Tuesday, March 20, 2012

A Quick Look at Punk Busters Installation.

I don't want to get my gaming machine's hardware or my personal account banned, so I've set up a target game in virtualization software to insulate myself:
- Free Windows XP images: Microsoft IE App Compat.
- Free virtualization software with 3D support: VMware Player (I'm using Workstation, however). You'll need to enable 3D acceleration for any DirectX game to start.
- Free kernel debugger: Microsoft's WinDBG.
- Free target game to hack: EA's Battlefield Play4Free.

I had to convert the IE App Compat Virtual PC images to VMware format using VMware's free image converter tool. The next step was getting the kernel debugger hooked up from my host system to the XP image.
This requires 4 easy steps:
1. Create a named pipe in VMware. From the VM settings -> Add -> Serial Port -> Named Pipe -> \\.\pipe\com_1 or whatever you want to call it.
2. Modify the boot.ini in XP to map a COM port for debugging. The config should look like this.

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional - Debug" /fastdetect /debug /debugport=com1 /baudrate=115200

3. Reboot XP, select Microsoft Windows XP Professional - Debug
4. Start windbg with the following command line or make a shortcut like I did: "C:\Program Files (x86)\Debugging Tools for Windows (x86)\windbg.exe" -b -k com:pipe,port=\\.\pipe\com_1,resets=0

If everything went right you should see something like this:
[Screenshot: WinDBG connected to our VMware image and the PnkBstrK.sys module loaded (or rather, unloaded)]
If everything *isn't* working you'll probably want to read this link on how to set up VMware for WinDBG debugging.
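
The boot.ini from step 2 can be checked offline before rebooting. The following is an added example, not code from the original post: it parses the file and reports which boot entries enable the kernel debugger, and on which port and baud rate. The function names, and the choice to treat either /debug or /debugport as "debugger enabled", are assumptions of the example.

```python
import re

# Constructed sample input: the boot.ini shown in step 2 above.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional - Debug" /fastdetect /debug /debugport=com1 /baudrate=115200
"""

# Entry layout: <ARC path>="<menu label>" <switches...>
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')
# Switches this check treats as "kernel debugger enabled" (a choice made for this example).
DEBUG_SWITCHES = {"debug", "debugport"}

def parse_boot_ini(text):
    """Return (boot_loader_settings, os_entries) parsed from boot.ini text."""
    section, loader, entries = None, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot loader" and "=" in line:
            key, value = line.split("=", 1)
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems" and (m := ENTRY_RE.match(line)):
            switches = {}
            for token in m.group("switches").split():
                name, _, value = token.lstrip("/").partition("=")
                switches[name.lower()] = value.lower()
            entries.append({"path": m.group("path").strip(),
                            "label": m.group("label"), "switches": switches})
    return loader, entries

def debug_entries(entries):
    """Boot menu entries that start Windows with the kernel debugger enabled."""
    return [e for e in entries if DEBUG_SWITCHES & e["switches"].keys()]

def default_boots_debug(loader, entries):
    """Both entries share one ARC path; assumption: the first match is the default."""
    default = loader.get("default", "").lower()
    match = next((e for e in entries if e["path"].lower() == default), None)
    return bool(match) and bool(DEBUG_SWITCHES & match["switches"].keys())

if __name__ == "__main__":
    loader, entries = parse_boot_ini(SAMPLE_BOOT_INI)
    for e in debug_entries(entries):
        print(e["label"], e["switches"].get("debugport"), e["switches"].get("baudrate"))
    print("default entry boots with debugger:", default_boots_debug(loader, entries))
```

The same check is useful when auditing XP-era images for boot entries that were left with kernel debugging switched on.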

While I was installing the Battlefield Play4Free game I loaded up filemon.exe from Sysinternals to see what files got placed on the system. During the "Installing PunkBuster" splash screen I noticed the following files were installed:
- C:\windows\system32\drivers\PnkBstrK.sys - The kernel driver, appears to be partially obfuscated using XOR.
- C:\windows\system32\PnkBstrA.exe - The Punk Buster service A. (I think this just downloads B, will RE to confirm).
- C:\windows\system32\PnkBstrB.exe - The Punk Buster service B.
- C:\windows\system32\PnkBstrB.xtr - The original downloaded form of PnkBstrB.exe (I think; this is a guess because the file size is the same).
- C:\Program Files\EA Games\Battlefield Play4Free\pbsvc_p4f.exe - The punk buster installer / remover service checking tool
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbcl.db - Looks to be a list of servers, ports and hashes of some sort (for installed files maybe?).
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbcl.log - Client log, shows connection/update query information.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbag.dll - Single export named 'a'; looks to be doing some sort of obfuscation. Not sure of its purpose yet.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbcl.dll - Not too sure; exports two names, 'ca' and 'cb', both of which look to be doing weird jmp calls. By the looks of the strings, it appears to communicate with the Punk Buster servers. Guessing by the name alone, probably the Punk Buster client.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbclgame.cfg - Contains the line: "cl_punkbuster 1"
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbns.dat - Unknown data format.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbns_c.dat - Same as above, with 16 bytes differing.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\pbsvc_p4f.exe - The Punk Buster installer / remover service checking tool.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\dll\wa001377.dll - Appears to be related to the html file full of signatures/hashes.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\dll\wc002244.dll - Appears to be related to the html file full of signatures/hashes.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\htm\wa001377.htm - Appears to be signatures/hashes. Probably for known hacks.
- C:\Program Files\EA Games\Battlefield Play4Free\pb\htm\wc002244.htm - Same as above.


So that's my target. Of course, everything I stated above is speculation as to the files' purpose. I will be debugging it to learn more details in the coming weeks.

Ahh it's good to have a target :>




