Step by step, teach you how to write farm ownership

First prepare 2 tools: HttpWatch (or HttpAnalyzer) and JSONViewer (http://www.codeplex.com/JsonViewer)
HttpWatch (or HttpAnalyzer) is a paid software, and JSONViewer is free. You can also install the JSONView plug-in of Firefox, or you do not need JSONViewer.

Write any WEB application plug-in. The first step is to log on. The subsequent operations can be continued only when the logon is correct.

Let's take HttpWatch to analyze the login process of Sohu Bai society.

Part 1: Logon
1. Open the http://bai.sohu.com, if you have logged in before, first exit to ask you to enter the email and password page
2. Press the Record button of HttpWatch, enter the Email address and password on the page, and click log on. Then you will go to the whitelist page. Now let's take a look at the HttpWatch recorded trajectory.
3. We can easily see the following paths recorded by HttpWatch:
Http://passport.sohu.com/sso/login.jsp? Userid = Your E-MAIL account & password = password string & appid = 1062 & persistentcookie = 1 & s = 1248665199215 & B = 2 & w = 1440 & pwdtype = 1
In the above address, userid is the email address you entered at login, password is a string encrypted by md5, and s is the time (the number of seconds from January 1, to the present, it should be the account registration time. The time () function can be used in the C language). w is the resolution in the X direction of the computer screen. persistentcookie indicates that the cookie is saved. B and pwdtype are constants, do not know the specific meaning (we do not need to care about it ).

OK. You can log on to the account by using the URL shown above.

Part 2: Entering sunshine farm
1. Open HttpWatch's Record and click "Sunshine ranch" on the left of the homepage. HttpWatch records the actions on each page. We can see that the actual address of sunshine farm is http://developer.sohu.com/app/farm /. In HttpWatch, select http://developer.sohu.com/app/farm/, and click the contentpage signature next to it,

2. You can copy the source code of this page and view it in dreamweaver or other editors. You will find that this page actually contains several iframe. There is an iframe, which is the real big flash Address of the sunshine farm in the middle:<Iframe src = "http: // sh_farm.rekoo.com/embed_swf /? So_sig_uid = 6 digit & so_sig_session_key = UXdkRmZMaUxFQjg9 & so_sig_sig = Hangzhou "frameborder =" 0 "width =" 796 "height =" 590 "scrolling =" no "> </iframe>
In the above address, so_sig_uid is your user ID on the Sohu white social website. This ID is useless for general users and is the ID of each user in the database. But it is very useful for writing plug-ins. Therefore, you need to save this ID for future use.

3. Enter http: // sh_farm.rekoo.com/embed_swf/? in the browser /? So_sig_uid = 6-digit number & so_sig_session_key = UXdkRmZMaUxFQjg9 & so_sig_sig = large. You will find that only the large flash in the middle we saw is left in the browser, and no other communication is available. It turns out that the iframe we found is correct. (Note: Do not forget to open HttpWatch's Record when performing this step)

4. Select the address above in HttpWatch and observe the returned Content:

5. In the highlighted section above, you can see some information such as session_name, session_value, and uid. One of the most important values is session_value. Anyone who has web development experience knows that after logging on to the site, there is a session on the client side that maintains some user information, and this session is a random string generated every time you log on, and has a certain validity period (configured by the management right ). Therefore, to simulate web operations, we need to obtain the correct session string, that is, the session_value we saw above.

As a matter of fact, most of our analysis work has been carried out so far. Summary:
We have done so many things above, most importantly, to achieve two goals:
(1) how to simulate User Logon
(2) obtain the correct UID and sessionid

In addition, there are other methods for obtaining sessionid. For example, if you are using Java, you can read sessionid from the cookie.

Part 3: analysis of various operations of sunshine farm
With the above foundation, the analysis below is easy.
1. Open the httpwatch record and set the above http: // sh_farm.rekoo.com/embed_swf /? So_sig_uid = 6 digit & so_sig_session_key = uxdkrmzmauxfqjg9 & so_sig_sig = 049fa15390e4c9acffbecac8870e83c1 refresh.
2. In httpwatch, you will see many such addresses: http: // sh_farm.rekoo.com/get_api/. This address is very important, almost all command requests are sent to this place.
3. Select http: // sh_farm.rekoo.com/get_api/. You can see it in the post data below:

It turns out that this is a standard http post request, and the complete URL is:Http: // sh_farm.rekoo.com/get_api /? Method = user. get_friends & rekoo_killer = your 6-bit UID & sessionid = session_value we just obtained from the page
Then, click the Content tab next to it. The Content returned by the server is as follows:

The above is a typical JSON data. I don't need to talk about it next. You can copy the preceding content to JSONViewer. It provides a tree structure for you to expand each node to analyze the parent-child relationship and the type of each node:

4. What we see above is a request for getting a list of friends, for example, getting store information, watering insects, seeding, harvesting ...... The request addresses are both http: // sh_farm.rekoo.com/get_api/, but the post parameters are different. Post the correct parameter to the server, and the server will return the JSON data of the corresponding operation to you. With this data, you can perform subsequent analysis and processing.

OK. Based on the above text, I believe you have understood how such a plug-in works. 4. What we see above is a request for getting a list of friends, for example, getting store information, watering insects, seeding, harvesting ...... The request addresses are both http: // sh_farm.rekoo.com/get_api/, but the post parameters are different. Post the correct parameter to the server, and the server will return the JSON data of the corresponding operation to you. With this data, you can perform subsequent analysis and processing.

4. What we see above is a request for getting a list of friends, for example, getting store information, watering insects, seeding, harvesting ...... The request addresses are both http: // sh_farm.rekoo.com/get_api/, but the post parameters are different. Post the correct parameter to the server, and the server will return the JSON data of the corresponding operation to you. With this data, you can perform subsequent analysis and processing.

OK. Based on the above text, I believe you have understood how such a plug-in works.