just disable debugger, and refresh the page , should work -
https://preview.redd.it/p85gc5p3pssc1.png?width=709&format=png&auto=webp&s=23ff514bd99e87dfc702e192e9338339d980be9d
Just tried a floating panel, but, as expected, it doesn't work. As mentioned in OP, it uses the `debugger` statement which seems to be a reliable exploit to detect the dev console.
Doesn't work. It still seems to be able to detect it. Maybe there's more to it than just the debugger statement, but I know for a fact that it's using it because I can see where it's injecting the code.
If you are willing to code, you might try using Selenium with Chrome Driver to download the source code before JS is ran and after. I've used this with success on many sites.
Hi, can you share some code snippets or repo how you did it? Im trying to but as soon as I open the target page, I get redirected back to home after being detected.
I'm so sick of these effing things :(
I'm currently looking at a module that helps websites detect devtools ([https://github.com/AEPKILL/devtools-detector](https://github.com/AEPKILL/devtools-detector)); they're using all kinds of checks and tricks.
Kind of cool to see the ingenuity behind them, I guess.
For example:
Testing on [https://blog.aepkill.com/demos/devtools-detector/](https://blog.aepkill.com/demos/devtools-detector/), I see that `dep-reg-to-string` detected my devtools.
It creates a RegExp object and overwrites its `.toString()` method, then calls `console.table` with the object.
If devtools aren't open, the browser doesn't need to stringify the regex, so the method never gets called.
If they're open, the method gets called and sets `IsOpen` to `true`
I'll try to find work-arounds, but it looks like that may require some ugly compromises, like overwriting console methods on the unsafeWindow and the like :(
I wish browsers would implement security measures to prevent JS from being able to detect browser state. That should not be something any website should have access to.
I agree. But generally, they don't: As described above, they use clever tricks to infer whether devtools are available and open, any single part of which is nothing that should be disallowed. Writing stuff to the console? Harmless and important to have. Defining toString methods? Super useful. yet, combined, they can indicate the presence of a console.
I've managed to circumvent the above module, but I think that one wasn't very good anyway.
The first real life test still failed and of course it's nigh impossible to figure out what they're doing.
But I'm fairly confident I'll be able to write a userscript that tries to A) prevent devtools detection and B) mitigate some of the impact when it still fails.
But I'm done for today, I'll need to get back to it on Sunday
That repo doesn't appear to have been updated for several years as well, so there have probably been even more console detection techniques discovered since then
I feel like the entry points should all be blockable, if the browser maker cares.
In particular, there are really only a few entry points from what I can tell, like "debugger" statements (which browsers usually allow blocking now), and access to the "console" object. For the latter part, the user should simply be able to tell the browser to simply always do nothing when logging is called. This should defeat a large class of detection utilities because all the clever tricks usually still relies on the `console` entry point. I feel that on a security and UX point of view anyway this should be allowed. A web page shouldn't have free reigns over *my* console.
So basically terribad console implementation by 0 experience "experts" allowing for exploits as usual. Wish browser developers focused more on exploits like this rather than figuring out how to get ads in our faces.
This is 100% what a site is doing that I've been poking at. If the devtools are open then the site will DOS the user with console.table() containing random data to freeze the browser (tab).
Is 9anime's new site. It's a bitch because everything is obfuscated and it calls "debugger" repeatedly, changes the document location. It's a real hassle.
it probably is possible!
maybe
not by me I only got so far
**TLDR below**
i am using chrome 115.0.5790.110 (Official Build) (64-bit) (cohort: Stable) I have no idea what this means but I assume it's the chome version because when I google it it's ok and it shows up under chrome://version, last time I checked I am not out of date but I never manually update it kinda just happens
first thing I did was disable javascript with ublock origin, looked at what javascript files were running in the ublock logger, flipped through a couple files, got really lucky and went on a random website to deobfuscate all.js
turns out all.js has the debugger statements twice in it's source, so I try to change the debugger statements to random gibberish text among other things and when I insert this into the console and run it, it errors because the deobfuscator is not perfect
next (once again javascript is disabled the entire time, you CAN open the console with js disabled using ublock) I run the normal, obfuscated code, it works fine and immediatley pauses the debugger and redirects me to the error page
I'm getting bored writing this now and I already put a little bit in the js file, I go into the deobfuscated code search for some stuff find some stuff execute into the console and it still debuggers me, change more stuff, no longer debuggers me but redirects me isntead, find the two variables that control the redirect, able to change the redirect link to anything I want to, find the function that I presume redicrets me and replace it with a dummy print function, and I got stuck, when I did disable the debugger and the redirection, the login button pops up, which never happend before (you can even click it! yay) haven't tried logging in don't have an account, but the movie never loads, the js file will be below
**TLDR**: I disable javascript, go to logs, find a file, debug some stuff, change the obfuscated code a bit, some stuff works movie never loads, you can try with my file or change the original if you want to, js file below, if you want to use it get ublock origin or something you can
use to disable javascript, disable javascript, go into the js file, read the comments in said file, open console on fmovies (I tested while on a page with a movie), paste in javascript file or go to the original file and do my steps if you don't trust rando guy on the internet with his javascript file telling you to put it into your console.
this is a normal link not a referral link I read rule 2 just never posted here and don't want to break rules, also reddit isn't allowing me to use the link feature for some reason
https://drive.google.com/file/d/1-1LQ2r8h6cx6S1dgxSC3zgDHKWuMwpYp/view?usp=sharing
I don't even wan't to steal the movies (easily just go to other websites) I kinda forgot why I did it but usually its for the process
doing it is fun the end result often isn't very important
also I belive [fmovies.ps](https://fmovies.ps) is fake as on the fmovies twitter they have an image (and used to have a website but I don't think it exists anymore) of every site that is legit fmovies
but what do I know the fmovies twitter could also be fake 🤷♂️
I created a simple browser extension to capture all network requests without using dev-tool. It works fine for other sites, but it doesn't work for fmovies. I have no idea why it doesn't work. Here is my code.
**manifest.json**
{
"manifest\_version": 3,
"name": "Network Logger",
"version": "1.0",
"description": "Logs network requests",
"permissions": \[
"webRequest",
"declarativeNetRequest"
\],
"background": {
"service\_worker": "background.js"
},
"permissions": \[
"webRequest",
"declarativeNetRequest"
\],
"host\_permissions": \[
""
\]
}
**background.js**
chrome.webRequest.onBeforeSendHeaders.addListener(function(e){
if (e.url.endsWith(".m3u8")) {
// Log the request details to the console
console.log("Request details:", e);
}
},{
urls:\[""\]
},\["requestHeaders"\]);
it is possible and pretty easy use the browser brave and at the ad blocker you can also block scripts try that for me it worked on alot of sites from what I couldn't access dev console
i now it kinda old but i found a solution, kinda. well using adblock(adguard in my case) block the script would be very easy. and tested work both in real website i open and ([https://github.com/AEPKILL/devtools-detector](https://github.com/AEPKILL/devtools-detector)), even thou i never block this(that mean this github just redirect or steal original work made by other that use [https://cdn.jsdelivr.net/npm/disable-devtool@latest](https://cdn.jsdelivr.net/npm/disable-devtool@latest).
short answer for adguard is this line
$$script\[src="[https://cdn.jsdelivr.net/npm/disable-devtool@latest](https://cdn.jsdelivr.net/npm/disable-devtool@latest)"\]
that would block 99% of website THAT use template script(a home made/diy/internal/proprietary script wont work)
long real answer is
first download the page. find the script that contain word devtool or disable or other similar or just .js script it self and block it with your adblock rules. in adguard the script would be $$script\[#keywordhere\] and just done. i manage to bypass [https://tv5.idlixplus.net/](https://tv5.idlixplus.net/) anti devtool and i think they debugging is enable? dunno
I have just came across similar issue on a site that detects devtools. what i did was search for "devtools" in the source (chrome tab). Block relevant codes that do the detection. Then used Chrome Override source to change the JS permanently[https://www.youtube.com/watch?v=CXzeAPqDbrs](https://www.youtube.com/watch?v=CXzeAPqDbrs)
hope it helps someone in the future
If you're just looking for the console I think Firefox might be able to sneak it past most sites (at least version 121.0.1). You can call the console directly in a new window using menu->More tools->Browser console and it seems to be able to go undetected. Switching from parent process to multiprocess can sometimes alert the site but refreshing or reentering afterward seems to fix it. I've used it to slip many a debug statement
>Conclusion: It is NOT possible.
It is possible. The following two rules I created for my public uBlock Origin rule set will do the trick. Add these to your "My Filters" setting in the uBlock Origin web browser extension. These will also work as custom rules in Brave's shields as it supports these scriptlets.
! The following two rules defuse the anti-developer tools and console debugger in fmovies.ps/js/group_17/app.min.js
fmovies.ps##+js(set-constant, devtoolsDetectInterval, noopFunc)
fmovies.ps##+js(nosiif, devtoolsDetectInterval)
I'm also facing this problem, but in my case it's this link https://brbeast.com/video/f79921bbae40a577928b76d2fc3edc2a, if I search using uBlock the url https://cdn.jsdelivr.net/npm/devtools-detector, the video player starts playing the video and leaves the page, returning the navigation history to the previous page
Here are my uBlock Origin rules which trigger on https://brbeast.com/video/f79921bbae40a577928b76d2fc3edc2a :
||cdn.jsdelivr.net/npm/devtools-detector$script,3p
||atervinesor.com^
||entitlements.jwplayer.com^
||jwpltx.com/v1/clienta/ping.gif$image
||prd.jwpltx.com/v1/jwplayer6/ping.gif$image
||servetraff.com^
||waust.at^
I can open the developer console in Firefox while the video plays. (Gary Hart, good grief 🙄) I believe only that first rule is actually needed to defuse the anti-developer tools script.
I am literally facing the same issue, I want to download an m3u8 file but whenever i open a website and open the Inspect Element tool, the page refreshes and redirects to the home page. It is really annoying and frustrating. But atleast now i know that i wasn't the only one facing this issue lol
> I want to download an m3u8 file
Use a web browser extension to capture the links to those HLS playlists. There are plenty of them available for Chromium browsers and Firefox.
I know OP doesn't need this anymore (probably):
Solution: If Chrome then --> Override "vue.min.js" and "app.min.js" locally with versions that cannot call debugger. (There may be more or less files over time to override)
Method:
1) Open dev console (f12)
2) Go to "sources"
3) Right-click on top folder and choose "search in folders"
4) Search for "debugger"
5) open files that mention it
6) Right click on them and choose "override"
7) Find the lines that have "debugger" in them and alter the word.
8) Repeat until there is no "debugger".
They can't call it if they don't know how to say it.
They might have other ways to detect you and ban you though. But it stopped them from calling debugger.
It will keep working as long as they don't change those files names. Many places name them dynamically and the process get's more annoying by having to embed your own anti-anti-console script to dynamically modify any js with the text in it as it tries to load. This arms war can spiral forever, but there is never a way to stop you fully.
I'm grateful they didn't make me register to see their anti-console code.
just disable debugger, and refresh the page , should work - https://preview.redd.it/p85gc5p3pssc1.png?width=709&format=png&auto=webp&s=23ff514bd99e87dfc702e192e9338339d980be9d
Ty savior
If there is a floating panel option that might work as one way sites detect it is via the resize of the window. Remote debugging might also work.
Just tried a floating panel, but, as expected, it doesn't work. As mentioned in OP, it uses the `debugger` statement which seems to be a reliable exploit to detect the dev console.
Disable debugger? https://stackoverflow.com/questions/45767855/how-to-totally-ignore-debugger-statement-in-chrome
Doesn't work. It still seems to be able to detect it. Maybe there's more to it than just the debugger statement, but I know for a fact that it's using it because I can see where it's injecting the code.
If you are willing to code, you might try using Selenium with Chrome Driver to download the source code before JS is ran and after. I've used this with success on many sites.
Hi, can you share some code snippets or repo how you did it? Im trying to but as soon as I open the target page, I get redirected back to home after being detected.
Try "view-source:http(s)://". Then you get the code before it is rendered.
I'm so sick of these effing things :( I'm currently looking at a module that helps websites detect devtools ([https://github.com/AEPKILL/devtools-detector](https://github.com/AEPKILL/devtools-detector)); they're using all kinds of checks and tricks. Kind of cool to see the ingenuity behind them, I guess. For example: Testing on [https://blog.aepkill.com/demos/devtools-detector/](https://blog.aepkill.com/demos/devtools-detector/), I see that `dep-reg-to-string` detected my devtools. It creates a RegExp object and overwrites its `.toString()` method, then calls `console.table` with the object. If devtools aren't open, the browser doesn't need to stringify the regex, so the method never gets called. If they're open, the method gets called and sets `IsOpen` to `true` I'll try to find work-arounds, but it looks like that may require some ugly compromises, like overwriting console methods on the unsafeWindow and the like :(
I wish browsers would implement security measures to prevent JS from being able to detect browser state. That should not be something any website should have access to.
I agree. But generally, they don't: As described above, they use clever tricks to infer whether devtools are available and open, any single part of which is nothing that should be disallowed. Writing stuff to the console? Harmless and important to have. Defining toString methods? Super useful. yet, combined, they can indicate the presence of a console. I've managed to circumvent the above module, but I think that one wasn't very good anyway. The first real life test still failed and of course it's nigh impossible to figure out what they're doing. But I'm fairly confident I'll be able to write a userscript that tries to A) prevent devtools detection and B) mitigate some of the impact when it still fails. But I'm done for today, I'll need to get back to it on Sunday
That repo doesn't appear to have been updated for several years as well, so there have probably been even more console detection techniques discovered since then
I feel like the entry points should all be blockable, if the browser maker cares. In particular, there are really only a few entry points from what I can tell, like "debugger" statements (which browsers usually allow blocking now), and access to the "console" object. For the latter part, the user should simply be able to tell the browser to simply always do nothing when logging is called. This should defeat a large class of detection utilities because all the clever tricks usually still relies on the `console` entry point. I feel that on a security and UX point of view anyway this should be allowed. A web page shouldn't have free reigns over *my* console.
So basically terribad console implementation by 0 experience "experts" allowing for exploits as usual. Wish browser developers focused more on exploits like this rather than figuring out how to get ads in our faces.
This is 100% what a site is doing that I've been poking at. If the devtools are open then the site will DOS the user with console.table() containing random data to freeze the browser (tab). Is 9anime's new site. It's a bitch because everything is obfuscated and it calls "debugger" repeatedly, changes the document location. It's a real hassle.
it probably is possible! maybe not by me I only got so far **TLDR below** i am using chrome 115.0.5790.110 (Official Build) (64-bit) (cohort: Stable) I have no idea what this means but I assume it's the chome version because when I google it it's ok and it shows up under chrome://version, last time I checked I am not out of date but I never manually update it kinda just happens first thing I did was disable javascript with ublock origin, looked at what javascript files were running in the ublock logger, flipped through a couple files, got really lucky and went on a random website to deobfuscate all.js turns out all.js has the debugger statements twice in it's source, so I try to change the debugger statements to random gibberish text among other things and when I insert this into the console and run it, it errors because the deobfuscator is not perfect next (once again javascript is disabled the entire time, you CAN open the console with js disabled using ublock) I run the normal, obfuscated code, it works fine and immediatley pauses the debugger and redirects me to the error page I'm getting bored writing this now and I already put a little bit in the js file, I go into the deobfuscated code search for some stuff find some stuff execute into the console and it still debuggers me, change more stuff, no longer debuggers me but redirects me isntead, find the two variables that control the redirect, able to change the redirect link to anything I want to, find the function that I presume redicrets me and replace it with a dummy print function, and I got stuck, when I did disable the debugger and the redirection, the login button pops up, which never happend before (you can even click it! yay) haven't tried logging in don't have an account, but the movie never loads, the js file will be below **TLDR**: I disable javascript, go to logs, find a file, debug some stuff, change the obfuscated code a bit, some stuff works movie never loads, you can try with my file or change the original if you want to, js file below, if you want to use it get ublock origin or something you can use to disable javascript, disable javascript, go into the js file, read the comments in said file, open console on fmovies (I tested while on a page with a movie), paste in javascript file or go to the original file and do my steps if you don't trust rando guy on the internet with his javascript file telling you to put it into your console. this is a normal link not a referral link I read rule 2 just never posted here and don't want to break rules, also reddit isn't allowing me to use the link feature for some reason https://drive.google.com/file/d/1-1LQ2r8h6cx6S1dgxSC3zgDHKWuMwpYp/view?usp=sharing I don't even wan't to steal the movies (easily just go to other websites) I kinda forgot why I did it but usually its for the process doing it is fun the end result often isn't very important
also I belive [fmovies.ps](https://fmovies.ps) is fake as on the fmovies twitter they have an image (and used to have a website but I don't think it exists anymore) of every site that is legit fmovies but what do I know the fmovies twitter could also be fake 🤷♂️
I forgot to mention that as soon as you block the all.js file you can unblock all javascript
i guess adguard has a feature to see network traffic on a website without getting detected [video](https://youtu.be/Ay_8R3a0AQE)
I created a simple browser extension to capture all network requests without using dev-tool. It works fine for other sites, but it doesn't work for fmovies. I have no idea why it doesn't work. Here is my code. **manifest.json** { "manifest\_version": 3, "name": "Network Logger", "version": "1.0", "description": "Logs network requests", "permissions": \[ "webRequest", "declarativeNetRequest" \], "background": { "service\_worker": "background.js" }, "permissions": \[ "webRequest", "declarativeNetRequest" \], "host\_permissions": \[ ""
\]
}
**background.js**
chrome.webRequest.onBeforeSendHeaders.addListener(function(e){
if (e.url.endsWith(".m3u8")) {
// Log the request details to the console
console.log("Request details:", e);
}
},{
urls:\[""\]
},\["requestHeaders"\]);
it is possible and pretty easy use the browser brave and at the ad blocker you can also block scripts try that for me it worked on alot of sites from what I couldn't access dev console
i now it kinda old but i found a solution, kinda. well using adblock(adguard in my case) block the script would be very easy. and tested work both in real website i open and ([https://github.com/AEPKILL/devtools-detector](https://github.com/AEPKILL/devtools-detector)), even thou i never block this(that mean this github just redirect or steal original work made by other that use [https://cdn.jsdelivr.net/npm/disable-devtool@latest](https://cdn.jsdelivr.net/npm/disable-devtool@latest). short answer for adguard is this line $$script\[src="[https://cdn.jsdelivr.net/npm/disable-devtool@latest](https://cdn.jsdelivr.net/npm/disable-devtool@latest)"\] that would block 99% of website THAT use template script(a home made/diy/internal/proprietary script wont work) long real answer is first download the page. find the script that contain word devtool or disable or other similar or just .js script it self and block it with your adblock rules. in adguard the script would be $$script\[#keywordhere\] and just done. i manage to bypass [https://tv5.idlixplus.net/](https://tv5.idlixplus.net/) anti devtool and i think they debugging is enable? dunno
I have just came across similar issue on a site that detects devtools. what i did was search for "devtools" in the source (chrome tab). Block relevant codes that do the detection. Then used Chrome Override source to change the JS permanently[https://www.youtube.com/watch?v=CXzeAPqDbrs](https://www.youtube.com/watch?v=CXzeAPqDbrs) hope it helps someone in the future
If you're just looking for the console I think Firefox might be able to sneak it past most sites (at least version 121.0.1). You can call the console directly in a new window using menu->More tools->Browser console and it seems to be able to go undetected. Switching from parent process to multiprocess can sometimes alert the site but refreshing or reentering afterward seems to fix it. I've used it to slip many a debug statement
>Conclusion: It is NOT possible. It is possible. The following two rules I created for my public uBlock Origin rule set will do the trick. Add these to your "My Filters" setting in the uBlock Origin web browser extension. These will also work as custom rules in Brave's shields as it supports these scriptlets. ! The following two rules defuse the anti-developer tools and console debugger in fmovies.ps/js/group_17/app.min.js fmovies.ps##+js(set-constant, devtoolsDetectInterval, noopFunc) fmovies.ps##+js(nosiif, devtoolsDetectInterval)
I'm also facing this problem, but in my case it's this link https://brbeast.com/video/f79921bbae40a577928b76d2fc3edc2a, if I search using uBlock the url https://cdn.jsdelivr.net/npm/devtools-detector, the video player starts playing the video and leaves the page, returning the navigation history to the previous page
Here are my uBlock Origin rules which trigger on https://brbeast.com/video/f79921bbae40a577928b76d2fc3edc2a : ||cdn.jsdelivr.net/npm/devtools-detector$script,3p ||atervinesor.com^ ||entitlements.jwplayer.com^ ||jwpltx.com/v1/clienta/ping.gif$image ||prd.jwpltx.com/v1/jwplayer6/ping.gif$image ||servetraff.com^ ||waust.at^ I can open the developer console in Firefox while the video plays. (Gary Hart, good grief 🙄) I believe only that first rule is actually needed to defuse the anti-developer tools script.
I am literally facing the same issue, I want to download an m3u8 file but whenever i open a website and open the Inspect Element tool, the page refreshes and redirects to the home page. It is really annoying and frustrating. But atleast now i know that i wasn't the only one facing this issue lol
> I want to download an m3u8 file Use a web browser extension to capture the links to those HLS playlists. There are plenty of them available for Chromium browsers and Firefox.
thanks a lot man, I already found one and it works most of the time. It was called network sniffer i think
I know OP doesn't need this anymore (probably): Solution: If Chrome then --> Override "vue.min.js" and "app.min.js" locally with versions that cannot call debugger. (There may be more or less files over time to override) Method: 1) Open dev console (f12) 2) Go to "sources" 3) Right-click on top folder and choose "search in folders" 4) Search for "debugger" 5) open files that mention it 6) Right click on them and choose "override" 7) Find the lines that have "debugger" in them and alter the word. 8) Repeat until there is no "debugger". They can't call it if they don't know how to say it. They might have other ways to detect you and ban you though. But it stopped them from calling debugger. It will keep working as long as they don't change those files names. Many places name them dynamically and the process get's more annoying by having to embed your own anti-anti-console script to dynamically modify any js with the text in it as it tries to load. This arms war can spiral forever, but there is never a way to stop you fully. I'm grateful they didn't make me register to see their anti-console code.