Non-Obfuscation Asset DRM: Steam and/or Honeypots.
Posted: Fri Mar 26, 2021 1:33 am
Hello etc.
I've been following Ren'Py for some time now, and found its code enjoyable to manipulate. There are some posts on the forum about cracking your asset encryption format (RPA). I'd like to make a few comments in that direction.
Discussion of improved encryption, obfuscation, and encumbrance not withstanding, I think there's an unexplored counter-half-measure that might be desirable to firms willing to operate a honeypot server: enforced registration. As far as I know, this can happen at least one of two ways.
1. Some kind of always-on Web authentication measure like Steam or Battle.net, possibly involving a public/private key exchange while the game is running, that would bar users from playing if they failed the authentication handshake. (I'm not qualified in cryptology; but, hypothetically, one could fake the client/server handshake by forging the Internet traffic to/from the computer.)
2. Passive honey pot: the game executable reports to the author's server every time the author's assets are decrypted. Could check for a fake/duplicate CD key and, again, user would have to forge protocol traffic to get the game to run.
Problematically, neither of these approaches is going to prevent people from going after the RPA archives themselves. It'll just be another metaphorical wire to cut (remove authentication protocol, invoke Ren'Py's extraction procedures by hand) before the user can hot-wire the metaphorical car.
So, I guess only larger firms would be interested in such an expensive wild goose chase as this -- in which case they could simply edit their changes into Ren'Py's code and you wouldn't need to get involved -- but, if you want to protect your creators' assets by waging a war of attrition, then this could be yet another treacherous sandbar that may wreck the digital pirates' metaphorical ships.
Thanks.
I've been following Ren'Py for some time now, and found its code enjoyable to manipulate. There are some posts on the forum about cracking your asset encryption format (RPA). I'd like to make a few comments in that direction.
Discussion of improved encryption, obfuscation, and encumbrance not withstanding, I think there's an unexplored counter-half-measure that might be desirable to firms willing to operate a honeypot server: enforced registration. As far as I know, this can happen at least one of two ways.
1. Some kind of always-on Web authentication measure like Steam or Battle.net, possibly involving a public/private key exchange while the game is running, that would bar users from playing if they failed the authentication handshake. (I'm not qualified in cryptology; but, hypothetically, one could fake the client/server handshake by forging the Internet traffic to/from the computer.)
2. Passive honey pot: the game executable reports to the author's server every time the author's assets are decrypted. Could check for a fake/duplicate CD key and, again, user would have to forge protocol traffic to get the game to run.
Problematically, neither of these approaches is going to prevent people from going after the RPA archives themselves. It'll just be another metaphorical wire to cut (remove authentication protocol, invoke Ren'Py's extraction procedures by hand) before the user can hot-wire the metaphorical car.
So, I guess only larger firms would be interested in such an expensive wild goose chase as this -- in which case they could simply edit their changes into Ren'Py's code and you wouldn't need to get involved -- but, if you want to protect your creators' assets by waging a war of attrition, then this could be yet another treacherous sandbar that may wreck the digital pirates' metaphorical ships.
Thanks.