Skip to content

My Nuclear Facebook Poking Bot

November 5, 2012





You can’t beat me in a Facebook poke battle. Here’s why…

I have been way too busy and it sucks. It sucks because:

Too much work means no free time
No free time means no time for fun little projects
No fun little projects means I go crazy
Going crazy means I can’t get work done

It’s a vicious cycle.

So what do I do while I suffer from coder’s block? I waste a good amount of time zoning out on Facebook.

The Conception

One of the most annoying Facebook features are the stupid/pointless pokes. After wasting a good 30 minutes on an intense back and forth poke battle, I decided it would be a good idea to make a poke bot. Can you imagine that? I could be drifting away in my swimming pool while my bots win all my poke battles for me!


The lack of enthusiasm only reassured my itch to build a nuclear facebook poke bot.

I have always shied away from making Facebook-related bots because Facebook works hard to prevent bots and I hear that Facebook bots are difficult to make. Oh well. Time to overcome my fears.

Hacking Facebook

First, I look at the Facebook page that gives me the list of all the people that poked me. That would be:
https://www.facebook.com/pokes?notif_t=poke
Next, I examine the “poke back” link. The links aren’t much help to me since Facebook “ajaxifies” the link. So, I fire up Firebug to examine the GET or POST requests my browser makes when I click “poke back”. Firebug reveals that it is a POST request to https://www.facebook.com/ajax/pokes/poke_inline.php with these parameters:


    __a = 1 
    __user = 556970868
    fb_dtsg = AQC_K43G
    nctr[_mod] = pagelet_pokes
    phstamp = 1658167957552517190
    pokeback = 1 
    uid = 1011739365

While logged into Facebook, I open up a new tab with a quick and dirty HTML form that posts to that URL with these parameters as hidden inputs. It works! Cool.

Next, I do the same Firebug probe on the homepage so I can find the necessary POST parameters to log into Facebook. To log into Facebook, Firebug shows me that I need these parameters:


charset_test    €,´,€,´,水,Д,Є
default_persistent  1
email   email
lgnjs   1352019805
lgnrnd  010313_fdAk
locale  en_US
lsd AVq9lE5u
pass    password
persistent  1
timezone    480 

Now, some of these values are dynamically generated, so the bot would first need to scrape and populate the post parameters before it can post. A similar process would be necessary to do the actual poking.

The Build

All I had left was to put it together. Here is the source code:

<?php
// your facebook credentials
$username = "email";
$password = "password";

// access to facebook home page (to get the cookies)
$curl = curl_init ();
curl_setopt ( $curl, CURLOPT_URL, "http://www.facebook.com" );
curl_setopt ( $curl, CURLOPT_FOLLOWLOCATION, 1 );
curl_setopt ( $curl, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt ( $curl, CURLOPT_ENCODING, "" );
curl_setopt ( $curl, CURLOPT_COOKIEJAR, getcwd () . '/cookies.txt' );
curl_setopt ( $curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)" );
$curlData = curl_exec ( $curl );
curl_close ( $curl );

// do get some parameters for login to facebook
$charsetTest = substr ( $curlData, strpos ( $curlData, "name=\"charset_test\"" ) );
$charsetTest = substr ( $charsetTest, strpos ( $charsetTest, "value=" ) + 7 );
$charsetTest = substr ( $charsetTest, 0, strpos ( $charsetTest, "\"" ) );

$default_persistent = 1;

$lgnjs = time();

$lgnrnd = substr($curlData, strpos($curlData, "name=\"lgnrnd\""));
$lgnrnd = substr($lgnrnd, strpos($lgnrnd, "value=")+7);
$lgnrnd = substr($lgnrnd, 0, strpos($lgnrnd,"\""));

$locale = substr ( $curlData, strpos ( $curlData, "name=\"locale\"" ) );
$locale = substr ( $locale, strpos ( $locale, "value=" ) + 7 );
$locale = substr ( $locale, 0, strpos ( $locale, "\"" ) );

$lsd = substr ( $curlData, strpos ( $curlData, "name=\"locale\"" ) );
$lsd = substr ( $lsd, strpos ( $lsd, "value=" ) + 7 );
$lsd = substr ( $lsd, 0, strpos ( $lsd, "\"" ) );

$persistent = 1;

$timezone = 480;

// login to facebook
$curl = curl_init ();
curl_setopt ( $curl, CURLOPT_URL, "https://login.facebook.com/login.php?login_attempt=1" );
curl_setopt ( $curl, CURLOPT_FOLLOWLOCATION, 1 );
curl_setopt ( $curl, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt ( $curl, CURLOPT_POST, 1 );
curl_setopt ( $curl, CURLOPT_SSL_VERIFYPEER, false );
curl_setopt ( $curl, CURLOPT_POSTFIELDS, "charset_test=" . $charsetTest . "&locale=" . $locale . "&email=" . $username . "&pass=" . $password . "&lsd=" . $lsd . "&default_persistent=" . $default_persistent . "&lgnjs=" . $lgnjs . "&lgnrnd=" . $lgnrnd . "&persistent=" . $persistent . "&timezone=" . $timezone);
curl_setopt ( $curl, CURLOPT_ENCODING, "" );
curl_setopt ( $curl, CURLOPT_COOKIEFILE, getcwd () . '/cookies.txt' );
curl_setopt ( $curl, CURLOPT_COOKIEJAR, getcwd () . '/cookies.txt' );
curl_setopt ( $curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)" );
$curlData = curl_exec ( $curl );
//echo $curlData;


// enter infinte poke loop
while(true){
    $curl = curl_init ();
    curl_setopt ( $curl, CURLOPT_URL, "https://www.facebook.com/pokes?notif_t=poke" );
    curl_setopt ( $curl, CURLOPT_FOLLOWLOCATION, 1 );
    curl_setopt ( $curl, CURLOPT_RETURNTRANSFER, 1 );
    curl_setopt ( $curl, CURLOPT_ENCODING, "" );
    curl_setopt ( $curl, CURLOPT_COOKIEFILE, getcwd () . '/cookies.txt' );
    curl_setopt ( $curl, CURLOPT_COOKIEJAR, getcwd () . '/cookies.txt' );
    curl_setopt ( $curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)" );
    $pokeData = curl_exec ( $curl );
    //echo $pokeData;

    preg_match_all("/<div class=\"pokeHeader fsl fwb fcb\"><a href=\"(.*?)\" data-hovercard=\"\/ajax\/hovercard\/user.php\?id
=([0-9]*)\">([^<]*)<\/a> has poked you.<\/div>/",$pokeData,$matches,PREG_SET_ORDER);

    if(sizeOf($matches)){
        $userid = substr ( $pokeData, strpos($pokeData, "\"user\":") + 8);
        $userid = substr ( $userid, 0, strpos($userid, "\""));

        $fb_dtsg = substr ( $pokeData, strpos ( $pokeData, "name=\"fb_dtsg\"" ) );
        $fb_dtsg = substr ( $fb_dtsg, strpos ( $fb_dtsg, "value=" ) + 7 );
        $fb_dtsg = substr ( $fb_dtsg, 0, strpos ( $fb_dtsg, "\"" ) );

        //echo $userid." ".$fb_dtsg;
        
        foreach($matches AS $val){
            //echo $val[0]."\n";
            //echo $val[1]."\n";
            //echo $val[2]."\n";
            $uid = $val[2];
            $curl = curl_init ();
            curl_setopt ( $curl, CURLOPT_URL, "https://www.facebook.com/ajax/pokes/poke_inline.php" );
            curl_setopt ( $curl, CURLOPT_FOLLOWLOCATION, 1 );
            curl_setopt ( $curl, CURLOPT_RETURNTRANSFER, 1 );
            curl_setopt ( $curl, CURLOPT_POST, 1 );
            curl_setopt ( $curl, CURLOPT_SSL_VERIFYPEER, false );
            curl_setopt ( $curl, CURLOPT_POSTFIELDS, "__a=1&nctr[_mod]=pagelet_pokes&pokeback=1&__user=" . $userid . "&fb_dtsg=" . $fb_dtsg . "&uid=" . $uid);
            curl_setopt ( $curl, CURLOPT_ENCODING, "" );
            curl_setopt ( $curl, CURLOPT_COOKIEFILE, getcwd () . '/cookies.txt' );
            curl_setopt ( $curl, CURLOPT_COOKIEJAR, getcwd () . '/cookies.txt' );
            curl_setopt ( $curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)" );
            $pokeresults = curl_exec ( $curl );
            echo "You poked ".$val[3]."!\n";
            //echo $pokeresults;
        }
    }
    empty($matches);
}
?>

Download my nuclear poke bot from git


Let me tell you, this bot is fast and obnoxious! Unlike the other lame poke bots you may find, this one is fast, it’s standalone, and it runs via command line. It will keep checking your poke notifications page. If somebody pokes you, it will immediately poke them back and notify you of whom you poked. I left it running all day. When I checked my computer and looked at the logs, I was able to see which of my poor friends were tenacious enough to put up a fight.


If you see this, it means you’re screwed.

Looking ahead… A simple alteration will allow me to poke bomb ALL of my friends. I may write a Python version, install it on my raspberry pi, and carry around a portable nuclear poking machine.🙂

In the end, was the 2 hours spent on developing this bot a waste of time? No. It was just what I needed to pull me out of this coding slump. Plus, I can now outpoke ANYBODY. 🙂

Winning!

From → Hacks

47 Comments
  1. My poke bot can out poke your poke bot! Initiate infinite poke-loop.

  2. Erik Eriksson permalink

    Could i get the python version?

  3. Larry permalink

    I’m new to programming and computers and I just want to stop my friends from winning poke wars with their smart phones. How to you run the poke bot?

    • Hi Larry. All you have to do is download the pokebot, edit the file and enter your facebook credentials, and execute the program.

      • Itan permalink

        I’ve done this but i keep getting a syntax error from cmd.exe it pops up for a split second and is gone, i am running it with, python launcher for windows(console)?

      • Hmm, can you see the error logs? Try running it from the command line.

      • Itan permalink

        Traceback (most recent call last):
        File “C:\Users\Dell\Desktop\Nuclear-Facebook-Poke-Bot-masterm\nuclearpokebot.py”, line 3, in
        import pycurl
        ImportError: No module named pycurl
        >>>

        is what shows up

      • Oh, you need to install pycurl. Look for the pycurl library for windows. Once that’s installed, it should work.

  4. Is it possible that the data/user-extracting isn’t quite working anymore? Or is it just me?
    Because for me both the php as the pythonscript are unable to actually poke anyone..:/

    • Hi Bo, I tried it again and it still works. Did you put in the proper credentials? Also, username actually means email address.

  5. I use Windows 7 and have no clue how to run .py or .php.. Tried looking around on the internet and got a little confused.. I downloaded the .php and added my credentials and tried to have firefox open the .php thinking that would work but no go.. Now I’m stuck.. I’d feel really accomplished if I figure this out though.. Is there a specific program a windows user should use to open/run .php or .py..?

  6. This is absolutely hilarious. Thank you.

  7. Heya i am for the first time here. I found this board and I
    find It really helpful & it helped me out a lot.
    I’m hoping to present one thing back and aid others like you aided me.

  8. can this run on google app engine? or some sort of hosting?
    i read that you were planning to put it on the Pi, why not host it?

    • Yes, you can host it. However, I found something out. I tried running it on amazon ec2 and facebook flagged my account and notified me that my account was attempting to log in from North Virginia.

      • AlbKT permalink

        thanks. i’ll try to host it and see what happens

  9. Jut wanted to let you know I love your blog!

  10. How do you install pycurl on windows??? Pleas help

  11. Advenio permalink

    Cool!!!! You own a great blog!

  12. Your own home is valueble for me personally. Thanks!…

  13. I’m curious to find out what blog platform you happen to be using? I’m having some minor security problems with my latest
    blog and I would like to find something more safeguarded.
    Do you have any solutions?

  14. Varad Kalyankar permalink

    how do we upload the bot after modifying?

  15. I your way of writing genuinely enjoying this website.

  16. Great work!!!
    I have a little problem here. Can you help me?
    That’s my error:

    postdata = ‘charset_test=’+charsettest[0]+’&locale=’+locale[0]+’&email=’+username+’&pass=’+password+’&lsd=’+lsd[0]+’&default_persistent=’+str(default_persistent)+’&lgnjs=’+str(lgnjs)+’&lgnrnd=’+lgnrnd[0]+’&persistent=’+str(persistent)+’&timezone=’+str(timezone)
    IndexError: list index out of range

  17. Hey there, You’ve done a fantastic job. I will definitely digg it and in my view recommend to my friends. I’m confident they’ll be benefited from this website.

  18. Hello there! I know this is kinda off topic however I’d figured I’d ask.

    Would you be interested in exchanging links or maybe guest writing a blog article
    or vice-versa? My website addresses a lot of the same
    topics as yours and I feel we could greatly benefit from each other.
    If you happen to be interested feel free to shoot me an email.
    I look forward to hearing from you! Superb blog by the way!

  19. Hey there this is kinda of off topic but I
    was wondering if blogs use WYSIWYG editors or if you
    have to manually code with HTML. I’m starting a blog soon but have no coding knowledge so I wanted to get guidance from someone with experience. Any help would be enormously appreciated!

  20. If some one wants to be updated with newest technologies afterward he must be go to see this web page and be up to date every day.

  21. shando permalink

    Hello there! Is it possible to create a bot that like all photos to a certain user?

  22. PuN1sh3r permalink

    hey man i really like your bot check the project im working on a facebot https://github.com/pun1sh3r/facebot

  23. I Have been reading all your articles since day 1 and I
    Liked this one more better . Thankyou and keep posting.

  24. Everyone loves what you guys are up too. This
    kind of clever work and reporting! Keep up the great works guys
    I’ve incorporated you guys to blogroll.

  25. Molyokantibus permalink

    I have a problem. When i try to run the .py file, is shows me this error:

    File “C:\Users\Friedrich\Desktop\Pokebot.py”, line 32
    charsettest = re.findall(ur”name=\”charset_test\” velue=\”([^\”]*)”,curlData)
    SyntaxError: invalid syntax

    How can I fix this??

    • Abbas permalink

      I get the same error as you Molyokantibus. I changed the username and password fields with the correct credentials and still get the same error on line 32. Still no response?

Trackbacks & Pingbacks

  1. Say Hi To My Instagram Bots « cranklin.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: