disorder

Cheat Finder (script parser for admins)


OH cool! Thanks very much. I just noticed this.. Do you want to merge the 2nd thread with this one?

I will update the main page.

Edited by disorder


.

Edited by Dylon


Just a bug on the parsing;

Players with ASCII characters in their name are causing the reporting component to die... e.g.

™ ♥ ♫ etc etc

Ok I just triggered it with those chars. I will try and sort it out.

Here is the thing that is confusing me, the basic log format is ANSI so these chars don't display properly in notepad anyway right?

Edited by disorder


New version is out, anyone who has got access violations please test it thanks.


Ok I get laggy forum sometime and it doesn't update. I did the link again so it should be up to date (tested ok)

BTW You were using the wrong log, so I should point out to everyone again. It only searches your scripts.log file.

The file should contain the following formatted line.. this is basically what it's parsing for :

DATE TIME: USERNAME (IP) GUID - #ID TEXT

For example

27.07.2012 14:04:12: BIllybob (123.456.111.222:2304) 062346bcefe58f2e235236236d7c8747454 - #27 awn player_alertZombies;

"blah"

"moreblah"

If it doesn't contain a line that looks like that ^ then it's the wrong file.

Edited by disorder


Noticed a ban report based off cheatfinder, so I updated & have a few suggestions....

U really should add back in the line number u find the cheat at, and remove the reports of players GUID's

By doing this people are forced to look @ code flagged as cheating to get the GUID and they can double check....

Atm cheatfinder doesn't appear to have any logic to it & is just doing a simple string search...

As a result it is flagging people as cheating + since u supply the GUID as well, some people are banning without double checking.

Cheatfinder is flagging people as cheaters if their name contains the matching string

i.e

Playername = unholy

Reported as cheat = un

Also

0.1 fadeSound 0;

Harmless script code when someone spawns flagged as cheat = un

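An added example, not part of the original posts and not CheatFinder's own code: a minimal scanner for the scripts.log layout quoted above that searches only the script text (never the player name or GUID), matches whole identifiers, reports line numbers, and tolerates undecodable bytes in player names. The signature list, the sample log and the UTF-8 decoding are assumptions.

```python
import re

# Header layout quoted in the thread: DATE TIME: USERNAME (IP) GUID - #ID TEXT
HEADER = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}): "
    r"(?P<name>.*) \((?P<ip>[^()]*)\) (?P<guid>[0-9a-fA-F]+) - "
    r"#(?P<id>\d+) (?P<text>.*)$"
)

# Constructed signature list (assumption, not CheatFinder's database).
SIGNATURES = ["un", "a10", "createVehicle"]


def _token(sig):
    # Match whole identifiers only, so "un" does not hit "fadeSound".
    body = r"(?<![A-Za-z0-9_])" + re.escape(sig) + r"(?![A-Za-z0-9_])"
    return re.compile(body, re.I)


PATTERNS = {sig: _token(sig) for sig in SIGNATURES}


def scan(raw: bytes):
    """Return findings as (line_number, player_name, signature) tuples."""
    # errors="replace" keeps odd bytes in player names from aborting the scan.
    lines = raw.decode("utf-8", errors="replace").splitlines()
    findings, name = [], None
    for number, line in enumerate(lines, start=1):
        header = HEADER.match(line)
        if header:
            name, text = header["name"], header["text"]
        else:
            text = line  # continuation of the previous entry's script text
        if name is None:
            continue  # text before the first header is not a log entry
        for sig, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((number, name, sig))
    return findings


# Constructed sample log, not taken from a real server.
SAMPLE = (
    b"27.07.2012 14:04:12: unholy (10.0.0.1:2304) 0a10bcefe58f2e23 - #27 0.1 fadeSound 0;\n"
    b"27.07.2012 14:05:00: Bob\x99 (10.0.0.2:2304) 1b2c3d4e5f607182 - #20 \"if (isServer) then {\n"
    b"_object = createVehicle ['Ikarus_TK_CIV_EP1', [0, 0, 0], [], 0, 'C\"\n"
)
```

Calling `scan(SAMPLE)` reports only the `createVehicle` continuation line; the name `unholy`, the GUID containing `a10` and the `fadeSound` text produce no findings.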

Just a bug on the parsing;

Players with ASCII characters in their name are causing the reporting component to die... e.g.

™ ♥ ♫ etc etc

Ok I just triggered it with those chars. I will try and sort it out.

Here is the thing that is confusing me, the basic log format is ANSI so these chars don't display properly in notepad anyway right?

As a generally North American server we simply deny access to players with ASCII characters by way of BEC.

Noticed a ban report based off cheatfinder, so I updated & have a few suggestions....

U really should add back in the line number u find the cheat at, and remove the reports of players GUID's

By doing this people are forced to look @ code flagged as cheating to get the GUID and they can double check....

Atm cheatfinder doesn't appear to have any logic to it & is just doing a simple string search...

As a result it is flagging people as cheating + since u supply the GUID as well, some people are banning without double checking.

Cheatfinder is flagging people as cheaters if their name contains the matching string

i.e

Playername = unholy

Reported as cheat = un

Also

0.1 fadeSound 0;

Harmless script code when someone spawns flagged as cheat = un

I was about to mention the same thing, I decided to give this parser a try and it spits out anyone matching the strings..

<ID>GUIDGUIDGUIDGUIDa10GUID</ID>

<Aliases>USER</Aliases>

<IP>#.#.#.#:####</IP>

<Logs>X:\scripts.log</Logs>

<cheats>A10</cheats>
</ID>

Edited by (OCN)Vortech

U really should add back in the line number u find the cheat at, and remove the reports of players GUID's

I took line numbers out because people were mentioning/complaining about trying to find it in logs with way too many lines. So once I made it display the GUID I thought that would work better at tracking down people than line numbers.

Ok yeah don't ban everyone just yet.

Tis my fault, I was Testing a smaller Database which had a lot of info removed (which was a quick way of making the test go faster for debugging problems).

Try copying this to the program's folder and overwriting the current file. I'll update the main zip again.

OLD DB http://www1.zippysha...90260/file.html

Edited by disorder


I scanned my scripts.log and got this in CheatFinder 1.5;

------------------------------------------------------------------------------------------

<ID></ID>

<Aliases>NAME</Aliases>

<IP>7.39.224.192:2304</IP>

<Logs>C:\Program Files (x86)\ArmA 2\bliss\BattlEye\scripts.log</Logs>

<cheats>RU UN CH US</cheats>

<ID></ID>

<Aliases>NAME</Aliases>

<IP>7.36.45.109:2304</IP>

<Logs>C:\Program Files (x86)\ArmA 2\bliss\BattlEye\scripts.log C:\Program Files (x86)\ArmA 2\bliss\BattlEye\createvehicle.log</Logs>

<cheats>RU SCAR UN CH US</cheats>

<ID></ID>

<Aliases>NAME</Aliases>

<IP>7.39.70.13:2304</IP>

<Logs>C:\Program Files (x86)\ArmA 2\bliss\BattlEye\scripts.log</Logs>

<cheats>RU UN CH US</cheats>

-----------------------------------------------------------------------------------------------------------------------------------------------

How do I even identify what the ID means? Are there any lists that contain ID's that I can base the results from CheatFinder off of? Thank you in advance!

Edited by hytekk


OK no one should be banning for reports generated with the last 2 versions (1.4 > 1.5), as they contain lots of false positives. Also nobody should be throwing out bans anyway, I think they need to be checked with dayz server mods/admins.

Also the ID is the player's global ID and shouldn't be posted here. The one I posted was fake. Can you edit your post please.

1.6 Will be put up in a short while.

- Line Numbers are back

- Extra formatting to the XML to split lines up

Edited by disorder


Hey, love this tool. I'm pretty new to arma scripts & I'm getting a ton of Ikarus_TK_CIV_EP1 popping up, how can I tell if it's a script?


if (!isDedicated) then {
_config = configFile >> "CfgLoot";
"
15.08.2012 06:20:12: XXXX (XXXX) XXXXX - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: XXXX (XXXXXXX) XXXXXXXXXXXXXX - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: XXXXXX (XXXXXXXX) XXXXXXXXXXXXXXXXX - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: XXXX (XXXXXXX) XXXXXXXXXXXXXXXXXXc - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: XXXXXXX (XXXXXXXXXX) XXXXXXXXXXXXXXX - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: DXXXXXXXXXX(XXXXXXXXXXX4) XXXXXXXXXXXXXXXXXX - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: XXXXXXXXXXX (XXXXXXXXXXXXXXX) 1XXXXXXXXXX4 - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: XXXX (XXXXXXX4) XXXXXXXXXXXXXXX - #20 "
if (isServer) then {
_object = createVehicle ['Ikarus_TK_CIV_EP1', [2273.29, 2121.28, 0], [], 0, 'C"
15.08.2012 06:20:12: XXXXXX (XXXXXXXXX) 5XXXXXXXXXXXXXX - #41 "de\compile\object_vehicleKilled.sqf";
object_setHitServer = compile preprocessFileLineNumbers "\z"
15.08.2012 06:20:12: XXXXXXXk (XXXXXXXXXXXX) XXXXXX- #130 "ddons\dayz_code\init\compiles.sqf"

Any of this not legit?

Cheers

It's not legit but be careful with multidetections. AJ and TGS hacks will not be detected in logs so when you see a lot of ppl with the same vehicle spawn keep in mind that they are not guilty.


It's not legit but be careful with multidetections. AJ and TGS hacks will not be detected in logs so when you see a lot of ppl with the same vehicle spawn keep in mind that they are not guilty.

The only legit things are the 06:20:12 entries, the rest are spawned. createVehicle should be a red flag.


I'm not aware of all known scripts yet but I'm learning as I develop this.

If you see lots of people spawning to the same place then I think this is everyone getting moved to thunderdome type areas.


31.07.2012 11:05:30: Dude 1 (x) y - #35 player setVariable['lastPos',0];
player setposatl [6646.12,2586.48,36.4538];
31.07.2012 11:05:30: Dude 2 (x) y - #35 player setVariable['lastPos',0];
player setposatl [6646.12,2586.48,36.4538];
31.07.2012 11:05:30: Dude 3 (x) y - #35 player setVariable['lastPos',0];
player setposatl [6646.12,2586.48,36.4538];
31.07.2012 11:05:30: Dude 4 (x) y - #35 player setVariable['lastPos',0];
player setposatl [6646.12,2586.48,36.4538];


It's not legit but be careful with multidetections. AJ and TGS hacks will not be detected in logs so when you see a lot of ppl with the same vehicle spawn keep in mind that they are not guilty.

That's what I figured, is there any way to differentiate between innocents and scripter or is it relatively useless info?


The logs are still messy.. GUID with a10 and other flagged strings appear at length. I also am encountering a bug where the output contains previously scanned logs until I close the program. It doesn't matter if I remove or clear the source files, the log just grows. I've been using your tool to look over my logs looking for a new method I read about. Here are my results:

19.08.2012 14:38:44: username (X.X.X.X:PORT) GUIDGUIDGUIDGUIDGUIDGUIDGUID - #106 "a\ui\scripts\handleGear.sqf'; _dummy; player addweapon "BAF_AS50_scoped"; player addMagazine "10Rnd_"

19.08.2012 14:38:44: username (X.X.X.X:PORT) GUIDGUIDGUIDGUIDGUIDGUIDGUID - #115 "yer addMagazine "10Rnd_127x99_m107"; player addBackPack"DZ_Backpack_EP1"; "

The user is injecting spawned items into legit sqf files. So while still a wip your tool helped me identify this cheater. Thank you.

The logs are still messy.. GUID with a10 and other flagged strings appear at length. I also am encountering a bug where the output contains previously scanned logs until I close the program. It doesn't matter if I remove or clear the source files, the log just grows. I've been using your tool to look over my logs looking for a new method I read about.

1) The accidental detection in names/ID's was removed in my current 1.7 code but something broke in changing something and I had to revert. I'm going to work on it today.

2) The program keeps a persistent database while I am debugging, this is to see data before it's converted to xml. Because of the way the user database creates entries based on ID, this means you can use multiple logs and it will only add a new entry if it's different. Unfortunately since it's persistent, it can get jammed up a bit. This is also getting removed in 1.7 and temp files will go into your AppData and also get deleted when the program closes.

If you want to stop the data overflowing, go into the program's install folder and delete the file called "tmpdb"

1.7 is being uploaded now.

Edited by disorder
1.7 is being uploaded now.

Sounds like a solid update. I just tried to run it and it's immensely slower parsing, I actually had to force close it as CF was intermittently not responding. In this condition 1.7 is unusable for us, the log in question was only 4,977KB at 127k lines. CF 1.6 can parse the same log without issue in the same environment.

Edited by (OCN)Vortech


Oh that's really strange, because I have a test file that is 170mb and it's really fast and one around 4k was instant. Can you upload to zippyshare or something and then send me the link via pm. I want to see what is causing it.

Something is definitely not working as I intended, will check it.

Edited by disorder


OK I checked out a few things and have hopefully resolved everything. Just testing now.

Edited by disorder


Latest hotfix version not working for me at all now...I get this:-

The XML page cannot be displayed

Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.

End tag 'Entry' does not match the start tag 'ID'. Error processing resource 'file:///C:/Users/Admin/AppData/Roaming/CheatF...

</Entry>

--^


TheWeedMan

Have you got the latest Internet Explorer version for your OS?

Update your IE and then Install Microsoft .NET Framework 3.5 SP1

In either case it's not related to my program, it is actually to do with IE or one of its settings. See here also. http://www.ssw.com.a...x?KBID=Q1070124

---

A new version has been added too.

Edited by disorder


Certainly not my end that's the issue here....I reverted back to version 1.6 and everything's working perfectly.


Ok, can you send me the log that's causing it (zipped)

I do notice that if you press back during a scan that it does not close the tags properly, sometimes causing this error at the bottom. Right now I can't seem to duplicate the error, as I've changed some stuff for 1.9.

---

On another topic. I hate XML! It's really annoying and I think I should change to something more graphical and maybe go back to HTML reports. It seems to be causing more problems.

What does everyone else think?

Edited by disorder


I preferred the HTML, also it was good being able to have it display the results in order of the log as well as the line number. Perhaps a way to switch between the two if that isn't too hard? Loving having the name and GUID in the report though. Keep up the good work!

