From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=8.23.224.61; helo=out.smtp-auth.no-ip.com; envelope-from=kevin@carhart.net; receiver= Received: from out.smtp-auth.no-ip.com (smtp-auth.no-ip.com [8.23.224.61]) by hurricane.the-brannons.com (Postfix) with ESMTPS id A5EB377DE8 for ; Wed, 27 Sep 2017 20:44:19 -0700 (PDT) X-No-IP: carhart.net@noip-smtp X-Report-Spam-To: abuse@no-ip.com Received: from carhart.net (unknown [99.52.200.227]) (Authenticated sender: carhart.net@noip-smtp) by smtp-auth.no-ip.com (Postfix) with ESMTPA id 8ED5F540; Wed, 27 Sep 2017 20:46:01 -0700 (PDT) Received: from carhart.net (localhost [127.0.0.1]) by carhart.net (8.13.8/8.13.8) with ESMTP id v8S3jwfG031069; Wed, 27 Sep 2017 20:45:59 -0700 Received: from localhost (kevin@localhost) by carhart.net (8.13.8/8.13.8/Submit) with ESMTP id v8S3jvPT031063; Wed, 27 Sep 2017 20:45:58 -0700 Date: Wed, 27 Sep 2017 20:45:57 -0700 (PDT) From: Kevin Carhart To: Karl Dahlke cc: edbrowse-dev@lists.the-brannons.com In-Reply-To: <20170827064819.eklhad@comcast.net> Message-ID: References: <20170827064819.eklhad@comcast.net> User-Agent: Alpine 2.03 (LRH 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Subject: [Edbrowse-dev] amazon X-BeenThere: edbrowse-dev@lists.the-brannons.com X-Mailman-Version: 2.1.24 Precedence: list List-Id: Edbrowse Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2017 03:44:19 -0000 > Instead of try catch I created the style object, if it was missing, and also log that it is not there. Thank you.. the homepage of amazon now reports no errors at all! The login page still reports a couple. Logging in doesn't work yet. There's something quite remarkable......... If you want to experience this for yourself, do this.. b http://amazon.com 11 {the line with the login link} demin g2 {Now the login page is loaded} jdb showscripts() {scripts[9] is the big one. either echo document.scripts[9].data or export it to a file} This code, called fwcim._CB516154953_.js, is impressively obfuscated. Not something you run across every day. I hope we will be able to just point edbrowse at it and will not need to think about its inner workings, unless anyone knows about deobfuscation or has the appetite for a huge substitution cipher: var _z2sz = function (_Zs$2, _iLLLl, _111LI) { var _ooO0O = [ 'FwcimObfusca', 'nod', 'te', 'hBStatement', 'has', 'e', 39801 ]; var _ZS$2z = _ooO0O[1] + _ooO0O[5] + (_ooO0O[0] + _ooO0O[2]), _2szSs = _ooO0O[6]; There is more to do here.. I've just been reading a blog post by Ricky Lalwani, who has succesfully done just what we are trying to do. The problem involves an http request variable called 'metadata1', which is generated on the fly. And a remarkable amount of work goes in to building this thing. https://ricky.lalwani.me/programming/logging-in-to-amazon-part-2/ So the good news is that others have tried to log in to amazon over http tools. The bad news is that it appears to be an industrial strength challenge..