maphez51
Hello, I've made this so new config makers can understand using static variables (my pet peeve) doesn't work. I also want to help increase the quality of configs released on this forum, and of course, to stop config makers scamming new users with these shitty configs. I might add, this isn't a full blown guide, this is more to combat common misconceptions in the config making field. I don't baby you on how to make a config (just to get that out there).
Anyways, enjoy.
AKAMAI AND STATIC VARIABLES
Okay, first off, static variables are terrible. What I mean by this is static cookies, csrf tokens, AKAMAI COOKIES FOR FUCK SAKES, x-acf-sensor-data and shit like that. Some sites use static variables, but most don't. Take for instance this config:
As you can see, this "config maker" uses a static akamai cookie along with static akamai-bmp sensor data (red and dark blue). They're also using a static sig (light blue) and static unix (light blue). I'm not sure about the other headers as I haven't attempted Zalando before due to their akamai-bmp. The other headers may be static but as I said, I'm not sure. Anyways, in case you don't know what akamai is, it's an anti-bot that prevents us config makers from sending requests to the login api. You need a specific cookie or sensor data in this case. Sensor data is used for apps (I haven't seen it in a website before, correct me if I'm wrong) whereas akamai on a website uses cookies and some other shit. Zalando also contains a signature and unix like Onlyfans. Using static variables like this will work for maybe 3 requests, but after that, it won't work and it'll more than likely lock your accounts. If you're going to attempt a site with akamai or app, I recommend trying to find an alt api unless you have the bypass (obviously). This not only makes you look bad as a config maker, but proves you don't have much knowledge in the config scene which isn't what you want for obvious reasons. You'll also be mocked by other config makers. You can identify akamai by looking in your httpsdebugger under the cookies section of the api you're looking at. It'll have a cookie called _abck. Sometimes you might be able to get an unenforced akamai site where it isn't actually enforced on their site despite them having akamai on there. This was seen with a Panera config I made quite a while ago where they unenforced one of their APIs and you got like 4k+ cpm.
PARSING
When you're parsing a csrf token, make sure you place the variable name CORRECTLY into the token thing. Let's say hypothetically I parse a csrf token with the name "t" then I go and place the variable name under the csrf token as "<T>". This'll just give you <T> because the variable names are case-sensitive and the site will give you a response "csrf token wrong" or something along those lines (unless the site is fucked/has silent-ban). You need to make sure you parse all variables correctly and use the correct variable name, otherwise problems will arise within your config.
UNIX
Unix is the number of seconds that have elapsed since 00:00 UTC on 1 January 1970. It's used in some sites, including Zalando. Openbullet has a feature in the function block where you can generate the current unix time. You can spot it by looking at the first two numbers, most commonly it has 10 numbers, however, sometimes it has 13 since some sites include the milliseconds. For example, 1632555366233, I'd just remove the first ten numbers and put your variable and leave the last 3 (doesn't always work I don't think).
Omylord was kind enough to send some JS to generate 13 unix.
BEGIN SCRIPT JavaScript
var TIME = new Date().getTime();
END SCRIPT -> VARS "TIME"
The variable is <TIME>
Thanks Omylord!
PerimeterX
PerimeterX is sort of similar to akamai, however, they use (most commonly), a security where they redirect you to another page and make you solve a press & hold captcha and give you a cookie which gives you access to login. This is seen on many sites including Sams Club, StockX, Goat, Walmart, etc. As I said with akamai, I wouldn't try with it unless you have a bypass or you're trying to bypass it, just find an alt api. You can identify PerimeterX by looking at the cookies in your httpsdebugger. If the site has pxhd in the cookies, it has perimeterX. Very rarely, sites may have unenforced PX where you can send a request to the login api despite them having the PX cookie. That's extremely rare, but it doesn't hurt to try anyways.
Shape
I don't know much about shape, however, it's easy to identify. If you look in the headers, you'll see x-(a random string of letters)-a, followed by a fucking shit ton of characters. It's encrypted headers and it's whack, that's all I know.
Anyways, I hope this guide helps some config makers and most importantly, helps people when looking at configs they bought. WATCH OUT FOR STATIC SHIT. This took a while to make, I'd appreciate if y'all would drop a like, thank you! Also, if you have any other tips, leave them in the comments below and if I'm wrong about anything, also leave a comment below and I'll correct it.
LEAVE A LIKE OR YOU'RE GAY
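From the defending side, the static values this post describes stand out because one token and one timestamp repeat across many login attempts. The following is an added example, not part of the original post; the field names, thresholds and sample events are constructed assumptions.

```javascript
// Added example: server-side checks for replayed ("static") request values.
// Field names (ts, token, user) and thresholds are assumptions for illustration.
const MAX_SKEW_MS = 2 * 60 * 1000; // accept client timestamps within 2 minutes
const MAX_TOKEN_USES = 3;          // one anti-bot token should not serve many logins

// Accept 10-digit (seconds) or 13-digit (milliseconds) Unix time; null otherwise.
function toMillis(ts) {
  const s = String(ts);
  if (!/^\d+$/.test(s)) return null;
  if (s.length === 10) return Number(s) * 1000;
  if (s.length === 13) return Number(s);
  return null;
}

// Returns the reasons a single login request looks replayed.
// `seen` maps token -> { count, users } and is updated on every call.
function inspect(req, seen, nowMs) {
  const reasons = [];
  const ms = toMillis(req.ts);
  if (ms === null) reasons.push("bad-timestamp");
  else if (Math.abs(nowMs - ms) > MAX_SKEW_MS) reasons.push("stale-timestamp");

  const entry = seen.get(req.token) || { count: 0, users: new Set() };
  entry.count += 1;
  entry.users.add(req.user);
  seen.set(req.token, entry);
  if (entry.count > MAX_TOKEN_USES) reasons.push("token-reuse");
  if (entry.users.size > 1) reasons.push("token-shared-across-accounts");
  return reasons;
}

// Run the checks over a batch of parsed login events: { at, ts, token, user }.
function scan(events) {
  const seen = new Map();
  return events
    .map((e) => ({ user: e.user, reasons: inspect(e, seen, e.at) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample: one normal client, then one hard-coded token and timestamp.
const T0 = 1632555366233;
const sample = [
  { at: T0, ts: "1632555366", token: "tok-A", user: "alice" },
  { at: T0 + 1000, ts: "1632555366233", token: "tok-STATIC", user: "u1" },
  { at: T0 + 200000, ts: "1632555366233", token: "tok-STATIC", user: "u2" },
  { at: T0 + 400000, ts: "1632555366233", token: "tok-STATIC", user: "u3" },
  { at: T0 + 600000, ts: "1632555366233", token: "tok-STATIC", user: "u4" },
];
console.log(scan(sample));
```

In production the `seen` map would live in a shared store with expiry, and a flag would feed step-up verification or rate limiting rather than an immediate account lock.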