
PB Bypass


6 replies to this topic

#1 RiSiCO

RiSiCO

    DivineBanhammer

  • Crew
  • 1286 posts

Posted 18 April 2008 - 04:57 PM

This is kind of an updated tutorial from okiedoki.

I'll start out with CoD2 as an example.


The easiest way I found was to open up IDA or Olly and search for the text "PB_P", then scroll up a few lines and you will find something like this:




.text:1004DD7C ; int __cdecl sub_1004DD7C(int, size_t Count, char *Dest)
.text:1004DD7C sub_1004DD7C    proc near               ; CODE XREF: sub_1004FFCB+B7p
.text:1004DD7C                                         ; sub_100544BE+E8p ...
.text:1004DD7C
.text:1004DD7C Src             = byte ptr -4B0h
.text:1004DD7C var_4AF         = byte ptr -4AFh
.text:1004DD7C var_4AE         = byte ptr -4AEh
.text:1004DD7C var_4AD         = byte ptr -4ADh
.text:1004DD7C Dst             = byte ptr -4ACh
.text:1004DD7C var_4AB         = byte ptr -4ABh
.text:1004DD7C var_4A8         = byte ptr -4A8h
.text:1004DD7C var_4A6         = byte ptr -4A6h
.text:1004DD7C arg_0           = dword ptr  8
.text:1004DD7C Count           = dword ptr  0Ch
.text:1004DD7C Dest            = dword ptr  10h
.text:1004DD7C
.text:1004DD7C                 push    ebp
.text:1004DD7D                 mov     ebp, esp
.text:1004DD7F                 sub     esp, 4B0h
.text:1004DD85                 cmp     dword_100A0448, 0
.text:1004DD8C                 jz      locret_1004E023
.text:1004DD92                 cmp     dword_1009FE80, 0Ah
.text:1004DD99                 push    ebx
.text:1004DD9A                 jbe     short loc_1004DDD5
.text:1004DD9C                 cmp     [ebp+Count], 0Fh
.text:1004DDA0                 jle     loc_1004E022
.text:1004DDA6                 push    232Eh
.text:1004DDAB                 push    54h             ; Args
.text:1004DDAD                 call    sub_1003CB85
.text:1004DDB2                 push    eax             ; Format
.text:1004DDB3                 push    [ebp+Count]     ; Count
.text:1004DDB6                 push    [ebp+Dest]      ; Dest
.text:1004DDB9                 call    sub_10004529
.text:1004DDBE                 mov     eax, [ebp+Dest]
.text:1004DDC1                 add     esp, 14h
.text:1004DDC4                 lea     ecx, [eax+1]
.text:1004DDC7
.text:1004DDC7 loc_1004DDC7:                           ; CODE XREF: sub_1004DD7C+50j
.text:1004DDC7                 mov     dl, [eax]
.text:1004DDC9                 inc     eax
.text:1004DDCA                 test    dl, dl
.text:1004DDCC                 jnz     short loc_1004DDC7
.text:1004DDCE                 sub     eax, ecx
.text:1004DDD0                 lea     ebx, [eax+1]
.text:1004DDD3                 jmp     short loc_1004DDD8


The code in blue is what you are looking for. So you hook that, and your offset is 0x4DD7C; notice where it's found in the sub.

So hooking it is quite easy:

// Pointer to the original function; DetourFunction() fills it in below.
// The cast at the install site uses __cdecl, so the pointer type matches it here.
int (__cdecl *teh_Bypass)( int a1, size_t Count, char *Dest );

int __cdecl Bypass_Hook( int a1, size_t Count, char *Dest )
{
	//Your log code goes here.
	// Call through the pointer declared above (the original post named it orig_Bypass here, which does not exist).
	return teh_Bypass( a1, Count, Dest );
}

Then in LoadLibrary, like so, just call your function:



teh_Bypass		=	(int (__cdecl *)(int,size_t,char *))DetourFunction( ( PBYTE )pBase + 0x4DD7C,	( PBYTE )Bypass_Hook );
		__asm mov [ teh_Bypass ], eax;

All credits go to okiedokie; I just updated from where he left off :) Enjoy.
Please Read our Rules and WOGH Etiquette & Guidelines
Do not PM me for requests!
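The replies below say PunkBuster has "a check for this check". The following is an added example, not code from the original post or from okiedokie's tutorial, showing what such a check looks like from the defender's side: a function-entry integrity check that snapshots the prologue bytes of a routine at a trusted moment and later flags the 5-byte `E9 rel32` (or `FF 25 disp32`) stub that a detour library writes over them, then recovers where the hook jumps so the patched code can be examined. The byte image is hand-assembled from the first four instructions of the listing above; the hook address 0x20001000 and the function names are constructed placeholders, and no real process memory is touched.

```c
/*
 * Function-entry integrity check against inline detours.
 * Added example, not from the original post. The byte image below is
 * hand-assembled from the listing's first four instructions; the hook
 * address is a constructed placeholder.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROLOGUE_LEN 16

/* First 16 bytes of sub_1004DD7C, constructed from the disassembly shown
 * in the post (not dumped from a binary):
 *   55                    push ebp
 *   8B EC                 mov  ebp, esp
 *   81 EC B0 04 00 00     sub  esp, 4B0h
 *   83 3D 48 04 0A 10 00  cmp  dword_100A0448, 0
 */
const uint8_t kCleanPrologue[PROLOGUE_LEN] = {
    0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xB0, 0x04, 0x00,
    0x00, 0x83, 0x3D, 0x48, 0x04, 0x0A, 0x10, 0x00
};
const uint32_t kFuncVa = 0x1004DD7Cu;   /* address from the listing */

typedef struct { uint8_t bytes[PROLOGUE_LEN]; } prologue_snapshot_t;

/* Record the entry bytes at a trusted moment (e.g. right after module load). */
void snapshot_prologue(const uint8_t *code, prologue_snapshot_t *out)
{
    memcpy(out->bytes, code, PROLOGUE_LEN);
}

/* Generic check: any byte differing from the snapshot means the entry was patched. */
int prologue_tampered(const uint8_t *code, const prologue_snapshot_t *snap)
{
    return memcmp(code, snap->bytes, PROLOGUE_LEN) != 0;
}

/* Shape check: E9 rel32 (JMP near) or FF 25 disp32 (JMP [mem]) at offset 0 is
 * the classic detour stub; a compiler-emitted prologue does not start that way. */
int looks_like_jmp_detour(const uint8_t *code)
{
    return (code[0] == 0xE9) || (code[0] == 0xFF && code[1] == 0x25);
}

/* For an E9 rel32 stub, recover the address the hook jumps to. The rel32 is
 * assembled byte-wise so the result does not depend on host endianness;
 * unsigned wraparound gives the same answer as a signed rel32 add. */
uint32_t detour_target_rel32(uint32_t func_va, const uint8_t *code)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return func_va + 5u + rel;
}

/* Write a 5-byte JMP stub into a working copy, mimicking what a detour
 * library does to a live function entry (only this buffer is modified). */
void simulate_detour_patch(uint8_t *code, uint32_t func_va, uint32_t hook_va)
{
    uint32_t rel = hook_va - (func_va + 5u);
    code[0] = 0xE9;
    code[1] = (uint8_t)(rel);
    code[2] = (uint8_t)(rel >> 8);
    code[3] = (uint8_t)(rel >> 16);
    code[4] = (uint8_t)(rel >> 24);
}

/* End-to-end: a clean image must not alarm; after the simulated patch both
 * checks must fire and the hook target must be recovered. Returns 1 on success. */
int demo_detects_simulated_patch(void)
{
    const uint32_t hook_va = 0x20001000u;   /* constructed placeholder */
    uint8_t live[PROLOGUE_LEN];
    prologue_snapshot_t snap;

    memcpy(live, kCleanPrologue, PROLOGUE_LEN);
    snapshot_prologue(live, &snap);
    if (prologue_tampered(live, &snap) || looks_like_jmp_detour(live))
        return 0;

    simulate_detour_patch(live, kFuncVa, hook_va);
    if (!prologue_tampered(live, &snap) || !looks_like_jmp_detour(live))
        return 0;
    return detour_target_rel32(kFuncVa, live) == hook_va;
}
```

The snapshot comparison is the robust part: it catches any rewrite of the entry, not just the two JMP encodings, which is why the shape check is only a hint about what kind of patch was applied. In a real deployment the snapshot is taken from the module's on-disk image or a known-good hash rather than from memory that may already be patched.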

#2 southpole

southpole

    n00bie

  • Members
  • 24 posts

Posted 23 April 2008 - 10:08 PM

Wow, nothing more simple!
IF YOU RESPECT ME PUT THIS PICTURE IN YOUR SIGNATURE.

#3 copyfilew

copyfilew

    n00bie

  • Members
  • 13 posts

Posted 01 May 2008 - 10:17 AM

I'm pretty sure they have a check for this check.

Nice work though.

#4 Recreation

Recreation

    n00bie

  • Members
  • 17 posts

Posted 08 June 2008 - 12:56 AM

PunkBuster seriously is too uptight... PunkBuster killers don't work anymore because they have like 15,000,000,000,000 checks on checks on checks.

#5 clippeR

clippeR

    n00bie

  • Members
  • 5 posts

Posted 27 November 2008 - 11:41 AM

Yeah, they even have a new scan; it scans your whole PC for names like codhax, bot, winject or anything, so basically you can rename your song to aimbot.exe and you will get banned.
Spyware master, take care of your MSN and Facebook passwords >:P

/cg_joke 1
0=disable
1=enable
2=crypt

#6 Cray-Z

Cray-Z

    n00bie

  • Members
  • 6 posts

Posted 30 November 2008 - 06:20 PM

Uhm, a quick question: what file did you open up with IDA?

#7 oriks

oriks

    n00bie

  • Members
  • 5 posts

Posted 12 August 2009 - 01:22 AM

Does this still work? I just tried to update my WarRock hack, but for some reason PB had the same offsets and everything. I'm somehow getting detected but wasn't 2 days ago.



