cm. (DayZ)

New Major BattlEye Anti-Cheat Features


Hey, is BIS_RscMiniMap a script that is bannable?

No, not by itself. This is the Map displayed by the GPS system. Dwarden included this in order to do some cross-checking, but it will likely be added to the whitelist.


Edit: I think this is also solved with the new remoteexec.txt, right?

It should be, but I'll be looking into it again tonight. (same goes for the other snippets here)

Edited by jwiechers


Should we look at anything related to AmmoBoxes (especially AmmoBoxBig) as a potential hacker?

Spawns of AmmoBoxBig are almost certainly coming from a cheater.

Edited by jwiechers
  • Like 1


Question: with the latest scripts.txt from day.community.banlist I sometimes see this script spawn the following (mailed it also)

14.08.2012 05:04:11: (xxxxxxxxx (178.xxxxx04) 1e828dfedexxxxxxxxxxx9ed3b6 - #68 "= _type createVehicleLocal _position;

_object setPos _position;

_object setDir _dir;

_object allowD"

14.08.2012 05:04:11: (xxxxxxxxxxxxxx(178.5.xxx4) 1e828dfede4axxxxed3b6 - #21 "(_config >> "onFire");

_object = _type createVehicleLocal _position;

_object setPos _position;

_ob"

Is this cheating?

The log is also going very fast, the whole script spawns a lot:

if (!isDedicated) then {

_config = configFile >> "CfgLoot";

"

14.08.2012 05:05:22:xxxx (9xxx314) 0ae526a525xxx11c923d1c0c75 - #41 "de\compile\object_vehicleKilled.sqf";

object_setHitServer = compile preprocessFileLineNumbers "\z"

14.08.2012 05:05:22: xxx (94.209.163.137:2314) 0ae5xxxx64dc0bfe211c923d1c0c75 - #132 "ddons\dayz_code\init\compiles.sqf"

Is 'whitelisting' a way to clear this up, or does it tell something... I now always use the latest files posted on http://code.google.c...munity-banlist/ Very nice way btw! Keep it up!

Edited by paniohitus


The lack of information about createvehicle.txt is creating confusion. Are we saying entries in this log are coming from users triggering 'hot spots' causing items to appear? If so, why is the log so small?

Also if the above is true, are we accepting anything that is in the game as a normal item as ok, and items that are not as cheats? How do we know what people are not scripting them in?


13.08.2012 16:26:57: <player name> (<IP address>) <GUID> - #0 "G_40mm_HE" 870:399 870:312 [6674,2362,7] [14,-76,16]
13.08.2012 16:27:35: <player name> (<IP address>) <GUID> - #0 "PipeBomb" 870:403 870:312 [6672,2301,6] [0,0,0]

The pipe bomb line appears 7 times within the space of 4 minutes.


The lack of information about createvehicle.txt is creating confusion. Are we saying entries in this log are coming from users triggering 'hot spots' causing items to appear? If so, why is the log so small?

Heh, we don't know all that much more, either :D

The log is so small because a lot of the typical stuff has been whitelisted (and I've actually whitelisted a few of the things that Dwarden had still on report because they largely confuse people and it would not be possible for us to effectively investigate them at the moment, anyway). If legitimate items are illegitimately spawned in, we should still catch them via the scripts.txt logging.

I'm still waiting on a word from Dwarden (or rather, a chance to catch him on IRC) on a number of the snippets here since I can't entirely rule out that they're genuine.

On the subject of the TT5 compile, that is definitely illegitimate, but it is also being executed on remote hosts -- so banning people with that is currently not advisable because a cheater could cause the entire server to execute it.

We'll get there, though.


Here's an interesting little excerpt from my remoteexec.txt log.

13.08.2012 16:53:59: Name Removed (IP Removed) GUID Removed - #0 "TitleText [format['One of these days, Alice...Pow! Right to the MOON!'], 'PLAIN DOWN'];

player setPos [1234, 5678, 900];

Please tell me I can ban this piece of shit.


I've been collecting logging since those scripts were published. Who would be interested in sifting through those? I could upload an archive every few days.


Here's an interesting little excerpt from my remoteexec.txt log.

13.08.2012 16:53:59: Name Removed (IP Removed) GUID Removed - #0 "TitleText [format['One of these days, Alice...Pow! Right to the MOON!'], 'PLAIN DOWN'];

player setPos [1234, 5678, 900];

Please tell me I can ban this piece of shit.

I believe that's just teleported someone into the air.


I believe that's just teleported someone into the air.

That's what I was thinking at first, but that line only showed up for him, and I compared it to my scripts.log during that time frame, and again.. only him. Which leads me to believe maybe he executed it? Besides that, he has

13.08.2012 16:48:23: NAME (IP) GUID - #0 "

if (isServer) then {

_dsasadsa = createVehicle ['TT650_Civ', [-18563.4, 25833.9, 0], [], 0, 'CAN_COLLIDE'];

_dsasadsa setVariable ['ObjectID', 3374.19, true];

I'm wondering, since this was after the createvehicle.txt file was uploaded, whether these were events he was auto-kicked for. Still don't understand the whole thing clearly. I guess I should have played some arma before dayz :x


I would just ban him - the createVehicle is enough.

Getting my head around the code for teleporting someone, he must have called via a script, can you search for teleport?


Will report back if I find anything.

Btw, this is what happened during the Alice Pow! line...

13.08.2012 16:51:22: blkboi () GUID - #0 "if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

13.08.2012 16:51:55: blkboi () GUID - #0 "{ if((getPlayerUID _x) == '31908486') then { _x hideObject true; }; } forEach playableUnits;"

13.08.2012 16:52:00: blkboi () GUID - #0 "if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

13.08.2012 16:53:31: blkboi () GUID- #0 "if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

13.08.2012 16:53:37: blkboi () GUID - #0 "{ if((getPlayerUID _x) == '31908486') then { _x hideObject false; }; } forEach playableUnits;"

13.08.2012 16:53:59: blkboi () GUID- #0 "TitleText [format['One of these days, Alice...Pow! Right to the MOON!'], 'PLAIN DOWN'];

player setPos [1234, 5678, 900];

Maybe that will help some people crack this.

Edited by KField86


Here is a batch file that updates the filters. I run this along with the job that kills and restarts the arma 2 server.

You just need a copy of curl on your drive somewhere.

http://curl.haxx.se/...atic-bin-w64.7z

Edit the batch files accordingly. Here is the code:


set a2oapath="C:\Program Files (x86)\Steam\steamapps\common\arma 2 operation arrowhead\cfgdayz\battleye"
set curlpath="C:\Users\Administrator\Desktop\curl"

%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/createvehicle.txt -o %a2oapath%\createvehicle.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/remoteexec.txt -o %a2oapath%\remoteexec.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/scripts.txt -o %a2oapath%\scripts.txt

If you want to do this with a managed server you'd normally have to upload the files manually. BUT here is a batch file you can run that does it quickly without interaction on your part. I didn't test this at all :( but it looks about right :) You will still need curl downloaded and in a folder on your desktop:


set curlpath="C:\Users\Administrator\Desktop\curl"
set ftpurl="ftp://myhost/pathforbattleyefiles/"
set ftpuserpass="myuser:mypass"

%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/createvehicle.txt -o %temp%\createvehicle.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/remoteexec.txt -o %temp%\remoteexec.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/scripts.txt -o %temp%\scripts.txt

%curlpath%\curl.exe -T "{%temp%\createvehicle.txt,%temp%\remoteexec.txt,%temp%\scripts.txt}" %ftpurl% --user %ftpuserpass%

Edited by Hohlraum


Thanks Hohlraum! I appended your script with a little FTP session to my managed server.

Edited by Frop


So.. does this script appear every time someone loots the ammo box, or for only the person who spawns it? The reason I'm asking is this comes up for multiple people in my createvehicle.log

14.08.2012 13:27:56: Dzeaz (IP Removed) a42245fce82e8b148dba01701ff67533 - #0 "AmmoBoxBig" 148:9 [6459,7775,303]

Also, the same line except "SeaGull". WTF is seagull? Lol. I know wiechers said that this is 99% an illegitimate player(AmmoBoxBig), but I want to be sure before I shell out more bans. I've banned over a dozen people in the last 30 minutes of searching all for createvehicle scripts among other things.. it's getting ridiculous now lol.

Edited by KField86


I updated my post to include a local batch you can run that will update your files automatically if your dayz server is hosted and supports ftping battleye files. You'll still need to refresh your server manually though unless your host automatically detects new files and does so for you.


So.. does this script appear every time someone loots the ammo box, or for only the person who spawns it? The reason I'm asking is this comes up for multiple people in my createvehicle.log

14.08.2012 13:27:56: Dzeaz (IP Removed) a42245fce82e8b148dba01701ff67533 - #0 "AmmoBoxBig" 148:9 [6459,7775,303]

Also, the same line except "SeaGull". WTF is seagull? Lol. I know wiechers said that this is 99% an illegitimate player(AmmoBoxBig), but I want to be sure before I shell out more bans. I've banned over a dozen people in the last 30 minutes of searching all for createvehicle scripts among other things.. it's getting ridiculous now lol.

FYI the #0 before the ammobox means someone opened one. Not created the AmmoBox. Remember downed choppers have AmmoBoxBig!! You might want to unban those guys. I stand corrected.

Ammo boxes are at crashed choppers. However does #0 mean opened or spawned? I am guessing that means opened...

See my reference below

http://forums.bistudio.com/showthread.php?138736-Introducing-Server-side-Event-Logging-Blocking

Edited by Falcon911


Will report back if I find anything.

Btw, this is what happened during the Alice Pow! line...

13.08.2012 16:51:22: blkboi () GUID - #0 "if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

13.08.2012 16:51:55: blkboi () GUID - #0 "{ if((getPlayerUID _x) == '31908486') then { _x hideObject true; }; } forEach playableUnits;"

13.08.2012 16:52:00: blkboi () GUID - #0 "if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

13.08.2012 16:53:31: blkboi () GUID- #0 "if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

13.08.2012 16:53:37: blkboi () GUID - #0 "{ if((getPlayerUID _x) == '31908486') then { _x hideObject false; }; } forEach playableUnits;"

13.08.2012 16:53:59: blkboi () GUID- #0 "TitleText [format['One of these days, Alice...Pow! Right to the MOON!'], 'PLAIN DOWN'];

player setPos [1234, 5678, 900];

Maybe that will help some people crack this.

Thunderdome - ban.


Here is a batch file that updates the filters. I run this along with the job that kills and restarts the arma 2 server.

You just need a copy of curl on your drive somewhere.

http://curl.haxx.se/...atic-bin-w64.7z

Edit the batch files accordingly. Here is the code:


set a2oapath="C:\Program Files (x86)\Steam\steamapps\common\arma 2 operation arrowhead\cfgdayz\battleye"
set curlpath="C:\Users\Administrator\Desktop\curl"

%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/createvehicle.txt -o %a2oapath%\createvehicle.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/remoteexec.txt -o %a2oapath%\remoteexec.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/scripts.txt -o %a2oapath%\scripts.txt

If you want to do this with a managed server you'd normally have to upload the files manually. BUT here is a batch file you can run that does it quickly without interaction on your part. I didn't test this at all :( but it looks about right :) You will still need curl downloaded and in a folder on your desktop:


set curlpath="C:\Users\Administrator\Desktop\curl"
set ftpurl="ftp://myhost/pathforbattleyefiles/"
set ftpuserpass="myuser:mypass"

%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/createvehicle.txt -o %temp%\createvehicle.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/remoteexec.txt -o %temp%\remoteexec.txt
%curlpath%\curl.exe http://dayz-community-banlist.googlecode.com/git/filters/scripts.txt -o %temp%\scripts.txt

%curlpath%\curl.exe -T "{%temp%\createvehicle.txt,%temp%\remoteexec.txt,%temp%\scripts.txt}" %ftpurl% --user %ftpuserpass%

Thank you!! I have only 1 problem. He downloads the files, but the last step he didn't get management (it's Curl I guess):

curl: Can't open 'F:ProgrammasDayzscriptscurltempcreatevehicle.tx

curl: try 'curl --help' or 'curl --manual' for more information

curl: Can't open 'F:ProgrammasDayzscriptscurltempremoteexec.txt'!

curl: try 'curl --help' or 'curl --manual' for more information

curl: Can't open 'F:ProgrammasDayzscriptscurltempscripts.txt'!

curl: try 'curl --help' or 'curl --manual' for more information

The paths are correct, but he deletes the slashes. I also had this problem with the 'temp', so I tried this, same problem. But the files are downloaded, that's already very nice!!!


FYI the #0 before the ammobox means someone opened one. Not created the AmmoBox. Remember downed choppers have AmmoBoxBig!! You might want to unban those guys.

I haven't banned anyone with this yet until I received word from someone who knows more than me. Thanks for the info!

The people I banned were all caught with createvehicle / vehicle spawn scripts. Not this particular ammobox spawn. This was just something I noticed.

Edited by KField86


Thunderdome - ban.

Already done. One of these days Alice. POW! Straight to the ban list.

Here's his GUID if you'd like to update your list. Poor bastard doesn't deserve to be on any servers.

561ef5610852dc3bc67b0bd4a1c82475

Edited by KField86


So.. does this script appear every time someone loots the ammo box, or for only the person who spawns it? The reason I'm asking is this comes up for multiple people in my createvehicle.log

Once something is spawned, it is spawned.

Also, the same line except "SeaGull". WTF is seagull? Lol. I know wiechers said that this is 99% an illegitimate player(AmmoBoxBig), but I want to be sure before I shell out more bans. I've banned over a dozen people in the last 30 minutes of searching all for createvehicle scripts among other things.. it's getting ridiculous now lol.

SeaGull is a model (or vehicle in the logic of ARMA). It is possible that someone spawns as a seagull or a crow due to a server load bug, but mostly, this is used by cheaters. You should not ban for it, but anyone spawning as a seagull will be kicked.

  • Like 1


Once something is spawned, it is spawned.

SeaGull is a model (or vehicle in the logic of ARMA). It is possible that someone spawns as a seagull or a crow due to a server load bug, but mostly, this is used by cheaters. You should not ban for it, but anyone spawning as a seagull will be kicked.

I understand the bit about once it's spawned, it's spawned.. but what I don't understand fully is how to tell WHEN it is spawned, versus when it is just looted by maybe a passerby, which is clearly something I don't intend to ban for. I obviously want to ban the person doing it. Someone else already said that if #0 comes at the start of the line, it means it's just been looted. What do I need to look for to distinguish it between being looted versus being spawned, I guess that's what I need to understand. Someone also said Ammoboxbig also spawns at chopper crashes? I thought those were small ammo boxes? Like your typical one that contains maybe 7.62 ammo for DMR/M24/SVD, etc etc. Last thing I want is any false bans. I avoid that by any means necessary.

The seagull thing auto-kicking is good though. I read in a post that this was generally malicious most of the time, so as long as it auto-kicks I don't care all that much, unless it circumvents the kick & still gets through.

Thanks for all your help, Wiechers.

Edited by KField86


FYI the #0 before the ammobox means someone opened one. Not created the AmmoBox. Remember downed choppers have AmmoBoxBig!! You might want to unban those guys. I stand corrected.

I was just about to. ;-)

The legitimate ammo boxes are AmmoBoxSmall_556 and AmmoBoxSmall_762. AmmoBoxBig is significantly different.

Ammo boxes are at crashed choppers. However does #0 mean opened or spawned? I am guessing that means opened...

It may mean both, although given that people are kicked for this violation, the script will not be processed. That means there will be no ammobox for someone else to open.

Edited by jwiechers
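
The triage guidance given across this thread (AmmoBoxBig worth reviewing, SeaGull kick-only, AmmoBoxSmall_556 and AmmoBoxSmall_762 legitimate, and repeated spawns such as the PipeBomb lines), as an added example that is not part of any post or of the banlist project: a Python parser for the createvehicle.log layout quoted above that groups findings per GUID. The verdict labels, the `burst` and `window` thresholds and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout taken from the createvehicle.log lines quoted in this thread:
# DD.MM.YYYY HH:MM:SS: name (ip) guid - #filter "ClassName" ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (?P<name>.*) '
    r'\((?P<ip>[^()]*)\) (?P<guid>[0-9a-f]{32}) - #(?P<rule>\d+) "(?P<cls>[^"]+)"')

# Verdicts follow what the thread says; they are review hints, not ban decisions.
POLICY = {"AmmoBoxBig": "review", "SeaGull": "kick-only"}
LEGIT = {"AmmoBoxSmall_556", "AmmoBoxSmall_762"}


def parse(text):
    """Yield (timestamp, guid, class) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S")
            yield ts, m["guid"], m["cls"]


def triage(text, burst=5, window=timedelta(minutes=5)):
    """Return {guid: sorted [(class, verdict)]}. burst/window are assumed thresholds."""
    findings = defaultdict(set)
    stamps = defaultdict(list)
    for ts, guid, cls in parse(text):
        if cls in LEGIT:
            continue
        if cls in POLICY:
            findings[guid].add((cls, POLICY[cls]))
        stamps[(guid, cls)].append(ts)
    for (guid, cls), times in stamps.items():
        times.sort()
        # Sliding window: `burst` entries of one class from one GUID inside `window`.
        if any(times[i + burst - 1] - times[i] <= window
               for i in range(len(times) - burst + 1)):
            findings[guid].add((cls, "burst"))
    return {guid: sorted(found) for guid, found in findings.items()}


# Constructed sample data (names, addresses and GUIDs are made up).
GUID_A, GUID_B, GUID_C, GUID_D = ("a" * 32, "b" * 32, "c" * 32, "d" * 32)
SAMPLE_LOG = "\n".join(
    [f'14.08.2012 13:27:56: PlayerA (192.0.2.10:2304) {GUID_A} - #0 "AmmoBoxBig" 148:9 [6459,7775,303]',
     f'14.08.2012 13:30:02: Player (B) (192.0.2.11:2304) {GUID_B} - #0 "SeaGull" 150:2 [100,200,3]',
     f'14.08.2012 13:31:40: PlayerD (192.0.2.13:2304) {GUID_D} - #0 "AmmoBoxSmall_556" 151:4 [1,2,3]',
     "14.08.2012 13:32:00: truncated line without a class name"]
    + [f'14.08.2012 16:2{i}:35: PlayerC (192.0.2.12:2304) {GUID_C} - #0 "PipeBomb" 870:40{i} [6672,2301,6]'
       for i in range(5)])

print(triage(SAMPLE_LOG))
```

Each flagged GUID still needs cross-checking against scripts.log and remoteexec.log for the same time frame before any ban, as the replies above do by hand.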
