Luigi Auriemma

me@aluigi.org [PGP]

papers.htm
    read the text file inside for additional information and options.
    use "gslist -R -n GAMENAME" (where gamename can be any of the games listed in "gslist -l") to retrieve the peerchat channels of a specific game.

  • GS Peerchat sniffer and decrypter 0.2 (peerchat_sniffer)
    the title already explains everything: it does the same job as "peerchat_proxy" but without the boring steps needed to use that tool.
    the only downside is that handling TCP connections through sniffing is not so easy, so in some cases, after some time, the collected data may be displayed corrupted.

papers.htm
    the algorithm needed to decode and encode the Peerchat IP addresses visible with the IRC "whois" command inside the Peerchat server (through peerchat_irc).
    it also supports decoding the IP addresses associated with the users' rooms, as written in the previous description.

  • GS Peerchat proxy decrypter 0.3a (peerchat_proxy)
    a proxy utility useful for debugging.
    it decrypts and dumps to a log file all the commands sent and received by the games that use the Gamespy Peerchat server, for example Gamespy Arcade and various other games like Tony Hawk Underground 1/2, Race Driver 1/2, all the Command and Conquer series, WarHammer and so on.

papers.htm
  • Protocols:

  • GS passenc/passwordenc decrypter/encrypter 0.1 (gspassenc)
    quick tool for decrypting and encrypting the passenc and passwordenc fields used for creating new users on Gamespy through the protocol used on gpcm.gamespy.com:29900 with the \newuser\ command.
    example: gspassenc e mypassword

papers.htm
    Half-Life:

  • Half-life DLL decrypter and rebuilder 0.2 (hldlldec)
    a decrypter and PE rebuilder for the Half-life encrypted DLLs like sw.dll, hw.dll and some client.dll (like the one of tfc16).
    note that although the generated DLL is correct, there seem to be some checks in it (or something similar) which prevent using the decrypted DLL in place of the encrypted one; for example the game will load correctly but will crash at the multiplayer menu.

papers.htm
    Halo:

  • Halo proxy data decrypter 0.1.2 (haloproxy)
    proxy server that sits between a client and a server and decrypts all the exchanged packets in real-time.
    the plain-text data in the Halo packets is stored in bitstream format, but this tool decrypts only the packets (it's a decrypter, not a parser) and the main bitstream block; you must extract the rest of the data manually.

papers.htm
    the algorithm for calculating the password hash introduced starting from version 2.3.0 of Ventrilo.
    this hashing code is used by the clients for logging in to the server and for the EncPass field in the ventrilo_srv.usr file.

  • Ventrilo proxy data decrypter 0.3.3 (ventrilo_proxy)
    debugging tool able to decrypt, display and dump in real time all the data exchanged between a Ventrilo client and server.
    this is THE tool for anyone interested in the Ventrilo protocol.

papers.htm
    the implementation I refer to is the one of Call of Duty World at War, where an additional field called bdTicket is used; it is encrypted and contains info about the license type, ID and user ID of the client.
    note that this research is not complete.

  • DemonWare auth network decrypter 0.1 (dwcryptonet)
    a testing tool I wrote in 2009 that was linked only on my forum.
    although my research about the Demonware authentication/master server is not complete (and I highly doubt I will continue due to the lack of interest), I guess I can link here a tool I wrote to "start" analyzing this data.

papers.htm
    supports both ar03 and ar04 archives.

  • mmViewer mme dumper 0.1 (mmviewer_dumper)
    this is simply the original mmviewer.exe of mmViewer (version V110103) to which I added some binary code to convert it into a decrypter.
    launch mmdump.exe, select the mme file you want to decrypt, and a file called x.z will be automatically generated in the same folder; rename it as you wish with a ZIP extension and open it normally.
papers.htm
    tool for extracting the files from the ZPK/ZDX archives and for unpacking the DAT (aka ZOAGZIP) files of this game.
    the tool also has a rebuild option which could be useful with the recent patches (from the end of August 2009) of this game, where it seems no longer possible to use the extracted files in the game's main folder.

  • Test Drive Unlimited savegames/files decrypter/encrypter 0.1 (tdudec)
    quick tool for decrypting and re-encrypting the files in the playersave folder of the user and the .btrq, .db and any other encrypted files of this game.
    remember to add the type 1 for decrypting/encrypting the non-savegame files, examples:
    - tdudec.exe d 246_Dino_GT.btrq 246_Dino_GT.btrq.new 1
    and remember also that the BNK files are archives, so they must be extracted first with programs like Bnk Editor.

  • PartyGaming files decrypter 0.1 (partydec)
    decrypter for the encrypted files used in PartyPoker, PartyGammon, PartyCasino and so on, like the various INI and BIN files (ARA.ini, GRA.ini, Sys.ini, NewTable.bin, poker.bin, Table.bin and so on).

papers.htm
    the tool also allows sending custom data (experimentally) for testing other types of commands and even running a fake fesl server, which becomes very useful in combination with gs_login_server and games like Red Alert 3 and Battlefield 2142.

  • Live for Speed setups dumper 0.1 (lfsdumpsetups)
    decrypter of the setups received from the server, which allows saving the setups of the other players.
    in practice, in this game you can save the setup of another player only if he presses the "send setup" button (ss) near your nickname, but in reality this is not needed because the setup is already received from the server when you join and every time the other players change or modify their setup.
    as input the tool requires only the dumped TCP stream of the connection, which can be captured with a sniffer like Wireshark; a step-by-step example is shown at runtime.

quickbms.htm
  • support for other alternative input/output interfaces like processes (including debugging and automatic breakpoint restoring), audio, video and Windows messages
  • support for the visualization and creation of various types of data like x86 assembly, IP addresses, time_t, FILETIME, ClassID and more
  • support for C-like structures and basic syntax for easy handling of file formats
  • support for any command-line decompressor/decrypter/anything_else via the EXECUTE method (Comtype and Encryption commands)
  • read and write operations
  • quickbms_4gb_files.exe is a native 32-bit program with all the variables set as 64-bit, useful in some situations

mytoolz.htm
    the project is divided into two parts:
  • monitoring/sniffing: a CAP file in tcpdump format will be generated containing every captured packet; this is the default operation
  • user's custom manipulation of the captured data: through a custom myproxocket.dll edited and built by the user it is possible to take control of the captured data, for example creating a rudimentary firewall for a specific program, editing on the fly the data which will be passed to the main program, creating a decompressor/decrypter/protocol analyzer and so on
    From version 0.1.8 I have introduced a trick to work with WSASend* and WSARecv* when lpOverlapped is used, but it has some downsides, so the following is the previous version (identical to 0.1.8 except for lpOverlapped):

pwdrec.htm
  • PartyGaming password decrypter 0.2 (partypwd)
    decrypts any encrypted string in the PartyGaming and PartyGamingNet fields of the registry, which cover PartyPoker, PartyPokerNet, PartyGammon, PartyCasino and so on (1.0.0.159)

  • PokerStars password decrypter 0.1 (pokerstarspwd)
    decrypts the PWD field in the user.ini file or any string passed as argument.
    the file user or user.ini can be located in one of the following folders: C:\Program Files\PokerStars or C:\Users\USERPROFILE\AppData\Local\PokerStars or %APPDATA%\PokerStars (6 build 6808)

pwdrec.htm
  • Ventrilo regkey decoder 0.1 (ventriloregdec)
    simple decoder of the registration key of the Ventrilo client, which is stored in the regkey registry key (3.0.5)

  • ISPQ sha1 password decrypter 0.1 (ispqpwd)
    decrypts the string in the registry (RecentLogin) containing the SHA1 hash of the password.
    although it's only the SHA1 hash, it's used directly in the login (strLoginPassword) in place of the original password (8.0)

pwdrec.htm
    CRYPT stores the MD5 of the password.
    CRYPTEX stores the SHA1 of the MD5 of the password. (thanks Paolo Ruggero)

  • NewsLeecher files decrypter 0.1.1 (newsleechdec)
    decodes and decompresses any DAT and BAK file located in %appdata%\NewsLeecher (v4.0 Beta 7)

pwdrec.htm
    also works from the command line, allowing the encrypted password and the needed key to be passed directly.
    the tool automatically tests the NoMachineSpecificPassphraseAvailable key if the provided/calculated one is wrong (1.0.0.0)

  • Winzip wjf xflags password decrypter 0.1 (wjfdec)
    decrypts all the xflags passwords in the job files (11.1)