PreedSwe

Hackers running wild, no way to stop them...


Yes, I too am fed up with having my games ruined. I work full time and have 3 kids, so I get very little spare time, and if I am playing a game and I'm 1 hour in and a hacker ruins it, it's upsetting.

I hope more time and energy is budgeted on this issue.

Ahmed.

Well, it's simple: no encryption and signing of the network flow makes cheater/tampering-related issues nearly guaranteed. I saw this in all baseline-engine games in the past, resolved in the same ways by different developer teams.


Well, too bad then, because the hackers have cracked the encryption (took them a day or two) and can already do what they did before...

The best solution (for me and a lot of other admins) would be to be able to log all incoming (only incoming) packets (not a default option, of course) in clear text server-side (the server decrypts them anyway, right? Just send the decrypted packet stream to a log file).

This creates quite large log files, but that should not be a problem if you set up log rotation, which I have. I rotate the logs every 6 hours and they gzip in the background. 24 hours of zipped logs amount to approx. 1.8-2 GB.

To go with the logs I wrote a PHP web script that our admins can use to catch hackers. It can be set to scan the log from 5, 10, 20 or 30 minutes back (scanning the entire log could otherwise take a very long time and a lot of resources; just 30 minutes can be 3-3.5 million lines of text with 50 players on the server).

Unfortunately, the way the script works right now, it requires a few Linux commands (grep, tail, tac), but there are equivalent programs for Windows. I resorted to using the shell programs because PHP is not that good at processing files, especially large ones. In either case there are many other ways to do that particular part of the script (just one line of code) to get it working in Windows too.

I had just finished fine-polishing the script and was getting ready to release it to the public when the packet encoding update came along. :/

EDIT: I found a package of Unix commands ported to Windows here: http://sourceforge.net/projects/unxutils so if this becomes an option again in the future I will easily be able to provide a working version for Windows.

Edited by PreedSwe

> Well, too bad then, because the hackers have cracked the encryption (took them a day or two) and can already do what they did before...
>
> The best solution (for me and a lot of other admins) would be to be able to log all incoming (only incoming) packets (not a default option, of course) in clear text server-side (the server decrypts them anyway, right? Just send the decrypted packet stream to a log file).
>
> This creates quite large log files, but that should not be a problem if you set up log rotation, which I have. I rotate the logs every 6 hours and they gzip in the background. 24 hours of zipped logs amount to approx. 1.8-2 GB.
>
> To go with the logs I wrote a PHP web script that our admins can use to catch hackers. It can be set to scan the log from 5, 10, 20 or 30 minutes back (scanning the entire log could otherwise take a very long time and a lot of resources; just 30 minutes can be 3-3.5 million lines of text with 50 players on the server).
>
> Unfortunately, the way the script works right now, it requires a few Linux commands (grep, tail, tac), but there are equivalent programs for Windows. I resorted to using the shell programs because PHP is not that good at processing files, especially large ones. In either case there are many other ways to do that particular part of the script (just one line of code) to get it working in Windows too.
>
> I had just finished fine-polishing the script and was getting ready to release it to the public when the packet encoding update came along. :/
>
> EDIT: I found a package of Unix commands ported to Windows here: http://sourceforge.net/projects/unxutils so if this becomes an option again in the future I will easily be able to provide a working version for Windows.

You can't "crack the encryption" that way, at that scale or at that speed. Otherwise you would be hired by the Feds, who are very hungry for such capabilities/tech, presently and for good reason. Unless you use bogus, "weakened on purpose", hand-made/home-made crap, of course.

And no, there is a "signing" part of it, GUARANTEEING the integrity/authenticity of unaltered traffic.

> You can't "crack the encryption" that way, at that scale or at that speed. Otherwise you would be hired by the Feds, who are very hungry for such capabilities/tech, presently and for good reason. Unless you use bogus, "weakened on purpose", hand-made/home-made crap, of course.
>
> And no, there is a "signing" part of it, GUARANTEEING the integrity/authenticity of unaltered traffic.

The "encryption" is actually a relatively simple packet encoding (though, from what I gather, different for every client).


I don't mean to CRACK the encryption, but the game has to decrypt it to be able to use the data itself. So it's in memory somewhere; I just haven't learned how to access it yet, like I said I'm a noob at debugging :o

I have, however, managed to access the incoming unencrypted data stream inside the server process, so it's a start. :D

I am fairly certain that it is not illegal in any way to decrypt/read data that comes in to MY OWN server. Especially since I have no malicious intent.

Edited by PreedSwe

> The "encryption" is actually a relatively simple packet encoding (though, from what I gather, different for every client).

No, it isn't nowadays.

Not simple, nor resource-free [in terms of CPU overhead], then.

Combined with organically-tied message SIGNING, it can GUARANTEE the authenticity of packets, or make messing/tampering with the network flow economically uncomfortable even for Uncle Sam.

> I don't mean to CRACK the encryption, but the game has to decrypt it to be able to use the data itself. So it's in memory somewhere; I just haven't learned how to access it yet, like I said I'm a noob at debugging :o
>
> I have, however, managed to access the incoming unencrypted data stream inside the server process, so it's a start. :D
>
> I am fairly certain that it is not illegal in any way to decrypt/read data that comes in to MY OWN server. Especially since I have no malicious intent.

Oh, we're talking about end-user abuse now? Just like "tracedump it and all your shiny ASPACK purchase is left in smoke", as ironically said by the UPX creator? ;)

ANYTHING can be exploited at the END USER; that's why complex and expensive DRM chips and loops are used everywhere from STBs, video "consoles" and GPUs to even digicams and hard drives. Look at the latest Infineon DRM chip/solution references/datasheets for reference/example :-) Cracking the previous version required weeks of work with powerful acids, an STM microscope and very-very-very skilled/expensive personnel to do it. The newer version can sustain this approach/attack too, presently ;=)

Bottom line: to thwart attacks on this level, you need anti-cheating mechanics on a level that you [or another consumer or software developer] can't get into, such as SMI/SMM or PatchGuard at least, backed by hardware portions like Infineon [or similar, differently-branded] chips, just like those used in the MAJORITY of UEFI 2.x-capable motherboards, i.e. ALL Win8-certified PCs ;-)

The bright side of DRM is that it's a NATIVE part of the MS OS [and OS-certified hardware/drivers] starting from Windows Vista ;-)

Edited by BasileyOne


I have no clue what you are talking about...

My approach to catching the hackers worked like a charm... (and I'm not the only one who used this way to catch hackers, FYI)

Server got hacked -> Admin loaded up the web script -> Entered a keyword for the attack, i.e. a classname (a10 if A10s were spawned) or setdamage (if everyone just fell down dead) -> 3 seconds later you had a search result on your screen showing you EXACTLY who sent the command to the server, for instance:

Some examples from our ban logs...

31.205.65.218:2304 -> 176.9.76.77:2302 if (1 == 1) then { vojtec_team = createGroup West; PLANE1 = createVehicle ["A10_US_EP1", [(getpos player select 0)+ 20, (getpos player select 1),1000], [], 0, "FLY"]; "TK_Special_Forces_EP1" createunit (getpos player select 0), (getpos player select 1), 50], vojtec_team,"vojtec_unit = this", 1.0, "PRIVATE"]; vojtec_unit setSkill 1; vojtec_unit moveindriver PLANE1; (vehicle player) attachTo [PLANE1,[0,1.3,2.4;};

80.56.204.187:2304 -> 176.9.76.77:2302 .......1o,..........\,...(JE.TTT5derCode.......STRINGKontostand = 1; Geld=0; geld=0; copfgeld=0; call INV_addinventoryitem;add_civmoney. = -999999999;add_copmoney. = -99999999999;add_workplace. = -99999999999;

71.162.149.220:2304 -> 94.242.227.62:2302 ^....).{.....K...........P.l....titleText ["WWW.PORNHUB.COM Beat your meat today!", "PLAIN"];

We caught 100% of the hackers when an admin was online to do it.

I know this is after the fact and not a super great solution; it WOULD be better for them not to be able to hack in the first place. But we kept them away and were not getting hacked that often. Before we had this, one hacker could come in, do his hacks etc. and keep doing that daily for weeks before slipping up and getting caught. So just one person could ruin the game for a long time.

The current solution, using the scripts.txt system BE provides, does not work for us. Why?

A) We don't have the time to go through all the hacks (and there are new ones coming out daily) to create strings to catch, and since we can't even read the network packets anymore, creating strings from those, which would have been easy, is not an option either.

B) The lazy way would be to just add every function that could potentially be harmful, such as "setpos", "setdamage", "createvehicle" etc., on a line each and then add exclude strings for every legit line of code where the function is used in the mission. I tried that with setpos; all the legit code in our mission amounted to over 1600 characters, which would cause tremendous stress on the client computer. And even if it didn't, the strings are limited to 256 characters in length.

Creating the strings was easy though; I just made a small shell script that grep'ed setpos (or whatever you entered as input to the script), then created escapes for the "s inside the code, added !" at the front and a " at the end, then stripped all the \n's.

This would have been very easy to implement... if it would not completely fry the client computer with 20 or more functions being tracked like this ;)

Dwarden told me it's easy for him to do for DayZ because DayZ does not have a ton of scripts or many places where things like setdamage/createvehicle are executed; perhaps most of it is handled server-side.
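The log-scanning workflow PreedSwe describes (a server-side clear-text packet log, scanned only N minutes back, grepped for a keyword, answering "who sent it") as an added example, not the PHP script from the post and not any BattlEye or BIS code. The log format with a leading ISO-8601 timestamp is an assumption (the ban-log excerpts above show only source, destination and payload); the addresses and packet lines below are constructed for the example, and the third one mimics the A-10 spawn excerpt quoted above.

```python
"""Keyword scan over a server-side plaintext packet log.

Added example, not PreedSwe's PHP script or any BattlEye/BIS code. It
reproduces the workflow from the post: the server writes every incoming
packet to a log in clear text, the log is scanned only N minutes back, an
admin types a keyword (a classname such as a10, or a command such as
setdamage), and the result names the source address that sent it.

Assumed log format (an assumption; the thread's excerpts show only
"src -> dst payload" without a timestamp):
    <ISO-8601 timestamp> <src_ip:port> -> <dst_ip:port> <decoded payload>
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}:\d+) -> (?P<dst>\S+) (?P<payload>.*)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, payload), or None for a line that does not
    parse (binary junk from a packet that never decoded cleanly, a truncated
    line at a rotation boundary, ...)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return ts, m.group("src"), m.group("dst"), m.group("payload")


def scan_log(lines, keyword, minutes_back, now):
    """Packets whose payload contains keyword, looking only minutes_back
    minutes before now.

    The log is append-only and time-ordered, so it is walked from the end
    (what `tac` did in the shell version) and the walk stops at the first
    line older than the cutoff instead of touching the whole file.
    Matching is case-insensitive because SQF identifiers are."""
    cutoff = now - timedelta(minutes=minutes_back)
    needle = keyword.lower()
    hits = []
    for line in reversed(lines):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _dst, payload = parsed
        if ts < cutoff:
            break
        if needle in payload.lower():
            hits.append((src, ts, payload))
    hits.reverse()  # back to chronological order for the admin
    return hits


def suspects(hits):
    """Hits per source address; the top entry is the ban candidate."""
    return Counter(src for src, _ts, _payload in hits)


# Constructed sample log (documentation-range addresses, made up for this
# example). The createVehicle line mimics the A-10 spawn excerpt in the thread.
NOW = datetime(2012, 8, 1, 12, 30, 0)
SAMPLE_LOG = [
    "2012-08-01T11:55:00 192.0.2.10:2304 -> 198.51.100.5:2302 hint \"welcome\"",
    "2012-08-01T12:05:00 192.0.2.20:2304 -> 198.51.100.5:2302 player setPos (getMarkerPos \"spawn\")",
    "2012-08-01T12:22:10 192.0.2.10:2304 -> 198.51.100.5:2302 "
    "PLANE1 = createVehicle [\"A10_US_EP1\", [(getpos player select 0)+20, (getpos player select 1), 1000], [], 0, \"FLY\"];",
    "\x00\x1fjunk that never decoded cleanly",
    "2012-08-01T12:25:00 192.0.2.30:2304 -> 198.51.100.5:2302 titleText [\"some spam\", \"PLAIN\"];",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG, "a10", 30, NOW)
    for src, ts, payload in hits:
        print(ts.isoformat(), src, payload[:60])
    print(suspects(hits).most_common(1))
```

Reading from the tail and stopping at the cutoff is what keeps a 30-minute window cheap on a multi-million-line log; the junk line shows why the parser has to tolerate undecodable packets rather than abort on them.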


First: true, you obviously haven't. And thanks for admitting it. Modern cryptography isn't SO simple, but it isn't so hard to use when you understand the basic principles.

Crypto/hash/asymmetric cipher/signing-based measures can make messing with the network flow pointless with reasonably-priced hardware [and hard to manage with unreasonably-applied/scaled forces/efforts].

"When an admin is online" defeats the main purpose of EFFICIENT anti-cheating systems, because the admin HIMSELF is WAY more efficient than ANYTHING hand-made/created by people, and is clearly unavailable/absent 99% of the time, which clearly invalidates/nullifies reliance on such an approach/method.

Basically the major trend WITHIN BIS contradicts further improving anti-cheating efficiency, by its emphasis on offloading most CPU overhead to the client side [citing: "most players' PCs are insanely powerful", which isn't true, because most server/map defaults clearly reveal that the major player base's PCs can't handle OFP:R, let alone Arma 2 :].

Especially notable in the DayZ example :( where nearly everything is crippled down from being [efficiently] controlled server-side "on purpose", making this thing eventually unsuitable for exactly what they are targeting: a long-term MMO experience.

Edited by BasileyOne


I keep telling Dwarden that the BE script detection system is silly, but I guess if it works for DayZ then everything is good in the world... :/

> No, it isn't nowadays.
>
> Not simple, nor resource-free [in terms of CPU overhead], then.
>
> Combined with organically-tied message SIGNING, it can GUARANTEE the authenticity of packets, or make messing/tampering with the network flow economically uncomfortable even for Uncle Sam.

I was referring to what's implemented in 1.62 currently.


PreedSwe, I don't quite get what the difference is between your old method and the ones BE provides now?

What are the differences or limitations you have there?

> I was referring to what's implemented in 1.62 currently.

Last I knew, it's only provided [in a low-overhead shape, so maybe reinforced further too] in the 1.63 beta, because 1.62 lacked the [quite essential] traffic-signing features, without which encryption isn't so meaningful [for guaranteeing the authenticity of traffic], but maybe I misread the readmes.

> PreedSwe, I don't quite get what the difference is between your old method and the ones BE provides now?
>
> What are the differences or limitations you have there?

The difference was that we didn't need to know what hack the hacker was using; if he spawned cows, we could scan the logs for cows and see who sent the command containing that keyword to the server...

With BE script detection, you have to pre-emptively know how all the different hacks work, keywords in the code or how a command string looks. And trust me, there are A LOT of hack programs/scripts to go through.

Our mission is very complex, with 800 KB of .sqf code, so we cannot generalize and just put "createvehicle" in the scripts.txt and put an exception string in !"" for every legit instance of that function in the mission. It is way too many.
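The exclusion-building pipeline PreedSwe describes in point B) above (grep the mission for a function, escape the quotes in each matching line, wrap it as !"..." and append it to that function's scripts.txt line), together with the two limits he ran into (total exclusion length per function, and the 256-character cap on a single string), as an added example. This is not the shell script from the post and not BattlEye tooling. Assumptions not in the thread: the filter line layout "<action> <pattern> !"<exclusion>" ..." with action 5 follows common scripts.txt usage, double quotes are escaped as \", and the .sqf excerpt is constructed.

```python
"""Building scripts.txt exclusions from a mission, and why approach B) breaks.

Added example; not the shell script from the post and not BattlEye's own
tooling. It follows the pipeline the post describes: grep the mission's .sqf
for a function name, escape the double quotes inside each matching line,
wrap it as !"..." and append it to the filter line for that function. It
then measures what the post measured: total exclusion text per function and
which individual exclusions exceed the 256-character limit mentioned above.

Assumptions (not in the post): the "<action> <pattern> !"..." ..." layout and
action 5 follow common scripts.txt usage; quotes are escaped as \"; the
mission excerpt below is constructed.
"""
import re

MAX_STRING_LEN = 256  # per-string limit quoted in the post


def legit_snippets(sqf_text, func):
    """Mission lines that legitimately call func (case-insensitive, as SQF
    is), stripped of indentation; one exclusion will be needed per line."""
    pat = re.compile(re.escape(func), re.IGNORECASE)
    return [ln.strip() for ln in sqf_text.splitlines() if pat.search(ln)]


def escape_for_filter(snippet):
    """Escape backslashes first, then the double quotes (assumed \" form)."""
    return snippet.replace("\\", "\\\\").replace('"', '\\"')


def build_filter_line(func, sqf_text, action=5):
    """The scripts.txt line for func with every exclusion it needs."""
    excl = [f'!"{escape_for_filter(s)}"' for s in legit_snippets(sqf_text, func)]
    return " ".join([str(action), func] + excl)


def audit(func, sqf_text, max_len=MAX_STRING_LEN):
    """What the post ran into: how much exclusion text func needs in total
    (the post measured over 1600 characters for setpos) and which single
    exclusions are over the per-string limit and so cannot be expressed."""
    escaped = [escape_for_filter(s) for s in legit_snippets(sqf_text, func)]
    return {
        "count": len(escaped),
        "total_chars": sum(len(s) for s in escaped),
        "over_limit": [s for s in escaped if len(s) > max_len],
    }


# Constructed mission excerpt (not from any real mission). The last line is a
# typical one-line crate setup, long enough to blow the 256-character cap.
MISSION_SQF = (
    '// constructed mission excerpt\n'
    '_veh = createVehicle ["Land_Barrel", _pos, [], 0, "NONE"];\n'
    '_veh setPos (getMarkerPos "respawn_west");\n'
    'player setDamage 0;\n'
    '_hq = createVehicle ["USMC_WarfareBFieldhHospital", _pos, [], 0, "NONE"];\n'
    '_crate = createVehicle ["USSpecialWeaponsBox", [(getMarkerPos "depot" select 0) + 10, '
    '(getMarkerPos "depot" select 1) + 10, 0], [], 0, "NONE"]; clearWeaponCargo _crate; '
    'clearMagazineCargo _crate; _crate addWeaponCargo ["M4A1_AIM_SD_camo", 10]; '
    '_crate addMagazineCargo ["30Rnd_556x45_StanagSD", 100]; _crate addWeaponCargo ["M9SD", 10]; '
    '_crate addMagazineCargo ["15Rnd_9x19_M9SD", 100]; _crate setPos (getMarkerPos "depot");\n'
)

if __name__ == "__main__":
    for func in ("createVehicle", "setPos", "setDamage"):
        report = audit(func, MISSION_SQF)
        print(func, report["count"], "exclusions,", report["total_chars"], "chars,",
              len(report["over_limit"]), "over limit")
    print(build_filter_line("setDamage", MISSION_SQF))
```

Even this four-line excerpt produces one exclusion that cannot fit in a 256-character string, and every additional legitimate call site adds another string the client has to match on every packet; the approach scales with the mission, not with the number of hacks.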


I've heard BIS implemented a feature which auto-bans users who spawn items, but yesterday I was playing on the arma2.ru (co) Wasteland server and hackers could spawn a Ka-52, Su-34 and F-35 and destroy half of Chernarus with them. Why is that? Or did I misunderstand something about that anti-spawn feature?


Well, you could ask $able to add a command to log all scripting traffic, I suppose.


lol, even more, they can teleport now. Hopefully BIS will choose another, proper anti-cheat system. Yes, it was enough before DayZ, since Arma 2 was not so populated. But more players sadly means more cheaters/hackers, and if the same shit happens in Arma 3, when hackers can do all they want there as well, I might play singleplayer only then lol.

> I've heard BIS implemented a feature which auto-bans users who spawn items, but yesterday I was playing on the arma2.ru (co) Wasteland server and hackers could spawn a Ka-52, Su-34 and F-35 and destroy half of Chernarus with them. Why is that? Or did I misunderstand something about that anti-spawn feature?

That feature may not have been configured on that server. Also, if the mission contains those vehicles (I'm unfamiliar with that mission), they wouldn't be able to block it, since that would also kick legitimate players.

> Well, you could ask $able to add a command to log all scripting traffic, I suppose.

What's really needed is a way to log PVs, including the client who sent them. Certain missions (in particular the life missions, and possibly others) also need to be modified to use PVEHs for functions and only send the necessary data, rather than sending a PV with a string of code. Currently, remote code execution is still possible on those missions and isn't logged, since it isn't done through setVehicleInit.

I would also like to see a syncVariable function that only sends the value to the server rather than to all clients, as well as a way to identify the client that sent it from a PVEH. Having to send the player name in the PV is insecure and can easily be spoofed (never trust the client!). This is a bit OT though.

> Hopefully BIS will choose another, proper anti-cheat system.

There is nothing wrong with BattlEye.
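The two designs contrasted in the post above (a PV whose payload is a string of code that the receiver runs, versus a PVEH-style handler that takes a command name plus only the data it needs, validates it, and takes the sender's identity from the server-side connection rather than from a name in the packet), as an added example. It is written in Python rather than SQF, and is not code from the thread or from any life mission; the state, connection, money figures and transfer cap are constructed for the example.

```python
"""Client-sent "publicVariable" messages: code string vs. data-only handler.

Added example in Python (not SQF, and not code from the thread or from any
mission). It models the two designs contrasted above: a PV whose payload
is a string of code that the receiving side runs, versus a PVEH-style
handler that accepts a command name plus the data it needs, validates it,
and takes the sender's identity from the server-side connection rather than
from a name inside the packet. State, players and figures are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Connection:
    """What the server knows about a client from the join handshake. This
    identity is established server-side and is the only one handlers use."""
    player: str


@dataclass
class ServerState:
    money: dict = field(default_factory=dict)
    log: list = field(default_factory=list)


# ---- pattern 1: the payload is code ------------------------------------
def handle_pv_code_string(state, conn, pv):
    """Whatever the client put in pv["code"] runs with the receiver's full
    authority: remote code execution by design. There is nothing useful to
    log either, because the 'command' is arbitrary text."""
    exec(pv["code"], {"state": state})
    return "executed"


# ---- pattern 2: the payload is a command name plus data ----------------
MAX_TRANSFER = 10_000  # assumed per-transaction cap for the example


def cmd_transfer_money(state, conn, args):
    amount, to = args.get("amount"), args.get("to")
    if not isinstance(amount, int) or not 0 < amount <= MAX_TRANSFER:
        raise ValueError(f"bad amount {amount!r}")
    if not isinstance(to, str) or to == conn.player:
        raise ValueError(f"bad recipient {to!r}")
    sender = conn.player  # never a "name" field from the packet
    if state.money.get(sender, 0) < amount:
        raise ValueError("insufficient funds")
    state.money[sender] -= amount
    state.money[to] = state.money.get(to, 0) + amount
    return f"{sender} -> {to}: {amount}"


HANDLERS = {"transfer_money": cmd_transfer_money}


def handle_pveh(state, conn, pv):
    """Dispatch on a fixed table. Every outcome is logged with the sender the
    server knows, which is the PV logging the post above asks for."""
    cmd, args = pv.get("cmd"), pv.get("args")
    handler = HANDLERS.get(cmd)
    if handler is None or not isinstance(args, dict):
        state.log.append(f"REJECT {conn.player} cmd={cmd!r} malformed")
        return "rejected", f"unknown or malformed command {cmd!r}"
    try:
        result = handler(state, conn, args)
    except ValueError as exc:
        state.log.append(f"REJECT {conn.player} cmd={cmd!r} reason={exc}")
        return "rejected", str(exc)
    state.log.append(f"OK {conn.player} cmd={cmd!r} {result}")
    return "ok", result


def demo():
    """Constructed exchange: the same client (known server-side as 'bob')
    tries both message shapes."""
    state = ServerState(money={"bob": 500, "alice": 100})
    bob = Connection(player="bob")

    # 1. code string: one packet hands bob a fortune
    handle_pv_code_string(state, bob, {"code": "state.money['bob'] = 10**9"})
    rich = state.money["bob"]

    # 2. data-only: the spoofed "name" field is ignored, the cap is enforced,
    #    the real sender is charged, and the log names the real sender
    state = ServerState(money={"bob": 500, "alice": 100})
    r1 = handle_pveh(state, bob, {"name": "alice", "cmd": "transfer_money",
                                   "args": {"to": "mallory", "amount": 100}})
    r2 = handle_pveh(state, bob, {"cmd": "transfer_money",
                                   "args": {"to": "mallory", "amount": 10**9}})
    r3 = handle_pveh(state, bob, {"cmd": "run", "args": {"code": "x"}})
    return rich, state, r1, r2, r3


if __name__ == "__main__":
    print(demo())
```

The second pattern is what makes server-side logging meaningful: the log records a command name, validated arguments and the server's own notion of who sent it, none of which the client controls.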

Sorry, but I had to post this though.

...

Quite serious, in fact. Everybody seems to demand some magical anti-cheat that detects everything and stops all hacking, but that's unfortunately impossible.

In any case, $able does a very good job of finding the public hacks and releasing BE updates to combat them. That's all you can really expect an AC to do; private hacks are still going to be able to bypass everything, whether you're talking about BE, PB, VAC or any other AC. I would also say that $able really does go the extra mile with the server-side features.

> What's really needed is a way to log PVs, including the client who sent them. Certain missions (in particular the life missions, and possibly others) also need to be modified to use PVEHs for functions and only send the necessary data, rather than sending a PV with a string of code. Currently, remote code execution is still possible on those missions and isn't logged, since it isn't done through setVehicleInit.

Talking of which: http://forums.bistudio.com/showthread.php?138736-Introducing-Server-side-Event-Logging-Blocking&p=2214572&viewfull=1#post2214572.

> Quite serious, in fact. Everybody seems to demand some magical anti-cheat that detects everything and stops all hacking, but that's unfortunately impossible.
>
> In any case, $able does a very good job of finding the public hacks and releasing BE updates to combat them. That's all you can really expect an AC to do; private hacks are still going to be able to bypass everything, whether you're talking about BE, PB, VAC or any other AC. I would also say that $able really does go the extra mile with the server-side features.

Actually, PB busted all private BF3 hacks recently. But BF3 is a closed game without modding tools. Arma 2 is an open and trusting game with mod tools, not to mention that BE needs time to adjust to DayZ! BE is already busting public hacks every few days, which is pretty good!

So yeah, hopefully BE will have an easier job in DayZ standalone!

> Actually, PB busted all private BF3 hacks recently.

Not really, I know a few buddies who are still playing with cheats even today. Or better to say, played. Now they are Arma 2 fans. :D

> Not really, I know a few buddies who are still playing with cheats even today. Or better to say, played. Now they are Arma 2 fans. :D

Yes, really. I won't name the sites here, but most of them are busted. Some recovered, but most of them are still recoding.


I've been reading this thread with some interest. I've been playing a lot of DayZ recently and have fallen victim to hackers a number of times. Since the new beta 96061, I haven't been hacked at all. I know I'm playing DayZ and you guys are mostly talking about vanilla A2 (I think), but have you not noticed any fall in hacking with the latest beta?

(Not a troll post, just asking).

> Not really, I know a few buddies who are still playing with cheats even today. Or better to say, played. Now they are Arma 2 fans. :D

Generally speaking, PB is better.

Basically because it's deeper underlying, and thus requires notably more knowledge from the cheater to circumvent/fool the protection. Even paid [hilariously expensive, sometimes] cheats in PB titles/products weren't an easy thing to use.

That's why I insisted on BIS using/employing something similar in the past.

Nearly everyone did something similar. I just recently tried Tribes and GA. Also future Entropia Universe builds will have something alike; not sure about EVE Online, but they considered it too in the past.

SMI/SMM usage would be a nice trick before UEFI 2.x-capable boards/PCs become mainstream [older EFI and UEFI 1.x boards had TPM as an option, not a mandatory feature :], and then built-in Windows DRM will allow doing it rock-solid "in a general way". Clean, fast and elegant [more or less ;].

The main PB drawbacks are human-side flaws. The crew was reported to have exploited the service for their own gain; there are also some weak rumors that federal agencies use them to extract intel from PCs.

Edited by BasileyOne

This topic is now closed to further replies.