Would love to try out my anti-cheat/hack/injection service on the game - Question. - Rust

I know this is in Alpha so I would like to pose this question. Would it be possible to help you guys test host a server so I can use my anti-cheat/hack/injection service on a server to see its decrease in hackers? If it poses useful, it could be possible to use this to blacklist the IP's connecting to the host's server that are injecting their scripts into the machines to gain elevated permissions. Please let me know whenever possible, I think it would be a great help to the community, and to the production and growth of the game. I currently use the service on my Minecraft server that I own and host myself and it works flawlessly for that purpose, so that's where I got curious. If this gets looked at, I would be more than happy to help explain how it works and how the defense could assist in the grown and stability of the Rust servers out there. Thanks for viewing this if you got a chance to, I really appreciate all the time and effort you guys have put into the game so far, I think this will go far in the future of survival games that exist at the moment, and keeps my uttermost attention. [B][U]Cheers![/U][/B] :eng101:

IP blacklisting does not work effectively which is why VAC doesn't do that. Its due to most ISPs using Dynamic Allocation. So pretty much thats why its no longer a standard practice among anti-cheat programs. Besides its only highly effective against static IP users.

Actually, I can combat that by adding that its automatic adding of any IP connecting that's using a particular DLL, and running it in the process memory on the host machine. It adds any IP before the user even has a chance to connect to the host's server. The attacker can change their IP as many times as they want, that IP will be blocked instantaneously, and so will any other IP that is linked to the injected script that is caught. This isn't the normal blacklisting of an IP address, it's something a little different, and it's not on the market, its all custom. [editline]28th January 2014[/editline] That is why I wanted to test it out on a server of my own, or a server that will allow me to test it on. It could be of great use if its setup properly. I'd like to mess around with the setting a little bit once I have it all setup on the machine, then it's just the waiting game to see how many people we can get to try to hack our server. It ain't gonna happen.. What happens with other anti-cheat programs is they put all these "chains" on the process/host machine. Then when an attacker tries his luck, he either gets caught or gets around it. But the "chains" that are put up by the program actually disallow it from doing exactly what you'd like it to... What I have to offer is something that drops all the chains on the host machine, and puts all the walls down so it allows the attacker to try his luck on ours, but oh wait, hes using "example.dll" to inject his script, so we then take action by blocking the rule against that DLL usage. Then next time he tries to connect with a new IP, he gets denied instantly and turned right back around and won't be able to connect, he just gets denied. That is the main difference with what I use, and what other people use. They have chained down programs, and mine drops everything giving you full control of what your blocking and protecting against. This can also pose a threat to your machine if you are inexperienced and don't know what your doing, that is why you run a test server (since it's in Alpha stage right now) and work out all the correct main DLL's that people are using to get in, then block em out. Then after that its simple monitoring through the alarm console, and rebanning of new DLL's that attackers are using to get in. It's all about the rules you use, and I use very powerful rules to keep people out (for my Minecraft server) and I have yet to be hacked or injected on. Chances are this wont get looked at by a Mod or someone who has power to do anything about it since there are so many other people throwing similar requests out there and get more views than me. But I think it would be neat if I got a shot at it [B][U]Cheers![/U][/B] :eng101:

Sorry if i missed that point but how do you determine which dlls someone is using?

[QUOTE=iSoldier;43697805]Actually, I can combat that by adding that its automatic adding of any IP connecting that's using a particular DLL, and running it in the process memory on the host machine. It adds any IP before the user even has a chance to connect to the host's server. The attacker can change their IP as many times as they want, that IP will be blocked instantaneously, and so will any other IP that is linked to the injected script that is caught. This isn't the normal blacklisting of an IP address, it's something a little different, and it's not on the market, its all custom. [editline]28th January 2014[/editline] That is why I wanted to test it out on a server of my own, or a server that will allow me to test it on. It could be of great use if its setup properly. I'd like to mess around with the setting a little bit once I have it all setup on the machine, then it's just the waiting game to see how many people we can get to try to hack our server. It ain't gonna happen.. What happens with other anti-cheat programs is they put all these "chains" on the process/host machine. Then when an attacker tries his luck, he either gets caught or gets around it. But the "chains" that are put up by the program actually disallow it from doing exactly what you'd like it to... What I have to offer is something that drops all the chains on the host machine, and puts all the walls down so it allows the attacker to try his luck on ours, but oh wait, hes using "example.dll" to inject his script, so we then take action by blocking the rule against that DLL usage. Then next time he tries to connect with a new IP, he gets denied instantly and turned right back around and won't be able to connect, he just gets denied. That is the main difference with what I use, and what other people use. They have chained down programs, and mine drops everything giving you full control of what your blocking and protecting against. This can also pose a threat to your machine if you are inexperienced and don't know what your doing, that is why you run a test server (since it's in Alpha stage right now) and work out all the correct main DLL's that people are using to get in, then block em out. Then after that its simple monitoring through the alarm console, and rebanning of new DLL's that attackers are using to get in. It's all about the rules you use, and I use very powerful rules to keep people out (for my Minecraft server) and I have yet to be hacked or injected on. Chances are this wont get looked at by a Mod or someone who has power to do anything about it since there are so many other people throwing similar requests out there and get more views than me. But I think it would be neat if I got a shot at it [B][U]Cheers![/U][/B] :eng101:[/QUOTE] Well then, this is definitely a curious thing. Good luck to you.

Interesting. (bump)

So you're using an injector to spy on host machines in order to determine if their IP changed, amongst other things? You couldn't use this on a test server because you don't download information from a server, only from Steam. They would have to implement your idea into their codebase and package it with the game.

Rusty, that is not exactly true though, is it? If that was the case then how do modded servers work if the additional content is not downloaded from the server? Nice idea though OP, wouldn't mind seeing it in action. Would this not be circumvented by using a dll file name that is considered trusted?

[QUOTE=Wolffire9;43700941]Rusty, that is not exactly true though, is it? If that was the case then how do modded servers work if the additional content is not downloaded from the server? Nice idea though OP, wouldn't mind seeing it in action. Would this not be circumvented by using a dll file name that is considered trusted?[/QUOTE] All mods are server side and modifying the Rust Server game files or plugging into an existing API. You are incorrect.

[QUOTE=RustyValve;43700897]So you're using an injector to spy on host machines in order to determine if their IP changed, amongst other things? You couldn't use this on a test server because you don't download information from a server, only from Steam. They would have to implement your idea into their codebase and package it with the game.[/QUOTE] I do not use a injector to "spy" on the machines trying to connect in. I guess I didn't explain myself enough. The service that runs on the box that's running the server simply monitors DLL's being used to write a process to memory on the host machine. When it detects a DLL being used and sees a process ID that is attached to it, it gets rid of it, just dumps it and then blacklist's the IP associated with that PID. No spying here sir. Just a great defense. [editline]28th January 2014[/editline] [QUOTE=Wolffire9;43700941]Rusty, that is not exactly true though, is it? If that was the case then how do modded servers work if the additional content is not downloaded from the server? Nice idea though OP, wouldn't mind seeing it in action. Would this not be circumvented by using a dll file name that is considered trusted?[/QUOTE] Technically, the attacker can only use the DLL's associated with injector programs, only certain DLL's are used when a function is being called on the server. Those DLL's are the ones that are being monitored, all the other ones I have no need to monitor because injectors don't use them. :-) And as of now, I incredibly doubt that Rust would be using the injector DLL's to run their game on the host machine...That would be incredibly amateur of any company to pull, because it would basically doom their game for life until it is changed.

[QUOTE=AmShaegar;43697993]Sorry if i missed that point but how do you determine which dlls someone is using?[/QUOTE] I sorta added in the answer to your question in one of my previous posts, check it out if you'd like an answer to your question. [B][U]Cheers![/U][/B] :eng101: [editline]28th January 2014[/editline] [QUOTE=RustyValve;43700897]So you're using an injector to spy on host machines in order to determine if their IP changed, amongst other things? You couldn't use this on a test server because you don't download information from a server, only from Steam. They would have to implement your idea into their codebase and package it with the game.[/QUOTE] They wouldn't because whichever machine the server files are running on has to have some sort of OS. It doesn't use any sort of code that needs to be implemented into the servers files. All that needs to happen is to install the service on the OS that the Rust server is installed to, and it starts monitoring in real time. Technically you can install what I use to ANY server box out there for ANY type of game, and it will protect your server and its players from being infiltrated. I just was curious how it would work for Rust, and if it could improve its quality of game play any more by getting rid of those nuisances (hackers).

[QUOTE=Teddybeer;43701461]So it going to monitor the server application, something aimbots and the like inject nothing into. [editline]28th January 2014[/editline] So that brings you to a 0% catch rate.[/QUOTE] dat coffeh tiem *drool*

[QUOTE=Teddybeer;43701461]So it going to monitor the server application, something aimbots and the like inject nothing into. [editline]28th January 2014[/editline] So that brings you to a 0% catch rate.[/QUOTE] Actually I have had a 100% catch rate so far via Minecraft and World of Warcraft, and ARMA3. Whats the excuse to "not" try this out for Rust? I wanna see this community grow, and game development grow as well. I think we can all agree that hacking is the #1 thing in the entire world that people all feel the same about. We wanna get rid of hackers, and this could be a solution that would cost nothing, because I believe in open source projects. And if it does work, I would be very interested in talking with the developers about how it works and how we can implement this world wide for everyone to use to deter people injecting. [editline]28th January 2014[/editline] If there are any questions, comments, or concerns about making this happen, please post! I am going to be answering questions all day long about this and I will get to every person's question eventually and have a reply for you. [B][U]Cheers![/U][/B] :eng101:

[QUOTE=iSoldier;43701576]Actually I have had a 100% catch rate so far via Minecraft and World of Warcraft, and ARMA3. Whats the excuse to "not" try this out for Rust? I wanna see this community grow, and game development grow as well. I think we can all agree that hacking is the #1 thing in the entire world that people all feel the same about. We wanna get rid of hackers, and this could be a solution that would cost nothing, because I believe in open source projects. And if it does work, I would be very interested in talking with the developers about how it works and how we can implement this world wide for everyone to use to deter people injecting. [editline]28th January 2014[/editline] If there are any questions, comments, or concerns about making this happen, please post! I am going to be answering questions all day long about this and I will get to every person's question eventually and have a reply for you. [B][U]Cheers![/U][/B] :eng101:[/QUOTE] Am I dreaming? Everything you are saying is complete nonsense. You're gonna detect hackers injecting into processes on their PC's by monitoring the server which has nothing to do with it?

this is gold.

1) Read on how VAC works - it's similar to what the OP wants to do. Though, even VAC requires a client side monitor. 2) VAC already does this, so why bother with it? [B][I]EDIT...[/I][/B] The only thing VAC doesn't do - nor would your program be able to do - is detect if a graphics file (such as textures for player models) has been modified. I don't know if RUST has a download update system like GMOD - but if it does, you should focus your efforts on a mod that works similar to SV_PURE in source games like Counter Strike.

[QUOTE=Onisan;43702314]1) Yes it can be done. Read on how VAC works - it's almost word for word what the OP wants to do. 2) VAC already does this, so why bother with it? [B][I]EDIT...[/I][/B] The only thing VAC doesn't do - nor would your program be able to do - is detect if a graphics file (such as textures for player models) has been modified. I don't know if RUST has a download update system like GMOD - but if it does, you should focus your efforts on a mod that works similar to SV_PURE in source games like Counter Strike.[/QUOTE] VAC does not work serverside. It scans your memory which it obviously does on your PC, not magically from the server. If you think it works differently then I am happy to listen.

[QUOTE=XoX;43702757]VAC does not work serverside.[/QUOTE] If you look up on how script injection works, you would see that when the attacker creates the injection in the first place, as SOON as he hits that little simple "inject" button, it sends a process written into virtual memory, which opens as an EXE. on the Rust server. That in turn is what gives the elevated privileges to the player account. Whenever your connected to a server, your computer is talking back and forth to the server to remain connected. What most people don't understand is through that connection, a number of things can be happening. This is just one of them. VAC does not work server side because it would be too much hassle and they don't wanna be liable for losses on the server end of things. Then again, who would??

[QUOTE=iSoldier;43702865]If you look up on how script injection works, you would see that when the attacker creates the injection in the first place, as SOON as he hits that little simple "inject" button, it sends a process written into virtual memory, which opens as an EXE. on the Rust server. That in turn is what gives the elevated privileges to the player account. Whenever your connected to a server, your computer is talking back and forth to the server to remain connected. What most people don't understand is through that connection, a number of things can be happening. This is just one of them. VAC does not work server side because it would be too much hassle and they don't wanna be liable for losses on the server end of things. Then again, who would??[/QUOTE] Again more nonsense. What the hell are you talking about? And VAC doesn't run on the server because it can't do jack shit on the server. VAC scans your memory. Which it has to do on the machine it's running on. There are very few things VAC could do from the server.

[QUOTE=Onisan;43702314]1) Yes it can be done. Read on how VAC works - it's almost word for word what the OP wants to do. 2) VAC already does this, so why bother with it? [B][I]EDIT...[/I][/B] The only thing VAC doesn't do - nor would your program be able to do - is detect if a graphics file (such as textures for player models) has been modified. I don't know if RUST has a download update system like GMOD - but if it does, you should focus your efforts on a mod that works similar to SV_PURE in source games like Counter Strike.[/QUOTE] VAC already does this, but not server side like I want to do. Now you are correct, this does not detect any sort of graphics file change, unless its using some sort of DLL to script the player special permissions from the hosts side of things. As that is an issue of itself, I would like to focus efforts to deal with this issue first and foremost because it is of the biggest threat to the community, and really to any community for that matter. And if I'm correct, if a player modifies their graphics files, shouldn't that only change cosmetically for the player only? And not for the server end of things. For example - I modify my graphics file, and it makes me invisible, but for my screen only, everyone else can see me, but I think its "cool" that I'm invisible... This would not pose a threat big enough to deal with, but if a player is modifying something client side that is effecting the host machine's files and tampering with them. This would be borderline injection in itself. Or at least how I'm thinking of how I know it to work via scripts that people are able to write. Let me know what you think!

[QUOTE=XoX;43702757]VAC does not work serverside. It scans your memory which it obviously does on your PC, not magically from the server. If you think it works differently then I am happy to listen.[/QUOTE] [url=http://en.wikipedia.org/wiki/Valve_Anti-Cheat]Wikipedia: Valve Anti-Cheat[/url] [quote=Wikipedia]The software sends client challenges to the machine, if the appropriate response is not received, it is flagged as a possible violation.[/quote] It would not have to send a challenge to the machine if it was located on the machine, it would simply detect the change - like GameGuard, etc. I'd go on further to mention that how do you explain VAC protected servers versus non-VAC protected servers if it's [B][I]not[/I][/B] located on the server?

[QUOTE=XoX;43702945]Again more nonsense. What the hell are you talking about? And VAC doesn't run on the server because it can't do jack shit on the server. VAC scans your memory. Which it has to do on the machine it's running on. There are very few things VAC could do from the server.[/QUOTE] I'm sorry if I'm going all scientific on you, I'm just trying to explain it to the best of my ability. [editline]28th January 2014[/editline] [QUOTE=Onisan;43702980][url=http://en.wikipedia.org/wiki/Valve_Anti-Cheat]Wikipedia: Valve Anti-Cheat[/url] It would not have to send a challenge to the machine if it was located on the machine, it would simply detect the change - like GameGuard, etc. I'd go on further to mention that how do you explain VAC protected servers versus non-VAC protected servers if it's [B][I]not[/I][/B] located on the server?[/QUOTE] I think it's more of a "Valve Authentication Server" that they have back in some server room somewhere that all it does is scan the game servers that its shared with, and send out requests all day long. Now of course it would be on a MUCH bigger scale, but on a smaller scale, this is how I see it working, and this is how Minecraft works with its authentication servers back in Mojang HQ.

[QUOTE=iSoldier;43697304]I know this is in Alpha so I would like to pose this question. Would it be possible to help you guys test host a server so I can use my anti-cheat/hack/injection service on a server to see its decrease in hackers? If it poses useful, it could be possible to use this to blacklist the IP's connecting to the host's server that are injecting their scripts into the machines to gain elevated permissions. Please let me know whenever possible, I think it would be a great help to the community, and to the production and growth of the game. I currently use the service on my Minecraft server that I own and host myself and it works flawlessly for that purpose, so that's where I got curious. If this gets looked at, I would be more than happy to help explain how it works and how the defense could assist in the grown and stability of the Rust servers out there. Thanks for viewing this if you got a chance to, I really appreciate all the time and effort you guys have put into the game so far, I think this will go far in the future of survival games that exist at the moment, and keeps my uttermost attention. [B][U]Cheers![/U][/B] :eng101:[/QUOTE] Thanks for looking into this. I have also been researching the RustHack to see how it works. I have been killed many times by guys using a 'speed hack' and the 'suicide hack'. Rather than banning the ip, I would recommend banning the steamid or the username. That would be more effective. In rust hack there are a number of mods to the client code that seem to change the way the rust client behaves. I think the API data needs to be encrypted for the cheat programs to away. A simplier solution would be simply remove the code that creates the specials ability in the first place. You can not exploit a piece of software if these features don't exist. Here are all the exploitable features. Here are the rusthack features: ESP HACK Speed Hack AimBot Wall Hack No Door No Clip Developer Mode Edit Maps Spawn Cars I am not sure how you develop checks for all these. But, these are your signitures.

[QUOTE=Onisan;43702980][url=http://en.wikipedia.org/wiki/Valve_Anti-Cheat]Wikipedia: Valve Anti-Cheat[/url] It would not have to send a challenge to the machine if it was located on the machine, it would simply detect the change - like GameGuard, etc. I'd go on further to mention that how do you explain VAC protected servers versus non-VAC protected servers if it's [B][I]not[/I][/B] located on the server?[/QUOTE] That is a small part of what VAC does and it's not what VAC bans on. Please read the rest of it. [quote]It uses heuristics to detect possible cheats when scanning the [b]computers memory[/b], an incident report is created whenever an anomaly is detected, which is then analyzed by Valve's engineers. The engineers inspect the code and may also run it on their own copies of the game. If the code is confirmed as a cheat, it is added to the database of cheat codes. New detections are also compared to previous detections in this database.[/quote]

[QUOTE=iSoldier;43702958]VAC already does this, but not server side like I want to do. Now you are correct, this does not detect any sort of graphics file change, unless its using some sort of DLL to script the player special permissions from the hosts side of things. As that is an issue of itself, I would like to focus efforts to deal with this issue first and foremost because it is of the biggest threat to the community, and really to any community for that matter. And if I'm correct, if a player modifies their graphics files, shouldn't that only change cosmetically for the player only? And not for the server end of things. For example - I modify my graphics file, and it makes me invisible, but for my screen only, everyone else can see me, but I think its "cool" that I'm invisible... This would not pose a threat big enough to deal with, but if a player is modifying something client side that is effecting the host machine's files and tampering with them. This would be borderline injection in itself. Or at least how I'm thinking of how I know it to work via scripts that people are able to write. Let me know what you think![/QUOTE] You're wrong about VAC, but you can read my prior post to this one for it's explanation. You're thinking about graphic mods in a wrong manner. Assume they make rocks, trees and grass graphics semi-transparent, and player models/armor bright red. That poses a huge problem for others. Files that are modified on a clients side can not directly affect a server, unless they're actively uploading files to the server - in which such a breach would go beyond simple game manipulation into the legal definition of malicious hacking. The exception to this being position modifying with applications such as Cheat Engine - which VAC detects.

All of this sounds nice until someone purchases a VPN and says their IP is a random IP in India. Then your anti cheat pretty much fails.

[QUOTE=Zeroun;43703086]All of this sounds nice until someone purchases a VPN and says their IP is a random IP in India. Then your anti cheat pretty much fails.[/QUOTE] Doesn't matter, they can connect from a VPN from anywhere in the world, and it can say their on the moon, trust me when I tell you, it WILL detect them injecting their script to alter their client on the server, and it will ban the IP their associated with. If their IP changes, then it bans them instantly again on that new IP FROM THE SERVER ONLY, not from Steam. Do I have something to VAC ban them? No of course not, that already exists with VAC's support. What I have will ban them from your PERSONAL server so they cannot come back and ruin YOUR server that you pay good money for. [B][U]Cheers![/U][/B] :eng101:

How about you let him try his shit and if it fails it fails, if it works, great. Instead of pissing on about how this or that wont work, jesus guys.. The way hes explaining things might not work, but he seems to know at least a LITTLE more than some of us about cheat detection. Simply let him test it, adjust it for RUST, and see how it works. These forums get 50 rant threads per day about cheats, and when a person like this raises their hand to offer an anticheat idea you fuckers beat them up for it.. What the fuck? You really are living up to what Facepunch Forums have been marked for..

[QUOTE=XoX;43703030]That is a small part of what VAC does and it's not what VAC bans on. Please read the rest of it.[/QUOTE] I did, VAC is a two-part system. The challenges/reporting system is located on the server, but there is a client-side monitor. The part I quoted specifically proves that point in which it relies on the client to send specific information, but the server still identifies if the player is being malicious. Think of it as a reverse PunkBuster - where as PunkBuster definitions are stored on the client and responds to server pokes to make sure it's there and working. It's a parity of sorts. VAC instead sends specific challenges to the client in which if the response is not in line with VAC standards, it is flagged.

[QUOTE=Onisan;43703064]You're wrong about VAC, but you can read my prior post to this one for it's explanation. You're thinking about graphic mods in a wrong manner. Assume they make rocks, trees and grass graphics semi-transparent, and player models/armor bright red. That poses a huge problem for others. Files that are modified on a clients side can not directly affect a server, unless they're actively uploading files to the server - in which such a breach would go beyond simple game manipulation into the legal definition of malicious hacking. The exception to this being position modifying with applications such as Cheat Engine - which VAC detects.[/QUOTE] We all know there will always be PAID for versions of injection programs to buy to hack Rust. This defeats that and ruins their source of income to keep producing hacks if we blow this up on a large scale, every server will be impervious to script injection, all this is about is denying script injection to Rust servers. [URL="http://imgur.com/8WPOQ3x"]Trust me when I tell you...[/URL] [editline]28th January 2014[/editline] [QUOTE=Onisan;43703174]I did, VAC is a two-part system. The challenges/reporting system is located on the server, but there is a client-side monitor. The part I quoted specifically proves that point in which it relies on the client to send specific information, but the server still identifies if the player is being malicious. Think of it as a reverse PunkBuster - where as PunkBuster definitions are stored on the client and responds to server pokes to make sure it's there and working. It's a parity of sorts. VAC instead sends specific challenges to the client in which if the response is not in line with VAC standards, it is flagged.[/QUOTE] Exactly. This ^