Google+按钮后面的逆向工程Javascript
[英]Reverse engineering Javascript behind Google+ button
问题描述
I am trying to simulate google+ button.In Somepart of code at LINK ,It converts the session id into Some kinda hash.What i found is session id name is SAPISID and the converted hash name is SAPISIDHASH, Can anyone tell me which part of code does the hash part. 
I am trying to simulate google+ button.In Somepart of code at LINK ,It converts the session id into Some kinda hash.What i found is session id name is SAPISID and the converted hash name is SAPISIDHASH, Can anyone tell me which part of code做 hash 部分。 Any help will be appreciated.i have spent 6 hours straight, still no clue:(任何帮助将不胜感激。我已经连续花了 6 个小时,仍然没有任何线索:(
For Example VUOyLIU22fNPz2ko/AbGsxW03_WHoGjaJq is SAPISID and f17aa630b9b9a105dad437b0fedcafe429f6fca2 is SAPISIDHASH .例如VUOyLIU22fNPz2ko/AbGsxW03_WHoGjaJq is SAPISID和f17aa630b9b9a105dad437b0fedcafe429f6fca2 is SAPISIDHASH 。 In php i tried all kind of hash..nothing matches.在 php 中,我尝试了所有类型的 hash.. 没有匹配项。
2 个解决方案
解决方案1
43 2015-08-18 06:43:11
VICTORY.胜利。 Well for me at least 😛 The SAPISIDHASH I was looking for was the one in the API console.至少对我来说好SAPISIDHASH我正在寻找的 SAPISIDHASH 是 API 控制台中的那个。 Automation for rather large job, totally legitimate.相当大的工作自动化,完全合法。 The one I found was a SHA1 on the current JavaScript milliseconds timestamp plus your current SAPISID from your cookie plus the domain origin.我发现的一个是当前 JavaScript 毫秒时间戳上的 SHA1 加上来自 cookie 的当前SAPISID加上域来源。 In order for my request to work I had to include the following headers in the request:为了使我的请求生效,我必须在请求中包含以下标头:
Authorization:SAPISIDHASH 1439879298823_<hidden sha1 hash value>
and:和:
X-Origin:https://console.developers.google.com
The first header I assume tells the server your timestamp and your SHA1 value.我假设的第一个 header 告诉服务器您的时间戳和您的 SHA1 值。 The second (breaks if you don't include it) tells it the origin to use in the SHA1 algorithm.第二个(如果你不包括它就中断)告诉它在 SHA1 算法中使用的来源。 I found the algorithm by digging through and debugging the hell out of tons of minified JS NOTE there are spaces appended between the values .我通过挖掘和调试大量缩小的 JS 找到了该算法。注意在值之间附加了空格。 The psuedo code is basically:伪代码基本上是:
sha1(new Date().getTime() + ' ' + SAPISID + ' ' + origin);
That is at least how I got my SAPISIDHASH value in my use case here in 2015 (few years later I know)... different from yours but maybe I will help some other young good hacker out there one day.至少这就是我在 2015 年(几年后我知道)在我的用例中获得SAPISIDHASH价值的方式......与你的不同,但也许有一天我会帮助其他一些年轻的优秀黑客。
解决方案2
7 2015-11-09 02:30:04
All credits to Dave Thomas.所有学分都归功于戴夫·托马斯。
I just want to clarify that for the X-Origin, or Origin, you do not include the "X-Origin:" or "Origin:"我只是想澄清一下,对于 X-Origin 或 Origin,您不包括“X-Origin:”或“Origin:”
Here is one example:这是一个例子:
public class SAPISIDHASH {
public static void main(String [] args) {
String sapisid = "b4qUZKO4943exo9W/AmP2OAZLWGDwTsuh1";
String origin = "https://hangouts.google.com";
String sapisidhash = "1447033700279" + " " + sapisid + " " + origin;
System.out.println("SAPISID:\n"+ hashString(sapisidhash));
System.out.println("Expecting:");
System.out.println("38cb670a2eaa2aca37edf07293150865121275cd");
}
private static String hashString(String password)
{
String sha1 = "";
try
{
MessageDigest crypt = MessageDigest.getInstance("SHA-1");
crypt.reset();
crypt.update(password.getBytes("UTF-8"));
sha1 = byteToHex(crypt.digest());
}
catch(NoSuchAlgorithmException e)
{
e.printStackTrace();
}
catch(UnsupportedEncodingException e)
{
e.printStackTrace();
}
return sha1;
}
private static String byteToHex(final byte[] hash)
{
Formatter formatter = new Formatter();
for (byte b : hash)
{
formatter.format("%02x", b);
}
String result = formatter.toString();
formatter.close();
return result;
}
}
source for sha1 in Java: Java String to SHA1 Java 中 sha1 的来源: Java 字符串到 SHA1
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.