  1. #1
    Doomblayde

    Question about Battle Eye

    Hey everyone,

    So I've been looking all over for what most people do to hack in DayZ and it looks like just about everyone is messing around with scripts and bypasses and things of that nature. I see where these might be more useful in getting what you want, but they also seem like they're easy to detect through admin logs and things of that nature. I play on an Origins server and anyone that scripts in there even with a bypass gets manually admin banned because the admin looks at the logs and sees that they have been spawning items. So I'm not really wanting to mess around with scripts.

    However, I've seen 2 memory reading based hacks floating around. One called Obama Drone, and another called DayZ Navigator. I've used both pretty easily without getting banned at all by using the exploit detailed all over, but here is my question. How does Battle Eye detect these hacks? Is it just detecting the program's unique signature? Or is it something else? If it's just detecting the signature then could you use the source provided to code your own and then use it without having to do some exploit? Would it be forever undetected as long as it isn't publicly released?

    I ask this because I downloaded the source code for Obama Drone and completely gutted the program. I removed every instance of code that could possibly write to the memory of Arma 2. I'd imagine writing to memory would be easy to spot and would more than likely immediately get you banned. What about reading memory though? The program is external, and merely reads memory and updates an external map with player and vehicle locations. Could Battle Eye detect this even if the program is completely gutted of memory writing code and then optimized with more reading functionality?

  2. #2
    Woodhouse
    Sutter (Owner of Battleye) has done a number of things to detect hacks. First and foremost, yes, they do add signatures to the programs, but they'd be a pretty shitty anti-cheat if that's all they did, lol. They detect anything that pauses the Arma process, which is why things like CheatEngine will get you kicked for "GameHack". Any sort of DirectX hook (used by an overlay hack) will be picked up by them. Most recently, they've added a measure to keep people from reading memory, but that won't get you banned. Honestly, I have no idea how anti-cheats are constructed so I wouldn't be able to tell you exactly how they detect things. I'm assuming they just look for common methods or functions used and are able to check for it.
    Last edited by chickeninabiskit; 08-06-2013 at 11:54 AM.

  4. #3
    Doomblayde
    So, theoretically if I *can* read the memory with Battleye running, and I don't overlay, pause the process, or somehow end up with the same signature as the Obama Drone, I should be alright if I were to run this while Battleye is running? The only reason I'm thinking this is many antiviruses read memory from various programs, and since there are many antiviruses and there is no way to differentiate what is an antivirus and what is a hack, they shouldn't outright ban you for something reading the memory, right?

  5. #4
    Woodhouse
    I can't say. I honestly do suggest changing up the math. Even if you did remove lines where the program writes to memory, what's still there could possibly be detected.

  7. #5
    Distraught
    Sadly I don't know anything about BE's end. Just what each individual mod is doing with their antihacks.

  8. #6
    Doomblayde
    Ok thanks for the idea.

    @Distraught
    Do you know if any of the mods have an anti hack that might detect a hack like this? I doubt very seriously if they can detect memory being read, but can they detect if a player has found more than a certain amount of tents or vehicles over a period of time? Then it might flag them for further questioning by an admin? Does that sort of thing show up in server logs, or is it possible to implement into an anti-hack? Should I even be concerned about that?
    Last edited by Doomblayde; 08-06-2013 at 05:04 PM.

  9. #7
    Distraught
    Quote Originally Posted by Doomblayde View Post
    Should I even be concerned about that?
    It would only result in an admin ban if they were able to. New key and you would be fine unless they IP ban you. I know of antihacks that automatically ban you if you receive a certain gun (i.e. AS50, military grade guns) within so much time of logging in. Lots of different scripts have the possibility to be entered into logs. Although not as much since it's impossible to find a working RE anymore. You shouldn't really be concerned.
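
As an added illustration (not part of the original thread, and not any mod's actual anti-hack), the server-side log checks discussed above, a high-tier weapon picked up shortly after login and an unusual rate of tent or vehicle finds, can be sketched as a review queue for an admin. The log format, event names and thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All names, the log format and the thresholds below are assumptions.
HIGH_TIER = {"AS50"}                  # weapon named in the thread
LOGIN_GRACE = timedelta(minutes=5)    # "within so much time of logging in"
FIND_WINDOW = timedelta(minutes=30)   # sliding window for tent/vehicle finds
MAX_FINDS = 3                         # finds allowed inside one window

LINE = re.compile(r"^(\S+ \S+) (LOGIN|PICKUP|ACCESS) player=(\S+)"
                  r"(?: (?:item|object)=(\S+))?$")

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
2013-08-06 17:00:00 LOGIN player=alice
2013-08-06 17:00:00 LOGIN player=bob
2013-08-06 17:01:30 PICKUP player=alice item=AS50
2013-08-06 17:05:00 ACCESS player=carol object=tent
2013-08-06 17:06:00 ACCESS player=bob object=tent
2013-08-06 17:09:00 ACCESS player=carol object=vehicle
2013-08-06 17:15:00 ACCESS player=carol object=tent
2013-08-06 17:20:00 ACCESS player=carol object=tent
corrupted line that the parser must skip
2013-08-06 18:10:00 PICKUP player=bob item=AS50
"""

def review_flags(log_text):
    """Return (player, rule, timestamp) tuples for an admin to review."""
    last_login, finds, flags = {}, defaultdict(deque), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                          # malformed line
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue                          # unparseable timestamp
        event, player, target = m.group(2), m.group(3), m.group(4)
        if event == "LOGIN":
            last_login[player] = ts
        elif event == "PICKUP" and target in HIGH_TIER:
            login = last_login.get(player)
            if login is not None and ts - login <= LOGIN_GRACE:
                flags.append((player, "high_tier_after_login", m.group(1)))
        elif event == "ACCESS" and target in {"tent", "vehicle"}:
            window = finds[player]
            window.append(ts)
            while ts - window[0] > FIND_WINDOW:
                window.popleft()              # drop finds outside the window
            if len(window) == MAX_FINDS + 1:  # flag once when the limit is crossed
                flags.append((player, "find_rate", m.group(1)))
    return flags
```

Flags from a rule like this feed a manual review rather than an automatic ban, since a legitimate player can trip either threshold.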

  11. #8
    Woodhouse
    No, server anti-hacks can't detect anything memory based. However, if you start changing things via RPM/WPM's like bullet velocity, your health and the amount of damage you do, servers/mods can detect the change. I know for a fact that DayZero does this. As far as tents/vehicles you find, it's very possible that the admins/players will begin to notice you. Admins don't need proof to ban. If they suspect you're hacking, they'll ban you. Just try not to act suspicious.
    Last edited by chickeninabiskit; 08-06-2013 at 05:11 PM.

  13. #9
    Doomblayde
    Yeah my friend got banned for using Obama Drone in an Origins server for the WPM part of Obama Drone. He killed the Battleye service on his computer and thought he'd be ok since it let him stay in game instead of kicking for Corrupt Data #5. Then he teleported to me and shot me with a full auto Makarov with infinite ammo. Needless to say the next day he logged in he was global banned. I lol'd. That's why I was asking if it would still be detected if I gutted all the WPM functions out of the program.

    Alright, anyway! Awesome. All good things to know guys. Thank you.

  14. #10
    Confin3d
    Question was answered, Closing thread.

    #Solved
