Cheats performed on BZFlag are usually made by modifying your client. A great deal of power is invested in the client program, and therefore the client may cheat in every way from creating invincible tanks, to invisibility, to super killing. If you have seen any cheats, have performed them yourself, or have noticed a hole in the source, please add it here.
List of Known Cheats
A cheater may:
* fly without Wings.
* shoot teammates without blowing them up.
* spawn with a flag (usually Guided Missile or Genocide, but can be anything).
* get any flag on demand (people get the exact flag they need to escape from you!).
* respond differently to gravity.
* move at a different rate (usually faster).
* shoot bullets that travel at a different rate (usually faster).
* hold multiple flags (such as shockwave, cloak, and stealth).
* fire multiple shots (i.e. firing spreads of shots at once).
* cover the field with SW blasts.
* not respond to bad flags.
* move and pick up flags while paused.
* shoot other tanks while paused.
* travel instantaneously to a new location.
* lock on to other players with flags other than Guided Missile (or no flag at all).
* grab a new flag when passing through a teleporter (when no flag exists).
* double jump.
* shoot bullets which cannot be seen on radar or in the HUD.
* cause the bullets of other tanks to explode prematurely.
* be completely invincible.
* be partially invincible, repelling everything but some particular flags (often SW is chosen).
* drive outside of the playing area.
* produce abnormally large shockwave blasts.
* "drag 'n drop", moving from any location to any other at any speed.
* be zoned, but yet still shoot tanks that are not zoned.
* instantly kill everyone else. :-/
* move backwards through buildings with the Oscillation Overthruster.
* produce abnormally long laser blasts (in terms of length and time).
* move through buildings without Oscillation Overthruster.
* jump back briefly to avoid a bullet then return to where you were ("network jitter").
* promote themselves to server administrator and give large bans and kicks.
* be completely invisible (or faded) without cloaking.
* change variables without polling successfully or being an admin.
All the cheats listed above are "blatant" cheats in that they are easy to spot. There is a whole class of "subtle cheats" which are nearly impossible to spot. I'm documenting these cheats on the Subtle_Cheats page. - His Blind Ambition
I compiled such that I see players' IP numbers. I saw a tank that did not display an IP. It also did not display what flag it had, and if you right-clicked on it, it did not say the player or flag. GM could lock on the tank, but far on the left of the screen it would say in red Locked o . . . the rest was off the screen. (possibly due to non-printable characters in the username)
It is also possible to change the size of the tank making it almost impossible to hit except with GM or SW.
Ignoring death - changing != Shield to == Shield
I can't prove it, but I'm pretty sure I've seen some people reload faster than the standard reload time. For example, on a two-shot server, I'll shoot two shots, then the enemy will shoot two, then before I've reloaded, they've shot again. WHAT?
Pretty often you have these "instant-pause" cheaters. They're in a bad situation and -zing- in the next moment they're in pause mode. Sweet.
I once saw a tank which shoots in 8 different directions around . . . this tank also seemed immortal. . . .
A tank that can do several things at the same time, such as shooting a GM and a regular shot while a shockwave surrounded it.
I saw a tank with shots dragging behind it in a line like some mines. . . .
I've been attacked by guided "guided missiles" when having stealth flag
Killing a tank then they respawn behind you in perfect position every time.
For the future: Some very inflexible ways to prevent cheating include MD5 checks.
If you release pre-compiled binaries for several platforms (which you should always), then you could send the MD5 of the current binary being used to the server for verification. There can then be servers for "verified" non-cheaters to play on, and also separate "non-verified" servers for folks who have compiled their own code.
Couldn't a client just hand a preset string and not its actual MD5 hash? Or are there some nifty ways around this? TimRiker has not found one, so this will not be implemented.
What we need to do is get a full server state and let the server decide who is cheating. Remember, we can't trust the client! How about partial server state, where the server uses periodic sanity checks: i.e., player 1 just jumped, does it land where I expect it to? Hey, player 2 just shot 50 rounds/sec!, etc.
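A sketch of the periodic sanity checks suggested above, as an added example that is not BZFlag's own code: the server keeps a small amount of state per player and tests each reported move and shot against its own limits, using its own receive time rather than anything the client claims. The type names, function names and limit values are all hypothetical.

```cpp
// Added example (hypothetical names and limits, not from the BZFlag source).
#include <algorithm>
#include <cmath>
#include <deque>
#include <iostream>
#include <string>

struct Limits {
    double maxSpeed;    // world units per second the server allows
    double tolerance;   // slack factor for lag and jitter, e.g. 1.25
    int    maxShots;    // shot slots per player (2 on a "two-shot server")
    double reloadTime;  // seconds until a used shot slot is free again
};

class PlayerMonitor {
public:
    explicit PlayerMonitor(const Limits& l) : lim(l) {}
    // t is the server's receive time. Returns "" if the update is plausible.
    std::string onMove(double t, double x, double y) {
        std::string v;
        if (hasPos) {
            // Clamp dt so two updates in the same tick cannot hide a teleport.
            double dt = std::max(t - lastT, 0.001);
            double speed = std::hypot(x - lastX, y - lastY) / dt;
            if (speed > lim.maxSpeed * lim.tolerance)
                v = "moved faster than allowed";
        }
        hasPos = true; lastT = t; lastX = x; lastY = y;
        return v;
    }
    // A slot becomes free reloadTime seconds after it was fired.
    std::string onShot(double t) {
        while (!shots.empty() && t - shots.front() >= lim.reloadTime)
            shots.pop_front();
        if (static_cast<int>(shots.size()) >= lim.maxShots)
            return "fired with no shot slot available";
        shots.push_back(t);  // only accepted shots occupy a slot
        return "";
    }
private:
    Limits lim;
    bool hasPos = false;
    double lastT = 0, lastX = 0, lastY = 0;
    std::deque<double> shots;
};

int main() {
    Limits lim{25.0, 1.25, 2, 3.5};          // constructed sample limits
    PlayerMonitor p(lim);
    p.onShot(0.0); p.onShot(0.1);
    std::cout << p.onShot(0.2) << "\n";      // third shot inside reload window
}
```

The tolerance factor is the trade-off: too tight and laggy but honest players are flagged, too loose and modest speed changes pass unnoticed.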
Server-side state checking might cause too much load for the server; how about state checking in the clients? I.e., every client checks the actions of all other tanks that are around, so in the end every tank's action is checked by one or several other tanks for illegal moves.
Well, MD5 checksums aren't that bad an idea. Every time you "make" BZFlag (which will work for compiling from source or using binaries), a collection of MD5s could be made of all the C++ files and their headers. These could then be combined into a single string. The date of the compilation is already recorded, and could be encrypted alongside the MD5 (although not part of it). The server would then compare the MD5 (sent immediately on join) with the server's own MD5 made when it was "make"d. The server can then identify a false client by comparing the encrypted compilation date to the date of client compilation which is public. A client which did not match would NOT be booted, or be prevented from joining, but would be seen as a non-standard, modified, or outdated client. Just a thought. - Happy Tanker