diff --git a/src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md b/src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md index 8ef2605e7d8..907f358fa09 100644 --- a/src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md +++ b/src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md 
@@ -2,6 +2,31 @@ {{#include ../banners/hacktricks-training.md}} +## Finding the parser attack surface first + +In *Anno 1404: Venice* the interesting parser bug was reachable only after mapping the proprietary multiplayer surface. The useful pattern is: + +1. Identify the RPC-style dispatcher in the network DLL and log the fields that select the handler (`ID`, `Flags`, `Source`, `TargetObject`, `Method`). +2. Brute-force object/class IDs and method IDs while instrumenting the process with **Frida** to recover the valid dispatcher surface. +3. Prioritise handlers that move attacker-controlled bytes into local storage or parser entry points. + +Minimal workflow: + +```bash +frida -l explore-surface.js Addon.exe +``` + +Useful output is not “all methods”, but the handlers that create a file-delivery or parser trigger. In this case the `Player` object exposed `OnSendFileInit`, `OnSendFileData`, `OnReceivedFileData`, and `OnCancelSendFile`, which immediately narrowed the audit to automatic save-file transfer. + +## Delivery chain into the relocation bug + +The remote entry point was not the `.gr2` parser directly. The host first abused the save-transfer feature by sending a peer-controlled filename containing traversal sequences, making the client write outside the intended save directory. That gives two practical follow-ons: + +- **Delayed execution**: drop a DLL in the application directory and rely on normal Windows DLL search order on the next launch. +- **No-restart code execution**: overwrite a game asset archive (`.rda`) with a trojanized `.gr2` model so the vulnerable relocation handler processes attacker-controlled metadata during gameplay. + +This is a useful general pattern in proprietary engines: first enumerate the RPC/file-transfer surface, then look for asset formats that are fetched or reloaded on demand and can be replaced through the file-write primitive. + ## Why asset relocations matter Many legacy game engines (Granny 3D, Gamebryo, etc.) 
load complex assets by:
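Review bot: the "Minimal workflow" step (`frida -l explore-surface.js Addon.exe`) references a script, `explore-surface.js`, that is neither included in this page nor linked, so the reader cannot reproduce the step that the whole section rests on; either inline at least the hook skeleton (the dispatcher hook and the fields it logs: `ID`, `Flags`, `Source`, `TargetObject`, `Method`) or state explicitly that the script name is a placeholder for the reader's own hook. Note also that invoking `frida` with a process name attaches to an already-running process; if the dispatcher surface is exercised during session setup, mention `-f Addon.exe` so the script is loaded before the handlers fire. Finally, the delivery-chain paragraph says the client "writes outside the intended save directory" but does not say which handler consumes the peer-controlled filename (presumably `OnSendFileInit`) or what, if any, sanitisation it applies; naming the handler and the missing check would make the traversal claim verifiable instead of asserted.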