netCoders vs. PunkBuster
Written by jockyitch   
Thursday, 27 March 2008

Standing back and watching the pro-hackers at netCoders and the anti-cheat boyz at PunkBuster duking it out lately has been like watching Randy Couture and Chuck Liddell go at it in the Octagon: heavy fists, a few kicks and lots of blood.

It has been a back and forth fight so far - that is for sure.

Round One

Without a doubt, the first round in this match was all Even Balance. The folks behind PunkBuster used their memory and drive scanning capabilities to search for hidden hack DLLs stored on client systems. Once a hack was found, PB issued a global ban on the GUID belonging to that computer.

PB currently does not have heuristics, so in addition to the checks they do to ensure you have not tampered with the game's executable, they also check for specific hacks. They do this by looking for strings of code (signatures) that could only have come from a hack program.

How do they know what the hack code looks like?  They buy it!

Yup...Even Balance's staff simply goes to a major hack provider website and purchases the hacks...just like the rest of the hacking public. If they are fortunate, some good-natured soul sends them the hack. Either way, Even Balance can then check the hack opcode and catalog its "genetics".

Snippets of this code can now be searched for on client computers. This is what the two resident processes on your system, PnkBstrA.exe and PnkBstrB.exe, are there for.

There are many misconceptions about what those two processes are actually doing on your computer. We asked Even Balance engineer Micah to give us the true dope. We published his responses here:

Scanning for specific hacks has been extremely effective lately. So much so that it has been rumored that high-profile hack sites like netCoders have been seeing their clientele lose faith in the hack community. And worse, they have been leaving and taking their money with them. Selling hacks is good business. Hacker sites will sell you their "services" at premium rates ($50-60US every three months is not uncommon).

It stands to reason then, that round two would see netCoders come out swinging.

Round Two

One of the professional hacking sites on the web, netCoders (nC), pummeled and bleeding from PB body shots, came up with a stunningly simple strategy to fight back. Here is how Pansemuckl from nC described this idea on their site.

"Punkbuster - desperate to get our private cheats detected, thought it might be a good idea to randomly sniff any PC's physical (!!!) memory. Basically it's acting like a virus-scanner trying to find blacklisted sequences of bytes found in cheat files. Which is not even a bad idea - it's just been used badly. Give a monkey a gun and he shoots himself. Don't blame the gun...Do you know what PB is doing with that data? Do you trust them? Of course you do. Punkbuster never fails. I don't trust them. So I kept digging deeper. After a while I found out what rsHook got detected for: Some noob leaked the files to Punkbuster (editor: more than likely Even Balance probably just bought the hack from their site). As they couldn't manage to reverse or crack them, they've just added some random string to their signature blacklist.


Game: ET v2.60
PB: version (add)
Violation: #80332
Signature dump:
Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 2C 20 22 52 69 66 6C 65 20 41 69 6D 20 50 72 65   , "Rifle Aim Pre
00000010 64 69 63 74 69 6F 6E 3A 22 00                     diction:.

Neither Rainer nor I could believe what's happening here. All it takes to get kicked is to have that sequence of bytes in a computer's memory, and you will get kicked for #80332, even without hacks!!!"

- Pansemuckl (netCoders) March 23, 2008

How could this fact affect the average player who has never bought a hack? Surely he/she does not have this tell-tale signature on their computer. We're safe right?

Well...nC has apparently found a way to spam message these hack signatures to your computer. The signature then resides on your computer's memory - and Punk Buster detects it. End result: you get banned.

nC found that they can get these "signatures" onto your system by sending them through chat programs, for instance. An IRC client is a good example of such an attack vector.

...I'm sure you can guess what happened next.

To prove out their nefarious (but admittedly brilliant) idea, nC embarked on hitting a legit gaming community known as Crossfire 3.0. Let Pansemuckl take it from here: 

"So here's another "proof of concept" you will find more difficult to explain: Today we decided to put this up to public after having fun with it for a couple of months. So we chose our beloved friends at (revenge is sweet, isn't it) to help us out. People won't trust us, but them. They're loyal.

So we put up one of our signatures and send it as a message to their IRC master channel. Soon, more than 300 players got kicked for #80332."

This false-positive disaster hit the legit gaming community like a tactical nuke. And the reaction to nC's exploit of PB code has been hysterical. Here is a sample of the hysterics, this one, from an editorial near ground-zero itself:

Crossfire 3.0

"We should stop using PunkBuster. In its current state it is useless, meaning we could as well use no protection and have the benefit of a better performance. When PunkBuster, or any other anti-cheat for that matter, becomes usable again, we can still reconsider using it. I'm not trying to say that we shouldn't use an anti-cheat because there will never be an optimal, efficient one, but using one (PunkBuster) that is so flawed isn't really an option either."

-wipeout (Crossfire 3.0) 


Rubbing salt in PB's wounds, nC bragged about their work with this graphic on their website:


The upshot here is logically stated by wipeout on Crossfire's site:

"(i) All a cheat coder needs to do, in order to make his cheat undetected again, is search for the affected string in his code, change one char and possibly any reference to this string and (re-)compile the cheat. THAT'S IT! He got a working, undetected cheat again with hardly any effort.

(ii) False positives: like we see now anyone can get banned just for having a blacklisted string in his memory.

Think of these poor Evenbalance employees: after searching for cheats all day long, searching for strings to ban by and after they finally released a PunkBuster update after some days/weeks/months, the cheat is undetected again within a matter of minutes and all that's left are a lot of false positives, because some kid on the internet thinks it's fun to spam these blacklisted strings. Ouch."

The repercussions from this embarrassing situation were significant enough to elicit this quote from Even Balance on Mar 25, 2008, talking about this netCoders counterattack (source: Even Balance website).

"We rarely announce anything regarding commercial cheats and hacks. However, we are aware of the numerous "You Tube" type videos and posts on various sites where hackers who sell cheats make claims that are false but sound believable about PunkBuster and hack detection status. We receive numerous emails daily by concerned honest players regarding advertisements for undetectable hacks, etc. The truth is that via recent enhancements to PunkBuster's detection capabilities, we have cracked down hard on cheaters who pay for hacks in the games we support. Some commercial cheat sites have closed down due to our new methods and others have private forums where punks routinely complain about getting caught with the "undetectable" hacks, demanding refunds, etc. We have always maintained a strict policy of not giving money to punks, but thanks to community volunteer moles who have helped us obtain access to private hacks via donations of their time, etc., PunkBuster has been catching hacks from virtually all commercial cheat sites in recent weeks and months.

One of the recent enhancements involves our memory scanner which aggressively scans for patterns included in known cheats (public and private). A commercial hack site where we have had recent success catching their subscribers has recently staged a few demonstrations of inserting text-based patterns via certain chat-related systems such as IRC, Instant Messaging, etc. directly into the memory of computers. These are specific text patterns that we have deployed in some supported games in the recent past. It is clear that many of the demonstrators are cheat-supporters willingly participating in the demonstration, but there is evidence that some innocent players had PunkBuster violations triggered during the past few days by the hackers who sent specific text patterns into the chat programs that were open during gameplay. We are removing these text based patterns from our system and encourage admins to not ban for PB violations that occurred during the past few days.

Online gamers who play with other programs running should always enable security features in their messaging and chat programs to deny auto-download of files and only accept downloads from people they know and trust.

As always, from PunkBuster's standpoint, if a known cheat pattern is in the memory of the computer during gameplay, then a violation will be triggered. We have always suggested closing other programs while you are playing multiplayer games on PunkBuster servers and that remains the safest policy. Leagues that require chat room usage for competitive play should take steps to ensure that only league participants have access and suspicious activity should be reported to us when there are concerns about manipulating the system."


Even Balance has responded to the nC exploits by removing the string signatures from their database. What else could they do? The false positives that would have been generated had the checks stayed in place would have been staggering. Could they have been triggered by someone typing a signature into game chat, for instance?

Either way, round two to netCoders.
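
The false-positive mechanism from Round Two, as an added example that is not PunkBuster's or netCoders' code: a context-free scan for the #80332 bytes flags every process that holds the string, a scan scoped to image-backed memory of the game process does not, and a lint catches text-only signatures before they ship. The Region model, the process names and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Signature bytes exactly as shown in the #80332 dump quoted above:
# , "Rifle Aim Prediction:" followed by a NUL terminator (26 bytes).
SIG = bytes.fromhex(
    "2C 20 22 52 69 66 6C 65 20 41 69 6D 20 50 72 65"
    "64 69 63 74 69 6F 6E 3A 22 00"
)

@dataclass
class Region:
    """Hypothetical, simplified view of one memory region."""
    process: str        # owning process (constructed names below)
    image_backed: bool  # True: mapped from a loaded module; False: heap/stack
    data: bytes

def naive_scan(regions, sig):
    """Context-free scan: flag every region, in any process, holding sig."""
    return [i for i, r in enumerate(regions) if sig in r.data]

def scoped_scan(regions, sig, game):
    """Flag only module-backed regions that belong to the game process."""
    return [i for i, r in enumerate(regions)
            if r.process == game and r.image_backed and sig in r.data]

def text_injectable(sig):
    """Signature lint: True if sig is printable ASCII plus at most a trailing
    NUL, i.e. any program that stores received text as a C string holds it."""
    body = sig[:-1] if sig.endswith(b"\x00") else sig
    return len(body) > 0 and all(0x20 <= b <= 0x7E for b in body)

# Constructed sample memory. A chat line stored as a C string ends in NUL,
# which is why even the trailing 00 byte of the signature matches.
REGIONS = [
    Region("irc_client.exe", False, b"<someone> look" + SIG),    # IRC buffer
    Region("et.exe", False, b"say: hello" + SIG),                # game chat heap
    Region("et.exe", True, b"\x90\x90" + SIG + b"\x55\x8b\xec"), # loaded module
]

if __name__ == "__main__":
    print("naive hits :", naive_scan(REGIONS, SIG))             # all three regions
    print("scoped hits:", scoped_scan(REGIONS, SIG, "et.exe"))  # module only
    print("text-only signature:", text_injectable(SIG))
```

Scoping by region type is a simplification: it removes the chat-buffer false positives in this model, but it says nothing about how a real scanner classifies memory.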

Round Three

The next round may be make or break for both the legit gamers and the hackers. At stake is whether Even Balance can get back in the fight. They have clearly lost the ability to detect private hacks and this leaves all of us vulnerable (yet again) to the haxors out there.

Perhaps a clue as to where PB will go is anti-virus software.

This battle was fought out back in the 80's and 90's. We now have AV software that features sophisticated heuristics that can determine what a good or bad program is. Maybe Even Balance will invest in this technology.

In the meantime, if you are an average legit player, before you play online you may want to:

1. Reboot, or at the very least: clean out your browser caches 

2. Make sure you are not running any text chat programs (IRC seems especially vulnerable)

3. Cross your fingers.

