InsaneDoggo
commented
6 months ago I don't know how DOTA2 dedicated server's deploy/initialization process looks like, but there is well known practice (in software dev in general) to store secrets as environment variables. It's not required to use environment variables exactly, similar behavior can be achieved via launch arguments. Main point is to provide way for developers to specify key value pairs bypassing "downloadable addon files" e.g. via WorkshopManager during upload. Then API would looks like: GetSecret("some key") which should return value on server and "empty string/none" on client.
withvoidwithin
Description
The essence of the problem
Custom game developers do not have the option to save player data in Dota 2. Therefore we use http requests and query our own web servers and databases.
The problem with http requests is that any user who decompiles .vpk file of a custom game will be able to find and know in the code where these http requests address, and then emulate that.
To determine the validity of requests from Valve's game servers, there is a function called GetDedicatedServerKey that works only on Valve's dedicated servers and returns a unique custom game key to help determine the validity of the request.
Unfortunately, because this feature is also on the game client, hackers were able to hack into and understand how keys are generated for custom games. As a result, they can easily simulate requests from Valve's dedicated servers and send requests with any data within...
In an attempt to solve this problem, Valve made 3 similar functions of different versions.(GetDedicatedServerKey, GetDedicatedServerKeyV2, GetDedicatedServerKeyV3). All of these functions have been hacked. Each time stepping on the same mistakes.
What I'm suggesting
Example Match ID (and possibly Timestamp)
No response
Screenshots
No response