Running PunkBuster with ProcessGuard

Discussion in 'ProcessGuard' started by freefall, Jul 22, 2005.

  1. freefall

    freefall Registered Member

    Joined:
    Jul 22, 2005
    Posts:
    4
    Go here in regedit:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.

    Evenbalance can be very annoying. Somehow they believe that the hackers, the people who disassemble games in SoftICE, wouldn't figure that one out. :rolleyes:

    I was just playing with the trial version of ProcessGuard when PunkBuster bombs out with a cryptic message. At the very least, they should tell me in plain language that PG has to be completely uninstalled. Any normal person will assume that disabling PG temporarily will suffice. o_O

    It is still worse that this exposes weakness and weirdness in PunkBuster. Apparently, they are afraid of PG's ability to block the reading of a process. Surely it must be possible to detect that you are being blocked, and THEN complain about "blocked OS privileges"? Then the player could simply grant the necessary access.

    Using the above trick, PB does not complain at all when PG is blocking. It does two things:

    1. Attempt to specifically open PG's service, DCSPGSRV.
    2. Verify that it is able to install and start a bogus service.

    I think this is pretty bad. They go after Diamond instead of going after the problem. :mad:
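The second check described above, installing and starting a throwaway service, leaves an audit trail that an administrator can review. The following is an added example, not code from the thread or from either vendor: on Windows Vista and later, the Service Control Manager records every service installation as Event ID 7045 in the System log, and this script lists recent entries with the service name and image path. The property order assumed for 7045 (name, file name, type, start type, account) matches the event's message template.

```powershell
# Added example (not from the thread): list recent service installations
# recorded by the Service Control Manager (System log, Event ID 7045).
# Read-only; it only queries the event log.
param(
    # How far back to look, in hours. Constructed default for illustration.
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Get-WinEvent requires Windows Vista / PowerShell 2.0 or later.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No service installations logged in the last $Hours hour(s)."
    return
}

foreach ($e in $events) {
    # 7045 event data, in template order:
    # 0 = service name, 1 = service file name, 2 = service type,
    # 3 = service start type, 4 = service account
    $p = $e.Properties
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ServiceName = $p[0].Value
        ImagePath   = $p[1].Value
        ServiceType = $p[2].Value
        StartType   = $p[3].Value
        Account     = $p[4].Value
    }
}
```

Run it from an elevated PowerShell prompt; a service that is installed and then removed again within seconds, with an image path outside the usual program directories, is exactly the pattern worth looking at when a game or anti-cheat component is being blamed for unexplained service activity.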
     
  2. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129
    will that hinder PG from performing its functions?
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    ROFL. Thanks for the info. If this works I wonder how much the other anticheat measures they have are worth :D
     
  4. lupus

    lupus Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    22
    Very interesting, I was hoping someone would come up with such a workaround. I will reinstall PG and test.
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I didn't think it'd take long for somebody to come up with another bypass trick. ProcessGuard has (unintentionally) highlighted the fact that the current implementation of the Punkbuster protection system suffers from a seemingly fundamental flaw - its security can be bypassed simply by blocking process access, something which any kernel driver programmer can do. However, as you have noted, rather than fixing the problem they have gone after programs like ProcessGuard, blocking users if they detect that they have ProcessGuard. They will probably keep being confronted with these bypass tricks until the problem itself is addressed, and we're talking about a system where they can implement server-side protection as well. Blocking users from playing your game simply because you have a particular security system is clearly not acceptable in this day and age where security is so important, and users should not be expected to uninstall security programs just to play games, just as for example they shouldn't be expected to be logged in as an Administrator just to play a game (installation is of course a different matter).

    Best regards,
    Wayne
     
  6. Juggernaut

    Juggernaut Registered Member

    Joined:
    Jul 27, 2005
    Posts:
    60
    I sent a ticket into Punk Buster and the reply I got shows that they are not trying to fix the problem in any shape, form, or fashion.

    Punk Buster clearly does not care about their customers and is quite flip and arrogant about it.

    My Ticket Question:
    Why am I not allowed to own and run Process Guard on my system? This is a legit security software program. Now for no reason after a decade of playing games and NEVER cheating I am not allowed to play online games that have punk buster installed?

    The solution is not to Blacklist security software that finds flaws in your software. I should not have to choose between having a secure computer and playing a game online. You need to take a look at how to work around this because myself and many others are caught up in this crap and we should not have to be. We paid good money for some of these games and being told we have to remove other software from our computer whose sole purpose is not meant to cheat in games is not right.


    The Response from Punk Buster(Stuart Dunsmore):
    Process guard works, and that is the problem. Using it, you can deny PB access to check your system for hacks. You can even deny PB access to see if PG is running, so we have to take it the next step, and make sure it is not even installed. When you agreed to our EULA, you stated that the benefit of cheat free gaming outweighed system security. You cannot have a secure system, and also allow PB full access to verify your system. They are mutually exclusive.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    What a wonderful tribute to Process Guard. I love it. Sorry guys, I am not a gamer.

    Pete
     
  8. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    OMG I can't believe I never thought of that.

    Thanks a ton,
    Will
     
  9. freefall

    freefall Registered Member

    Joined:
    Jul 22, 2005
    Posts:
    4
    Maybe the problem is that the gamers are not customers of PunkBuster. There's a disconnect they can abuse.

    Counter-Strike: Source has this new proprietary VAC2 anti-cheat system, and I believe it only requires access to "physical memory" to run. If I understand correctly, this can be used to completely bypass every other blocking method if they have the programming skills. I've heard ProcessGuard works with their game.

    It's interesting how the gaming world mirrors security issues in other areas. For example:

    The people at Alcohol Soft (Daemon Tools) have an option to install their virtual drives as a service with a user-specified name. That's because some copy-protection company specifically tried to look for their service, to distinguish a real CD from a hard disk image.

    Then there was a rootkit, I think it was called HackerDefender, that specifically targeted SysInternals' RootkitRevealer .exe filename to hide itself from that program. SysInternals released a new version which randomly renames its own executable before running it, as a counter-counter-measure.

    Diamond could do the same if they have reason to believe evil programs are targeting their service. But maybe they're afraid it would be seen as a hostile move towards PunkBuster if they still are hoping for a cooperative solution. :)
     
  10. Juggernaut

    Juggernaut Registered Member

    Joined:
    Jul 27, 2005
    Posts:
    60
    Isn't there a law in some countries that makes a person liable if they leave their computer unsecured and open to exploits that can be used to commit a crime? Wouldn't then Even Balance who makes Punk Buster be endorsing this with its EULA?

    Not only are they denying people access to other software, but they are telling people that in order to enjoy playing games online (which millions do) you must have an unsecured computer that can easily be hijacked and used for other means.

    Perhaps a Class Action Lawsuit is possible for Even Balance. Their policy stinks to hell and back and Process Guard is just opening up people's eyes to what they are doing.

    As for the EULA. I may have not bought and paid for Battlefield 2 had I known this was a part of the agreement. But unless that agreement is on the box you have to purchase the software before you get to read it. They have a nice gig going because you can't see what you have gotten into until you have already purchased the product.

    And the above fix does not work anymore. Tried it and was denied access to playing last night. I think they tweaked the software to look for more than just the registry entries, but to also look for any signs of installation such as directories.
     
  11. o_0

    o_0 Guest

    Might be looking at HKLM\SOFTWARE\Diamond Computer Systems
    Funnily enough, all the settings there seem fine to delete once PG is running. Give that a shot.. export all PG reg settings then remove it once it's loaded and working. Could also install to a non-default folder.. and with protection disabled can you rename the driver and driver filename too o_O
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    One of the biggest problems is the fact that these games are required to run with Admin privileges which is a major security hole from the start, let alone what PunkBuster is trying to enforce upon its users.

    Pilli
     
  13. freefall

    freefall Registered Member

    Joined:
    Jul 22, 2005
    Posts:
    4
    I think the Aussies would have to sell a hell of a lot of ProcessGuard to pay for the lawyers :D

    Are you sure? Works fine with America's Army.

    They already tried to attack the true name of the ProcessGuard service, which was supposed to be a secret. Seems unlikely that they should use even cheaper tricks.

    They can't scan your whole hard drive. For starters it would make a lot of noise, and stress your system. They have a policy of making a non-intrusive PunkBuster, and who would accept that a game which is connected to the internet should start reading all your files and directories?

    They would have to look for file names in the registry. You can use regedit to set permissions on the registry, preventing even yourself from reading keys. Besides, there are programs that can block parts of the registry to specified processes.

    So what are they supposed to do? Listing out your running processes, they can look for "DCSUserprotect.exe", "pgaccount.exe" and "procguard.exe". Well, you can probably rename all those files. Then you can search and replace those filenames correspondingly in regedit. This is still nothing more than a bucket of cheap tricks that many 16 year olds would figure out fast enough.

    You could possibly even use a program like "PE Explorer" and a hex-editor to modify those files, to change the internal filenames correspondingly, by looking for strings inside the executables. That'd be against your license agreement, but the point is that the CHEATERS would have no quibbles.

    Reading all the processes? As Even Balance already pointed out to you, ProcessGuard can protect itself from being read by PunkBuster. Maybe they can detect that they are being blocked, but then there would be no point in banning ProcessGuard in the first place!!

    Far more likely is that Even Balance will check to see if the hidden device "procguard" is running. Then maybe the hackers will write their own blocking kernel-mode program. Or maybe they will simply crack ProcessGuard's internal file integrity checking and rename that device as well. :D

    You can see for yourself by opening "Device Manager" and clicking "Show hidden devices" under "View". While you're in there you may see other interesting devices called "StarForce" (only if you have installed certain games). It's interfering with your CD driver, preventing you from making backups of your CDs. You can disable those devices here, and that was supposed to be a secret as well. Of course, this sort of thing is what Even Balance should've made instead of feeding us this BS.

    As Wayne-DiamondCS has been saying all the time, they need to write some kernel-mode protection. They deny legit customers the right to protect themselves, even if they must know that the hackers will circumvent the ban anyway.

    How perverse, that a Texas company should believe in the logic of gun control. The solution is, obviously, to get a bigger gun than the bad guys.
     
  14. Juggernaut

    Juggernaut Registered Member

    Joined:
    Jul 27, 2005
    Posts:
    60
    One of the biggest problems here is that Punk Buster comes with the game. You purchase the game and install it and there is Punk Buster doing its install right after.

    This is the time that you get slapped with the Even Balance EULA. After you have purchased and installed the initial game. I can't help but wonder how many people would shy away from purchasing some of these games if the Even Balance license agreement was placed on the box where people could see it before they purchased the game.

    To quote another from a different forum:
    "EB's EULA is full of disclaimers and redirects and conditional rhetoric. As are most EULAs. But the whole "we're gonna sit on our hands because we don't HAVE to do anything."

    The rub is this: EB has no competition. None. Whatsoever. The burden of proof in this case is to develop an alternative for anti cheat; address the issue with PG and see what happens or uninstall PG.

    I don't know what reading license agreements will do for me after I make the purchase. Other than make me aware that I got rooked. If they published EULAs before the release, then people could see what they're getting into. Comes a time when a hefty class-action suit may force that issue.

    ...and in this case had I read the EULA prior to making the purchase, I would have never bought the game"
     
  15. Marauder

    Marauder Registered Member

    Joined:
    Jun 17, 2005
    Posts:
    28
    Does this still work? Just wondering.

    Running PunkBuster with ProcessGuard
    Go here in regedit:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    In this hive, there should be an entry named DCSPGSRV. Rename it, just change one letter. Reboot.
     
  16. squawkkkkk

    squawkkkkk Guest

    Amazing that works - thank you.

    Now got Punkbuster and ProcessGuard running together, no probs.

    Doesn't say much for PunkBuster security!!
     
  17. Kegel

    Kegel Registered Member

    Joined:
    Oct 28, 2003
    Posts:
    159
    If this works, I will reinstall PG. Does this "fix" disable any of PG's protection though?
     
  18. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Could this be made sticky?
     
  19. desertfox

    desertfox Guest

    I don't have that file??
     
  20. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland

    Doesn't work for me.

    Eh, scratch that, it does :)
     
    Last edited: Nov 22, 2005
  21. jamesk

    jamesk Guest

    Special Request: Bearing in mind the recent fuss over Sony and First 4 Internet, is it possible to implement the same technology to hide PG from every application on the computer it's installed on? This would simply be the icing on the cake as far as security is concerned as what malware cannot see, it cannot kill. It will also prevent malware from getting the upper hand on process guard.

    I shall be looking to try and implement this myself for PG and Alcohol Soft but if Wayne can build this in it will be EXCELLENT :D
     
  22. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Has anyone found that punkbuster is disconnecting them despite doing the change suggested earlier in this post?
     
  23. lupus

    lupus Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    22
    It works, just have to change a few settings, look at the Alerts log to know what to change. Been playing BF2 for hours with PG installed without being kicked once.
     
  24. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Can't believe this.
    Updated PG to the latest version and I've tried to rename the registry key per the first guy's post, however the registry won't let me.
    I'm signed in as administrator and I did it ok with the last version of PG.
    I've tried changing the permissions but get the same message that I'm not allowed to change the registry key.
    Anyone got any suggestions?
    I'm kicked off my BF2 server because of this. :(

    Thanks...

    JJ :cool:
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Try using regedt32 rather than regedit for this change - regedt32 allows you to change permissions on keys (via Security/Permissions). It does however lack the search feature of regedit.
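Both freefall's remark that regedit can set permissions on registry keys and Paranoid2000's pointer to regedt32's Security/Permissions dialog come down to the ACL on the service key. The script below is an added example, not code from the thread or from either vendor: it reads and lists the access control entries on a service key under HKLM\SYSTEM\CurrentControlSet\Services so an administrator can see which principal, which rights and whether an explicit Deny is involved before touching anything in the permissions dialog. It changes nothing. The default key name DCSPGSRV is the one mentioned in the thread; any service name can be passed instead.

```powershell
# Added example (not from the thread): show the ACL on a service's registry
# key. Read-only; nothing is modified. Run from an elevated prompt.
param(
    # Service key name under HKLM\SYSTEM\CurrentControlSet\Services.
    # DCSPGSRV is the name quoted in the thread; assumption for the default only.
    [string]$ServiceName = 'DCSPGSRV'
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Host "Key not found: $keyPath"
    return
}

# Get-Acl on a registry path returns a RegistrySecurity object whose
# Access collection holds one RegistryAccessRule per entry.
$acl = Get-Acl -LiteralPath $keyPath
Write-Host "Key:   $keyPath"
Write-Host "Owner: $($acl.Owner)"
Write-Host ""

# One row per entry: who, Allow/Deny, the registry rights granted or denied,
# and whether the entry is inherited from the parent Services key.
$acl.Access |
    Sort-Object -Property AccessControlType, IdentityReference |
    Format-Table -AutoSize -Property `
        @{ Label = 'Principal'; Expression = { $_.IdentityReference } },
        @{ Label = 'Type';      Expression = { $_.AccessControlType } },
        @{ Label = 'Rights';    Expression = { $_.RegistryRights } },
        @{ Label = 'Inherited'; Expression = { $_.IsInherited } }

# Deny entries take precedence over Allow entries for the same principal,
# and a key cannot be deleted (or moved) without the Delete right on it.
$denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
if ($denies) {
    Write-Host "Explicit Deny entries are present on this key; they override any Allow"
    Write-Host "entries for the listed principals and are the usual reason an"
    Write-Host "administrator account is refused a change here."
}
```

If the listing shows only inherited Allow entries for Administrators and SYSTEM and the change is still refused, the restriction is not coming from the registry ACL at all but from a driver intercepting the access, which is the case the thread's later posts describe; the permissions dialog will not help there, and the product's own settings or alert log are the place to look.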