Beat PunkBusters Anti Debug Protection

Posted: Thu Sep 25, 2008 8:19 pm
by run32dll
I have been trying to debug the latest PunkBuster for Battlefield 1942 over the last few days.
The current PB version is 2.110 - pbcl.dll 759.153 bytes
(check http://evenbalance.com/index.php?page=s ... bf1942.php)

The problem: as soon as I attach any debugger, BF1942 closes instantly.

I used Google a lot to find information about that:
- I know PB does NOT use the API function "IsDebuggerPresent".
- I know PB uses "ZwQueryObject" because I found an old source code for an anti-PB DLL. But I injected the .dll into BF1942, PnkBstrA.exe and PnkBstrB.exe and it didn't work. The game still closes when I try to attach any debugger. The strange thing is I opened pbcl.dll with IDA and could not find "ZwQueryObject" in the import table.

My goal is to detour the screenshot function of PunkBuster (I already had this working for an old PB version). Maybe it's possible to fake the GUID too. I read it is possible to send a faked GUID to the PB server only.

I tried some OllyDebug plugins to hide the debugger, but they did not work.
If anyone has information on how I can debug PunkBuster, please post it here.

PS: I hope my English isn't too bad :roll:

EDIT:
The source of the .dll I was talking about (I did not code it):
http://www.file-upload.net/download-113 ... B.zip.html
The compiled release version of the .dll:
http://www.file-upload.net/download-113 ... b.dll.html

EDIT2: I have now tried another DLL injector, which tells me the DLL injection into bf1942.exe fails.

Posted: Fri Sep 26, 2008 12:13 am
by L. Spiro
ZwQueryObject() does not need to be in the import table for it to use it.
It can get the function address via MmGetSystemRoutineAddress().

Code:
// Resolve ZwQueryObject at run time, so it never appears in the import table.
UNICODE_STRING FuncName;
RtlInitUnicodeString( &FuncName, L"ZwQueryObject" );
g_apiZwQueryObject = MmGetSystemRoutineAddress( &FuncName );


The string will probably be encrypted, however.


L. Spiro