Standalone Hackers, and assurances ?

[Taiphoz 95]

I really need to try very hard not to make this a whiny post.... it's difficult but I will try.

First of all, I would like to just say that fixing tents while hacking is still so bad was a massive mistake on dayz's part, having a supply in tents we could use to recover from death made the hacker kills a lot less annoying and lot easier to deal with, dont get me wrong I know this came with major draw backs to the gameplay and balance, with high end weapons flooding the servers but I think that as a negative is overshadowed by hackers, and has to be the lesser of two evils.

OK that aside.. and to my main point, I was one of those people who bought Arma simply to play DayZ, so in a sense yes I have paid for DayZ already I have not and will not Play Arma its not what I want in a game, DayZ is however, I am a massive fan playing through all these bugs and most of the hackers takes a lot of dedication.

But my faith and enjoyment in the game is being shaken by the endless and saddening onslaught of the hackers who seem to have a never ending supply of new tools in their tool box's while Battle EyE chugs along behind failing to really make an impact.

I would like to hear some assurences on how good the Anti Cheat on the stand alone will be, we have all been told how Rocket and co will be able to physically remove the hacked guns from the game, which is cool, but whats to stop hacker still injecting scripts and insta killing people with the click of their buttons, or spawning in box's with legal guns , or teleporting around the map.

I guess what I am saying is that I am really starting to fear that I may not buy the stand alone, if I get it and the hacking is as bad as this then I think I would probably never buy another BIS product and would be sure to let all my friends and family know why.

SO

TELL ME, BIS, ROCKET.. will the stand alone be really hacker free. or are you just blowing smoke up our collective ass's so we buy your game.

I love the game I love your work but I simply do not know how much more of this shit I can take.

[lvg 1690]

The ARMA 2 engine is very "trusting" in the execution of scripts, Rocket has stated it won't be so "trusting" in the stand alone.

[Kingspiral 15]

I've heard the only available hacks for standalone will be the norm you find with any other online game' aimbot, wallhack etc.

[Zombie Jesus 723]

No game is hacker free, but Dayz suffers from far more hacking than other games due to a very script friendly engine (we should remember this engine helped create the mod so it is not all bad). First you need to realize that since this is a mod of Arma 2 they are limited in fixing the script friendly engine since it runs the risk of breaking the actual game you bought to play Dayz (not starting that discussion but we should at least agree that Dayz is a Mod and there is a separate game that can not be broken for the sake of the mod). So they should focus on fixing things like tents and vehicles (which they largely did) because that was an achievable goal for the mod while fixing hacking beyond what we have seen is impossible as of right now.

As far as the steps to combat hacking I asked a similar question and this was the response I got from him. Some of it is technical so not sure if all of it will come across but the gist is not allowing injection of scripts making it easier to identify those who do this.

Agreed.

The approach must be several layers:

1. Remove the ability to inject scripts in game. This is done through stopping the engine from loading pbo's after runtime, not allowing SQF script riles in after initial load, and checking signatures of all Pbo's. Compiling the SQF in the distribution is also additional security.

2. Improve the security of information between client<>server. You'll never solve that, but you can make it more challenging. This helps make packet injection more complex, therefore more easier to make mistakes. For mistake results... see #3.

3. Auditing of information. An additional cloud of servers who's job is to go through information archived in the database to identify those profiles with suspicious information. Some will clearly be hackers, and these accounts can be banned. Those that are just suspicious can be monitored, and informed of the reasons for their ban with evidence over time.

4. VAC/PB. If, for example, the game is released as a Steam distribution - then it can make use of VAC. Think of it as BattlEye on steroids. It also can cause you some issues with your steam account.

Even with all these levels, some hacking will undoubtedly occur. But like committing a crime, the chance is each time you will screw up, and when you do, you'll be caught. When 1-3 is tied with 4, the results can become even more effective. We need to increase the effectiveness to the point where the chances of you encountering a hacker are low, and where the amount of hacking is low due to the risks of getting caught. Once we reach this, and I am confident we can with standalone, then we will be in a much better position.

But, these things take time, and they take access to the source + smart people. We have all those things, but time only flows in one direction.

Hope that puts you at ease, but if you are still worried just wait a couple of weeks to buy the standalone and make sure to read up on the issues that are important to you.

Edited October 9, 2012 by Zombie Jesus

[OrLoK 16182]

Hello there

Unusually for me I took the jump and bought BF3 when it came out. It turned out to be a fun little shooter. But after a while was inundated with hacks.

If AAA games like BF3, WoW etc etc cannot eliminate scripts/hacks then it's unlikely Dayz will be completely free of them.

One has to be somewhat realistic nowadays about these issues. When the standalone comes out play on respected well moderated or passworded servers and that will lessen the scripters impact.

Lastly, don't expect scripting to be as prevalent as it is in the Mod.

rgds

LoK

[Sticker704 121]

Look at it this way: Arma 2 is piss easy to hack. My hamster could do it due to the trusting engine. There's no way to fix this without delving deep into Arma's code. Rocket doesn't want that, so Dayz is going standalone.

[AlcApwn (DayZ) 28]

so lets go through what rocket said.

1. Remove the ability to inject scripts in game. This is done through stopping the engine from loading pbo's after runtime, not allowing SQF script riles in after initial load, and checking signatures of all Pbo's. Compiling the SQF in the distribution is also additional security.

so they are going to use the old scripting system, with little increased work for hackers. obfuscation is no security by definition, but appearently BIS has not yet acknowledged that.

2. Improve the security of information between client<>server. You'll never solve that, but you can make it more challenging. This helps make packet injection more complex, therefore more easier to make mistakes. For mistake results... see #3.

with a sophisticated server software & communication protocol you indeed CAN make injection useless. this has been archieved by almost ANY game since the 90s of the last century, usually the client disconnects because of desynchronisation.

Speaking in terms of DayZ:

if the client "picks up beans" (or tells the server it does), the server has to check if it was able to do so ("there are in fact beans in valid range, which are not taken by another player at the same time"), and disconnect it if not!

arma2 does not, but any half-serious game does.

3. Auditing of information. An additional cloud of servers who's job is to go through information archived in the database to identify those profiles with suspicious information. Some will clearly be hackers, and these accounts can be banned. Those that are just suspicious can be monitored, and informed of the reasons for their ban with evidence over time.

yes, lets take the problem we created by our own ignorance and put it to a "to be constructed"-workaround which will work in 10% of all cases at most. not needed if you would do your job properly.

4. VAC/PB. If, for example, the game is released as a Steam distribution - then it can make use of VAC. Think of it as BattlEye on steroids. It also can cause you some issues with your steam account.

finally a good idea, but only in addition to a validated server-client communication goddammnit!

the only uses of VAC/PB (PB should be your choice, as VAC fails totally in MW2) should be countermeasures against wallhacks/aimbots/clientside manipulation.

But, these things take time, and they take access to the source + smart people. We have all those things, but time only flows in one direction.

i seriously hope you do NOT talk about the guys at battlEye.

did you know you can attach a fuckin full-scale DEBUGGER to the dll without it even NOTICING?

and that they do not even check the SIZE of the dll? we changed the version with a hexeditor and it didnt notice we run an older version!

Games like World of Tanks, Heroes of Newerth (the latter developed by an indie company as well) and many others send their clients EXACTLY the information they need - and not more.

if you cant see a unit, its not in your RAM.

what does arma2's engine do?

it provides ANY client with ALL information about EVERYTHING on the map.

players, tents, vehicles, EVERYTHING.

dont use anti-cheat measures to cover up your crucial mistakes with your engine!

[Never 237]

It'll never be hacker free, but hopefully the steps being made will improve things, although the ARMA:TOH code is still ARMA 2, and since DayZ made ARMA popular the hackers see it as a perfect little playground.

Add in how resourceful some hackers are, and the fact that the community has shown signs of knowing the code better than the Devs (all the fixes provided on Private hives that it seems Rocket couldn't do for example), I think at first its not going to be to tight, but if Rocket continues the Private hive model and works closely with the community in the early days of Standalone alpha things should improve.

Even Rocket says atm, the way to play the mod is on private hives, public hive is fucked. I can see standalone going the same way, mainly because the Privates have proved themselves more secure already.

[Never 237]

so lets go through what rocket said.

so they are going to use the old scripting system, with little increased work for hackers. obfuscation is no security by definition, but appearently BIS has not yet acknowledged that.

with a sophisticated server software & communication protocol you indeed CAN make injection useless. this has been archieved by almost ANY game since the 90s of the last century, usually the client disconnects because of desynchronisation.

Speaking in terms of DayZ:

if the client "picks up beans" (or tells the server it does), the server has to check if it was able to do so ("there are in fact beans in valid range, which are not taken by another player at the same time"), and disconnect it if not!

arma2 does not, but any half-serious game does.

yes, lets take the problem we created by our own ignorance and put it to a "to be constructed"-workaround which will work in 10% of all cases at most. not needed if you would do your job properly.

finally a good idea, but only in addition to a validated server-client communication goddammnit!

the only uses of VAC/PB (PB should be your choice, as VAC fails totally in MW2) should be countermeasures against wallhacks/aimbots/clientside manipulation.

i seriously hope you do NOT talk about the guys at battlEye.

did you know you can attach a fuckin full-scale DEBUGGER to the dll without it even NOTICING?

and that they do not even check the SIZE of the dll? we changed the version with a hexeditor and it didnt notice we run an older version!

Games like World of Tanks, Heroes of Newerth (the latter developed by an indie company as well) and many others send their clients EXACTLY the information they need - and not more.

if you cant see a unit, its not in your RAM.

what does arma2's engine do?

it provides ANY client with ALL information about EVERYTHING on the map.

players, tents, vehicles, EVERYTHING.

dont use anti-cheat measures to cover up your crucial mistakes with your engine!

Actually, yeah. What he said basically.

[Zombie Jesus 723]

Arguing about measures that have yet to be released is foolish, it looks like they are addressing the issue quite aggressively but the devil will always be in the details.

AlcApwn, you keep referencing the Arma 2 engine and I just wanted to make it clear when I asked the question we were talking about the standalone version which is not the same engine. I think they are well aware of what vulnerabilities hackers take advantage of and will attempt to lock down these issues, but only time will tell if they are successful (100% success is an impossible barrier to hit in PC gaming, hackers gonna hack question is will they be easily caught).

If every game had this figured out since the 1990's then we have a ton of lazy developers who just want their game ruined by hackers. Lets take the map hack, sure you should not be able to "see" what is not in your FOV but that information is still being sent to you since you have to eventually be able to see these objects. Sure it might not be in your ram, but the information still is communicated to your device so when you are able to see the unit you will need that information. So it is there waiting to be accessed by a clever hacker, trick is to make it harder to access. What hackers do is find a way to access this information and while it should be harder than it is now the map hack is a very common hack in almost every game.

Have not seen it confirmed that Battleye will be anti hack software used, but nothing is perfect (punkbuster is not much better).

PS, took two seconds to find publicly available hacks for World of Tanks, the hacks are just hard to spot as a player (so not as terrible as current mod hacks that very obvious, but they are there and they will always be there).

Edit: Did not want to create a new post to say this but Nik21's post shows terrific understanding of how hacking works. It is not some one and done job and requires constant vigilance which means people will always die from hackers the question is can it be kept to a minimum and detected quickly. Some of us overstate how useless Battleye is, with an engine like Arma 2 I think they are doing everything that could reasonably be expected.

Edited October 9, 2012 by Zombie Jesus

[nik21 287]

I'm just hoping they won't use VAC only in the Standalone. It's just not enough for a game like DayZ. Even with a closed down engine, still loads of hackers. Best examples: Homefront, CoD: MW2, MW3 (in every 2nd or 3rd lobby is a cheater, stuff like Free Weekend completely unplayable from what I've heard from friends) etc..

The best thing IMO would be the combination of 2 or even 3 different Anti-Cheat Systems. Something like VAC+PB, PB+BE. Ultimately: VAC+PB+BE B)

Red Orchestra 2 for example is using VAC+PB. VAC is active by default, PB is optional.

For DayZ, the best combination would be Punkbuster + BattlEye imho.

Another thing why I wouldn't use VAC only is their banning policy and Private Hacks. VAC Bans are massively delayed. What a popular game like DayZ needs is a live kicking/banning system like BattlEye or PunkBuster. I mean, just look up public hacks for MW3 or something... SERVERAL (50+) undetected public hacks. Comparison: PB usually detects public hacks within a week or something. BattlEye even less, mostly under 24 hours depending on the hack. As of right now, ALL public hacks for Arma 2/ DayZ are detected by BattlEye.

As for the private hacks - VAC is doing close to nothing against them. Some of them are even undetectable by the current Version of VAC(3) - and it's not being updated.

If PB or BE can't detect something on-the-fly, they roll out a client update. Or do something else about it. VAC doesen't.

VAC is only useful to scare cheaters off, because some of them will be pissed if they have to create a new Steam account every time they get busted.

Punkbuster is actually doing much more against Private Hacks compared to VAC. Not enough in my opinion (see BF3 e.g.), but at least more.

BattlEye is actually one of the most effective and innovative Anticheat-Systems on the market. But, as you may know, there may be a lack of man-power for a Game like DayZ (Yes, BattlEye is being developed by one man, $able.)

What I am trying to say here is, none of those Anti-Cheat Systems alone will be enogh to keep cheating and hacking to a minimal level. I'm pretty sure there will be a shitload of attempts to cheat in the DayZ standalone. It is a blockbuster title. And as I have seen in other Blockbuster Titles (BF3, MW3), VAC or PB alone are simply not enough. Nor is BattlEye, but a combination of 2 or even all of them would bring massive Improvements to this problem.

Edited October 9, 2012 by Nik21

[AlcApwn (DayZ) 28]

If every game had this figured out since the 1990's then we have a ton of lazy developers who just want their game ruined by hackers. Lets take the map hack, sure you should not be able to "see" what is not in your FOV but that information is still being sent to you since you have to eventually be able to see these objects.

nope, the server has to calculate if you can see it, and if you cant, you MUST not get the information.

Have not seen it confirmed that Battleye will be anti hack software used, but nothing is perfect (punkbuster is not much better).

did you try to bypass both of them yourself?

the one, where you attach a normal debugger and got FULL access to anything, and the other, which has 2 processes watching each other AND the game, one as a process, the other as a service?

i dont think you know what you are talking about.

PS, took two seconds to find publicly available hacks for World of Tanks, the hacks are just hard to spot as a player (so not as terrible as current mod hacks that very obvious, but they are there and they will always be there).

i doubt the existence of a wot-maphack until you show me one.

try to find one for Heroes of Newerth, where the server sends you exactly the minimum of information you need. if you lag, it's your problem.

[AlcApwn (DayZ) 28]

BattlEye is actually one of the most effective and innovative Anticheat-Systems on the market.

are you kidding me?

BattlEye is the worst anti-cheat system i have ever seen in ALL of my games...

just download the free version of IDA, attach it to the BattlEye.dll and voila, you got full unnoticed acess to both arma2 and BE.

its not like there is IsDebuggerPresent you could call to check -.-

aaaaand no use of global hooks, no checks for the validity of arma2's ram, no encrypted communication with arma2 and the BE-Masterserver, and, and and.

whoether is behind BE, he/she has little knowledge of security engineering.

[nik21 287]

are you kidding me?

BattlEye is the worst anti-cheat system i have ever seen in ALL of my games...

just download the free version of IDA, attach it to the BattlEye.dll and voila, you got full unnoticed acess to both arma2 and BE.

its not like there is IsDebuggerPresent you could call to check -.-

aaaaand no use of global hooks, no checks for the validity of arma2's ram, no encrypted communication with arma2 and the BE-Masterserver, and, and and.

whoether is behind BE, he/she has little knowledge of security engineering.

You seem to be such a pro coder. :facepalm:

[AlcApwn (DayZ) 28]

i can assure you, for battleye you dont need to be, little fanboy.

[Zombie Jesus 723]

AlcApwn, popular games (heroes of Newerth is hardly attracting the same attention as a Dayz or BF3) attract hackers and no I did not try to bypass either one of these services, the only thing I based this statement on was the fact that BF3 has quite a few publicly available hacks that are either hard to detect or not detected (Punkbuster runs this). Comparing apples to oranges with World of Tanks and Dayz, one is a server sided game and I am not sure how well that would work out here. Did I say maphack? No, well than stick to the point man. I will not link hack sites on here but Google is your friend and it will take a few seconds to see the hacks available for that game, which includes several map hack references but since I do not hack and do not want to point people in the right direction to hack you will just have to do the research yourself.

When it gets too technical you are right I am out of my element, but I do understand the basics of how these systems work. As far as attaching something to the debugger I never addressed that subject because frankly I am out of my element there, no need to be a dick about something like that dude I bet there is plenty of shit you are unaware of (like common social interaction and understanding tone, way to go full Asperger).

If you are so awesome at this why not go out and make an effective anti cheat system? What is that, you just like to pretend you are great at shit online and have nothing to provide beyond armchair quaterbacking, well carry on then.

Edited October 9, 2012 by Zombie Jesus

[AlcApwn (DayZ) 28]

AlcApwn, popular games (heroes of Newerth is hardly attracting the same attention as a Dayz or BF3) attract hackers and no I did not try to bypass either one of these services, the only thing I based this statement on was the fact that BF3 has quite a few publicly available hacks that are either hard to detect or not detected (Punkbuster runs this). Comparing apples to oranges with World of Tanks and Dayz, one is a server sided game and I am not sure how well that would work out here. Did I say maphack? No, well than stick to the point man. I will not link hack sites on here but Google is your friend and it will take a few seconds to see the hacks available for that game, which includes several map hack references but since I do not hack and do not want to point people in the right direction to hack you will just have to do the research yourself.

When it gets too technical you are right I am out of my element, but I do understand the basics of how these systems work. As far as attaching something to the debugger I never addressed that subject because frankly I am out of my element there, no need to be a dick about something like that dude I bet there is plenty of shit you are unaware of (like common social interaction and understanding tone, way to go full Asperger).

If you are so awesome at this why do you not go out and make an effective anti cheat system? What is that you just like to pretend you are great at shit online and have nothing to provide beyond armchair quaterbacking, well carry one then.

first of all thanks a lot that you start insulting instead of bringing satisfating arguments...

and i think HoN and DayZ are pretty much in the same league regarding the size of the community.

you still did not get my point.

BF3 hacks are client-sided manipulations like aimbots, wallhacks and whatnot. those have to be adressed by the corresponding anti-cheat system (pb, vac, whatever).

***s are (at least most of) exploits targeting the very poor communication design (clients execute code on the server is a NO-GO) and the poor client design itself.

I am sorry, but any half-decent game IS a "server sided game". even arma is partly, as essential things like the trajectories of bullets etc are computed on the servers (now dont tell me they dont, id smash my head if they did not).

DayZ's gameplay is build up on:

- getting gear, steal from others

- using the large map as your advantage for hiding, storing, and ambushing

both can be (quite easily) basically guarded by a sophisticated server-client system. (take hon as an example - if you dont got the information, you dont got it. end of the story.)

the obvious problems are:

- rocket uses a branch of arma2's engine

- rocket didnt say the server will validate the process of picking up items (he didnt adress it precisely yet, until he does i assume no)

- rocket did say he still uses arma2's scripts for communicating.

the server spawns the items, but does not keep track of them if a client attempts to pick up one - this must not happen.

my point is:

if the server would control the items and cut down the information sent to clients to the absolute minimum, we would have about 1% of the hackers we got right now.

because the only thing possible would be removing night, wallhack, aimbot, the usual bullshit you encounter in shooters. which won't be such attractive for "the typical exploiting idiot", as he still will have to gear up like any other player and can not be the 1337-h4xx0r-sniper with his AS50 TWS teleporting around.

what do you think am i here?

because imho rocket discovered a great concept of gaming.

if i get the chance to help, i will do (and not only i would).

but the community is not taken serious in this point, to be honest.

give us an opportunity to point out weaknesses which are actually taken care of, and we will. but i am not gonna send mails to BE and receice copypaste answers of somebody who doesnt notice that i attached a debugger to his so-called anti-cheat engine.

we would work for free for dayz, but we expect to be taken seriously. and thats NOT what it looks like.

[Zombie Jesus 723]

AlcApwn, I was not being a dick until the tone of your post set me off, so learn how to engage in constructive conversations or take the deserved insult like a man. My first reply to you was not insulting, but the tone of your second reply was so I responded in kind. When I "copy pasted" the reply from Rocket it was not to you in the first place, it was to the guy who asked the original question and then you decided that I was just taking the response as gospel. I was just providing a previously available answer that might help the OP, not really trying to pretend I am some developer who knows how to perfectly combat this problem. If you notice in my original reply I even stated if the person is concerned that the standalone will be unable to effectively address the problem then they should hold back until they can confirm the problem is under control.

I have hit the limit of my understanding when it comes to the ways to combat the problem so I will refrain from arguing the point, I will say neither of us know how well the standalone will combat these issues so what is the point in the argument in the first place? To me it looks like they are taking the issue seriously, but maybe you see it differently and having a different opinion on something this subjective is not really a reason to get worked up. Have a good day man, sorry for the dickish response since many times tone is hard to detect on internet forums.

[RogueOne 112]

what does arma2's engine do?

it provides ANY client with ALL information about EVERYTHING on the map.

players, tents, vehicles, EVERYTHING.

dont use anti-cheat measures to cover up your crucial mistakes with your engine!

The ArmA2 engine was designed specifically for this application so modders could have a ball developing things. It's not a mistake at all. The engine was made for this purpose exclusively. Do you really think the coders at BIS are that stupid or you could do a better job then they? You have no idea what the original project points were nor o you have any information on the goals so please try to refrain from making statements you have no idea about.

The problem is this engine was never in a million years designed for an application such as dayz. If you want to lay blame, Blame rocket for choosing to use a game engine that should have never been thought about for this mod. You have to also take into account this was just an experiment to see if this type of game would be viable. Everyones talking like this is the end result and complaining over little bullshit nit picking things. I've been playing online since doom and played my share of alphas and can tell you this game plays better then 99% of the beta games I've been a part of so stop complaining and enjoy the game for what it is. All this nitpicking is just plain stupid.

[AlcApwn (DayZ) 28]

i did not want to be rude to you, be sure!

but it saddens to read so much false & semiproof information in this forum (as if the informationflow was not bad enough allrdy ;)).

i can not take easily anyone serious who uses the engine of a simulation as an engine for a multiplayer-pvp-game after it has proved it's weaknesses in so many ways. (not to mention battleye)

if the servers continue their policy on items and location information, this game will be rippen apart - and that would be just sad. (and, as i said 100times allready, thats NOT the fault of the anti-hack system!)

the whole utopia of a "trusted client" in competetive gaming has to stop!

[AlcApwn (DayZ) 28]

The ArmA2 engine was designed specifically for this application so modders could have a ball developing things. It's not a mistake at all. The engine was made for this purpose exclusively. Do you really think the coders at BIS are that stupid or you could do a better job then they? You have no idea what the original project points were nor o you have any information on the goals so please try to refrain from making statements you have no idea about.

The problem is this engine was never in a million years designed for an application such as dayz. If you want to lay blame, Blame rocket for choosing to use a game engine that should have never been thought about for this mod. You have to also take into account this was just an experiment to see if this type of game would be viable. Everyones talking like this is the end result and complaining over little bullshit nit picking things. I've been playing online since doom and played my share of alphas and can tell you this game plays better then 99% of the beta games I've been a part of so stop complaining and enjoy the game for what it is. All this nitpicking is just plain stupid.

i never, ever blamed the problems of arma2 itself, because i just dont give a damn. i dont play it, it doesnt matter to me.

i know that BIS sold branches of their engine to several countries militaries, and i know that's money for free. (thats not army related - any part of any state pays very well and stable for assigned tasks. at least germany does - tax offices' software and so on)

but the dayz community is not a group of trusted clients, dayz is no simulation, but a mmorpg a little different from all the others. and YES, thats a reason to complain, if such things happen.

dont tell me to stop talking about the poor engine design (which is not the best in general) in the dayz forum, because for dayz it is indeed very poor.

[RogueOne 112]

Yes, I read your last reply and it seems we are in agreement.

[Zombie Jesus 723]

All I will say is at least hold out the possibility that a modified engine might be able to address many of these concerns. From his recent interviews it seems like this is the main focus for the standalone, so the situation might not be as dire as you think. Pretty sure they know what the problems are and how they address these issues will make or break the standalone so the motivation is there to get it right.

Here is to hoping your suspicions are wrong, you can call it being a fanboy but I prefer opptimist.

[WalkerDown (DayZ) 296]

I hope they will abandon BE if anything... it's the worst anticheat system out there, even worse than the shitty PunkBuster.

[tomallbones@gmail.com 2]

Idc what they have to do as long as there isn't even 10% of the hacking and duping there is now. I'd pay for DayZ as it is without the use of arma III itself if I had to haha.