1. Hello Guest! It's with a heavy heart that we must announce the removal of the Legacy GMC Archive. If you wish to save anything from it, now's the time! Please see this topic for more information.
    Dismiss Notice

Wha to do about cracked software

Discussion in 'Game Design, Development And Publishing' started by RizbIT, Jul 22, 2019.

  1. RizbIT

    RizbIT Member

    Joined:
    Jun 24, 2016
    Posts:
    471
    You make a game publish it, you have in app items like lives and power ups, users have to create accounts,

    after a while you find several users have 999 lives or loads of purchased power ups in the db, but they havent actually purchased the items as you can check your console orders.

    So what can you do. It must be they have a cracked version of you game.

    the server records users ip when new user signs up but ips can be fake like with vpn
    you have their email but those can be created using fake details
    you have their username but those can be different for each account they have

    you is there really anything you can do apart from create checks in the app to like double check if they have actually purchased the item.

    In my game the after the user buys an iap the item count is increased and stored in their account, so it seems that they are somehow bypassing the actual IAP purchase and running the code that executes after user has made a purchase.
     
  2. Lonewolff

    Lonewolff Member

    Joined:
    Jan 8, 2018
    Posts:
    1,207
    Never trust the client. Always have the server validate first.

    If they hack the local game, don't worry. But as soon as the local game says 'Hey server, I have 999 lives', the server should say 'Bulls**t you do'.
     
    Cpaz and NeZvers like this.
  3. EvanSki

    EvanSki King of Raccoons

    Joined:
    Apr 17, 2018
    Posts:
    581
    Red pill: BAN THE ACCOUNT AND WATCH THEM BURN MUHAHAHAHA

    Blue Pill: I'd have checks in the game for seeing if they have a legit copy or not, or do what @Lonewolff said and have the server yell at them...THEN BAN THE ACCOUNTS *Evil highpitched laughter*
     
    Cpaz and NeZvers like this.
  4. FrostyCat

    FrostyCat Member

    Joined:
    Jun 26, 2016
    Posts:
    4,708
    If you're stupid enough to design a server that takes a client's claims of past purchases at face value without checking purchase references from the IAP vendor, you deserve having this done to you. It's absurd how many people in GM circles cheap out on server-side validation and think client-side alone is a good substitute.

    The more I see inane topics like this from you, the more I believe you don't have what it takes to hang a shingle on your door about "IT & Marketing".
     
  5. Phil Strahl

    Phil Strahl Member

    Joined:
    Jul 3, 2016
    Posts:
    387
    A rule of thumb is to always treat client data as fraudulent, so as the other posters have elaborated: Have the server validate everything.

    Also, send as little as possible back to the client meaning the client application should not know more than the player, e.g. it should not store tables for drop-rates for items or ingame currency, or monsters outside of the player's view, if you have those in your game.

    See it like this: The game is played on the server, the client is a display.
     
    NeZvers and IndianaBones like this.
  6. Mert

    Mert Member

    Joined:
    Jul 20, 2016
    Posts:
    428
    With one single Firebase account, you can securely confirm IAP, secure leaderboard, create a proper secure account system(if you don't like emails, hell you can even ask for SMS confirmation); and no need to run a single server. This is what I've been doing for the past months.

    I'm currently completing all Firebase tools rn, some of them available here : http://gmdevblog.com
    Currently working on Authentication API, we need those SMS confirmations right ;)
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice