
Thread: Poker Mavens software hacked to allow superusing for shady operators

  1. #1
    Originally Posted by Johnaudi:
    "How could Kent fix this? Several ways, one of the common ways is to double-check the JS file's hash before posting it on the server; another would check the hash of the whole program to prevent its tampering."
    That was actually done a few upgrades ago (6.12), I just didn't announce it. The EXE now validates its own digital signature. That will fail if any modification has been made, including the embedded JS client code, and the program will shut down. But code running on the hacker's own hardware can always be hacked and patched, such that those protections are stripped out. So there are no guarantees.

  2. #2
    Originally Posted by KBriggs:
    "I just didn't announce it."
    Actually I did: http://www.briggsoft.com/forums/view...php?f=7&t=2830

  3. #3
    Originally Posted by KBriggs:
    "That was actually done a few upgrades ago (6.12), I just didn't announce it. The EXE now validates its own digital signature. That will fail if any modification has been made, including the embedded JS client code, and the program will shut down. But code running on the hacker's own hardware can always be hacked and patched, such that those protections are stripped out. So there are no guarantees."
    This is interesting, perhaps assembled code, is that working on resources as well? As it has compiled with no issues. (Server running as well)

    I can provide an example of a patched exe to you privately if that is in your interest.

  4. #4
    Originally Posted by Johnaudi:
    "This is interesting, perhaps assembled code, is that working on resources as well? As it has compiled with no issues. (Server running as well)"
    Hmm, now that I look at that code it appears I'm only checking that the signature belongs to Briggs Softworks and not if the code has been modified. Could have sworn I tested that. Anyway, I'll fix that in 6.15. Note that this will not protect against a passive memory scan for the card deck, which is what would be required to know the community cards in advance (if that claim is true).
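
The gap described in post #4 (checking who signed, but not whether the signed bytes still match), shown as an added example that is not Poker Mavens code or part of the original thread. It is a simplified model, not Authenticode: the signer name, package layout and toy textbook-RSA key are all constructed assumptions.

```python
import hashlib

# Toy textbook-RSA key, constructed for this example only (unpadded and far
# too small for real use). Both primes are Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # publisher's private exponent

TRUSTED_SIGNER = "Example Publisher"   # hypothetical signer name


def digest(body: bytes) -> int:
    """SHA-256 of the program bytes, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N


def sign(body: bytes, signer: str = TRUSTED_SIGNER) -> dict:
    """Publisher side: attach the signer name and a signature over the body."""
    return {"body": body, "signer": signer, "sig": pow(digest(body), D, N)}


def check_signer_only(pkg: dict) -> bool:
    """Weak check: looks at who signed, never at what was signed."""
    return pkg["signer"] == TRUSTED_SIGNER


def check_signer_and_integrity(pkg: dict) -> bool:
    """Strong check: trusted signer AND signature matches the current bytes."""
    if pkg["signer"] != TRUSTED_SIGNER:
        return False
    return pow(pkg["sig"], E, N) == digest(pkg["body"])


def demo() -> dict:
    original = sign(b"server code + embedded JS client")   # constructed sample
    # Same signer field and signature, but the bytes changed after signing.
    modified = dict(original, body=original["body"] + b" MODIFIED")
    return {
        "weak_original": check_signer_only(original),
        "weak_modified": check_signer_only(modified),
        "strong_original": check_signer_and_integrity(original),
        "strong_modified": check_signer_and_integrity(modified),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the strong check rejects the modified package; the signer-only check accepts both, which matches the behaviour reported in post #3.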

  5. #5
    Dan, I just listened to the section of your podcast where this was being discussed and wanted to address a few things you mentioned. When I said that a code injection into the client could be easily detected, I meant easily detected by any player who knew what to look for, not the site operator. When you load the client interface, the HTML and JavaScript are now all in your browser. You can see it by pressing Ctrl-U in most browsers. And you can even save it to a file on your local drive. Also when I said that you can run a free packet sniffer like Wireshark to see if the browser is making external connections, it's the player that can do that themselves so they can detect if they have a modified client that is sending their decrypted hole cards back to a shady operator.

    The other issue is that you thought the server module could be written in some tamperproof way via encryption. Not really. Before I was into poker I was really into cryptography and still sell a couple of crypto apps. A talented hacker that has the server program running on their hardware can reverse engineer the machine code, line by line. The cards have to exist in plaintext form at some point before the encryption can occur. Given enough time, patience, and skill, said hacker could find this point. The best the code author could do is throw in a bunch of obfuscation points to make it more difficult to find but obfuscation is not real security.

    One last comment about established poker sites running proprietary software. If the site operators were corrupt, that proprietary software would be the easiest to corrupt because they wrote it themselves. They have the source code and could put the cheating system in as a feature. And no one would know because no one else is going to be running around trying to sell the hack. The only system that you know for certain is on the up-and-up is one you run yourself.
