Hello,

my games, after more than 1 years, have been correctly cracked !
Maybe they became too famous ! :p

It's not a big issue, as I need about 15 min of work to create a new version incompatible with any crack...

But the next step of hackers will be to create a keygen. I'm not sure how hard it'll be for them, but I think I should crypt the user codes with RSA.

Currently, I'm using Name+Email+Code to create my keys, and I want to crypt only the Code, which is only 32 bits long.
Would it be efficient enough to prevent Keygen to pop-up ?
And what length I should use for the RSA key ? 512 ? 1024 ?

Moreover, I create my user keys with .php (it's more efficient & easy to handle my customer base), so I need a RSA crypting in .php, and a RSA decrypting in .C ...
Anyone knows a library supporting these both formats ?

I found a nice .c lib, but it has several files, and it might a bit long to convert to .php by myself....


Thanks!

But the next step of hackers will be to create a keygen. I'm not sure how hard it'll be for them, but I think I should crypt the user codes with RSA. For what it's worth: In my experience, the keygen is actually created by following what happens inside the code and duplicating it.

If they manage to make keygen for the most popular commercial games that have serials long 16-24 characters... I think it would be wasted time, make another game instead ;)

as said in a couple of thread in these forums, RSA is "unbreakable" (it's the "prime numbers" magical effect ;) ).
But I'm not sure of the details of the implemenation; ie : is the lenght of bits I encrypt matter or not..?

I read explanations about RSA, and I guess it doesn't, but I'd like to have the advice of the RSA experts ... :)

The reason serial generators for serials 16-24 characters long exist is that they're simply too short: you can encode about 5 bits of information in each character, giving at most 128 bits in total. To get an "unbreakable" serial it needs to be at least 512 or even 1024 bits. No user wants to enter 1024 bits of information manually, so what we do is to make them enter a regular serial and contact a server that signs the key along with their conact information (if the key exists in our database). This signed object (which is much larger) is then stored on disk and its signature is checked with the public key each run.

- elias

I do what elias does. Impossible to create a keygen for it. Instead they have to release a tiny patch file that removes the registration check :) It's not hard for anyone who knows Java but you know how it goes, locks keep honest people honest etc.

Cas :)

Furthermore, a patch (crack) for the game is much harder to maintain than a serial generator.

- elias

Ah understood now... but well, why don't just use a ready solution like Armadillo? costs 250$ but you save big time on implementation... (except for java, Armadillo doesn't work with that I think).

Armadillo does work with Java (well, my games at least), but there was no point in relying on it because a) it was so easy to do in Java anyway b) it doesn't work on Mac and Linux and those two platforms are key platforms for both Elias and me and c) it's a pretty ugly solution compared to the lovingly integrated one we both use and d) it costs $250 :D

Cas :)

yup, use custom system doesn't take so long time, I think about 2 or 4 days of dev at most, and it allows greater freedom of encryption / hiding / checking / etc, I guess, and so it won't look familiar for the hackers, and it saves 250 buck ;)

Well I must admit that java is absolutely the best anti-crack thing.
I did a search in google and I found easily crack/keygen/torrent fullversions download for every game made here by the various authors, except princec ones :eek:
I tried to search hard but really couldn't find anything about puppytron, and it's a popular game...

That's right, I've tried pretty hard but I've never found a crack for my games, which is odd - they're trivial to crack. Can't find one for Tribal Trouble either.

Cas :)

yup, use custom system doesn't take so long time, I think about 2 or 4 days of dev at most, and it allows greater freedom of encryption / hiding / checking / etc, I guess, and so it won't look familiar for the hackers, and it saves 250 buckThis is a bit misleading. You might save yourself $250 of cash but you've spent 2-4 days writing it. That would put your own time at a value of $62.50 to $125 per day. My time is more valuable than that.

Luggage, remeber that integration does also take some time. And to integrate Armadillo into your application will probably take about as long as writing the simple RSA keygen. Armadillo does more stuff for sure, but if you only want RSA keys then you don't need that more stuff.

I'm also using server activation (or alternatively license files) to activate the full version. ManuTOO, I'd suggest you write both the client and server pieces in c and then call the c program from you php script. No fancy embedding, just a simple system call with the info to encrypt and the keygen returns the encypred key. This way you can keep the same code in both ends. IMath (http://engineering.dartmouth.edu/~sting/sw/imath/) is a super bignums implementation (to actually get RSA working). You can generate the keys with any RSA key generator (search for free ones).

I echo Cas, honest people etc.. :)

I thought about a different (easier) system, if you require online registration:
- user buys from plimus and I generate the normal serial (not RSA just a normal one)
- the user name and serial gets stored in a mySQL Db on my server
- when user enter his name and serial, the game connect and verify that the order was successful
- if the order can't be verified, only solution would be a crack (keygen wouldn't work anymore)

the problem is if my server for some reason doesn't work (like dabase problems or DNS problems...). Also don't know if players would like to connect again to get game registered :)

@luggage:
as Kai already said, don't forget the integration of Armadillo itself. Will it have all the features I need, will it worth the way I want, will I spend time looking for something which is not there, etc... etc... For a couple of days, I prefer not to spend time studying if I could use a 3rd party solution if I can achieve my goals by myself. (and moreover, RSA stuff is very interesting I think)
Oh, and my time is almost worth $62.5 a day now..! :p
(I'll tell u my life in another thread ;) )


@Kai Backman:
Your idea is nice, but unfortunately I don't know how I could compile a .c to produce a program that runs of my PowWeb server, and I'm afraid it'll take a bit long time to set this up (I don't value my time too much, but there's a minimum at least :p )


@Jack Norton:
I don't want online activation, it's not needed for most people and can be annoying in a few cases...
(last month, I sold my 1st full "off-line" copy, using street address instead of email to create the license key !! :eek: )

I'm not saying the 3rd party solution is always best. Just that you have to factor in the cost of your own time as well. For some they have plenty of time but not much available cash and that can affect what option you take.

Of course you still have to take into account implementing the 3rd party solution. If that was going to take 4 days and rolling your own would take 4 days then the choice is clear.

Essentially you can work out how much time you'll save against what it would cost to write it. Everyone's costs are different.