Bypass Is Active Again: Prepare for a Busy Weekend

[ChernoPTA 160]

Good evening. We just had the most amusing experience on our server.

We had a player infiltrate one of our servers fortified positions via teleport. But unlike most script kiddie sob stories. This one taught us a little lesson about paying attention to who is actually around us by just hanging out amongst our watch tower group for awhile, completely just chilling right there with them with no weapons at all, til someone noticed "Oh wow that guy isn't one of us!"....silly I know.

Anyways, he was talking on direct comms after he was challenged, and was very pleasant but was completely immune to 3 people filling him with high caliber ammunition. He then dropped an AS50 and AS50 NATO round ammo in front of our sniper and said to take it as a gift...and then began to teleport around the camp after he was asked in direct comms how he was invulnerable.

He didn't hurt anyone, or do anything majorly disruptive but was obviously immune to any and all damage, and of course seemed to be able to move from position to position at will and was quite happy to demonstrate such to our amusement.

Overall, a nice guy, but still, evidence that the Bypass is back in action, and remoteexec.log cannot see it (he has no entries in that log) and even what he spawned right in front of our eyes was not picked up by createvehicle.log either. All I found for him in scripts.log is completely normal stuff that everyone else is generating, and our newest hack filters didn't see him doing anything out of the ordinary at all.

It is, unfortunately, not a ban I can uphold, under the server hosting rules, so I can't ban him permanently, cause I cannot substantiate it via log evidence, and unfortunately no one at the time was running Fraps and a screenshot of a guy standing there with some weapons at his feet is hardly damning evidence.

So be ready, looks like a fun weekend ahead, I at least hope you all run into someone as civil as we did.

Thanks and have a great weekend.

Edited August 18, 2012 by ChernoPTA

[Jasmer 77]

great -.- just after i thought the bypass was gone its back up and modified to re-bypass how fucking lovely looks like ill be having my hand on my internet cable most of my game play :)

[umandez 139]

Its not really possible to bypass the remote executions. You'll find that you just need to look at the logs alittle better.

[(OCN)Vortech 65]

Bypass is client-side all execution is server-side so check those new logs of yours and you'll get him sorted quickly. Since you didn't mention him being kicked repeatedly I'm imagine you haven't implemented the new logging.. Read this thread (http://forums.bistudio.com/showthread.php?138736-Introducing-Server-side-Event-Logging-Blocking&p=2207055) and you're on your way.

In the future after you ban a user on your local be sure to submit your findings to http://code.google.com/p/dayz-community-banlist/issues/entry so everyone else benefits as well. :thumbsup:

[nik21 287]

there is no such thing as "The bypass"......

[chisel 50]

So PM me his IGN, GUID and IP please.

Also all of you hanging around and all this going on and nobody had fraps going?

Edited August 18, 2012 by chisel

[ChernoPTA 160]

Its not really possible to bypass the remote executions. You'll find that you just need to look at the logs alittle better.

Thank you for your advice but I assure you that his name is no where in our remoteexec.log. At all. Period. He does not appear there.

He does appear in our RPT, Server_Console and Scripts.log, and in createvehicle.log, but everything there is completely typical entries that do not in any way support or report what we saw him doing while he was having a civil conversation with us after having three magazines from various weapons emptied into his torso. I'm quite competent at reading my logs, and Dwarden has made a great effort in making the new additions very easy to discern.

Far as there being no "THE" Bypass, I would agree that is "technically" correct, but there is one that is most often used and it is currently back online and currently undetectable, its not that hard to go find that kind of thing out for yourself if you simply use Google.

And no, unfortunately at the time no one was capping, it had been an uneventful few days other than normal server activity, thus the slightly relaxed attitude and people not paying attention to additional individuals showing up (its so hard to tell people apart after all, everyone sort of looks the same regardless of what they wear, hey its ghillie guy, camo man, suvivor dude, hero dude, towel face guy.) It only really dawned on them something was wrong when someone checked his nameplate and suddenly everyone opened up on him cause we knew he wasn't one of ours.

Far as PMing the info to you, I technically cannot do that, I have no evidence to support what we saw, and passing you his data would be a violation of data security and his privacy, for all intents and purposes. And believe me, I'd like to ban him, I don't like hacks, but if the server couldn't see this guy doing anything at all, I can't do anything at all other than post a warning about it.

Edited August 18, 2012 by ChernoPTA

[nik21 287]

Far as there being no "THE" Bypass, I would agree that is "technically" correct, but there is one that is most often used and it is currently back online and currently undetectable

There's much public BE-bypassers out in the Internet, most likely all of them are detected... even though there is also the "paid" stuff which remains as "undetected" for a bit longer. However, "undetectable" Stuff does not exist. Everything is detectable. If you believe the bullcrap these sites are talking, you should get into the stuff a bit better before you make posts about it.

[(OCN)Vortech 65]

Thank you for your advice but I assure you that his name is no where in our remoteexec.log. At all. Period. He does not appear there.

He does appear in our RPT, Server_Console and Scripts.log, and in createvehicle.log, but everything there is completely typical entries that do not in any way support or report what we saw him doing while he was having a civil conversation with us after having three magazines from various weapons emptied into his torso. I'm quite competent at reading my logs, and Dwarden has made a great effort in making the new additions very easy to discern.

Far as there being no "THE" Bypass, I would agree that is "technically" correct, but there is one that is most often used and it is currently back online and currently undetectable, its not that hard to go find that kind of thing out for yourself if you simply use Google.

The user in question was either not cheating or your files are dated/set up incorrectly. There is no bypass for server-side execution logging, period.

However, "undetectable" Stuff does not exist. Everything is detectable. If you believe the bullcrap these sites are talking, you should get into the stuff a bit better before you make posts about it.

Exactly.

[Dylon 8]

at my server rcon and logs 24/7 check out this for some help with enabling good script detections on your server.

http://forums.bistudio.com/showthread.php?138736-Introducing-Server-side-Logging-Blocking

http://forums.bistudio.com/showthread.php?131759-New-BattlEye-features-for-server-admins

[umandez 139]

You'll find they will recieve a global Battleye ban soon enough any way as Battleye will detect memory editing there is just a delay with the bans.

This terminator script everyone is going on about (Godmode) does anyone know how it works exactly?

[kawaiigirl42069666xxxxxx 34]

Teleport and GM are self only scripts, plenty (all?) of these are still unlogged and undetected. Self heal, repairing vehicles, spawning weapons (directly to themselves, not in a crate), etc. are still around also. The new logs pick up global things, like morphing users, spawning vehicles, mass teleporting, etc..

[nik21 287]

Teleport and GM are self only scripts, plenty (all?) of these are still unlogged and undetected. Self heal, repairing vehicles, spawning weapons (directly to themselves, not in a crate), etc. are still around also. The new logs pick up global things, like morphing users, spawning vehicles, mass teleporting, etc..

http://forums.bistudio.com/showthread.php?131759-New-BattlEye-features-for-server-admins - Read again.

[gregrmrz 4]

if (isNil "igodokxtt") then {igodokxtt = 0;};
if (igodokxtt==0) then
{
(vehicle player) removeAllEventHandlers "handleDamage";
(vehicle player) addEventHandler ["handleDamage", { false }];
(vehicle player) allowDamage false;
igodokxtt=1;
hint "GOD mode ON";
sleep 0.001;
}
else
{

(vehicle player) addEventHandler ["handleDamage", { true }];
(vehicle player) removeAllEventHandlers "handleDamage";
(vehicle player) allowDamage true;
igodokxtt=0;
hint "YOU ARE NO LONGER GOD";
sleep 0.001;
};

Godmode script for those curious

[KField86 237]

if (isNil "igodokxtt") then {igodokxtt = 0;};
if (igodokxtt==0) then
{
(vehicle player) removeAllEventHandlers "handleDamage";
(vehicle player) addEventHandler ["handleDamage", { false }];
(vehicle player) allowDamage false;
igodokxtt=1;
hint "GOD mode ON";
sleep 0.001;
}
else
{

(vehicle player) addEventHandler ["handleDamage", { true }];
(vehicle player) removeAllEventHandlers "handleDamage";
(vehicle player) allowDamage true;
igodokxtt=0;
hint "YOU ARE NO LONGER GOD";
sleep 0.001;
};

Godmode script for those curious

Thanks man. Will save this so I can remember what to look out for, and as something to compare to.

[jwiechers 92]

Overall, a nice guy, but still, evidence that the Bypass is back in action, and remoteexec.log cannot see it (he has no entries in that log) and even what he spawned right in front of our eyes was not picked up by createvehicle.log either. All I found for him in scripts.log is completely normal stuff that everyone else is generating, and our newest hack filters didn't see him doing anything out of the ordinary at all.

Why would he appear in remote exec?

From what you told us he did absolutely nothing that would appear in remoteexec.log. Everything he did would show up only in createvehicle.log or scripts.log.

You simply do not understand how these files work.

It is completely impossible to bypass the logging of remote executions and create vehicle calls unless the server itself is tampered with.

[Razzle Dazzle 49]

you dont need any proof just ban is hacking ass , you are the server admin and you saw it with your own eyes that is proof

[ChernoPTA 160]

Why would he appear in remote exec?

From what you told us he did absolutely nothing that would appear in remoteexec.log. Everything he did would show up only in createvehicle.log or scripts.log.

You simply do not understand how these files work.

It is completely impossible to bypass the logging of remote executions and create vehicle calls unless the server itself is tampered with.

He was in createvehicle and scripts log. Both files were showing completely typical entries for the individual....this is why I am reporting it Jwiechers, not because I'm an idiot that doesn't know what I'm looking at. I mentioned remoteexec simply because it was obvious that nothing was logging any remote script executions.

And the logs he did appear in....he wasn't doing anything unnatural. Createvehicle has an entry for his Backpack and Camo_Suit but everyone that logs in gets that info written to our createvehicle regardless of it supposedly being filtered.

Scripts log was the same thing everyone else was generating, absolutely nothing stood out as atypical.

I appreciate being told I'm an idiot though when I'm simply trying to use the tools we have to report a fact that someone did some rather incredible things and none of the tools we do have saw any of it, just 4 players.

Have a nice day.

[tomfazz 3]

Someone tried to get me to download this thing via skype and run it. I searched it up and i got this link, glad i didn't do anything stupid.

[urbanfox 116]

There's much public BE-bypassers out in the Internet, most likely all of them are detected... even though there is also the "paid" stuff which remains as "undetected" for a bit longer. However, "undetectable" Stuff does not exist. Everything is detectable. If you believe the bullcrap these sites are talking, you should get into the stuff a bit better before you make posts about it.

Exactly.

How people get banned: Use bypass, BattlEye update comes out, use bypass again before it is updated, BAN

How people don't get banned: use bypass, BattlEye update comes out, wait for bypass to be updated, use bypass

Creating and updating a bypasser is pretty easy. The only reason people are being constantly banned is because they are idiots who don't understand how the bypass works. The "paid" stuff doesn't remain undetected longer, it just gets updated faster.

What I just said may sound pretty hopeless, but BattlEye has done a pretty darn good job on constantly updating and catching these loop holes as well as implementing new logging features.

Education > misconceptions

[nik21 287]

How people don't get banned: use bypass, BattlEye update comes out, wait for bypass to be updated, use bypass

As a side note:

BE doesen't neccessarily need Client and/ or server updates in order to detect a bypass.

BE is also able to do so called "silent detections", which means that everyone using a specific cheat is being logged for a certain period. All those being logged get banned at once. This prevents cheaters from warning each other in their forums (other anticheats like VAC or PB are using the same tactic).

[urbanfox 116]

As a side note:

BE doesen't neccessarily need Client and/ or server updates in order to detect a bypass.

BE is also able to do so called "silent detections", which means that everyone using a specific cheat is being logged for a certain period. All those being logged get banned at once. This prevents cheaters from warning each other in their forums (other anticheats like VAC or PB are using the same tactic).

It needs an update to detect a new bypass, it can't detect new things on the fly unfortunately.

[(OCN)Vortech 65]

How people get banned: Use bypass, BattlEye update comes out, use bypass again before it is updated, BAN

How people don't get banned: use bypass, BattlEye update comes out, wait for bypass to be updated, use bypass

Creating and updating a bypasser is pretty easy. The only reason people are being constantly banned is because they are idiots who don't understand how the bypass works. The "paid" stuff doesn't remain undetected longer, it just gets updated faster.

What I just said may sound pretty hopeless, but BattlEye has done a pretty darn good job on constantly updating and catching these loop holes as well as implementing new logging features.

Education > misconceptions

I'm not clear on why you quoted my exactly out of context..? Post was an interesting read.. So it seems, assumptions =/= education > misconceptions

As a side note:

BE doesen't neccessarily need Client and/ or server updates in order to detect a bypass.

BE is also able to do so called "silent detections", which means that everyone using a specific cheat is being logged for a certain period. All those being logged get banned at once. This prevents cheaters from warning each other in their forums (other anticheats like VAC or PB are using the same tactic).

It needs an update to detect a new bypass, it can't detect new things on the fly unfortunately.

I think what you mean by "silent detection's" is silent update. BE loves to troll cheaters by rolling out incremental updates without changing versions. Rather sneaky and I rather enjoy it :D

[urbanfox 116]

I'm not clear on why you quoted my exactly out of context..? Post was an interesting read.. So it seems, assumptions =/= education > misconceptions

You were quoted on accident. typo > assumptions

[nik21 287]

It needs an update to detect a new bypass, it can't detect new things on the fly unfortunately.

It can.

"BE Client is using innovative, sophisticated detection routines, such as entirely dynamic on-the-fly scanning being controlled by the BE Master Server, advanced debugging techniques and full scanning of relocatable memory"

http://www.battleye.com/info.html