From: Kevin Carhart <kevin@carhart.net>
To: Chuck Hallenbeck <chuckhallenbeck@gmail.com>
Cc: Dominique Martinet <asmadeus@codewreck.org>,
Edbrowse Development <edbrowse-dev@lists.the-brannons.com>
Subject: Re: [Edbrowse-dev] Signing into my Amazon account
Date: Fri, 5 Jan 2018 14:19:43 -0800 (PST) [thread overview]
Message-ID: <alpine.LRH.2.03.1801051405260.15068@carhart.net> (raw)
In-Reply-To: <alpine.DEB.2.21.1801051548070.6341@debian.pulsar.com>
I really want to support amazon.com. We have quite a hardcore javascript
challenge ahead of us. Back in September, I found out something jaw
dropping about what amazon does on their login page.
If you want to experience this for yourself, do this..
b http://amazon.com
11
{the line with the login link}
demin
g2
{Now the login page is loaded}
jdb
showscripts()
{scripts[9] is the big one. either echo document.scripts[9].data or export
it to a file}
This code, called fwcim._CB516154953_.js, is impressively obfuscated like
this:
var _z2sz = function (_Zs$2, _iLLLl, _111LI) {
var _ooO0O = [
'FwcimObfusca',
'nod',
'te',
'hBStatement',
'has',
'e',
39801
];
var _ZS$2z = _ooO0O[1] + _ooO0O[5] +
(_ooO0O[0] + _ooO0O[2]), 2szSs = _ooO0O[6];
Someone called Ricky Lalwani has also worked on this. His own angle is
that he wants to generate text-to-speech. He wrote about it at length in
a two-part post. Here's part two:
https://ricky.lalwani.me/programming/logging-in-to-amazon-part-2/
The problem involves an http request variable called 'metadata1', which is
generated on the fly. And a remarkable amount of work goes in to
building this thing, including bitwise transformation operators and hex
encoding. Amazon has put a lot of effort into making it difficult to get
an accurate value for metadata1, and they reject you without it.
Can the geniuses and genius-botherers of edbrowse-dev crack this code?
I hope we can do it!
On Fri, 5 Jan 2018, Chuck Hallenbeck wrote:
> Hi Dominique,
>
> Many thanks. I'll recompile edbrowse as you suggest and be able to use gdb
> for later checks.
>
> I'm much relieved to know this problem is reproducible. I have two others
> waiting in the wings <smile>
>
> Chuck
>
>
> Chuck
>
> --
> Here In Northeast Ohio also, The Moon is Waning Gibbous (81% of Full)
> When your only tool is a hammer, everything looks like a nail.
> Sent from Vernon's iPhone.
> _______________________________________________
> Edbrowse-dev mailing list
> Edbrowse-dev@lists.the-brannons.com
> http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
>
--------
Kevin Carhart * 415 225 5306 * The Ten Ninety Nihilists
next prev parent reply other threads:[~2018-01-05 22:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-05 19:54 Chuck Hallenbeck
2018-01-05 20:35 ` Dominique Martinet
2018-01-05 20:53 ` Chuck Hallenbeck
2018-01-05 22:19 ` Kevin Carhart [this message]
2018-01-05 22:04 ` Karl Dahlke
2018-01-05 22:55 ` Kevin Carhart
2018-01-05 23:40 ` Chuck Hallenbeck
2018-01-06 12:12 ` Chuck Hallenbeck
2018-01-06 12:20 ` Dominique Martinet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.03.1801051405260.15068@carhart.net \
--to=kevin@carhart.net \
--cc=asmadeus@codewreck.org \
--cc=chuckhallenbeck@gmail.com \
--cc=edbrowse-dev@lists.the-brannons.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).