UTDC

From UnrealAdminWiki

About

UTDC is a native anti-cheat mod designed to block public native hacks that are otherwise virtually undetectable using uscript solutions.

Discussion

Any comments or questions on this topic? Go to the discussion page here.

How to read UTDC logs

UTDC has a few different checks whose results can be difficult to act on, so here is some help:

  • Log headline: Client have hooked functions

This one shouldn't give any false positives. If the hook match is unknown and there are no suspect processes from which you can identify the cheat, post the log on the UTDC forum for clarification.

  • Log headline: Client have failed integrity check

The client has failed the file MD5 check. As file corruption does occur, you need to know whether the failed MD5 hash matches a cheat file, or you need to ask for the file that failed the check and examine whether it's a cheat or a corrupted file. If you can't do either to identify the file as a cheat, assume that file corruption caused the failed check. If other players fail the check with the same bad MD5 hash, you can assume it's a cheat file or a legit file you don't know about. Search the forums or, ultimately, get the file to check whether it's a cheat. A good resource can be found here: http://www.unrealadmin.org/forums/showthread.php?t=11684

  • Log headline: Client have corrupt memory

Corrupt memory can be caused by a cheat or by some computer error. From UTDC v.1.7, the log gives an MD5 hash that expresses the pattern of the corruption. A cheat will (almost) always give the same hash, so you can treat this hash the same way as the hash from the file check and determine whether it's a cheat the same way as for a client that fails the integrity check. (nogginBasher: Some of my buddies are throwing up "Client have corrupt memory" all the time from UTDCv18 - but they aren't cheating. I think it might be because they are on 64-bit PCs.)

  • Log headline: Client is using a cheat

There should be enough log information to determine whether it's a false positive. If you are in doubt, search the UTDC forum and post there. The speedhack detection has a problem with false positives, so player kick is off by default for it.

  • Log headline: Client have made an illegal ufunction call

What does this mean?

Screenshotting

From UTDC v.1.7 you can screenshot the clients to look for anything suspicious. Screenshotting can be bypassed by some cheats, so it isn't 100% reliable and a clean screenshot shouldn't be taken as proof of *not* cheating.

False/true positives

False

Example :

[UTDCv18] +---------------------------------------------------+
[UTDCv18] Client have corrupt memory
[UTDCv18] Player name......: *
[UTDCv18] Player IP........: *:2338
[UTDCv18] Client UT version: v.4.36
[UTDCv18] Client OS........: WindowsXP
[UTDCv18] Corruption hash..: 2C6DDF8E67F60ABC4C15856422A9970D
[UTDCv18] Altered addresses: 1042EAD4-5008459B/5008458B,
[UTDCv18] Date/Time........: 08-07-2006 / 16:29:52
[UTDCv18] +---------------------------------------------------+


In the Altered addresses field, each entry has the form <n1>-<n2>/<n3>: n1 is the memory address, n2 is the memory content at that address, and n3 is what the content should be. In this case there is a 1-bit difference between what the content is and what it should be.
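The comparison above can be done mechanically by XOR-ing n2 with n3 and counting the set bits. The following is an added example, not part of UTDC or of the original page; it assumes the field is a comma-separated list of `<n1>-<n2>/<n3>` hex entries, as the trailing comma in the log suggests.

```python
import re

# One "Altered addresses" entry: <address>-<actual content>/<expected content>, all hex.
ENTRY = re.compile(r"([0-9A-Fa-f]+)-([0-9A-Fa-f]+)/([0-9A-Fa-f]+)")


def parse_altered(line):
    """Return one dict per altered address found in an 'Altered addresses' log line."""
    # Drop the "[UTDCvXX] Altered addresses:" prefix so only the entries are scanned.
    value = line.split("Altered addresses:", 1)[-1]
    results = []
    for addr, actual, expected in ENTRY.findall(value):
        diff = int(actual, 16) ^ int(expected, 16)  # set bits = bits that differ
        results.append({
            "address": addr.upper(),
            "actual": actual.upper(),
            "expected": expected.upper(),
            "bits_changed": bin(diff).count("1"),
            # Bit 0 is the least significant bit of the content value.
            "bit_positions": [i for i in range(diff.bit_length()) if (diff >> i) & 1],
        })
    return results


def summarize(line):
    """One readable line per entry, suitable for pasting into an admin note."""
    return [
        f"{e['address']}: {e['actual']} should be {e['expected']}, "
        f"{e['bits_changed']} bit(s) differ at position(s) {e['bit_positions']}"
        for e in parse_altered(line)
    ]


# The line from the log shown on this page.
SAMPLE = "[UTDCv18] Altered addresses: 1042EAD4-5008459B/5008458B,"
# Constructed line with two entries, to exercise the assumed list format.
CONSTRUCTED = "[UTDCv18] Altered addresses: 00400000-FF/00, 00400004-90909090/8B45FC50,"

if __name__ == "__main__":
    for row in summarize(SAMPLE) + summarize(CONSTRUCTED):
        print(row)
```
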

Speedhack logs

With recent processors, it's hard to tell if someone is messing around with the apparent CPU speed in order to alter their in-game speed.

However, here are a few things you should note. Here's an example log:

[UTDCv17c] +---------------------------------------------------+
[UTDCv17c] Client is using a cheat
[UTDCv17c] Player Name......: 
[UTDCv17c] Player IP........: 
[UTDCv17c] Client UT Version: 
[UTDCv17c] Client OS........: WindowsXP
[UTDCv17c] Cheat Type.......: Speed Hack
[UTDCv17c] Cheat Trace......: CPU:797 - UT:1600 / AuthenticAMD F:F M:4 S:8 - Commandline: "-cpuspeed=1600"
[UTDCv17c] Date/Time........: 25-8-2006 / 12:55:53
[UTDCv17c] +---------------------------------------------------+

This log simply indicates that UTDC's speedhack detection has been triggered. The first thing to look at is the respective UT and CPU speeds (note that the UT speed is the MHz UT thinks the machine is running at).

If there is a big difference, say 200 MHz or more, something is happening. This isn't a sure flag for speedhacking though. It can be caused by a processor capable of speedstepping, a power saving feature that has undesirable effects on early games that don't push the CPU enough. This feature now exists on both portable and desktop configurations.

Now, the code "AuthenticAMD F:F M:4 S:8" gives some clues as to what the processor being used is. In this case, it's an AMD processor and most probably an AMD 64, which is capable of speedstepping. If you're in touch with the player, advise them to turn off any power saving features when they're playing in Windows, as it's likely that this is causing undesirable effects.

Also note that the command line is applying a directive to force UT to adopt a certain CPU speed, in this case 1600 MHz. This is usually applied by players who are experiencing problems playing with their configuration. It could be used for tampering in-game but this is unlikely.

In conclusion, it's up to you as an admin to determine whether some foul play is going on. There are visible effects that can be seen when someone is messing around with their speed intentionally. Either they go too fast or too slow, but they will always warp due to the server trying to correct speed differences. Also, it's likely that using outside software to mess around with speeds will trigger speedhack detection a few times during a gaming session at opportune moments, like when someone is bringing the enemy flag back to base.
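The checks an admin makes by eye on the Cheat Trace field (the CPU/UT gap and whether the UT speed is just the forced -cpuspeed value) can be pulled out of the log line as follows. This is an added example, not part of UTDC or of the original page; treating the Commandline tail as optional is an assumption, and the second sample line is constructed.

```python
import re

# Layout of the Cheat Trace value as it appears in the log on this page.
# The ' - Commandline: "..."' tail is treated as optional (assumption).
TRACE = re.compile(
    r'CPU:(?P<cpu>\d+) - UT:(?P<ut>\d+) / (?P<cpu_id>\S+ F:\S+ M:\S+ S:\S+)'
    r'(?: - Commandline: "(?P<cmdline>[^"]*)")?'
)
CPUSPEED = re.compile(r"-cpuspeed=(\d+)", re.IGNORECASE)
BIG_GAP_MHZ = 200  # the page's "big difference, say 200 MHz or more"


def triage_trace(trace):
    """Extract the values an admin compares by hand; None if the layout differs."""
    m = TRACE.search(trace)
    if m is None:
        return None
    cpu, ut = int(m["cpu"]), int(m["ut"])
    forced = CPUSPEED.search(m["cmdline"] or "")
    forced_mhz = int(forced.group(1)) if forced else None
    return {
        "cpu_mhz": cpu,
        "ut_mhz": ut,
        "gap_mhz": abs(ut - cpu),
        "big_gap": abs(ut - cpu) >= BIG_GAP_MHZ,
        # Kept verbatim so it can be looked up, e.g. to check for speedstepping.
        "cpu_id": m["cpu_id"],
        "forced_mhz": forced_mhz,
        # True when the speed UT reports is simply the value forced on the command line.
        "ut_is_forced_value": forced_mhz is not None and forced_mhz == ut,
    }


# The trace from the log shown on this page.
SAMPLE = ('[UTDCv17c] Cheat Trace......: CPU:797 - UT:1600 / AuthenticAMD F:F M:4 S:8'
          ' - Commandline: "-cpuspeed=1600"')
# Constructed trace with a small gap and no command line override.
CONSTRUCTED = "[UTDCv17c] Cheat Trace......: CPU:2394 - UT:2400 / GenuineIntel F:F M:2 S:9"

if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED):
        print(triage_trace(line))
```

A large gap together with `ut_is_forced_value` is the situation in the page's example; it still needs the in-game observation described above before any decision is made.
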

Reading demos recorded on UTDC servers

Demos recorded on UTDC (> version 1.7 ?) servers will most often crash UT on playback.

You have two solutions:

  • Anthrax's Demo Manager 3.2 is available here. It is an update of Usaar33's Demo Manager 3.0 Beta.
  • Azura's Movie Demo Manager 1.1 is available here. It is an updated version of Poema's Movie Demo Manager which includes Anthrax's code. It has a few bugs but is quite functional.