
Yahoo Account Creation Help

Discussion in 'General Programming Chat' started by wbio3, Apr 13, 2010.

  1. wbio3

    wbio3 Newbie

    Joined:
    Feb 19, 2009
    Messages:
    15
    Likes Received:
    9
    I'm working on a program to make Yahoo accounts and I want to do it without using the WebBrowser control, so I need to know the header info to pass. Here is what the header looks like (Note that I've put asterisks beside the random_field part, those asterisks aren't in the actual header):
    Code:
    .parentreg=&ko=re3&origIntl=&u=2k7n70h5s91en&dracs=&t=Sg2k_QPsGBLH0S54aHbPV9btLd
    jEg5oWsTAKLUXJNy0GVWfe1KNbvV80xnNg4i2GyE7lGHpo6ukwoGCx2t4nofHt9B7neb19fxit0Z.BT8m2j.3Qk3dKAUU
    EkpoYUbtw.6N2ff.l6zktu2r_m7UkPo8.Hx79DZ.V8tyB573bPHTyHkd8gUj_dRx0jY_uV71W1K_rase.Ytutj7z5LC_OgV
    nGm.SAMYOj_ibopZeA5pXUXCdjohPpS_fhAv5qqOgOBQNiaeCa0zl81L6kPEUrEU04K_024AyFmfsjYTzwu94x.Hzu7G
    MwJP3kxcXp8g8qad0LMqdYtK8-%7EB&done=http%3A%2F%2Fmail.yahoo.com&last=
    &partner=yahoo_default&intl=us&src=ym&.scrumb=&jsenabled=1&exitSurveyEnabled=0
    &regType=yidreg&firstname=Johnny&secondname=Appleseed&gender=m&mm=4&dd=14
    &yyyy=1947&country=us&postalcode=27514&yahooid=jappleseed3245&domain=yahoo.com
    &password=blackhatworld&passwordconfirm=blackhatworld&altemail=&secquestion=What
    +is+your+oldest+cousin%27s+name%3F&customsecquestion1=&secquestionanswer=Tommy&
    secquestion2=What+was+your+first+pet%27s+name%3F&customsecquestion2=
    &secquestionanswer2=Fluffy&cword=u68Ld5&cdata=tt_rj.JZFelA6jeKsqbzmlPLSG1iG0lJH_1
    Yfr0tRzZHPw2dbquF1102FJOQOaYHIEUGlS59oFFGIiCLfkPVcaxOXJmMWCajqC9B&cadata=h4zXTuJZFekz9q6Og
    Z8ERQPKnOwUzSJgyJo6pd8AFmcAuj8uNXlMF_y4NTwnXxCEyR7UJfXY4_5ctPechmw4vu24xDkOSlmIw4S0zA--
    &showc=1&tos_agreed=y&IAgreeBtn=Create+My+Account&tmps=true&binMapFld=1792894
    &audioCaptchaClicked=0&audioCaptchaReplayClicked=0
    *****&random_field=138d1f14c331b1c8e1a87c07508fa276
    &d_i=10.0.32%3B32%3B728%3B1024%3B768%3B1024%3B32%3Btrue%3BTuesday%2C+April+13%2C+2010
    +10%3A59%3A06+AM%3Btrue%3BMozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-
    US%3B+rv%3A1.9.1.9%29+Gecko%2F20100315+Firefox%2F3.5.9%3B27%3B
    &d_i_h=761e707bab15bd4f08c36956f22f8c68&timeSpent=firstname%232307%3Bsecondname%233530%3Bgender%231524%3Bmm%232090%3Bdd%231
    168%3Byyyy%237382%3Bpostalcode%237101%3Byahooid%2314197%3Bpassword%236493%3Bpasswor
    dconfirm%234494%3Bsecquestion%234147%3Bsecquestionanswer%237888%3Bsecquestion%235979%3B
    secquestionanswer%233110%3Bsecquestion2%238173%3Bsecquestionanswer2%2310061%3Bsecquestio
    n2%236450%3Bsecquestionanswer2%237213%3Bcword%239416%3Bcword%238%3Btotal_time%23124522
    I have all of it figured out except the "random_field" value. It's an MD5 hash of something, but I can't figure out what. Here is the code of interest in that regard:
    Code:
    <input type="text" name="yahooid" id="yahooid" value="" size="32" maxlength="32" class="" autocomplete="off">
    
    var pageConfig = {
    
        enableYidHelper:true,
        showCaptcha:1,
        cURL: "https://ab.login.yahoo.com/img/tt_rj.JZFelA6jeKsqbzmlPLSG1iG0lJH_1Yfr0tRzZHPw2dbquF1102FJOQOaYHIEUGlS59oFFGIiCLfkPVcaxOXJmMWCajqC9B.jpg",
        xyz: 0,
        enableSocRegUAValidation : false,
        rtlIntl : "",
        tmpdata: "hRlT4C1L_LK_ZC2VewXdORvWHDUdJ16Sm4z6qdrfC6azTFCeChWR0NyQYoURTlsBaBZjXQz.uh.HZpp_DvHnUDu7TS1hrI5Sv1vMPJYVu3uXezB5laJKJPJBg.aHa8Rz~B",
        displayCustomQuestion1 : false,
        displayCustomQuestion2 : false,
        isZipValidatorEnabled : true,
        setValue: true,
        enabledFLvlRep: false,
        isCustomQuestionsEnabled : true,
        noZipCountryList : "al,at,sn,ae,af,ag,ai,an,ao,aw,bb,be,bf,bi,bj,bn,bo,bs,bt,bw,bz,cd,cf,cg,ci,ck,cl,cm,co,cu,cv,dj,dm,do,ec,eh,er,et,fi,fj,fk,ga,gd,gh,gi,gm,gn,gq,gs,gy,ie,io,iq,jm,kh,ki,km,kn,kp,kw,ky,lb,lc,lr,ls,ly,ml,mm,mr,ms,mu.mw,na,ne,ng,ni,nl,nr,nu,pa,pe,pi,pn,qa,rw,sa,sb,sc,sh,sl,so,st,sy,tc,td,tg,tk,to,tt,tv,tz,vc,vg,vn,vu,ws,xd,xe,xx,ye,zw,ug,hk,tf,sj,aq,bv,hm,mo,sr,ua,kr",
        random_field:"yahooid",
        intl : "us"
              
    };
    As you can see, it says that the random_field will be yahooid, but I've tried all sorts of things involving the yahooid (jappleseed3245) and can't seem to figure out what exactly is being used for the MD5 hash. If anyone has any experience with this or can help me with this I would really appreciate it. I've attached the HTML of the registration page as well as the header info in a .txt file if that is easier for you to read. Thank you for your help.
     


    Last edited: Apr 13, 2010
  2. smack

    smack Junior Member

    Joined:
    Feb 1, 2010
    Messages:
    182
    Likes Received:
    78
    Occupation:
    Software Engineer/Evil Genius
    Location:
    inside .NET
    Code:
    <input type="text" name="yahooid" id="yahooid" value="" size="32" maxlength="32" class="" autocomplete="off">
    
    i would venture to say that the secret value is a hash of the characters in the ID field.

    looks like at the bottom of the page they are using a small js to register an onload event that inserts a link to some more js files. typically this is done to avoid null object references since the script will only be activated to register the other script libraries after, or just as the page has finished loading. this ensures that all controls the js files may be interacting with are rendered and present in the page.

    my advice would be to write a quick function to hash a string using md5. then packet log the submit of a yahoo page and write down the "secret" value. then run the user id you have just submitted through YOUR md5 hash function and see if the hashed values match. if they do, you know you've got the right hashing. if they don't match try removing the @domain.com and just hashing the username. if that doesn't work, then try replacing the md5 hash with a sha1 hash.

    - edit -

    it is possible (however unlikely) that they are salting their hash. try to locate all the client script libraries they are registering in that page to see if you can track down which function(s) are being used and how the page is being altered once it reaches the client.

    you could also just shut off javascript altogether and packet log a registration without the client side scripting enabled to see what it does.
     
    Last edited: Apr 13, 2010
  3. wbio3

    wbio3 Newbie

    Hey smack, thanks for the response. I've tried using the yahoo id (jappleseed3245) with and without the yahoo.com but the hashes don't match up (with MD5 or SHA-1). I think it must be salted, but can't figure out what it's salted with.
    I tried disabling javascript but yahoo won't let you register an account with javascript disabled so that didn't work out. This is really frustrating me because it's the only thing I'm missing to create my accounts.

    EDIT: I just realized I hadn't uploaded the files (registration page HTML and the HTTP Post info when the form is submitted) in my first post, so I went back and uploaded those.
     
    Last edited: Apr 13, 2010
  4. smack

    smack Junior Member

    hey, are you still having trouble with this?

    i have your solution. let me put together a post.
     
  5. smack

    smack Junior Member

    ok so here is what is going on with the secret value.

    the secret value field is written to the page using a client side script. the ID of the ID field is then combined with another value on the page that is dynamic, hashed with md5, and propagated to the secret field so it can be sent along with the post data.

    the main js functions file is:

    Code:
    https://s.yimg.com/lq/lib/membership/ns/js/registration_start_min_waf_203063.js
    so i searched through that file for "random_field"

    here is what i found:

    Code:
    ymem_reg.attachRF=function(){if(ymem_reg.config.random_field=="none"){return}var c=document.createElement("input");var d=document.getElementById("regFormBody");c.setAttribute("type","hidden");c.setAttribute("name","random_field");c.setAttribute("id","random_field");var a=ymem_reg.config.random_field;var b=document.getElementById("u").value;a=MD5(a+b);c.setAttribute("value",a);d.appendChild(c)};
    now you can see in the js there that it is creating the hidden field with an ID and name of "random_field". the linchpin to the whole script though is this line:

    Code:
    b=document.getElementById("u").value;a=MD5(a+b)
    what this is doing, is declaring a variable, "b", then assigning its value to the value of another hidden form field named "u".

    looking at the html of the page u is defined as follows:

    Code:
    <input type="hidden" id="u" name="u" value="a8hf4vh5sgtic">
    so this js function is taking the value of the variable "a" which is defined as follows:

    Code:
    var a=ymem_reg.config.random_field
    then it does "a+b" (in js you can use + for string concatenation). so in this case the string it is creating would be "yahooida8hf4vh5sgtic".

    it then takes this string value and hashes it with md5 to produce:

    9a742ed2247d8535d1bf691077f8001a

    this is the value that is being sent in the post data of the packet.

    the "u" value changes each time the page is requested, so what you want to do is parse out the value of the "u" field and tack it on to the end of the string value for the id field which is "yahooid".

    then hash it, and send it. :)

    in vb.net an example of an md5 hash function would look something like this:

    Code:
    Imports System.Security.Cryptography
    Imports System.Text ' needed for Encoding and StringBuilder

    ' Place this function inside a Module or Class.
    Function getMd5Hash(ByVal input As String) As String
        ' Create a new instance of the MD5 object.
        Dim md5Hasher As MD5 = MD5.Create()

        ' Convert the input string to a byte array and compute the hash.
        Dim data As Byte() = md5Hasher.ComputeHash(Encoding.Default.GetBytes(input))

        ' Create a new StringBuilder to collect the bytes
        ' and create a string.
        Dim sBuilder As New StringBuilder()

        ' Loop through each byte of the hashed data
        ' and format each one as a hexadecimal string.
        Dim i As Integer
        For i = 0 To data.Length - 1
            sBuilder.Append(data(i).ToString("x2"))
        Next i

        ' Return the hexadecimal string.
        Return sBuilder.ToString()
    End Function
    i haven't tested this with a full signup, but i have hashed and compared the values and they match. this should solve your problem.

    mahalo.
     
    • Thanks Thanks x 1
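
Added example, not part of the posts above and not Yahoo's code: the `random_field` scheme traced in the previous post uses only values shipped in the page, so it carries no secret; the sketch below sets it beside a server-keyed form token bound to a session and a time window. `SERVER_KEY`, `MAX_AGE_MS`, `issueFormToken`, `verifyFormToken` and the session ids are hypothetical names and values chosen for illustration.

```javascript
// Added example: a page-derived value versus a server-keyed form token.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// The scheme described in the thread: MD5(field name + hidden "u" value).
// Both inputs are delivered in the page, so any client can recompute the output.
function pageDerivedToken(fieldName, u) {
  return createHash('md5').update(fieldName + u, 'utf8').digest('hex');
}

// Hypothetical server-side alternative: the key never leaves the server.
const SERVER_KEY = randomBytes(32);   // constructed per-process key for the demo
const MAX_AGE_MS = 10 * 60 * 1000;    // assumed 10-minute form lifetime

// HMAC-SHA256 over (session id, issue time); returns a 32-byte Buffer.
function mac(sessionId, issuedAt) {
  return createHmac('sha256', SERVER_KEY).update(`${sessionId}|${issuedAt}`).digest();
}

// Token = issue time + "." + hex MAC, embedded in the form when it is served.
function issueFormToken(sessionId, now = Date.now()) {
  return `${now}.${mac(sessionId, now).toString('hex')}`;
}

// Accept only a well-formed, unexpired token whose MAC matches this session.
function verifyFormToken(token, sessionId, now = Date.now()) {
  const match = /^(\d{1,15})\.([0-9a-f]{64})$/.exec(String(token));
  if (!match) return false;
  const issuedAt = Number(match[1]);
  if (issuedAt > now || now - issuedAt > MAX_AGE_MS) return false; // future-dated or expired
  const expected = mac(sessionId, issuedAt);
  const supplied = Buffer.from(match[2], 'hex'); // 64 hex chars -> 32 bytes
  return timingSafeEqual(expected, supplied);    // constant-time comparison
}
```

A keyed token ties a submission to the session and time at which the form was served, and the server can reject anything it did not issue. It does not by itself tell a script from a browser, since either can request the form.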
  6. wbio3

    wbio3 Newbie

    WOW, thank you SO much. This is a great explanation of everything. I haven't had a chance to try it out yet, but I can't see why this wouldn't work. Thank you so much for taking the time to figure this out, I really, really appreciate it. I'm going to try it out later today and I'll let you know how it goes. Thank you again!

    EDIT: Hmm, I'm trying to give you +rep but for some reason the Give Rep button doesn't appear. Maybe I don't have enough posts? Well, just know that I would give you +rep if I could, haha.
     
    Last edited: Apr 16, 2010
  7. smack

    smack Junior Member

    hey no problem man. this stuck in my craw a bit and i have had it on the back burner for a couple days now. i finally got around to investigating it further.

    i know what it is like to run in to a strange problem that creates a roadblock for your entire application, and it sucks. so glad i could lend a hand.

    cheers!
     
    • Thanks Thanks x 1