Hi
I wonder how to drm protect my stuff better than I do currently. Currently I check at every start for a key and compare it online. I would prefer
to check it not so often or only once. The problem is how to know when my stuff get's copied to another location. (Win/mac/linux) etc. and start a
now online comparison.
Thanks for any ideas
Either move part of or all of your game to servers you control, or replace your code checking with a dialog box that politely asks the player whether the game was obtained in a moral way or not.
[exeggaration] Anything else is a waste of your time because your game will be cracked by evil pirates in 3 minutes. [/exeggaration]
edit: added tone markup :3
Locally enforced DRM is a fundamentally flawed concept as information located on digital storage media under the user's control can unconditionally be copied or altered at near zero cost, especially since it is enough that one person do it and then freely release a crack to the world. There is nothing you can do to prevent that - if the information is stored on the user's computer, you've already lost whatever battle you were trying to fight. Indeed, the DRM problem ("the user cannot access the game without being authorized to") can be reduced to the problem of information copy ("the user cannot copy this information without being authorized to"), i.e. they are equivalent, and information copy cannot be prevented without limiting the user's ability to read that information in the first place.
That leaves online games (mmorpg's and other persistent worlds, where the closest thing to a DRM breach is setting up a free - or paid - private server and garnering a community of your own), or remotely served gaming (OnLive and the like, which are certainly not designed for DRM purposes anyway).
These are the hard facts. The kind of DRM you are thinking of does not work, never has, and never will. Think outside the box, the most successful forms of DRM were those that provided value for actually owning the game, instead of oppressing the player with dozens of "security checks", with half of them not even working reliably and the other half actually favoring players who do not own the game (used CD keys, anyone?). In short, if when people see "DRM" written on a game they mentally conjure up the image of a padlock, you have failed.
While I agree with others that every DRM will be cracked, etc. I don't think that's gonna convince OP to just abandon the idea.
Since what you asked is how to detect moved software, I'd suggest keeping some machine identifier (maybe MachineGuid or just user login) and maybe displaying user's surname on the splash screen or sth. Some people will be uncomfortable running software with different person's name.
And yeah, I know all those things are trivial to bypass, but that's not the point. The OP already has some form of registration and now the point is just to remind an honest user that he needs to register each new machine.
Yes, not biased at all.Anything else is a waste of your time because your game will be cracked by evil pirates in 3 minutes.
The OP already has some form of registration and now the point is just to remind an honest user that he needs to register each new machine.
From what I have observed, the best ones are just a nag as part of the loading screen.
This works especially well if your clients are businesses, but it can also work well with individuals.
A simple message "Registered to x" can be enough. Pirates are going to continue to pirate, and they won't care if they downloaded the game from a cheat site, or if it says "Registered to Lame Hacker", they'll still use the software. More honest people will pay, or at least feel guilty enough about it that someday they might pay.
As a real life example, one of my friends has a fairly popular shareware-style utility and is constantly battling piracy, but in a beneficial way as it is tied to support and benefits rather than to disabling features or other punitive measures. In one update he added a 'phone home' capability that reported assorted telemetry in addition to the license key to help discover and disable pirate keys. Among the discoveries, he found Microsoft had about 2000 users in their domains, but only a single license for a team of 12. They were not the only corporate offender, but they were the worst by number. So he amended his splash screen slightly, to say either "Registered to x, single user license" or "Registered to x, n user license" based on the license key. His forum went wild. There were a lot of people turning in their companies "It says registered to our CTO as a single person license, but everyone uses it." Some IT people piped up saying things along the lines of "Our mistake, we have a 2-5 user license for a team of 150, we're paying now" and paid up. A few individuals piped up "I didn't know it was registered to someone else".
Since updates were frequent people were more likely to get the updates directly from the source rather than pirate sites, so with the added license visibility quite a few companies quickly coughed up money when it was obvious to all the users that it was out of license. He said that as the worst offender, Microsoft's licensing contacted him and worked out a bulk license deal, but even then he contacted them again with a list of phone-home IP addresses to help them get back in compliance or pay up. The 'phone home' is not just to disable pirate keys (usually accompanied by notification to the person who owned the key) but it also pulls out useful telemetry like feature usage, confusing features, and crash reports. Some people continue to abuse the license system, but it is tied to their license key so if they ever need to log in for support they are greeted by a screen that says their licenses appear to be out of compliance.
Otherwise if they have an unlicensed version of the software they can use it, just with a big nag screen during loading.
I also see this kind of thing in software like Perforce or Visual Assist X. They prominently display messages like "Registered to Company, 1500 user license".
Currently I check at every start for a key and compare it online. I would prefer
to check it not so often or only once. The problem is how to know when my stuff get's copied to another location. (Win/mac/linux) etc. and start a
now online comparison.
i'm a little confused. what does comparing the key online accomplish, other than adding internet connection as a system requirement? as you can see, it does nothing to prevent illegal copying. or anything else that i can see - except maybe prevent running a legit copy when the internet is down.
NEVER NEVER NEVER deny legit access! this is _VITAL_ in _ANY_ DRM solution. better to allow access when unsure, than possibly deny paying customers.
to know if its been copied, the software will need a systemID or authentication certificate. there may be other methods as well.
systemID:
a systemID number is generated using hardware specs on the PC (serial numbers, types of processors and drives, etc). this systemID is then used to generate a matching registration key. so a reg key is only good with a given system ID, and a systemID is based on the hardware installed. this makes the reg key hardware dependent. if they move to another pc , the hardware changes, the systemID changes, and the registration key no longer works. the downside of this approach is what if they change their hardware? this is typically handled by allowing a couple new reg numbers per user when they upgrade. another approach is to simply licence the software for single user use and installation on a single mass storage device.
authentication certificate:
when the software is installed, a hidden authentication certificate is installed. this certificate identifies the PC as legit. a user copying the software can't copy the certificate as long as it remains hidden. downsides: 1: the certificate must remain hidden. 2: this probably requires install via web, so the user doesn't have a certificate on a master disk or in a master install exe.
note that copy protection is only half the battle. the other half is anti-crack protection for your copy protection.
in general, research on client server authentication and security procedures should help. your situation is more of a network AUTH issue than it is a pure DRM issue on a stand-alone pc.
Hmm, funny while coding this I've never thought my security through. So wireshark found that remote file on my site. Now another question: Would it be possible to fake that TCP GET request? Get that file locally and tell the myapp to use that instead? If so, I would better drop my DRM before it gets hacked...
I'll forget about not checking at every start...seems to complicated and I won't spend any more time on this.
