By:
okidoki
Hi,
Here is a way to defeat PunkBuster checks (I used IDA Pro).
First we need to find the "%c%c" or "%s NOT_FOUND" string in pbcl.dll:
PHP Code:
.rdata:1005DADC aCC db '%c%c',0
.rdata:1005DACC aSNot_found db '%s NOT_FOUND',0
Then go to the DATA XREF:
PHP Code:
.text:1002696E push offset aCC ; "%c%c"
.text:100269F1 push offset aSNot_found ; "%s NOT_FOUND"
Scroll up to the beginning of the function:
PHP Code:
int __cdecl sub_100250E0(struct _MEMORY_BASIC_INFORMATION Buffer)
Now we can detour it:
PHP Code:
typedef int ( *PBPerformCheck_t )( int iArg1, int iArg2, _MEMORY_BASIC_INFORMATION mbiArg3 );
PBPerformCheck_t pPBPerformCheck = 0;

int _PBPerformCheck( int iArg1, int iArg2, _MEMORY_BASIC_INFORMATION mbiArg3 )
{
    return pPBPerformCheck( iArg1 , iArg2, mbiArg3 );
}

void Hook( )
{
    DWORD dwPbclBase = ( DWORD )GetModuleHandle( "pbcl.dll" );
    pPBPerformCheck = ( PBPerformCheck_t )DetourFunction( ( BYTE * )( dwPbclBase + 0x250E0 ), ( BYTE * )_PBPerformCheck, 6 );
}
Finally here is a method to filter/defeat the checks:
PHP Code:
char *pszCheckString;

int _PBPerformCheck( int iArg1, int iArg2, _MEMORY_BASIC_INFORMATION mbiArg3 )
{
    _asm mov pszCheckString, esi;

    // if the pszCheckString's first char is |: Files white list check
    // if the pszCheckString's first char is B: Cvar check
    // if the pszCheckString's first char is N: MD5 check
    // if the pszCheckString's first char is E: Key bind check

    // Remove stuff
    int iReturn = pPBPerformCheck( iArg1 , iArg2, mbiArg3 );
    // Re-apply stuff

    return iReturn;
}
The string also contains the names of the modules/cvars/path ... checked, and this code is 100% working for the up-to-date FarCry 1.4 PunkBuster client.
Happy filtering
Regards.
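
From the defender's side, a detour like the one in this post shows up as a changed function entry. The following is an added example, not part of the original post and not PunkBuster code: a C integrity check that compares a function's live entry bytes with a trusted copy and classifies the change, assuming the detour overwrites the entry with a jump, as inline hooks commonly do. `check_entry`, the sample prologue bytes, module size and jump destination are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { ENTRY_CLEAN, ENTRY_MODIFIED, ENTRY_REDIRECTED } entry_state;
typedef struct { entry_state state; uint32_t target; int leaves_module; } entry_report;

/* x86 redirect forms an inline hook typically writes at a function entry:
   E9 rel32, EB rel8, FF 25 [abs32], or 68 imm32 + C3 (push/ret). */
static int is_redirect(const uint8_t *p, size_t n)
{
    return (n >= 5 && p[0] == 0xE9) || (n >= 2 && p[0] == 0xEB) ||
           (n >= 6 && p[0] == 0xFF && p[1] == 0x25) ||
           (n >= 6 && p[0] == 0x68 && p[5] == 0xC3);
}

/* live: bytes read from the loaded function entry; trusted: the same bytes from
   a verified copy of the module (assumed to contain no relocated operands).
   va is the entry's address; mod_base/mod_size bound the owning module. */
entry_report check_entry(const uint8_t *live, const uint8_t *trusted, size_t n,
                         uint32_t va, uint32_t mod_base, uint32_t mod_size)
{
    entry_report r = { ENTRY_CLEAN, 0, 0 };
    if (memcmp(live, trusted, n) == 0)
        return r;                  /* compare first: a clean entry may itself start with a jmp */
    r.state = is_redirect(live, n) ? ENTRY_REDIRECTED : ENTRY_MODIFIED;
    if (r.state == ENTRY_REDIRECTED && live[0] == 0xE9) {
        uint32_t rel = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                       (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
        r.target = va + 5u + rel;  /* wraps modulo 2^32, as on the CPU */
        r.leaves_module = (uint32_t)(r.target - mod_base) >= mod_size;
    }
    return r;
}

/* Constructed sample data. The entry address and image base follow the post
   (sub_100250E0, offset 0x250E0); everything else is invented for the example. */
static const uint8_t SAMPLE_TRUSTED[6] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20 };
static const uint8_t SAMPLE_HOOKED[6]  = { 0xE9, 0x1B, 0xBF, 0xA1, 0xF2, 0x90 };
static const uint8_t SAMPLE_PATCHED[6] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40 };
static const uint32_t SAMPLE_VA = 0x100250E0u, SAMPLE_BASE = 0x10000000u, SAMPLE_SIZE = 0x00080000u;

int main(void)
{
    entry_report r = check_entry(SAMPLE_HOOKED, SAMPLE_TRUSTED, 6, SAMPLE_VA, SAMPLE_BASE, SAMPLE_SIZE);
    printf("state=%d target=0x%08X leaves_module=%d\n", (int)r.state, (unsigned)r.target, r.leaves_module);
    return r.state == ENTRY_REDIRECTED ? 0 : 1;
}
```

A jump whose destination lies outside the owning module is the stronger signal; a modified entry without a redirect still warrants a comparison against the file on disk.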