weclome to ic0de.ws Check here


Thread Rating:
  • 1 Vote(s) - 3 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Writing a Simple Account Generator
#1
Code:
+-------------------+
|Simple Botting Tut |
|Author: backslash  |
|Twitter: backsla3h |
+-------------------+



> Part 0: Disclaimer

    Botting can violate the TOS of sites, be careful. This tutorial is 100% educational and is meant to demonstrate how it's performed. Also this tutorial is written in python, if you do not know python I highly recommend you watch this video: https://www.youtube.com/watch?v=rfscVS0vtbw to get the basics otherwise this tutorial will make very little sense when it comes to the code portion. Also in terms of setup you will need to install python along with the requests library using:
pip install requests


> Part 1: Web Requests

     When you access a website you are often times establishing a connection with a server where you send a request to get access to the website and the server will hopefully return you the requested data. When you use a browser such as chrome, edge, or Firefox you won't usually notice the requests being sent by you or the response from the server unless you use an external tool. For most browsers you can use the command "ctrl-shift-i" and it will open up the developer tools bar if you head over to the network tab and try to load a website it will give you a ton of data related to what is actually being sent back and forth:


This is by far one of the most important tools that I use while botting or creating webscrapers because it allows me to see what information I am sending to the site. When using it you can click on any of the loaded items and look at what these web requests look like.



As you can hopefully see by the image above the web request has some interesting things which you will end up hopefully using when botting, first off we have our "Request Url" this is pretty much the url of data in which we are sending. We also have something called the request method which is method in which we access that page, some of the most common web requests include:

     - GET = Getting information from target webpage
     - POST =  Sending data to the target website



I've also seen people use DELETE, UPDATE, and PUT for sending information, to a certain degree the method doesn't matter as long as you are aware of what data you are sending to the server just make sure that the method being used is consistent in your initial request (so from the image above since it's a get request we don't want to send a POST request because there is a chance the server will reject it and/or return an error code).





> Part 2: Botting our Site

    First we need our site I searched for a site that was gaming related and had a signin form since gaming sites tend to be pretty terrible when it comes to security/botting. The site I choose for this demo is: https://www.bigfishgames.com/. Lets first off navigate to the create an account page. I recommend you open up your developer tools (ctrl-shift-i). Once you load you developer tools make your way over to the network tab as described earlier. First send lets create an account you will see your network tab load a lot of unimportant information however if you look closely you will see something titled sign up. Lets click on that. It should look something like this:

'''

General:

  Request URL: https://susi.bigfishgames.com/ajax/signup
  Request Method: POST
  Status Code: 200 OK
  Remote Address: 23.78.32.158:443
  Referrer Policy: no-referrer-when-downgrade



Response Headers:

  Not going to show this all since its all stuff we wont need in this tutorial. However it can be important depending on the site.



Request Headers:

  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9,cy;q=0.8
  Connection: keep-alive
  Content-Length: 322
  Content-Type: application/x-www-form-urlencoded
  Cookie: longassbullshit
  DNT: 1
  Host: susi.bigfishgames.com
  Origin: https://susi.bigfishgames.com
  Referer: https://susi.bigfishgames.com/login?cookietest&l=XXSoKGxtAvZEi6-9Me2cexjBGBXrnHGqxWV6e2ixtQFD3LQd8jA7IP44K0o8fSAj_lZw3H-JsJgr_mRPDzQnM6phuJJqMuBa&ol=SCD8Gfc8RuIbWxxYdubfmA&sid=bd1RaILDpPd8qwPT5XNNbQ&lid=adfzcuBNBUd9kwu4Mo8dzw
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
  X-Requested-With: XMLHttpRequest



Form Data:

  action: reg
  reg_email: [email protected]
  reg_pass: example123!
  reg_pass_confirm: example123!
  reg_accept_tc: yes
  reg_persistent: yes
  cookietest: true
  l: XXSoKGxtAvZEi6-9Me2cexjBGBXrnHGqxWV6e2ixtQFD3LQd8jA7IP44K0o8fSAj_lZw3H-JsJgr_mRPDzQnM6phuJJqMuBa
  ol: SCD8Gfc8RuIbWxxYdubfmA
  sid: bd0RaILDpPd8qwPT5XNNbQ
  lid: adfzcuBNBUd9kwu4Mo8dzw

'''

alright now let's go through what this stuff really means. The request headers are all the things which we have in headers, which is like extra info that you send with your requests, since this site is poorly coded we don't need any of the info expect for the part that mentions that it accepts/json data. Something important that you will use in future botting is the user-agent. The user-agent specifies the potential device model being used which for some sites you will need to specify to bypass their anti botting mechanisms. Since the request we are making is post that means we are sending data to the site itself. In the request I made they have a ton of random stuff like sid which I assume means session id and lid since the devs are brain dead you can bypass there shitty cookie test which I assume is a method they are using to try and limit multiple account generation. Heres the modified data which you can send to the site and essentially create an account without trouble:

'''

          "action": "reg",
        "reg_email": email,
        "reg_pass": PASSWORD,
        "reg_pass_confirm": PASSWORD,
        "reg_username": full_username,
        "reg_optout_nl": "yes",
        "reg_accept_tc": "yes",
        "reg_persistent": "yes",
        "ol":""

'''

Now that we have an understanding of what we are sending to the site and the method we are using we can start writing the code. The language im using is python however you can code this in about any language.



'''python

import requests
import random
import string

'''

First we need to import the libraries which we intend to use, I will be using the requests library for sending web requests and the random + string library for random username generation.  After we have imported our code its important that we define some important strings such as the username base and the password for our bot accounts:

'''python

USERNAME_BASE = "BotAcc" #change this to whatever you want you could also use random_string to generate it
PASSWORD = "badPass123!" #For reference any site that requires you to keep your password between 5-12 chars is a bad website with poor security

'''

the username base was BotAcc for this demo however in a real-time application you would want to likely have a better form of username generation, the password was just badpass123! since they actually limit the string length of passwords which is always a bad sign when it comes to a websites security.

'''python

def random_string(length):
    str_config = string.digits
    rand_str = ''.join(random.choice(str_config) for i in range(length))
    return rand_str

'''



Afterwords we want to create a function (a block of code that can be reused and called) that generates a random string so we don't get the website telling us that this email/username has already been taken.

'''

def create_account():
    email = "%[email protected]" % random_string(8) #generate our random gmail
    full_username = "%s_%s" % (USERNAME_BASE, random_string(6)) #generate a random username using our username base + a randomly generated string
    acc_data = { #a dict with the data we want to send to our website
        "action": "reg", #the action of the webpage, in this case it's just reg
        "reg_email": email, #the email we use for registration
        "reg_pass": PASSWORD, #the account password
        "reg_pass_confirm": PASSWORD, #same thing for confirmation
        "reg_username": full_username, #account username
        "reg_optout_nl": "yes", #no clue but its a yes
        "reg_accept_tc": "yes", #accept terms of service
        "reg_persistent": "yes", #if you want login to persistent
        "ol":"" #no clue either
    }

    create_acc = requests.post("https://susi.bigfishgames.com/sallig/signup",  #send our post request to this website we use data=acc_data to send the info
        data=acc_data).json() #we use .json() at the end to make our data json formatted

    if str(create_acc["success"]) != "True": #if the response from creating our account isn't a success then it will print out the error
        print("> [ERROR] %s" % (create_acc))
        return

    print("> [Account Created] \n\tEmail: %s\n\tUsername: %s\n\tPassword: %s\n" % (email, full_username, PASSWORD)) #if the response is successfull it will print the details from the account

'''

I've added comments to the function above for creating the account anything with a hashtag is a python single line comment.

'''python



if __name__ == "__main__":
    while True:
        create_account()

'''

We use __name__ == "__main__" just for convention and for if we want to import this as a library and we dont want some code to be run by accident. This is pretty much the line of code which will call our function create_account() (which will create our account)



--- Full Code In Case you want to Copy paste ---

// this is the full code which you can copy and paste into a .py file and run it.

import requests
import random
import string


USERNAME_BASE = "BotAcc" #change this to whatever you want you could also use random_string to generate it
PASSWORD = "badPass123!" #For reference any site that requires you to keep your password between 5-12 chars is a bad website with poor security

def random_string(length):
    str_config = string.digits + string.ascii_lowercase
    rand_str = ''.join(random.choice(str_config) for i in range(length))
    return rand_str

def create_account():
    s = requests.Session()
    email = "%[email protected]" % random_string(8)
    full_username = "%s_%s" % (USERNAME_BASE, random_string(6))
    acc_data = {
        "action": "reg",
        "reg_email": email,
        "reg_pass": PASSWORD,
        "reg_pass_confirm": PASSWORD,
        "reg_username": full_username,
        "reg_optout_nl": "yes",
        "reg_accept_tc": "yes",
        "reg_persistent": "yes",
        "ol":""
    }
    create_acc = requests.post("https://susi.bigfishgames.com/sallig/signup",
        data=acc_data).json()
    if str(create_acc["success"]) != "True":
        print("> [ERROR] %s" % (create_acc))
        return
   
    print("> [Account Created] \n\tEmail: %s\n\tUsername: %s\n\tPassword: %s\n" % (email, full_username, PASSWORD))

if __name__ == "__main__":
    while True:
        create_account()


> Part 3: Conclusion

    In this botting example I did multiple things which I wouldn't normally do however since this is a tutorial I find them to be ok however I'd still like to make you aware on the things I would normally do. Normally I would implement a form of email authentication since that makes it incredibly hard for websites to mass ban bots, also I would cycle in the use of proxies which would make it even harder for limiting account generation requests and make it look like you are creating an account from a different web address. I would also highly recommend some sort of implementation with multithreading otherwise account generation could be incredibly slow. Regardless I hope this tutorial made some sense if you have any questions feel free to ask.



    - Happy Botting, backslash

[Image: f7a153930931a7e636d6e805546ae8e1.png]
[-] The following 1 user Likes Technic's post:
  • 0xadmin
Reply
#2
Please, excuse me for the spamy post, but: Your post is eskewed.

You wrapped the entire post in the CODE TAG.

If you don't mind: I'd like to edit it.
Discord moderator
[-] The following 1 user Likes Muted's post:
  • Xyt0
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)