A few facts about the recent ultimate exploit/hack

cyx54tc

clocksstoppe wrote: »

code65536 wrote: »

clocksstoppe wrote: »

Fun? Not fun at all, in fact it's a disgrace that 2016 game programmers can't implement an authoritative server model in an MMO.

You are very wrong however, fixing the ultimate exploit would have literally no performance hit. It's an int compare extra.

The Ultimate cheat is only the most visible and problematic one. There are other problems that people have posted, like characters walking on air. There's a lot of state-keeping on the client-side, and offloading that to the server will have a very detrimental effect on performance. Period.

Only if they are terrible programmers. There are always ways to fix these problems, you just need the right people for it.

actually I think it has more to do with the cost of server...

klink012

clocksstoppe wrote: »

Zakor wrote: »

clocksstoppe wrote: »

code65536 wrote: »

clocksstoppe wrote: »

Fun? Not fun at all, in fact it's a disgrace that 2016 game programmers can't implement an authoritative server model in an MMO.

You are very wrong however, fixing the ultimate exploit would have literally no performance hit. It's an int compare extra.

The Ultimate cheat is only the most visible and problematic one. There are other problems that people have posted, like characters walking on air. There's a lot of state-keeping on the client-side, and offloading that to the server will have a very detrimental effect on performance. Period.

Only if they are terrible programmers. There are always ways to fix these problems, you just need the right people for it.

Sorry dude, but you are horribly wrong. This has nothing to do with people not being able to program it but with the server side calculations would

1. be a slower than now in cause of having to send the needed calc data to the server
2. be slower due to the server doing MANY calculations for MANY players

Again, you are wrong.

No, YOU are wrong. You don't HAVE to do those exact calculations, you just have to impose constraints on what the client claims to have calculated using cheaper calculations.


How to cheaply negate speed hack: compare the new position sent by client to the position on the server. If it's farther than the actual speed of the player, deny movement.


How to negate the "character walking on air": You use a simple (2d) grid system for the world map where each tile has a tolerance range for the height allowed for the player standing in it. Grids are extremely cheap and you still allow the client to do complex mesh collision calculations to look right on the client side.


Naysayers like you are exactly the problem. You give them an excuse for doing a terrible job.

I like this guy!! +1

klink012

SirAndy wrote: »

Zakor wrote: »

Sorry dude, but you are horribly wrong. This has nothing to do with people not being able to program it but with the server side calculations would

1. be a slower than now in cause of having to send the needed calc data to the server
2. be slower due to the server doing MANY calculations for MANY players

Again, you are wrong.

You are the one who is wrong...
I've worked on client/server based game engines as well as enterprise level high traffic client/server systems.

If done right, a server side system would but multitudes faster than anything we have ever seen from ESO. There as so many bad design decisions in this game, it's missing all the fundamental parts that make for a lean and fast client/server system.

And this guy too! +1

Keep up the good work!

Faunter

cyx54tc wrote: »

Feel free to take a look at maple story which uses similar model. Maple story even used 3 layers of anti-hack engine and still......

Fact 5: What exploits/hacks are possible with ESO?
Anything you saw in Maple story could theoretically be seen in ESO. Examples: god mode, damage modification, infinite resources, god speed, global skill, global gathering, global teleporting ect

lol MapleStory...

...MapleStory

Turelus

Rex-Umbra wrote: »

ZOS has data and they will be banning once they review it.

Like they had data about the survey exploits?

Wtrenga

Rex-Umbra wrote: »

ZOS has data and they will be banning once they review it.

Of course they have data, I'm not claiming they don't. In fact, they have plenty of data available, but the problem is another: It seems like they do not have the right capacities, capabilities and/or resources allocated in order to not just read the data but also implement measures in order to improve the current status.

InvitationNotFound

Rex-Umbra wrote: »

ZOS has data and they will be banning once they review it.

yes (if they even put some effort into "reviewing data"), maybe for 3 days.

Rex-Umbra wrote: »

I could probably write a thesis about network mechanics, but what's going on is really unprofessional and I am deeply disappointed. Nevertheless, no ZOS does not need to find the client hack to fix the problem. It shouldn't even be possible in the first place.

very long technical text on a gaming forum. i doubt many of the people here have any it / coding / reverse engineering / hacking experience

Short version: the server trusts the client and the client can be manipulated (in which way you want (at least atm), dll injection, a patched binary, whatever... the way you choose to accomplish your goal is actually irrelevant imho).

code65536 wrote: »

If I were the engineer designing this, what I'd do is to trust the client, but have a separate server-side watchdog that audits what the client does and see if the client's calculations actually agree with what the calculations that the server would've made if the server was doing full validation. And by separate, I mean it's not handled by the actual game server but by a separate server, working alongside the main server.

From a security standpoint: never trust "user" input. I completely agree. Adding a second process / server to verify if everything is legit is also a good approach. Unfortunately, we are dealing here with ZOS. Implementing such a solution would very likely lead in to perma ban for everyone.

Zakor wrote: »

.

Why is it necessary to scan the memory? Wouldn't xyz do the job?
This is just one way to prevent cheating/hacking completly (if done correctly). There may be other ways. But every way, that won't protect the games memory area in some way or let the server do the calculations completly can be exploitet with the correct cheats/hacks. Actually it is possible to change and read entries in your memory. So it also is possible to find the point in the memory which holds the data about your ult points, magicka, ... . When found this point can be used to change the value ingame. So the only logical way to prevent this behaviour is to block (hard) or detect (actually pretty easy) those changes and ban the player for cheating or at least trying.

Your solution is a client side protection, which again can be bypassed (question: what kind of protection does your protection have? it simply increases the effort to write a reliable cheat)? Wrong approach, sorry. Try again.

Lava_Croft

Meanwhile, everybody who hasn't been exploiting mats or using third party tools to game their way to vMSA loot just feels royally screwed, while those who did exploit mats or game their way to vMSA loot reaps the rewards.

This game is dead for anyone who wants to even semi-seriously be competitive in either PvE, PvP or both.

SlayerTheDragon

From the way the handled the Survey exploit, to the apathy of this current exploit - the only real question left is: what is the best download link for Cheat Engine?

SlayerTheDragon

SlayerTheDragon wrote: »

From the way the handled the Survey exploit, to the apathy of this current exploit - the only real question left is: what is the best download link for Cheat Engine?

On a serious note though:

1. Who still uses Client Trust? No other popular MMO, and they do just fine with lag etc
2. If you do use Client Trust, for the love of all use it in a way that you cant just crack from on-screen values (CE is so stupidly easy to use - google it).
3. Have your client look at running process for any programs that are considered a hack/bot/trainer and flag the account.

InvitationNotFound

SlayerTheDragon wrote: »

SlayerTheDragon wrote: »

From the way the handled the Survey exploit, to the apathy of this current exploit - the only real question left is: what is the best download link for Cheat Engine?

On a serious note though:

1. Who still uses Client Trust? No other popular MMO, and they do just fine with lag etc
2. If you do use Client Trust, for the love of all use it in a way that you cant just crack from on-screen values (CE is so stupidly easy to use - google it).
3. Have your client look at running process for any programs that are considered a hack/bot/trainer and flag the account.

1) Any reference on this one? Wasn't there a teleporting around the map cheat in WoWs early days (just as an example)? Not sure if they all implement it properly.
2 / 3) I never used CE so I have no idea how it works. Anyway, all client checks can be circumvented with enough effort / knowledge. It just makes cheating a bit harder for the average joe until someone releases an eso specific cheat.

The_Saint

SlayerTheDragon wrote: »

SlayerTheDragon wrote: »

From the way the handled the Survey exploit, to the apathy of this current exploit - the only real question left is: what is the best download link for Cheat Engine?

On a serious note though:

1. Who still uses Client Trust? No other popular MMO, and they do just fine with lag etc
2. If you do use Client Trust, for the love of all use it in a way that you cant just crack from on-screen values (CE is so stupidly easy to use - google it).
3. Have your client look at running process for any programs that are considered a hack/bot/trainer and flag the account.

Not really MMO ^^ but The Division have(had?) also problems with stats who can manipulate easily clientside...

kendellking_chaosb14_ESO

I completely understand the problem with finding unlimited resources hacks but something like dropping an ultimate that's not Overload over and over again should be a ban able offense that's easy to find by way of players reports with death recap screenshots.

Alcast

They banned one of those dudes......:FOR 24HOURS....

Using a CHEATENGINE and only getting a 24h ban. Sounds about right.











remember to buy senche btw. thats all that counts.

Drakoleon

Is this a hack? or just gamers found a way to exploit bad game programming? SO.... ban the exploiters? or "ban" the inadequate programmers?
I truly believe that the BEST MMO ever (for my taste) is in the wrong hands since day 1

Septimus_Magna

ZOS should do the Apple approach and only allow checked add-ons from a library within the game.

That would give ZOS the freedom to push more processes to the client side (reducing server lag) and root out all cheaters, exploiters and other sad figures once and for all.

RazielSR

You know,this happened to AoC and you were able even to "buy" infinite Funcom points from the store(like the crowns here). Just saying.

InvitationNotFound

Septimus_Magna wrote: »

ZOS should do the Apple approach and only allow checked add-ons from a library within the game.

That would give ZOS the freedom to push more processes to the client side (reducing server lag) and root out all cheaters, exploiters and other sad figures once and for all.

do you comment without reading anything else in this thread?
ALL client side checks can be bypassed. It's just a matter of how much effort you have to invest. Your "checked add-ons" is useless, besides the fact that CE is a third party application and not an add-on.

edit: side note to apple's iOS:
The checks are implemented in the iOS kernel, which means in the OS itself. Therefore, ZOS wouldn't be able to implement such a lock.
Furthermore, when you find a vulnerability in the kernel, this whole lock thing can be bypassed (yes, jailbreaking is actually exploiting some sort of security vulnerability and might even happen when you visit a web site (i guess there was one for older iOS versions)).

If you want avoid such cheats you'll have to implement server side checks. everything else will only make cheating more difficult but isn't a 100% cheat prevention.

Septimus_Magna

InvitationNotFound wrote: »

Septimus_Magna wrote: »

ZOS should do the Apple approach and only allow checked add-ons from a library within the game.

That would give ZOS the freedom to push more processes to the client side (reducing server lag) and root out all cheaters, exploiters and other sad figures once and for all.

do you comment without reading anything else in this thread?
ALL client side checks can be bypassed. It's just a matter of how much effort you have to invest. Your "checked add-ons" is useless, besides the fact that CE is a third party application and not an add-on.

edit: side note to apple's iOS:
The checks are implemented in the iOS kernel, which means in the OS itself. Therefore, ZOS wouldn't be able to implement such a lock.
Furthermore, when you find a vulnerability in the kernel, this whole lock thing can be bypassed (yes, jailbreaking is actually exploiting some sort of security vulnerability and might even happen when you visit a web site (i guess there was one for older iOS versions)).

If you want avoid such cheats you'll have to implement server side checks. everything else will only make cheating more difficult but isn't a 100% cheat prevention.

Wouldnt it be easier to check for client side irregularities if there is only normal/controlled data transfer between the server and client side?

Im no software engineer (just a mechanical engineer) so its not my field of expertise but it shouldnt be impossible to have decent latency without cheaters. Latency was pretty good in the beginning, they messed that up to eliminate bots/cheaters but it seems like that didnt work after all.

Right now we have the worst of two worlds, bad latency and cheaters.

Cously

We can go to the moon but can't have a technology that allows lag-free hack-free games.

Sunburnt_Penguin

Cously wrote: »

We can go to the moon.

Keep believing that

GreenhaloX

Wow.. even though it's regarding some negative aspects of hacking/exploiting, what a good technical discussion this has been. Bunch of smart tech savvy folks on here. Really makes me want to switch career field and get into computer science and IT. Actually learned a little bit on the IT aspects of the game by reading some of these posts.

mtwiggz

Lava_Croft wrote: »

Meanwhile, everybody who hasn't been exploiting mats or using third party tools to game their way to vMSA loot just feels royally screwed, while those who did exploit mats or game their way to vMSA loot reaps the rewards.

This game is dead for anyone who wants to even semi-seriously be competitive in either PvE, PvP or both.

Well said Tomb Raider, well said.

Been running vMA nonstop for several days now. Wanted to get the weapons I want before the loot table is watered down with all the new terrible traits. Unfortunately my rank 60ish score was quickly removed from the leaderboards as numerous others obviously legitimately out did it.

Sadly I felt almost left behind in this game for not exploiting surveys and reaping hundreds or thousands of materials for little or no effort. I was enraged. Now a month later players are abusing a new "exploit" to gain other kinds of rewards. It seems to be getting to the point that exploiting is the new meta. ZoS approved meta none the less.

InvitationNotFound

Septimus_Magna wrote: »

Wouldnt it be easier to check for client side irregularities if there is only normal/controlled data transfer between the server and client side?

Im no software engineer (just a mechanical engineer) so its not my field of expertise but it shouldnt be impossible to have decent latency without cheaters. Latency was pretty good in the beginning, they messed that up to eliminate bots/cheaters but it seems like that didnt work after all.

Right now we have the worst of two worlds, bad latency and cheaters.

The point is that "checking for client side irregularities" on the client doesn't work. If your cheat is capable of manipulating the "client side check", it will simply manipulate it in a way it always says "everything is fine". Therefore, your cheat application has to find those checks and eliminates them. It simply is a matter of effort the cheat author has to put in. At the same time, the cheat author won't be able to change the logic on the server. Therefore, if you wan't the best possible protection: implement it on the server and never trust what the users are sending. this of course means that there will be more load on the server (or on a verification server, which is looking for anomalies. but anyway, to be completely secure, the client isn't the way to go).

I don't say it is impossible to have good latency. But if they move all verification logic to the server it certainly will have a negative performance impact (maybe not in a significant way depending on their implementation).

Adding client side checks in general means adding a new process (program) which runs with admin rights on your system (otherwise it wouldn't be able to monitor everything) or adding the checks to the client while requiring the game client to run with admin rights. I personally don't like any of those options. e.g. if your game client runs with admin rights you will have to run third party software (e.g. TS3) with admin rights as well. There is a reason applications aren't running with admin rights if not necessary. ( See: https://en.wikipedia.org/wiki/Principle_of_least_privilege)

edit:typo

Zyle

Alright, so I now know anything client side won't work. What if they updated how their logging works? Wouldn't they be able to analyze said logs if they were detailed enough and spot out of the norm behavior?

InvitationNotFound

Zyle wrote: »

Alright, so I now know anything client side won't work. What if they updated how their logging works? Wouldn't they be able to analyze said logs if they were detailed enough and spot out of the norm behavior?

yes, that could be a solution. but it means they will have to log a lot and do the exact same calculations on the server. otherwise it will be a mess. and without perma bans it will still be a huge joke.

InvitationNotFound

Zyle wrote: »

Alright, so I now know anything client side won't work. What if they updated how their logging works? Wouldn't they be able to analyze said logs if they were detailed enough and spot out of the norm behavior?

to the "wont work part":
it depends, it might still be pretty difficult to get a cheat working. but there's no guarantee we won't face the exact same thing a month or two later if implemented at the client side.

Pomaikai

This cheat program has been around since Beta, and works with most other online games, including MMO's.

Rohamad_Ali

People that thought they were being killed by macros should note Zazeer pointed it out before leaving this is from the cheat engine as well . Speeding up attacks faster then normal . So if you get hit with 3 or 4 attacks in one second and die , you're not crazy , it wasn't necessarily lag , you probably got attacked by the cheat engine changing values on speed in game .

Korah_Eaglecry

Turelus wrote: »

Rex-Umbra wrote: »

ZOS has data and they will be banning once they review it.

Like they had data about the survey exploits?

They have the data but they seem to be lazy about it and dont really look into these things until theyre reported or atleast on the verge of becoming a forum fire with the potential of bad press. Its like having police that dont do patrols and only respond to things when theyre called. Its a bit late to do anything once the call goes out.