A (very) minor setback

Post by **BackTrak** » Sun Aug 27, 2017 10:12 am

Hi All,

Just wanted to update you with a quick progress report. I have made a lot of it!

Unfortunately, the first pass at a Steam Store review was rejected because I had put the some text that belonged in the EULA into a field marked "Legal Lines". I got that email right as they closed the door on my plane, and I had to stew about it for the next 5 hours. The steam reviewer requested that I move that to the EULA and resubmit, which has been done and done.

I have the steam API fully integrated into the lobby, server and client with authentication happening at all stages of connection, and everything seems to be playing very happily together. The initial Steam packaging has been configured, and it is now deploying Allegiance as a developer comp via the Steam pipeline. Allegiance is launch-able from Steam with either the Dx9 or Dx7 engine based on your selection from the Steam client (Dx9 is the default). When playing with the Dx9 engine, the steam overlay is fully integrated into both full screen and windowed mode. Which just happened automatically. Classy job with that bit, hats off to the Steam API dev team!

What's Next:

I need to complete some setup defaults so that Allegiance knows how to find it's artwork and lobby server, and then request an application review from Steam. I expect the store front review will complete this week, and then I will put up the coming soon page (2 weeks cool-down time, which is mandatory from Steam), and you will be able to check it out. In addition, I have 100 beta keys which we will start distributing to anyone who wants one (I can get more on demand) as soon as I get the setup kinks worked out.

So, lots of stuff done, Wasp and I have been fixing more bugs than I am creating so we are very close now!

Sorry for the update delay, I had a lot of work travel this week, but I'm now back in action to close this phase out. Stay tuned!

Thanks,
-BT

Deathrender · Post by **Deathrender** » Sun Aug 27, 2017 3:13 pm

Based Backtrak

KGJV · Post by **KGJV** » Sun Aug 27, 2017 4:31 pm

hi, gj & gl

Is it mandatory to support Steam integration & API to publish a game of the Steam Store ? or is it just something you wanted to add before launching ?

Allegiance R7 + ACSS work great as it is (minus the default keyboard) so the minimum needed was eventually some 'account linking' between ACSS & Steam (at oauth/openid level so no code modification in Allegiance, only in the ACSS backend).

How would you handle anti-cheating without ACSS ? AFAIK, I don't think VAC covers 'client side modification' cheating. afaik, nothing prevent me from using a moded core .igc file on my side where my scout can load ab1 or go very very fast. Or is ACSS still present with the Steam Integration?

If not, aren't you afraid of a huge cheating fiasco at (re)launch that could definitely kill the reboot ? (I know I'm been pessimistic and conservative here but someone needs to be the devil's advocate here

)

Post by **TheBored** » Mon Aug 28, 2017 4:24 pm

I haven't followed up with BT but we did discuss leaving in portions of ACSS to leave those protections in place. Something along the lines of disabling (ACSS) authentication checks and leaving artwork integrity, squad management, stats, etc.

TB

Post by **BackTrak** » Tue Aug 29, 2017 2:17 am

Hi TB, KG,

I have been thinking very hard about how to handle forged game clients, I am hoping that Steam DRM can assist me here, but I haven't gotten the steam based installer 100% nailed yet. I'm hoping to solve that one tonight.

Steam DRM can only wrap up native .exes, and ACSS is a .net based application which makes this a minus for both linux support and native deployment. I have some thoughts around what to do if Steam DRM is not sufficient, which revolve around keeping a small shim binary library private that I can build Allegiance with and then DRM the entire kit under steam to enforce a medium amount of client security. The information around Steam DRM is incredibly thin. As we are using an Allegiance server instead of a steam integrated server, it appears that some protection is lost. I want to keep this as a last resort, I am assuming that Steam must have a way for open source games to run securely, with non-forged clients.

While ACSS works fine for our community size, I am afraid it would melt under any kind of serious bad attention. As it has a server component as well, the load would move right up the chain and potentially cause issues for others.

A lot hinges on what steam brings to the table. I know that it does prevent client modification once it's running under DRM, but I haven't been able to determine if it blocks running a non-DRM client from getting an auth token to sign into the server. That will be part of tonight's testing.

Definitely open to suggestions here!

KGJV · Post by **KGJV** » Tue Aug 29, 2017 8:20 pm

When you mention 'client modification' so it's just the main .exe or the "whole client" including the artwork folder or can it be selective ?

Enforcing just a genuine/validated .exe won't be enough because the problem with current Alleg code is client side core modifications. They are easy to do, anyone with ICE can edit his local copy of a core and from there cheat...But enforcing the whole artwork folder will prevent mods and UI customization which is not a good thing. One could put cores and other sensitives 'files' in a special folder, outside of the artwork folder.

If Steam DRM can only enforce the .exe than you'll need to add some "core enforcing" inside the .exe (hash sig or encryption , etc) or even better have the core downloaded (encrypted) from the game server...that's not so hard to do. But all of this will be vain is the .exe can be hacked.

Ultimately the best anti-cheat is to enhance the server code to detected suspicious client behaviors but that's more a mid/long term solution. A lot of IGC stuff need to be rewritten for that.

Post by **BackTrak** » Sun Sep 10, 2017 8:12 am

Hi Kage,

If you want to see what I came up with for the artwork checksum enforcement, you can see it in the FreeAllegiance github now. The concept is to generate a class that holds all the checksums, compile it into code, wrap it with Steam DRM which blocks tampering with the checksums and .exe. That way, I only have to ensure that the client is legit to talk to the server. I'm making headway on the DRM enforcement to prevent a non-DRM client from talking to the server. I think I have a good solution for how to keep the DRM check private, but still let developers do their thing without it getting in the way. I will check that stuff in shortly as well. it's not quite baked yet.

I also have some plans for how to get some VAC traps setup in the client as well, should we actually have issues with bad actors. Hopefully I don't need to waste time playing arms race.