Everything posted by XeR

  1. XeR

    Cannot complete CAPTCHA

    I think the CAPTCHA works. My setup probably has a score below xat's threshold. The problem is that, unlike the previous version of the captcha, there is nothing I can do to prove I am a human. See https://stackoverflow.com/questions/52546045/how-to-pass-recaptcha-v3

    Mozilla Firefox (last version) with some privacy extensions. I do not use Google products (Search, YouTube, Gmail, etc.) and actively block trackers (Google Analytics, Google Tag Manager, Google Fonts).

    Here are all the requests my browser and the server exchange:

    GET to wss://wss.xatbox.com/v2
    POST to https://xat.com/web_gear/chat/AreYouaHuman.php
    Response:
    POST to https://www.google.com/recaptcha/api2/reload?k=6LdBquAZAAAAADOcFT2FE6WuXn9IzWwtJ-nr8K9o

    At this point, the chat shows the "Failed to verify" pop-up. I can close the pop-up. The "Sign In" button reads "Connecting..." (despite the WS connection being closed by the server). I press the button again.

    GET to wss://wss.xatbox.com/v2 (same as before)
    POST to https://xat.com/web_gear/chat/AreYouaHuman.php (now with a g-recaptcha-response)
    Response:
    POST to https://www.google.com/recaptcha/api2/reload?k=6LdBquAZAAAAADOcFT2FE6WuXn9IzWwtJ-nr8K9o

    At this point, the pop-up briefly shows "Verification successful" with a green tick. The background becomes blank and something reloads (I'm not sure if the whole page refreshes or just the background).

    GET to wss://wss.xatbox.com/v2 (notice the j and k parameters)

    The sign-in button once again reads "Connecting...". Clicking it brings me back to the second websocket GET. I gave up after approximately 10 attempts.
  2. XeR

    Cannot complete CAPTCHA

    I can answer this challenge. It redirects me to a page that reads:

    It still won't let me connect to chats. I tried on Chat, HTML5 and Rubyyy.

    My browser makes a request to https://xat.com/web_gear/chat/AreYouaHuman.php with the following content:

    The server responds:

    Then my browser makes a request to https://www.google.com/recaptcha/api2/reload?k=... but I cannot make sense of what's being exchanged here.
  3. The new version of ReCAPTCHA does not let users answer a challenge to prove they are human. The following error message is displayed. Refreshing the chat does not help. If a machine decides you are not human enough, you cannot connect to any chat.
  4. I initially considered voting when I first saw this thread last week. When I saw the results of the vote and read the following quote, I dismissed the idea.

     I do not like the events power because it keeps a lot of information. This information is available to anyone who has the power or knows someone willing to use the power for them.

     I retrieved every event of the last 14 days from Chat. From these data I plotted the number of actions of each member of the staff over 24 hours.

     We can see on this image that Meow's activity drops sharply between 08 and 15 (UTC). We can thus assume that Meow:
     - is unemployed or is on holiday
     - lives in an American time zone (UTC-6 if we assume a sleep schedule of 02:00 to 09:00)

     I wanted to attach my spreadsheet, but the forum only accepts images. Sorry about that!

     By using the eventstats power, I can also look at the same data, grouped by days. Note that I still looked at the raw data I scraped with the events power for this.

     We can see on this image that Hessy made the 2020-11-14 (I checked the raw data to make sure it's not the 15th). That day was a Saturday. They made no action from Friday, 20:10:57 to Sunday, 19:06:36. We can assume that Hessy spent the week-end away from xat.

     We can also take a chat where a bot is configured to make every new user member. By filtering the events, we can know who went to a specific chat for the first time, and at what time. For example, I know that Enge went to Kulitz09 for the first time on 2020-11-20T11:53:03Z.

     I own a chat. I use it to idle and talk with my friends. It is unlisted and does not store messages. Outsiders are warmly welcomed with a free trip to the ban pool. By using the events power on my chat, you will see that Paraplum kicked somebody on 2020-11-19. You can assume that Paraplum is my friend.

     I am uncomfortable knowing that people I've never met could gather this kind of information about me.

     Former director of CIA and NSA General Michael Hayden said: “we kill people based on metadata”.

     By the way, I think these features are illegal in Europe under the GDPR: when did we give consent? How do we revoke this consent? I'm not a lawyer, so take that with a grain of salt. ;-)

     Correct me if I am wrong, but I think you cannot ban someone who has been offline on a chat for too long. As for the demotion: why not just ask?

     I (wrongly?) assume that people voted yes because: ... and not because they actually need the extra 14 days.

     Honest questions to chat managers who use events (I don't):
     - Have you ever been in a situation where you needed to look at more than 14 days of events?
     - How often does it happen?
  5. It used to be possible to log in anonymously to the forum. This feature would hide your name in the "Who's online" list. It would also hide your "last visited" date on your profile. This feature was present in the form of a checkbox on the login form ("Sign in anonymously"). This checkbox is no longer present (since the forum update?).

     Edit: the option is still present, but it's hidden in the “Security and Privacy” settings https://forum.xat.com/settings/account-security/
  6. XeR

    BOTSTAT API & stuff

    Here is a bash script that puts the UTC date before your nick:

    I have no idea how to run this on Windows. It might work on Mac, but I don't have one to confirm.
  7. XeR

    BOTSTAT API & stuff

    People expect a program to work when they are done configuring it. I'd like to be able to check the user's token as soon as they provide it during the configuration phase (instead of having to wait for a status change). This way, I can print an error message telling the user their uid/token couple is invalid as soon as possible.
  8. XeR

    BOTSTAT API & stuff

    Feel free to report bugs and improvement requests. https://github.com/XeR/vlc-np-xat/ If this doesn't work... you're holding it wrong! :-)
  9. XeR

    BOTSTAT API & stuff

    After playing a bit with the API, here are a few features I'd like to see added:
    - Checking the token's validity by sending a request with no room and no info (?u=12345&k=deadbeefcafebabe)
    - Specifying multiple chats in a single request (?r=123&r=5 or ?r[]=123&r[]=5)
    - Specifying no chats to affect every chat the user is currently connected to
    - Using chat names instead of id (?r=Chat or ?r=xat5)

    See you in 2020
  10. XeR

    BOTSTAT API & stuff

    First thing that comes to my mind: MSN-like ‘Now Playing’. The ‘What song are you listening to right now’ thread is the most-replied thread, and second most-viewed thread of the ‘General Discussion’ board.

    VLC Media Player allows you to add Lua plugins. It should not be too hard to build one that uses the API to update one's status. It should be especially easy given that there is already a similar plugin that writes current song's info to a file: https://addons.videolan.org/p/1172613/

    In fact, take this post as a pledge that I will do it within a week if you release an API... as long as nobody beats me to it. :þ
  11. XeR

    494 BOTSTAT

    This looks like a great feature. :-) I haven't been excited by a power like this one for a while.

    Why? I want to use this feature in my own RPG. I'd like to update players' name with their level. Why can't I use this feature? What if I want to tell people what game I'm playing? Running binaries from a bot provider on my computer is a no-go.

    Are the changes temporary? eg. do they roll back when I refresh? Do they affect every chat I'm connected to, or only one chat? Does this mean I need a xatbot, FEXbot and ARCbot accounts to ensure my power will work on most of the chats?
  12. left column: count right column: id
  13. There seems to be a bug with the (random) power. Using (random) as an avatar with a pcback does not display a random smiley. Instead, it displays (RANDOM).

      Source (xat wiki)

      Expected behaviour: avatar: (random)
      Current behaviour: avatar: (random)#
  14. I noticed this feature disappeared a few weeks ago. Any plans on getting it back?
  15. Correct me if I'm wrong: nowhere in the rules is it stated that you have to give away the riddle you found. So congratulations everyone on spoiling your chats' riddles :-) (Or was it edited recently?)

      Chatname: xat_test
      Answer to the riddle: https://xat.com/xat8
      Username and ID: XeR (586552)
  16. @SlOom @Lamingtons You are right, this is doable by specifying a cn parameter. Cn probably stands for "connection". It's an integer that is used to communicate between a chat and its sub-apps.

      The main problem is that if you open more than one chat with the same CN, it will not work. If you open two apps with the same CN, it will mess up too. I didn't manage to find a "user-friendly" way to deal with this. But to be honest, I barely use apps at all, so I didn't dig much.

      The best thing I managed to do is this, but it requires you to constantly have a console open with the random number written on it. :-(

      Generated by:

      lobby.bat

          @echo off
          SET flash=flashplayer_sa.exe
          SET url=https://www.xatech.com/web_gear/chat/chat2.swf
          SET chat=1
          SET flags=14880
          SET cn=%RANDOM%
          START %flash% "%url%?id=%chat%&xc=%flags%&cn=%cn%"
          echo "CN = %cn%"
          PAUSE

      trade.bat

          @echo off
          SET flash=flashplayer_sa.exe
          SET url=https://www.xatech.com/web_gear/flash/30008.swf
          SET /P cn="Enter CN number> "
          START %flash% "%url%?cn=%cn%"

      I'll edit first post once I -or someone- comes up with a decent solution.
  17. Hello everyone,

      I've been fed up with Flash Player for a while, and decided to remove it from my browser a few months ago: Flash is a technology that's bound to die. It was great a decade ago. Now it's only serving noisy ads and malware.

      However, there's a problem: Xat uses Flash. No Flash = No Xat. I had to find an alternative. Now that I'm confident it's working, I'll share it with you. That's what I've been using since 2016-05-15 (5 months).

      The trick is to use Flash's standalone player. This way it will ONLY run what YOU tell it to run. Here's what it looks like:

      Unfortunately, there are a few things that do not work, and this is therefore not suited for everyone's use (eg. traders).

      What works:
      - Regular chatting
      - Smileys
      - Hugs
      - Kisses
      - Bumps
      - Game bans
      - Transfer

      What does not work:
      - Are you a human (cannot join during raid protection)
      - Apps:
        - Trade
        - Translate
        - Smiley list
        - Avatar list
        - Games
        - ...
      - Rapid bulk connections may log you out. (eg, if you're using a loop to open multiple chats)

      It is possible to use side apps such as trade, but it is a pain to set up… I'll explain if you guys want it. I'm looking for a more user-friendly way.

      How to install (Windows)

      This installation guide is for Windows-based operating systems: I do not own a Mac, and I doubt many people here use Linux.

      First, go to Adobe's FlashPlayer download page, right here: https://www.adobe.com/support/flashplayer/debug_downloads.html

      What you're looking for is the "Flash Player projector", no ActiveX, no NPAPI, no PPAPI, no debugger. People running Windows 8.1 or higher may have to skip this. I don't have a single clue where Flash is installed.

      Put this file in a new folder. Open Windows's notepad, and paste the following code:

          @echo off
          SET flash=flashplayer_23_sa.exe
          SET url=https://www.xatech.com/web_gear/chat/chat2.swf
          SET chat=1
          SET flags=12832
          START %flash% "%url%?id=%chat%&xc=%flags%"

      File > Save as > change "Text file (*.txt)" to "Every files (*.*)", and name it as "lobby.bat". Move it in the folder you previously created, and double click it.

      If everything goes well, you will see a new window, and you'll be connected to Lobby. From there, you can /go to other chats (eg. /go xat5 or /go xat_test).

      Configuring the code

      - @echo off will hide debug output. We don't need them.
      - SET flash=... will set the "%flash%" variable to hold what's after the =. It must match Flash Player's executable name.
      - SET url=... will tell what URL we want. chat2.swf will make every chat debug (blue ball) while chat1.swf will make every chat regular.
      - SET chat=... will set the chat ID. Lobby is 1, chat is 123, xat5 is... 5.
      - SET flags=... this one is hard to explain. It sets some configs. This value means "no radio, mute, disable auto login".

      Picking a chat ID

      You may want to use a different chat ID, because nobody wants to go to Lobby. This is simple: go to any xat, for example xat.com/XeR. Click on the embed link, and look at the address bar. You'll see a number after "?id=...". This number is the chat ID. For XeR's chat, the chat ID is 171661491.

      I'm logged out! How can I log in?

      In a very similar manner, you'll need to use this piece of code:

          @echo off
          SET flash=flashplayer_sa.exe
          SET url=https://www.xatech.com/web_gear/chat/chat2.swf
          SET user=<username>
          SET pass=$<number>
          %flash% "%url%?id=8&xc=%flags%&em=%user%&pw=%pass%"

      Log in as usual. When you're at the last step, when you can change your security settings, right click the page, and show its source code. Find "pw=$" (you can use ctrl-f to open a search box).

      DO NOT SHARE THIS NUMBER. WITH ANYONE. EVER.

      You should see an integer. Replace the $<number> with this integer in the previous script. Double click it, and you'll be logged in. :-)

      Feel free to tell me your impressions about this, and ask questions if you don't understand something.
  18. Every URL that contains "xat" is blocked. Try modifying the URL of your blog posts to replace xat with xt or x4t
  19. It seems like xat.com is the first Google result again.
  20. Awwww come on, you've just given away the keylogger prevention technique I've been using for the last few years.

      There is absolutely no problem with Flash. The problem is that the login/register pages filter inputs to prevent attacks. You can see a similar behaviour on the search page: search for a$b, it will search for ab instead.
  21. Your account is your identity. It is ranked on chats you go, it is tied to the regname people know, it keeps your friends in its friend list. Even if you don't have powers on it, it's a great part of you on xat.

      I own two accounts that I never use. No shortname, no powers, no xats, no days. I recently moved, and required an ISP update. With the new policy, I would have lost them. They are 5-digits and are worth much more than 1k xats.

      That doesn't make any sense! Nobody cares. Let's summarize the information we have instead:
      - People can create tickets to recover their account
      - They can even if they are not paid users
      - The account will not be recovered if it is considered worthless
      - The volunteer crew was (is?) running low. Three volunteers have been recruited recently.

      I went to the General Support section:
      - Number of questions in June: 15 + 3 + 6 (as of 06-26, so not a full month)
      - Number of questions in May: 41 + 3 + 7
      - Number of questions in April: 20 + 1 + 9
      - Number of questions in March: 18 + 2 + 4

      Let's assume tickets number and support posts are proportional. June is similar to April and March. So tickets number is probably "average", with 3 more volunteers.

      Official twitter mentions the following: (Image courtesy of SlOom)

      My opinion: The tweet looks like a ban wave gone wrong. The new ticket policy may have been made to deny those targeted by this ban wave from getting access to their account.

      What would motivate a ban wave? Lots of phishing? Virus targeting xat? We saw that it is likely that the number of tickets is average, so probably not. Honestly, I don't have the slightest idea. Maybe someone will manage to connect the dots by reading my message?

      An official statement from @Admin would be nice... (I can dream, Harold!)

      PS: This post took a while to write, that's why some parts of it have already been said in previous posts.
  22. A while ago, someone mentioned that bot hosters will end up leaving, and that it would be a good thing if bot hosters could make a tutorial to explain how to create a bot from scratch. Since the main tool used to understand how xat works is considered a virus by most antiviruses, the project could not be endorsed by xat, and we were asked to use a different tool. In the end, nobody did it.

      Such a guide would probably not be endorsed by xat, because it encourages those who follow it to break the terms: "You will not modify, adapt, translate, or reverse engineer any portion of the service" (oh, and you're supposed to be supervised by your parents if you're under 18)

      (Don't take the rest of this post for yourself.)

      On second thought I think it's a very good thing: Running a bot hoster requires patience and skill. We've seen enough ephemeral hosters. Hosters that were run by greedy users who ran a script from the internet because "those guys make money". I don't want to see more of them. What's the point of offering a low quality service?

      If you couldn't figure out how to adapt a bot from an outdated source code -you get a bonus point if you start from scratch-, how will you add features? How will you fix bugs? You won't. And it will die.

      I spent countless hours working on the first Ocean versions, looking at packets, replaying them, emulating the behaviour of a real client, trying to figure out why chat kicks me out randomly, what E25 stands for… It teaches you a lot about how networking, xat, and its protocol work. It's not something you can learn by watching a video. By following a tutorial you're going straight to the point, never failing. Poking at stuff and watching what happens is definitely the best way to learn.

      You have no idea how stupid and stubborn people can be. No really. Even when Ocean was a free service people were impatient and constantly complaining. ( This is the main reason I stopped working on Ocean. Why would you spend most of your free time working for ungrateful people?

      However, if you still want to run your company, keep in mind that it's all fun and games until they demand features.

      The great lines are:
      - Learn a programming language
      - Learn how networking works
      - Reverse and understand xat's protocol
      - Emulate the client's behaviour
      - Add features one at a time

      Good luck.
  23. Best bot ever Brace yourselves, people selling OceanProject with few additions (if any) are coming.
  24. Larry Page was mad because volunteers didn't answer his tickets