
You do not have permission to view this directory or page

Open DevFil opened this issue 5 years ago • 26 comments

McDonalds update systems

DevFil avatar Aug 22 '19 10:08 DevFil

I already investigated a bit further.

Before the system updated, I sniffed a couple of requests from my Android phone. Decrypting the x-vmob-uid header, I know the UID that was used to generate the Plexure key. Theoretically I should be able to decrypt the Plexure key because I know the password (the UID) and the salt (last 8 bytes of the Plexure key), but I can't.

My code works because I generated a plexure key with McFux.java and also decrypted it successfully.

I really don't know if this is a problem or not.

ngschaider avatar Aug 22 '19 11:08 ngschaider

Can you teach me? Because I don't know how to fix it.

DevFil avatar Aug 22 '19 14:08 DevFil

Seems that McD updated the deviceRegistration and token generation methods. Now they involve SafetyNet on Android (I don't have a device to check if the methods have been updated as well on iOS) and they seem bound to other types of checks.

I will look into this maybe later, but I'm leaving this issue open for anyone to share info.

aeerso avatar Aug 22 '19 15:08 aeerso

@0xf77

Was there an update for the Android app itself? Until now I have no clue what to look at, but if you give me some starting point I can investigate this further.

EDIT: Okay, I was wrong in my first comment. The app did receive an update. In fact it is quite a huge update: version 2.0.1 is out. Will do some reversing and report back.

ngschaider avatar Aug 22 '19 19:08 ngschaider

I confirm that McDonald's has updated the token generation methods and implemented SafetyNet; at this time there is no new update on iOS. I have a demonstration video of the new bypass; if anyone wants to see it, write me.

DevFil avatar Aug 23 '19 09:08 DevFil

UPDATE: Since I have no hardware (moving house rn) for decompiling and searching for new methods to exploit this new update, I'm tagging @ddekus and @giacomoferretti, who may have found a solution / be working on it.

Still leaving this issue open for updates.

aeerso avatar Aug 24 '19 18:08 aeerso

@0xf77 Actually I have already written a working PoC to bypass the new check using SafetyNet, but I can't publish it right now. I will leave a GIF demonstrating how it works.

EDIT: Here's the video/GIF: https://imgur.com/a/hx8FCwT (Direct)

giacomoferretti avatar Aug 24 '19 18:08 giacomoferretti

If you can point me to the right class which implements the SafetyNet and token generation, I can reverse it and make a pull request for this repo.

ngschaider avatar Aug 24 '19 18:08 ngschaider

Am I the only one getting a 401.2 error? I tried on a lot of physical devices and it worked on 1/3. And on emulators it doesn't work.

agostinofiscale avatar Aug 25 '19 01:08 agostinofiscale

@ddekus you can't pass SafetyNet on emulators.

giacomoferretti avatar Aug 25 '19 10:08 giacomoferretti

> @ddekus you can't pass SafetyNet on emulators.

Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, that seem to be just a way to check other sent information. If someone else is working on this we can cooperate :)

agostinofiscale avatar Aug 26 '19 14:08 agostinofiscale

Hello guys. I need help with doing a McDonald's Sweden config. I need a capture and a working config that cracks accs. I'm paying. Discord is sqreway#0442, Telegram is sqreway and my mail is [email protected]

Lameness avatar Aug 28 '19 22:08 Lameness

@giacomoferretti and the other guys. Btw I never use mail, so please contact on the other stuff or send me your contact details.

Lameness avatar Aug 28 '19 22:08 Lameness

> @ddekus you can't pass SafetyNet on emulators.

> Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, that seem to be just a way to check other sent information. If someone else is working on this we can cooperate :)

(Hi guys) @ddekus can you share with me your dump of requests to android antiabuse and devicecheck?

AceOfWands avatar Aug 29 '19 03:08 AceOfWands

If a campaign occurs in Denmark again I will update and release code to generate headers

kaaetech avatar Aug 29 '19 09:08 kaaetech

Did you guys find something?

I can give you some help if you want.

giacomoferretti avatar Sep 04 '19 21:09 giacomoferretti

> @ddekus you can't pass SafetyNet on emulators.

> Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, that seem to be just a way to check other sent information. If someone else is working on this we can cooperate :)

> (Hi guys) @ddekus can you share with me your dump of requests to android antiabuse and devicecheck?

Sorry, I haven't got a dump at the moment, but if you need it I can try to get it again!

> Did you guys find something?

> I can give you some help if you want.

I would like some help; after reversing the app I don't fully understand where the digest comes from.

agostinofiscale avatar Sep 04 '19 22:09 agostinofiscale

Sorry for the late response!

The digest header is simply the SHA256 of the body.

giacomoferretti avatar Sep 06 '19 13:09 giacomoferretti

> @ddekus you can't pass SafetyNet on emulators.

> Thank you for this information. I used my old phone with Magisk with patched SafetyNet and SSLUnpinning from Xposed to intercept requests. I found that they are similar, with two new headers: X-Dif-Authorization and Digest, that seem to be just a way to check other sent information. If someone else is working on this we can cooperate :)

> (Hi guys) @ddekus can you share with me your dump of requests to android antiabuse and devicecheck?

> Sorry, I haven't got a dump at the moment, but if you need it I can try to get it again!

> Did you guys find something? I can give you some help if you want.

> I would like some help; after reversing the app I don't fully understand where the digest comes from.

I'd be really grateful if you did.

AceOfWands avatar Sep 08 '19 12:09 AceOfWands

Wow, I didn't know there were other people reverse engineering mcdonalds. Does anyone know how to generate the X-Dif-Authorization header?

coolnickname avatar Sep 08 '19 14:09 coolnickname

To generate a token for the X-Dif-Authorization header you'll need:

  • A working Android Device passing the SafetyNet test
  • Some magic (Janus) to utilize the correct API KEY
  • Know how to generate the correct nonce to pass in the SafetyNet attest
  • Time and patience

giacomoferretti avatar Sep 08 '19 14:09 giacomoferretti
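As an added example (not code from this thread, from McFux.java or from ffapi-project), the following Python puts the two pieces described above in a server-side check: the `Digest` header as the SHA-256 of the request body, and the field checks on a SafetyNet attestation payload, with the attestation nonce bound to that same body digest so a single farmed token cannot be replayed against other requests. Everything beyond "Digest = SHA-256 of the body" is an assumption for illustration: the `SHA-256=<base64>` header form, the nonce derivation, the placeholder package name and certificate digest, the constructed request body and token, and that the JWS signature and its x5c chain are verified elsewhere before these field checks run.

```python
"""Added example, not code from this thread, McFux or ffapi-project.

A `Digest` header that is the SHA-256 of the body, plus the server-side
field checks on a SafetyNet attestation payload with its nonce bound to
that body digest. Assumed, not from the thread: the `SHA-256=<base64>`
form, the nonce derivation, the placeholder app id and cert digest, and
that the JWS signature/x5c chain (leaf attest.android.com) is checked elsewhere.
"""
import base64
import hashlib
import hmac
import json

PACKAGE_NAME = "com.example.app"      # assumed placeholder, not the real app id
APK_CERT_DIGEST = "Y2VydC1kaWdlc3Q="   # assumed placeholder signing-cert digest
MAX_TOKEN_AGE_MS = 2 * 60 * 1000      # assumed acceptance window for a token


def digest_header(body: bytes) -> str:
    """Digest header value: SHA-256 of the raw body bytes (per the thread)."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def digest_matches(body: bytes, header: str) -> bool:
    """Recompute server-side. Catches a body edited after the header was set,
    but anyone can recompute it, so it proves nothing about the sender."""
    return hmac.compare_digest(digest_header(body).encode(), header.encode())


def make_nonce(server_random: bytes, body: bytes) -> str:
    """Nonce passed to SafetyNet attest(): base64(SHA-256(random || H(body))).
    The payload echoes the nonce base64-encoded, so compare in that form."""
    inner = server_random + hashlib.sha256(body).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def attestation_payload(jws: str) -> dict:
    """Payload of a compact JWS (header.payload.signature)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_attestation(payload: dict, expected_nonce: str, now_ms: int) -> list:
    """Field checks Google documents for a SafetyNet attestation payload.
    Returns the problems found; an empty list means the token is acceptable."""
    problems = []
    if not hmac.compare_digest(str(payload.get("nonce", "")).encode(), expected_nonce.encode()):
        problems.append("nonce does not match this request")
    if payload.get("apkPackageName") != PACKAGE_NAME:
        problems.append("apkPackageName mismatch")
    if APK_CERT_DIGEST not in payload.get("apkCertificateDigestSha256", []):
        problems.append("apkCertificateDigestSha256 mismatch")
    if payload.get("basicIntegrity") is not True:
        problems.append("basicIntegrity is false")
    if payload.get("ctsProfileMatch") is not True:   # emulators and patched ROMs fail here
        problems.append("ctsProfileMatch is false")
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= MAX_TOKEN_AGE_MS:
        problems.append("timestampMs outside the accepted window")
    return problems


def fake_jws(payload: dict) -> str:
    """Constructed JWS-shaped token for the offline demo. The signature segment
    is a placeholder, not a Google signature; real tokens need chain verification."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "x5c": []}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.{_b64url_encode(b'placeholder')}"


# Constructed sample exchange (fixed clock and random so the demo is deterministic).
SERVER_RANDOM = bytes(range(16))
REQUEST_BODY = b'{"offerId": 1234, "storeId": "0001"}'
NOW_MS = 1_568_000_000_000


def good_payload() -> dict:
    """What a CTS-compliant device would have returned for REQUEST_BODY."""
    return {
        "nonce": make_nonce(SERVER_RANDOM, REQUEST_BODY),
        "timestampMs": NOW_MS - 5_000,
        "apkPackageName": PACKAGE_NAME,
        "apkCertificateDigestSha256": [APK_CERT_DIGEST],
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }


def verify_request(body: bytes, digest: str, token: str, now_ms: int = NOW_MS) -> list:
    """Server-side gate: body digest first, then the attestation bound to it."""
    if not digest_matches(body, digest):
        return ["Digest header does not match body"]
    return check_attestation(attestation_payload(token), make_nonce(SERVER_RANDOM, body), now_ms)


if __name__ == "__main__":
    token = fake_jws(good_payload())
    print("good:", verify_request(REQUEST_BODY, digest_header(REQUEST_BODY), token))
    edited = b'{"offerId": 9999, "storeId": "0001"}'
    print("replayed token, edited body:", verify_request(edited, digest_header(edited), token))
    emulator = fake_jws(dict(good_payload(), ctsProfileMatch=False))
    print("emulator:", verify_request(REQUEST_BODY, digest_header(REQUEST_BODY), emulator))
```

The point of the nonce derivation is the caveat the thread circles around: a `Digest` header on its own is recomputable by any client, so the only thing tying a request to a genuine device is the attestation, and only if its nonce is bound to this request. A server that accepts any fresh-looking attestation regardless of nonce is exactly the kind that lets one token be reused on every call.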

So for every call that I want to make that contains the dif-auth header I need to run some code on an android device that passes safetynet? Or just once to get some type of token?

Also do you have an example to generate the nonce?

coolnickname avatar Sep 08 '19 15:09 coolnickname

There are some tricks that allow you to generate only one token that you can utilize on all requests.

I will publish my code soon.

giacomoferretti avatar Sep 08 '19 15:09 giacomoferretti

You can read more here: https://github.com/giacomoferretti/ffapi-project/tree/master/mcmod-poc

I'm sorry if the code is difficult to read, especially in the important part where it generates the SafetyNet token.

EDIT: I don't think it's possible to generate coupons without having a real device "farming" tokens.

giacomoferretti avatar Sep 18 '19 23:09 giacomoferretti

@giacomoferretti Could you point me to the code that generates the dif-auth?

coolnickname avatar Sep 20 '19 11:09 coolnickname

@coolnickname SafetyNet token: CouponFragment.java#L256; McDonald's request: CouponFragment.java#L95

giacomoferretti avatar Sep 22 '19 12:09 giacomoferretti