anticheat: RiDiX caught wallhacking (badsoul ref_gl wh)

[PANTONE 7717C]

the dll isn't made for any of the new anticheats, there is NO WAY for me to use it on ts.

Yes you can use it on ts, unless you're using a valid anticheat.dll client.  You can use it with plain r1q2 (without anticheat.dll), you can use it with 3.20, you can use it with frkq2 (that emulates NoCheat), etc. etc. etc.

Are you saying that under those circumstances you can use a cheat on ts without getting the "MZ exec" message? Or that you'll get that message but technically you can keep using it till someone takes action?
If this dude speaks the truth which I doubt he shouldn't have renamed the dll to something standard but he should've removed that dll and if he had loaded it earlier, rebooted first before playing right? I never got the impression he was walling but why rename it to something standard if you use it to watch demos...

[Remedy]

so do we know he was using it in game?

well the way i understand it from this is that he had to use the command "gl_modlate" to toggle it off or on, as it was always loaded ready for use

what I would like to see is a search done of all the logs on ts for that command, to see who was using it

[randypants]

<3 Panjoo.....

[console]

Are you saying that under those circumstances you can use a cheat on ts without getting the "MZ exec" message?

The MZ message only reveals the _existence_ of a file.  Everybody would MZ if we scanned for ref_gl.dll.

what I would like to see is a search done of all the logs on ts for that command, to see who was using it

Can't.  It's a client-local command.  It doesn't get sent to the servers, so it doesn't appear in the logs.


There's no way I'm aware of to prove whether Granny ever enabled the wallhack during a game.  All we know for sure, is it was his default OpenGL renderer, and it was loaded when he connected with r1q2+anticheat.dll.



Regards,

[krez]

It was his default open gl renderer and is not an old hack, its a new one.  This queer should be banned for a while, with some extra time added for being such a douche trying to deny it.

[PANTONE 7717C]

The MZ message only reveals the _existence_ of a file.

OK that's what I thought. But shouldn't that be: When you're not using anticheat the MZ message can only reveal the _existence_ of a file(?)

So let me see. If you don't use anticheat and have;
- a bad file in your folder but it is not loaded as your default renderer (you forgot to take it out) -> MZ msg only
- a bad file in your folder and it is loaded as your default renderer (in other words you're cheating) -> MZ msg only

Now that would mean that as soon as someone gets the MZ message (and doesn't use anticheat) there's no way to tell for sure he was not using it. So, when someone goes "MZ" while being on the server and then claims "but it's not loaded, I only use it to watch demos", it's a weak excuse because it could just as well mean he is/was in fact using it.

But if you do use anticheat and have bad files laying around you'll get kicked from the server, loaded or not?
I'm guessing only when loaded and if that's so then there's no reason for him to deny it. If it got loaded by quake2 itself because he had renamed it then that's his own fault.

[reaper]

if he was playing quake and could just type a command to cheat:
he would be kicked by the server most of the time with the nc_visibility check?
i take it , this isn't recorded or logged. 

[R1CH]

But if you do use anticheat and have bad files laying around you'll get kicked from the server, loaded or not?
I'm guessing only when loaded and if that's so then there's no reason for him to deny it. If it got loaded by quake2 itself because he had renamed it then that's his own fault.

Nice try.  But unlike our rcon scans, anticheat.dll doesn't report files sitting in your q2 folder.  It only reports files you ACTUALLY HAVE LOADED.

rcon scan simply checks for presence of files, regardless if you're using anticheat or not.

anticheat only checks for stuff that's actually loaded.

Whether the wallhack was actually activated or not, no one but Granny knows. All I can say is that it was loaded and available at the press of a key.

[randypants]

if he was playing quake and could just type a command to cheat:
he would be kicked by the server most of the time with the nc_visibility check?
i take it , this isn't recorded or logged.

[Remedy]

what I would like to see is a search done of all the logs on ts for that command, to see who was using it

Can't.

[reaper]

Note, your wallhack isn't sophisticated enough to get around the server-side anti-wallhack measures (sv_nc_visibilitycheck) when we have those turned on.

[KaiTech]

KICKBAN  END OF TOPIC

[console]

  Well it seems we should probably hold some kind of seminar or symposium on how the various cheat detection methods work.  On the other hand, before anticheat.dll, we didn't want to talk about the scans much because if you know how they work, you can avoid many of them.  (That's why I've always said, the scans are good for catching newbies, and that's about it.)

Anyway: sv_nc_visibilitycheck doesn't _detect_ wallhacks, it just makes simplistic wallhacks not work.  (It is technically possible to code a wallhack to work in spite of sv_nc_visibilitycheck 1, however I'm not sure any such have been coded or not.)

As for anticheat.dll, it's more sophisticated.  It didn't just spot Granny's wallhack because it was a different filesize, although that's the general idea.  Instead, it analyzes the binary machine code instructions of modules loaded into the quake2 process space, computing cryptographic hash signatures of the binary code, that can be compared against a white list of known good, or black list of known bad modules.  (At least that is my present understanding, based on discussions with r1ch.)  So, that is how r1ch knew it was the badsoul wallhack, before Granny sent us the file.

. . . Not sure if I'm making things more clear, or less clear, with these attempts at explanation... 


Regards,

[console]

if he did always have that as his file, the check would kick him.  .  so you would think he didn't try it on the servers. i presume it doesn't log that. i don't think it matters what client you use - the server just has that protection?

do you really think he was just always trying that command, even though he might think he would get logged/kicked?

Just in case it wasn't clear from what I wrote in the previous post... None of the scans or checks (except for anticheat.dll) would have kicked for the ref_gl.dll wallhack, whether it was turned on or not.


Regards,

[Remedy]

I see

;D

sounds like its a step up from what bryce did with nocheat