If you guys cannot do anything regarding the client side, this game is dead in a month

I don’t think you understand what a bug is.

Imagine watching a youtuber who has no clue what he is saying, and coming here to make a post about it.
People making a career on YouTube have an interest in generating views even at the cost of spreading misinformation or creating fake news. Don’t believe everything you hear and do your own research.

1 Like

But where is the proof that he is wrong? We all saw the videos of the exploits, he also uploaded a second video proving again that you can have an unending iframe from dodge as long as you freeze your client.

The server is accepting the client's word “I am in iframe for x amount of seconds” depending on how long you drag that window. It clearly shows that the server is not checking in its backend and just accepting the response from the client when the window is released.

If you say he is wrong, prove it with actual proof. Not theory and your understanding of x or y.

edit: btw if it is not like that, where is AGS's response clearing it up? Saying nothing about that just shows something has to be true, otherwise they would have stomped that already with an official statement saying it is not like that.

1 Like

If anyone thinks the invincibility cheat and lag exploits are the end of it, they are grossly mistaken.
Now players are macro-ing what is probably unintended animation cancellation that is realistically too fast to repeatedly do manually – and using it to win in PvP of course.

PvPers are killing off what’s left of PvP after the alpha version of New World.
AGS should just let it die.

1 Like

We live in the age of whataboutism. Everyone claims they know everything about anything. This guy judges video games from the consumer's perspective and has no real background in software/game development, let alone coding in general. I wouldn’t waste my time to research what he is saying.

This youtuber puts “worst mmo ever” in most of his video titles and only makes biased negative reviews of actual good games. Let's all believe what he says and make him a certified expert on MMOs.
He actually has a second channel for the same thing, that literally means he’s just in for the views/ad revenue and couldn’t care less if he’s spreading misinformation about video games or space rockets.
Regarding this topic, I think it’s a bit naive to believe that the game will die in a month considering that AGS releases weekly updates and has multiple teams of software developers working on different bugs at the same time.

1 Like

cheap excuse, but whatever.

We don’t know what is available on the client-side yet for users to exploit, but we know on the basis of some exploits already discovered that the server trusts the client in some aspects. What is happening now is exploiters digging into the communication between client and server to find out what they can exploit. That is why on these issues they only release mitigations, not a proper fix.

The gold dupe on the server transfer was clear evidence that just using an old trick of cutting the communication with the server can prevent some sort of transaction on the server-side from being completed.

Imagine disqualifying all YouTubers without any evidence.

2 Likes

Yes because you need a degree in computer science to cheat.
He is just replaying an exploit that people told him about.

Impossible to prove unless you’re a dev. Even then, it's risky to prove because it’ll involve making public proprietary code. If you say to prove regardless, by extension you are demanding the game go open sourced.

Even a statement is hard because it’ll probably reveal enough information to expose said code to further exploits.

It's like a robber asking the bank to prove that 111 is not the pin to the safe. The bank says/proves it's not, and now the robber knows 111 is not the pin. The robber then asks the bank to prove that 222 is not the pin to the safe… etc. Eventually the robber figures out that 123 is the pin without the bank even telling the robber or the robber asking straight up what the pin to the safe is.

The game will die Nov 23rd at exactly 7:34 PM.
Plan accordingly.

1 Like

I don’t know what exactly streamers or YouTubers people refer to, they always put all in one pack ignoring they are different people with different backgrounds.

The tests themselves on exploits already discovered already prove the meanings, don’t even need to see the code for it. It is an old trick faced by many games and applications in the past and until today.

The current exploits discovered do not fit this example.

We can’t say when or if it will die. The loss of player trust can be the most devastating thing to the game.

The window dragging exploit is just the tip of the iceberg, there are also videos where you can have unlimited space in your storage and inventory …

Here’s the thing, without access to the code itself, every single thing said by every single person in this universe with regards to what the client and server are doing, is speculative. Thereby, the most we can say is a “maybe, perhaps or most likely”. Anyone saying that it is “definitely, confirmed, guaranteed or without a doubt” is borderline dishonest.

ESO has run on trusted client for years. Many games do and it is possible to do it with minimal player corruption. Regardless of how things are set up people will always find a way to exploit it. What may happen, which happened in ESO, is that more and more checks will be moved to the server. This does cause a detriment to performance though. They will also be able to further calibrate anti-cheat to stop these issues and, better than that, catch those who choose to cheat/exploit.

1 Like

No, it is not.

Let's take, for example, the “invincibility” exploit. When you are in window mode and shake it, the client “pauses” the game, it stops the application, and with this, it stops sending information to the server, so the server thinks the user is offline and stacks the requests sent by other players until it has any updates from this client that is just “paused”. Which is unacceptable; the server should do the calculation of what the player character is doing by itself. If you played any other MMO, when you lag or disconnect, you just appear dead, because the server does not trust you to say what you are doing or where you are. If you stop sending commands to the server to say what you want to do now, the server doesn’t care if you lost connection; for the server you are just an AFK character, and all the damage to you is processed normally as the other players or NPCs hit you.

What you are saying about reading the source code are details of implementation that do not change the fact of how the application works in a certain aspect. How you implement your field validation in a form on your website at a code level does not change the fact that when you insert invalid data, the error appears to tell the user the data is invalid. You can just debug the communication with the server and take a look at the source code of the page in your browser to see how this validation works, if it is made server-side or client-side and if I can bypass it by calling the URL directly in the case the validation is done in the browser and not double-checked by the server.

It is how exploits are discovered and abused, you just need to find the means to do it, you do not need to read line by line of the source code to guess it.

2 Likes

I know people are cheating.
It is easy to prove: If you beat me in PvP you’re cheating.(1)

Q.E.D.

NOTES

1: My server is overrun with cheaters, btw.

We don’t know what’s being kept on the client yet, which is why it’s not total doomsday, but we can infer some things…

  • The game state updates are handled in the same thread as the UI, which is why moving the screen stops state updates taking effect.
  • State changes are handled by the client not the server (I’m invincible, I’m no longer invincible, etc). Which is why freezing the message pump when you are invincible keeps you invincible.
  • The server therefore isn’t running checks against player state, so no checks that you aren’t invincible forever. You can also see this with the animation canceling light attacks. If the server was enforcing a set time between attacks, the animation canceling wouldn’t work.
  • Assumption: During combat, the server is really just a message passing system, and it’s a stateless cluster. Meaning that to enforce checks on player state, each element in the cluster would have to share information about every player it was passing messages for. This is really hard to make performant, as can be seen in the Wars. The AoE collision algorithms aren’t performant on the server when determining which players should receive messages about the AoE damage, resulting in lag.
  • If all this is true, then replay attacks are the best way to start fooling the game. Break the packet encryption the game is using, then just keep telling it the client did a reasonable amount of damage every frame until your target is dead.

Some of this can be mitigated by AGS serverside, at the cost of some performance and more crucially, at the risk of making more bugs later. IF (as I suspect) the server side is just doing message passing, they should remove the end effect triggers from the client and instead spawn actors serverside to handle it instead (basically use AWS Lambda, that’s what it does!), let them trigger status end effects. They can also add message filtering to stop the worst of the animation canceling / replay exploits. Basically if the server receives two messages to do damage in too short a space of time, discard the last one, and tell the client it was rejected.

The game state updates being in the same thread as the UI though? That’s a serious overhaul needed I’d reckon.

I don’t think we’ve seen any client side item duping yet (or at least I haven’t seen any), so the client might not be authoritative for that, it could only just be combat.

Caveats: All this is speculation based on my own knowledge and experience, and what we’ve seen from the current round of exploits (and more tellingly, the attempted fixes). Take with as many grains of salt as you wish.

3 Likes
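
An added example, not part of any post above and not AGS code: a minimal server-authoritative combat check of the kind the posts describe, where the server ends the dodge invulnerability on its own clock, keeps applying damage to a client that has gone silent, and discards damage messages that arrive faster than a cooldown. The class, the constants and the timeline are all hypothetical.

```python
from dataclasses import dataclass

# Assumed tuning values, chosen only for this illustration.
IFRAME_SECONDS = 0.5      # server-owned invulnerability window after a dodge
ATTACK_COOLDOWN = 0.4     # minimum time between two light attacks
LIGHT_ATTACK_DAMAGE = 20  # damage is looked up server-side, never client-supplied

@dataclass
class Player:
    hp: int = 100
    iframe_until: float = 0.0
    last_attack: float = float("-inf")

class CombatServer:
    """`now` is the server's clock (time.monotonic() in a real loop)."""
    def __init__(self, names):
        self.players = {n: Player() for n in names}

    def on_dodge(self, name, now, claimed_duration=None):
        # Whatever duration the client claims is ignored; the server sets
        # the expiry, so a frozen client cannot extend it by staying silent.
        self.players[name].iframe_until = now + IFRAME_SECONDS

    def on_attack(self, attacker, target, now):
        a, t = self.players[attacker], self.players[target]
        if now - a.last_attack < ATTACK_COOLDOWN:
            return "rejected: cooldown"   # message filtering; tell the client
        a.last_attack = now
        if now < t.iframe_until:
            return "miss: target invulnerable"
        t.hp = max(0, t.hp - LIGHT_ATTACK_DAMAGE)
        return "hit"

def run_demo():
    # Constructed timeline: A dodges claiming 60 s of invulnerability, then
    # A's client freezes and sends nothing more.
    srv = CombatServer(["A", "B"])
    srv.on_dodge("A", now=0.0, claimed_duration=60.0)
    results = [
        srv.on_attack("B", "A", now=0.2),  # inside the real i-frame window
        srv.on_attack("B", "A", now=0.3),  # too soon after the last attack
        srv.on_attack("B", "A", now=1.0),  # window expired on the server clock
    ]
    return results, srv.players["A"].hp

if __name__ == "__main__":
    print(run_demo())
```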

You are dead set on this being definitively without question, beyond all doubt, working exactly as you assume it is working. You give no room that it might just be a bug or a flaw in logic somewhere, that what is happening is not supposed to happen.

The only thing you can do without access to the code itself is infer and speculate.

The exploit exists because we know how it works. You can deny as much as you can.