Button Up

Game Protection on Steam: Steam’s Own Methods and 3rd Party DRM

Natalia Yashenkova
Natalia Yashenkova
Head of Marketing and PR at StarForce Technologies.

Natalia Yashenkova has more than 15 years experience in software development and information security. Before StarForce Technologies she worked at Netris and Vimcom Optic.

1 Feb 2016

In 2008 at the Valve's summit on the state of PC gaming in Seattle, president Gabe Newell revealed that his company is not concerned about the threat of piracy in the PC market, including in territories like China and Russia. He said that Valve's Steam distribution platform and the service it provides its customers protects it from privacy. In addition, gamers are interested in an ongoing relationship with Steam and if they are caught pirating, they risk losing all their purchased games as well as the possibility to participate in multiplayer games.


Nevertheless, in 2015 a potential customer contacted StarForce to protect a game pirated from Steam. He wanted to distribute it on CDs. This may sound like complete nonsense, but it actually happened. So exactly what kind of protection does Steam provide? And what methods do publishers use to prevent the spread of pirated copies?

How Steam arranges its protection

By default, games on Steam are not protected. They work as common files that can be copied or run without any restrictions. If you want to protect your file (hereinafter, the word "file" means an executable file of an application) against pirate distribution you can select one of four ways offered by Steam.

Method 1. Protection with Steamworks API


Steam provides developers with Steamworks API, which you can use, among other things, to obtain information about user accounts and purchased games. It is the easiest way to verify that a given account has the right to run the application. With the help of the API, the application itself checks if it was really purchased by the current user. This can be done with the addition of a few lines of code:

if(Steamworks.SteamInterface.User.UserHasLicenseForApp(playerSteamInfo.savedSteamID, new AppID(MyApplicationId)) == UserHasLicenseForAppResult.HasLicense)
{
Debug.Log("Valid License");
}

This method also solves the problem running the application on multiple different computers under one account, because an account can be authorized on not more than one computer at the same time. If a gamer does not have an Internet connection, the system cannot confirm the right to run the application and as a result, the application will not launch. To avoid this issue, the Steam client should be switched to Offline mode in which the current status of the account is stored locally. However, if you do not like the idea to run the application offline for whatever reason, with the Steamworks API you can always find out the current mode and abort the launch of the application, if necessary.

There is a way to deceive this type of protection though. This is usually done by substituting the Steamworks API interface library (steam_api.dll). The task of the new library file is to emulate the behavior of the protection.

Method 2. Protection with Steam Bind

If a publisher does not have a possibility to modify the code of the game to add protection via API functions he can use Steam Bind, an external protection system. This protection system is installed on finalized .exe/.dll files and is responsible for authorization the same way as described before. Steam Bind has poor tamper resistance though. It works as follows: the system encrypts a part of the code section and adds a module to call the Steamworks API. If verification is successful, the module recovers the code. However, the protected file itself keeps the decryption key and that is why this kind of protection can be taken off from any application, even without buying it.

There is at least one public project that can break this kind of protection – Steamless. The source code of this project is available here:https://gitlab.com/atom0s/Steamless.

Method 3. Protection with Steam Custom Executable Generation

As an alternative to the previous method, Steam offers an option to provide personalized executable files to each user. This method allows you to distribute games that will be physically bound to a specific computer configuration. If the configuration of a computer is changed, the user needs to log in to Steam on that same computer and get updated files. According to the documentation, this method is now superseded by the previous method.

Method 4. Protection is provided by 3rd party DRM

Steam allows to use systems developed by third party companies to protect games against pirate distribution and hacking.

In January 2016, the founder of the notorious Chinese cracking forum 3DM was warning that given the current state of anti-piracy technology in two years there might be no more pirate games to play. And Denuvo, an Austrian anti-tamper system, was mentioned as an example of such an anti-piracy technology. At first glance this looks like a Denuvo PR campaign. But everybody admits that protection technologies become more sophisticated, especially in the field of code obfuscation.

Steam started offering many games protected by Denuvo lately. What is Denuvo and can it be called a DRM system?

The main task of Denuvo is to protect the game’s code with the help of a virtual machine; it uses lots of obfuscation and different methods of file encryption. Denuvo has DRM functionality, that makes it possible to verify game authorization on a gamer’s account (see method 1).

The protection of executable files imposes a great responsibility on the developer of the game, as they need to find a balance between performance and level of security. Also, when this protection system is used, players can start asking questions about quick failure of SSD drives. Although Denuvo representatives claim that their protection system does not affect drives, the fact remains - there is a certain increase in reading program fragments from the disk, thus the load on the drive is higher.

Traditionally StarForce Technologies offers solutions to protect games on Steam. A wide line of StarForce products allows to select an optimal method for game protection: only code, code + DRM or only DRM. The main task of StarForce for the moment is to provide protection that does not bother an honest gamer but becomes an unbreakable barrier for a pirate. Compared to Denuvo, StarForce Technologies offers a high level of tamper resistance at lower cost.

You can find other 3rd party DRM systems on Steam, for example ActControl, Reality Pump and TAGES. They are not as well-known as the two previous ones but to me that sounds more like a benefit than a drawback. Generally these solutions offer an alternative DRM but sometimes they also provide code protection.

The costs

The cost of protection depends on which one of two available options you choose: does every gamer need to be counted and will you use an alternative DRM, or do you only need code protection. In the first case a publisher needs to buy a license to use a protection system and he also needs to buy a serial number for every gamer. There is a life hack to save some money, though. There are two ways to pay for serial numbers: to buy them in advance or to pay after a gamer activated his serial. The second variant is better because payments for DRM will then depend on real sales and use. The cost of StarForce serial numbers varies from $0.28 to $1.05, depending on quantity, method of protection, number of activations, and method of payment.

When the game's source code is protected without counting the number of players, the total cost of using the protection system is set in advance. The costs then depend on the provider of the protection and the territory where the game is sold.

Players’ attitudes to 3rd party DRM on Steam

Players as a rule do not welcome additional DRM or code protection. On Steam forum you can find titles like: “Do not buy this game! It uses a third-party DRM!”. And 15 more exclamation marks. Why are they so negative?

Firstly they don’t like the limitation of the number of computers. Steam allows to enter an account from any computer any place with internet. But a DRM system usually limits the number of computers where a player can activate the purchased game. So gamers worry about lack of activations and about whether they could still play this game in 5 years or so, when his or her computer is updated or replaced. Modern DRM systems have answers to these questions. For example StarForce has the AAA (add activations automatically) feature. This feature allows to add an activation after a definite period, e.g. every 45 days or once a year. And it’s great when a publisher explains this feature to the players to calm them down.

The second objection is connected with the negative reviews on the web about the extra load on the computer and hard drives. But in practice - if the protection is set correctly - it only uses a small part of a computer’s resources. If it would take more, it will not be interesting to play. As I said before it is crucial to find a balance in the deployment of protection.

Developers of DRM systems are making every effort for the system to be as invisible as possible for players. Due to the integration with Steam, a user does not interact directly with the protection system - even a third party DRM activation occurs within a standard Steam interface.

Prospects for game protection

There are big doubts if pirated copies of games will ever disappear altogether especially now when economic situation is rather unstable, so it will continue to be necessary to add good protection. On the other hand, the loyalty of the players is the most important asset of game developers and publishers, so the main task when selecting a protection method is to find the optimal balance between a pleasant gaming experience and adequate piracy prevention.


Back to the list