Feb 10, 2018

Turok 4 Multiplayer – Part 1

To start this off I suppose I should explain what Turok 4 Multiplayer is, Put simply it’s actually a modification for the original Turok 4: Evolution game which was released on PC with no multiplayer support. It introduces Multiplayer Online via means of reverse engineering, programming, and injecting custom code into the game engine.

The idea of this series of posts will be to go over the various hurdles and challenges I went through and am still going through while creating this modification with the hope in mind that it will help others learn this stuff or even create a similar project of their own for their own game, the caveat here is that Turok 4: Evolution on PC did have some local multiplayer code available within the binary this was a huge step towards already having existing Multiplayer content usable and reduced the amount of work needed drastically.

If we look at other games such as Grand Theft Auto 3 or Grand Theft Auto: San Andres while there was no multiplayer support initially there was a wide open world and tons of NPCs to control or replace, that task (replacing NPCs with players, or dynamically spawning them) should have been relatively straight forward once some initial reversing was done… I’ll get into that later in the article/series though.

The idea when I obtained Turok 4 was the same; I had no idea I was walking into a game where Multiplayer modes would exist but there would be no way to control other players, disable the split-screen modes, among other things including various bugs and crashes to overcome.

So the question I had to ask myself before even having the game was where to start; I’ll get into that next but first I want to note that this series will assume the reader has some prior reverse engineering and game hacking knowledge as well as some understanding of the tools such as Cheat Engine/MHS, IDA Pro + Hex Rays Decompiler/OllyDBG, and ReClass.

The first part of this article won’t be super technical as it’s an introduction to the project and initial steps taken; if you’re looking for more technical information in terms of how classes were able to be discovered, player spawning functionality, or the networking put in place please tune-in at a later period this part of the series probably isn’t for you.


If you’re just into the source-code and not interested in the reading of how this came to be this is for you:


A video of the current progress of this project can be seen here:


As promised though, here’s a series part by part on how the Turok 4: Multiplayer modification took place what the code contains how it works and etc.

Continue reading »

Jan 7, 2017

DNS-Rebinding Part # 2

Coming into this and learning of DNS Rebinding I had decided I wanted  to make my own attack platform,

After doing research it was apparent that this could be quite deadly getting a victim’s LAN IP is trivial, and port scanning from a browser is even more trivial via websockets.

The idea that if I was able to identify LAN based services and generate payloads (even bypassing CSRF tokens when DNS Rebinding) was just something I couldn’t resist admittedly I had done minimal research on the matter before deciding I was going to write said platform only to discover now that BeEF project (which I haven’t used since 2013) supports exactly this and achieves the kind of crazy I was only dreaming of ( Reverse-shell from a web browser with nothing more then javascript ).

Funny enough I feel that when I was more active in the information security industry / scene that XSS/CSRF were not taken seriously enough and I feel a lot of developers still do not take them seriously when it seems they can lead to full-scale network compromise and it’s been proven time and time again that if enough payloads were distributed for common networks you’d be able to achieve MITM attacks on routers, reverse-shells on insecure systems and more.

Some software and users seem to rely on the idea that if it’s running on the same system they’re accessing it on that authorization shouldn’t be needed (If they access from with attacks like this however we overcome the fact that things are running on the in-side of the network so chaining things together such as CSRF and code exec issues in systems leads to actual network compromise.

Continue reading »

Dec 21, 2016

Hijacking a Victim’s DNS with DNS-Rebinding


Thanks to Kurt over at DWF I was able to get a CVE assigned for the OSSEC SQL-Injection detailed in my previous post CVE-2016-1000266 / CVE-2016-1000265

Was happy to help the guys over at OSSEC patch the problem and I’m glad it’s getting some acknowledgement.

Hijacking a Victim’s DNS with Anti DNS-Pinning(DNS Re-binding)

Last night I got on the kick of router/modem security considering the recent attacks we’ve had going on I thought it might be nice to jump on the bandwagon of researchers and check it out for myself.

With this I thought I’d simulate an attack I was able to perform in a penetration test because a router had remote management enabled, which was hijacking the victim’s DNS requests via DNSChef and getting a MITM to steal the victim’s credentials as they logged into a specific website.

That was all achieved by simply changing the victim’s DNS settings on their router,

So the question became what’s stopping me from doing this to my own modem via a web browser on an internet facing URL.

Immediately I started looking for any code which may not enforce the Same-origin policy to explain briefly the Same-origin policy was created to protect against attacks where web code attempts to make a request to a server where it’s unauthorized to do so (meaning local network resources as well like modems and routers).

Continue reading »

Aug 18, 2016

OSSEC let me down…

First let me explain what OSSEC is and why a vulnerability in this system is important.

OSSEC is an host based open-source intrusion detection system…

Most recently there’s been a few vulnerabilities found and disclosed in it that have gotten rather concerning to me

These become a larger issue when the vulnerability I’ve found requires you to have access to the agent at a level where you can modify the configuration file, I consider what I’ve found to be slightly more severe in larger environments because depending on the configuration of the server system it could allow a full-scale breach instead of a single agent being compromised.

In theory once someone was to exploit/hack or gain access to an agent in any way the only thing you’re concerned with is that agent where the SQL injection takes place in the central server where the agents report to, in some cases this central server is within a corporate network that’s meant to be segregated from the rest of the agents… in theory once one was to compromise the central server of something like this access to additional systems or all of the systems/agents is to follow…

The idea of someone gaining access to an entire enterprise network, but because the system itself is meant to detect intrusions… with the SQL injection that I’ve discovered it would be possible to wipe evidence and make sure people weren’t able to see it given they weren’t recording to email regardless I feel it nearly renders the system useless in a sense.

More concerning is that a lot of people are recommended to use this system post-failure of PCI audits ( Meaning consumer credit card data should be protected by a system with vulnerabilities in it ).

I’ve also since writing this article submitted a pull-request to attempt to fix the vulnerability mentioned in this article (https://github.com/ossec/ossec-hids/pull/923), and requested a CVE which I’ll add to this article once I have it.

All of that aside…
A few days ago I’m upgrading OSSEC on some machines and install a non-stable development/release candidate on one of the systems connecting back to my 2.8.3 (Latest stable/release instance) immediately I notice that my agent isn’t reporting…
I check logs and notice SQL syntax errors, now at first I think nothing of this, it’s strange but not alarming yet….
Then I notice what the syntax errors are actually being caused by and I find that I’ve just discovered an SQL Injection in OSSEC’s server system when using a database (Yes this includes Postgresql).

2016/08/17 12:52:03 ossec-dbd(5203): ERROR: Error executing query ‘SELECT id FROM location WHERE name = ‘thedefaced->netstat -tan |grep LISTEN |grep -v ‘’ | sort’ AND server_id = ‘1’ LIMIT 1′. Error: ‘You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’ | sort’ AND server_id = ‘1’ LIMIT 1′ at line 1′.

That being said I’ve done some research on this and even attempted exploiting it to gain a proof of concept considering the latest release candidate ships with the configuration file that caused this ordeal in the first place I would assume that the latest version is patched against this, yet was not back ported to the latest stable release…

To start lets discuss what could happen with this,
Continue reading »

Jun 29, 2016

Your mail box is getting full… Story of a phisher.

Your mail box is full


I had recently been inspired by a video from a man who goes by the alias “Scamalot” in this video series he responds to spam emails and simply “trolls” the scammers, phishers, or spammers the series is great, and I highly recommend checking it out if you haven’t ( https://www.youtube.com/watch?v=dSoXEtFPTfI ).

Well due to being inspired by this I decided to take it upon myself to start attempting to “troll” or annoy these spammers, scammers, and phishers myself as it seemed to be my duty at this point considering the amount of spam I regularly receive it was a great idea.

Coming into this the last thing that I expected to do is take over a phish page and leave a warning for those who clicked on it in the future but, that’s exactly what I ended up doing….

Continue reading »

Mar 2, 2016

Project Cartographer has a homepage!

Project Cartographer ( which I’m referring to as H2V:Online from here on ) now has a homepage where pretty soon you’ll be able to find a download link for the mod!

There’s still tons of things that can be done and I plan to write about and release tons more information on this project as well as put more time and effort into improving the overall game play experience as much as I can, In other news FishPhD is now in charge of coding the launcher for the game and the ‘official’ community of Project Cartographer Aka H2V:Online is now halo.cafe.

You can find the new H2V:Online homepage here.

Dec 13, 2015

Turok 4: Evolution Multiplayer aka T4MP – PC

A long time ago a friend(DarkCoder) and I embarked on attempting to turn a (random) game into a multiplayer Online one, the original intention was to find a single player only game and determine how we could make it into a multiplayer online game instead.

While searching for a game to do this with we ran into Turok 4: Evolution and thus began T4MP remnants of such can still be seen here

Development didn’t get very far though we had a lot of the basic bugs fixed, we had most of the player data structures reverse engineered and the data was syncing between the games.

There were still a ton of issues for starters we had no idea how the hell to program a Multiplayer game at the time so most of our data sending was based on loops which constantly updated the information on the clients about the players.

Now that you know the history of the project I’m glad to say I’ve decided to start working on it again and I’ve made minor progress reverse engineering the event/cause/links/scripts inside of the ati files of the game and have got the game going back into the local multiplayer split-screen mode again.

I’ve had to start over completely as I’ve lost my original code.

But here’s a video demonstrating progress so far,

And here’s one showing issues with the depth buffering that I’m currently attempting to fix,

Nov 22, 2015

Did someone say GunGame (Arms Race)?

After long hours of sitting around reversing script functions and getting help from both kornman00 and xbox7887 on various research they had from xbox versions of the game,

I managed to complete a simple quick gun game setup as a first attempt at creating a custom game type, right now it’s all written¬† in the C but the idea is to add lua support to things and actually re-write it in lua as a PoC as what will be possible with the extended external scripting of the game.

The main issue here is determining when to load these scripts (most likely we’ll have options to do it when a specific variant is selected),

The idea is to allow anyone to actually make similar crazy game types for the game and allow people with even no programming experience to help make the game better.

I leave you with a quick video of us testing out gun-game.

Nov 13, 2015

Re-writes improve everything don’t they?


The network handling code has been re-written from the ground up on the client side and it seems to have eliminated all performance issues I also eliminated some memory leaks that were present before and I’m happy to say, The state of project Cartographer is STABLE!.

So what’s next on the agenda?

Let’s take a look at what’s currently done.

Continue reading »

Nov 5, 2015

Performance issues are no fun!


During my previous fix I changed things around so much that I actually introduced major performance issues the processing time of each packet went up and part of which seemed to also have introduced some sort of memory leak.

Over all the current state of project cartographer is unplayable and unstable with that said we still need people to test once in awhile and lately it’s been hard finding anyone around (in Teamspeak) enough to do so we have 1 or 2 dedicated people willing to test through the agony of lag, crashes, and random other events with us.

Right now what needs to happen is a complete re-write of all packet handling systems there’s tons of inefficient and poorly done things which I’m just now re-thinking and re-structuring.

What I’m constantly seeing from people though is the misunderstanding that this project is currently in a state where we’re even looking for bug reports, or that you can even use it.

If you download this to test with us please do not report things like,
“I crash”,”It doesn’t work”, “It’s laggy”,”Help me”.

These things do not help us improve the code for you and the rest of the community these things only begin to frustrate me and misdirect my attention to issues other then what’s important which is creating a playable stable solution for everyone to play their games with.

Hopefully I have more news soon for the community and here’s to it being good news once I complete this re-write of the whole user handling system, another late night in coming.