Agbalagba22

[GUIDE] Multi Accounting & Botting
~11.4 mins read
INTRODUCTION
1. My aim with this post
This guide is for everyone who wishes to learn about multi-accounting and botting. Throughout this guide, I have tried to cover everything there is to know about this world. It doesn't matter if you are a beginner; my attempt with this post is to share everything I know so that you can start your journey as fast as possible and get an overview of what to look out for, possible hurdles you might face and how to overcome them. I have worked in this niche for about three years, making complex bots, scrapers, and numerous reverse engineering projects for clients, myself, and sometimes just for fun! My goal with sharing this is to contribute to the community and possibly create an environment (thread) to discuss a more modern approach for stealth botting and multi-accounting.

2. Overview
Here's a quick look at all the chapters I've discussed in this post.
Feel free to jump to a specific topic if you are familiar with most things and just interested in something specific.

Chapter 01: Tracking
Chapter 02: Network OPSEC
Chapter 03: Virtual Machines (VMs)
Chapter 04: Containers
Chapter 05: Normal Browsers
Chapter 06: Anti-Detect Browsers
Chapter 07: Mobile & Mobile Farms
Chapter 08: Automation & Botting
Chapter 09: Private API & Reverse Engineering
Chapter 10: Final Thoughts
Chapter 11: References


CHAPTER ONE
TRACKING
1. What is tracking?
What is stopping you from registering a thousand accounts and automating them? Knowing who your opponents are is always a sane idea so you can make informed and logical decisions instead of simply shooting arrows blindly. I highly recommend you go through this section first so that when we discuss actual methods, you can make informed choices for the amount of stealth you require based on your needs. Depending on the website or app, you might deal with all, some, or none of the hurdles I've discussed in this section. The only way to get it right is to experiment with the bare minimum first (tools you have in hand), then maybe try out an overblown setup (premium proxies, etc.) if the bare minimum doesn't work, and then finally land somewhere in between by experimenting and making logical decisions to start scaling.

2. Footprints
These are user-generated traces meant to track and identify spammy behaviours and bots. Below are some of the most common footprints and how to deal with them.

a) Content metadata & hashes
Any media you upload, download, or capture has metadata attached. It can be used to identify various things like geolocation, content sources, etc. Most social media also store a hash of the content, which can be used to determine if the same content is being re-uploaded.
To deal with metadata, you can strip it using various tools and libraries or, even better, spoof the metadata with a new one so it looks more organic.
To deal with hashes, you can do several things like pixel manipulation, colour manipulation, cropping, etc.

b) Usage patterns
How an account is being used matters a lot. If you keep following random people on Instagram 24/7, then it's an obvious giveaway. Websites also limit how many actions can be executed in a given timeframe. You may also stand out if your actions don't align with the millions of other users they have on their platform. To counter this, be as human as possible. Be random enough, but not too random. For example, to farm Gmail accounts, you must first farm out cookies by visiting random websites, doing Google searches, watching YouTube, etc. We will cover this in more depth under the passive fingerprinting section.
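From the platform's side, the content-hash footprint described under (a) is usually a perceptual hash rather than a byte-exact one. The following is an added example, not code from the original post: it compares SHA-256 with a difference hash (dHash) over constructed grayscale images, and the image generator, the simulated edit and the `max_distance` threshold are all assumptions.

```python
import hashlib

W, H, COLS, ROWS = 72, 64, 9, 8  # constructed 72x64 grayscale image, 9x8 dHash grid

def make_image(phase):
    """Constructed sample: triangle wave across x plus a vertical ramp (0-247)."""
    return [[((t if t < 24 else 47 - t) * 8) + y
             for t in ((x + phase) % 48 for x in range(W))]
            for y in range(H)]

def light_edit(img):
    """Constructed 're-upload': +3 brightness and scattered +5 pixel tweaks."""
    return [[min(255, v + 3 + (5 if (x + y) % 7 == 0 else 0))
             for x, v in enumerate(row)]
            for y, row in enumerate(img)]

def exact_hash(img):
    """Byte-exact digest: changes completely if any single pixel changes."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def dhash(img):
    """Difference hash: reduce to 9x8 block sums, then emit one bit per
    horizontally adjacent pair (1 if the left block is darker)."""
    bw, bh = W // COLS, H // ROWS
    bits = 0
    for r in range(ROWS):
        sums = [sum(img[y][x]
                    for y in range(r * bh, (r + 1) * bh)
                    for x in range(c * bw, (c + 1) * bw))
                for c in range(COLS)]
        for left, right in zip(sums, sums[1:]):
            bits = (bits << 1) | int(left < right)
    return bits

def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")

def is_reupload(img_a, img_b, max_distance=10):  # threshold is an assumed value
    return hamming(dhash(img_a), dhash(img_b)) <= max_distance

if __name__ == "__main__":
    original = make_image(4)
    edited, other = light_edit(original), make_image(28)
    print("exact match:", exact_hash(original) == exact_hash(edited))
    print("dHash distance, edited:", hamming(dhash(original), dhash(edited)))
    print("dHash distance, other: ", hamming(dhash(original), dhash(other)))
```

The byte-exact digest differs after the edit while the dHash distance stays at zero, which is why matching on perceptual distance survives small pixel and colour changes.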

3. Fingerprints
Fingerprinting involves collecting a range of metadata from the device to create a unique hash that can be used to identify whether two or more accounts are correlated or whether an account/profile can be trusted. Fingerprinting can roughly be divided into two sub-categories.

a) Active
Raw device metrics actively collected by apps and websites make up active fingerprints. Depending on the platform (browser or mobile), they can include anything like user agent, battery percentage, CPU count, canvas, WebGL, GPU metadata, audio metadata, language, timezone, screen properties, and much more! In further sections, we will discuss how this can be spoofed.

b) Passive
Browser history, browser profile age, typing speed, and mouse movements can also be tracked/monitored by background agents to generate a trust score. In rare cases, everything matters, including how many social accounts are made with an email and its resulting fraud score. You would have a terrible time if your trust score is low and/or your fraud score is high. To counter this, be as human as possible; I can't stress this enough! Age your profiles and cookies! If you are targeting multiple platforms, create an alias that interacts with all socials (like a human) instead of explicitly targeting one.


CHAPTER TWO
NETWORK OPSEC
1. Proxy
Websites can also track where requests come from and which accounts are associated with which IPs and subnets. They might also know if you are using an IP whose subnet has been flagged, has a low trust score or if the IPs are public/datacentre. As a first measure, you should always use a good proxy. There are roughly three types of proxy: Datacenter, Residential, and Mobile. They can further be bifurcated into static and rotating.

Datacenter proxies are usually the cheapest but won't work for most social media. There are many debates between residential and mobile proxies for social media, and I'd say it depends on the use case. If you wish to register many accounts and don't care about using them instantly, residential proxies should be good enough, although the same can be done using mobile proxies. But if you wish to use accounts actively (automated or manual), then mobile proxies are your best bet! Simply register/log in, use the account, rotate the IP, and repeat the cycle with a new account. For social media applications, you'd ideally use a mobile proxy that would rotate IPs within the same subnet. Accounts jumping from country to country are obviously suspicious.

Some use VPNs, but I can't comment on this as I have never tried it and am biased towards mobile proxies. Feel free to experiment with this for your specific use case.

2. WebRTC
When using proxies with browsers, you should mask or spoof WebRTC leaks. WebRTC reveals your IP even when a proxy is active. For a regular browser, you would install an extension that disables WebRTC. Anti-detect browsers usually support WebRTC spoofing; you just need to enable it in profile settings. When using H3-compatible clients and proxies, you won't need to worry about this, as UDP will be proxied, and your IP will be masked completely.

3. HTTP/3
Many websites are now moving to HTTP/3, a new request protocol. Most proxy providers don't support it, and even if they do, your client most likely doesn't support proxying H3 requests. Proxying the H3 protocol is a must for platforms like Instagram.
To counter this, first, you'd need a proxy provider that supports UDP or any VPN protocols like ShadowSocks or OpenVPN. These protocols proxy UDP natively when using supported clients. If your proxy supports UDP, you can use software like ProxyCAP to route TCP and UDP traffic through your proxy. For VPN protocols, you'd use their recommended client to route traffic.

4. TCP/IP Fingerprint
Yes, your IPs leak fingerprints, too! Websites can know what OS you use by your TCP fingerprint and cross-check it with your user agent. When using a proxy, this will generally say Linux, regardless of your OS. You might also need to spoof these fingerprints for some rare use cases. This can only be spoofed by your proxy provider, and some rare providers support OS spoofing for their proxies.
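The cross-check described in the TCP/IP fingerprint section, seen from the site's side, as an added example that is not part of the original post. The signature table is a simplified p0f-style assumption (initial TTL plus TCP option order), and the sample connections, field names and verdict labels are constructed for illustration.

```python
import re

# Simplified p0f-style SYN signatures (illustrative, not a full database):
# (initial TTL, TCP option order) -> OS family.
SYN_SIGNATURES = {
    (64, ("mss", "sok", "ts", "nop", "ws")): "linux",
    (128, ("mss", "nop", "ws", "nop", "nop", "sok")): "windows",
    (64, ("mss", "nop", "ws", "nop", "nop", "ts", "sok", "eol")): "apple",
}

# First match wins; Android is tested before the generic "Linux" token
# that its User-Agent also contains.
UA_RULES = [
    (re.compile(r"Windows NT"), "windows"),
    (re.compile(r"Android"), "linux"),  # Android runs a Linux kernel
    (re.compile(r"iPhone|iPad|Mac OS X"), "apple"),
    (re.compile(r"Linux|X11"), "linux"),
]

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    return next((base for base in (64, 128, 255) if observed <= base), None)

def os_from_syn(ttl, options):
    """OS family implied by the SYN packet, or None if no signature matches."""
    return SYN_SIGNATURES.get((initial_ttl(ttl), tuple(options)))

def os_from_user_agent(ua):
    """OS family claimed by the User-Agent header, or None if unrecognised."""
    return next((fam for rx, fam in UA_RULES if rx.search(ua)), None)

def cross_check(conn):
    """Compare the network-layer OS with the application-layer claim."""
    net = os_from_syn(conn["ttl"], conn["options"])
    app = os_from_user_agent(conn["ua"])
    if net is None or app is None:
        verdict = "unknown"
    else:
        verdict = "consistent" if net == app else "mismatch"
    return {"src": conn["src"], "tcp_os": net, "ua_os": app, "verdict": verdict}

WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
IOS_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"

# Constructed sample connections (documentation-range source addresses).
SAMPLE = [
    {"src": "192.0.2.10", "ttl": 115, "ua": WIN_UA,
     "options": ["mss", "nop", "ws", "nop", "nop", "sok"]},
    {"src": "198.51.100.7", "ttl": 52, "ua": WIN_UA,   # Linux stack, Windows claim
     "options": ["mss", "sok", "ts", "nop", "ws"]},
    {"src": "203.0.113.5", "ttl": 57, "ua": IOS_UA,
     "options": ["mss", "nop", "ws", "nop", "nop", "ts", "sok", "eol"]},
    {"src": "192.0.2.44", "ttl": 50, "ua": LINUX_UA,   # option layout not in table
     "options": ["mss", "nop", "nop", "sok"]},
]

if __name__ == "__main__":
    for conn in SAMPLE:
        print(cross_check(conn))
```

A mismatch also appears for ordinary users behind corporate proxies, VPNs or carrier gateways, so it is better treated as one input to a risk score than as a blocking rule on its own.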


CHAPTER THREE
VIRTUAL MACHINES (VMs)
1. Introduction
This age-old method involves simply using any hypervisor software to create a dedicated environment for a new profile. You must still mask your IP using a proxy, but the hypervisor does most of the spoofing for you. You can create VMs with varying system specifications to create accounts.

a) Websites
Many popular hypervisors, such as VirtualBox, VMware, Proxmox, and QEMU, can be used to create dedicated VMs for accounts.
There's also Qubes OS, where every browser instance you initialize starts within a new, fresh VM.

b) Apps
For mobile apps, you can use emulators like BlueStacks.

2. My thoughts on this method
This method is okay if you need quick disposable accounts but don't wish to pay for anti-detect browsers. However, VMs are resource-hungry and slow to boot, so I won't suggest using them for any operation that requires scaling.


CHAPTER FOUR
CONTAINERS
1. Introduction
This method revolves around containerization technology, which is available primarily on Linux. Containers are nothing but very lightweight VMs. One of the most popular ways of using this tech is by using Docker.
You can start browser instances within containers, forward the WSS port and connect your automation script directly to the browser instance within the container. You may also enclose your automation script within the container and connect directly to the browser from within the container. There are projects like docker-android that let you emulate Android within Docker itself.

2. My thoughts on this method
This method is okay where medium scaling is required, as containers are lightweight, but browsers are not. But it's also not as complex as reverse engineering and faster to prototype. However, you must also consider that the environment is lost once the container is killed, so you should mostly use it when reproducing the OS environment is not necessary. Once, I created a solution for Zoom bots; since Zoom doesn't require login to join a meeting, no state was required to be maintained. This was the perfect situation for using this method. At one point, we had about 10k bots running in parallel using this method. We could quickly scale this to any number of bots based on demand as long as we had enough proxies and resources available.


CHAPTER FIVE
NORMAL BROWSERS
1. Introduction
For some platforms, a normal Firefox browser should be enough, with a few extra plugins for stealth. If you wish to use Chrome, you can look into projects like Ungoogled Chromium. But you'd have to do a lot of spoofing yourself manually. There are projects called FakeBrowser and FakeChrome that no longer work, but if you know how to read some code, you should be able to rewrite most of the evasions by referring to those projects. There's also a new tool in the market called fingerprint switcher. You might look into it, but it only supports Windows at the time of writing this.

2. My thoughts on this method
This method is okay where medium scaling is required because, again, this is a browser. This allows quick prototyping but is slightly complex as you handle stealth yourself. However, it's much faster and easier than reverse engineering. I developed a solution based on this for an SMM panel company a while back; once the hurdle of stealth was overcome, developing and maintaining the rest of the product was a breeze.


CHAPTER SIX
ANTI-DETECT BROWSERS
1. Introduction
If you don't care much about doing things yourself and are fine paying someone to handle all the complexities, you can go with anti-detect browsers. Note that anti-detect browsers have their limitations and might not work for some platforms.

2. My thoughts on this method
This is an excellent solution if you only care about creating and/or managing a limited set of accounts. However, it might become costly at scale. Not all anti-detect browsers support automation, so this is something to look out for.


CHAPTER SEVEN
MOBILE & MOBILE FARMS
1. Introduction
This is a goldmine if you can figure out how to make it work. Some of the highest-quality accounts can be created and maintained using mobile farms. You would need a jailbroken mobile and use some tools to modify its specs on the fly to create multiple accounts on the same device, one after the other. Scale this setup to 500 or 1000 devices?! I have never gone down this path, but I know two journeys here that I'd recommend you go through to learn more.
a) AllOutAnime's Journey
b) evex's Journey

2. My thoughts on this method
It can be costly compared to other methods, but it's also the only way to automate some platforms like Instagram.


CHAPTER EIGHT
AUTOMATION & BOTTING
1. Browser Automation
Several frameworks exist for browser automation, including Selenium, Puppeteer, and Playwright. Their documentation is pretty straightforward. My favourite is Playwright, and I highly recommend you avoid Selenium (it is possible to make it work, but still, a lot of work).

2. Android Automation
I've used Appium before, but nothing is in production yet, so please refer to the journeys I've mentioned under the Mobile & Mobile Farms chapter.

3. GUI Automation
You can use ADB (optional because some apps check if developer options are enabled) and any GUI automation frameworks like AutoIt or pywin32 to automate Android emulators. This automation heavily depends on screen capturing, OCR, and image recognition, but it is very effective. A while ago, I made an Instagram registration script using this method. You can even hook into BlueStacks and launch new profiles with different configs by modifying some Windows registry keys.


CHAPTER NINE
PRIVATE API & REVERSE ENGINEERING
1. Introduction
It is the act of intercepting and extracting private APIs from any app or website and replaying them by modifying the requests. Some payloads might contain encrypted data, so you might need to go through the source code to reproduce its functionality.

2. Reverse Engineering Web Apps
There is not much to say; Chrome dev tools are your friend! You can also use tools like Burp Suite or HTTP Toolkit to intercept the requests, as they have more advanced filtering methods. Depending on the situation, you can use various methods to extract specific functionality. Sometimes, a Chrome debugger is enough; other times, you would need to write a deobfuscator yourself.

3. Reverse Engineering Mobile Apps
The biggest hurdle is SSL pinning. You can easily bypass it using Frida. If that doesn't work, decompile and modify the app to trust user certificates. Recompile the app, sign, install, and intercept requests as always with Burp Suite, Proxyman, or HTTP Toolkit. Get into the habit of reading smali code to do static analysis when required. Using Frida, you can hook into functions and understand their behaviour to replicate their functionality.

4. My thoughts on this method
This is my personal favourite. The end implementation is very lightweight and, hence, very scalable. But it is also tremendously difficult, depending on the website or social you target.


CHAPTER TEN
FINAL THOUGHTS

There is no correct answer for botting and multi-accounting. It depends on your needs, the scale of your operation, and the app/website you are targeting. But everything covered here should hopefully give you a good picture of everything you might need to look out for and make a decision that meets your requirements.


CHAPTER ELEVEN
REFERENCES
+ Reverse Engineering
- GitHub: jamiebuilds/babel-handbook
- GitHub: iddoeldor/frida-snippets

+ Stealth Evasion
- GitHub: CheshireCaat/browser-with-fingerprints
- GitHub: kkoooqq/fakebrowser
- GitHub: kkoooqq/fakechrome
- GitHub: ungoogled-software/ungoogled-chromium
- GitHub: apify/fingerprint-suite

+ Emulator Automation
- GitHub: SergeyPotapov01/bot_Clash_Royale
- GitHub: MyBotRun/MyBot
Ndoma

Alleged Insult On Igbos: Apologise Within 7 Days Or Face Our Gods – Group Warns Wike
~0.8 mins read
The Chairman, Igbo Community Assembly, Apo in Abuja, Ositadinma Patrick Nwoye, has asked the Minister of the Federal Capital Territory, FCT, Nyesom Wike, to apologize over alleged derogatory comments he made against the Igbos during the demolition of a housing estate belonging to Prince Nicholas Ukachukwu.
The group gave Wike a seven-day ultimatum to issue a public apology to the Igbos or face the wrath of all Igbos and the gods of Igbo land.

Addressing newsmen in Abuja on Wednesday, Nwoye pointed out that Wike allegedly said ‘Why should an Igbo man be given such massive land there?’ and that he has dealt with Igbos in Port Harcourt, that he will do same here in Abuja.
He stressed that such negative comments were not in the best interest of the country where there is an urgent need for peace and unity.

“It has come to our notice about the alleged derogatory statement of Hon. Minister of Federal Capital Territory Nyesom Ezenwo Wike when he went to demolish the property of one of our illustrious sons in person of Hon. Evangelist Prince Nicholas Chukwujekwu Ukachukwu.

Source: daily post.ng
Foodie

A Blender

Tools You Must Have In Your Kitchen
~0.5 mins read

Non-stick Pan

Blender: 
Required for several recipes in the book. You do not need an overly expensive blender; a good quality small blender will do just fine. The trick to blending successfully is approaching the task in parts; do not overload the blender.

Measuring Cups & Spoons: 
These are essential for portion control. You will find them wherever baking goods are sold.

Non-stick Pan: 
This allows you to cook with minimal oil without burning the food. What makes them special is the Teflon coating they have on the cooking surface. A great alternative is a cast iron pan (koko irin). You will find them wherever cookware is sold.

Culled from Lose It Nigerian (9jafoodie.com) 
JustJokes

Intellectual Jokes For The Smart. Part Three
~0.9 mins read
Q: What do you call a pig that does karate?
A: A pork chop.

Q: Why was six afraid of seven?
A: Because seven eight nine.

Q: What do you call a fish with no eye?
A: A fsh.

Q: What do gymnasts, acrobats, and bananas all have in common?
A: They can all do splits.

Q: What’s a frog’s favorite game?
A: Hopscotch.

Q: What dies but never lives?
A: A battery.

Q: What day of the week does the potato look forward to the least?
A: Fry-day.

Q: What do you call a seagull that flies over the bay?
A: A bagel.

Q: What is Dracula’s favorite fruit?
A: Neck-tarines.

Q: What does a skeleton order for dinner?
A: Spare ribs.

Hey, did you smile? Don't laugh alone. Share this post with your friends and loved ones to keep everyone smiling.

Culled from 200 kid-friendly Joke from the classroom
Isa

Human Anatomy

Anatomy Mnemonics For The Cranial Nerves
~0.5 mins read
The 12 CRANIAL NERVES:
I - Optic nerve 
II - Olfactory nerve 
III - Oculomotor nerve
IV - Trochlear nerve
V - Trigeminal nerve
VI - Abducens nerve
VII - Facial nerve
VIII - Acoustic (vestibulocochlear) nerve 
IX - Glossopharyngeal nerve
X - Vagus nerve
XI - Spinal accessory nerve 
XII - Hypoglossal nerve

Remember the 12 nerves in the following order
On Old Olympus Towering Tops, A Finn And German Viewed Some Hops

If you confuse which comes first (Optic or Olfactory) remember:
• You have I nose. You have II eyes. (I - Olfactory; II - Optic)

Current_Affairs_Naija

The Nigerian National Anthem
~0.2 mins read
Arise, O Compatriots, Nigeria’s call obey
To serve our fatherland
With love and strength and faith.
The labour of our heroes past
Shall never be in vain
To serve with heart and might
One nation bound in freedom,
Peace and unity.