Luigi Auriemma

me@aluigi.org


News
QuickBMS
Research
MyToolz
Advisories
Proof-of-concepts
Fake_players_bug
Patches
Password_recovery
MyMusic
TestingToolz
About...
RSS_feeds
Amiga_ADF
Forum
aluigi.org
mirror.aluigi.org
twitter
RESEARCH

Various research stuff for various software: algorithms, protocols, formats, documentation and more.
read here if you don't know how to use my stuff and tips for their recompiling



Sections:

QuickBMS:

now it has its own homepage.


Gslist:

  • Gslist 0.8.11a (gslist)
    Gslist is a game servers browser supporting an incredible amount of games (over 4000) for many different platforms like PC, Wii, Playstation and more.
    it can work in both command-line and an experimental web GUI mode, for this reason it's mainly designed for server admins, websites, advanced gamers and testers.
    in short a game server browser is a tool that retrieves the full list of servers (IP and port) of a specific game like Battlefield, Crysis, Unreal and so on.

    features:
    • tons of games supported and for various platforms: PC, Xbox360, Mac, Playstation 2, Playstation 3, PSP, Nintendo DS, Nintendo Wii, Dreamcast, iPhone and more
    • "experimental" web GUI: Gslist can be easily used through a web browser like any "classical" server browser but with the difference of being more simple to use and (optionally) supporting multiple users
    • can execute a program for each server of the list
    • filters for selecting only the servers with specific features like country, minimum/maximum number of players, maps, mods, type of game and so on
    • its list of supported games can be upgraded automatically (-u) or generate the database manually (-m/M)
    • can retrieve all the Gamespy Peerchat rooms "#GPG!" of a specific game (-R) which can be used with my GS peerchat IRC proxy
    • supports many options for redirecting and formatting its output so it can be used as back-end for any program or service
    • supports different types of queries for retrieving information from the servers and with -X is possible to receive these information directly from the master server without sending additional packets
    • optimized for speed and resources
    • experimental SQL option for dumping all the servers information in a SQL database
    • can send hearbeats for adding the own IP in the servers list
    • various other commands, options and customizations

    screenshots:
    video:
    read the text file inside the package for detailed information.
    note: you need zlib, GeoIP and the mysql libraries to compile it on Linux: apt-get install zlib1g zlib1g-dev libgeoip1 libgeoip-dev libmysqlclient15-dev.

  • Miscellaneous configuration files (NOT necessary for Gslist):
    gslist.cfg  gshkeys.txt  full.cfg  detection.cfg  gsfilters.htm (useful)

    note that all the entries in gslist.cfg come from Gamespy so I have no control over them.
    some entries (starting from about 2009) are listed but don't exist on the master server because these names are used by Gamespy probably for other things, like the case of battlefieldbadco2.



GameSpy:

  • Cd-key SDK and verification:

    • GSHsniff 0.3 (gshsniff)
      sniffer that checks any UDP packet from master.gamespy.com or another server of your choice and decodes the packets encoded with the "XOR gamespy" method.
      these packets are those of the games that use the Gamespy SDK for authenticating cdkeys and to know if a player is already playing in a server and other stuff.
      they are usually sent to port 29910 of the master server and contain commands like \auth\.

    • Online cd-key verifier for games that use the Gamespy cd-key SDK 0.1.2a (gskeycheck)
      very interesting tool that verifies if the cd-key of a specific game is valid online or is already in use or has other problems.
      the technique used by the tool is very simple, it does the same operations performed by the game servers when they receive a new connection from a client which passes its hashed cdkey for being authorized with the Gamespy master server. it could be useful to know immediately if an old key is still valid or if there are more detailed errors if it no longer works online.
      the supported games are all those that use the Gamespy cd-key SDK like Battlefield 1942, Battlefield2, Halo, Painkiller, Star Wars Battlefront and many others listed in that document.
      read the text file inside.

    • Explanation of the authentication method used by the Gamespy CD-Key SDK 0.1 (gskey-auth)

    • GS key challenge builder 0.1 (gskeychall)
      function needed to build the authorization string that must be sent to the game servers running the games that use the Gamespy authorization.
      it is also a practical example of the first part of the above "gskey-auth" document.
      here is available a simple usage example.

    • GSHinfo 0.1.2 (gshinfo)
      this tool is able to send all the 4 available queries uok, unok, ison and ucount to any game server which uses the Gamespy CD-Key SDK.
      these "hidden" queries are handled by the game servers to know if a specific player/cdkey is playing in a server or how many authorized players are playing in it.

    • explanation of the hidden functions and commands that are used in the Gamespy cd-key SDK implemented in various games (read the third section): english and italian.

    • Partial list of games that use the Gamespy cd-key SDK (gshlist)
      contains all the games of which I'm aware that use the Gamespy cd-key SDK, they are divided in 2 categories: those supporting the hidden queries (uok, unok, ison, ucount) and the rest that don't seem to support them directly.

  • Gsmsalg and enctype:

    • GS enctypeX servers list decoder/encoder 0.1.3b (enctypex_decoder)
      the algorithm used by ANY game for decrypting (and encrypting) the data from the Gamespy master server on ports 28900 (enctype 0, 1 and 2) and 28910 (enctype X).
      enctypeX in reality is not only an algorithm (technically a short version of that used for enctype1) but also a specific protocol for receiving various types of information from master servers like ut3pc.ms3.gamespy.com, battlefield2.ms3.gamespy.com, crysis.ms5.gamespy.com and many others for a total of 20 "ms" servers.
      from my tests with enctypeX is possible to:
      • receive the list of online servers of a specific game, including they external and internal (if via NAT) IP addresses and ports
      • receive NAT information about servers behind router/NAT
      • receive the details of each server directly from the master server which means that is not needed to query them because we already have all the needed information (gamename, gamemode, gametype, mapname, numplayers, maxplayers and so on)
      • receive the above details with or without the filtering of colors, non alphabetic chars and html/sql escape chars
      • receive the list of the Gamespy Peerchat IRC channels assigned to a specific game (for example #GPG!765 for Tony Hawk's Underground 2 PC)
      • encrypt a server list and so building the own customized LAN master server compatible with ALL the games which use the Gamespy one natively
      • many advantages than the old enctype methods
      the algorithm is also big endian compatible (so works on PPC too) and is designed for real-time decrypting so the data can be decrypted on the fly during the receiving.
      other than the main decryption/encryption code my set of functions includes also:
      • the one which generates the right ms.gamespy.com hostname to contact which is gamename dependent
      • a function which creates a random id/validate string
      • a multi purpose function which can:
        • tell the main program when the data received by the master server is terminated, because the master server doesn't close the connection (it's in keep-alive mode) so it sends only a marker for the defining the end of the data
        • create an IP:port list (4 bytes:2 bytes) from the received data which is more easy to handle from the main program
        • collect all the additional servers information in a text format like "IP:port \parameter\value\...\parameterN\valueN"
      the only complete usage example of this code and the full protocol is available in Gslist, there is no additional documentation at the moment.
      for testing all the decryptions perfomed by enctypes 1, 2 and X with custom data (useful for programmers) is possible to use the Enctype decoder/tester, it's very good also for who wants to decrypt the encrypted data received from the Gamespy master server without programming a single line of the decryption code: call enctypedec.exe externally with the -l or -L option for doing the job.

    • GS enctype2 servers list decoder/encoder 0.1.2 (enctype2_decoder)
      algorithm for decrypting and encrypting the servers list coming from the Gamespy master server encrypted with the enctype 2 method.
      this enctype was used only by the old RogerWilco application.

    • GS enctype1 servers list decoder 0.1a (enctype1_decoder)
      algorithm for decrypting the servers list coming from the Gamespy master server encrypted with the enctype 1 method.
      this enctype was used only by the old Gamespy 3d application and is the most complex of all the various enctypes.

    • Gsmsalg 0.3.3 (gsmsalg)
      this algorithm is an emulation of the one used by the Gamespy master server for handling the "secure" parameter sent by these servers.
      my implementation supports enctype 0, 1 and 2 (X doesn't use it) and can be used also for calculating the needed challenge-response string for the Gamespy Firewall probe packet and the heartbeat (the sending of a couple of UDP packets to port 27900 for allowing our IP:port to be added in the list of servers of a specific game, uses enctype 0).
      all the information are in the header of the code.

    • third party ports to other languages:
      the following is the list of ports of some of the gsmsalg and enctype 1, 2 or X code to other languages made by various people:
      - vb.net port of enctype X by NMGod
      - VB, C# and PHP port of enctype 2 by Tras, FordGT90Concept and UltimateSniper
      - Mirc script port of enctype 2 and master server query code by SkorpSSS
      - old PHP port (32bit systems only!) of enctype 1/2 by jan0 and the fixed 64bit compatible version by Atako

  • Peerchat:

    • GS peerchat IRC proxy 0.3.3b (peerchat_irc)
      useful tool that allows to use any IRC client to join the peerchat.gamespy.com chat server.
      indeed peerchat.gamespy.com is only a classical IRC server which uses a simple encryption (watch gs_peerchat), so this multi-client proxy gets the connection from the local IRC client and decrypts/encrypts the data in a completely transparent way:
      IRC client -> peerchat_irc -> peerchat.gamespy.com
      read the text file inside for additional information and options.
      use "gslist -R -n GAMENAME" (where gamename can be any of the games listed in "gslist -l") to retrieve the peerchat channels of a specific game.

    • GS Peerchat sniffer and decrypter 0.2 (peerchat_sniffer)
      the title already explains everything, it does the same job of "peerchat_proxy" but without the boring steps needed for using that tool.
      the only downside is that handling TCP connection through sniffing is not so easy so in some cases after some time the collected data could be visualized corrupted.
      both winpcap and gslist.cfg are needed.

    • GS peerchat server emulator 0.1.3b (peerchat_server)
      this proxy server transforms any normal IRC server in a Peerchat server.
      it works in a similar way to peerchat_irc but does the opposite job, so the clients of a game which use the Peerchat server can connect to a classical local or remote IRC server:
      game client -> peerchat_server -> IRC server
      the file gslist.cfg must be in the same folder of the tool and naturally is required an IRC server where connecting the players.
      obviously the players need to force the connection of their game clients to the peerchat_server IP, a classical way is modifying the hosts file as explained in the guide of the tool.
      read the text file inside.

    • Peerchat IP decoder/encoder 0.3 (peerchat_ip)
      tool for decoding and encoding the IP addresses of the users on the Peerchat server, visible with the classical /whois command (like X19s4Fp1DX).
      the tool can decode and encode also the IP addresses in the users channels/rooms (like #GSP!gamename!MD9NqJlJJM).
      for the room names decoding/encoding are needed other two parameters: a 0 (it could be the user's ID) and the server's port.

    • Peerchat IP encoding/decoding algorithm 0.2 (peerchat_ip)
      the algorithm needed to decode and encode the Peerchat IP addresses visible with the IRC "whois" command inside the Peerchat server (through peerchat_irc).
      it supports also the decoding of the IP addresses associated to the users rooms as written in the previous description.

    • GS Peerchat proxy decrypter 0.3a (peerchat_proxy)
      a proxy utility useful for debugging.
      it decrypts and dumps in a log file all the commands sent and received by the games that use the Gamespy Peerchat server like example Gamespy Arcade and various other games like Tony Hawk Underground 1/2, Race Driver 1/2, all the Command and Conquer series, WarHammer and so on.
      read the text file inside.

    • GS peerchat encryption/decryption algorithm 0.2a (gs_peerchat)
      algorithm for the encryption/decryption of the Gamespy Peerchat data.

  • Protocols:

    • GS passenc/passwordenc decrypter/encrypter 0.1 (gspassenc)
      quick tool for decrypting and encrypting the passenc and passwordenc fields used for creating new users on Gamespy through the protocol used on gpcm.gamespy.com:29900 with the \newuser\ command.
      example: gspassenc e mypassword
      example: gspassenc d e4uEk1iom8MLaw__

    • GS natneg client 0.2 (gsnatneg)
      function for the implementation of the client-side Gamespy natneg protocol for joining servers behind router or NAT.
      in short with the calling of this function in a program is possible to query and join any game server behind router/NAT which uses this Gamespy natneg feature.

    • Gamespy NAT negotiation plugin for Proxocket 0.1 (gsnatneg_proxocket)
      plugin for Proxocket for automatically applying the Gamespy NAT negotiation to existent tools.

    • GS login checker 0.1 (gslogincheck)
      simple tool which checks if a Gamespy account (username and password) is valid.
      naturally this works for the accounts created with and for any software and game which uses the Gamespy login (gpcm.gamespy.com:29900) like Gamespy Arcade, Battlefield 2 and so on.

    • GS login server emulator 0.2.3b (gs_login_server)
      quick and easy-to-use project for emulating a Gamespy login and stats server (gpcm, gpsp and gamestats) which works with any game that uses these protocols like Battlefield 2.
      it can be useful in LAN parties and indeed this tool is very used in Battlefield 2 just for this reason, in retro-gaming projects (the idea started for PBA2001 for Dreamcast) and for using custom nicknames online without having an account (should work with any of these games, tested Race Driver 2 and Battlefield 2).
      note that this tool is databaseless just because its job is only that of allowing the clients (any client) to "think" to be online and joining with any nickname and a fixed password (needed for technical reasons), so this is NOT a project for creating a real set of servers where users can interact with other users.
      read the text file for some details.
      Third-party projects:

    • Gsstats 0.1 (gsstats)
      retrieves the online player statistics of the games that use the Gamespy accounts to play online like Ground Control II, the Command and Conquer series and various others.
      remember to use also the Gsplayers tool and gslist.cfg to retrieve the needed profile IDs, the gamenames and the gamekeys.

    • gs_sesskey \authp\ resp 0.1 (gs_sesskey)
      simple function to calculate the needed text string from \sesskey\ (port 29920).

    • gs_chresp_num \auth\ response 0.1 (gs_chresp_num)
      simple function to calculate the needed number from \challenge\ (port 29920).

    • GSPlayers 0.1.1a (gsplayers)
      a simple and interesting tool for searching all the users that have a Gamespy account through their nickname, email, first/last name or ICQ UIN, then finds also all the people in the buddy list of a specific user and what online users have a specific game installed.
      the PIDs are available in gspids.txt.
      the updated detection.cfg file necessary to the tool can be downloaded directly from the Gamespy webserver, remember to rename it correctly.

    • Gs auth 29920 sniff 0.1 (gs29920sniff)
      a simple "old" sniffer that decodes any TCP connection versus the port 29920 of any host or one specified by the user. An example of game that uses this metod is Ground Control II.
      the data in the connection to that port are XORed with the string "GameSpy3D".

    • GS login response calculator 0.1.1 (gslogincalc)
      an example program that shows how to build the response string for gpcm.gamespy.com:29900.
      for another better and more complete example take a look to the above GS login checker tool.


  • Full list of multiplayer games and their PIDs on Gamespy (gspids)
    useful for the stats, for cd-key verification and probably more.
    rarely updated

  • GS SDK challenge-response algorithm 0.1 (gssdkcr)
    the challenge-response algorithm used by some of the games that use the Gamespy SDK for the initial handshake between client and server.
    some of these games are Halo, Soldier of Anarchy and Warhammer 40000 Dawn of War and others.

  • Master server disconnection: game servers can be removed from the online master server list using one spoofed packet 0.1 (gsmsdisc)
    a quick and short document that can be applied to ANY master server that uses unchecked UDP heartbeat packets.
    at the moment I don't know if this technique/bug is still active.

  • GS master server disconnector 0.1.2 (gsmsdisc)
    proof-of-concept of the above document for the games that use the Gamespy master server.
    successfully tested on Windows XP SP2 as admin and Linux as root, compatibility on other Windows is not guaranteed.
    unsupported

  • 2003's responses to Gamespy:



All Seeing Eye:

  • ASE UDP tracker packet sender 0.1 (asetracker)
    simple example tool which emulates the method used by ASE to join and leave tracker.udpsoft.com:27246 specifying the MotdIdLo, MotdIdHi and UserID values.

  • ASE UDP packets decoder 0.1 (aseudpdec)
    some lines of code for decoding any UDP packet that ASE sends and receives from the scanners, the tracker and the other servers.
    the packet to decode must be passed to the tool as a file containing its content.

  • All Seeing Eye UDP packets decoding/encoding algorithm 0.1 (ase_udp_decenc)
    the algorithm used to decode and encode the UDP packets sent and received from the various ASE servers.

  • ASE Ping 0.1.2 (aseping)
    simple tool to see remote servers information using the All-Seeing-Eye ping packet, used in games which support this protocol like Chrome, Purge and so on.
    this tool doesn't support the handling of multiple ping replies (I'm too lazy).

  • All Seeing Eye 'v' ping (aka scanner) algorithm 0.1 (ase_v_algo)
    the C algorithm used by some game servers (like Chrome and IGI2) supporting the ASE 'v' ping type that seems related to scanner servers.
    this type of ping doesn't seem to have any real practical and useful usage however it could be interesting for someone.
    more information inside the file.

  • OpenSource ASE Query SDK 0.1 (asequery_os_sdk)
    an opensource clone that emulates the ASE Query SDK Demo.
    all the information about how it works are naturally in the source code and in the documentation available in the original SDK from Udpsoft.
    currently the ASEQuery_status function works but is not fully complete.
    unsupported



COGS Gamearena:

  • COGS Gamearena IRC proxy 0.2.2a (cogs_irc)
    this tool acts as a proxy server that lets to use any IRC client to join the COGS chat on thearena-chat.gamearena.com.au:4445.
    note: if a channel requires a key, try with cogs, example: /join #quake4demo cogs
    read the text file inside.

  • COGS Gamearena IRC challenge algorithm 0.1 (cogs_irc_chall)
    this function is able to generate the needed CRYP response to send back to the COGS IRC server.

  • COGS Gamearena challenge algorithm 0.1.2 (cogs_chall)
    the algorithm for the calculation of the challenge response to send to the COGS server.



DirectPlay:



gMotor2:



Half-Life:

  • Half-life DLL decrypter and rebuilder 0.2 (hldlldec)
    a decrypter and PE rebuilder for the Half-life encrypted DLLs like sw.dll, hw.dll and some client.dll (like that one of tfc16).
    note that although the generated dll is correct seems to exist some checks in it or something similar which avoid the usage of the decrypted dll instead of the encrypted one, for example the game will load correctly but will crash at the multiplayer menu.
    so the main purpose is to analyze the clear dll.

  • Half-Life packets decoder sniffer 0.1.3 (hldec)
    tool (for both Win and Linux) for sniffing and decode the Half-Life packets on the fly. (Needs Winpcap on Windows) (note: Steam versions of the game now seems to use different methods or also compression).
    and the original disassembled encoding algorithm.

  • Half-Life packets encoding function 0.1.2 (hlenc)
    function for encoding the Half-Life packets (note: Steam versions of the game now seems to use different methods or also compression).

  • Half-Life packets decoding function 0.1.2 (hldec)
    function for decoding the for Half-Life packets (note: Steam versions of the game now seems to use different methods or also compression).
    and the original disassembled decoding algorithm.

  • HLkeycheck 0.1 (hlkeycheck)
    this little tool simply lets you to know if a Half-Life CD-Key is locally valid (offline) or not.
    and this is the small piece of algorithm that does the check.



Halo:

  • Halo proxy data decrypter 0.1.2 (haloproxy)
    proxy server that sits between a client and a server and decrypts all the exchanged packets in real-time.
    the plain-text data in the Halo packets is stored in bitstream format but this tool decrypts only the packets (it's a decrypter, not a parser) and the main bitstream block, you must get the rest of the data manually.

  • Halo packets decryption/encryption algorithm and keys builder 0.1.3 (halo_pck_algo)
    the asymmetric encryption algorithm used by the game Halo.
    this is a set of functions for handling the packets of this game (TEA algorithm), the keys needed to decrypt and encrypt them and the CRC at the end of each packet.

  • Halo PC music extractor and concatenator 0.2 (halomus)
    a simple tool for the fans of the music of the game Halo.
    it extracts all the pieces of music files from sounds.map and concatenate them. The output folder will contain about 60 megabytes of music.



PunkBuster:

  • Battlefield 2/2142 cdkey to PunkBuster GUID 0.1.1 (bf2guid)
    quick tool for calculating the PB GUID from any cdkey of these two games and others like Crysis and so on.
    for the other games is possible to use my Cdkey to Punkbuster GUID tester tool which is a testing tool for guessing the needed seeds and testing various combinations of seeds.

  • PunkBuster messenger 0.1 (pbmsgs)
    Note that EvenBalance has removed or limited such feature in almost all the games, so is still possible to send some types of messages but not multiple messages at too short intervals from outside, read the updates of this advisory for info about the flooding performed in-game.
    tool for sending anonymous external messages to any server which uses PunkBuster like America's Army, the Battlefield series, the Call of Duty series, DOOM 3, Enemy Territory and QUAKE Wars, the F.E.A.R. series, Medal of Honor: Airborne, Prey, Quake III Arena, Quake 4, the Rainbow Six series, Return to Castle Wolfenstein, Soldier of Fortune II and many others.

  • Punkbuster master server file downloader 0.1.1 (pbmsdown)
    a not so useful tool for downloading pbpat.1, pbsec.cl, pbsec.sv, pbq.4, pbq.5, htm\* and possibly other files for the games which use PunkBuster.

  • PunkBuster online GUID checker 0.1.16 (pbguidcheck)
    this tool verifies if a specific game GUID or list of GUIDs has been banned by PunkBuster.
    the list of GUIDs can be a classical sequence of GUIDs "one per line" or the html or txt/pbbans.dat version of the PunkBusted Master Ban Lists (the one selectable via Download).
    the result of the checks can be dumped in a file through the classical command-line redirection (> dump.txt).



Quake 3 engine:

  • Quakelive xmpp.quakelive.com password retriever 0.1.1 (quakelivexmpp)
    a basic tool and a text file which describe how to get the session password needed to use the own Quake Live account on the jabber/xmpp service of xmpp.quakelive.com from outside the game, so using any normal client supporting this open protocol (for example Pidgin):
    - Username: your username
    - Domain/server: xmpp.quakelive.com
    - Resource: quakelive
    - Password: the XAID password got with this tool/method

  • QuakeLive beta files decoder 0.1 (quakelivedec)
    simple decoder/encoder for the PK3 files of QuakeLive beta.

  • Multi engine RCON tool and password guesser 0.2.3d (multircon)
    useful tool, previously known as q3rcon, for sending RCON commands to servers which use different engines and support RCON (remote administration).
    currently it supports the Quake 3, Medal of Honor, Half-Life, IGI2, Doom 3 and Quake 2 engines (so not only these games but all the others derived by them too).
    the tool contains tons of options and features and also some password guessing functions which include brute forcing and wordlists.
    note about the password guessing function: some engines (quake 3) use an anti password guessing check (or is it a NT/XP workaround???) which allows only max two rcon commands at second and exist many reasons that can avoid to find the right password: packet lost, timeout, the previously mentioned check, possible firewall protections and more, without considering that could be needed months for a good scanning.
    this feature has been added only as proof-of-concept and not as a certain way for recovering the remote password.
    many people ask me how to use the password guessing function of this tool, the following are some examples:
    - password guessing using passwords of max 8 chars and with all the possible alphanumeric: multircon -i -b 8 azAZ09 SERVER PORT
    - recover an old password: multircon -i -B OLDPWD -b 8 azAZ09 SERVER PORT
    - wordlist: multircon -i -w WORDLIST.txt SERVER PORT
    - rcon DoS: multircon -x -i -b 10 09AZaz -d 100 SERVER PORT

  • Quake 3 engine cd-key to GUID 0.2 (q3key2guid)
    calculates the GUID ("cl_guid") of a Quake 3 cd-key.

  • Quake 3 engine GUID MD5 0.1 (q3_guid)
    the md5_init() modification used to calculate the cl_guid hash of cd-key (that contained in "cl_guid").

  • Online cd-key checker for Quake III 0.2.1 (q3onlinekeycheck)
    checks if your cd-key is valid offline and also online, in fact it simply contacts the server authorize.quake3arena.com and waits for a response.
    this new version has also a function letting you to use a text file containing all the keys you want to check (a key for each line) and if a key seems valid the program rechecks it to avoid false positives.

  • Quake 3 engine huffman algorithm 0.3 (q3huff)
    simple version of the Quake 3 huffman algorithm, ALL the code is from huffman.c of the Quake 3 1.32 GPL source code.
    I have only modified some variables and the prototype of the decompressing and compressing functions for a faster and simpler usage. An usage example is here.

  • How to disconnect a Quake 3 engine client using a single spoofed packet of at least 4 bytes (q3noclient)
    and the relative proof-of-concept.

  • SOF2keycheck 0.1 (sof2keycheck)
    this little tool simply lets you to know if a Soldier of Fortune 2 cd-key is locally valid (offline) or not.
    and this is the small piece of algorithm that does the check.

  • Q3keycheck 0.1 (q3keycheck)
    this little tool simply lets you to know if a Quake 3 CD-Key is valid or not locally (offline).
    and this is the small piece of the algorithm used for the check.



Race Driver (Codemasters):



Speed Challenge - Jacques Villeneuve's Racing Vision:

  • Speed Challenge proxy data decrypter 0.1 (scproxy)
    proxy server that decrypts any data exchanged between client and server.
    launch the server, launch this proxy tool specifying the IP and port of the server and another port to which you must connect your client and all the packets which will pass through it will be decrypted and displayed in real-time.
    example: scproxy 127.0.0.1 19800 1234

  • Speed Challenge network data checksum 0.1 (speed_challenge_net_cksum)
    the checksum algorithm used for calculating the big-endian 16 bits number at the beginning of each network data block.

  • Speed Challenge files decoder 0.1 (scfdec)
    decodes the files of the game like material.cfg and others.
    these decoded files can be modified and used without the need of reencoding them because the game can read them.

  • Speed Challenge network encryption/decryption algorithm 0.2 (speed_challenge_net)
    this is the complete algorithm for the decryption and the encryption of the network data exchanged by this nice game.
    the algorithm seems called also CSimpleCrypt, but I have found no information about it or if it is used in other games.



Steam:

  • steamuserip 0.1 (steamuserip)
    proof-of-concept that uses the P2P networking API to get the LAN and Internet IP addresses of any user when playing some games on Steam.
    very good results with DOTA2: steamuserip 570 7656119**********.
    additional information are available in the relative thread on the forum.

  • steamlobbylist 0.1 (steamlobbylist)
    retrieves all the remote lobbies of a game, or all your installed games or a range of games defined by their appID.

  • steamfilelist 0.1 (steamfilelist)
    lists and optionally downloads all the files located on the remoteStorage of a game, or all your installed games or a range of games defined by their appID.

  • Steamlist 0.1a (steamlist)
    simple servers browser that contacts the Steam master server.
    it supports also the option for executing specific commands or programs for each IP.
    please note that this is an old tool.



Ubi.com (aka GS4/Game Service/GamingZone):



Unreal engine:

  • Unreal engine packets plugin for sudppipe 0.2.2 (unreal_sudp)
    plugin for sudppipe which displays (and allows to edit) the content of the channels 1 and 3 of the packets of the games based on the Unreal engine:
    sudppipe -l unreal_sudp.dll SERVER 7777 1234
    then from the console of the game (~ key) type: open 127.0.0.1:1234


  • Unreal engine basic client and Fake Players DoS (unrealfp)
    link to the experimental client emulator tool available in the Fake Players section.
    it allows to send custom "control" commands to the servers based on the Unreal engine.

  • UMOD CRC calculation 0.2 (umodcrc)
    C header file containing the function to easily calculate the 32bit checksum of the umod package files, accepts filename or file descriptor as input.

  • UMOD file format 0.2.1 (umod)
    simple document containing the structure of the umod files.

  • UMOD extractor 0.3.3 (umodext)
    extracts all the files contained in the umod package files used by the Unreal engine based games (like UT, UT2003, UT2004 and so on). There are a lot of useful options and an automatic umod checksum calculator and fixer.

  • UnrIndex 0.1a (unrindex)
    old and simple tool which converts the numbers into the index type numbers used by the Unreal engine and viceversa.

  • Very very quick and practical explanation to the UnrealTournament 2003 heartbeat method 0.1.2 (ut2003ms)
    this document is an explained step by step about the authentication method used on the Unreal Tournament 2003 and 2004 master server (but with different server names).



Ventrilo:

  • Ventrilo port 5000 packet decoder 0.1 (vent5000dec)
    decoder for the packets sent to/from port 5000, a typical example are those for update.ventrilo.com and proinfo.ventrilo.com.

  • ventrilo3_handshake 0.3 (ventrilo3_handshake)
    set of functions for handling the centralized handshakes and the scrambled in-game keys used in Ventrilo 3.x.

  • Ventrilo RCon tool 0.2.9a (ventrcon)
    useful tool for sending rcon commands (both interactively and one-only) to Ventrilo servers.
    it contains also some custom commands which are /chan and /subchan for creating, deleting and listing all the available channels on the server and /user for creating new users.
    other options cover the possibility of executing all the commands in a file or sending commands through a local pipe file and various debugging functions.
    supports all the Ventrilo 2.x and 3.x versions.

  • Ventrilo status retriever 0.1 (ventstat)
    gets status information from the Ventrilo servers which has been implemented starting from version 2.1.2 of Ventrilo.
    it can be compared to the default "ventrilo_status" program included in Ventrilo but with support for any available command and a better handling of the input containing the target server (for example you can use URLs too).
    - Mark Veaudry has created a porting of the program and the algorithm to PHP.

  • Ventrilo UDP status algorithm 0.1 (ventrilo_udp)
    set of functions for decrypting and encrypting the UDP packets used to get the status information from Ventrilo server.

  • Ventrilo password hashing algorithm 0.1 (ventrilo_pwd_hash)
    the algorithm for calculating the password hash introduced from version 2.3.0 of Ventrilo.
    this hashing code is used by the clients for logging in the server and for the EncPass field in the ventrilo_srv.usr file.

  • Ventrilo proxy data decrypter 0.3.3 (ventrilo_proxy)
    debugging tool able to decrypt and show and dump in real-time all the data exchanged between a Ventrilo client and server.
    this is THE tool for anyone interested in the Ventrilo protocol.

  • Ventrilo encryption/decryption algorithm 0.2a (ventrilo_algo)
    the algorithm needed to decrypt and encrypt the connection between the Ventrilo client and server.
    very useful is also this data manipulation example 0.2b showing both decryption and encryption.



Xbox:

  • Xbox ADPCM plugin 0.1.3 (in_xbadpcm)
    Winamp plugin for playing the audio compressed with the Xbox ADPCM codec.
    supports the wave files with both tag 0x0069 and 0x0011 (used for ima adpcm which "seems" close to xbox adpcm) and XWB/WBA/XSD/XSH archives which are seen as an unique audio file and with the automatic skipping of WMA and PCM audio.

  • Xbox ADPCM decoder and player 0.2.3a (xbadpdec)
    versatile tool for creating WAV files from any audio file (WAV, raw and within raw files through some offset and size options) which uses the Xbox ADPCM codec.
    it has also other interesting options which can be used to play the files on any system without codecs (stdin/stdout pipes) or adding a wave header to raw data for listening the file with the Xbox adpcm codec and more.
    as the title suggests, this tool is also an audio player for the supported files encoded with the Xbox ADPCM codec.

  • TXboxAdpcmDecoder C 0.1.3 (uXboxAdpcmDecoder)
    deeply optimized C port of the TXboxAdpcmDecoder Delphi class written by Benjamin Haisch for decompressing the Xbox ADPCM audio.
    support both file-to-file and buffer-to-buffer decompression.

  • XWB/ZWB files unpacker 0.3.4 (unxwb)
    great tool for extracting the data contained in the Xbox files with the XWB, ZWB and WBA extensions and any other file which contains the XWB archives.
    it works from both GUI (double-click on unxwb.exe) or command-line where supports various options.
    it automatically recognizes the codec, frequency and channels of the audio files and adds the needed headers and extensions for trying to make them ready to play with any player.
    the tool has also many options for the visualization of the files in the XWB archives, for the direct conversion of the files (executes a program for each one of them), direct stdout output and many debugging options.
    it also support both little and big endian archives.
    in case of problems playing the output files try with VLC or MPlayer.
    the XMA files can be decoded with xmaencode: xmaencode.exe /X output.wav input_xma.wav



Others:
  • File extractors/decoders/decrypters:

    • Unigine ung files extractor 0.1 (uniginex)
      files extractor for the ung archives used by the Unigine game engine.

    • mmViewer mme dumper 0.1 (mmviewer_dumper)
      this is simply the original mmviewer.exe of mmViewer (version V110103) to which I added some binary code for converting it in a decrypter.
      launch mmdump.exe, select the mme file you want to decrypt and a file called x.z will be automatically generated in the same folder, rename as you wish with a ZIP extension and open it normally.

    • OSRW anticheat logs decrypter 0.1.1 (osrwdec)
      decrypter for the log files generated by the OSRW anticheat for rFactor (F1 rFactor 2010).
      these files have a rar extension and are located in the OSRW folder of the game.

    • Molebox2 files extractor 0.1 (molebox2ext)
      extractor for the archives of the games that use a particular version of Molebox for archiving their files like: Kingdom Elemental, Aquaria and others.
      the encryption algorithm used by the version of Molebox adopted in this game uses 16 bit code and is NOT compatible with the encryption used, for example, with the current trial version of Molebox (which looks more simple), so I don't know why there is this strange difference.
      instead the file format should be the same or similar for any Molebox version.
      the last argument of the command-line is the hexadecimal key that is located in the game's process near the ".BOX" signature.
      (this is exactly the tool previously called kepmboxext)

    • DefenseGrid dgp files hash calculator 0.2 (dgridhash)
      calculates, appends and replaces the hash at the end of the dgp files used in the game Defense Grid.
      works also with the files of the demo that use a modified sha1 algorithm.

    • SD Gundam Capsule Fighter Online ZPK/ZDX/DAT files extractor/rebuilder 0.4.2 (sdgundamext)
      tool for extracting the files from the ZPK/ZDX archives and for unpacking the DAT (aka ZOAGZIP) files of this game.
      the tool has also a rebuild option which could be useful with the recent patches (from the end of August 2009) of this game where seems no longer possible to use the extracted files in the game main folder.

    • Test Drive Unlimited savegames/files decrypter/encrypter 0.1 (tdudec)
      quick tool for decrypting and re-encrypting the files in the playersave folder of the user and the .btrq, .db and any other encrypted file of this game.
      remember to add the type 1 for decrypting/encrypting the non-savegame files, examples:
      - tdudec.exe d commondt.sav commondt.sav.new
      - tdudec.exe d 246_Dino_GT.btrq 246_Dino_GT.btrq.new 1
      and remember also that the BNK files are archives so they must be extracted first with programs like Bnk Editor.

    • PartyGaming files decrypter 0.1 (partydec)
      decrypter for the encrypted files used in PartyPoker, PartyGammon, PartyCasino and so on like the various INI and BIN files (ARA.ini, GRA.ini, Sys.ini, NewTable.bin, poker.bin, Table.bin and so on).

    • Telltale TTARCH files extractor/rebuilder 0.2.4 (ttarchext)
      tool for extracting and rebuilding the files archived in the ttarch archives used in the games developed by Telltale Games like:
      - Hector
      - Back to the Future
      - Poker Night at the Inventory
      - Sam & Max
      - Nelson Tethers: Puzzle Agent
      - Tales of Monkey Island
      - CSI series
      - Strong Bad's Cool Game for Attractive People
      - Wallace & Gromit's Grand Adventures
      - Bone
      - Telltale Texas Hold'em
      - Jurassik Park
      - The Walking Dead series
      - Poker Night 2
      - The Wolf Among Us
      - Tales from the Borderlands
      remember to use the -m option to dump the FONT and D3DTX files as DDS and the AUD as OGG but do NOT use this option if you plan to rebuild the ttarch archive!.
      the tool has also various options for listing the files without extracting them, overwriting the existent files, wildcards and other options (mainly debug stuff for myself).
      examples for "Tales of Monkey Island: Launch of the Screaming Narwhal":
      • extraction: ttarchext.exe 24 "C:\Program Files\Telltale Games\Tales of Monkey Island\Launch of the Screaming Narwhal\Pack\0_monkeyisland101_pc_launcheronly.ttarch" c:\output_folder
      • rebuilding: ttarchext.exe -b -V 7 24 "C:\Program Files\Telltale Games\Tales of Monkey Island\Launch of the Screaming Narwhal\Pack\0.ttarch" c:\input_folder
      • decrypt lenc: ttarchext 55 c:\input_file.lenc c:\output_folder
      • encrypt lua: ttarchext -V 7 -e 0 55 c:\input_file.lua c:\output_folder
      remember that if you have modified only a couple of files (for example english.langdb and one or images) you don't need to rebuild the whole archive but it's enough to build a new one called 0.ttarch containing ONLY the files you modifed, it will be read by the game like a patch and will occupy only a minimal amount of space.
      note that the old versions of the TellTale games (so not those currently available on that website) are not supported because use different encryptions and sometimes format, and being old versions are NOT supported by me in any case.
      if the game uses version 7 or 8 and crashes when uses the rebuilt package try to rebuild the archive specifying the -x option.

      Usually you don't need to create 0.ttarch if you modify only the landb file, you can leave that file in the pack folder.

    • Call of Duty series mpdata decrypter/encrypter 0.1.1a (codmpdatadec)
      decrypter and re-encrypter for the Profiles mpdata file used in Call of Duty 4 and Call of Duty 5 / World at War.

    • Asura engine "AsuraCmp" files decompressor 0.1 (asurauncmp)
      decompressor for the compressed data files used in the games based on the Asura engine like Sniper Elite, Rogue Trooper, Guard Shield and so on.
      these compressed files are easily recognizable due to the AsuraCmp signature at their beginning.
      the tool simply decompress the file, does not extract or handle its content.

    • Stainless Steel Studios SSA files extractor 0.1 (ssaext)
      an extractor which works with all the games developed by Stainless Steel Studios like Empire Earth, Empires: Dawn of the Modern World and Rise and Fall: Civilizations at War.

    • Canhel PAC->ZIP and ZIP->PAC converter 0.1 (canhelpaczip)
      converts the PAC files of this (beta) mmorpg in ZIP and viceversa.

    • Spike Girls SGP* files decoder 0.1a (sgpdec)
      simple decoder for the SGP* files of this game.

    • Ultima Online uodemo.dat extractor 0.1b (uodemoext)
      files extractor for the uodemo.dat file of Ultima Online Second Age, the tool could work with other encrypted files too.

    • Egosoft X series CAT/DAT files extractor 0.1 (egoxext)
      extractor for the CAT/DAT archives used in any of the X games developed by Egosoft: X, X2 and X3.

    • Cauldron FS files extractor 0.2a (cauldronext)
      extractor for the FS archives of the games developed by Cauldron like Battle Isle, Chaser, Gene Troopers, Civil War, Battle for the Pacific, Soldier of Fortune Payback, Secret Missions, Secret Service and so on.
      the tool allows also to specify (-x) the byte to use for XORing the compressed chunks of the demos, like 0x48 for the demo of Battle Isle and 0x44 for the Chaser one.

    • Big Scale Racing files decoder 0.1 (bsrdec)
      quick decoder for all the FSW, FS3, FSP and the other encoded files of this game.

    • MotorM4x files decoder 0.1.1 (motorm4xdec)
      decodes and re-encodes the files extracted from the ZIP archives with the MDL/DTF extensions of the game MotorM4x.

    • EipiX Pyroblazer packages/files extractor 0.1 (pyroblazerext)
      extractor for the Packages.dat archive of the game Pyroblazer.
      the tool "could" work also with other games developed by EipiX.

    • WorldShift XE/XP files extractor 0.1.2d (worldshiftext)
      tool for extracting the compressed/encrypted XE and XP archives used in the WorldShift game

    • WorldShift XE files rebuilder 0.1b (worldshiftbuild)
      tool for building the XE archives of this game, useful in case have been modified the original file and you want to re-import them in the game.

    • ShellShock Nam67 files extractor 0.1 (ssnam67ext)
      extractor for the "assets" data files of this game.

    • Milestone MIX files extractor 0.1.3 (msmixext)
      extractor for the MIX archives used in the Milestone games like S.C.A.R., Superbike 2000 and 2001, Evolution GT, MotoGP 08, SBK 08, SBK 09, SBX X, Superstars V8 Racing, Superstars V8 Next Challenge and more.

    • Falcom Ys NACCI savegame files decrypter/encrypter 0.1 (ysnacci)
      tool for decrypting and re-encrypting the savegames of Ys6, Ys Felghana/Ys3 and Ys Origin.

    • Falcom YS games XSO files extractor and rebuilder 0.1.1b (xsoext)
      tool for extracting and rebuilding the XSO files used in the YS game series of Falcom.
      the XSO are the files which contain all the dialogs of the games and this tool first dumps all them in a new text file very easy to edit with any text editor and AppLocale (AppLocale is needed for seeing the asian characters) and then recreates the new XSO files from that text file.

    • Falcom YS games NA/NI/Z files extractor and rebuilder 0.1.3b (ysext)
      complete tool for extracting and rebuilding (-r) or appending (-a) the NA/NI/Z archives used by the series of games developed by Falcom like Ys Origin, Ys Felghana, Ys VI and any other which uses these types of files.
      the tool supports also various options like listing all their content without extracting them, wildcards for specific files, decrypting and encrypting them without extracting their content, creating a Z file and so on.
      typical usage example for extracting all the files and creating a complete index/config file:
      • md c:\data
      • md c:\data_1101
      • ysext -n c:\data.txt "c:\program files\falcom\ys6_win\release\data.na" c:\data
      • ysext -n c:\data_1101.txt "c:\program files\falcom\ys6_win\release\data_1101.na" c:\data_1101
      • type c:\data.txt c:\data_1101.txt > c:\conf.txt
      • now enter in the folder c:\data_1101 and move all its files into c:\data
      • now c:\data contains all the updated files of the game and c:\conf.txt is the config file required for rebuilding/appending the files to the NI/NA file, while c:\data_1101, c:\data.txt and c:\data_1101.txt can be deleted

    • NCF/CCF packet format to tcpdump capture format 0.2 (ncf2cap)
      converts the CommView NCF and CCF dumps into the classical tcpdump/Wireshark CAP format.

    • ORK files decrypter and extractor 0.1.1 (orkdec)
      files extractor for the ORK archives used in the games developed by Black Hole Entertainment like Armies of Exigo and Warhammer Mark of Chaos (both demo and retail keys supported).
      note that you must know the full path of the files to extract otherwise you can do nothing, that's why exist the above "orkdec filenames dumper".

    • orkdec filenames dumper 0.1.1 (orkdec_files)
      tool for loading the games which use the ORK archives and automatically dumps all the loaded filenames in a text file that can be used with orkdec for the subsequent extraction.
      compatible with any version and game (tested Armies of Exigo and WarHammer Mark of Chaos, both demo and retail), remember to use no-cd executables since are not encrypted.

    • PS2/VXBG files extractor/rebuilder 0.1 (ps2ext)
      extractor and rebuilder for the files with the PS2 extention used in games like Syberia 1.

    • WPE packet format to Tcpdump capture format 0.2 (wpe2cap)
      simple tool for converting the files saved with Winsock Packet Editor (WPE) Pro, supports both PAC and TXT files and multiple TCP connections.

    • Vital engine files extractor 0.1 (vitalext)
      extractor for the GRP files used by the games based on the Vital engine like Codename Outbreak / Venom and Boiling Point.

    • THPS HED/WAD files extractor/builder 0.2a (hedwadext)
      simple extractor and rebuilder for the games which support the hed/wad files like Tony Hawk Pro Skater.
      doesn't seem to work on some of the most recent games so I need to classify it as unsupported.

    • BOR PAK extractor/builder 0.1a (borpak)
      a tool for extracting and building the PAK archives used in the game Beats of Rage.

    • BOR music player 0.1.1 (borplay)
      simple command-line player for the music files used in the Beats of Rage mods
      the tool supports both BOR and PAK files, many can be found here and here.
      BOR music files use the classical ADPCM codec so the source code of this tool can be modified just a bit for playing also other files encoded with the same algorithm.

    • Close Combat First to Fight files extractor 0.1 (ccftfext)
      files extractor for the BIN/XXX and PWD archives of this game and hopefully other similar games which contain various texture, script and audio files.

    • FSB files extractor 0.3.3 (fsbext)
      files extractor for the FSB (FMOD Sample Bank) archives used by the FMOD library.
      it supports FSB1, FSB2, FSB3, FSB3.1, FSB4 and FSB5 and also the encrypted archives that can be cracked easily because it's possible to see parts of the original password.
      the tool has also options for listing files, automatic big to little endian conversion for wave files, -a option for adding headers to the extracted files for playing them with VLC or vgmstream (fsbext generates the header for all the formats like pcm, ima-adpcm, vag, gcadpcm, xma, mp3, it214, it215 and so on) and even for rebuilding the original FSB archive.
      the FSB files are used in a huge number of PC, Xbox, Playstation and Nintendo games so if you have one of these files this is the tool for the job.
      the tool works from both command-line and minimalistic GUI on Windows when the exe is double-clicked.
      Note: the mp3/delta format used by Fmod is incompatible with the standard players, so from version 0.3.1 fsbext dumps only the first mono/stereo channel. this behaviour can be disabled with the -m option.

    • Nexus files extractor 0.1.1 (nexusext)
      tool for extracting or decrypting ALL the dat files used in the game Nexus - the Jupiter Incident aka Galaxy Andromeda and Imperium Galactica III: Genesis.

    • TNTFOLDER files decrypter/encrypter 0.3 (tnt2zip)
      tool for converting the encrypted .tntFolder files used in the games based on the TNT engine made by GSC Gameworld to the original ZIP files and viceversa.
      some of the games which use the tntFolder archives are HoveRace and FireStarter.

    • CBF files extractor 0.2.2 (cbfext)
      extracts any file contained in the .CBF archives of the games which use the Ptero-Engine like Flying Heroes, Vietcong and Vietcong 2.

    • Virtools .crypted files decrypter 0.1 (virtdec)
      decrypts the .crypted files usually located in the MediaCache folder in the Virtools directory, usually requires the usage of the "Virtools files unpacker" for retrieving the key from the objects file of the original VMO file.
      note that this tool does only the decrypting job, I don't know how to handle the read these files.

    • Virtools files unpacker 0.1.3 (unvirt)
      extracts the files contained in VMO, NMS, NMO, CMO, VBF (VXBG) and any other file of the same format created with the Virtools programs.
      note that this tool does only the extraction job, I don't know how to handle the components and objects files.

    • Zanzarah PAK files unpacker/repacker 0.1 (zanzapak)
      a simple unpacker/repacker written to patch this game for the traduction made by the "Figli di Gaucci" team.

    • GameGuard files decrypter 0.1 (gguardfile)
      simple and a bit useless (because files can't be re-encrypted) tool to decrypt the configuration and update files used by the NProtect GameGuard anti-cheat program (that used by some MMORPG games).
      read the text file inside for some examples and details.

    • Rome Total War sounds extractor 0.1.1 (rtwsndext)
      simple and old tool to extract any sound and moreover music from the IDX files in the Data\Sounds folder of the game Rome Total War.

    • Massive Assault Network files decoder/encoder 0.1 (manext)
      an useful tool to decode and re-encode the encoded files used by the game Massive Assault Network.

    • Lineage II files decoder/encoder 0.2.1 (lin2ed)
      this tool lets you to decode and re-encode the files of the MMORPG game Lineage II.
      supports the following encryption formats: 111, 121, 211 and 212.
      it is no longer supported due to the introduction of the 411/412/413/414 formats that use private keys so decryption is ok but is not possible to re-encrypt the files.
      so I highly suggest you to check the following website: http://dstuff.luftbrandzlung.org/l2asylum/.

  • Algorithms, functions and derivated tools:

  • Network based projects (listers, checkers, info retrievers):

    • Origin PIDs (origin_pids.txt)
      PIDs of the games available on EA Origin.
      last update: 11 Aug 2013.

    • EAlist 0.1.4 (ealist)
      command-line servers browser based on the list of game servers provided by the Electronic Arts master servers commonly called fesl or theater and supporting various games for PC, Xbox 360 and PS3 like Battlefield Bad Company 2, Battlefield Heroes, the Need for Speed series, Skate and others for which don't exist alternative listers.
      the usage of the tool is the same of gslist.
      for using the tool is necessary an EA account (any account or any EA game is ok for all the supported games), note that the needed account doesn't seem the one with the mail address as username... anyway in doubt try it.
      if you don't have one or something doesn't work using your existent one you can register a new account directly using the -A option and the mohair-pc gamename: ealist -a NEWUSER NEWPASS mohair-pc -A
      example for querying the Battlefield Bad Company 2 PC servers:
      ealist -n bfbc2-pc -a USERNAME PASSWORD mohair-pc
      the tool allows also to send custom data (experimentally) for testing other types of commands and even to run a fake fesl server which becomes very useful in combination with gs_login_server and games like Red Alert 3 and Battlefield 2142.

    • Live for Speed setups dumper 0.1 (lfsdumpsetups)
      decrypter of the setups received from the server which allows to save the setups of the other players.
      practically in this game you can save the setup of another player only if he presses the "send setup" button (ss) near your nickname but in reality this is not needed because the setup is already received from the server when joined and everytime the other players change or modify their setup.
      as input the tool requires only the dumped tcp stream of the connection which can be capture with a sniffer like Wireshark, an example step-by-step is showed at runtime.
      tested with Live for speed S2 Z.

    • America's Army 3 auth packets ssc_decrypt 0.2.1 (aa3authdec)
      simple tool for decrypting any encrypted communication and sniffed session (tcpdump format, like the files generated by Wireshark) with the authentication server of America's Army 3 auth.aa3.americasarmy.com and any other data encrypted with the ssc_encrypt function like, for example, the query packets implemented from version 3.0.5 of AA3.
      usage examples:
      - aa3authdec.exe "c:\Program Files\America's Army 3\Binaries\aa3.key.db" raw_dump.dat
      - aa3authdec.exe -o 10 c6mw4it2kg7sz5o0813d9qyufenhj query_dump.dat
      note that this tool probably works also with other games which use the Leverage library.

    • How to get the list of game servers from getgsc.com 0.1.3 (getgsc_list)
      quick example of how to retrieve the servers list of Total Gaming Client and GameTracker.

    • HLSWlist 0.1.1c (hlswlist)
      command-line servers browser based on the list of game servers provided by HLSW on multimaster.hlsw.org:12451 and with an usage similar to gslist (so syntax and options are the same).
      it supports all the games available on HLSW and which are partially listed here.

    • CameraWaREC 0.1 (camerawarec)
      command-line recorder, lister and thumbnails viewer/monitor for the webcams on CameraWare.
      does NOT need accounts to work.

    • CamFrog login tester example 0.1 (camfroglogin)
      practical example of the implemenation of my camfrogcrypt functions and basic tool for testing the login mechanism on the CamFrog servers.
      compatible with the current Camfrog protocol (5.1).

    • Battlefield 2 and 2142 bitstream sniffer 0.1.1 (bf2_sniff)
      experimental tool/hooker for monitoring the reading and the writing of the network protocol used in the BF2 and BF2142 games.
      in short there is a loader for the clients and one for the servers which are compatible with both the two games and seems also with almost any known version.
      all you need to do is placing bf2_sniff_client.exe, bf2_sniff_server.exe and bf2_sniff.dll in the folder of your game and launching the needed bf2_sniff_* executable which will inject the dll in the loaded process (the loaders allow you to decide also the command and the dll to load in case you want to customize them without recompiling).
      all the bits read and wrote (received and sent) by your game will be automatically dumped in a text file which can be viewed and analyzed in any moment.
      if you want to understand the network protocol of this game engine, bf2_sniff will help a lot.

    • Babo Violent 2 RCON 0.1 (bv2rcon)
      simple tool which works as a RCON client for the Babo Violent 2 servers, so is possible to send rcon commands to the own server.

    • JMeetREC 0.2d (jmeetrec)
      this easy-to-use tool allows the recording of a webcam video (frames) available on JMeeting.
      you can also watch the video in real-time or re-watch it in any other moment through two simple cross-platform html files (watch_ever.htm requires dom.disable_image_src_set disabled on Firefox).
      it contains many option and is possible to monitor multiple webcams at the same time through the watch_thumb.htm file.
      does NOT need accounts to work.

    • AWCamREC 0.2.1d (awcamrec)
      command-line recorder, lister and thumbnails viewer and monitor for the webcams on AnyWebcam.
      does NOT need accounts to work.

    • Ultima Online account checker 0.1 (uologin)
      verifies if an online Ultima Online account is valid or not.

    • Ultima Online login encryption algorithm 0.1 (uologin)
      the algorithm used to send the login information to the login.owo.com server of Ultima Online, it's based on the latest 5.00 encryption algorithm.

    • Teamspeaklist 0.1.1 (tspeaklist)
      allows to retrieve the list of online TeamSpeak servers through the usage of filters and has also other options like executing a specific program for each server found.

    • Neverwinter Nights account checker 0.1.1 (nwnlogin)
      tool for verifying if an username and a password are an existent Bioware NWN account.

    • Qtracklist 0.1.1 (qtracklist)
      simple servers browser that uses the Qtracker master server. Supports also the option for executing specific programs for each IP.
      remember to check the following link periodically for possible updates to the games list:
      qtracklist.cfg (qtracklist)
      updated 13 Nov 2010 (corresponding to Qtracker 4.92)

    • QtrackUP 0.1 (qtrackup)
      just a simple heartbeats sender for the Qtracker master server like the original QtUplink.
      qtrackup.cfg (qtrackup)
      updated 07 Nov 2005 (corresponding to QtUplink 1.52)

  • decompression functions:
    all used in QuickBMS where are located tons of other memory2memory algorithms.

    • uberflate 0.1.1 (uberflate)
      library for performing kzip+deflopt+defluff+deflopt without using files and achieving one of the best zlib/deflate compressions available, more info in uberflate.h.
      I have written a simple tool for testing the library using ubeflate_test.exe input_file output_file:
      uberflate_test

      the library is implemented in QuickBMS and can be tested using the following BMS script:
          comtype uberflate
          get SIZE asize
          clog "dump.dat" 0 SIZE SIZE

    • undflt 0.1 (undflt.c)
      an algorithm defined as DFLT used in LEGO Lord of the Rings and maybe other games of Traveller's Tales.

    • Simple LZSS used in SEGA 0.1 (unyakuza.h)
      Used in Yakuza 3 and Binary Domain.

    • hd2 (hd2.h)
      algorithm used in Hidden and Dangerous 2.

    • ntcompress (ntcompress.h)
      the algorithms for types 0x30 and 0x40 used in NTCompress.exe of Nintendo Wii Revolution SDK.

    • undk2 (undk2.h)
      algorithm used in the games of Electronic Arts.

    • un434a (un434a.h)

    • stalker_lza (stalker_lza.h)
      algorithm used in the game Stalker.

    • tzar_lzss (tzar_lzss.h)
      interesting algorithm used in the game Tzar.

    • un49g (un49g.h)
      algorithm used in the games developed by 49Games.

    • undarksector 0.1a (undarksector.h)
      a simple algorithm used in the game Dark Sector as ZIP type 64.

    • unlz2k 0.1a (unlz2k.h)
      an algorithm defined as LZ2K used in Transformers and LEGO Star Wars / Batman and maybe other games of Traveller's Tales.

    • unmeng 0.1 (unmeng.h)
      an algorithm used in DreamKiller (Mindware engine).

    • unrlew 0.1 (unrlew.h)
      an RLEW implementation.

    • Asura huffboh 0.1 (asura_huffboh.c)
      compression algorithm (huffman?) used in the Asura engine.
      I don't know what exact algorithm it is, anyway it gets the dictionary from the first 300 bytes of the data/file.

    • unthandor 0.1 (unthandor.c)
      decompression algorithm reversed from the game Thandor.
      I don't know what exact algorithm it is, anyway it gets the dictionary from the first 256 bytes of the data/file.

    • unlzwx 0.1 (unlzwx.c)
      an implementation of a LZW memory decompressor in use in the Milestone games.

    • unlzss 0.1 (unlzss.c)
      function for a LZSS memory decompression (the classical one).
      in QuickBMS I use a better and more versatile version.

    • unlzw 0.1.2 (unlzw.c)
      simple LZW memory decompression function in use on the Vietcong games, it seems compatible with the algorithm used in the compress (*.Z) utility.


  • MD5 hashes of the WADs for the Doom engine 0.2 (wad_md5.h)
    C style collection of MD5 hashes of tons of Doom/DoomII/Heretic/Hexen wads which were needed for some of my projects.

  • Westwood online chat password encoder 0.1 (wocenc)
    the encoding algorithm used by Westwood to encode the passwords used by the users to chat. probably useless... old stuff.



Information and games zip passwords:
this section collects all those small information (useful or totally useless) which don't lead to projects but can be interesting for some people for curiosity or need.
  • fsb password for Ji Feng Zhi Ren / Kritika Online is kri_tika_5050_
  • zip password for the pak file of Moment of Time Silentville is g1obu1in
  • zip password for the DATA file of Mini Robot Wars is EC?^!98$$%ab17
  • zip password for the bin files of Fruit Ninja HD is f83j#j;.!nZ+94(mB523+=+*vaeuq4TyU2bxoe,bcuy%zXz3719#YDWb531&^724h3#12b34
  • zip password used in some archives of RPGViewer / R2 Online is 4a3408a275b0343719ae2ab7250a8cab0c03b2178a58f2de
  • work-in-progress for the zip password of Devil 2 / Eligium / Magic World 2, is Mw2zd198703k plus a number
  • zip password for the bin archives of Hard Reset is 9dU36jSJ@h265^k0b1!jrx*945F1 and rNPXgxj12A#Ian@!K5qt%JSNx2I for the demo
  • zip password for dymok files of Iris Online is jZKCZ/aDV/ORScsYCEAK=n4BH (you need to use this bms script first)
  • zip password for upgrade.zip of YoYo Games GameMaker is 12#_p@o3w$ir_ADD-_$#
  • zip password for the pak files of 12 Labours of Hercules 1 and 2 is yE?objectives_episode_%02_cost_%02d
  • zip password for the pak files of Nevertales 2 and some other Mad Head Games titles is data.pak
  • zip password for the pak files of Reflections of Life: Tree of Dreams, Whispered Secrets and others from GrandMa Studios is aca7b3e6-50dc-5fae-9218-d9a8df85542d
  • zip password for Rite of Passage 3: Hide and Seek can be data.pak or 9LQje7FewPRsAnmnGxrOchL7QSY557VtaNmizOLvCzypY2umATpMwty2yx93 or 2uhL7Q7nGmNy2SY557Vtyx939LQjeaFezypYmizOmATpxrOcLvCwPRsAnMwt or 39nmzOmet2uhy2YLQjA5aFewL57VNzrOcLvCmiwPR7Q7SnGxypYsATpMtyx9
  • zip password for the pak files of Whispered Legends: Tales of Middleport (Gogii games) is ap7Eddz8bp6fppEz8f8vvG6fGa6EE6G9
  • zip password for the datapak file of Eschalon: Book III is 3\o46!:pK7lCL/u,sC
  • zip password of Bluebeard's Castle - Son of the Heartless (Shaman Games) is u7eFUxHb:\K6hgIg2
  • zip password of Arcanika is J3lG4DOMIKNn*265
  • zip password for data.pak of Cadenza - Music, Betrayal and Death is izOmATpM9LQjezypY2uhL7QSY557VtaFewPRsAnmNmwt7nGxrOcLvCy2yx93
  • zip password for the bin files of Hard Reset is rNPXgxj12A#Ian@!K5qt%JSNx2I
  • zip password for game.rfa of Adelantado Trilogy is XV34gd97WaP22
  • zip password for dat files of Druid Kingdom is UNZ_UNSUPPORTED_COMPRESSION_METHOD
  • zip password for the kek files of Baking Success is lm102030
  • zip password for the dat files of Defense Technica (and possibly other Kuno Interactive games) is Kunointer!1
  • zip password for Nevertales is 2uhL7Q7nGRsAnmNzypYmixrOcLvCy2LQjeaFewPzOmATpMwtSY557Vtyx939
  • zip password for Eipix Games (like Final Cut: Death on the Silver Screen, Amaranthine Voyage, Off the Record: Linden Shades, Myths of the World, Final Cut: Encore, Fearful Tales, Sea of Lies) is 7VtaFesmATpMwtiL7Q79nzOyx2mNzypYmwPR39LY55AuhGxrOcLvCy2SnQje
  • zip password for Rite of Passage 1/2: Child of the Forest is 2uhL7Q7nGxrOcLvCy2SY557Vtyx939LQjeaFewPRsAnmNzypYmizOmATpMwt
  • zip password for Rite of Passage: The Perfect Show is aFewPRsAnmNzypYmizOmATpMwt2uhL7Q7nGxrOcLvCy2SY557Vtyx939LQje
  • fsb password for Xuan Dou Zhi Wang / King of Combat is Xiayuwu69252.Sonicli81223#$*@*0
  • fsb password for Cyphers is @kdj43nKDN^k*kj3ndf02hd95nsl(NJG
  • zip password for the zip files of Farming Simulator 2008 is 411S6R5772V673kT
  • fsb password for Critter Crunch is j1$Mk0Libg3#apEr42mo
  • various zip passwords of games posted by me and other users: Hacking Zip Passwords (C9)
  • zip password for the pak archives of Mad Riders is TN2kTjNmBvn5axaS6tGX
    Almost identical password used for Call of Juares Gunslinger: TN2kTjNmBvn5axaS6tGY
  • fsb password for Gas Guzzlers: Combat Carnage is C5FA83EA64B34EC2BFE
  • zip password for the HIS*.res files of Heroes in the Sky is 9aa0c9335fc08bb6
  • zip password for data.ogf of Homura Combat is n5VPAlTw3eioOtKy0HWM
  • zip password for levels*.zip of AmenUs is mypassword
  • zip password for the sick files of SickBrick is ClusterFuck
  • zip password for bato.zip and blc.zip of Sacraboar is VVQ88CUB7YP3 or 3B6MF3ZVS6T7H
  • zip password for data.hef of is Project FPTD (First Person Tower Defence) is Zl:1sDxs|7!y
  • zip password for data.zip of Capoeira Legends: Path To Freedom is *+**cH()|)&M_$&()$_0t@R|0$**+*
  • zip password for the DataDoc file of Dark Parables: Rise of the Snow Queen Collector's Edition is ".=Welcome to Hong Kong, Detective!=. Please Send Your CV to blueteagames@gmail.com to Join our BIG Family." (without quotes)
  • zip password for data.zip of Jewel Quest 6: The Sapphire Dragon is h5BFrLsjn7T9VsMBcru6
  • zip password for the set and techSet files of LPGTECH Gas Setting / Autogan Green Setting is B59CAEFD5C564D28A1B7F93FD8BB247F
  • zip password for the files.pak file of Age of Enigma: The Secret of the Sixth Ghost is huA7NYfAr41JbMEwJ1cfTmUQjXL8XKts
  • zip password for the .nfe files of Eternal Night: Realm of Souls is NN@19330QMF
  • zip password for cooked.zip of Fallen Shadows is HappyMuff69
  • method for extracting the zip-passworded files with awa extension of the game AfterWorld
  • password for the fsb files of Need for Speed Shift 2 is p&oACY^c4LK5C2v^x5nIO6kg5vNH$tlj
  • password for the fsb files of Brutal Legend is DFm3t4lFTW
  • zip password for the content.kel file of Dead Meets Lead is 0c92k3kfwafn849wpfn95w8wgtkpf498fn5
  • rar password for the FlightForFight.wda file of Flight for Fight and _jjumper.wda of JetJumper and other Warlock Studio screensaves is wengine_200374
  • rar password for the ambx.dat file of Multiwinia is 4603891
  • zip password for the level.pak file of Motorama is 123456789
  • zip password for the game.pak file of Funny Miners is FunnyMiners
  • zip password for the Content.res file of Beat Hazard is lippylippy
  • zip password for the paq files used in the games developed by The Easy Company like The Mirror Mysteries, Grandpa's Candy Factory and Voodoo Whisperer: Curse of a Legend is "path33/p3?4&8, data" (without the " chars!)
  • zip password for data.zip of Galaxy Lander is zoozz123
  • zip password for data.zip of Gamebiz 2 and 3 is gB2DaTa
  • zip password for data.paq of Magic Sword Master is ssjds2008422
  • zip password for data.paq of Landed Demon is landeddemon2008422
  • zip password for the bin files of Words of Light is wOl07tIrEsWiNg
  • zip password for the resources.pak file of Amazing Pyramids is 2007Western2009
  • zip password for the dat files of Defense Of The Fortress is DS2010DS
  • zip password for AztecTribe.dat of Aztec Tribe New Land is {07E20C9A-D1BC-4e30-B40E-F5282C4B24D5}
  • zip password for AztecTribe.dat of Aztec Tribe is {0D8FD1A3-DEBF-4ef2-8A91-CDB0A105F6C0}
  • the archives with extension SFS starting with the signature AAMVHFSS must be extracted with SFSManager (or my mirror)
  • the files of the games developed by FlyWheel games (except The Curse of the Ring) are XORed with the byte 0xFA
  • zip password for data.pak of The Spirit of Wandering: The Legend, The Mystery of the Crystal Portal, Pharaoh`s Mystery and other Artogon games is __A_R_T_O_G_O_N_2006__
  • zip password for data.pak of Treasure Seekers: The Time Has Come, Follow the Ghosts and other Artogon games is fhnjujy200901101968
  • zip password for data.pak of The Mystery of the Crystal Portal: Beyond the Horizon, Treasure Seekers: The Enchanted Canvases and Visions of Gold and other Artogon games is fhnjujy200801101968
  • the password of data.zip used in Akhra: The Treasures is 2yKJ6KhRJKJ/18J5
  • QuakeLive servers list
  • the password of the PAK archives (they are common zip files) used in Pure3D Game Asset and Conference demo is fhFhD3dhFe83sdHDJ23kcne83Hds8HDF4pfgn4cvud
  • zip password for data.zip of Once upon a time is 6044370301
  • zip password for the datapak file of Eschalon: Book II is _Sr1g@As_!IzCE-"<;!Q for version 1.04/1.05 and vkqQ'Q$Q1hEI%W5$>k_I for 1.02
  • zip password for Rumors of War is U#n4&53iJaq6
  • the passwords of the DCP archives (they are common zip files) used in the game Bet and Race is Team6_73
  • zip password for Metal Drift is 11387432831984753294
  • previous zip password for Metal Drift was 37493752032567301837
  • How to retrieve the zip password from the Visual Patch (vpatch.exe) patches 0.1
  • zip password for Mishap an Accidental Haunting is Hobblepoop (info by "s")
  • zip password for Mob Ties Tokyo Mature (level1.zip to level38.zip) is mypassword (info by "s")
  • the password used in scriptsAndAssets\data.zip of the game Cyber-Wing is jIa*5NhT0Plg%ds2fTh$%nVfjMkfgQwe!3rNvZXhUIioMh
  • the password used in the cr archives (they are common zip files) used in the game Cricket Revolution is %3b%2a%30%33%7a%39%38%26%34%25%61%62%6b%33%33%30%33%38%34%37
  • the passwords of the data.bin archives (they are common zip files) used in the game Mad Tracks are GoldMasterVersion051215_4QRMA_U96GR_3YCRM_MMNMW for the retail and PublicDemoVersion051215_RT3SA_mon56_T90OI_MFC3z for the demo
  • the passwords used in FlashGet and stored in HKEY_CURRENT_USER\Software\JetCar\JetCar are simply XORed with the string Kevin (there are also references to kevinhyx12345 and hytzl but I don't know where they are used). the first byte is the length of the password.
  • the file TeamSpeak.Conf of TeamSpeak is simply XORed with the bytes "0xAD 0xA6 0x6D 0xAD" and the remaining bytes which don't fit a block (so file_length % 4) XORed with 0xAD
  • the password of the files in the Init.map zip file of the game Pro Duck Hunting is Goekhan1974 (tested the demo only)
  • how to bypass the Windows File Protection without registry hacks or files modifications: for example if you want to substituite notepad.exe it's enough to go in c:\windows\system32\dllcache and delete the notepad.exe file available there, then substituite the real notepad.exe and then click on CANCEL and then YES when Windows will ask you to insert the cdrom
  • the web access of Win-Spy can be easily bypassed using some fixed cookies like "bsup=F5DE0FF25D86C40F9778D8" or "bsup=88944B4EC605C2D0B50D6ADCCAFD" and then is possible to download any file from the remote computer through a directory traversal vulnerability, an example of HTTP query is available here (nc SERVER 80 -v -v < winspyweb.txt)
  • IpSwitch FTP log server (used by WS_FTP) logs sender 0.1 (wsftplogfun)
    source code of a simple tool for building packets for this logger server (0xaaaa, 0xaaab and 0xaaad)
  • steam:// URL parameters: purchase, install, uninstall, preload, run, rungameid, runsafe, updatenews, storeurl, open, backup, validate, store, browsemedia, advertise, defrag, store_demo, installaddon, removeaddon, appnews, guestpasses, openurl, connect, viewfriendsgame, support, ackMessage, paypal, clickandbuy, publisher, subscriptioninstall, settings, friends, hardwarepromo, url, AddNonSteamGame
  • if you receive the error "cstdio:170: error: '::snprintf' has not been declared& while compiling C++ stuff (it happened to me with WinVNC) add -D_GLIBCXX_USE_C99_DYNAMIC to the c++ command or _GLIBCXX_USE_C99_DYNAMIC in the Makefile
  • W32dasm bug: for example the bytes 66C78030A540000100 are disassembled as "mov word ptr [ebx+0040A530], 0001" which is wrong since it should be eax and not ebx... really a luck to find it eh eh eh
  • the links used by Winamp for getting the list of online radios and TVs: winamp-links.txt
  • the authentication on Steam happens with the sending of a SHA1 hash of the password plus two 32 bit numbers sent by the server at its left and right (N1passwordN2). Then the hash is encrypted using AES
  • the packets of the game Tony Hawk Underground 2 and other Tony Hawk games like American Wasteland are simply XORed with the first byte of the received packet
  • the All Seeing Eye master server uses a proprietary compression algorithm for the servers list, I think it's an updated version of that used in the Qizmo proxy
  • CloneCD... when a bad registry protection can be bypassed with a registry cleaner
  • Does really exist the password protection in Medieval Total War?
    funny document about a game with a server's password protection badly programmed
  • Why the Linux version of UnrealTournament crashes (signal 11) using the OpenGL or SDL driver
    I had this problem and it is incredibly simple to solve
  • chat of Jmeeting: irc://irc.jmeeting.com:8067
  • chat of Anywebcam: irc://chat.anywebcam.com:8080 (needs password)
  • chat of Dark Horizons: Lore: irc://irc.mgonetwork.com
  • UT2004 DEMO cd-key/hash:
    UT2004-UTDEMO-UTDEMO-UT2004 / 238c7dd4ec4a065e2314c1c8b4d41ca6
  • UT2003 DEMO cd-key/hash:
    UT2DEM-UT2DEM-UT2DEM-UT2DEM / c44a7b7b1624e9d459c22fac61dc9dcc


old and unsupported stuff:
  • Testing tool for RogerWilco 0.4 (wilco)
    a complete and useful testing suite for RogerWilco with a lot of functions, options and information
  • GSHlog 0.1 (gshlog)
    another logger/sniffer similar to GSHsniff but which looks only to encoded packets and only to those sent/received to a specific game port.
  • GSInfo 0.4 (gsinfo)
    retrieves information from all the servers that use the standard Gamespy queries like "\status\", "\players\" and many others plus the new query protocol (FE FD ...)
    use Gslist
  • HLInfo 0.1.6 (hlinfo)
    very basic tool to retrieve information from Half-Life servers
    use Gslist
  • IDInfo 0.2 (idinfo)
    retrieves information from servers that use the IDSoftware protocol (Quake, Q2, Q3, RTCW, SOF, SOF2 and many others)
    use Gslist
  • UnrealTournament 2003 online servers added to favorites 0.1 (ut2003fav)
    this simple program is like an experiment to automatically add the servers listed in the page http://ut2003master.epicgames.com/serverlist/full-all.txt with lower ping into the favorites section of UT2003. The tool can be used on both Win32 and GNU/Linux and must be launched by the UT2003\SYSTEM directory. I recommend you to do a backup copy of the file UT2003.ini and to test different maximum ping timeout. To clean your UT2003.ini file you must simply delete the text lines in it beginning with Favorites=
  • UnrealTournament 2003 servers list retriever 0.2 (ut2003ms)
    it is based on the web list available on http://ut2003master.epicgames.com/serverlist/full-all.txt
  • UnrCheck 0.2 (Package files checker) (unrcheck)
    old and no longer supported utility for finding possible errors in the package files used by the games based on the Unreal engine. I have created it when I found the bugs in the Unreal engine at February 2003
  • Unreal Tournament 2003 alternative network project 0.1.3 (ut2003altproj)
    inside the package there is a complete explanation, however it is a simple patch for the retail UT2003 version 2225 (both Win32 and Linux versions) letting the users to play in the DEMO network of UT2003 using their original retail copy. My idea is to create a parallel/alternative network for all the players having the full original game
    at the moment is possible to join the demo network but NOT to host in it, uses a manual method to host your server in this network (like Gslist)
  • Unreal Tournament 2004 alternative network project 0.2.1 (ut2004altproj)
    this project is a patch for Unreal Tournament 2004 v3369 (both Win32 and Linux) and allows the usage of your retail game on the demo network or the usage of the retail patch on the demo.
    it is just like the same project I did for UT2003 listed above.
    the old projects are available for the versions 3355, 3339 and 3236
    at the moment is possible to join the demo network but NOT to host in it, uses a manual method to host your server in this network (like Gslist)
  • Empires Dawn of the modern World: packets encoding/decoding algorithm 0.1 (empires_algo)
    the algorithm needed for the encoding and decoding of the packets exchanged by this strategic game
    note: it's not complete
  • Winziphide 0.3.1 (winziphide)
    this tool converts all the attributes of the files in the zip to directories attributes so Winzip and some other programs cannot show them (and viceversa for re-showing them)
  • Easy step-by-step to run Google Earth on Windows 98 0.1