Author Topic: Antihack false positive for xXxSmeagolxXx, 00Kyle, 8472, thaydrad and others  (Read 5319 times)

Offline iL

  • Administrator
  • Ogre Mage
  • *****
  • Posts: 1653
    • View Profile
Let me repost from here: http://forum.war2.ru/index.php/topic,1825.msg32123.html#msg32123

Just checked logs.
However, that looks like a false positive, so i'm sorry.

Let me explain:

How my antihack works:
It reads the memory values known as used by hacks from war2 memory. Then it sends that values to the server. And then the server compares that values to "known clean war2 values" and reports HACK if differs.
For map hack known "clean" value = XX. "Hack" value = 00.
That's why when i see value 00 from someone i can definitely say that he activated maphack. When i see XX i can definitely say that maphack is not being activated for him.

But what if value changes from XX to anything else, like 02? I have no idea if the map will be open (as in maphack) or ok (as usual), but that definitely means something strange happens. Normally that value is ALWAYS XX. That's why that will also be reported as HACK.


Another question is, what happens if reading the memory value will cause error for some reason? I've been so stupid that i didn't check that properly until last update.
Technically, value possibly be sent to the server then is not defined, but that should be 00 most likely.
I still don't understand how that can happen that defined and existing memory data in existing process can be checked most of the time, but not in several moments.

But I added that check to new version, just to be sure, marking failed-reading values as UNDEFINED.

And now what i can see in server logs:
These are several akas being marked as "HACK!":
- thaydrad:
map value: XX changed to YY and then changed back to XX.
other values also have been also changed to YY and then back to proper values.
YY is not any of known hacking values.
No idea what that can mean, but that's not kell-known hacks.

- 8472:
values have been clean most time. But sometimes changes to UNDEFINED.

- 00Kyle:
values have been ok at the beginning. But then they have been changed to UNDEFINED. After that they all have been changed to 00. And then to UNDEFINED again, many times.
00 means hack for maphack, but not for other hacks. So, 00 for all values could mean something else than hacking. No idea what exactly.

- Miron:
All values changed to UNDEFINED also.

Returning to the past:
xXxSmeagolxXx used previous version and i rechecked now:
All values have been changed from ok to 00. That could mean hack for maphack, but other values should be different.
I think that means antihack have not been able to read his memory values properly for some reason and then sent 00 instead. I classified that as hack. And i think i was wrong.
So i think that was false positive with xXxSmeagolxXx  also.

I'm sorry again.

My future plans:
1. the problem in loader have been fixed. So, no more false positives. There are some more problems (not related to false positives) i plan to fix soon, so several new versions should be released.
2. my idea to consider any non-proper value as hack have been bad. I think 3 states should be shown: definite OK, definite HACK and undefined.
3. my idea to keep everything secret have been failed also. I have to discover at least several basic concepts about antihack and it's logic. Such discovering could cause the rish of hacking the antihack, but i can't keep everything secret anymore.
4. i still plan to rewrite the backend of server side from scratch to handle input data more careful. So, i'll consider these new conditions also.

I'm sorry again, but antihack project is still in testing stage. So, some bugs in code and in concept appeared in real environment only.
I'll make efforts to never repeat such situations.
Need help to translate War2Combat to German, French, Italian, Polish or another language: http://forum.war2.ru/index.php/topic,4728.0.html
Please, contact me if you are interested in that.

Offline Certified MENSA Genius Brain (smart)

  • "The Architect"
  • Global Moderator
  • Dragon
  • *****
  • Posts: 5384
    • View Profile
Any theories on what would cause UNDEFINED or 02 or other strange results?
    

Offline SmartPeon

  • Peon
  • **
  • Posts: 7
    • View Profile
Any theories on what would cause UNDEFINED or 02 or other strange results?
You can't tell anything about that memory cuz you don't know where exactly in memory iL digs. after all it could be free memory which can take any random data.

Offline SmartPeon

  • Peon
  • **
  • Posts: 7
    • View Profile
iL, dude, let status page live a life. It's so usefull to watch about games and players online.

Offline Delete mine too

  • Death Knight
  • *********
  • Posts: 2652
  • http://meatspin.com
    • View Profile
    • http://meatspin.com
Ohhh

Well we could say for example 00400000 = 00 then let's say map hack, = 01 then that could be build hack, = 02 could be unite the clans, = 03 glittering prizes. I noticed the main memory address for cheat codes comes from the same location. So my theory is we should build a bigger white list. 0-254 right for each address?

We can call this method 1 of 3 or 1? With my code I relied on watching them play instead of changes. They can use any memory location / value but we would still catch build hack with mage / tower even though we don't have a clue what memory location was changed to make build hack, known values, or new versions of the old cheat we would always find out build hack even when we have no white list info ;)

If you send me the addresses I will reverse each one and learn. Was it all the values sometimes being undefined or just some map hack 1?

Offline {Lance}

  • Sappers
  • ******
  • Posts: 889
    • View Profile
What needs to happen before declaring anything a false positive is debugging.  There is a reason why these locations change.  Reproducing the results in a real game should tell you what was going on.  Also,  timestamp EVERYTHING please.  Even add a timestamp to the status page if something is detected.  That will tell everyone and their dog if it happened in a game or not,  maybe even go as far as adding the game log link.  That info is invaluable for debugging.  You can ask people what was going on in the game, etc.
« Last Edit: December 30, 2015, 02:58:59 PM by {Lance} »
Dk At hall is cause I started with temple at start and didn't need the castle . Not a hack .  I wouldn't bother editing a ss btw

^---- Dellam doesnt hack!  See, even by his own admission, no hack!!  LMFAO.

Offline {Lance}

  • Sappers
  • ******
  • Posts: 889
    • View Profile
I think that means antihack have not been able to read his memory values properly for some reason and then sent 00 instead. I classified that as hack. And i think i was wrong.

Until a reason for those, I think its better to assume it was something up to no good.  There are very few legit, if any, reasons why you would be unable to read memory addresses (while in a game that is,  in chat is a different story,  the game lobby IS NOT chat btw).  If it's discovered that your method is to flawed,  then perhaps you can see if Tupac has experienced the same issue.  If not,  use his method instead.  Otherwise there is always the built in packet 17 which I've had absolutely ZERO problems with so far.  It's not an ideal method, but it does work right now and it's very available to make use of until a better method can be put together.
Dk At hall is cause I started with temple at start and didn't need the castle . Not a hack .  I wouldn't bother editing a ss btw

^---- Dellam doesnt hack!  See, even by his own admission, no hack!!  LMFAO.

Offline Nox

  • Death Knight
  • *********
  • Posts: 4133
    • View Profile
what is fun with swift is everytime we caught him it was by build hacking.. And everytime he pass that for a troll, like, it was a joke to mess with you...

The fact is ive always said he was actually not trolling and just build hack by accident.

And try to turn that into a troll to save himself...

But today there no troll, he definitly get caught for map hack, what a great day!!!
Mr.120apm aka U8! Best player of the world losing 4v3 against Phillip5256.