IChooseYou
03-12-2012, 09:22 AM
Alright, so in IDA you want to start here
.text:00767BF0 fb__PunkbusterScreenshot__screenshotDone proc near
.text:00767BF0 ; DATA XREF: .rdata:off_2096BBCo
.text:00767BF0
....
.text:00767C02 call PBsdk_receiveSS //<- follow
then here:
.text:0076A820 PBsdk_receiveSS proc near ; CODE XREF: fb__PunkbusterScreenshot__screenshotDone+12p
.text:0076A820
....
.text:0076A83D call eax //<-- follow this; it calls into PBCL.dll at 00441F34
.text:0076A83F add esp, 10h
.text:0076A842 mov dword_23425D4, 0
then in pbcl.dll you have this function:
.text:00441F34 sub_441F34 proc near ; DATA XREF: sub_445A75:loc_445AECo
.text:00441F34 ; sub_447929:loc_44794Ao
.text:00441F34
.text:00441F34 arg_0 = dword ptr 8
.text:00441F34 arg_4 = dword ptr 0Ch
.text:00441F34 arg_8 = dword ptr 10h
.text:00441F34 arg_C = dword ptr 14h
.text:00441F34
.text:00441F34 push ebp
.text:00441F35 mov ebp, esp
.text:00441F37 cmp dword_4B2301, 0
.text:00441F3E jz loc_441FD4 <-- change this to jmp
Source:
/*
 * PatchPBSS: in-memory patch of one conditional branch in the loaded
 * pbcl.dll image.  Per the listing above, the JE at pbcl+0x41F3E
 * (inside sub_441F34, right after "cmp dword_4B2301, 0") is rewritten as
 * an unconditional JMP to the same target (loc_441FD4), so the result of
 * that compare no longer decides the path taken.
 *
 * Review note: the patch address is a hard-coded RVA, so this only lines up
 * with the one pbcl.dll build the listing was taken from.  A write into a
 * mapped module's code section like this one is exactly what code-integrity
 * monitoring (mapped .text vs. on-disk image, or protection changes on
 * executable pages) is meant to surface.
 *
 * No parameters, no return value; progress is reported on stdout.
 */
void PatchPBSS( )
{
DWORD PBbase = 0;
DWORD lpOldProtect = NULL;
/* Poll every 50 ms until pbcl.dll is mapped into this process.  There is
 * no timeout, so the loop never exits if the module is never loaded.  The
 * HMODULE is truncated into a DWORD, which only holds a whole pointer in a
 * 32-bit process (consistent with the 32-bit addresses in the listing). */
while( !PBbase )
{
PBbase = (DWORD)GetModuleHandleA("pbcl.dll");
Sleep(50);
}
/* Module base + RVA of the JE to overwrite: 0x441F3E in the IDA listing
 * (presumably minus a 0x400000 image base), 0BBB1F3E in the debugger dump
 * quoted below. */
DWORD SSFunc = PBbase + 0x41F3E;
//0BBB1F37 833D 0123C20B 00 CMP DWORD PTR DS:[BC22301],0
//0BBB1F3E 0F84 90000000 JE pbcl.0BBB1FD4 ->
//0BBB1F3E E9 91000000 JMP pbcl.0BBB1FD4
//0BBB1F43 90 NOP
/* Both values are DWORDs printed with %p; this only matches where DWORD and
 * pointer have the same width (32-bit). */
printf( "PB Base %p\n", PBbase );
printf( "PB Patch %p\n", SSFunc );
/* Make the 6 bytes to be patched writable.  The return value is not
 * checked, so a refused protection change is not noticed before the
 * memcpy below runs. */
VirtualProtect( (PBYTE)SSFunc, 6, PAGE_EXECUTE_READWRITE, &lpOldProtect );
/* Replace the 6-byte "0F 84 rel32" JE with a 5-byte "E9 rel32" JMP plus a
 * NOP pad.  The displacement is 0x91 instead of 0x90 because the JMP is one
 * byte shorter while the target (pbcl.0BBB1FD4) stays the same. */
memcpy( (PBYTE)SSFunc, (void *)(PBYTE)"\xE9\x91\x00\x00\x00\x90", 6 );
/* Put the saved page protection back; the old-protection out-parameter is
 * passed as 0 here rather than captured. */
VirtualProtect( (PBYTE)SSFunc, 6, lpOldProtect, 0 );
printf( "PBSS Patched\n" );
}
If you have your own server, execute "punkBuster.pb_sv_command pb_sv_getss"
and in your PB SS directory you should see
http://i.imgur.com/mhFXn.jpg
.text:00767BF0 fb__PunkbusterScreenshot__screenshotDone proc near
.text:00767BF0 ; DATA XREF: .rdata:off_2096BBCo
.text:00767BF0
....
.text:00767C02 call PBsdk_receiveSS //<- follow
then here:
.text:0076A820 PBsdk_receiveSS proc near ; CODE XREF: fb__PunkbusterScreenshot__screenshotDone+12p
.text:0076A820
....
.text:0076A83D call eax //<-- follow this; it calls into PBCL.dll at 00441F34
.text:0076A83F add esp, 10h
.text:0076A842 mov dword_23425D4, 0
then in pbcl.dll you have this function:
.text:00441F34 sub_441F34 proc near ; DATA XREF: sub_445A75:loc_445AECo
.text:00441F34 ; sub_447929:loc_44794Ao
.text:00441F34
.text:00441F34 arg_0 = dword ptr 8
.text:00441F34 arg_4 = dword ptr 0Ch
.text:00441F34 arg_8 = dword ptr 10h
.text:00441F34 arg_C = dword ptr 14h
.text:00441F34
.text:00441F34 push ebp
.text:00441F35 mov ebp, esp
.text:00441F37 cmp dword_4B2301, 0
.text:00441F3E jz loc_441FD4 <-- change this to jmp
Source:
/*
 * PatchPBSS: in-memory patch of one conditional branch in the loaded
 * pbcl.dll image.  Per the listing above, the JE at pbcl+0x41F3E
 * (inside sub_441F34, right after "cmp dword_4B2301, 0") is rewritten as
 * an unconditional JMP to the same target (loc_441FD4), so the result of
 * that compare no longer decides the path taken.
 *
 * Review note: the patch address is a hard-coded RVA, so this only lines up
 * with the one pbcl.dll build the listing was taken from.  A write into a
 * mapped module's code section like this one is exactly what code-integrity
 * monitoring (mapped .text vs. on-disk image, or protection changes on
 * executable pages) is meant to surface.
 *
 * No parameters, no return value; progress is reported on stdout.
 */
void PatchPBSS( )
{
DWORD PBbase = 0;
DWORD lpOldProtect = NULL;
/* Poll every 50 ms until pbcl.dll is mapped into this process.  There is
 * no timeout, so the loop never exits if the module is never loaded.  The
 * HMODULE is truncated into a DWORD, which only holds a whole pointer in a
 * 32-bit process (consistent with the 32-bit addresses in the listing). */
while( !PBbase )
{
PBbase = (DWORD)GetModuleHandleA("pbcl.dll");
Sleep(50);
}
/* Module base + RVA of the JE to overwrite: 0x441F3E in the IDA listing
 * (presumably minus a 0x400000 image base), 0BBB1F3E in the debugger dump
 * quoted below. */
DWORD SSFunc = PBbase + 0x41F3E;
//0BBB1F37 833D 0123C20B 00 CMP DWORD PTR DS:[BC22301],0
//0BBB1F3E 0F84 90000000 JE pbcl.0BBB1FD4 ->
//0BBB1F3E E9 91000000 JMP pbcl.0BBB1FD4
//0BBB1F43 90 NOP
/* Both values are DWORDs printed with %p; this only matches where DWORD and
 * pointer have the same width (32-bit). */
printf( "PB Base %p\n", PBbase );
printf( "PB Patch %p\n", SSFunc );
/* Make the 6 bytes to be patched writable.  The return value is not
 * checked, so a refused protection change is not noticed before the
 * memcpy below runs. */
VirtualProtect( (PBYTE)SSFunc, 6, PAGE_EXECUTE_READWRITE, &lpOldProtect );
/* Replace the 6-byte "0F 84 rel32" JE with a 5-byte "E9 rel32" JMP plus a
 * NOP pad.  The displacement is 0x91 instead of 0x90 because the JMP is one
 * byte shorter while the target (pbcl.0BBB1FD4) stays the same. */
memcpy( (PBYTE)SSFunc, (void *)(PBYTE)"\xE9\x91\x00\x00\x00\x90", 6 );
/* Put the saved page protection back; the old-protection out-parameter is
 * passed as 0 here rather than captured. */
VirtualProtect( (PBYTE)SSFunc, 6, lpOldProtect, 0 );
printf( "PBSS Patched\n" );
}
If you have your own server, execute "punkBuster.pb_sv_command pb_sv_getss"
and in your PB SS directory you should see
http://i.imgur.com/mhFXn.jpg