
Hacking a slot machine PRNG?

Bazileu (registered 16.12.2022; messages: 4; reactions: 2)
Hello, I recently saw a story about how a group from Saint Petersburg cheated slot machines using their phone (recording the screen, then analyzing the spins with special software to determine the best moment to press the button in order to win).
The story dates back to 2016; does anyone know whether this software is sold and where it can be found? (sorry for my bad Russian, I'm using an online translator)
 
Nothing (except stupidity) stops an online casino from periodically changing its PRNG algorithms (or the parameters of a single algorithm) in order to rule out any analysis of its internal state. In physical machines it is of course harder to swap out the generator, but that is beside the point. What matters is that in any case you will need a large enough sample to do the analysis, even if you assume that the PRNG algorithm (or noise generator) is always the same and that its seed depends only on the time the button is pressed. So most likely you would have to burn through a fairly round sum just to obtain a sample of sufficient size.
 
It is worth mentioning here that some sites have demo versions where you can spin the machine endlessly for free; you cannot withdraw what you win, it is just a lure.
So if the makers of the slot did not bother and put the same algorithm into the demo as into the real one, you can do the analysis on the demo.
But most likely the demo will pay out more often in order to lure in customers.
 

Appendix: How Alex’s algorithm might work

Let’s start with summarizing all that we know about his strategy:
  • Alex required results of about 24 spins to predict future outcomes.
  • Agents waited for the right time to press the spin button.
  • Brendan Koerner managed to track the origins of the PRNG algorithm (from the mathematical evidence provided by Alex) to the book The Art of Computer Programming.

Disclaimer: the following technical analysis is just my speculation as to what engineers at Aristocrat could have done wrong, and how Alex could have exploited it. Despite the fact that I took all information available at the time into account, the real exploit could have differed in minor or major details.

The PRNG that might have been used in Aristocrat cabinets

The simplest PRNG algorithm described in The Art of Computer Programming which gives satisfactory results is actually quite simple:
RNG = (a * PreviousRNG + c) mod m
This algorithm, known as Linear Congruential Generator (LCG), is still used as a default PRNG algorithm in many programming languages (e.g. Java).
Could Aristocrat slot machine developers simply have used the default PRNG algorithm provided by the programming language they used? Or could they have used the simplest PRNG which meets the requirement of uniformity?
I think that it’s a possible scenario. This default algorithm works and meets the criteria of uniformity of generated random numbers. It might have met all the criteria programmers were working to in the requirements specification.

How to crack a simple PRNG

Now let’s speculate on how bold Alex could have exploited this algorithm.

1. Decompilation

The first step is to get to know the exact parameters of the algorithm (parameters a, c and m). This is the easy part, as these parameters are written in every slot machine. Alex just had to read the binary code from the cabinet memory and decompile it. This is a task which any specialist in microelectronics can do if he is equipped with the proper tools.
But knowing just the a, c and m parameters alone isn’t enough. With the decompilation, you can actually read the parameters of all PRNG algorithms – even the cryptographically secure ones. To be able to predict and exploit the RNG sequence in a real slot machine placed in a casino, you’ll also need to know something else – the current RNG seed value.

2. Finding the current RNG value

The LCG PRNG algorithm is generally characterized as easily predictable. This means that just by knowing 3 random numbers you are able to calculate the a, c, m parameters and easily predict the next numbers in the sequence.
Don’t be confused with that, as this wasn’t the exact task Alex was facing. Alex already knew a, c, and m parameters from the decompilation, but he didn’t know the current RNG state value. He was able to observe the produced random numbers indirectly by watching the positions where the reels stopped in recorded spins.
The key point is that the logic of a slot game is deterministic and programmed inside the cabinet. So it can be decompiled, reverse-engineered and simulated somewhere else. The game logic usually takes a random number and uses some mathematical operations to determine where each reel should stop.
The slot machine reels usually have around 50 to 100 symbols, three of which are displayed on the screen. The combinations may sometimes repeat, and reels can have a different length, but let’s assume that there are 50 unique combinations on each reel. The random number selects one of these 50 combinations, so just by looking at the first reel in the first spin you can eliminate 49/50 (98%) of potential random numbers.
Example: If the game has 5 reels, then on average just one of 312 million random numbers gives exactly the same result as the one observed by a player.
If you know the outcome of many consecutive random (*) numbers, then you’ll very soon end up with just 1 initial random number which gives the desired outcome for all spins. In fact, the number of spins you need is proportional to the length of the initial random number.
So you just need to simulate all the possible random numbers and voilà… well, not that fast.
If a slot machine used random numbers which are 64 bits long, then simulating all of them would require too much computational power (544 years on my laptop). Alex still needed to get a little unintentional help from Aristocrat’s developers. I found 2 things they could have done to help Alex:
  • Use a RNG state that is too short (32-bit).
  • Use the random number in a way that it can be used to help find the current RNG state.

1. Too short (32 bit) RNG state

Aristocrat MK IV cabinets were developed on a 32-bit ARM 250 processor. If the slot developers decided to also use a 32-bit random number seed, then there are just 4,294,967,296 possible RNG states. It may look like a lot, but current computers are very fast and this number of options can easily be examined by brute force (takes 4 seconds on my laptop).
However, I consider this option less likely. Moreover, a 32-bit random number is too short to cover all possible results in some games (5 reels * 90 symbols).

2. Using a random number in "an easy to exploit" way

Let’s now assume that there was a 64-bit RNG state in use. How do you use a 64-bit number to deterministically stop 5 reels by 50 symbols each? The easiest approach which preserves uniformity would be the following:
Pos1 = RND modulo 50
Pos2 = (RND / 50) modulo 50
Pos3 = (RND / (50*50)) modulo 50
Pos4 = (RND / (50*50*50)) modulo 50
Pos5 = (RND / (50*50*50*50)) modulo 50

Each reel now uses its part of a random number, and there are no correlations among the individual reels. Provided the random numbers are uniform, then there is a uniform chance of any possible game outcome (**). Regulator approves.
Now the exploit:
If you know the reel positions, you can easily calculate the end of a random number (RND mod 50^5):
RndEnd = pos1 + pos2*50 + pos3*50*50 + pos4*50*50*50 + pos5*50*50*50*50
Will this help you to guess the current RNG state? It will, actually. It will help you a lot.
Now you don’t need to simulate all possible random numbers, but just those that end in RndEnd. Or, to be more specific, all random numbers which match the pattern RndEnd + X * 50^5:
  • 1 * 312500000 + RndEnd
  • 2 * 312500000 + RndEnd
  • 3 * 312500000 + RndEnd
Now out of 2^64 possible values (18466744073709551616), you’ll need to try just 59029581035. Both are huge amounts of possible values, but while on my laptop the simulation of the first would take 544 years, the simulation of second would be completed in 60 seconds. That’s a huge difference.
And that’s it. Now you know the random number and you can predict future spins.
The real RNG exploit Alex used could be different, but I bet it has a lot in common with the process I have described here.
(*) In reality Alex didn’t know the outcomes of consecutive random numbers, but he knew the outcomes of random numbers which were quite close in the sequence.
Alex’s agents had to wait for a certain moment to press the spin button. This indicates that the Aristocrat MK IV cabinet continuously generates random numbers with some frequency (in some jurisdictions it’s a legislative requirement). When a player presses the spin button, the current random number is used to determine the spin outcome.
Note that the frequency of generating random numbers must be also programmed inside a slot machine. Therefore, it can also be easily read and predicted after code decompilation.
Let’s assume that the random numbers in a slot machine are generated with a frequency of 100/second. Playing 24 rounds might take around 60 seconds, so there are about 6000 random numbers involved, out of which 24 have been used to calculate the spin outcome. The task then is to calculate the first random number which gives the outcome of the first spin, and also the outcomes of the remaining 23 spins when cycled further within the following 6000 cycles. This simulation is also easy to do; it just takes a few times more (with proper optimizations).
(**) To get perfect uniformity, you would have to throw away numbers which are greater than 2^64 – 2^64 mod (50^5).

It is also worth noting that there are now emulators capable of running Aristocrat MK IV software, as well as Novomatic Coolfire1, both of which have been hacked in the past. In theory you could use an emulator to generate your data instead of a real machine.
In my country these machines still exist, so the cheat might still work :)
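As an added illustration (not code from the Casino Guru article or from any poster in this thread), the following Python toy rebuilds the design the appendix describes on a 32-bit LCG and shows why mapping reel stops straight off the generator state leaks that state; the LCG constants, the seed and the clock gaps between presses are assumptions.

```python
# Toy model of the leaky design analysed in the post (added example); the LCG
# constants are an assumption (Numerical Recipes values), not any real cabinet's.
REEL, REELS = 50, 5
SPAN = REEL ** REELS                       # 50^5 = 312,500,000 distinct outcomes
A, C, M = 1664525, 1013904223, 2 ** 32     # 32-bit state: the post's "too short" case

def lcg_next(state):
    """RNG = (a * PreviousRNG + c) mod m, the LCG quoted in the post."""
    return (A * state + C) % M

def reels(rnd):
    """The post's mapping: Pos_i = (RND / 50^(i-1)) mod 50 for i = 1..5."""
    return tuple((rnd // REEL ** i) % REEL for i in range(REELS))

def rnd_end(pos):
    """Invert the mapping: five stop positions reveal RND mod 50^5 (RndEnd)."""
    return sum(p * REEL ** i for i, p in enumerate(pos))

def candidate_count(bits):
    """RNG values consistent with one observed spin: 2^bits / 50^5."""
    return 2 ** bits // SPAN

def play(seed, gaps):
    """Cabinet side: the LCG is clocked gaps[i] times between button presses and
    the value current at each press decides the spin. Returns (states, spins)."""
    state, states = seed, []
    for gap in gaps:
        for _ in range(gap):
            state = lcg_next(state)
        states.append(state)
    return states, [reels(s) for s in states]

def recover_state(spins, max_gap):
    """Observer side, as the post describes: try only values of the form
    RndEnd + X * 50^5 and keep those that reproduce every later spin within
    max_gap clock ticks. With a 32-bit state that is only 13 or 14 candidates."""
    survivors = []
    for cand in range(rnd_end(spins[0]), M, SPAN):
        state, consistent = cand, True
        for target in spins[1:]:
            for _ in range(max_gap):
                state = lcg_next(state)
                if reels(state) == target:
                    break
            else:                              # target never appeared: discard
                consistent = False
                break
        if consistent:
            survivors.append(cand)
    return survivors
```

Because every candidate shares the observed RndEnd, the search shrinks from 2^bits to candidate_count(bits), which for 64 bits is exactly the 59,029,581,035 figure in the post. A generator whose outputs are not its raw state (a CSPRNG, or a hashed output with rejection sampling) offers the observer no such congruence, which is the design change this analysis argues for.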
 

