Sparten
18th January 2006, 19:47
Punkbuster Hardware Info.
Made by: PizzaPan.
Credits: Tetsuo, RunningBon, Rob, Xen, h1web, BlackDove, Sparten, Kosire.
I will allow this to be replicated word for word, to mpc forum, but only to be posted by Sparten, and nowhere else; simply link here
http://forum.gamedeception.net/showthread.php?t=8435 if you want to.
Part 0: Usermode.
There are only 3 hashes made in usermode:
2 hashes are generated by the amount of hdds you have, with a maximum of 16 Drives.
Hash Begin: "s" Generated from IOCTL_STORAGE_QUERY_PROPERTY
Hash Begin: "t" Generated from SMART_RCV_DRIVE_DATA
1 Hash is generated from various networking properties:
Hash Begin: "m" generated by the combined info of:
a) Hardware NIC via IOCTL_NDIS_QUERY_GLOBAL_STATS
b) MAC Address
^^ The following Hash will not be used if you have onboard lan and no installed nic cards.
I have seen all 3 hashes combined, and then hashed again. No idea if this single hash is sent to the server, but I assume it is. If they base hardware bans on this, changing any one piece of hardware would change the final hash, so I also have to assume they send all of them separately as well.
Part 1: Drivers Galore.
There are currently 3 Versions of the punkbuster driver floating around.
This does not include the very first set of drivers; we can call them unstable etc., and they were upgraded fast to detect hwspoofers, and various bugs.
You could break them down as follows:
Size - Version:
16KB v0
22KB v7 (As sent by pbcl.dll)
26KB v71 (As Sent by pbcl.dll)
As of writing this, and current pbcl.dll versions.
v0 is in use by: bf1942, bfv, doom3, farcry, joint ops
v7 is in use by: bf2, cod1, et, rvs, rtcw, sof2
v71 is in use by: aao
Cod1 includes United Offensive.
The following games from what I can see do not contain a driver: moh
The following games from what I can see CONTAINS but doesn't USE the driver: quake4
In v0, the drivers' results are compared with usermode results.
In v7, v71 the drivers' results are encrypted a second time (PB_E) and sent to the server.
v0: A Total of 3 hashes are used.
2 hashes are generated by the amount of hdds you have, with a maximum of 16 Drives.
Hash Begin: "s" Generated from IOCTL_STORAGE_QUERY_PROPERTY
Hash Begin: "t" Generated from SMART_RCV_DRIVE_DATA
1 Hash is generated from various networking properties:
Hash Begin: "m" generated by the combined info of:
a) Hardware NIC via IOCTL_NDIS_QUERY_GLOBAL_STATS
b) MAC Address
^^ The following Hash will not be used if you have onboard lan, and no installed nic cards.
A returned string will look like the following if the user has 1 HDD and onboard lan with no nic cards installed:
sfffffffffffffffffffffffffffffff tfffffffffffffffffffffffffffffff ecf0d0b2
A returned string will look like the following if the user has 2 HDDs with a nic card installed:
sfffffffffffffffffffffffffffffff tfffffffffffffffffffffffffffffff sfffffffffffffffffffffffffffffff tfffffffffffffffffffffffffffffff mfffffffffffffffffffffffffffffff ecf0d0b2
To become unbanned from a v0 Game, simply change your hdds (Change to Raid or buy new ones etc.) & your Mac Address.
v7: A Total of 4 hashes are used, hash 't' is renamed to hash 'r'
2 hashes are generated by the amount of hdds you have, with a maximum of 16 Drives.
Hash Begin: "s" Generated from IOCTL_STORAGE_QUERY_PROPERTY
Hash Begin: "r" Generated from SMART_RCV_DRIVE_DATA
1 Hash is generated from various networking properties:
Hash Begin: "m" generated by the combined info of:
a) Hardware NIC via IOCTL_NDIS_QUERY_GLOBAL_STATS
b) MAC Address
^^ The following Hash will not be used if you have onboard lan and no installed nic cards.
1 Hash is generated by various hardware from your pc. The entire pci chain is queried for info via direct hardware i/o access.
PUSH ECX
PUSH EBX
PUSH ESI
PUSH EDI
PUSHAW
PUSHAD
PUSH ES
PUSH DS
PUSH FS
PUSH GS
MOV AX,8000
MOV AL,BYTE PTR SS:[ESP+5C]
SHL EAX,10
MOV AX,WORD PTR SS:[ESP+60]
AND AX,0FC
MOV AH,BYTE PTR SS:[ESP+54]
SHL AH,3
ADD AH,BYTE PTR SS:[ESP+58]
MOV DX,0CF8 ; 0xCF8 = PCI_INDEX
OUT DX,EAX ; I/O command
MOV AX,WORD PTR SS:[ESP+60]
AND AX,3
MOV BL,8
MUL BL
MOV CX,AX
MOV DX,0CFC ; 0xCFC = PCI_DATA
IN EAX,DX ; I/O command
SHR EAX,CL
MOV BYTE PTR SS:[ESP+4F],AL
MOV DWORD PTR DS:[3977F4],0
XOR EAX,EAX
MOV DX,0CF8 ; 0xCF8 = PCI_INDEX
OUT DX,EAX ; I/O command
POP GS ; Modification of segment register
POP FS ; Modification of segment register
POP DS ; Modification of segment register
POP ES ; Modification of segment register
POPAD
POPAW
MOV AL,BYTE PTR SS:[ESP+F]
POP EDI
POP ESI
POP EBX
POP ECX
RETN 10
Hash Begin: "p":
After the in/out commands are completed, eax will contain a 32-bit value, for example:
EAX: 11063205
EAX: -> 1106 (Vendor ID)
AX: -> 3205 (Device ID)
Maybe at first glance it doesn't look too bad, however looking at http://www.pcidatabase.com/ we can plug in the values:
11063205 -> Vendor ID: 1106 -> Device ID: 3205
0x1106: VIA Technologies Inc
0x3205: CPU to PCI Bridge
KM400 chipset
1106b198 -> Vendor ID: 1106 -> Device ID: b198
0x1106: VIA Technologies Inc
0xB198: PCI-to-PCI Bridge (AGP 2.0/3.0)
ProSavageDDR P4X600 chipset
10110019 -> Vendor ID: 1011 -> Device ID: 0019
0x1011: Digital Equipment Corporation
0x0019: DC21142/3 / PCI/CardBus 10/100 Mbit Ethernet Ctlr
12745880 -> Vendor ID: 1274 -> Device ID: 5880
0x1274: Ensoniq
0x5880: 5880, AudioPci
Used on Sound Blaster 16 PCI and SoundBlaster 4.1 Digital (eat my 16bit sound card!)
11063104 -> Vendor ID: 1106 -> Device ID: 3104
0x1106: VIA Technologies Inc
0x3104: VT6202 / USB 2.0 Enhanced Host Controller
11063038 -> Vendor ID: 1106 -> Device ID: 3038
0x1106: VIA Technologies Inc
0x3038: VT6212L / 4 x USB2.0 PCI controller
11063038 -> Vendor ID: 1106 -> Device ID: 3038
0x1106: VIA Technologies Inc
0x3038: VT6212L / 4 x USB2.0 PCI controller
11063038 -> Vendor ID: 1106 -> Device ID: 3038
0x1106: VIA Technologies Inc
0x3038: VT6212L / 4 x USB2.0 PCI controller
11063177 -> Vendor ID: 1106 -> Device ID: 3177
0x1106: VIA Technologies Inc
0x3177: VT8235 / PCI to ISA Bridge
11060571 -> Vendor ID: 1106 -> Device ID: 0571
0x1106: VIA Technologies Inc
0x0571: VT82C596 / PCI IDE Controller
10024e48 -> Vendor ID: 1002 -> Device ID: 4e48
0x1002: ATI Technologies Inc.
0x4e48: R360 / Radeon 9800 Pro
Sapphire Radeon 9800 PRO 256Mb Atlantis (R360)
10024e68 -> Vendor ID: 1002 -> Device ID: 4e68
0x1002: ATI Technologies Inc.
0x4e68: R350 / Radeon 9800 Pro - Secondary
The return actually looks more like:
11063205 1106b198 10110019 12745880 11063104 11063038 11063038 11063038 11063177 11060571 10024e48 10024e68
That is then hashed and becomes the 4th hash.
A returned string will look like the following if the user has 1 HDD and onboard lan with no nic cards installed:
v7 s9ffffffffffffffffffffffffffffff r9ffffffffffffffffffffffffffffff p9ffffffffffffffffffffffffffffff ecf0d0b2
A returned string will look like the following if the user has 2 HDDs with a nic card installed:
v7 s9ffffffffffffffffffffffffffffff r9ffffffffffffffffffffffffffffff s9ffffffffffffffffffffffffffffff r9ffffffffffffffffffffffffffffff mfffffffffffffffffffffffffffffff p9ffffffffffffffffffffffffffffff ecf0d0b2
To become unbanned from a v7 game is a little more difficult, follow the steps for a v0 game, and then read below:
At the current time I am not too sure if changing the order of such hardware would change the p hash.
As I don't own more than one pci card I couldn't swap the slots to see if the order of returned pci info changed.
Your best bet is to either remove a card or add a card and hope for the best.
As you can see they are grabbing a LOT of info.
v71 Consists of 4 hashes
It's identical to v7, but reintroduces direct hardware i/o via the ide chain to retrieve hard disk info, and from what I could see either:
a) the pci info is not used (but is grabbed)
b) the pci info is used, and combined with the info from the hdds (which would be retarded seeing as changing a hdd would damage their pci results, but hey it's pb!)
1 hash is generated by the amount of hdds you have, with a maximum of 16 Drives.
Hash Begin: 'i' Generated via direct hardware i/o for all drives present (maybe includes pci info)
2 hashes are generated by the amount of hdds you have, with a maximum of 16 Drives.
Hash Begin: "s" Generated from IOCTL_STORAGE_QUERY_PROPERTY
Hash Begin: "r" Generated from SMART_RCV_DRIVE_DATA
1 Hash is generated from various networking properties:
Hash Begin: "m" generated by the combined info of:
a) Hardware NIC via IOCTL_NDIS_QUERY_GLOBAL_STATS
b) MAC Address
^^ The following Hash will not be used if you have onboard lan and no installed nic cards.
A returned string will look like the following if the user has 1 HDD and onboard lan with no nic cards installed:
v71 i9ffffffffffffffffffffffffffffff s9ffffffffffffffffffffffffffffff r9ffffffffffffffffffffffffffffff ecf0d0b2
A returned string will look like the following if the user has 2 HDDs with a nic card installed:
v7 i9ffffffffffffffffffffffffffffff i9ffffffffffffffffffffffffffffff s9ffffffffffffffffffffffffffffff r9ffffffffffffffffffffffffffffff s9ffffffffffffffffffffffffffffff r9ffffffffffffffffffffffffffffff mfffffffffffffffffffffffffffffff ecf0d0b2
To become unbanned from a v71 game I'd try the changing hdds method (set up raid, buy new hdds, remember each one needs to be replaced), this should disrupt the 'i' hashes, plus 's' and 'r', then a simple mac change should fix 'm'.
Part 2: Common Myths.
1.) Sent in from a Kid named Ralf.
Q.) If I am banned and replace partial hardware my other hardware 'X' will be banned ?
A.) False, the 'X' hardware is not automatically banned unless you get another hwban.
2.) Sent in from our good friend "Spontaneous" from MPC.
Q.) PB ONLY uses Mac addresses and harddrive serials, PB does NOT use DVDroms, CDroms, DVDWriters, CDWriters, sound card, video card, motherboard, cpu, floppy, IDE/SATA controllers, or anything along those lines.
A.) Sounds more like he's telling us what happens, rather than a question, but I think my complete reversal of 13 Game Drivers gives me the edge. Anyways as you can see from v7, and v71 games, I'd say just about the entire set of hardware is used and this includes IDE/SATA controllers, videocard, soundcard, etc.
3.) Sent in from a Kid named Peter.
Q.) When I do receive a hardware ban, which hashes are used in the ban?
A.) Without actually receiving a ban myself, I couldn't really say. I would assume they ban your entire set of hardware, and have a type of counter like if UserX has X amount of banned hardware, drop him, so replacing as much of the banned hardware as possible could prevent this, but like I said, I have never had a hw ban, so I can't say for sure.
4.) Feel free to ask, if I don't know it, I'll reverse the driver till I do know it!
Regards PizzaPan & Sparten
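The PCI configuration read that the listing in the post performs through ports 0xCF8 and 0xCFC, modelled in C as an added example; it is not part of the original post and not PunkBuster's code. The function names are hypothetical, the port access is replaced by a simulated read over one constructed sample dword so it runs without privileges, and calling the byte routine once per byte of the ID is an assumption based on the listing returning only AL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: dword at config offset 0x00 of one device.
   PCI layout is little-endian: vendor ID at 0x00-0x01, device ID at 0x02-0x03. */
#define SAMPLE_DWORD0 0x32051106u

/* The value the listing builds in EAX before OUT 0xCF8:
   bit 31 enable | bus << 16 | device << 11 | function << 8 | register & 0xFC.
   The listing does not mask device/function; masking here is an addition. */
uint32_t pci_config_address(unsigned bus, unsigned dev, unsigned func, unsigned reg)
{
    return 0x80000000u | ((bus & 0xFFu) << 16) | ((dev & 0x1Fu) << 11)
         | ((func & 0x07u) << 8) | (reg & 0xFCu);
}

/* Hypothetical stand-in for "OUT 0xCF8, address" then "IN 0xCFC": only
   bus 0 / device 0 / function 0 is populated; an empty slot reads all ones. */
static uint32_t sim_config_read_dword(uint32_t address)
{
    return address == 0x80000000u ? SAMPLE_DWORD0 : 0xFFFFFFFFu;
}

/* Mirrors the listing's tail: CL = (reg & 3) * 8, SHR EAX,CL, return AL. */
uint8_t pci_read_config_byte(unsigned bus, unsigned dev, unsigned func, unsigned reg)
{
    uint32_t dword = sim_config_read_dword(pci_config_address(bus, dev, func, reg));
    return (uint8_t)(dword >> ((reg & 3u) * 8u));
}

/* Assemble a 16-bit little-endian field from two byte reads. */
uint16_t pci_read_config_word(unsigned bus, unsigned dev, unsigned func, unsigned reg)
{
    return (uint16_t)(pci_read_config_byte(bus, dev, func, reg)
                    | (pci_read_config_byte(bus, dev, func, reg + 1) << 8));
}

/* Format one entry the way the post prints it: vendor ID, then device ID. */
void pci_id_token(unsigned bus, unsigned dev, unsigned func, char out[9])
{
    snprintf(out, 9, "%04x%04x",
             (unsigned)pci_read_config_word(bus, dev, func, 0x00),
             (unsigned)pci_read_config_word(bus, dev, func, 0x02));
}

int main(void)
{
    char token[9];
    printf("CONFIG_ADDRESS = 0x%08x\n", (unsigned)pci_config_address(0, 0, 0, 0));
    pci_id_token(0, 0, 0, token);
    printf("bus 0 dev 0 func 0 -> %s\n", token);
    pci_id_token(0, 1, 0, token);
    printf("bus 0 dev 1 func 0 -> %s (no device)\n", token);
    return 0;
}
```

Vendor and device IDs name a part model rather than an individual unit, so two machines fitted with the same cards yield the same ID list.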