From the Infiltration main page. A way to fight the new bots there is around. Check my sig for a direct link.
Security Takes a Step Forward
November 26, 2001 @ 16:13 Warren
Here is a small contribution to the Unreal Tournament community to help deal with some of the security issues that can be detrimental to gameplay. Though most of this will be geared towards server admins, part of the community's responsibility will be to put pressure on those admins to make the necessary changes so their servers can remain as cheat-free as possible.
Removal of the 'ServerSideOnly' backdoor within Unreal Tournament
Disclaimer:
We do not contend that performing the steps listed below will protect your server 100% against any kind of client-hack, AimBot, or cheat currently available, or those that will be available in the future. Nor do we believe that cheats and hacks are something evil that have to be fought against. This explanation merely describes one solution for "fixing" the most common security holes used by cheats at the moment. Cheats and helpers are welcomed by a wide range of the community. However, the usage of cheats online on open servers or even in clan matches can destroy the whole gaming experience for most players out there.
This information will provide server admins with an opportunity to close one of the largest security holes that Unreal Tournament currently has, and will give mod authors the chance to close another one using some simple script changes.
This fix will work with any standard Unreal Tournament server and every mod, such as Infiltration, Tactical Ops or Strike Force, just to name a few.
Here are two common ways that are used for getting an AimBot and other cheats working online:
a) Using one's own console and editing their INI file to use it instead of the original Unreal Tournament or another mod's console.
b) Using a changed version of an original Unreal Tournament .U package file that is flagged as 'ServerSideOnly'
Point a) is typically not a problem because the console can be checked directly within the code that functions on the server. Standard Unreal Tournament and mods that allow the use of the Client Side Hack Protection (CSHP) modification are normally all you need. Modifications that cannot use CSHP due to various other reasons or incapability normally use their own console class that is then checked within their own packages. Combining the use of a project's console class within their package and including this package in the server's ServerPackages= section listed in the server's INI file would normally fill this security hole. If a mod team needs help in integrating these checks, than feel free to contact us.
Point b) is even easier to fix. Server admins should read the following instructions carefully, because it takes only about 5 minutes to change. Common AimBots are using a changed version of the UTMenu.u file. This package is already listed in the ServerPackages= list, however it is flagged as 'ServerSideOnly' due to backwards compatibility issues of former versions of Unreal Tournament. Well, today all servers and clients out there have version 436 installed, and so the need of backwards compatibility is no longer an issue. The 'ServerSideOnly' flag is responsible for not allowing the check between client and server that normally takes place for all packages within the ServerPackages= list. So, different versions of these files slip between the cracks, and AimBots and other cheats can be used without anyone knowing any better. Removing the 'ServerSideOnly' flag is very easy to achieve and thankfully, the package integrity remains the same. This means that the package is still the "same" for the Unreal Tournament engine and a client-server check will not result in a "file mismatch" warning as some might come to expect. So servers can use files with the 'ServerSideOnly' flag removed and clients do not need to download a changed package or do anything else for that matter.
The following describes one possible way to change this flag. It basically describes the correct usage of the ucc.exe file for removing the flag, and how to setup the server's INI file correctly so that the new file(s) are checked. It should be said that the UTMenu.u file is not the only one that can be modified for cheating, so the procedure should be performed on a group of files that are listed below.
How to remove the ServerSideOnly flag from the UTMenu.u package:
open a command.com or cmd.exe (also known as DOS box or window)
change the path to your UnrealTournament\System folder
type in the following and hit enter (case sensitive if needed
ucc packageflag UTMenu.u UTMenu2.u -ServerSideOnly
wait until ucc has saved the new UTMenu2.u file
make a new folder .... i.e. UnrealTournament\ServerFiles
copy the new UTMenu2.u file into this folder
rename it back to UTMenu.u
open the server's ini file (ie. UnrealTournament.ini or the one from the mod you are hosting)
search for [Core.System]
below you will see the Paths= list entries, such as Paths=../System/*.u
add the folder you just created at the top of the list like this:
Paths=../ServerFiles/*.u
... then the original ones should follow
search for [Engine.GameEngine]
below you will see the ServerPackages= list entries, such as ServerPackages=Botpack
make sure that ServerPackages=UTMenu is listed there as well. If not, simply add it
That's it! Now clients using a modified version of the UTMenu.u file will automatically be rejected by your server.
Here's a list of common packages that are using the ServerSideOnly flag and can be abused:
UBrowser.u
UTBrowser.u
UWindow.u
UMenu.u
UTMenu.u (like described above)
Remove the ServerSideOnly flag for these packages as well, copy them to your new "ServerFiles" folder, and add them to your ServerPackages= list, if not already included.
Feel free to let us know if you have additional questions or comments.
Special thanks to Beppo for doing all the investigative work.
Security Takes a Step Forward
November 26, 2001 @ 16:13 Warren
Here is a small contribution to the Unreal Tournament community to help deal with some of the security issues that can be detrimental to gameplay. Though most of this will be geared towards server admins, part of the community's responsibility will be to put pressure on those admins to make the necessary changes so their servers can remain as cheat-free as possible.
Removal of the 'ServerSideOnly' backdoor within Unreal Tournament
Disclaimer:
We do not contend that performing the steps listed below will protect your server 100% against any kind of client-hack, AimBot, or cheat currently available, or those that will be available in the future. Nor do we believe that cheats and hacks are something evil that have to be fought against. This explanation merely describes one solution for "fixing" the most common security holes used by cheats at the moment. Cheats and helpers are welcomed by a wide range of the community. However, the usage of cheats online on open servers or even in clan matches can destroy the whole gaming experience for most players out there.
This information will provide server admins with an opportunity to close one of the largest security holes that Unreal Tournament currently has, and will give mod authors the chance to close another one using some simple script changes.
This fix will work with any standard Unreal Tournament server and every mod, such as Infiltration, Tactical Ops or Strike Force, just to name a few.
Here are two common ways that are used for getting an AimBot and other cheats working online:
a) Using one's own console and editing their INI file to use it instead of the original Unreal Tournament or another mod's console.
b) Using a changed version of an original Unreal Tournament .U package file that is flagged as 'ServerSideOnly'
Point a) is typically not a problem because the console can be checked directly within the code that functions on the server. Standard Unreal Tournament and mods that allow the use of the Client Side Hack Protection (CSHP) modification are normally all you need. Modifications that cannot use CSHP due to various other reasons or incapability normally use their own console class that is then checked within their own packages. Combining the use of a project's console class within their package and including this package in the server's ServerPackages= section listed in the server's INI file would normally fill this security hole. If a mod team needs help in integrating these checks, than feel free to contact us.
Point b) is even easier to fix. Server admins should read the following instructions carefully, because it takes only about 5 minutes to change. Common AimBots are using a changed version of the UTMenu.u file. This package is already listed in the ServerPackages= list, however it is flagged as 'ServerSideOnly' due to backwards compatibility issues of former versions of Unreal Tournament. Well, today all servers and clients out there have version 436 installed, and so the need of backwards compatibility is no longer an issue. The 'ServerSideOnly' flag is responsible for not allowing the check between client and server that normally takes place for all packages within the ServerPackages= list. So, different versions of these files slip between the cracks, and AimBots and other cheats can be used without anyone knowing any better. Removing the 'ServerSideOnly' flag is very easy to achieve and thankfully, the package integrity remains the same. This means that the package is still the "same" for the Unreal Tournament engine and a client-server check will not result in a "file mismatch" warning as some might come to expect. So servers can use files with the 'ServerSideOnly' flag removed and clients do not need to download a changed package or do anything else for that matter.
The following describes one possible way to change this flag. It basically describes the correct usage of the ucc.exe file for removing the flag, and how to setup the server's INI file correctly so that the new file(s) are checked. It should be said that the UTMenu.u file is not the only one that can be modified for cheating, so the procedure should be performed on a group of files that are listed below.
How to remove the ServerSideOnly flag from the UTMenu.u package:
open a command.com or cmd.exe (also known as DOS box or window)
change the path to your UnrealTournament\System folder
type in the following and hit enter (case sensitive if needed
ucc packageflag UTMenu.u UTMenu2.u -ServerSideOnly
wait until ucc has saved the new UTMenu2.u file
make a new folder .... i.e. UnrealTournament\ServerFiles
copy the new UTMenu2.u file into this folder
rename it back to UTMenu.u
open the server's ini file (ie. UnrealTournament.ini or the one from the mod you are hosting)
search for [Core.System]
below you will see the Paths= list entries, such as Paths=../System/*.u
add the folder you just created at the top of the list like this:
Paths=../ServerFiles/*.u
... then the original ones should follow
search for [Engine.GameEngine]
below you will see the ServerPackages= list entries, such as ServerPackages=Botpack
make sure that ServerPackages=UTMenu is listed there as well. If not, simply add it
That's it! Now clients using a modified version of the UTMenu.u file will automatically be rejected by your server.
Here's a list of common packages that are using the ServerSideOnly flag and can be abused:
UBrowser.u
UTBrowser.u
UWindow.u
UMenu.u
UTMenu.u (like described above)
Remove the ServerSideOnly flag for these packages as well, copy them to your new "ServerFiles" folder, and add them to your ServerPackages= list, if not already included.
Feel free to let us know if you have additional questions or comments.
Special thanks to Beppo for doing all the investigative work.