Question about a few ACE logs

[UT Sniper (SJA94)]

I have a few logs that I would like to check if they are cheats, because all the sshots failed to create, I wanted to be sure before I banned anyone.
I only just got the ftp account and fixed the problem with ace not making sshots.

[ACEv08h]: | Player Kick |
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: PlayerName...: xxxxxxx
[ACEv08h]: PlayerIP.....: xxxxxxxx
[ACEv08h]: OS...........: Microsoft Windows 7/2008 R2 x64 (Version: 6.1.7601)
[ACEv08h]: CPU..........: AMD E-450 APU with Radeon(tm) HD Graphics
[ACEv08h]: CPUSpeed.....: 1648.447343 Mhz Measured - 1650.141511 Mhz Reported
[ACEv08h]: NICDesc......: 802.11n Wireless LAN Card
[ACEv08h]: MACHash1.....: 6018B5A9C5BBCD26D0F04
[ACEv08h]: MACHash2.....: 7C8F657C6AD5615BEA4E959C
[ACEv08h]: HWID.........: 703051756D4
[ACEv08h]: UTVersion....: 436
[ACEv08h]: Renderer.....: OpenGLDrv.OpenGLRenderDevice
[ACEv08h]: SoundDevice..: Galaxy.GalaxyAudioSubsystem
[ACEv08h]: CommandLine..:
[ACEv08h]: KickReason...: VTable Hook
[ACEv08h]: TimeStamp....: 06-12-2013 / 18:15:18
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: | Extra Info |
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: ModuleHandle.: 0x10300000
[ACEv08h]: ModuleName...: Engine.dll
[ACEv08h]: HookedObject.: ActorChannel Transient.ActorChannel685
[ACEv08h]: HookedEntry..: 0
[ACEv08h]: Found........: 0x0D282640 -> Unknown Module!Unknown Function+0x0000
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: ModuleHandle.: 0x10300000
[ACEv08h]: ModuleName...: Engine.dll
[ACEv08h]: HookedObject.: ActorChannel Transient.ActorChannel685
[ACEv08h]: HookedEntry..: 1
[ACEv08h]: Found........: 0x00000001 -> Unknown Module!Unknown Function+0x0000
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: ModuleHandle.: 0x10300000
[ACEv08h]: ModuleName...: Engine.dll
[ACEv08h]: HookedObject.: ActorChannel Transient.ActorChannel685
[ACEv08h]: HookedEntry..: 2
[ACEv08h]: Found........: 0x0D283F00 -> Unknown Module!Unknown Function+0x0000
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: | Screenshot Status |
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: Success......: FALSE
[ACEv08h]: FileName.....: ../Shots/[ACE] - nn_----I----N----S----T----A----M----A----N----I----A----_-=Rp_sXc=-_2013.12.06.18.15.18_DM-ViridianDreamsXL_xxxxxx.jpg
[ACEv08h]: Error........: Couldn't create file
[ACEv08h]: +---------------------------------------------------------------+

[ACEv08h]: | Player Kick |
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: PlayerName...: xxxx
[ACEv08h]: PlayerIP.....:xxxxxxxxx
[ACEv08h]: OS...........: Microsoft Windows XP x86 (Version: 5.1.2600)
[ACEv08h]: CPU..........: Intel(R) Celeron(R) CPU 2.53GHz
[ACEv08h]: CPUSpeed.....: 2532.056630 Mhz Measured - 2533.330939 Mhz Reported
[ACEv08h]: NICDesc......: Adaptador Fast Ethernet compatible VIA - Minipuerto del administrador de paquetes
[ACEv08h]: MACHash1.....: A169A110303DB435BDD74F6854
[ACEv08h]: MACHash2.....: C21EC787F69027B586D9E5
[ACEv08h]: HWID.........: 3AAEC5690E445E86ADFC
[ACEv08h]: UTVersion....: 436
[ACEv08h]: Renderer.....: D3D9Drv.D3D9RenderDevice
[ACEv08h]: SoundDevice..: Galaxy.GalaxyAudioSubsystem
[ACEv08h]: CommandLine..:
[ACEv08h]: KickReason...: VTable Hook
[ACEv08h]: TimeStamp....: 30-10-2013 / 16:34:59
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: | Extra Info |
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: ModuleHandle.: 0x10300000
[ACEv08h]: ModuleName...: Engine.dll
[ACEv08h]: HookedObject.: ActorChannel Transient.ActorChannel6242
[ACEv08h]: HookedEntry..: 0
[ACEv08h]: Found........: 0x03D0C180 -> Unknown Module!Unknown Function+0x0000
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: ModuleHandle.: 0x10300000
[ACEv08h]: ModuleName...: Engine.dll
[ACEv08h]: HookedObject.: ActorChannel Transient.ActorChannel6242
[ACEv08h]: HookedEntry..: 1
[ACEv08h]: Found........: 0x00000001 -> Unknown Module!Unknown Function+0x0000
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: ModuleHandle.: 0x10300000
[ACEv08h]: ModuleName...: Engine.dll
[ACEv08h]: HookedObject.: ActorChannel Transient.ActorChannel6242
[ACEv08h]: HookedEntry..: 2
[ACEv08h]: Found........: 0x03B81490 -> Unknown Module!Unknown Function+0x0000
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: | Screenshot Status |
[ACEv08h]: +---------------------------------------------------------------+
[ACEv08h]: Success......: FALSE
[ACEv08h]: FileName.....: ../Shots/[ACE] - nn_----I----N----S----T----A----M----A----N----I----A----_-=Rp_sXc=-_2013.10.30.16.35.00_CTF-BedroomsSE[ELC]_.jpg
[ACEv08h]: Error........: Couldn't create file
[ACEv08h]: +---------------------------------------------------------------+

[$carface]

I would treat these as false.

[Chamberly]

I've seen something like this before but I tried searching, I don't see much of anything that is exactly the same... There has been a few posted for request and they said that it is false positive... which I think that they might be as well. But that's just my opinion and should not take it seriously. I may got the wrong info.

Searched:
http://www.unrealadmin.org/forums/archi ... 29985.html
http://www.unrealadmin.org/forums/archi ... 30517.html
http://www.unrealadmin.org/forums/archi ... 30210.html
http://www.unrealadmin.org/forums/archi ... 31097.html

[Wises]

vtable hooks are hacks.

[TheDane]

unknown module like this looks like a 99,9999999% hack. Just ban the player and if he/she complains send him/her a legit version of the Engine.dll file to join your server with. Since it's an unknown module it is certainly a hacked version of the game in the first place and not released by Epic, so why does the player use this and how did he/she obtain it? If you use malware you Loose the right to complain about compatibility problems.

[anth]

false positive. the vtable scanner I used up till v0.8h had to "guess" what the size of the vtables was. This is the most common case where that algorithm failed. I rewrote the vtable scanner for v0.9 though

[Wises]

i stand corrected.. getting rusty.

also anths.. would you be able to add ability to use different WAN ip in newer version. as it only allows for 10.x / 192.168.x currently.

this is due to microsoft being clever with their cloud based services wgich use different WAN IP's from the norm..

thanks..

btw we have made a nasty fix for our version 8h to address this issue and have got it working... whilst awaiting a future revission at some stage.

Edit---------------------------------- by papercoffee

also re: the unfortunate 'false positive' issue above.. how would admins whitelist these events so the ^ players can be allowed to connect to the server..?.. or is trying to advise them to use different version of engine.dll the only way of getting sround this.. currently..

maybe you can whitelist it your end.. or dies this issue require a total update.. v9c for example.

No double posts!!! ...

[UT99.org]

i stand corrected.. getting rusty.

Who is rusty here ?

We have a fun play together on a assault server we can do it again
unreal://178.32.72.37:7777/?password=eric Tuesday and Friday 21.00 CET

If other player want to come play Assault you can to

[UT Sniper (SJA94)]

Thanks for the advice

[Wises]

i stand corrected.. getting rusty.

Who is rusty here ?

I made the statement that Vtable Hooks were hacks..

where Anths corrected me by stating above

thats all..

[TheDane]

false positive. the vtable scanner I used up till v0.8h had to "guess" what the size of the vtables was. This is the most common case where that algorithm failed. I rewrote the vtable scanner for v0.9 though

Is it me or did you just dig a big hole there for the cheaters to abuse? I guess it's safe to say now that you can't prove anything by banning for vtable. Why not just release v9c then? Most server admins has it already and it seems to work fine?

[$carface]

false positive. the vtable scanner I used up till v0.8h had to "guess" what the size of the vtables was. This is the most common case where that algorithm failed. I rewrote the vtable scanner for v0.9 though

Is it me or did you just dig a big hole there for the cheaters to abuse? I guess it's safe to say now that you can't prove anything by banning for vtable. Why not just release v9c then? Most server admins has it already and it seems to work fine?

It's pretty easy, at least for me to have a good understanding whether or not a client is cheating with vtable. Most of the time just check the offset and hooked object

[Wises]

either way... they still get kicked.. and unless they come to (The Forums) they are likely to play elsewhere?
so there is probably a need for either a whitelisting feature / patch fir these types of VTable Hooks or.. lose players?

[papercoffee]

Wises has a good point there ...I (as player) would stop visiting a server where I get kicked for no reason.

[Chamberly]

false positive. the vtable scanner I used up till v0.8h had to "guess" what the size of the vtables was. This is the most common case where that algorithm failed. I rewrote the vtable scanner for v0.9 though

Is it me or did you just dig a big hole there for the cheaters to abuse? I guess it's safe to say now that you can't prove anything by banning for vtable. Why not just release v9c then? Most server admins has it already and it seems to work fine?

Where exactly are these servers? You are they aren't the beta tester? Those who aren't the beta tester aren't suppose to have it.

There is a lot of problem that was told in Unreal Admin, varies from OS support to couple of generated kick. Not many peoples would be able to play.