How to decode fingerprint BDA of FunCaptcha

1. What is BDA?

BDA is a concept used by FunCaptcha. BDA stands for Browser Data Analysis. This is a technique used by FunCaptcha to collect and identify browser fingerprint information.

So why does FunCaptcha need BDA? One of its most important purposes is to prevent fraud and block bots.

Therefore, if you want to build automatic captcha solving tools, you need to understand the meaning of the information that FunCaptcha collects inside the BDA technique.

1.1. What information is collected inside BDA?

FunCaptcha gathers a wide range of browser and device-related data points, including:

  • Browser user agent (UA)
  • Screen resolution
  • Time zone
  • Installed fonts and plugins
  • Touch/click patterns
  • WebGL fingerprints
  • Browser history length
  • Operating system information, audio and video fingerprints, and many other data points

It can be seen that almost all information about the user's browser and device will be collected and analyzed.

1.2. Is the data collected by BDA encrypted?

The answer is definitely yes. Without encryption, developers could easily reverse engineer and decode the structure, and from there easily generate a bunch of FunCaptcha tokens. So you came to this article to learn how to decode BDA, right?

After collecting all the information listed in section 1.1, FunCaptcha encrypts it to create the BDA token. The FunCaptcha token is then created based on this information.

1.3. Why is BDA Important in FunCaptcha?

BDA is definitely the most important part of FunCaptcha. I will list the 2 most important reasons, which are also the purposes FunCaptcha designed BDA for:

  • Bot Mitigation: By analyzing a wide range of behavioral and environmental data, FunCaptcha's BDA can help identify bots based on their interaction with the browser and system.
  • Security: BDA ensures that even advanced bots, which might try to mimic human-like interactions, find it challenging to generate a valid BDA token.

There are many more theories but I'm sure you don't care much, LOL. So let's move on to part 2, which is how to decode the encoded parameters in BDA.

2. Decode BDA with NodeJS

To decode and reverse engineer BDA, of course, the BDA Token value is indispensable, right? But that's not enough, you need another important parameter, and without it, don't even think about reverse engineering.

And that important information is ... User Agent!

2.1. How to get BDA token and user agent information?

I will give a specific example using the registration of a Twitter/X account. Open the developer tools in your browser (F12), go to x.com, start registering a new account, and wait until the captcha verification is displayed.

Switch to the Network tab and find the API with a path similar to: https://client-api.arkoselabs.com/fc/gt2/public_key/2CB16598-CB82-4CF7-B332-5990DB66F3AB

Note that the value 2CB16598-CB82-4CF7-B332-5990DB66F3AB is the public key for the Twitter desktop registration page. This public key varies depending on the website using FunCaptcha.

Now click on the Payload tab of this API to extract the BDA token and user agent:

As you can see, the BDA token is an encrypted string. Now copy the BDA and user agent to start decoding.

2.2. Decode BDA token.

I have prepared a project written in NodeJS to run the decoding. It is publicly available on GitHub; download it to your computer to run it.

Copy the BDA token value and save it to the bda.txt file, then do the same with the user agent and save it to the useragent.txt file.

If you are on Windows, you can use the bat files provided. First run install.bat to install the necessary node_modules.

Then run start.bat to start decoding. The decoding result will be saved to the decode.txt file.

What if you use macOS or an operating system other than Windows?

Simply type the following two commands into the terminal:

# Install node_modules, ignore if you have already installed
$ npm install

# Run code
$ node index.js

And here is the result... (note that it has been formatted as JSON for easy reading)

There, the decoding is done. You can see that there is a lot of information, such as the WebGL fingerprint, fonts, time zone, and screen size. Some other information is still encrypted (we will learn about it gradually).

Later, if I have time, I will share a further series of articles on building a complete FunCaptcha token generator tool. This article is already long, so see you in the next one.
