Ferk, 7 months ago (edited 7 months ago)

That’s out of context. That snippet of code existing is not sufficient to understand when does that part of the code gets actually executed, right?

For all we know, that might have been taken from a piece of logic like this that adds the delay only for specific cases:

<span style="color:#323232;">if ( complex_obfuscated_logic_to_discriminate_users ) {
</span><span style="color:#323232;">
</span><span style="color:#323232;">    setTimeout(function() {
</span><span style="color:#323232;">        c();
</span><span style="color:#323232;">        a.resolve(1)
</span><span style="color:#323232;">    }, 5E3);
</span><span style="color:#323232;">
</span><span style="color:#323232;">} else {
</span><span style="color:#323232;">
</span><span style="color:#323232;">    c();
</span><span style="color:#323232;">    a.resolve(1)
</span><span style="color:#323232;">
</span><span style="color:#323232;">}
</span>

It’s possible that complex_obfuscated_logic_to_discriminate_users has some logic that changes based on user agent.

And I expect it’s likely more complex than just one if-else. I haven’t had the time to check it myself, but there’s probably a mess of extremely hard to read obfuscated code as result of some compilation steps purposefully designed to make it very hard to properly understand when are some paths actually being executed, as a way to make tampering more difficult.