Ok, now thanks to Jetamay, I was able to get my DLL compiled. I got a couple strings from PB, and was wondering if anyone knows whether they are good or bad strings (good as in, no hacks, and bad as in, something is detected).
I hooked the PB Check function.
Here are the strings I got so far (I wasn't kicked, I left.)
Code:
B+1000 ff000 018B62AE302B24D0AD5DAAEA5D21ACFE
B+100000 100000 76D396E0B14448B7D64444DC9E514E03
B+200000 100000 1424129BB6A2F91BDA71D849F6F0A5EE
AMy dx C:\WINDOWS\system32\d3d8.dll size=1179648 md5=42803EC60803C1A0754671E9183458F1
B+300000 100000 BF26F6099AB0BEA2DDB01B7E0FABCEA0
B+400000 91fff 822ED0618B62EF08A5E517568E97076B
B* \d3d8.dll 10347 1_8bff558bec6aff6858c1aa6d64a10000
Bmk OpenProcess 21 518D04245068********6A00FF15********50FF15 8bff558bec83ec208b45108945f88b45
What format is that log in?
Were you running hacks while you were logging?
There are two types of tragedies in life. One is not getting what you want, the other is getting it.
If you wake up at a different time in a different place, could you wake up as a different person?
No hacks, just the logger.
Format?
I used my original function
Code:
int _PBPerformCheck(int iEAX, size_t Count, char *Dest)
{
    int iReturn = pPBPerformCheck(iEAX, Count, Dest);
    FILE *pFile;
    pFile = fopen("C:/WarRock.txt", "a");
    if (pFile != NULL)
    {
        fputs(Dest, pFile);
        fputs("\n", pFile);
        fclose(pFile);
    }
    return iReturn;
}
I got a graduation party to go to. I'll be back in a few hours.
Ah, I see, I thought you were logging all three params. Just a second, let me give this a go.
Weird, ofstream converted my output. Anyway, I ran until the kick
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390 [repeated 11 times]
T9006 [repeated 115 times]
Obviously T9006 is the bad string, however, I'm going to log the third param, GetTickCount 5 may be incorporated with pbcls memcheck second param.
Last edited by radnomguywfq3; 05-24-2008 at 11:26 AM.
Oh, so you logged the first two parameters? I'll edit my code later to log all three...
The only thing going through my mind is, if the logging is detected (hopefully not =P, maybe use a DetourFunctionWithTrampoline()?), how are we supposed to know what strings are good?
I'm thinking if we use a trampoline detour, then the information will still go through PB as if it were never touched, we just logged it. Maybe, but probably not, I'm starting off hacking this game late, obviously lol.
BTW, ofstream? I didn't use that, I just used fputs =P
The kicking is because when we hook the function, we're not responding to some of PB's requests (which doesn't make sense, as we are returning), so we're not logging incorrect strings, I'm not sure, I'll log all three for now, and see what happens.
Here's my log:
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 4
STRING : BC0
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : Dw"WR_US_18_2692364498" 9
---------------------------------
IEAX : 14878020
count : 26
STRING : T9006
---------------------------------
IEAX : 14878020
count : 26
STRING : T9006
---------------------------------
T9006 goes on for the rest. Anyway, I don't think the count is related to the third param at all. However, I think WR_US_18_2692364498 has something to do with the server I'm joining.
Last edited by radnomguywfq3; 05-24-2008 at 12:35 PM.
I have to go to a wedding, I'll be back to help you guys with this in a couple of hours.
You need to place a hook on get tick count...
If you placed a hook on get tick count, a bad string would be passed through that function. All you have to do to tell pb that everything is ok..
Code:
if (strstr(buffer, "Bmk GetTickCount 5 c9c9c9c9c9"))
{
    strcpy(buffer, "Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390");
}
That will tell pb that there is no hook on that function and all the bytes were as they are supposed to be.
Credits to Strife
What if the strings get updated? Which I heard they are usually.
Also, I think, maybe, with the PB checks, that it has its own like code, then the MD5 of the file. Since it has an MD5. So, maybe, if you find out that first "code", then find the original MD5 of WarRock.exe, then you always return that correct string? So... how do we find out what is the string for WarRock.exe AND the PBCL.dll?
Alright, well, I relogged, and got banned, once again LOL
Here's the log.
Code:
B+1000 ff000 018B62AE302B24D0AD5DAAEA5D21ACFE
B+100000 100000 76D396E0B14448B7D64444DC9E514E03
B+200000 100000 1424129BB6A2F91BDA71D849F6F0A5EE
AMy dx C:\WINDOWS\system32\d3d8.dll size=1179648 md5=42803EC60803C1A0754671E9183458F1
B+300000 100000 BF26F6099AB0BEA2DDB01B7E0FABCEA0
B+400000 91fff 822ED0618B62EF08A5E517568E97076B
B* \d3d8.dll 10347 1_8bff558bec6aff6858c1aa6d64a10000
Bmk OpenProcess 21 518D04245068********6A00FF15********50FF15 8bff558bec83ec208b45108945f88b45
B+200000 100000 1424129BB6A2F91BDA71D849F6F0A5EE
B+300000 100000 BF26F6099AB0BEA2DDB01B7E0FABCEA0
B+400000 91fff 822ED0618B62EF08A5E517568E97076B
AMy dx C:\WINDOWS\system32\d3d8.dll size=1179648 md5=42803EC60803C1A0754671E9183458F1
B* \d3d8.dll 10347 1_8bff558bec6aff6858c1aa6d64a10000
Bmk OpenProcess 21 518D04245068********6A00FF15********50FF15 8bff558bec83ec208b45108945f88b45
Bmk GetTickCount 5 c9c9c9c9c9 ba0000fe7f8b02f762040facd018c390
B c 55FA0 E82B6F0100594050 xxxxxxxxxxyyyyxxxxxxxxxxxxxxxxxxxxxxxxxx F7D7C2E305C952605E179120A79DA84A
I *think* I remember just scanning the memory with cheat engine, and finding values, was not detected.
Maybe, we can find the value of the pointer that the strings are held under? And just log those somehow? VIA DLL injection and/or CE memory scan? Just a theory...
Last edited by *Marneus901*; 05-24-2008 at 09:31 PM.
That string, I don't think is clean, because it's the string that is right before I am banned, that's why I was saying, how do you know that it is clean? Besides, to bypass PB, you need the string for BOTH PBCL.dll AND WarRock.exe... hence you're editing both things, for hacks + bypass...
When are you hooking these functions, first chance you get, or when you join a room, at lobby, when? I can't seem to get any decent outputs.