g.doubleclick.net/"],
:root a[href^="http://serve.williamhill.com/promoRedirect?"],
:root a[href^="http://www.gfrevenge.com/landing/"],
:root a[href^="http://hpn.houzz.com/"],
:root a[href^="http://45eijvhgj2.com/"],
:root [href*=".mclick.net"],
:root #center_col > #taw > #tvcap > .cu-container > .commercial-unit-desktop-top,
:root a[href*="//promo-bc.com/track?"] { display: none !important; }
:root a[href^="https://sexsimulator.game/tab/?SID="],
:root .rc-cta[data-target],
:root #rhs_block > .ts[cellspacing="0"][cellpadding="0"][style="padding:0"],
:root div[data-ad-underplayer],
:root #mbEnd[cellspacing="0"][cellpadding="0"],
:root a[href^="http://3wr110.net/"],
:root .trc_rbox_div .syndicatedItemUB,
:root a[href^="https://www.im88trk.com/"],
:root a[href^="http://ffxitrack.com/"],
:root #center_col > #main > .dfrd > .mnr-c > .c._oc._zs,
:root a[href^="https://squren.com/rotator/?atomid="],
:root div[id^="adspot-"],
:root #\5f _admvnlb_modal_container,
:root a[href^="//40ceexln7929.com/"],
:root #center_col > #resultStats + div + #res + #tads,
:root a[href^="//88d7b6aa44fb8eb.com/"],
:root a[href^="http://www.afgr2.com/"],
:root #mn div[style="position:relative"] > #center_col > ._Ak,
:root #tadsb[aria-label],
:root a[href*="//bongacams2.com/track?"],
:root #center_col > #resultStats + #tads + #res + #tads,
:root a[href^="//z6naousb.com/"],
:root a[href^="https://reachtrgt.com/"],
:root div[data-subscript="Advertising"],
:root div[class$="dealnews"] > .dealnews,
:root a[href^="http://t.mdn2015x2.com/"],
:root div[class^="Ad__container"],
:root a[href^="http://adprovider.adlure.net/"],
:root a[href^="http://rs-stripe.wsj.com/stripe/redirect"],
:root #main_col > #center_col div[style="font-size:14px;margin:0 4px;padding:1px 5px;background:#fff7ed"],
:root a[data-nvp*="'trafficUrl':'https://paid.outbrain.com/network/redir?"],
:root [href^="https://www.xvbelink.com/"],
:root a[href^="http://www.sex.com/pics/?utm_"],
:root a[href^="http://vo2.qrlsx.com/"],
:root a[href^="http://engine.newsmaxfeednetwork.com/"],
:root a[href^="http://ad.yieldmanager.com/"],
:root a[href^="http://www.plus500.com/?id="],
:root #flowplayer > div[style="z-index: 208; position: absolute; width: 300px; height: 275px; left: 222.5px; top: 85px;"],
:root a[href^="https://giftsale.co.uk/?utm_"],
:root a[href^="https://syndication.dynsrvtbg.com/splash.php?"] { display: none !important; }

Wyłączyłem adblockera (uBlock Origin), ale reguły dalej tkwiły na stronie klienta.

Pomyślałem może, że ukrywa faktyczne linki wstrzyknięte przez kod PHP dla samego SEO juice, ale to też nie było to…

Po krótkiej analizie w footerze strony znalazłem link do dziwnego skryptu JS na jeszcze dziwniejszej domenie:

<script type="text/javascript" src="https://cdn.ywxi.net/js/1.js" async></script>

Adres mi nic nie mówił, ale Google szybko znalazł, że skrypt należy do mechanizmu McAfee Secure “chroniącego” strony przed hakerami 😀

https://blog.trustedsite.com/2018/07/20/technical-implementation-of-mcafee-secure-certification/

Czyli, że jak ktoś Ci się włamie na stronę, zamieści linki do spamerskich stron, to dzielny skrypt firmy McAfee go wizualnie ukryje przed twoimi użytkownikami, wykorzystując regułę CSS:

{ display: none !important; }

Genialne… Ich tysiąc sztywnych reguł na pewno ochroni każdą zhakowaną stronę 😉

Dodatkowo zablokuje też reklamy na stronie jeśli takowe masz (i dzięki nim zarabiasz, albo zarabiałeś, dzielny skrypt McAfee upewni się, że twoi użytkownicy ich nie zobaczą):

:root img[alt="reklama"],
:root div#skapiec_ad,
:root ads-top-layer,
...
:root [id^="sponsorowany"],
:root [id^="slot_ad_billboard"],
:root [id^="pianoMediaBoxInfo"],
:root [id^="giercowniaAd"],
:root [id^="ceneoaffcontainer"],
:root [id^="bunyad_ads_widget"],
:root [id^="banner_900x"],
:root [id^="ad_box"],
:root [id^="AdsDetailsTop"],
:root [id*="-billboard-advert"],
:root ul.sharing-tools,
:root [href^="http://adserwer."],
:root [href*=".novem.pl/"],
:root [class^="adSrodek"],
:root IMG[title^="Sponsorowan"],
...

Koniec końców okazało się, że klient rok temu korzystał faktycznie z ich “certyfikacji” czy nawet płacił za to, ale porzucił to, zostawiając jednak ten nieszczęsny skrypt JS.

O ile blokowanie spamerskich stron ma jakiś tam sens, to sam mechanizm jest idiotyczny, spowalnia działanie samej strony, engine przeglądarki musi przerobić cały kod HTML tysiącami reguł, które i tak nic nie zrobią, a najbardziej nieetyczne jest blokowanie samych reklam, których po prostu właściciel strony chce mieć i nie ma to nic wspólnego z cyber bezpieczeństwem.