Jump to content

trading bot mobile auth


Ghost

Recommended Posts

I love bots so much :wub: when you want to sell or buy something, there's always a bot ready to do the trade in seconds :wub:
I wanted to make a trade bot from scratch in python, just for the fun (i love programming too), im already close to finishing it but what i really can't understand is how to make the mobile authentication automated :wacko:

I know that there are some softwares already made to autoaccept trade confirmations but not only that's dangerous until the bot is completely bug-free, i also wanted to implement the confirmation inside the bot instead of using third-party programs and almost they all require to "create a new authenticator" wich means 7 days of waiting, and that's too much for me <_<

I've found some tutorials on how to extract the key from my mobile auth but what i really cant find is the requests that the steam app does, after all seems like the mobile authenticator is a browser showing normal pages, wich obviously will do some http requests passing some variables to receive the "trades waiting confirmation" list and another request to accept them.

Does anyone know what urls they are? if they are GET or POST? wich variables they require? wich cookies (if any)? etc?

Link to comment
Share on other sites

I'm glad your interested in automation! As am I, and Python is by far my favorite language to make them in. However, your putting to much work on yourself. To skip strait to the bot making part, I suggest trying my steam library to interact with trading, which you can find here. If you have an issue with the library, just make an issue on the repo.

Link to comment
Share on other sites

4 hours ago, Zwork101 said:

I'm glad your interested in automation! As am I, and Python is by far my favorite language to make them in. However, your putting to much work on yourself. To skip strait to the bot making part, I suggest trying my steam library to interact with trading, which you can find here. If you have an issue with the library, just make an issue on the repo.

Isn't really worth at all at this point using any library, it is already able to check trade offers, accept them, make counter offers and even give change in it, it is also able to be remotely controlled via Telegram for any need, so i can say is 99% complete, what i really can't understand is how to make the mobile auth work, i was thinking of setting up some proxy to decrypt the https and sniff the requests to see wich urls they are and wich variables are sent but before doing so i'm looking for someone who already did and has all the informations i may need, that would be much, much quicker :unsure:

Link to comment
Share on other sites

1 minute ago, Ghost said:

Isn't really worth at all at this point using any library, it is already able to check trade offers, accept them, make counter offers and even give change in it, it is also able to be remotely controlled via Telegram for any need, so i can say is 99% complete, what i really can't understand is how to make the mobile auth work, i was thinking of setting up some proxy to decrypt the https and sniff the requests to see wich urls they are and wich variables are sent but before doing so i'm looking for someone who already did and has all the informations i may need, that would be much, much quicker :unsure:

Alrighty then, you can look at the source of my lib, there in the confirmations file, that's where all the code for confirming trade offers is.

Link to comment
Share on other sites

1 minute ago, Zwork101 said:

Alrighty then, you can look at the source of my lib, there in the confirmations file, that's where all the code for confirming trade offers is.

Yeah i was already checking it, such a polished script, much better than my spaghetti coding :lol: ahah even tho the lack of comments means reverse engineering a script that does something that i dont know how it works in first place, ain't gonna be easy :( ahah

If you want/have time/etc i would really really apreciate a simple explanation of the structure of the requests (urls, variables and cookies) and a suggestion on how to  extract the secret identity key (hopefully without rooting the phone) :D

Link to comment
Share on other sites

I believe there are ways to get it without rooting your phone, and there are plenty of tutorials on how to do so. If you join the backpack.tf discord server, I'd be happy to help you there.

Link to comment
Share on other sites

5 minutes ago, Zwork101 said:

I believe there are ways to get it without rooting your phone, and there are plenty of tutorials on how to do so. If you join the backpack.tf discord server, I'd be happy to help you there.

I'd love to but atm im getting off and probably won't come back in few hours, next time absolutely, that'd be great! Tomorrow or whenever i'll be able to hop on discord i'll send you a message (here or on steam) :D:D:pinkheart:

Link to comment
Share on other sites

4 hours ago, Axle Change said:

Thanks for the link but i can't understand javascript :P Btw, i was looking for the way the requests are composed rather than reverse engineering already made scripts specially when uncommented or made in languages that i dont understand :P

I'll give an example to make clearer what im saying, let's say accepting a trade request:

  • First you make a request to https://steamcommunity.com/tradeoffer/*TRADEID*/ where *TRADEID* is the trade id to accept, with as cookies sessionid, steamLogin, steamLoginSecure, these cookies change approximately every 12 hours, so when you receive cookies back you may save and use them for the next requests.
  • Into the received page you want to look for the variables g_ulTradePartnerSteamID and g_sessionID and store them for later.
  • After that, to accept it, you need to make a POST request to https://steamcommunity.com/tradeoffer/*TRADEID*/accept with into the headers the referer as: https://steamcommunity.com/tradeoffer/*TRADEID*/ and as post data: sessionid as the g_sessionID variable you previously stored, serverid as 1, tradeofferid as the trade id and partner as the g_ulTradePartnerSteamID you previously stored, the cookies should be as always sessionid, steamLogin, steamLoginSecure just like the previous request.
  • After doing this you should see your trade accepted and pending mobile authorization.

See what i mean? Now, in this case for accepting a trade, one can make it in any language he wants, he can make a library or can directly implement it into his code, somebody could even directly do it from the browser, the instructions are complete and clear, anybody can reproduce it in any way he wants.

This is what im looking for regarding the mobile auth but seems like nobody EVER wrote how these requests are structured in the mobile authentication, there's only a ton of pre-made scripts in a huge array of different languages, oftenly not commented and very compressed, making reverse engineering probably more difficult than setting up a proxy and checking personally wich requests is the steam app doing and what's receiving back.

Link to comment
Share on other sites

9 hours ago, Ghost said:

-snip-

I know exactly what you mean, unfortunately I don't know anything about the request pages used aside from reverse engineering other scripts because it does not seem to be documented anywhere.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...