Figured out how people are hacking to run lua and bypass sv_allowcslua - Garry's Mod

You'd think people would of guessed by now, but nah. Turns out anyone can just force sv_allowcslua to 1. "but how will you run the lua to do it?" Easy, you go into singleplayer, strip sv_allowcslua of its flags using cvar3 and set it to 1, go to a server then load your scripts. Chances are garry made it this simple to lure cheaters in, but if he did it on accident I wouldn't be surprised. Let's all give a round of applause to our friend harry aka hazza for making this all possible with cvar3, thanks for contributing to the cheating community, Harry. tl;dr strip the flags of sv_allowcslua in SP then you can set it to 1 on any server you want and manually load your shit [editline]13th November 2012[/editline] inb4 "OMG U POSTED IT NOW EVERY1 WILL CHEAT" Mind you all, losers from myg0t and such are just using cheat engine to force it because they are not smart enough to use the method I said above. As for you, mods, at least let garry see this before you mindlessly trash it. [editline]13th November 2012[/editline] Proof of concept code by noPE. [code] http://pastebin.com/r7Gr6ZKF [/code]

[img]http://puu.sh/1pFTy[/img] [img]http://puu.sh/1pFTj[/img] lol also thanks for posting, hope garry decides to fix this

[QUOTE=fr1kin;38431686][img]http://puu.sh/1pFTy[/img] [img]http://puu.sh/1pFTj[/img] lol also thanks for posting, hope garry decides to fix this[/QUOTE] that's why i posted it [editline]13th November 2012[/editline] [img]http://puu.sh/1pG5L[/img] As you guys can see from this screenshot, people have been actively using this exploit. With either cheat engine or the method I listed above. I think I will save all these.

[QUOTE=hugeasshole;38431713]that's why i posted it [editline]13th November 2012[/editline] [img]http://puu.sh/1pG5L[/img] As you guys can see from this screenshot, people have been actively using this exploit. With either cheat engine or the method I listed above. I think I will save all these.[/QUOTE] Yeah, because in all DarkRP servers there is SE enabled. /endsarcasm.

In retrospect, ScriptEnforcer wasn't [i]that[/i] bad, at least compared to this abomination that replaced it. Third time is the charm I guess, I wonder what our glorious overlord Hairy Jewman will come up with next!

[QUOTE=Fisheater;38431838]Yeah, because in all DarkRP servers there is SE enabled. /endsarcasm.[/QUOTE] Not too bright are you there, fishy? All servers have sv_allowcslua or "SE" as you call it set to 0 by default.

[QUOTE=Fisheater;38431838]Yeah, because in all DarkRP servers there is SE enabled. /endsarcasm.[/QUOTE] allowcslua is off by default so yeah [editline]12th November 2012[/editline] late.

If anybody is wondering, cvar3 is public and open-source on harry's svn

[QUOTE=TylerB;38431886]allowcslua is off by default so yeah [editline]12th November 2012[/editline] late.[/QUOTE] Actually, in DarkRP's code, it turns sv_allowcslua to 1. [lua]-- Scriptenforcer enabled by default? Fuck you, not gonna happen. game.ConsoleCommand("sv_allowcslua 1\n")[/lua] Check the source: [url]https://github.com/FPtje/DarkRP/blob/master/gamemode/server/gamemode_functions.lua[/url]

[QUOTE=Fisheater;38431931]Actually, in DarkRP's code it turns sv_allowcslua to 1. [lua]-- Scriptenforcer enabled by default? Fuck you, not gonna happen. game.ConsoleCommand("sv_allowcslua 1\n")[/lua] Check the source: [url]https://github.com/FPtje/DarkRP/blob/master/gamemode/server/gamemode_functions.lua[/url][/QUOTE] Nuh-huh.

[QUOTE=hugeasshole;38431943]Nuh-huh.[/QUOTE] What are you talking about? Did you even read the script? [img]https://dl.dropbox.com/u/16737046/darkrppoop.png[/img]

No fucking way... How long has this been happening?

Like a month. [editline]13th November 2012[/editline] [QUOTE=TylerB;38432021]What are you talking about? Did you even read the script? [img]https://dl.dropbox.com/u/16737046/darkrppoop.png[/img][/QUOTE] Fake.

Isn't this a step backwards? I remember seeing this same exploit back when sv_scriptenforcer was a thing. Oh well, guess it's time to whip up the old anti cheat. Atleast they haven't figured out cvar renaming yet.

[QUOTE=Virulity;38433090]Isn't this a step backwards? I remember seeing this same exploit back when sv_scriptenforcer was a thing. Oh well, guess it's time to whip up the old anti cheat. Atleast they haven't figured out cvar renaming yet.[/QUOTE] Yes they have. All thanks to haza! It'll never go away either, due to him making his cheat module open-source. [code] require('cvar3') GetConVar('sv_cheats'):Setname('lolidk') [/code] Fisheater is going to cum loads. But hey, this is not as nearly as bad as having servers like top hat gaming (TTHG.org) around. The server dev is "BL00DB4TH", a mingebag. He put an aimbot in the datapack that only he can use. On the stronghold anyways.

[QUOTE=hugeasshole;38433154]Yes they have. All thanks to haza! It'll never go away either, due to him making his cheat module open-source. require('cvar3') GetConVar('sv_cheats'):Setname('lolidk') Fisheater is going to cum loads.[/QUOTE] Well that's unfortunate, I'll have to update a lot more on my anti cheat then just cvar querying..

[QUOTE=TylerB;38432021]What are you talking about? Did you even read the script? [img]https://dl.dropbox.com/u/16737046/darkrppoop.png[/img][/QUOTE] lmao.

[QUOTE=hugeasshole;38432102]Like a month. [editline]13th November 2012[/editline] Fake.[/QUOTE] You're fucking special aye, it's off the DarkRP gituhb with a direct link to the source and you still thik it's fake. Why ? Because you sir have the IQ of a watermelon.

[QUOTE=sargoe85;38433296]You're fucking special aye, it's off the DarkRP gituhb with a direct link to the source and you still thik it's fake. Why ? Because you sir have the IQ of a watermelon.[/QUOTE] Enough trolling now.

[QUOTE=Virulity;38433174]Well that's unfortunate, I'll have to update a lot more on my anti cheat then just cvar querying..[/QUOTE] Oh poor you, you're little anticheat is going to have to be slightly updated. Maybe you could think of the implications of this in the grand scale of well.. you know.. THE GAME? Chances are Garry is going to fuck all about this. Inb4 banned for being negative/because I'm implying Garry is lazy Also [code] GetConVar( "sv_allowcslua" ) [/code] HURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR [highlight](User was banned for this post ("Meme reply" - Craptasket))[/highlight]

You might better get his attention if you report this as a bug in the development forum

[url]http://www.facepunch.com/showthread.php?t=1225566&p=38434188#post38434188[/url] I don't see this being easy to fix, there are plenty of ways to force cvars clientside, however maybe a start would be to wipe all loaded modules when going from server to server / single player etc. Should cut down on the 'legit' methods and force them to risk triggering anticheats.

There's not a good solution to the problem. Garry isn't being lazy. He has a lot of bugs and problems to fix. SE shouldn't be the first or the last on his list.

[QUOTE=Fisheater;38431838]Yeah, because in all DarkRP servers there is SE enabled. /endsarcasm.[/QUOTE] Good job Fisheater now they will leave you alone for sure now. Autistic skiddie.

This is no magic trick, i wouldn't be surprised if garry pulls through a wave of bans the next patch.

[QUOTE=OldFusion;38523367]This is no magic trick, i wouldn't be surprised if garry pulls through a wave of bans the next patch.[/QUOTE] Garry could just ban them from the work shop and let the server owners deal with the cheaters, no need for the developer to-do it.

Oh Well, at least Garry will see it now. Garry does know right?