fit.sh

[smed79]

Hello,
site not supported http://fit.sh/1w9

Thanks.

[devnoname120]

Could you please replace this in the script:

var interLink = '/go/' + m + '?a=' + window.location.hash.substr(1);

With:

var interLink = '/go/' + m + '?fa=15466&a=' + window.location.hash.substr(1);

Does it work with you? (If you use an Adblocker, please click on 'OK' after the alert appears).
This is stupid, but it could actually work.

Developer notes:

The skipping part is embedded in an external advertizing script.
http://server1.affiz.net/tracking/ads_display.php?nodiv=1&n=*many_digits*_a5fcb5c087&rdads=*random_number*

[smed79]

With you update working, the link redirect to ://streamingpsg.com/ch2.php
Without your update ...nothing ...redirect to ://fit.sh/go/OWY0YjI0Y2QzODBiZjdkZGU1M2Y1ZDZiZTllYjU3ZjN8MTQyNjYzMDQ1Nnwxdzk=?a=

About Adblocker i have already fix the anti-adblock on french list https://hg.adblockplus.org/listefr/rev/1b1bf7115787

Thank you.

[devnoname120]

OK, we should wait a few days to check whether it continues working or not (I don't know if the number changes or not).

Developers notes:

About skipping the 6-second timer (instead of this, we are currently delaying the $.openLink()):

The token that we extract is actually a base64-encoded string, whose components are separated by |.
Example of decoded string: 4e3b8b072bf250711428d00186394df3|1426632133|1w9

The first component is a hash, most likely MD5 (possibly salted, or MD4).
The second is a Unix timestamp in second (time at which the user accessed the page).
The last one is the link identifier (same as the one in the URL).

Remarks:

• The normal redirection works even if cookies are disabled
• I tried to change the timestamp on-the-fly so as to make the server believe that I accessed the page 10 seconds before. It didn't work, the server redirected to the current page.
• Changing the hash or putting a timestamp in the future make the server redirect to http://fit.sh/aid (which points to http://fitshr.com/search after normal waiting).
• Keeping the decoded string (hash|timestamp|id), and using it later works, even if it has been already utilized for skipping a link.

The fact that these 3 parameters alone allow to skip a link make me believe that the hash might be calculated from the timestamp and the id. I did a few attempts, but I couldn't easily find the relationship.

@legnaleurc Any thoughts?

An API is also available, but since it requires a private key, we are likely to be banned in no time after using it in the script.

[smed79]

Ok, thank you for your help and support.

[legnaleurc]

The fact that these 3 parameters alone allow to skip a link make me believe that the hash might be calculated from the timestamp and the id.

I guess so.
It should be fine to wait few seconds if we don't have better solution.

[legnaleurc]

@devnoname120 do you have something to push for this issue or I just write the patch here?
Just in case we won't have unnecessary commits.

[devnoname120]

I have already created the patch, but I don't have access to my computer right now.
Feel free to create it yourself, in case you want to publish a new release.