Punkbuster "Unknown API" Kick Bypass

On Monday, 27 December 2010


Use this as you will; it's simply a proof of concept. PB still sux IMO.

I see a lot of people having issues, and here's something to get you started.

Basically I was doing some breakpointing in PB and stumbled upon this lovely buffer outside the code area of pbcl. It seems they are still only using pbcl to do certain things, and the service APPEARS to scan simply d3d and the game itself.

For those of you wanting to get rid of the PB kick "Unknown API", here's how, in code.

Simply set up a global buffer:

Code:
char    *Strings;
Set up the function hook itself:
Code:
void ( *orig_API_Scanner )( );
void __declspec( naked ) API_Scanner( )
{
    _asm
    {
        //Grab Strings From The Stack
        mov Strings, eax

        //Preserve the stack
        pushad
    }

    Log( "API String: [ %s ]", Strings );

    _asm
    {
        //Preserve the stack
        popad

        //Push the strings back to PB now we've edited
        mov eax, Strings

        //Return the original :)
        jmp [ orig_API_Scanner ]
    }
}
You will need to hook inside pbcl.dll itself, so do it via a HWBP to avoid detection. As far as I'm aware PBCL DOESN'T scan outside its own code area, but that could change anytime. So don't blame me if you get busted!

Hook with my fantastic pattern I've made you below (yes, this works with ALL PB games tested to date):

Code:
DWORD dwApiScan  = FindPattern( ( DWORD )GetModuleHandle( "pbcl.dll" ), 0xFFFFFFF, ( BYTE* )"\x6A\x00\x50\x50\x33\xF1\xFF\x55\xC8\x59\x40\x50\xFF\x75\x08", "xxxxxxxxxxxxxxx" );

orig_API_Scanner = (void (__cdecl *)(void))DetourFunction((PBYTE)dwApiScan, (PBYTE)API_Scanner );
Now go in-game and log. Make sure there are no hooks but this one; it's very important, as you need to log clean, untouched values!! It may take several minutes before any log appears; this is normal. Once logged you'll see all the APIs with original / clean MD5s. Save this log file. Below I'll give you an example of bypassing the scan itself.

Code:
void ( *orig_API_Scanner )( );
void __declspec( naked ) API_Scanner( )
{
    _asm
    {
        //Grab Strings From The Stack
        mov Strings, eax

        //Preserve the stack
        pushad
    }

    //Bypass Direct3DCreate9 Hook
    if( strstr( Strings, "Bmd Direct3DCreate9 5" ) )
    {
        strcpy( Strings, "Bmd Direct3DCreate9 5 c9c9c9c9c9 8bff558bec81ec08010000a120c2f54f" );
    }

    _asm
    {
        //Preserve the stack
        popad

        //Push the strings back to PB now we've edited
        mov eax, Strings

        //Return the original :)
        jmp [ orig_API_Scanner ]
    }
}
Simple, eh? Only check a little of the wording, then give the cleanly logged string in return. Now you can hook that API and PB will pass you as clean. Each game differs in the MD5 value it checks for, so you will need to log each game separately to bypass.
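From the defender's side, the reason the swap above works is that the scanner's report is a fixed function of the scanned bytes, so a value logged once from a clean process stays valid in every later session. The C program below is an added illustration, not code from this post and not PunkBuster's own logic: it models that stateless check, shows the recorded clean value passing after the API has been hooked, and contrasts it with a report bound to a verifier-chosen nonce. The nonce scheme is a suggested mitigation and an assumption of the model, FNV-1a 64 stands in for the MD5 the post mentions, and the prologue bytes are constructed from the logged string in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the post or from PunkBuster. It models the
 * property the post relies on: an integrity report that is a fixed function
 * of the scanned bytes can be recorded once from a clean process and handed
 * back unchanged later. Binding each report to a verifier-chosen nonce is a
 * suggested mitigation and an assumption of this model, not a PB feature.
 * FNV-1a 64 stands in for the MD5 the post mentions (assumption). */

/* Constructed: the first bytes of a clean Direct3DCreate9 prologue as the
 * post's logged string shows them (8b ff 55 8b ec 81 ec 08 01 00 00). */
static const uint8_t CLEAN_PROLOGUE[] = {
    0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x08, 0x01, 0x00, 0x00 };
/* Constructed: the same prologue with its first five bytes overwritten by a
 * relative jmp, which is what an API hook leaves behind. */
static const uint8_t HOOKED_PROLOGUE[] = {
    0xe9, 0x11, 0x22, 0x33, 0x44, 0x81, 0xec, 0x08, 0x01, 0x00, 0x00 };

#define FNV_OFFSET 0xcbf29ce484222325ULL

static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Stateless report: hash(bytes). Identical in every session. */
uint64_t report_naive(const uint8_t *code, size_t n)
{
    return fnv1a(FNV_OFFSET, code, n);
}

/* Verifier for the stateless scheme: compares against the known-clean hash. */
int verify_naive(uint64_t reported)
{
    return reported == report_naive(CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE);
}

/* Nonce-bound report: hash(nonce || bytes). */
uint64_t report_nonced(uint64_t nonce, const uint8_t *code, size_t n)
{
    uint8_t nb[8];
    for (int i = 0; i < 8; i++)
        nb[i] = (uint8_t)(nonce >> (8 * i));
    return fnv1a(fnv1a(FNV_OFFSET, nb, sizeof nb), code, n);
}

/* Verifier for the nonce-bound scheme: it issued the nonce and knows the
 * clean bytes, so it recomputes the expected value itself. */
int verify_nonced(uint64_t nonce, uint64_t reported)
{
    return reported == report_nonced(nonce, CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE);
}

/* Session 1 records a clean report; in session 2 the API is hooked, so the
 * honest report fails, yet the recorded value still passes.
 * Returns 1 when the stateless check is defeated by replay. */
int naive_check_is_replayable(void)
{
    uint64_t recorded = report_naive(CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE);
    uint64_t honest   = report_naive(HOOKED_PROLOGUE, sizeof HOOKED_PROLOGUE);
    return !verify_naive(honest) && verify_naive(recorded);
}

/* Same replay against the nonce-bound scheme: the report recorded under
 * nonce1 validates only for nonce1 and is rejected under a fresh nonce2. */
int nonced_check_rejects_replay(void)
{
    uint64_t nonce1 = 0x1122334455667788ULL;   /* constructed */
    uint64_t nonce2 = 0x8877665544332211ULL;   /* constructed */
    uint64_t recorded = report_nonced(nonce1, CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE);
    return verify_nonced(nonce1, recorded) && !verify_nonced(nonce2, recorded);
}

int main(void)
{
    printf("stateless check replayable: %d\n", naive_check_is_replayable());
    printf("nonce-bound check rejects replay: %d\n", nonced_check_rejects_replay());
    return 0;
}
```

The nonce stops a logged value from being reused across sessions; it does not make a client-side check trustworthy, because the code producing the report still runs under the player's control, which is the same reason the post's note about PBCL not scanning its own code area matters to the defender.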

The main issue you might get is with the size of the module in the pattern. I use a function I didn't post which returns the size of the module, as they do vary. Either just change the size in the pattern to that of the module, or put a stupidly high search size like 0xFFFFFFFF.

Also, the asm shouldn't matter as it's a naked hook with no stack code, unless you do a HWBP; then you will need to add a single line to the asm. And you could always add more to the pattern to guarantee the right one every time.

Another thing: go to the offset and set some breakpoints on some other areas around it; you might find some other useful things there.
