
Thread: Reverse Engineering: PokerStars

  #1 bob_dole (Las Vegas, joined Apr 2013, 111 posts)

    Recently SWIM has been attempting to somewhat reverse engineer the PokerStars client. Now it is possible that this doesn't even qualify as reverse engineering as the desired task is somewhat simple. SWIM's goal is to intercept PokerStars communication with their servers, more specifically in an attempt to find out what variables are sent to login, along with possible responses and what they indicate. Sounds simple enough?

    SWIM also thought it would be as simple as monitoring his network for outgoing packets, which would hopefully contain which server IP and port the client connects to, along with the login file location and data (GET, POST, etc.) that is sent to attempt a login. Well, after 30 minutes of attempting to install various sniffers (Wireshark mainly; it took forever to install the WinPcap plugin, as I had an old version from 2007 on my computer which prevented a new installation. SWIM bought his/her computer in 2011 but did eventually find the culprit, a Wi-Fi adapter), SWIM discovered that the server used SSL and needed a valid certificate. It turns out there is an option in Wireshark that allows you to enter the RSA key, which will then automatically decode all HTTPS packets sent out.

    OK, so simple enough, right? SWIM then proceeded to do some intense Googling and attempted to use OllyDbg to decode the client to find the RSA key, which he/she could then use to decode packets via Wireshark. He/she found what they thought was the RSA key and put it into Wireshark, but after failed results gave up an hour later.

    SWIM then discovered that the PokerStars client allows you to configure a proxy server, so decided to give that a shot. He/she opened their Simba socket server from a while ago and attempted to turn it into a proxy and output all data that passed through the proxy. This worked perfectly up until it attempted to connect to a server on port 443 (SSL) and failed to do so. SWIM tried connecting to this server in a separate client socket program, but Simba doesn't support many advanced/multi-threaded features that other socket controls do, which resulted in a 'connection reset' error every time.

    SWIM has a few more ideas but decided to post for any answers here before proceeding with those ideas. If anyone has some feedback, experience or a ridiculously easy way of doing this that SWIM overlooked, please do post here so I can forward the message on to SWIM.


    On a somewhat unrelated note, SWIM did manage to intercept packets to/from his/her RuneScape bots while running Wireshark. The contents were obviously nothing exploitable but were in plain text and quite interesting.

  #2 (joined Jan 2012, 1,596 posts)

    To clarify for anyone who doesn't know what/who SWIM is, SWIM stands for "someone who isn't me".

    Continuing on...
    The Simba sockets stuff... IIRC, Simba can't handle SSL and such, which is why there is yet to be a 'sendmail' function that is solely through Simba (as basically all SMTP servers require SSL/etc.).

    You could possibly try talking to @Kasi, as IIRC he 'knew someone' who was trying to do some packet stuff with RS.

  #3 (England, joined Nov 2011, 3,072 posts)

    If I'm correct, @n3ss3s has done a lot with RuneScape packets before.

  #4 Brandon (The Future., joined Feb 2011, 5,600 posts)

    Lol... PokerStars is an exe, not a jar file.

    Backtrack + SSLStrip + ARP poisoning > SSL.

    However, the packets for PokerStars might still be compressed using LZHL (according to Google) in the first place, so even if you break the SSL encryption, you still have to decompress each packet, or vice versa (decompress before decrypting).


    Also, you don't need any proxies to trap a connection. You only need proxies or Wireshark if you actually want to listen to the communication between the actual server and the client. If you want to see what the client is trying to do, just utilize your hosts file and trap it that way. Redirect it to 127.0.0.1:80 or w/e port number and address you want. Then write a simple socket listener that listens on that port, acting as the server. Open your PokerStars and all outgoing information goes straight to your localhost and that port, where your listener should already be listening.

    Do w/e with the info you grabbed.
    This is essentially the very basics of starting to write a server emulator, which you might end up writing (partially). You'll have to figure out what each packet's opcode is after you break the encryption and decompress (if it is compressed still). The plaintext would help with that.
    Last edited by Brandon; 08-15-2013 at 05:13 PM.
    I am Ggzz..
    Hackintosher
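The hosts-file detour Brandon describes is the right first step, with one catch that the thread runs into later: if the client speaks TLS on the detoured port, a plaintext listener sees exactly one thing, a ClientHello, and the client then gives up when no certificate chain comes back. SSLStrip has the same limit against a native client, since it works by rewriting the HTTP links and redirects a browser follows, not by breaking a direct TLS connection. The Python below is an added example (editor's code, not from any poster and not PokerStars code) of the "listen locally, log everything, forward to the real server" pattern: a logging TCP forwarder that hexdumps both directions and classifies the first bytes of each connection so you can tell an HTTP request from a TLS handshake. The sample request, the ClientHello bytes and the upstream address are constructed for the demo; `run_demo` stands up a local echo server in place of the real server. In real use, give the forwarder the server's IP address rather than its hostname, because the hosts file has just pointed that hostname at 127.0.0.1.

```python
import contextlib
import socket
import threading

# Constructed samples, not captured from any real client.
SAMPLE_HTTP = b"GET /update/version.txt HTTP/1.1\r\nHost: updates.example.invalid\r\n\r\n"
# TLS record: type 0x16 handshake, version 3.1, length 5; handshake type 0x01 = ClientHello.
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("16030100050100000100")
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")


def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS ClientHello from a plaintext HTTP request line from anything else."""
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls-client-hello"   # a plaintext listener never gets past this record
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-request"
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> str:
    # Offset / hex / ASCII dump of a captured chunk.
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


class LoggingForwarder:
    """Listens where the hosts file points the client, logs both directions, forwards upstream."""

    def __init__(self, upstream, listen_host="127.0.0.1", listen_port=0):
        self.upstream = upstream      # (host, port) of the real server
        self.log = []                 # (direction, bytes) in arrival order
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((listen_host, listen_port))
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]   # port 0 above means "pick a free one"
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        with contextlib.suppress(OSError):       # ends when close() shuts the listener
            while True:
                client, _ = self._srv.accept()
                threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _pump(self, src, dst, direction):
        with contextlib.suppress(OSError):
            while data := src.recv(4096):
                self.log.append((direction, data))   # log before forwarding
                dst.sendall(data)
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)             # pass the EOF along

    def _handle(self, client):
        up = socket.create_connection(self.upstream)
        t = threading.Thread(target=self._pump, args=(up, client, "server->client"), daemon=True)
        t.start()
        self._pump(client, up, "client->server")
        t.join()
        client.close()
        up.close()

    def bytes_for(self, direction: str) -> bytes:
        return b"".join(d for dirn, d in self.log if dirn == direction)

    def close(self):
        self._srv.close()


def _start_echo_upstream():
    # Stand-in for the real server: echoes what it receives, then hangs up.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def run_demo(payload: bytes = SAMPLE_HTTP) -> dict:
    # Push one payload through the forwarder and report what the listener saw.
    fwd = LoggingForwarder(_start_echo_upstream())
    try:
        with socket.create_connection(("127.0.0.1", fwd.port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            reply = b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        fwd.close()
    sent = fwd.bytes_for("client->server")
    return {"kind": classify_first_bytes(sent), "sent": sent,
            "echoed_back": reply, "dump": hexdump(sent)}
```

Run `run_demo()` and read `dump` to see what the listener captured; send `SAMPLE_TLS_CLIENT_HELLO` instead and `kind` comes back as `tls-client-hello`, which is the signature of the port 443 failure described in the thread. To actually read a TLS session you would need the forwarder to terminate TLS itself with a certificate the client trusts, which is what the later suggestion of a proxy such as Fiddler amounts to.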

  #5 bob_dole (Las Vegas, joined Apr 2013, 111 posts)

    Quote Originally Posted by Brandon (post #4 above)
    Yes, it's an 8MB exe file. Who said it was a .jar? I already created a program to listen on localhost; here's a piece of the code. It works perfectly for the updates.

    Simba Code:
    // Handler for one accepted client socket: reads the request line the
    // client sent, fetches the requested URL and hands the response back.
    Procedure Thread(id: Integer);
    var
      HTTP: Integer;
      data, update: String;
      Process: TStringArray;
    begin
      HTTP := InitializeHTTPClient(false);

      // Request line looks like "GET http://host/path HTTP/1.1"
      data := RecvSocket(id);
      Process := Explode(' ', data);

      writeln('=============================================');
      writeln(data);
      writeln('---------------------------------------------');

      // Only forward when the request line actually carries a URL
      if Length(Process) >= 2 then
      begin
        writeln(Process[1]);
        update := GetHTTPPage(HTTP, Process[1]);
        update := GetRawHeaders(HTTP) + update;
        SendSocket(id, update);
      end;

      FreeHTTPClient(HTTP);
      CloseSocket(id);
      FreeSocket(id);
    end;

  #6 Brandon (The Future., joined Feb 2011, 5,600 posts)

    Quote Originally Posted by bob_dole View Post
    Yes its a 8MB exe file. Who said it was .jar? I already created a program to listen to the localhost, here's a piece of the code. It works perfect for the updates.

    Hmm then why did you bother to say "Someone who isn't me" and write in the third person, if you're the one trying to reverse the program?

    The jar comment wasn't directed at you. It would have been nice if you had mentioned that you already detoured the connection using the hosts file.
    Not sure what relevance the Simba snippet you posted has, because there is no "AcceptSocket" or any listening going on there, and you're closing the socket.

    If you already have working code then all that is left is to decompress and decrypt.. Since you already knew what algorithm it was compressed with then I'm not sure what help you actually need.

    You seem to already have things figured out.. However, using Simba for this kinda stuff is probably the worst idea in the world but continue on I guess..
    Last edited by Brandon; 08-16-2013 at 12:19 AM.

  #7 Sin (Toronto, Ontario, joined Dec 2011, 6,424 posts)

    Quote Originally Posted by Brandon (post #6 above)
    He could get in really big shit since PokerStars is a multimillion dollar company.

  #8 (joined Jun 2012, 4,867 posts)

    Quote Originally Posted by Sin:
    He could get in really big shit since PokerStars is a multimillion dollar company.
    Well, he used the first person twice in the OP:
    "Wireshark mainly, took forever to install WinPCap plugin as I had an old version from 2007 on my computer which prevented a new installation."

  #9 b0bzilla (East Coast USA, joined Aug 2013, 14 posts)

    Fiddler2 is a good HTTP proxy.

  #10 bob_dole (Las Vegas, joined Apr 2013, 111 posts)

    Quote Originally Posted by Brandon (post #6 above)
    Well since the simba snippet is not relevant I am willing to come out and admit it was I who coded that 'listener'.

    SWIM occasionally shares devices with me, or he/she uses the university computers to do some of this. I watch and help with things unrelated to the actual acts of accessing PokerStars. I code occasional snippets or help with installations, but what he/she happens to use them for is up to his own personal judgement. If somehow I get dragged into this and charged, the prosecutor should get a job offer for Attorney General of the U.S.

    SWIM's issue came when the client attempted to connect to the 443 server.

    On a side note, the amount of sketchy stuff PokerStars is involved in is ridiculous. Accusations of 'statistically impossible' series of hands and other lawsuits against the company are scattered throughout the internet. What SWIM intends to use this for is considered insignificant compared to the other stuff going on.

    It's the equivalent of Jagex going after someone in the U.S.: expensive, time consuming, and arguably pointless. A 'cease and desist' phone call is much more likely.

    Decompressing and decrypting the data may also present an issue later on but after SWIM messes around I will report back the results.

    Quote Originally Posted by SWIM
    While I may later regret spilling the beans, PokerStars has no report functions for other players, no throttle control, and several thousands of players. Plus a look on any youtube poker video will show the competition for online poker leads is very high in demand. I've said all I can say without hand holding, drawing a pie-chart, or making an animated G rated film to spell it out.
    Edit:

    SWIM has an idea to possibly generate even more revenue quickly; however, the fact that passwords must be 8 chars with a number may reduce the efficiency of this idea. It is possible that this wasn't a requirement in the past, though.

    Quote Originally Posted by b0bzilla:
    Fiddler2 is a good HTTP proxy.
    SWIM says thanks. Saves SWIM the trouble of making one in Simba, and it has most of the features SWIM needs too.

    Edit #2 | 5:49AM PST 8/17/13:

    SWIM has isolated the issue down to retrieving the 2048 bit RSA key from the client. After SWIM manages to get this task done he/she should have all they need to continue. Any ideas for me to pass on to SWIM?
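On the "2048-bit RSA key", two caveats before spending more hours in OllyDbg, raised here by the editor rather than by anyone in the thread. Wireshark's RSA-key decryption needs the server's private key, and only works for sessions that used plain RSA key exchange rather than an (EC)DHE cipher suite. A key embedded in a client binary is normally the public half (a certificate or a pinned SubjectPublicKeyInfo), which lets the client verify the server but cannot decrypt its traffic. The Python below is an added example (editor's code, not from any poster and not PokerStars code) of the check that settles which half you are holding: it scans a byte blob for the rsaEncryption OID and parses the DER that follows, reporting a SubjectPublicKeyInfo (BIT STRING after the AlgorithmIdentifier) as a public key and a PKCS#8 PrivateKeyInfo (OCTET STRING) as a private key, with the modulus size and exponent. The sample blob is constructed here: the 2048-bit modulus is filler, not a real RSA modulus, and the private-key sample carries only the fields the parser reads.

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_tlv(buf: bytes, i: int, tag: int):
    """Read one TLV carrying the expected tag; return (content, index after it)."""
    if buf[i] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {i}, got {buf[i]:#x}")
    length, start = _der_len(buf, i + 1)
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return buf[start:start + length], start + length


def find_rsa_keys(blob: bytes) -> list:
    """Find RSA keys by the rsaEncryption OID and say whether each is the public or private half."""
    found, pos = [], 0
    while (i := blob.find(RSA_OID, pos)) != -1:
        pos = i + 1
        j = i + len(RSA_OID)
        if blob[j:j + 2] == b"\x05\x00":          # AlgorithmIdentifier's NULL parameters
            j += 2
        try:
            if blob[j] == 0x03:                   # SubjectPublicKeyInfo: BIT STRING { RSAPublicKey }
                bits, _ = _der_tlv(blob, j, 0x03)
                seq, _ = _der_tlv(bits, 1, 0x30)  # bits[0] is the unused-bits count
                n, k = _der_tlv(seq, 0, 0x02)
                e, _ = _der_tlv(seq, k, 0x02)
                kind = "public"
            elif blob[j] == 0x04:                 # PKCS#8 PrivateKeyInfo: OCTET STRING { RSAPrivateKey }
                inner, _ = _der_tlv(blob, j, 0x04)
                seq, _ = _der_tlv(inner, 0, 0x30)
                _version, k = _der_tlv(seq, 0, 0x02)
                n, k = _der_tlv(seq, k, 0x02)
                e, _ = _der_tlv(seq, k, 0x02)
                kind = "private"
            else:
                continue
        except (IndexError, ValueError):
            continue                              # OID bytes that are not inside a key structure
        found.append({"oid_offset": i, "kind": kind,
                      "modulus_bits": int.from_bytes(n, "big").bit_length(),
                      "public_exponent": int.from_bytes(e, "big")})
    return found


# Minimal DER encoder, used only to build the constructed sample below.
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b                           # keep the INTEGER positive
    return _der(0x02, b)


# Constructed filler: a 2048-bit odd number and e = 65537. NOT a real RSA key pair.
SAMPLE_N = (1 << 2047) | 0x0123456789ABCDEF | 1
SAMPLE_E = 65537


def sample_blob() -> bytes:
    """Bytes shaped like a binary with an embedded public key and, further on, a private key."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    rsa_pub = _der(0x30, _der_int(SAMPLE_N) + _der_int(SAMPLE_E))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    rsa_priv = _der(0x30, _der_int(0) + _der_int(SAMPLE_N) + _der_int(SAMPLE_E))  # only the fields parsed
    pkcs8 = _der(0x30, _der_int(0) + alg + _der(0x04, rsa_priv))
    return b"MZ" + b"\x90" * 64 + spki + b"\x00" * 32 + pkcs8 + b"\xff" * 16
```

Run `find_rsa_keys(open("client.exe", "rb").read())` on the actual binary; the same scan finds the SubjectPublicKeyInfo inside an embedded X.509 certificate, since a certificate carries the identical structure. A result of `kind == "public"` means the key is there to verify or pin the server, and decrypting the stream with it in Wireshark will not work no matter how carefully it is extracted.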

  #11 (Copy pastin to my C#, joined Dec 2006, 3,788 posts)

    On a side note, the amount of sketchy stuff PokerStars is involved in is ridiculous. Accusations of 'statistically impossible' series of hands and other lawsuits against the company are scattered throughout the internet.
    Keep in mind half (probably more, really) of their customer base is angry and addicted.
