
Apparently the Division on PC has a fatal flaw in its code that allows easy cheating

From Reddit, so grain of salt. But...

https://www.reddit.com/r/gaming/comments/43ki8r/xpost_from_rthedivision_pc_version_will_be/


This is absolutely amazing how fucked up the Division's netcode is. Almost all stats (excluding currencies and health) are calculated and stored on the client, and server just accepts it without any checking. You can have unlimited ammo in a mag, super-speed (this actually causes players to go invisible also), any desired critical chance, no recoil, unlimited medkits and nades and so on and on. And this is not just lack of anticheat, it is global networking architecture fuckup. I highly doubt that this will be fixed any time soon after release. You probably might wanna stay away from PVP area while this problem is present. Pic of me with unlimited mag: http://puu.sh/mQClm/81f67ceeb4.jpg PS. Sorry for my English.
Recorded a gif for proof: http://gfycat.com/ConstantWatchfulChicken
Link to original post: https://www.reddit.com/r/thedivision/comments/43jr61/pc_version_will_be_plagued_with_cheaters/
OP of another thread https://www.reddit.com/r/thedivisio...stion_there_better_be_anticheat_in_the_final/ recorded some videos which can give you understanding on what's going on. Check it out.








https://www.reddit.com/r/thedivisio...stion_there_better_be_anticheat_in_the_final/


Hello The Division Subreddit.
I needed to get this information out somehow. I didn't want to post this on Ubisoft forums in fear of getting my account banned for experimenting/using said exploits.
I'd hope the developers are following this subreddit for information.
I'm a reverse engineer and experienced game developer that specializes in most game securities. I love this game too much to see this game go down in flames.
However, without stating anything specific on how to 'cheat' in this beta. It's scarily simple.
Everything from ammo count, level XP, Dark Zone currency, player speed are all CLIENT trusted, and take time to sync via server time.
For example. Infinite ammo is possible by removing the instruction that's responsible for adding/subtracting ammo into your player structure.
Speedhacking is possible by modifying the delta time used in the game's update.
And the speedhacking is possible for said 'invisible people'. If a player that is speedhacking runs ahead of the position stated on the server, because the client trusts the position of the players, you can very well quickly take out an enemy without them seeing you and reclaim the reward/loot.
Things such as extraction times, rogue times, and respawn times are the only thing that seems to be server side.
In the full game, I highly anticipate some sort of anticheat or method preventing any kind of open handle to the application.
I understand that this is a beta but for it to be this simple and with absolutely no way of reporting or having consequences, I'm scared for the full release.
Please discuss.
Edit:
Due to people such as /u/CaptainDegenerate claiming that I have been spewing false information, I gladly provided proof of my claims in these three videos below stating that everything I have said about how the player structure's information is in fact client side and not backed up by the server.
I apologize about the quality and choppiness. I use a crappy HP Elitebook laptop, so I used OBS to record and After Effects to edit these in 30 minutes.
I also apologize if this isn't enough proof for some people. Can't appease everyone ¯\_(ツ)_/¯
Video of Infinite Ammo
Proof that it is not a glitch by toggling it on/off and showing proof of bullets actually dealing damage/reclaiming rewards.
https://www.youtube.com/watch?v=H7klQfYYUHY
Video of Speedhacking
I apologize to the innocents I killed in this video. You were killed in the name of science ♥
Proof that it causes the 'invisible player' glitch and desync on the server. Enemies disappear/death locations are different than what the client sees.
Proof that the video isn't sped up since the delta time of the game doesn't affect the UI speed at the beginning of the video.
Proof that the game is in fact speedhacked/desynced showing the rogue timer stuck at 00 when toggled off.
Proof that the desync can cause glitches where the client can be stuck upon an object during vaulting cover since the server thinks the client is standing on ground.
Proof using speedhacking while extracting items does in fact work and allow the cheater to receive items in their stash.
Proof of respawn time being server-side due to the inability to respawn towards the end of the video even though the rogue-respawn time running out.
https://www.youtube.com/watch?v=1_lqMapJxvw
Video of Rank Information being client-side
Proof that the information can be changed on the fly, including proof of vendors declining purchases.
https://www.youtube.com/watch?v=DtZX_nCm3cA
Edit #2:
I'm sorry but if you DO work at Ubisoft viewing this post, I assure you that "division_throwaway" isn't an account ;3
Edit #3:
Wow I didn't realize this would get this much attention and front page.
I have to stress something I'm getting a lot of messages about:
DON'T CANCEL YOUR PREORDER YET.
This is a BETA, the game doesn't release until another month, Massive and Ubisoft can easily fix this upon release or in a later patch.


edit

Possible solution/temp problem.


https://www.reddit.com/r/thedivisio...version_will_be_plagued_with_cheaters/czj1uhi


To everyone blaming netcode: The netcode is mostly referred to as that part of the code that handles data transfer from client to server. When people talk about 'bad netcode' they most of the times mean that the game is lagging, shots do not register and you die behind cover. This can be fixed by changing tickrates, values and other performance tweaks to the client-server communication.
Most of the times it's just adjusting stuff until 'it feels right'. That's the time when you have the least error while still compensating ping and calculating times.
Back to topic: The game currently does no server side checks to what the client reports. This is commonly used system to detect cheaters. Client and Server both calculate what would happen, when the client tells the server something that does not fit into the calculations of the server, he corrects it. In case of anti cheat, the client gets banned if what he reports falls under cheating violation. That means for example more ammo in a clip than there should be.
So to sum it up: It is not too late for them to 'change the netcode' because
first: they do not need to change it. Hit registration and everything seems to be fine and
second: They only need to switch on the server side checks, this can be done with one button press and was probably disabled in beta due to many reasons:
Money, server do cost something
It's not finished, server side checks still cause bugs/issues
To delay cheaters, they now can not check and develop cheats that get not detected by anticheat because there is no anticheat. A minor problem in a beta that's only one weekend and everything gets reset. They do not want to give them any heads up.
So to everyone who is freaking out and thinks Ubi just "forgot" the anti cheat: They are probably not. This is just a naive way of thinking. They do some fairly big work at Rainbow 6: Siege to fight cheaters, you won't expect they just forgot it in Division (and no I do not want any replies telling me how Siege is riddled with hackers, this is just spread by a vocal minority online here on reddit and is clearly not representative with the state of the game. Ask some high ranked players and you'll see they rarely met any cheaters)
edit: Oh and to add one thing:
Invisible people are affected by a beta bug and in fact not cheating.





OFFICIAL RESPONSE FROM UBISOFT

http://forums.ubi.com/showthread.ph...anti-cheat?p=11332858&viewfull=1#post11332858

Guys, so you're aware the things discussed here are not in fact hacks or cheats, but merely abuse of glitches that exist in the game currently. These glitches are currently being worked on by the team
 

Eolz

Member
Almost all stats (excluding currencies and health) are calculated and stored on the client, and server just accepts it without any checking

Amazing indeed. How the hell did they approve that?
 

Plasmid

Member
Anyone who has played on PC already know this.

It's all because the game is client side syncing and apparently it's easy to deal with. I don't see a good way to fix this without changing the way the game works, regardless if it's a beta or retail.
 
I was thinking of getting it day one, glad people are trying to exploit now so they can maybe fix things. I am surprised big companies don't hire hackers to hack their game and so they know how to safeguard against.
 

Hip Hop

Member
Man, if this thing persists when it drops, I will have to pass on it when the meat of the game is the multiplayer.

This will totally ruin the experience.
 
A similar issue happened in the PS4 version. I died in the Dark Zone and when I respawned, I was invincible and invisible (except to NPCs)


Literally, I could kill other players and they wouldn't even know where the damage was coming from. I could loot gear and I could kill every NPC with melee attacks because their attacks did no damage. It was weird.
 
I doubt it is a flaw, but intentional to keep stress off the server.

I actually don't know a ton about the division, but similar games suffer from the same drawbacks and are easy to cheat in. They do this so they can better maintain higher population counts on a server.

So my question is, what's the max player count per server?
 

tuxfool

Banned
Can someone explain why or why it won't get fixed anytime soon?

I can't say whether it won't get fixed, but this kind of thing is determined early when developing data structures used to hold game information.

These days clients do store more data, but the server always checks for validity and has final say. It appears that the server doesn't do any of that and if it isn't accounted for, then adding all this extra processing will increase load on the servers.

Say a client sends faulty data:

Shots fired at xyz -> Server determines that client does not have line of sight to make that shot-> rejects and rolls back.

The last stage is fundamentally important.
 

mStudios

Member
Can someone explain why or why it won't get fixed anytime soon?

The game was built client-side and sends info to the server.
They have to do it the other way around.
If you got 500000 HP the server need to evaluate that, not the client.
It means re-write some shit on the engine and on the server.

So right now:
Client(Validates) -> Server

Needs to be
Server(Validates) -> Client
 

Zomba13

Member
That's the point of betas. They'll fix

That should be the point of betas but really, how many games have had issues/problems in the beta (pre-order demo) that were actually fixed in the final build? Usually these "betas" aren't for testing the game but for testing the networking.
 

gnexus

Member
Client side stats in a multiplayer game like this? Whatyearisit.jpg. Reminds me of PSO.

I played the beta on PC and enjoyed it a bit, but never noticed this. I'm not so sure they'll just "fix it" before launch, because that's a pretty technical issue. I hope so, though.
 

BiggNife

Member
So after seeing a bunch of posts saying "this can easily be fixed" / "no it can't," does anyone here with dev experience actually know how easy or difficult it is to move client side data to the server in a game like this?
 

M_A_C

Member
Ubi's PC games are full of cheaters. That's the main reason I've been getting the PS4 versions.
 

Karak

Member
If it is planned to be fixed/added I am not sure that bodes any better as something like that shouldn't be tossed in in the last 2 months and hopefully 1 more beta test especially as it will induce its own additional stresses on the systems. Can't have it both ways. Either it's not going in and that's an issue, or they don't have us testing it and we are close to release and they are going to add it and that's an issue.
In the last example is how much of an issue it actually is. Though with even a beta that's odd to not have it on for testing. But they got a couple more days. Then again if it's off now, there is a reason for that. It's either missing, or it's not ready/impacts performance. There isn't a good legitimate reason to not have it on unless they think cheaters are awesome.
 

darkinstinct

...lacks reading comprehension.
The game was built client-side and sends info to the server.
They have to do it the other way around.
If you got 500000 HP the server need to evaluate that, not the client.
It means re-write some shit on the engine and on the server.

They just have to enable server checks which actually are in the game. Seems like they disabled them for performance reasons due to server stress in the beta. Just like they disabled unlimited random side missions and reduced random enemies compared to the alpha.
 
I can't say whether it won't get fixed, but this kind of thing is determined early when developing data structures used to hold game information.

These days clients do store more data, but the server always checks for validity and has final say. It appears that the server doesn't do any of that and if it isn't accounted for, then adding all this extra processing will increase load on the servers.

Say a client sends faulty data:

Shots fired at xyz -> Server determines that client does not have line of sight to make that shot-> rejects and rolls back.

The last stage is fundamentally important.

The game was built client-side and sends info to the server.
They have to do it the other way around.
If you got 500000 HP the server need to evaluate that, not the client.
It means re-write some shit on the engine and on the server.

So right now:
Client(Validates) -> Server

Needs to be
Server(Validates) -> Client

Thanks guys. Nice to get some clarity because I've never understood how something like this could happen.
 
They just have to enable server checks which actually are in the game. Seems like they disabled them for performance reasons due to server stress in the beta. Just like they disabled unlimited random side missions and reduced random enemies compared to the alpha.

This
 

tuxfool

Banned
It should be pointed out that all these things are suppositions. Clients, especially in a complex game like the Division are liable to store a lot of data. However, the server should hold ground truth all the time, or at least have a way to determine that information.

We don't actually know if the architecture is fundamentally broken, or whether there are just bugs.
 
Can someone explain why or why it won't get fixed anytime soon?

Imagine that you have a reasonable amount of money and want to retire to a miniature farm. You order a little brick, two-floor house for yourself and a wooden barn for a cow. You pass the papers from the planner to the building crew without checking them first, and then when the stuff's ready you realize that they made a brick, two-floor barn and a wooden house for yourself.

This is not something you'll fix in a week, assuming the complaints are valid.
 

Hip Hop

Member
They just have to enable server checks which actually are in the game. Seems like they disabled them for performance reasons due to server stress in the beta. Just like they disabled unlimited random side missions and reduced random enemies compared to the alpha.

Yeah, there's an explanation as to why it might not be in the beta. Hopefully it's true

https://www.reddit.com/r/thedivisio...version_will_be_plagued_with_cheaters/czj1uhi

The game currently does no server side checks to what the client reports. This is commonly used system to detect cheaters. Client and Server both calculate what would happen, when the client tells the server something that does not fit into the calculations of the server, he corrects it. In case of anti cheat, the client gets banned if what he reports falls under cheating violation. That means for example more ammo in a clip than there should be.

So to sum it up: It is not too late for them to 'change the netcode' because

first: they do not need to change it. Hit registration and everything seems to be fine and

second: They only need to switch on the server side checks, this can be done with one button press and was probably disabled in beta due to many reasons:

Money, server do cost something

It's not finished, server side checks still cause bugs/issues

To delay cheaters, they now can not check and develop cheats that get not detected by anticheat because there is no anticheat. A minor problem in a beta that's only one weekend and everything gets reset. They do not want to give them any heads up.

So to everyone who is freaking out and thinks Ubi just "forgot" the anti cheat: They are probably not. This is just a naive way of thinking. They do some fairly big work at Rainbow 6: Siege to fight cheaters, you won't expect they just forgot it in Division (and no I do not want any replies telling me how Siege is riddled with hackers, this is just spread by a vocal minority online here on reddit and is clearly not representative with the state of the game. Ask some high ranked players and you'll see they rarely met any cheaters)

edit: Oh and to add one thing:

Invisible people are affected by a beta bug and in fact not cheating.
 

Lumination

'enry 'ollins
Who designed this? This displays a fundamental misunderstanding of how server client interactions should be handled.

I hope they just don't have server-side validation ready for the beta.
 

wwm0nkey

Member
So with my limited info on networking (just started doing it) it seems like the game's servers trust that the client's info is correct and that the ammo count is just stored on clients. This shouldn't be a hard fix though? Couldn't they just make the ammo count stored on the server itself or at least put checks in so that if the ammo count is something overly stupid it will just correct itself?
 
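The server-side checks discussed in this thread (the server keeps its own ammo counter, and rejects and rolls back positions a player could not have reached), sketched as an added example that is not from any post here or from the game's code. The class, constants and limits are constructed for illustration.

```python
import math
from dataclasses import dataclass

# Constructed tuning values for illustration; not taken from the game.
MAG_SIZE = 30      # rounds per magazine
MAX_SPEED = 6.0    # metres per second a legitimate player can cover
SLACK = 1.25       # tolerance for jitter and late packets

@dataclass
class Player:
    ammo: int
    x: float
    y: float
    last_seen: float   # server clock, never a client-supplied delta time

class Server:
    def __init__(self):
        self.players = {}
        self.violations = []   # (player_id, reason) for review or banning

    def spawn(self, pid, x, y, now):
        self.players[pid] = Player(MAG_SIZE, x, y, now)

    def fire(self, pid, claimed_ammo):
        """Client says it fired and reports its own ammo count."""
        p = self.players[pid]
        if claimed_ammo != p.ammo:
            self.violations.append((pid, "ammo mismatch"))
        if p.ammo == 0:
            return False, 0            # shot rejected, client is corrected
        p.ammo -= 1                    # only the server's counter changes
        return True, p.ammo

    def move(self, pid, x, y, now):
        """Client reports a new position; the server checks it is reachable."""
        p = self.players[pid]
        elapsed = now - p.last_seen    # measured on the server's clock
        p.last_seen = now
        if math.hypot(x - p.x, y - p.y) > MAX_SPEED * elapsed * SLACK:
            self.violations.append((pid, "speed"))
            return False, (p.x, p.y)   # roll back to last valid position
        p.x, p.y = x, y
        return True, (x, y)

def demo():
    s = Server()
    s.spawn("a", 0.0, 0.0, now=0.0)
    # Constructed cheating client: never decrements, always claims a full mag.
    shots = [s.fire("a", claimed_ammo=MAG_SIZE)[0] for _ in range(MAG_SIZE + 5)]
    walk = s.move("a", 5.0, 0.0, now=1.0)    # 5 m in 1 s: plausible
    warp = s.move("a", 55.0, 0.0, now=2.0)   # 50 m in 1 s: rejected
    return shots.count(True), walk, warp, len(s.violations)
```

Because elapsed time is measured on the server, a client that speeds up its own delta time gains nothing: the reported position is simply out of reach and is rolled back.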