License keys system


39 replies to this topic

#1 Nje789

    New Member

  • Members
  • 16 posts

Posted 28 July 2009 - 07:29 PM

I'm planning on selling a PC game via download at an e-commerce site, but I don't know how to set up a good license key system.

I want to A: prevent the game owners from making copies that can be played on a different computer unless they disable the use of their copy on the original computer (only one computer at a time can be used with each game copy)

and B: stall the inevitable cracking by pirates for a long enough time to get some decent sales in first.

How would I go about making a license key system that accomplishes these two things?
(and this is by selling downloaded copies through an online store)

#2 Reedbeta

    DevMaster Staff

  • Administrators
  • 5310 posts
  • Location: Santa Clara, CA

Posted 28 July 2009 - 08:10 PM

Re: stalling crackers, check out this article - old, but still interesting and useful.
reedbeta.com - developer blog, OpenGL demos, and other projects

#3 Nje789

    New Member

  • Members
  • 16 posts

Posted 28 July 2009 - 10:57 PM

That has some good ideas at the end of the article.

I also need help on how I'm going to get IPs before buyers download the game, and then I need help finding a server that checks the IP when the game is played.

#4 Reedbeta

    DevMaster Staff

  • Administrators
  • 5310 posts
  • Location: Santa Clara, CA

Posted 28 July 2009 - 11:07 PM

Having the game required to go online every time the user plays it probably isn't a good idea. Also, IP addresses aren't static; imagine a user installs it on their laptop and uses it both at work and at home - they'd have a different IP at each. Some people use the MAC address of the primary network interface as a machine ID, which works well as it's globally unique and tied to the hardware.

Anyway, one way you could implement machine IDs (and bear in mind I have no actual experience implementing license systems, so I may be overlooking something obvious) would be to create an RSA public/private key pair; keep the private key to yourself, and have the public key hard-coded in the game. Then, when someone registers, send their MAC address to your secure server, encrypt it with the private key, and send back the ciphertext. When the game starts, decrypt it with the public key and check that the MAC address matches the machine on which it's currently running.

You still need a server to handle registrations and allow re-issuing the license if someone wants to move to a different machine (or if they replace their network card), but people won't need to connect every time they play the game, which is much more convenient for them and reduces the load on the server for you.
reedbeta.com - developer blog, OpenGL demos, and other projects
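
The offline check described in post #4, as an added example that is not part of the original thread: "encrypting with the private key" is in practice an RSA signature over the machine ID, which the game verifies with the embedded public key. The key below is a constructed, trivially factorable demo key, the signing is unpadded hash-then-sign for illustration only, and all function names are hypothetical.

```python
import hashlib

# Constructed demo key: two well-known Mersenne primes, trivially factorable.
# A real deployment generates a 2048-bit+ key and signs with RSA-PSS or
# Ed25519 from a vetted library.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                      # public key, shipped in the game
_D = pow(E, -1, (_P - 1) * (_Q - 1))       # private key, stays on the server


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-..' and 'aa:bb:..' hash identically."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a 48-bit MAC address")
    return digits


def _digest(machine_id: str) -> int:
    # Domain-separated hash of the machine ID, as an integer smaller than N.
    data = b"license-v1|" + machine_id.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_license(mac: str) -> str:
    """Server side: sign the registered machine ID with the private key."""
    return format(pow(_digest(normalize_mac(mac)), _D, N), "x")


def verify_license(license_hex: str, local_mac: str) -> bool:
    """Client side: needs only the public key (N, E) and the local MAC."""
    try:
        sig = int(license_hex, 16)
        expected = _digest(normalize_mac(local_mac))
    except ValueError:
        return False                       # malformed license or MAC
    return 0 < sig < N and pow(sig, E, N) == expected
```

The signature proves only that the server approved the ID the client reported; it says nothing about whether that ID came from real hardware, which is the spoofing concern raised in post #5.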

#5 JarkkoL

    Senior Member

  • Members
  • 475 posts

Posted 28 July 2009 - 11:44 PM

You can spoof your MAC address, so it's not a very good mechanism for copy-protection.

I wouldn't really worry too much about users registering the game on multiple PCs without unregistering it first. It would strike as an inconvenience to legit users and isn't really your major concern anyway. You want to prevent your game being distributed on torrent sites, etc., thus it's better to think of a mechanism to protect your game from that.

#6 rhamm1320

    New Member

  • Members
  • 15 posts

Posted 29 July 2009 - 01:19 AM

I had to deal with this same thing. I was amazed by the amount of pirates and people asking blatantly in message boards of "who is gonna buy and upload for the rest of us?".

The next step was I put in a simple serial number system with a basic key-seed. Anyone that really wants to pirate it still can without much fuss, but the typical game player would not know how. I am guessing, the simple protection system probably reduced my piracy significantly.

Now, here is the twist. To an extent, I am not too bothered by torrent copies or pirated copies... those people would probably never have purchased anyways. This can be used to an advantage in a sort of viral way.

If someone downloads a torrent copy, good chance it's going to be an old version. I do regular game updates and plaster the version number right on the game GUI. If someone likes the game, but they have an old pirated version, there is a good chance they will not find the latest build, so hopefully they turn into paying customers, customers that would probably never have heard of my game if it were not for the torrents.

#7 hunguptodry

    New Member

  • Members
  • 31 posts

Posted 29 July 2009 - 02:32 AM

one way to uniquely ID a computer is to find the actual physical location of files on disk. 2 computers with identical files are unlikely to have their files in the same physical location even if they have identical hardware.

here is how u go about doing it. http://www.wd-3.com/...e/luserland.htm
u may not want to go as far as this article leads u to.

good luck with your game.

#8 Nje789

    New Member

  • Members
  • 16 posts

Posted 29 July 2009 - 02:55 AM

All I really want to do is a decent job of discouraging most people and stalling the real pirates for at least a month or so.

Does anyone know of something I could use that helps set up a license key system with minimal work on my part?

#9 TheNut

    Senior Member

  • Moderators
  • 1701 posts
  • Location: Cyberspace

Posted 29 July 2009 - 03:41 AM

You can do what Valve does, it's pretty good. Essentially people download or buy the game, but it doesn't include the main executable. When the game starts up for the first time, a user inputs his or her serial, which is sent to and validated on your servers. If successful, the user will download a signed executable to run the game. If they attempt to redistribute that exe or provide a cracked version, you can tell from the signature of the EXE who it belonged to and punish accordingly. Subsequent users of that EXE can then be banned. A complex offline check can be made and cause random problems such as faulty AI or gameplay problems.

This is a model you can build off of, so it's future-proof. Your first version may just be a basic serial validation scheme, but over time you can refine your business models and introduce new DRM features.
http://www.nutty.ca - Being a nut has its advantages.

#10 Kenneth Gorking

    Senior Member

  • Members
  • 939 posts

Posted 29 July 2009 - 04:34 AM

Nje789 said:

All I really want to do is a decent job of discouraging most people and stalling the real piraters for at least a month or so.
You can stall newbies with some (or all) of the standard anti-debugging techniques (1, 2) scattered throughout your code, but skilled crackers know these tricks, and know how to avoid them.

You could also use the status returned from the various anti-debugging code to flip random bits of data, or even code, instead of flashing some error. This way, it will take the game much longer to expose all of its safeguards, and although it won't stop the crackers, it should pose some challenges for them :)

Nje789 said:

Does anyone know of something I could use that helps set up a license key system with minimal work on my part?
License key systems are also not immune to crackers, just look at some of the later examples in Damn Vulnerable Linux :p
"Stupid bug! You go squish now!!" - Homer Simpson

#11 JarkkoL

    Senior Member

  • Members
  • 475 posts

Posted 29 July 2009 - 09:19 AM

I have thought of implementing the protection by using CPUID, where the user registers the executable online for a given CPUID. Nice thing with CPUID is that unlike protection which uses external API calls (e.g. win32) you can't instrument it since CPUID is an x86 instruction, and because it's very lightweight you can sprinkle your code with tons of checks and have them hidden/encrypted from crackers. Unfortunately the serial number returned by CPUID is rarely implemented by processor vendors, but you can build a key for a specific CPU brand (EAX=1) which prevents mass distribution of your game. It's relatively easy to remove an individual protection once it's triggered, but you can make this a VERY daunting task for crackers since they would have to play the game and remove each randomly triggering trap manually, which takes a huge amount of time and crackers can never be sure that all the traps are removed.

When a trap is triggered, you just terminate the game with an appropriate message. I think it's a bad idea to make your game crash randomly because that's very bad publicity for you and people will think your game is badly coded. Doesn't matter if the publicity is unjustly distributed by pirates, since people won't know that and if the crashes occur due to the protection or badly coded game.

So, legit users go online to register the game for a given CPU and the registration process changes bytes in the exe to make it run on that CPU. Unlike Steam, you never need to go online after registration for that CPU, so it's actually convenient for users.

#12 AticAtac

    Member

  • Members
  • 87 posts

Posted 29 July 2009 - 10:56 AM

There is no 100% copy protection.
This is what I did:

- each time the "game" (in my case it's an application) starts, it needs to authenticate to my server (serial key)
- the server tracks "logins" and "logouts" (game closes) and also takes care of timeouts and possible client crashes
Now comes the main part: after the login the client gets a small DLL (which will never be stored to the hard disk). This DLL has some important and essential code which is needed for the client in order to be able to run properly. This way I am also able to provide some updates (the code in the DLL needs to be chosen very wisely!). So removing protections and other usual things won't help since you still need the DLL and only with a valid serial key will the server send the DLL. Of course a hacker could intercept the returned DLL (which is also encrypted) and make a workaround, but this is much more complex.
With enough talent, motivation and time a hacker could always break a security system.

#13 Nje789

    New Member

  • Members
  • 16 posts

Posted 29 July 2009 - 12:46 PM

But isn't it bad to make them have to be online in order to play? I had a similar idea, but I decided it's not going to be more effective enough to warrant the inconvenience to users.

To be perfectly honest, I don't know a thing about software copy protection, other than its recurrent theme of inevitable pirating success.

I'll use any effective enough method, but I need something that doesn't require any knowledge of what you're doing, just using a "wizard" -like program to help you set something basic up automatically for you.

#14 AticAtac

    Member

  • Members
  • 87 posts

Posted 29 July 2009 - 01:05 PM

Be honest, who is not online nowadays?
And the online-check is short and only at the beginning.

#15 JarkkoL

    Senior Member

  • Members
  • 475 posts

Posted 29 July 2009 - 01:19 PM

1) people behind (over) secure firewalls (read: some workplaces)
2) people who bring their laptops along with them (to airplanes, coffee shops, etc.)
3) people whose ISP sometimes is screwed (mine was just a couple of days back)
4) your server may be off-line
...
Requiring online connection to play your game is a bad idea.

#16 alphadog

    DevMaster Staff

  • Moderators
  • 1716 posts

Posted 29 July 2009 - 01:21 PM

With all due respect to the YOTD team, that article was in 2001. With the explosion in net access, the cracking scene is very different now, and with the criminal aspect permeating it, for the worse.

Crackers have cracked most mechanisms out there for any game with strong stand-alone presence, within days in the worst-case scenario. The more popular the game, the faster it will be fully cracked. Downloadable content doesn't stop them. Sims 3 content packs were available on the net within hours! For AA and AAA titles, they actually sometimes have people and/or systems "on the inside" getting them early copies to get a head start. I've seen big titles released in cracked form before they even hit retail! In fact, the race is on to get your cracked version out first, with trojans, so as to get the most systems.

The only copying you can deter is casual copying, and for that you don't need much. I'd look for canned systems (ex: Silicon Realms' products) and not waste my time and resources on developing my own "new and improved" scheme that will just as likely fail. Also, don't get seduced by promises of far-reaching DRM. You pay a lot for not much gain.

Yet, you should still have accommodations that allow a handful of installs for homes with multiple systems, or people that frequently change systems, or that are not online all the time. AticAtac's mechanism is an example of a bad idea for people who aren't online all the time. Nothing I hate more than being stuck somewhere with bad connections and not being able to take a break with game X because of some online requirement. Not only do I end up hating the game, I likely won't buy again from that vendor...

Also, if you develop your own canned solution, don't forget to keep in mind the ignorant end-users. Lots of people may end up with a cracked game without knowing it. If you make a game behave erratically or do something damaging, they will blame you, not the cracker. Worse yet, a class action suit...

Most people who torrent casually frequently infect their systems and render them inoperable, so they eventually get what they deserve and hopefully learn from it.

Those who are veterans are armed with some intelligence and are pretty much unstoppable, because they are plugged into how and from who to download their warez.

#17 alphadog

    DevMaster Staff

  • Moderators
  • 1716 posts

Posted 29 July 2009 - 01:23 PM

AticAtac said:

Be honest, who is not online nowadays?
And the online-check is short and only at the beginning.

Apart from JarkkoL's bang-on comments, the one thing any shop (esp. resource-strapped indies) should fear is lighting up my support desk by using some sort of DRM that people don't see, don't understand and that limits them at points that exacerbate the frustration factor.

#18 rhamm1320

    New Member

  • Members
  • 15 posts

Posted 29 July 2009 - 04:14 PM

Nje789 said:

But isn't it bad to make them have to be online in order to play? I had a similar idea, but I decided it's not going to be more effective enough to warrant the inconvenience to users.

I would think a one-time online registration is not a big deal. Have a backup way that you can manually get them registered by phone for that 1% that are not able to activate online.

#19 Nje789

    New Member

  • Members
  • 16 posts

Posted 29 July 2009 - 06:37 PM

Alright then, I'm going with an established casual-copying stopper. (It's not like my game's likely to be very popular, so it's probably going to just be ignored by most pirates anyway.)

Any suggestions?

#20 AticAtac

    Member

  • Members
  • 87 posts

Posted 30 July 2009 - 06:41 AM

@alphadog
I wrote that I used it in my case for an application!
And for this case it worked perfectly and still does.
There is no general out-of-the-box copy protection, it all depends on the application/game and the user, etc.

You define who you want to reach: "people behind secure firewalls", at coffee shops, etc. can't run the application; that may be < 5% of users and I can live with that (that's for my case, everyone has to decide for himself).

I still think the future belongs to games which run most of the game code on the server (like MMOs), it's a perfect copy-protection.




