Author Topic: How the F*** did BattlEye detect WPE Pro?  (Read 5707 times)

0 Members and 1 Guest are viewing this topic.

Double Hack

  • Klass Klown
  • ***
  • Posts: 254
  • Do a barrel roll
    • View Profile
How the F*** did BattlEye detect WPE Pro?
« on: December 01, 2010, 09:21:16 pm »
Joined 2 servers in Arma 2, WPE Pro with Hidetoolz 2.2, got kicked by the Slut for "Gamehack #21".

Later joined server with BE, Used WPE Pro in Lobby, Exited Hidetoolz and WPE Pro, joined mission, got kicked for "Gamehack #20".

I mean, how did BattlShit detect this? Changes in bisign? Repeated sending of a single bisign?


Double H-a-c-k, the Original Spoof clown XD

bptuner

  • Online Villain
  • ***
  • Posts: 124
  • █▄ █▄█ █▄ ▀█▄
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #1 on: December 01, 2010, 10:14:39 pm »
Looks like they've added detection for the *injection* of WpeSpy.dll; HideToolz does nothing to protect from this as it only hides the window and its name.

Regardless, it looks like the WPE method (maybe the entire sendto exploit) has been patched.

If its just WPE's dll, just make your own hook, use google to find the api's you need or just disable BE lol.

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #2 on: December 01, 2010, 10:24:16 pm »
yep wpe is detected just tried when i read this got kicked gamehack #20 shut down wpe after lobby .. gamehack #21


there goes the wpe method lol
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

https://www.youtube.com/watch?v=62_7-AYfdkQ
you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

bptuner

  • Online Villain
  • ***
  • Posts: 124
  • █▄ █▄█ █▄ ▀█▄
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #3 on: December 01, 2010, 10:25:27 pm »
Also, if its just the added detection of WpeSpy, then just use a different program to filter your packets. Theres a ton more than just WPE. Just google "packet editor".

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #4 on: December 01, 2010, 10:26:43 pm »
they will be detectd also , be is checking deeper than just the dll name

be carefull i heard they have started guid banning
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

https://www.youtube.com/watch?v=62_7-AYfdkQ
you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

karmalover

  • I canz carpet bomb joo?
  • Online Villain
  • ***
  • Posts: 201
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #5 on: December 01, 2010, 10:31:07 pm »
yes i confirm the WPE age has ended  :icon_laugh

deleted...
« Last Edit: December 01, 2010, 10:39:23 pm by karmalover »

Double Hack

  • Klass Klown
  • ***
  • Posts: 254
  • Do a barrel roll
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #6 on: December 01, 2010, 10:34:04 pm »
Regardless, it looks like the WPE method (maybe the entire sendto exploit) has been patched.

There is an option with the filter to send/check in winsock 2.2.
Would that do anythink?


Double H-a-c-k, the Original Spoof clown XD

karmalover

  • I canz carpet bomb joo?
  • Online Villain
  • ***
  • Posts: 201
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #7 on: December 01, 2010, 10:38:48 pm »
now you have to NOP things

i don't think winsock 2.2 would be useful

Double Hack

  • Klass Klown
  • ***
  • Posts: 254
  • Do a barrel roll
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #8 on: December 02, 2010, 12:06:33 am »
Disabling BattlEye is one way, just a shame mr medic's offsets he provided have changed


Double H-a-c-k, the Original Spoof clown XD

Coronel_Niel

  • Insane Joker
  • ****
  • Posts: 846
  • Why can't I pick my own profile picture...
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #9 on: December 02, 2010, 12:58:08 am »
I am pritty sure there is a way to detect all PBO's a person has loaded. Not sure if you can send it to other players, but its in the functions module.
"Now we are going to watch my boys do it" - Joopig

Pride

  • Klass Klown
  • ***
  • Posts: 332
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #10 on: December 02, 2010, 04:45:44 am »
Disabling BattlEye is one way, just a shame mr medic's offsets he provided have changed

1.56:
4C7124

Well, somewhere around there. :P

Double Hack

  • Klass Klown
  • ***
  • Posts: 254
  • Do a barrel roll
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #11 on: December 02, 2010, 03:06:49 pm »
May I ask how the technique of finding the BE offsets is? Like what to search for?


Double H-a-c-k, the Original Spoof clown XD

karmalover

  • I canz carpet bomb joo?
  • Online Villain
  • ***
  • Posts: 201
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #12 on: December 02, 2010, 07:36:40 pm »

Quote

1.56:
4C7124

Well, somewhere around there. :P

 :icon_laugh

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #13 on: December 02, 2010, 11:47:43 pm »
winsoc 2.0 is not used in arma 2 or oa

OA... 0x4AD2C8  ORIG [0x75] CHANGE TO [0xEB]  :icon_rolleyes2 1.56

A2... 0X498A27  ORIG [0x75] CHANGE TO [0xEB]   :icon_shifty 1.08

battleye disabled OA and Arma 2
« Last Edit: December 02, 2010, 11:55:09 pm by MrMedic »
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

https://www.youtube.com/watch?v=62_7-AYfdkQ
you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

Double Hack

  • Klass Klown
  • ***
  • Posts: 254
  • Do a barrel roll
    • View Profile
Re: How the F*** did BattlEye detect WPE Pro?
« Reply #14 on: December 02, 2010, 11:53:31 pm »
Or, you could just go to AppData and remove the BE.dll and rename the Battleye folder in Arma2  :icon_thumbsup


Double H-a-c-k, the Original Spoof clown XD