punkbuster performing bounds checking?


caliber1942
11th July 2006, 17:39
I wonder if the recent kicks with PunkBuster are because certain variables in the game (like viewdistance, fog, etc.) are being checked by PunkBuster and then it is kicking because the variables within the client don't match the server variables...

I need to do some testing, but I wonder if this is the case.

Anyone else want to chime in?

best,
cal

Sendars
11th July 2006, 17:54
Probably how they are detecting Sticky Tags. /shrug

w4de
11th July 2006, 19:59
Sticky Tags isn't detected.

dennis53
11th July 2006, 20:31
Sticky Tags isn't detected.

Yes it is! It is a "corrupt File/Memory Error" w/ a 0 minute kick.

I wonder if the recent kicks with PunkBuster are because certain variables in the game (like viewdistance, fog, etc.) are being checked by PunkBuster and then it is kicking because the variables within the client don't match the server variables...

I need to do some testing, but I wonder if this is the case.

Anyone else want to chime in?

best,
cal

Hello Cal, I do believe you are very much on the right track. I'm very new to this; however, I do a lot of "exploring" into this computer and have found changes in certain areas that are noticeably different while hacks are in the game versus when they are not. Some of these areas are within the scope of search that PB scans for. I specifically became interested in this after "Sticky Tags" was released, because I was impressed with the author's ability to do this and PB not have it detected within 72 hours of its release. Unfortunately I have a very difficult time putting my findings and locations here in the forums because I don't know a lot of the technical specific "names" and "locations", but if I could get you on Ventrilo or TeamSpeak or MSN Messenger for an audio link I could explain my findings to you or others, and I know you can translate my findings into what might be helpful. Then again, you may have found this already. Please understand I'm trying to learn these concepts and have recently started doing it, but was inspired by yours and Alaxul's efforts and tuts to bring this field of design to a level for all who wish to learn. You are without a doubt a great inspiration as well as a huge credit to this community. In fact I believe I would finance any research you were doing, because I know you could move mountains with the results.

caliber1942
11th July 2006, 21:56
Well, I don't know this for sure as I am at work and I cannot test it right now, but my theory is that many of the techniques to avoid detection by the PB scanner are still working. However, certain parts of people's hacks are changing things like the variables that control the fog, the viewdistance, the distance that tags are visible, etc., and this is what PB is detecting, not the overall hide from the scanner of memory chunks. What I think is going on now is that PB is also doing variable bounds checks and/or comparing the client variables to the server's. However, there could be much more going on here.

Lastly, I appreciate all of the props and credit people give me, but I want to say here plainly that a lot of my "skillz" or perceived knowledge about stuff isn't from just me personally. From way back, people like Dr. K, and also A LOT of credit goes to folks like Sparten, without whom I wouldn't have had any working hacks through some of the PB updates. I think a lot of the unsung heroes and real leet coders are not well recognized and aren't given enough credit. There's a lot of them out there, and here's to them. Probably lots of them are playing online now with no problems with their hacks (unlike myself) or are already working on a way around things. My hat's off to them and major props. I appreciate the thanks and the respect, but I am not as "leet" as perhaps some people think. At any rate, I know enough to be dangerous and help out and work my way through things eventually.

Perhaps we will know more with time. If I find anything useful, I'll post it here.

best,
cal

Kosire
12th July 2006, 03:04
Nah, they aren't checking variables like viewdistance. I don't yet know how they detected Sticky Tags, but maybe the offset RendDX9 + 0x25651C will mean more to Drunken Cheetah than to me.

As for those doing DirectX hacks, find another way to hook the interface without hooking SetRenderState.

peek
12th July 2006, 16:48
Nah, they aren't checking variables like viewdistance. I don't yet know how they detected Sticky Tags, but maybe the offset RendDX9 + 0x25651C will mean more to Drunken Cheetah than to me.

As for those doing DirectX hacks, find another way to hook the interface without hooking SetRenderState.

Need to make a simple test with changing viewdistance and other variables, but I'm curious why they can't detect changes (if they can't). It's very simple, because some variables like fade time for name tags, enemy and friendly distance etc. are always the same; in DC change them to 0 (fade variables) and the rest to 9999999. I hope they don't check it.

B.r.

robin44
12th July 2006, 17:08
A possible way... How about changing registers directly in memory when a certain address is reached? Survey execution of the process RendDX9.dll until the needed address is reached, do a sort of breakpoint when this address comes, like Olly does, change the value of the register to be compared before the JE and let the process continue. If it is possible, no more code changes are needed and of course no corrupted memory/files detected by PB :D But I haven't the time and capabilities to do that :cry:

peek
12th July 2006, 20:21
A possible way... How about changing registers directly in memory when a certain address is reached? Survey execution of the process RendDX9.dll until the needed address is reached, do a sort of breakpoint when this address comes, like Olly does, change the value of the register to be compared before the JE and let the process continue. If it is possible, no more code changes are needed and of course no corrupted memory/files detected by PB :D But I haven't the time and capabilities to do that :cry:

Because PB probably detects HW breakpoints. Without a breakpoint set you can't change register values.

b.r.

alaxul
12th July 2006, 20:52
I have noticed that even changing the DMA addresses for things like fog and view distance gets detected. This would play along with Cal's theories on doing bounds checking on client side values versus the server's. Though I am running a TAGS hack that was written by XR8 and Tony Soprano that has no issues with being detected. Though I haven't looked at how they did it.

peek
12th July 2006, 21:13
I have noticed that even changing the DMA addresses for things like fog and view distance gets detected. This would play along with Cal's theories on doing bounds checking on client side values versus the server's. Though I am running a TAGS hack that was written by XR8 and Tony Soprano that has no issues with being detected. Though I haven't looked at how they did it.

Is it 100% info? I mean, did you test it, or are you thinking?
If it's 100%, then do you know what other DMA addresses are checked?

b.r.

dennis53
13th July 2006, 00:41
You know, I think PB is kinda swatting at flies with a toothpick. Now, as I have observed in game, you can go to any spot on the map and as long as you don't encounter any enemy you won't get the error and kick message. HELP me out here, CAL, in case I stumble, please! I know my thought but have a difficult time putting it here for all to understand. Anyway, I went into the game and changed my resolution and view distance and just stayed off to the side of the map and faced the "out of bounds area" with Sticky Tags "on", and never got kicked for the entire map (approx. 15 minutes). I did this 3 times without any "kick". Then I positioned myself so that I would only encounter perhaps 2-3 opponents, and unless I looked in their direction and caused only one to fall into my FOV I was still able to play without a kick, but if I put myself in the middle of it all and caused multiple exposures of the opponent to appear I would get kicked in a minute or less. This leads me to believe that they cannot see (detect) the hack unless you actually put it to use. I don't know if this is relevant to the scan that is being performed, but it seems PB doesn't really know what it is, hence the 0 minute kick. Some of you veterans probably know what or why this is happening, but I just wanted to share. Thank you.

caliber1942
13th July 2006, 17:30
Maybe Cheetah can use this info.

For now I haven't been able to test much of anything at this point. I am backed up at the office here due to being off the 4th of July week, and so games have been put down the stack. Thanks to all for keeping this thread alive and for all the info. It helps when going back to the drawing board to try and get around this latest update.

best,
cal

peek
13th July 2006, 18:15
You know, I think PB is kinda swatting at flies with a toothpick. Now, as I have observed in game, you can go to any spot on the map and as long as you don't encounter any enemy you won't get the error and kick message. HELP me out here, CAL, in case I stumble, please! I know my thought but have a difficult time putting it here for all to understand. Anyway, I went into the game and changed my resolution and view distance and just stayed off to the side of the map and faced the "out of bounds area" with Sticky Tags "on", and never got kicked for the entire map (approx. 15 minutes). I did this 3 times without any "kick". Then I positioned myself so that I would only encounter perhaps 2-3 opponents, and unless I looked in their direction and caused only one to fall into my FOV I was still able to play without a kick, but if I put myself in the middle of it all and caused multiple exposures of the opponent to appear I would get kicked in a minute or less. This leads me to believe that they cannot see (detect) the hack unless you actually put it to use. I don't know if this is relevant to the scan that is being performed, but it seems PB doesn't really know what it is, hence the 0 minute kick. Some of you veterans probably know what or why this is happening, but I just wanted to share. Thank you.

So very strange. Looks like they don't check the variable value directly but the value transferred from the variable and used as a counter (enemy name tag fade out time, for example), because it's used only when you aim at an enemy. No idea, just thinking that.

b.r.

caliber1942
13th July 2006, 18:40
Who can verify for sure that viewdistance and fog cause a kick if the variables are changed?

best,
cal

peek
13th July 2006, 19:42
Who can verify for sure that viewdistance and fog cause a kick if the variables are changed?

best,
cal

Me. I just made PB tests. It's a 100% kick when viewdistance, fog or nametag variables are changed. Also it kicks even when an enemy is not in aim range or view etc., as dennis53 wrote. I checked all of it without any player connected. So definitively:

- PB checks against changed variables like: fog, viewdistance, name tags (all who know will know what the name tag variables are)
- PB doesn't check other variable changes (tested 20 min without kick)
- PB doesn't check commander flag, supply, etc.
- PB doesn't check other variables that give other helpful hacks.

So final words: variable changes for fog, viewdistance, name tags are killed by PB.

caliber1942
13th July 2006, 20:40
This helps to some degree. I will personally check this as well when I have time. Can you give the kick code that PB gives you?

best,
cal

peek
13th July 2006, 22:26
This helps to some degree. I will personally check this as well when I have time. Can you give the kick code that PB gives you?

best,
cal

Kick code: 81153.
Strange is that sometimes PB doesn't kick. So I checked why. I run a dedicated server on my PC and I see that sometimes PB doesn't update PB for the server. When I close the server and run it again, then the PB version for the server is old and from this point PB starts to update or not. When it will not update, then PB doesn't kick.

b.r.

Sparten
14th July 2006, 14:06
It's 100% confirmed that they do variable checks.
The table at renddx9 base + 2379fd is checked for changes; also some other tables are checked.

102379FC . 00001643 DD FLOAT 150.0000
10237A00 . 00004041 DD 41400000
10237A04 . 58FF7F3F DD 3F7FFF58
10237A08 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A10 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A18 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A20 . 0000000000004440 DQ FLOAT 40.00000000000000
10237A28 . 0000C842 DD FLOAT 100.0000
10237A2C . 0000F042 DD FLOAT 120.0000
10237A30 . 6666E63E DD 3EE66666
10237A34 . 3333B33E DD 3EB33333
10237A38 . 00006041 DD FLOAT 14.00000
10237A3C . 9A99193F DD FLOAT 0.6000000
10237A40 . 00008028 DD FLOAT 1.421085e-14
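
The dump above is OllyDbg output: the second column is the bytes as they sit in memory (little-endian), so `00001643` is the float 150.0 and `00004041` is 12.0. Here is an added example, not code from this thread or from PunkBuster, that parses lines in that format into a baseline table and then compares a memory image against it to flag any entry that no longer holds its default value, which is the kind of "is the table still at its default" check the thread infers PB is doing against renddx9 base + 2379FC. Assumptions not stated in the thread: the module base is taken as 0x10000000 (consistent with the 1023xxxx addresses in the dump, but an inference), and the "memory image" is a constructed byte buffer standing in for a read of the live RendDX9.dll, with the +237A2C entry poked from 120 to 800 the way stawned describes.

```python
import re
import struct

# Assumed preferred load address of RendDX9.dll (inference from the dump's
# 1023xxxx addresses; the thread does not state the base explicitly).
MODULE_BASE = 0x10000000

# Sparten's table from the thread (offsets in RendDX9.dll), copied verbatim.
SPARTEN_DUMP = """\
102379FC . 00001643 DD FLOAT 150.0000
10237A00 . 00004041 DD 41400000
10237A04 . 58FF7F3F DD 3F7FFF58
10237A08 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A10 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A18 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A20 . 0000000000004440 DQ FLOAT 40.00000000000000
10237A28 . 0000C842 DD FLOAT 100.0000
10237A2C . 0000F042 DD FLOAT 120.0000
10237A30 . 6666E63E DD 3EE66666
10237A34 . 3333B33E DD 3EB33333
10237A38 . 00006041 DD FLOAT 14.00000
10237A3C . 9A99193F DD FLOAT 0.6000000
10237A40 . 00008028 DD FLOAT 1.421085e-14
"""

# "ADDRESS . HEXBYTES DD|DQ ..." as OllyDbg prints a data dump.
DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+\.\s+([0-9A-Fa-f]+)\s+(DD|DQ)\b")


def parse_dump(text):
    """Parse OllyDbg-style dump lines into (rva, raw_bytes) pairs.

    The hex column is memory order (little-endian), so '00001643' is the
    float 150.0.  rva is the offset from MODULE_BASE, matching the
    'renddx9 base + ...' notation used in the thread.
    """
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        addr, hexbytes, kind = m.groups()
        raw = bytes.fromhex(hexbytes)
        expected_len = 4 if kind == "DD" else 8
        if len(raw) != expected_len:
            raise ValueError(f"{addr}: {kind} needs {expected_len} bytes, got {len(raw)}")
        entries.append((int(addr, 16) - MODULE_BASE, raw))
    return entries


def as_float(raw):
    """Decode a 4-byte (float) or 8-byte (double) little-endian IEEE-754 value."""
    return struct.unpack("<f" if len(raw) == 4 else "<d", raw)[0]


def build_image(entries, patches=None):
    """Construct a stand-in for the live module's memory covering the table.

    Constructed test data, not a real process read.  `patches` maps
    rva -> new float value, simulating a hack poking e.g. +237A2C to 800.
    Returns (start_rva, bytes).
    """
    start = min(rva for rva, _ in entries)
    end = max(rva + len(raw) for rva, raw in entries)
    buf = bytearray(end - start)
    for rva, raw in entries:
        buf[rva - start:rva - start + len(raw)] = raw
    for rva, value in (patches or {}).items():
        width = next(len(raw) for r, raw in entries if r == rva)
        buf[rva - start:rva - start + width] = struct.pack("<f" if width == 4 else "<d", value)
    return start, bytes(buf)


def check_table(entries, start_rva, image):
    """Compare every baseline entry against the image and return mismatches.

    Each mismatch is (rva, expected_float, actual_float).  Any byte-level
    difference is flagged, so a value poked back to a 'plausible' number
    that is not the exact default is still caught.
    """
    diffs = []
    for rva, raw in entries:
        off = rva - start_rva
        actual = image[off:off + len(raw)]
        if actual != raw:
            diffs.append((rva, as_float(raw), as_float(actual)))
    return diffs


if __name__ == "__main__":
    table = parse_dump(SPARTEN_DUMP)
    start, clean = build_image(table)          # untouched table: nothing to report
    assert check_table(table, start, clean) == []
    start, poked = build_image(table, patches={0x237A2C: 800.0})
    for rva, exp, act in check_table(table, start, poked):
        print(f"renddx9 + {rva:X}: expected {exp}, found {act}")
```

Running it reports `renddx9 + 237A2C: expected 120.0, found 800.0`. Note that `check_table` is an exact byte comparison, which is why a "bounds" intuition (is the value within a sane range?) is not needed to catch the 800 m poke; a pure range check would be weaker, since a hack could pick a value inside the range that is still not the default.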

wick2o
14th July 2006, 17:37
Could you provide some info on how you found this information? I have quite a few ideas for some workarounds,

such as NOPing the checks themselves (assuming PB wasn't smart enough to check the checks themselves for changes),

or perhaps caving the checks so they always return the default values while playing the game off of a different set.

caliber1942
14th July 2006, 18:36
Thanks for the update, Sparten. I was afraid of that. Maybe after work today I can do a little more on my own. I tried to make copies of certain functions (like the minimap) but to no avail, since the code that calls that function is a direct call (doesn't use a dynamic address to a virtual function). The tags section of code in the renddx9.dll doesn't appear to be easily called as a virtual function, best I can tell, so this is a dead end. I wish there was more positive info in here today.

best,
cal

Haxing4Life
15th July 2006, 02:16
Today they seem to be scanning for nametags, am I right? Because I got kicked for it. Quite BS with a 350+ byte code cave.

stawned
15th July 2006, 08:22
OK..

Can someone please put this detection talk in newb language... :p

So I got kicked today for:
corrupt File/Memory Error .. 0 mins ..

Is that because my code cave is not big enough? Or is it a new reason?
It's a Name Tag hack with 800m viewable. That's all I use.

Thanks for the help.

Cheers.

PS: Any way to get around this?


-EDIT-
Also tried WITHOUT poking the +237A2C to 800m (hence left it at the default 120m) and still got kicked for the same reason..
Like I mentioned earlier, all I am using is a simple nametag hack, caved largely.
-EDIT-

dennis53
15th July 2006, 20:19
It's a Name Tag hack with 800m viewable. That's all I use.

That's all it takes to get detected. OK, so it is EZ to understand: please read Sparten's post #19 above. You will see that the scan range includes the codes that you have in your hack. I believe. No?

lucid713
15th July 2006, 22:03
-EDIT-
Also tried WITHOUT poking the +237A2C to 800m (hence left it at the default 120m) and still got kicked for the same reason..
Like I mentioned earlier, all I am using is a simple nametag hack, caved largely.
-EDIT-

As I posted yesterday, there was a major scanrange update (for me, anyway!). My nametag, commander, nofog, and distance hacks all became detected at once, despite being placed a long way from the old scanranges, private, and undetected for months.

stawned
16th July 2006, 05:50
As I posted yesterday, there was a major scanrange update (for me, anyway!). My nametag, commander, nofog, and distance hacks all became detected at once, despite being placed a long way from the old scanranges, private, and undetected for months.


So does that mean we have to CAVE even larger now? Say, e.g., 500+ bytes?

lucid713
16th July 2006, 06:30
So does that mean we have to CAVE even larger now? Say, e.g., 500+ bytes?

I guess so. I'd like to see what the updated scanranges actually are, though.

Haxing4Life
16th July 2006, 17:06
Look on unknowncheats.com in the BF2 section.

stawned
5th August 2006, 13:04
It's 100% confirmed that they do variable checks.
The table at renddx9 base + 2379fd is checked for changes; also some other tables are checked.

102379FC . 00001643 DD FLOAT 150.0000
10237A00 . 00004041 DD 41400000
10237A04 . 58FF7F3F DD 3F7FFF58
10237A08 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A10 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A18 . 000000000000F03F DQ FLOAT 1.000000000000000
10237A20 . 0000000000004440 DQ FLOAT 40.00000000000000
10237A28 . 0000C842 DD FLOAT 100.0000
10237A2C . 0000F042 DD FLOAT 120.0000
10237A30 . 6666E63E DD 3EE66666
10237A34 . 3333B33E DD 3EB33333
10237A38 . 00006041 DD FLOAT 14.00000
10237A3C . 9A99193F DD FLOAT 0.6000000
10237A40 . 00008028 DD FLOAT 1.421085e-14


Hi,

Are these the only variable checks they are doing, or are there more?

Cheers.

alaxul
6th August 2006, 16:56
Cal, I messaged you earlier with the solution. But to assist this thread: if you adjust the opacity levels, you can get everything to reappear just as before.