Sign in to follow this  
schattenmaennlein

Copy protection for electronically distributed

Recommended Posts

Hi all,

I have an (almost)finished PC-game(300MB) I want to sell and distribute online. Seperately I will launch a freeware version with a lot less content.
It is an offline game written in C using SDL and OpenGL. At the time only for Windows, I will worry about porting it later.

Currently I am working on the copy protection.

I want to
a) prevent casual users from simply copying the registered game
b) be able to change the protection on upgrades if need arises(I will update the game monthly)

As I understand it the most common way of getting basic protection is to put some type of more or less hidden key on the system.
Which happens as simple as a registry entry or as intrusive as direct disk access or even messing around with the OS itself.

I am not going to do anything intrusive and making a registry entry seems a little bit too simple(people would merely have to copy the key).
Although this is probably something I also should do.

Then protections requiring online log-in have been mentioned. I don't like these either because I think being connected to the internet should
be optional. I think people should be able to install the game on their offline laptop and register it wherever. Also I'd like to avoid dealing with peoples firewalls.

So my method of choice is to generate an user id based on whatever unique/semi-unique information I can find and create a request code based on that.
It does not need to be 100% unique, just enough to make copying a little bit harder than watching registry changes.
I think if cracking the game needs at least the use of a disassembler or hexeditor it will limit the people capable and willing to make the effort drastically.
I imagine this will end in a cracker either faking a different user id/request code or working out how the responsecode has to be, or what variables
have to be altered to pass the test. At which point I can do stuff like hidden checks and let the program pretend to be cracked but crash
after X hours. Just to generate some revenue.

Or so I think, but I am an amateur. So my questions are:

Is this reasonable?
What kind of information should I use to make the request code a different one on different machines and how do I access it?

Thank You

Share this post


Link to post
Share on other sites
Honestly, I wouldn't put too much time into it. I guarantee that no matter what you do, someone with too much time on their hands will dedicate themselves to breaking your system.

I'd go more along the route of a "pay what you want" system. You'd be surprised at how many people will pay and the people that don't wouldn't have paid anyway. Given your self-confessed status as an amateur, I'd be more concerned with getting as many people as possible to play your game without worrying about getting money for it.

Share this post


Link to post
Share on other sites
A "good" system is an algorithmic one. Basically your program asks a control server a question and [i]knows[/i] based on the content of the response if it's genuine or not. This often takes the form of some computed hash that your program can reverse back to its original state and therefore "see" it's good. This is good until your algorithm is cracked but it's about the best you can reliably do. Anything else is simply too easily bypassed. However, unless you're a mathematician you're not too likely to come up with a complex enough algorithm to be worth implementing though there are a ton of math resources out there you could look into.

Share this post


Link to post
Share on other sites
I would probably modify a necessary and always ran file to hard code some sort of ID token upon a successful registration along with the computer name. Then upon each run, send the ID token but respond with the computer name. The app then compares the computer name your auth server responded with and the computer name of the local computer. Match? Great! No match? Show em the registration screen.

Share this post


Link to post
Share on other sites
the OP wants something that works also offline.

I agree with the suggestion of not loosing your sleep over this one.

look into WMI to access hardware information needed to generate a machine almost unique request code. Write an algorhithm to transform that request code into an unlock code and implement it in the game and on a server side script or webservice.
The user provides the request code together with some credential (email, buying code) that get validated by the server with a "user DB", if the user is found, the server sends back a valid unlock code.

Be VERY careful with WMI.. if you choose the wrong things to generate ur request codes you can quickly get in trouble.. for example, in my first game I used the CPU speed as one of the elements to generate the request code.. bad mistake, some CPU had different readings and some user had to constantly reactivate the software.
After 3 spent answering support requests my game was cracked and I realized how stupid it was to waste such a long time on an aggressive protection scheme.. after 1 week a patch was out that simply used the player "character name" to generate the request code.. and that's good enough to make sure that the ones willing to pay will.

We're trying to make games here.. pirates are just a bunch of retarded monkeys with too much time to waste.. dont waste your time trying to get around them, they have much more time you'll ever had.

Share this post


Link to post
Share on other sites
I didn't see the offline requirement. /shrug

Just saw your rant about pirates and figured I'd plug this in here: [url="http://yro.slashdot.org/story/11/07/20/2119232/Suppressed-Report-Shows-Pirates-Are-Good-Customers"]http://yro.slashdot....-Good-Customers[/url]

Enjoy :cool:

Share this post


Link to post
Share on other sites
hm i think the slashdot link is talking about "pirates" that download stuff.. my rant was directed to "pirates" that hack stuff.. .should we call them hackers?

Share this post


Link to post
Share on other sites
[quote name='freddyscoming4you' timestamp='1311699696' post='4840659']
I would probably modify a necessary and always ran file to hard code some sort of ID token upon a successful registration along with the computer name. Then upon each run, send the ID token but respond with the computer name. The app then compares the computer name your auth server responded with and the computer name of the local computer. Match? Great! No match? Show em the registration screen.
[/quote]
They should be able to register multiple computers. It would be very unfriendly to force them to register again and purchase a second copy just to run the game on their laptop instead of their desktop.

Share this post


Link to post
Share on other sites
Okay cool,

I've got something basic working now. I use the computer name and the windows directory name to create the request key.

btw, the GetComputerName() function says the minimum supported client is windows 2000.
[url="http://msdn.microsoft.com/en-us/library/ms724295(v=VS.85).aspx"]http://msdn.microsoft.com/en-us/library/ms724295(v=VS.85).aspx[/url]
Does that mean I'm not compatible to win98? Eh, people don't really use older winversions anymore either way?

And the text says "The behavior of this function can be affected if the local computer is a node in a cluster." Does that mean it might be an unreliable value if we're connected to a network?

Share this post


Link to post
Share on other sites
Just my two cents:

Copy-protection hurts more the honest client than any hacker. The greatest problem with copy protection is to get it running on all systems. Often copy protection hinders honest clients from playing whereas others playing a hacked version don't have any trouble.

The only really working copy-protection is online validation, you can try to establish some kind of useful online feature, in example a high-score, character management or a simple automatic update feature where you need to use a valid registration code.

Then there's the "benefit" of hacked version. As indie you will face one major problem: getting awareness of your game . It is bitter, but "true", that a hacked version could bring your game to a much larger audience then selling it over your webside or 1-2 portals. The first version of an new IP is often not sold much. but later versions will benefit from a broad audience of the first version, even if it was distributed as hacked version.

Whatever, I wish you good luck with selling your game.

Share this post


Link to post
Share on other sites
Thank you,

as far as getting attention is concerned I will release the first part of the game as freeware, and send it to whatever web-site or magazine I can. A lot of people will get to play it, as even unattractive freeware gets a lot of distribution. And then hope that it's awesomeness will hook enough people to want to get the second part, and create mouth-to-mouth propaganda and reviews.

I agree that merely trying to sell a game as a no-name without media attention is not a good idea. How many people are going to see your website and bother to download a demo? Some people have pulled that off, especially those that offered some kind of novelty or filled a niche. (I do neither, so I have to depend on quality). But it still is weak marketing. And probably needs luck also. Just think how many excellent games even by professional companies have failed commercially just because they failed to get attention.

I've got a soft-rpg 20$ shooter. I think the way to maximize cutomers is a low-invasive copyprotection and regulary updates. If your game gets very popular you'll get pirated anyways. And it won't matter because you've already won.

Something I have not read on the boards so far which should be on public conscience is that not every indie game is being pirated. Games of mediocre popularity are often unpirated. And pirated software also has to be distributed. If there are 3 seeds there's a good chance of a torrent dying. And it can be hard to find, especially newer versions. A person might simply search on the wrong torrentsite or only know kazaa (if that's still around) or whatever.

Many people that would play your game if they could do it for free will not pay either way(if they pirate the game it's actually better for us because it creates attention). Some people will pay if they can't pirate it. Some people would donate more than pay. Many people that would have paid will not if they can just download it. These are the reason I don't chose "pay as much as you want".

I know donation-soft is fashionable but I think commercially it can't compete in my market of choice. (also online as compared to a museum we lack social pressure). It is a valid model though and definitely wins in terms of distribution. I think for something more special like dwarve fortress it's the better one. It can't exactly impress with screen shots and forget about casual gamers but has a select crowd of fans. (How do you gain those? Distribution.)

Also it depends on what you're trying to achieve, you might prefer maximizing fame instead of profit. You might be a hobbyist with a fulfilling day job or rich or doing charity or want popularity for future buisness ventures. To me making money signifies being able to invest more time and money in game developement.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this