Non-Obfuscation Asset DRM: Steam and/or Honeypots.

corvax
Newbie
Posts: 1
Joined: Fri Mar 26, 2021 1:26 am

Non-Obfuscation Asset DRM: Steam and/or Honeypots.

#1 Post by corvax »

Hello etc.

I've been following Ren'Py for some time now, and found its code enjoyable to manipulate. There are some posts on the forum about cracking your asset encryption format (RPA). I'd like to make a few comments in that direction.

Discussion of improved encryption, obfuscation, and encumbrance notwithstanding, I think there's an unexplored counter-half-measure that might be desirable to firms willing to operate a honeypot server: enforced registration. As far as I know, this can happen at least one of two ways.

1. Some kind of always-on Web authentication measure like Steam or Battle.net, possibly involving a public/private key exchange while the game is running, that would bar users from playing if they failed the authentication handshake. (I'm not qualified in cryptology; but, hypothetically, one could fake the client/server handshake by forging the Internet traffic to/from the computer.)

2. Passive honey pot: the game executable reports to the author's server every time the author's assets are decrypted. Could check for a fake/duplicate CD key and, again, user would have to forge protocol traffic to get the game to run.

Problematically, neither of these approaches is going to prevent people from going after the RPA archives themselves. It'll just be another metaphorical wire to cut (remove authentication protocol, invoke Ren'Py's extraction procedures by hand) before the user can hot-wire the metaphorical car.

So, I guess only larger firms would be interested in such an expensive wild goose chase as this -- in which case they could simply edit their changes into Ren'Py's code and you wouldn't need to get involved -- but, if you want to protect your creators' assets by waging a war of attrition, then this could be yet another treacherous sandbar that may wreck the digital pirates' metaphorical ships.

Thanks.

xavimat
Eileen-Class Veteran
Posts: 1461
Joined: Sat Feb 25, 2012 8:45 pm
Completed: Yeshua, Jesus Life, Cops&Robbers
Projects: Fear&Love
Organization: Pilgrim Creations
Github: xavi-mat
itch: pilgrimcreations
Location: Spain
Discord: xavimat

Re: Non-Obfuscation Asset DRM: Steam and/or Honeypots.

#2 Post by xavimat »

I don't think renpy assets can be protected in any way.
Not only can rpa be opened, but rpyc can also be reversed into rpy files. So any blocker in the code can be read and bypassed.
Say you have a function that calls a web server passing a key and, after checking against the database, returns (or not) a confirmation. In the end, your function returns True if access is granted, or False if not.
Anyone can put "return True" at the beginning of that function, recompile the game and play without any check.

It's possible to have the images on the server and not in renpy, renpy can load them from the web (checking the key etc.). But then, all images go to the memory, and the saves. That would be simply impossible to handle.

Don't worry about assets. They will be read/seen anyway. Don't worry about the code, it will be messed with.

I have some prototypes harder to hack because they store values of variables in the server, not in renpy. Code and assets can be read, but the game can't be played. The hacker needs to guess how calculations are made on the server and recode them in renpy (not impossible, though).
I haven't made them to avoid hackers but to explore multiplayer possibilities of renpy. That was a side effect. (I really don't mind... actually, I'd be honoured if someone wants to see the code in my games, that means they find it interesting)

A different approach is this:
Create a web server with the dialogue in text form. At the beginning of any label, renpy could download the dialogue from the web server (checking the key, etc.), iterate over it and use it with python equivalent functions. This way, the game cannot be played without the proper authentication (but, then again, the first buyer could manually download the lines, put them in txt files, recode it to look in the folder and not on the web, rebuild your game and put it on the internet again. At least, you can ensure one buyer).
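The two designs contrasted in the post above, as an added example that is not from the thread or from Ren'Py: a yes/no key check the client branches on, against a server that keeps both the game state and the dialogue. `GameServer`, the key `KEY-1234`, the `affection` rule and the dialogue lines are all hypothetical, and the server is simulated in-process so the code runs offline.

```python
import secrets

# Constructed sample dialogue. In design B this table would exist only on the server.
SCRIPT = {"good_end": "She smiles back.", "bad_end": "The door closes."}

class GameServer:
    """In-process stand-in for the remote server, so the example runs offline."""
    def __init__(self, valid_keys):
        self._valid = set(valid_keys)
        self._sessions = {}  # token -> game state that never leaves the server

    def check_key(self, key):
        # Design A: the server answers yes/no and the client branches on it.
        return key in self._valid

    def login(self, key):
        # Design B: a valid key yields a session token; state is kept server-side.
        if key not in self._valid:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = {"affection": 0}
        return token

    def choose(self, token, choice):
        state = self._sessions.get(token)
        if state is None:
            return None  # unknown session: no state, no dialogue
        state["affection"] += {"help": 2, "ignore": -1}.get(choice, 0)
        return SCRIPT["good_end" if state["affection"] >= 2 else "bad_end"]

def play_design_a(key, check):
    # Dialogue ships with the client; the only gate is a local boolean.
    return SCRIPT["good_end"] if check(key) else None

def play_design_b(server, key, choice):
    # The dialogue and the rule that selects it both stay on the server.
    token = server.login(key)
    return server.choose(token, choice) if token else None

def demo():
    server = GameServer({"KEY-1234"})  # constructed licence key
    return {
        "a_valid": play_design_a("KEY-1234", server.check_key),
        "a_check_replaced": play_design_a("bogus", lambda key: True),
        "b_valid": play_design_b(server, "KEY-1234", "help"),
        "b_invalid": play_design_b(server, "bogus", "help"),
    }

if __name__ == "__main__":
    print(demo())
```

In design A the outcome depends only on what the local check returns, so the check protects nothing once the client code is edited; in design B an invalid key yields no session and therefore no dialogue, although a legitimate buyer can still record what the server sends.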

Lochana
Newbie
Posts: 21
Joined: Fri Jul 28, 2017 6:26 am
Projects: Touhou - Reimu's day out! (Won't see the light of day probably)
Github: lochana-Dineko

Re: Non-Obfuscation Asset DRM: Steam and/or Honeypots.

#3 Post by Lochana »

The truth is it's unlikely that someone will start going through your assets in the first place. Regardless, a dedicated person can circumvent most obfuscation anyway. Just look at how many Visual Novel archive formats have been decoded and extracted.

Honestly, if someone is willing to go to the extra effort and look at my game assets, it's quite humbling, isn't it?
