Author Topic: The Spread Of Aimbots.  (Read 155542 times)

kevlarman

  • Posts: 2737
  • Turrets: +291/-295
The Spread Of Aimbots.
« Reply #150 on: June 18, 2007, 06:40:58 pm »
Quote from: "null"
Quote from: ".f0rqu3"
I am talking about tremulous
and it is open source
but I think you dont understand this

and as I said I dont need to prove anything to you

loading a closed source anticheat dll.. *yawn*

at syscall / vm_create / vm_call look for JMP, JNZ, JZ, etc then if found flag as cheat... anticheat made!
ignoring the obvious workarounds for that solution, how do you plan to compile that on windows/mac os x/just about every bsd/linux/solaris/irix/etc. on x86,x86_64,ppc,IA64,and probably sparc and alpha too?
Quote from: Asvarox link=topic=8622.msg169333#msg169333
Ok let's plan it out. Asva, you are nub, go sit on rets, I will build, you two go feed like hell, you go pwn their asses, and everyone else camp in the hallway, roger?
the dretch bites.
-----
|..d| #
|.@.-##
-----

.f0rqu3

  • Guest
The Spread Of Aimbots.
« Reply #151 on: June 18, 2007, 06:41:56 pm »
good if you think that will work, proceed, and make an anticheat
but I know you are not after anticheat just trying to chain the convo
and you dont get my point:

trem is open source. any binary level hooking/change is stupid
you are the one who tweaked ogc to run with trem and distributed it

you wont get any replies

dodo1122

  • Posts: 160
  • Turrets: +0/-0
The Spread Of Aimbots.
« Reply #152 on: June 18, 2007, 06:57:50 pm »
f0rqu3 <3

anyway, right now because of that aimbot we only got tons of people using this aimbot, and therefore longer ban lists... i suppose it doesnt really matter after all, does it?  :) servers with admins = no problem there, aimbotters will just get banned. servers without admins? well, why the hell do they even exist?  

dodo
nime & manga fan <3

Currently learning the fine art of programming in c++
Currently on holidays (will be back @ 24/08/07 )

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #153 on: June 18, 2007, 11:32:19 pm »
Quote from: ".f0rqu3"

you are the one who tweaked ogc to run with trem and distributed it

you wont get any replies


I believe he STATED that he coded it from scratch... read back and see

null

  • Posts: 13
  • Turrets: +0/-0
The Spread Of Aimbots.
« Reply #154 on: June 19, 2007, 12:18:56 am »
Quote
ignoring the obvious workarounds for that solution, how do you plan to compile that on windows/mac os x/just about every bsd/linux/solaris/irix/etc. on x86,x86_64,ppc,IA64,and probably sparc and alpha too?

why bother figuring out for all? figure out for the ones that are hacked. or, another 'anticheat' would be a simple closed source mod dll that servers run with structs mixed around.

Quote
trem is open source. any binary level hooking/change is stupid

I said earlier, smaller file, easier to use.
<3

Plague Bringer

  • Posts: 3815
  • Turrets: +147/-187
The Spread Of Aimbots.
« Reply #155 on: June 19, 2007, 12:47:41 am »
U R A Q T

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #156 on: June 19, 2007, 03:14:27 am »
i doubt thats him... f0rc3 and f0rqu3 may look similar, but sorry, they probably are totally different people...

daenyth

  • Posts: 230
  • Turrets: +21/-26
The Spread Of Aimbots.
« Reply #157 on: June 20, 2007, 06:30:39 am »
I think that wider distribution of tjw's backport with guid built in would help.

Not so that we can track griefers, but so that we have a whitelist of known good players.

A good blacklist will never be as effective as a good whitelist. Indeed, by its very definition, a blacklist allows everyone (except blah blah and blah).

This, combined with competent admins, can easily reduce the problem to a manageable level. If aimbotters are forced to add in measures to the aimbot, such as slower movement, less than 100% accuracy, etc, in order to avoid suspicion, then they are reducing the effectiveness of the aimbot.


Back to my main point, I think a good step for this would be to distribute the backport on the main website, for example saying that the stock 1.1 version has been deprecated etc etc, or even just a brief blurb and a link. The client on the official site is hopelessly out of date.
Quote from: Bullislander05
It's like trying to take apple seeds out of a zebra to plant a giraffe tree.

ghostshell

  • Posts: 32
  • Turrets: +4/-4
    • Dretchstorm
banning is not the solution
« Reply #158 on: June 21, 2007, 07:07:46 am »
we (DretchStorm) are seeking a solution using the aimbots own system: prediction. if we can detect computed prediction, then aimbots can be spotted. the aimbots wouldnt be fixable because that would render them useless. I'm using a honeypot server to collect logs/data on aimbot prediction, also have copies of the [name withheld] aimbot source.

i'll let you know if i'm successful, so far it has been tricky but promising.

R1CH

  • Posts: 79
  • Turrets: +3/-1
    • http://www.r1ch.net/
The Spread Of Aimbots.
« Reply #159 on: June 21, 2007, 08:59:37 am »
Back when zbot and friends came out for Quake II, there wasn't even a cgame dll or anything that could be used client-side. Yet the bots were able to be detected through careful inspection of usercmds, looking for jitter and 'locking on' to targets. An unsophisticated aimbot will always do such things and thus be detectable to some degree in a similar manner. The fact Tremulous is open source and based on a game which already has a huge number of cheats makes it very easy to cheat as all the game data can be used to make an aimbot such as knowing exactly where each player is, your own velocity / aiming vector and input state, etc. While usercmd inspection may work for the current breed of aimbots, if they are still under development you can only expect them to get better.

The only real solutions are either a web of trust system or an anticheat. A web of trust would require guids for everyone and possibly work as a closed system where new players have to be referred by an existing player and any cheaters cause the referrer's reputation to be decreased also. A closed source binary anticheat, given how diverse Tremulous is OS-wise, would not be an easy undertaking - even if the checks themselves were relatively simple.

Metsjeesus

  • Posts: 40
  • Turrets: +5/-11
The Spread Of Aimbots.
« Reply #160 on: June 21, 2007, 12:32:59 pm »
Cheating is a problem. Not only in Tremulous, but in all games. We should gather information about what can be done and what can't be done in this situation. Maybe there is a solution.

There are 3 places to look. Server, connection and client.

I think the connection problem is solved by now. Using encryption methods to transfer information is good enough. If speed is needed you can combine encryption methods; I saw a way where an XTEA key was transferred through an RSA key pair. Works pretty good. Anyway, enough for connection, it can be secure.

Server is a bit harder. The problem is, the server sends a lot of information that the client doesn't need. Like where every opponent is, even if it's on the other side of the map, or sometimes even how many bullets he has in his gun. The less information you send, the fewer things there are to cheat with. Still, you must send the needed information and cheats can still use it. So the next thing to ask is, can the server detect a cheater during gameplay, not on startup. The most useless way is statistical, because there will always be lucky bastards who really sometimes shoot n times in a row to the head. A good idea is the "honeypot" (proposed here). If you know what the client needs, then you know what he doesn't need. At random times, spawn a normal opponent for some moments where a normal player doesn't see it. Like behind you if there is no one. If someone is cheating, it reacts and you can do something about it. The point is not only detecting cheaters, but making cheats useless. But the downside is, it's hard to find effective "honeypots" and they won't give 100% accurate results. There is a hard way to implement algorithms that detect certain patterns of cheats on the server side, but in the long term, it's useless. Is there anything more you can do on server side?

Last thing is client. You can't control what the client has on his computer. It can be anything, but through network connections it looks pretty much authentic. MD5 sums of files won't work: you can replace them with correct values and, most important, self-compiled binaries have their own MD5 sum. I have an idea, but I don't know how practical it is. There are 2 things you can trust. Server and connection. So you can send some programs/scripts from server to client and run them there. Can that program quickly detect if the client machine is running some cheat programs? If the answer is yes, can we use it? I imagine the program itself is open source, but every server has its own key pair to encrypt that program and of course, the program is usable 1 time only. Basically, you now secure that program, not the running client application. Maybe I'm running into a wall, maybe it helps.

Ty for listening:)
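
One way to combine the usercmd inspection from R1CH's post ("locking on") with the decoy idea from the post above into a server-side check, added here as an example that is neither from the thread nor from Tremulous. The record layout, the thresholds and both traces are assumptions constructed for illustration; `ideal_yaw`/`ideal_pitch` stand for the server-computed angles from the player's eye to a decoy or real target.

```c
#include <stdio.h>

#define SNAP_DEG    25.0f  /* one-frame view change that counts as a snap (assumed) */
#define LOCK_DEG     0.5f  /* aim error below this counts as "on target" (assumed) */
#define LOCK_FRAMES  5     /* frames the lock has to persist (assumed) */

/* Hypothetical per-usercmd log record, all angles in degrees. */
typedef struct { float yaw, pitch, ideal_yaw, ideal_pitch; } aim_sample_t;

static float wrap180(float a)
{
    while (a > 180.0f) a -= 360.0f;
    while (a < -180.0f) a += 360.0f;
    return a;
}
static float absf(float a) { return a < 0.0f ? -a : a; }
static float max2(float a, float b) { return a > b ? a : b; }

/* Largest per-axis difference between where the player looks and the target. */
static float aim_error(const aim_sample_t *s)
{
    return max2(absf(wrap180(s->yaw - s->ideal_yaw)), absf(s->pitch - s->ideal_pitch));
}

/* Largest per-axis view change between two consecutive commands. */
static float turn(const aim_sample_t *a, const aim_sample_t *b)
{
    return max2(absf(wrap180(b->yaw - a->yaw)), absf(b->pitch - a->pitch));
}

/* Count "snap then lock" events: a one-frame turn of at least SNAP_DEG that
   lands on the target and stays within LOCK_DEG for LOCK_FRAMES frames. */
int count_snap_locks(const aim_sample_t *s, int n)
{
    int events = 0;
    for (int i = 1; i < n; i++) {
        if (turn(&s[i - 1], &s[i]) < SNAP_DEG) continue;
        int held = 0;
        while (i + held < n && aim_error(&s[i + held]) < LOCK_DEG) held++;
        if (held >= LOCK_FRAMES) { events++; i += held - 1; }
    }
    return events;
}

/* Constructed trace: a decoy appears behind the player; the view turns about
   180 degrees in one frame and then follows the decoy's motion. */
static const aim_sample_t bot_trace[] = {
    { 10.0f, 0.0f, -170.0f, 2.0f },   { 10.4f, 0.2f, -170.0f, 2.0f },
    { -170.0f, 2.0f, -170.0f, 2.0f }, { -169.0f, 2.0f, -169.0f, 2.1f },
    { -168.0f, 2.1f, -168.1f, 2.1f }, { -167.1f, 2.2f, -167.0f, 2.2f },
    { -166.0f, 2.2f, -166.0f, 2.3f }, { -165.0f, 2.3f, -165.0f, 2.3f },
};
/* Constructed trace: a fast human flick that lands 8 degrees off and is then
   corrected with visible over- and undershoot. */
static const aim_sample_t flick_trace[] = {
    { 10.0f, 1.0f, 60.0f, 0.0f }, { 52.0f, 0.6f, 60.0f, 0.0f },
    { 58.5f, 0.3f, 60.0f, 0.0f }, { 60.3f, -0.2f, 60.0f, 0.0f },
    { 59.1f, 0.1f, 60.0f, 0.0f }, { 60.8f, 0.0f, 60.0f, 0.0f },
    { 59.7f, 0.2f, 60.0f, 0.0f }, { 60.2f, -0.1f, 60.0f, 0.0f },
};

int demo_bot(void)   { return count_snap_locks(bot_trace, 8); }
int demo_flick(void) { return count_snap_locks(flick_trace, 8); }

int main(void)
{
    printf("bot trace: %d event(s), flick trace: %d event(s)\n", demo_bot(), demo_flick());
    return 0;
}
```

A single event is a reason for an admin to look, not proof; as both posts point out, thresholds like these only catch aimbots that make no attempt to smooth their movement.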

.f0rqu3

  • Guest
The Spread Of Aimbots.
« Reply #161 on: June 21, 2007, 12:52:40 pm »
1 server sends the application
2 client DLs
3 client stops execution
4 runs his own version
5 sends wrong data
6 ...
7 PROFIT???

point: you cant trust any data coming from some random client

honeypot just wont work. it will just lead to more advanced aimbots
(+ successful or not you wont get the source from ghostshell XD)
web of trust is prone to abuse, and gonna keep lots of new players outside
(coming from r1ch, I am not excited)

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #162 on: June 21, 2007, 03:27:48 pm »
you can just use WPE Pro, cuz if the packets arent encrypted, you can easily manipulate the number of kills you get... or even better, kill a person remotely, or something...

David

  • Spam Killer
  • *
  • Posts: 3543
  • Turrets: +249/-273
The Spread Of Aimbots.
« Reply #163 on: June 21, 2007, 03:49:49 pm »
how?
Any maps not in the MG repo?  Email me or come to irc.freenode.net/#mg.
--
My words are mine and mine alone.  I can't speak for anyone else, and there is no one who can speak for me.  If I ever make a post that gives the opinions or positions of other users or groups, then they will be clearly labeled as such.
I'm disappointed that people's past actions have forced me to state what should be obvious.
I am not a dev.  Nothing I say counts for anything.

beerbitch

  • Posts: 195
  • Turrets: +11/-19
The Spread Of Aimbots.
« Reply #164 on: June 21, 2007, 06:40:09 pm »
This whole thread is pointless. You can't stop the cheating. As suggested before, the best defense against this are good admins. Every single game I've ever played where cheating became common, the developers spent WAY too much time trying to keep up with it. It's just not worth it, especially since this is an opensource game. Just play on servers with good admins.
Beerbitch - "Some days you're the pigeon, other days you're the statue"

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #165 on: June 21, 2007, 07:13:34 pm »
Quote from: "David"
how?


Well... im not sure if Tremulous' packets are encrypted, but if they are, you would have to do some extra work...

Lets say they arent tho...

WPE Pro is a basic Packet Editor known as Winsock Packet Editor (for those who dont know)

So what happens is, in some games where cheating with memory editors doesnt work, you can try a coding language (like C#, Perl, VB etc...) and using WPE Pro, you can record the packets for a kill... or record the packets as a dretch (since it auto attacks) you can basically speed those packets up. A typical packet is in hex, and usually looks SIMILAR to this:

0013 002 0039 129 2930 992 1029 01929
2039 029 0293 029 0291 837 5939 29381


and so on... Now if you were to send those packets back to the server, you would basically speed up the bite... That is... if the server accepts them. There are games like DarkEden, where hackers literally ruined it... how you may ask? Oh no, not gold hack... but worse... CHARACTER ERASE HACK! Yes!! Believe it or not, WPE Pro is capable of doing that. It takes much research but once you figure out how to do it, you can practically erase any char from the server. Legal? I think so... but you might not, and im really not too clear with this issue... So technically you can send a crash packet, or something. So the point is, if you kill someone, and record that packet (its a bit hard to differentiate them apart, only by size im guessing) and if you get it, you can send it to the server, no matter where you are. This tells the character that you killed, DIED... what happens now, is pretty simple. The character doesnt have to be alive, but it tells the server that he just died (regardless of living / dead status, if you're smart ;P) and this causes your kills to rank up! There are a lot of tricks you can do, im just learning this stuff at a snail's pace since im kinda too lazy to shut off all my securities and shit or else it will be detected and its just a pain with a slow computer. But ya, as I said, you can basically do w/e u want with it.

Edit - Oh i forgot to mention, reason DarkEden shut down is mainly due to character erases... Another good example tho of hacking is able to use a heal packet. What you do is > Go to a character that heals (NPC?) And record packets... once you heal, play it back, and there you go... in that map you have infinite heal. Note: There are also hacks with DE that allows you to powerlevel off another character level 1-100 in a mere hour, and allows you to respawn in same map, by a simple packet send... I dont know hex too well, i wish i did :\

gerbalblaste

  • Posts: 3
  • Turrets: +0/-0
The Spread Of Aimbots.
« Reply #166 on: June 21, 2007, 07:29:15 pm »
good thing that doesn't (shouldn't?) work in trem, hit detection and weapons upgrades/evolves are controlled server side so packet snuffing doesn't work.

.f0rqu3

  • Guest
The Spread Of Aimbots.
« Reply #167 on: June 21, 2007, 07:29:26 pm »
quake3 does not work this way

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #168 on: June 21, 2007, 07:38:37 pm »
I didnt say it did... and i just got banned from [T] TremX :( and its packet SNIFFING

im just saying, it works for some... in GunZ for example, my friend made teleport to player (with massive on its an instant kill) where you press numpad 1-0 including the / * - and + and it teleports to that slot, with massive and causes them all to die... fun thing, i know he used packets for it, but he also used coding for it... but its an EXAMPLE of what you CAN do with packets

and reason i posted the dretch thing is cuz i know it doesnt work... so ppl wont try it

benmachine

  • Posts: 915
  • Turrets: +99/-76
    • ben's machinery
The Spread Of Aimbots.
« Reply #169 on: June 21, 2007, 08:59:44 pm »
Packet modification is useless in Tremulous, as far as I understand. The server knows - always - what you can do and doesn't allow you to do anything else. You don't send a kill packet to the server, a damage packet, or even a hit packet. All you send is "I'm firing" and the server checks if you hit, calculates your damage, and resolves deaths. The client has remarkably little control over this process.
It is true, however, that the client is told too much - but imagine for a moment the processing power involved in calculating what every client can see and thus deciding whether to tell them something is there. Let's not forget, either, that the client needs information on targets not in line of sight to properly generate sounds and helmet information.
Ideally, every frame would be generated by the server and streamed to the client, along with audio :P but clearly that's impossible with today's bandwidth and server specs etc.

Yeah, so good admins - what happened to my idea of telling people where to go? What, I ask you?
I'll write a patch sometime soon to detect if admins are present and put it in the serverinfo string (which clients will promptly ignore, but it's a start)
benmachine

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #170 on: June 21, 2007, 09:06:45 pm »
Quote from: "benmachine"
Packet modification is useless in Tremulous, as far as I understand. The server knows - always - what you can do and doesn't allow you to do anything else. You don't send a kill packet to the server, a damage packet, or even a hit packet. All you send is "I'm firing" and the server checks if you hit, calculates your damage, and resolves deaths. The client has remarkably little control over this process.
It is true, however, that the client is told too much - but imagine for a moment the processing power involved in calculating what every client can see and thus deciding whether to tell them something is there. Let's not forget, either, that the client needs information on targets not in line of sight to properly generate sounds and helmet information.
Ideally, every frame would be generated by the server and streamed to the client, along with audio :P but clearly that's impossible with today's bandwidth and server specs etc.

Yeah, so good admins - what happened to my idea of telling people where to go? What, I ask you?
I'll write a patch sometime soon to detect if admins are present and put it in the serverinfo string (which clients will promptly ignore, but it's a start)


But the server still relies on what the client does... if you are in your base, the client tells the server that. What if you TRICK it into thinking you're in the OTHER team's base... after all, the client does control your location, and communicates with the server... Without the client communication, what the hell? The server isnt going to "Guess" where you are, it has to know some how...

.f0rqu3

  • Guest
The Spread Of Aimbots.
« Reply #171 on: June 21, 2007, 11:03:29 pm »
umm your position view angles etc are on server
player sends input only afaik

benmachine

  • Posts: 915
  • Turrets: +99/-76
    • ben's machinery
The Spread Of Aimbots.
« Reply #172 on: June 22, 2007, 12:15:40 am »
Server: Client, you're in human base
Client: No, I'm in alien base
Server: Fuck off, you're in human base
Client: Ok, ok, I want to move to alien base
Server: No.
Client: I want to move forward? Also I'm looking up
Server: You're moving forward, and looking up. You're now a bit ahead of the human base.
Client: OK, more forward 4me
Server: There's a wall there.
Client: :(
Client: OK, I'm gonna kill this guy
Server: No you're not.
Client: Well, I'm looking in his direction in pressing fire.
Server: Kinda sucks that you're holding a ckit and he's a tyrant then? Back to human base for you.
Client: D:
benmachine
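
The exchange above as a server loop, added here as an illustration that is not Tremulous source: the client's message carries inputs only, and the server clamps them and derives position, hits and damage from its own state. The types, the 1-D corridor, the constants and the damage values are assumptions made for the example.

```c
#include <stdio.h>

#define MAX_CMD_MSEC 200     /* longest time step one command may claim (assumed) */
#define SPEED        320.0f  /* units per second at full forward input (assumed) */
#define WALL_X       1000.0f /* 1-D corridor from 0 to WALL_X, for brevity */
#define RANGE        100.0f  /* weapon reach used by the server's hit test */

enum { WP_CKIT, WP_RIFLE };
static const int weapon_damage[] = { 0, 5 };  /* constructed values */

typedef struct { int msec, forwardmove, fire; } cmd_t;  /* client -> server: inputs only */
typedef struct { float x; int weapon, health; } ent_t;  /* state owned by the server */

static int clampi(int v, int lo, int hi) { return v < lo ? lo : (v > hi ? hi : v); }

/* Run one client command. Inputs are range-checked; position, hit test and
   damage come from server state. Returns the damage dealt. */
int server_run_cmd(ent_t *self, ent_t *target, const cmd_t *c)
{
    int msec = clampi(c->msec, 1, MAX_CMD_MSEC);
    int fwd = clampi(c->forwardmove, -127, 127);
    float d;

    self->x += SPEED * (fwd / 127.0f) * (msec / 1000.0f);
    if (self->x > WALL_X) self->x = WALL_X;  /* "There's a wall there." */
    if (self->x < 0.0f) self->x = 0.0f;

    if (!c->fire || !target) return 0;
    d = target->x - self->x;
    if (d < 0.0f || d > RANGE) return 0;     /* the server decides whether it hit */
    target->health -= weapon_damage[self->weapon];
    return weapon_damage[self->weapon];
}

/* Constructed: a tampered command claims a 60 s step and forwardmove 10000.
   Returns the resulting position, which equals one honest 200 ms step. */
float demo_tampered_step(void)
{
    ent_t me = { 0.0f, WP_RIFLE, 100 };
    cmd_t c = { 60000, 10000, 0 };
    server_run_cmd(&me, NULL, &c);
    return me.x;
}

/* Constructed: 100 full-speed steps toward the wall; returns the final position. */
float demo_wall(void)
{
    ent_t me = { 0.0f, WP_RIFLE, 100 };
    cmd_t c = { 200, 127, 0 };
    for (int i = 0; i < 100; i++) server_run_cmd(&me, NULL, &c);
    return me.x;
}

/* Constructed: fire at a target 20 units ahead; returns the target's health. */
int demo_fire(int weapon)
{
    ent_t me = { 500.0f, weapon, 100 };
    ent_t tyrant = { 520.0f, WP_CKIT, 400 };  /* weapon field unused for the target */
    cmd_t c = { 50, 0, 1 };
    server_run_cmd(&me, &tyrant, &c);
    return tyrant.health;
}

int main(void)
{
    printf("tampered step -> x=%.1f, wall -> x=%.1f\n", demo_tampered_step(), demo_wall());
    printf("ckit -> %d hp left, rifle -> %d hp left\n", demo_fire(WP_CKIT), demo_fire(WP_RIFLE));
    return 0;
}
```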

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #173 on: June 22, 2007, 12:24:14 am »
so what does the client do then??

It seems like runescape, the server decides everything...

kevlarman

  • Posts: 2737
  • Turrets: +291/-295
The Spread Of Aimbots.
« Reply #174 on: June 22, 2007, 12:47:55 am »
Quote from: "Evlesoa"
so what does the client do then??

It seems like runescape, the server decides everything...
the client draws a pretty picture and tells the server what buttons you push
Quote from: Asvarox link=topic=8622.msg169333#msg169333
Ok let's plan it out. Asva, you are nub, go sit on rets, I will build, you two go feed like hell, you go pwn their asses, and everyone else camp in the hallway, roger?
the dretch bites.
-----
|..d| #
|.@.-##
-----

Metsjeesus

  • Posts: 40
  • Turrets: +5/-11
The Spread Of Aimbots.
« Reply #175 on: June 22, 2007, 08:25:34 am »
Quote from: ".f0rqu3"

1 server sends the application
2 client DLs
3 client stops execution
4 runs his own version
5 sends wrong data
6 ...
7 PROFIT???
point: you cant trust any data coming from some random client

Yes, you can't trust any data. The point of that thing is, you now must secure this small application, not the whole client. I don't know exactly if it's possible. Since you must use it 1 time only, it's not static. Since the server knows what program is sent, he also knows what data he is expecting and it can be random, not just 0 or 1. Ideal is the client runs a program, but the haxxor can't read what that program does. I still don't know if it's possible to secure one program like that.

beerbitch

  • Posts: 195
  • Turrets: +11/-19
The Spread Of Aimbots.
« Reply #176 on: June 22, 2007, 03:42:53 pm »
Quote from: "benmachine"

Yeah, so good admins - what happened to my idea of telling people where to go? What, I ask you?
I'll write a patch sometime soon to detect if admins are present and put it in the serverinfo string (which clients will promptly ignore, but it's a start)


I love this idea. I'll run that patch on OPP if you make one.
Beerbitch - "Some days you're the pigeon, other days you're the statue"

Evlesoa

  • Guest
The Spread Of Aimbots.
« Reply #177 on: June 23, 2007, 05:49:08 pm »
Umm if admins are what...

jal

  • Posts: 249
  • Turrets: +8/-7
The Spread Of Aimbots.
« Reply #178 on: June 24, 2007, 11:25:32 am »
Quote from: "benmachine"
Server: Client, you're in human base
Client: No, I'm in alien base
Server: Fuck off, you're in human base
Client: Ok, ok, I want to move to alien base
Server: No.
Client: I want to move forward? Also I'm looking up
Server: You're moving forward, and looking up. You're now a bit ahead of the human base.
Client: OK, more forward 4me
Server: There's a wall there.
Client: :(
Client: OK, I'm gonna kill this guy
Server: No you're not.
Client: Well, I'm looking in his direction in pressing fire.
Server: Kinda sucks that you're holding a ckit and he's a tyrant then? Back to human base for you.
Client: D:


Haha nice description, and yes, it is VERY accurate of how it works.

Yarou

  • Posts: 218
  • Turrets: +43/-109
The Spread Of Aimbots.
« Reply #179 on: June 24, 2007, 11:19:41 pm »
This thread needs to die.
Half of you don't know what the fuck you're talking about.


Currently:
{&}Yarou