Monday, February 2, 2015

Create Unlimited Spotify Premium Account Free - Working 03-2015

1:39 AM Posted by Peter Nguyen , 6 comments


Updated: new method working 03-2015

I sell this tut on Hackforums for prolly 15$, made enough money so I share it here and everyone can profit from it.

This method doesn't include any carding methods, blackhat or cracking accounts. Everything is legal and you can probably make one premium account in just 30 secs.

You may want to start your own shop selling Spotify premium account with this. This tut is for reference only, i take no responsibility or anything relates to it.

Your Account will be upgraded to premium and you can do it unlimited times, no worries.




 First, head off to https://www.spotify.com/us/ and register a new account. Then choose Upgrade.




... Since there are a lot of leaks from this method, i manage to hide the rest of it in this link. Use the link below to read the read of the method and let me know whether its still working on not. Tested working on March-05...

http://downloadconfirm.net/file/05h7658

Sunday, February 1, 2015

Google Earth Pro Free - Auto Register Script (400$ value software)

12:06 PM Posted by Peter Nguyen , , No comments






So today Google Earth are putting out their promotion for Google Earth Pro (which is $400 value). It's my free Sunday without any homework so yeah i'm making an automatic script to auto register for this product.

Here is the promotion link: https://geoauth.google.com/gev0/free_trial.html

The idea to just to use the aliases of each Gmail in order to keep registering without getting new email. What alias is? So let's say you have an email address like abc@gmail.com, Gmail allows you to use aliases such as a.bc, a.b.c, ab.c in order to alternate for your main inbox. Whenever an email is sent to those alias inboxes, you can receive, read and reply from your own inbox abc@gmail.com

Taking advantage of it, I reuse my own class method to generate the alias it. It seems to be easy but th algorithm is a little bit confusing at first for me. So let's do a simple counting problem.

Supposed your username has x characters:
x = 3 => 3 aliases
x = 4 => 7 aliases
x = 5 => 15 aliases...

So there is a (x - 1) dots in total. Because dot can just be "on" or "off" so let consider them as binary string. Eg: 101 for a.bc.d . So in order to count how many aliases we have we just can simply count how many binary strings that we can generate from (n -1) chars. Since binary can only be represented as 1 or 0, so we have (n-1)^2 for the number of binary string. Wait, I forgot, let's exclude 0000 which is the original email address. So the total is (n-1)^ - 1. That's the counting and idea part. How can we turn it into python code?

Pretty much we just need to generate the list of that binary string first. There is a nice lib that can help which is itertools. What I did was :

lst = map(list, itertools.product([0, 1], repeat=len(username)-1))

Now we need to map each binary character into it corresponding position in the original username. We can iterate 1 by 1 and then insert the dot into the corresponding position in the username. 2 things to keep in mind that the first dot starts at index + 1 and the last dot ends at len-1. The second thing is that when you insert a dot, the original length changes so you need to keep track of the length of the string.

All put together, you can find my code at: https://github.com/nguyenph88/Google-Earth-Pro-Auto-Register/

Not sure when this promotion ends but I've created a hundred of licences so hit me up if you still need one :)

Cheers



Saturday, January 17, 2015

Blogger - How to hide post-body in main page

11:09 AM Posted by Peter Nguyen No comments

I was doing another blog editor when I suddenly ran into a task that I need to hide the post-content in blogger mainpage, here is how you should do it properly:class='post-body entry-content'

Search for ALL, there may be more than 1 depends on what template you are using:
class='post-body entry-content'
Inside that <div> tag you will find this:
<data:post.body/>
 Add these lines of code exactly below it:
<b:if cond='data:blog.pageType != "item"'>
    <style type='text/css'>
        .hidden {
            display: none;
        }
    </style>
</b:if>
 Then, whenever you want to hide all post content, or just part of the post, just wrap it with the tag: hidden: (post it in HTML mode)
 <div class="hidden">
Something you want to hide from main
</div>

Sunday, January 11, 2015

How to use Google Voice to avoid unwanted calls

1:34 PM Posted by Peter Nguyen No comments




As a part of my project, I sometimes need to register or buy some products that requires phone verification or text messages. Even though it's a guarantee from them that they will never "use your phone number for commercial purpose", but who knows. I've been receiving a lot of phone call, especially from those domain/hosting providers like 1and1, dreamhost, digitalocean etc... and a lot from other advertising firms that I don't really care.

Knowing that it would happen sooner or later, I've prepared myself by using Google Voice (sound like i'm advertizing for them ^^ but i've tried Skype before and they didn't meet my expectation). So instead of giving out your real phone number, you could get yourself a google voice number.

How it register? Well just follow all the step on Google Voice service, and link your phone to a Google Voice Number which you can choose. (good thing about this is you can actually search for your actual sequences that you like - So like my last name is NGUYEN, which corresponds to 64896, I searched for that sequences and got myself a nice 555-666-4896, or 555-66-NGUYEN.)

How does it help you to avoid unwanted call? So whenever you are registering for a product that requires a phone or text verification, just use your google voice, they will actually reach your voice mail or text you by the number that you have registered with Google. Sometimes they call and you don't want to listen, then just listen to the voice mail only :). You can actually translate those voice messages into text, which is really cool, or just simply give them a call back / text by using that google voice number. :D

Hope it helped!

Tuesday, January 6, 2015

How to run Python Selenium with Flask on a VPS using PhantomJS

11:13 AM Posted by Peter Nguyen No comments





I love automation and web testing/bot making, the problem is I just can only run it on my local computer or make a GUI app. This week I tried to expand the use of it to the world-wide-web to get more audiences. Tired of doing "python __init__.py", then why not do "http://www.yourwebsite.com/script/" ???

I'm not going into detail how to do each part, you are required to have a general idea and a common sense how to debug and fix the problem. It took me prolly 2 weeks to figure out how to run the server correctly and fix all the basic bugs. Let's start.

1. You need to have a VPS, I'll recommend DigitalOcean.com for the cheap and free 2 months VPS. If you decide to register then please register under my referral link so I can get an earning from you and you can get 2 free months.

2.Install either LAMP stack or ngix on your VPS. I'm using LAMP stack so if you decidde to use ngix you have to figure out the problem on your own. (Note: I tried ngix, there is 1 problem that because the script usually takes longer to finish thna normal, so you always be timed-out.) The framework I use it Flask.

How to install LAMP stack on your VPS: https://www.digitalocean.com/community/tutorials/how-to-deploy-a-flask-application-on-an-ubuntu-vps
How to install Ngix/Unicorn on your VPS: https://realpython.com/blog/python/kickstarting-flask-on-ubuntu-setup-and-deployment/

Just follow all the setup and you will be ready to run python on a web. From now on I will just give instruction based on LAMP stack (Apache) only.

3. Make sure you are logged as root, now do "source venv/bin/activate", then "pip install selenium".

4. Now follow this to install PhantomJS, make sure you have a copy of the executable bin in your current "yourweb" folder. https://gist.github.com/julionc/7476620

5. PhantomJS needs a ghostdriver.log file in order to run, you have to create a customize log file because visitors cannot trigger the script to create that file in the system. So now in "yourweb", let create a blank "ghostdriver.log"

6. Supposed your web is in "var/www/yourweb/" then you have to set the group to www-data in order to let visitors execute the script. Just do "chown -R root:www-data /var/www/yourweb/".

Now up to setting permission, this problem took me a whole week to figure out how to do that:

7. Now you have "phantomjs" and "ghostdriver.log" inside "yourwebsite", let do chmod 750 for phantomjs and ghostdriver.log

8. Keep in mind, in order for visitors to run those files, all related folders have to be set to 750 also. Now do chmod 750 for "yourwebsite" AND "WWW"  <== I didn't chmod the "www" folder and It drove me crazy for couple days.

9. Now open /etc/sudoers, add these lines:
apache ALL=NOPASSWD: /var/www/yourweb/ghostdriver.log
apache ALL=NOPASSWD: /var/www/yourweb/phantomjs

I'm not quite understand the cause here, but if you don't do that you cannot run phantomjs and ghost driver correctly.

10. Now you are set and ready to go, make a simple Flaskapp and test it. Remember that your webdriver has to be customized to:

br = webdriver.PhantomJS(service_log_path='somewhere/ghostdriver.log', executable_path="somewhere/phantomjs")

Where somewhere is your absolute path to the folder that those files reside.

If you run into any problem, the log file will be saved in "/etc/log/apache2/error.log", just refer to the file.

Hope you could run selenium with flask on the website, and make an awesome app :D PM me if you need any help.

Saturday, December 13, 2014

Javascript Pop up with dim and darker background

11:57 AM Posted by Peter Nguyen No comments





So today I was running into a small talk that  I need to dim the background when the web page started. In a very simple and naive way you would think of javascript that appends an action to a <div> that contains your message.

However the box will lock bored and ugly. There is a fast and efficient way to do it without any extra work, that is to use jquery style and UI.

For example at the jfiddle right here: http://jsfiddle.net/pmw57/jmPaC/1/

That library from Jquery has saved me a lot of time in styling and coding :)

Thursday, December 4, 2014

Facebook App Access Token Exploit

1:22 PM Posted by Peter Nguyen , , No comments


Last week, I was opening my Dayz Game Servers (checkout my post here)  so it was an urge for me to advertise the server in order get more players. Facebook and Twitter are the 2 social networks that came in mind first. It also came to my attention that there are a lot of people selling Facebook Fanpage Like/Subscribe and Twitter's Follow, Fiverr also offers a 5 bucks service for 1000 likes on anything on facebook (i'm selling mine Fiverr 5 bucks for 1000 likes :) order if you need).

Of course as how curious I am, I won't let them take money away from me but in fact utilize that idea to benefit from. I did a Google search but mostly the code that people share around does not actually work, or pretty much attached with backdoor and shell scripts. Think about it, you work hard for your meal so you do not want anyone to take it away from you. However, sometimes you let them taste a little bit of it after you spoiled it :). I'm pretty much working on the code again for a public website. In the meantime, i will share my knowledge which I've been gathering in order to do the Auto Facebook Like.

The idea comes from the API call of Facebook App using Access Token.

For the nature of this article which is just to share my knowledge, I will not show you the work around how to avoid warning message from facebook or how to hide your link and make it look real.

Consider the URI below:

<Shorten URL>

 What it does is simply take you to your facebook, then connect to the HTC Mobile App which is a real (or may not) app. It's not suspicious until you look closer at the parameter where it asks for the: publish_action, user_likes, user_status, user_photos etc ... Beside asking you to join and use the HTC facebook app, it also asks to use all your info such as: user_notes, user_photos, user_status etc ... Note the the app can never access those information unless you click "Allow". Let's try to login using my fake account:


As you can see it will ask to access my facebook to post, I will now let them do everything in the nature of this article, just keep clicking "Okay" till you get this warning.


If you have paid enough attention to the screen, you will see before the warning message appears, it was an URL with your access token and just a "Success" message. Since we are now seeing the message, we are ensured that Facebook actually knows how people take advantage of their system to do something in the shadow. *There is a way to work around this problem but it's not necessary for me to say it here*

Now in order to see your token, just right click on the URL website and choose "undo". Now you can see your token which is the remaining of #access_token=.... (without &expires_in=0 at the end)




As now you are having our own token, supposed that you give it to someone else or some website, let's see what other people can do with "your" access token. You can experience it by copy your token and use any other PC/laptops, or at your current PC if you know what I'm talking about :)

With your token, you can now see which app is actually accessing your profile. Now copy this link to your browser and paste your token after access_token=... JSON format.

App Info:
https://graph.facebook.com/app?access_token=


This URL will give you the permissions that you have granted the app:

Permission Granted:
https://graph.facebook.com/me/permissions?access_token=


More interestingly, let submit the next query (change the limit if you want to see more):

User's status (limit=x):
https://graph.facebook.com/me/statuses?limit=1?&access_token=


Now that's creepy. It is your statuses, the IDs, messages or even the long/lat coordinates where you posted. Supposed that there is no restriction, everyone could be able to see them. You get the idea, let see how other people can access your profile:

User Info:
https://graph.fb.me/me?access_token=


To sum up, I wouldn't say this is a very big exploit that is harmful to your facebook account. It is, in fact, some API calls from GraphAPI that facebook provided, but through the hands of many advantageous and clever people, it may come in handy. Knowing how Facebook API works, we can manipulate the access token and lets it do the work for us, such as: Like, Subscribe, Follow etc ... And yes people using it to make money from the SEO world