Author Topic: Coindice,Johny1976 Scam. Sell script with bugs.  (Read 4604 times)
coindicestand (OP)
Newbie
Activity: 15
Merit: 0
May 18, 2015, 11:26:19 PM
 #1

What happened:
We bought the coindice script from Johny1976. Before we made the order he told us that his script is fully secured. We started our dice. We loaded 1 BTC into the coindice pot. After the announcement people started playing. I saw 2 players cheat. How it can be if the script is secured I don't know. We lost 1 BTC in a short time. A player made an impossible 200.0x blind and won the whole pot. Some blinds of these players are gone from the admin panel. We stopped after losing the whole pot to these cheaters. I asked johny1976 how it can be if everything is secured. He told me that I just lost. lol it's fake bullshit. He asked me to give the Apache logs, which are optionally disabled on my VPS. Now I have asked the admin to turn them on. Then Johny told me that I want to fuck him. So I want to find who else was hacked with the same method, who bought this script, and who can fix the bugs, because we bought this game just for fun. I want my money back for the script if that is possible.

Scammers Profile Link:
https://bitcointalk.org/index.php?topic=507515.0
https://bitcointalk.org/index.php?action=profile;u=143958


Amount Scammed:
1.1 BTC for script
0.3 BTC vps domain hosting cost
1 BTC coindice pot

total 2.4 BTC
Payment Method:
bitcoin
Proof of Payment:
will give to any in PM
PM/Chat Logs:
I have got some stats from the admin panel to show where the cheating was. I will give admin panel access to anybody who wants to see proof. I can make a screenshot. For now just text.

see the difference
15997   Player_551   2015-05-10 04:52:41   0.0037 BTC   200.00x   <0.49   0.27   +0.73630000
15983   Player_532   2015-05-10 04:02:48   0.00000128 BTC   2.00x   <49.50   80.07   -0.00000128

How was the 200.0x blind created?
The IDs are gone, I don't know how. 15983-15997: where are the other blinds? They are gone from the stats.


Stats
Number of bets:    15997
Total wagered:    14.26327901 BTC
Total profit:    -1.48723903 BTC
Real house edge:    -10.42705%
Wins:    8175
Losses:    7822
W/L ratio:    1.045
Invest Stats
Total Investors:   
Total Invested:    0.00000000 BTC
House Investment:    -0.53339727 BTC
Total Investor's Profit:    0.00000000 BTC
Total house profit:    0.00000000 BTC

negative house investment?

Period    Real house edge    Profit
Last hour    +0.00000%    +0.00000000
Last 24h    +0.00000%    +0.00000000
Last 7d    -13.55505%    -1.55457783

Another player, 109, is cheating too, look:

2015-05-10 00:37:05   Player_109   -0.12420200   746d61b6409511ab635eab31990fc2bae513820b73786a02a3a01c8a5fb08410
2015-05-10 00:34:51   Player_109   -0.56000000   8e3516b583caa4e69049e052825f2cf384e396fb7ad64939ebde28e87b73d1fe
2015-05-10 00:31:20   Player_109   +0.05000000   f4003246f50bfafff0adf641d247d39f5316b1df86c4c96ec91ea8606b0c1e22


9352   Player_448   2015-05-10 00:41:59   0.00000001 BTC   2.00x   <49.50   35.62   +0.00000001     where is others? 9352-9338
9338   Player_109   2015-05-10 00:36:50   0.003 BTC   2.00x   >50.50   67.41   +0.00300000
9337   Player_109   2015-05-10 00:36:48   0.003 BTC   2.00x   >50.50   53.02   +0.00300000
9336   Player_109   2015-05-10 00:36:46   0.003 BTC   2.00x   >50.50   82.95   +0.00300000
9335   Player_109   2015-05-10 00:36:25   0.003 BTC   10.00x   >90.10   91.10   +0.02700000
9334   Player_109   2015-05-10 00:36:23   0.003 BTC   10.00x   >90.10   27.33   -0.00300000
9333   Player_109   2015-05-10 00:36:22   0.003 BTC   10.00x   >90.10   10.17   -0.00300000
9332   Player_109   2015-05-10 00:36:21   0.003 BTC   10.00x   >90.10   66.17   -0.00300000
9331   Player_109   2015-05-10 00:36:19   0.003 BTC   10.00x   >90.10   32.61   -0.00300000
9330   Player_109   2015-05-10 00:36:18   0.003 BTC   10.00x   >90.10   23.82   -0.00300000
----------------------------
9309   Player_109   2015-05-10 00:35:32   0.003 BTC   10.00x   >90.10   27.90   -0.00300000
9308   Player_109   2015-05-10 00:35:30   0.003 BTC   10.00x   >90.10   39.65   -0.00300000
9307   Player_109   2015-05-10 00:35:29   0.003 BTC   10.00x   >90.10   32.21   -0.00300000
9306   Player_109   2015-05-10 00:35:27   0.003 BTC   10.00x   >90.10   39.38   -0.00300000
9303   Player_109   2015-05-10 00:34:34   0.0387 BTC   17.00x   >94.18   94.40   +0.61920000

Guys, what do you think about it? Let's stop this bullshit on the forum?
Rmcdermott927
Legendary
Activity: 2254
Merit: 1140
May 19, 2015, 02:39:28 AM
 #2

The same thing happened to me but with the coinjack script.   Johny made up excuse after excuse to not pay his guarantee.  He even specifically told me to delete my VPS, then when I deleted it, he suddenly wanted access to the server again. 

inBTCwetrust
Newbie
Activity: 5
Merit: 0
May 19, 2015, 02:57:07 AM
 #3

The exact same problem is here too, and the problem is not from the server. I secure my server very well and I know how to secure my server (I work as a server administrator).

Plus, what happened is not from the server side at all. It is an exploit in the script itself, since the hacker loads real BTC on the site and then bets with a (1%, 0.5%) win chance and succeeds on his first bet. It happened to me with 3 accounts; each was a newly registered account, and he just made a single bet with a bet chance of just (1%, 0.5%), won on his first roll, and ran with all the money from the site.

The first time I said he is a very lucky person, but after I saw that happen with 2 different accounts the same day I was completely sure that this is not luck.
Vod
Legendary
Activity: 3878
Merit: 3166
Licking my boob since 1970
May 19, 2015, 03:00:02 AM
 #4

Did you guys receive any guarantee with the product?

I post for interest - not signature spam.
https://elon.report - new B.P.I.P. Reports!
https://vod.fan - fast/free image sharing - coming Nov
elm
Legendary
Activity: 1050
Merit: 1000
May 19, 2015, 03:16:14 AM
 #5

I heard many stories like this and many postings in Johny's thread were deleted. why could no one find the exploit in the script before going online? is it really that difficult? I am asking this because I am not a coder.

Vod
Legendary
Activity: 3878
Merit: 3166
Licking my boob since 1970
May 19, 2015, 03:18:28 AM
 #6

Quote from: elm
I heard many stories like this and many postings in Johny's thread were deleted. why could no one find the exploit in the script before going online? is it really that difficult? I am asking this because I am not a coder.



It's possible the bug could be there on purpose, to allow the author to steal any deposits.

I've left a neutral feedback - can't leave negative if there was no guarantee the program would be bug free.

xetsr
Legendary
Activity: 1120
Merit: 1000
May 19, 2015, 03:22:07 AM
 #7

This script is known to have bugs and exploits. Johny deletes posts in his thread but they can be found elsewhere throughout the forum. A simple Google search would have led you to those threads and prevented this.

Why was the max win set so high? Next time set it much lower and you won't have to worry about 1 - 2 bets taking your entire balance. No solid evidence of cheating, could be luck but if they were to cheat it would have taken longer and you probably could have caught it with the lower max bet / max profit.

Quote
I heard many stories like this and many postings in Johny's thread were deleted. why could no one find the exploit in the script before going online? is it really that difficult? I am asking this because I am not a coder.

From what I've seen so far, most people running this script have little to no coding skills.
kopipe
Full Member
Activity: 245
Merit: 124
May 19, 2015, 03:46:07 AM
 #8

I'd be happy to audit his script for free. If you were scammed by it, please send me a copy in PM, since there is no way I am going to pay him for a copy.

I have plenty of experience with the technologies mentioned, PHP and MySQL, since my site 8ch.net uses both.

コピペ copypaste
Rmcdermott927
Legendary
Activity: 2254
Merit: 1140
May 19, 2015, 05:37:53 AM
 #9

Quote from: elm
I heard many stories like this and many postings in Johny's thread were deleted. why could no one find the exploit in the script before going online? is it really that difficult? I am asking this because I am not a coder.

Quote from: Vod
It's possible the bug could be there on purpose, to allow the author to steal any deposits.

I've left a neutral feedback - can't leave negative if there was no guarantee the program would be bug free.

VOD, it was not specifically stated that the program would be "bug free", however it was specifically stated that if a user lost money due to bugged code that he would pay up to the price of the script.    He refused to honor his guarantee until I posted a long post about my situation.   It seems he is doing that again to OP.   I am still out the entire price of the script, but whatever.   At least I got a little back.

Quickseller
Copper Member
Legendary
Activity: 2996
Merit: 2373
May 19, 2015, 05:58:28 AM
 #10

There have been a number of reports of various bugs in this script. Considering the amount of money being put into some bitcoin related casinos I am surprised that the script is not being looked at more closely prior to being put into production.

kopipe
Full Member
Activity: 245
Merit: 124
May 19, 2015, 06:30:16 AM
 #11

Someone graciously sent me a copy, so now I am doing my audit. If you're reading this Johnny, I have no intention of stealing from you, I have no interest in running a dice site or copying it further.

I've already found a big problem with the script.

Here is how the hashes and server seeds are being generated (the author is Polish):

Code:
function generateHash($delka_retezce,$capt=false) {
  if ($capt==true) $mozne_znaky='123456789ABCDEFGHIJKLMNPQRSTUVWXYZ';
  else $mozne_znaky='abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  $vystup='';
  for ($i=0;$i<$delka_retezce;$i++)  $vystup.=$mozne_znaky[mt_rand(0,strlen($mozne_znaky)-1)];
  return $vystup;
}

function generateServerSeed() {
  $rand_nr=mt_rand(0.01*100,99.99*100)/100;
  if (mt_rand(1,2)==2) $pre_rand=($rand_nr-0.01);
  else $pre_rand=($rand_nr+0.01);
  $str=generateHash(26).'-'.((double)(($pre_rand+0.001).mt_rand(1,99999999999999999999999999999)));
  return $str;
}

You can see that the main source of randomness is mt_rand. mt_rand is not cryptographically secure, according to PHP's own documentation!

Quote from: PHP docs
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.
Caution

The distribution of mt_rand() return values is biased towards even numbers on 64-bit builds of PHP when max is beyond 2^32. This is because if max is greater than the value returned by mt_getrandmax(), the output of the random number generator must be scaled up.

As you can see, max is 99999999999999999999999999999, far larger than 4294967296. The function generateServerSeed() also seems very fishy to me, why doesn't it just get cryptographically secure bytes? Why add/subtract 0.01 and 0.001?

Don't run/buy this script based on this alone. The hashing is NOT suitable for Bitcoin casinos which need cryptographically secure randomness.

コピペ copypaste
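
Added example (not part of kopipe's post and not code from the audited script): one way to replace the two functions quoted above with CSPRNG-backed versions, together with a seed commitment and a roll derivation that avoids modulo bias. It assumes PHP 7 or later for random_int() and random_bytes(); secureToken(), secureServerSeed(), seedCommitment(), deriveRoll() and verifyBet() are hypothetical names, and the HMAC-SHA256 roll construction is an assumption, not how the script computes rolls.

```php
<?php
declare(strict_types=1);

// Added example, not code from the audited script. Requires PHP 7+.

/** Random string over the same alphabets as the script's generateHash(). */
function secureToken(int $length, bool $captcha = false): string
{
    $alphabet = $captcha
        ? '123456789ABCDEFGHIJKLMNPQRSTUVWXYZ'
        : 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG and is uniform over [0, $max].
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** 256-bit server seed taken directly from the CSPRNG, hex-encoded. */
function secureServerSeed(): string
{
    return bin2hex(random_bytes(32));
}

/** Commitment published before the bet; the seed itself is revealed afterwards. */
function seedCommitment(string $serverSeed): string
{
    return hash('sha256', $serverSeed);
}

/**
 * Roll in 0.00..99.99 from server seed, client seed and nonce.
 * Assumed construction (HMAC-SHA256 plus rejection sampling), hypothetical helper.
 */
function deriveRoll(string $serverSeed, string $clientSeed, int $nonce): string
{
    $digest = hash_hmac('sha256', $clientSeed . ':' . $nonce, $serverSeed);
    // Walk the digest in 5-hex-digit chunks (0..1048575) and reject values
    // >= 1000000, so the modulo below maps uniformly onto 0..9999.
    for ($offset = 0; $offset + 5 <= strlen($digest); $offset += 5) {
        $value = hexdec(substr($digest, $offset, 5));
        if ($value < 1000000) {
            return number_format(($value % 10000) / 100, 2, '.', '');
        }
    }
    // All 12 chunks rejected (probability about 1e-16): fail closed.
    throw new RuntimeException('no usable chunk in digest');
}

/** Player-side check: revealed seed matches the commitment and reproduces the roll. */
function verifyBet(string $commitment, string $revealedSeed, string $clientSeed,
                   int $nonce, string $claimedRoll): bool
{
    return hash_equals($commitment, seedCommitment($revealedSeed))
        && hash_equals($claimedRoll, deriveRoll($revealedSeed, $clientSeed, $nonce));
}

// Constructed sample values for a stand-alone run.
$seed       = secureServerSeed();
$commitment = seedCommitment($seed);
$clientSeed = 'constructed-client-seed';
$roll       = deriveRoll($seed, $clientSeed, 1);

echo 'captcha token: ', secureToken(6, true), PHP_EOL;
echo 'commitment:    ', $commitment, PHP_EOL;
echo 'roll:          ', $roll, PHP_EOL;
// The honest reveal verifies; a different seed fails the commitment check.
var_dump(verifyBet($commitment, $seed, $clientSeed, 1, $roll));
var_dump(verifyBet($commitment, secureServerSeed(), $clientSeed, 1, $roll));
```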
BitcoinDistributor
Sr. Member
Activity: 350
Merit: 250
May 19, 2015, 07:44:15 AM
 #12

Quote from: kopipe
Someone graciously sent me a copy, so now I am doing my audit. If you're reading this Johnny, I have no intention of stealing from you, I have no interest in running a dice site or copying it further.

I've already found a big problem with the script.

Here is how the hashes and server seeds are being generated (the author is Polish):

Code:
function generateHash($delka_retezce,$capt=false) {
  if ($capt==true) $mozne_znaky='123456789ABCDEFGHIJKLMNPQRSTUVWXYZ';
  else $mozne_znaky='abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  $vystup='';
  for ($i=0;$i<$delka_retezce;$i++)  $vystup.=$mozne_znaky[mt_rand(0,strlen($mozne_znaky)-1)];
  return $vystup;
}

function generateServerSeed() {
  $rand_nr=mt_rand(0.01*100,99.99*100)/100;
  if (mt_rand(1,2)==2) $pre_rand=($rand_nr-0.01);
  else $pre_rand=($rand_nr+0.01);
  $str=generateHash(26).'-'.((double)(($pre_rand+0.001).mt_rand(1,99999999999999999999999999999)));
  return $str;
}

You can see that the main source of randomness is mt_rand. mt_rand is not cryptographically secure, according to PHP's own documentation!

Quote from: PHP docs
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.
Caution

The distribution of mt_rand() return values is biased towards even numbers on 64-bit builds of PHP when max is beyond 2^32. This is because if max is greater than the value returned by mt_getrandmax(), the output of the random number generator must be scaled up.

As you can see, max is 99999999999999999999999999999, far larger than 4294967296. The function generateServerSeed() also seems very fishy to me, why doesn't it just get cryptographically secure bytes? Why add/subtract 0.01 and 0.001?

Don't run/buy this script based on this alone. The hashing is NOT suitable for Bitcoin casinos which need cryptographically secure randomness.

Try to find the backdoor he installed. For many years people have said there is a backdoor which allows him to empty the owner's bank wallet and send it to a specified address within the code.

I'm a lover not a hater. I'm a scam buster misunderstood. However, this forum is full of haters which is why you see my trust. They can't handle my success so they try to stop me...BUT NO ONE STOPS MY SUCCESS! ....Find Quickseller annoying? Click the "ignore" button below his name! You're welcome!
coindicestand (OP)
Newbie
Activity: 15
Merit: 0
May 19, 2015, 10:17:03 AM
 #13

Hey guys! I see it's not only me who has the same problems. Thanks for your time! I can give this script out to reverse and fix all bugs in an audit, or give you access. Please, if you can help to stop this scam bullshit, don't stay away.
PM me if I can help with something. We should stop this together. Regards.
johny1976
Legendary
Activity: 1135
Merit: 1002
Developer
May 19, 2015, 11:38:46 AM
 #14

I said to him in a Skype conversation that we would give him everything he'd lost if he gave us any kind of proof (the Apache logs would be enough). He said that Apache by default has the logs off, which is a lie. I see something suspicious here.

We do have a compensation program for cases like this one. Sadly, no one gave us any proof that it was caused by our script. He was the one setting up the server so he could possibly do something wrong.

As I said, it could be the problem in our script, but there's no evidence for us to confirm that claim.
inBTCwetrust
Newbie
Activity: 5
Merit: 0
May 19, 2015, 01:43:05 PM
 #15

Quote from: johny1976
I said to him in a Skype conversation that we would give him everything he'd lost if he gave us any kind of proof (the Apache logs would be enough). He said that Apache by default has the logs off, which is a lie. I see something suspicious here.

We do have a compensation program for cases like this one. Sadly, no one gave us any proof that it was caused by our script. He was the one setting up the server so he could possibly do something wrong.

As I said, it could be the problem in our script, but there's no evidence for us to confirm that claim.

And what about my problem?

The exact same problem is here too, and the problem is not from the server. I secure my server very well and I know how to secure my server (I work as a server administrator).

Plus, what happened is not from the server side at all. It is an exploit in the script itself, since the hacker loads real BTC on the site and then bets with a (1%, 0.5%) win chance and succeeds on his first bet. It happened to me with 3 accounts; each was a newly registered account, and he just made a single bet with a bet chance of just (1%, 0.5%), won on his first roll, and ran with all the money from the site.

The first time I said he is a very lucky person, but after I saw that happen with 2 different accounts the same day I was completely sure that this is not luck.
coindicestand (OP)
Newbie
Activity: 15
Merit: 0
May 19, 2015, 02:00:30 PM
 #16


Quote from: inBTCwetrust
And what about my problem?

The exact same problem is here too, and the problem is not from the server. I secure my server very well and I know how to secure my server (I work as a server administrator).

Plus, what happened is not from the server side at all. It is an exploit in the script itself, since the hacker loads real BTC on the site and then bets with a (1%, 0.5%) win chance and succeeds on his first bet. It happened to me with 3 accounts; each was a newly registered account, and he just made a single bet with a bet chance of just (1%, 0.5%), won on his first roll, and ran with all the money from the site.

The first time I said he is a very lucky person, but after I saw that happen with 2 different accounts the same day I was completely sure that this is not luck.

Yes man, same game. Anyway it's cheating. It can't be 100% if the script is secured. We have the same problem. Try to find the statistics in the admin panel and you will see that maybe some blinds are lost, or see the same stats of players as I did. There can be an exploit or backdoor here; I'm not a coder, I don't know. But telling us that we all can't set up the script on a safe server is BULLSHIT, FAKE AND A LIE! I don't know what Apache is; I asked my admin to turn it on after the hack. I was hacked 2-3 hours after starting the dice. That's johny and his guys. I think it's time to ban this person. Or how can we get our money back?

Johny1976, I think there is no way to tell us that your script is fully secured! It's a lie. I think we will find good guys who fix the bugs and knock you out of this forum. I think it's not only 2 guys who were hacked. POPCORN, and see who comes here with the same problems with the same johny with the same script.

I can give a proof link to the admin panel to anyone who is competent in this question. I can pay some bits for reversing this dice to fix bugs and so on. After we do all that I think we can share this script or else. Nobody should be ripped off any more. What do you think, guys?
inBTCwetrust
Newbie
Activity: 5
Merit: 0
May 19, 2015, 02:26:13 PM
Last edit: May 19, 2015, 03:14:59 PM by inBTCwetrust
 #17


Quote from: inBTCwetrust
And what about my problem?

The exact same problem is here too, and the problem is not from the server. I secure my server very well and I know how to secure my server (I work as a server administrator).

Plus, what happened is not from the server side at all. It is an exploit in the script itself, since the hacker loads real BTC on the site and then bets with a (1%, 0.5%) win chance and succeeds on his first bet. It happened to me with 3 accounts; each was a newly registered account, and he just made a single bet with a bet chance of just (1%, 0.5%), won on his first roll, and ran with all the money from the site.

The first time I said he is a very lucky person, but after I saw that happen with 2 different accounts the same day I was completely sure that this is not luck.

Quote from: coindicestand
Yes man, same game. Anyway it's cheating. It can't be 100% if the script is secured. We have the same problem. Try to find the statistics in the admin panel and you will see that maybe some blinds are lost, or see the same stats of players as I did. There can be an exploit or backdoor here; I'm not a coder, I don't know. But telling us that we all can't set up the script on a safe server is BULLSHIT, FAKE AND A LIE! I don't know what Apache is; I asked my admin to turn it on after the hack. I was hacked 2-3 hours after starting the dice. That's johny and his guys. I think it's time to ban this person. Or how can we get our money back?

Johny1976, I think there is no way to tell us that your script is fully secured! It's a lie. I think we will find good guys who fix the bugs and knock you out of this forum. I think it's not only 2 guys who were hacked. POPCORN, and see who comes here with the same problems with the same johny with the same script.

I can give a proof link to the admin panel to anyone who is competent in this question. I can pay some bits for reversing this dice to fix bugs and so on. After we do all that I think we can share this script or else. Nobody should be ripped off any more. What do you think, guys?

I think we should wait for him to fix this problem, but first he has to confess that he has a problem in his script. We all know that nothing is 100% secure. He has to fix the problem, because keeping such a problem in the wild is not good for him or for the buyers.
coindicestand (OP)
Newbie
Activity: 15
Merit: 0
May 19, 2015, 06:39:03 PM
 #18

It's OK, but you say you are a good server administrator. How can you see cheating in gameplay in your Apache log? I'm not good at this, but I think there will be no hack activity in Apache. We will know everything when we reverse the script. Soon.
SebastianJu
Legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
May 20, 2015, 02:58:56 PM
 #19

You are all new members. I don't see how the problem can be proven except there is an error in the code that makes the outcome of the bets guessable or a real backdoor. So that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didn't change the code themselves? That they are all new users doesn't make it easier.

I'm not blaming, I only point out a problem.

Are there other casino owners that run their script without problems? It would be strange when such an exploit would be used only by 2 out of 100 casinos or so...

Please ALWAYS contact me through bitcointalk pm before sending someone coins.
BitcoinDistributor
Sr. Member
Activity: 350
Merit: 250
May 20, 2015, 10:06:13 PM
 #20

Quote from: SebastianJu
You are all new members. I don't see how the problem can be proven except there is an error in the code that makes the outcome of the bets guessable or a real backdoor. So that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didn't change the code themselves? That they are all new users doesn't make it easier.

I'm not blaming, I only point out a problem.

Are there other casino owners that run their script without problems? It would be strange when such an exploit would be used only by 2 out of 100 casinos or so...

In all seriousness, new or old doesn't really matter anymore. Could take $50 and buy myself a two year senior account if I wanted.
