SecureFile: Attempt to protect AGS games from piracy...

Started by Dualnames, Sun 26/07/2009 00:25:18


arj0n

Quote from: Akatosh on Sun 26/07/2009 13:13:53
I... think I've figured out a way to bypass the security.
I think not, both versions give the error message:

[report]
A Fatal error has been generated by the script using the AbortGame function. please contact the game author for support.

in "SecureFile.asc", line 74

Error: File 'protection" is active ; ) There seems to be some security problem. The version of the game you have, appears to be pirated.
[/end of report]

As far as I know, SecureFile isn't that easy to bypass/crack...

Galen

[Not relevant, I missed part of vince's post]

Akatosh

Hm... darn. Well, give me some time.

/EDIT: Alright, I've tested another version on two PCs that aren't the one I performed the crack on, and both accepted the enter key instead of a "real" serial number. Hang on, I'm uploading it right now.

Anyway, the method I used was to open SecureFile.exe with a Hex Editor, search for "secfile.vgm" to replace it with "newfile.vgm" and create said document, containing only an underscore (_). Maybe you can reproduce that if the cracked file doesn't work.

/EDIT2: http://www.sendspace.com/file/hj9zih

Layabout

Quote from: Crazy on Sun 26/07/2009 13:54:27
I doubt the name idea would work Vince, unless you've got a foolproof method of stopping people supplying a false name.

The name comes from the credit card used to purchase... If you bothered to read Vince's post.
I am Jean-Pierre.

CodeJunkie

I'm assuming the copy protection is just some function that runs before the game starts.  Can't you just disable any calls/jumps to the copy protection code?  I gave it a try but I'm new to debuggers and couldn't find it.

If it was hard to crack then there wouldn't be all sorts of elaborate measures like ARMA 2, Earthbound and Spyro 3, which would subtly make the game harder or impossible once the player has wasted enough time on it (I think, by hiding checksums of game data and comparing throughout the game).  Even then, there's a high risk of false positives causing outrage amongst legitimate users.  I'd imagine anyone intent on cracking an AGS game wouldn't struggle too much.

Stupot

I think the vast majority of people who pirate a game never intend to buy it anyway.  So it shouldn't be seen as an $18 loss, rather as $18 not gained, that would not have been gained anyway.  That's not a justification for piracy.  I just think of those people who are not going to pay, I'd rather they still played the game and helped spread the word, than not play it at all.

At least as an amateur.  If I were to go professional, and the games were my only source of income, then I might look at it differently.

GarageGothic

Quote from: Layabout on Sun 26/07/2009 14:17:14
Quote from: Crazy on Sun 26/07/2009 13:54:27
I doubt the name idea would work Vince, unless you've got a foolproof method of stopping people supplying a false name.

The name comes from the credit card used to purchase... If you bothered to read Vince's post.

And of course nobody ever used stolen credit cards to buy stuff on the internet  ::)

Layabout

Quote from: GarageGothic on Sun 26/07/2009 16:13:59
Quote from: Layabout on Sun 26/07/2009 14:17:14
Quote from: Crazy on Sun 26/07/2009 13:54:27
I doubt the name idea would work Vince, unless you've got a foolproof method of stopping people supplying a false name.

The name comes from the credit card used to purchase... If you bothered to read Vince's post.

And of course nobody ever used stolen credit cards to buy stuff on the internet  ::)

The whole point of Vince's theory is to deter legal purchasers of the game. Those who would bother (almost none) to buy his game using a stolen CC would not have to worry about their name on the welcome screen, correct.
I am Jean-Pierre.

Dualnames

Quote from: Akatosh on Sun 26/07/2009 13:56:47
Alright, I've tested another version on two PCs that aren't the one I performed the crack on, and both accepted the enter key instead of a "real" serial number. Hang on, I'm uploading it right now.

Anyway, the method I used was to open SecureFile.exe with a Hex Editor, search for "secfile.vgm" to replace it with "newfile.vgm" and create said document, containing only an underscore (_). Maybe you can reproduce that if the cracked file doesn't work.

That is really helpful, Akatosh. Laughed when I saw (just hit enter). I'll try and narrow it down if possible.

To answer to everybody's post:
Vince:
Agreed there. Thanks for the helpful insight.
Quote
So, to break this security, all the person has to do is buy the game, enter their code, and then upload it to the file sharing site.  If you have to enter the serial in every time you play (that would be really annoying to your legit users) the pirate would just have to include the serial number in a txt file along with the game.  And boom, your game is cracked.

That's not possible. Game locks if you do that. The purpose of this whole thing was to prevent exactly that. And it does.


Quote from: Ryan Timothy on Sun 26/07/2009 04:51:40
I'll have to admit that I've never purchased software before.   :-\  I usually download them...

Games on the other hand, for some reason I seem to be willing to fork over the money.  I usually only buy games for my console (360); mainly because my computer is shite.


And that was a good idea Vince, that if you were to have an encryption code have it contain and display the purchasers name once entered.  It's definitely not going to stop it, but it does put a little fear in their minds if they decided to pirate it for everyone else.

But I'm totally against having to enter an encryption code unless it's for a high end commercial game that doesn't need word of mouth to sell.


I was going to say pretty much everything Vince had just written in his new message while I was typing.  So I deleted it. :P

Ryan, the whole purpose of this is to create a non-bother system and still make that system unbreakable, I'm going to give it a shot anyways..just for the hell of it.

I pretty much have pirated copies of certain games. I do still own all games, and I've bought DITR, for I thought it would be unjust to steal from one man's hard work.


Quote from: CodeJunkie on Sun 26/07/2009 15:31:40
I'm assuming the copy protection is just some function that runs before the game starts.  Can't you just disable any calls/jumps to the copy protection code?  I gave it a try but I'm new to debuggers and couldn't find it.

If it was hard to crack then there wouldn't be all sorts of elaborate measures like ARMA 2, Earthbound and Spyro 3, which would subtly make the game harder or impossible once the player has wasted enough time on it (I think, by hiding checksums of game data and comparing throughout the game).  Even then, there's a high risk of false positives causing outrage amongst legitimate users.  I'd imagine anyone intent on cracking an AGS game wouldn't struggle too much.

The point is yes that it wouldn't be much of a struggle. The point is to make it one (if at all possible).

Quote from: Layabout on Sun 26/07/2009 17:13:25
The whole point of Vince's theory is to deter legal purchasers of the game. Those who would bother (almost none) to buy his game using a stolen CC would not have to worry about their name on the welcome screen, correct.

That can also be done via SecureFile, I just thought it would really cause inconvenience to the user.

Addition
Well, point taken there. Hell, Spore had this system (3 times on a computer), and it was the most pirated game, and people preferred to have it cracked than bought. But this attempt from my side is to make a protection system that is more than meets the eye. When and if I ever go commercial funding a project with my money, I'll probably have the game totally uncracked. Hackers just these days can enter pretty much anywhere, if they want to crack a game, they will. You just can't help it.
Worked on Strangeland, Primordia, Hob's Barrow, The Cat Lady, Mage's Initiation, Until I Have You, Downfall, Hunie Pop, and every game in the Wadjet Eye Games catalogue (porting)

arj0n

Akatosh:
I think you're right.

The easiest way:

1. Replace all the characters in the file "secfile.vgm" with for example the ALT-255 code (the most empty alt-character ;)) (but any char will do) and save and overwrite the file.
2. Run "SecureFile.exe" and play :P

Good old hex times ;D

You can even create a patch to automatically edit that file when running the patch and done...

But:
Strange thing is that when I download an original copy again, extract it into a different directory even on a different harddisk and run securefile.exe while not using a hexeditor to edit any file, it doesn't ask anymore for a serial number?
Any idea?

LimpingFish

Quote from: Vince Twelve
Just wanted to add that I think the super small indie game company's biggest defense against piracy is that they're real people.  Like WadjetEye Games is mostly just one dude working on games from his apartment.  Some people pirate because they're sticking it to the man (Fuck the RIAA, Fuck the MPAA, Fuck the ETCETERA!).  But how can you justify ripping off the dude who's making games just to barely make ends meet and does so because he loves games and really wants to share his creations with people?

Even Wadjet Eye isn't immune (though a quick browse of a random torrent site seems to show the numbers are relatively low):

Blackwell Legacy = 2559
Blackwell Unbound = 1201
Emerald City Confidential = 12922

Still, if we were to take those combined Blackwell downloads at market value, it's a possible $94000 (improbable and imaginary money it may be).

I never bought the whole "Fight the Power!" angle to file-sharing. People like to get stuff for free; who doesn't? It's just easier to take it from faceless corporations. Not that I don't think Vince has a point about indie games, but if any game is critically or commercially popular it's going to be shared a considerable amount.
Steam: LimpingFish
PSN: LFishRoller
XB: TheActualLimpingFish
Spotify: LimpingFish

Vince Twelve

Quote from: Dualnames on Sun 26/07/2009 17:33:26
That's not possible. Game locks if you do that. The purpose of this whole thing was to prevent exactly that. And it does.

Can you explain how your SecureFile works?  For example, what stops one person's serial number from working on another person's computer?

monkey0506

You know this "copy protection" is all well and good until somebody goes and asks 4chan. Anonymous don't afraid of anything. :D

Ubel

Why would anyone want to break your system or try to play without the serial when all one has to do is distribute the game with the serial number in a text file? All you've done here is what so many game developers have done so far, add a serial number to your game. And since you can use the same serial number on as many computers as you want there's no piracy protection here...

Akatosh

Correct me if I'm wrong, but from what I've gleaned, it works like this:

- secfile.vgm contains serial number cyphers, probably with quite strong encryption. This one is checked against; I suppose the .exe uses the same algorithm and key when you enter something in the text box, and checks whether the cyphers are the same. This would prevent serials of other people from working, and with reasonably strong encryption, it would hardly be feasible to try and "force" the key (although it could probably be extracted from the .exe).

- secfile.dat probably stores... additional information.

- Additionally, I guess a "hidden" file is created somewhere when you 'unlock' the game. Maybe there's something about those save files automatically created, I don't know.

Now, when you enter the serial number correctly, a flag is set in secfile.dat and said hidden file is created. Therefore, you can't just copy the contents of the folder over; if you do, SecFile detects that the flag is set but the "validification" is missing, and doesn't allow the game to start. The trick is that once the game has been unlocked, your copy is "marked" and you can't distribute it (that was what tripped up my first crack).

Am I far off track?

(It's really not a bad system btw, especially not for an amateur solution, but it needs a lot more checking and redundancy if it's supposed to be more than a minor inconvenience.)

bicilotti


arj0n

Akatosh, you're completely right.

Once a stored serial number from "secfile.vgm" is entered, "agssave.temp" will be generated as unlocker in a savegame directory, mine seems to be "my documents/my saved games/Hitchhiker's Guide to the Galaxy Remake/agssave.temp".
The content is not clear for me, just the fact that this file is there, could be enough as unlocker. But there is some small info inside this file, maybe the "serial" entered when asked when starting the game. Any idea?
Then the info of this generated file, like location/datetime stamp/etc (the flag), is stored in "secfile.dat".

Side effect of this is that when you delete the "agssave.tmp" file, the game will crash as "sorry, pirated version"...
logically you will have to overwrite the "secfile.dat" file in the game directory with the original and the game will run again

So to distribute it "agssave.temp" is needed, but I think then the problem will be that a patch cannot search for something file to detect the location. This location can for example be OS dependent. That would not be the problem, that can be detected. but if there are more options, it can hardly be patched. Then one needs to place this file manually.

So bypassing the serial isn't the problem (sorry Dual).
Distributing it, once it is bypassed will be a bit harder (but not impossible).

And yes, you're exactly on track  ;)

Dave Gilbert

In general, I like to keep my games DRM free.  I've found that they really annoy legit users and don't deter piracy at all.  Case in point, there were a lot of annoyed people when Emerald City Confidential was released earlier this year.  It uses PlayFirst's DRM, which is pretty draconian from what I understand.   I don't think it's a coincidence that Emerald City Confidential is the most pirated of all the games I've made! :)  Of course, it's more of a mass-market title than my Blackwell stuff, but still.

Anyway, this sounds useful but I'm afraid it wouldn't be feasible for someone like me.  I'd have to remove all security wrappers when I put the game on distribution channels (like iWin, Big Fish, etc) so any security I glean from it would be lost.  However, for those who just plan on selling their games from their own website and nowhere else, this would certainly come in handy.

Vince Twelve

Maybe I'm missing something, but I still don't understand why I can't just distribute my legally bought Serial Number (or bought with a stolen credit card I guess, if I were willing to risk such a serious crime on such a cheap piece of software...) alongside the original .rar file. 

The only way I would know how to stop that from working would be to have the verification program check with an internet server to make sure that the same serial wasn't used more than once.  But then you're getting into "too annoying and insulting to your customer" territory.
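
Added example, not part of any post in this thread and not SecureFile's code: a sketch of the server-side check described in the post above, where a serial is accepted only if the server issued it and it has not already been activated on a different machine. All names (`ActivationServer`, `issue_serial`, the `machine_id` value) and the demo key are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; in this design it exists only on the server, never in the game.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_MACHINES = 1  # "not used more than once", as in the post


def _tag(order_id: str) -> str:
    """Truncated HMAC over the order id, so guessed serials do not validate."""
    return hmac.new(SERVER_KEY, order_id.encode(), hashlib.sha256).hexdigest()[:16]


def issue_serial(order_id: str) -> str:
    """Serial handed to the buyer: order id plus server-computed tag."""
    return f"{order_id}-{_tag(order_id)}"


class ActivationServer:
    """Hypothetical in-memory activation registry (serial -> machine ids)."""

    def __init__(self) -> None:
        self.activations: dict[str, set[str]] = {}

    def activate(self, serial: str, machine_id: str) -> str:
        serial = serial.strip()
        order_id, sep, tag = serial.rpartition("-")
        # Fail closed: empty or malformed input is rejected, never treated as a match.
        if not sep or not order_id or not tag or not machine_id:
            return "rejected: malformed"
        # Constant-time comparison of the submitted tag against the expected one.
        if not hmac.compare_digest(tag.encode(), _tag(order_id).encode()):
            return "rejected: invalid serial"
        machines = self.activations.setdefault(serial, set())
        if machine_id in machines:
            return "ok: already activated here"  # re-running on the same PC is fine
        if len(machines) >= MAX_MACHINES:
            return "rejected: serial already used on another machine"
        machines.add(machine_id)
        return "ok: activated"
```

A serial shipped in a text file next to the download validates once and is then refused for every other machine, at the cost of requiring a network connection, which is the trade-off the post raises.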

cat

If I knew that credit card information is used for my personal copy of the game to show the name I probably would not buy the game. Credit card information is something I don't want to give away anyway (that's why I hardly buy anything on sites I don't fully trust) so I wouldn't want someone to mess around with this information, even my name.
In this case, I'd rather pirate the game than buy it myself  ::)
