Punkbuster Strings

Ok, now thanks to Jetamay, I was able to get my DLL compiled. I got a cople strings from PB, and was wondering if anyone knows wether they are good, or bad strings (good as in, no hacks, and bad as in, something is detected.)

I hooked the PB Check function.

Here the strings i got so far (I wasnt kicked, i left.)

Code:

B+1000 ff000 018B62AE302B24D0AD5DAAEA5D21ACFE
B+100000 100000 76D396E0B14448B7D64444DC9E514E03
B+200000 100000 1424129BB6A2F91BDA71D849F6F0A5EE
AMy dx C:\WINDOWS\system32\d3d8.dll size=1179648 md5=42803EC60803C1A0754671E9183458F1
B+300000 100000 BF26F6099AB0BEA2DDB01B7E0FABCEA0
B+400000 91fff 822ED0618B62EF08A5E517568E97076B
B* \d3d8.dll 10347  1_8bff558bec6aff6858c1aa6d64a10000
Bmk OpenProcess 21 518D04245068********6A00FF15********50FF15 8bff558bec83ec208b45108945f88b45

What format is that log in?
Were you running hacks while you were logging?

No hacks, just the logger.
Format?
I used my original function

Code:

int _PBPerformCheck(int iEAX, size_t Count, char *Dest ){
	int iReturn = pPBPerformCheck( iEAX , Count, Dest );
		FILE * pFile;
		pFile = fopen ("C:/WarRock.txt","a");
		if (pFile!=NULL)
		{
		fputs (Dest,pFile);
		fputs ("n",pFile);
		fclose (pFile);
	}
	return iReturn;
}

I got a graduation party to go to. Ill be back in a few hours.

Ah, I see, I thought you were logging all three params. Just a second, let me give this a go.

Wired, ofstream converted my output. Anyway, I ran until the kick

Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006
T9006

Obviously T9006 is the bad string, however, I'm going to logg the third param, GetTickCount 5 may be incorperated with pbcls memcheck second param.

O, so you logged the first two parameters? Ill edit my code later to log all three...
The only thing is going through my mind, is, if the logging is detected (hopefully not =P, maybe use a DetourFunctionWithTrampoline()?) How are we suppose to know what strings are good?

Im thinking if we use a trampoline detour, then the information will still go through PB as if it were never touched, we just logged it. Maybe, but probably not, im starting off hacking this game late, obviously lol.

BTW, ofstream? I didnt use that, i just used fputs =P

Originally Posted by *Marneus901*

I tried it with trampoline small time ago and i got kicked :F patching strings should do it

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 4
STRING : BC0
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------

IEAX : 14878020

count : 26
STRING : T9006
---------------------------------

IEAX : 14878020

count : 26
STRING : T9006
---------------------------------

T9006 Goes on for the rest. Anyway, I don't think the count is related to the third param at all. However, I think WR_US_18_2692364498 has something to do with the server I'm joining.

Originally Posted by Jetamay

The kicking is because when we hook the function, where not responding to some of PB's requests(Which doesn't make sense, as we are returning), so where not logging incorrect strings, I'm not sure, I'll log all three for now, and see what happens.

Heres My Logg :

T9006 Goes on for the rest. Anyway, I don't think the count is related to the third param at all. However, I think WR_US_18_2692364498 has something to do with the server I'm joining.

God, I dont know nothing about these strings, but its like you have to patch those dirty strings with clean ones? I'm trying one other anti-kick method, I'll let you know if its success.

I have to go to a wedding, I'll be back to help you guys with this in a couple of hours.

You need to place a hook on get tick count...
if you placed a hook on get tick count, a bad string would be passed through that function. All you have to do to tell pb that everything is ok..

Code:

if(strstr(buffer, "Bmk GetTickCount 5 c9c9c9c9c9")){
      strcpy(buffer, "Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390");
}

That will tell pb that there is no hook on that function and all the bytes were as they are suppose to be.

Credits to Strife

Originally Posted by masterboy120

You need to place a hook on get tick count...
if you placed a hook on get tick count, a bad string would be passed through that function. All you have to do to tell pb that everything is ok..

Code:

if(strstr(buffer, "Bmk GetTickCount 5 c9c9c9c9c9")){
      strcpy(buffer, "Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390");
}

That will tell pb that there is no hook on that function and all the bytes were as they are suppose to be.

Credits to Strife

But wont this just tell pb that theres no hook at gettickcount? Shouldn't it be different for checks? Or should I stop coding and go back to gym?

Originally Posted by masterboy120

You need to place a hook on get tick count...
if you placed a hook on get tick count, a bad string would be passed through that function. All you have to do to tell pb that everything is ok..

Code:

if(strstr(buffer, "Bmk GetTickCount 5 c9c9c9c9c9")){
      strcpy(buffer, "Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390");
}

That will tell pb that there is no hook on that function and all the bytes were as they are suppose to be.

Credits to Strife

What if the strings get updated? Which i heard they are usually.

Also, i think, maybe, with the PB checks, that, it has its own like code, then the MD5 of the file. Since it has an MD5. So, maybe, if you find out that first "code", then find the original MD5 of WarRock.exe, then you always return that correct string? So... how do we find out what is the string for WarRock.exe AND the PBCL.dll?

Alright, well, i relogged, and got banned, once again LOL
Heres the log.

Code:

B+1000 ff000 018B62AE302B24D0AD5DAAEA5D21ACFE
B+100000 100000 76D396E0B14448B7D64444DC9E514E03
B+200000 100000 1424129BB6A2F91BDA71D849F6F0A5EE
AMy dx C:WINDOWSsystem32d3d8.dll size=1179648 md5=42803EC60803C1A0754671E9183458F1
B+300000 100000 BF26F6099AB0BEA2DDB01B7E0FABCEA0
B+400000 91fff 822ED0618B62EF08A5E517568E97076B
B* d3d8.dll 10347  1_8bff558bec6aff6858c1aa6d64a10000
Bmk OpenProcess 21 518D04245068********6A00FF15********50FF15 8bff558bec83ec208b45108945f88b45
B+200000 100000 1424129BB6A2F91BDA71D849F6F0A5EE
B+300000 100000 BF26F6099AB0BEA2DDB01B7E0FABCEA0
B+400000 91fff 822ED0618B62EF08A5E517568E97076B
AMy dx C:WINDOWSsystem32d3d8.dll size=1179648 md5=42803EC60803C1A0754671E9183458F1
B* d3d8.dll 10347  1_8bff558bec6aff6858c1aa6d64a10000
Bmk OpenProcess 21 518D04245068********6A00FF15********50FF15 8bff558bec83ec208b45108945f88b45
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
B	c 55FA0 E82B6F0100594050 xxxxxxxxxxyyyyxxxxxxxxxxxxxxxxxxxxxxxxxx F7D7C2E305C952605E179120A79DA84A

I *think* i remember just scanning the memory with cheat engine, and finding values, was not detected.
Maybe, we can find the value of the pointer that the strings are held under? And just log those somehow? VIA DLL injection and/or CE memory scan? Just a theory...

Originally Posted by masterboy120

You need to place a hook on get tick count...
if you placed a hook on get tick count, a bad string would be passed through that function. All you have to do to tell pb that everything is ok..

Code:

if(strstr(buffer, "Bmk GetTickCount 5 c9c9c9c9c9")){
      strcpy(buffer, "Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390");
}

That will tell pb that there is no hook on that function and all the bytes were as they are suppose to be.

Credits to Strife

Doesn't seem to be working for me, I'm going to ask dave how this string patching method works.

Originally Posted by Jetamay

Doesn't seem to be working for me, I'm going to ask dave how this string patching method works.

That string, i dont think is clean, because its the string that is right before i am banned, thats why i was saying, how do you know that it is clean? Besides, to bypass PB, you need the string for BOTH PBCL.dll AND WarRock.exe... hence your editing both things, for hacks + bypass...

When are you hooking these functions, first chance you get, or when you join a room, at lobby, when? I can't seem to get any decent ouputs.

Punkbuster Strings

Post a Reply

Similar Threads

Tags for this Thread