Gogster (DayZ)

BIS_Effects_AirDestruction


In the past we've routinely ignored:


BIS_Effects_AirDestruction

In log files as helicopter/vehicle crashes. I wonder whether we're missing something. For example (this is from today's logs):


05.09.2012 19:00:33: Player (IP) GUID - #0 "[this] spawn BIS_Effects_AirDestruction"
05.09.2012 19:00:33: Player (IP) GUID - #0 "[this] spawn BIS_Effects_AirDestruction"

(both lines are the same player)

There's an initial thing that raises alarm bells, he's targeting himself:


#0 "[this]

And the spawn keyword:


#0 "[this] spawn BIS_Effects_AirDestruction"

Given this thread on the Bohemia forums:

http://forums.bistudio.com/showthread.php?138736-Introducing-Server-side-Event-Logging-Blocking&p=2214760&viewfull=1#post2214760

I'm drawn to this comment:

Cheaters can overwrite normal functions with "publicVariable" as well, one public example being the BIS_Effects_* functions

Just to reassure people, $able is a BattlEye Developer.

So I guess what I am suggesting is that this is actually a cheat. Appreciate your comments as always.


I crashed a heli one time and due to this I created the posted lines. It does not need to be hacked. As he did it to himself, he may have just crashed into some building or the ground.


Cheaters overwriting PublicVariable is what the latest BattlEye change was for...

i.e the new filter file

publicvariable.txt

3.) Log and/or block all public variable events via "publicvariable.txt"

By creating this file in your BE working directory and adding rules/filters to it, you can now log and/or block all public variable events (triggered via "publicVariable" and its variants) that are often exploited to execute code remotely on the server or other clients by overwriting certain game variables/functions/symbols. Logging is done to "publicvariable.log". The filters are applied on the name of the public variable and look exactly the same as in the scripts.txt file, see here for more information: http://forums.bistud....-server-admins. Note that each command is automatically blocked if the corresponding filter has kicking enabled (type "4").

http://forums.bistudio.com/showthread.php?138736-Introducing-Server-side-Event-Logging-Blocking&p=2207051&viewfull=1#post2207051

Edited by Torndeco


I have seen an entry on this by someone I know not to be hacking.

Quite confusing to be honest.


I have seen an entry on this by someone I know not to be hacking.

Quite confusing to be honest.

In exactly the same format?


Yes i know sigh...

U were worried about it relating to cheaters overwriting public variables. i.e the quote/comment u mentioned in your first post.

I pointed u to the new filter file that addresses this new technique of scripters / hackers to bypass detection.

This was added so admins can log / kick / ban players for altering publicvariables.

edit:-

Anyway u really should be kicking for BIS Effects, so worrying over if it's some hacking is a non-issue.

They get kicked before anything happens & if they try something else later u ban them for it

Edited by Torndeco


Pretty much mate. It was in the remote execution file as well.


Yes i know sigh...

U were worried about it relating to cheaters overwriting public variables. i.e the quote

I pointed u to the new filter file that addresses this new technique of scripters / hackers to bypass detection.

This was added so admins can log / kick / ban players for altering publicvariables.

You're either confusing things, me or yourself. This entry is from remoteexec.log, not publicvariables.log - so what are you saying?


Pretty much mate. It was in the remote execution file as well.

Right, I'm going to try our testing server tonight, I'll grab the chopper and stove it into the ground and see what it comes up with.

Right, I'm going to try our testing server tonight, I'll grab the chopper and stove it into the ground and see what it comes up with.

Listen to this while you are doing it.


I'm drawn to this comment:

Quote

Cheaters can overwrite normal functions with "publicVariable" as well, one public example being the BIS_Effects_* functions

Just to reassure people, $able is a BattlEye Developer.

Hacker overwrites normal heli explosions <inserts his hack>

Hacker triggers his new heli explosions <logs just show a standard heli explosion script>

Admin looks at logs <nothing shows up in logs, except a standard heli explosion>

Heli explosions are nice for hackers to abuse since them appearing in remoteexec.log & other clients is normal behaviour.

This is basically what the recent fcking BattlEye update is for, to prevent hackers from doing that.

edit:- So if u don't have a publicvariable.txt set up properly, u won't get any useful log info if a hacker is using an overwriting PV method to hack your server.

Edited by Torndeco


Here are the lines of me crashing a helicopter:

06.09.2012 16:35:13: Domi (188.22.204.202:2304) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #38 "[this] spawn BIS_Effects_AirDestruction"

06.09.2012 16:35:13: Domi (188.22.204.202:2304) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #40 "[this] spawn BIS_Effects_AirDestruction"

So it can be legit I would say.

Edited by DomiStyle


Potentially.

A Hacker could cause a crash and the pilot would be the one with the published AirDestruction entry.


dat search (http://dayzmod.com/f...ng-bis-effects/).

We were tracking the evolution of this spoof and documented it for everyone.. Long story short if you see a single or double line execution ban local and submit to the CBL, the full 3x line spoof cannot be determined real or fake. Now that we have publicvar hopefully we'll be able to smoke out the spoofing cheaters, we haven't seen one yet but we're ready.

To clarify "[this] is not an indicator of a cheater.

Edited by (OCN)Vortech


dat search (http://dayzmod.com/f...ng-bis-effects/).

We were tracking the evolution of this spoof and documented it for everyone.. Long story short if you see a single or double line execution ban local and submit to the CBL, the full 3x line spoof cannot be determined real or fake. Now that we have publicvar hopefully we'll be able to smoke out the spoofing cheaters, we haven't seen one yet but we're ready.

To clarify "[this] is not an indicator of a cheater.

Reading your posts, and I appreciate your time, it reminds me very much of Torndeco's posts, you actually don't know. I'm 11 pages into the scripts topic on BIS and the indication I'm getting from there is that if it is in the remoteexec.log it's more likely a cheat.

Not trying to rubbish any expertise you're bringing to this thread but do you have anything other than hypothetical evidence or opinion?

By the way I said [this] is a target.


Reading your posts, and I appreciate your time, it reminds me very much of Torndeco's posts, you actually don't know. I'm 11 pages into the scripts topic on BIS and the indication I'm getting from there is that if it is in the remoteexec.log it's more likely a cheat.

Not trying to rubbish any expertise you're bringing to this thread but do you have anything other than hypothetical evidence or opinion?

By the way I said [this] is a target.

It's not hypothetical it's factual.. Simply crash a helo legit and you'll see the lines for yourself, it doesn't get much easier to disprove "hypothetical evidence". The remoteexec.log simply logs executions, it doesn't know if they're legit or not. The cheaters realized this and spoofed the legit execution in the hopes we could not identify them easily. Single and double lines were earlier attempts, full 3x line are more difficult but publicvar should help there. No theory, just truth. Hope it helps.

Long story short if you see a single or double line execution ban local and submit to the CBL, the full 3x line spoof cannot be determined real or fake. Now that we have publicvar hopefully we'll be able to smoke out the spoofing cheaters, we haven't seen one yet but we're ready.

I can tell you that this is not true and it will cause the wrong people to land on the CBL.

2x this line is usually a heli crash, we had people getting kicked for this a lot of times now.

See example I posted above.


I've crashed a helicopter and we have nothing in the log files (I'm too impatient!) so where does that leave us? I think people are confused and rightly so.

And reading that post on the BIS forums contradicts what you are saying Vortex, Dwarden is practically saying if it is in the remoteexec log file, it's a cheat.


Agreed Gog. If it is in the RemoteExec file there must have been some foul-play at work.

The question is: Does that mean it was executed by that person? Or was it executed on that person?


I can tell you that this is not true and it will cause the wrong people to land on the CBL.

2x this line is usually a heli crash, we had people getting kicked for this a lot of times now.

See example I posted above.

The CBL is not outright listing users for these executions when submitted. It takes multiple of these submissions for a user to be listed. If I combine all of our logs since BIS started being logged we've only had a two line execution appear 4x times total. All 4x of these executions were banned locally at our discretion and submitted to the CBL, NONE of these bans were appealed or disputed locally or otherwise. As an admin of a DayZ server in this situation given the nature of the spoof it is better to ban local first for the sake of your players and ask questions if they appeal.

I've crashed a helicopter and we have nothing in the log files (I'm too impatient!) so where does that leave us? I think people are confused and rightly so.

And reading that post on the BIS forums contradicts what you are saying Vortex, Dwarden is practically saying if it is in the remoteexec log file, it's a cheat.

Let me clarify, crashing and explosions are different. The execution is triggered by the explosion not the crash itself. Dwarden is a huge help to the community but he's wrong on this one, test it for yourself and you'll see. Honestly I think you're confusing the context, up until the BIS spoof remoteexec did always equal a ban. Honestly anything ELSE in remoteexec should constitute a ban, BIS is the only known exception.


Here is the content from my remoteexec.log on my private server.

3 helis crashed and I know from all 3 that it was legit.

05.09.2012 13:43:12: Islu (81.225.125.69:59160) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #38 "[this] spawn BIS_Effects_AirDestruction"

05.09.2012 13:43:12: Islu (81.225.125.69:59160) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #40 "[this] spawn BIS_Effects_AirDestruction"

06.09.2012 16:35:13: Domi (188.22.204.202:2304) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #38 "[this] spawn BIS_Effects_AirDestruction"

06.09.2012 16:35:13: Domi (188.22.204.202:2304) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #40 "[this] spawn BIS_Effects_AirDestruction"

06.09.2012 19:44:00: Mauî (84.238.55.150:2304) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #38 "[this] spawn BIS_Effects_AirDestruction"

06.09.2012 19:44:00: Mauî (84.238.55.150:2304) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #40 "[this] spawn BIS_Effects_AirDestruction"

So not everything in remoteexec.log is a cheat.

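As an added illustration (not code from any poster or from BattlEye), the sketch below groups remoteexec.log lines of the layout shown in this thread into bursts per timestamp and GUID, so an admin can see how many BIS_Effects_AirDestruction lines a player produced, which # indices they carried, and whether any other code appears. The sample lines, names and GUIDs are constructed; the script only counts and labels, and makes no verdict on whether a burst is legitimate.

```python
import re

# Layout as posted in the thread: DD.MM.YYYY HH:MM:SS: Name (IP:port) GUID - #N "code"
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (?P<name>.+?) '
    r'\((?P<addr>[^()]*)\) (?P<guid>\S+) - #(?P<rule>\d+) "(?P<code>.*)"$'
)
KNOWN_CODE = "[this] spawn BIS_Effects_AirDestruction"

# Constructed sample: names, GUIDs and documentation-range addresses are made up.
SAMPLE_LOG = [
    '05.09.2012 13:43:12: PilotA (192.0.2.10:2304) aaaa0001 - #38 "[this] spawn BIS_Effects_AirDestruction"',
    '05.09.2012 13:43:12: PilotA (192.0.2.10:2304) aaaa0001 - #40 "[this] spawn BIS_Effects_AirDestruction"',
    '05.09.2012 19:00:33: PilotB (192.0.2.20:2304) bbbb0002 - #0 "[this] spawn BIS_Effects_AirDestruction"',
    '06.09.2012 20:15:02: PilotC (192.0.2.30:2304) cccc0003 - #0 "some other expression"',
    'truncated or garbled line',
]


def triage(lines):
    """Group entries into bursts keyed by (timestamp, GUID); return (bursts, unparsed)."""
    bursts, unparsed = {}, []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if m is None:
            if line:
                unparsed.append(line)  # keep for manual review, never drop silently
            continue
        burst = bursts.setdefault((m["ts"], m["guid"]), {
            "ts": m["ts"], "name": m["name"], "guid": m["guid"],
            "rules": [], "other_code": [],
        })
        burst["rules"].append(int(m["rule"]))
        if m["code"] != KNOWN_CODE:
            burst["other_code"].append(m["code"])
    for burst in bursts.values():
        burst["count"] = len(burst["rules"])
        burst["label"] = "other-code" if burst["other_code"] else "air-destruction"
    return list(bursts.values()), unparsed


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for b in found:
        print(b["ts"], b["name"], b["guid"], "x%d" % b["count"], b["rules"], b["label"])
    for line in skipped:
        print("UNPARSED:", line)
```

Listing the # indices per burst makes differences such as #0 versus #38/#40 between servers visible side by side.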

Here is the content from my remoteexec.log on my private server.

3 helis crashed and I know from all 3 that it was legit.

So not everything in remoteexec.log is a cheat.

Let me help you there, not every BIS_effects on a private server is a cheat. :) There is always the possibility of exceptions, you yourself just proved that Dwarden's logic is incorrect in respect to private servers running modified files. The point is we need to adapt quickly and speak freely to one another about what we're seeing. Results are truth, everything else is opinionated until proven otherwise. The cheaters will keep evolving as will the tools we have to identify them, it's a constant game of cat and mouse.


Anyone else noticed the script line anomaly in Domi's post and mine?

Except the script restriction #? No.
