Reversing Pokerstars online poker client (I hope they aren’t from Vegas !!!)

Today I bring you something from the old projects trunk. Like many other millions of people I enjoy playing online Texas Hold’em Poker. I started with Pokerstars three years ago, and after a while, diabolical ideas came to my head about reversing the client to have a peek into their communication protocol (what else were you expecting? I love to break things!).

The project was on hold for a long time (started when Windows was my daily OS). Today, I had a smile when I saw an article about reversing pokerstars protocol. It’s entitled Reversing The Pokerstars Protocol, Part 1: Compression and transport basics. The author already implemented the MITM proxy, the step where I stopped. I did had a peek at the communications protocol since it’s pretty easy to hijack the code before it’s crypted and after it’s decrypted (Windows browser trojans and keyloggers use that technique). I even remember that I was about to hijack the OpenSSL library because the first versions of the Mac client were linked against the external OpenSSL library, so it was trivial for example to recompile OpenSSL with a printf dumping everything. This hole was closed on newer versions but it’s still very easy to attach the debugger and it should be even easier with Dtrace (haven’t tried yet!). It’s much easier to hijack the data before it’s crypted then to code the MITM proxy and reverse the compression and so on.

Since someone gave the first public step I will release a rather useless piece of code that allows you to crypt and decrypt the ini files. The algorithm is still the same since 2006 and it works in Windows and Mac. It’s pretty easy to reverse! The ini files are gzipped, so you first decrypt and then gunzip or you gzip and then crypt. There’s not much info to peek inside the ini files but it might be useful in the future. Maybe one day I will get back to it… I would love to find any vulnerabilities into their protocols!

I hope the Vegas guys don’t come after me (yeahhh too much Vegas movies, damn American movies hehehe).

The GDB bug from previous post is still not over! The dynamic linker, dyld, has problems and it crashes with some values. I didn’t spot this one on time for the post because I wasn’t executing my test program, just loading into GDB so I could track the bug. I’m trying to track the bug inside dyld (this is when it’s great to have open source code by Apple).

That’s it!

SHA1(Decrypter.c)= dd0ebc2e75f512710f9f992048254bb012af5824
SHA1(Crypter.c)= a3ae440b6b78a50bd73ac446b51a626206405d6f