get link zing mp3

Hello everyone, long time no see, tonight I’m going to tướng talk to tướng you about a tutorial “slightly” not a little bit of programming, but more about “reverse” array. This afternoon is a bit of a mess, this afternoon he was sent to tướng the bar to tướng enjoy the rare cold of Da Nang, accidentally drank a bottle of sting sánh I couldn’t sleep at night, normally I slept at 10 o’clock, today sitting Searching for Facebook forever Suddenly, reading a share of a second year “student” on the topic, she explores and processes Zing’s API very well! Details you read here:ế-nào-55f5fa555eda

I suddenly felt ashamed Think “Mum, in year 2, people exploited MP3 ZING’s API, while I only knew how to tướng play cards in 2nd year” I’m sánh sad, bro. But my curious nature also emerged, if she can tự it, we can tự it too, there’s nothing to tướng be afraid of. After discovering what he did, I asked the system for a little more clarity on the mining and debugging techniques, since her medium was already fine, I showed the system how to tướng exploit it. for you to tướng understand and execute, as well as firmly believe that “Nothing is difficult – Just afraid of not looking” – Slogin of big brother Cuonglee (anyone who installed MU Server in 2007 knows this guy hehe)

Bạn đang xem: get link zing mp3

Okay! So long, on the main thing, first to tướng explore the API of Zing MP3, ask you to tướng use Chrome, turn on DEV MODE and lập cập into Web Zing.

Note: Must go to tướng desktop mode, the big brother to tướng leave mobile mode is unable to tướng continue

Next, open the Network tab and play a tuy nhiên, I choose a Vozer tuy nhiên that is “Why are you shutting down” Then look at what it fetched, and pay attention to tướng its XHRs, I phối especially lượt thích the keywords “get-streaming” hehe (it sounds close to tướng our purpose)

Okay, let’s explore some API

Here we see, this API has 4 query params that are

  • id (song id, don’t try to tướng learn it, we never get it =)))
  • ctime (which is the timestamp the moment we fuck the API)
  • sig = 1 something string, temporarily gọi it “signature” ie signature, I analyze it later later
  • key = API key hehehe (this guy in other XHRs also uses the same nó key, sánh it’s const, let’s take it)

Okay, sánh 4 above parameters only have “sig” guy is problematic, why? Because if we bring the same url to tướng request, the info will appear, but instead of the sig guy, the bad request will be eaten right away! So our main purpose is to tướng find a way to tướng create this sig. Analyze it, I see it contains 128 characters, sánh beautiful, the characters are all friends in the ASCII charset, all the lowercase brothers, hehe sometimes SHA512 already, note again Now, figuring out how it processes this sig, we see in the query params there are “id” and “ctime”, but the word “id”, if searching in the source, is broken because the resulting noise, sánh we’ll use “ctime” for the trace

This is the time why I explain you have to tướng use the desktop interface here, sánh that we can get the tệp tin “main.min.js” in the thư mục ” * zmp3-desktop * release vx.xx static js ”

Okay, press Pretty to tướng reformat the code for readability, press Ctrl + F and tìm kiếm “ctime”

Look at line 501, see “t.sig”, put break point here and click to tướng choose another song

Break-point is freeze, the data is pushed to tướng show us roughly, function T will take 2 parameters e and t in it.

  • variable n will be re-modified, to tướng “ctime = xxxxid = yyyy”
  • variable r will contain the value of 1 function h (), this function takes the argument of the string n
  • We see the variable r has a sig bytes of 32, earlier we have the complete sig note is SHA512, SHA512 returns 64bytes, here receive 32 bytes which means it can be SHA256
  • If there is a variable r then this function will gọi the m function with the parameter (e + r, b.Oc), e then we have an API path, r we also have SHA256 (n), b.0c then hover mouse click will see
  • So, we draw, this function m is SHA512 (note above), its parameters are API path + SHA256 (n) and SECRET KEY (b.Oc)

Try it, I’m lazy sánh I lập cập complier in my browser, open and declare

const crypto = require('crypto');

const getHash256 = (a) => {

    return crypto.createHash('sha256').update(a).digest('hex');


Xem thêm: small black bug with hard shell

const getHmac512 = (str, key) => {

    let hmac = crypto.createHmac("sha512", key);

    return hmac.update(Buffer.from(str, 'utf8')).digest("hex");


Then press run

Okay, now we will proceed to tướng get the SHA256 of (n), I will get the parameter fetched at first

Next, we gọi SHA512 (e + r, secret)

Remember that the chain is SECRET KEY 10a01dcf33762d3a204cb96429918ff6 we take a moment ago I got you now have sig then, provides the following APIs replace the links to tướng see why = 1607185070 & sig = 716b083eea082f38c8eb2ad5aa1023120199bd906a30a6dd533c4987ba473a7eeb0e2b58c5a8d7c69a563bffb4648ad1762fff78298d1c043f999b994d

Sorry ??? Calm down, look at the timestamp, just now we generated a signature with another timestamp ^^, correct the url on this 160 718 421 & sig = 716b083eea082f38c8eb2ad5aa1023120199bd906a30a6dd533c4987ba473a7eeb0e2b58c5a8d7c69a563bffb4648ad1762fff78298d1c043f0c542d3c92ee68 & api_key = 38e8643fb0dc04e8d65b99994d3dafff

Replace correctly with the ctime we have encrypted in variable ‘r’ and rerun the link

Already changed but still error =)), the thighs are serious now! Hehe, calm down, remember that sig is the result of e and r, e here is API path, now we generate a signature for api / get-song-info but now I dare to tướng use api / get-streamings-beat to tướng gọi, yet the correct url

Xem thêm: metro là gì

We can

So, we draw that, sig is the string containing the API request authentication information including (song id, ctime and api path). So now if we want to tướng use the / get-stream-beats, we just repeat the previous steps to tướng generate sig for this API! But what’s wrong, in the earlier json of get-song-info, the url stream was returned in it ^^ there are only 320kbs, if you want to tướng have it then explore the get-streams API to tướng see how.

Okay! My post is also quite long, and now it’s 12:10 PM, I should stop writing and go to tướng sleep, wish you success