(OCN)Vortech 65 Posted August 28, 2012 (edited)

Players started mentioning a teleporter running around and shooting at them.. One player in our VOIP said someone popped out of nowhere but she got the best of him. She inspected his body, took some nice gear, inspected the body (this server is nametag off), and moved on. Moments later he snuck up on her again and she claims he looked to have the same gun. Lucky for us she got the name so I had something specific to look for. I noticed something that I think could be helpful:

BEC Log
16:50:25 : Player #5 USRNAME (IP) connected
16:50:26 : Player #5 USRNAME - USRNAME: GUID (unverified)
16:50:26 : Verified USRNAME (GUID) of player #5 USRNAME
16:58:23 : Player #5 USRNAME disconnected
16:58:46 : Player #5 USRNAME (IP) connected
16:58:47 : Player #5 USRNAME - USRNAME: GUID (unverified)
16:58:47 : Verified USRNAME (GUID) of player #5 USRNAME

*.RPT Log
2012/08/27, 16:51:39 "LOGIN ATTEMPT: "PID" USRNAME"
2012/08/27, 16:51:40 "READ/WRITE: ['PASS',false,'29748204',[82,[9708.16,1994.9,0.534232]],[["ItemFlashlight"],["ItemPainkiller","ItemBandage"]],["DZ_Patrol_Pack_EP1",[[],[]],[[],[]]],[5,9,9],Bandit1_DZ,0.94]"
2012/08/27, 16:51:40 "LOGIN LOADED: B 1-1-A:40 (USRNAME) REMOTE Type: Survivor1_DZ"
2012/08/27, 16:51:41 Server: Object 54:6 not found (message 94)
2012/08/27, 16:51:41 "READ/WRITE: ['PASS',[false,false,false,false,false,false,false,12000,[],[0,0],0,[18.68,19.5579]],[0,0,0,0],["","amovpercmstpsnonwnondnon",37],[82,[9708.16,1994.9,0.534232]],-88853]"
2012/08/27, 16:51:41 "LOGIN PUBLISHING: B 1-3-H:1 (USRNAME) REMOTE Type: Bandit1_DZ"
2012/08/27, 16:55:34 "PDEATH: Player Died PID"
2012/08/27, 16:55:41 "DISCONNECT START (i): USRNAME ("PID") Object: 2c16e040# 1087266: man_bandit.p3d REMOTE"
2012/08/27, 16:55:53 "LOGIN ATTEMPT: "PID" USRNAME"
2012/08/27, 16:55:56 "READ/WRITE: ['PASS',false,'29748204',[345,[10516.3,2242.06,0.00143862]],[["ItemFlashlight"],["ItemPainkiller"]],["DZ_Patrol_Pack_EP1",[[],[]],[[],[]]],[9,13,13],"Bandit1_DZ",0.94]"
2012/08/27, 16:55:56 "LOGIN LOADED: B 1-1-A:18 (USRNAME) REMOTE Type: Survivor1_DZ"
2012/08/27, 16:55:57 Server: Object 54:29 not found (message 94)
2012/08/27, 16:55:57 "READ/WRITE: ['PASS',[false,false,false,false,false,false,true,7817.48,[],[0.921826,0],0,[117.155,126.888]],[0,0,0,0],["","amovpercmrunsnonwnondf",39],[345,[10516.3,2242.06,0.00143862]],-88853]"
2012/08/27, 16:55:57 "LOGIN PUBLISHING: B 1-2-I:1 (USRNAME) REMOTE Type: Bandit1_DZ"

So at 16:50:25 the player is logged by BEC, at 16:51:39 the player connects to the game, yet there is NO TRACE OF HIM in createvehicle EVER. To clarify, we can see this player is a bandit but there is NO trace of him in createvehicle. Which would look like:

DATE TIME: USRNAME (IP) GUID - #0 "BanditW1_DZ" ##:## [#,#,#]

Both DZ_Patrol_Pack_EP1 and Survivor1_DZ are not logged but the skin BanditW1_DZ is and there should be an entry for this player. So this is a leap but I'm guessing after the handshake his bypass goes into effect and BE can't see him so nothing he does gets logged? If so, then theoretically someone could make a parser that sweeps the *.RPT or BEC.log and compares it against createvehicle.log? While very primitive it might help us..

Parse *.RPT or BEC.log then compare against createvehicle.log? What do you guys think?

PS - He isn't the only one, his buddy is in my BEC log but never appears in the *.RPT or createvehicle.. Which I don't even understand how that happens. He connected under one name, switched to another.. Never shows up in anything but BEC.log on either. I will continue to review the logs on the other Korean players.

Edited August 29, 2012 by (OCN)Vortech
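The comparison proposed in the post above, as an added example (not code from the thread or from BEC/BattlEye): it flags players who connect in BEC.log but never publish in the *.RPT, and players who publish with a skin expected to be logged but have no createvehicle.log entry. The line shapes follow the excerpts in the post; the sample names, addresses, GUIDs, the createvehicle.log date format and the `logged_skins` default are assumptions.

```python
import re

# Line shapes are taken from the excerpts in the post; the createvehicle.log
# shape is the one the poster says an entry "would look like".
BEC_CONNECT = re.compile(r'^\d\d:\d\d:\d\d : Player #\d+ (?P<name>.+) \([^)]*\) connected$')
RPT_PUBLISH = re.compile(r'"LOGIN PUBLISHING: .*? \((?P<name>.+)\) REMOTE Type: (?P<skin>\w+)"')
CV_ENTRY = re.compile(r'^\S+ \S+: (?P<name>.+) \([^)]*\) \S+ - #\d+ "[^"]+"')

def correlate(bec_lines, rpt_lines, cv_lines, logged_skins=("Bandit1_DZ",)):
    """Return {player name: finding} for players missing from a later log.

    The player name is the only key present in all three excerpts (the *.RPT
    carries a PID, not the BE GUID), so a mid-session rename splits a player.
    logged_skins is an assumption: skins whose spawn should be logged.
    """
    connected = {m["name"] for l in bec_lines if (m := BEC_CONNECT.search(l.strip()))}
    published = {}
    for line in rpt_lines:
        if (m := RPT_PUBLISH.search(line)):
            published.setdefault(m["name"], set()).add(m["skin"])
    created = {m["name"] for l in cv_lines if (m := CV_ENTRY.search(l.strip()))}

    findings = {}
    for name in sorted(connected | set(published)):
        skins = published.get(name)
        if skins is None:
            findings[name] = "BEC.log only, never published in *.RPT"
        elif skins & set(logged_skins) and name not in created:
            findings[name] = "published in *.RPT, no createvehicle.log entry"
    return findings

# Constructed sample data: names, addresses and GUIDs are placeholders.
BEC = """\
16:50:25 : Player #5 Mallory (203.0.113.7:2304) connected
16:50:40 : Player #6 Alice (203.0.113.8:2304) connected
16:50:55 : Player #7 Bob (203.0.113.9:2304) connected
16:51:02 : Player #8 Trent (203.0.113.10:2304) connected
16:58:23 : Player #5 Mallory disconnected""".splitlines()
RPT = """\
2012/08/27, 16:51:41 "LOGIN PUBLISHING: B 1-3-H:1 (Mallory) REMOTE Type: Bandit1_DZ"
2012/08/27, 16:52:10 "LOGIN PUBLISHING: B 1-1-B:1 (Alice) REMOTE Type: Bandit1_DZ"
2012/08/27, 16:52:30 "LOGIN PUBLISHING: B 1-1-C:1 (Bob) REMOTE Type: Survivor1_DZ"
""".splitlines()
CREATEVEHICLE = """\
27.08.2012 16:52:10: Alice (203.0.113.8:2304) GUID_A - #0 "BanditW1_DZ" 3:12 [9708,1994,0]
""".splitlines()

if __name__ == "__main__":
    for player, finding in correlate(BEC, RPT, CREATEVEHICLE).items():
        print(f"{player}: {finding}")
```

A hit is a lead for manual review: other replies in this thread report inconsistent kicks and missing log entries for players with ordinary connection problems.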
Max Planck 7174 Posted August 28, 2012
Moved to cheat reporting as per request.
(OCN)Vortech 65 Posted August 29, 2012
Thanks, ttp as title was changed to attract more attention. I'm really hoping to get some feedback on this.
Gogster (DayZ) 626 Posted August 29, 2012
I guess the answer is to test it.
How effective do we think the BE bypass really is? I say this because I see more and more kicks for BE client not responding.
osirish 165 Posted August 29, 2012
It would be great if a parser could compare the two files.
Another way we accidentally discovered players bypassing battleye on our servers is the Battleye high ping kicker.
We had a couple of "incidents" while our server was low population. All the players on the server were either clan members or known regulars. The only two players who weren't known to us had Russian names and pings between 350 and 400.
They shouldn't have been able to play on the server if the ping limit is 200. So if battleye handles the ping kicks, they must have been bypassing it ... correct?
(OCN)Vortech 65 Posted August 29, 2012
> It would be great if a parser could compare the two files.
> Another way we accidentally discovered players bypassing battleye on our servers is the Battleye high ping kicker.
> We had a couple of "incidents" while our server was low population. All the players on the server were either clan members or known regulars. The only two players who weren't known to us had Russian names and pings between 350 and 400.
> They shouldn't have been able to play on the server if the ping limit is 200. So if battleye handles the ping kicks, they must have been bypassing it ... correct?
I'm working with one of our community's developers on this as we speak! :) I'm sure the dev will inform everyone after we've tested the theory.
BEC and BE are two different things. I think their ping is handled by the ArmAII server and not BE itself. I say this because while the players I mentioned were not in any of my filter logs I could see them online in DaRT and their pings. I wish I had thought of trying to list them in traditional RCON :/ I was told you won't see them if you list players.
domistyle 221 Posted August 30, 2012
Looks interesting, will take a look at it too once I got time.
hardcoreymp 16 Posted September 4, 2012
If you give me an exact requirement I can script this in PowerShell. As detailed as you can. Including log files. I have server logs on which I can test this. PM me the details and I will do it tonight when I get the chance. Should not take me too long. Remember, as detailed as you can please.
xfortune 91 Posted September 4, 2012
> It would be great if a parser could compare the two files.
> Another way we accidentally discovered players bypassing battleye on our servers is the Battleye high ping kicker.
> We had a couple of "incidents" while our server was low population. All the players on the server were either clan members or known regulars. The only two players who weren't known to us had Russian names and pings between 350 and 400.
> They shouldn't have been able to play on the server if the ping limit is 200. So if battleye handles the ping kicks, they must have been bypassing it ... correct?
Nah, my friend is Australian and she logs onto US servers where the ping limit is 125, she has 200-250 and often doesn't get kicked. It's just buggy/inconsistent about kicks.
nyk_nunya 40 Posted September 4, 2012
Also, sorry to go off topic ish here, but if you connect into a server before battle eye initializes you get kicked for client not responding. Awesome idea, and I'll pass it on to my server hosting friend.
KField86 237 Posted September 5, 2012
> I guess the answer is to test it.
> How effective do we think the BE bypass really is? I say this because I see more and more kicks for BE client not responding.
The kick happens when you get stuck at loading, 99.9% of the time. Since the game hangs, battleye cannot handshake with the server, thus the "kick" even though usually you're forced to close the process.
Gogster (DayZ) 626 Posted September 5, 2012
> The kick happens when you get stuck at loading, 99.9% of the time. Since the game hangs, battleye cannot handshake with the server, thus the "kick" even though usually you're forced to close the process.
I would agree, but I also see this for people already in the game. Admittedly the majority are for people suffering network issues, but I wonder whether any are for those trying to launch a bypass and cheats?
torturedchunk 22 Posted September 5, 2012 (edited)
I have also wondered why some players don't show in one log or another. Yet they play fine on the server. Hard to catch a hacker if the logs don't report.
Edited September 5, 2012 by Reality
cwc_shadow 70 Posted September 6, 2012 (edited)
Any news on this? We have had some teleport and godmode hackers lately on our server. Yet I can't find any of them in the logs, even though I have screenshots from them playing (ingame server client list). I'd love to have a way to identify those BE bypassers and ban them without banning innocent players who only suffer from connection issues.
Edited September 6, 2012 by System98
Gogster (DayZ) 626 Posted September 6, 2012
News from BE? Don't hold your breath.
trenth 0 Posted September 6, 2012 (edited)
Not sure about you, but I sure do love not being logged by BE when I spawn items, etc. Thanks for trying to make anti-cheats, that way I can continue cheating, and you can continue trying to prevent me from doing it.
Buying CD-Keys for 5$ for 100x and using an undetected BE bypasser never gets old.
You all have fun. ;)
User/hacker/Skiddie - Banned
Much love - Fraggle.
Edited September 6, 2012 by Fraggle