Beat PunkBusters Anti Debug Protection


Postby run32dll » Thu Sep 25, 2008 8:19 pm

I tried to debug the latest PunkBuster for Battlefield 1942 over the last few days.
The current PB version is 2.110 - pbcl.dll, 759,153 bytes
(check ... bf1942.php)

The problem: as soon as I attach any debugger, BF1942 closes instantly.

I used Google a lot to find information about that:
- I know PB does NOT use the API function "IsDebuggerPresent".
- I know PB uses "ZwQueryObject" because I found an old source code for an anti-PB DLL. But I injected the DLL into BF1942, PnkBstrA.exe and PnkBstrB.exe and it didn't work. The game still closes when I try to attach any debugger. The strange thing is I opened pbcl.dll with IDA and could not find "ZwQueryObject" in the import table.

My goal is to detour the screenshot function of PunkBuster (I already had this working for an old PB version). Maybe it's possible to fake the GUID too. I read it is possible to send a faked GUID to the PB server only.

I tried some OllyDbg plugins to hide the debugger, but they did not work.
If anyone has information on how I can debug PunkBuster, please post it here.

PS: hope my English isn't too bad :roll:

The source of the DLL I was talking about (I did not code it): ...
The compiled release version of the DLL: ... b.dll.html

EDIT2: I tried another DLL injector now; it tells me the DLL injection into bf1942.exe fails.

Postby L. Spiro » Fri Sep 26, 2008 12:13 am

ZwQueryObject() does not need to be in the import table for it to use it.
It can get the function address via MmGetSystemRoutineAddress().

Code:
    #include <ntddk.h>
    /* Resolved at run time, so the name never shows up in the import table. */
    typedef NTSTATUS (NTAPI *PFN_ZWQUERYOBJECT)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);
    static PFN_ZWQUERYOBJECT g_apiZwQueryObject = NULL;
    UNICODE_STRING               FuncName;
    RtlInitUnicodeString( &FuncName, L"ZwQueryObject" );
    g_apiZwQueryObject = (PFN_ZWQUERYOBJECT)MmGetSystemRoutineAddress( &FuncName );

The string will probably be encrypted, however.

L. Spiro
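Added example (my own code, not from the thread and not PunkBuster's): it shows, in portable C, the user-mode counterpart of the resolve-by-name pattern described above, and the check a reverser would run when the API name is in neither the import table nor the strings listing: a brute-force single-byte XOR search for the name across a byte buffer. The buffer, the XOR key 0x5A and the function names are constructed for this example; the page says only that the real string is "probably encrypted", so PunkBuster's actual scheme is an assumption here.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical obfuscation key; the real scheme is not on the page. */
#define OBF_KEY 0x5A

/* Constructed "binary image": a few filler opcode bytes around the
   XOR-encoded, NUL-terminated string "ZwQueryObject" (starts at offset 6). */
static const unsigned char image[] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x10,               /* push ebp; mov ebp,esp; sub esp,10h */
    'Z'^OBF_KEY, 'w'^OBF_KEY, 'Q'^OBF_KEY, 'u'^OBF_KEY, 'e'^OBF_KEY, 'r'^OBF_KEY, 'y'^OBF_KEY,
    'O'^OBF_KEY, 'b'^OBF_KEY, 'j'^OBF_KEY, 'e'^OBF_KEY, 'c'^OBF_KEY, 't'^OBF_KEY, 0x00^OBF_KEY,
    0xc9, 0xc3                                        /* leave; ret */
};
#define IMAGE_NAME_OFFSET 6
#define IMAGE_NAME_LEN    13   /* strlen("ZwQueryObject"), NUL not counted */

/* Decode len bytes of src with a single-byte XOR key into dst and NUL-terminate. */
void xor_decode(char *dst, const unsigned char *src, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)(src[i] ^ key);
    dst[len] = '\0';
}

/* Reverser's check: look for needle in buf under every single-byte XOR key
   (key 0 covers the plaintext case). Returns the offset of the first hit and
   stores the key in *key_out, or -1 if the name is not there in that form. */
long find_xor_string(const unsigned char *buf, size_t buflen,
                     const char *needle, unsigned char *key_out)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || buflen < nlen)
        return -1;
    for (size_t pos = 0; pos + nlen <= buflen; pos++) {
        for (int key = 0; key < 256; key++) {
            size_t i = 0;
            while (i < nlen && (char)(buf[pos + i] ^ (unsigned char)key) == needle[i])
                i++;
            if (i == nlen) {
                *key_out = (unsigned char)key;
                return (long)pos;
            }
        }
    }
    return -1;
}

/* User-mode counterpart of MmGetSystemRoutineAddress(): decode the stored
   name and look it up in ntdll.dll, which exports NtQueryObject and
   ZwQueryObject as the same stub. Returns NULL when not built for Windows. */
void *resolve_obfuscated_export(const unsigned char *obf, size_t len, unsigned char key)
{
    char name[64];
    if (len >= sizeof name)
        return NULL;
    xor_decode(name, obf, len, key);
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    return ntdll ? (void *)GetProcAddress(ntdll, name) : NULL;
#else
    (void)name;
    return NULL;
#endif
}

int main(void)
{
    unsigned char key = 0;
    long off = find_xor_string(image, sizeof image, "ZwQueryObject", &key);
    if (off < 0) {
        puts("ZwQueryObject not found under any single-byte XOR key");
        return 1;
    }
    char name[IMAGE_NAME_LEN + 1];
    xor_decode(name, image + off, IMAGE_NAME_LEN, key);
    printf("found \"%s\" at offset %ld, key 0x%02X\n", name, off, key);
    void *p = resolve_obfuscated_export(image + off, IMAGE_NAME_LEN + 1, key);
    printf("ntdll address: %p (NULL when not running on Windows)\n", p);
    return 0;
}
```

On Windows the resolved address is the place to set a breakpoint, rather than searching pbcl.dll for the string. If the scan finds nothing, the module may be storing a hash of the name instead of an encrypted copy, which this search cannot see; breaking on ntdll!NtQueryObject from inside the debugger and walking back up the stack works in either case.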
