abelrguezr/unsafe-relocation-exploitation
skills/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups/SKILL.md
Analyze and exploit unsafe relocation fixup vulnerabilities in asset loaders. Use this skill when investigating binary vulnerabilities in game engines, asset parsers, or any software that applies relocation tables to loaded data. Trigger when the user mentions relocation tables, asset loaders, heap corruption, pointer fixups, section arrays, or similar binary exploitation concepts. Make sure to use this skill whenever analyzing asset loading code, relocation handlers, or when the user is researching heap-based exploitation techniques in legacy software.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills unsafe-relocation-exploitationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:09 AM21.3s2 files scanned
SKILL.md
- name:
- unsafe-relocation-exploitation
- description:
- Analyze and exploit unsafe relocation fixup vulnerabilities in asset loaders. Use this skill when investigating binary vulnerabilities in game engines, asset parsers, or any software that applies relocation tables to loaded data. Trigger when the user mentions relocation tables, asset loaders, heap corruption, pointer fixups, section arrays, or similar binary exploitation concepts. Make sure to use this skill whenever analyzing asset loading code, relocation handlers, or when the user is researching heap-based exploitation techniques in legacy software.
Unsafe Relocation Fixup Exploitation
A skill for analyzing and exploiting unsafe relocation fixup vulnerabilities in asset loaders and binary parsers.
Overview
Unsafe relocation fixups occur when asset loaders blindly trust attacker-controlled metadata to patch pointers within loaded data. This creates arbitrary read/write primitives that can be weaponized for RCE.
Vulnerability Pattern
The classic unsafe relocation handler:
int *GrannyGRNFixUp_0(DWORD RelocationCount,
Relocation *PointerFixupArray,
int *SectionArray,
char *destination)
{
while (RelocationCount--) {
int target_base = SectionArray[PointerFixupArray->SectionNumber]; // UNCHECKED
int *patch_site = (int *)(destination + PointerFixupArray->SectionOffset); // UNCHECKED
*patch_site = target_base;
if (target_base)
*patch_site = target_base + PointerFixupArray->Offset;
++PointerFixupArray;
}
return SectionArray;
}
Critical flaws:
SectionNumberindex is never bounds-checkedSectionOffsetis never validated against section size- Negative offsets allow walking backwards into allocator metadata
- Oversized indices allow walking outside the section array
Exploitation Methodology
Stage 1: Write Backwards into Loader Metadata
Goal: Use negative offsets to corrupt the section pointer array itself.
Key insight: Custom allocators prepend headers to allocations. By calculating the exact distance between:
- Start of first section buffer
- Section pointer array (stored before first section)
You can craft relocations that write into the pointer array.
Calculation example:
0x20 (header) + 0x20 (section descriptors)
+ n * 1 (section types) + n * 1 (flags)
+ n * 4 (pointer table) = 0x4000
Solving for n gives the number of sections needed to position metadata at a specific offset.
Stage 2: Deterministic Heap Layout
Windows 10 NT Heap behavior:
- Allocations ≤ 0x4000 → randomized LFH (Large Free Heap)
- Allocations > 0x4000 → deterministic backend allocator
Strategy:
- Inflate metadata (many empty sections) until allocation > 0x4000
- Preload malicious assets to "prime" heap layout
- Force predictable placement of:
- Allocation #1: metadata + section pointer arrays
- Allocation #2: section 0 contents
- Allocation #3: section 1 contents
Stage 3: Convert to RCE
- Corrupt SectionContentArray[1] using negative offset relocation
- Recycle the corrupted pointer - Section 1's relocation table now uses your injected pointer
- Hit reliable dispatchers - Overwrite function pointers that fire during normal operation:
- Allocator callbacks (Malloc/Free)
- Virtual tables
- Animation dispatchers
- Rendering callbacks
Analysis Checklist
When investigating potential unsafe relocation vulnerabilities:
- Identify asset loaders that maintain SectionArray/relocation tables
- Diff relocation handlers for missing bounds on indices/offsets
- Measure allocator headers from both game wrapper and OS heap
- Calculate backwards offsets precisely
- Force deterministic placement by inflating metadata
- Identify reliable targets - function pointers that will fire
Defensive Considerations
- Always bounds-check relocation indices
- Validate offsets against section sizes
- Use safe integer arithmetic
- Consider ASLR/DEP hardening
- Validate asset metadata before processing
References
- Synacktiv – Exploiting Anno 1404
- W. Yason – Windows 10 Segment Heap Internals
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026