
    Arma2 BattleEye Info [Darky.HAX][Learn about battleEye to bypass it]

    The info on this thread is for Arma2 OA 1.62 and possibly future versions.

    Credit goes to Darky.HAX — I did not make this; all credit goes to him.


    - Arma2 OA / BattleEye Script Detection -

    How script detection works:

    Script detection works by Arma2 calling a BattlEye callback function to notify it that a script was executed; BattlEye then sends the script to the server, where it is analysed against a blacklist in order to determine whether the script is legitimate or not.

    Here's how it works under-the-hood:

    1.60 Version: When a player presses OK/Continue in the lobby, Arma2 Loads BEClient.dll

    1. When a player joins a server, Arma2 loads BEClient.dll

    2. When the load is done, Arma2 calls BattlEye's exported Init function:


    Code:
                                                                                          
    ; Game-side code (Arma2 OA, per the text above) that resolves BEClient.dll's exported Init and calls it.
    .text:004BAF08                 push    offset ProcName ; "Init"
    .text:004BAF0D                 push    dword ptr [ebx] ; hModule -- BEClient.dll, per the text above
    .text:004BAF0F                 call    ds:GetProcAddress ; resolve the exported Init
    .text:004BAF15                 mov     [ebp+var_4], eax ; var_4 = address of Init (0 if the export is missing)
    .text:004BAF18                 mov     eax, [ebp+arg_0]
    .text:004BAF1B                 mov     ecx, [eax+194h]
    .text:004BAF21                 mov     eax, [ecx]
    .text:004BAF23                 lea     edx, [ebp+var_18]
    .text:004BAF26                 push    edx
    .text:004BAF27                 call    dword ptr [eax+28h] ; indirect (vtable-style) call that fills var_18..var_14; its meaning is not visible in this excerpt
    .text:004BAF2A                 mov     ecx, [ebp+var_14]
    .text:004BAF2D                 lea     eax, [ebx+50h]
    .text:004BAF30                 mov     [eax], ecx ; ebx+50h = dword from var_14
    .text:004BAF32                 mov     cx, [ebp+var_16]
    .text:004BAF36                 mov     esi, 0A4h
    .text:004BAF3B                 mov     [ebx+54h], cx ; ebx+54h = word from var_16
    .text:004BAF3F                 mov     dword ptr [ebx+58h], offset sub_4B6DEE ; ebx+58h = function pointer -- ebx+50h..58h matches the BE_GameData {locIP, locPort, pChatPrint} layout shown with the named Init below
    .text:004BAF46                 cmp     [ebp+var_8], esi
    .text:004BAF49                 jl      short loc_4BAF68 ; skip the call if var_8 < 0A4h (164) -- presumably a version gate, unverified
    .text:004BAF4B                 cmp     [ebp+var_4], edi
    .text:004BAF4E                 jz      short loc_4BAF68 ; skip the call if Init == edi (edi presumably holds 0 here; not visible in this excerpt)
    .text:004BAF50                 lea     ecx, [ebx+5Ch]
    .text:004BAF53                 push    ecx ; 3rd arg: ebx+5Ch, the BE_Callback table Init fills in
    .text:004BAF54                 push    eax ; 2nd arg: ebx+50h, the BE_GameData filled above
    .text:004BAF55                 push    edi ; 1st arg
    .text:004BAF56                 call    [ebp+var_4] // Call Init Function ; cdecl: Init(edi, ebx+50h, ebx+5Ch)
    Here's the Init function decompiled:

    BEClient.dll (1.168) - Init Partial decompiled


    Code:
    // Decompiler (Hex-Rays) output for BEClient.dll's exported Init; the
    // version further below is the same code with symbols renamed. Returns 1
    // on success and 0 when the critical section, the 0x20-byte allocation or
    // the hook setup fails (after calling sub_10003BE0 to undo partial setup).
    char __cdecl Init(int a1, int a2, int a3)
    {
      char result; // al@2
      int v4; // eax@3
      void *v5; // esi@3
      HMODULE v6; // eax@8
      unsigned int v7; // eax@10
    
      if ( !InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000000u) )// spin count with the high bit set (pre-allocates the wait event per the Win32 docs)
        return 0;
      EnterCriticalSection(&CriticalSection);
      v4 = operator new(0x20u);// 0x20-byte block; the named version calls it the recvfrom trampoline
      v5 = (void *)v4;
      if ( !v4 )
        goto LABEL_6;
      if ( !sub_10004930(v4) )// hook installer (JMP_Hook in the named version); the block is freed when it fails
      {
        j__free(v5);
    LABEL_6:
        v5 = 0;// NULL marks "hook not installed"
      }
      dword_1001A644 = v5;
      // Success needs the trampoline AND either no wsock32!recvfrom to hook
      // (GetProcAddress returned 0) or a successful second hook (sub_10004C90 != 0).
      if ( v5
        && ((v6 = GetModuleHandleA("wsock32.dll"), (dword_1001A558 = (int)GetProcAddress(v6, "recvfrom")) == 0)
         || (dword_1001A63C = (void *)sub_10004C90(sub_100039D0)) != 0) )
      {
        v7 = GetTickCount();
        srand(v7);// uptime-seeded rand(): predictable, so nothing security-relevant should depend on it
        if ( FindWindowA("ArmA 2 OA", 0) )// game identified by window title: 1 = ArmA 2 OA, 2 = Ironfront, 0 = neither
          dword_100184A4 = 1;
        else
          dword_100184A4 = FindWindowA("Ironfront", 0) != 0 ? 2 : 0;
        *(_DWORD *)&to.sa_data[2] = *(_DWORD *)a2;// a2+0 -> address bytes of the 'to' sockaddr (locIP in the named version)
        *(_WORD *)&to.sa_data[0] = *(_WORD *)(a2 + 4);// a2+4 -> port bytes (locPort in the named version)
        dword_10017BF8 = *(_DWORD *)(a2 + 8);// a2+8 -> chat-print function pointer
        *(_DWORD *)a3 = sub_10003BE0;// a3 is a four-entry callback table handed back to the game
        *(_DWORD *)(a3 + 4) = sub_10003D90;
        *(_DWORD *)(a3 + 8) = sub_100040B0;
        *(_DWORD *)(a3 + 12) = sub_10004150;
        sub_10001000("Initialized (v%u.%03u)", 1);// format takes two values; only one vararg is shown here, the named version passes 1, 168
        LeaveCriticalSection(&CriticalSection);
        result = 1;
      }
      else
      {
        LeaveCriticalSection(&CriticalSection);
        sub_10003BE0();// same routine stored at a3[0]: the unload/cleanup path
        result = 0;
      }
      return result;
    }
    BEClient.dll (1.168) - Init Fully decompiled




    Code:
    // The same Init with symbols renamed by the author. Returns 1 on success,
    // 0 when the critical section, the trampoline allocation or the hook
    // setup fails (after calling BE_Unload to undo partial setup).
    char __cdecl Init(int Unknown, BE_GameData *GameData, BE_Callback *pCallback)
    {
      char result; // al@2
      const void *pTrampoline_recvfrom; // eax@3
      void *p2Trampoline_recvfrom; // esi@3
      HMODULE hMod; // eax@8
      FARPROC proc_recvfrom2; // eax@8
      unsigned int seed; // eax@10
    
      if ( !InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000000u) )// spin count with the high bit set (pre-allocates the wait event per the Win32 docs)
        return 0;
      EnterCriticalSection(&CriticalSection);
      pTrampoline_recvfrom = (const void *)operator new(0x20u);// 32 bytes for the trampoline (per the name; JMP_Hook's layout is not shown)
      p2Trampoline_recvfrom = (void *)pTrampoline_recvfrom;
      if ( !pTrampoline_recvfrom )
        goto HookFail;
      if ( !JMP_Hook((int)recvfrom_hook, recvfrom, pTrampoline_recvfrom) )// redirect recvfrom to recvfrom_hook (inline patch, per the helper's name)
      {
        j__free(p2Trampoline_recvfrom);
    HookFail:
        p2Trampoline_recvfrom = 0;// NULL marks "hook not installed"
      }
      g_Trampoline_recvfrom = p2Trampoline_recvfrom;// Global var to recvfrom trampoline
      // Success condition: the first hook is in place AND either wsock32.dll
      // exports no recvfrom to hook (GetProcAddress == 0) or hooking it worked.
      if ( p2Trampoline_recvfrom
        && ((hMod = GetModuleHandleA("wsock32.dll"),
             proc_recvfrom2 = GetProcAddress(hMod, "recvfrom"),
             (dword_1001A558 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))proc_recvfrom2) == 0)// six __stdcall args: recvfrom's signature
         || (g_Trampoline_wsock32_recvfrom = JMP_HookEx(proc_recvfrom2, (int)wsock32_recvfrom_hook)) != 0) )
      {
        seed = GetTickCount();
        srand(seed);// uptime-seeded rand(): predictable, so nothing security-relevant should depend on it
        if ( FindWindowA("ArmA 2 OA", 0) )// GameType from the window title: 1 = ArmA 2 OA, 2 = Ironfront, 0 = neither
          GameType = 1;
        else
          GameType = FindWindowA("Ironfront", 0) != 0 ? 2 : 0;
        *(_DWORD *)&to.sa_data[2] = GameData->locIP;// local ip
        *(_WORD *)&to.sa_data[0] = GameData->locPort;// port
        ChatPrint = (int (__cdecl *)(_DWORD))GameData->pChatPrint;// game's chat-print routine, kept for BE_ChatPrintf (presumably)
        pCallback->pBE_Unload = (DWORD)BE_Unload;   // unload function - called to free battleye resources
        pCallback->pBE_Update = (DWORD)BE_Update;   // be update callback
        pCallback->pBE_DisplayInfo = (DWORD)BE_DisplayInfo;// called when you type #beclient guid, to display your guid or #beclient players
        pCallback->pBE_BE_ScriptCallBack = (DWORD)BE_ScriptCallBack;// BE_ScriptCallBack Function
        BE_ChatPrintf("Initialized (v%u.%03u)", 1, 168);// "Initialized (v1.168)"
        LeaveCriticalSection(&CriticalSection);
        result = 1;
      }
      else
      {
        LeaveCriticalSection(&CriticalSection);
        BE_Unload();// undo whatever was hooked before reporting failure
        result = 0;
      }
      return result;
    }
    Init Structures:


    Code:
    // Callback table Init fills in through its third argument. 32-bit build:
    // each entry is a function address stored as a DWORD (cf. the
    // (DWORD)BE_Unload casts in Init above).
    #pragma pack(push, 4)
    struct BE_Callback
    {
      DWORD pBE_Unload;            // +0  BE_Unload
      DWORD pBE_Update;            // +4  BE_Update
      DWORD pBE_DisplayInfo;       // +8  BE_DisplayInfo
      DWORD pBE_BE_ScriptCallBack; // +12 BE_ScriptCallBack
    };
    #pragma pack(pop)
    
    // Data the game hands to Init as its second argument. With pack(4) the
    // offsets are +0, +4, +8 -- the same ones the partial decompile reads
    // from a2.
    #pragma pack(push, 4)
    struct BE_GameData
    {
      DWORD locIP;                           // +0  local IP, copied into the 'to' sockaddr by Init
      WORD locPort;                          // +4  local port (2 bytes of padding follow)
      int (__cdecl *pChatPrint)(char *Text); // +8  game's chat-print routine, stored as ChatPrint by Init
    };
    #pragma pack(pop)
    4. When all of that is done and scripts are executed, an Arma2 function calls the BattlEye callback function with the script code

    Here's the Function decompiled:



    Code:
    // Function Addr (1.62): 
    // 00AB09C9     55                      PUSH EBP
    // 
    // RVA: 0x6b09c9 <- 1.62
    // 
    // Sig: \x55\x8B\xEC\x51\x51\x53\x56\x57\x8B\xF9\x8B\x57\x68
    // Mask: xxxxxxxxxxxxx
    //
    // Game-side dispatcher that hands the text of an executed script to the
    // callback pointer stored at this+104 (presumably BattlEye's
    // BE_ScriptCallBack; not verified here). a2 looks like a refcounted
    // string object: a2[0] is bumped with _InterlockedExchangeAdd below and
    // the characters start at a2+2, i.e. 8 bytes in.
    // Returns 1 after the dispatch path; otherwise returns (v3 == 0): 1 when
    // no callback is registered, 0 when one is registered but the text is empty.
    char __thiscall sub_AB09C9(int this, signed __int32 *a2)
    {
      int v2; // edi@1
      int v3; // edx@1
      bool v4; // zf@1
      struct _RTL_CRITICAL_SECTION *v5; // ebx@2
      signed __int32 *v6; // eax@2
      signed __int32 *v7; // eax@5
      signed __int32 *v8; // eax@8
      int v10; // ebx@17
      void (__cdecl *BattleEye_ScriptCallBack)(_DWORD); // edi@20
      signed __int32 *scriptcode; // eax@22
      bool v13; // bl@26
      signed __int32 *v14; // [sp+Ch] [bp-8h]@10
      int v15; // [sp+10h] [bp-4h]@8
    
      v2 = this;
      v3 = *(_DWORD *)(this + 104);// registered script callback, if any
      v4 = v3 == 0;
      if ( v3 )
      {
        v5 = &stru_E0CF88;// stands in for an empty string whenever a2 is NULL
        v6 = a2 + 2;
        if ( !a2 )
          v6 = (signed __int32 *)&stru_E0CF88;
        if ( v6 )
        {
          v7 = a2 + 2;
          if ( !a2 )
            v7 = (signed __int32 *)&stru_E0CF88;
          if ( *(_BYTE *)v7 )// only non-empty script text is reported
          {
            v15 = 0;
            v8 = a2 + 2;
            if ( !a2 )
              v8 = (signed __int32 *)&stru_E0CF88;
            v14 = v8;
            if ( !(unsigned __int8)sub_AB04EA(v8, &v15) )// gate before reporting: the callback runs only when this returns 0 (its semantics are not visible here)
            {
              sub_4AE9BD(&v14);
              if ( *(_DWORD *)(v2 + 72) > 200 )// counter at this+72 above 200 triggers the two calls below; purpose not visible here
              {
                v10 = **(_DWORD **)(v2 + 68);
                sub_57C82D(0, 1);
                sub_AB0567(v10, 0);
                v5 = &stru_E0CF88;
              }
              if ( a2 )
                _InterlockedExchangeAdd(a2, 1u);// bump the refcount before handing the string out
              sub_AB0834(a2, 0);
              BattleEye_ScriptCallBack = *(void (__cdecl **)(_DWORD))(v2 + 104);// make a prototype
              if ( BattleEye_ScriptCallBack )
              {
                if ( a2 )
                  scriptcode = a2 + 2;
                else
                  scriptcode = (signed __int32 *)v5;
                BattleEye_ScriptCallBack(scriptcode);// call the be callback function with the script code
              }
            }
            if ( v15 )
              sub_44FD00(v15);// presumably the matching release
            if ( a2 )
              sub_44FD00(a2);
            return 1;
          }
        }
        v4 = v3 == 0;// v3 != 0 here, so the fall-through below returns 0
      }
      v13 = v4;
      if ( a2 )
        sub_44FD00(a2);
      return v13;
    }
    6. When you press Abort/Disconnect, BattlEye is unloaded, and the process repeats.


    - Player ID -




    Code:
    // Function Addr (1.62): 
    // 00A52508     55                      PUSH EBP
    // 
    // RVA: 0x652508 <- 1.62
    // 
    // Sig: \x55\x8B\xEC\x81\xEC\x00\x00\x00\x00\x53\x56\x57\x8B\x3D\x00\x00\x00\x00\x33\xDB\x8D\x45\xF4\x53\x50
    // Mask: xxxxx????xxxxx????xxxxxxx
    //
    // Builds the textual Player ID: the low 28 bits of dword_E0ABB7 in
    // decimal, followed by the string returned by sub_B75AE1(). Before that it
    // SHA-1 hashes the 4 raw ID bytes (CALG_SHA1 = 0x8004) and compares the
    // first digest byte with byte_E0ABBB; a mismatch sets byte_E08C8B, which
    // looks like a tamper flag (not verified here). Returns a1 unchanged.
    int __cdecl sub_A52508(int a1)
    {
      int v1; // edi@1
      DWORD v2; // ebx@1
      DWORD v3; // ebx@5
      unsigned __int8 v4; // dl@14
      int Int_PlayerID; // eax@14
      signed int v6; // esi@14
      unsigned __int8 v7; // cl@15
      signed int v8; // edi@15
      char v9; // bl@16
      int v10; // eax@20
      const void *v11; // edx@20
      char v12; // cl@21
      unsigned int v13; // eax@22
      void *v14; // edi@22
      char v15; // cl@23
      char v17; // [sp+Bh] [bp-11Dh]@22
      char Out_PlayerID; // [sp+Ch] [bp-11Ch]@20
      BYTE *v19; // [sp+10Ch] [bp-1Ch]@5
      DWORD v20; // [sp+110h] [bp-18h]@5
      BYTE pbData[4]; // [sp+114h] [bp-14h]@1
      DWORD pdwDataLen; // [sp+118h] [bp-10h]@4
      HCRYPTPROV phProv; // [sp+11Ch] [bp-Ch]@1
      HCRYPTHASH hHash; // [sp+120h] [bp-8h]@2
      BYTE v25; // [sp+127h] [bp-1h]@1
    
      v1 = dword_E0ABB7;
      v2 = 0;
      *(_DWORD *)pbData = dword_E0ABB7;// the 4 ID bytes to be hashed
      v25 = 0;
      phProv = 0;
      if ( (unsigned __int8)sub_B75A8C(&phProv, 0) )// acquires the crypto provider into phProv (presumably wraps CryptAcquireContext)
      {
        hHash = 0;
        if ( CryptCreateHash(phProv, 0x8004u, 0, 0, &hHash) )// 0x8004 = CALG_SHA1
        {
          if ( CryptHashData(hHash, pbData, 4u, 0) )
          {
            pdwDataLen = 0;
            if ( CryptGetHashParam(hHash, 2u, 0, &pdwDataLen, 0) )// HP_HASHVAL (2): first call only returns the digest size
            {
              v3 = pdwDataLen;
              v19 = (BYTE *)(*((int (__stdcall **)(_DWORD))*off_DBD264[0] + 1))(pdwDataLen);// allocate pdwDataLen bytes through an allocator reached via off_DBD264 (vtable slot 1)
              v20 = v3;
              if ( CryptGetHashParam(hHash, 2u, v19, &pdwDataLen, 0) )
                v25 = *v19;// only the first digest byte is kept
              sub_524DC0(&v19);// presumably releases v19
              v2 = 0;
            }
          }
        }
        if ( hHash != v2 )
          CryptDestroyHash(hHash);
      }
      if ( phProv != v2 )
        CryptReleaseContext(phProv, v2);
      if ( v25 != byte_E0ABBB )// stored expected byte vs. computed digest byte
        byte_E08C8B = 1;// set on mismatch; looks like a tamper flag, unverified
      v4 = 0;
      Int_PlayerID = v1 & 0xFFFFFFF;// low 28 bits of the ID
      v6 = 0;
      // CRC-8 with reflected polynomial 0x8C over the 14 bytes starting at
      // dword_E0ABB7; v4 is not used afterwards in this decompile.
      do
      {
        v7 = *((_BYTE *)&dword_E0ABB7 + v6);
        v8 = 8;
        do
        {
          v9 = v4 ^ v7;
          v4 >>= 1;
          if ( v9 & 1 )
            v4 ^= 0x8Cu;
          v7 >>= 1;
          --v8;
        }
        while ( v8 );
        ++v6;
      }
      while ( v6 < 14 );
      _i64toa(Int_PlayerID, &Out_PlayerID, 10);     // Converts an integer (Player ID) to a string (an int passed where __int64 is expected -- presumably a decompiler artifact)
      v10 = sub_B75AE1();
      v11 = (const void *)v10;
      do
        v12 = *(_BYTE *)v10++;
      while ( v12 );
      v13 = v10 - (_DWORD)v11;// strlen(suffix) + 1, computed by hand (includes the terminator)
      v14 = &v17;
      do
      {
        v15 = *((_BYTE *)v14 + 1);
        v14 = (char *)v14 + 1;
      }
      while ( v15 );// v14 now points at the terminating NUL of Out_PlayerID (v17 is the byte just before it)
      memcpy(v14, v11, v13);// append the suffix with its NUL; no check against the 0x100-byte Out_PlayerID buffer
      sub_44F610(&Out_PlayerID);// consumes the assembled string; where it goes is not visible here
      return a1;// argument returned unchanged
    }
    NOTE to all: Player ID is not the GUID; the GUID is 32 characters long.
    NOTE 3: Player ID can be spoofed and is sometimes random.
    NOTE 4: DayZ DataBase bans are based on Player ID (https://community.bistudio.com/wiki/getPlayerUID)
    NOTE 5: Server bans can be both Player ID and BattleEye GUID.




    - Arma2 Packets -

    NOTE: In Arma2 OA 1.61/1.62 these packets are encrypted/compressed



    Arma2 Packet Header:




    Code:
    // Common 8-byte header at the start of the packets shown below. The size
    // comment assumes a 32-bit 'long' (MSVC/ILP32): 2+1+1+4 bytes is 8 bytes
    // with no padding even without pack(1). On LP64 platforms 'long' is 8
    // bytes and the layout no longer matches the wire format.
    typedef struct
    {
        short FullLen;   // total packet length in bytes
        char Type;
        char subType;
        long Checksum; // <- CRC32 of the whole packet data (computed with this field set to 0, see Create_ConnectPacket below)
    
    }Arma2CorePkt, *pArma2CorePkt; // 8 bytes
    Arma2 Connect Packet:




    Code:
    // Connect packet (Type 1 / subType 8). With pack(1) and a 32-bit 'long':
    // 8 (header) + 6*4 + 40 + 40 + 80 + 4 + 4 + 2 + 4 + 4 = 210 bytes. The
    // values in the field comments are the ones Create_ConnectPacket below
    // writes unless noted otherwise.
    #pragma pack(push,1)
    typedef struct
    {
        short FullLen;
        char Type; // 1
        char subType; // 8
        long Checksum; // <- CRC32 of the whole packet data
    
        long unknown1;
        long unknown2;
        long unknown3;
        long unknown4;
        long unknown5;    // this is 0xCCCA1E12
        long ver;
        char nickname[40];
        char password[40]; // stored as plain text in this struct; see the note above on 1.61/1.62 packets being encrypted/compressed on the wire
        char datafile[80];
        long GameID;    // 0xA0 - Arma2 OA 1.60
        long GameVers;    // 0xA0 - Arma2 OA 1.60
        short unknown8; // 0 (Create_ConnectPacket below writes 0x7410; which is right is not settled here)
        long unknown9;    // 1
    
        long unknown10;    // time(0)
    }Arma2ConnectPkt, *pArma2ConnectPkt; // 210 bytes
    #pragma pack(pop)
    Packet Header Credits: alugi (old struct Arma II), me (updated+extra reversing)

    Here's an example of how to create a connect packet:

    crc32.c



    Code:
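    /*
     * Lookup table for the reflected CRC-32 with polynomial 0xEDB88320 (the
     * IEEE 802.3 / zlib CRC). The entries are the standard ones; crc32gentab()
     * below regenerates exactly this table at run time, so either may be used.
     */
    static uint32_t crc_tab[256] = { /* CRC polynomial 0xedb88320 */
    0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
    0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
    0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
    0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
    0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
    0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
    0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c,
    0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
    0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423,
    0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
    0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106,
    0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
    0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d,
    0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
    0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
    0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
    0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7,
    0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
    0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa,
    0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
    0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81,
    0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
    0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84,
    0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
    0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
    0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
    0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e,
    0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
    0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55,
    0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
    0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28,
    0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
    0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f,
    0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
    0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
    0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
    0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
    0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
    0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc,
    0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
    0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
    0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
    0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
    };
    
    /*
     * crc32buf() -- compute the CRC-32 of the `length` bytes at `block`.
     *
     * block:  bytes to checksum; read only, never modified. May be NULL when
     *         length is 0.
     * length: number of bytes to process.
     * Returns the CRC-32 (initial value 0xFFFFFFFF, final XOR 0xFFFFFFFF);
     * e.g. crc32buf("123456789", 9) == 0xCBF43926, and the CRC of no bytes is 0.
     *
     * A CRC only detects accidental corruption: anyone who can change the
     * data can recompute it, so it gives no protection against tampering.
     */
    uint32_t crc32buf(const unsigned char *block, size_t length)
    {
        uint32_t crc = 0xFFFFFFFFu;
    
        for (size_t i = 0; i < length; i++) {
            /* Reflected table-driven update: one input byte per iteration. */
            crc = (crc >> 8) ^ crc_tab[(crc ^ block[i]) & 0xFFu];
        }
        return crc ^ 0xFFFFFFFFu;
    }
    
    /*
     * crc32gentab() -- (re)compute the global crc_tab[256] for the reflected
     * polynomial 0xEDB88320. Optional: the static initializer above already
     * holds the same 256 values.
     */
    void crc32gentab(void)
    {
        const uint32_t poly = 0xEDB88320u;
    
        for (uint32_t i = 0; i < 256; i++) {
            uint32_t crc = i;
            /* Shift the index out bit by bit, folding in the polynomial on each set low bit. */
            for (int j = 0; j < 8; j++) {
                crc = (crc & 1u) ? ((crc >> 1) ^ poly) : (crc >> 1);
            }
            crc_tab[i] = crc;
        }
    }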


    Code:
    // Connect packet (Type 1 / subType 8), repeated here for the example below.
    // With pack(1) and a 32-bit 'long' the size works out to 210 bytes:
    // 8 (header) + 6*4 + 40 + 40 + 80 + 4 + 4 + 2 + 4 + 4.
    #pragma pack(push,1)
    typedef struct
    {
        short FullLen;
        char Type; // 1
        char subType; // 8
        long Checksum; // <- CRC32 of the whole packet data (computed with this field zeroed, then written back)
    
        long unknown1;
        long unknown2;
        long unknown3;
        long unknown4;
        long unknown5;    // this is 0xCCCA1E12
        long ver;
        char nickname[40];
        char password[40]; // plain text inside this struct
        char datafile[80];
        long GameID;      // 0xA0 - Arma2 OA 1.60
        long GameVers;    // 0xA0 - Arma2 OA 1.60
        short unknown8;   // 0 (Create_ConnectPacket below writes 0x7410; which is right is not settled here)
        long unknown9;    // 1
    
        long unknown10;   // time(0)
    }Arma2ConnectPkt, *pArma2ConnectPkt; // 210 bytes
    #pragma pack(pop)
    
    #define Arma2OA_CO_dat "CC15E928BA1CA9CA2CC5658BE67FE4AA642AE47F"
    
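    /*
     * Create_ConnectPacket -- fill *Out_ConnectPkt with a 1.62 connect packet.
     *
     * Out_ConnectPkt: caller-provided packet buffer (sizeof(Arma2ConnectPkt),
     *                 210 bytes with pack(1)); zeroed first, then filled.
     * NickName/Password/DataFile: NUL-terminated strings copied into the
     *                 fixed-width fields; a NULL pointer leaves that field zeroed.
     * Returns 1 on success, 0 when Out_ConnectPkt is NULL.
     *
     * The CRC-32 is computed over the whole packet with the Checksum field
     * zeroed, and the result is then stored in Checksum.
     */
    int Create_ConnectPacket(pArma2ConnectPkt Out_ConnectPkt, char* NickName, char* Password="", char* DataFile=Arma2OA_CO_dat)
    {
        if (Out_ConnectPkt == NULL) {
            return 0;
        }
    
        // Zero the whole struct first. The string fields are fixed-width and
        // the CRC covers every byte, so without this whatever was left in
        // memory would be checksummed and sent along with the packet.
        *Out_ConnectPkt = Arma2ConnectPkt();
    
        Out_ConnectPkt->FullLen = sizeof(Arma2ConnectPkt);
        Out_ConnectPkt->Type = 1;
        Out_ConnectPkt->subType = 8;
        Out_ConnectPkt->unknown1 = 1;
        Out_ConnectPkt->unknown2 = 1;
        Out_ConnectPkt->unknown3 = 0;
        Out_ConnectPkt->unknown4 = 0;
        Out_ConnectPkt->unknown5 = 0xCCCA1E12;   // constant noted in the struct comment
        Out_ConnectPkt->ver = 0x25252525;        // meaning not documented on this page
    
        // strcpy_s bounds each copy by the destination field. Note that on
        // MSVC an over-long source does not truncate but invokes the
        // invalid-parameter handler, so length-check untrusted input first.
        if (NickName != NULL) {
            strcpy_s(Out_ConnectPkt->nickname, sizeof(Out_ConnectPkt->nickname), NickName);
        }
        if (Password != NULL) {
            strcpy_s(Out_ConnectPkt->password, sizeof(Out_ConnectPkt->password), Password);
        }
        if (DataFile != NULL) {
            strcpy_s(Out_ConnectPkt->datafile, sizeof(Out_ConnectPkt->datafile), DataFile);
        }
    
        Out_ConnectPkt->GameID = 0xA2;      // 1.62
        Out_ConnectPkt->GameVers = 0xA2;    // 1.62
    
        // The struct comment documents unknown8 as 0 while the original code
        // writes 0x7410; kept as written, unverified.
        Out_ConnectPkt->unknown8 = 0x7410;
        Out_ConnectPkt->unknown9 = 1;
        Out_ConnectPkt->unknown10 = time(NULL);
    
        // Checksum must be 0 while the CRC is computed, then holds the result.
        Out_ConnectPkt->Checksum = 0;
        uint32_t tempCRC = crc32buf((unsigned char *)Out_ConnectPkt, Out_ConnectPkt->FullLen);
        Out_ConnectPkt->Checksum = tempCRC;
    
        return 1;
    }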
    - Arma2 OA PBO Packet -




    Code:
    // Variable-length PBO packet. The fixed part ends at pboName, which is
    // only the first byte of the name that continues past the struct; the
    // snippets below read the name through &myPBO->pboName and locate the
    // signature-version byte and the 32-byte signature from the end of the
    // packet via FullLen. sizeof(Arma2PBOPacket) is therefore not the packet size.
    #pragma pack(push,1)
    typedef struct
    {
        short FullLen;   // total packet length in bytes
        char Type;
        char subType;
        long Checksum; // <- CRC32 of the whole packet data
    
        long unknown1;
        long unknown2;
        long unknown3;
        long unknown4;
        char unknown5;
        char unknown6;
        char unknown7;
        char unknown8;
        char unknown9;
        char unknown10;
        char unknown11;
    
        char pboName;    // first byte of the variable-length name
    }Arma2PBOPacket, *pArma2PBOPacket;
    #pragma pack(pop)
    The PBO packet is variable-length:

    Reading the pbo name:



    Code:
    &myPBO->pboName // pointer to the first byte of the name, which continues past the end of the struct
    Reading the SigVersion:


    Code:
    (&myPBO+myPBO->FullLen)-1 // NOTE(review): '&myPBO + FullLen' steps in units of sizeof(*&myPBO), not bytes; a byte offset needs a (char *) base. Intent: the last byte of the packet.
    Result means:
    0 = Bisign v1
    2 = Bisign v2

    Reading the PBO Sig:



    Code:
    (&myPBO+myPBO->FullLen)-1-32 // NOTE(review): same unit problem as the SigVersion read above. Intent: the 32 bytes immediately before the last byte of the packet.
    The result is a 32-byte signature.

    NOTE: Don't forget to fix the Packet Checksum (CRC32) or BattleEye will slap you...


    - Bypassing BattleEye RPM Pattern Scans -

    Status: Unknown

    BattlEye does pattern scans on all running processes, looking for Cheat Engine, WPE or other hack tools.

    To bypass it you just need to hook OpenProcess (OpenProcess function) , then SetLastError(5) and return 0.

    Do_ExternalScans Function:

    Code:
      
    // RVA: BEClient.dll + 0x1840
    // Declaration only -- the body is not shown on this page; return type and
    // calling convention are as recovered by the decompiler.
    signed __int16 __cdecl Do_ExternalScans()

    This may be out of date, but the same rule still applies. I thought this would stop all of the threads asking "How do I make a bypass", since it shows how much work/skill goes into making one.


    In before all the noobs start posting about how to make a bypasser with this, I will answer it now: you need to be able to code, or understand how to use it.

    Quote Originally Posted by RyanH100 View Post
    In before all the noobs start posting on how to make a bypasser with this, I will answer it. You need to be able to code, or understand how to use it.
    Thank you, I kinda stated that at the bottom. Maybe I should make the font bigger :P

    Quote Originally Posted by jjhend View Post
    Thankyou, I kinda stated that at the bottom, Maybe i should make the font bigger :P
    Oh sorry, I did not see that. I will edit my post if you want me to.

    No, that's fine. If the noobs don't catch that, they will see your post.

    Nice copy-and-pasting skills; this will help some people out a lot.

    We have a winner! Yes, I did copy and paste/edit it some, but I just did this to stop the "OMG TEAHC ME HOWSZ TO MAEK A BYPAZZ"
