2008/5/8 Ronny Schedel <[EMAIL PROTECTED]>:
> You can fuck up every game. The name can be in the first place, at the
> second (killed event, attacked event) and in the last place (flag capture,
> point capture). The example is from TF2, but you also have a similar log
> line in DODS when you capture a flag. It is not possible to catch this abuse
> by a program, forget it.

I don't use regex. I process the line using substr and index mainly (perl).

Let's take a line you'd usually see a problem with:

L 05/08/2008 - 16:51:00: "player1<21><STEAM_0:1:345><TERRORIST>"
attacked "player2<23><STEAM_0:1:5432><CT>" with "deagle" (damage "18")
(damage_armor "3") (health "82") (armor "97")

So how would I decode it? Of course first take the timestamp and
decode it. Remove it from the line:

"player1<21><STEAM_0:1:345><TERRORIST>" attacked
"player2<23><STEAM_0:1:5432><CT>" with "deagle" (damage "18")
(damage_armor "3") (health "82") (armor "97")

Now I see you're using quotes to take player 1 and player 2. But we
know they can be faked. So forget about them.

So now we can pull info backwards. That part is reliable at least. So
armor = 97. Remove it from the line:

"player1<21><STEAM_0:1:345><TERRORIST>" attacked
"player2<23><STEAM_0:1:5432><CT>" with "deagle" (damage "18")
(damage_armor "3") (health "82")

Health 82, remove it from the line

"player1<21><STEAM_0:1:345><TERRORIST>" attacked
"player2<23><STEAM_0:1:5432><CT>" with "deagle" (damage "18")
(damage_armor "3")

damage_armor 3, remove it from the line

"player1<21><STEAM_0:1:345><TERRORIST>" attacked
"player2<23><STEAM_0:1:5432><CT>" with "deagle" (damage "18")

damage 18 remove it

"player1<21><STEAM_0:1:345><TERRORIST>" attacked
"player2<23><STEAM_0:1:5432><CT>" with "deagle"

We get weapon "deagle" remove

"player1<21><STEAM_0:1:345><TERRORIST>" attacked
"player2<23><STEAM_0:1:5432><CT>"

We have 2 players and the reason. Now to a certain extent there is a
possibility to fraud. But, on the whole I am not so sure.

We can get the team name of player 2. It's safe they can't mess with that. CT

"player1<21><STEAM_0:1:345><TERRORIST>" attacked "player2<23><STEAM_0:1:5432>"

Steam ID also

"player1<21><STEAM_0:1:345><TERRORIST>" attacked "player2<23>"

Slot ID

"player1<21><STEAM_0:1:345><TERRORIST>" attacked "player2"

Now we have the problem. They COULD put "attacked" in their name. But
we can check for more than one use of "attacked" or if other "reason"
codes were used within context (outside the quoted area we expected).
I could at this point just issue a kick on the player (by steam ID or
slot ID which we reliably have already remember). Or I can ignore the
line. Provided I can ascertain the reason safely (and it would take
elaborate work to deceive) we've got player name. Now by the way
quotes in the name don't matter. I worked from the first instance of
"attacked" outside what I believe to be player 1's info. So now I have
player 2's name

"player1<21><STEAM_0:1:345><TERRORIST>" attacked

We had already pulled reason, but now we remove it from the string.

"player1<21><STEAM_0:1:345><TERRORIST>"

Now it's even easier. We retrieve team, ID and slot in the usual way.
and what's left is the player name.. e.g. it couldn't be spoofed at
all.

Worst that can happen is through some elaborate naming (NOT JUST
quotes) we ignore the line, or boot the player from the server. Hell
you can even issue an amx/adminmod command to force them to change
their name.

It's been running forever and I've not seen anything get past it. And
looking at the player join logs (also pulled using the log listener) I
see plenty of names with single quotes double quotes > and < in the
names.

Maybe TF2 has some tougher obstacles to overcome. Like I say it's not
something I've looked into.

Certainly nothing interrupts the running of this script. Its maximum
non stop running time was 5 months once (interrupted due to server
reboot). Sure enough server has been up 9 days, process was started on
boot (process number 185).

It is possible to either safely parse a line, or ignore it at the very
worst case if it's a blatant attempt to spoof info.

Hope this walloftext has explained what I meant.
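
The right-to-left walk described in this message, as an added example that is not part of the original post and not the poster's Perl script; Python's str.rfind and slicing stand in for index and substr. The function names, the fixed 25-character timestamp prefix and the rule of ignoring any line where the quoted verb appears more than once are assumptions, and the second and third sample lines are constructed.

```python
# Added example (not the poster's Perl script): right-to-left parse, no regex.
SEP = '" attacked "'   # closing quote of player 1, verb, opening quote of player 2
TAIL = '" attacked "player2<23><STEAM_0:1:5432><CT>" with "deagle" (damage "18")'
# The page's sample line, re-joined onto one line.
PAGE_LINE = ('L 05/08/2008 - 16:51:00: "player1<21><STEAM_0:1:345><TERRORIST>'
             + TAIL + ' (damage_armor "3") (health "82") (armor "97")')
# Constructed: name carries fake slot/ID/team fields and a stray quote.
FAKE_FIELDS = ('L 05/08/2008 - 16:51:00: "ev"il<1><STEAM_0:0:1><CT>'
               '<21><STEAM_0:1:345><TERRORIST>' + TAIL)
# Constructed: name carries the separator itself.
FAKE_VERB = ('L 05/08/2008 - 16:51:00: "a<9><STEAM_0:0:9><CT>" attacked "b'
             '<21><STEAM_0:1:345><TERRORIST>' + TAIL)

def peel_field(s):
    """Strip one trailing <...> field; return (rest, value)."""
    i = s.rfind('<')
    if i < 0 or not s.endswith('>'):
        raise ValueError('missing <field>')
    return s[:i], s[i + 1:-1]

def peel_player(s):
    """s is '"name<slot><steamid><team>' with the closing quote already gone."""
    s, team = peel_field(s)
    s, steamid = peel_field(s)
    s, slot = peel_field(s)
    if not slot.isdigit() or not s.startswith('"'):
        raise ValueError('bad player block')
    return {'name': s[1:], 'slot': int(slot), 'steamid': steamid, 'team': team}

def parse_attack(line):
    """Return the parsed event, or None when the line has to be ignored."""
    if line[:2] != 'L ' or line[23:25] != ': ':
        return None
    s, props = line[25:].rstrip(), {}
    try:
        while s.endswith('")'):                 # trailing (key "value") blocks
            i = s.rfind(' (')
            if i < 0:
                return None
            key, val = s[i + 2:-2].split(' "', 1)
            props[key], s = val, s[:i]
        i = s.rfind(' with "')                  # weapon is the last quoted token
        if i < 0 or not s.endswith('"') or s[:i].count(SEP) != 1:
            return None                         # verb spoofed or missing: ignore
        weapon, s = s[i + 7:-1], s[:i]
        left, right = s[:-1].split(SEP)
        return {'attacker': peel_player(left), 'victim': peel_player('"' + right),
                'weapon': weapon, 'props': props}
    except ValueError:
        return None
```

A None result is the "ignore the line" outcome; the caller decides whether to also act on the slot or Steam ID.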
