A disclaimer before I begin: I have no prior knowledge on how to code or hack, I simply wish to understand how it's done, via client-side scripts or external software.
I've been dabbling in GMod for a few years now, and I've found myself moderating the odd server; as many may. In the last year or so, I've been moderating for a small-time gamemode community. My team and I have had our odd run-in with players taking advantage of the owner's shoddy coding, among other things, and we've had to ban them. We have some preventative measures in place (about which I have little to no knowledge), but mostly it's down to the moderation team. For the sake of the gamemode, community and moderating team I would like to better understand how "hacking" works.
Be it a software, plugin, code or whatever: I'd like any users with an inkling of knowledge on this to walk me through how hacking works. I want to gain understanding of better methods on how to spot and prevent hackers and modders from usurping the gamemode.
People actually bother hacking in gmod? After shit like baconbot got bean'd I didn't think there was really anything like that left seeing as 90% of that you can do without hacks.
So far I've seen people use anti-screengrab, ESP hacks, aimbots and something else that alerts them to other players spectating them. Besides this, I've had to ban a player who exploited the server's coding to cause it to lag and even crash. Is there anything I or my team could use to better spot and/or prevent this?
stop using exploitable addons.
While I can appreciate your reply, it does me no good due to the fact that most of the content we have is custom-made by our developers. Even so, care to elaborate on what designates an 'exploitable addon'?
If everything is properly verified on the serverside there shouldn't be any exploits within the custom content.
Thanks for the info. Could you explain what it means to 'fire a net message'?
Net Library Usage
send this to your developers and tell them to code more securely.
Thanks for the info. Assuming you have a decent understanding of this net library you mentioned, would you mind explaining what it means to fire a net message? I assume it's a method players can use to flood the server with unwanted data--potentially crashing it. I'm utterly curious, so please elaborate.
Scripts fire net methods in order to send data between the client and the server.
For example, let's say you have a script that fires a net method basically saying to the server, "hey, kill this player". The server doesn't verify anything and just does it.
It might work well with the script, but a player could write their own script to fire the method, and suddenly everybody on the server is dying.
I would recommend reading up on server - client networking in general, as it applies to any multiplayer video game. Ideal practice when developing a game, or in this case, lua add-on, is to have any player input check with the server before being authorized. If a player wants to shoot their gun, they send a networked message to the server saying "shoot gun", the server will then check to see if they can, by looking at ammo count, whether they're reloading, etc., and if everything looks good, the server will run a "shoot gun" function, creating a hitscan or projectile and then moving forward with game logic.
In a poorly designed game, the client might be able to attempt to shoot their gun, but the game might not ask the server if the client can fire, instead it might check locally, based on the ammo count the player has stored on their machine. The player's machine says "all good", and sends the message to the server to run the "shoot gun" function. This would work fine and dandy if players behaved, and it does decrease latency, but if a player's ammo is never checked by the server before firing, a player might write a client-side script to artificially inflate their ammo count, meaning they can send the "all good" message any time they want, as the server never authorizes the firing of the gun, but merely runs the function when it gets told.
These little flaws in logic are the exploits people use to cheat, and there are many. Any clientside function (that is, a function that should only be relevant to the client, like UI) that can be run without first being authorized by the server in some way, that in turn runs a server side function, (a function that must replicate information to other clients, data important to other players, like whether a gun is shot) is exploitable as the client can basically run that server side function any time they want. This is the most extreme case, and most exploits aren't this cut and dry, but the idea is the same.
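The "kill this player" case described above, written as Garry's Mod server-side net receivers, first without and then with server-side checks. This is an added example, not part of the original thread or of any addon mentioned in it; the message names, the admin-only rule and the one-second rate limit are assumptions made for illustration.

```lua
-- Server-side file (for example under lua/autorun/server/).
-- Message names, the admin-only policy and MIN_INTERVAL are hypothetical.
util.AddNetworkString("example_kill_unsafe")
util.AddNetworkString("example_kill_checked")

-- BEFORE: the handler trusts whatever the client sends. Any player whose
-- client sends this message can kill any other player on the server.
net.Receive("example_kill_unsafe", function(len, ply)
    local target = net.ReadEntity()
    target:Kill()
end)

-- AFTER: the server decides whether the sender is allowed to do this.
local MIN_INTERVAL = 1   -- seconds between handled requests per player (assumed)
local lastRequest = {}   -- player entity -> CurTime() of last handled request

net.Receive("example_kill_checked", function(len, ply)
    if not IsValid(ply) then return end

    -- 1. Rate limit first, so a flood of messages costs the server almost nothing.
    local now = CurTime()
    if lastRequest[ply] and now - lastRequest[ply] < MIN_INTERVAL then return end
    lastRequest[ply] = now

    -- 2. Authorisation. 'ply' is filled in by the engine from the connection,
    --    so the client cannot forge who the sender is.
    if not ply:IsAdmin() then
        -- Leave a trail for moderators: a normal client never sends this.
        print(("[net] %s (%s) sent example_kill_checked without permission")
            :format(ply:Nick(), ply:SteamID()))
        return
    end

    -- 3. Payload validation. Everything read from the message is client input.
    local target = net.ReadEntity()
    if not IsValid(target) or not target:IsPlayer() or not target:Alive() then
        return
    end

    target:Kill()
end)

-- Drop per-player state when the player leaves.
hook.Add("PlayerDisconnected", "example_kill_cleanup", function(ply)
    lastRequest[ply] = nil
end)
```

The logged line in step 2 is the part moderators can use: a message arriving from a player who has no legitimate way to trigger it is direct evidence of a custom script.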
Assuming that players still run hacked clients such as Citizen Hack, Big Packets, Odium, Friendly Hack, getze.us, Aimware and Aimjunkies; would an anti-cheat addon such as SimpLAC Anticheat be worth its price? Information on the concepts of coding and server-client networking is helpful knowledge, but as I specified in my most recent edit of the post; I'm looking for more ways of preventing clients from exploiting the server. One example of someone hacking on our server can be seen here:
https://www.youtube.com/watch?v=gjX_GQHNJ1w
Note that though the video quality is bad, I was still able to discover that this unnamed player was using the Lucid.Cheats loader. Besides just using your eyes to scout out these types of hackers, does anybody recommend any addon from the GMod Store or elsewhere that can be used to prevent a CAC bypass in the future?
CAC and other AC's can't really detect C++ cheats that well, although most of them have methods of detecting patterns on how people cheating could aimbot and other shit like that.
Really as long as you keep sv_allowcslua to 0 (which is enabled by default on darkrp for some odd reason) it's p hard for most skids w/ the simple lua cheats on the workshop to do anything. Most of the time it just comes down to your staff being able to identify who's cheating and who isn't cause cheats will always bypass AC's.
CAC gets rid of lua cheats
SimplAC gets rid of cheats by scanning for behavioural patterns serverside because too many C++ cheats nowadays ( e.g. snapping then killing )
and neither get rid of exploits; Because nothing can protect your server from being exploited.
which is enabled by default on darkrp for some odd reason
Probably has to do with the shoddy coding in DarkRP's client-side functions. I recall seeing hundreds of RunString bits in the F3 and F4 menus.
RunString would work. It's simply enabled by default because Falco doesn't like the inability to load scripts & cheats.
Apparently I was mistaken. It has been years since I've last read DarkRP code though, so I probably must have gotten confused.
I do recall having seen lots of RunString calls in gamemodes though.
There is really no reason for anyone to use RunString when they're already running lua
I use it (or rather CompileString but same philosophy) to run code manually for my Lua preprocessor.
They're for gigaskiddies who were too incompetent to gain any recognition from the normal skiddies over at mpgh who paste cheats in C++/C#.