Why Did Full Tilt Need Your Windows Key?

Ah yes, Full Tilt Poker. We all remember them, don’t we? A paragon of security, fairness, and timely payouts.

Well, we’ve been sitting on this information for a while, and since they’re dead and gone, we thought it might be interesting to share with the end users just how… invasive Full Tilt’s reporting tools were.

Most of the technical details can be found below from an article/synopsis our Chief Technology Officer wrote some time ago, with a lot of the code and specifics scrubbed out for various reasons. Enjoy!

———————————

Here are some details about Full Tilt and their “fingerprinting” logic that we think the community might be interested in hearing!

Full Tilt hides personally identifying information inside image files in the Full Tilt directory, specifically:

{Full Tilt Directory}/Graphics/Lobby/Backgrounds/LobbyMiddle.png
{Full Tilt Directory}/Graphics/Lobby/Backgrounds/LobbyCenter.png

The first 110 bytes of these images are the actual image data; the bytes after that contain identifying information derived by hashing/processing values read from your computer. During the authentication stage of connecting to Full Tilt (the 2nd or 3rd packet sent after connect, which contains ~800 bytes of identifying information; I don’t remember the exact number now), the last 36 bytes of LobbyMiddle.png are sent, as are the last 74 bytes of LobbyCenter.png.

It’s a lot harder to identify this now, since Full Tilt isn’t running at the moment, but you can fairly easily pick this up by doing a clean install of Full Tilt. You’ll initially see that LobbyMiddle.png is only 110 bytes. After running the program once, it enters a function which reads various registry keys and hardware identifiers from the machine and then appends a shortened version of this data to the image. Future runs of the program read these bytes back from the image instead of recalculating them.

Elsewhere in the code, the image is read back if the registry entry where the fingerprint was stored is missing or does not have the expected length.

But wait, there’s more! LobbyCenter.png also has a good amount of seemingly random information written to disk. I haven’t analyzed it as thoroughly, but one very interesting detail is that the first 8 bytes written after the initial 110 are copied from a part of the FullTiltPoker.exe image that never changes.
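The behaviour described above, data appended past the end of an otherwise valid PNG, is easy to check for without any knowledge of the client: a PNG ends with its IEND chunk, so anything after that chunk is foreign. The following is an added example written for this post, not code from Full Tilt or from the original article. It walks the PNG chunk structure (verifying each chunk CRC), reports how many bytes trail the IEND chunk, and can scan a directory tree for PNGs carrying such a tail. The `make_minimal_png` helper and `CONSTRUCTED_TAIL` are constructed sample data so the script runs offline; the 110-byte figure and the file names are the ones from the text.

```python
import struct
import sys
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_payload_length(data: bytes) -> int:
    """Return the offset just past the IEND chunk, i.e. the size of the genuine PNG.

    Raises ValueError if the data is not a structurally valid PNG, so a
    tampered or truncated file is reported rather than silently accepted.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length, type, data, CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        # The CRC covers the chunk type and chunk data, not the length field.
        expected = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        actual = zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF
        if expected != actual:
            raise ValueError(f"bad CRC in chunk {ctype!r} at offset {pos}")
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_data(data: bytes) -> bytes:
    """Bytes that follow the IEND chunk; b"" for a clean PNG."""
    return data[png_payload_length(data):]


def scan_directory(root: Path):
    """Yield (path, png_length, trailing_bytes) for every PNG under root with a tail."""
    for path in root.rglob("*.png"):
        data = path.read_bytes()
        try:
            png_len = png_payload_length(data)
        except ValueError:
            continue                               # not a parseable PNG; out of scope here
        tail = data[png_len:]
        if tail:
            yield path, png_len, tail


# --- constructed sample data (not taken from the Full Tilt client) ---

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG: signature, IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")              # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# 36 arbitrary bytes, matching the size of the LobbyMiddle.png tail the text describes.
CONSTRUCTED_TAIL = bytes(range(36))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python png_tail.py "<Full Tilt Directory>/Graphics/Lobby/Backgrounds"
        for path, png_len, tail in scan_directory(Path(sys.argv[1])):
            print(f"{path}: PNG ends at {png_len}, {len(tail)} trailing bytes: {tail.hex()}")
    else:
        sample = make_minimal_png() + CONSTRUCTED_TAIL
        tail = trailing_data(sample)
        print(f"constructed sample: PNG ends at {png_payload_length(sample)}, "
              f"{len(tail)} trailing bytes")
```

On a clean install the two background images would report no tail; after the first run, the same check shows exactly the appended bytes, which is a far more direct signal than hunting through ProcMon's image reads.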

This is where it gets really fun though. If you download the Full Tilt Poker installer from FTP from two separate computers (or even from the same computer at different times with your cache cleared; not sure if you can do this anymore, so you’ll have to take my word for it right now) and do a binary diff of the files, you’ll find that they’re exactly the same…except for the 8 bytes which ultimately end up being B1F8D0 in FullTiltPoker.exe. The installers are fingerprinted at the time of download and that fingerprint is baked into your client. This means that if you do something like copy a VM with an install, or just mass deploy from a single installer, FTP can tell. I’m not sure how this mechanism was ever used (it could have been purely for analytics purposes, detecting when a client is installed), but there’s some code in the client which does a bunch of random stuff with these 8 bytes (as well as other bytes in LobbyCenter.png) in sub_8709A0.
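The binary diff mentioned above is the kind of check worth having as a reusable function rather than eyeballing hex dumps: compare two downloads byte for byte and report where they differ, so a per-download tag shows up as a single small run inside an otherwise identical file. This is an added example for this post, not tooling from the original article; the two "installer" byte strings it compares are constructed here, and the offset 0x40 where they differ is arbitrary (the real offset cited in the text, B1F8D0, is in FullTiltPoker.exe, not the installer).

```python
import sys
from typing import List, Tuple


def diff_ranges(a: bytes, b: bytes, gap: int = 0) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where a and b differ.

    Runs separated by at most `gap` identical bytes are merged, so a tag that
    happens to share a byte or two with its counterpart still reports as one
    region. If the inputs have different lengths, the extra tail counts as one run.
    """
    n = min(len(a), len(b))
    raw: List[Tuple[int, int]] = []
    i = 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            raw.append((start, i - start))
        else:
            i += 1
    if len(a) != len(b):
        raw.append((n, max(len(a), len(b)) - n))

    merged: List[Tuple[int, int]] = []
    for start, length in raw:
        if merged and start - (merged[-1][0] + merged[-1][1]) <= gap:
            prev_start, _ = merged[-1]
            merged[-1] = (prev_start, start + length - prev_start)
        else:
            merged.append((start, length))
    return merged


def format_report(a: bytes, b: bytes, ranges: List[Tuple[int, int]]) -> str:
    """Human-readable listing of each differing run with both sides in hex."""
    lines = [f"{len(ranges)} differing region(s); sizes {len(a)} vs {len(b)} bytes"]
    for start, length in ranges:
        lines.append(f"  0x{start:08x} +{length}: "
                     f"{a[start:start + length].hex()} | {b[start:start + length].hex()}")
    return "\n".join(lines)


# --- constructed sample "installers" (not real Full Tilt files) ---

BASE = bytes(range(256)) * 4                      # 1024 bytes of deterministic filler
TAG_OFFSET = 0x40                                 # arbitrary position for the per-download tag

def make_installer(tag: bytes) -> bytes:
    """Identical filler with an 8-byte tag stamped at TAG_OFFSET."""
    assert len(tag) == 8
    return BASE[:TAG_OFFSET] + tag + BASE[TAG_OFFSET + 8:]

INSTALLER_A = make_installer(b"\x00" * 8)
INSTALLER_B = make_installer(b"\xff" * 8)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python bindiff.py FullTiltSetup_download1.exe FullTiltSetup_download2.exe
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            a, b = f1.read(), f2.read()
    else:
        a, b = INSTALLER_A, INSTALLER_B
    print(format_report(a, b, diff_ranges(a, b, gap=2)))
```

Run against two copies of the same download, the only region reported should be the small tag; anything else differing (or a length mismatch) means the two files are not the same build at all.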

Finally, a few details about the GetMachineFingerprint(…) function that was discussed earlier. While the shortened version is written to disk, the extended version is sent to FTP over the wire, along with the shortened version. It could be that there’s some sort of hash comparison on the server side to detect tampering / new hardware that doesn’t match an old fingerprint. Here are a few things they check for:

A bunch of registry keys like:

HKEY_CLASSES_ROOT\InternetExplorer.Application\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\{Windows NT or Windows, whichever one exists}\CurrentVersion\RegisteredOwner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\{Windows NT or Windows, whichever one exists}\CurrentVersion\ProductId - This is your Windows Product Key
Hardware descriptors like HKLM\Description\System\MultifunctionAdapter\{whatever number they can find}\DiskController\0\DiskPeripheral\0\Identifier
HKLM\Software\Microsoft\Cryptography\MachineGuid (Every site checks this pretty much)

A call to GetSystemInfo, from which they check fields like:

systemInfo.dwNumberOfProcessors
systemInfo.wProcessorRevision
systemInfo.dwOemId

A call to GetCurrentHwProfileA, after which they check szHwProfileGuid

The fingerprinting also has code for calling CreateToolhelp32Snapshot and using it to examine some details of the application which launched FullTiltPoker. I’ve never seen this code called, but it’s there.

All of the data in this function gets sent over the wire to Full Tilt. All of it. Including your Windows Key.

The interesting thing here is how the shortened version of the fingerprint is stored in two separate areas – once in the registry and once in the image. Because the information is stored in images, it’s easy to overlook the file I/O in a program like ProcMon, since a ton of images are normally read as part of loading the program. Whatever the case is though, there are several failsafes in place to guarantee that this information is sent to the site every time – so it must be used for something slightly more important than just sales analytics.

2 Responses to “Why Did Full Tilt Need Your Windows Key?”

  1. PK says:

    This is a pretty common security technique known as the “device-print” and it’s one method that the gaming companies have of ensuring that people are not using multiple accounts from the same device.

    The windows key is a unique tag – so it’s useful for the purpose of comparison.

    It’s one of a number of methods to prevent scammers from fraudulent claims – as the gaming companies are able to pinpoint exactly which machines were used to login and when.
