Title: Investigating the Bustabit.com API
Post by: wunderwaffe on October 07, 2025, 03:22:38 PM

In case you're as interested as I am about Bustabit, and the Bustabit API, I invite you to read the Medium blog post I just made, where I disclose all the results of my research: https://medium.com/@biscofficecream/investigating-the-bustabit-api-and-all-of-its-mysteries-4f285fee0e5a

(if you don't know Bustabit, it's a behemoth of a Bitcoin gambling website that has generated billions in USD in revenue purely off promotion received from Bitcointalk)

Title: Re: Investigating the Bustabit.com API
Post by: TryNinja on October 07, 2025, 03:35:03 PM

Interesting read. :)

Out of curiosity, what would be the next step for you if you managed to access the ws endpoint off the client?

Title: Re: Investigating the Bustabit.com API
Post by: wunderwaffe on October 07, 2025, 05:00:12 PM

Interesting read. :)
Out of curiosity, what would be the next step for you if you managed to access the ws endpoint off the client?

Thank you! If I was able to access the WS endpoint off the client, the first thing I'd do is start looking for bugs. They have a great bug bounty program ;)

Title: Re: Investigating the Bustabit.com API
Post by: BattleDog on October 11, 2025, 07:54:42 PM

This was great. The FlatBuffers sniff + raw WS decode was smooth.

Two add-ons from the trenches:

You don't have to RE to automate: Bustabit ships a client-side "autobet" API in JS. Subscribe to GAME_STARTING, call engine.bet() / engine.cashOut(), read userInfo, and use the built-in provably-fair helpers (gameResultFromHash / ...Signature) to verify rolls. It's the safest supported path for bots.

Their v1 server and web client are open on GitHub. Different era (Node+WS, pre-FlatBuffers) but it shows the original crash architecture and is a solid blueprint if you want to tinker or build your own.

All in all, good job on the write-up. Looking forward to seeing if you find anything else interesting, especially around how they obfuscate the index-0e8b0ebf.js functions.