
Registration mechanisms for standalone games sold through a website


Hi! I'm making an action puzzle game targeted at both mobile (PocketPC, Windows Mobile, Symbian) and desktop platforms (Windows XP, maybe Linux). I'm planning to sell the mobile versions through an online portal such as Clickgamer but I'm also planning to sell the desktop versions from my own website using an e-commerce solution such as BMTMicro or eSellerate.

The game is almost complete, but before releasing it I would like to add some kind of registration mechanism. I know every registration mechanism gets cracked eventually, but at least I would like to make something so that the average user cannot pack the game files in a zip file and give it to her friends (the game is around 15 MB).

I'm using the edgelib library to develop my game. The library offers utility functions to retrieve the device ID (which in the case of PocketPC, Windows Mobile and Windows Desktop is just the owner's name) and to generate unlock codes using the RPN technique.

So, I've been researching as much as I could about this topic and, before coding a solution, I've decided to ask here so that I can check I'm not missing anything obvious (notice that I want to avoid a registration mechanism that needs an Internet connection). These are two of the possible solutions I came up with; please let me know what you think about them:

1) Offer a "demo version" to download. If the user wants the full version, she must also fill in her device ID in the purchase form. When the transaction is approved, she gets via e-mail a download link to the full version along with the unlock code that matches her device ID (the unlock code would be calculated using the RPN technique I mentioned above). One disadvantage I see with this method is that she can distribute the game and the unlock code to her friends and the only thing they should do in order to play the game is change their device IDs (something that takes no more than a few seconds).

Another problem I foresee with this approach is: what happens if a person that legally bought my game wants to change her device ID? Does she have the right to ask me for a new unlock code?

2) Create a big pool of valid keys. Offer a "demo version" to download and, if the user wants the full version, she gets via e-mail a download link to the following version along with one valid key. The key is later marked as "used". This method makes the distribution even easier (no need to even change the device ID), but solves the problem I mentioned about a user changing her device ID and requesting a new validation code.

What do you think about these methods? Can you suggest a better one?

Thanks in advance for your input,

--Nacho

If you want to avoid requiring an internet connection, your options are severely limited. The only way you can distinguish licensed and unlicensed users is by checking some kind of unique hardware ID, like the MAC address of the network card. This is fairly easy to forge (by changing OS settings or patching your program), and is vulnerable to failure if the user changes their hardware.

If you choose not to rely on a unique ID, then there is no way whatsoever to distinguish between two people's devices, and your situation is completely hopeless. It's not that I can't think of a better one; it's that one doesn't exist even in principle. There's no way for software to tell which human being owns the hardware it's running on.

By the way, the "key generation" algorithm you linked to is nothing more than a trivial hash function, and is easily breakable even without looking at the program's source code.

Using device-linked activation codes is a bad idea for two main reasons:
1) As you already noted, it is trivial to bypass. Actually, the "RPN technique" is even easier to break than you think.

2) Tying games to devices is extremely inconvenient for the end user, especially if the device ID is something that isn't even remotely static (such as the owner's name - you can put anything you want each time you install Windows).

A far better way would be to create activation codes that encode personal information. For example, you could encrypt the database ID of the purchase, tack on a few extra bits so the checksum will come out to a particular value, then base-64 encode it and use that as the key. If somebody leaks the key, you can easily decode it, decrypt it, and look up the index in the database to see who is giving away their key. If you want to be mean, you could include the user's email in the key (encrypted/encoded), or their real name (likewise). If you do something like that, make sure you say that the key contains personally identifying information, and make sure to follow laws like COPPA.

You can't really stop people from pirating, and the impact you can have with codes in a stand-alone game is minimal, but you can discourage casual pirates until the key-generator is released.
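A sketch of the purchase-ID key described in the post above, as an added example that is not part of the original post or any poster's code. It swaps the "encrypt, then pad to a checksum" step for a truncated HMAC-SHA256 tag over the purchase ID, and uses base32 instead of base-64 so the key is case-insensitive to type. The secret, the `PURCHASES` table and all function names are assumptions made up for illustration.

```python
import base64
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"  # assumption: vendor-held secret, sample value
TAG_LEN = 6                          # 4-byte ID + 6-byte tag = 80 bits = 16 base32 chars

# Constructed sample of the vendor's purchase database.
PURCHASES = {1042: {"email": "buyer@example.com", "order": "ORD-1042"}}

def _tag(body, secret):
    return hmac.new(secret, body, hashlib.sha256).digest()[:TAG_LEN]

def make_key(purchase_id, secret=SECRET):
    """Encode a purchase ID plus its authentication tag as XXXX-XXXX-XXXX-XXXX."""
    body = struct.pack(">I", purchase_id)
    raw = base64.b32encode(body + _tag(body, secret)).decode("ascii")
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def decode_key(key, secret=SECRET):
    """Return the purchase ID if the key is well formed and authentic, else None."""
    raw = key.replace("-", "").replace(" ", "").upper()
    if len(raw) != 16:
        return None
    try:
        data = base64.b32decode(raw)
    except ValueError:  # characters outside the base32 alphabet
        return None
    body, tag = data[:4], data[4:]
    # Constant-time comparison; a mistyped or altered key fails here.
    if not hmac.compare_digest(tag, _tag(body, secret)):
        return None
    return struct.unpack(">I", body)[0]

def trace_leaked_key(key, purchases):
    """Vendor side: map a key found in the wild back to its purchase record."""
    purchase_id = decode_key(key)
    return purchases.get(purchase_id) if purchase_id is not None else None

if __name__ == "__main__":
    key = make_key(1042)
    print(key, "->", trace_leaked_key(key, PURCHASES))
```

An offline game that verifies keys this way has to ship the same secret, so anyone who extracts it can mint valid keys; that is the "until the key-generator is released" limit the post mentions.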

My suggestion:
go the other way around.

Instead of locking out unregistered gamers, give content to registered ones.
One example:
- Give everyone the "full version".
- If someone pays for it, you give him access to a community forum with added content, new updates, etc.

You should encourage ppl to buy your software, not crack it :)

Thanks for all your replies!

@dwahler: Yes, I know that the RPN technique is quite weak and can be easily bypassed. Nonetheless, I'm not looking to make my game cracker-proof but rather to avoid casual users pirating it.

@Extrarius: The idea of encoding personal information on the key is very interesting. Nonetheless, I'm not sure whether I would be breaking some kind of law by doing that. Fortunately, since every customer needs to register in the portal where the game will be sold (be it Clickgamer, or be it BMTMicro when sold through my own website), I'll be able to easily contact the person responsible should I find a leaked key on the Internet.

@mystb: Unfortunately, this is not a kind of game that can be released for free and profit by selling content.

Thanks again for all your input!

--Nacho
