@@ -2,6 +2,31 @@

{{#include ../banners/hacktricks-training.md}}

## Finding the parser attack surface first

In *Anno 1404: Venice* the interesting parser bug was reachable only after mapping the proprietary multiplayer surface. The useful pattern is:

1. Identify the RPC-style dispatcher in the network DLL and log the fields that select the handler (`ID`, `Flags`, `Source`, `TargetObject`, `Method`).
2. Brute-force object/class IDs and method IDs while instrumenting the process with **Frida** to recover the valid dispatcher surface.
3. Prioritise handlers that move attacker-controlled bytes into local storage or parser entry points.

Minimal workflow:

```bash
frida -l explore-surface.js Addon.exe
```

Useful output is not “all methods”, but the handlers that create a file-delivery or parser trigger. In this case the `Player` object exposed `OnSendFileInit`, `OnSendFileData`, `OnReceivedFileData`, and `OnCancelSendFile`, which immediately narrowed the audit to automatic save-file transfer.

## Delivery chain into the relocation bug

The remote entry point was not the `.gr2` parser directly. The host first abused the save-transfer feature by sending a peer-controlled filename containing traversal sequences, making the client write outside the intended save directory. That gives two practical follow-ons:

- **Delayed execution**: drop a DLL in the application directory and rely on normal Windows DLL search order on the next launch.
- **No-restart code execution**: overwrite a game asset archive (`.rda`) with a trojanized `.gr2` model so the vulnerable relocation handler processes attacker-controlled metadata during gameplay.

This is a useful general pattern in proprietary engines: first enumerate the RPC/file-transfer surface, then look for asset formats that are fetched or reloaded on demand and can be replaced through the file-write primitive.

## Why asset relocations matter

Many legacy game engines (Granny 3D, Gamebryo, etc.) load complex assets by:
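Review bot: the `frida -l explore-surface.js Addon.exe` command under "Minimal workflow" references a script that is neither included nor described, so a reader cannot reproduce the dispatcher mapping from step 1; either add the script (or a link to it) or state in one sentence which dispatcher routine it hooks and which of the listed fields (`ID`, `Flags`, `Source`, `TargetObject`, `Method`) it logs. Also, the "Delivery chain" section describes the traversal-in-filename write primitive without naming the corresponding fix; a sentence noting that the save-transfer handler should canonicalise the peer-supplied filename and reject path separators and `..` components before writing under the save directory would make the page useful for defenders as well as auditors.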