
Exploiting Anno 1404#2106

Open
carlospolop wants to merge 1 commit into master from update_Exploiting_Anno_1404_20260408_191637

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.synacktiv.com/en/publications/exploiting-anno-1404.html
  • Blog Title: Exploiting Anno 1404
  • Suggested Section: HackTricks Main -> Pentesting Web/Generic Hacking (Archive Extraction Path Traversal / Arbitrary File Write) + Windows Local Privilege Escalation (DLL Hijacking) + Binary Exploitation (File format parsing / memory corruption primitives, heap grooming) + Generic Methodologies (Fuzzing/Reverse engineering with Frida for proprietary RPC/protocol surface enumeration)

🎯 Content Summary

Scope / target


The post analyzes Anno 1404: Venice (DRM-free v2.01.5010 from GOG), where only LAN multiplayer is available. Multiplayer supports save/resume via .sww save files: when a client joins a host running a saved game, the host automatically transfers the save file to clients. This implicit file transfer + proprietary asset formats create a remote attack surface that can be reached from within multiplayer.

The game pro...

🔧 Technical Details

Enumerating proprietary RPC-like UDP attack surfaces with Frida: When a protocol exposes an RPC dispatcher (e.g., RMC messages containing ID, Flags, Source, TargetObject, Method), brute-force object/class IDs and method IDs while instrumenting the client (e.g., frida -l explore-surface.js Addon.exe) to enumerate reachable handlers and identify risky primitives such as file transfer methods (OnSendFileInit, OnSendFileData, OnReceivedFileData, OnCancelSendFile).

Path traversal via peer-controlled filenames in automatic file transfer: If a receiver writes an incoming file using a filename supplied by a remote peer without sanitizing ..\ components, the sender can escape the intended directory and force arbitrary file writes constrained only by the receiver’s token/ACLs. This commonly chains into DLL search order hijacking...

🤖 Agent Actions

I’m mapping the repo first and then I’ll read the closest existing pages for archive traversal, DLL hijacking, file-format exploitation, and Frida-based protocol enumeration before deciding on a single destination file.
I found an existing archive traversal page, but I still need to check whether the genuinely new material is better represented as a file-format exploitation update instead of another traversal example. Next I’m reading several nearby pages and looking for overlap with relocation-table corruption, heap shaping, and DLL hijack chaining.
I’ve read the closest existing pages. The traversal-to-DLL-hijack portion is already covered well, so the likely value-add is the GR2 relocation-table exploitation pattern: unchecked fixups, controlled section-pointer corruption, and heap shaping to convert a file-format parser bug into an arbitrary write.
The repo already contains a page for the GR2 relocation exploit, so I’m avoiding a redundant new page. I’m adding only the missing attack-surface discovery and delivery-chain context that the current file doesn’t yet capture: Frida enumeration of the proprietary RPC surface and the peer-controlled save-transfer filename primitive that feeds the asset exploit.
The edit is in place. I’m doing a final pass on the rendered structure and diff now to confirm it stays non-duplicative, keeps the references section at the end, and doesn’t spill the content into a second file.
Updated common-exploiting-problems-unsafe-relocation-fixups.md to capture the missing part of the Synacktiv chain without duplicating content already present elsewhere in HackTricks.

The file already documented the GR2 relocation-fixup exploitation itself, so I added only the missing setup: Frida-based enumeration of the proprietary RPC surface, identification of the auto file-transfer handlers, and the save-transfer filename traversal as the delivery path into the trojanized .rda/.gr2 asset attack. I reviewed the final markdown and kept everything confined to that single file with ## References still at the end.

Verification: reviewed the git diff and final file contents; no code/tests were applicable for this documentation-only change.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
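The receiver-side check that the "peer-controlled filenames" paragraph above calls for, written as an added example (this is not code from the PR, the game, or the Synacktiv post): it accepts only a single bare file name, rejects both separator styles, drive/UNC prefixes, trailing dots/spaces and NUL bytes, and confirms the resolved path still sits inside the save directory. The save directory, the .sww-only rule and all function names are assumptions.

```python
import ntpath

# Constructed example of a hardened save-transfer handler for the Windows
# game client described above. SAVE_DIR, ALLOWED_EXT and the function names
# are hypothetical; nothing here is the game's or the post's own code.

SAVE_DIR = r"C:\Users\player\Documents\Anno 1404\Savegames"  # assumed location
ALLOWED_EXT = (".sww",)  # the post only describes .sww saves being transferred


class UnsafeFilename(ValueError):
    """Raised when a peer-supplied name must not be written to disk."""


def safe_save_path(peer_name: str, base_dir: str = SAVE_DIR) -> str:
    """Return base_dir\\<leaf> for a peer-supplied name, or raise UnsafeFilename."""
    if not peer_name or "\x00" in peer_name:
        raise UnsafeFilename("empty name or embedded NUL")
    # Win32 treats '/' like '\', so unify before inspecting components.
    unified = peer_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(unified)  # catches C:..., C:\..., \\srv\share\...
    if drive or ntpath.isabs(unified):
        raise UnsafeFilename("absolute, drive or UNC path: %r" % peer_name)
    if "\\" in rest:
        # Any separator means a directory component; that already covers '..\'.
        raise UnsafeFilename("directory separators not allowed: %r" % peer_name)
    leaf = rest.strip()
    # Win32 silently strips trailing dots/spaces, which can dodge naive checks.
    if leaf != rest or leaf in (".", "..") or leaf.endswith((".", " ")):
        raise UnsafeFilename("dot/space component: %r" % peer_name)
    if not leaf.lower().endswith(ALLOWED_EXT):
        raise UnsafeFilename("unexpected extension: %r" % peer_name)
    # Belt and braces: rebuild the final path and verify containment.
    base = ntpath.normpath(base_dir)
    final = ntpath.normpath(ntpath.join(base, leaf))
    if ntpath.dirname(final).lower() != base.lower():
        raise UnsafeFilename("escapes save directory: %r" % peer_name)
    return final


def is_accepted(peer_name: str) -> bool:
    """Convenience wrapper: True if the name would be written, False if rejected."""
    try:
        safe_save_path(peer_name)
        return True
    except UnsafeFilename:
        return False
```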

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.synacktiv.com/en/publications/exploiting-anno-1404.html

Content Categories: Based on the analysis, this content was categorized under "HackTricks Main -> Pentesting Web/Generic Hacking (Archive Extraction Path Traversal / Arbitrary File Write) + Windows Local Privilege Escalation (DLL Hijacking) + Binary Exploitation (File format parsing / memory corruption primitives, heap grooming) + Generic Methodologies (Fuzzing/Reverse engineering with Frida for proprietary RPC/protocol surface enumeration)".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
