Proof that corruptions can happen...
Draco
09-30-2009, 09:53 PM
Two weeks ago, a member of ours got busted for 'Failed Integrity check' at the TNT server. I asked this member to send me the file in question so that I could check it over. After decompiling and carefully checking the file, I found absolutely nothing wrong. Unfortunately, I forgot I had placed this file into my UT folder so that I could use WOTgreal to tear it apart. I connected under my alias <=========> to play a game or 2. I got logged as well. I contacted CryptKeeper and actually got a copy of the log. It shows the correct info for the file our member was logged for.
Here is the PM from him. I'm leaving my info in place quite simply because, in the world of UT, this info is never private anyways.
Well, files do not accidentally get altered.
And decompiling a file will not necessarily show if it has been byte hacked.
Regardless of how it was altered it is altered and you possess the EXACT same file,
with the EXACT same corruption hash.
Here is the log.
[UTDCv21] +---------------------------------------------------+
[UTDCv21] Client have failed integrity check
[UTDCv21] Player name......: <=========>
[UTDCv21] Player IP........: 24.233.32.149
[UTDCv21] Client UT version: v.4.36
[UTDCv21] Client OS........: Microsoft Windows XPx32 5.1 (Build: 2600)
[UTDCv21] OpenGLDrv.dll MD5: FB373215354824D98A26D73842B1FD59
[UTDCv21] Core.dll MD5.....: 6AC677426A03FAEC24FECE284D0D652B (v4.36GOTY)
[UTDCv21] Engine.dll MD5...: 07447166E4443EA945CD7470CC50720A (v4.36GOTY)
[UTDCv21] Render.dll MD5...: F6487EFE25997FE5843D2178FE3BEC07 (v4.36GOTY)
[UTDCv21] Galaxy.dll MD5...: FDAC609BE71693E9102E5F38165D0678 (v4.36GOTY)
[UTDCv21] UTDCx.dll MD5....: E9DE0EE5B80D2CEAD8AC9436D3D5B014
[UTDCv21] MAC hash.........: EC29A2CAAC4271315BA82093FC6746A8
[UTDCv21] Mem NTDLL image..: True
[UTDCv21] Altered File.....: TNT_Ultra_Rifle_v2.u
[UTDCv21] Server Received..: DC49EF572AC5A6505FFC6915B80810A2
[UTDCv21] Date/Time........: 29-09-2009 / 17:07:50
[UTDCv21] +---------------------------------------------------+
I will not afford you any different treatment than anyone else.
Crypt
I responded to him with this.
I have the same file as ***** because it is the same file. When I had him send it to me 2 weeks ago, I placed it in my UT folder so that I could use WOTgreal to tear it apart and have a look. I just forgot that I placed it there when I visited last night. When I PM'ed you last night, I had forgotten that. I checked the text buffer and compared and they are exact. I even decompiled both files and they are exact. The file was not Byte-Hacked and, yes, DECOMPILING the file will show if it is hacked. A file can be byte-hacked while the text buffer is left intact and to someone who doesn't know better, the file would appear that it hasn't been tampered with while the md5 has been changed.
I'm all for you banning myself and ***** for this file if it will bring you peace, but I must ask that you remove myself and ***** from your shame list. I will keep both files for future reference and I will be posting them at unrealadmin.org so that I can let those who know much more than you and I combined tear into these files and post the results for the world to see. In the end, I believe that there will be a logical explanation for what has happened. I haven't got a clue as to what caused this corruption but I can promise you it isn't hacked.
~Johnny Jones
Me personally could care less about this situation quite simply because what they do from day to day has no bearing on how I run my life. But, for years, I have worked against cheaters and to have someone who really has no problem banning better players just for being better tell me that I'm cheating over a corrupt file has forced me to do this.
Not all corruptions are cheats. When you think about how many things a file goes through to get from the server to your computer and made usable to the game, you begin to understand where something can go wrong. You take the original file and put it on the server. You want your clients to download it quicker so you compress it, much like a zip file. Then, you place it on web space somewhere else in the world. When a client connects to the server and does not have the files, the server tells the client to go to an address on web space somewhere else and download that compressed file. Once the compressed file is on the client's machine, the game then 'unzips' that file and places it in your cache folder. Hopefully, you can see that there are a lot of working parts to go wrong. All it takes is for a client to unzip that file incorrectly and suddenly you have a file that still works but has a different MD5 hash. MD5s are only handy when you have a known MD5 from a proven cheat that is exact to an MD5 that is logged.
The funny thing is that this is their file. It's their rifle. It's not like it was a file like a hacked UTPURE file or something like that.
Now, I'm providing a copy of the good file and a copy of the bad file with the MD5 of each so that you are certain it is the correct file located in the log. Those with coding experience can tear them apart and see for themselves that there is absolutely nothing wrong here.
Bad file (http://funclansnipers.unrealgamingfiles.com/fusion/attachment.php?attachmentid=578&stc=1&d=1254361561)
MD5 = DC49EF572AC5A6505FFC6915B80810A2
Good file (http://funclansnipers.unrealgamingfiles.com/fusion/attachment.php?attachmentid=579&stc=1&d=1254361586)
MD5 = 3B1F2095B8AE2C99AAAC576BB3A4BDD3
~Johnny Jones
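Added example, not part of the original post or of UTDC: a byte-level comparison of a known-good package against a flagged copy, showing where the two differ and whether the damage looks like a single-bit flip, a sector-sized block, or a small localized change. The function names, the 512-byte sector size and the sample data are assumptions constructed for illustration; the labels are hints for manual review, not verdicts.

```python
import hashlib

SECTOR = 512  # assumed disk sector size for the alignment heuristic


def md5_hex(data: bytes) -> str:
    """MD5 in upper-case hex, the format used in the UTDC log."""
    return hashlib.md5(data).hexdigest().upper()


def diff_runs(good: bytes, bad: bytes, gap: int = 8):
    """Group differing offsets into (start, end) runs, end exclusive.

    Differences fewer than `gap` bytes apart are merged into one run.
    Only the common length is compared; size changes are reported apart.
    """
    runs = []
    for off in range(min(len(good), len(bad))):
        if good[off] != bad[off]:
            if runs and off - runs[-1][1] < gap:
                runs[-1][1] = off + 1
            else:
                runs.append([off, off + 1])
    return [(s, e) for s, e in runs]


def label_run(good: bytes, bad: bytes, start: int, end: int) -> str:
    """Heuristic hint for the analyst; it is not proof either way."""
    bits = sum(bin(g ^ b).count("1")
               for g, b in zip(good[start:end], bad[start:end]))
    if bits == 1:
        return "single-bit flip"
    if end - start >= 64:
        aligned = start % SECTOR == 0 and (end - start) % SECTOR == 0
        return "block damage (sector-aligned)" if aligned else "block damage"
    return "localized change, review by hand"


def triage(good: bytes, bad: bytes) -> dict:
    """Summarise how a flagged file differs from the known-good copy."""
    runs = diff_runs(good, bad)
    return {
        "good_md5": md5_hex(good),
        "bad_md5": md5_hex(bad),
        "same_size": len(good) == len(bad),
        "bytes_changed": sum(g != b for g, b in zip(good, bad)),
        "runs": [(s, e, label_run(good, bad, s, e)) for s, e in runs],
    }


# Constructed sample data: a 4 KiB stand-in for the package, no zero bytes.
GOOD = bytes((i * 7 + 1) % 251 + 1 for i in range(4096))


def sample(kind: str) -> bytes:
    """Build a constructed 'bad' copy of GOOD for each scenario."""
    bad = bytearray(GOOD)
    if kind == "bitflip":
        bad[1000] ^= 0x10                      # one bit changed
    elif kind == "sector":
        bad[1024:1536] = bytes(512)            # one whole sector zeroed
    elif kind == "patch":
        bad[300:304] = bytes(b ^ 0xFF for b in GOOD[300:304])
    return bytes(bad)


if __name__ == "__main__":
    for kind in ("bitflip", "sector", "patch"):
        report = triage(GOOD, sample(kind))
        print(kind, report["same_size"], report["bytes_changed"], report["runs"])
```

To run it on real files, read both copies with `open(path, "rb").read()` and pass them to `triage()`.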
Death_Dealer
09-30-2009, 10:26 PM
handled very professionally.. it sux to be posted about.. but not a biggie.. life will go on and we will remain a notch better in the end...
Badmotor
09-30-2009, 10:56 PM
Handled very professionally.
I remember talking to Phil about something very similar to this situation. While UTDC is a great tool to have on a server to check for certain things and for the S. S. capabilities it does produce false positives like what has been shown.
So, let's say if one were to change the hash and recompile a file, like you have shown, would UTDC pick it up even though the server has the correct file or would it be a version mismatch?
Draco
09-30-2009, 11:03 PM
Handled very professionally.
I remember talking to Phil about something very similar to this situation. While UTDC is a great tool to have on a server to check for certain things and for the S. S. capabilities it does produce false positives like what has been shown.
So, let's say if one were to change the hash and recompile a file, like you have shown, would UTDC pick it up even though the server has the correct file or would it be a version mismatch?
If the file was actually recompiled by the UT engine, it would produce a version mismatch even if absolutely nothing had changed between the compiles.
~Johnny Jones
Brummel
10-01-2009, 03:47 AM
No way of having a look into those files without using UnrealEd I guess?
Badmotor
10-01-2009, 12:04 PM
Ok, I have to ask another question or 2.
What benefit would it be to change the hash in any *.u file?
What benefit would changing anything in the rifle file on your personal system do for when you connect to a server that contains the original file?
I have another question but its more focused on server side applications than anything else.
Draco
10-01-2009, 06:01 PM
Ok, I have to ask another question or 2.
What benefit would it be to change the hash in any *.u file?
What benefit would changing anything in the rifle file on your personal system do for when you connect to a server that contains the original file?
I have another question but its more focused on server side applications than anything else.
Personally, I believe byte-hacking a rifle file would serve no purpose at all. Byte-hacking comes in handy when you wanna turn something off in a file. For instance, let's take the No-Dodge mutator we have. The way the mutator works is by residing on both the server and client. The server tells the client to uncheck the dodging check-box in your preferences by way of the client-side file and then it tells the client to check to make sure that check-box stays un-checked every 10-12 seconds. If you took the No-Dodge.u file and byte-hacked it, you could find the value in the file responsible for the scan and turn it off. The server and client would still be on the same page but the client wouldn't know that the checks have been turned off but it still would be acknowledging to the server that the checks were still occurring. The file wouldn't change size at all but the hash would be changed. What are you gonna turn off or on in a rifle that would give you some kind of advantage?
Hacked UTPURE files do the exact same thing. They are changed so that the checks do not occur. UTDC uses dll files which are native to Windows. These are the files that are responsible for checking Windows memory and Pre-cache and such but UTDC still needs Uscript files (the language used by the Unreal engine) on both client and server to relay the checkscan results back to the server. Someone has byte-hacked the client-side UTDC.u files to either ignore the scan results and return a normal to the server or to never initiate the scan to begin with and still report a normal back. In most cases, the server is set up to check the MD5 of files on the client and compare them to the known, good MD5 values of files and the moron running them gets busted because byte-hacking changes the md5 in every case.
~Johnny Jones
Badmotor
10-01-2009, 06:11 PM
I don't plan on changing anything, just random questions I think of when I am on my lunch break.
SSSSSSSoooooooo, when UTDC is looking at, let's say, a rifle.u file and the MD5 comes up as a different hash. This would almost be considered a "False Positive"
False Positive: Type I error, also known as an "error of the first kind", an α error, or a "false positive": the error of rejecting a null hypothesis when it is actually true. Plainly speaking, it occurs when we are observing a difference when in truth there is none, thus indicating a test of poor specificity. An example of this would be if a test shows that a woman is pregnant when in reality she is not. Type I error can be viewed as the error of excessive credulity. Statistics Reference (http://en.wikipedia.org/wiki/Type_I_and_type_II_errors)
Draco
10-01-2009, 06:31 PM
I don't plan on changing anything, just random questions I think of when I am on my lunch break.
SSSSSSSoooooooo, when UTDC is looking at, let's say, a rifle.u file and the MD5 comes up as a different hash. This would almost be considered a "False Positive"
False Positive: Type I error, also known as an "error of the first kind", an α error, or a "false positive": the error of rejecting a null hypothesis when it is actually true. Plainly speaking, it occurs when we are observing a difference when in truth there is none, thus indicating a test of poor specificity. An example of this would be if a test shows that a woman is pregnant when in reality she is not. Type I error can be viewed as the error of excessive credulity. Statistics Reference (http://en.wikipedia.org/wiki/Type_I_and_type_II_errors)
It's not a false positive. The MD5 has definitely changed so UTDC was on the money in this case and did its job perfectly. The issue that comes up for me is that this guy seems to think ANY hash corruption is automatically a cheat and he bans and then names-and-shames for it without any proof whatsoever. Now, if he can provide proof that a file with a corrupted hash is a verified cheat, name and shame away.
The part that I find strange is the man is checking his own rifle. He does boast about having one of the heaviest protected servers in the UT world but that could just be considered paranoid.
~Johnny Jones
Badmotor
10-01-2009, 07:28 PM
Thank you for the correction. I was only looking at patterns not just the MD5 problem.
xzqtioner
10-01-2009, 07:32 PM
My biggest concern with all of this is that Crypt doesn't seem willing to even entertain the possibility that he may be wrong. I have seen many instances where Draco has articulated a deep knowledge of how this game works under the hood. I don't really understand much of that techno-b.s., but it shows me that he has spent some time backing up his words, while Crypt has only denied without explaining in depth why he is right. No matter who is right I want all cheaters removed from all servers but permanent bans should require undeniable evidence.
Blood
10-01-2009, 11:44 PM
I guess the question of the day is ................ When is the corruption of this file ACTUALLY occurring? Is his FTP sending a corrupt file? ...........
Draco
10-02-2009, 12:03 AM
I guess the question of the day is ................ When is the corruption of this file ACTUALLY occurring? Is his FTP sending a corrupt file? ...........
That is the complete unknown. It's only happened once on the member's machine. I got popped with it because I'm a dumbass. If it were the file on his redirect, it would be every person who joins that server. I'm actually leaning towards internet connection or even maybe on the member's Vista 64bit OS.
~Johnny Jones
Brummel
10-02-2009, 02:53 AM
I found something on the net about getting different MD5 hashes when compiling on a 32 or 64 bit system, not sure if that's the case here. I also found that MD5 is no longer deemed safe, since one can create collisions that make different files have the same MD5 hash. More on MD5 can be found here (http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html).
I still take it that there's no way of looking at .u code without UnrealEd?
Draco
10-02-2009, 03:42 AM
I found something on the net about getting different MD5 hashes when compiling on a 32 or 64 bit system, not sure if that's the case here. I also found that MD5 is no longer deemed safe, since one can create collisions that make different files have the same MD5 hash. More on MD5 can be found here (http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html).
I still take it that there's no way of looking at .u code without UnrealEd?
That'll be a read I'll be doing. There are other programs out there to read uscript. Do a search for WOTgreal and try out the free version of that one. If you like it, I'll hook you up.
~Johnny Jones
Brummel
10-02-2009, 04:42 AM
That'll be a read I'll be doing. There are other programs out there to read uscript. Do a search for WOTgreal and try out the free version of that one. If you like it, I'll hook you up.
~Johnny Jones
The actual article, with explanation, is here (http://eprint.iacr.org/2004/199.pdf) (pdf). On the link I provided earlier there's a program that creates collisions.
If I understand it correctly you can have any file have the same MD5 hash as the original, so one could basically run any type of corrupted file whilst the server thinks it's dealing with the original files? That renders any anti-cheat using MD5 hashes useless in my opinion, cause any smart kid could create false files and bypass the anti-cheat without a problem.
On a second thought: anyone that's willing to put that amount of time and effort into creating a cheat for a game that's over 10 years old needs to unplug and open the curtains of his/her trailer to see that there's an actual world out there in which he/she is basically a loser and doesn't PWN and isn't UB3R 7331... But that's just my opinion :)
THE_PHIL
10-02-2009, 07:33 AM
HEY!!!! I resemble that "trailer" comment!! and so does Sparky!!
Brummel
10-02-2009, 08:13 AM
HEY!!!! I resemble that "trailer" comment!! and so does Sparky!!
You guys aren't creating corrupted files and then creating MD5 collisions to fool a server and cheat, so it doesn't apply to you :)
However, I was unaware that you and Sparky share a trailer?! :cool:
Ironface_NL
10-02-2009, 10:53 AM
No Brummel, not share but SHARED, as in past time. I think YOU need to open your ears and eyes better. Back in the FCS time they were telling it to everyone that they spoke on TS. hyst hyst hyst Wasn't there that nice picture in the forum from Phil behind his screen?? I think it was. The one where his nose is almost against the screen while playing UT. hyst hyst hyst Maybe someone needs to post that one again to freshen up Brummel's memory.
Sparky
10-02-2009, 12:00 PM
haha. . . Memories
Sparky
10-02-2009, 12:10 PM
haha. . . Memories
Badmotor
10-02-2009, 12:14 PM
That trailer was classy, not as classy as the ones in my backyard. I mean, in comparison to the trailers in my town your trailer was by far in better shape. And that is saying a lot.
Draco
10-24-2009, 04:18 PM
UPDATE: First_Day_Dead, the member who originally had the corrupted file, is cashing in
on his warranty with Dell. Turns out that his harddrive is failing and has been for a while.
The issue with the corrupt file most likely came from this and the assumption that myself
and a few others had about Silent Data Corruption could quite possibly be true.
Anyways, it's done with. That's all I got for now.
~Johnny Jones
Fortress
10-24-2009, 11:39 PM
Wish we would've known that earlier, maybe that excuse would've worked hahaha. :p
Draco
10-25-2009, 12:46 AM
Wish we would've known that earlier, maybe that excuse would've worked hahaha. :p
Hate to break the news to you but NOTHING would have worked with that
Self-Righteous A-hole. Trust me when I say that my hostility towards
that guy will never go away. I'm sure he'll be here to read our forums. I
have no problem with that because FuN does not, nor will it ever, censor its
threads unless it pertains to something ILLEGAL and we will never ban someone
from our forums for speaking their mind in legitimate matters.
~Johnny Jones
**Edit: I was in a bad mood when I made this, Ya know... Getting old and stuff, So
I think I was a little too harsh with the wording. I changed it to be a little more polite.**
Fortress
10-25-2009, 01:55 AM
Good to know, wish I could be meaner hahaha it's okay if you're mean Draco, I still <3
SiN-e
10-25-2009, 11:41 AM
You know what Draco.
That is what makes you who you are.
Even though the issue was over and you stated your facts/proof
Even though I did not understand.
You made it a point to come back and say this you know this could as well been the issue.
I do not think Crypt would have made the statement you did (regarding Brad's hard drive)
Thanks for being open and honest with us :)
first-day-dead...
10-26-2009, 11:21 AM
Yes Thanks Draco and all for the Time and effort, I like many others did not have a use for being put on the Cheaters and Banned list for something like this, And yes the hard drive is on its way out just have to wait till it finally goes. Dell's kinda being a pain, go figure. Anyways Thank you again So Much for all the tech support and help!!!
[FuN]First_Day_Dead...
[FuN]Bl17zZ
10-26-2009, 09:29 PM
Starting to wonder what happened to me then. I got banned for corrupt files as well.
Blood
10-26-2009, 11:31 PM
Starting to wonder what happened to me then. I got banned for corrupt files as well.
That was their "reason" .......... "banned for corrupt files" means you're too damn good? ! in their language .......... lol .................?????
:shitter:
[FuN]Bl17zZ
10-27-2009, 08:02 AM
Lmao! Hahahahahaha guess so:P haha
Fortress
10-27-2009, 09:10 AM
Starting to wonder what happened to me then. I got banned for corrupt files as well.
I thought you and I got banned for just screwing around and being rude :(
[FuN]Bl17zZ
10-27-2009, 09:54 AM
Their ban list says I got banned for corrupt files.
Draco
10-27-2009, 10:17 AM
Their ban list says I got banned for corrupt files.
Wasn't it you that contacted him and he refused to help you in any way
or tell you what it was that was corrupt? At least that's what my old ass
memory is telling me. I could be wrong. I think it was hearing this that
actually made me believe that he has no problem doing what he does.
~Johnny Jones
[FuN]Bl17zZ
10-27-2009, 02:47 PM
Can't remember, my old ass memory is letting me down!
Blood
10-30-2009, 12:39 AM
What were we chatting about? ! .............. I don't remember ............ :puke:
SoReal
10-31-2009, 04:14 AM
Okay I know this isn't the right place to put my OMG!! Been too long! But how can I resist the title!!
Mr.BOoK
10-31-2009, 02:57 PM
Damn!!! Soreal!!!!!!
Draco
10-31-2009, 03:41 PM
Damn!!! Soreal!!!!!!
That's what I said!!! It's been a couple of years. Hope all is well
with you, SoReal?
~Johnny Jones
Neoandrew1
11-01-2009, 01:28 AM
What's their server address! I will go on to their server tonight under an alias without saying a word to anyone and see if I get kicked for corrupt files?
This all sounds a bit dodgy to me....
SgtHetfield
11-01-2009, 04:53 AM
What's their server address! I will go on to their server tonight under an alias without saying a word to anyone and see if I get kicked for corrupt files?
This all sounds a bit dodgy to me....
It'll be past your bedtime then won't it? :D
I don't know what is happening day to day now, so I can't say 100% when I can be around to play.
Draco
03-12-2010, 10:48 AM
Ahhhh. Redemption... http://www.unrealadmin.org/forums/showthread.php?p=153295&posted=1#post153295 I doubt it will change Cryptkeeper's mind about anything but it just proves my point that corruptions happen and not every failed integrity check is a cheat.
~Johnny Jones
Sparky
03-12-2010, 11:20 AM
Ahhhh. Redemption... http://www.unrealadmin.org/forums/showthread.php?p=153295&posted=1#post153295 I doubt it will change Cryptkeeper's mind about anything but it just proves my point that corruptions happen and not every failed integrity check is a cheat.
~Johnny Jones
That's great!! But we already knew that. lol
Draco
03-12-2010, 04:39 PM
That's great!! But we already knew that. lol
Yes we did, but I just wanted verification on it by someone impartial. He found the exact same thing I did so I'm happy.
~Johnny Jones
TheCatt
03-12-2010, 11:01 PM
I have one word to sum up all of this.......Integrity
We (I feel I can speak for all FUN members) appreciate your personal integrity Draco, You have preserved the integrity of this clan and the integrity of the members who also got falsely accused and slandered.....as well as a few others who were also unfairly listed.
Not that we didn't already know, but it still brings just and open transparency to the whole affair.
FeAREd
03-14-2010, 02:11 PM
That was their "reason" .......... "banned for corrupt files" means you're too damn good? ! in their language .......... lol .................?????
:shitter:
Yes, that's exactly what it means in their language :D
Ziggy
03-14-2010, 05:21 PM
Draco also plays Counter Strike...
http://www.youtube.com/watch?v=0ECTKibWwhQ