• Hello [name]! Thanks for joining the GMC. Before making any posts in the Tech Support forum, can we suggest you read the forum rules? These are simple guidelines that we ask you to follow so that you can get the best help possible for your issue.

Steam What can i do against piracy?

Ronchon

Member
Hi,
Hi! Is there anything i can do to deter piracy of my game, which is now increasing rapidly ?
Especially to deter their connection to my official servers which they are apparently able to do ( i'm using steam ).
They're using an emulator allowing them bypass the authentication at the client startup. On the server side i don't know any way to authenticate users.
So i was wondering what i could do on the server side to block them.
Is there built-in steam functions in Gamemaker that can do that ? Or any other ideas ?

Its a bit discouraging : not only are they stealing my game (unavoidable), but they'll also be using the servers at my expense, which are not cheap.
 

curato

Member
You could ask the client to give the steam id then have the server do a check to see if the stem user is logged in via steam_is_user_logged_on(); and if not kick the user.
 

Ronchon

Member
thanks a lot! i'll try that!
however my understanding is that this wont check that this steam user id actually owns a valid license of the game ?

So with an emulator on the client and using their real steam ID they'd still be able to pass this ?

I had another "hacky" suggestion: to use an automatic achievement allowing to check if someone does own the actual game , but i'm not sure if that's effectively possible.
 

Ronchon

Member
Actually looked into this, but this function doesnt allow any arguments, so it can only check the ID of the program where its beeing executed.
So it can't check the player's steam ID... only its own ? Therefore it wont work. At best i could make the client check itself but it doubt it will work and it can be intercepted.
I'm looking for a server side solution only, independent of the potentially corrupted client.
 

Ronchon

Member
Yes i've looked at it, and it's part of my problem: it seems that none of the functions mentionned there have been implemented in Gamemaker's steam support , like everything regarding the tickets and authentication. So i'm not sure what to do.
Just for example, its starts with a " Client A must retrieve a session ticket by calling ISteamUser::GetAuthSessionTicket. " , but this function doesnt exist in gamemaker. None of these are.
 

Lewa

Member
Yes i've looked at it, and it's part of my problem: it seems that none of the functions mentionned there have been implemented in Gamemaker's steam support , like everything regarding the tickets and authentication. So i'm not sure what to do.
Just for example, its starts with a " Client A must retrieve a session ticket by calling ISteamUser::GetAuthSessionTicket. " , but this function doesnt exist in gamemaker. None of these are.
You would need to add the SteamAPI by yourself. (Using a C++ wrapper DLL.) That's the only way to make this possible as far as i'm aware.
/Edit: If you are hosting a Web-Server then you have to implement HTTPS too as GMS doesn't support that out of the box either (steam requires this for security reasons).
 
Last edited:

Lewa

Member
You could check if there are any existing/free wrappers for GMS available on the internet.
If not, another option would be to hire someone to write them for you. But you have to determine if the benefits of doing so outweigh the cost.
 
Last edited:

FrostyCat

Redemption Seeker
/Edit: If you are hosting a Web-Server then you have to implement HTTPS too as GMS doesn't support that out of the box either (steam requires this for security reasons).
Both GMS 1.4 and 2.2 support HTTPS the last time I checked, you just need to specify https:// when making the request.

If you want to check whether a user owns a given product, you can get your server to call the CheckAppOwnership API endpoint for Steam before granting a session. The client would provide the Steam ID, and your server would have its own API publisher key and the product ID.
 
Last edited:

Lewa

Member
Both GMS 1.4 and 2.2 support HTTPS the last time I checked, you just need to specify https:// when making the request.
Wait what? Wasn't aware of that. (I think i remember some kind of HTTPS dll for GM floating around somewhere, hence why i thought that GM doesn't support this.)

Btw, your link seems to be broken. Here is the CheckAppOwnerShip Documentation:
https://partner.steamgames.com/doc/webapi/ISteamUser#CheckAppOwnership

Also from the documentation:
Ownership Verification
Once a user's identity has been verified, a secure server can use the ISteamUser/CheckAppOwnership Web API method to check if the user owns a particular AppID, or call ISteamUser/GetPublisherAppOwnership to retrieve a list of all user owned AppIDs that are associated with the provided Publisher Key.
So from what i can gather is that you don't actually need to create a session ticket if you just want to check if the user owns your particular game?
 
Last edited:

Ronchon

Member
No. But that requires a Steam publisher API key that is very important and cannot be included in any way in the distributed games: too dangerous. It can only be used from highly trusted servers.
So the only solution is to make your own server as an intermediary, so the game itself doesnt hold the API key.
 

Lewa

Member
No. But that requires a Steam publisher API key that is very important and cannot be included in any way in the distributed games: too dangerous. It can only be used from highly trusted servers.
So the only solution is to make your own server as an intermediary, so the game itself doesnt hold the API key.
Well, yes but isn't that what you want?
You already provide a custom server for the game. But you want to exclude players which didn't buy the game.
You can retrieve the SteamID of the player on the client, send it to the server and do a check on the serverside if the given steamID bought the game. (the API key is only stored on the server and not on the client.) If the ID didn't purchase the game, don't process the serverrequest.

The issue with that system though is that the player can circumvent it by modifyng the steamID which is sent to the server. (Simply change it to a steamID which bought the game.) It's in no way a proper authentification replacement but it might filter out/lessen the load on the server.

/Edit: I'm currently in a similar boat. (Provinding a custom server for an upcoming steam game.)
 
Last edited:

The-any-Key

Member
When I tried to prevent piracy in another game (not GM). I created a script check. The game connected to a server and the server sent back one of many test scripts. These scripts gather different data from the game itself like size of exe, sertain values in key areas and it created a long number and sent it back to the server. This number was then used as a authentication that the game has not been changed.

But if you want to check if an owner own your steam game. Let him send his steamID to the server and let the server check if he owns it. This way you don't need to include the developerd key in the game itself.
 
Top