Luigi Auriemma

me@aluigi.org [PGP]


adv.htm
    zdi-12-187

    Call of Duty: Modern Warfare 3 NULL pointer dereference (game)
    13 Nov 2012:  paper

adv.htm
    poc - bwocxrun_1

    calloc integer overflow in MPlayer on Windows (media)
    02 Sep 2011: adv

adv.htm
    adv - inbatch_1

    Memory leak in Call of Duty Black Ops (game)
    18 Nov 2010: adv

adv.htm
    etqwcbof

    Exception in Chrome Engine 4 (game)
    Call of Juarez: Bound in Blood, Sniper: Ghost Warrior, ...
    17 Jun 2010: adv

adv.htm
    gem2bugs

    Denial of Service in PunkBuster (09 Aug 2009) (game)
    America's Army 2/3, Battlefield 2*, Call of Duty 1/2/4/5, Crysis, DOOM 3, Enemy Territory, ETQW, FEAR, Fuel of War, Need for Speed, Quake 3/4, RTCW, Soldier of Fortune II, Wolfenstein, ...
    09 Aug 2009: reference

adv.htm
    poc - sunagex

    Double Denial of Service in Call of Duty 4 1.7 (game)
    22 Jun 2008: adv

adv.htm
    adv - webmodz

    Denial of Service in Call of Duty 4 1.5 (game)
    02 May 2008: adv

adv.htm
    italiano - wawix

    In-game callvote map buffer-overflow in Call of Duty series (game)
    24 Sep 2006: adv

adv.htm
    q3cbof

    Buffer-overflow in the WebTool service of PunkBuster for servers (earlier than v1.229) (game)
    America's Army 2, Battlefield 2*, Call of Duty 1/2, DOOM 3, Enemy Territory, FEAR, Quake 3/4, RTCW, Soldier of Fortune II, ...
    23 May 2006: adv

adv.htm
    poc - dualsbof

    BZFlag 2.0.4 server crash due to undelimited callsign (game)
    25 Dec 2005: adv

adv.htm
    poc - jamsgbof

    In-game server crash (buffer overrun) in Call of Duty 1.5b, United Offensive 1.51b, Call of Duty II 1.0 (game)
    02 Apr 2005: adv

adv.htm
    codmsgboom

    In-game players kicking in the Quake 3 engine (game)
    Call of Duty, Quake III Arena, Return to Castle Wolfenstein, Soldier of Fortune II, Star Wars Jedi Knight II: Jedi Outcast, Star Wars Jedi Knight: Jedi Academy and Wolfenstein: Enemy Territory
    02 Apr 2005: adv

adv.htm
    xinkaa

    Infostring crash and shutdown in the Quake 3 engine (game)
    Call of Duty, Quake III Arena, Return to Castle Wolfenstein, Soldier of Fortune II, Star Trek Voyager: Elite Force, Star Trek: Elite Force II, Star Wars Jedi Knight II: Jedi Outcast, Star Wars Jedi Knight: Jedi Academy, Wolfenstein: Enemy Territory, ...
    12 Feb 2005: adv

adv.htm
    poc - haloboom

    Broadcast shutdown in Call of Duty 1.4 (refer to q3infoboom too) (game)
    05 Sep 2004: adv

poc.htm
  • Quake 3 engine Cbuf_Execute commands execution universal proof-of-concept 0.1 (q3cbufexec)
    universal patcher which takes the original client executable of a game based on the Quake 3 engine and generates a new modified one which converts the ';' chars in the commands sent by the client to carriage-returns, for testing a vulnerability which allows executing the server's game commands through a malformed callvote.
    details of the vulnerability are available here and here.
    examples of malformed callvote commands to use from the console of the modified game executable:
    /callvote map "none;rconpassword empty"
    /callvote timelimit "123;rconpassword none"

poc.htm
    This proof-of-concept should run against all the games based on the Serious Sam engine using the TCP protocol. Serious Sam First and Second Encounter <= 1.05 are vulnerable (Second Encounter 1.07 is NOT vulnerable because it uses UDP)

  • Soldat permanent ban of a custom IP 0.1 (soldbanip)
    this simple proof-of-concept sends an incomplete spoofed UDP packet to join a server of the game called Soldat. The result is the permanent ban of the source IP (runs on GNU/Linux only)
    Remember to update the join packet because new game versions use different packets!


papers.htm
  • "experimental" web GUI: Gslist can be easily used through a web browser like any "classical" server browser, with the difference of being simpler to use and (optionally) supporting multiple users
  • can execute a program for each server of the list
  • filters for selecting only the servers with specific features like country, minimum/maximum number of players, maps, mods, type of game and so on
  • its list of supported games can be upgraded automatically (-u) or the database can be generated manually (-m/M)
  • can retrieve all the Gamespy Peerchat rooms "#GPG!" of a specific game (-R) which can be used with my GS peerchat IRC proxy
  • supports many options for redirecting and formatting its output so it can be used as back-end for any program or service

papers.htm
  • GS enctypeX servers list decoder/encoder 0.1.3b (enctypex_decoder)
    the algorithm used by ANY game for decrypting (and encrypting) the data from the Gamespy master server on ports 28900 (enctype 0, 1 and 2) and 28910 (enctype X).
    enctypeX in reality is not only an algorithm (technically a short version of that used for enctype1) but also a specific protocol for receiving various types of information from master servers like ut3pc.ms3.gamespy.com, battlefield2.ms3.gamespy.com, crysis.ms5.gamespy.com and many others for a total of 20 "ms" servers.
    from my tests with enctypeX it is possible to:

papers.htm
    the only complete usage example of this code and of the full protocol is available in Gslist; there is no additional documentation at the moment.
    for testing all the decryptions performed by enctypes 1, 2 and X with custom data (useful for programmers) it is possible to use the Enctype decoder/tester; it's also very good for anyone who wants to decrypt the encrypted data received from the Gamespy master server without programming a single line of the decryption code: call enctypedec.exe externally with the -l or -L option to do the job.

  • GS enctype2 servers list decoder/encoder 0.1.2 (enctype2_decoder)

papers.htm

  • GS natneg client 0.2 (gsnatneg)
    function for the implementation of the client-side Gamespy natneg protocol for joining servers behind a router or NAT.
    in short, by calling this function from a program it is possible to query and join any game server behind a router/NAT which uses this Gamespy natneg feature.

  • Gamespy NAT negotiation plugin for Proxocket 0.1 (gsnatneg_proxocket)

papers.htm
    and the original disassembled decoding algorithm.

  • HLkeycheck 0.1 (hlkeycheck)
    this little tool simply lets you know if a Half-Life CD-Key is locally valid (offline) or not.
    and this is the small piece of algorithm that does the check.


papers.htm

  • PunkBuster messenger 0.1 (pbmsgs)
    Note that EvenBalance has removed or limited this feature in almost all the games, so it is still possible to send some types of messages but not multiple messages at too short intervals from outside; read the updates of this advisory for info about the flooding performed in-game.
    tool for sending anonymous external messages to any server which uses PunkBuster like America's Army, the Battlefield series, the Call of Duty series, DOOM 3, Enemy Territory and QUAKE Wars, the F.E.A.R. series, Medal of Honor: Airborne, Prey, Quake III Arena, Quake 4, the Rainbow Six series, Return to Castle Wolfenstein, Soldier of Fortune II and many others.

  • Punkbuster master server file downloader 0.1.1 (pbmsdown)

papers.htm
    and the relative proof-of-concept.

  • SOF2keycheck 0.1 (sof2keycheck)
    this little tool simply lets you know if a Soldier of Fortune 2 cd-key is locally valid (offline) or not.
    and this is the small piece of algorithm that does the check.


papers.htm

  • Speed Challenge network encryption/decryption algorithm 0.2 (speed_challenge_net)
    this is the complete algorithm for the decryption and the encryption of the network data exchanged by this nice game.
    the algorithm also seems to be called CSimpleCrypt, but I have found no information about it or whether it is used in other games.



papers.htm

papers.htm
  • XWB/ZWB files unpacker 0.3.6 (unxwb)
    great tool for extracting the data contained in the Xbox files with the XWB, ZWB and WBA extensions and any other file which contains XWB archives.
    it works both from the GUI (double-click on unxwb.exe) and from the command-line, where it supports various options.
    it automatically recognizes the codec, frequency and channels of the audio files and adds the needed headers and extensions to try to make them ready to play with any player.
    the tool also has many options for the visualization of the files in the XWB archives, for the direct conversion of the files (executes a program for each one of them), direct stdout output and many debugging options.
    it also supports both little and big endian archives.

papers.htm

papers.htm

  • mmViewer mme dumper 0.1 (mmviewer_dumper)
    this is simply the original mmviewer.exe of mmViewer (version V110103) to which I added some binary code to convert it into a decrypter.
    launch mmdump.exe, select the mme file you want to decrypt and a file called x.z will be automatically generated in the same folder; rename it as you wish with a ZIP extension and open it normally.

  • OSRW anticheat logs decrypter 0.1.1 (osrwdec)

papers.htm
    the encryption algorithm used by the version of Molebox adopted in this game uses 16 bit code and is NOT compatible with the encryption used, for example, with the current trial version of Molebox (which looks more simple), so I don't know why there is this strange difference.
    instead the file format should be the same or similar for any Molebox version.
    the last argument of the command-line is the hexadecimal key that is located in the game's process near the ".BOX" signature.
    (this is exactly the tool previously called kepmboxext)

  • DefenseGrid dgp files hash calculator 0.2 (dgridhash)

papers.htm
  • decrypt lenc: ttarchext 55 c:\input_file.lenc c:\output_folder
  • encrypt lua: ttarchext -V 7 -e 0 55 c:\input_file.lua c:\output_folder
    remember that if you have modified only a couple of files (for example english.langdb and one or two images) you don't need to rebuild the whole archive: it's enough to build a new one called 0.ttarch containing ONLY the files you modified, it will be read by the game like a patch and will occupy only a minimal amount of space.
    note that the old versions of the TellTale games (so not those currently available on that website) are not supported because they use different encryptions and sometimes a different format, and being old versions they are NOT supported by me in any case.
    if the game uses version 7 or 8 and crashes when it uses the rebuilt package, try to rebuild the archive specifying the -x option.

papers.htm

papers.htm
    instead the ORC archives used in Might & Magic VI and Supernova don't need the list file.

  • orkdec filenames dumper 0.2 (orkdec_files)
    tool for loading the games which use the ORK archives and automatically dumping all the loaded filenames to a text file that can be used with orkdec for the subsequent extraction.
    compatible with any version and game (tested with Armies of Exigo and WarHammer Mark of Chaos, both demo and retail); remember to use no-cd executables since they are not encrypted.
    note that this is necessary only for the ORK archives, NOT the ORC ones.

papers.htm
    last update: 11 Aug 2013.

  • EAlist 0.1.5 (ealist)
    command-line servers browser based on the list of game servers provided by the Electronic Arts master servers commonly called fesl or theater, supporting various games for PC, Xbox 360 and PS3 like Battlefield Bad Company 2, Battlefield Heroes, the Need for Speed series, Skate and others for which no alternative listers exist.
    the usage of the tool is the same as gslist.
    to use the tool an EA account is necessary (any account or any EA game is ok for all the supported games); note that the needed account doesn't seem to be the one with the mail address as username... anyway if in doubt try it.

papers.htm

  • Live for Speed setups dumper 0.1 (lfsdumpsetups)
    decrypter of the setups received from the server, which allows saving the setups of the other players.
    in practice, in this game you can save the setup of another player only if he presses the "send setup" button (ss) near your nickname, but in reality this is not needed because the setup is already received from the server when you join and every time the other players change or modify their setup.
    as input the tool requires only the dumped TCP stream of the connection, which can be captured with a sniffer like Wireshark; a step-by-step example is shown at runtime.
    tested with Live for speed S2 Z.

papers.htm
    experimental tool/hooker for monitoring the reading and writing of the network protocol used in the BF2 and BF2142 games.
    in short there is a loader for the clients and one for the servers, which are compatible with both games and seemingly also with almost any known version.
    all you need to do is place bf2_sniff_client.exe, bf2_sniff_server.exe and bf2_sniff.dll in the folder of your game and launch the needed bf2_sniff_* executable, which will inject the dll in the loaded process (the loaders also allow you to decide the command and the dll to load in case you want to customize them without recompiling).
    all the bits read and written (received and sent) by your game will be automatically dumped in a text file which can be viewed and analyzed at any moment.
    if you want to understand the network protocol of this game engine, bf2_sniff will help a lot.


papers.htm

  • Qtracklist 0.1.1 (qtracklist)
    simple servers browser that uses the Qtracker master server. It also supports the option for executing specific programs for each IP.
    remember to check the following link periodically for possible updates to the games list:
    qtracklist.cfg (qtracklist)
    updated 13 Nov 2010 (corresponding to Qtracker 4.92)

papers.htm

papers.htm

quickbms.htm
  • support for tons of compression algorithms (over 700), even some proprietary ones
  • support for tons of hashing algorithms
  • support for other types of algorithms (like base64) and/or obfuscations (xor, rot and so on)
  • support for calling DLLs and raw dumped functions with almost any known calling convention
  • support for bit operations and switchable little/big endian
  • simple and dynamic language that allows many operations, reducing the percentage of archives and formats that can't be supported easily

quickbms.htm
    How to use:
  • for a graphical step-by-step check this page
  • dump the compressed data in a new file, maybe using a hex editor (you can call this file dump.dat)
  • create a new folder (for example c:\output_folder)
  • put comtype_scan2.bat, comtype_scan2.bms and quickbms.exe in the same folder

quickbms.htm
    crc_scan.bms (0.1.2a)
    How to use:
  • dump the data on which you want to calculate the checksum in a new file, maybe using a hex editor (you can call this file dump.dat)
  • from the command-line type:

quickbms.htm

quickbms.htm
  • Yeti Engine YBIG (*.big)
    Ghost Recon Online, Ghost Recon Phantoms
  • War Inc. Battle Zone r3dFS (*.bin)
    WarZ/Infestation, DeadZ, StargateZ, SurvivalMMO, ApocalypseEnd, DevilZ, FightZ, InfestationMMO, WillYouSurvive, ForsakenZ, InfectionZ, InfectZ, StrongZ, Infestation Thailand and any other fan-made server and content
  • ZIP files (zip.bms)
    complete and very useful even with special zip archives like those of Xbox 360 (Forza Motorsport) or those protected with strange passwords that can't be copy&pasted
  • ZIP files (alternative way)
    gets the end-of-directory record and parses the central directory. currently this method is automatically implemented in the previous script
  • Xenesis File System (*.xfs)
    Wolf Team and maybe other AeriaGames titles

fakep.htm
  • DirectPlay 8 Fake Players DoS 0.1.3 (dplay8fp)
    this is a fake players proof-of-concept which works with any game that uses DirectPlay 8.
    that version of DirectPlay is used by various games (DirectX 8/9, the older ones use DirectPlay 7) which can be easily recognized by the dpnsvr.exe process and/or the UDP port 6073 in listening mode when the server is running.
    it uses some files (called join_files) needed for each specific game because, except for some of them, many games use particular parameters in the join packet which sometimes change even between different game versions.
    read the text file inside for all the needed information, details and examples.
    latest dp8games package: 30 Aug 2005

fakep.htm

  • Quake 3 engine fake players DoS 0.4.4e (q3fill)
    compatible with any game based on the Quake 3 engine (id Tech 3), like:
    - Call of Duty 1, UO, 2 and 4 (5/waw is supported if the correct server hash is supplied with -d)
    - Quake III Arena
    - Return to Castle Wolfenstein

fakep.htm
    - Star Wars Jedi Knight: Jedi Academy
    - Wolfenstein: Enemy Territory (2.60 too but requires a bit of practice, use -B ? for the info)
    - others
    the tool can also be used to test the so called "q3unban" bug automatically, which allows a client on a banned IP address to join the server.
    there is also support for servers which require online authentication (like a valid online cdkey), but only Quake 3 Arena has been supported and tested.


mytoolz.htm
  • Offbreak 0.3.4 (offbreak)
    tool for monitoring the offsets of specific files read and written by a target program and breaking its execution to debug it.
    Offbreak can set an INT3, set a hardware or software breakpoint, automatically attach the system debugger and display a MessageBox when the monitored files and offsets are handled by the target.
    to make debugging easier, Offbreak sets some registers to show the buffer containing the data read/written, the amount of bytes in the operation, the name of the API and the full name of the file.
    additional information is available at runtime.

mytoolz.htm
    - remove initial/final silence
    support for single wav file or a whole folder (that's how I cleaned all my collection)

  • x86 32bit calling conventions 0.2.2a (calling_conventions)
    set of wrapping functions for being able to use dumped functions that use particular calling conventions not available or not easy to implement in one's own compiler.
    for example the stdcall and cdecl conventions are supported natively in almost any compiler but the others aren't, and this is where this wrapper becomes useful.

mytoolz.htm

  • Executable's strings lister and replacer 0.2.3a (exestringz)
    this tool has the main purpose of finding any ASCII and unicode string inside PE and ELF executables with the possibility of modifying them using any external text editor and re-injecting them in the original executable.
    technically the finding of the strings works in the following way: it disassembles all the executable sections of the input file (like .text, only x86 32 bit supported) and visualizes any string or any array of strings, so any instruction like push "string" or mov eax, "string" or mov eax, "[4*edx+array]" and so on is handled perfectly.
    instead the injection of the modified strings back into the executable (ELF not supported) is performed by adding a new "stringz" section which contains all the new strings and substituting all the pointers to those strings collected in the "finding" operation with the new ones (relocation).
    the tool can also be used as a quick and advanced strings program (like the one available on *nix) with the difference that the strings found by exestringz are not random but are found and confirmed by the disassembled code, avoiding false positives.

mytoolz.htm

  • Bynaryo 0.1 (bynaryo)
    tool for converting binary strings to ASCII or to numbers of 8, 16, 32 and 64 bits (both big and little endian) and vice versa, for example for converting "hello" into 0110100001100101011011000110110001101111 and then back into "hello".
    the tool is able to recognize the input automatically and so chooses the needed conversion; anyway there are various options available which allow you to force a specific conversion, use a file as input or output, choose whether the input/output is a hex or decimal number or an ASCII char and do the hex dump of the output.

  • hosts file/list DNS checker 0.1 (hostsdns)

mytoolz.htm

  • BDE64 0.2.3 (bde64)
    quick tool which performs base64 decoding and encoding.
    supports both stdin and stdout, automatic hex dump visualization if no output file has been specified, Gamespy base64 decoding, HTTP URL base64 decoding (%) and automatically ignores spaces, bad chars and uuencode's begin (like begin-base64 644 file).

  • Lanfile 0.1.6 (lanfile)

mytoolz.htm

  • sendto_spoof.h 0.1.2 (sendto_spoof)
    a sendto() replacement which automatically enables the spoofing of the UDP packets in any existing program.
    compatible with both Windows and other operating systems and little/big endian CPU.
    read the header of the file for all the needed information.

pwdrec.htm
    decrypts the previousPW password in config.ini (1.500)

  • TrendMicro passwords decrypter 0.1.2 (trendmicropwd)
    automatically decrypts any password in the input file or the encrypted string passed as first parameter.
    it supports !CRYPT!, !CRYPTEX!, !CRYPTEX3! and the PWD.DLL!PWDDecrypt strings.
    as far as I know this type of encryption is used mainly in OfficeScan but probably in other products too (8.0)

pwdrec.htm
    decrypts the passwords stored in the local ClientRegistry.blob file and the ConnectCache cookies in the registry.
    remember that Steam uses a unique key to encrypt the password, so if you have reinstalled your Windows you might not be able to recover it; the only exception is Vista, where the key is usually always the same due to some technical reasons.
    it also works from the command-line, allowing you to pass directly the encrypted password and the needed key.
    the tool automatically tests the NoMachineSpecificPassphraseAvailable key if the provided/calculated one is wrong (1.0.0.0)

  • Winzip wjf xflags password decrypter 0.1 (wjfdec)

testz.htm
    I have decided to release it publicly because I no longer use it, read aluigifuzz.txt for additional information and examples.

  • ATInfo 0.1 (atinfo)
    simple tool for calling all the APIs provided by the ATI SDK for their graphic cards.

  • UDPSZ 0.3.4 (udpsz)

testz.htm

  • Webservers char tester 0.1.1 (webtestchr)
    a simple tool which has been very useful in all this time for the blind and quick testing of some vulnerabilities in software that uses the HTTP protocol.
    in practice it scans all the 255 ASCII chars and puts them in some particular locations of the URI, like before and after the slash or at the end of the URI and so on.
    usually the types of vulnerabilities which can be tested through this method are source disclosure (like for php and cgi files), security bypass (like folders or files which require specific rights or a password), possible exceptions and others, all dependent on the program to test.
    one of the recent advisories in which this tool was helpful was the source disclosure in Ruby WEBrick.

testz.htm
  • loDNS 0.1.1 (lodns)
    simple tool I wrote for my tests which emulates a basic DNS server, logs all the hostnames in the received requests and then replies with a fixed IP address (A type).
    it uses 127.0.0.1 as the default IP address to which the hostnames are resolved, but it can be changed at the command-line; if the IP 0.0.0.0 is used the tool will not reply (monitoring only), while if you use 255.255.255.255 it will act like a proxy.
    it's a good way of resolving unknown hostnames locally while testing a program; you only need to set 127.0.0.1 as primary DNS and launch loDNS.

  • TFTP server tester 0.2a (tftpx)

testz.htm

  • ut2003fits 0.1 (ut2003fits)
    UT2003 fake information test server: this tool can be used to send custom information to the clients that search for multiplayer games (very funny if used when the real UT2003 server is running).
    this simple tool can be used in a lot of ways. For example if you launch UT2003heartbeat and then UT2003fits you will see all the players that are online, because every player that goes in the multiplayer section of UT2003 will automatically request information from all the available servers, and you can log all these players (for example for statistical purposes).

  • Half-Life testing server 0.1.2 (hlts)
