ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[TF2] HUD Exploit that bypasses sv_cheats 1 commands #3734

Closed Jofre-Problem closed 2 years ago

Jofre-Problem commented 2 years ago

There is a HUD element called "Sliders" which, if its cvar is set to an sv_cheats 1 command, allows that command to be used, and so makes it work on servers like Casual and Community ones.

Here is a video example: Video

Here is an image example: Screenshot (124)

Probably this TF2 bug has been there since the beginning. If you need more info, please let me know!

If this gets fixed, I would really like to be in the credits!

Jofre-Problem commented 2 years ago

I didn't check if this works on other Source games. I also didn't check if this works in Comp.

Esoterism commented 2 years ago

Sorry for being stupid, but what exactly can you do with sv_cheats in Casual mode? I mean, it's not like you can god mode, right?

Jofre-Problem commented 2 years ago

I don't really know what the limits are, but most commands that worked were related to visual stuff and misc stuff; you can even manipulate host_timescale and get 1500 ping. And no, the god command doesn't work.

wgetJane commented 2 years ago

Please don't fix this yet, I haven't performed some trolling with it yet.

Nopey commented 2 years ago

CvarToggleCheckButton is also affected.

shaiko2k commented 2 years ago

For the CVar slider, only console commands with numerical values can bypass the sv_cheats requirement.

jh34ghu43gu commented 2 years ago

Can confirm it works.

Sorry for being stupid, but what exactly can you do with sv_cheats in Casual mode? I mean, it's not like you can god mode, right?

A friend and I went through the list of cvars, and the most damning thing you can do with this is give yourself discount walls, among other smaller things like fullbright. High priority bug imo.

AzureWoof commented 2 years ago

Hi.

I've been watching this thread for a while. I've been doing a lot of testing with this relating to what it can and cannot do. Seeing as the exact method to accomplish this was posted to a popular cheating forum earlier today, I think that now is the best time to post my findings.

I'd like to preface this by saying this: This is an extremely broken exploit that must be patched ASAP. I think the main reason this has stuck around for so long without much attention is because OP didn't really explain it as well as they could've. I'd like to urge you to forward this as soon as possible to prevent imminent rampant cheating with no consequences.

Of course, this exploit won't have any extreme effect on the servers themselves. It only bypasses commands on the client. Anything that would have a significant effect on the server itself cannot be accomplished with this exploit. However, it still can be heavily abused, and can provide an unfair advantage in multiple scenarios.

I will be referring to the official list of TF2 console commands and variables available on the Valve developer wiki, which you can find here: List of TF2 console commands and variables


1.) Reproduction

This can be reproduced in two ways, both through editing a custom HUD. I will not go through the specifics of how to implement this into a HUD. The first method is by applying a restricted command to a slider. You can create new sliders and it will still work. In this example, I've applied "sv_cheats" to the slider, which will allow me to use it to force its value to "1" while in a match.

    "HudCheats"
    {
        "ControlName"                   "CCvarSlider"
        "fieldName"                     "HudCheats"
        "xpos"                          "5"
        "ypos"                          "40"
        "zpos"                          "3"
        "wide"                          "55"
        "tall"                          "20"
        "proportionaltoparent"          "1"
        "labeltext"                     ""
        "textAlignment"                 "west"
        "font"                          "nüBold10"
        "AllCaps"                       "1"
        "smallcheckimage"               "1"

        "sound_depressed"               "UI/buttonclickrelease.wav" 
        "button_activation_type"        "1"

        "cvar_name"                     "sv_cheats"
        "use_convar_minmax"             "1"
    }

The second way this can be reproduced is through editing an existing instance of "CvarToggleCheckButton", which means that this exploit is no longer restricted to commands with numerical values, although I haven't found any problematic uses for this as of yet. Attempting to create a new instance of the button will cause the exploit to not work.

Here, I replace an existing instance of the button through the "IgnorePartyInvites" section located in MatchMakingPingPanel.res. I enable a cheat command that does not have a numerical value: "camortho", which enables an orthographic camera. This is usually used for mapmakers to take flat pictures of their maps from the top of the map itself.

    "IgnorePartyInvites"
    {
        "ControlName"                   "CvarToggleCheckButton"
        "fieldName"                     "IgnorePartyInvites"
        "xpos"                          "5"
        "ypos"                          "55"
        "zpos"                          "3"
        "wide"                          "208"
        "tall"                          "20"
        "proportionaltoparent"          "1"
        "labeltext"                     "Enable orthographic camera"
        "textAlignment"                 "west"
        "font"                          "nüBold10"
        "AllCaps"                       "1"
        "smallcheckimage"               "1"

        "sound_depressed"               "UI/buttonclickrelease.wav" 
        "button_activation_type"        "1"

        "cvar_name"                     "camortho"
    }

2.) VAC can't detect abuse of this

Yes. You heard me right. You cannot be VAC banned for using this exploit on VAC secured servers. It's just a hud modification after all. VAC doesn't care about cvar bypassing by itself. Some community-made anti-cheats may detect this, though. The more people that know about this, the more it will be abused. Due to what I mentioned previously, I do believe that this should be focused on and patched as soon as possible.


3.) This exploit bypasses more than just "cheat" commands; it bypasses "devonly" and "hidden" commands too

Legend from the Valve Developer Wiki

This legend states the 3 command types: Normal, Hidden, and Devonly. The same types apply to cheat commands, as shown on the right side of the legend. For the sake of simplicity, we'll just focus on the right side.

OP claimed that this exploit bypasses cheat commands. This is true. Creating a slider with the command "sv_cheats 1" will cause that command to get bypassed when dragging the slider to set its value to 1. The sv_cheats command is listed as a "cheat" command, and isn't hidden from the client, and isn't devonly. So, this confirms that it bypasses commands labeled as a cheat. (Using it to bypass sv_cheats will allow the client to run other commands clientside that can give them an unfair advantage.)

Now, what else can it do? Well, remember what I said about the 3 command types? Yeah, it bypasses literally all of them. Even the ones marked as "devonly" and "hidden".

Devonly commands are described as such: "Commands/variables flagged devonly cannot be run, queried or modified via the console in release builds of the game (without the use of plugins)." Through this exploit, you can, in fact, run these commands in release builds of the game. Not all of them work; just as before, you don't really have full access to any commands that could potentially harm game servers. But all of the client-based commands work.

An example of a devonly (and hidden) command that works is "cl_interpolate", not to be confused with "cl_interp". cl_interp is a different command responsible for changing interpolation latency on the client, which is usable by default (and is heavily restricted). cl_interpolate, on the other hand, is also responsible for changing interpolation on the client. However, instead of changing the latency of the interpolation, cl_interpolate enables / disables interpolation entirely. The command is set to 1 by default, and slapping it on a slider allows you to change it to 0. Doing this will cause every player's animations on the server to look choppy, but you'll see their exact positions as processed by the server. The command itself is relatively harmless, but I'm just using it as an example.


4.) Commands that are abusable

All of the following commands can be entered through the developer console manually once the player bypasses sv_cheats with the exploit.

"r_drawothermodels" is a command that is responsible for different rendering modes for entities on the server. By default, it's set to 1. Setting it to 2 will cause you to be able to see these specific entities through walls. This includes players and most projectiles. The caveat is that everything becomes a bright cyan color, which means it is impossible to tell which team the player you're looking at is even on. This can be remedied by creating a toggle to quickly switch the command's number between 1 and 2, along with using game sense to predict what team the player you're looking at is on.

"snd_show" renders all active sound effects in a list on your screen when set to 1. Using it in conjunction with "snd_visualize" set to 1, you'll be able to see where sound effects are coming from on the map in real time. Typically, it's way too messy to even get much use out of it, especially considering that the previous command does a better job at showing players through walls. However, this combo does allow you to track down and kill invisible Spies, which the previous command cannot do. To find an invisible Spy, you enable the previous command alongside these two commands. You look for the sound effect labeled as footsteps, and if there's no cyan model to accompany it, then it's an enemy Spy. They need to be moving for this to work. (Friendly Spies still show up as cyan when cloaked, as they never fully go invisible for you.)

"cl_pitchup" and "cl_pitchdown" being set to an extremely high value will allow you to look in any direction you want, as well as being able to look upside down. This causes quite a few issues. Your model itself obviously isn't able to accommodate the directions you're looking in, so you're either stuck visually looking up or down when looking upside down and behind you. This means that you can bait an enemy Spy into trying to "backstab" you, when in reality you're facing them through your back. When they try to stab you, you'll take 40 damage, aaaand that Spy just revealed themselves to everyone around them because they genuinely thought that they'd get an easy kill.

Besides that and being able to shoot behind you while looking upside down, you can also cause taunts to do weird stuff. Initiating a moving taunt while looking upside down will cause it to move backwards, even if it's designed not to. Initiating a partner taunt while looking upside down will cause the "accept taunt" hitbox to be behind you facing the wrong direction, so you can bait teammates / enemies into trying to accept a taunt they have no chance of actually accepting unless they know what you're doing. Kind of funny, but serves no practical use.


Closing thoughts

That about wraps up everything I've found. It's nothing too extreme, but you do pretty much get free VAC-proof wallhacks, access to almost any client command, and a way to make Spy players hate their lives even more. Please patch this when possible. Thanks again.
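The two reproduction snippets above (section 1) and the devonly point (section 3) boil down to one thing: a VGUI control that writes a cvar directly never passes through the console path that enforces cheat and devonly flags. A community anti-cheat or a server operator reviewing a submitted custom HUD can catch that statically by parsing the .res files and checking every CCvarSlider / CvarToggleCheckButton's cvar_name against the cvar's flags. The script below is an added example, not code from the Source-1-Games repository or from anyone in this thread. It assumes the .res files are standard Valve KeyValues text (quoted keys and values, nested braces, // comments) and uses a constructed flag table built only from the cvars named in the thread; a real scanner would take the flags from a `cvarlist` dump of the game instead of this hand-written list. The sample .res content is constructed for the example.

```python
"""Scan Source-engine HUD .res files for UI controls bound to cvars that the
developer console would refuse to set (cheat cvars with sv_cheats 0, devonly
cvars always). Added example; not code from the Source-1-Games repository."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

CHEAT = "cheat"
DEVONLY = "devonly"

# Assumed flags for the cvars named in the thread (constructed for this example;
# not an authoritative list, take real flags from a `cvarlist` dump).
CVAR_FLAGS: Dict[str, frozenset] = {
    "sv_cheats": frozenset({CHEAT}),
    "r_drawothermodels": frozenset({CHEAT}),
    "snd_show": frozenset({CHEAT}),
    "snd_visualize": frozenset({CHEAT}),
    "cl_pitchup": frozenset({CHEAT}),
    "cl_pitchdown": frozenset({CHEAT}),
    "camortho": frozenset({CHEAT}),
    "host_timescale": frozenset({CHEAT}),
    "cl_interpolate": frozenset({DEVONLY}),
}

# The two VGUI controls the thread identifies as writing a cvar directly.
CVAR_CONTROLS = {"ccvarslider", "cvartogglecheckbutton"}

# KeyValues tokens: a // comment, a quoted string, a brace, or a bare word.
_TOKEN = re.compile(r'//[^\n]*|"((?:[^"\\]|\\.)*)"|([{}])|([^\s{}"]+)')


def tokenize(text: str) -> Iterator[str]:
    """Yield KeyValues tokens with quotes stripped and comments dropped."""
    for m in _TOKEN.finditer(text):
        if m.group(0).startswith("//"):
            continue
        if m.group(1) is not None:      # quoted string (may be empty, e.g. labeltext "")
            yield m.group(1)
        else:
            yield m.group(2) or m.group(3)


def _parse_block(it: Iterator[str]) -> Dict[str, object]:
    """Parse `key value` / `key { ... }` pairs until the closing brace or EOF."""
    block: Dict[str, object] = {}
    for key in it:
        if key == "}":
            break
        try:
            val = next(it)
        except StopIteration:
            raise ValueError(f"key {key!r} has no value")
        block[key] = _parse_block(it) if val == "{" else val
    return block


def parse_keyvalues(text: str) -> Dict[str, object]:
    return _parse_block(iter(list(tokenize(text))))


def _get(block: Dict[str, object], name: str) -> Optional[object]:
    """KeyValues keys are case-insensitive, so look up by lowercase name."""
    for k, v in block.items():
        if k.lower() == name.lower():
            return v
    return None


def iter_controls(kv: Dict[str, object], path: Tuple[str, ...] = ()):
    """Yield (path, block) for every nested block that declares a ControlName."""
    for key, val in kv.items():
        if isinstance(val, dict):
            if _get(val, "ControlName") is not None:
                yield path + (key,), val
            yield from iter_controls(val, path + (key,))


def console_would_refuse(cvar: str, sv_cheats: bool = False) -> Optional[str]:
    """Reason the console path would refuse to set `cvar`, or None if it is allowed.
    Mirrors the rules in the wiki legend quoted above: devonly is never settable
    from the console in a release build; cheat cvars require sv_cheats 1."""
    flags = CVAR_FLAGS.get(cvar.lower(), frozenset())
    if DEVONLY in flags:
        return "devonly"
    if CHEAT in flags and not sv_cheats:
        return "cheat (sv_cheats is 0)"
    return None


def scan_hud(res_text: str, sv_cheats: bool = False) -> List[Dict[str, str]]:
    """Return every cvar-writing control whose cvar the console would refuse."""
    findings = []
    for path, control in iter_controls(parse_keyvalues(res_text)):
        cname = str(_get(control, "ControlName") or "")
        cvar = _get(control, "cvar_name")
        if cname.lower() not in CVAR_CONTROLS or not cvar:
            continue
        reason = console_would_refuse(str(cvar), sv_cheats)
        if reason:
            findings.append({"path": "/".join(path), "control": cname,
                             "cvar": str(cvar), "reason": reason})
    return findings


# Constructed sample .res: two controls copied in spirit from the thread, one
# devonly cvar, one harmless cvar, and one control with no cvar at all.
SAMPLE_RES = r'''
"Resource/UI/MatchMakingPingPanel.res"   // constructed sample, not a shipped file
{
    "HudCheats"
    {
        "ControlName"       "CCvarSlider"
        "fieldName"         "HudCheats"
        "labeltext"         ""
        "cvar_name"         "sv_cheats"
        "use_convar_minmax" "1"
    }
    "IgnorePartyInvites"
    {
        "ControlName"   "CvarToggleCheckButton"
        "fieldName"     "IgnorePartyInvites"
        "labeltext"     "Enable orthographic camera"
        "cvar_name"     "camortho"
    }
    "InterpToggle"  { "ControlName" "CCvarSlider" "cvar_name" "cl_interpolate" }
    "ViewmodelFov"  { "ControlName" "CCvarSlider" "cvar_name" "viewmodel_fov" }
    "PlainLabel"    { "ControlName" "Label"       "labeltext" "no cvar here" }
}
'''

if __name__ == "__main__":
    for f in scan_hud(SAMPLE_RES):
        print(f"{f['path']}: {f['control']} sets {f['cvar']} -> {f['reason']}")
```

Run against a HUD directory by feeding each .res file's text to scan_hud(); the sv_cheats flag models a server where cheats are legitimately enabled, where only devonly bindings remain suspicious. The scan deliberately does not treat the control's existence as the finding: viewmodel_fov on a slider is exactly what these controls are for, so only cvars the console would have refused are reported.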

AzureWoof commented 2 years ago

@kisak-valve

Not-Anatrax commented 2 years ago

Yeah I posted it to Unknowncheats to get this patched quicker, I think that the more people to know about it the better. I have also let Delfy a popular tf2 youtuber know about this as well.

SpookyToad2 commented 2 years ago

Lol it's working. Pretty funny result https://youtu.be/sYfnvJxoFuc

Verg9999 commented 2 years ago

It seems that with sv_cheats 1 you can use lerp below 15.2, but when joining Valve servers it automatically changes to 15.2. Is there a way to bypass that?

Not-Anatrax commented 2 years ago

bump.

improvised-explosive-device commented 2 years ago

Thanks I'm definitely trying this

aUniqueUser commented 2 years ago

trolled

UAVXP commented 2 years ago

trolled

Typical scriptkiddie

VedaantAchuthan commented 2 years ago

Wow, remarkably easy to get this cheat up and running with a custom HUD with some googling. Managed to fuck around with r_drawothermodels on an Upward server. Too bad it's 2am and I have to use mobile data to get TF2 to work. Hopefully won't be patched by morning (but still should be patched by tomorrow).

Also I learnt wallhacks don't help all that much if you're stupid.

elf-XNSR commented 2 years ago

Wow @AzureAzel what an amazing page of text, if only explaining simple concepts to needlessly extensive lengths was what got bugs fixed.

jh34ghu43gu commented 2 years ago

This appears to be getting spread around now, one of the discord tf2 community mods posted it in the private regulars channel and just saw a post on r/tf2 about it... Can't wait for the d*lfy video with a premade hud for any casual player to use.

UAVXP commented 2 years ago

Devs are here only for adding labels, marking comments as off-topic and editing user comments so they're not that long. Deal with it guys, they're not gonna do anything about the above explained issue, unfortunately for us all.

kbfton2 commented 2 years ago

Damn, this is dangerous. I hope Valve fixes the exploit soon.

jh34ghu43gu commented 2 years ago

Looks fixed in today's update but I don't have the hud to test if anyone wants to confirm.

melvyn2 commented 2 years ago

(Screenshot, 2022-06-21) Yep, it's finally fixed!

elf-XNSR commented 2 years ago

Fixed in record time!!!

kisak-valve commented 2 years ago

Closing per the last several comments.

Verg9999 commented 1 year ago

Question: Could someone please explain to me what sliders are?

Niterux commented 1 year ago

This still works in Left 4 Dead.

https://user-images.githubusercontent.com/110568869/236620983-91f5ba92-14fb-4d9a-96e1-8e6505f55971.mp4