Who has implemented a licensing API/SDK

codingo    119

I'm starting this topic to get general information, anecdotes, tips, warnings, suggestions, recommendations, ideas from all those out there who have ever implemented a licensing scheme into their application be it a licensing API/SDK or your own proprietary solution.

 

I've written a small program and have looked at services from Halpeiron, Safe-Net, RLM and others and have recently begun implementing one solution into my app. It is a process of learning a new, and from the looks of the documentation, robust SDK that deals with areas of programming I have never explored before. I do 3d math stuff. This SDK deals with network calls, encryption, permissions, XML and really tricky code styles that rely on many many defines, function pointers, and many many funky functions that do obscure things that I can't find in a myriad of books that deal with 3d graphics programming.

 

What was your experience like?

codingo    119

Yes even the most sophisticated services like Halpeiron stipulate that if someone wants to crack your code bad enough, they will do it. So is it even worthwhile protecting your product?

What sophisticated solutions did you explore?

Edited by sweetRum

NightCreature83    5002

Steam's CEG solution seems to be the better direction for this stuff, as it doesn't impair the game on a functional level. It just makes it so you can't use certain features or texts are changed to other things. Which can make a game look like this: https://www.youtube.com/watch?v=ntVEaGESBsc this is a pirate copy, hence the Yarrrr replacement of real text; we never disabled the game other than the text. Batman Arkham made the game playable up until you had to use your cape to glide somewhere, which the game didn't allow if it was a pirated copy.

These are also crackable but more subtle and make your game act like a demo for the real product, so that when users start to complain on your forums you can tell them to buy the full version to get rid of the issues.

Edited by NightCreature83

wintertime    4108

My opinion on DRM is it will always be cracked and only annoy people who legally bought your program. At the same time people would probably be encouraged in copying when there is no protection.

So I would go for something very light and cheap that just prevents casual copy and paste and hopefully gives you a few days (or more likely hours, depending on your luck) before it's cracked. Then later you can remove it in a patch without losing much effort, if you feel like it gives you a reputation boost to call your program DRM-free.

There is an example: http://rampantgames.com/blog/?p=6446

dilyan_rusev    1360

My take on this is that you need some really basic stuff to prevent the not-very-small population of extremely nontechnical people from just copy-pasting. Other than that, the more popular you are, the faster they will crack you.

BitMaster    8651
When The Witcher 2 was released, there was a DRMed disc-based version sold in stores and a completely DRM-free release on GoG.com (as well as some other distribution channels), all at the same time. The game showed up on file sharing sites within hours of being released, however the version showing up there was practically exclusively the cracked, DRM version.
I couldn't find the original interview where that was mentioned but the story is referenced here.

On a more personal note, when I consider buying a game nowadays the first thing I find out is "Does it have DRM?". Unless I can answer quickly that the answer is a simple "No, it does not", I will abandon all intentions of buying the game, no matter how much anything in there interests me.
I have dealt with Steam, I have dealt with other handrolled DRM and I'm just no longer willing to put up with it. On the other hand, I'm spending well over the average when anything in a (DRM-free) Humble Bundle interests me, I have accumulated a rather huge library from GoG and I have left quite a bit of money with several indie developers who go DRM-free (and mark that properly).

A similar attitude is mirrored in friends with the exception that they are generally more accepting of Steam.

codingo    119


These are also crackable but more subtle...

 

That seems like an interesting solution.

 

How do you reason with someone who wants instant gratification by asking them to make the choice between 'free' or 'at-cost'?  It makes it very difficult to make any endeavor profitable.

PhillipHamlyn    579

My background in development is entirely commercial/business, not gaming, but in that area I have had to deal with issues of licensing and copyright protection of APIs (not the product itself - just the API). After some thought we ended up developing a trivial protection system using easily-reverse-engineered license keys purchased by the third party developer company. Although it in no way prevented software theft, it did provide evidence that software theft had taken place, which was good enough for my bosses.

 

Possession of a key issued to a legitimate third party organisation whose content was copyrighted, was in itself a copyright theft. Use of that key was therefore in some way illegal. The important point seemed to be that (a) the software was protected (however trivially) and (b) the method used to gain access to the software prevented casual or mistaken use by a third party. I put the case to my bosses that theft is a law-enforcement issue, all I could do was provide some basic protection such that there could be no defence of ignorance (i.e. "I didn't know it was copyrighted" or "it was open source code I found on the web"). It was made easier for me because we work exclusively in the Microsoft .net world where all code is open and trivially decompiled - just like (for instance) JavaScript - so there is no real technical protection from copyright theft.

 

Interestingly the prevention of theft of the company's IPR was their main reason for investigating web hosting - it prevented the software from ever leaving our premises, so was inherently secure. Didn't end up being a strong enough reason to actually convert it for the web, which probably reflects more on the weight given to copyright theft over and above, say, user experience.

 

Phillip.

Bearhugger    1276

I'd just leave it to my distribution platform (Steam, Apple App Store, Windows Store, etc.) to handle the DRM and focus on making a good game. I would not lose time with it myself, it's just not worth the effort and I don't care to play that cat-and-mouse game with hackers. People who will crack your game are usually not going to buy it anyway. I'm guilty of having pirated games in the past but those were either games I was never going to buy, or games that I wanted to try before buying. I have never pirated a game from developers I trust to not make cheap cash grab games. I have never pirated a Blizzard game, for example.

 

More importantly, sometimes DRM itself might be the reason why people don't want to buy your game. Don't make it safer and easier to pirate the game than to buy it legit. Mass Effect 3 has been massively pirated, and I bet that one of the reasons was that people didn't want to install EA's Origin's DRM/spyware/cloud on their computer. I decided to just not play the game (rumors about the ending cooled my excitement anyway) but those I know that have played it on the PC have all pirated it. Although unless you're called Ubisoft or EA you probably don't have the means to invest into draconian DRMs like Origin or Uplay so you can probably ignore this issue.

 

You might want to go the always-online way, but if you do so you need to ADD VALUE to the always online factor so that it's not just an annoyance for the players. A lot of people have complained against Diablo III's always-online feature (and who am I to tell them that they're wrong) but personally I grew a large friend list by playing World of Warcraft, so being able to chat with my friends while playing any Blizzard game makes always-online awesome for me. I wouldn't play the game offline even if I could.

 

On a side note, I have once successfully used a protection scheme to force the customer to pay the full price of a software when I was working for a company that made industrial machines. I hid the lock/unlock flag into the machine's RAM on a chip. Of course he could have "easily" hacked it, but when you're buying hardware that is one-of-a-kind and costs 5M$, you don't want to risk breaking it (plus voiding your warranty) by hacking the chips for the 5k$ software add-on... Of course, games are all software, so you can't do anything like that. 

SimonForsman    7642
 

Of course not. That would be illegal.

 

That would depend on what jurisdiction you're in. (Although I can't think of any jurisdiction in which it is illegal when you have the copyright holder's and system owner's permission.)

codingo    119

Of course not. That would be illegal.

Not necessarily, if we do it under the spirit of development testing and I give you permission to test my security.

codingo    119

 

Of course not. That would be illegal.

 

That would depend on what jurisdiction you're in. (Although I can't think of any jurisdiction in which it is illegal when you have the copyright holder's and system owner's permission.)

Indeed :)

Ectara    3097

More importantly, sometimes DRM itself might be the reason why people don't want to buy your game.

This, and 100 times this. I own legitimate copies of excellent games, but I still run the cracked versions because of one important DRM technique of the time period: requiring the disc to be in the drive. My main computer is a laptop, and I am always on the go. I rarely sit in one place, and while I'm often seated in my living room, my PC games are upstairs, since they are rarely used. I simply do not want to carry the disc on me, when I have the hard drive space to hold the entire game. It isn't necessary, and it is cumbersome enough for me to buy the game and run the cracks that would allow me to not need the disc. First, carrying the discs sucks. Second, spinning up a CD drive is loud, and can be slower than just as easily reading from the hard drive. Third, having my optical drive spinning while I play drains my battery life and heats up my machine unnecessarily. Fourth, running the game from a removable drive is very useful if you move from machine to machine in a public area, like a school, so cracking it to do so is desirable.

 

These are all ways that local DRM frustrates me. I was very leery of always-online DRM when I started playing Phantasy Star Online 2, for one very big reason: I played Phantasy Star Online in the offline single player mode intermittently for many years! Dealing with the fact that if I wasn't connected to the Internet, I could not level my character was a tough hurdle, when I had been playing the game's predecessor for 10 years. However, I eventually accepted it as a necessary step (PSO was filled with hackers and cheaters).

 

So, let it be known that there is yet another type of customer: if you sell your game with DRM, and I buy it, I will still try to break it to remove the burden that was imposed upon me, despite me doing the right thing. I was very glad that the versions of Quake I, II, and III: Arena that I have for Linux install and ask that you copy the data from the legitimate Windows discs to the install directory, instead of requiring that the disc be in the drive like installing the Windows versions. I own the Ultimate Quake collection, so that is not the problem.

Edited by Ectara

Adam_42    3629


Most DRM solutions are trivial to bypass and generate "valid" keys once folks get even a basic sampling of keys.

 

Any decent DRM system will use public key cryptography to make sure that the only practical way to generate valid keys is to have the private key.

 

Of course that doesn't stop someone hacking the code to remove the check or replace the public key, but at least it lets you easily and reliably identify pirates.

BitMaster    8651

Most DRM solutions are trivial to bypass and generate "valid" keys once folks get even a basic sampling of keys.

 
Any decent DRM system will use public key cryptography to make sure that the only practical way to generate valid keys is to have the private key.
 
Of course that doesn't stop someone hacking the code to remove the check or replace the public key, but at least it lets you easily and reliably identify pirates.


I don't see how that is applicable. If you do not require online validation the program itself needs to validate the key and any decent hacker can extract whatever counts as the private key from the executable.
If you require online validation you don't need public/private keys, it's much simpler and safer in the long run to create completely random keys and store them in a database, together with whatever usage information accumulates.

Adam_42    3629


If you do not require online validation the program itself needs to validate the key and any decent hacker can extract whatever counts as the private key from the executable.

 

The private key can't be extracted from the executable, because it's not stored there.

 

The developer signs a message with the private key which they keep secure and don't distribute. The application which contains the public key can then verify that the message is signed by the developer.

 

See http://en.wikipedia.org/wiki/Public-key_cryptography

Edited by Adam_42
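
The signing scheme described in the post above, as an added example that is not part of the original thread: the vendor signs a license payload with a private key that never ships, and the application checks it with the embedded public key. It uses Ed25519 from Go's standard library; the payload fields, the `payload.signature` key format and all function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// NewVendorKeys makes the key pair; only the public half ships in the app.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueLicense runs on the vendor's machine, where the private key stays.
func IssueLicense(priv ed25519.PrivateKey, payload string) string {
	sig := ed25519.Sign(priv, []byte(payload))
	return b64.EncodeToString([]byte(payload)) + "." + b64.EncodeToString(sig)
}

// VerifyLicense runs in the application and needs only the public key.
func VerifyLicense(pub ed25519.PublicKey, key string) (string, error) {
	p, s, ok := strings.Cut(key, ".")
	payload, err1 := b64.DecodeString(p)
	sig, err2 := b64.DecodeString(s)
	if !ok || err1 != nil || err2 != nil {
		return "", errors.New("malformed license key")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("not signed by the vendor key")
	}
	return string(payload), nil
}

func main() {
	pub, priv := NewVendorKeys() // constructed sample keys and payload
	key := IssueLicense(priv, "user=alice@example.com;seats=1")
	fmt.Println(VerifyLicense(pub, key))
	// Same signature, edited payload: rejected.
	edited := b64.EncodeToString([]byte("user=alice@example.com;seats=99"))
	fmt.Println(VerifyLicense(pub, edited+key[strings.Index(key, "."):]))
}
```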

codingo    119

My experience was that it was an utter waste of time and trivially cracked by an amateur reverse engineer (me) in a matter of a few minutes for the simpler solutions, and a couple of days of hardcore reversing for the more sophisticated options out there. (I won't name them, for legal reasons.)

Can you tell me what tools you used to crack your app?  I've implemented a very basic scheme so far and would like to see what is visible to the potential hacker.

ApochPiQ    23005

Tools aren't really important - understanding the machine code and how to modify it are what really matters. Even the debugger shipped with Visual Studio is plenty to reverse most apps, combined with a hex editor and careful fingers. If you're really industrious you might learn and love WinDbg. OllyDbg is also pretty good and has some handy tools.

 

There are of course other high-caliber options out there, but they're generally expensive and don't offer much if you don't already know what you're doing.

ChaosEngine    5185

My $0.02: don't put much time into it. As others have said, all it will do is end up annoying your legitimate customers.

 

If you really feel you must do something like this, favour unobtrusiveness and simplicity over security. No matter what you do (short of hosting all the content remotely) it will be cracked, so look at your DRM as something to inconvenience amateurs rather than something that will stop determined hackers.
