nike SNKRS风控协议分析

“ 分析nike snkrs风控策略。”

大家好，好久未更新，这是年前对NIKE SNKRS的风控策略的分析。可能大部分朋友对NIKE SNKRS不够熟悉，但一定对炒鞋有所了解。SNKRS是nike用来发售抽签的一款软件，也就是炒鞋的源头。

SNKRS能实现下单、抽签等功能。每次SNKRS新鞋发售时，专业的抢鞋人士使用大量的账号来进行抽签，以提高中签几率。为防止抢鞋，当然SNKRS会有些风控策略，对SNKRS协议分析的过程，就是分析风控的过程。

NIKE对SNKRS的实现过程中，使用了Akamai的风控，这个风控的关键是一段sensor_data的生成。

本文对SNKRS的风控策略和登录过程进行分析，登录能过风控，其它操作当然也可以，逻辑都是一套。

01 sensor_data

在登录之前，需要发送sensor_data，来获取风控的新“_abck”cookies字段，sensor_data大概像下面的这样：

{"sensor_data":"7a74G7m23Vrp0o5c9039121.45-1,2,-94,-100,Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0,uaend,11059,20100101,en-US,Gecko,0,0,0,0,388594,8199782,1920,1040,1920,1080,1920,716,1936,,cpen:0,i1:0,dm:0,cwen:0,non:1,opc:0,fc:1,sc:0,wrc:1,isc:74,vib:1,bat:0,x11:0,x12:1,5511,0.689185033344,789674099894,loc:-1,2,-94,-101,do_en,dm_en,t_dis-1,2,-94,-105,-1,2,-94,-102,-1,2,-94,-108,-1,2,-94,-110,0,1,6,807,702;1,1,3811,613,702;2,1,3872,645,664;3,1,3877,694,593;4,1,3910,713,561;5,1,3929,724,543;6,1,3944,735,531;7,1,3961,745,521;8,1,3977,749,517;9,1,3994,763,504;10,1,4010,770,499;11,1,4027,775,496;12,1,4044,777,494;-1,2,-94,-117,-1,2,-94,-111,-1,2,-94,-109,-1,2,-94,-114,-1,2,-94,-103,-1,2,-94,-112,https://www.nike.com/cn/zh-Hans/checkout-1,2,-94,-115,1,64291,0,0,0,0,64290,4059,0,1579348199788,6,16895,0,13,2815,0,0,4060,47362,0,F89D11D8CFF1DA94E432C83A3F002E03~-1~YAAQTf2Yc0G3Q5NvAQAAFf98uAM8474BuzsjQQmR8RtA21VgCJ5igKQ8IPCoNC7E4j4pIqQJ/16r8veY5+RgI+KeW1cYwySsYtPidpJI+K5e8C3r2bnVSBYAZ2LcGtlEPn6HH1h41R+N7gVayC0idA5h1tzR8g2d83PJqeuGIWARp0H5yz20km/hoLsWzaHcqMD+Z0Aot54KSztefizL/jAGMCcYp2eE3UYskELUjL42qtsUuqIMcP3/7XtOGrGxF+zRT5h0Wbk5Z1JUSTgP9NQsATzhzSLL54VtR+RPuMEBsKRmTp1K/Btj3EGGxvlglPeEVqCAc4F+h1ADqlVRHs6lFA==~-1~||1-deNOGtDFFK-2500-100-3000-2||~-1,33473,292,614601331,26067385-1,2,-94,-106,8,2-1,2,-94,-119,200,0,0,200,0,400,0,0,0,200,0,0,200,400,-1,2,-94,-122,0,0,0,0,1,0,0-1,2,-94,-123,-1,2,-94,-124,0.172159c78b8f2,0.7ebc3bdf70dbf,0.6526f167991fb8,0.4fcbc0942360c8,0.e4ecd39bd638f,0.fc7b36857861,0.1c3995601243b8,0.6ea01e2477e9c,0.8da78f42fc8bc,0.088f790a1fcb88;39,59,17,48,5,36,17,22,16,11;2363,4546,1597,3346,358,3280,1483,2074,1214,997;F89D11D8CFF1DA94E432C83A3F002E03,1579348199788,deNOGtDFFK,F89D11D8CFF1DA94E432C83A3F002E031579348199788deNOGtDFFK,2500,2500,0.172159c78b8f2,F89D11D8CFF1DA94E432C83A3F002E031579348199788deNOGtDFFK25000.172159c78b8f2,34,49,25,207,93,75,16,232,191,204,60,100,140,100,102,85,193,146,121,152;-1,2,-94,-125,-1,2,-94,-70,-719743499;dis;;true;true;true;-480;true;24;24;true;false;unspecified-1,2,-94,-80,5893-1,2,-94,-116,73798023-1,2,-94,-118,121170-1,2,-94,-121,;1;9;0"}

nike SNKRS的sensor_data由一个加密的js生成，这个js的位置是https://www.nike.com/static/xxxxxxx。地址每个版本不同。

这里列出数据包含的内容如下：

  '-1,2,-94,-100,': 'user_agent', 
  '-1,2,-94,-101,': 'sensor_status',
  '-1,2,-94,-105,': 'inform_info_pre',
  '-1,2,-94,-102,': 'inform_info', 
  '-1,2,-94,-108,': 'keyboard_action',
  '-1,2,-94,-110,': 'mouse_action',
  '-1,2,-94,-117,': 'touch_action',
  '-1,2,-94,-111,': 'device_orientation',
  '-1,2,-94,-109,': 'device_motion',
  '-1,2,-94,-114,': 'pointer_action',
  '-1,2,-94,-103,': 'display_change',
  '-1,2,-94,-112,': 'current_url',
  '-1,2,-94,-115,': 'cookies',
  '-1,2,-94,-106,': 'aj_counter',
  '-1,2,-94,-119,': 'performance',
  '-1,2,-94,-122,': 'env_config',
  '-1,2,-94,-123,': 'mn_r_1',
  '-1,2,-94,-124,': 'mn_r_2',
  '-1,2,-94,-125,': 'mn_r_3',
  '-1,2,-94,-70,': 'fp_val',
  '-1,2,-94,-80,': 'fp_val_enc',
  '-1,2,-94,-116,': 'start_time', 
  '-1,2,-94,-118,': 'sensor_env',
  '-1,2,-94,-121,': 'footer',

数据内部有不少校验、时间和动作检测，构造正确的数据，是过风控的第一步，不过，部分检测比较菜，只是走过场。

下面是翻译出的sensor_data最终生成代码：

bmak["sensor_data"] = bmak["ver"] + "-1,2,-94,-100," + n + "-1,2,-94,-101," + i + "-1,2,-94,-105," + bmak["informinfo"] + "-1,2,-94,-102," + c + "-1,2,-94,-108," + bmak["kact"] + "-1,2,-94,-110," + bmak["mact"] + "-1,2,-94,-117," + bmak["tact"] + "-1,2,-94,-111," + bmak["doact"] + "-1,2,-94,-109," + bmak["dmact"] + "-1,2,-94,-114," + bmak["pact"] + "-1,2,-94,-103," + bmak["vcact"] + "-1,2,-94,-112," + b + "-1,2,-94,-115," + f + "-1,2,-94,-106," + d,
bmak["sensor_data"] = bmak["sensor_data"] + "-1,2,-94,-119," + bmak["mr"] + "-1,2,-94,-122," + v + "-1,2,-94,-123," + h + "-1,2,-94,-124," + g + "-1,2,-94,-125," + w;
var y = bmak["ab"](bmak["sensor_data"]);
bmak["sensor_data"] = bmak["sensor_data"] + "-1,2,-94,-70," + bmak["fpcf"]["fpValstr"] + "-1,2,-94,-80," + p + "-1,2,-94,-116," + bmak["o9"] + "-1,2,-94,-118," + y + "-1,2,-94,-121,",

var C = bmak["od"](bmak["cs"], bmak["api_public_key"])["slice"](0, 16),
S = Math["floor"](bmak["get_cf_date"]() / 36e5),
j = bmak["get_cf_date"](),
E = C + bmak["od"](S, C) + bmak["sensor_data"];
bmak["sensor_data"] = E + ";" + (bmak["get_cf_date"]() - a) + ";" + bmak["tst"] + ";" + (bmak["get_cf_date"]() - j)

这个里面，user_agent和cookies两个字段的内容比较多，其它的内容就比较少了，如果想要分析协议，最好是把它的生成过程跟一遍，这里就没必要详细写了，后面会有一篇详细的文章，讲如何将sensor_data生成代码翻译成人话。

02 登录

上一步的sensor_data是否通过校验，决定了登录是否能够成功，登陆是向https://unite.nike.com/login?发送数据，query字段如下：

{'appVersion': 660,
 'experienceVersion': 660,
 'uxid': ux_id,
 'locale': 'zh_CN',
 'backendEnvironment': 'identity',
 'browser': browser,
 'os': 'undefined',
 'mobile': 'false',
 'native': 'false',
 'visit': 1,
 'visitor': uuid}

数据体字段如下：

{"username": username,  
 "password": password, 
 "client_id": client_id,
 "ux_id": ux_id,
 "grant_type": "password"}

登陆成功则返回一个json数据，包括access_token、expires_in、token_type、rrefresh_token、user_id等。

如果服务器返回403 Access denied，大概率是风控没通过。

整个过程中的cookies里比较重要的是bm_sv和_abck。

登录成功后会向https://unite.nike.com/account/user/v1发起请求，获取账号的基本信息。

到这里，还需要设置一个unite_session的cookies，设置好后就畅通无阻了。这个cookies需要向https://unite.nike.com/auth/unite_session_cookies/v1发送登录成功返回的json数据，该服务器直接将数据加入cookies返回，需要注意，构造的请求体里面别带不必要的空格，否则会返回错误。

如果返回类似下面的这段内容，就是成功了。

HTTP/2 200 OKcontent-type: application/octet-streamset-cookie: unite_session=xxxxx

03 后记

这里是老版本的sensor_data，新的版本应该变了不少，希望对大家有点启发，少走弯路。

这个sensor_data的值，每个版本都会增加东西，很头疼，当然，还有些别的数据。

依稀记得，春节期间，我把这个版本的风控过了之后，很是开心，然后风控版本更新，我就再也过不去了，没找到具体原因，再搞了一阵，就放弃了，希望大家好运。

如果有兴趣，我这里有当时几个版本的资料，比较乱，但是还是可以勉强分享下的。

---

长按进行关注，时刻进行交流。