QIWI terminals. Dark side of the Moon

2013 was the year. I was quietly repairing computers in the countryside. Chasing teas and biting the season of the next series. Once, my boss suggested that we deal with payment terminals. A familiar entrepreneur gave them to him practically for nothing, plus he offered to install them at his own stores free of charge. By the way, they stood in the same place, just their owner was tired of messing with them.

At first I was against them, it would be necessary to dangle, to tear my ass from a warm chair. Anyway, I thought there would be a lot of fuss, and zero profit. Since they are beneficial only to store owners to attract customers. And the boss dreamed of millions; he had already seen several times how thick bundles of money were taken out of them. He said that inside there is the same hardware as on ordinary computers, and the same Windows.
“You can do it.”
- Well yes.
- Well, that’s all, you’ll receive a salary separately.

There was nothing to argue, besides, I already had experience supporting a similar Windows XP system, VPN, a garbage dump, plus one remote client on wi-fi, where it was important that the computer was always on and accessible.

The first thing they had to bring to us, clean, rearrange the system, install programs and check all the hardware. The terminals were heavy, in a vandal-resistant building, so that in order not to carry them around, the chief contracted local calderas that hang around the shops in eternal search for a sober. It was fun to watch them carry these heavy coffins and try to drag them up the stairs. Subsequently, we ourselves got the hang of it and calmly dragged them together. To the point, of course, carried by car.

Terminals under the QIWI brand. I know them too. There was a wallet and I used it for a very long time and successfully. QIWI itself does not deal with terminals, it only provides a shell and ready-made assemblies. So in the nearest major city they found their sub-dealer and entered into an agreement. They also received programs, keys and passwords. They configured everything themselves, I only provided them with remote access. At first it made my job a lot easier.

After a couple of weeks, the terminal was already working and we tested it at our point, and a couple of days later we took it to our native place. At first, there were few payments, but then it spun up and the flow of money began to move in our direction. More terminals appeared and I already showed the chief statistics on payments for a month or two. QIWI has its own statistics server, and I spent days monitoring the status of the terminals and where any payments go or do not go through. It turned out to be very interesting to be on the other side of the screen. Before, I only used the terminal and had little idea of ​​what was there and how. I even set up remote access through Radmin 2.2 (3.0 did not go, apparently, some kind of conflict with the QIWI program occurs) + Hamachi = Love forever. If there was no main work, I watched for hours how customers put money.

Barrel of tar in a spoon of honey


We have established a single commission for all payments, since the main task is to make money. But over time, I began to notice that some payments were made without commission. It turned out that these are mobile wallets, there is no commission for them, and not only for wallets, but for everything that passes through them - loans, transfers, etc. And such payments became more and more. In our area, lending has developed. Things got worse, big amounts. Many managed to accumulate debts, and then in bulk to spend in our terminals. There were so many such payments that more than half of the amount that we turned on the terminals was wasted. No, of course, QIWI paid for such payments, but so scanty percentages (hundredths) that it simply did not cover our expenses. Putting in a bank is even more profitable.

Contacted our dealer, he confirmed that yes, there is such a problem and you can not put a commission on them. In addition, we were at a time when QIWI announced an “amnesty” for everyone and now all 0% wallet replenishment. The dealer suggested, as an option, to limit the maximum amount of payment and use the built-in black list, block particularly arrogant customers. Each terminal has its own list and you need to go to each and enter the ill-fated number. After this news, I finally switched to the dark side.



About the heroes
In general, I like the negative characters in the style of Evil Genius. They have an inner core. They are persistent, hardworking, confidently go to their goal, despite all the failures. And they are ready to fight against the whole World, in order to achieve their dark plans. Not that these cute Superheroes who are always engaged in self-digging, whining for any reason, arrange tantrums from scratch. And they can’t take a decisive step without a good kick from behind.

A penny saves a ruble


For us, this phrase has become more relevant than ever. Limited denomination in bill acceptors. He began to block in a row all who were not acceptable, a real witch hunt, did not spare either big or small. The dealer talked about how entrepreneurs complain about QIWI. Many had kilometer-long footcloths with blocked numbers. It was a war, cruel and merciless, we fell into the very heat of it. And they lost, in their own field. Every morning, coming to work, the first thing I checked was yesterday’s payments, and if there were payments on QIWI, I immediately added them to the black list.

Of course, I did not go to each terminal and drive in manually. In the program folder I found whiteblacklist.xml - this is a common list for black and white. I made myself full file access to each terminal (hamachi drives) and automatically updated it with a bat-file. But that didn’t help, we have cunning people, they just go to the salon, buy new SIM cards and put 15,000 rubles on a new wallet. Damn, we had less turnover per day!

Joke in the subject
The programmer has died. I got to the last judgment. Judged, rowed - neither this, nor this.
- Where do you want it: to hell or to paradise?
- Can I see it?
They brought him to the huge CC. Around the machines of all kinds, nets - apparently invisible.
- This is paradise, you will be a user here.
- What the hell?
- And hell here - only a system specialist ...


Light ray of hope in the dark kingdom


But all this, of course, was an ordeal. Another minus of such locks is that if you add a number to the list, it is blocked everywhere. Those. the client couldn’t even put himself on the phone. But this black list did not affect loans at all. In short, wherever you throw, a wedge is everywhere. So I began to look for ways to make this commission myself, or to completely block such payments. Otherwise, we just lost the sense of holding terminals. I found commission.xml in the program folder there - that was what I needed.

Launched Delphi 7, it has been sitting idle for a long time, quickly throwing a program that parses this file and changes all the values ​​to what I need. Late in the evening I checked my guesses. And it worked, the commission on QIWI appeared. But a few days later she was gone. I looked at the file again and saw that everything was back as it was. It became clear that the program monitors its files and fixes it when updating. Okay. Again Delphi, we throw the timer on the form, quickly type it, and the new program now reads this file every minute, calculates the CRC amount and, if it does not match, parses the file, changes the values, remembers the new CRC amount and replaces the file with a new one. You can not parse the file, but simply replace it with the corrected one, but QIWI often has new providers, and the old ones disappear. So parse and edit more correctly. But my joy was not long, because I shared it with our dealer. He said that QIWI monitors payments and if we notice our manipulations, they will be fined, and they will. Everything had to be minimized. Of course, I still had an idea how to block these payments, but ... then it seemed to me so simple, obvious, but at the same time stupid and impossible, that I dropped it.

We create problems for ourselves and overcome them heroically right there


He began to look the other way. Namely - monitoring. I did not like him at all. There, you not only need to go to the site every time, and even use a special key. And all the time, manually update the page so as not to miss anything. As you know, I immediately decided to do my monitoring.

But the most important thing for me is to receive terminal status messages. Therefore, the first thing I got was SMS. I found a specialized site where you can connect your number and receive SMS on it, just sending an email. Each terminal has its own mailing address. I wrote a program that checked this mail, added the name of the terminal and sent it to the mailing address that this service issued. This is necessary in order to know which terminal the message came from. You can simply add your mailing address to all terminals, but in the letter there will be only the terminal number, which does not tell me anything. In parallel, the chief did the same notification.

I expanded my monitoring. At first I wanted to connect to the QIWI server and pull out the data from there, but the page was protected there and I could not download the data from the site. Everything is too complicated and there are no ready-made solutions.

So I approached the question from the other side. The QIWI application in the terminal writes everything in detail to the log. I wrote a server part that parsed this log and selected only the data I needed. As well as a client to receive messages and display on the screen. One of the terminals became the main one, it has a white IP and all other terminals sent data to it.

The client program did everything itself. In the corner of the screen a small form hung on top of all the windows, showed the current balance and the color showed the status of communication with the server. First of all, I threw it to my boss on the computer and he no longer asked how much money was left on the account. A brief look at the screen - and everything is clear.



Further more. Now, next to the balance line appeared from the log: errors of the bill acceptor, which bill he accepted, for which operator, payment amount, commission, etc. Nor do I need to press a single button. This is very convenient, especially when the whole day at the computer. You can immediately see if the terminals are working or in vain they are eating electricity. If I left the computer for a long time, then on arrival I clicked on the form and looked through the general log from all terminals.





Whatever the child would entertain, if only he would not cry


Even while writing monitoring for the computer, I came up with a new bright idea. Write a client for your Android phone. Its program from QIWI is not bad, but it is silent. And I want to receive a sound notification for any errors and just about payments. Attempts to install different SDKs were unsuccessful, they all lacked something. Yes, not knowledge of the language. And write both the server and the client for the computer and also for the phone. In general, I decided to speed up the process a little. Yeah ...

On w3bsit3-dns.com.ru I posted the idea of ​​my program and several people responded. But the first, having heard my budget, harshly criticized. So I was depressed. But the next one agreed to do at least a part. I was ready for that too. The chef paid me three thousand for terminal maintenance, so I offered this amount as payment. I sent him all my wishes and even drew a flowchart.

I did not say to him that this is a program for QIWI, I said only the general purpose: tracking computers, which in general was the essence of the program. And since my budget is small and out of my own pocket, I simplified the task as much as possible, plus made it more universal. It can be used in any project where you need to receive notifications on the phone. The communication protocol is simple: send a code, get a line, add to the table. Connects every 30 seconds. Application principle: the program is a logger, it shows a common message log from all terminals in one table. And also plays sounds. Each type of message is played only once per session, regardless of how many such messages were received. I divided the messages into different types: payment, bill acceptance, errors, etc. Each type has its own sound. For example: set errors on errors as in Windows, and on the accepted payment the sound of a falling coin. I don’t even have to get the phone, by the sounds you can determine what is happening in the terminals.

It took several months (!). As it turned out, it is even more difficult for programmers to understand each other. But in the end, we were able to make it and I enjoyed the first sounds of the payments received. I liked what happened in the end. And I suggested modifying the program further. Now you need to add another table at the top, it will show the current status of the terminals on the network / not on the network and so on. errors requiring immediate attention. Paid him the same amount, and he completed everything, well, and also corrected some of the shortcomings.



And now for the fun part. Since QIWI could not put a commission on payments, I decided to have fun. He marked them as a separate type and assigned a sound from the Sherlock series. Yes, yes, the same one that Miss Adler put on his phone. ABOUT! You can’t imagine how amusing it is to watch people's faces when a message arrives and a voice sounds loudly and clearly in the room. The funny thing is that even I could not say when he loses. When friends and acquaintances asked “what is this?”, I replied with a straight face that it was supposed to be from work. And in life you will not guess what kind of work this is.



Business before pleasure


I found myself a new entertainment. What does a person do when the terminal does not take a large bill? That's right, he goes to the cashier to the store and asks for a bargain. What am I doing? I'm sitting at the monitor. At this moment I see how the lines with errors replace each other below. They are immediately visible, since they are red. If it says that the bill is disabled, then quickly open the program and see where they are trying to put money. And if it is QIWI, then open another program and add the number to the black list, it is also visible in the logs. And run on the update. Who managed, he won! Of course, all this can be automated in a program on the server, she herself can do everything there and much faster than me ...



But how fun it is when you still drink coffee in the morning sleepy, and the phone begins to pour in with the sounds of errors. You run to the computer with burning eyes, with trembling hands, frantically click the keys, dialing a number (copying, of course, you are too lazy to do it too). Finally, click the cherished Enter button. Flickering windows with green lines against a dark background ... In general, Hollywood films about hackers are resting.

Advertising in QIWI


Well, entertainment is entertainment, but I wanted something else. At least use the terminals somehow. Because here they are in my hands, I can do anything with them, but at the same time I can not think of anything. A few sleepless nights yielded nothing, a Google search too. Either no one is interested in this, or they somehow use it, but they are silent. The only thing that occurred to me was banal advertising. Well, what, we have several different stores, the repair is the same, why not. A day there hundreds of people pass by. QIWI there and so twists the advertisement, but we are worse.

I turned to the dealer with my question, how there and what needs to be done so that our advertisement appears. But he replied that QIWI will not do this, they only work throughout Russia. And we are too small a company for this. Well, if the mountain does not go to Magomed ... We will draw the mountain ourselves!

He brought out a plate at the top of the screen, on it were three image containers with advertisements and they replaced each other in a circle. A few days later, a friend at the meeting said that he had seen our advertisement. He says no one is interested, no one is watching her. Not interesting, you say ... Well, well. I redid the program, now it hung secretly and watched the mouse. With any movement she jumped out like a devil out of a snuffbox. And it disappeared only after a minute - and then on condition that the mouse is not pulled.

Once, when the next terminal was standing in our cabin, a person stood for a long time near the terminal and did something there. At this time, I watched him in the camera, which stands in the cabin. Everything seemed suspicious to me, and I went into the hall to ask what was the matter. It turned out that he was trying to pay the loan, and my advertisement was stopping him. Previously, he said, there was a button and it could be hidden, but now you have to wait. And after all, he waited, and waited all those who tried to pay the loan, because they still glowed in my logs ...

Burn me in hell with a blue flame!

X-Files: Curse


The landlady of one of the stores turned to us with a proposal to put a terminal at her point. She was in a neighboring village. The road there is good, the village is rich, live in the forest. So I started assembling a new machine. There is no wired Internet there, so I added a USB modem from Megafon to the terminal. The native modem that came with the kit did not suit me, there is only EDGE, and I have increased traffic, so only 3G. At one time I used modems and I didn’t like the fact that the program always pops up on the screen during breaks. Therefore, I wrote a bat-file that monitored the network and reconnected itself during breaks, while doing everything silently and without interfering. So it came in handy here. As a result, everything was collected and taken to the point.

When installed in place, there were buyers. Naturally, they were interested in what it was and why. Of course, we explained that they can put money here on the phone. What some grandmother told us: Where are you there? Where do you live? If the money doesn’t come, we will come and have a drink ... m you! Hmm ... If the old woman is old, who is not standing on her feet, she is threatening us, what can we expect from the rest? Wild people. What to say.

For the first couple of months everything was fine. And then it began ... The first thing the Megafon station collapsed. There was no connection for several days. Okay, we fixed it by installing a Beeline modem. Then I altered my program on bat, now it switched between modems in the event of a break. But that didn't work either. Modems stupidly hung. Could not reconnect themselves with the base station. In order for the connection to appear, the terminal must be turned off, completely for about 15 minutes. And I often called sellers with a request to turn off the terminal, and then turn it on.

Started to fly off the sensor settings, jammed paper in the printer, chew bills. We went there almost every day. They could not understand what was the matter. Dismantled and cleaned the sensor, changed the printer, bill acceptor, even the sensor along with the monitor was changed. Changed the power supply inside the case, put a voltage regulator. The terminal was grounded, as it was shocking. They drove a pin into the ground, made a hole in the window frame and drew a wire to the terminal. Processes in the system hung, threw a bunch of monitoring scripts there. Bat on bat and taskkill drives. All for nothing.

Phoned the dealer, told our problem. They did not encounter this, they suggested changing the terminals in places. Changed. At a new point, the buggy terminal worked as if nothing had happened. And here again, problems. We thought maybe the locals are doing something. I put a webcam + Ivideon, but I didn’t see anything like that. As a joke, he suggested summoning the priest and the mullah for a couple. The place is clearly cursed.

They suffered for several months. As a result, we did not find out the reason for this abnormal behavior. But everything was decided very simply. The most important thing for us is to establish a connection, so we had ADSL Internet. All. All symptoms are completely removed. We recovered somewhere in two weeks. And the terminal works without problems. Trying to experiment and find out what was the matter, I did not, stop. Returned to a simple truth: works - do not touch.

The crisis


The end of 2014 brought a crisis to my abode. Virtual love, like real love, was not so eternal. Hamachi ordered a long life, closing all free accounts. And I scolded my laziness for a long time. After all, he knew that this day would come. It was necessary to prepare OpenVPN. But what is not, is not.

I downloaded the new version of OpenVPN and started testing on one of the terminals. They changed the GUI interface, but still left it miserable. Is it really so difficult to teach her to monitor the network and reconnect during breaks? You have to do everything yourself. Again I had to write a bat-file that pings the network and if there is no answer, it crashes all openvpn.exe processes and starts over. It took a couple of weeks to completely restore the network, I went to the terminals only along with the boss. Demolished Hamachi and installed OpenVPN. Also increased the commission at all terminals.

We have competitors, there are no terminals from the owners of new stores and commissions. They put them solely to attract customers. So for me it still remains a mystery who are all these people who put money in our terminals.

Empire strikes back


Earlier this year, I traveled to the city to speak with a dealer. I am interested in writing a QIWI monitoring program and I asked the dealer how others are doing. How they look at their terminals. Do I need a program like the one I wrote. He explained that where there are a lot of terminals, special people sit and follow through the site, so they are hardly interested. In addition, my program must be separately installed in each terminal. If everything is so complicated, it is not necessary for nothing. Much more important to them now QIWI payments - this is a headache for all owners.

Well, upon arrival home, I was already fully matured and was ready to implement any crazy idea that could block payments, if only it worked.

And I got down to business. Derived the most transparent form in the lower right corner. The size is such as to completely close the buttons that appear there. Now any click in this place was tracked by my program. When she clicked on the form, she took a screenshot of the screen, cut 2 parts from the image and compared pixel by pixel with the image that needs to be blocked. In this case, the QIWI wallet number input interface. And if it did, then the program moved the mouse cursor and clicked on the <Back> and <Home> buttons. I think the customers are a little awesome from this behavior of the mouse, they don’t see the form. If it didn’t match, then the program made its form completely transparent, then you can click on the form. Actually, she herself pressed where the client wanted to click. It worked, but not everywhere, the reason was in the depth of color,

I went on the offensive, but it turned out that not everything is blocked. These were transfers, through the same ill-fated wallet. The interface there is already different. Well, reluctantly, he added a second image for control. And there are images in BMP format of 3.5 MB! But then a third interface appeared ... The offensive failed, without really starting.

A knife is a tool, they can cut bread, or you can kill a person


We need to look for another solution, simple and less resource intensive. And this was found. Article on Habré - perceptual hash. Carried with him all weekend, staying up until night. But it was worth it. There was no code in the article. And in google ready-made solutions too. But the author painted everything well step by step. So part of the search, part of my mind I got my first hash, and then a matter of technology. I rewrote the program, now it has become much easier. She still cut out part of the image from the screenshot, but now it’s much larger and one, calculated the hash and compared it with the finished list. Even at the beginning of writing the program, I taught her how to save all screenshots in JPG format to disk and now I have easily collected all the hashes. For a perceptual hash, it does not matter in what format the image is and how compressed it is, the result is always the same. The program writes everything to the log: when I took a screenshot, what a hash. So even if something passes by, I just find this place in time and copy the finished hash. Before joining the battle again, I decided to check everything. I copied screenshots from the terminals and compared all the hashes with those that I blocked. To eliminate false positives. Everything went perfectly. Also changed the response of the program to the lock. The mouse now did not touch, but instead displayed the same inscription as with a blocked number. For an abandoned client, it looks as if his number is on the black list. I scattered the program through the terminals and reloaded them. For an abandoned client, it looks as if his number is on the black list. I scattered the program through the terminals and reloaded them. For an abandoned client, it looks as if his number is on the black list. I scattered the program through the terminals and reloaded them.

But everything didn’t work again! After much torment, it turned out that QIWI was to blame, or rather, how it started. A year ago, advocating for security, they changed the way they started their program. It replaced the standard Windows shell. And all the programs that are in Startup itself launched. Perhaps the launch of programs there is somewhat different than in the standard explorer.exe. Or maybe because of the transparency of my form. I didn’t find out, I just delayed the launch of my program. He wrote a simple bat-file that ran it a minute after himself. Everything worked as it should. The next day, I personally went to the terminal and checked the lock. Then a few days later, remotely, through Radmin, contemplated the work of his program. This is not necessary, everything can be read in the logs, but it is better to see once than hear a hundred times. The program does all the work clearly. The delay is minimal, and despite the fact that I did not optimize anything, even searching for a hash in the list was a dumb search. Now the list is small, but even if a hundred entries appear there, it will not greatly affect performance.

The black list was cleared of all lepers, becoming pristine. And I returned peace to the dark programming soul.



Meal'n'Real!


Well, my story ends, but the story continues. I'm tired of doing repairs, pulling out dead mice and butterflies from the system and sniffing toner like an avid cocaine man. I am waiting for a big bike trip to the south, hot and long summer with friends. Something like unlimited vacation. But I still have one more task that I set for myself. At the time of creating the advertisement, I had the idea of ​​showing video on the terminals. I have already removed that advertisement. Yes, it took a long time before I realized how useless it is. So now I have a new direction. Positive! I’ll be twisting a funny video after every payment I make. Or show a funny picture. The geniuses from QIWI made a delay before printing a check. All in order to keep attention on the next advertisement. Thank you, QIWI, I will take this moment to my advantage ...

Also popular now: