cm. (DayZ)

New Major BattlEye Anti-Cheat Features


I guess, there is nothing we can do against RADAR hacking or?

There is currently nothing much we can do about radar/ESP, teleporting, and infinite ammo. Basically any cheater utilizing a functional bypass can do anything they like client side. I also believe we still can't do anything about remote executions to/on other players. I'm hopeful we can eventually defeat all script based stuff, we'll likely never defeat anything utilizing DirectX.


My scripts.log has been spammed with this entry somewhere after midnight. Even after restarting the server it keeps occurring and my logfile is simply exploding in size. Does anyone have an idea what's going on and how to fix this (other than commenting out the corresponding line in scripts.txt)?


23.08.2012 12:57:02: <hidden> (<hidden>) <hidden> - #0 "e >> _type >> _classname >> "displayName");
null = _holder addAction [format[(localize "STR_DAYZ_CODE_1"),_name], "\z\addons\day"


My scripts.log has been spammed with this entry somewhere after midnight. Even after restarting the server it keeps occurring and my logfile is simply exploding in size. Does anyone have an idea what's going on and how to fix this (other than commenting out the corresponding line in scripts.txt)?


23.08.2012 12:57:02: <hidden> (<hidden>) <hidden> - #0 "e >> _type >> _classname >> "displayName");
null = _holder addAction [format[(localize "STR_DAYZ_CODE_1"),_name], "\z\addons\day"

Funny that this only happens to certain people. Think this could be the "ESP/Radar" hack? If so, I think we can figure out how to just "search/log" for only this... Just can't quite figure out if the issue is with Displayname or not.

Edited by Falcon911


Two new types of entries

22.08.2012 14:05:56: username (ip) guid - #3 "m1aark1Pods3=True;
While {m1aark1Pods3} do {
{
(group _x) addGroupIcon ["x_art"];
(group _x) setGroupIconParams [[1,0,0,1],forma"

Little ESP?

22.08.2012 15:04:14: username (ip) guid - #121 "0;}; private ['_dummy']; _dummy = [_this,'initDialog'] call compile preprocessFile    'hooray.sqf';                    _dummy = [_t"
22.08.2012 15:04:14: username (ip) guid - #2 "sqf";

};
_handled;
};
Missionstrr =(findDisplay 46) displayAddEventHandler ["keyDown", "_this call keyhandler"];"
22.08.2012 15:04:16: username (ip) guid - #0 "#line 1 "hello.sqf"

_veh = vehicle player;
_veh addaction ["A", "\dayztest\A.sqf"];
_veh addaction ["Remote CMD", "\dayztest\A"
22.08.2012 15:04:18: username (ip) guid - #9 "';
_veh addEventHandler+['handleDamage', { false }];
_veh allowDamage false;"
22.08.2012 15:04:18: username (ip) guid - #31 "line 1 "dayztest\A.sqf"
_veh = vehicle player;
_veh removeAllEventHandlers 'handleDamage';
_veh addEventHandler+['handleDamage'"
22.08.2012 15:04:20: username (ip) guid - #21 "_wtf = getposATL player;
wtf1 = "USBasicAmmunitionBox" createVehiclelocal ( position player );
wtf1 setposATL _plpos;
_dayz_we"

Looks like we see some invincibility and a crate spawn? Nice work Dwarden and whoever else may be contributing to the filters.

Edited by (OCN)Vortech


Funny that this only happens to certain people. Think this could be the "ESP/Radar" hack? If so, I think we can figure out how to just "search/log" for only this... Just can't quite figure out if the issue is with Displayname or not.

I doubt it since this entry has come up multiple times for nearly everyone on the server (even a buddy who doesn't hack for sure).
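Added example (not part of any post in this thread, and not BattlEye's code): a scripts.log triage that applies the reasoning in the reply above, where an entry that shows up for nearly every player points at the filter rather than at one player. The log is a constructed sample in the layout quoted in this thread; `parse_entries`, `triage` and the 0.5 threshold are assumptions, and the share is computed only over players who appear in the log.

```python
import re
from collections import defaultdict

# First line of an entry: date, time, name, (address), GUID, "- #index".
ENTRY = re.compile(
    r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}: (?P<name>.+) "
    r"\((?P<addr>[^()]*)\) (?P<guid>\S+) - #(?P<idx>\d+) "
)

# Constructed log in the layout shown in this thread; players and GUIDs are made up.
SAMPLE_LOG = r'''23.08.2012 12:57:02: alice (10.0.0.1:2304) guid-a - #0 "e >> _type >> _classname >> "displayName");
null = _holder addAction [format[(localize "STR_DAYZ_CODE_1"),_name], "\z\addons\day"
23.08.2012 12:57:09: bob (10.0.0.2:2304) guid-b - #0 "null = _holder addAction [format[(localize "STR_DAYZ_CODE_1"),_name], "\z\addons\day"
23.08.2012 12:58:11: carol (10.0.0.3:2304) guid-c - #0 "null = _holder addAction [format[(localize "STR_DAYZ_CODE_1"),_name], "\z\addons\day"
23.08.2012 12:58:30: alice (10.0.0.1:2304) guid-a - #0 "null = _holder addAction [format[(localize "STR_DAYZ_CODE_1"),_name], "\z\addons\day"
23.08.2012 13:02:18: dave (10.0.0.4:2304) guid-d - #9 "';
_veh addEventHandler+['handleDamage', { false }];
_veh allowDamage false;"
'''


def parse_entries(text):
    """Return [guid, filter index, snippet]; other lines continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m["guid"], int(m["idx"]), line[m.end():]])
        elif entries:
            entries[-1][2] += "\n" + line  # multi-line script snippet
    return entries


def triage(text, broad_share=0.5):
    """Per filter index: hit count, distinct players, and whether most players trip it."""
    hits, players, everyone = defaultdict(int), defaultdict(set), set()
    for guid, idx, _ in parse_entries(text):
        hits[idx] += 1
        players[idx].add(guid)
        everyone.add(guid)
    return {
        idx: {"hits": hits[idx], "players": len(players[idx]),
              "broad": len(players[idx]) / len(everyone) >= broad_share}
        for idx in sorted(hits)
    }


if __name__ == "__main__":
    for idx, row in triage(SAMPLE_LOG).items():
        print(f"#{idx}: {row}")
```

A filter marked `broad` is a candidate for a missing exception in scripts.txt; one that a single GUID trips is worth reading entry by entry.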


I doubt it since this entry has come up multiple times for nearly everyone on the server (even a buddy who doesn't hack for sure).

Yeap.


I think the new scripts.log spam is caused by the new BattlEye update. I don't see any changes to scripts.txt on the site for 2 days and this just started.


I've edited out the following (and coincidentally the first) line of scripts.txt. I doubt it's a good idea in the long run, but at least for now it gets rid of the spam.


1 addAction !"\"addAction\"," !"_action1 = _unit addAction [localize \"str_actions_medical_01" !"s_player_grabflare = player addAction [format[localize \"str_actions_medical_15\",_te" !"raddAction = 'addAction'" !"raddActioncode = compile PreprocessFile (BIS_PathMPscriptCommands + 'addAction.sqf')" !"null = _holder addAction [format[(localize \"STR_DAYZ_CODE_1\"),_name], \"z\addons\dayz_code\actions\object_pickup.sqf\"," !"NORRN_dropAction = player addAction [\"Drop body\", \"\z\addons\dayz_code\medical\drop_body.sqf\",_dragee, 0, false, true];" !"s_player_dropflare = player addAction [format[localize \"str_actions_medical_16\",_text],"

Edited by Frop


Can anyone tell me what this is doing?

#121 "e ['_dummy']; _dummy = [_this, "CA_VO_ToggleAdvanced"] call compile preprocessfilelinenumbers "\ca\ui\scripts\HideVideoOptions.s"


Can anyone tell me what this is doing?

#121 "e ['_dummy']; _dummy = [_this, "CA_VO_ToggleAdvanced"] call compile preprocessfilelinenumbers "\ca\ui\scripts\HideVideoOptions.s"

I've seen this one too and my uneducated guess would be that people are hiding the Advanced video options after they tried flushing their memory with the Video Memory setting.


The new .txts released last night seem to fix the spam problem of "STR_DAYZ_CODE_1".

Edited by Frop


Can someone explain why in the game does BattlEye kick a player for a line such as #213 when line 213 is

// not much of use //#+14

I presume that BE takes account of commented lines and therefore is reported the correct line in Scripts.txt?

I would like to see each line with an explanation of what it is intended to do.

For example what the heck does line 215 report? 1 "wuat\\" :)

As an IT engineer and not stupid, I can't find the documentation of these security lines on the BE web site or this forum.

Many thanks... :thumbsup:


Can someone explain why in the game does BattlEye kick a player for a line such as #213 when line 213 is

// not much of use //#+14

I presume that BE takes account of commented lines and therefore is reported the correct line in Scripts.txt?

I would like to see each line with an explanation of what it is intended to do.

For example what the heck does line 215 report? 1 "wuat\\" :)

As an IT engineer and not stupid, I can't find the documentation of these security lines on the BE web site or this forum.

Many thanks... :thumbsup:

Well you need to go back to school, do a little more research next time or take a programming class. Line 213 -1 So look at line 212. The -1 is due to the first line not being counted.

Try the below link over at BI there since they are the ones that created the new feature to assist you on the hackers.

http://forums.bistudio.com/showthread.php?138736-Introducing-Server-side-Event-Logging-Blocking

Easy up cowboy and do better research before coming on here and ranting like you did.


Obviously BE doesn't count commented lines, so the scripting team put +# behind the commented lines for convenience (for instance everything under a "#+10" line needs to have 10 subtracted to get to the kick reason, e.g. something on line 200 would be kick reason #190).

Edited by Frop
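Added example (not part of any post in this thread, and not BattlEye's code): a resolver from the `#N` in a log entry to the scripts.txt line it refers to, assuming, as the posts above describe, that `//` lines are not counted and the first filter is `#0`. The filter lines are a constructed sample, `index_filters` and `resolve` are hypothetical helper names, and skipping blank lines is an extra assumption.

```python
import re

# Constructed sample in the scripts.txt layout quoted in this thread
# (leading number, keyword, then !"..." exceptions). Not a real filter set.
SAMPLE_SCRIPTS_TXT = r'''// constructed header comment
1 addAction !"raddAction = 'addAction'"
1 allowDamage
// not much of use
1 "wuat\\"
1 setGroupIconParams
'''

LOG_INDEX = re.compile(r" - #(\d+) ")


def index_filters(text):
    """Return {filter index: (file line, offset, filter text)}.

    offset = file line - index, with 1-based line numbers (assumption): the
    amount to subtract from an editor line number to get the logged #N.
    """
    table, index = {}, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # comment (or blank) lines do not consume an index
        table[index] = (lineno, lineno - index, line)
        index += 1
    return table


def resolve(log_line, table):
    """Map the '#N' of one log entry to (index, file line, offset, filter text)."""
    m = LOG_INDEX.search(log_line)
    if m is None:
        return None
    index = int(m.group(1))
    if index not in table:
        # The log was written against a different scripts.txt than this one.
        return (index, None, None, None)
    return (index,) + table[index]


if __name__ == "__main__":
    filters = index_filters(SAMPLE_SCRIPTS_TXT)
    entry = '22.08.2012 15:04:18: username (ip) guid - #1 "_veh allowDamage false;"'
    print(resolve(entry, filters))
```

Resolve old log entries against the scripts.txt that was loaded when they were written; after a filter update the same `#N` can point at a different line.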


Is there any way, or is it possible to log who kills who? I don't mean to show in the game of course, but when I hear complaints about teleporting killers it would be so easy to catch if we had a log saying so and so killed so and so here.... because if you see 3 kills from one person all over the map in less than a minute then bam, we got them.


Is there any way, or is it possible to log who kills who? I don't mean to show in the game of course, but when I hear complaints about teleporting killers it would be so easy to catch if we had a log saying so and so killed so and so here.... because if you see 3 kills from one person all over the map in less than a minute then bam, we got them.

That would be nice...


Found this in my remoteexec.log. Hack or not?

24.08.2012 16:27:48: PLAYERNAME (IP) GUID - #0 "titleText ["Everybody stop and Dance!", "PLAIN"];"
24.08.2012 16:27:48: PLAYERNAME (IP) GUID - #13 "titleText ["Everybody stop and Dance!", "PLAIN"];"
24.08.2012 16:27:48: PLAYERNAME (IP) GUID - #0 "
player playMove 'ActsPercMstpSnonWnonDnon_DancingDuoIvan';
"
24.08.2012 16:27:48: PLAYERNAME (IP) GUID - #8 "
player playMove 'ActsPercMstpSnonWnonDnon_DancingDuoIvan';
"

I anonymized the name, IP and GUID in case that guy is innocent. But it looks like he executed a dance script. Am I right?


So....

Just got my own server a few days ago, and while perusing my createvehicle log, I found these.

25.08.2012 02:48:45: player2 (x.x.x.x.:xxxx) GUID - #0 "AmmoBoxBig" 22:29 [12301,3502,6]

25.08.2012 05:24:06: player (x.x.x.x.:xxxx) GUID - #0 "AmmoBoxSmall_762" 43:787 [4668,9595,339]

I'm pretty sure they spawned boxes, correct?

I also saw these and thought they looked strange.

"GrenadeHandTimedWest" 24:117 24:4 [4632,10485,340] [3,-7,0]

"PipeBomb" 75:144 75:4 [10772,8586,243] [0,0,0]

But out of these last 4, these 2 stood out the most to me as suspicious.

"HelicopterExploSmall" 70:84 0:0 [10076,8153,244] [0,0,0]

"HelicopterExploBig" 70:85 0:0 [10076,8153,245] [0,0,0]

Also, what should my remoteexec.txt have in it? It's pretty empty and it hasn't even created a log for it yet.

Edited by Nava


Hi chaps,

Found several of the following entries in my scripts.log (having used Dwarden's CBL filters):

21.08.2012 23:08:52: PLAYER_NAME (PLAYER_IP:PORT) PLAYER_GUID - #121 "private ['_dummy']; _dummy = [_this' date='onload'] call compile preprocessfile '\ca\ui\scripts\server_interface.sqf';"

I'm aware of kicks for accessing the in-game admin control panel (dedicatedServerInterface.sqf) but this is the first time I've seen log entries for server_interface.sqf, anyone got any thoughts? Not all players are logged, but some players are logged several times for this.

Cheers


Hi chaps,

Found several of the following entries in my scripts.log (having used Dwarden's CBL filters):

I'm aware of kicks for accessing the in-game admin control panel (dedicatedServerInterface.sqf) but this is the first time I've seen log entries for server_interface.sqf, anyone got any thoughts? Not all players are logged, but some players are logged several times for this.

Cheers

This one is the "map/briefing" screen that appears for a player before the mission starts (That is, the first few people who join the server after a restart will be logged with this), it is not a hack.

Edited by Geit

Earlier today I had a guy on my server picking up randoms in a chopper and ferrying them around, being an all around nice guy. Since he was solo prior to picking up people, I decided to check the logs for anything suspicious. The ONLY trace of him being on the server was this from createvehicle.log:

25.08.2012 16:05:28: PLAYERNAME (IP) GUID - #0 "Sniper1_DZ" 100:30 [1,0,0]

25.08.2012 16:06:10: PLAYERNAME (IP) GUID - #0 "Camo1_DZ" 100:36 [1,1,0]

I parsed the scripts.log and remoteexec.log for any other entries from his name, IP and GUID and there wasn't a single entry in either. I find it suspicious that there isn't a single entry from him in scripts.log and I was curious if anyone had any thoughts on this.


Earlier today I had a guy on my server picking up randoms in a chopper and ferrying them around, being an all around nice guy. Since he was solo prior to picking up people, I decided to check the logs for anything suspicious. The ONLY trace of him being on the server was this from createvehicle.log:

I parsed the scripts.log and remoteexec.log for any other entries from his name, IP and GUID and there wasn't a single entry in either. I find it suspicious that there isn't a single entry from him in scripts.log and I was curious if anyone had any thoughts on this.

I find it odd that someone would have a ghillie _and_ a camo suit on at the same time. Yesterday I had very strong indications someone was teleporting on our server, but I couldn't find anything in the logs except the fact he spawned in with two different backpacks at the same time (Assault and Coyote). I think I've seen screenshots here on the forum of hackers having multiple backpacks on them (I guess the spawn scripts don't take into account regular inventory restrictions), so I had to ban him. Better safe than sorry.
