The best part is that even if they had rolled a valid gift code by dumb luck, it wouldn't have detected it. There's a typo in the API call ("entitelemnts" instead of "entitlements") which will always return a 404.
what also fascinates me is HOW they're generating them. the odds that a fully random string of letters is a nitro code is so unholily low, that if they were to put a minute's research in to see how nitro codes are compiled and try and systematically generate random codes, they would at least have a chance at getting one.
@@ikyyntts7807 if the code is 6 letters long and it can be a combination of letters and numbers that would be 6 to the power of 12 more or less. It is very unlikely to say the least.
@@ikyyntts7807 I think these guys are in the range of being juuuuussssttt smart enough to write a scammy brute force code but just dumb enough to not put in any more effort in figuring out codes
@@fog- ah right, just an insight, apologies. but you could have also ACTUALLY utilised threading to have one thread continually generate codes and throw them into a pool, have a thread or two checking the codes. or something like that, either way the guy who made this one clearly doesn't have a clue what he's doing
I seriously think that ONLY underage discord users fall for nitro generators. Also, I still can't believe that such low human beings exist, USING kids that don't know anything to get nitro. What a disappointment.
Yeah… I once downloaded one and it was an exe, but it is on my phone. And it came up with nsfw pop ups but I didn’t click any of them. Then I downloaded malwarebytes and they got rid of it lol. It was back in 2020 I believe . But I’m 13+ now since my bday was months ago, joined discord in 2018 but probably earlier since I had another acc
This script is memory heavy (file writing) so if they would implement threading it wouldn't be great as threading is for I/O tasks (like API requests but without mass file open, writing, closing) for these memory heavy tasks they should use multiprocessing where a process on each CPU is spawned. However I assume that they are too stupid to understand multiprocessing, they also could use threading with the queue function and not directly writing to file.
@@electricz3045 It would definitely still have a performance benefit. I think you can spawn as many threads as your CPU supports without any performance hitch so at some point the threads would theoretically spawn on separate cores and max out the performance. Also, while sockets operate more internally (memory) for Windows, they are file-based I/O on Unix based systems (i.e. FreeBSD, macOS, Linux). Nevertheless, randomly generating a string based on random numbers seeded by time (standard random generator) is going to be wholly inefficient as it won't come near to producing similar results as a more complex cryptographically safe algorithm.
as a python programmer myself it's genuinely so funny to see a person try to encrypt their code only for it to be decrypted by a person who doesn't even code (much i think) hilarious. i want more of these videos.
@@SpaceKebab It's incredibly over-exaggerated on how hard it is to learn tbh, you just gotta get used to stupidly named functions and stupid symbols like >
This is honestly hilarious, I can't not imagine the thought process : "Hey let's bruteforce nitro links. But we'll make gullible kids do it for us instead." Genuinely a modern supervillain, I love it lmao
i love how they spend all this effort cloaking the code in like 3 layers as if anybody who will actually fall for the scam is going to look closely at the code
Hey No Text To Speech, I'm a big fan of your RU-vid channel. I love your informative and entertaining videos about Discord and other social media platforms. I'm also impressed by your commitment to helping people avoid scams and stay safe online. Keep up the great work! Sincerely, Bard
The method they're using technically does work, but only for the first few times you try the request. After that you'll get rate limited to hell and back, and sending even more requests (say, 999995 of them) might actually get your IP banned from Discord altogether.
it's a situation where you lose no matter what. 1: you don't get a working code. 2: you get a working code, it is traced back to you. 3: it's detected as a ddos, literally banning you from the website if the ip is found.
I've sent like 3000 requests to discord before, you don't get banned you just get heavily rate limited (which, if you think about it, is basically a temporary ip ban)
Theoretically, if this DOES actually get a few valid ones and sends it to the random skiddies, you could tweak the code a bit and actually send it to your own webhook, basically giving you an actual free nitro generator.
@@racapadexxa_ it does, it validates it through discords api until it finds a valid gift so yes you can just make it send to you instead of the webhook
this is like the guy from Willy Wonka making his workers find a golden ticket from millions of chocolate bars and they can't even keep it for themselves
Although you said the process was easy, the fact that you de-compiled all that code to prove why these "nitro generators" are scams is commendable. There definitely needs to be more awareness about said scams, as the phrase "don't accept random links from strangers" unfortunately isn't common knowledge...or not enough people care to double-check. Either way, feel free to keep making these kinds of videos; I'm gonna need this information at some point o-o _/ /
Btw in terms of this crypted code, that is pyarmor obfuscator and at some point in time it has all the code in a string so I just run this in pycharm community with debug points at last lines and go line by line until it has a variable with the text. It could also be rewritten a little to just spit out plain decoded text when ran
I like how this technically isn't really a scam. As in, it won't steal your token, join servers for you or something like that. In theory this can work although chances are probably very very small
it's still a scam, just stealing your computer's processing power to generate random nitro links. and spamming discord's api in your name. it wouldn't be a scam if it gave you the code if it did find it, but it doesn't, it just gives it to the programmer
These generators generate 16-character long links out of 60 possible characters. That's 60^16 possible links. That's 2,8 x 10^28 different codes. So if you have a server with 10000 users who all generate 100000 codes, that means the number is now 2,8 x 10^19. The likelihood that you manage to get a real code is so tiny. But I do still think Discord could increase this by making the links 32 characters. Because while the likelihood is already small, it's not small enough for these people. Making it 32 characters long, makes it so small that it's not even worth even trying.
That would be the case if there was only one code. Of course there are way more but still, it will be extremely rare for someone to hit the jackpot and get nitro for free
man these nitro generators are absolutely hilarious By the by, some knowledge of ROT13 for the curious: ROT13 is not computer encoding but a _cipher._ If anyone here knows Caesar Cipher, it's that basically. For the uninitiated: It's an "encoding" where each letter is shifted a number of letters up or down. Take the case of the letter E, which is the fifth letter. If we say "shift three up", that means we need to find the third letter _after_ it, which is H. If we say "shift two down", that's the second letter _before_ it, which is C. ROT13 is a special form of these ciphers, since the ROT13 makes you find the thirteenth letter after it... which is also the thirteenth letter before it. That's because there are 26 letters in the alphabet, so you only need to find the letter of the ciphered letter's mirror position. (Example, if the ciphered letter is A, then the decoded letter is Z.)
I love videos like this because it takes away this façade hackers have, that they are some type of coding god or mastermind, but in reality its just garbage code packaged in a different way.
If I were in a situation like this, I would absolutely NOT spam their webhook. That would be a huge waste of time. Just tweak the code a little so it sends EVERY nitro link to the webhook instead of just the valid ones :)
absolute unnecessary bullshit, just change the exec, eval to print and the code will print out without going through any of these crap, interpreted python is a hot piece of garbage in terms of security
I'm not too completely sure on how this all works, but you explained it really well! It was also interesting to watch for some reason, and fulfilled the promise of it being satisfying. Thank you for entertaining 9 minutes of my day lol.
it has two steps: first code is just encoded junk filled with comments, he decodes and gets to actual code. then, second code just takes random guesses to find random nitro gifts. they verify the gift code and if it actually works, it will be sent to the programmer instead. it uses your computer as a nitro code miner
So basically, the owners of the server got a random script from the internet, not knowing what it does and not knowing any code at all, and shared it with over 200 people, and it ends up scamming no one, as it doesn't work. There's no winner or loser in this story.
Rookie mistake: that verification system for the gift codes will just be timed out after like 5 tries. They should use some way to mask the ip. Also this type of brute force system can run for a full year without finding anything. Anyways great video!
the even bigger problem is that Discord did nothing to give users more so that less likely they would want Nitro and so is the chance they fall into those scams.
8:05 OK but this does mean that if someone was really desperate for free nitro, they could rewrite the code to NOT send the valid codes to the webhook and instead have it print them. I know what I must do.
Nice explanation. Shit like this happens really often and... Sometimes they send a software. I analysed it with the fantastic linux ubuntu terminal (I didn't decode it cause I wanted to have some stuff like the pyinstaller), and it's literally the same as this shit but in a software with a virus that literally takes your discord token from your discord application. Well cya stay safe!
You could also just replace the last 'eval(compile(...))' with a print. Then running the code in replit would have it print out the deobfuscated version.
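The unwrapping idea from the comments above (swap the final `exec`/`eval(compile(...))` for a print), done statically so nothing from the sample ever runs. This is an added example, not code from the video or the generator: the helper names `static_value` and `peel` are hypothetical, the base64 layer is an assumption (the thread only names ROT13), and the sample is constructed with a harmless payload.

```python
import ast
import base64
import codecs

def static_value(node):
    """Evaluate only literals and whitelisted decoder calls; None for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value
    if not isinstance(node, ast.Call):
        return None
    name = ast.unparse(node.func)
    args = [static_value(a) for a in node.args]
    if name == "compile" and args:                       # compile(src, ...) -> src
        return args[0]
    if name == "codecs.decode" and len(args) == 2 and isinstance(args[0], str) \
            and args[1] in ("rot13", "rot_13"):
        return codecs.decode(args[0], "rot13")
    if name == "base64.b64decode" and len(args) == 1 and args[0] is not None:
        return base64.b64decode(args[0])
    if isinstance(node.func, ast.Attribute) and node.func.attr == "decode" and not node.args:
        inner = static_value(node.func.value)            # <bytes expr>.decode()
        return inner.decode("utf-8", "replace") if isinstance(inner, bytes) else None
    return None

def peel(source, max_layers=10):
    """Return [outer, ..., innermost] sources without executing any of them."""
    layers = [source]
    while len(layers) <= max_layers:
        try:
            calls = [n for n in ast.walk(ast.parse(layers[-1])) if isinstance(n, ast.Call)]
        except SyntaxError:
            break
        inner = [static_value(c.args[0]) for c in calls
                 if isinstance(c.func, ast.Name) and c.func.id in ("exec", "eval") and c.args]
        inner = [s for s in inner if isinstance(s, str)]
        if not inner:
            break
        layers.append(inner[0])
    return layers

# Constructed sample: a harmless payload wrapped in ROT13, then base64.
PAYLOAD = "print('harmless payload')"
LAYER2 = "import codecs\n# junk\nexec(codecs.decode(%r, 'rot13'))" % codecs.encode(PAYLOAD, "rot13")
SAMPLE = ("import base64\n# more junk\neval(compile(base64.b64decode(%r).decode(), '<s>', 'exec'))"
          % base64.b64encode(LAYER2.encode()))

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print(f"--- layer {depth} ---\n{layer}")
```

Anything the whitelist does not recognise (for example `exec(open(...).read())`) is left as the last layer for manual review instead of being evaluated.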
You must be new here, we don't take simple or easy way here we only use 500 websites and spread false news about coding since he doesn't know one thing he claims and has nothing to back him up
if you de-obfuscated it, couldn't you just remove the bit where it asks discord's api "Is this code legit" and treat EVERY code it generates as legit, such that they receive a bunch of useless links?
@@declan_youtube actually we have, you know if you have access to the webhook link you can send anything you want into it. You can do this by coding a script or by using tools like discohook
Well in this case, whoever 'developed' the program sucks at encrypting it and you can directly tell what cipher it is from the code. Everything else is basic python with a questionable generation method
Wait, so technically couldn’t you change the code and make it so you get the nitro? Update: I got it to work if you replace the webhook url with one of your own
@@universoul8929 Do not say it is mathematically impossible when it is not. Math can NOT calculate luck. On average, it would take more than hundreds of times the age of the entire universe, but it's also possible for you to get 20 codes in a minute, it's just that the probability is astronomically low.
The problem with this method is that it takes hundreds or thousands of years of compute time to even generate a code that matches, and the method of verifying is spamming discord. Using threading won't speed up anything. The bottleneck is sending requests to Discord, and Discord *will* throttle your request if it gets spammed like that. If you really wanted speed you wouldn't be using python anyways. Even funnier is that this is done on replit's servers since the browser doesn't run python. Your computer isn't running anything so there's no need to get other people to run it. Even if it was in javascript, the browser's cross origin security would block these requests.
I really love how satisfying it is to bruteforce poorly obfuscated code, I once did that with one of the exploits and it was so poorly obfuscated that most of the obfuscation was redirecting to unobfuscated source code. It's honestly funny seeing how their obfuscation just miserably fails and ends up exposing source code. Also, I'm pretty sure everyone knows that you would never run something that's obfuscated so, it makes it even funnier.
@@giakhanhvn2mc yeah, although it should be noted that VM languages like Java, Kotlin, C++, Dart and Lua are extremely easy to de-compile. I wouldn't really ever use them for anything to do with security.
@element what are you talking about? VM languages are not easy to deobfuscate because unlike python they are not interpreted but compiled. Their bytecodes can be transformed back to regular code, therefore being easy to break in on the source codes. Python is also extremely easy to deobfuscate seeing as it's interpreted and they can't hide any code from you.
@Sir Avian I wasn't talking about obfuscation but rather compilation. Lua is not interpreted like python but compiled and ran in a virtual machine like java or c#. You can very easily get the original source code from this compilation. The lua compiler also destroys all unused variables and dumb stuff that you write meaning all your obfuscation is completely useless.
"this is basic obfuscation", once you sit in the ghex editor and a bunch of shit to just try to find something wrong in a NES game. That said, nice video.
@@JamesRelok it does bc the youtuber claims that it could work occasionally were u not hearing or anything he never claimed it to be not working he just said the real nitro goes to person who makes the gift while the fake goes to u
When a nitro code is bought you have 48h to claim it. So if the code isn't claimed within 48h it will be regenerated and the chance of a script kiddie guessing it is 1 in 218,340,105,584,896.
You can also delete any webhook by its URL, if you send an HTTP request to the webhook url with the 'DELETE' http method it will completely delete the webhook, it's in the discord developers documentation
@@Twingamerdudes just no. This is not illegal and it isn't a ddos. First of all DDOS means Distributed Denial of service so this would be a DOS. If Discord wouldn't be able to handle that then they should not operate a Platform like that. This one is a very ineffective bruteforce attack. Which is Not against any laws. It's Just against discord's TOS
@@felixbemme7257 did some slight research if almost causing a DDOS is illegal, turns out it's not, still, pirating discord nitro is still illegal since you're meant to buy it or receive it as a gift. Not just get it for free (if not being gifted it)
the funnier thing is that it's practically the same as a miner but there's a .01% chance of you actually getting anything, you're damaging the components of your own pc and receiving nothing for it