noahcoolboy / funcaptcha

A library used to interact with funcaptchas.

util.getBda returns faulty bda on sites having custom data property in game type 4 #61

Open gordianbahri opened 1 year ago

gordianbahri commented 1 year ago

Hi, @noahcoolboy.

I really appreciate this open source project and the time you spent to hot-fix detection problems. Thanks!

I've used this project successfully until recent changes in funcaptcha's API. I'm talking about the changes that resulted in commit 0138a40d8714b6e02d9a085264396eda7f728541, which addresses these changes and handles them properly.

Furthermore, I use this project to solve game type 4 and 3 on Twitter. Within the aforementioned change of funcaptchas API, Twitter has added the property &data[blob]=undefined to the body of the MY_SURL/fc/gt2/public_key/MY_PUBLIC_KEY endpoint.

The specified call of fun.getToken() in my test script is:

const token = await fun.getToken({
  pkey: "2CB16598-CB82-4CF7-B332-5990DB66F3AB",
  surl: "https://client-api.arkoselabs.com",
  data: {
    blob: "undefined",
  },
  headers: {
    "User-Agent":
      "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0",
    Accept: "*/*",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate, br",
    Referer:
      "https://client-api.arkoselabs.com/v2/1.5.5/enforcement.fbfc14b0d793c6ef8359e0e4b4a91f67.html",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    Origin: "https://client-api.arkoselabs.com",
    DNT: "1",
    Connection: "keep-alive",
    Cookie:
      "_cfuvid=XXX; timestamp=169554800907859",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    TE: "trailers",
  },
  site: "https://twitter.com/i/flow/signup",
})

Note that I wiped the _cfuvid cookie for security reasons. Within the registration pipeline of Twitter these headers are the exact headers that funcaptcha uses when calling the endpoint MY_SURL/fc/gt2/public_key/MY_PUBLIC_KEY (this can be inspected using Chrome Dev Tools or Fiddler). I changed the res variable of api.js (line 26) to include these headers accordingly in my use case.

The resulting bda of util.getBda is around 8350 characters long. Unfortunately, when using it, this silently returns a captcha that is either never solvable or requires 10 or more iterations to succeed, and it usually has the game version that requires identifying two elements connected by a dotted line. When extracting a bda directly via the browser (again using Chrome Dev Tools or Fiddler) everything works just fine, and I receive an easier game type, where it's required to find X elements of a kind.

I noticed that these bdas that weren't generated by util.getBda but directly from funcaptcha have a length of around 9486 characters, which seems to be significantly longer than the ones generated by util.getBda.

After multiple hours of investigating this, I was already able to find out that the problem seems to have something to do with how util.getBda creates the bdas, as again everything works like a charm when using an "original" bda from funcaptcha within the exact same pipeline.

noahcoolboy commented 1 year ago

Thanks for the info. Multiple users have reported issues with Twitter and this is most likely due to the bda.

The way I have always done it is replacing certain values from the generated bda with ones from the real bda and seeing which ones work. As I'm a little busy, I won't be fixing this myself for now, but you are free to open a pull request which fixes this very issue.

gordianbahri commented 1 year ago

Thanks for the clarification @noahcoolboy.

How did you know which values are in the real bda? Are you talking about simply copying parts of the base64 encoded string, the ct, iv and s parts of the base64 decoded string, or have you managed to decrypt that as well? From what I know, some kind of decryption key is needed, and the one generated by the encrypt function from the crypt module does not seem to work with the real bdas... or am I missing something?

noahcoolboy commented 1 year ago

See util.ts and fingerprint.ts for bda generation, and crypt.ts for the encryption functions.

Found the values with a lot of reverse engineering.

gordianbahri commented 1 year ago

Alright, I noticed that the creation of the bda is handled client side within funcaptcha_api.js, which is sent right before the initial call to the /gt2/ endpoint. As the structured file contains over 9000 lines of code, a “perfect” deobfuscation of it would be quite time-consuming.

As I don't have the time, or access to GPT-4, I will rely on real bdas until I have time to fix this within a pull request.

ItsCEED commented 1 year ago

@gordianbahri if you don't know what the BDA holds, you won't be able to fix it. To start with, you need to modify the current bda builder, as it is made for Roblox and not for Twitter.

Anyway, not a single solver out there solves all the challenges given by the signup endpoint so what you're going to do is worthless.

ItsCEED commented 1 year ago

Also I'll add that you'll need hella lot of IPs (IPv6 works though), otherwise you'll get banned in no time.

gordianbahri commented 1 year ago

> Anyway, not a single solver out there solves all the challenges given by the signup endpoint so what you're going to do is worthless.

I'm not sure what you're talking about, but mine worked just fine until the update.

> @gordianbahri if you don't know what BDA holds, you won't be able to fix it. To start with, you need to modify the current bda builder as is made for Roblox, and not for twitter.

It's not about what the bda holds, but how it's computed. Reverse engineering the client side code for that will result in working bdas. The computation of baseFe and enhancedFe is very similar, if not the same, on every site.