Show Posts



Messages - s0beit

Pages: 1 2 3 [4] 5 6
46
I think he could have done it with a bit more taste to be honest, maybe given them all every item and opened up their gear so they could see the myriad of goodies, waited until they closed the gear menu then they explode. I'm sure that would have received a more 'spirited' reaction than 'simply dropping the bomb'.

Yeah, I told him it was pretty lame and boring but he is easily amused I suppose.

47
But be informed before you post, please? Java will be used for A3.

Well, that sucks. Seriously, this makes me very sad. Java is awful.

Even so, the language doesn't have any impact on the security.

Also, I think talking to the community is something important. Even if it is the part of the community that is able to destroy your game within the blink of an eye. It's the internet after all. No feelings were hurt, everybody can go about their daily lives.

About the guy though. What an empty, boring, joyless life must one live to jerk off on having your thread on the first page of 4chan, or being hated by /r/dayz? If I did what this guy seems to specialize in, i.e. feeling like a hero for using mod-apps and scripts that he didn't even develop himself, or, in my terms, post on 4chan and reddit whenever I use one of my mod-apps, I would be more fucking internet-famous than Rickrolling or LOLcats.

Oh, he's totally out to fuck up the game and piss people off, I know the guy. He doesn't see himself as some sort of hero for doing it and he just enjoys the reactions.

48
The issue needs to be dealt with at an engine level, so that it runs correctly and in line with how the application was programmed. Otherwise, I write some clumsy shitty script monitor to check, use up some of the frame checking, degrade the players performance, and very quickly a new way to get around that can be found.

As I said in my first post, this is not a battle I can win. Only by altering the anti-cheat and engine mechanisms can anything be realistically done. Well, from what I can tell anyway.

It's not a battle you can win with Arma 2's horrible engine, period. This is an aspect of the design that could have and really should have been questioned by any competent programmer on your team, immediately.

You need a total redesign of the engine (and preferably a less horrible scripting language, you do know that Lua is optimized more than your proprietary junk, right?). You trust the client too much, you trust it so much that they actually have control over aspects of the engine only the server should have control over.

I've mod-apped a lot of games that were P2P and heavily client-side, they never, ever gave that much trust to the client. Why would I ever be able to spawn objects, AI, vehicles in a normal situation? Why would that right ever be granted to the client outside of lazy programming?

I'm sorry to say this but it really needs to be said. I've only wanted to post here since I saw the article on gameranx heavily criticizing mod-appers for their actions (actions only possible, mind you, because of the flaws in the engine): You guys are professionals now. To come here and start a fuss is extremely stupid of you. When I first came to this community a year or so ago, I was amazed that these people deliberately held themselves back so that they didn't destroy your game. The only reason your game has survived this long is by the altruism displayed by these evil mod-appers here.

You're a big boy developer, and you're a big boy company. Please fucking act like it.

Sorry if I'm late to the show and sorry for showing up, I know you guys hate me

49
Armed Assault 2 / Re: Trade? bi2 bypass for some keys :)
« on: June 12, 2011, 11:24:17 am »
The bypass for BI2 is the same as BI, I'll reply to your PM now.

51
Armed Assault 2 / Re: Trade? bi2 bypass for some keys :)
« on: June 10, 2011, 12:50:58 am »
hmmm, I might take this offer, do you just need information or do you want a full working bypass?

53
All that a2l does is check to see if certain words exist in any of your PBOs, these words being the names of hack programs or their authors. If the words are found, then it runs the nc.sqf script, which disables user input. You can evade a2l simply by changing a couple of letters in your hacked PBO, no getting rid of "disableUserInput" required. Just check what the words (listed in init.sqf) are that trigger nc.sqf. Then go to your hack .pbo and change all these words (Gerk, Ribalion and Water) to something that is the same length, but make sure any words that are .sqf file names are changed to something that occupies the same alphabetical order (i.e., changing "Gerk" to "Merk" will fuck it up because then Merk.sqf should be somewhere else in the compiled PBO... but changing it to "Germ" will be fine since Germ.sqf should be in the same place Gerk.sqf was).

I concur, but just to be safe I disabled the script in mine as well.

Hooking the engine's execVM function is fairly simple. I know I said it was a bad idea in my last post, but isClass hooking is harder than it should be.

54
Armed Assault 2 / Re: Borrowing Serverside Mission files
« on: June 02, 2011, 01:24:05 pm »
Well, maybe I can help. I'm not BE banned from Island Life, unsure about ZL lol (I forget).

In any case, maybe try posting some examples of packets and I'll see if I can't rig up something. The main problem with ARMA2 packets is that, from what I've seen so far, they're heavily inconsistent. Makes it hard to construct real hard data from them. I'll give it a shot though.

55
Armed Assault 2 / Re: warinc hack
« on: June 02, 2011, 12:22:51 am »
wat lol

56
Well, here's a bypass which WILL STILL DETECT YOU but your keys won't be frozen (it also might be helpful for other scripts which disable your input for whatever reason).

Code: [Select]
// Detour the engine's script-command callback for disableUserInput.
// a3 points at the command's argument block; zeroing the DWORD at a3+4
// turns "disableUserInput true" into "disableUserInput false" before the
// original callback runs. The address and layout are for the Arma 2 build
// this was written against.
typedef int ( __cdecl* disableUserInput_cb_t )( int a1, int a2, int a3 );
disableUserInput_cb_t pdisableUserInput_cb = NULL;

int __cdecl new_disableUserInput_cb( int a1, int a2, int a3 )
{
    *( DWORD* )( a3 + 4 ) = 0;

    return pdisableUserInput_cb( a1, a2, a3 );
}

// Install the JMP detour; GDet is the detour helper used in the rest of the mod-app
pdisableUserInput_cb = ( disableUserInput_cb_t ) GDet.Create( ( BYTE* ) 0x006E2394, ( BYTE* ) new_disableUserInput_cb, DETOUR_TYPE_JMP );

Now if I could only figure out how isClass works... HUMMMM

EDIT:

Note, you can also hook execVM, but if they changed the name of nc.sqf it wouldn't be helpful.

EDIT:

For the easiest method though, and if you have your own PBO, just change the detected bits around O___o

57
Armed Assault 2 / Re: PBO packet analysis
« on: May 31, 2011, 08:46:19 am »
If you look at the Hex-Rays dump I posted of the function which makes it (BUFFER + 4), it's not a sequence counter. Definitely some sort of hash of the packet to be sent.

Particularly this bit:
Code: [Select]
    pbuf = buf;
    bufSize = *(_WORD *)buf;
    *(_DWORD *)(buf + 4) = 0;
    *(_DWORD *)(buf + 4) = CRC32(0, buf, bufSize, (unsigned __int64)bufSize >> 32);
    v20 = 12;
    while ( sendto(*(_DWORD *)(v4 + 0x70), (const char *)pbuf, *(_WORD *)pbuf, 0, &to, 16) == -1 )

58
You don't need to hex-edit anything, you can hook the disableUserInput script function callback, it's extremely easy to find and disable.

NOTE: Hex editing/hooking this function might help you, but it isn't everything!

Code: [Select]
// a2l init.sqf: each test asks the engine whether a known hack addon's
// CfgPatches class is loaded; the first hit runs nc.sqf and exits.
if (isClass (configFile >> "CfgPatches" >> "Ribalion")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "ACCPack")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "Schleiflshackpack")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "awk_ch34tsDevString_ak")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "loki_lk")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "zump")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "water")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "gerk")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "mors_anygear")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "CHN_TroopMon")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "AlexanderPack")) exitWith
{
    [] execVM "nc.sqf";
};

if (isClass (configFile >> "CfgPatches" >> "MRMEDIC_TroopMon")) exitWith
{
    [] execVM "nc.sqf";
};

Code: [Select]
// nc.sqf: what runs once one of the checks above matches
//Gman
{player sidechat format["%1 I AM A CHEATER",_x]} foreach thislist;
disableuserinput true;
processInitCommands;
diag_log format["HACK DETECTED: %1 tried to join with a hack!", _x];

MRMEDIC UR EXPOSED! lol

If you want to fix this, try avoiding the scans, or else you'll be logged as well (and banned later, most likely).
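The same-length rename described in the quoted post further up (post 53) and the isClass scan list in this post's init.sqf, as one added worked example that is not code from this thread, from a2l, or from any PBO tool. It parses a PBO header, swaps a trigger word for a same-length replacement in the properties, entry names and file data, refuses when a renamed file would move within the case-insensitive name order (the rule the quoted post states; whether the engine really looks files up that way is not something the thread establishes), and recomputes the trailing checksum. The PBO layout is an assumption: per entry a NUL-terminated name and five little-endian uint32 fields (packing method, original size, reserved, timestamp, data size); an empty-named "Vers" entry may carry key/value strings; an empty zeroed entry ends the header; file data follows in header order; the file ends with a 0x00 byte and the SHA-1 of everything before that byte. The sample addon and the regex stand-in for isClass are constructed for the example.

```python
import hashlib
import re
import struct

ENTRY = struct.Struct('<5I')      # packing, original_size, reserved, timestamp, data_size (assumed layout)
VERS_MAGIC = 0x56657273           # 'Vers': property entry at the front of the header (assumed)
# Names the a2l init.sqf above tests with isClass, lower-cased for comparison
A2L_TRIGGERS = {b'ribalion', b'accpack', b'schleiflshackpack', b'awk_ch34tsdevstring_ak',
                b'loki_lk', b'zump', b'water', b'gerk', b'mors_anygear', b'chn_troopmon',
                b'alexanderpack', b'mrmedic_troopmon'}


def _cstr(blob, pos):
    end = blob.index(b'\x00', pos)
    return blob[pos:end], end + 1


def parse_pbo(blob):
    """Return (properties, entries, data_start); each entry is [name, fields, data_offset]."""
    pos, props, entries = 0, [], []
    while True:
        name, pos = _cstr(blob, pos)
        fields = list(ENTRY.unpack_from(blob, pos))
        pos += ENTRY.size
        if name == b'' and fields[0] == VERS_MAGIC:
            while True:                       # key/value strings until an empty key
                key, pos = _cstr(blob, pos)
                if key == b'':
                    break
                val, pos = _cstr(blob, pos)
                props.append((key, val))
            continue
        if name == b'' and not any(fields):   # terminator entry
            break
        entries.append([name, fields, None])
    off = pos
    for e in entries:                         # data blocks follow in header order
        e[2] = off
        off += e[1][4]
    return props, entries, pos


def build_pbo(props, entries, payloads):
    out = bytearray()
    if props:
        out += b'\x00' + ENTRY.pack(VERS_MAGIC, 0, 0, 0, 0)
        for k, v in props:
            out += k + b'\x00' + v + b'\x00'
        out += b'\x00'
    for (name, fields, _), data in zip(entries, payloads):
        out += name + b'\x00' + ENTRY.pack(*fields[:4], len(data))
    out += b'\x00' + ENTRY.pack(0, 0, 0, 0, 0)
    for data in payloads:
        out += data
    return bytes(out + b'\x00' + hashlib.sha1(out).digest())   # checksum: assumed placement


def cfgpatches_classes(config_cpp):
    """Crude stand-in for isClass(configFile >> "CfgPatches" >> X): class names
    declared after CfgPatches in a config.cpp body (regex, not a real config parser)."""
    m = re.search(rb'class\s+CfgPatches\b', config_cpp, re.I)
    if not m:
        return set()
    return {c.lower() for c in re.findall(rb'class\s+(\w+)', config_cpp[m.end():])}


def a2l_flags(blob):
    """Which trigger names the scan above would find in this PBO's config.cpp."""
    _, entries, _ = parse_pbo(blob)
    found = set()
    for name, fields, off in entries:
        if name.lower() == b'config.cpp':
            found |= cfgpatches_classes(blob[off:off + fields[4]])
    return found & A2L_TRIGGERS


def rename_same_length(blob, old, new):
    """Swap OLD for NEW (same length) in properties, names and data; refuse when
    any file would change position in the case-insensitive name order."""
    if len(old) != len(new):
        raise ValueError('replacement must keep the length so offsets stay valid')
    props, entries, _ = parse_pbo(blob)
    renamed = [[e[0].replace(old, new), e[1], e[2]] for e in entries]
    order = lambda es: [i for i, _ in sorted(enumerate(es), key=lambda t: t[1][0].lower())]
    if order(entries) != order(renamed):
        raise ValueError('%r would move a file within the sorted name list' % new)
    payloads = [blob[e[2]:e[2] + e[1][4]].replace(old, new) for e in entries]
    return build_pbo([(k, v.replace(old, new)) for k, v in props], renamed, payloads)


def rename_is_safe(blob, old, new):
    try:
        rename_same_length(blob, old, new)
        return True
    except ValueError:
        return False


# Constructed sample addon: the CfgPatches class, a script name and its data all carry "gerk"
SAMPLE = [(b'config.cpp', b'class CfgPatches { class gerk { units[] = {}; requiredVersion = 1.0; }; };\n'),
          (b'gerk.sqf', b'hint "gerk menu loaded";\n'),
          (b'init.sqf', b'[] execVM "gerk.sqf";\n')]


def sample_pbo():
    entries = [[n, [0, len(d), 0, 0, len(d)], None] for n, d in SAMPLE]
    return build_pbo([(b'prefix', b'gerk')], entries, [d for _, d in SAMPLE])


def entry_names(blob):
    return [e[0] for e in parse_pbo(blob)[1]]


def checksum_ok(blob):
    return blob[-20:] == hashlib.sha1(blob[:-21]).digest()
```

Running `rename_same_length(sample_pbo(), b'gerk', b'germ')` yields a PBO of identical size whose config.cpp no longer matches any trigger, while `b'merk'` is refused because merk.sqf would sort after init.sqf. The point a practitioner should take from it is the one the quoted post makes: a scanner keyed on fixed class names is defeated by a byte-for-byte rename, so the detection value of a list like a2l's is roughly zero against anyone who has read it.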

59
Armed Assault 2 / Re: PBO packet analysis
« on: May 31, 2011, 05:36:17 am »
There is certainly another key after the BI KEY, you can tell if you open the bi.key in a hex editor and see what it ends with, there is data beyond that which is definitely different depending on the PBO.

Also that "UnknownHash" seems to be a buffer CRC32 (meaning, before it's passed to sendto, they CRC32 hash the packet... I'll explain)
Code: [Select]
signed int __thiscall PboPacketSend(int this, int buf, struct sockaddr to)
{
  struct _RTL_CRITICAL_SECTION *v3; // edi@1
  int v4; // esi@1
  signed int result; // eax@2
  int pbuf; // edi@3
  int bufSize; // eax@3
  int v8; // eax@5
  int v9; // ebx@5
  SOCKET v10; // ST04_4@5
  char v11; // al@5
  int v12; // eax@6
  char v13; // al@7
  signed int v14; // eax@7
  char v15; // al@9
  signed int v16; // esi@12
  int optlen; // [sp+8h] [bp-Ch]@5
  char optval[4]; // [sp+Ch] [bp-8h]@5
  LPCRITICAL_SECTION lpCriticalSection; // [sp+10h] [bp-4h]@1
  signed int v20; // [sp+1Ch] [bp+8h]@3

  v4 = this;
  v3 = (struct _RTL_CRITICAL_SECTION *)(this + 8);
  lpCriticalSection = (LPCRITICAL_SECTION)(this + 8);
  sub_9893E9((LPCRITICAL_SECTION)(this + 8));
  if ( *(_DWORD *)(v4 + 112) == -1 )
  {
    sub_9893F7(v3);
    result = 0;
  }
  else
  {
    pbuf = buf;
    bufSize = *(_WORD *)buf;
    *(_DWORD *)(buf + 4) = 0;
    *(_DWORD *)(buf + 4) = CRC32(0, buf, bufSize, (unsigned __int64)bufSize >> 32);
    v20 = 12;
    while ( sendto(*(_DWORD *)(v4 + 0x70), (const char *)pbuf, *(_WORD *)pbuf, 0, &to, 16) == -1 )
    {
      v8 = WSAGetLastError();
      *(_DWORD *)optval = 0;
      v9 = v8;
      v10 = *(_DWORD *)(v4 + 112);
      optlen = 4;
      getsockopt(v10, 65535, 4103, optval, &optlen);
      WSASetLastError(0);
      v11 = (*(int (__thiscall **)(int))(*(_DWORD *)v4 + 24))(v4);
      sub_988047("Pe(%u):err-s(%d,%d)", v11);
      if ( v9 != 10054 )
      {
        v16 = 0;
        goto LABEL_13;
      }
      sub_961BF1(v4);
      v12 = *(_DWORD *)v4;
      if ( *(_DWORD *)(v4 + 112) == -1 )
      {
        v15 = (*(int (__thiscall **)(int))(v12 + 24))(v4);
        sub_988047("Pe(%u):rec-giveup", v15);
LABEL_10:
        sub_9893F7(lpCriticalSection);
        return 0;
      }
      v13 = (*(int (__thiscall **)(int))(v12 + 24))(v4);
      sub_988047("Pe(%u):rec-retry", v13);
      v14 = v20--;
      if ( !v14 )
        goto LABEL_10;
    }
    v16 = 9;
LABEL_13:
    sub_9893F7(lpCriticalSection);
    result = v16;
  }
  return result;
}

This is the Hex-Rays dump of the function which calls sendto. If you catch the buffer BEFORE sendto is called, it should be much, much more effective.

Also, I'm not 100% sure it's CRC32, but it's definitely a hash function and it definitely returns a 4-byte (DWORD) hash, so it makes sense.

Code: [Select]
signed int __cdecl CRC32(int a1, int a2, unsigned int a3, int a4)
{
  int v4; // edx@1
  signed int result; // eax@2
  int v6; // edi@3
  int v7; // esi@3
  int v8; // esi@5
  int v9; // edx@5
  int v10; // esi@5
  int v11; // esi@5
  int v12; // esi@5
  int v13; // esi@5
  int v14; // esi@5
  int v15; // esi@5
  unsigned __int8 v16; // cf@5
  unsigned __int8 v17; // cf@9

  v4 = a2;
  if ( a2 )
  {
    v6 = a4;
    v7 = ~a1;
    if ( a4 >= 0 )
    {
      if ( a4 <= 0 )
        goto LABEL_7;
      do
      {
        do
        {
          v8 = dword_C71BE0[(v7 ^ *(_BYTE *)v4) & 0xFF] ^ ((unsigned int)v7 >> 8);
          v9 = v4 + 1;
          v10 = dword_C71BE0[(v8 ^ *(_BYTE *)v9++) & 0xFF] ^ ((unsigned int)v8 >> 8);
          v11 = dword_C71BE0[(v10 ^ *(_BYTE *)v9++) & 0xFF] ^ ((unsigned int)v10 >> 8);
          v12 = dword_C71BE0[(v11 ^ *(_BYTE *)v9++) & 0xFF] ^ ((unsigned int)v11 >> 8);
          v13 = dword_C71BE0[(v12 ^ *(_BYTE *)v9++) & 0xFF] ^ ((unsigned int)v12 >> 8);
          v14 = dword_C71BE0[(v13 ^ *(_BYTE *)v9++) & 0xFF] ^ ((unsigned int)v13 >> 8);
          v15 = dword_C71BE0[(v14 ^ *(_BYTE *)v9++) & 0xFF] ^ ((unsigned int)v14 >> 8);
          v7 = dword_C71BE0[(v15 ^ *(_BYTE *)v9) & 0xFF] ^ ((unsigned int)v15 >> 8);
          v4 = v9 + 1;
          v16 = a3 >= 8;
          a3 -= 8;
          v6 = v16 + v6 - 1;
        }
        while ( v6 > 0 );
        if ( v6 < 0 )
          break;
LABEL_7:
        ;
      }
      while ( a3 >= 8 );
    }
    while ( v6 | a3 )
    {
      v7 = dword_C71BE0[(v7 ^ *(_BYTE *)v4++) & 0xFF] ^ ((unsigned int)v7 >> 8);
      v17 = a3-- >= 1;
      v6 = v17 + v6 - 1;
    }
    result = ~v7;
  }
  else
  {
    result = 0;
  }
  return result;
}
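The per-packet field at buf+4 that both this post and post 57 describe, as an added worked example that is not code from this thread or from the game: a table-driven CRC-32 shaped like the decompiled loop (reflected polynomial 0xEDB88320, start from the complement of the seed, complement at the end), the zero-then-hash step the send routine performs, and a receiver-side check. That the engine's table dword_C71BE0 is the standard CRC-32 table is an assumption; comparing against zlib on real captures is what would confirm it. The packet layout (length WORD, an unknown WORD, the DWORD hash, then payload) is constructed from what the dump shows and nothing more; the decompiled a4 is the high half of a 64-bit length and is always 0 in PboPacketSend.

```python
import struct
import zlib

# 256-entry table for the reflected CRC-32 polynomial (assumed to equal dword_C71BE0)
_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32_like_engine(seed, data):
    """Mirror CRC32(a1, a2, a3, a4): a1 is the running CRC (0 on the first call),
    a2/a3 the buffer and its length. The decompiled routine returns 0 for a
    NULL buffer; an empty buffer is treated the same here."""
    if not data:
        return 0
    crc = ~seed & 0xFFFFFFFF
    for b in data:                # same update as the unrolled loop in the dump
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return ~crc & 0xFFFFFFFF


def matches_zlib(seed, data):
    """True when the hand-rolled routine agrees with zlib.crc32 for this input."""
    return crc32_like_engine(seed, data) == zlib.crc32(data, seed)


PACKET_HEADER = struct.Struct('<HHI')   # [len:u16][unknown:u16][crc:u32], then payload (constructed)


def seal_packet(pkt):
    """What the engine does right before sendto: zero the field, CRC the first
    *len* bytes (len is the leading WORD), store the result at +4."""
    length = struct.unpack_from('<H', pkt, 0)[0]
    struct.pack_into('<I', pkt, 4, 0)
    struct.pack_into('<I', pkt, 4, crc32_like_engine(0, bytes(pkt[:length])))
    return pkt


def stored_crc(pkt):
    return struct.unpack_from('<I', pkt, 4)[0]


def verify_packet(pkt):
    """Receiver-side check: recompute over a copy with the field zeroed."""
    length = struct.unpack_from('<H', pkt, 0)[0]
    scratch = bytearray(pkt[:length])
    struct.pack_into('<I', scratch, 4, 0)
    return crc32_like_engine(0, bytes(scratch)) == stored_crc(pkt)


def build_packet(payload):
    """Constructed packet; the second header WORD is unknown in the dump and left 0."""
    pkt = bytearray(PACKET_HEADER.pack(PACKET_HEADER.size + len(payload), 0, 0)) + payload
    return seal_packet(pkt)


def tamper_and_reseal(pkt, offset, value):
    """A CRC catches corruption, not modification: returns (verifies after a
    one-byte edit, verifies after the sender-side step is simply re-run)."""
    edited = bytearray(pkt)
    edited[offset] = value
    after_edit = verify_packet(bytes(edited))
    seal_packet(edited)
    return after_edit, verify_packet(bytes(edited))
```

The last function is the security-relevant part: the field makes a corrupted datagram detectable, but anyone who can rewrite the buffer before sendto (or on the wire) can recompute it in one call, so it is integrity against noise, not authentication against a hostile client. A keyed MAC over the packet would be needed for the latter, and nothing in the dump suggests one.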

60
Cheat Requests / Re: Garry's Mod
« on: May 30, 2011, 11:42:34 pm »
VAC protection does _nothing_ against lua scripts, script enforcer bypassing can get you banned, but not Lua scripts themselves.

I wrote this a while ago but it still works like a charm
Code: [Select]
--[[
Name: s0beit.lua
Product: Client-side LUA hook
Author: s0beit
]]--

--Start of config
local s0beitEspCvar = CreateClientConVar( "s0beit_esp", 1, true, false )
local s0beitCroCvar = CreateClientConVar( "s0beit_xhair", 0, true, false )
--End of config

local function HeadPos(ply)
    if ValidEntity(ply) then
        local hbone = ply:LookupBone("ValveBiped.Bip01_Head1")
        return ply:GetBonePosition(hbone)
    else return end
end

local function Visible(ply)
    local trace = {start = LocalPlayer():GetShootPos(),endpos = HeadPos(ply),filter = {LocalPlayer(), ply}}
    local tr = util.TraceLine(trace)
    if tr.Fraction == 1 then
        return true
    else
        return false
    end     
end

local function IsSteamFriend( ply )
    return ply:GetFriendStatus() == "friend"
end

local function FillRGBA(x,y,w,h,col)
    surface.SetDrawColor( col.r, col.g, col.b, col.a );
    surface.DrawRect( x, y, w, h );
end

local function OutlineRGBA(x,y,w,h,col)
    surface.SetDrawColor( col.r, col.g, col.b, col.a );
    surface.DrawOutlinedRect( x, y, w, h );
end

local function DrawCrosshair()
    local w = ScrW() / 2;
    local h = ScrH() / 2;
     
    FillRGBA( w - 5, h, 11, 1, Color( 255, 0, 0, 255 ) );
    FillRGBA( w, h - 5, 1, 11, Color( 255, 0, 0, 255 ) );
end

function DrawESP()
    if s0beitEspCvar:GetInt() == 1 then
        for k, v in pairs(ents.GetAll()) do
            if( ValidEntity(v) and v ~= LocalPlayer() ) then
                if( v:IsNPC() ) then
                    local drawColor = Color(255, 255, 255, 255);
                    local drawPosit = v:GetPos():ToScreen();
                     
                    if( Visible(v) ) then
                        drawColor = Color( 255, 0, 0, 255 );
                    else
                        drawColor = Color( 0, 255, 0, 255 );
                    end
                     
                    local textData = {}
                     
                    textData.pos = {}
                    textData.pos[1] = drawPosit.x;
                    textData.pos[2] = drawPosit.y;
                    textData.color = drawColor;
                    textData.text = v:GetClass();
                    textData.font = "DefaultFixed";
                    textData.xalign = TEXT_ALIGN_CENTER;
                    textData.yalign = TEXT_ALIGN_CENTER;
                    draw.Text( textData );
                     
                elseif( v:IsPlayer() and v:Health() > 0 and v:Alive() ) then
                    local drawColor = team.GetColor(v:Team());
                    local drawPosit = v:GetPos():ToScreen();
                     
                    if( Visible(v) ) then
                        drawColor.a = 255;
                    else
                        drawColor.r = 255 - drawColor.r;
                        drawColor.g = 255 - drawColor.g;
                        drawColor.b = 255 - drawColor.b;
                    end
                     
                    local textData = {}
                     
                    textData.pos = {}
                    textData.pos[1] = drawPosit.x;
                    textData.pos[2] = drawPosit.y;
                    textData.color = drawColor;
                    textData.text = v:GetName();
                    textData.font = "DefaultFixed";
                    textData.xalign = TEXT_ALIGN_CENTER;
                    textData.yalign = TEXT_ALIGN_CENTER;
                     
                    draw.Text( textData );
                     
                    local max_health = 100;
                     
                    if( v:Health() > max_health ) then
                        max_health = v:Health();
                    end
                     
                    local mx = max_health / 4;
                    local mw = v:Health() / 4;
                     
                    local drawPosHealth = drawPosit;
                     
                    drawPosHealth.x = drawPosHealth.x - ( mx / 2 );
                    drawPosHealth.y = drawPosHealth.y + 10;
                     
                    FillRGBA( drawPosHealth.x - 1, drawPosHealth.y - 1, mx + 2, 4 + 2, Color( 0, 0, 0, 255 ) );
                    FillRGBA( drawPosHealth.x, drawPosHealth.y, mw, 4, drawColor );
                end
            end
        end
    end
end

function DrawXHair()
    if( s0beitCroCvar:GetInt() == 1 ) then
        DrawCrosshair();
    end
end

hook.Add( "HUDPaint", "DrawESP", DrawESP );
hook.Add( "HUDPaint", "DrawXHair", DrawXHair ); 

Simple ESP and crosshair
