某巴克咖啡APPzc分析成果，主要是设备指纹算法的分析

yshell

最近定制区很火的某巴克注册分析
首先看下注册包

1. {"birthday":"01/05/1985","device":{"app_version":"7.2.0","device_external_code":"hnISk9rMhqf6QfvEN4arIQu4MrUFVl7gYGChItYkc7SPbUwC0CiN_ZXyT3QaZJq7B34FRCeTwdEFqRxlPlEIa42m_L5EcQsioWjaMgO2Wogr03yESrca4JAQ7AkXRn-LkkZuasYvkTTFoWNYGU5MjnIzNOIOXNSk","id":"dcoqgmhcxqmiy6b","language":"zh","latitude":31.887948,"longitude":117.304802,"manufacturer":"OnePlus","model":"ONE E1001","os_name":"Android","os_version":"6.0.1","timezone":"Asia/Shanghai","user_agent":"Android com.starbucks.cn/7.2.0 (ONE E1001; 6.0.1)"},"firstName":"即使","gender":"Male","language":"","lastName":"","optOut":"0","password":"密码","cellPhone":"13897546827","sourceCode":"APP","userName":"4a1563994124","token":"U_TOKEN_4a1563994124"}

复制代码

这里主要是分析  device_external_code
这个是之前的封包返回的

返回结果:callbackFunction('{"exp":"1564161017827","UDID":"NHKIBr8hHcElBSSR3r2puSdnO1SR231q","dfp":"hnISk9rMhqf6QfvEN4arIQu4MrUFVl7gYGChItYkc7SPbUwC0CiN_ZXyT3QaZJq7B34FRCeTwdEFqRxlPlEIa42m_L5EcQsioWjaMgO2Wogr03yESrca4JAQ7AkXRn-LkkZuasYvkTTFoWNYGU5MjnIzNOIOXNSk"}')

搜索找到cn.com.bsfit.dfp.android包下的FRMS类
getFingerPrint调用了 cn.com.bsfit.dfp.android.client.b.a.a().a((long) i, this.mContext, z, dFPCallback);
一步步跟踪
new cn.com.bsfit.dfp.android.client.c.b(context).a(new JSONObject(cn.com.bsfit.dfp.android.obj.a.a(a(b(context)))), "AND", dFPCallback, j);

这个jsonhook一下 就是设备信息的json格式
跟到这个a方法,重点来了

1.   @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
   
2.     public void a(JSONObject jSONObject, String str, DFPCallback dFPCallback, long j) {
   
3.         a.a = true;
   
4.         final DFPCallback dFPCallback2 = dFPCallback;
   
5.         final JSONObject jSONObject2 = jSONObject;
   
6.         final String str2 = str;
   
7.         final long j2 = j;
   
8.         new Handler(Looper.getMainLooper()).post(new Runnable() {
   
9.             public void run() {
   
10.                 try {
    
11.                     if (b.this.a == null) {
    
12.                         b.this.a = new WebView(b.this.b);
    
13.                         WebSettings settings = b.this.a.getSettings();
    
14.                         settings.setJavaScriptEnabled(true);
    
15.                         settings.setCacheMode(-1);
    
16.                     }
    
17.                     b.this.a.loadUrl("file:///android_asset/dfp/test.html");
    
18.                     b.this.a.addJavascriptInterface(new a(b.this.b, dFPCallback2), "JS");
    
19.                     b.this.a.setWebViewClient(new c(jSONObject2, str2));
    
20.                     b.this.c = new C0017b(j2, 500, dFPCallback2);
    
21.                     b.this.c.start();
    
22.                 } catch (Throwable th) {
    
23.                     a.b = true;
    
24.                     if (a.a && dFPCallback2 != null) {
    
25.                         a.a = false;
    
26.                         dFPCallback2.onFailed("当前手机没有webview");
    
27.                     }
    
28.                 }
    
29.             }
    
30.         });
    
31.     }
    

复制代码

首先加载 loadUrl("file:///android_asset/dfp/test.html");
然后调用 javascript:inputFields('" + this.a + "','" + this.b + "','" + b.e + "')
这个js是test.html里面的JS方法
hook下参数
inputFields('{"device":"bullhead","currentWifi":"[几时,4a:45:20:1d:eb:c4]","sensorList":"b83fa1ed287568e8","user":"android-build","timeZone":"[GMT+08:00,Asia\/Shanghai]","sdkVersion":"4.4.0","id":"MHC19Q","version":"6.0.1","uevent":"MAJOR10MINOR50DEVNAMEcpu_dma_latency","serial":"025282fee5a40b66","manufacturer":"LGE","ppp":"isContent","type":"user","rooted":"1","networkType":"WiFi","host":"vpec3.mtv.corp.google.com","totalSD":"0","totalSystem":"11454181376","fingerprint":"google\/bullhead\/bullhead:6.0.1\/MHC19Q\/2705526:user\/release-keys","misc":"2c0acfd2827311ba","platform":"AND","syncookies":"notExist","availableMemory":"559005696","brightness":"78","product":"bullhead","cellularIP":"192.168.155.2","existPipe":"0","packageName":"com.starbucks.cn","startupTime":"1563577938","isProxy":"0","cpufreq":"isContent","bootloader":"BHZ10m","appVersion":"7.2.0","isVPN":"0","availableSD":"0","availableSystem":"9372737536","tags":"release-keys","cpuABI":"armeabi-v7aarmeabi","battery":"[5,100]","bluetooth":"a0:91:69:94:1a:d4","stat":"isContent","wifiMacAddress":"64:bc:0c:2d:8a:71","switch":"isContent","parameters":"notExist","radio":"unknown","board":"bullhead","brand":"google","displayRom":"MHC19Q","resolution":"[2.625,1080,1794,2.625,422.03,424.069]","totalMemory":"1901912064","userAgent":"Dalvik\/2.1.0(Linux;U;Android6.0.1;Nexus5XBuild\/MHC19Q)","hardware":"bullhead","custID":"ato","adb":"notExist","model":"Nexus5X","existQemu":"0"}', 'AND', 'https://dfp.arm.starbucks.com.cn/public/downloads/frms-fingerprint.js?custID=ato&serviceUrl=https://dfp.arm.starbucks.com.cn/public/generate/jsonp&channel=AND&loadSource=script');
好了知道原理了
把/android_asset/dfp/拖出来到我们的浏览器运行，当然你得把上面的inputFields方法手动写进去，
我们发现，计算好了，上面抓包的那些参数，并且ajax提交这个参数与设备签名返回给你真确的udid和dfp参数


如果我们要在易语言中调用，最简单的就是用wke浏览器框架加载这个test.html，然后执行js方法inputFields

JS设备指纹改写。这个设备指纹算法是开源项目
Fingerprintjs2 不过这个app有有修改过的，动态js，并且动态返回Fingerprintjs2的两个版本1.4.2与2.1，自定义签名算法，每次方法名都不一样，改写还是有一定的复杂度

帖上改写后的测试图



当然搞定了 设备算法，不代表你能注册成功，依旧被风控。根据网络上的文章猜测用了威胁猎人的 黑卡检测 与 黑ip检测， 注册成功率低到可怕.


另外，请勿根据此分析来做违法事情，只用来交流学习，如果有办法过这个风控，欢迎交流..

菜菜小白

牛啊阿啊阿啊紫薯布丁

单身帝

lsjmll 发表于 2019-9-29 17:16
666  设备我过不了  黑卡和黑IP能解决

设备可过 能合作？

德友

有没有一起学习的小伙伴

lsjmll

666  设备我过不了  黑卡和黑IP能解决

肚子白

66666 大佬，学习了！ cn.com.bsfit.dfp.android  啧啧 原来星爸爸用的是邦盛的

yshell

用代理IP+多米公开对接项目，成功率10%-20%之间

bboyesc

6666666666666666666