Wilders Security Forums  

  #1  
Old July 22nd, 2005, 10:49 AM
freefall freefall is offline
Infrequent Poster
 
Join Date: Jul 2005
Posts: 4
Lightbulb Running PunkBuster with ProcessGuard

Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.

Evenbalance can be very annoying. Somehow they believe that the hackers, the people who disassemble games in SoftICE, wouldn't figure that one out.

I was just playing with the trial version of ProcessGuard when PunkBuster bombs out with a cryptic message. At the very least, they should tell me in plain language that PG has to be completely uninstalled. Any normal person will assume that disabling PG temporarily will suffice.

It is still worse that this exposes weakness and weirdness in PunkBuster. Apparently, they are afraid of PG's ability to block the reading of a process. Surely it must be possible to detect that you are being blocked, and THEN complain about "blocked OS privileges"? Then the player could simply grant the necessary access.

Using the above trick, PB does not complain at all when PG is blocking. It does two things:

1. Attempt to specifically open PG's service, DCSPGSRV.
2. Verify that it is able to install and start a bogus service.

I think this is pretty bad. They go after Diamond instead of going after the problem.
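
The post above shows that a check keyed on a service's registry name is defeated by a one-letter rename. As an added example (not part of any post in this thread, and not DiamondCS or Even Balance code), this is how an integrity monitor can flag that kind of rename by comparing two snapshots of the Services key on the binary path instead of the key name. The snapshot contents, the `ImagePath` values and the renamed key `DCSPGSRX` are constructed sample data.

```python
import re
from collections import defaultdict

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def normalize_image_path(raw):
    """Reduce an ImagePath value to a comparable form (no quotes, args or \\??\\ prefix)."""
    p = raw.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # quoted path: keep what is inside the quotes
    else:
        m = re.match(r'(?i)(.+?\.(?:exe|sys|dll))(?:\s|$)', p)
        if m:
            p = m.group(1)                   # unquoted path: cut trailing arguments
    if p.startswith('\\??\\'):
        p = p[4:]                            # NT object-manager prefix used by drivers
    return p.lower()

def _index(snapshot):
    # Registry key names are case-insensitive, so index them lowercased.
    return {name.lower(): (name, normalize_image_path(path))
            for name, path in snapshot.items()}

def diff_services(before, after):
    """Classify differences between two {key name: ImagePath} snapshots."""
    b, a = _index(before), _index(after)
    gone, new = defaultdict(list), defaultdict(list)
    for key in b.keys() - a.keys():
        name, path = b[key]
        gone[path].append(name)
    for key in a.keys() - b.keys():
        name, path = a[key]
        new[path].append(name)

    report = {"renamed": [], "removed": [], "added": []}
    for path, old_names in gone.items():
        new_names = new.get(path, [])
        # Only call it a rename when the binary maps to exactly one vanished key
        # and one new key; shared hosts such as svchost.exe stay ambiguous.
        if len(old_names) == 1 and len(new_names) == 1:
            report["renamed"].append((old_names[0], new_names[0], path))
            del new[path]
        else:
            report["removed"].extend(old_names)
    for names in new.values():
        report["added"].extend(names)
    for entries in report.values():
        entries.sort()
    return report

# Constructed snapshots; the ProcessGuard path is a placeholder, not the real one.
BEFORE = {
    "DCSPGSRV": r'"C:\Example\ProcessGuard\pg_service.exe"',
    "Spooler": r'%SystemRoot%\system32\spoolsv.exe',
    "ExampleSvcA": r'%SystemRoot%\system32\svchost.exe -k netsvcs',
}
AFTER = {
    "DCSPGSRX": r'"C:\Example\ProcessGuard\pg_service.exe"',
    "spooler": r'%SystemRoot%\system32\spoolsv.exe',
    "ExampleSvcA": r'%SystemRoot%\system32\svchost.exe -k netsvcs',
    "ExampleSvcB": r'%SystemRoot%\system32\svchost.exe -k netsvcs',
}

if __name__ == "__main__":
    for old, new_name, path in diff_services(BEFORE, AFTER)["renamed"]:
        print(f"{SERVICES_KEY}: {old} -> {new_name} ({path})")
```

Matching on the path still fails if the binary itself is moved or renamed, which is the further step discussed later in the thread.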
  #2  
Old July 22nd, 2005, 11:47 PM
azumi21's Avatar
azumi21 azumi21 is offline
Regular Poster
 
Join Date: Aug 2004
Posts: 129
Question Re: Running PunkBuster with ProcessGuard

Quote:
Originally Posted by freefall
Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.

Evenbalance can be very annoying. Somehow they believe that the hackers, the people who disassemble games in SoftICE, wouldn't figure that one out.

I was just playing with the trial version of ProcessGuard when PunkBuster bombs out with a cryptic message. At the very least, they should tell me in plain language that PG has to be completely uninstalled. Any normal person will assume that disabling PG temporarily will suffice.

It is still worse that this exposes weakness and weirdness in PunkBuster. Apparently, they are afraid of PG's ability to block the reading of a process. Surely it must be possible to detect that you are being blocked, and THEN complain about "blocked OS privileges"? Then the player could simply grant the necessary access.

Using the above trick, PB does not complain at all when PG is blocking. It does two things:

1. Attempt to specifically open PG's service, DCSPGSRV.
2. Verify that it is able to install and start a bogus service.

I think this is pretty bad. They go after Diamond instead of going after the problem.

Will that hinder PG from performing its functions?
  #3  
Old July 23rd, 2005, 01:13 AM
sukarof's Avatar
sukarof sukarof is offline
Very Frequent Poster
 
Join Date: Jun 2004
Location: Stockholm Sweden
Posts: 1,450
Default Re: Running PunkBuster with ProcessGuard

Quote:
Originally Posted by freefall
Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.

ROFL. Thanks for the info. If this works I wonder how much the other anticheat measures they have are worth.
  #4  
Old July 26th, 2005, 05:06 AM
lupus lupus is offline
Infrequent Poster
 
Join Date: Apr 2005
Posts: 22
Default Re: Running PunkBuster with ProcessGuard

Very interesting, I was hoping someone would come up with such a workaround. I will reinstall PG and test.
  #5  
Old July 26th, 2005, 06:22 AM
Wayne - DiamondCS's Avatar
Wayne - DiamondCS Wayne - DiamondCS is offline
Security Expert
 
Join Date: Jul 2002
Location: Perth, Oz
Posts: 1,533
Default Re: Running PunkBuster with ProcessGuard

Quote:
I think this is pretty bad. They go after Diamond instead of going after the problem.
I didn't think it'd take long for somebody to come up with another bypass trick. ProcessGuard has (unintentionally) highlighted the fact that the current implementation of the Punkbuster protection system suffers from a seemingly fundamental flaw - its security can be bypassed simply by blocking process access, something which any kernel driver programmer can do. However as you have noted, rather than fixing the problem they have gone after programs like ProcessGuard, blocking users if they detect that they have ProcessGuard. They will probably keep being confronted with these bypass tricks until the problem itself is addressed, and we're talking about a system where they can implement server-side protection as well. Blocking users from playing your game simply because you have a particular security system is clearly not acceptable in this day and age where security is so important, and users should not be expected to uninstall security programs just to play games, just as for example they shouldn't be expected to be logged in as an Administrator just to play a game (installation is of course a different matter).

Best regards,
Wayne
__________________
DiamondCS (Est. 1986) - Celebrating 20 Years ...
Home of Port Explorer, ProcessGuard, and check out all our other freeware security tools!
  #6  
Old July 28th, 2005, 08:18 PM
Juggernaut's Avatar
Juggernaut Juggernaut is offline
Regular Poster
 
Join Date: Jul 2005
Posts: 60
Default Re: Running PunkBuster with ProcessGuard

I sent a ticket into Punk Buster and the reply I got shows that they are not trying to fix the problem in any shape, form, or fashion.

Punk Buster clearly does not care about their customers and are quite flip and arrogant about it.

My Ticket Question:
Why am I not allowed to own and run Process Guard on my system? This is a legit security software program. Now for no reason after a decade of playing games and NEVER cheating I am not allowed to play on line games that have punk buster installed?

The solution is not to Blacklist security software that finds flaws in your software. I should not have to choose between having a secure computer and playing a game on line. You need to take a look at how to work around this because myself and many others are caught up in this crap and we should not have to be. We paid good money for some of these games and being told we have to remove other software from our computer whose sole purpose is not meant to cheat in games is not right.


The Response from Punk Buster (Stuart Dunsmore):
Process guard works, and that is the problem. Using it, you can deny PB access to check your system for hacks. You can even deny PB access to see if PG is running, so we have to take it the next step, and make sure it is not even installed. When you agreed to our EULA, you stated that the benefit of cheat free gaming outweighed system security. You cannot have a secure system, and also allow PB full access to verify your system. They are mutually exclusive.
  #7  
Old July 28th, 2005, 09:27 PM
Peter2150's Avatar
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,046
Default Re: Running PunkBuster with ProcessGuard

What a wonderful tribute to Process Guard. I love it. Sorry guys I am not a gamer.

Pete
  #8  
Old July 29th, 2005, 03:59 AM
war59312 war59312 is offline
Regular Poster
 
Join Date: Nov 2002
Location: U.S.A
Posts: 69
Default Re: Running PunkBuster with ProcessGuard

OMG I can't believe I never thought of that.

Thanks a ton,
Will
__________________
God Bless America
  #9  
Old July 29th, 2005, 10:27 AM
freefall freefall is offline
Infrequent Poster
 
Join Date: Jul 2005
Posts: 4
Default Re: Running PunkBuster with ProcessGuard

Quote:
Originally Posted by Juggernaut
Punk Buster clearly does not care about their customers and are quite flip and arrogant about it.
Maybe the problem is that the gamers are not customers of PunkBuster.
There's a disconnect they can abuse.

Counter-Strike: Source has this new proprietary VAC2 anti-cheat system, and I believe it only
requires access to "physical memory" to run. If I understand correctly, this can be used to completely
bypass every other blocking method if they have the programming skills. I've heard ProcessGuard works
with their game.

It's interesting how the gaming world mirrors security issues in other areas. For example:

The people at Alcohol Soft (Daemon Tools) have an option to install their virtual drives as a
service with a user-specified name. That's because some copy-protection company specifically tried
to look for their service, to distinguish a real CD from a hard disk image.

Then there was a rootkit, I think it was called HackerDefender, that specifically targeted
SysInternals' RootkitRevealer .exe filename to hide itself from that program. SysInternals
released a new version which randomly renames its own executable before running it, as a
counter-counter-measure.

Diamond could do the same if they have reason to believe evil programs are targeting their
service. But maybe they're afraid it would be seen as a hostile move towards PunkBuster if
they still are hoping for a cooperative solution.
  #10  
Old July 29th, 2005, 01:17 PM
Juggernaut's Avatar
Juggernaut Juggernaut is offline
Regular Poster
 
Join Date: Jul 2005
Posts: 60
Default Re: Running PunkBuster with ProcessGuard

Isn't there a law in some countries that makes a person liable if they leave their computer unsecured and open to exploits that can be used to commit a crime? Wouldn't then Even Balance who makes Punk Buster be endorsing this with its EULA?

Not only are they denying people access to other software, but they are telling people that in order to enjoy playing games on line (which millions do) you must have an unsecured computer that can easily be hijacked and used for other means.

Perhaps a Class Action Lawsuit is possible for Even Balance. Their policy stinks to hell and back and Process Guard is just opening up people's eyes to what they are doing.

As for the EULA. I may have not bought and paid for Battlefield 2 had I known this was a part of the agreement. But unless that agreement is on the box you have to purchase the software before you get to read it. They have a nice gig going because you can't see what you have gotten into until you have already purchased the product.

And the above fix does not work anymore. Tried it and was denied access to playing last night. I think they tweaked the software to look for more than just the registry entries, but to also look for any signs of installation such as directories.
  #11  
Old July 30th, 2005, 10:31 PM
o_0
 
Posts: n/a
Default Re: Running PunkBuster with ProcessGuard

Might be looking at HKLM\SOFTWARE\Diamond Computer Systems
Funnily enough, all the settings there seem fine to delete once PG is running. Give that a shot.. export all PG reg settings then remove it once it's loaded and working. Could also install to a non default folder.. and with protection disabled can you rename the driver and driver filename too?
  #12  
Old July 31st, 2005, 05:12 AM
Pilli's Avatar
Pilli Pilli is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Hampshire UK
Posts: 6,218
Default Re: Running PunkBuster with ProcessGuard

Quote:
Not only are they denying people access to other software, but they are telling people that in order to enjoy playing games on line (which millions do) you must have an unsecured computer that can easily be hijacked and used for other means.
One of the biggest problems is the fact that these games are required to run with Admin privileges which is a major security hole from the start, let alone what PunkBuster is trying to enforce upon its users.

Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
  #13  
Old July 31st, 2005, 02:10 PM
freefall freefall is offline
Infrequent Poster
 
Join Date: Jul 2005
Posts: 4
Default Re: Running PunkBuster with ProcessGuard

Quote:
Originally Posted by Juggernaut
Perhaps a Class Action Lawsuit is possible
I think the Aussies would have to sell a hell of a lot of ProcessGuard to pay for the lawyers.

Quote:
Originally Posted by Juggernaut
And the above fix does not work anymore. Tried it and was denied access to playing last night.
Are you sure? Works fine with America's Army.

Quote:
Originally Posted by Juggernaut
I think they tweaked the software to look for more than just the registry entries, but to also look for any signs of installation such as directories.
They already tried to attack the true name of the ProcessGuard service, which was supposed to be a
secret. Seems unlikely that they should use even cheaper tricks.

They can't scan your whole hard drive. For starters it would make a lot of noise, and stress your
system. They have a policy of making a non-intrusive PunkBuster, and who would accept that a game, that
is connected to the internet, should start reading all your files and directories?

They would have to look for file names in the registry. You can use regedit to set permissions on
the registry, preventing even yourself from reading keys. Besides, there are programs that can block
parts of the registry to specified processes.

So what are they supposed to do? Listing out your running processes, they can look for
"DCSUserprotect.exe", "pgaccount.exe" and "procguard.exe". Well you can probably rename all those
files. Then you can search and replace those filenames correspondingly in regedit. This is still
nothing more than a bucket of cheap tricks that many 16 year olds would figure out fast enough.

You could possibly even use a program like "PE Explorer" and a hex-editor to modify those
files, to change the internal filenames correspondingly, by looking for strings inside the
executables. That'd be against your license agreement, but the point is that the CHEATERS would have
no quibbles.

Reading all the processes? As Even Balance already pointed out to you, ProcessGuard can protect itself
from being read by PunkBuster. Maybe they can detect that they are being blocked, but then there
would be no point in banning ProcessGuard in the first place!!

Far more likely is that Even Balance will check to see if the hidden device "procguard" is running.
Then maybe the hackers will write their own blocking kernel-mode program. Or maybe they will simply
crack ProcessGuard's internal file integrity checking and rename that device as well.

You can see for yourself by opening "Device Manager" and clicking "Show hidden devices" under
"View". While you're in there you may see other interesting devices called "StarForce" (only if you
have installed certain games). It's interfering with your CD driver, preventing you from making
backups of your CDs. You can disable those devices here, and that was supposed to be a secret as
well. Of course, this sort of thing is what Even Balance should've made instead of feeding us this BS.

As Wayne-DiamondCS has been saying all the time, they need to write some kernel-mode protection.
They deny legit customers the right to protect themselves, even if they must know that the hackers
will circumvent the ban anyway.

How perverse, that a Texas company should believe in the logic of gun control. The solution is,
obviously, to get a bigger gun than the bad guys.
  #14  
Old July 31st, 2005, 03:16 PM
Juggernaut's Avatar
Juggernaut Juggernaut is offline
Regular Poster
 
Join Date: Jul 2005
Posts: 60
Default Re: Running PunkBuster with ProcessGuard

One of the biggest problems here is that Punk Buster comes with the game. You purchase the game and install it and there is Punk Buster doing its install right after.

This is the time that you get slapped with the Even Balance EULA. After you have purchased and installed the initial game. I can't help but wonder how many people would shy away from purchasing some of these games if the Even Balance license agreement was placed on the box where people could see it before they purchased the game.

To quote another from a different forum:
"EB's EULA is full of disclaimers and redirects and conditional rhetoric. As are most EULAs. But the whole "we're gonna sit on our hands because we don't HAVE to do anything."

The rub is this: EB has no competition. None. Whatsoever. The burden of proof in this case is to develop an alternative for anti cheat; address the issue with PG and see what happens or uninstall PG.

I don't know what reading license agreements will do for me after I make the purchase. Other than make me aware that I got rooked. If they published EULAs before the release, then people could see what they're getting into. Comes a time when a hefty class-action suit may force that issue.

...and in this case had I read the EULA prior to making the purchase, I would have never bought the game"
  #15  
Old November 4th, 2005, 07:48 PM
Marauder's Avatar
Marauder Marauder is offline
Infrequent Poster
 
Join Date: Jun 2005
Posts: 28
Default Running PunkBuster with ProcessGuard

Does this still work? Just wondering.

Running PunkBuster with ProcessGuard
Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.
  #16  
Old November 14th, 2005, 07:57 PM
squawkkkkk
 
Posts: n/a
Smile Re: Running PunkBuster with ProcessGuard

Amazing that works - thank you.

Now got Punkbuster and ProcessGuard running together, no probs.

Doesn't say much for PunkBuster security!!
  #17  
Old November 14th, 2005, 10:20 PM
Kegel Kegel is offline
Regular Poster
 
Join Date: Oct 2003
Posts: 157
Default Re: Running PunkBuster with ProcessGuard

If this works, I will reinstall PG. Does this "fix" disable any of PG's protection though?
  #18  
Old November 15th, 2005, 03:03 AM
halcyon halcyon is offline
Frequent Poster
 
Join Date: May 2003
Posts: 352
Default Re: Running PunkBuster with ProcessGuard

Could this be made sticky?
  #19  
Old November 21st, 2005, 11:46 PM
desertfox
 
Posts: n/a
Default Re: Running PunkBuster with ProcessGuard

I don't have that file??
  #20  
Old November 22nd, 2005, 01:15 PM
Joliet Jake's Avatar
Joliet Jake Joliet Jake is offline
Frequent Poster
 
Join Date: Mar 2005
Location: Scotland
Posts: 908
Default Re: Running PunkBuster with ProcessGuard

Quote:
Originally Posted by Marauder
Does this still work? Just wondering.

Running PunkBuster with ProcessGuard
Go here in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.


Doesn't work for me.

Eh, scratch that, it does
__________________
Damn and blast

Last edited by Joliet Jake : November 22nd, 2005 at 04:58 PM.
  #21  
Old December 1st, 2005, 05:50 AM
jamesk
 
Posts: n/a
Big Grin Re: Running PunkBuster with ProcessGuard

Special Request: Bearing in mind the recent fuss over Sony and First 4 Internet, is it possible to implement the same technology to hide PG from every application on the computer it's installed on? This would simply be the icing on the cake as far as security is concerned as what malware cannot see, it cannot kill. It will also prevent malware from getting the upper hand on process guard.

I shall be looking to try and implement this myself for PG and Alcohol Soft but if Wayne can build this in it will be EXCELLENT
  #22  
Old December 5th, 2005, 05:11 PM
Joliet Jake's Avatar
Joliet Jake Joliet Jake is offline
Frequent Poster
 
Join Date: Mar 2005
Location: Scotland
Posts: 908
Default Re: Running PunkBuster with ProcessGuard

Has anyone found that punkbuster is disconnecting them despite doing the change suggested earlier in this post?
__________________
Damn and blast
  #23  
Old December 7th, 2005, 07:34 AM
lupus lupus is offline
Infrequent Poster
 
Join Date: Apr 2005
Posts: 22
Default Re: Running PunkBuster with ProcessGuard

It works, just have to change a few settings, look at the Alerts log to know what to change. Been playing BF2 for hours with PG installed without being kicked once.
  #24  
Old December 27th, 2005, 05:19 PM
Joliet Jake's Avatar
Joliet Jake Joliet Jake is offline
Frequent Poster
 
Join Date: Mar 2005
Location: Scotland
Posts: 908
Default Re: Running PunkBuster with ProcessGuard

Can't believe this.
Updated PG to the latest version and I've tried to rename the registry key per the first guy's post, however the registry won't let me.
I'm signed in as administrator and I did it ok with the last version of PG.
I've tried changing the permissions but get the same message that I'm not allowed to change the registry key.
Anyone got any suggestions?
I'm kicked off my BF2 server because of this.

Thanks...

JJ
__________________
Damn and blast
  #25  
Old December 27th, 2005, 05:40 PM
Paranoid2000's Avatar
Paranoid2000 Paranoid2000 is offline
Security Expert
 
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Default Re: Running PunkBuster with ProcessGuard

Quote:
Originally Posted by Joliet Jake
I've tried changing the permissions but get the same message that I'm not allowed to change the registry key.
Anyone got any suggestions?
Try using regedt32 rather than regedit for this change - regedt32 allows you to change permissions on keys (via Security/Permissions). It does however lack the search feature of regedit.

All times are GMT -4.