License keys system

Nje789 101 Jul 28, 2009 at 19:29

I’m planning on selling a PC game via download at an e-commerce site, but I don’t know how to set up a good license key system.

I want to A: prevent the game owners from making copies that can be played on a different computer unless they disable the use of their copy on the original computer (only one computer at a time can be used with each game copy)

and B: stall the inevitable cracking by piraters for a long enough time to get some decent sales in first.

How would I go about making a license key system that accomplishes these two things?
(and this is by selling downloaded copies through an online store)

39 Replies

Reedbeta 167 Jul 28, 2009 at 20:10

Re: stalling crackers, check out this article - old, but still interesting and useful.

Nje789 101 Jul 28, 2009 at 22:57

That has some good ideas at the end of the article.

I also need help on how I’m going to get IP’s before buyers download the game, and then I need help finding a server that checks the IP when the game is played.

Reedbeta 167 Jul 28, 2009 at 23:07

Having the game required to go online every time the user plays it probably isn’t a good idea. Also, IP addresses aren’t static; imagine a user installs it on their laptop and uses it both at work and at home - they’d have a different IP at each. Some people use the MAC address of the primary network interface as a machine ID, which works well as it’s globally unique and tied to the hardware.

Anyway, one way you could implement machine IDs (and bear in mind I have no actual experience implementing license systems, so I may be overlooking something obvious) would be to create an RSA public/private key pair; keep the private key to yourself, and have the public key hard-coded in the game. Then, when someone registers, send their MAC address to your secure server, encrypt it with the private key, and send back the ciphertext. When the game starts, decrypt it with the public key and check that the MAC address matches the machine on which it’s currently running.

You still need a server to handle registrations and allow re-issuing the license if someone wants to move to a different machine (or if they replace their network card), but people won’t need to connect every time they play the game, which is much more convenient for them and reduces the load on the server for you.
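
The scheme in the post above amounts to a digital signature over the machine ID. A minimal sketch of it, added here as an example and not part of the original thread: the key is a constructed toy key, the signing is unpadded hash-then-RSA so that the block runs on the standard library alone (a real deployment would use a vetted library's RSA-PSS or Ed25519), and all function names are hypothetical.

```python
import hashlib
import uuid

# Constructed toy key for this example only: both primes are Mersenne primes,
# so the modulus is easy to factor. A real key pair comes from a crypto library.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus, hard-coded in the game
E = 65537                            # public exponent, hard-coded in the game
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves the server


def normalize_mac(mac: str) -> str:
    """Canonical 12-hex-digit form, so 'AA-BB-...' and 'aa:bb:...' match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address")
    return digits


def local_mac() -> str:
    """MAC of this machine as the OS reports it (uuid.getnode is stdlib)."""
    return f"{uuid.getnode():012x}"


def _digest(serial: str, mac: str) -> int:
    """SHA-256 over the fields the license binds together, as an integer."""
    data = f"{serial}|{normalize_mac(mac)}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_license(serial: str, mac: str) -> str:
    """Registration server: sign (serial, MAC) with the private exponent."""
    return f"{serial}:{pow(_digest(serial, mac), D, N):x}"


def check_license(license_text: str, mac: str) -> bool:
    """Game start-up: verify with the public key only, no network needed."""
    try:
        serial, sig_hex = license_text.rsplit(":", 1)
        sig = int(sig_hex, 16)
        expected = _digest(serial, mac)
    except ValueError:
        return False          # malformed license text or malformed MAC
    return 0 < sig < N and pow(sig, E, N) == expected


if __name__ == "__main__":
    lic = issue_license("ABCD-1234", "00:1A:2B:3C:4D:5E")   # constructed values
    print(check_license(lic, "00-1a-2b-3c-4d-5e"))   # same card, other notation
    print(check_license(lic, "00:1A:2B:3C:4D:5F"))   # license copied elsewhere
    print(check_license(lic, local_mac()))           # this machine's own MAC
```

Moving to another machine or replacing the network card means asking the server for a new license, and the check is only as strong as the MAC address the operating system reports.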

JarkkoL 102 Jul 28, 2009 at 23:44

You can spoof your MAC address, so it’s not a very good mechanism for copy-protection.

I wouldn’t really worry too much about users registering the game on multiple PCs without unregistering it first. It would strike as an inconvenience to legit users and isn’t really your major concern anyway. You want to prevent your game being distributed on torrent sites, etc., thus it’s better to think of a mechanism to protect your game from that.

rhamm1320 101 Jul 29, 2009 at 01:19

I had to deal with this same thing. I was amazed by the amount of pirates and people asking blatantly in message boards of “who is gonna buy and upload for this rest of us?”.

The next step was I put in a simple serial number system with a basic key-seed. Anyone that really wants to pirate it still can without much fuss, but the typical game player would not know how. I am guessing, the simple protection system probably reduced my piracy significantly.

Now, here is the twist. To an extent, I am not too bothered by torrent copies or pirated copies… those people would probably never have purchased anyways. This can be used to an advantage in a sort of viral way.

If someone downloads a torrent copy, good chance it’s going to be an old version. I do regular game updates and plaster the version number right on the game GUI. If someone likes the game, but they have an old pirated version, there is a good chance they will not find the latest build, so hopefully they turn into paying customers, customers that would probably never have heard of my game if it were not for the torrents.

hunguptodry 101 Jul 29, 2009 at 02:32

one way to uniquely ID a computer is to find the actual physical location of files on disk. 2 computers with identical files are unlikely to have their files in the same physical location even if they have identical hardware.

here is how u go about doing it. http://www.wd-3.com/archive/luserland.htm
u may not want to go as far as this article leads u to.

good luck with your game.

Nje789 101 Jul 29, 2009 at 02:55

All I really want to do is a decent job of discouraging most people and stalling the real piraters for at least a month or so.

Does anyone know of something I could use that helps set up a license key system with minimal work on my part?

TheNut 179 Jul 29, 2009 at 03:41

You can do what Valve does, it’s pretty good. Essentially people download or buy the game, but it doesn’t include the main executable. When the game starts up for the first time, a user inputs his or her serial, which is sent to and validated on your servers. If successful, the user will download a signed executable to run the game. If they attempt to redistribute that exe or provide a cracked version, you can tell from the signature of the EXE who it belonged to and punish accordingly. Subsequent users of that EXE can then be banned. A complex offline check can be made and cause random problems such as faulty AI or gameplay problems.

This is a model you can build off of, so it’s future-proof. Your first version may just be a basic serial validation scheme, but over time you can refine your business models and introduce new DRM features.

Kenneth_Gorking 101 Jul 29, 2009 at 04:34

@Nje789

All I really want to do is a decent job of discouraging most people and stalling the real piraters for at least a month or so.

You can stall newbies with some (or all) of the standard anti-debugging techniques (1, 2) scattered throughout your code, but skilled crackers know these tricks, and know how to avoid them.

You could also use the status returned from the various anti-debugging code to flip random bits of data, or even code, instead of flashing some error. This way, it will take the game much longer to expose all of its safeguards, and although it won’t stop the crackers, it should pose some challenges for them :)

@Nje789

Does anyone know of something I could use that helps set up a license key system with minimal work on my part?

License key systems are also not immune to crackers, just look at some of the later examples in Damn vulnerable Linux :p

JarkkoL 102 Jul 29, 2009 at 09:19

I have thought of implementing the protection by using CPUID, where the user registers the executable online for a given CPUID. Nice thing with CPUID is that unlike protection which uses external API calls (e.g. win32) you can’t instrument it since CPUID is an x86 instruction, and because it’s very lightweight you can sprinkle your code with tons of checks and have them hidden/encrypted from crackers. Unfortunately the serial number returned by CPUID is rarely implemented by processor vendors, but you can build a key for a specific CPU brand (EAX=1) which prevents mass distribution of your game. It’s relatively easy to remove an individual protection once it’s triggered, but you can make this a VERY taunting task for crackers since they would have to play the game and remove each randomly triggering trap manually, which takes a huge amount of time, and crackers can never be sure that all the traps are removed.

When a trap is triggered, you just terminate the game with an appropriate message. I think it’s a bad idea to make your game crash randomly because that’s very bad publicity for you and people will think your game is badly coded. Doesn’t matter if the publicity is unjustly distributed by pirates, since people won’t know that and if the crashes occur due to the protection or badly coded game.

So, legit users go online to register the game for given CPU and the registration process changes bytes in the exe to make it run on that CPU. Unlike Steam, you never need to go online after registration for that CPU, so it’s actually convenient for users.

AticAtac 101 Jul 29, 2009 at 10:56

There is no 100% copy protection.
This is what I did:

  • each time the “game” (in my case it’s an application) starts, it needs to authenticate to my server (serial key)
  • the server tracks “logins” and “logouts” (game closes) and also takes care of timeouts and possible client crashes

Now comes the main part: after the login the client gets a small DLL (which will never be stored to HD). This DLL has some important and essential code which is needed for the client in order to be able to run properly. This way I am also able to provide some updates (the code in the DLL needs to be chosen very wisely!). So removing protections and other usual things won’t help since you still need the DLL, and only with a valid serial key will the server send the DLL. Of course a hacker could intercept the returned DLL (which is also encrypted) and make a workaround, but this is much more complex.

With enough talent, motivation and time a hacker could always break a security system.

Nje789 101 Jul 29, 2009 at 12:46

But isn’t it bad to make them have to be online in order to play? I had a similar idea, but I decided it’s not going to be more effective enough to warrant the inconvenience to users.

To be perfectly honest, I don’t know a thing about software copy protection, other than its recurrent theme of inevitable pirating success.

I’ll use any effective enough method, but I need something that doesn’t require any knowledge of what you’re doing, just using a “wizard” -like program to help you set something basic up automatically for you.

AticAtac 101 Jul 29, 2009 at 13:05

Be honest, who is not online nowadays ?
And the online-check is short and only at the beginning.

JarkkoL 102 Jul 29, 2009 at 13:19

1) people behind (over) secure firewalls (read: some workplaces)
2) people who bring their laptops along with them (to airplanes, coffee shops, etc.)
3) people whose ISP sometimes is screwed (mine was just couple of days back)
4) your server may be off-line

Requiring online connection to play your game is a bad idea.

alphadog 101 Jul 29, 2009 at 13:21

With all due respect to the YOTD team, that article was in 2001. With the explosion in net access, the cracking scene is very different now, and with the criminal aspect permeating it, for the worse.

Crackers have cracked most mechanisms out there for any game with strong stand-alone presence, within days in the worst-case scenario. The more popular the game, the faster it will be fully cracked. Downloadable content doesn’t stop them. Sims 3 content packs were available on the net within hours! For AA and AAA titles, they actually sometimes have people and/or systems “on the inside” getting them early copies to get a head start. I’ve seen big titles released in cracked form before they even hit retail! In fact, the race is on to get your cracked version out first, with trojans, so as to get the most systems.

The only copying you can deter is casual copying, and for that you don’t need much. I’d look for canned systems (ex: Silicon Realms’ products) and not waste my time and resources on developing my own “new and improved” scheme that will just as likely fail. Also, don’t get seduced by promises of far-reaching DRM. You pay a lot for not much gain.

Yet, you should still have accommodations that allow a handful of installs for homes with multiple systems, or people that frequently change systems, or that are not online all the time. AticAtac’s mechanism is an example of a bad idea for people who aren’t online all the time. Nothing I hate more than being stuck somewhere with bad connections and not being able to take a break with game X because of some online requirement. Not only do I end up hating the game, I likely won’t buy again from that vendor…

Also, if you develop your own canned solution, don’t forget to keep in mind the ignorant end-users. Lots of people may end up with a cracked game without knowing it. If you make a game behave erratically or do something damaging, they will blame you, not the cracker. Worse yet, a class action suit…

Most people who torrent casually frequently infect their systems and render them inoperable, so they eventually get what they deserve and hopefully learn from it.

Those who are veterans are armed with some intelligence and are pretty much unstoppable, because they are plugged into how and from who to download their warez.

alphadog 101 Jul 29, 2009 at 13:23

@AticAtac

Be honest, who is not online nowadays ?
And the online-check is short and only at the beginning.

Apart from JarkkoL’s bang-on comments, the one thing any shop (esp. resource-strapped indies) should fear is lighting up my support desk by using some sort of DRM that people don’t see, don’t understand and limits them at points that exacerbate the frustration factor.

rhamm1320 101 Jul 29, 2009 at 16:14

@Nje789

But isn’t it bad to make them have to be online in order to play? I had a similar idea, but I decided it’s not going to be more effective enough to warrant the inconvenience to users.

I would think a one-time online registration is not a big deal. Have a backup way that you can manually get them registered by phone for that 1% that are not able to activate online.

Nje789 101 Jul 29, 2009 at 18:37

Alright then, I’m going with an established casual-copying stopper. (it’s not like my game’s likely to be very popular, so it’s probably going to just be ignored by most pirates anyway)

Any suggestions?

AticAtac 101 Jul 30, 2009 at 06:41

@alphadog
I wrote that I used it in my case for an application!
And for this case it worked perfectly and still is.
There is no general out-of-the-box copy protection, it all depends on the application/game and the user, etc.

You define who you want to reach: “people behind secure firewalls”, at coffee shops, etc. can’t run the application; that may be < 5% of users and I can live with that (that’s for my case, everyone has to decide for himself).

I still think the future belongs to games which run most of the game codes on server (like MMOs), it’s a perfect copy-protection.

Nje789 101 Aug 01, 2009 at 13:49

Does anyone know of a python script I could use to help copy protect my game? (My game’s made using python scripts)

I’m really lost about actually implementing this the right way.

zebeste 101 Aug 01, 2009 at 16:17

Very interesting thread. My biggest concern with many DRM methods are those that use the hardware. What if a component in someone’s computer fails? Then there is a chance that when they replace it that, depending on what you are checking, they will no longer be able to play the game. Now, I had a thought: what if you created a disabled version and posted it on the torrent sites yourself. Then, when the user tries to run it, it installs either a small oblivious file on the system or a key (or more than one) in someplace like the registry, then in your release version have a checker that checks for those files or keys so that when they come across a working copy on the torrent sites, it can just not work. Then some people will report that it doesn’t work, they’ll report it as a fake or something like that. Now, you need a way to ensure that people who downloaded your disabled version and then bought a legit copy can still run it. One way to do this may be during an online activation, where you can send them a small executable that fixes it. Not the way I would like to do it personally, but off the top of my head it is the only one I can think of. Please note that this is an idea I had just like 5 min ago, so it may not be very good.

JarkkoL 102 Aug 01, 2009 at 16:44

@zebeste

What if a component in someone’s computer fails?

You just register again.

Nje789 101 Aug 02, 2009 at 20:06

Does using a MAC or IP address for your licensing involve using Common Gateway Interfaces at the download web site?

Reedbeta 167 Aug 02, 2009 at 21:05

Common Gateway Interface or CGI is just one (nowadays not often used) method of server-side scripting. Most people use PHP, JSP, or ASP.NET for this kind of scripting now. All forms of server-side scripting allow you to retrieve the client’s IP address, but no other form of machine ID (cpuid, MAC address, etc). To use one of these other forms you would have to have the registration take place not at download time but the first time the user runs the game. Then the game running on the client’s computer could extract whatever information is necessary and send it to the license server.

Nje789 101 Aug 02, 2009 at 21:21

Is there a way to setup a general copy protection that doesn’t require a server?
I don’t even care about piraters, I just want to stop kids from giving free copies to their friends.

I just want an opinion on what would be a good way to do this that’s not hard or complicated and doesn’t cost anymore than it needs to.

Nick 102 Aug 02, 2009 at 23:01

@rhamm1320

To an extent, I am not too bothered by torrent copies or pirated copies… those people would probably never have purchased anyways. This can be used to an advantage in a sort of viral way.

While there appears to be some advantage to piracy in the form of viral advertisement, I’m really not sure if those people would never have purchased it anyways. Many simply believe that their expensive internet connection justifies that anything they can grab for free is rightfully theirs. They just never bother to think further and realize that no money is going to the creators and it’s practically stealing. Plus, ‘everyone’ is doing it so why should they be the ones who pay and not the rest?

I truly believe that if you take away the possibility of downloading a cracked version you’ll sell a lot more copies. I’ve read and heard of numerous cases where sales dropped significantly the day a working crack appeared online.

Also think for example of World of Warcraft. Unless you steal someone’s account there’s no way to play it online. And while virtually uncracked it’s one of the most popular games, with people happily paying to play.

So good crack protection really pays off. You’ll just need to do more advertisement to increase popularity. And personally I believe the best way to do that is to have an extensive demo. Nowadays there are a lot of games without a decent demo, often with just a trailer that doesn’t even show actual gameplay. That’s really sad. Any good product should be able to ‘sell itself’. Let the people have a good taste of what the game is like, for free, and let those who really enjoy it pay to play the rest of the game.

Nick 102 Aug 02, 2009 at 23:33

@Nje789

Is there a way to setup a general copy protection that doesn’t require a server? I just want to stop kids from giving free copies to their friends.

You’ll always need an activation server, because there’s no way to detect digital copying. But you can keep track of the number of activations. Anyway, since you’re distributing it online you know that the buyer has an internet connection, so I don’t see the problem with requiring a server.

Nje789 101 Aug 03, 2009 at 00:20

Ok, I guess I need a server then.

..So does anyone know of a good server to use?

How should I set up the license system? (I’m using python)

Would it be a good idea to have the game check what MAC address or file number the game is?

Nick 102 Aug 03, 2009 at 02:37

I don’t even care about piraters, I just want to stop kids from giving free copies to their friends.

I don’t understand your way of thinking here. You don’t care about thousands of downloads on peer-to-peer networks, but you do care about a kid giving the game to his sister?

You really have to avoid that your anti-copying measures annoy the paying customers while the pirates have a cracked version free of annoyances. That makes people who at first considered buying the game look for the pirated version instead.

So, unfortunately, you have to care about pirating too if you care about making a buck and building a good reputation with your customers. The only other option is to just not care about copying at all…

I think a reasonable approach would be to add to your EULA (which nobody reads) that the game can only be installed on three systems, and in reality allow it to be installed with five different MAC addresses (to account for ethernet card replacements and such). This way they can still give it to a limited number of close friends, but it can’t be spread on peer-to-peer networks. Show a warning on activation as soon as it’s installed on more than one system, to make sure they do understand that the installation count is limited. A de-activation tool is also appreciated, in case they sell their old system, or they exceed the activation count just to see how many times they can install it…
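
The activation policy suggested in the post above, sketched as server-side bookkeeping. This is an added example, not code from the thread: the class, its method names and the machine IDs are hypothetical, and only the enforced limit of five is modelled (the EULA's stated three is text, not logic).

```python
from dataclasses import dataclass, field

HARD_LIMIT = 5    # distinct machines the server really allows (from the post)
WARN_ABOVE = 1    # warn as soon as the key is active on more than one system


@dataclass
class ActivationLedger:
    """Server-side record of which machine IDs each sold serial is active on."""
    issued: set                                   # serials that were sold
    active: dict = field(default_factory=dict)    # serial -> set of machine IDs

    def activate(self, serial: str, machine_id: str):
        """Return (granted, message) for an activation request."""
        if serial not in self.issued:
            return False, "unknown serial"
        machines = self.active.setdefault(serial, set())
        if machine_id in machines:
            # Re-installing on a machine that is already counted uses no slot.
            return True, "already activated on this machine"
        if len(machines) >= HARD_LIMIT:
            return False, "activation limit reached; deactivate an old system"
        machines.add(machine_id)
        if len(machines) > WARN_ABOVE:
            left = HARD_LIMIT - len(machines)
            return True, f"warning: active on {len(machines)} systems, {left} left"
        return True, "activated"

    def deactivate(self, serial: str, machine_id: str) -> bool:
        """De-activation tool: free the slot held by a machine being retired."""
        machines = self.active.get(serial, set())
        if machine_id not in machines:
            return False
        machines.remove(machine_id)
        return True


if __name__ == "__main__":
    ledger = ActivationLedger(issued={"ABCD-1234"})    # constructed serial
    for machine in ["m1", "m1", "m2", "m3", "m4", "m5", "m6"]:
        print(machine, ledger.activate("ABCD-1234", machine))
    print(ledger.deactivate("ABCD-1234", "m1"))
    print("m6", ledger.activate("ABCD-1234", "m6"))
```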

alphadog 101 Aug 03, 2009 at 20:59

@Nje789

How should I setup the license system?

Seriously, I would highly recommend you buy a canned solution. (Not sure if there is a free and open version out there. Never looked.)

Software obfuscation, trapping and protection is not for the faint-of-heart (or mind). It is very tricky and involved.

Or else, based on your questions, you will likely re-create a system that can probably be cracked in a few seconds, by some script kiddie’s first shot in a disassembler, if and when your game gains any kind of popularity.

You don’t get a license system with one Python script, unfortunately.

Nje789 101 Aug 04, 2009 at 21:29

I’ve been looking for a canned solution, but I’m not sure what would work well.

Does anyone know of a good one?

alphadog 101 Aug 04, 2009 at 22:01

What’s your budget, if any?

Actually, now that I think about it, I’ve never seen a (F)OSS activation/protection software package. Probably because FOSS and that kind of software is a little like oil and water… :)

Nje789 101 Aug 05, 2009 at 01:16

What about this 100% free download:

http://spiceworks.com/free-software-inventory-audit-tool/

Is this an easy way to create licenses for software downloads? Anyone tried it?

alphadog 101 Aug 05, 2009 at 04:11

That’s an asset management system, not a license generator/manager…

Nje789 101 Aug 05, 2009 at 17:45

Has anyone tried this:

http://download.cnet.com/CD-Key-Generator/3000-2216_4-10704258.html

-is this something someone that knows nothing about license keys could use?

alphadog 101 Aug 05, 2009 at 18:20

It just generates keys, which any stupid script can do. The trick is managing the keys and protecting the executable.

Nje789 101 Aug 05, 2009 at 23:33

..so that’s just a half-baked solution, then? (and a rip-off at that)

Well, back to searching, then.

I’m still just learning the engine I want to use, this is just something I wanted to have cleared up long before I get to making my game. This is so I’d know beforehand that everything would be in order should I become ready to get my game out there.

Speaking of which, it’s Blender, and I was hoping they’d hurry up and finish the next version (which is a vast improvement), before I get started on the game. (I’ve already finished writing most of how the game works and started writing scripts in free-form for the game).

I heard some people don’t use Blender for commercial purposes because they think the license doesn’t allow protection of assets, but someone else said this isn’t true, and that it’s a great license for any commercial purposes.
I read the GPL, and it seems to be the latter case as far as I could tell.

Nje789 101 Aug 10, 2009 at 22:11

I’m having a lot of trouble finding a license generating software. I might have to just make my own license key system that uses a key server.

Does anyone know of any tutorials that could help me do this?

JarkkoL 102 Aug 11, 2009 at 05:31

You could check out Silicon Realms SoftwarePassport DRM solution. It costs $299, but if you don’t expect even that as ROI, then your game is probably better off without any DRM ;) I haven’t used it and have no idea if it’s any good, but well, you find out and let us know (: