How to ban specific cvars? (Fighting the new multihack)

Discussion for Admins of ETPro/BayonET servers.
If you don't run a server, please don't post here...

Ragnarok|GER
Posts: 100
Joined: Sat Apr 24, 2004 4:40 am

Post by Ragnarok|GER »

you guys may already know it: there's a new multihack in town.
etpro 3.1.0 detects it as STRANGE WIN32, punkbuster doesn't (but will as soon as the new update is available)
according to bani, updated versions of etpro anticheat will kick clients using it in the future.
by the way, here's the answer to this "problem" by the developer of the multihack, as to be read in his forum:
Please notice that we know about this issue and we already found a
way around ET PRO's anti cheat. But we are NOT going to release it
right now. Don't ask, as all messages related to it will be ignored
from now on.
furthermore, he says that running this hack on any etpro-server older or newer than 3.1.0 will cause serious problems and the hack will crash.

whatever, this cheat has some weak spots: it uses the following cvars:

nc_wall 1
nc_esp 1
nc_espfade 1
nc_aim 1
nc_aimheight 5
nc_aimkey 16
nc_fov 360.0
nc_shoot 1

now here's my question: is there any possibility for server admins to autokick clients using these cvars?
oh and i'd like to advise all server admins out there to have a look at clients with STRANGE WIN32 and to lock the cvars i mentioned above. thank you.
ET /= RTCW!
RoadKillPuppy
Posts: 207
Joined: Thu Apr 08, 2004 9:21 am
Location: Belgium!

Post by RoadKillPuppy »

Code:

pb_sv_cvar nc_wall IN 0
pb_sv_cvar nc_aim IN 0
pb_sv_cvar nc_aimkey IN 0
pb_sv_cvar nc_shoot IN 0
pb_sv_cvar nc_esp IN 0
pb_sv_cvar nc_espfade IN 0
pb_sv_cvar nc_aimheight IN 0
pb_sv_cvar nc_fov IN 0
pb_sv_cvar nc_aim IN 0
I guess... . /me pb nub

RKP
gotenks
Posts: 3465
Joined: Fri Nov 15, 2002 4:12 pm
Location: out of my mind

Post by gotenks »

force cvar or sv_cvar would work as well
After a night of binge drinking:
=FF=im2good4u wrote:WTF wanst i on top ?
daemord
Posts: 120
Joined: Sat Sep 06, 2003 1:11 am

Post by daemord »

force and sv_ wouldn't kick people from the server if they have them, pb will. adding those cvars is something i have also thought about adding to our server. would be nice if we could get a list of any and all cvars any of the cheats use (that are non standard ones) and just set up a list to start kicking on with PB
Ragnarok|GER
Posts: 100
Joined: Sat Apr 24, 2004 4:40 am

Post by Ragnarok|GER »

where to implement these settings? server.cfg?
@daemord all the cvars i mentioned are used by hack-users only.
ET /= RTCW!
daemord
Posts: 120
Joined: Sat Sep 06, 2003 1:11 am

Post by daemord »

yes i'm aware of that, i mean there must be more, used by other hacks. if i'm following threads correctly, i reckon there are about 3 maybe 4 hacks that are undetectable by ET-Pro and PB. the one you have mentioned is the main one mentioned i believe, but i assume the others may possibly use cvars or something as well. just until either PB or Bani release an update, if we could get a complete list of used cvars by all the hacks and then kick on them, it would be good.
Deus
Posts: 1053
Joined: Fri Mar 12, 2004 2:24 am
Location: Germany

Post by Deus »

gotenks wrote: force cvar or sv_cvar would work as well
If you forcecvar, anybody who joins the server will have these cvars. if they are not fully removed before joining a new server you may be called a cheater by just having these cvars. so please do NOT forcecvar them.
use pb_sv_cvarname IN 0 0 and kick them immediately.
For all other cvars use the etpro cvar stuff so there is nobody kicked.
gotenks
Posts: 3465
Joined: Fri Nov 15, 2002 4:12 pm
Location: out of my mind

Post by gotenks »

AFAIK, just having a cvar will not get you kicked... however setting it to some garbage var or 0 (i didn't think it could be changed back, but i could be wrong) will leave a var there, that will not make a difference except to the people using the cheat
Ragnarok|GER
Posts: 100
Joined: Sat Apr 24, 2004 4:40 am

Post by Ragnarok|GER »

indeed. just forcing nc_wall and nc_fov to 0 would make the hack completely useless. well.. some other cvars should be set to 0 also, but i don't know which ones.
ET /= RTCW!
deej
Posts: 743
Joined: Fri Mar 19, 2004 12:44 am
Location: Belgium!

Post by deej »

I would also say to everyone: do a "PB_SV_CVARUSER" in console when you notice suspicious activity, it helps look for 'user-defined' cvars.

Anyway, RKP's statements are correct. I use a .config file for my server set-up so I added:

Code:

...
yada yada other stuff yada yada
...

command "pb_sv_enable"
command "sv_cvarempty"
command "pb_sv_cvarempty"
	
command "pb_sv_cvar nc_wall IN 0"
command "pb_sv_cvar nc_aim IN 0"
command "pb_sv_cvar nc_aimkey IN 0"
command "pb_sv_cvar nc_shoot IN 0"
command "pb_sv_cvar nc_esp IN 0"
command "pb_sv_cvar nc_espfade IN 0"
command "pb_sv_cvar nc_aimheight IN 0"
command "pb_sv_cvar nc_fov IN 0"
command "pb_sv_cvar nc_aim IN 0"

....
other checks
...
Our servers now run on 64 bit steroids. Point your ET to:
- Forgotten Ground StopWatch Server with occasional wolfrof 1
- Fraggle Rock ETPub Server - Mix up ET/UT & Duke Nukem
RoadKillPuppy
Posts: 207
Joined: Thu Apr 08, 2004 9:21 am
Location: Belgium!

Post by RoadKillPuppy »

deej wrote:Anyway, RKP's statements are correct.
w°°t ... sorry, had to quote that :lol:
Deus
Posts: 1053
Joined: Fri Mar 12, 2004 2:24 am
Location: Germany

Post by Deus »

gotenks wrote:AFAIK, just having a cvar will not get you kicked... however setting it to some garbage var or 0 (i didn't think it could be changed back, but i could be wrong) will leave a var there, that will not make a difference except to the people using the cheat
it makes you suspicious if such a cvar is detected however. then you have to prove you are clean, and this isn't that easy...
DG
Posts: 513
Joined: Thu Jul 24, 2003 4:16 am

Post by DG »

in other news...

HEY CHEAT AUTHORS!
STOP USING CVARS IN CLIENT HOOKS BECAUSE WE CAN AND HAVE BEEN DETECTING IT IMMEDIATELY!

like i was picking up n7 hacks for about a year with pbweb, then told ~4 people and asked them to keep it to themselves. it got posted on forum then some newssite and -> posted about on cheater forum. now they no longer put files in the et folder for pbweb to pick up. :roll: :roll: :roll:

[10.03.2004 22:34:36] VIOLATION (CVAR) #9001: ^0Shaft^9!^-.. (slot #7) Cvar nc_aimkey = 16 [e2d2168d2eab05e53ec4d6c55147dbca(-) 62.238.18.174:27960]
[10.02.2004 20:48:05] VIOLATION (CVAR) #9001: ^3^0-[]^4Id^0[]-^4!^0n^4J^0e^4C (slot #7) Cvar nc_wall = 1 [9daefc6451ad497e4b43b41c6fe68880(VALID:41) 80.44.117.202:27961]
[10.01.2004 21:25:24] VIOLATION (CVAR) #9001: wtf (slot #24) Cvar nc_wall = 1 [763ac3045381b46896eb4a07eeb087a1(VALID:284) 67.173.35.217:39059]
[09.30.2004 18:18:36] VIOLATION (CVAR) #9001: Fuse (slot #24) Cvar nc_wall = 1 [763ac3045381b46896eb4a07eeb087a1(VALID:283) 67.173.35.217:15281]
[09.30.2004 18:08:41] VIOLATION (CVAR) #9001: Fuse (slot #21) Cvar nc_wall = 1 [763ac3045381b46896eb4a07eeb087a1(VALID:283) 67.173.35.217:10200]
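
Added example (not part of DG's post and not PunkBuster code): a small Python parser for CVAR violation lines in the layout quoted above, grouping hits by GUID because the player name is chosen by the client and can change between sessions. The sample lines, GUIDs, names and addresses are constructed, and treating `^` plus one character as a colour code is an assumption based on the names shown above.

```python
import re
from collections import defaultdict

# Layout copied from the violation lines quoted in the post above:
# [MM.DD.YYYY HH:MM:SS] VIOLATION (CVAR) #id: name (slot #n) Cvar k = v [guid(status) ip:port]
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d.]+ [\d:]+)\] VIOLATION \(CVAR\) #(?P<vid>\d+): "
    r"(?P<name>.*) \(slot #(?P<slot>\d+)\) Cvar (?P<cvar>\S+) = (?P<value>.*?) "
    r"\[(?P<guid>[0-9a-f]{32})\((?P<status>[^)]*)\) (?P<addr>[^\]]+)\]$"
)
COLOUR_RE = re.compile(r"\^.")  # assumption: '^' plus one character is a colour code

# Constructed sample: placeholder GUIDs, documentation-range IPs, made-up names.
# The last line is an unrelated, made-up log entry that must be skipped.
SAMPLE_LOG = """\
[10.03.2004 22:34:36] VIOLATION (CVAR) #9001: ^0Player^9A (slot #7) Cvar nc_aimkey = 16 [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(-) 192.0.2.10:27960]
[10.01.2004 21:25:24] VIOLATION (CVAR) #9001: PlayerB (slot #24) Cvar nc_wall = 1 [bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb(VALID:284) 198.51.100.7:39059]
[09.30.2004 18:18:36] VIOLATION (CVAR) #9001: PlayerC (slot #24) Cvar nc_wall = 1 [bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb(VALID:283) 198.51.100.7:15281]
[09.30.2004 18:20:00] some other log entry
"""

def parse_violations(text):
    """Return one dict per CVAR violation line; every other line is ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["name"] = COLOUR_RE.sub("", hit["name"])  # drop colour codes
            hits.append(hit)
    return hits

def summarize_by_guid(hits):
    """Group on GUID so a renamed player still shows up as one entry."""
    summary = defaultdict(lambda: {"names": set(), "cvars": set(), "count": 0})
    for h in hits:
        entry = summary[h["guid"]]
        entry["names"].add(h["name"])
        entry["cvars"].add(f"{h['cvar']}={h['value']}")
        entry["count"] += 1
    return dict(summary)

if __name__ == "__main__":
    for guid, e in summarize_by_guid(parse_violations(SAMPLE_LOG)).items():
        print(guid, e["count"], sorted(e["names"]), sorted(e["cvars"]))
```
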
Ragnarok|GER
Posts: 100
Joined: Sat Apr 24, 2004 4:40 am

Post by Ragnarok|GER »

so what? better not fight them?
it's always a race between server admins, mod developers, evenbalance on the one side and cheat developers on the other side. but they're heavily outnumbered. :D
ET /= RTCW!
daemord
Posts: 120
Joined: Sat Sep 06, 2003 1:11 am

Post by daemord »

no, the point DG is trying to make is that it's better not to advertise to the world and his dog how we detect, as if the cheats know how we detect, they can change.