View Full Version : Hardware Spoofer 1.0Beta Source


Eleethal
6th July 2004, 01:09
If anyone else wants to try to tackle PunkBuster with a similar project, here is the source for the DLL. Take note that the hook is missing because it is used in other private hacks, and the coder who lent it for this DLL asked for it not to be republished.



// Headers and declarations added so the file compiles on its own. add_log() and
// HookFunction() belong to the hook code that was withheld (see above). DFP_* are
// the legacy names of the SMART_* ioctls in winioctl.h and resolve to the same codes.
#include <windows.h>
#include <winioctl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#ifndef DFP_GET_VERSION
#define DFP_GET_VERSION        SMART_GET_VERSION
#define DFP_SEND_DRIVE_COMMAND SMART_SEND_DRIVE_COMMAND
#define DFP_RECEIVE_DRIVE_DATA SMART_RCV_DRIVE_DATA
#endif

void add_log(const char* fmt, ...);                                // withheld hook library
void HookFunction(DWORD target, DWORD detour, DWORD saveOriginalAt); // withheld hook library

BOOL (WINAPI *p_DeviceIoControl)( HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped );
BOOL WINAPI h_DeviceIoControl( HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped )
{
    // Let the real call complete first, then inspect and patch what came back
    BOOL out = p_DeviceIoControl( hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped );

    char iotype[255];

    if(dwIoControlCode == IOCTL_STORAGE_QUERY_PROPERTY) {
        strcpy(iotype,"IOCTL_STORAGE_QUERY_PROPERTY");
    } else if(dwIoControlCode == DFP_GET_VERSION) {
        strcpy(iotype,"DFP_GET_VERSION");
    } else if(dwIoControlCode == DFP_SEND_DRIVE_COMMAND) {
        strcpy(iotype,"DFP_SEND_DRIVE_COMMAND");
    } else if(dwIoControlCode == DFP_RECEIVE_DRIVE_DATA) {
        strcpy(iotype,"DFP_RECEIVE_DRIVE_DATA");
    } else {
        sprintf(iotype,"UNKNOWN'%08lX'",dwIoControlCode);
    }

    add_log("DeviceIoControl(%08X,%s)==%d",hDevice, iotype, out);

    if(out && lpOutBuffer) {
        // Listed in order as called by Punkbuster

        if(dwIoControlCode == IOCTL_STORAGE_QUERY_PROPERTY) {
            // Only a StorageDeviceProperty query returns a STORAGE_DEVICE_DESCRIPTOR;
            // the same ioctl also serves adapter queries, which have a different layout
            STORAGE_PROPERTY_QUERY* query = (STORAGE_PROPERTY_QUERY*)lpInBuffer;
            if(query && nInBufferSize >= sizeof(STORAGE_PROPERTY_QUERY)
               && query->PropertyId == StorageDeviceProperty
               && nOutBufferSize >= sizeof(STORAGE_DEVICE_DESCRIPTOR)) {
                STORAGE_DEVICE_DESCRIPTOR* descrip = (STORAGE_DEVICE_DESCRIPTOR*)lpOutBuffer;
                // The *Offset fields are byte offsets from the start of the descriptor,
                // so they must be added to a char* and not to the struct pointer
                char* base = (char*)descrip;
                add_log("Results from IOCTL_STORAGE_QUERY_PROPERTY:");
                if(descrip->VendorIdOffset) { add_log("VendorId=%s", base+descrip->VendorIdOffset); }
                else { add_log("VendorId=[FAILED]"); }

                if(descrip->ProductIdOffset) { add_log("ProductId=%s", base+descrip->ProductIdOffset); }
                else { add_log("ProductId=[FAILED]"); }

                if(descrip->SerialNumberOffset) {
                    char* serial = base+descrip->SerialNumberOffset;
                    add_log("SerialNumber=%s",serial);

                    // Replace the first 10 characters with random digits (a fresh value on
                    // every query); stop early if the serial is shorter than that
                    for(int n = 0; n < 10 && serial[n]; n++)
                        serial[n] = '0' + (rand() % 10);

                    add_log("New SerialNumber=%s",serial);
                }
                else { add_log("SerialNumber=[FAILED]"); }
            }
        } else if(dwIoControlCode == DFP_GET_VERSION) {
            // Get version info about harddrive
            // Do not need to hook this....
        } else if(dwIoControlCode == DFP_SEND_DRIVE_COMMAND) {
            // Not sure yet
        } else if(dwIoControlCode == DFP_RECEIVE_DRIVE_DATA) {
            // After looking at some sample code do not feel like coding this yet
            memset(lpOutBuffer, 0, nOutBufferSize);   // zero the buffer so nothing real leaks
            add_log("Failing DFP_RECEIVE_DRIVE_DATA...");
            SetLastError(ERROR_NOT_SUPPORTED);        // give the caller a plausible error code
            return FALSE;
        }
    }

    return out;
}


HANDLE (WINAPI *p_CreateFileA)( LPCSTR lpszName, DWORD fdwAccess, DWORD fdwShareMode, LPSECURITY_ATTRIBUTES lpsa, DWORD fdwCreate, DWORD fdwAttrsAndFlags, HANDLE hTemplateFile );
HANDLE WINAPI h_CreateFileA( LPCSTR lpszName, DWORD fdwAccess, DWORD fdwShareMode, LPSECURITY_ATTRIBUTES lpsa, DWORD fdwCreate, DWORD fdwAttrsAndFlags, HANDLE hTemplateFile )
{
    HANDLE out = p_CreateFileA( lpszName, fdwAccess, fdwShareMode, lpsa, fdwCreate, fdwAttrsAndFlags, hTemplateFile );

    // Only log device opens (\\.\PhysicalDrive0, \\.\C:, \\.\Smartvsd and friends)
    if (lpszName && strstr(lpszName,"\\\\.\\")) {
        if(out == INVALID_HANDLE_VALUE) {
            add_log("Opening->%s [FAILED]",lpszName);
        } else {
            add_log("Opening->%s Handle->%08X",lpszName,out);
        }
    }

    return out;
}

void HookStuffUp()
{
    add_log("--HW SPOOFER---");
    srand( (unsigned)time( NULL ) );
    HookFunction((DWORD)DeviceIoControl,(DWORD)h_DeviceIoControl,(DWORD)&p_DeviceIoControl);
    HookFunction((DWORD)CreateFileA,(DWORD)h_CreateFileA,(DWORD)&p_CreateFileA);
    MessageBox(0,"harddrive spoofer activated",0,0);
}


This code (for those who didn't know) is in C++; you n00bs can find great C++ tutorials on this site in the tutorials section if you want to try to make anything relevant to America's Army.

FEAR
6th July 2004, 01:35
In addition to Eleethal's source code release, here is the source to my loader program that loads Eleethal's DLL. It's simple code and is written in Visual Basic.

Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Dim DLLID As Long

Private Sub Command1_Click()
DLLID = LoadLibrary(App.Path & "\HwSpoofer.dll")
If DLLID = 0 Then
MsgBox "DLL File 'HwSpoofer.dll' does not exist in root.", vbCritical, "Error"
Exit Sub
End If
End Sub

Private Sub Form_Load()
MsgBox "This is a beta DLL loader written by FEAR, and may or may not work. Make sure you place the proper DLL in the same folder as this program.", vbInformation, "AAU Loader"
End Sub

Private Sub Form_Unload(Cancel As Integer)
MsgBox "The DLL will now be unloaded to free memory.. to reload it, run this program again.", vbInformation, "Notice"
FreeLibrary DLLID
End Sub

evilbert
6th July 2004, 01:43
This won't fully protect you from an HD ban. They use 2 different ways of querying the drive's information. The first one is by using IOCTL_STORAGE_QUERY_PROPERTY. The second one is using the drive's SMART capabilities. They first check if the drive is SMART capable by calling SMART_GET_VERSION. If that succeeds they enable SMART for the drive by calling SMART_SEND_DRIVE_COMMAND with a command code of B0. Then they query the drive's information and read it with SMART_RCV_DRIVE_DATA. The best way to deal with the SMART stuff would be to fail SMART_GET_VERSION.
What you are doing is not very effective as you are operating in userspace and such hooks can be detected easily.
There is a kernel driver which does all of the above called hdprotector.exe. This can only be detected if pb goes kernel-mode too.

Greetings, Evilbert

3y3w4nn4ch34t
6th July 2004, 01:48
I would definitely listen to this man lol.


Good to see ya around EB. ;)

FEAR
6th July 2004, 02:07
(quoting Evilbert's reply above)


I'm so turned on right now.

evergreek
6th July 2004, 02:09
Me too lol, Nice to see ya around EB :classic:

Eleethal
6th July 2004, 02:27
(quoting Evilbert's reply above)

Thanks for the input evil, I am going to research everything you just said to make the next build better for the next version when I get the time.

luckyshot
6th July 2004, 03:16
(quoting Evilbert's reply above)
Sweet, Da Man is back. Good to cya back EB, and thx 4 the info.
EDIT: I should say good to cya posting under the EB name again.

xp_12
6th July 2004, 03:40
OMG Evilbert is still alive!!!!!!!........HOLY SHAT!!!!!!!!

commando127
6th July 2004, 05:18
He has always been around just not making cheats right now.

OMFS
7th July 2004, 11:26
Nice thing about hdprotector is it randomizes the data.

dozer15
7th July 2004, 19:52
Can someone PM me and tell me how I can find this exe? Thanks.

gil
7th July 2004, 21:03
I heard it (HDPROTECTOR.EXE) can also **** up your PC and make you reformat... (uhm uhm barry).
So use it carefully..


Always good to read the "Greetings, Evilbert". Stay tuned..

Eleethal
7th July 2004, 21:05
This DLL can't **** up your computer and make you reformat? What the hell are you smoking, kid?

barry_white
7th July 2004, 21:15
This DLL can't **** up your computer and make you reformat? What the hell are you smoking, kid?


I used it once. Couldn't find a way to remove it from my registry. I decided to reformat since, and I'm not saying it's because of hdprotector, my computer was extremely slow. It was time to do it since so much sh*t was installed anyway.

gil
7th July 2004, 21:16
Errrrr, read the posts.. I was talking about hdprotector.exe.

And its none of your business what i am smoking :D

3y3w4nn4ch34t
8th July 2004, 03:49
I didn't have any problems with HDProtector. But I'm not HD banned so I don't know if it did anything lol. When I click on it, it just takes a second and it creates an ini file with this info .......

[settings]
DriverName=xxxxxxx
VendorId=xxxxxx
ProductId=xxxxxx
ProductRevision=xxxxxx
SerialNumber=xxxxxxx


Lots of people are overlooking this program. Evilbert said the HD spoofer will NOT protect you fully from an HD ban, but HDProtector will.

00kes
8th July 2004, 04:31
hdprotector doesn't work for me.......

temp2
11th July 2004, 05:20
for(int n = 0; n < 10; n++)
serial[n] = '0' + (rand() % 10);

add_log("New SerialNumber=%s",serial);


Eleethal, I don't know if you intended this, but clearly each time PB attempts a serial query you return a different number, thus the MD5 hash returned will always be different. It will be trivial for PB to detect this when it evolves again.

hdprotector serials, etc. persist for as long as its ini is unchanged. If you want to understand what evilbert is saying, I suggest you investigate getting hold of the Windows DDK, hiding the driver in the resource section of an exe file, and using the undocumented NTLoadDriver API to load the sys driver dynamically. You could also use the undocumented ZwSetSystemInformation native API using the SystemLoadAndCallImage option.

Check out NTRootKit at http://www.rootkit.com/ and http://www.securityfocus.com/archive/1/79379/2002-11-30/2002-12-06/0. Unfortunately any public offerings are easy to detect now that PB has gone kernel itself.
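
Added example (not code from the thread, and not PunkBuster's or hdprotector's code): a portable C model of the two identity sources Evilbert describes above and of the consistency problem temp2 points out. sdd_header mirrors the Win32 STORAGE_DEVICE_DESCRIPTOR header with explicit widths; the IDENTIFY DEVICE block is the 512-byte payload SMART_RCV_DRIVE_DATA hands back, with the serial in words 10 to 19 and the two characters of each word stored high byte first. All drive strings are constructed sample data, and the fixed 10-digit string stands in for the rand() output of the posted hook. check_snapshots raises one flag for each of the three things the thread touches on: the two sources disagreeing (what a hook that patches only IOCTL_STORAGE_QUERY_PROPERTY produces), the serial changing between two queries (temp2's observation), and the SMART path failing (Evilbert's suggested fallback, which is itself visible to the querying side).

```c
/* Added example, not from the thread: parse and cross-check the two drive identity sources. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Win32 STORAGE_DEVICE_DESCRIPTOR header with explicit widths. The *Offset
 * fields are byte offsets from the start of the descriptor. */
typedef struct {
    uint32_t Version, Size;
    uint8_t  DeviceType, DeviceTypeModifier, RemovableMedia, CommandQueueing;
    uint32_t VendorIdOffset, ProductIdOffset, ProductRevisionOffset, SerialNumberOffset;
    uint32_t BusType, RawPropertiesLength;
} sdd_header;
enum { SRC_DISAGREE = 1, SERIAL_CHANGED = 2, SMART_FAILED = 4 };
typedef struct {
    char sdd_serial[64];  /* from IOCTL_STORAGE_QUERY_PROPERTY */
    char ata_serial[21];  /* IDENTIFY DEVICE words 10..19, via SMART_RCV_DRIVE_DATA */
    int  smart_ok;        /* SMART_GET_VERSION and SMART_RCV_DRIVE_DATA succeeded */
} drive_snapshot;

static void rtrim(char *s) { size_t n = strlen(s); while (n && s[n - 1] == ' ') s[--n] = '\0'; }

/* Bounds-checked copy of the NUL-terminated string at a descriptor offset.
 * Returns 1 on success, 0 if the offset is 0, out of range or unterminated. */
int sdd_string(const uint8_t *buf, size_t len, uint32_t off, char *out, size_t outsz) {
    size_t n = 0;
    if (off == 0 || off >= len) return 0;
    while (off + n < len && buf[off + n] != '\0') n++;
    if (off + n >= len || n + 1 > outsz) return 0;
    memcpy(out, buf + off, n + 1);
    rtrim(out);
    return 1;
}

/* Decode an ATA string field: each 16-bit word carries two characters, the
 * first in the high byte, so bytes are swapped pairwise on the way out. */
void ata_string(const uint8_t *id512, int first_word, int nwords, char *out) {
    for (int w = 0; w < nwords; w++) {
        out[2 * w]     = (char)id512[2 * (first_word + w) + 1];
        out[2 * w + 1] = (char)id512[2 * (first_word + w)];
    }
    out[2 * nwords] = '\0';
    rtrim(out);
}
/* Compare two snapshots taken some time apart; returns a bitmask of anomalies. */
int check_snapshots(const drive_snapshot *a, const drive_snapshot *b) {
    int flags = 0;
    if (!a->smart_ok || !b->smart_ok) flags |= SMART_FAILED;
    else if (strcmp(a->ata_serial, b->ata_serial)) flags |= SERIAL_CHANGED;
    if (strcmp(a->sdd_serial, b->sdd_serial)) flags |= SERIAL_CHANGED;
    if (a->smart_ok && strcmp(a->sdd_serial, a->ata_serial)) flags |= SRC_DISAGREE;
    return flags;
}
/* One round of both queries, as a checker would take them. */
drive_snapshot snapshot(const uint8_t *sdd, size_t sdd_len, const uint8_t *id512, int smart_ok) {
    drive_snapshot s = {{0}, {0}, smart_ok};
    sdd_header h;
    memcpy(&h, sdd, sizeof h);
    if (!sdd_string(sdd, sdd_len, h.SerialNumberOffset, s.sdd_serial, sizeof s.sdd_serial))
        strcpy(s.sdd_serial, "[FAILED]");
    if (smart_ok) ata_string(id512, 10, 10, s.ata_serial);
    return s;
}

/* ---- constructed sample data, not captured from a real drive ---- */
static void put_ata_string(uint8_t *id512, int first_word, int nwords, const char *s) {
    size_t len = strlen(s);
    for (int i = 0; i < 2 * nwords; i++)  /* char i -> word first_word + i/2, high byte when i is even */
        id512[2 * (first_word + i / 2) + (i % 2 ? 0 : 1)] = (uint8_t)((size_t)i < len ? s[i] : ' ');
}
static void build_sdd(uint8_t *buf, size_t len, const char *product, const char *serial) {
    sdd_header h = {0};
    memset(buf, 0, len);
    h.Version = h.ProductIdOffset = (uint32_t)sizeof h;
    h.Size = (uint32_t)len;
    h.SerialNumberOffset = h.ProductIdOffset + (uint32_t)strlen(product) + 1;
    memcpy(buf, &h, sizeof h);
    strcpy((char *)buf + h.ProductIdOffset, product);
    strcpy((char *)buf + h.SerialNumberOffset, serial);
}
static drive_snapshot g_first, g_second;

/* First query on a clean system; second after a hook of the posted kind has replaced the
 * first 10 characters of the descriptor serial while the SMART path still reports the real one. */
int demo(void) {
    uint8_t id[512] = {0}, sdd[128], spoofed[128];
    put_ata_string(id, 10, 10, "WD-WCAV12345678");   /* serial, words 10..19 */
    build_sdd(sdd, sizeof sdd, "WDC WD5000AAKS-00V1A0", "WD-WCAV12345678");
    build_sdd(spoofed, sizeof spoofed, "WDC WD5000AAKS-00V1A0", "481516234245678");
    g_first  = snapshot(sdd, sizeof sdd, id, 1);
    g_second = snapshot(spoofed, sizeof spoofed, id, 1);
    return check_snapshots(&g_first, &g_second);
}

int main(void) {
    int flags = demo();
    printf("first=%s second=%s ata=%s flags=%d\n", g_first.sdd_serial, g_second.sdd_serial, g_first.ata_serial, flags);
    return 0;
}
```

Build with any C99 compiler and run; the demo reports flags=2 (SERIAL_CHANGED) for the two queries, and comparing the spoofed snapshot against itself reports SRC_DISAGREE because the descriptor and the IDENTIFY data no longer match. One caveat for anyone turning this into a real cross-check: on some Windows port drivers (classic atapi.sys with IDE drives in particular) the descriptor serial comes back as hex-encoded, byte-swapped ASCII rather than the plain string, so both sides have to be normalised before comparison; the sample data here assumes the plain form.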

howler2345
11th July 2004, 09:02
Hmmm, I'm confused...

Rokes
11th July 2004, 09:34
Oh man, just the thought of EVILBERT is making me weak.