Jackpotting Online Slots – part one

Imagine you walk into a casino, choose your slot machine, sit down, insert your first coin and press the start button. The wheels spin and you hit the jackpot! Wow, what a feeling, but wait, do you really have to leave the house? A quick search shows that you don’t have to, because there are plenty of casinos on the internet. And they are all available digitally in your browser, anytime, anywhere, on any device.

This article is structured a little differently than the previous ones. I do not yet know the outcome, nor do I know if we will be successful. So I will take you on a journey where we will try to get luck on our side 🙂

Warning notice

I would like to point out that I do not support gambling. It can very quickly become a very dangerous thing where you can lose everything. Casinos are neither your friends nor charities; in the end they want your money and they get it, ALWAYS. I will not mention any casinos by name because I do not want to endorse them. If you already have symptoms of addiction and the following blog may trigger you, simply do not read it. There are many places that can help you, such as “responsiblegambling”. Take care of yourselves!

Reconnaissance

Now that this has been clarified, let’s move on to the first stage, which is research. As mentioned, there are quite a few online casinos out there. There are government-regulated casinos as well as Wild West casinos that do not play by the rules. Different countries have different laws and prohibitions, so be sure to check before visiting these sites.

Unlike real casinos, online casinos do not provide their own roulette tables or slot machines. They buy them from external suppliers or can get them on a rental model. This also means that they are usually the same or at least similar everywhere. A slot machine, for example, has a so-called “Return to Player” (RTP) value, which describes how much of the money played goes back to the player. This is usually between 90 and 95 percent, meaning that out of every $100, $90-$95 is returned to the player as a “win”. But wait, that doesn’t mean the money goes back to the player who played it; it goes to some other player at a random time. The remaining percentage goes to the casino, so only the casino can say “winner, winner, chicken dinner”.

So now we know what an RTP is, we know that casinos use third party services and we know that they are sure winners. But who are these third parties that provide these services? Again, there are a myriad of such providers who always offer a certain range of slot machines. Mostly in different variations, but always with the same basic principle. For example, one player wants a slot with the same free spins, another wants no free spins but more winning lines and so on. But both want a summer and a winter or a viking and a cowboy version so that the fun never gets old.

Most casinos will allow you to play for fun after you have registered. This means that you can play without being forced to play for real money. They are certainly not doing this for fun or because they mean well, they are just trying to get you hooked. But good for us, because it means we can analyse exactly how the slots work without gambling away our hard-earned cash. Of course, we also use a temporary email address for registration because we don’t want to receive SPAM, we’re smart. However, only the Wild West casinos offer this option, as the legitimate ones require a bunch of information (such as ID cards, driving licences and phone numbers) for verification.

So to summarise, RTP is known, the business model is known and basically how casinos make money is known. Now it’s time to hit the keys and try to make our own luck. All we need is our operating system, a tool to make API calls and a tool to manipulate requests or responses, it’s all digital 🙂 I will be using Postman (API) and the community edition of Burp Suite (traffic modification) for this all the time. For the temporary email address I use the service of internxt.com. Ahh and yes, Proton VPN is always on, of course.

Trial and error

All the tools are ready, and so are we, so let’s make a registration in the Wild West. As I said, I’m not going to tell you which casino I registered with, you’re resourceful enough to choose your own. After registering, let’s play one of the slots, starting with the classic Book of Dead (I have to name this one, otherwise it’s like fishing in the mud). This game has 3 lines of five columns each. There are 10 paylines and if a certain symbol (some sort of shrine, I don’t know how to describe it) appears three times, you get a bonus game with 10 free spins.

The first stage is a simple analysis using the browser’s developer tools (press F12 in your browser) so that we can understand the process and the web calls. It is noticeable that there is a lot of background noise from the casino website itself, which has nothing to do with the slot machine: statistics, data collectors and much more. So it would be nice to find a way to eliminate this. After a bit of research I found the direct URL for the slot, which is embedded in the casino page as an iframe. So from now on we will use the direct link to the game.

https://alvcw.playngonetwork.com/casino/ContainerLauncher?brand=&channel=desktop&gid=bookofdead&lang=en_GB&lobby=[casion]&origin=https://launcher-eu1.fh8labs.com&pid=[some data]&practice=0&ticket=[some data]

But wait, this is a real money game and I have none 🙂 Let’s try to shorten the URL as much as possible. After a few deletions here and there, an error here and there, I ended up with the following URL, which starts the game without a casino behind me monitoring it. Oh, and the real money game is nothing more than a parameter, but let’s have a closer look at it.

https://alvcw.playngonetwork.com/casino/ContainerLauncher?channel=desktop&demo=2&gid=bookofdead&lang=en_GB&pid=393&practice=1
  • channel has no influence, but probably controls where data is sent from.
  • demo has no influence and I do not know what it does
  • gid is the name of the game, might be interesting for later (name=id)
  • lang the display language
  • pid has no effect and I do not know what it does, but the game does not start without it
  • practice: 0 = real money, 1 = play money

Now that we have that, let’s play a little and see the traffic generated. We are playing with one coin per line (remember there are 10 winning lines) which has a value of $0.20. This makes a bet of $2 per spin. When play is pressed, a POST request to the URL “https://alvflyp.playngonetwork.com” is sent in the background. Below are the request payloads of the first 3 spins.

# click one
d=7
26yTKH4pwnh!1874
1 1 10 20 1
# click two
d=8
26yTKH4pwnh!1874
1 1 10 20 1
# click three
d=9
26yTKH4pwnh!1874
1 1 10 20 1

Ok, so it looks like this is not encrypted and is not a JSON or XML payload, it looks like plain text. The first line is probably some ID for the round we are playing (7/8/9), the second line could be a unique identifier for our session and the third line is probably what our stake is. Let’s test this out by changing the bet from $0.2 to $0.5 per coin and using 2 coins instead of just one, at least we’re only betting on five lines. Oh, and the slot has a pretty nasty timeout when nothing is done, so I had to reload a new session.

d=7
O0nTjiNOabg!1947
1 2 5 50 1

The reload also confirms that the second line is an identifier for our session, as it has now changed 🙂 We also correctly guessed that the third line must have something to do with our bets. Of the values marked in red (2 5 50), the first is the number of coins we bet, the second is the number of winning lines and the third is the coin value. So we already understand the payload we send to the endpoint, now what about the response we receive?

# response one (was a lose)
d=1 2 5 50 6 0 2 0 3 1 5 9 2 6 0 2 8 3 4 0 0 3 4 2 0 1 0 1 8 1 6 3 1 0 0 0 1 6 0
52 99997000 0 0
# response two (was a lose)
d=1 2 5 50 0 7 2 9 4 5 3 2 8 2 0 5 0 4 7 0 0 6 4 3 3 0 0 6 4 5 0 3 1 0 0 0 1 6 0
52 99996500 0 0
# response three (was a win)
d=1 2 5 50 6 2 4 3 1 4 8 2 4 6 7 1 5 0 4 0 1 2 4 3 0 10 0 6 2 3 4 6 2 4 3 7
3 1 10 500 0 1

We can see that the data differs between a winning and a losing response. Interesting! Let’s first look at the response in a losing round.

# response one 
d=1 2 5 50 6 0 2 0 3 1 5 9 2 6 0 2 8 3 4 0 0 3 4 2 0 1 0 1 8 1 6 3 1 0 0 0 1 6 0
52 99997000 0 0
# response two 
d=1 2 5 50 0 7 2 9 4 5 3 2 8 2 0 5 0 4 7 0 0 6 4 3 3 0 0 6 4 5 0 3 1 0 0 0 1 6 0
52 99996500 0 0

The first thing we can notice is that in the first line, the values marked in yellow do not change. The first block of them is suspiciously similar to our value from the request payload. However, the purple values do change, and this may have something to do with which symbols are displayed? But this makes no sense at the moment, as only 15 symbols are displayed (3 lines of 5 columns each give 15 values), but 27 values change. The red values in the second row represent the balance available after the round is played. The other values in this row cannot be identified, but perhaps they indicate that a zero profit has been made? Let us compare this with a winning response.

# response two 
d=1 2 5 50 0 7 2 9 4 5 3 2 8 2 0 5 0 4 7 0 0 6 4 3 3 0 0 6 4 5 0 3 1 0 0 0 1 6 0
52 99996500 0 0
# response three (was a win)
d=1 2 5 50 6 2 4 3 1 4 8 2 4 6 7 1 5 0 4 0 1 2 4 3 0 10 0 6 2 3 4 6 2 4 3 7
3 1 10 500 0 1

There are a lot of changes. The value “3 1 0 0 0 1 6 0” at the end of both losing responses has completely disappeared; only the possible bet value in yellow at the beginning is still there. The second line now looks completely different. Ok, we need another win to compare the lines: $0.2 bet, one coin and 10 winning lines, let’s go. Wait a second, it may be necessary to know the Winning Line (WL) to interpret the second line, the game instructions say this

Fun fact, it would have taken 32 spins, so $64, to get that $6 “win”. Not something I would get excited about, if it was my money. But anyway, what do the response lines tell us?

# response win1 (1$) - WL 5 
d=1 1 10 20 2 3 5 0 5 2 2 4 6 4 9 5 1 2 6 0 1 4 5 2 0 5 8 8 1 7 8 5 0 4 8 7
3 1 5 100 0 1
# response win2 (5$) - WL 5
d=1 1 10 20 6 0 2 8 2 4 2 4 8 0 2 7 4 6 1 0 1 4 2 4 0 25 3 4 4 0 5 2 6 1 3 2
3 1 25 500 0 1

Now it is clear, the first 5 characters after the “d=” in the first line reflect our bet. In the second line, the first character, the “3”, must indicate that it is a win and the “1” a win by betting one coin. The third number in the second line (5/25) is the number of coins won and the fourth number is the actual win (100 = $1 / 500 = $5). Like Nicolas Cage in the film National Treasure, we are on the trail. One piece of the puzzle remains: what do the numbers that keep changing after the yellow block mean? Let’s try to crack it. To do this, we take the display combination that the machine spits out and the numbers in the response and try to compare them. We will start by comparing two losing spins so that we have the same data to start with.

# response image 1
d=1 1 10 20 4 6 3 2 5 0 4 1 2 7 1 3 2 6 7 0 0 2 4 0 1 2 7 2 6 1 1 3 1 0 0 0 1 6 0
52 99999400 0 0

# response image 2
d=1 1 10 20 4 3 6 4 3 1 3 8 5 8 1 2 2 3 1 0 0 2 0 1 0 2 0 2 3 1 5 3 1 0 0 0 1 6 0
52 99999200 0 0

If we now hide everything from the first line that we think we already know (yellow), something immediately jumps out at me, what does it look like to you? It is quite suspicious that in the first picture, the first column contains an ace, an anubis and a king, while the response is 4 6 3. In the second picture there is an ace, a king and an anubis in the first column, and 4 3 6 in the response. My goodness, we got lucky this time. So, to double check, there should be a 4 for an ace in the seventh position and a 3 for a king in the twelfth position for the first picture. Also a 4 for an ace should appear in the fourth position and a 3 for a king in the fifth position for the second picture. This is exactly the case, so it is clear that the first 15 digits, of the changing response, describe which symbol is being displayed.

At the end of this phase, let’s try to match the symbols with the numbers, as this could help us in the Attack phase. We are lucky: according to the game instructions there are nine winning symbols and the bonus symbol, so exactly the numbers 0-9. (I was not sure about the bonus symbol, but I checked with a spin where this happened.)

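Symbol                 Response code
(image not preserved)  0
(image not preserved)  1
(image not preserved)  2
(image not preserved)  3
(image not preserved)  4
(image not preserved)  5
(image not preserved)  6
(image not preserved)  7
(image not preserved)  8
(image not preserved)  9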
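
The response layout worked out above, as an added example that is not part of the original post or any vendor code: a decoder for the captured demo responses that rebuilds the 3x5 grid and checks each response against the bet line of its request. The names parse_response and consistent are hypothetical, and the rule that the win amount equals coins won times coin value is an assumption read off the win samples in this article.

```python
"""Decoder for the plain-text spin responses captured in this article."""

ROWS, COLS = 3, 5  # 3 visible lines of 5 columns, as described for this slot


def parse_response(text):
    """Split one captured spin response into the fields identified so far."""
    first, second = [ln.split() for ln in text.strip().splitlines()[:2]]
    if not first[0].startswith("d="):
        raise ValueError("first line must start with 'd='")
    values = [int(v) for v in [first[0][2:]] + first[1:]]
    if len(values) < 4 + ROWS * COLS:
        raise ValueError("too short for a bet block plus 15 symbol codes")
    _, coins, lines, coin_value = values[:4]
    codes = values[4:4 + ROWS * COLS]
    # Codes arrive column by column: codes[0:3] is the first visible column.
    grid = [[codes[c * ROWS + r] for c in range(COLS)] for r in range(ROWS)]
    status = [int(v) for v in second]
    result = {"coins": coins, "lines": lines, "coin_value": coin_value,
              "stake": coins * lines * coin_value, "grid": grid,
              "win": status[0] == 3}
    if result["win"]:   # win line, e.g. "3 1 5 100 0 1"
        result["coins_won"], result["amount"] = status[2], status[3]
    else:               # losing line, e.g. "52 99999400 0 0"
        result["balance"] = status[1]
    return result


def consistent(resp, request_bet_line):
    """Check a parsed response against the third line of its request."""
    _, coins, lines, value, _ = (int(v) for v in request_bet_line.split())
    echoed = (resp["coins"], resp["lines"], resp["coin_value"]) == (coins, lines, value)
    # Assumption from the article's wins: amount == coins won * coin value.
    paid_ok = not resp["win"] or resp["amount"] == resp["coins_won"] * value
    return echoed and paid_ok


# Samples copied from the captures shown in this article.
LOSS = """d=1 1 10 20 4 6 3 2 5 0 4 1 2 7 1 3 2 6 7 0 0 2 4 0 1 2 7 2 6 1 1 3 1 0 0 0 1 6 0
52 99999400 0 0"""
WIN = """d=1 1 10 20 2 3 5 0 5 2 2 4 6 4 9 5 1 2 6 0 1 4 5 2 0 5 8 8 1 7 8 5 0 4 8 7
3 1 5 100 0 1"""

if __name__ == "__main__":
    for sample in (LOSS, WIN):
        parsed = parse_response(sample)
        print(parsed, consistent(parsed, "1 1 10 20 1"))
```

The stake field is in the same unit as the balance, so two consecutive losing balances from one session should differ by exactly that value.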

Finally, it is important to note that after each win, another POST is sent to collect the winnings. The payload of the spin looks like this.

# request payload
d=11
WX0UdcU5E2j!44
1 1 10 20 1
# response 
d=1 1 10 20 7 2 4 2 7 1 6 5 3 2 3 6 5 0 4 0 1 3 7 2 0 5 0 3 5 3 4 4 1 2 3 7
3 1 5 100 0 1

And the payload of the second POST request to collect the winnings is as follows

# request payload
d=12
WX0UdcU5E2j!44
4 0
# response 
d=5 5
6 100
52 99999100 0 0

I think we have learnt enough for today about casinos, where they get their games and how they win. We have also learnt a lot about how our first slot machine works. Let’s let that sink in and think about it for a while and see how we can use this knowledge to our advantage. In particular, how to win every spin 🙂

That’s it for now, stay tuned and see you soon.

** midjourney string “casino player standing at a slot machine and happy whit hands in the air and an extreme laugh that he wins the jackpot, cinematic lighting –ar 1:2 –q 2