Topic: Coindice,Johny1976 Scam. Sell script with bugs. - page 2. (Read 4611 times)

elm
legendary
Activity: 1050
Merit: 1000
When there are so many people complaining about the script, I wonder why someone just doesn't post the whole code of the latest script in public so that everyone can take a look at it and find existing bugs / backdoors. I'm a coder and security analyst myself, but not interested in running a dice site - still I would love to see if there are some bugs in the script that were put in there on purpose.

So maybe some script owner can give you the script for review. But to see that you jump in with your 1st post
doesn't smell that good either, IMO; no offense intended.
newbie
Activity: 2
Merit: 0
When there are so many people complaining about the script, I wonder why someone just doesn't post the whole code of the latest script in public so that everyone can take a look at it and find existing bugs / backdoors. I'm a coder and security analyst myself, but not interested in running a dice site - still I would love to see if there are some bugs in the script that were put in there on purpose.
elm
legendary
Activity: 1050
Merit: 1000
Just for info: Johny deleted 5 postings of mine today. I didn't offend him at all, I just asked some questions.

elm
legendary
Activity: 1050
Merit: 1000


In the end... if those risks have been mentioned for years, then there might be something true about it. As long as no careful code review is done... including database entries.

So who could do a careful code review?

I don't know, since normally you need to KNOW the risky code parts. And that's something the average code developer doesn't know in detail.

Another thought I got is... didn't OP mention that the max profit he set was a big part of the house? There's a reason why dooglus even set the max profit down from 1% to 0.5% on justdice. The reason was that someone was able to win a big part of the house with 1%. That's why you normally use the Kelly criterion. And the Kelly criterion says 1% is the best value for best profit. If you raise that value, then the chance rises exponentially that you will lose big parts of the house, or all of it. The reason is that it's very hard to win back something lost if your house is, let's say, halved already.

That's mathematics. And maybe the script seller should point that out more aggressively.

Though that's only another thought as a possible problem.

Agree with you, but the seller is very quiet until now.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile


In the end... if those risks have been mentioned for years, then there might be something true about it. As long as no careful code review is done... including database entries.

So who could do a careful code review?

I don't know, since normally you need to KNOW the risky code parts. And that's something the average code developer doesn't know in detail.

Another thought I got is... didn't OP mention that the max profit he set was a big part of the house? There's a reason why dooglus even set the max profit down from 1% to 0.5% on justdice. The reason was that someone was able to win a big part of the house with 1%. That's why you normally use the Kelly criterion. And the Kelly criterion says 1% is the best value for best profit. If you raise that value, then the chance rises exponentially that you will lose big parts of the house, or all of it. The reason is that it's very hard to win back something lost if your house is, let's say, halved already.

That's mathematics. And maybe the script seller should point that out more aggressively.

Though that's only another thought as a possible problem.
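Added here as a worked derivation, not part of the post above: why the Kelly argument gives 1% of the bankroll as the max profit per bet when the house edge is 1%. Assumed notation: bankroll $B$, house edge $e$, player win probability $p$, payout multiplier $m$, wager $w$.

A dice site pays $m = (1-e)/p$ on a win, so a wager $w$ can return a player profit of $P = w(m-1)$. From the house's side each bet is a stake of $P$ (lost with probability $p$) to win $w$ (with probability $1-p$), i.e. net odds $b = w/P = 1/(m-1)$. Kelly's optimal fraction of the bankroll to risk is

$$f^* = (1-p) - \frac{p}{b} = (1-p) - p(m-1) = 1 - pm = 1 - (1-e) = e.$$

So the max profit per bet should be capped at $f^* B = eB$: 1% of the bankroll for a 1% edge, whatever win chance the player picks. A cap above $e$ over-bets the house's own bankroll, and recovery gets harder the deeper the drawdown: a bankroll cut to $B/2$ needs a 100% gain just to get back to $B$. Halving the cap to 0.5% is the usual half-Kelly compromise, trading some growth for a much smaller chance of deep drawdowns.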
elm
legendary
Activity: 1050
Merit: 1000


In the end... if those risks have been mentioned for years, then there might be something true about it. As long as no careful code review is done... including database entries.

So who could do a careful code review?
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
You are all new members. I don't see how the problem can be proven, except if there is an error in the code that makes the outcome of the bets guessable, or a real backdoor, so that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didn't change the code themselves? That they are all new users doesn't make it easier.

I'm not blaming, I only point out a problem.

Are there other casino owners that run their script without problems? It would be strange if such an exploit were used only by 2 out of 100 casinos or so...
In all seriousness, new or old doesn't really matter anymore. Could take $50 and buy myself a two-year senior account if I wanted.

That's right... though theoretically it would be way easier to create a number of newbie accounts and tell a story about multiple scripts acting strange.

Though again... I don't accuse, I only point out that it's hard to prove. And I wonder, how many scripts were sold, and how many script wallets, out of those, were emptied?

In the end... if those risks have been mentioned for years, then there might be something true about it. As long as no careful code review is done... including database entries.
legendary
Activity: 2464
Merit: 3158
I bought a dice website which was using CoinDice. Since I was not the original script buyer, I didn't get any updates, and Johny never replied to my PM when I contacted him to look for a solution.
However, I asked a dev to audit the code before I put it in production. He said it was OK to run it, and that there was no backdoor.

Sure, there was no backdoor.
About 2 months later, someone found an exploit and managed to empty my hot wallets. Again, this was not a backdoor made on purpose.

What happened is that the hacker found a way to repeat some operations.
At the beginning, he repeated bets. [Screenshot] (see how the bet ID got reversed but the roll outcome is the same for all the bets... Disturbing, isn't it?)
But then the exploiter managed to repeat withdrawals and made them happen several times in my wallet, while the script shows it processed them only once.

I have read a lot of threads about CoinDice being easily exploited. Overall, it seems poorly secured.
Because Johny didn't care at all about my messages, I won't buy, host or support a CoinDice script ever.

Buyers beware.
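As an added example (not code from the CoinDice script or from the poster above): one common cause of the symptom described, a withdrawal the script records once but the wallet pays several times, is a handler that checks the balance in PHP, sends the coins, and only then updates the row, so two copies of the same request both pass the check. The handler below makes the debit atomic and each request idempotent; the table and column names are assumptions.

```php
<?php
// Added example, not the CoinDice script's code. Assumed schema:
//   users(id, balance)                                   -- balance in satoshi
//   withdrawals(id, user_id, request_id UNIQUE, amount, address, state)
declare(strict_types=1);

function requestWithdrawal(PDO $db, int $userId, string $requestId,
                           int $amountSat, string $address): bool {
    if ($amountSat <= 0) {
        return false;
    }
    $db->beginTransaction();
    try {
        // 1. Idempotency: the client attaches a unique request_id to each
        //    withdrawal. The UNIQUE index makes a replayed or double-submitted
        //    request fail at INSERT, so it can never be debited or paid twice.
        $ins = $db->prepare(
            'INSERT INTO withdrawals (user_id, request_id, amount, address, state)
             VALUES (:uid, :rid, :amt, :addr, :state)'
        );
        $ins->execute([
            ':uid' => $userId, ':rid' => $requestId, ':amt' => $amountSat,
            ':addr' => $address, ':state' => 'pending',
        ]);

        // 2. Atomic conditional debit: the check and the update are one SQL
        //    statement, so two concurrent requests cannot both pass a
        //    "balance >= amount" test that was done in PHP before the UPDATE.
        $upd = $db->prepare(
            'UPDATE users SET balance = balance - :amt1
             WHERE id = :uid AND balance >= :amt2'
        );
        $upd->execute([':amt1' => $amountSat, ':uid' => $userId, ':amt2' => $amountSat]);
        if ($upd->rowCount() !== 1) {
            $db->rollBack();          // insufficient funds (or unknown user)
            return false;
        }
        $db->commit();
    } catch (PDOException $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        return false;                 // duplicate request_id or database error
    }
    // 3. Only committed 'pending' rows are picked up by a separate payout
    //    worker, which marks each row 'sent' with its txid; the HTTP handler
    //    itself never talks to the wallet.
    return true;
}
```

The same two ingredients (a unique key per operation plus a single conditional UPDATE) apply to bet placement, where a replayed request must likewise fail instead of being rolled again.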
legendary
Activity: 1330
Merit: 1000
You are all new members. I don't see how the problem can be proven, except if there is an error in the code that makes the outcome of the bets guessable, or a real backdoor, so that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didn't change the code themselves? That they are all new users doesn't make it easier.

I'm not blaming, I only point out a problem.

Are there other casino owners that run their script without problems? It would be strange if such an exploit were used only by 2 out of 100 casinos or so...

All those that I have talked to, including me, have had problems with the script.  I bought all versions and have just abandoned them all.

All updates are the same versions with 1-2 extra lines of code.  Multiple devs were reached to make modifications, and most of them said that it was unworkable and that it was much easier to start from scratch.

However I can say that I never ran into a backdoor in my versions (there's a lot of counterfeits that actually do include backdoors).
sr. member
Activity: 350
Merit: 250
You are all new members. I don't see how the problem can be proven, except if there is an error in the code that makes the outcome of the bets guessable, or a real backdoor, so that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didn't change the code themselves? That they are all new users doesn't make it easier.

I'm not blaming, I only point out a problem.

Are there other casino owners that run their script without problems? It would be strange if such an exploit were used only by 2 out of 100 casinos or so...
In all seriousness, new or old doesn't really matter anymore. Could take $50 and buy myself a two-year senior account if I wanted.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
You are all new members. I don't see how the problem can be proven, except if there is an error in the code that makes the outcome of the bets guessable, or a real backdoor, so that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didn't change the code themselves? That they are all new users doesn't make it easier.

I'm not blaming, I only point out a problem.

Are there other casino owners that run their script without problems? It would be strange if such an exploit were used only by 2 out of 100 casinos or so...
newbie
Activity: 15
Merit: 0
It's ok, but you say you're a good server administrator. How can you see cheating in gameplay in your Apache log? I'm not good at this, but I think there will be no hack activity in Apache. We will know everything when we reverse the script. Soon.
newbie
Activity: 5
Merit: 0

And what about my problem?

The exact same problem is here too, and the problem is not from the server. I secure my server very well and I know how to secure my server (I work as a server administrator).

Plus, the strategy that happened is not from the server side at all; it is an exploit on the script itself, since the hacker loaded real BTC on the site and then bet with (1%, 0.5%) win chance and succeeded from his first bet. It happened to me with 3 accounts, each a newly registered account, and he just did a single bet with a bet chance of just (1%, 0.5%) and won from his first roll and ran with all the money from the site.

The first time I thought he was a very lucky person, but then after I saw that happen with 2 different accounts the same day, I was completely sure that this was not luck.

Yes man, same game. Anyway it's cheating. It can't be 100% if the script is secured. We have the same problem. Try to find statistics in the admin panel and you'll see maybe some blinds are lost... or see the same stats of players like me. Here there can be an exploit or backdoor; I'm not a coder, I don't know. But telling US that we all can't set up the script on a safe server is a BULLSHIT FAKE AND LIE! I don't know what Apache is; I asked my admin to turn it on after the hack. I was hacked 2-3 hours after starting the dice. That's Johny and his guys. I think it's time to ban this person. Or how can we get our money back?

Johny1976, I think there is no way to tell us that your script is fully secured! It's a lie. I think we'll find good guys who fix bugs and knock you out of this forum. I think it's not only 2 guys who were hacked. POPCORN, and see who comes here with the same problems with the same Johny with the same script.



I can get a proof link to the admin panel for anyone who is competent in this question.  I can pay some bits for reversing this dice to fix bugs and so on. After we do all that, I think we can share this script or else. Nobody should be ripped off more. What do you think guys?

I think we should wait for him to fix this problem, but first he has to confess that he has a problem in his script. We all know that nothing is 100% secure; he has to fix the problem, because keeping such a problem in the wild is not good for him or for the buyers.
newbie
Activity: 15
Merit: 0

And what about my problem?

The exact same problem is here too, and the problem is not from the server. I secure my server very well and I know how to secure my server (I work as a server administrator).

Plus, the strategy that happened is not from the server side at all; it is an exploit on the script itself, since the hacker loaded real BTC on the site and then bet with (1%, 0.5%) win chance and succeeded from his first bet. It happened to me with 3 accounts, each a newly registered account, and he just did a single bet with a bet chance of just (1%, 0.5%) and won from his first roll and ran with all the money from the site.

The first time I thought he was a very lucky person, but then after I saw that happen with 2 different accounts the same day, I was completely sure that this was not luck.

Yes man, same game. Anyway it's cheating. It can't be 100% if the script is secured. We have the same problem. Try to find statistics in the admin panel and you'll see maybe some blinds are lost... or see the same stats of players like me. Here there can be an exploit or backdoor; I'm not a coder, I don't know. But telling US that we all can't set up the script on a safe server is a BULLSHIT FAKE AND LIE! I don't know what Apache is; I asked my admin to turn it on after the hack. I was hacked 2-3 hours after starting the dice. That's Johny and his guys. I think it's time to ban this person. Or how can we get our money back?

Johny1976, I think there is no way to tell us that your script is fully secured! It's a lie. I think we'll find good guys who fix bugs and knock you out of this forum. I think it's not only 2 guys who were hacked. POPCORN, and see who comes here with the same problems with the same Johny with the same script.



I can get a proof link to the admin panel for anyone who is competent in this question.  I can pay some bits for reversing this dice to fix bugs and so on. After we do all that, I think we can share this script or else. Nobody should be ripped off more. What do you think guys?
newbie
Activity: 5
Merit: 0
I said to him in a Skype conversation that we would give him everything he'd lost if he gave us any kind of proof (the Apache logs would be enough). He said that Apache by default has the logs off, which is a lie. I see something suspicious here.

We do have a compensation program for cases like this one. Sadly, no one gave us any proof that it was caused by our script. He was the one setting up the server, so he could possibly have done something wrong.

As I said, it could be the problem in our script, but there's no evidence for us to confirm that claim.
And what about my problem?

The exact same problem is here too, and the problem is not from the server. I secure my server very well and I know how to secure my server (I work as a server administrator).

Plus, the strategy that happened is not from the server side at all; it is an exploit on the script itself, since the hacker loaded real BTC on the site and then bet with (1%, 0.5%) win chance and succeeded from his first bet. It happened to me with 3 accounts, each a newly registered account, and he just did a single bet with a bet chance of just (1%, 0.5%) and won from his first roll and ran with all the money from the site.

The first time I thought he was a very lucky person, but then after I saw that happen with 2 different accounts the same day, I was completely sure that this was not luck.
legendary
Activity: 1135
Merit: 1002
Developer
I said to him in a Skype conversation that we would give him everything he'd lost if he gave us any kind of proof (the Apache logs would be enough). He said that Apache by default has the logs off, which is a lie. I see something suspicious here.

We do have a compensation program for cases like this one. Sadly, no one gave us any proof that it was caused by our script. He was the one setting up the server, so he could possibly have done something wrong.

As I said, it could be the problem in our script, but there's no evidence for us to confirm that claim.
newbie
Activity: 15
Merit: 0
Hey guys! I see that not only I have the same problems. Thanks for your time! I can give this script to be reversed and have all bugs fixed in an audit, or give you access. Please, if you can help to stop this scam bullshit, don't stay away.
PM me if I can help with something. We should stop this together. Regards.
sr. member
Activity: 350
Merit: 250
Someone graciously sent me a copy, so now I am doing my audit. If you're reading this Johnny, I have no intention of stealing from you, I have no interest in running a dice site or copying it further.

I've already found a big problem with the script.

Here is how the hashes and server seeds are being generated (the author is Polish):

Code:
// Builds a token of $delka_retezce (string length) characters drawn from
// $mozne_znaky (allowed characters), one mt_rand() call per character.
function generateHash($delka_retezce,$capt=false) {
  if ($capt==true) $mozne_znaky='123456789ABCDEFGHIJKLMNPQRSTUVWXYZ';   // reduced alphabet, no 0/O
  else $mozne_znaky='abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  $vystup='';   // output string
  for ($i=0;$i<$delka_retezce;$i++)  $vystup.=$mozne_znaky[mt_rand(0,strlen($mozne_znaky)-1)];
  return $vystup;
}

// Server seed: a 26-character mt_rand() token, '-', and a number built from
// three more mt_rand() calls and float arithmetic.
function generateServerSeed() {
  $rand_nr=mt_rand(0.01*100,99.99*100)/100;              // 0.01 .. 99.99 in steps of 0.01
  if (mt_rand(1,2)==2) $pre_rand=($rand_nr-0.01);        // coin flip: nudge down or up by 0.01
  else $pre_rand=($rand_nr+0.01);
  // string-concatenates ($pre_rand+0.001) with an mt_rand() whose max is far above
  // mt_getrandmax(), then casts the whole string back to a double
  $str=generateHash(26).'-'.((double)(($pre_rand+0.001).mt_rand(1,99999999999999999999999999999)));
  return $str;
}

You can see that the main source of randomness is mt_rand. mt_rand is not cryptographically secure, according to PHP's own documentation!

Quote from: PHP docs
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.
Caution

The distribution of mt_rand() return values is biased towards even numbers on 64-bit builds of PHP when max is beyond 2^32. This is because if max is greater than the value returned by mt_getrandmax(), the output of the random number generator must be scaled up.

As you can see, max is 99999999999999999999999999999, far larger than 4294967296. The function generateServerSeed() also seems very fishy to me, why doesn't it just get cryptographically secure bytes? Why add/subtract 0.01 and 0.001?

Don't run/buy this script based on this alone. The hashing is NOT suitable for Bitcoin casinos which need cryptographically secure randomness.
Try to find the backdoor he installed. For many years people have said there is a backdoor which allows him to empty the owner's bank wallet and send it to a specified address within the code.
full member
Activity: 245
Merit: 124
Someone graciously sent me a copy, so now I am doing my audit. If you're reading this Johnny, I have no intention of stealing from you, I have no interest in running a dice site or copying it further.

I've already found a big problem with the script.

Here is how the hashes and server seeds are being generated (the author is Polish):

Code:
// Builds a token of $delka_retezce (string length) characters drawn from
// $mozne_znaky (allowed characters), one mt_rand() call per character.
function generateHash($delka_retezce,$capt=false) {
  if ($capt==true) $mozne_znaky='123456789ABCDEFGHIJKLMNPQRSTUVWXYZ';   // reduced alphabet, no 0/O
  else $mozne_znaky='abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  $vystup='';   // output string
  for ($i=0;$i<$delka_retezce;$i++)  $vystup.=$mozne_znaky[mt_rand(0,strlen($mozne_znaky)-1)];
  return $vystup;
}

// Server seed: a 26-character mt_rand() token, '-', and a number built from
// three more mt_rand() calls and float arithmetic.
function generateServerSeed() {
  $rand_nr=mt_rand(0.01*100,99.99*100)/100;              // 0.01 .. 99.99 in steps of 0.01
  if (mt_rand(1,2)==2) $pre_rand=($rand_nr-0.01);        // coin flip: nudge down or up by 0.01
  else $pre_rand=($rand_nr+0.01);
  // string-concatenates ($pre_rand+0.001) with an mt_rand() whose max is far above
  // mt_getrandmax(), then casts the whole string back to a double
  $str=generateHash(26).'-'.((double)(($pre_rand+0.001).mt_rand(1,99999999999999999999999999999)));
  return $str;
}

You can see that the main source of randomness is mt_rand. mt_rand is not cryptographically secure, according to PHP's own documentation!

Quote from: PHP docs
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.
Caution

The distribution of mt_rand() return values is biased towards even numbers on 64-bit builds of PHP when max is beyond 2^32. This is because if max is greater than the value returned by mt_getrandmax(), the output of the random number generator must be scaled up.

As you can see, max is 99999999999999999999999999999, far larger than 4294967296. The function generateServerSeed() also seems very fishy to me, why doesn't it just get cryptographically secure bytes? Why add/subtract 0.01 and 0.001?

Don't run/buy this script based on this alone. The hashing is NOT suitable for Bitcoin casinos which need cryptographically secure randomness.
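Added example, not code from the script or from the audit above: the same two functions rebuilt on PHP's CSPRNG (random_bytes()/random_int(), PHP 7+), together with the SHA-256 commitment a provably-fair dice site publishes before any bet is placed. The function names and the 32-byte seed size are my choices.

```php
<?php
// Added example, not the CoinDice script's code. Requires PHP 7+.
declare(strict_types=1);

// 32 bytes from the OS CSPRNG, hex-encoded: 256 bits of entropy, no mt_rand(),
// no float arithmetic, no range larger than the generator can actually produce.
function generateServerSeedSecure(): string {
    return bin2hex(random_bytes(32));
}

// What the player sees before betting: only the hash of the seed. The seed
// itself is revealed when the seed pair is retired, so past rolls can be checked.
function commitServerSeed(string $serverSeed): string {
    return hash('sha256', $serverSeed);
}

// The check a player runs afterwards against the hash that was published.
function verifyCommitment(string $serverSeed, string $publishedHash): bool {
    return hash_equals($publishedHash, hash('sha256', $serverSeed));
}

// Replacement for generateHash(): random_int() is unbiased and CSPRNG-backed,
// so the same alphabet-indexing loop becomes safe.
function generateTokenSecure(
    int $length,
    string $alphabet = 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'
): string {
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Lifecycle of one seed pair: commit first, reveal and verify later.
$seed   = generateServerSeedSecure();
$commit = commitServerSeed($seed);
echo "publish before bets : $commit\n";
echo "reveal after rotate : $seed\n";
echo "player verification : " . (verifyCommitment($seed, $commit) ? 'ok' : 'MISMATCH') . "\n";
echo "token               : " . generateTokenSecure(26) . "\n";
```

On PHP 5.x, where random_bytes() does not exist, openssl_random_pseudo_bytes() (the function the quoted PHP docs point to) is the fallback, checked via its $crypto_strong out-parameter.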
copper member
Activity: 2996
Merit: 2374
There have been a number of reports of various bugs in this script. Considering the amount of money being put into some bitcoin related casinos I am surprised that the script is not being looked at more closely prior to being put into production.