This repository contains different toolz for having fun with the game Mafia

Idapython script for extracting key required for decyphering .dta files

Known Issues : some .dta files are not correctly handle.

Program for extracting .dta files, only work with few of them, tested on AB.dta to get all the music files (.ogg) :

• SOUNDS\MUSIC\05 - Calm.ogg
• SOUNDS\MUSIC\03 - Fate.ogg
• SOUNDS\MUSIC\14 - Success.ogg
• SOUNDS\MUSIC\Lake of Fire.ogg
• SOUNDS\MUSIC\mise02-ulicka.ogg
• SOUNDS\MUSIC\city_music_01.ogg
• SOUNDS\MUSIC\city_music_10.ogg
• SOUNDS\MUSIC\city_music_02.ogg
• SOUNDS\MUSIC\city_music_11.ogg
• SOUNDS\MUSIC\city_music_03.ogg
• SOUNDS\MUSIC\city_music_12.ogg
• SOUNDS\MUSIC\city_music_04.ogg
• SOUNDS\MUSIC\city_music_13.ogg
• SOUNDS\MUSIC\city_music_05.ogg
• SOUNDS\MUSIC\city_music_06.ogg
• SOUNDS\MUSIC\city_music_15.ogg
• SOUNDS\MUSIC\city_music_07.ogg
• SOUNDS\MUSIC\city_music_08.ogg
• SOUNDS\MUSIC\city_music_09.ogg
• SOUNDS\MUSIC\13 - Game Over.ogg
• SOUNDS\MUSIC\12_scene music.ogg
• SOUNDS\MUSIC\20 - Carchase 2.ogg
• SOUNDS\MUSIC\19 - Carchase 1.ogg
• SOUNDS\MUSIC\01 - Main Theme.ogg
• SOUNDS\MUSIC\15 - Surprise 1.ogg
• SOUNDS\MUSIC\16 - Surprise 2.ogg
• SOUNDS\MUSIC\18 - Escalation.ogg
• SOUNDS\MUSIC\17 - Saras Theme.ogg
• SOUNDS\MUSIC\11 - Night Psycho.ogg
• SOUNDS\MUSIC\06 - Briefing - Bad.ogg
• SOUNDS\MUSIC\08 - Briefing - Good.ogg
• SOUNDS\MUSIC\10 - Fighting theme 2.ogg
• SOUNDS\MUSIC\09 - Fighting theme 1.ogg
• SOUNDS\MUSIC\04 - Sorrow and Church.ogg
• SOUNDS\MUSIC\12 - Quiet Before Storm.ogg
• SOUNDS\MUSIC\07 - Briefing - Conspiracy.ogg
• SOUNDS\MUSIC\02 - Main Theme (short version).ogg

Exploit a stackoverflow in rw_data.dll

The vulnerability is in function called by :

003618A0 ; int __stdcall dtaOpen(LPCSTR lpFileName, char)

function sub_361B90 have an array of char on the :

00361B90 var_208= byte ptr -208h

When they read the "real name" of the file, they don't check the size to read (or only the & 0x7FFF) :

.text:00361E3F push    0               ; lpOverlapped
.text:00361E41 and     edx, 7FFFh
.text:00361E47 push    ecx             ; lpNumberOfBytesRead
.text:00361E48 push    edx             ; nNumberOfBytesToRead
.text:00361E49 mov     edx, [esi+eax]
.text:00361E4C lea     ecx, [esp+2E8h+var_208]
.text:00361E53 push    ecx             ; lpBuffer
.text:00361E54 push    edx             ; hFile
.text:00361E55 call    ebx ; ReadFile

Watch the extractor of .dta file for understand how the file format work.