Messages - QwazyWabbit

286
0x1337c0de / Re: Entity List Management in Q2 Mods
« on: March 22, 2012, 08:14:44 PM »
I don't think so but I'd like to read your thoughts on why the Loxo server has not crashed with ED_Alloc: no free edicts nor has it crashed with SEG-FAULT or bad data overwrites. Typical LOX num_edicts runs in the 500 to 700 range on 12 players and custom maps. It's been a long time since the server had a heavy load.

I'll bring maxentities down to 1024 for a while and see what happens when krenZ has his way with it again. It's quite possible the faster spawn search is responsible and not the size of the entity array.

But why does it say this in the original game.h?

Code:
//
// global variables shared between game and server
//

// The edict array is allocated in the game dll so it
// can vary in size from one game to another.
//
// The size will be fixed when ge->Init() is called
struct edict_s *edicts;
int edict_size;
int num_edicts; // current number, <= max_edicts
int max_edicts;

287
0x1337c0de / Re: Entity List Management in Q2 Mods
« on: March 22, 2012, 09:13:04 AM »
No, there is a difference between game entities, server entities and client entities. The MAX_EDICTS limit is only for those entities that must be passed from server to client. It's perfectly acceptable to have more entities in the game than are passed to the client.

288
0x1337c0de / Re: Entity List Management in Q2 Mods
« on: March 21, 2012, 07:08:08 PM »
Interesting point. But then why does the cvar maxentities exist and why is globals.max_edicts set to game.maxentities in g_save.c in the historical game mod?
And why does this line exist in the same code:
Code:
g_edicts =  gi.TagMalloc (game.maxentities * sizeof(g_edicts[0]), TAG_GAME);

289
0x1337c0de / Entity List Management in Q2 Mods
« on: March 20, 2012, 10:20:04 PM »
Several extensive attempts were made to crash the Loxophilia server via the entity list crash pathway. These attempts did not succeed. The crash is produced when the active entity list is filled and a subsequent call to G_Spawn in the game mod can't find space in the entity list to instantiate a new entity. The function fails with a call to gi.error ("ED_Alloc: no free edicts"); which halts the game server resulting in a temporary denial of service.

There are two factors influencing this relative immunity to DoS.

1. Entity list size: old game default is 1024 entities. Loxo uses 2048 by default.
2. List management code in LOX was modified long ago and is now an historic artifact in LOX.

Three functions were modified in g_utils.c to speed up entity initialization and freeing.
The functions are listed below. These functions are common to all Quake2 mods.
NOTE: The entity member "classnum" is used in LOX to speed up class comparisons instead of using string matching based on "classname". The CN_* values are simply #defines or enumerated constants for all entity classes in the relevant mod. You may freely discard the code dealing with this data member.

Code:
void G_InitEdict (edict_t *e)
{
    e->inuse = QTRUE;
    e->classname = "noclass";
    e->classnum = CN_NOCLASS;
    e->gravity = 1.0;
    e->s.number = e - g_edicts;

    // Clear what the free-edict list may have set.
    e->chain = NULL;

    // This is another headache.
    e->think = NULL;
    e->nextthink = 0;
}

// The free-edict list.  Meant to vastly speed up G_Spawn().
edict_t *g_freeEdictsH = NULL;
edict_t *g_freeEdictsT = NULL;

/*
=================
G_Spawn

Either finds a free edict, or allocates a new one.
Try to avoid reusing an entity that was recently freed, because it
can cause the client to think the entity morphed into something else
instead of being removed and recreated, which can cause interpolated
angles and bad trails.
=================
*/

edict_t *G_Spawn (void)
{
    int i;
    edict_t *e;
    // char string[64];

    // If the free-edict queue can help, let it.
    while (g_freeEdictsH != NULL)
    {
        // Remove the first item.
        e = g_freeEdictsH;
        g_freeEdictsH = g_freeEdictsH->chain;
        if (g_freeEdictsH == NULL)
            g_freeEdictsT = NULL;

        // If it's in use, get another one.
        if (e->inuse)
            continue;

        // If it's safe to use it, do so.
        if (e->freetime < 2 || level.time - e->freetime > 0.5)
        {
            G_InitEdict (e);
            return e;
        }

        // If we can't use it, we won't be able to use any of these -- anything
        // after it in the queue was freed even later.
        else
            break;
    }

    // The old way to find a free edict.
    e = &g_edicts[(int)maxclients->value+1];
    for ( i = (int) maxclients->value + 1 ; i < globals.num_edicts ; i++, e++)
    {
        // the first couple seconds of server time can involve a lot of
        // freeing and allocating, so relax the replacement policy
        if (!e->inuse && ( e->freetime < 2 || level.time - e->freetime > 0.5 ) )
        {
            G_InitEdict (e);
            return e;
        }
    }

    if (i == game.maxentities)
        gi.error ("ED_Alloc: no free edicts");

    globals.num_edicts++;
    G_InitEdict (e);
    // sprintf(string, "num_edicts is %i\n", globals.num_edicts);
    // OutputDebugString(string);
    return e;
}

/*
=================
G_FreeEdict

Marks the edict as free
=================
*/
void G_FreeEdict (edict_t *ed)
{
    gi.unlinkentity (ed); // unlink from world

    if ((ed - g_edicts) <= (maxclients->value + BODY_QUEUE_SIZE))
    {
        // gi.dprintf("tried to free special edict\n");
        return;
    }

    memset (ed, 0, sizeof(*ed));
    ed->classname = "freed";
    ed->classnum = CN_NOCLASS;
    ed->freetime = level.time;
    ed->inuse = QFALSE;

    // Put this edict into the free-edict queue.
    if (g_freeEdictsH == NULL)
        g_freeEdictsH = ed;
    else
        g_freeEdictsT->chain = ed;
    g_freeEdictsT = ed;
    ed->chain = NULL;
}

In server configuration files you can set maxentities 2048 or you can modify g_save.c in the game source:

Code:
maxentities = gi.cvar ("maxentities", "2048", CVAR_LATCH);
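
A stand-alone model of the free-edict queue from the post above, added here as an illustration and not LOX or id Software code: it keeps the head/tail queue and the 0.5-second reuse delay, but its spawn returns NULL when the pool is full instead of halting the server through gi.error. The names `pool_spawn`, `pool_free`, `ent_t` and the 8-slot pool are assumptions, and the model drops the linear scan because every freed slot sits in the queue.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ENTS   8     /* constructed stand-in for maxentities */
#define RESERVED   2     /* stand-in for the world and client slots */
#define REUSE_WAIT 0.5f  /* reuse delay used by the posted G_Spawn */

typedef struct ent_s {
    int inuse;
    float freetime;
    struct ent_s *chain; /* next entry in the free queue */
} ent_t;

static ent_t ents[MAX_ENTS];
static int num_ents = RESERVED;
static ent_t *free_head, *free_tail;
static float now;        /* stand-in for level.time */

/* Hypothetical fail-soft spawn: NULL on exhaustion, no server halt. */
ent_t *pool_spawn(void)
{
    ent_t *e = free_head;

    /* Queue is in free order: if the head is too fresh, so is the rest. */
    if (e && (e->freetime < 2 || now - e->freetime > REUSE_WAIT)) {
        free_head = e->chain;
        if (free_head == NULL)
            free_tail = NULL;
    } else if (num_ents < MAX_ENTS) {
        e = &ents[num_ents++];          /* grow into a never-used slot */
    } else {
        return NULL;                    /* full: caller must handle it */
    }
    e->inuse = 1;
    e->chain = NULL;
    return e;
}

void pool_free(ent_t *e)
{
    if (e - ents < RESERVED || !e->inuse)
        return;                         /* reserved slot or double free */
    memset(e, 0, sizeof(*e));
    e->freetime = now;
    if (free_head == NULL)
        free_head = e;
    else
        free_tail->chain = e;
    free_tail = e;
}

int main(void)
{
    now = 10.0f;
    while (pool_spawn() != NULL)
        ;                               /* fill the pool */
    return pool_spawn() == NULL ? 0 : 1; /* refused, process still alive */
}
```

In a real mod every caller of G_Spawn would have to check for NULL before this change is safe. The double-free guard in `pool_free` matters because appending an already-queued slot a second time would link it to itself.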

290
tastyspleen.net / Re: Deliberately Crashing Servers
« on: March 20, 2012, 06:56:00 AM »
Foc, I understand your point completely and I agree that assholes need to pay the price for being assholes and krenZ deserves his ban and I wouldn't waste any more time on him either.

I was only replying to you in the same tone and method that you replied to me. All is cool.
 :ilysign:

But my intent was to plug a hole that exists in ancient code that might be easily fixed with a simple copy-paste of a block of code and a quick recompile of the game DLL and publication of that code for the greater good of the mod community. The total time to do that is less than I have wasted in this thread. :) The solution might even be as simple as increasing maxentities since the limit is artificial and the default was geared to a 1997 server. The code I have uses a "freed entity" list to speed up G_Spawn and a larger default value for maxentities. LOX uses a lot of entities and it doesn't crash and I haven't seen this exploit used on it so I would have liked to see if it can be crashed this way. The coop code is ancient original 3.21 mod code most likely.

The result would be less time dealing with future assholes who might choose to use the same exploit to crash a server. If I was more ambitious I'd write a detection program that would auto-ban anyone who acted like krenZ but as you say, enter IP, ban the asshole, quick fix.

291
tastyspleen.net / Re: Deliberately Crashing Servers
« on: March 20, 2012, 12:24:35 AM »
Unless he took the time to create a bind that would drop 1000+ ammo packs all at once, that's not the method he was using. Cajmere said he never saw any ammo packs dropped before it crashed.

It's pretty stupid that anyone should HAVE to make changes to the server to prevent this from happening again when it would be a hell of a lot quicker and simpler to keep the assholes doing it off the server with a ban until they agree to stop doing obnoxious shit. Play by the rules or play somewhere else.

I don't think making server code resistant to attack is stupid at all. You have to remember that Q2 was designed as a single player game first, multiplayer second and the philosophy of the net at the time was "everybody plays by the rules". Then the Morris worm came out and all hell broke loose. Original Q2 was riddled with vulnerabilities, hence all the admin tricks and add-ons to plug the holes.

One of the most annoying shortcuts taken by the Q2 developers IMHO, is the good old crash-the-app-because-something-bad-happened. This is exactly what you saw with the coop server. This is fine if you're developing but it sucks when you're an admin. Fortunately, quadz has Wallfly and server monitor/reset automation in place but from the degree of upset caused by all the complainers in this thread I'd say making the servers resistant to the exploit would be a better solution.

The patch would appear to be minimal and it's already written so why not take advantage of it if it exists. We only need to prove it works.


You just love to fucking argue with me lately, don't you? Your little "solution" may work, but it's still a stupid one in my opinion. Some guy pisses on your shoes and you're worried about doing what you can to make your shoes piss-proof, meanwhile some guy's pissing on my shoes and I'm kicking him in the dick until he's pissing blood and can't walk. I bet you my shoe pisser won't make the mistake of pissing on my boots again. And I didn't even have to waste the time and money it'd take to go shopping for a new pair of piss-proof shoes like you did.

I don't love to fucking argue with you at all. I find your point of view very entertaining. Keep it up. Since you are so free with your opinions I am equally free with mine. The fact our opinions differ is what makes the world interesting. If you think that's an argument it's only your juvenile underdeveloped mind and that angry with the world because your old man beat you when you was little attitude. I was only interested in the topic because it showed a weakness in the game code.

Go, be angry. Give it your best shot. Piss on krenZ and have your little game. Me, I'd rather make the game better for small minded people who have no other talent than to be drama queens on forums.

P.S. You only think I'm arguing with you. It's all in your mind.

292
tastyspleen.net / Re: Deliberately Crashing Servers
« on: March 19, 2012, 09:21:54 PM »
I don't think making server code resistant to attack is stupid at all. You have to remember that Q2 was designed as a single player game first, multiplayer second and the philosophy of the net at the time was "everybody plays by the rules". Then the Morris worm came out and all hell broke loose.

you do realize the worm made by robert morris was out a full decade ahead of q2 right?

Less than a decade actually... more like 6 years or so, late '88 to late 96. But the lesson was not learned was it?

293
tastyspleen.net / Re: Deliberately Crashing Servers
« on: March 19, 2012, 05:44:10 PM »
Unless he took the time to create a bind that would drop 1000+ ammo packs all at once, that's not the method he was using. Cajmere said he never saw any ammo packs dropped before it crashed.

It's pretty stupid that anyone should HAVE to make changes to the server to prevent this from happening again when it would be a hell of a lot quicker and simpler to keep the assholes doing it off the server with a ban until they agree to stop doing obnoxious shit. Play by the rules or play somewhere else.

I don't think making server code resistant to attack is stupid at all. You have to remember that Q2 was designed as a single player game first, multiplayer second and the philosophy of the net at the time was "everybody plays by the rules". Then the Morris worm came out and all hell broke loose. Original Q2 was riddled with vulnerabilities, hence all the admin tricks and add-ons to plug the holes.

One of the most annoying shortcuts taken by the Q2 developers IMHO, is the good old crash-the-app-because-something-bad-happened. This is exactly what you saw with the coop server. This is fine if you're developing but it sucks when you're an admin. Fortunately, quadz has Wallfly and server monitor/reset automation in place but from the degree of upset caused by all the complainers in this thread I'd say making the servers resistant to the exploit would be a better solution.

The patch would appear to be minimal and it's already written so why not take advantage of it if it exists. We only need to prove it works.

294
tastyspleen.net / Re: Deliberately Crashing Servers
« on: March 18, 2012, 11:38:32 PM »
Just for the hell of it krenZ, and this may help you redeem yourself, I'd like you to try DOS'ing the Loxophilia server for me in the same way you did coop.

74.86.171.202:27910

The LOX code uses a different G_Spawn / G_FreeEdict scheme and I'd like to see if your exploit works against it. This, and the maxentities is 2048.
I'll be watching the logs, so let's see what you can do to it.
If you can't succeed in crashing the server perhaps the LOX method can be used in the other mods and this vuln can be eliminated from them since this code is in the game module and not the engine.

I can't promise what quadz might do ban-wise, but it would satisfy my curiosity about this vuln.

If anyone knows the exploit being used, please PM me so I can investigate it on test servers.

295
/dev/random / Re: im drunk
« on: March 18, 2012, 05:02:07 PM »
Will glitter scrape the intestines? Great way to abrade those polyps in your colon. Either that, or a great way to acquire a case of diverticulitis.

296
tastyspleen.net / Re: Deliberately Crashing Servers
« on: March 18, 2012, 03:46:47 PM »
So I try to hop on the server to get my railz fix and BOOM D-E-N-I-E-D. Try the mutant port, BOOM D-E-N-I-E-D. Try the whale server, BOOM D-E-N-I-E-D. I thought the ban was just for coop but apparently not. I want to get this resolved. I'm an asshat  :frustration:. The lessons have been learned, let's put this behind us and frag on 

So, you exploited a game vulnerability to fuck with your fellow players and you are surprised when you are banned from all the servers involved?
I think you need more time in the ban corner myself. You need to learn what denial of service really means.

297
tastyspleen.net / Re: Deliberately Crashing Servers
« on: March 17, 2012, 12:03:04 PM »
It's a vulnerability in the way the server handles entities.

This is true.

The default value of maxentities is 1024. The G_Spawn function simply gives up when it's spawned that limit of entities and it can't find a free one. 1024 was probably a reasonable number to allocate in a 1997 vintage server.

However, maxentities is a CVAR and can easily be increased by defining a larger value in the server config making it harder for a malicious client to launch a successful DoS.

298
Outdoor Activities / Re: Firearms - Hunting/Target thread
« on: March 14, 2012, 12:10:15 AM »
It's not just guns that are prohibited but any knife, tool, camera, memory device, laptop (unless listed and registered), personal tools, non-contractor owned devices or tools, that are prohibited on nuclear resource sites. This is a federal requirement. If you want a list of "prohibited items" I can probably locate the list I was given. In my job I have to deal with all kinds of issues like this. The guys guarding one recent place I was at wore desert camo, toted AR's and even searched the car at the gate. Not your average Pinkerton dudes.

Answer NO when asked if you are bringing any prohibited items.
Serious stuff.
I had to list and have serial numbers for all test equipment and PC's and hard drives.
You can't even bring in a Leatherman tool because it has a blade.

Q.W. : I looked back and don't see the context of your post.  If it's not too intrusive a question to ask...where the heck did this happen?  You can tell me to mind my own business and it won't hurt my feelings.   :D

It was in response to Focalor's post about the places a CWP is valid. Nuclear site security is probably the tightest, then sites where they make fancy aircraft.
Let's just say I get around. My customers are airframe manufacturers, rocket builders and places where they make hardware for "nuclear wessels" and "nuclear boombas". I was recently at a site in Nevada where the security was especially federal and they had a long list of rules and took every one of them very seriously. What a hassle. The contents of my car, tools, etc. changes depending on where I have to drive and what the job is. Tool bag is a hassle when I fly too. Lots of layoffs in manufacturing makes me especially busy these last few years. Not much time for fun.

299
Politics / Re: Cruel or just Unusual?
« on: March 08, 2012, 12:36:24 AM »
Saw a documentary on mutant animals.


This was one of the examples. Under captivity the giraffe in question lived a long time but the documentary stressed that in the wild the giraffe would have starved to death at a young age. (Not to mention the mother probably would have left it to die at birth)

Is it cruel to prolong the life of a deformed animal? I personally think so. As humans we have compassion for our own people when they are born with defects (except for jaqeero :evilgrin: ). But animals treat this in a completely different way, in one example in the video a farmer prevented a mother pig from smothering a two faced piglet. So is it normal for humans to extend their treatment of their own young to animals?

Just curious what others think.



P.S. I really don't care about animal rights in general. I'm talking specifically about infanticide in the animal kingdom. Go hug a tree, hippie!

Some mutations are advantageous, most mutations aren't. The survival of the creature depends on this. This is called "natural selection" or "survival of the fittest". Nature "selects" these mutations according to cold and dispassionate rules. This is where man and his passions conflict with nature. This creature is entitled to survive because man chooses to support a defect where natural selection would not. If the mutation is inheritable that giraffe should not be allowed to breed. Nature's judgement is better than man's in this case and might even be less cruel.

300
Outdoor Activities / Re: Firearms - Hunting/Target thread
« on: March 07, 2012, 04:24:38 PM »
It's not just guns that are prohibited but any knife, tool, camera, memory device, laptop (unless listed and registered), personal tools, non-contractor owned devices or tools, that are prohibited on nuclear resource sites. This is a federal requirement. If you want a list of "prohibited items" I can probably locate the list I was given. In my job I have to deal with all kinds of issues like this. The guys guarding one recent place I was at wore desert camo, toted AR's and even searched the car at the gate. Not your average Pinkerton dudes.

Answer NO when asked if you are bringing any prohibited items.
Serious stuff.
I had to list and have serial numbers for all test equipment and PC's and hard drives.
You can't even bring in a Leatherman tool because it has a blade.
