ERROR : s = '0.' + ':'.join(x[0]) IndexError: list index out of range #2

Hemadri43 opened this issue Jan 17, 2024 · 13 comments

@Hemadri43

https://discord.com/cdn-cgi/challenge-platform/scripts/invisible.js 404 is the reason for this error

@Hemadri43 closed this as not planned Jan 20, 2024
@Hemadri43 reopened this Feb 21, 2024
@populated

populated commented May 23, 2024

URIs were changed:

CHALLENGE: str = "https://discord.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/main.js"
CLEARANCE: str = "https://discord.com/cdn-cgi/challenge-platform/h/b/jsd/r/"

CHALLENGE is for fetching the s, key, and ray. This is important; you need to get cf-ray from the response headers from the GET request to CHALLENGE: response.headers.get("cf-ray", "").split("-")[0]. Then, using the ray, you send a POST request to CLEARANCE with the ray: post(CLEARANCE + ray).

The other stuff for wp isn't required anymore. You can literally just send these with a blank payload:

json={
    "s": s,
    "wp": None
}

It also seems like even s isn't required. It's just a Discord Cloudflare problem; no other site really has the same issue.

@RabbitHol3

RabbitHol3 commented Jun 16, 2024

@alluding what is the best approach to create wp? I'm doing this for another site, and I want to learn how to reverse the process to build a function where I can use it for another one. The JS script in this repository is fixed, but every time I request a new challenge, the JavaScript function from /cdn-cgi/challenge-platform/scripts/jsd/main.js changes.

@populated

> @alluding what is the best approach to create wp? I'm doing this for another site, and I want to learn how to reverse the process to build a function where I can use it for another one. The JS script in this repository is fixed, but every time I request a new challenge, the JavaScript function from /cdn-cgi/challenge-platform/scripts/jsd/main.js changes.

The only thing dynamically changing is the obfuscation/format of the code. The functions i, g, and h pretty much remain the same. g is the actual compression function (used for compressing the WP into the string sent to the API). h, if you couldn't tell by the code in this repo, is literally just a util function for calling g with the data and key, compressing, and getting it. i is decompression.

@RabbitHol3

> > @alluding what is the best approach to create wp? I'm doing this for another site, and I want to learn how to reverse the process to build a function where I can use it for another one. The JS script in this repository is fixed, but every time I request a new challenge, the JavaScript function from /cdn-cgi/challenge-platform/scripts/jsd/main.js changes.
>
> The only thing dynamically changing is the obfuscation/format of the code. The functions i, g, and h pretty much remain the same. g is the actual compression function (used for compressing the WP into the string sent to the API). h, if you couldn't tell by the code in this repo, is literally just a util function for calling g with the data and key, compressing, and getting it. i is decompression.

Got it, thank you. I've been able to solve it!

BTW, I've been wondering about translating the JS function to Python, since it's a bit annoying to call Node only to do these calcs.

@populated

> > > @alluding what is the best approach to create wp? I'm doing this for another site, and I want to learn how to reverse the process to build a function where I can use it for another one. The JS script in this repository is fixed, but every time I request a new challenge, the JavaScript function from /cdn-cgi/challenge-platform/scripts/jsd/main.js changes.
> >
> > The only thing dynamically changing is the obfuscation/format of the code. The functions i, g, and h pretty much remain the same. g is the actual compression function (used for compressing the WP into the string sent to the API). h, if you couldn't tell by the code in this repo, is literally just a util function for calling g with the data and key, compressing, and getting it. i is decompression.
>
> Got it, thank you. I've been able to solve it!
>
> BTW, I've been wondering about translating the JS function to Python, since it's a bit annoying to call Node only to do these calcs.

You can translate g - h to Python if you wish, whatever you want to do. I mean, if it would be easier to just use Node to call the function, it's whatever. Just try your best to optimize the call speed of the JS function.

@zxcvqwerasdf

Do we need other cookies to get cf_clearance? (__dcfduid, __sdcfduid, __cfruid, _cfuvid) ?

@populated

> Do we need other cookies to get cf_clearance? (__dcfduid, __sdcfduid, __cfruid, _cfuvid) ?

Those cookies you specified are more of Discord's thing than Cloudflare's. I'm not worried about them, and it worked without cookies. However, if you're sending requests to Discord itself for any sort of task, I'd recommend keeping your request as realistic as possible. This means including the cookies (dynamically generate them), x-fingerprint (some requests include this), x-super-properties, etc.

@zxcvqwerasdf

@alluding I can't understand how Discord reg-in works now. Sometimes I need only email verification, sometimes phone + email, and sometimes no verification is needed.
I am trying from the Chrome browser on a real mobile device, Chrome on Windows, and the Discord client on a real mobile device and Windows.
I can't understand the relationship between browser/client options and the need for account verification.
The only thing I noticed is that the latest version of Chrome on a real mobile device produces the best results when registering (out of 10 registrations, 6 did not require anything, 4 required an email).
And I can't understand why. Maybe it's Cloudflare TLS fingerprint checking? Or it's hCaptcha?

@populated

> @alluding I can't understand how Discord reg-in works now. Sometimes I need only email verification, sometimes phone + email, and sometimes no verification is needed. I am trying from the Chrome browser on a real mobile device, Chrome on Windows, and the Discord client on a real mobile device and Windows. I can't understand the relationship between browser/client options and the need for account verification. The only thing I noticed is that the latest version of Chrome on a real mobile device produces the best results when registering (out of 10 registrations, 6 did not require anything, 4 required an email). And I can't understand why. Maybe it's Cloudflare TLS fingerprint checking? Or it's hCaptcha?

I see what you mean. Yes, the register API is a bit sensitive. The reason browsers are more detected than mobile is because, usually, people assume using the browser API is much better and easier. Because of this, browser user agents, headers, cookies, etc., and devices are overall more detected since the chances of people using browsers for tools/bots are higher. This is why you get more verifications, etc., compared to when on a phone. Yes, it's still possible with an emulator of some sort, but that is much harder and way more time-consuming, and some people decide not to do it because not all can either. They know that this is the reason why browser-based registrations are much more prone to phone/email locks and captchas compared to if you signed up on mobile. This is why people try their best to emulate mobile devices instead of browsers.

@zxcvqwerasdf

@alluding Who do you think has the most impact on the "bot score"? The Cloudflare challenge or hCaptcha? Discord can only check request headers.

@populated

> @alluding Who do you think has the most impact on the "bot score"? The Cloudflare challenge or hCaptcha? Discord can only check request headers.

Neither. The bot score is checked by hCaptcha, and Discord uses it to flag activity. However, the actual bot score is determined by your device and other factors. Discord doesn't only check the request headers; there is fingerprinting, device analysis, and more. If you didn't know, they can see quite a lot of information, including flagging your IP for suspicious activity if you're excessively interacting with the API. Therefore, the bot score isn't influenced by hCaptcha or Cloudflare. The hCaptcha challenge can flag activity, but Discord is the one checking the bot score and verifying it to decide if it should be flagged. It could just ignore it, say you got a valid captcha, and let you pass.

@zxcvqwerasdf

@alluding So Discord does TLS fingerprinting and deep packet analysis? I created some accounts from different real devices; some of them were with an added phone number. After 8 hours, more than half were "ACCOUNT_PERMANENTLY_DISABLED", even with a phone. I understood that the analysis of some data takes place with a delay, not immediately after reg-in.

@populated

> @alluding So Discord does TLS fingerprinting and deep packet analysis? I created some accounts from different real devices; some of them were with an added phone number. After 8 hours, more than half were "ACCOUNT_PERMANENTLY_DISABLED", even with a phone. I understood that the analysis of some data takes place with a delay, not immediately after reg-in.

That is most likely a "silent flagged" account. A silent flagged account will let you do some things, and the account will be fine for a bit, but it will most likely be deleted or terminated after some time.
