Help with config header



  • Hi guys!
    So I have this problem with a config for a streaming site (doing the Android API). I could spam login on the phone and just get wrong password (401 unauthorized), but testing my config I get a 400 error, "captcha required". AFAIK there's no captcha when using the app, at all, so I just take it as something's wrong in the header.
    Tried everything and the only thing that varies between each post request is this one header:
    client-id: (constant):(currentunixtime):(64characterSHA256)

    So I parsed the currentunixtime in OB but from what I see the only problem is the SHA256 hash right after it. I tried encoding the unixtime to sha256, tried all the combinations with the unixtime, email, and pass to sha256, nothing seems to work, still the same 400 error.

    Anyone have an idea? There's also an auth bearer but it does not change at all. Appreciate any help!


  • Donator

    maybe invisible recaptcha which gets invoked when pressing the login button
    https://developers.google.com/recaptcha/docs/invisible
    but it should normally be somewhere in the headers or post payload

    you need to decompile the app to see and find the hashing function and then replicate it



  • @Itamai
    So it is the hash after unixtime that's the missing piece? It does look like the invisible captcha makes sense, any chance I could add you on Telegram or Discord for more help?


  • Donator

    Hmm, maybe, but maybe not, because it's just a header to identify the user; most apps don't even care about that, you could probably use the same one.
    Can you post your whole payload with headers?
    I mean, it literally gives you "captcha required" as the response, so there needs to be a header or value in the post data.
    And I can help you here, no need to switch to Discord.



  • @Itamai What do you mean by payload? The response?



  • Still need help with this! Appreciate the help

