Alex Beckenham (OP)
July 05, 2011, 02:00:29 PM

Hi everyone, I've finally got a new game online... please check it out.

Basically, you try to guess the combination to the safe and if you open it, you win 7 times your bet (Min/Max bet is 0.01/1.00 BTC).

Each game is 100% verifiable (The combination to the safe is chosen before you play, and an MD5 displayed).

Thanks, Alex

Alex Beckenham (OP)
July 06, 2011, 12:29:55 AM

Sorry, I just realised this should be in the Gambling sub-forum...

Alex Beckenham (OP)
July 06, 2011, 01:36:10 AM

> So then move it there.

I didn't know I could. I thought only mods could do that.

Edit: Wow, learned something new, thanks.

Hyperwyrm
July 06, 2011, 04:01:28 AM

"Nothing to withdraw" but I have 0.07BTC balance and 13 confirmations on the deposit? (Yeah I didn't bet much)

Alex Beckenham (OP)
July 06, 2011, 06:37:54 AM

> "Nothing to withdraw" but I have 0.07BTC balance and 13 confirmations on the deposit? (Yeah I didn't bet much)

Sorry, just a redirect bug, it should be taking you to Bitcoin Balance. I see your balance of 0.07... You can withdraw if you log in directly to: http://bitcoinbalance.com

Alex Beckenham (OP)
July 06, 2011, 03:20:44 PM (Last edit: July 06, 2011, 04:13:00 PM by Alex Beckenham)

Someone just won THREE times in a row with exactly the same guess:

bet 0.97 on Left-Left-Left, won 6.79 btc
bet 1.00 on Left-Left-Left, won 7.00 btc
bet 1.00 on Left-Left-Left, won 7.00 btc

Looks pretty suspicious, so withdrawals are disabled until I figure out how this was hacked or if it just was an extremely lucky run.

(Player withdrew 11.78 so far, with 7.01 still in the site balance)

Alex Beckenham (OP)
July 06, 2011, 03:37:12 PM

I'm a retard, I forgot to switch to random.org after testing:

//get a random number for next game:
/*$ch = curl_init('http://www.random.org/integers/?num=1&min=1&max=8&col=1&base=10&format=plain&rnd=new');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$randnum = trim(curl_exec($ch));*/
$randnum=rand(1,8); //temp

But that still doesn't explain to me how they could know rand() was going to return three 1's in a row.

dan_a
July 06, 2011, 03:41:43 PM

> I'm a retard, I forgot to switch to random.org after testing:
>
> //get a random number for next game:
> /*$ch = curl_init('http://www.random.org/integers/?num=1&min=1&max=8&col=1&base=10&format=plain&rnd=new');
> curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
> $randnum = trim(curl_exec($ch));*/
> $randnum=rand(1,8); //temp
>
> But that still doesn't explain to me how they could know rand() was going to return three 1's in a row.

I might be being dumb here (I'm not logged on and don't have anything deposited,) but the MD5 on the page doesn't change when you refresh the page. That suggests that the same combination is coming up every time.

Alex Beckenham (OP)
July 06, 2011, 03:44:54 PM

> > I'm a retard, I forgot to switch to random.org after testing:
> >
> > //get a random number for next game:
> > /*$ch = curl_init('http://www.random.org/integers/?num=1&min=1&max=8&col=1&base=10&format=plain&rnd=new');
> > curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
> > $randnum = trim(curl_exec($ch));*/
> > $randnum=rand(1,8); //temp
> >
> > But that still doesn't explain to me how they could know rand() was going to return three 1's in a row.
>
> I might be being dumb here (I'm not logged on and don't have anything deposited,) but the MD5 on the page doesn't change when you refresh the page. That suggests that the same combination is coming up every time.

That's only if you don't play... as soon as you play a game, it changes. (Well, it's supposed to... that's something worth checking - thanks)

dan_a
July 06, 2011, 03:49:29 PM

Oh, I think I might be able to see how this worked... Are you outputting something along the lines of md5sum("Left-Left-Right")? If so, it's a simple dictionary attack... the gambler computes the 15 possible different MD5sums in advance and then compares them to what displays.

Alex Beckenham (OP)
July 06, 2011, 03:50:47 PM (Last edit: July 06, 2011, 04:08:51 PM by Alex Beckenham)

Hmm, there was an error causing it to use the same combo on certain occasions after a win.

Thanks Dan, I've sent you 1 btc 3 btc, that was very helpful.

Edit: Okay it's all fixed and back online, btcriches.com and bitcoinbalance.com.

Jeez that was an expensive coding error on my part.
Glad the site wasn't exactly 'hacked' though.
I just paid a heavy typo-tax.

Alex Beckenham (OP)
July 06, 2011, 04:19:53 PM

> Oh, I think I might be able to see how this worked... Are you outputting something along the lines of md5sum("Left-Left-Right")? If so, it's a simple dictionary attack... the gambler computes the 15 possible different MD5sums in advance and then compares them to what displays.

(Accidentally edited away my previous answer to this)

It's not just left-left-right, but it also had a whole heap of random characters after that, and then hashes that total string. Also, there are only 8 possible combos, not 15.

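Added example, not code from this thread or from the site: a per-game commitment that mixes the combination with a fresh random nonce, draws both from the OS CSPRNG rather than rand(), and refuses to offer the same committed round twice (the reuse bug found above). SHA-256 stands in for the MD5 the site displayed; the function names, the `combo:nonce` layout and the eight Left/Right combination strings are assumptions.

```php
<?php
// Added illustration; every name here is hypothetical, not the site's code.
// Assumed: the 8 combinations are three Left/Right turns.
const COMBOS = [
    'Left-Left-Left', 'Left-Left-Right', 'Left-Right-Left', 'Left-Right-Right',
    'Right-Left-Left', 'Right-Left-Right', 'Right-Right-Left', 'Right-Right-Right',
];

// Operator: draw a fresh combination and nonce for exactly one game.
function new_round(): array {
    $combo  = COMBOS[random_int(0, count(COMBOS) - 1)]; // CSPRNG, unlike rand()
    $nonce  = bin2hex(random_bytes(16));                // 128 random bits
    $secret = $combo . ':' . $nonce;                    // assumed layout
    return ['secret' => $secret, 'commitment' => hash('sha256', $secret)];
}

// Player: after the reveal, check it against the hash shown before the bet.
function verify_reveal(string $commitment, string $secret): bool {
    return hash_equals($commitment, hash('sha256', $secret));
}

// Self-test: true if the hash is of a bare combination (no nonce mixed in),
// which anyone can match against the 8 precomputed values.
function is_guessable(string $commitment, string $algo = 'sha256'): bool {
    foreach (COMBOS as $combo) {
        if (hash_equals(hash($algo, $combo), $commitment)) {
            return true;
        }
    }
    return false;
}

// Regression guard for the bug in this thread: never offer a round twice.
function assert_fresh(string $commitment, array &$used): void {
    if (isset($used[$commitment])) {
        throw new RuntimeException('commitment reused; draw a new round');
    }
    $used[$commitment] = true;
}

$used  = [];
$round = new_round();
assert_fresh($round['commitment'], $used);
var_dump(verify_reveal($round['commitment'], $round['secret']));
var_dump(is_guessable($round['commitment']));          // salted commitment
var_dump(is_guessable(md5('Left-Left-Left'), 'md5'));  // bare, unsalted hash
try {
    assert_fresh($round['commitment'], $used);         // same round offered again
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

In a real deployment the `$used` set would live in the same database transaction that settles the bet, so a round is marked spent before the next commitment is displayed.
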
SmokeAndMirrors
July 06, 2011, 11:32:30 PM

> > Oh, I think I might be able to see how this worked... Are you outputting something along the lines of md5sum("Left-Left-Right")? If so, it's a simple dictionary attack... the gambler computes the 15 possible different MD5sums in advance and then compares them to what displays.
>
> It's not just left-left-right, but it also had a whole heap of random characters after that, and then hashes that total string.

This was the first thing I looked into.

tito13kfm
July 07, 2011, 01:00:43 AM

I'm not able to bet. I deposited 1BTC to 1FUYFiPw9zDJZ3iiawrPfehmmBtfSJMNYD, it shows up in my balance, but I put .1 in the box, put in my guess, and click Open and it just refreshes the page. Never attempts to open the safe, and never shows an outcome.

Edit: I just put in to withdrawal my 1BTC back out until the bugs are ironed out.

Alex Beckenham (OP)
July 07, 2011, 02:27:46 AM

> I'm not able to bet. I deposited 1BTC to 1FUYFiPw9zDJZ3iiawrPfehmmBtfSJMNYD, it shows up in my balance, but I put .1 in the box, put in my guess, and click Open and it just refreshes the page. Never attempts to open the safe, and never shows an outcome.
>
> Edit: I just put in to withdrawal my 1BTC back out until the bugs are ironed out.

I just tried exactly that and it worked. Can you tell me what browser you're using, and what time you attempted it? Thank you.

tito13kfm
July 07, 2011, 02:40:01 AM

> > I'm not able to bet. I deposited 1BTC to 1FUYFiPw9zDJZ3iiawrPfehmmBtfSJMNYD, it shows up in my balance, but I put .1 in the box, put in my guess, and click Open and it just refreshes the page. Never attempts to open the safe, and never shows an outcome.
> >
> > Edit: I just put in to withdrawal my 1BTC back out until the bugs are ironed out.
>
> I just tried exactly that and it worked. Can you tell me what browser you're using, and what time you attempted it? Thank you.

I tried with both Firefox 5.0 and ie9.
Time was a minute or two before my last post.

Alex Beckenham (OP)
July 07, 2011, 02:57:16 AM

> > > I'm not able to bet. I deposited 1BTC to 1FUYFiPw9zDJZ3iiawrPfehmmBtfSJMNYD, it shows up in my balance, but I put .1 in the box, put in my guess, and click Open and it just refreshes the page. Never attempts to open the safe, and never shows an outcome.
> > >
> > > Edit: I just put in to withdrawal my 1BTC back out until the bugs are ironed out.
> >
> > I just tried exactly that and it worked. Can you tell me what browser you're using, and what time you attempted it? Thank you.
>
> I tried with both Firefox 5.0 and ie9.
> Time was a minute or two before my last post.

Thanks, I can confirm it's not working in FF5 for me either, only Chrome for some reason.

Alex Beckenham (OP)
July 07, 2011, 03:02:44 AM

Okay, found it. It seems FF doesn't send the value of an image input, whereas Chrome does:

<input type="image" name="open" value="1"

$_POST['open'] is 1 in Chrome and NULL in Firefox. Fixed it now by using another hidden var.

TheBitMan
July 11, 2011, 03:39:28 PM

> Okay, found it. It seems FF doesn't send the value of an image input, whereas Chrome does:
>
> <input type="image" name="open" value="1"
>
> $_POST['open'] is 1 in Chrome and NULL in Firefox. Fixed it now by using another hidden var.

Are you the owner of bitcoinbalance.com?? I need to ask you something.