Post by uzi9mmauto on Aug 15, 2013 8:18:22 GMT -5
Well, stupid me was having fun with some people on a Quake 2 server. I jokingly accused one of them of cheating. I made up a fake scan starting with his screen name to make it look real. I hit "T" to Talk and typed this:

"QUAKEPC.COM: Moral22 -Scan AimBot AntiCheat v2.40 Scan - CHEATS DETECTED"

He suddenly went to "seriously joking"

Moral22: Oh, Im Caught. Cya Later!

He then signed off to my surprise! OOOPS.. lol I think I called it by accident..

So minutes go by and next thing I know I am moved to another server without any "GG" or Scores. Even though the server uses NO Anti-Cheat .Dll known as Punkbuster etc.. Somehow [WallFly]Bzzz who is the main admin of many, many servers came to my attention. Said I was cheating. I said No? Yes you are. So they were cool about it. I deleted some files and was kicked about 10 minutes later automatically. I was informed that my Baseq2 folder MUST be clean except for original files? (I have it loaded with shit)

My question is- is there a SCAN Program that I can download? (It would be VERY Dumb if there was no such program!) I know I have lots of stuff. What can I do? WHAT Program are they using so I CAN DOWNLOAD it to test my own SHÍT? What should I look for? Will a modified gamex86.dll do this? (I'm using THIS .dll) www.mediafire.com/download/bcz4fhp93za456v

1) What program do they use and where to get it?
2) How can they see into my folders?
3) What else makes them think my files are modded?
Post by knightmare on Aug 16, 2013 16:35:06 GMT -5
Q2's gamex86.dll is only executed by the server, there is no use for it on the client side.
Sounds like the server admin was being a complete ass about running with totally vanilla files, something that isn't normally a part of Q2 multiplayer. Only Q3 has a "pure server" setting for multiplayer that only allows the client to mount the same paks that the server has. Everybody with a clue has additional stuff in baseq2, either custom player skins and models, additional maps/textures, retextures/remodels, misc files needed by QE/GTKRadiant, and data paks used by enhanced Q2 engines. My baseq2 folder is over 1GB.
The only actual cheat I'm aware of that's possible with altered game data is hacked player models that have spokes/rods that extrude along each axis, allowing them to be seen through walls (There's a NoCheat addon that does check for this). Hacked maps are not possible because the checksum on the client is compared against the server.
Post by knightmare on Oct 24, 2014 12:03:38 GMT -5
> i saw this thread, while reading this forum, and felt i had to point out a few things. ok, for ur information there is no "scan" program. they are using stufftext to "see" whats in ur quake dir by forcing ur client to execute binaries by stuffing a command such as "exec ../binaryname.bla" where bla is either a dll or an exe file and if a file the admin checks for is found ur client responds with "MZ" as chat. any admin with programming knowledge could put together a simple rcon program to test clients. this method is not capable of telling if the client is using the cheats or not and it is also not capable of detecting modified legit files or renamed cheat files as they have to know the name of the file to "detect" it. if ur client said "MZ" the scan was probably positive and the admin assumed u had cheats.
> 1: as said above they use stufftext to force ur client to execute binary files in ur main quake dir as u would have typed it urself
> 2: they cant "see". they just try to execute known cheat files by their binaryname
> 3: still, they cant "see" files. but if the scan is positive ur client will respond with "MZ" as chat as the "MZ" is at the top of the exe and dll and this will be ur chat response when ur client executes the binary

So there's no way the admin could be receiving an actual directory listing from an external program on the client system? They're only blindly checking by trying to exec specific files, and seeing if the file header is echoed by the client? (For reference, "MZ" is the header for the Windows PE (Portable Executable) file format.)

> i would consider myself having a "clue". i am playing stock quake without any modifications, and i have played since the beginning of this game, so its just a choice, and doesnt really have anything to do with having a clue or not

I only meant that the majority of avid Q2 players will have additional data files in baseq2. I myself have the CTF and mission pack .pak files in baseq2, so I can load those maps from any mod dir. Even some stuff released by id goes outside the pak0, pak1, pak2 default file set (match1's pak3.pak, and the DM64 maps).

> i disagree. there are certain methods to use hacked maps with any client. more than one actually. i assume as a programmer like me u know how easy it is to remove the checksum check in the source code which is the easiest way. and then rebuild that and play with any modified maps. another method i wont mention here even allows u to play with modified maps with an unmodified client as the checksum is only sent on connect. there is nothing that stops u from loading a modified map after u connected. i have tested this even with anticheat loaded and its undetectable, which is why i wont mention it so wannabe cheaters can read it and try it, etc. another method is possible on the 3.20 client by modifying a single 0x74 byte and replace it with 0xEB. and it ignores the checksum as well. i also tested and confirmed this. but i wont post the address of that byte so anyone who reads this can go try it out hehe. as it only requires a hex editor and a minute of ur time to make it work. i just felt i had to reply to some of the posts in this thread even if it is old and correct them so i hope nobody feels offended

I looked at the source again, and I'd forgotten that this check is only done on the client at map load, and not on the server when the client connects. I also wasn't aware that this was possible without a client modified for cheating. Thanks for the heads up.
Post by knightmare on Oct 25, 2014 19:27:21 GMT -5
Does that blind check also work for checking what .pak files are present, i.e. will the server stuffing "exec ../baseq2/pak9.pak" echo the "PACK" header and the following bytes to the server if a pak9.pak is present? Nothing shows on the client end when I try this. I'm curious if this is the exact technique that admin was using to snoop on the contents of uzi9mmauto's baseq2 folder. I doubt any attempts would be made to check for files in the subfolders under baseq2 (maps, players, etc.).
Also, I was thinking that perhaps filtering out all stuffed exec commands would raise a red flag if "exec ../quake2.exe" or "exec ../baseq2/pak0.pak" echoes nothing back to the server?
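
The filtering idea raised in the post above, as an added example that is not part of the thread and not code from any Quake 2 client: a client-side check over one server-stuffed command string that counts `exec` commands whose argument leaves the game directory or is not a `.cfg` script. The function names and the "only plain .cfg" policy are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the first m bytes of s against lowercase lit. */
static int eq_ci(const char *s, const char *lit, size_t m)
{
    for (size_t i = 0; i < m; i++)
        if (tolower((unsigned char)s[i]) != lit[i]) return 0;
    return 1;
}

/* 1 if this single command (n bytes) is an "exec" whose argument leaves the
   game directory or is not a .cfg script. The policy is an assumption. */
static int exec_is_suspicious(const char *c, size_t n)
{
    while (n && isspace((unsigned char)*c)) { c++; n--; }
    if (n < 5 || !eq_ci(c, "exec", 4) || !isspace((unsigned char)c[4]))
        return 0;                                   /* not an exec command */
    c += 5; n -= 5;
    while (n && (isspace((unsigned char)*c) || *c == '"')) { c++; n--; }
    while (n && (isspace((unsigned char)c[n - 1]) || c[n - 1] == '"')) n--;
    for (size_t i = 0; i + 1 < n; i++)
        if (c[i] == '.' && c[i + 1] == '.') return 1;     /* ../ traversal */
    if (n && (c[0] == '/' || c[0] == '\\')) return 1;     /* rooted path */
    return !(n > 4 && eq_ci(c + n - 4, ".cfg", 4));       /* .exe/.dll/.pak */
}

/* Counts suspicious exec commands in one stuffed string. Splits on ';' and
   '\n' only; quoted semicolons are not handled (simplification). */
int count_suspicious_execs(const char *stuffed)
{
    int hits = 0;
    const char *start = stuffed;
    for (const char *p = stuffed;; p++) {
        if (*p != ';' && *p != '\n' && *p != '\0') continue;
        hits += exec_is_suspicious(start, (size_t)(p - start));
        if (*p == '\0') break;
        start = p + 1;
    }
    return hits;
}

int main(void)
{
    /* Constructed inputs modelled on the commands quoted in the thread. */
    printf("%d\n", count_suspicious_execs("exec ../quake2.exe\n"));
    printf("%d\n", count_suspicious_execs("exec config.cfg\n"));
    return 0;
}
```

A client would log the stuffed string when the count is non-zero and skip those commands rather than passing them to the command buffer.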