code caving is a no go .. so now what?
stawned
17th July 2006, 11:53
Ok, what can we use instead of code caving .. since it's detected somehow by PB?
Thanks
robin44
17th July 2006, 13:43
No, you only have to code cave on a larger scale if I'm right, but it seems to be a bit difficult now, and I think PB will probably scan RendDX9.dll entirely in memory in the future :(
The only way you've got is probably to learn how to hook the DX9 API now, or play legit ;)
Haxing4Life
17th July 2006, 15:11
PunkBuster scans for DMA
stawned
17th July 2006, 15:11
I doubt larger code caves would help either ... I saw KOSIRE's last update on scan ranges (updated 15th July), and the scans were not that huge compared to my former code caves.
And from other posts ... they say PB is using some different method to detect nametags, etc.
So what's the next step/tutorial?
SINE
17th July 2006, 16:41
If what you want requires code modification, make PB scan some other region instead of the one being changed. There are different ways of doing this. The best way is to change PB's TSS.CR3 to point to a cloned page directory, where you change the relevant PDEs or even PTEs to point to some other region, where you have your virgin copy of the code.
The other approach is to install your own page fault handler hook, and mark the piece of memory with your modification as invalid in the BF2.exe process's PDT (page directory table). Make sure to limit your changes to one small 4Kb page to decrease the performance penalty. Force your kernel to run in /NOPAE mode to further decrease the performance penalty. Now, your page fault handler will be called whenever anybody tries accessing your page. If you see that the caller EIP is within the page bounds, it means the code on the page was about to be executed and you can just let it go (load a PTE with the present bit set into the ITLB). If, however, you see the EIP falls outside the page's linear address range, it means it was not execution but rather someone reading the page from the outside - most likely PB. In this case, load a different PTE into the DTLB, pointing to some other page in memory. Since the ITLB and DTLB can point to different regions, you are good to go and page faults will occur rarely.
See here for a rather good description of how it works:
http://www.phrack.org/show.php?p=63&a=8
And see the Intel Software Development Manual, System Programming Guide, Volume 3A, section 3 (if I recall), Page Mapping, and section 2 (again, if I recall correctly, it has been a while since I read it), Protection.
If you are scared by kernel level stuff - don't be. Kernel level hacking is the inevitable future, since there is only so much you can hide in userland, and PB will sooner or later close all the remaining holes. At ring 0 level they are bound by IA-32 limitations, such as no fine-grained access control in the ring 0 context, memory aliasing, virtualisation, and other useful stuff. For easy entry into kernel level hacking I recommend Hoglund's Subverting the Windows Kernel, and Russinovich's Microsoft Windows Internals - fourth edition. And also the IA-32 docs by Intel - the best read out there for anyone interested in serious reversing. And there is also a book by Kris Kaspersky (not that one) on reversing - it is brilliant - here:
http://www.amazon.com/gp/product/1931769222/102-6054953-9510550?v=glance&n=283155
When I am done with my current project, I will write a tutorial on the topics mentioned above.
cheers,
Sine
caliber1942
17th July 2006, 17:07
I have little expertise in this, Sine, and so I eagerly await you doing this. I'd be glad to package it with you and write the actual tutorial, although I have very little knowledge to give in this area.
best,
cal
goggles99
17th July 2006, 21:50
Can I still use VeeBee with the "kernel level stuff" hacks? How about TMK or C#?
Nice stuff Sine, but really it's pretty far-fetched for 99.9% of people here. There are still plenty of ways to subvert PunkBuster in Ring 3, many of which I am certain will last until Windows Vista becomes mainstream.
Heck, there are still user level rootkits out there that cannot be detected by all public antivirus and scanners.
I went the Ring 0 way just to prove to myself that I could do it. It did take quite a while for me to set everything up for driver dev, and even longer to get comfortable with it.
IMO, the average decent coder should just use his imagination a bit and it's really pretty easy.
SINE
17th July 2006, 22:01
There is still plenty of ways to subvert PunkBuster in Ring 3. Many of which I am certain will last until windows vista becomes mainstream.
No doubt. The rootkit approach is good for hacks that are to become public and remain undetected, which is the reason I started researching the topic (I just want to make a proof-of-concept hack that would stay undetected for a long time).
cheers,
Sine
stawned
18th July 2006, 08:05
I'll wait for the tutes, fellas .. keep up the good work!
If I had an IT background, I would be following every step in assisting this project.
However, I have limited knowledge of intense software/hardware manipulation.
I did learn how to memory hack and code cave though :)
Thanks again to all you learned IT individuals for sharing your knowledge and simplifying it for us newbies.
Can't wait for the new tutes! Good luck.
Cheers.