The Q3 Anti Cheat Tutorial

rUnThEoN?!
Site administrator
Joined: Dec 2005
DE Germany

The Q3 Anti Cheat Tutorial

Introduction

It's been the main problem of any FPS community - cheaters.

There have been a lot of attempts to actually find out if somebody cheats or not, ranging from anti-cheat programs up to social pressure and giving cheaters a unique ID - such as the ESL player card - making them think twice about whether they want to cheat or not.

However, over time and with the leaks in those methods, one method clearly always helped when all others failed - watching cheaters and analysing their gameplay. This actually even helped in some rare professional situations.

This tutorial is supposed to bring the info you need to know closer to everyone who does not want to collect it themselves.

Punkbuster

Homepage -> http://evenbalance.com

Otherwise, here is a short list with explanations.

Technical Violations: (Resolution: Reinstall PunkBuster from the latest game update patch)
 
#101 - Communication Failure
 
#102 - Communication Failure
 
#131 - Initialization Failure
 
#132 - Protocol Error
 
#141 - Distress (This indicates a problem trying to update to the latest version of PunkBuster - it may indicate a problem reaching one of our Internet-based Master PB Servers which can be caused by firewalls, router problems, etc.) 

All of these ain't interesting for us, ain't worth a yellow card.

Miscellaneous Violations:
 
#111 - Bad Name (Resolution: Change player name or play on a different server)
 
#112 - Too Many Bad Names
 
#113 - Too Many Name Changes (Designed to eliminate name change spamming)
 
#114 - Protected Name (Resolution: Change player name or play on a different server)
 
#121 - Negative Score Too Low (usually from Killing Teammates)
 
#151 - Extended ASCII Characters in Player Name (Resolution: use regular letters, numbers and symbols in the player name or play on a different server)
 
#9001 - CVAR value failed range check (see the FAQ for more info) 

Also uninteresting...

Cheat/Hack Violations:
 
When PunkBuster detects a cheat or hack by repeated positive identification on a player's computer, a violation is raised. These violation numbers are 50000 and higher. Families of cheats are listed below.
 
#50000s - Aimbot -> Aims for the cheater
 
#60000s - Wallhack -> There are 3 kinds of wallhacks, transparency, entity and EPS. Last ones are mostly used for custom hacks.
 
#70000s - Multihack -> Can have all other hacks in it.
 
#80000s - Gamehack -> Such a thing as infinite ammo or godmode.
 
#90000s - 'Cheat' Video Drivers -> Mostly wallhack, otherwise such stuff as higher contrast
 
#100000s - Speedhack -> lets you walk faster
 
#110000s - Autofire -> Shoots for the cheater
 
#120000s - Game Hook -> Can be a lot, the name of this kick is based on the way the cheat works, it's mostly a dll hooked into quake (can be multihack, af etc.).
 
#130000s - Attempted PunkBuster Hack -> Is supposed to make pb not scan the pc for cheats so u can use any hack even though it's normally detected by pb.

Now we come straight to the point here: all of these kicks are worth a ban. There are roughly false positives, and if there are, you should try checking whether the person plays equally well on another game engine such as quakelive.
Always remember that punkbuster only detects hacks that it knows, ergo stuff known to pb.
Any hack that has only been sold to private people will not be detected by pb.
That's why we also need to watch demos of some people.

Programs for demo watching

There are two useful tools: Q3mme and E+ Demobuffer:

Q3mme: A q3 video capturing tool with cheezy functions considering demo playback.

It's useful to watch the demo with it first, since you can move back in demo time and rewatch scenes you find critical.

-Scale back/forward in time: hold shift + a,d or move the mouse left or right.

-Stop demo: hit c once and hit again for going on (very useful in combination with shift + moving the mouse)

-Clientoverride ( check mme tutorial for seeing how the command works. )

-Bind k clientoverride enemy model keel/pm hmodel keel/pm c1 2222

-Bind t clientoverride enemy model tankjr/pm hmodel tankjr/pm c1 2222

-Fx_vibrate 0 ( turns off explosion vibrating )

-R_shownormals 1 ( a command integrated in quake3 which shows the edges of entities rendered, therefore you can also see through walls - cheat protected.)

-Mov_seekinterval 4 ( seconds for timejump if u hold shift and hit a or d )

-X, Z = Cycle views [ Camera, Chase, Follow(1st person)]

-Hold Space + E : follow next player

-Hold Space + Q : follow last player

Now you can load a demo and, if you see something suspicious, stop the demo by hitting c once, move back in time by holding shift and hitting A once to jump 4 seconds, and slowly watch the part again via shift + moving the mouse.

To switch between players load a demo, press 2, hold space and hit q once and release space.

Note that enemies are interpolated if the demo ain't an mvd (didn't actually record the player's pov), so shots of the player - the one who recorded the demo / the one who got recorded by a spec - don't have to be on, especially if it is unlagged. In an mvd you can also switch between players and mouse movement will be precise, while it also works if you don't have an mvd, however the mouse will look a bit fucked up. (You just have 30/125 of the mouse info, so you should just use it to prove impossible shots like 8 msec around-wall shooting while the enemy didn't hear/see.)

Excessiveplus Demobuffer:

-Xp_delagdemo 1 (1=on or use xp_delagdemo 2-XXX (ping value) )

-Xp_Autoscreen 8/15 (use with low timescale value to have it exact)

Note: Again, enemies are interpolated 30/125 so shots can be a bit off. Ask beast about the exact odds of this.

This gives a basic view of how a player saw the game while playing and how he might have reacted.

Autoshoot:

What an Autoshoot basically does is shoot as soon as it touches a hitbox of a player (mostly an enemy, some cheap ones also shoot teammates) .

There are other variants which cause it to shoot delayed by a set value, like 8 msec or 50 msec (theoretically you could measure / do statistics on (panda up for it? Tongue) the time somebody needs from being on the hitbox until shooting; for players this is rather unstable, while autoshoots are stable besides hitbox interpolation).

Another variant is that it shoots a special color, like green, depending on enemymodel and color this might be very efficient (like if you set enemymodel to something small it will kinda always look like you hit about around the middle of an enemy)

Autoshoots also can be bound to a key such as mouse1, mouse4 or anything else the cheater likes.

The easiest way to catch an autoshoot is to have a demo of the cheater being afk but still shooting an enemy.

Otherwise an autoshoot can be caught by its instant reactions, like doing a 180, shooting people on the edge of the hitbox, shooting people who bfg jump, shooting people who came into vision just a moment before or shooting people who just spawned (it's lucky for once, but all the time in odd places is rather odd).

Basically the most significant characteristic of an Autoshoot is shooting people on the edge of the hitbox or below 130 msec (this is the lowest reaction time of people that's stable) to hit the fire button after realising where an enemy is (basically that means 130 msec when you see him, but if you do a 180 the enemy wasn't in sight but you still might shoot him). One more obvious detail is that autoshoots hit stable high accuracies over anything a progamer could do. (Best is fox doing railacc up to 70 on stable slow enemies in vq3 in a serious game; in e+ the max stable acc is prolly around 50-55 in a serious game, it might be way higher nevertheless when playing noobs or trying to acc very safe.)

The most significant thing is that an Autoshoot is stable. No matter what person you spec, even if he is suspicious, he needs to do his impossible stuff stable, or impossible enough so one shot is enough (watch d1s/wit).

But never forget an Autoshoot can miss due to interpolation errors or mouselag.

Speedhack:

Speedhack does exactly what its name says: it can make you travel at XXX ups speed. You prolly will never find that in e+, and if you do, then it's mostly combined with / hidden under bad strafejumps and so on.

Laghack:

Obviously... it makes u lag.

Basically it can do the same as a torrent, it can be a lot harder, basically it abuses the interpolations, so u don't have any negative side effects from lagging. If somebody has lags from 100 to over 300 and doesn't recognise a shit or never complains, that's prolly laghack; I once saw a guy having lags from 30 to 800 every second, unhittable, but he had no problems playing. You will roughly encounter this in q3 too.

Wallhack:

animalchik wrote:

- there are few things that differs a wh user from a sound player

- when someone playing on sound the reaction time is still normal, unless he decides to spam with rail, but if he want to hit the target hes going to press the button when he going to see the target

- wh user know the exact location of the target so his reaction is faster than a sound player, because the shot decision of wh user was before the target appears, while sound player just knows the location of the target but the shot decision is made after hes going to see the target in most of the situations

but if u have watched the demos u saw i have preses fire button before enemy appears in my pov, thats why u won't catch walhacker unless hes a stupid no skill and trying to use wh as a main advantage

( I do not want to alter quotes )

It is possible to detect a wallhack 100% as long as he uses it totally ( as main advantage ) or he fucks up.

In the following example demo the guy does both, in ligas demo he does both too.

If you do not use a wallhack totally, it ends up being as effective as somebody with good sound, besides the fact he doesn't hear people behind and doesn't react as fast to incoming people.

There even a decent wallhack fucks up: if it's easily possible to hear somebody while he doesn't, but he still reacts around corners as if he had sound. (An average good player has a rhythm of 300-400 msec mostly.)

Another point where wallhacks mostly fuck up is distance. If it's not possible to hear somebody, it's barely possible to go below 300 msec reaction (narc did 80).

Example of a wallhacker:

http://www.excessiveplus.net/files/forum/2007/08/2xf-o-_193.dm_68

Note: NEVER accuse somebody of wallhack based on single shots, except if they are totally unhearable and it's an impossible reaction and the person neither saw the guy nor could predict where he would go. Also never forget to check that it's really impossible to hear (ergo you mostly need a pov demo; an mvd displays all players on the whole map, but sometimes if the enemy is far enough away it's impossible to hear). Also, the better the player, the more of such shots you should collect, otherwise it might be experience based.

Aimbot:

Actually aimbots are mostly quite obvious: they flick towards an enemy within 1 frame (at 125 fps that's 8 msec (1000/125 = 8)).

Some bots also aim towards the nearest enemy, so even though somebody might be easy to aim at, he will aim at the harder enemy if he is nearer, but it's quite hard banning somebody for that though.

http://www.youtube.com/watch?v=kXVDo35-rY8

The real pain are custom smoothed-out bots.

The only chance to get these is when the mouse does something it's not supposed to do.

This can be a lot of things; imagine somebody with a sluggish ballmouse, but all of a sudden his aim is 100 percent smooth.

Aimbots are always unnatural, ergo they are also 100 percent precise, no matter if it's a smoothed-out or a real bot, so if you zoom in there SHOULDN'T (not been that experienced with smoothed-out code, so Tongue) be any imprecise stuff. However, they can miss due to interpolation and other errors.

Never forget that the reaction time of a human is 215 down to 130 msec, but the time u need to recognise that u missed and so on is always over 250-300 msec. Also, bots tend to fuck up ur mouse movement: while u do a 90 or 180 to the right and the enemy is left, they might tend to immediately change direction.

This mouse movement looks like the exact opposite of a flickshot. While the flickshot goes onto the enemy and the mouse nearly instantly accelerates back, the mouse of a smoothed bot will correct the aim from going away from an enemy to instantly accelerating towards him again. This is still possible, besides the fact that any human won't do that below 200 msec. For example, you strafe somewhere and somebody spawns; u won't shoot him below 200 msec. Same thing considering shadow. He missed the rail on dm17 and his mouse went towards the enemy again way before any human would have realised that. Neither are his reactions fast enough for that considering his gamestyle in other situations (he needs 400 msec or more to realise somebody walked into his crosshair when camping).

GL busting any smoothed-out bot. Here u have an example ->

http://www.youtube.com/watch?v=P3mDn0-qfuw&feature=related

The most important Thing.

Logic

No matter what it is about, logic helps you.

You will not believe somebody railing well when he's a nub with other weapons.

You will not believe him failing to hear somebody behind when he hears everybody in front (as long as he doesn't mix the sound up).

Odd shots must happen more often in 1 demo; it isn't enough if they happen from time to time.

Also never forget that bots can be toggled on and off without rebooting q3; you just can't load them instantly without rebooting.

Also you need to set a main priority if you bust cheaters: do you believe everything theoretically possible, or do you ban already before that.

The last option hasn't been practiced in E+ since E+ is such an extreme mod, nearly everything is possible - and if you start banning on suspicion, you might end up banned too.

Greetz:

To everybody who corrected all parts of this tutorial - ofc it ain't perfect (especially since players like me are used to some general knowledge other people lack), but it might give people a good overview to gather their own experience.

Good luck and don't beg me for watching demos please. Happy

hurrenson: "This idiot is apparently not familiar with a rail/sniper style."

SHADOW
Joined: Nov 2009
Re: The Q3 Anti Cheat Tutorial

cool green box
guessing Rocket

very interesting.....

nice work Skull

Big grin

*ZMB*SKINNIS*
Joined: Jan 2006
Re: The Q3 Anti Cheat Tutorial

Good job Skull, and thank you!

I will clean this thread as soon as i get home.

madbringer wrote:

How 'bout you 'bicker' off back to your sandbox, someone is pissing in your little plastic bucket.

epsiplayer
THE ONE AND ONLY
Joined: Dec 2006
Re: The Q3 Anti Cheat Tutorial

Thanks skull for doing this!

these are good infos that need to be taken into consideration before condemning a player to cheat.

i used r_shownormal 1 and timescale + i have a q3 modification made by myself that adds 3d view in cross-eyed mode and works for excessiveplus only.

__________
epsislow


epsiplayer
THE ONE AND ONLY
Joined: Dec 2006
Re: The Q3 Anti Cheat Tutorial

if we can do step-by-step instructions .. we could also develop an anti-cheat program! Big grin better than pb! (ofc we all know pb sux in some cases, but it's better than nothing)

i am serious about this, no sarcasm in this post.

skull's post is good!
________
epsislow


P-ERK *WGVD*
Joined: Mar 2008
Re: The Q3 Anti Cheat Tutorial

well epsi: you are right

behaviour analysis is easy to put in an algorithm.. but it is hard to code.. 

for instance a tool for statistical analysis would be very helpful, like "time hitbox in fov till hit" "percentage of hits on hitbox boundary" "time from hitboxcrossing to shot"... if one inputs enough demos of one player and there are significant deviations from usual one would have an objective argument for cheats..
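
A sketch of the "time from hitboxcrossing to shot" statistic suggested above, combined with the tutorial's point that autoshoot delays are stable while human ones are not. This is an added example, not code from the thread or from E+; the delay lists are constructed, extracting them from demos is assumed to be done elsewhere, and every threshold except the 130 msec floor and the 8 msec frame time is an assumption.

```python
from statistics import median, pstdev

FRAME_MS = 1000 / 125          # one frame at 125 fps = 8 ms (from the tutorial)
HUMAN_FLOOR_MS = 130           # lowest stable human reaction time (from the tutorial)
MAX_SPREAD_MS = 2 * FRAME_MS   # assumption: jitter tolerated for interpolation
MIN_SHARE_BELOW = 0.5          # assumption: share of shots under the floor
MIN_SHOTS = 10                 # assumption: single odd shots prove nothing

def analyse_delays(delays_ms):
    """Summarise hitbox-crossing-to-shot delays (ms) collected for one player."""
    n = len(delays_ms)
    if n == 0:
        return {"shots": 0, "median_ms": None, "spread_ms": None,
                "share_below_floor": 0.0, "review": False}
    share = sum(1 for d in delays_ms if d < HUMAN_FLOOR_MS) / n
    spread = pstdev(delays_ms)
    # Flag for manual demo review only when the pattern is frequent AND stable:
    # humans are occasionally lucky, but their delays vary a lot.
    review = (n >= MIN_SHOTS and share >= MIN_SHARE_BELOW
              and spread <= MAX_SPREAD_MS)
    return {"shots": n, "median_ms": median(delays_ms),
            "spread_ms": round(spread, 1),
            "share_below_floor": share, "review": review}

# Constructed sample data (not taken from any real demo).
HUMAN = [212, 187, 260, 145, 301, 198, 233, 176, 410, 122, 254, 190]
STABLE_8MS = [8, 16, 8, 8, 16, 8, 24, 8, 8, 16, 8, 8]            # fires on contact
DELAYED_50MS = [50, 58, 50, 50, 58, 50, 66, 50, 50, 58, 50, 50]  # fixed 50 ms delay
TOO_FEW = [8, 8, 8]

if __name__ == "__main__":
    for name, sample in [("human", HUMAN), ("stable 8 ms", STABLE_8MS),
                         ("delayed 50 ms", DELAYED_50MS), ("too few", TOO_FEW)]:
        print(name, analyse_delays(sample))
```

A `review` result only says the demos deserve a closer manual look; interpolation in non-mvd demos makes the measured delays approximate.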

BOZO
Joined: Feb 2010
Re: The Q3 Anti Cheat Tutorial
rUnThEoN?! wrote:

Excessiveplus Demobuffer:

What is this and how do I enable it?

GrosBedo
Joined: May 2010
Re: The Q3 Anti Cheat Tutorial

Thank you very much Skull Soul, this will be HIGHLY useful.

j
Joined: Feb 2006
Re: The Q3 Anti Cheat Tutorial

print it, underline the best parts, write it down, add ur personal bla bla bla and report everything in a clean paper

rUnThEoN?!
Site administrator
Joined: Dec 2005
DE Germany
Re: The Q3 Anti Cheat Tutorial

anybody can stick this?

hurrenson: "This idiot is apparently not familiar with a rail/sniper style."

!@#$%&*( terror )_
Joined: Feb 2007
GB United Kingdom
Re: The Q3 Anti Cheat Tutorial
rUnThEoN?! wrote:

anybody can stick this?

mods can't,
mods can't anything around here Confused