09-30-2009, 08:53 PM
[FUN]Founder, whipping boy & Server Pack Mule[UT]
Join Date: Jun 2007
Location: In the Southwest Texas town of El Paso...
Posts: 2,399
Chats: 69
Thanks: 130
Thanked 896 Times in 364 Posts
Proof that corruptions can happen...
Two weeks ago, a member of ours got busted for 'Failed Integrity check' at the TNT server. I asked this member to send me the file in question so that I could check it over. After decompiling and carefully checking the file, I found absolutely nothing wrong. Unfortunately, I forgot I had placed this file into my UT folder so that I could use WOTGrael to tear it apart. I connected under my alias <=========> to play a game or 2. I got logged as well. I contacted CryptKeeper and actually got a copy of the log. It shows the correct info for the file our member was logged for.
Here is the PM from him. I'm leaving my info in place quite simply because, in the world of UT, this info is never private anyways.
Quote:
Well files do not accidentally get altered.
And decompiling a file will not necessarily show if it has been byte hacked.
Regardless of how it was altered it is altered and you possess the EXACT same file,
with the EXACT same corruption hash.
Here is the log.
[UTDCv21] +---------------------------------------------------+
[UTDCv21] Client have failed integrity check
[UTDCv21] Player name......: <=========>
[UTDCv21] Player IP........: 24.233.32.149
[UTDCv21] Client UT version: v.4.36
[UTDCv21] Client OS........: Microsoft Windows XPx32 5.1 (Build: 2600)
[UTDCv21] OpenGLDrv.dll MD5: FB373215354824D98A26D73842B1FD59
[UTDCv21] Core.dll MD5.....: 6AC677426A03FAEC24FECE284D0D652B (v4.36GOTY)
[UTDCv21] Engine.dll MD5...: 07447166E4443EA945CD7470CC50720A (v4.36GOTY)
[UTDCv21] Render.dll MD5...: F6487EFE25997FE5843D2178FE3BEC07 (v4.36GOTY)
[UTDCv21] Galaxy.dll MD5...: FDAC609BE71693E9102E5F38165D0678 (v4.36GOTY)
[UTDCv21] UTDCx.dll MD5....: E9DE0EE5B80D2CEAD8AC9436D3D5B014
[UTDCv21] MAC hash.........: EC29A2CAAC4271315BA82093FC6746A8
[UTDCv21] Mem NTDLL image..: True
[UTDCv21] Altered File.....: TNT_Ultra_Rifle_v2.u
[UTDCv21] Server Received..: DC49EF572AC5A6505FFC6915B80810A2
[UTDCv21] Date/Time........: 29-09-2009 / 17:07:50
[UTDCv21] +---------------------------------------------------+
I will not afford you any different treatment than anyone else.
Crypt
I responded to him with this.
Quote:
I have the same file as ***** because it is the same file. When I had him send it to me 2 weeks ago, I placed it in my UT folder so that I could use WOTgrael to tear it apart and have a look. I just forgot that I placed it there when I visited last night. When I PM'ed you last night, I had forgotten that. I checked the text buffer and compared and they are exact. I even decompiled both files and they are exact. The file was not Byte-Hacked and, yes, DECOMPILING the file will show if it is hacked. A file can be byte-hacked while the text buffer is left intact and to someone who doesn't know better, the file would appear that it hasn't been tampered with while the md5 has been changed.
I'm all for you banning myself and ***** for this file if it will bring you peace, but I must ask that you remove myself and ***** from your shame list. I will keep both files for future reference and I will be posting them at unrealadmin.org so that I can let those who know much more than you and I combined tear into these files and post the results for the world to see. In the end, I believe that there will be a logical explanation for what has happened. I haven't got a clue as to what caused this corruption but I can promise you it isn't hacked.
~Johnny Jones
I personally could care less about this situation quite simply because what they do from day to day has no bearing on how I run my life. But, for years, I have worked against cheaters and to have someone who really has no problem banning better players just for being better tell me that I'm cheating over a corrupt file has forced me to do this.
Not all corruptions are cheats. When you think about how many things a file goes through to get from the server to your computer and made usable to the game, you begin to understand where something can go wrong. You take the original file and put it on the server. You want your clients to download it quicker so you compress it, much like a zip file. Then, you place it on web space somewhere else in the world. When a client connects to the server and does not have the files, the server tells the client to go to an address on webspace somewhere else and download that compressed file. Once the compressed file is on the client's machine, the game then 'unzips' that file and places it in your cache folder. Hopefully, you can see that there are a lot of working parts to go wrong. All it takes is for a client to unzip that file incorrectly and suddenly you have a file that still works but has a different MD5 hash. MD5's are only handy when you have a known MD5 from a proven cheat that is exact to an MD5 that is logged.
The funny thing is that this is their file. It's their rifle. It's not like it was a file like a hacked UTPURE file or something like that.
Now, I'm providing a copy of the good file and a copy of the bad file with the MD5 of each so that you are certain it is the correct file located in the log. Those with coding experience can tear them apart and see for themselves that there is absolutely nothing wrong here.
Bad file
MD5 = DC49EF572AC5A6505FFC6915B80810A2
Good file
MD5 = 3B1F2095B8AE2C99AAAC576BB3A4BDD3
~Johnny Jones
__________________
I'm the quiet guy with the bag of lime and a shovel in the trunk of his car...
The Following 14 Users Say Thank You to Draco For This Useful Post:
Badmotor (10-01-2009), Blood (09-30-2009), Brummel (10-01-2009), CornHolio_NL (10-01-2009), F!zz|3^N!zz|3 (10-24-2009), first-day-dead... (10-26-2009), Ironface_NL (10-01-2009), Neoandrew1 (10-01-2009), Old Man (10-01-2009), RISK (10-01-2009), SgtHetfield (10-01-2009), SiN-e (09-30-2009), TheCatt (10-02-2009), TheKraken (10-02-2009) |

09-30-2009, 09:26 PM
[FUN]WebMaster[UT]
Join Date: Jun 2007
Posts: 1,213
Chats: 8
Thanks: 15
Thanked 87 Times in 47 Posts
handled very professionally.. it sux to be posted about.. but not a biggie.. life will go on and we will remain a notch better in the end...
The Following User Says Thank You to Death_Dealer For This Useful Post:

09-30-2009, 09:56 PM
FuN DislexicCampCounciler
Join Date: Jun 2007
Location: Somewhere In Ohio
Posts: 1,265
Chats: 32
Thanks: 213
Thanked 277 Times in 146 Posts
Handled very professionally.
I remember talking to Phil about something very similar to this situation. While UTDC is a great tool to have on a server to check for certain things and for the S. S. capabilities it does produce false positives like what has been shown.
So, let's say if one were to change the hash and recompile a file, like you have shown, would UTDC pick it up even though the server has the correct file or would it be a version mismatch?
__________________
[UT]Badmotr |FuN|Badmotor Camping Admin -----------------------------
You'll hunt me. You'll condemn me. Set the dogs on me. Because that's what needs to happen.
-----------------------------

09-30-2009, 10:03 PM
[FUN]Founder, whipping boy & Server Pack Mule[UT]
Quote:
Originally Posted by Badmotor
Handled very professionally.
I remember talking to Phil about something very similar to this situation. While UTDC is a great tool to have on a server to check for certain things and for the S. S. capabilities it does produce false positives like what has been shown.
So, let's say if one were to change the hash and recompile a file, like you have shown, would UTDC pick it up even though the server has the correct file or would it be a version mismatch?
If the file was actually recompiled by the UT engine, it would produce a version mismatch even if absolutely nothing had changed between the compiles.
~Johnny Jones
__________________
I'm the quiet guy with the bag of lime and a shovel in the trunk of his car...

10-01-2009, 02:47 AM
[FuN]'s Multiplier: x2!
Join Date: Jun 2008
Location: The Netherlands
Posts: 1,500
Chats: 411
Thanks: 410
Thanked 409 Times in 213 Posts
No way of having a look into those files without using UnrealEd I guess?
__________________
~ A Gentlemen will walk, but never run.
~ If I agreed with you, we'd both be wrong.

10-01-2009, 11:04 AM
FuN DislexicCampCounciler
Ok, I have to ask another question or 2.
What benefit would it be to change the hash in any *.u file?
What benefit would changing anything in the rifle file on your personal system do for when you connect to a server that contains the original file?
I have another question but it's more focused on server side applications than anything else.
__________________
[UT]Badmotr |FuN|Badmotor Camping Admin -----------------------------
You'll hunt me. You'll condemn me. Set the dogs on me. Because that's what needs to happen.
-----------------------------

10-01-2009, 05:01 PM
[FUN]Founder, whipping boy & Server Pack Mule[UT]
Quote:
Originally Posted by Badmotor
Ok, I have to ask another question or 2.
What benefit would it be to change the hash in any *.u file?
What benefit would changing anything in the rifle file on your personal system do for when you connect to a server that contains the original file?
I have another question but it's more focused on server side applications than anything else.
Personally, I believe byte-hacking a rifle file would serve no purpose at all. Byte-hacking comes in handy when you wanna turn something off in a file. For instance, let's take the No-Dodge mutator we have. The way the mutator works is by residing on both the server and client. The server tells the client to uncheck the dodging check-box in your preferences by way of the client-side file and then it tells the client to check to make sure that check-box stays un-checked every 10-12 seconds. If you took the No-Dodge.u file and byte-hacked it, you could find the value in the file responsible for the scan and turn it off. The server and client would still be on the same page but the client wouldn't know that the checks have been turned off but it still would be acknowledging to the server that the checks were still occurring. The file wouldn't change size at all but the hash would be changed. What are you gonna turn off or on in a rifle that would give you some kind of advantage?
Hacked UTPURE files do the exact same thing. They are changed so that the checks do not occur. UTDC uses dll files which are native to Windows. These are the files that are responsible for checking Windows memory and Pre-cache and such but UTDC still needs Uscript files (the language used by the Unreal engine) on both client and server to relay the checkscan results back to the server. Someone has byte-hacked the client-side UTDC.u files to either ignore the scan results and return a normal to the server or to never initiate the scan to begin with and still report a normal back. In most cases, the server is set up to check the MD5 of files on the client and compare them to the known, good MD5 values of files and the moron running them gets busted because byte-hacking changes the md5 in every case.
~Johnny Jones
__________________
I'm the quiet guy with the bag of lime and a shovel in the trunk of his car...
The Following 3 Users Say Thank You to Draco For This Useful Post:
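Added example, not part of the original thread or any poster's code: a byte-level comparison of a known-good file against a flagged one, covering both the download/unzip corruption scenario from the first post and the same-size byte edit described in the post above. It reports the facts a hash mismatch alone does not (size change, offsets and lengths of differing runs); the function names and sample data are constructed for illustration.

```python
import hashlib
from pathlib import Path

def md5_hex(data: bytes) -> str:
    # Uppercase hex, matching the format of the UTDC log lines in the thread.
    return hashlib.md5(data).hexdigest().upper()

def diff_runs(good: bytes, bad: bytes) -> list[tuple[int, int]]:
    """(offset, length) of each differing run within the common length."""
    runs, start = [], None
    common = min(len(good), len(bad))
    for i in range(common):
        if good[i] != bad[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, common - start))
    return runs

def triage(good: bytes, bad: bytes) -> dict:
    """Facts an admin can attach to a hash-mismatch report."""
    runs = diff_runs(good, bad)
    return {
        "good_md5": md5_hex(good),
        "bad_md5": md5_hex(bad),
        "size_delta": len(bad) - len(good),   # 0 means size unchanged
        "diff_runs": runs,
        "bytes_changed": sum(length for _, length in runs),
    }

def triage_files(good_path: str, bad_path: str) -> dict:
    return triage(Path(good_path).read_bytes(), Path(bad_path).read_bytes())

# Constructed sample data (not the files from the thread).
GOOD = bytes(range(256)) * 4                      # 1024-byte stand-in package
_edit = bytearray(GOOD)
_edit[0x120] ^= 1                                 # single byte edit, same size
ONE_BYTE = bytes(_edit)
TRUNCATED = GOOD[:1000]                           # incomplete write
CLOBBERED = GOOD[:0x200] + b"\xff" * 64 + GOOD[0x240:]  # 64-byte block overwritten

if __name__ == "__main__":
    for name, sample in [("one_byte", ONE_BYTE), ("truncated", TRUNCATED),
                         ("clobbered", CLOBBERED)]:
        print(name, triage(GOOD, sample))
```

All three samples produce a different MD5 from the good file, but the diff output differs in each case, which is the information needed before deciding what a mismatch means.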

10-01-2009, 05:11 PM
FuN DislexicCampCounciler
I don't plan on changing anything, just random questions I think of when I am on my lunch break.
SSSSSSSoooooooo, when UTDC is looking at, let's say, a rifle.u file and the MD5 comes up as a different hash. This would almost be considered a "False Positive".
False Positive: Type I error, also known as an "error of the first kind", an α error, or a "false positive": the error of rejecting a null hypothesis when it is actually true. Plainly speaking, it occurs when we are observing a difference when in truth there is none, thus indicating a test of poor specificity. An example of this would be if a test shows that a woman is pregnant when in reality she is not. Type I error can be viewed as the error of excessive credulity. Statistics Reference
__________________
[UT]Badmotr |FuN|Badmotor Camping Admin -----------------------------
You'll hunt me. You'll condemn me. Set the dogs on me. Because that's what needs to happen.
-----------------------------

10-01-2009, 05:31 PM
[FUN]Founder, whipping boy & Server Pack Mule[UT]
Quote:
Originally Posted by Badmotor
I don't plan on changing anything, just random questions I think of when I am on my lunch break.
SSSSSSSoooooooo, when UTDC is looking at, let's say, a rifle.u file and the MD5 comes up as a different hash. This would almost be considered a "False Positive".
False Positive: Type I error, also known as an "error of the first kind", an α error, or a "false positive": the error of rejecting a null hypothesis when it is actually true. Plainly speaking, it occurs when we are observing a difference when in truth there is none, thus indicating a test of poor specificity. An example of this would be if a test shows that a woman is pregnant when in reality she is not. Type I error can be viewed as the error of excessive credulity. Statistics Reference
It's not a false positive. The MD5 has definitely changed so UTDC was on the money in this case and did its job perfectly. The issue that comes up for me is that this guy seems to think ANY hash corruption is automatically a cheat and he bans and then names-and-shames for it without any proof whatsoever. Now, if he can provide proof that a file with a corrupted hash is a verified cheat, name and shame away.
The part that I find strange is the man is checking his own rifle. He does boast about having one of the heaviest protected servers in the UT world but that could just be considered paranoid.
~Johnny Jones
__________________
I'm the quiet guy with the bag of lime and a shovel in the trunk of his car...

10-01-2009, 06:28 PM
FuN DislexicCampCounciler
Thank you for the correction. I was only looking at patterns not just the MD5 problem.
__________________
[UT]Badmotr |FuN|Badmotor Camping Admin -----------------------------
You'll hunt me. You'll condemn me. Set the dogs on me. Because that's what needs to happen.
-----------------------------
All times are GMT -5.