Team Fortress 2 Items and Game Coordinator
Since the potato hat release, there has been a renewed misunderstanding of how TF2 items are used. I think it’s time I correct that.
(FALSE) Myth #1: Servers do all of the item handling
While this was once true, modifications like the “TF2 Equipment Manager” changed this for everyone. The change ensured that both client and server check the backpack.
(FALSE, unless they’re Valve) Myth #2: People can create items with console commands
For the modders who have found something to hook within the server binary, that does not work, and has not worked for a very long time (if it ever did — as far as I know, nobody tried).
(MOSTLY FALSE) Myth #3: People can create items with hacks and get away with it
While they could, and it’s become apparent to me in the last two months how they could, I have almost no doubt that Valve logs every single bit sent through the system in question, and therefore that abusing it would result in a VAC ban. The way to make items was only made public by Valve in what I could consider to be a mistake made in trying to optimise the game.
There is a lot of speculation in the opensteamworks community that someone malicious found out how to find out during the potato hat update. <REMOVED> Apparently the hole has been closed (I’d dare not test it, others haven’t either, but apparently it doesn’t work.)
(FALSE) Myth #4: tf2items hacks your backpack data
No. Asherkin’s TF2items extension does not hack your backpack data; it recreates items and gives those items to the player. It’s open source, so go read the source if you doubt me.
(FALSE) Myth #5: The item system is easy to hack
While this isn’t so much a myth, it’s fairly difficult to actually do anything unless you found the vulnerability above. The opensteamworks project does have headers obtained/constructed through reverse engineering which reference the old item system. This system is no longer used. Instead something called the ‘gamecoordinator’ is used. This system is connected to Steam itself, and it appears (from the TF2 server and client binaries) that TF2 has its own abstraction. I would suspect other games with items (DOTA2?) would likely use it too.
(FALSE) Myth #6: The GameCoordinator data is public, and opensteamworks made it possible to hack the game!
No. The opensteamworks project did not publish the leak. While they published a lot of information other than that particular leak, they showed incredibly good sense and character by notifying Valve about the issue, rather than making it public.
(UNKNOWN; why would you?) Myth #7: Debugging the game will always get you VAC banned
Try -insecure, or better yet, debug the server; chances are, there is no legitimate reason to mess with the client beyond skinning things. If you debug in secure mode, it’s your risk, and I wouldn’t blame them. I haven’t tried it, and I wouldn’t recommend it. Apparently many modders run both server and client through VS2010, but without the source, or a client-side plugin to debug, there’s no point anyway, as you won’t catch anything.
(MOSTLY FALSE) Myth #8: I run a TF2 server, and have installed SourceMod, therefore I know everything
There are some exceptions where this is probably true, but I sincerely doubt it for most of you. I don’t know everything, but I have the good sense to go looking before I start spouting nonsense about how you can hack a game with a plastic whistle and a tinfoil hat.
If you want more information on the game coordinator, be aware that most of it has been published in relatively shady places which talk about techniques to violate software licences (rin.ru being one place), or have published information which many may consider questionable from a legal point of view (opensteamworks). I find that reading information doesn’t hurt me, but if you use it, it’s at your own risk.
As a final note, I do not participate in the reversing of data for use in the opensteamworks project, as I wish to publish a game on Steam with Steamworks and do not wish to upset Valve prior to that. If you have any questions about what is already available, the comments in the provided source should be enough; and I will probably answer simple questions regarding what is already in the public domain (regardless of source), unless in an agreement with Valve (i.e. they accept a submission of mine) I am requested not to do so.
swixel posted this