XVI Cookie Gen Guide v3
Author: XVI
XVI SOLUTIONS
VERSION 3
AKAMAI COOKIE GENERATION
1) Introduction
a) Purpose: Generate valid sensor data
b) Development Platform: Desktop => Windows 10/macOS
c) General Info:
i) Antibot Systems
(1) Akamai (current version 1.63)
(2) How Akamai Works (all commands are evaluated in web console)
(a) Mouse motion, clicks, and other interactions are collected/updated with bmak.cma(), bmak.cdma(), etc.
(b) Send the bmak.aj_indx = parameter to indicate what Akamai wall you are on
(i) Ftl example: before atc aj_indx is 1, in cart aj_indx is 2, payment aj_indx is
(c) Send bmak.wr = ANGLE (your GPU here Direct3D11 ps_5_0 vs_5_0) to fake the GPU
(d) Finalize sensor data by sending bmak.bpd()
(e) Sensor Data => External Server => _abck (note: valid _abck cookies look different per site!)
(i) The external server looks at this data with an NN and if it looks like a bot then it won’t
distribute a valid cookie
(ii) The sensor data is all generated by a LOCAL JS script in the browser that is easy to de-obfuscate (this repo should have it…)
(iii) Although valid cookies look different, they should have “=” at the end of the cookie
(f) If _abck is valid and matches the session cookie, then Akamai will let you into the endpoint you are trying to access (checkout/cart/etc.)
(i) Some sites have multiple Akamai “walls” (ex. Footlocker needs 3 cookies per task)
2) Description
a) Program Flow:
i) Method A (Good):
(1) Cookie gen can be done with ghost-cursor
(a) This is SEMI REQUESTS and more expensive
(2) Checkout is continued through puppeteer or done by requests
(a) The important part is that a browser must be opened to get past Akamai
ii) Method B (Better):
(1) Pre-generate sensor data before drop with puppeteer/ghost-cursor in our own page
(a) This is SEMI REQUESTS
(b) The sensor gen code can be used to make a
(2) Edit the timestamp of the sensor data to reflect the current time
(3) Open a browser once we pass the splash page
(4) Check out and submit cookie & payment through puppeteer
(a) This means the session spec cookie does not matter, so less data is being pushed
iii) Method C (Best):
(1) Pre-Generate cookies/session cookie with puppeteer/ghost-cursor
(2) Send to JSON file
(3) Read from JSON file and use in bot as needed
(a) YS cookies are good for a bit
(b) This is PURE REQUESTS
3) Things to Keep in Mind
a) The limit for generating cookies is 10 cookies per IP if your sensor data is bad
b) You can make about 5 requests per _abck cookie before it’s bad
c) There are better ways to do this, but browser gens are a good start
d) If you plan on making non-browser gens, cubic Bézier curves with intermediate points on one side of their parent line are a good start (and so is PyTorch).
e) Sometimes TLS fingerprinting can ruin your day
f) “ping that mf endpoint”
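
A defender-side view of Method C and the TLS fingerprinting note above, as an added example that is not part of the original guide: a cookie minted in one client and replayed from another appears in edge logs as one _abck value tied to several TLS fingerprints or IPs. The log schema (ts, ip, tlsFp, abck), the thresholds and every sample record are assumptions constructed for illustration.

```javascript
// Added defender-side example. The edge-log schema (ts, ip, tlsFp, abck) is
// hypothetical and every record below is constructed sample data.
const SAMPLE_LOG = [
  { ts: 1000, ip: "198.51.100.7", tlsFp: "fp-browser-A", abck: "cookie-A=" },
  { ts: 1005, ip: "198.51.100.7", tlsFp: "fp-browser-A", abck: "cookie-A=" },
  { ts: 1010, ip: "203.0.113.20", tlsFp: "fp-headless", abck: "cookie-B=" },
  { ts: 1400, ip: "192.0.2.55", tlsFp: "fp-http-lib", abck: "cookie-B=" },
  { ts: 1401, ip: "192.0.2.55", tlsFp: "fp-http-lib", abck: "cookie-C=" },
  { ts: 1402, ip: "192.0.2.55", tlsFp: "fp-http-lib", abck: "cookie-D=" },
];

// Index requests by _abck value and by client IP.
function summarize(records) {
  const byCookie = new Map();
  const byIp = new Map();
  for (const r of records) {
    if (!byCookie.has(r.abck)) byCookie.set(r.abck, { ips: new Set(), fps: new Set() });
    const c = byCookie.get(r.abck);
    c.ips.add(r.ip);
    c.fps.add(r.tlsFp);
    if (!byIp.has(r.ip)) byIp.set(r.ip, new Set());
    byIp.get(r.ip).add(r.abck);
  }
  return { byCookie, byIp };
}

// Heuristics (assumed, tune per site): one cookie seen with several TLS
// fingerprints or IPs, and one IP presenting many distinct cookies.
function findSuspicious(records, maxCookiesPerIp = 10) {
  const { byCookie, byIp } = summarize(records);
  const findings = [];
  for (const [abck, c] of byCookie) {
    if (c.fps.size > 1) findings.push({ kind: "cookie-multi-tls", key: abck, detail: [...c.fps].sort() });
    if (c.ips.size > 1) findings.push({ kind: "cookie-multi-ip", key: abck, detail: [...c.ips].sort() });
  }
  for (const [ip, cookies] of byIp) {
    if (cookies.size > maxCookiesPerIp) findings.push({ kind: "ip-many-cookies", key: ip, detail: cookies.size });
  }
  return findings;
}

console.log(findSuspicious(SAMPLE_LOG, 2));
```

Legitimate clients can change IP mid-session, so the multi-IP finding is better used as a scoring input than as a block rule; a change of TLS fingerprint under the same cookie is the stronger signal.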