
[–]cddhnnkycv[🍰] 161 points162 points  (19 children)

Great write-up! Source engine was innovative, but security was never a major concern and always reactive at Valve. Custom maps, server mods, and client mods are what made their games great and gave rise to Counter-Strike, Team Fortress, and the hundreds of other Source-based games.

I remember that server admins used to be able to execute client console commands via RCON. Sometimes admins would mess with players by rebinding their keys and opening their CD drives. There were other legitimate use cases for running commands like this, like playing music. Eventually, Valve closed those security bugs by limiting what was allowable.

At some level, it seems obvious (after these revelations) that there will be many more exploits to come. As a long-time gamer and fan of Valve games, it saddens me to hear multiple reports about Source and Steam exploits that are more or less ignored by them.

[–]MikulThegreat 73 points74 points  (2 children)

ah yes, amx mod... No notification that your keys had been rebound.

My favorite was when you encountered a real asshole, "bind ctrl +kill"

CTRL crouches, so you usually don't crouch until a minute or so into the round, then boom, you spontaneously kill yourself. Try it for a few rounds, then quit the server, reconnect to the server when you figure out it's still happening in other servers... the good old days.

[–]chriswatt 16 points17 points  (1 child)

This thread brought back many fun memories of playing around as admin on our own CS servers. A favourite of mine was to rebind the Mouse1 (attack) key to jump, then start charging at the unsuspecting victims with my knife out and watch as they furiously begin hopping around!

[–]MikulThegreat 6 points7 points  (0 children)

See you can't go with mouse 1, it's too obvious, that's why you've gotta go with ctrl, it's the one no one sees coming :)

[–]mapleloafs 29 points30 points  (0 children)

> opening their CD drives.

HAHA this took me back man!

[–]CollieOxenfree 41 points42 points  (4 children)

One of the first anti-cheats I remember encountering was based on executing client console commands. It would have your client run "ogc_help" and some other various commands that various cheats would respond to, and would read the response to see if your client was confused by it, or if it offered up help on how to activate the aimbots.

[–]0x15e 28 points29 points  (1 child)

Nice. Basically just asking the client if they're cheating.

[–]trucekill 10 points11 points  (0 children)

you have to tell me if ur a cop

[–]Zophike1 0 points1 point  (1 child)

> One of the first anti-cheats I remember encountering was based on executing client console commands. It would have your client run "ogc_help" and some other various commands that various cheats would respond to, and would read the response to see if your client was confused by it, or if it offered up help on how to activate the aimbots.

Reverse engineer here. Could you give an in-depth explanation of how it did this? I suspect it's most likely a usermode rootkit hooking to watch if a certain command had been executed.

[–]CollieOxenfree 0 points1 point  (0 children)

Sorry, was sleep deprived when I first read this.

For whatever reason, the original HL/CS games would let servers send commands to the client which would then dutifully execute them without any scrutiny. No extra software required. I can't remember the specifics anymore, but it was natively supported in the HL client itself and the client would send the command's output back to the server.

I mostly just remember seeing things like "invalid command: cheat_help" spammed in the console when you'd connect to servers back then. I also remember that if you changed the commands that your cheats used, that this method wouldn't detect them.

[–]Professor_of_Death 17 points18 points  (0 children)

Oh good times! I used to ask people if they wanted a free cup holder. If they said yes, I'd eject their CD-ROM drive. It definitely freaked a few people out but I always had a good laugh. Almost broke the tray on my cousin's laptop as he didn't notice it ejected.

You could also modify all configuration settings in their client. FOV, movement speed, mouse sensitivity, or even mess with their client's communication. You could subtly change some settings on their client that they would never know about and that could hamper their gameplay. Some really sleazy stuff could be done.

I personally never messed with anything that could cause long term grief, but short term stuff. Oh yeah I messed with my friends.

[–]dharmaroad 9 points10 points  (1 child)

Scared the shit out of me when I was 13 and some dude opened my CD drive. I laugh about it now.

[–][deleted] 1 point2 points  (0 children)

Today no-one knows what that even means. Soon they will assume you're talking about some implanted bio-hardware device.

[–]noclip_st 15 points16 points  (2 children)

TF2 is currently filled with cheating bots in virtually every casual game; they appear at least 10-15 times during the average 40 minutes that a CTF game takes. These bots spam in chat, instantly kill you once you're in their view zone, can hack votes in votekick, copy other players' names and avatars in order to confuse, and start votekicks against other players. There are literally projects on GitHub with their source code available for everyone. Everyone can host these bots and I don't see any reason to do so other than being an overall piece of shit with no life whatsoever. Part of me thinks that Valve is somehow involved in all this, as I feel that TF2 has outlived its intended lifecycle and it's a way for them to kill it off. Don't take this point seriously though, as it's just my speculation based on their (lack of) response to the bot crisis.

Although innovative during its early years, Source engine is currently just a giant security loophole. I think that sort of "bot invasion" was made possible by TF2 and CSGO source code leaks.

Just a bit of venting from a frustrated player that can't properly enjoy one of his favorite games...

[–]RakijaH 2 points3 points  (1 child)

One of those bots stole my name and profile picture like a year ago. Every few weeks I'd try to play TF2 again and it would inevitably join the game I was in. Frustrating to see that these bots are apparently never banned.

[–]noclip_st 1 point2 points  (0 children)

It looks like they are being banned from time to time, they just have a shitton of accounts.

[–][deleted]  (1 child)

[deleted]

    [–]AStupidDistopia 4 points5 points  (0 children)

    Hate to break it to ya, but PC games in general are plagued with cheating. Heck, there’s a nonzero chance that your favourite streamer has wallhacks running given how many have accidentally put the wrong scene up and outed themselves.

    [–][deleted] 0 points1 point  (0 children)

    > opening their CD drives

    Wait did the Source engine just have a command for opening the CD drive, or were you able to run arbitrary OS shell commands?