Luigi Auriemma

me@aluigi.org [PGP]

adv.htm
    adv - realityserver_1

    Some vulnerabilities in third parties servers for Minecraft (game)
    27 Jun 2011:  adv -

adv.htm
    adv - lstnpsx

    Format string and DoS in Opium OPI and cyanPrintIP servers 4.10.x (enterprise)
    11 Feb 2008:  adv -

adv.htm
    italiano - q3cbof

    Buffer-overflow in the WebTool service of PunkBuster for servers (versions earlier than v1.229) (game)
    America's Army 2, Battlefield 2*, Call of Duty 1/2, DOOM 3, Enemy Territory, FEAR, Quake 3/4, RTCW, Soldier of Fortune II, ...
    23 May 2006: 

adv.htm
    poc - mohaabof

    Remote crash of Half-Life servers and clients (versions before the 07 July 2004) (game)
    12 Jul 2004:  adv -

adv.htm
    poc - rfcbof

    Game servers crash and possible small privacy problem caused by the Gamespy cd-key SDK (game)
    several games are vulnerable (released before March 2004, but also some recent ones)
    Battlefield 1942, Contract Jack, Gore, Halo, Hidden & Dangerous 2, IGI 2: Covert Strike, Need For Speed Hot Pursuit 2, Tribes: Vengeance, TRON 2.0, ...

adv.htm
    italiano - hlmods

    Half-Life servers: buffer-overflow and freeze (versions 1.1.1.0, 4.1.1.1c1 and 3.1.1.1c1) (game)
    29 Jul 2003:  adv -

adv.htm
    poc - edonkey

    Some game master servers can be used as amplifiers (game)
    20 Feb 2003:  adv -

poc.htm
    how to disconnect a client based on the Quake 3 engine with only one spoofed packet

  • Half-Life server buffer overflow and freeze 0.2.2 (hlbof-server)
    Simple proof-of-concept for testing the vulnerable Half-Life servers. It shows a message in the console if you test the dedicated server 1.1.1.0; in that case the return address is overwritten with 0x063c27f5
    01 Mar 2004: Greuff (greuff@void.at) has released an exploit about this vulnerability: http://www.void.at/greuff/hoagie_hlserver.c


papers.htm

  • Gslist 0.8.11a (gslist)
    Gslist is a game servers browser supporting an incredible amount of games (over 4000) for many different platforms like PC, Wii, Playstation and more.
    it can work in both command-line mode and an experimental web GUI mode; for this reason it's mainly designed for server admins, websites, advanced gamers and testers.
    in short a game server browser is a tool that retrieves the full list of servers (IP and port) of a specific game like Battlefield, Crysis, Unreal and so on.

papers.htm
  • tons of games supported and for various platforms: PC, Xbox360, Mac, Playstation 2, Playstation 3, PSP, Nintendo DS, Nintendo Wii, Dreamcast, iPhone and more
  • "experimental" web GUI: Gslist can be easily used through a web browser like any "classical" server browser but with the difference of being more simple to use and (optionally) supporting multiple users
  • can execute a program for each server of the list
  • filters for selecting only the servers with specific features like country, minimum/maximum number of players, maps, mods, type of game and so on
  • its list of supported games can be updated automatically (-u), or the database can be generated manually (-m/M)
  • can retrieve all the Gamespy Peerchat rooms "#GPG!" of a specific game (-R) which can be used with my GS peerchat IRC proxy

papers.htm
  • supports many options for redirecting and formatting its output so it can be used as back-end for any program or service
  • supports different types of queries for retrieving information from the servers, and with -X it is possible to receive this information directly from the master server without sending additional packets
  • optimized for speed and resources
  • experimental SQL option for dumping all the servers information in a SQL database
  • can send heartbeats for adding its own IP to the servers list
  • various other commands, options and customizations

papers.htm

  • Online cd-key verifier for games that use the Gamespy cd-key SDK 0.1.2a (gskeycheck)
    very interesting tool that verifies if the cd-key of a specific game is valid online or is already in use or has other problems.
    the technique used by the tool is very simple, it does the same operations performed by the game servers when they receive a new connection from a client which passes its hashed cdkey for being authorized with the Gamespy master server. it could be useful to know immediately if an old key is still valid or if there are more detailed errors if it no longer works online.
    the supported games are all those that use the Gamespy cd-key SDK like Battlefield 1942, Battlefield2, Halo, Painkiller, Star Wars Battlefront and many others listed in that document.

papers.htm

  • GSHinfo 0.1.2 (gshinfo)
    this tool is able to send all the 4 available queries uok, unok, ison and ucount to any game server which uses the Gamespy CD-Key SDK.
    these "hidden" queries are handled by the game servers to know if a specific player/cdkey is playing in a server or how many authorized players are playing in it.

  • explanation of the hidden functions and commands that are used in the Gamespy cd-key SDK implemented in various games (read the third section): english and italian.

papers.htm
  • Gsmsalg and enctype:

  • GS enctypeX servers list decoder/encoder 0.1.3b (enctypex_decoder)
    the algorithm used by ANY game for decrypting (and encrypting) the data from the Gamespy master server on ports 28900 (enctype 0, 1 and 2) and 28910 (enctype X).
    enctypeX in reality is not only an algorithm (technically a short version of that used for enctype1) but also a specific protocol for receiving various types of information from master servers like ut3pc.ms3.gamespy.com, battlefield2.ms3.gamespy.com, crysis.ms5.gamespy.com and many others for a total of 20 "ms" servers.

    from my tests, with enctypeX it is possible to:
  • receive the list of online servers of a specific game, including their external and internal (if behind NAT) IP addresses and ports
  • receive NAT information about servers behind router/NAT
  • receive the details of each server directly from the master server, which means it is not necessary to query them because we already have all the needed information (gamename, gamemode, gametype, mapname, numplayers, maxplayers and so on)
  • tell the main program when the data received from the master server is complete, because the master server doesn't close the connection (it's in keep-alive mode) and only sends a marker defining the end of the data
  • create an IP:port list (4 bytes:2 bytes) from the received data, which is easier to handle from the main program
  • collect all the additional servers information in a text format like "IP:port \parameter\value\...\parameterN\valueN"
    the only complete usage example of this code and the full protocol is available in Gslist, there is no additional documentation at the moment.
    for testing all the decryptions performed by enctypes 1, 2 and X with custom data (useful for programmers) it is possible to use the Enctype decoder/tester; it's also very good for anyone who wants to decrypt the encrypted data received from the Gamespy master server without programming a single line of the decryption code: call enctypedec.exe externally with the -l or -L option to do the job.

  • GS enctype2 servers list decoder/encoder 0.1.2 (enctype2_decoder)
    algorithm for decrypting and encrypting the servers list coming from the Gamespy master server encrypted with the enctype 2 method.
    this enctype was used only by the old RogerWilco application.


  • GS enctype1 servers list decoder 0.1a (enctype1_decoder)
    algorithm for decrypting the servers list coming from the Gamespy master server encrypted with the enctype 1 method.
    this enctype was used only by the old Gamespy 3d application and is the most complex of all the various enctypes.


papers.htm

  • Gsmsalg 0.3.3 (gsmsalg)
    this algorithm is an emulation of the one used by the Gamespy master server for handling the "secure" parameter sent by these servers.
    my implementation supports enctype 0, 1 and 2 (X doesn't use it) and can be used also for calculating the needed challenge-response string for the Gamespy Firewall probe packet and the heartbeat (the sending of a couple of UDP packets to port 27900 for allowing our IP:port to be added in the list of servers of a specific game, uses enctype 0).
    all the information is in the header of the code.


papers.htm
    example: gspassenc d e4uEk1iom8MLaw__

  • GS natneg client 0.2 (gsnatneg)
    function for the implementation of the client-side Gamespy natneg protocol for joining servers behind router or NAT.
    in short, by calling this function in a program it is possible to query and join any game server behind router/NAT which uses this Gamespy natneg feature.


papers.htm
  • GS login server emulator 0.2.3b (gs_login_server)
    quick and easy-to-use project for emulating a Gamespy login and stats server (gpcm, gpsp and gamestats) which works with any game that uses these protocols like Battlefield 2.
    it can be useful in LAN parties (and indeed this tool is widely used in Battlefield 2 just for this reason), in retro-gaming projects (the idea started for PBA2001 for Dreamcast) and for using custom nicknames online without having an account (should work with any of these games, tested with Race Driver 2 and Battlefield 2).
    note that this tool is databaseless because its only job is to let the clients (any client) "think" they are online and join with any nickname and a fixed password (needed for technical reasons), so this is NOT a project for creating a real set of servers where users can interact with other users.
    read the text file for some details.
    Third-party projects:

papers.htm
    successfully tested on Windows XP SP2 as admin and on Linux as root; compatibility with other Windows versions is not guaranteed.
    unsupported
    gslist -n gore -b 27778 (adds your IP to the servers list of the game Gore, break it after the first packet)
    gslist -n gore (check if your IP has been successfully added)
    gsmsdisc gore yourIP 27778 (removes that IP)

papers.htm
    simple example tool which emulates the method used by ASE to join and leave tracker.udpsoft.com:27246 specifying the MotdIdLo, MotdIdHi and UserID values.

  • ASE UDP packets decoder 0.1 (aseudpdec)
    some lines of code for decoding any UDP packet that ASE sends and receives from the scanners, the tracker and the other servers.
    the packet to decode must be passed to the tool as a file containing its content.


papers.htm
    the algorithm used to decode and encode the UDP packets sent and received from the various ASE servers.

  • ASE Ping 0.1.2 (aseping)
    simple tool to see remote servers information using the All-Seeing-Eye ping packet, used in games which support this protocol like Chrome, Purge and so on.
    this tool doesn't support the handling of multiple ping replies (I'm too lazy).


papers.htm
    simple decoder/encoder for the PK3 files of QuakeLive beta.

  • Multi engine RCON tool and password guesser 0.2.3d (multircon)
    useful tool, previously known as q3rcon, for sending RCON commands to servers which use different engines and support RCON (remote administration).
    currently it supports the Quake 3, Medal of Honor, Half-Life, IGI2, Doom 3 and Quake 2 engines (so not only these games but all the others derived from them too).
    the tool contains tons of options and features and also some password guessing functions which include brute forcing and wordlists.

papers.htm
    lists and optionally downloads all the files located on the remoteStorage of a game, or all your installed games or a range of games defined by their appID.

  • Steamlist 0.1a (steamlist)
    simple servers browser that contacts the Steam master server.
    it also supports the option for executing specific commands or programs for each IP.
    please note that this is an old tool.

papers.htm
    proxy-like tool which decodes the IRC data exchanged between the Ubi.com client and gschat.ubisoft.com in real-time; in practice your Ubi.com client connects to localhost, where this proxy server runs, and the proxy automatically contacts the gschat server.

  • Ubi.com decoding algorithm 0.2 (ubi_algo)
    the algorithm for decoding the Ubi.com data sent and received from the Ubi.com servers.

  • Ubi.com real-time packets decoder 0.2 (ubisniff)

papers.htm
    set of functions for handling the centralized handshakes and the scrambled in-game keys used in Ventrilo 3.x.

  • Ventrilo RCon tool 0.2.9a (ventrcon)
    useful tool for sending rcon commands (both interactively and one-only) to Ventrilo servers.
    it contains also some custom commands which are /chan and /subchan for creating, deleting and listing all the available channels on the server and /user for creating new users.
    other options cover the possibility of executing all the commands in a file or sending commands through a local pipe file and various debugging functions.

papers.htm
    supports all the Ventrilo 2.x and 3.x versions.

  • Ventrilo status retriever 0.1 (ventstat)
    gets status information from Ventrilo servers; this feature has been implemented starting from version 2.1.2 of Ventrilo.
    it can be compared to the default "ventrilo_status" program included in Ventrilo, but with support for any available command and better handling of the input containing the target server (for example you can use URLs too).
    - Mark Veaudry has created a port of the program and the algorithm to PHP.

papers.htm
    the ssc_decrypt, ssc_encrypt, ascii_calculate_hash and ascii_calculate_key_hash functions used in the Leverage library adopted in games like America's Army 3, America's Army 2, ARCA Sim Racing, Jabara and others.

  • CamFrog encryption/decryption algorithm 0.2 (camfrogcrypt)
    the needed functions and algorithm for getting and generating the keys for encrypting and decrypting the data exchanged with the login and main CamFrog servers.
    a practical example which shows both the login mechanism and the subsequent joining of the main server is available here.


papers.htm
    last update: 11 Aug 2013.

  • EAlist 0.1.5 (ealist)
    command-line servers browser based on the list of game servers provided by the Electronic Arts master servers (commonly called fesl or theater), supporting various games for PC, Xbox 360 and PS3 like Battlefield Bad Company 2, Battlefield Heroes, the Need for Speed series, Skate and others for which no alternative listers exist.
    the usage of the tool is the same as gslist.
    to use the tool an EA account is necessary (any account or any EA game is ok for all the supported games); note that the needed account doesn't seem to be the one with the mail address as username... anyway, in doubt try it.

papers.htm

  • Battlefield 2 and 2142 bitstream sniffer 0.1.1 (bf2_sniff)
    experimental tool/hooker for monitoring the reading and the writing of the network protocol used in the BF2 and BF2142 games.
    in short there is a loader for the clients and one for the servers, which are compatible with both games and seemingly also with almost any known version.
    all you need to do is place bf2_sniff_client.exe, bf2_sniff_server.exe and bf2_sniff.dll in the folder of your game and launch the needed bf2_sniff_* executable, which will inject the dll in the loaded process (the loaders also allow you to choose the command and the dll to load in case you want to customize them without recompiling).
    all the bits read and written (received and sent) by your game will be automatically dumped in a text file which can be viewed and analyzed at any moment.

papers.htm
    if you want to understand the network protocol of this game engine, bf2_sniff will help a lot.

  • Babo Violent 2 RCON 0.1 (bv2rcon)
    simple tool which works as a RCON client for the Babo Violent 2 servers, so it is possible to send rcon commands to your own server.

  • JMeetREC 0.2d (jmeetrec)

papers.htm
    tool for verifying if a username and a password are an existing Bioware NWN account.

  • Qtracklist 0.1.1 (qtracklist)
    simple servers browser that uses the Qtracker master server. It also supports the option for executing specific programs for each IP.
    remember to check the following link periodically for possible updates to the games list:
    qtracklist.cfg (qtracklist)

papers.htm
  • GSHlog 0.1 (gshlog)
    another logger/sniffer similar to GSHsniff, but which looks only at encoded packets and only at those sent to or received from a specific game port.
  • GSInfo 0.4 (gsinfo)
    retrieves information from all the servers that use the standard Gamespy queries like "\status\", "\players\" and many others plus the new query protocol (FE FD ...)
    use Gslist
  • HLInfo 0.1.6 (hlinfo)

fakep.htm
  • Generic TCP Fake Players DoS 0.2.2a (tcpfp)
    basic tool which creates multiple simultaneous connections to a specific host and port, something similar to a simple "for(;;) connect();"; it also supports some options for adapting it to specific types of servers through the sending of custom data (-f option).
    it's interesting to notice that various programs which accept TCP connections suffer from some negative effects when stressed through this simple tool.


fakep.htm
    - many others
    - does not work with Klingon Honor Guard and probably other old games while others just crash completely due to their bugged netcode.
    Notes:
    - depending on the version of the engine, it can test passworded servers without knowing the keyword.
    - with the games based on the Unreal 3 engine where it is possible to use the JOINSPLIT command (Unreal Tournament 3, America's Army 3 and so on), it's enough to specify such a command for testing the filling of all the server slots using only one player: unrealfp -1 -x 2 -s JOINSPLIT 1 64 -l "ui_bink_master?Name=player?team=0?Face=0" 127.0.0.1 7777


fakep.htm
    experimental tester for Flashchat (a Flash based chat).

  • Armed Assault Fake Players DoS 0.1.1 (armafp)
    works perfectly in LAN but probably requires something like authorization for testing the internet servers.
    for both ArmA and ArmA2.


fakep.htm
  • Live for Speed Fake Players DoS 0.2.3 (lfsfp)

  • Half-Life fake players bug (no auth) 0.3.2 (hlfill)
    works only with servers without authentication (WON/Steam) and implements the testing of all the hlfreeze/hl-headnut/csdos/Born_to_be_pig vulnerabilities.
    try using "-p 1 -r steam" or "-p 4 -r valve" or "-p 2 -r 00000000000000000000000000000000" (substituting that hash with your valid Steam "raw" hash) for Steam and Valve authenticated servers, or directly the -x option for testing all the bugs (manual testing is preferred).


fakep.htm

  • FunLabs games Fake Players DoS 0.1a (funlabsfp)
    this tool should work with all the games developed by FunLabs: 4X4 Off-road Adventure III, Cabela's Big Game Hunter 2004 Season, Cabela's Big Game Hunter 2005, Cabela's Deer Hunt 2005 Season, Cabela's Dangerous Hunts, Revolution, Secret Service - In harm's Way, Shadow Force: Razor Unit, US Most Wanted: Nowhere To Hide and possibly others.
    also works partially with password-protected servers without knowing the keyword.

  • Chaser Fake Players DoS and clients disconnector 0.1a (chaserfp)

fakep.htm
    causes a crash of the games that use the UDP protocol.

  • Lithtech engine Fake Players DoS 0.3 (lithfp)
    can test servers protected by password without knowing the keyword
    compatible with almost any existing game based on the Lithtech engine, and others can be added easily through their GUID at the command-line:
    - Alien vs Predator 2

fakep.htm
    - Wolfenstein: Enemy Territory (2.60 too but requires a bit of practice, use -B ? for the info)
    - others
    the tool can be also used to test the so called "q3unban" bug automatically, which allows a client on a banned IP address to join the server.
    there is also support for servers which require online authentication (like a valid online cdkey), but only Quake 3 Arena has been supported and tested.

  • Tribes 1 (Starsiege) fake players DoS 0.1a (tribes1fake)

mytoolz.htm
  • hosts file/list DNS checker 0.1 (hostsdns)
    tool which checks if the hostnames listed in a file or contained in a hosts file can be resolved or not.
    supports multi-threading, logging, delay between each query and allows to choose the type of primary query (A record by default) and a backup one in case the first fails (for example A and then NS).
    thanks a lot to Andrew Short of Global Advert Servers Blocklist for all the ideas, suggestions and testing of the tool on over 100000 hosts.

  • webimgms 0.1.2b (webimgms)

mytoolz.htm
    tool for indexing recursively any file available inside a FTP server or one of its folders.
    it has options for verbose output, full or relative URL, fields to visualize and HTML output.
    I wrote it because sometimes it happens that one needs a specific file or a set of files available on a FTP server but doesn't know in what folder they are located, or whether different and more updated versions and copies of that program/file exist, so this tool lists all the names and sizes of the files inside a specific FTP directory or in the entire server, allowing an easy search for these files in the local list.
    note: the tool works only with *nix servers and at the moment it is no longer supported.

  • Proxymini 0.2.3 (proxymini)

mytoolz.htm
    simple tool for XORing an input file with a byte or a key chosen by the user, which can be a file, a string or a sequence of hex bytes.

  • Zipweb 0.4.1 (zipweb)
    utility for viewing the index of remote ZIP packages located on HTTP servers without downloading them.
    the program supports proxies and automatic keep-alive and has a lot of options and useful functions, such as the interactive download of the files in the ZIP package or their download based on part of their filenames (so for example it is possible to download a text file of 2 kilobytes from a ZIP file of 3 gigabytes in a couple of seconds) and the CRC32 comparison between the remote files in the ZIP and the local files on the disk.
    it works with both ZIP and self-extracting ZIP files, so use it also with EXE files; it can also be used to show only the size of any remote file.

mytoolz.htm
    unsupported

  • GetHEAD 0.1.2 (gethead)
    simple tool to see the HTTP headers of the web servers.
    unsupported


mytoolz.htm

  • Pdown 0.1.5 (pdown)
    this useful tool is a sequential file downloader: it downloads sequentially named files from each sequentially named directory specified by the user.
    supports HTTP proxy servers, download recovery and starting downloads from a specific byte of the file (this option is very useful if you want to download only a part of a file instead of all of it!). For sequential filenames it uses C language format specifiers such as %d, %02d, %x and so on.
    unsupported


mytoolz.htm
    unsupported

  • POPrmft 0.1.1 (poprmft)
    the long name is "POP3 remove mails FROM and TO": this tool is useful to remove a range of mails from mailboxes on POP3 servers. It also supports APOP (secure authentication).
    note that this tool is old and I wrote it only for an occasion in which I needed a similar program.
    unsupported

testz.htm
  • UDD files quick information 0.1 (uddinfo)
    quick and basic tool which shows some information contained in the UDD files used by Ollydbg, like the various breakpoints and the comments.

  • Webservers char tester 0.1.1 (webtestchr)
    a simple tool which has been very useful over the years for the blind and quick testing of some vulnerabilities in software that uses the HTTP protocol.
    in practice it scans all the 255 ascii chars and puts them in some particular locations of the URI, like before and after the slash or at the end of the URI and so on.

testz.htm
    nice tool that acts like a TFTP client with some advanced features.

  • Generic custom HTTP file uploader 0.2a (myhttpup)
    simple tool for uploading files (POST + mime) choosing the name of the destination file, useful for testing directory traversal vulnerabilities in web servers and components which allow uploading files.


testz.htm
    a simple JavaScript example for animating many sequential image files.

  • Webpostmem 0.1 (webpostmem)
    This tool can be used to test POST-based attacks on webservers, for example memory and sockets that are not freed if the client sends less data than specified in Content-Length. It is the same proof-of-concept I have used for the bugs in Goahead webserver, NULLhttpd and WWW Fileshare Pro.

  • Q3huffdecenc 0.2 (q3huffdecenc)

testz.htm
    a very simple tool to create GIF files with customized headers.

    This tool does a basic http authorization with user and password given by the user. I have released it because it can be useful to find possible bugs in some webservers.

  • HLspfed 0.1.1a (hlspfed)

testz.htm

  • ut2003fits 0.1 (ut2003fits)
    UT2003 fake information test server: this tool can be used to send custom information to the clients that search for multiplayer games (very funny if used when the real UT2003 server is running).
    this simple tool can be used in a lot of ways. For example, if you launch UT2003heartbeat and then UT2003fits you will see all the players that are online, because every player that enters the multiplayer section of UT2003 will automatically request information from all the available servers, and you can log all these players (for example for statistical purposes).

  • Half-Life testing server 0.1.2 (hlts)

testz.htm
    this server answers the Half-Life queries. It supports: ping, infostring, details, getchallenge, players, rules, challenge rcon and connect.

  • UT2003 heartbeat emulator 0.1 (ut2003heartbeat)
    heartbeat protocol emulator for UT2003. With this little code you can add your IP address to the official Epic UT2003 servers list (http://ut2003master.epicgames.com/serverlist/full-all.txt and demo-all.txt).
    HERE is the explanation of the protocol.


98 results found