Geek Answers Handbook

Javascript reverse engineering behind the Google+ button

I am trying to simulate a google + button. In some part of the LINK code, it converts the session identifier into some kind of hash. What I found is the session identifier name is SAPISID, and the converted hash name is SAPISIDHASH. Can someone tell me which part of the code the hash part does. Any help would be appreciated. I spent 6 hours in a row, still do not understand :(

Example VUOyLIU22fNPz2ko/AbGsxW03_WHoGjaJq is SAPISID and f17aa630b9b9a105dad437b0fedcafe429f6fca2 is SAPISIDHASH . In php, I tried all kinds of hashes .. no matches.

+7
source share
2 answers

VICTORY! For me, at least for the SAPISIDHASH that I was looking for was the one that was on the api console. Automation for quite a lot of work, completely legal.

Anyway -> the one I found was SHA1 in the current javascript millisecond tag plus your current SAPISID from your cookie plus domain source

For my request to work, I had to include the following Authorization:SAPISIDHASH 1439879298823_<hidden sha1 hash value> headers in the request Authorization:SAPISIDHASH 1439879298823_<hidden sha1 hash value> as well as X-Origin:https://console.developers.google.com

The first heading, I assume, tells the server your timestamp and the value sha1. The second (breaks if you do not turn it on) reports that the source is used in the sha1 algorithm.

I found an algorithm by digging and debugging hell out of a ton of mini-js NOTE. Between values

Psuedo basiclly code>

sha1(new Date().getTime() + " " + SAPISID + " " + origin)

At least this is how I got my SAPISIDHASH value in my use case here in 2015 (after a few years I know) ... is different from yours, but maybe one day I will help another young good hacker

+6
source

All loans to Dave Thomas.

I just want to make it clear that for X-Origin or Origin you do not include "X-Origin:" or "Origin:"

Here is one example:

 public class SAPISIDHASH { public static void main(String [] args) { String sapisid = "b4qUZKO4943exo9W/AmP2OAZLWGDwTsuh1"; String origin = "https://hangouts.google.com"; String sapisidhash = "1447033700279" + " " + sapisid + " " + origin; System.out.println("SAPISID:\n"+ hashString(sapisidhash)); System.out.println("Expecting:"); System.out.println("38cb670a2eaa2aca37edf07293150865121275cd"); } private static String hashString(String password) { String sha1 = ""; try { MessageDigest crypt = MessageDigest.getInstance("SHA-1"); crypt.reset(); crypt.update(password.getBytes("UTF-8")); sha1 = byteToHex(crypt.digest()); } catch(NoSuchAlgorithmException e) { e.printStackTrace(); } catch(UnsupportedEncodingException e) { e.printStackTrace(); } return sha1; } private static String byteToHex(final byte[] hash) { Formatter formatter = new Formatter(); for (byte b : hash) { formatter.format("%02x", b); } String result = formatter.toString(); formatter.close(); return result; } }

source for sha1 in Java: Java String to SHA1

+2
source

More articles:


All Articles