Probably asked before (Common question)

paradox109

Hello, I know you may have asked this question before, but I was wondering: is it possible to replicate chess.com HTTPS app requests? I know they use SHA1 hash encryption after every request. But did any of you kind people manage to decrypt and understand the process?

CHESSPETER13

Interesting!

acity609

Send me a specific message of what exactly you are trying to accomplish and I can likely help. Your question is vague and leads to many questions on what you are trying to accomplish and what software you are using, i.e. Burp Suite, BS4, et cetera.

acity609

... Wireshark, SSL Proxy

CHESSPETER13
acity609 wrote:

Send me a specific message of what exactly you are trying to accomplish and I can likely help. Your question is vague and leads to many questions on what you are trying to accomplish and what software you are using, i.e. Burp Suite, BS4, et cetera.

That's how it should be done!

paradox109
acity609 wrote:

Send me a specific message of what exactly you are trying to accomplish and I can likely help. Your question is vague and leads to many questions on what you are trying to accomplish and what software you are using, i.e. Burp Suite, BS4, et cetera.

Sure, I can explain better. So the chess.com app on Android uses API v1. Now 'api.chess.com/v1/' uses this method of encrypting every URL with a unique hash at the end of the URL. Example: '&signed=Androidx.x.x-(SHA1 hash)'. Have any of you tried to find out, or do you know, how they encrypt the hash?

ParkerMcGee

It sounds like some sort of param to allow the app to bypass rate limiter rules or maybe to handle version-specific requests etc. The actual value is likely just the `Androidx.x.x` string hashed with some key that they verify on the backend to ensure authenticity.

paradox109
ParkerMcGee wrote:

It sounds like some sort of param to allow the app to bypass rate limiter rules or maybe to handle version-specific requests etc. The actual value is likely just the `Androidx.x.x` string hashed with some key that they verify on the backend to ensure authenticity.

They definitely encrypt the whole URL with some sort of secret, because the hash is unique and works only for the particular page you're requesting.
The solution is in the code, of course; it's just that I'm not good at reverse engineering.

acity609

I don't want to get in trouble with the TOS, but from what I can tell you should be on other forums that can help you better with reversing. Check out SSL proxies and also the app's source code (with chess.com's permission, of course). Ghidra is my favourite, but there are many others.

paradox109
acity609 wrote:

I don't want to get in trouble with the TOS, but from what I can tell you should be on other forums that can help you better with reversing. Check out SSL proxies and also the app's source code (with chess.com's permission, of course). Ghidra is my favourite, but there are many others.

There are projects like jadx on GitHub for stuff like that; no need for Ghidra. Again, I'm searching for people who already did the research themselves and know how chess.com encrypts the hash.

Recently I saw on their OAuth application how they 'Step 1: Generate a code verifier and challenge' using Base64UrlEncode(SHA256Hash(code_verifier)). It's probably something similar.

ParkerMcGee

Ah, gotcha. Yeah I'd definitely recommend waiting on a staff/moderator response before continuing to publicly discuss reverse engineering their security stuff lol.

> Recently I saw on their OAuth application how they 'Step 1: Generate a code verifier and challenge' using Base64UrlEncode(SHA256Hash(code_verifier)). It's probably something similar. 

This is just an unrelated OAuth2 standard called PKCE that's often used in mobile/browser-based login flows. More on that here if you're interested in how it works.
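As an added illustration of the PKCE step quoted above (RFC 7636), not code from chess.com or from anyone in this thread: the client generates a random code_verifier and sends BASE64URL(SHA256(code_verifier)) as the challenge; the token endpoint later recomputes it from the verifier the client presents. The `verify_pkce` name and the 43..128 length check are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_no_pad(raw: bytes) -> str:
    """RFC 7636 base64url: URL-safe alphabet with '=' padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy random verifier (32 bytes -> 43 chars)."""
    return b64url_no_pad(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_no_pad(digest)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side (token endpoint): recompute the challenge from the verifier
    presented with the authorization code and compare in constant time.
    RFC 7636 requires the verifier to be 43..128 characters long."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Walk through one flow: the authorization request carries only the
    # challenge; the verifier never leaves the client until token exchange.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)          # sent with /authorize
    print("challenge stored by server:", challenge)
    print("legit exchange accepted:", verify_pkce(challenge, verifier))
    print("intercepted code alone rejected:", verify_pkce(challenge, make_code_verifier()))
```

An attacker who only intercepts the authorization code cannot redeem it, because the token endpoint also demands a verifier that hashes to the stored challenge.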

paradox109

I'm just interested in the 'signed' parameter, since we are the ones signing the request through the mobile phone. I don't see any harm in this, because we also use 'loginToken' anyway (which expires pretty fast). It's not like a company with millions of users is suddenly going to be flooded with infinite requests... I think they should allow us, developers, to use their v1 API.

mirolehtonen
paradox109 wrote:

Hello, I know you may have asked this question before, but I was wondering: is it possible to replicate chess.com HTTPS app requests? I know they use SHA1 hash encryption after every request. But did any of you kind people manage to decrypt and understand the process?

Not sure if you're still interested, but here's my answer: it's definitely possible to replicate those HTTPS requests (which usually come from some client software, browsers or mobile apps). But the point of security is that only chess.com can decrypt (and authenticate) the requests. The algorithm is irrelevant; the server probably supports a number of different ones. What you don't have is the private key, which is necessary for the decryption. If the requests are sent to chess.com, then only chess.com is supposed to be authorized to see them.