HomeHome  CalendarCalendar  FAQFAQ  SearchSearch  MemberlistMemberlist  UsergroupsUsergroups  RegisterRegister  Log inLog in  

Share | 

 [Reverse Engine] Exploiting PB checks to read client memory

Go down 

Posts : 57
Join date : 2009-10-10
Location : Istanbul/Turkey

PostSubject: [Reverse Engine] Exploiting PB checks to read client memory   Sat Oct 17, 2009 7:36 am

For educational purposes only, of course.

Original plan was to make a public Proof Of Concept for stealing CDKEYS using punkbuster, but eventually it became a problem reading 2nd part of the cdkey, so I gave up for now. Will eventually try on some games other than COD4.

ET example:
<p> 5 81079 "*ET 2.60" 1000 7F000 4AEC4E6FC2116FD95C87E260269EA46E 8838E43F1788E89417A55B932B274EA8
<p> 5 81080 "*ET 2.60" 80000 88920 DB269FF768EB3E73EB3A47A99E9878E9 E5A47C9D26F9ED4BBDA11114B5B3321C

You can add more of these if you hook pbsv.dll - and you can modify these requests. The last two hashes are because ET 2.60 has two versions, plain version and 2.60b, so they list 2 allowed checksums. Btw, this is part of the big list-of-checks string that master server(s) send to the gameserver (pbsv) which then passes the requests to clients.

In the first check I quoted above, 1000 is the start offset - that is, ET.exe (0x00400000 + 0x1000), and 7F000 is length of the block to be checksummed (0x7F000). You can request MD5 of any memory block where start address is aligned to 0x10 (i.e. must end on 0) and length is also aligned to 0x10.

In many games cdkey is stored in parts of 4 characters each and they have their string buffers which are usually larger than 5 (the minimum needed to store a string of 4 chars). If you're lucky, you can request MD5 of such a memory block and then you need to only MD5 bruteforce the 4 characters of the guid to find out what it looks like (since the other characters are static in this case -- all zeroes).

So I can read last 8 characters of a cdkey of a connected client on COD4, but the first 12 are a problem, and I don't have time to continue atm. Of course, I didn't mean to do this for the actual CDKEY stealing, but to make a public PoC to hurt PB's reputation more. More PB supported games need to be tested, but like I said, I don't have time for it.

If somebody wants, you can continue working on this and eventually succeed. Perhaps it can be combined with engine related security holes and what not.

COD4 1.7 memory block where key is stored with other never-changing data:
0x00724B80 - 00724BAF
0x00724B80 - 0x00724B8F -- first 12 characters + 4 never-changing bytes, hard to crack md5, impossible that is
0x00724B90 - 0x00724B9F -- next 4 characters + 12 never-changing bytes, crackable within a second
0x00724BA0 - 0x00724BAF -- the last 4 characters + 12 never-changing bytes, crackable within a second

Thanks to chaplex
Back to top Go down
View user profile
[Reverse Engine] Exploiting PB checks to read client memory
Back to top 
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
LUDIX-BoT Forum :: Coding :: General Coding-
Jump to: