aeerso / mcfux

PoC for abusing McDonald's deals system
GNU General Public License v3.0

You do not permission to view this directory or page #5

Open DevFil opened 5 years ago

DevFil commented 5 years ago

McDonald's updated systems

ngschaider commented 5 years ago

I already investigated a bit further.

Before the system updated, I sniffed a couple of requests from my Android phone. By decrypting the x-vmob-uid header I know the UID that was used to generate the Plexure key. Theoretically I should be able to decrypt the Plexure key because I know the password (the UID) and the salt (the last 8 bytes of the Plexure key), but I can't.

My code works because I generated a Plexure key with McFux.java and also decrypted it successfully.

I really don't know if this is a problem or not.

DevFil commented 5 years ago

Can you teach me? Because I don't know how to fix it.

aeerso commented 5 years ago

Seems that McD updated the deviceRegistration and token generation methods. Now they involve SafetyNet on Android (I don't have a device to check if the methods have been updated on iOS as well) and they seem bound to other types of checks.

I will look into this maybe later, but I'm leaving this issue open for anyone to share info.

ngschaider commented 5 years ago

@0xf77

Was there an update for the Android app itself? Until now I have no clue what to look at, but if you give me some starting point I can investigate this further.

EDIT: Okay, I was wrong in my first comment. The app did receive an update. In fact it is quite a huge update: version 2.0.1 is out. Will do some reversing and report back.

DevFil commented 5 years ago

I confirm that McDonald's has updated the token generation methods and implemented SafetyNet; at this time there is no new update on iOS. I have a demonstration video of the new bypass; if anyone wants to see it, write me.

aeerso commented 5 years ago

UPDATE: Since I have no hardware (moving house rn) for decompiling and searching for new methods to exploit this new update, I'm tagging @ddekus and @giacomoferretti, who may have found a solution or be working on one.

Still leaving this issue open for updates.

giacomoferretti commented 5 years ago

@0xf77 Actually I have already written a working PoC to bypass the new check using SafetyNet, but I can't publish it right now. I will leave a GIF demonstrating how it works.

EDIT: Here's the video/GIF: https://imgur.com/a/hx8FCwT (Direct)

ngschaider commented 5 years ago

If you can point me to the right class which implements the SafetyNet and token generation, I can reverse it and make a pull request for this repo.

agostinofiscale commented 5 years ago

Am I the only one getting a 401.2 error? I tried on a lot of physical devices and it worked on 1/3. And on emulators it doesn't work.

giacomoferretti commented 5 years ago

@ddekus you can't pass SafetyNet on emulators.

agostinofiscale commented 5 years ago

> @ddekus you can't pass SafetyNet on emulators.

Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, which seem to be just a way to check the other sent information. If someone else is working on this we can cooperate :)

Lameness commented 5 years ago

Hello guys. I need help with doing a McDonald's Sweden config. I need a capture and a working config that cracks accs. I'm paying. Discord is sqreway#0442, Telegram is sqreway and my mail is sweeliaz@gmail.com

Lameness commented 5 years ago

@giacomoferretti and the other guys. Btw I never use mail, so please contact me on the other stuff or send me your contact details.

AceOfWands commented 5 years ago

> > @ddekus you can't pass SafetyNet on emulators.
>
> Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, which seem to be just a way to check the other sent information. If someone else is working on this we can cooperate :)

(Hi guys) @ddekus can you share with me your dump of requests to android antiabuse and devicecheck?

kaaetech commented 5 years ago

If a campaign occurs in Denmark again I will update and release code to generate headers

giacomoferretti commented 5 years ago

Did you guys find something?

I can give you some help if you want.

agostinofiscale commented 5 years ago

> > > @ddekus you can't pass SafetyNet on emulators.
> >
> > Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, which seem to be just a way to check the other sent information. If someone else is working on this we can cooperate :)
>
> (Hi guys) @ddekus can you share with me your dump of requests to android antiabuse and devicecheck?

Sorry, I haven't got a dump at the moment, but if you need it I can try to get it again!

> Did you guys find something?
>
> I can give you some help if you want.

I would like some help; after reversing the app I don't fully understand where the digest comes from.

giacomoferretti commented 5 years ago

Sorry for the late response!

The digest header is simply the SHA256 of the body.
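The Digest computation described above, as an added example that is not code from this repo or from giacomoferretti's PoC. The thread only says the header is the SHA-256 of the body, so the textual layout of the value (RFC 3230-style `SHA-256=<base64>`), the sample body and the helper names here are assumptions; the checker accepts the bare hex and base64 forms as well so a capture can be tested before settling on one:

```python
import base64
import hashlib
import hmac

# Constructed sample request body; not a real capture from the app.
SAMPLE_BODY = b'{"deviceId":"0123456789abcdef","offerId":42}'


def sha256_base64(body: bytes) -> str:
    """SHA-256 of the exact body bytes, base64-encoded (RFC 3230 form)."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def sha256_hex(body: bytes) -> str:
    """SHA-256 of the exact body bytes as lowercase hex."""
    return hashlib.sha256(body).hexdigest()


def digest_header(body: bytes) -> str:
    """Build the Digest header value.

    The "SHA-256=<base64>" layout is an assumption (RFC 3230 style); the
    thread only states that the header is the SHA-256 of the body.
    """
    return "SHA-256=" + sha256_base64(body)


def check_digest(body: bytes, header_value: str) -> bool:
    """Verify a captured Digest header against the body that was actually sent.

    Accepts the RFC 3230 form as well as a bare base64 or hex digest, so a
    capture can be checked before deciding which encoding the app uses.
    """
    value = header_value.strip()
    if value[:8].upper() == "SHA-256=":
        value = value[8:]
    # compare_digest avoids a timing side channel if this ever runs server-side.
    return (hmac.compare_digest(value, sha256_base64(body))
            or hmac.compare_digest(value.lower(), sha256_hex(body)))


def digests_of_equivalent_json() -> tuple:
    """Same JSON object, two serialisations: the digests differ.

    This is why the hash has to be taken over the bytes on the wire (what the
    proxy captured), not over a re-encoded copy of the JSON.
    """
    compact = b'{"a":1}'
    spaced = b'{"a": 1}'
    return sha256_hex(compact), sha256_hex(spaced)


if __name__ == "__main__":
    hdr = digest_header(SAMPLE_BODY)
    print("Digest:", hdr)
    print("matches sent body:", check_digest(SAMPLE_BODY, hdr))
    print("matches tampered body:", check_digest(SAMPLE_BODY + b" ", hdr))
    compact_hex, spaced_hex = digests_of_equivalent_json()
    print("compact vs spaced JSON digests differ:", compact_hex != spaced_hex)
```

To confirm the encoding from a real capture, feed the raw request body bytes from the proxy and the captured header value to `check_digest`; if neither form matches, the app is hashing something other than the plain body (a canonicalised or re-ordered payload, or body plus extra fields), and that is where the reversing effort belongs.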

AceOfWands commented 5 years ago

> > > > @ddekus you can't pass SafetyNet on emulators.
> > >
> > > Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, which seem to be just a way to check the other sent information. If someone else is working on this we can cooperate :)
> >
> > (Hi guys) @ddekus can you share with me your dump of requests to android antiabuse and devicecheck?
>
> Sorry, I haven't got a dump at the moment, but if you need it I can try to get it again!
>
> > Did you guys find something? I can give you some help if you want.
>
> I would like some help; after reversing the app I don't fully understand where the digest comes from.

I'd be really grateful if you did

coolnickname commented 5 years ago

Wow, I didn't know there were other people reverse engineering mcdonalds. Does anyone know how to generate the X-Dif-Authorization header?

giacomoferretti commented 5 years ago

To generate a token for the X-Dif-Authorization header you'll need:

coolnickname commented 5 years ago

So for every call that I want to make that contains the dif-auth header, I need to run some code on an Android device that passes SafetyNet? Or just once, to get some type of token?

Also, do you have an example of how to generate the nonce?

giacomoferretti commented 5 years ago

There are some tricks that allow you to generate only one token that you can utilize on all requests.

I will publish my code soon.

giacomoferretti commented 4 years ago

You can read more here: https://github.com/giacomoferretti/ffapi-project/tree/master/mcmod-poc

I'm sorry if the code is difficult to read, especially in the important part where it generates the SafetyNet token.

EDIT: I don't think it's possible to generate coupons without having a real device "farming" tokens.

coolnickname commented 4 years ago

@giacomoferretti Could you point me to the code that generates the dif-auth?

giacomoferretti commented 4 years ago

@coolnickname SafetyNet token: CouponFragment.java#L256 McDonald's request: CouponFragment.java#L95