Old 11-04-2011, 01:39 PM   #1
shazzz
 
Join Date: Mar 2010
Reputation: 308
Posts: 1,773
cvar exploit, sv_consistency, sv_pure, addons_eclipse_content, DoS

First of all, all these things were reported to Valve a long time ago, but for some reason they haven't been fixed yet. I decided to make this public, hoping Valve will stop ignoring them and do something about it.

PLEASE NOTICE THAT NONE OF THESE EXPLOITS IS DETECTED BY VAC


cvar exploit
This is the most serious of all the problems explained on this thread. Please note that this is not a real hack, in the sense of being an external program. No, this is just a simple file override that will allow the player to change any cvar value, even cheat flagged cvars, such as r_drawothermodels (which allows the player to see through walls), among thousands of others. The only cvars which it can't change are the ones flagged as replicated.


sv_consistency & sv_pure
This option already exists and ensures that a player has the default pak01_*.vpk files. This option came with a list (whitelist.cfg) where server owners supposedly could specify what to allow or block, but it never actually worked properly, and Valve also forgot to add some paths when they released the last DLCs (left4dead2_dlc2\pak01_dir.vpk and left4dead2_dlc3\pak01_dir.vpk). However, it doesn't check for files outside of the pak01_*.vpk files, hence the need of sv_pure, or an improved version of sv_consistency.

Note that the correct name for the "whitelist" is actually "blacklist", since it lists what can't be changed. This poses another problem, because if an admin wanted to block any changes to the default files (e.g. for competitive tournaments), he would have to create a list with thousands of entries (L4D2 has over 50.000 files by default), which is not viable, and not even possible since, as explained above, the "whitelist" doesn't work.

sv_pure also exists, but doesn't work. It's needed to check files that are not inside the pak01_*.vpk files, such as sounds. It would probably be more practical to deprecate this option, and just integrate it into sv_consistency, by turning the "blacklist" into a real "whitelist".


addons_eclipse_content
This is a hidden cvar and you can check its value at any time by typing on console "help addons_eclipse_content". Depending on its value the game will load/unload all installed addons when connecting to a server. As you may guess this is what makes it possible for Official dedicated servers to force you to unload all your addons.

This is needed for server admins, because although some of the pak01_*.vpk files are already protected by sv_consistency, it's still possible to extract the wanted files, change them, and repack them into another vpk and use it as an addon. This is how material hacks (mathacks) work and allow a player to see through walls. You can virtually override any file by using this method, without having to touch the original pak01_*.vpk files. Therefore, sv_consistency needs this option as a complement, or it's almost useless by itself.

Right now, L4D2 has a hardcoded list of IP addresses stored on Client.dll, and that's how it recognizes if a server is Official or not. Obviously this is not the ideal way to do things. The best way would be to flag addons_eclipse_content as a replicated cvar, which means that the player must have the same value as the server. This would give the option of allowing/blocking addons to the server admin.


DoS vulnerability
It's possible to lag most servers by using a program (sent/reported to Valve multiple times) that will send thousands of packets to the target server, making it unplayable. It's as simple as copy-pasting the ip and port of the server, and typing the desired number of packets to send.

Most people are convinced there's no way to fix this, because they think this is a problem related to DDoS (multiple people sending the packets), but they are wrong, because you only need one computer to render a server completely useless, that's why it is called DoS, and not DDoS, and therefore it's possible to fix.

Last edited by shazzz: 03-25-2012 at 11:17 PM.
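The deny-by-default "whitelist" this post argues for, contrasted with a "blacklist" that checks only listed paths, as an added example that is not part of the original post and not Valve's implementation. The file paths, manifest contents and function names are constructed for illustration.

```python
import hashlib

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# Constructed sample: the server's manifest of stock files (path -> SHA-256).
MANIFEST = {
    "materials/brick/wall01.vmt": digest(b"stock wall material"),
    "sound/player/footstep1.wav": digest(b"stock footstep"),
    "models/infected/boomer.mdl": digest(b"stock boomer model"),
}

# "Blacklist" policy: only the paths an admin remembered to list are checked.
PROTECTED_PATHS = {"models/infected/boomer.mdl"}

def check_blacklist(report):
    """Violations when only PROTECTED_PATHS are compared with the manifest."""
    return sorted(p for p, d in report.items()
                  if p in PROTECTED_PATHS and MANIFEST.get(p) != d)

def check_allowlist(report, approved=None):
    """Deny by default: each reported file must match the manifest or an
    explicitly approved digest for that path (e.g. a vetted cosmetic skin)."""
    approved = approved or {}
    return sorted(p for p, d in report.items()
                  if d != MANIFEST.get(p) and d not in approved.get(p, set()))

# Constructed client report: what the client would load after addon overrides.
CLIENT_REPORT = {
    "materials/brick/wall01.vmt": digest(b"altered wall material"),   # overridden
    "sound/player/footstep1.wav": digest(b"stock footstep"),
    "models/infected/boomer.mdl": digest(b"stock boomer model"),
    "models/survivors/custom_skin.mdl": digest(b"community skin"),    # new file
}
APPROVED = {"models/survivors/custom_skin.mdl": {digest(b"community skin")}}

if __name__ == "__main__":
    print("blacklist :", check_blacklist(CLIENT_REPORT))
    print("allowlist :", check_allowlist(CLIENT_REPORT))
    print("allowlist + approved skin:", check_allowlist(CLIENT_REPORT, APPROVED))
```

The report here is supplied by the client, so the example models only the policy decision; it does not by itself make the reported digests trustworthy.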
Old 11-06-2011, 01:03 PM   #2
Robertto
 
Banned
Join Date: May 2011
Reputation: 67
Posts: 417
yeah... and all the nice mods that improve quality of the game, like better weapons models, alternate characters/skins, better viewmodels...

I hate sv_pure at least if it doesn't allow some mods, in other words, whitelist
Old 11-06-2011, 01:05 PM   #3
FapJak
 
 
 
Banned
Join Date: Sep 2011
Reputation: 197
Posts: 1,385
Ahem this will render custom skins useless.
Old 11-06-2011, 01:47 PM   #4
shazzz
 
Join Date: Mar 2010
Reputation: 308
Posts: 1,773
Between not having custom skins and not having cheaters, I prefer the last. And this option exists in basically all Valve games, and people have the choice not to play on those servers. Why would L4D2 be different? The absence of this option makes cheating easy and inconsequent. Besides, most servers would still use the default sv_pure 0. That's why it's called an option, each server owner would decide what to do with their server. And the poor excuse that public games would end on those servers is easily fixed by excluding servers with sv_pure enabled from the master server list.

Last edited by shazzz: 11-06-2011 at 01:49 PM.
Old 11-15-2011, 10:31 AM   #5
aldo1
 
Join Date: May 2011
Reputation: 58
Posts: 512
Quote:
Originally Posted by shazzz View Post
Between not having custom skins and not having cheaters, I prefer the last. And this option exists in basically all Valve games, and people have the choice not to play on those servers. Why would L4D2 be different? The absence of this option makes cheating easy and inconsequent. Besides, most servers would still use the default sv_pure 0. That's why it's called an option, each server owner would decide what to do with their server. And the poor excuse that public games would end on those servers is easily fixed by excluding servers with sv_pure enabled from the master server list.
This. I wish official dedicated enforced this. People's custom servers can do whatever they choose.
Old 11-15-2011, 10:53 AM   #6
r2k.Fire
 
Banned
Join Date: Jan 2010
Reputation: 83
Posts: 591
lame gamers

Quote:
Originally Posted by shazzz View Post
Can someone from Valve say if this is part of the plans? Because without this, anyone can cheat without consequences.

I sent a link to some Valve employees that contained a vpk file that allows you to see through walls, and also a tool that allows to lag most servers. This was 1 year ago, since then, nothing has been done, although they said they would look into it.

Also, from the videos I watched of CS Global Offensive, it seems it will use an updated version of l4d2/portal2 engine, but I just can't believe that game won't have sv_pure either.

I really appreciate the confogl mutation and the new maps, but that's content, which doesn't matter if the game isn't fair and easily exploitable. These two things are essential to any competitive (human vs human) fps. Look at Crysis 2 at launch for example, everyone had changed files to get an advantage over other players. The difference is this happens in L4D2 for years.

So please, Valve, we need consistency checks to files outside vpk's and an option to mimic official servers to not allow vpk addons on clients.

I understand some players will end on servers that won't allow addons, but it's already a lottery anyway, and a lot of times you end up on a modded 10vs10 clusterf* server with perks.

Thanks
Nice post. I fully agree with all you said. I run 8 public l4d2 servers, all original set so no confogl crap or whatever mods, cheats for kids. I wish Valve would make sure server admins could keep out lame gamers easier.
Old 11-15-2011, 11:15 AM   #7
Okkk :DDD
 
Guest
Posts: n/a
Quote:
Originally Posted by r2k.Fire View Post
...all original set so no confogl crap or whatever mods, cheats for kids...
I lol'd
Old 11-15-2011, 12:26 PM   #8
shazzz
 
Join Date: Mar 2010
Reputation: 308
Posts: 1,773
Quote:
Originally Posted by r2k.Fire View Post
Nice post. I fully agree with all you said. I run 8 public l4d2 servers, all original set so no confogl crap or whatever mods, cheats for kids. I wish Valve would make sure server admins could keep out lame gamers easier.
Good to know it's not only the competitive part of the community that would like to see these options implemented.

Also, I edited something important on the first post.

Last edited by shazzz: 11-15-2011 at 12:39 PM.
Old 11-15-2011, 09:40 PM   #9
john_volkov
 
 
 
Join Date: Jun 2009
Reputation: 159
Posts: 3,649
Don't the official dedicated servers restrict all addons?

Anyway sure, they should try everything to prevent cheating. I heard people using a boomer bile that you can see through. You must be really stupid to have to get that; most of the time you can see through boomer bile if you concentrate.
Old 11-15-2011, 10:10 PM   #10
aldo1
 
Join Date: May 2011
Reputation: 58
Posts: 512
What are you even talking about? So you think boomer bile is mind over matter? Not that it is easy to try to translate what you say... I don't think you try to troll, but I'm pretty sure you are just lost.
Old 11-15-2011, 10:15 PM   #11
pappaskurtz
 
Join Date: Feb 2009
Reputation: 311
Posts: 671
I wish I knew more about sv_pure, but there has to be a way to restrict things like wall hacks or transparent boomer vomit but still allow things like custom survivor and weapon models and skins. Not all addons or vpks are malicious or intent on giving an advantage.

I will say that I haven't bothered looking into very much custom SI work because the SI models are protected and you'll be kicked from most servers for having a custom SI-model addon enabled--even in single-player/locally hosted games (without setting sv_pure 0), which annoys me greatly, and saps any motivation to experiment with custom SI models. I mean, I see the logic behind it, but the consequences are the same, regardless.

There's a reason I don't do much modding for L4D1 either, and that's because of the outdated add-on system and the manual pak_01_dir edits required to get custom models and skins working.
Old 11-15-2011, 10:33 PM   #12
ckspike
 
Join Date: May 2010
Reputation: 213
Posts: 612
I don't know how they haven't learned from their experience in CSS... There were tons of mat hacks, prop transparency, hell even bright green player models with bullseyes on the head so you could easily see them from distance and in dark. Some players will do anything to get an edge on the competition, even in a game like this that 'supposedly' isn't competitive. Customization at the expense of fairness is never ok. ALL official should have ALL model/mat modifications blocked and 3rd party should have the option to do so. If you want to run your Zoey-Rochelle model and teletubbie boomer, that's fine - play on local or rent a server. It has no place in a mode playing against other players, period.
Old 11-15-2011, 10:55 PM   #13
pappaskurtz
 
Join Date: Feb 2009
Reputation: 311
Posts: 671
Quote:
Originally Posted by ckspike View Post
I don't know how they haven't learned from their experience in CSS... There were tons of mat hacks, prop transparency, hell even bright green player models with bullseyes on the head so you could easily see them from distance and in dark. Some players will do anything to get an edge on the competition, even in a game like this that 'supposedly' isn't competitive. Customization at the expense of fairness is never ok. ALL official should have ALL model/mat modifications blocked and 3rd party should have the option to do so. If you want to run your Zoey-Rochelle model and teletubbie boomer, that's fine - play on local or rent a server. It has no place in a mode playing against other players, period.
Do you play this game? SI models are already cheat-protected, and any custom survivor model or skin designed to give an advantage can only give a minimal advantage at best when you have things like glows and player names highlighting where your team is all the time. Official servers already block all custom content, too; it's not ideal in my opinion, but like I said, there has to be a way to distinguish between mods like custom survivor models and weapons and mods that make walls invisible.

This old game I used to play, C&C Renegade, had a community-generated white list that modders could submit their work to be approved in online play. For custom SI-models, that might be a great way to strike a balance.
Old 11-15-2011, 11:03 PM   #14
ckspike
 
Join Date: May 2010
Reputation: 213
Posts: 612
Quote:
Originally Posted by pappaskurtz View Post
Do you play this game? SI models are already cheat-protected, and any custom survivor model or skin designed to give an advantage can only give a minimal advantage at best when you have things like glows and player names highlighting where your team is all the time. Official servers already block all custom content, too; it's not ideal in my opinion, but like I said, there has to be a way to distinguish between mods like custom survivor models and weapons and mods that make walls invisible.

This old game I used to play, C&C Renegade, had a community-generated white list that modders could submit their work to be approved in online play. For custom SI-models, that might be a great way to strike a balance.
You are completely wrong. It is not working as intended even on official. I'd have to find it again but I have personally tried 'custom' models that allow you to remove all leaves and grass and have transparent walls/trees/dumpsters whatever. The advantage is astonishing. Sorry to burst your bubble but there is no safe place in the game.
Old 11-16-2011, 01:56 AM   #15
r2k.Fire
 
Banned
Join Date: Jan 2010
Reputation: 83
Posts: 591
consequences

Shazzz posted :
Quote:
Can someone from Valve say if this is part of the plans? Because without this, anyone can cheat without consequences.
The part in orange is the biggest problem. I am sure, if the consequences would, or could be set to a higher level, people would be more careful about even thinking of using mods/cheats, right?

My servers all run in VAC secure mode, but still it is very easy to use cheats like you can use them at official servers also. The software we (server admins) use ain't that different from Valve's software.

Valve / Steam is able to count every bullet you fire, as also to count the damage you do with that single bullet. So why is it so hard to check 'data' that was NOT meant to be in the game at all, and kick the client from the server? Give the client a warning and 24 hr timeout, all VAC secured servers. If the client comes back with same data difference in VAC secured servers, he will be VAC banned.

Not too many people know that server administrators have loads of work daily, to keep their servers running. Fighting against a group of people that can do loads of crap because there ain't really consequences.
All times are GMT -7. The time now is 08:13 AM.