#1
06-23-2007, 09:59 PM
zero_tolerance (Senior Member)
Join Date: Dec 2006
Posts: 289
Clean punkbuster screenshots

By: Okidoki



Hi,

Here is a way for returning clean PB screenshots.

First we have to find the DirectDrawCreate call in pbcl.dll ( I used IDA Pro ), it should look like that:
PHP Code:
.text:1000C030                 mov     edx, [esp+560h+wndpl.rcNormalPosition.bottom]
.text:1000C034                 mov     ecx, [esp+560h+wndpl.rcNormalPosition.top]
.text:1000C038                 push    edi             ; pUnkOuter
.text:1000C039                 lea     eax, [esp+564h+lpDD]
.text:1000C03D                 push    eax             ; lplpDD
.text:1000C03E                 sub     edx, ecx
.text:1000C040                 push    edi             ; lpGUID
.text:1000C041                 mov     [ebp+1Eh], dx
.text:1000C045                 mov     [esp+56Ch+var_534], edi
.text:1000C049                 mov     [esp+56Ch+lpDD], edi
.text:1000C04D                 call    DirectDrawCreate

Then scroll up to the beginning of the function that calls DirectDrawCreate, and find where it is called from:
PHP Code:
.text:1000B920 int __stdcall sub_1000B920(int,int,__int16,__int16,int,char *hWnd,int)
PHP Code:
.text:1000EDF2                 push    eax             ; hWnd
.text:1000EDF3                 push    ecx             ; int
.text:1000EDF4                 mov     ecx, [ebp+118h]
.text:1000EDFA                 push    esi             ; __int16
.text:1000EDFB                 push    edi             ; __int16
.text:1000EDFC                 push    ebx             ; int
.text:1000EDFD                 push    edx             ; int
.text:1000EDFE                 mov     [esp+0AB4h+var_A84], 0B0h
.text:1000EE06                 call    sub_1000B920
Then scroll up to the beginning of the function:
PHP Code:
.text:1000E030 int __fastcall sub_1000E030(int,int,int,int,unsigned int)
Now we can detour it:
PHP Code:
typedef int ( *PBScreenshotSetup_t )( int iArg1, int iArg2, int iArg3, int iArg4, unsigned int uiArg5 );
PBScreenshotSetup_t pPBScreenshotSetup = 0;

int _PBScreenshotSetup( int iArg1, int iArg2, int iArg3, int iArg4, unsigned int uiArg5 )
{
    int iReturn;

    return pPBScreenshotSetup( iArg1, iArg2, iArg3, iArg4, uiArg5 );
}

void Hook( )
{
    DWORD dwPbclBase = ( DWORD )GetModuleHandle( "pbcl.dll" );

    pPBScreenshotSetup = ( PBScreenshotSetup_t )DetourFunction( ( BYTE * )( dwPbclBase + 0xE030 ), ( BYTE * )_PBScreenshotSetup );
}

Now here is how to manage a clean screenshot using a modulo:
PHP Code:
bool bSafeScreen = true;

int _PBScreenshotSetup( int iArg1, int iArg2, int iArg3, int iArg4, unsigned int uiArg5 )
{
    bSafeScreen = false;

    static int iRequest = 0;

    iRequest++;

    int iReturn;

    if( iRequest <= )
        iReturn = 2;
    else
    {
        iReturn = 2;

        if( iRequest % 16 == )
        {
            iReturn = pPBScreenshotSetup( iArg1, iArg2, iArg3, iArg4, uiArg5 );

            bSafeScreen = true;

            iRequest = 0;
        }
    }

    return iReturn;
}

Usage:
PHP Code:
if( bSafeScreen )
{
    // Apply your visual modifications
}

You can pause the screenshot function less or more by changing the modulo value (16).

This code is 100% working for up to date FarCry 1.4 punkbuster client.

Thanks to Roverturbo for the "iReturn = 2;" idea

Regards.
Reply With Quote
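
Seen from the anti-cheat side, the detour in the post above overwrites the entry of the function at pbcl.dll+0xE030 with a jump into foreign code, which an integrity check can catch by comparing the mapped entry bytes with the on-disk image and decoding where a redirect lands. The following is an added example, not code from the original post or from PunkBuster; the prologue bytes, the image size and the jump targets are constructed, and only the address 0x1000E030 comes from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum entry_state { ENTRY_CLEAN, ENTRY_MODIFIED, ENTRY_REDIRECTED_OUT };

/* Constructed sample data: a generic 32-bit prologue standing in for the on-disk
   bytes, and two patched copies as they would appear at VA 0x1000E030. */
static const uint8_t DISK[8]     = {0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56};
static const uint8_t HOOK_OUT[8] = {0xE9,0xCB,0x2F,0xFF,0x0F,0x40,0x53,0x56}; /* jmp 0x20001000 */
static const uint8_t HOOK_IN[8]  = {0xE9,0xCB,0x0F,0x00,0x00,0x40,0x53,0x56}; /* jmp 0x1000F000 */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Recognise the two common 32-bit entry redirects and compute their target:
   `jmp rel32` (E9 xx xx xx xx) and `push imm32; ret` (68 xx xx xx xx C3). */
static int redirect_target(const uint8_t *code, size_t len, uint32_t va, uint32_t *target)
{
    if (len >= 5 && code[0] == 0xE9) {
        *target = va + 5 + le32(code + 1);   /* relative to the next instruction */
        return 1;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        *target = le32(code + 1);            /* absolute address */
        return 1;
    }
    return 0;
}

/* Compare the mapped entry bytes with the on-disk reference. The caller must pick
   a span without relocated operands, or apply relocations to `disk` first. */
enum entry_state check_entry(const uint8_t *mem, const uint8_t *disk, size_t len,
                             uint32_t va, uint32_t base, uint32_t image_size)
{
    uint32_t target;
    if (memcmp(mem, disk, len) == 0)
        return ENTRY_CLEAN;
    if (redirect_target(mem, len, va, &target) &&
        (target < base || target - base >= image_size))
        return ENTRY_REDIRECTED_OUT;         /* control leaves the module image */
    return ENTRY_MODIFIED;                   /* patched, but stays inside the image */
}
```
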
#2
08-28-2011, 06:02 PM
Hooch (Junior Member)
Join Date: Sep 2010
Posts: 2

I'm new.
Can you help me understand this part?

PHP Code:
int _PBScreenshotSetup( int iArg1, int iArg2, int iArg3, int iArg4, unsigned int uiArg5 )
{
    bSafeScreen = false; //Because screenshot is requested we set it to false

    static int iRequest = 0; //???

    iRequest++;  // Is this number of times that pb makes screenshot? or number of times server requests screenshot?

    int iReturn;

    if( iRequest <= ) //If requested first time?
        iReturn = 2; //Why 2?
    else
    {
        iReturn = 2; //Again, why 2?

        if( iRequest % 16 == ) //Every 16th time do...
        {
            iReturn = pPBScreenshotSetup( iArg1, iArg2, iArg3, iArg4, uiArg5 ); //Allow pb to take screenshot

            bSafeScreen = true; //It is safe because we already sent clear ss?

            iRequest = 0; //Screenshot is made so we set it 0 requests
        }
    }

    return iReturn;
}

If I understand it correctly, the server requests a screenshot from us.
But our function is ignoring the first 16 requests.
So we have time (16 requests) to hide our hack.
And then after that time (16 requests) we allow pb to make a screenshot.

What happens if we ignore all requests?
Why are we returning 2 if we ignore the ss request?

Thanks for any help.
Reply With Quote
All times are GMT.