http://www.mpcforum.com/showthread.php?248972-SourceMod-Speedhack
According to this glitch from a few years ago, the client controls its own speed; the server controls it only indirectly (through variables on which the client then bases its decisions). VALVe fixed the glitch by applying a
client-side patch to prevent certain server mods running on the client from giving server-like capabilities.
Fast forward to now, and I bet that this is still the case; however, security has only been tightened up on the client side. What if we could fool the client into thinking that cheats are enabled?
Easy: intercept the packets sent from the server to the client, find out where sv_cheats is controlled, and change it; then the gateway to all the other cheats is open (assuming the security flaw still exists, which it most likely does).
I connected to my server 4 times, alternating between cheats and no cheats. I now have data across the 4 connections and made a program to compare packets. We need to examine which packets differ and in what way across the 4 different connections to my server. I noticed that I could see if identical packets from one stream existed in other streams, and this appears to be the way to go.
I have to find out when the packet controlling cheats comes in. Consider two facts: (1) you get a warning message for cvars or commands you cannot change, and (2) you can set sv_cheats to 1 and run cheat commands client-side until it's reverted when joining a server. The solution: make a looping script to run the thirdperson command; doing so will cause a message to appear in the console once the client loses permission to run the command.
I connected to any old server with the script running, and here are the console results:
Can't change replicated ConVar sv_cheats from console of client, only server operator can change its value
go
Can't change replicated ConVar sv_cheats from console of client, only server operator can change its value
go
Team Fortress
Map: pl_thundermountain
Players: 24 / 25
Build: 4833
Server Number: 17
Can't use cheat command thirdperson in multiplayer, unless the server has sv_cheats set to 1.
Can't change replicated ConVar sv_cheats from console of client, only server operator can change its value
go
Can't use cheat command thirdperson in multiplayer, unless the server has sv_cheats set to 1.
go
go
go
"go" is said every time the script runs, which is about 3 times per second.
First, notice how the client can't change sv_cheats. Then, notice when they stop appearing. Once I disconnected, I would then be able to set sv_cheats on as the server no longer dictates what I can and can't do.
The thirdperson command will stop running once sv_cheats is off, and I started off with them on. This means that the sv_cheats variable is transmitted from the server right after the data part. I happened to disconnect at a good time, no less than 2 seconds after the server sent the sv_cheats variable. Since I had the packet capture open at the same time, I now know to look towards the end of the stream to find what controls sv_cheats.