
Hello? This is Hailun!
Member
(02-01-2016, 12:45 AM)
From Reddit, so grain of salt. But...

https://www.reddit.com/r/gaming/comm...rsion_will_be/


This is absolutely amazing how fucked up the Division's netcode is. Almost all stats (excluding currencies and health) are calculated and stored on the client, and server just accepts it without any checking. You can have unlimited ammo in a mag, super-speed (this actually causes players to go invisible also), any desired critical chance, no recoil, unlimited medkits and nades and so on and on. And this is not just lack of anticheat, it is global networking architecture fuckup. I highly doubt that this will be fixed any time soon after release. You probably might wanna stay away from PVP area while this problem is present. Pic of me with unlimited mag: http://puu.sh/mQClm/81f67ceeb4.jpg PS. Sorry for my English.
Recorded a gif for proof: http://gfycat.com/ConstantWatchfulChicken
Link to original post: https://www.reddit.com/r/thedivision...with_cheaters/
OP of another thread https://www.reddit.com/r/thedivision..._in_the_final/ recorded some videos which can give you understanding on what's going on. Check it out.

https://www.reddit.com/r/thedivision..._in_the_final/


Hello The Division Subreddit.
I needed to get this information out somehow. I didn't want to post this on Ubisoft forums in fear of getting my account banned for experimenting/using said exploits.
I'd hope the developers are following this subreddit for information.
I'm a reverse engineer and experienced game developer that specializes in most game securities. I love this game too much to see this game go down in flames.
However, without stating anything specific on how to 'cheat' in this beta. It's scarily simple.
Everything from ammo count, level XP, Dark Zone currency, player speed are all CLIENT trusted, and take time to sync via server time.
For example. Infinite ammo is possible by removing the instruction that's responsible for adding/subtracting ammo into your player structure.
Speedhacking is possible by modifying the delta time used in the game's update.
And the speedhacking is possible for said 'invisible people'. If a player that is speedhacking runs ahead of the position stated on the server, because the client trusts the position of the players, you can very well quickly take out an enemy without them seeing you and reclaim the reward/loot.
Things such as extraction times, rogue times, and respawn times are the only thing that seems to be server side.
In the full game, I highly anticipate some sort of anticheat or method preventing any kind of open handle to the application.
I understand that this is a beta but for it to be this simple and with absolutely no way of reporting or having consequences, I'm scared for the full release.
Please discuss.
Edit:
Due to people such as /u/CaptainDegenerate claiming that I have been spewing false information, I gladly provided proof of my claims in these three videos below stating that everything I have said about how the player structure's information is in fact client side and not backed up by the server.
I apologize about the quality and choppiness. I use a crappy HP Elitebook laptop, so I used OBS to record and After Effects to edit these in 30 minutes.
I also apologize if this isn't enough proof for some people. Can't appease everyone
¯\_(ツ)_/¯
Video of Infinite Ammo
Proof that it is not a glitch by toggling it on/off and showing proof of bullets actually dealing damage/reclaiming rewards.
https://www.youtube.com/watch?v=H7klQfYYUHY
Video of Speedhacking
I apologize to the innocents I killed in this video. You were killed in the name of science ♥
Proof that it causes the 'invisible player' glitch and desync on the server. Enemies disappear/death locations are different than what the client sees.
Proof that the video isn't sped up since the delta time of the game doesn't affect the UI speed at the beginning of the video.
Proof that the game is in fact speedhacked/desynced showing the rogue timer stuck at 00 when toggled off.
Proof that the desync can cause glitches where the client can be stuck upon an object during vaulting cover since the server thinks the client is standing on ground.
Proof using speedhacking while extracting items does in fact work and allow the cheater to receive items in their stash.
Proof of respawn time being server-side due to the inability to respawn towards the end of the video even though the rogue-respawn time running out.
https://www.youtube.com/watch?v=1_lqMapJxvw
Video of Rank Information being client-side
Proof that the information can be changed on the fly, including proof of vendors declining purchases.
https://www.youtube.com/watch?v=DtZX_nCm3cA
Edit #2:
I'm sorry but if you DO work at Ubisoft viewing this post, I assure you that "division_throwaway" isn't an account ;3
Edit #3:
Wow I didn't realize this would get this much attention and front page.
I have to stress something I'm getting a lot of messages about:
DON'T CANCEL YOUR PREORDER YET.
This is a BETA, the game doesn't release until another month, Massive and Ubisoft can easily fix this upon release or in a later patch.


edit

Possible solution/temp problem.


https://www.reddit.com/r/thedivision...eaters/czj1uhi


To everyone blaming netcode: The netcode is mostly referred to as that part of the code that handles data transfer from client to server. When people talk about 'bad netcode' they most of the times mean that the game is lagging, shots do not register and you die behind cover. This can be fixed by changing tickrates, values and other performance tweaks to the client-server communication.
Most of the times it's just adjusting stuff until 'it feels right'. That's the time when you have the least error while still compensating ping and calculating times.
Back to topic: The game currently does no server side checks to what the client reports. This is commonly used system to detect cheaters. Client and Server both calculate what would happen, when the client tells the server something that does not fit into the calculations of the server, he corrects it. In case of anti cheat, the client gets banned if what he reports falls under cheating violation. That means for example more ammo in a clip than there should be.
So to sum it up: It is not too late for them to 'change the netcode' because
first: they do not need to change it. Hit registration and everything seems to be fine and
second: They only need to switch on the server side checks, this can be done with one button press and was probably disabled in beta due to many reasons:
Money, server do cost something
It's not finished, server side checks still cause bugs/issues
To delay cheaters, they now can not check and develop cheats that get not detected by anticheat because there is no anticheat. A minor problem in a beta that's only one weekend and everything gets reset. They do not want to give them any heads up.
So to everyone who is freaking out and thinks Ubi just "forgot" the anti cheat: They are probably not. This is just a naive way of thinking. They do some fairly big work at Rainbow 6: Siege to fight cheaters, you won't expect they just forgot it in Division (and no I do not want any replies telling me how Siege is riddled with hackers, this is just spread by a vocal minority online here on reddit and is clearly not representative with the state of the game. Ask some high ranked players and you'll see they rarely met any cheaters)
edit: Oh and to add one thing:
Invisible people are affected by a beta bug and in fact not cheating.





OFFICIAL RESPONSE FROM UBISOFT

http://forums.ubi.com/showthread.php...1#post11332858

Guys, so you're aware the things discussed here are not in fact hacks or cheats, but merely abuse of glitches that exist in the game currently. These glitches are currently being worked on by the team

Last edited by Hello? This is Hailun!; 02-01-2016 at 05:19 AM.
Mad Season
Banned
(02-01-2016, 12:46 AM)
That's the point of betas. They'll fix
Ala Alba
Member
(02-01-2016, 12:47 AM)
That does seem like something they should fix for release.
Squidofman
Member
(02-01-2016, 12:47 AM)
What's to say it wasn't intentionally left open like this to test cheating as part of the beta?
Eolz
Member
(02-01-2016, 12:47 AM)

Almost all stats (excluding currencies and health) are calculated and stored on the client, and server just accepts it without any checking

Amazing indeed. How the hell did they approve that?
0racle
Member
(02-01-2016, 12:48 AM)
Darkest zone.
Hello? This is Hailun!
Member
(02-01-2016, 12:48 AM)

Originally Posted by Mad Season

That's the point of betas. They'll fix

Hopefully, but how often is BETA interchangeable with just a demo?
Sini
Member
(02-01-2016, 12:48 AM)
This is not something they will fix in just few days.
Kade
Member
(02-01-2016, 12:50 AM)

Originally Posted by Sini

This is not something they will fix in just few days.

Well, they've got a month and some change.
TheChewyWaffles
Member
(02-01-2016, 12:50 AM)

Originally Posted by Mad Season

That's the point of betas. They'll fix

I don't think you understand the nature of the issue. This is an architectural issue.
shagg_187
lapdance transform pants
(02-01-2016, 12:50 AM)

Originally Posted by Mad Season

That's the point of betas. They'll fix

Yeah but Ubi won't know without this guy's help. Glad he is showing it and doing actual testing.
SnakeEyes
Member
(02-01-2016, 12:50 AM)

Originally Posted by Sini

This is not something they will fix in just few days.

Game doesn't come out til March. They have a month, because this NEEDS to be addressed on or before launch day, and especially because of the Dark Zone.
darkinstinct
Banned
(02-01-2016, 12:51 AM)

Originally Posted by Sini

This is not something they will fix in just few days.

Yes, it is.
Plasmid
Member
(02-01-2016, 12:52 AM)
Anyone who has played on PC already knows this.

It's all because the game is client side syncing and apparently it's easy to deal with. I don't see a good way to fix this without changing the way the game works, regardless if it's a beta or retail.
TheSpoiler
Member
(02-01-2016, 12:52 AM)

Originally Posted by darkinstinct

Yes, it is.

How so?
texhnolyze
Member
(02-01-2016, 12:53 AM)

I highly doubt that this will be fixed any time soon after release.

Oh, please..
arts&crafts
Member
(02-01-2016, 12:54 AM)
I was thinking of getting it day one, glad people are trying to exploit now so they can maybe fix things. I am surprised big companies don't hire hackers to hack their game and so they know how to safeguard against.
WarMacheen
Member
(02-01-2016, 12:54 AM)
Pre-order canceled.

I'll buy it if it changes.

The DZ is already a gank fest without this.
Hip Hop
Banned
(02-01-2016, 12:55 AM)
Man, if this thing persists when it drops, I will have to pass on it when the meat of the game is the multiplayer.

This will totally ruin the experience.
tjohn86
Member
(02-01-2016, 12:55 AM)
Come on ubi... you never trust the client.
lucebuce12
Member
(02-01-2016, 12:55 AM)
A similar issue happened in the PS4 version. I died in the Dark Zone and when I respawned, I was invincible and invisible (except to NPCs)


Literally, I could kill other players and they wouldn't even know where the damage was coming from. I could loot gear and I could kill every NPC with melee attacks because their attacks did no damage. It was weird.
CambriaRising
Member
(02-01-2016, 12:55 AM)

Originally Posted by darkinstinct

Yes, it is.

Explain why. As a Network Admin, I am interested in your answer.
shagg_187
lapdance transform pants
(02-01-2016, 12:55 AM)

Originally Posted by texhnolyze

Oh, please..

Do you think it's an easy fix?
TheSpoiler
Member
(02-01-2016, 12:56 AM)
Can someone explain why or why it won't get fixed anytime soon?
Hello? This is Hailun!
Member
(02-01-2016, 12:56 AM)

Originally Posted by WarMacheen


The DZ is already a gank fest without this.

How so? I'm stuck in China ATM so I'm gonna miss the beta. :O
Mobius and pet octopus
Member
(02-01-2016, 12:57 AM)
I doubt it is a flaw, but intentional to keep stress off the server.

I actually don't know a ton about the division, but similar games suffer from the same drawbacks and are easy to cheat in. They do this so they can better maintain higher population counts on a server.

So my question is, what's the max player count per server?
shagg_187
lapdance transform pants
(02-01-2016, 12:58 AM)
I haven't played the beta, but is it still 1000 bullets to kill an enemy? Unlimited ammo sounds like a fix to me! Lol.
tuxfool
Member
(02-01-2016, 12:59 AM)

Originally Posted by TheSpoiler

Can someone explain why or why it won't get fixed anytime soon?

I can't say whether it won't get fixed, but this kind of thing is determined early when developing data structures used to hold game information.

These days clients do store more data, but the server always checks for validity and has final say. It appears that the server doesn't do any of that and if it isn't accounted for, then adding all this extra processing will increase load on the servers.

Say a client sends faulty data:

Shots fired at xyz -> Server determines that client does not have line of sight to make that shot-> rejects and rolls back.

The last stage is fundamentally important.
Last edited by tuxfool; 02-01-2016 at 01:03 AM.
mStudios
Member
(02-01-2016, 12:59 AM)

Originally Posted by TheSpoiler

Can someone explain why or why it won't get fixed anytime soon?

The game was built client-side and sends info to the server.
They have to do it the other way around.
If you got 500000 HP the server needs to evaluate that, not the client.
It means re-write some shit on the engine and on the server.

So right now:
Client(Validates) -> Server

Needs to be
Server(Validates) -> Client
Last edited by mStudios; 02-01-2016 at 01:03 AM.
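
Added example, not part of any post in this thread and not Ubisoft's or Massive's code: a minimal Python sketch of the server-side validation that tuxfool and mStudios describe above, where the server keeps ground truth for ammo and position, measures elapsed time on its own clock, and rejects and rolls back claims that do not fit. The class names, message fields, constants (MAG_SIZE, MAX_SPEED, TOLERANCE) and the replayed traffic are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field

MAG_SIZE = 30     # assumed magazine capacity
MAX_SPEED = 6.0   # assumed top run speed, metres per second
TOLERANCE = 0.5   # metres of slack for network jitter


@dataclass
class PlayerState:
    ammo: int = MAG_SIZE
    pos: tuple = (0.0, 0.0)
    last_move_at: float = 0.0          # server clock, seconds
    violations: list = field(default_factory=list)


class AuthoritativeServer:
    """Keeps ground truth; client-reported values are only claims to check."""

    def __init__(self):
        self.players = {}

    def join(self, pid, now):
        self.players[pid] = PlayerState(last_move_at=now)

    def _reply(self, st, ok, reason=None):
        if reason:
            st.violations.append(reason)
        # Every reply carries the server's state so the client can be corrected.
        return {"ok": ok, "reason": reason, "state": {"ammo": st.ammo, "pos": st.pos}}

    def handle(self, pid, msg, now):
        st = self.players[pid]
        if msg["type"] == "fire":
            if st.ammo <= 0:
                return self._reply(st, False, "empty_magazine")   # reject the shot
            st.ammo -= 1                                          # server does the maths
            if msg.get("ammo") != st.ammo:
                return self._reply(st, True, "ammo_mismatch")     # count shot, flag claim
            return self._reply(st, True)
        if msg["type"] == "move":
            # Elapsed time comes from the server clock; msg["dt"] is never read.
            elapsed = now - st.last_move_at
            if math.dist(st.pos, msg["pos"]) > MAX_SPEED * elapsed + TOLERANCE:
                return self._reply(st, False, "too_fast")         # roll back: pos unchanged
            st.pos, st.last_move_at = tuple(msg["pos"]), now
            return self._reply(st, True)
        return self._reply(st, False, "unknown_message")


def run_constructed_session():
    """Replay constructed traffic from a client that never decrements ammo and inflates dt."""
    srv = AuthoritativeServer()
    srv.join("p1", now=0.0)
    shots = [srv.handle("p1", {"type": "fire", "ammo": MAG_SIZE}, now=0.1 * i)
             for i in range(1, MAG_SIZE + 2)]                     # 31 shots, one magazine
    walk = srv.handle("p1", {"type": "move", "pos": (5.0, 0.0), "dt": 1.0}, now=4.0)
    warp = srv.handle("p1", {"type": "move", "pos": (40.0, 0.0), "dt": 10.0}, now=5.0)
    return srv, shots, walk, warp


if __name__ == "__main__":
    srv, shots, walk, warp = run_constructed_session()
    print(shots[-1], walk, warp, len(srv.players["p1"].violations), sep="\n")
```

The per-player violation list is what a ban or review policy would consume; the thresholds would need tuning against real latency before anything is enforced.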
Huge Succeeded
Member
(02-01-2016, 01:01 AM)
jeez, the way he describes the ease of these exploits, it sounds like you could artmoney that bitch. that's.... surreal.
Zomba13
Member
(02-01-2016, 01:02 AM)

Originally Posted by Mad Season

That's the point of betas. They'll fix

That should be the point of betas but really, how many games have had issues/problems in the beta (pre-order demo) that were actually fixed in the final build? Usually these "betas" aren't for testing the game but for testing the networking.
gnexus
Member
(02-01-2016, 01:03 AM)
Client side stats in a multiplayer game like this? Whatyearisit.jpg. Reminds me of PSO.

I played the beta on PC and enjoyed it a bit, but never noticed this. I'm not so sure they'll just "fix it" before launch, because that's a pretty technical issue. I hope so, though.
legacyzero
Member
(02-01-2016, 01:03 AM)
Ubisoft/DOA
BiggNife
Member
(02-01-2016, 01:04 AM)
So after seeing a bunch of posts saying "this can easily be fixed" / "no it can't," does anyone here with dev experience actually know how easy or difficult it is to move client side data to the server in a game like this?
Last edited by BiggNife; 02-01-2016 at 01:06 AM.
The Citizen Kane of Games
Junior Member
(02-01-2016, 01:04 AM)

Originally Posted by shagg_187

I haven't played the beta, but is it still 1000 bullets to kill an enemy? Unlimited ammo sounds like a fix to me! Lol.

Nah my blue sniper kills regular NPC's in two hits and in one if it's a headshot. 'elite' enemies have shielding so they go down a lot slower, but that's the point.
M_A_C
Member
(02-01-2016, 01:05 AM)
Ubi's PC games are full of cheaters. That's the main reason I've been getting the PS4 versions.
Josh378
Member
(02-01-2016, 01:05 AM)

Originally Posted by CambriaRising

Explain why. As a Network Admin, I am interested in your answer.



As a Network Engineer, I concur...I want to know too...(I might get educated in this thread)

:P
Karak
Member
(02-01-2016, 01:05 AM)
If it is planned to be fixed/added I am not sure that bodes any better as something like that shouldn't be tossed in in the last 2 months and hopefully 1 more beta test especially as it will induce its own additional stresses on the systems. Can't have it both ways. Either it's not going in and that's an issue, or they don't have us testing it and we are close to release and they are going to add it and that's an issue.
In the last example is how much of an issue it actually is. Though with even a beta that's odd to not have it on for testing. But they got a couple more days. Then again if it's off now, there is a reason for that. It's either missing, or it's not ready/impacts performance. There isn't a good legitimate reason to not have it on unless they think cheaters are awesome.
Last edited by Karak; 02-01-2016 at 01:13 AM.
SoulUnison
Member
(02-01-2016, 01:06 AM)

Originally Posted by Hello? This is Hailun!

Hopefully, but how often is BETA interchangeable with just a demo?

"BETA" nowadays just means "This is a demo, but we'll call it a BETA so that people will believe that anything they were disappointed with will be 'fixed' before release."
darkinstinct
Banned
(02-01-2016, 01:06 AM)

Originally Posted by mStudios

The game was built client-side and sends info to the server.
They have to do it the other way around.
If you got 500000 HP the server needs to evaluate that, not the client.
It means re-write some shit on the engine and on the server.

They just have to enable server checks which actually are in the game. Seems like they disabled them for performance reasons due to server stress in the beta. Just like they disabled unlimited random side missions and reduced random enemies compared to the alpha.
TheSpoiler
Member
(02-01-2016, 01:07 AM)

Originally Posted by tuxfool

I can't say whether it won't get fixed, but this kind of thing is determined early when developing data structures used to hold game information.

These days clients do store more data, but the server always checks for validity and has final say. It appears that the server doesn't do any of that and if it isn't accounted for, then adding all this extra processing will increase load on the servers.

Say a client sends faulty data:

Shots fired at xyz -> Server determines that client does not have line of sight to make that shot-> rejects and rolls back.

The last stage is fundamentally important.

Originally Posted by mStudios

The game was built client-side and sends info to the server.
They have to do it the other way around.
If you got 500000 HP the server needs to evaluate that, not the client.
It means re-write some shit on the engine and on the server.

So right now:
Client(Validates) -> Server

Needs to be
Server(Validates) -> Client

Thanks guys. Nice to get some clarity because I've never understood how something like this could happen.
Cabbagehead
Banned
(02-01-2016, 01:07 AM)

Originally Posted by darkinstinct

They just have to enable server checks which actually are in the game. Seems like they disabled them for performance reasons due to server stress in the beta. Just like they disabled unlimited random side missions and reduced random enemies compared to the alpha.

This
SmoothRunningGun
Member
(02-01-2016, 01:09 AM)
Delay the PC version but don't fuck with PS4.
tuxfool
Member
(02-01-2016, 01:09 AM)
It should be pointed out that all these things are suppositions. Clients, especially in a complex game like the Division are liable to store a lot of data. However, the server should hold ground truth all the time, or at least have a way to determine that information.

We don't actually know if the architecture is fundamentally broken, or whether there are just bugs.
stan423321
Member
(02-01-2016, 01:09 AM)

Originally Posted by TheSpoiler

Can someone explain why or why it won't get fixed anytime soon?

Imagine that you have a reasonable amount of money and want to retire to a miniature farm. You order a little brick, two-floor house for yourself and a wooden barn for a cow. You pass the papers from the planner to the building crew without checking them first, and then when the stuff's ready you realize that they made a brick, two-floor barn and a wooden house for yourself.

This is not something you'll fix in a week, assuming the complaints are valid.
Hip Hop
Banned
(02-01-2016, 01:10 AM)

Originally Posted by darkinstinct

They just have to enable server checks which actually are in the game. Seems like they disabled them for performance reasons due to server stress in the beta. Just like they disabled unlimited random side missions and reduced random enemies compared to the alpha.

Yeah, there's an explanation as to why it might not be in the beta. Hopefully it's true

https://www.reddit.com/r/thedivision...eaters/czj1uhi

The game currently does no server side checks to what the client reports. This is commonly used system to detect cheaters. Client and Server both calculate what would happen, when the client tells the server something that does not fit into the calculations of the server, he corrects it. In case of anti cheat, the client gets banned if what he reports falls under cheating violation. That means for example more ammo in a clip than there should be.

So to sum it up: It is not too late for them to 'change the netcode' because

first: they do not need to change it. Hit registration and everything seems to be fine and

second: They only need to switch on the server side checks, this can be done with one button press and was probably disabled in beta due to many reasons:

Money, server do cost something

It's not finished, server side checks still cause bugs/issues

To delay cheaters, they now can not check and develop cheats that get not detected by anticheat because there is no anticheat. A minor problem in a beta that's only one weekend and everything gets reset. They do not want to give them any heads up.

So to everyone who is freaking out and thinks Ubi just "forgot" the anti cheat: They are probably not. This is just a naive way of thinking. They do some fairly big work at Rainbow 6: Siege to fight cheaters, you won't expect they just forgot it in Division (and no I do not want any replies telling me how Siege is riddled with hackers, this is just spread by a vocal minority online here on reddit and is clearly not representative with the state of the game. Ask some high ranked players and you'll see they rarely met any cheaters)

edit: Oh and to add one thing:

Invisible people are affected by a beta bug and in fact not cheating.

Lumination
'enry 'ollins
(02-01-2016, 01:12 AM)
Who designed this? This displays a fundamental misunderstanding of how server client interactions should be handled.

I hope they just don't have server-side validation ready for the beta.
HotHamWater
Member
(02-01-2016, 01:13 AM)
wwm0nkey
Member
(02-01-2016, 01:16 AM)
So with my limited info on networking (just started doing it) it seems like the game's servers trust that the client's info is correct and that the ammo count is just stored on clients. This shouldn't be a hard fix though? Couldn't they just make the ammo count stored on the server itself or at least put checks in so that if the ammo count is something overly stupid it will just correct itself?
Savitar
Member
(02-01-2016, 01:17 AM)
Ubisoft does it again!

And someone was lately saying they were underrated.
