Checking about the BMT/Plimus information pages, I noticed that the vendor can supply a list of registration keys. How do you go about integrating this with your program?
It makes it sound like if you have one key, then you can just email your buddy with this key and he can use it to unlock his game too.
Do I completely have the wrong idea about how this system works?
Without server validation, yes, that's exactly what happens.
or hardware locking, but that's not a good option really and will surely cause confusion even if you made a page available where the customers could update their configuration.
Yeah, I was originally going to do this, as it's nice and easy. You just generate a big list of keys that will unlock your game, and they send them out one at a time. I was going to blacklist any keys I found published on the web.
Although it's a bit harder, generating the key from the customer's name or email address (you write an online script which is called by your e-commerce provider) is much better. It's a bit more work, but I managed it okay (luckily Perl scripting is very similar to C).
If you're writing your own 'keys' system it's worth doing a bit of research. It took me three attempts to write mine. I kept overlooking issues in the first versions.
Another solution is to go with a system like ASProtect or Armadillo. A load of e-commerce providers are set up to use their key generators - I don't know too much about this route though.
That sounds like a not-so-difficult but effective method. How would you go about implementing that, and why is it better than the original "send-out-a-list-of-keys" method?
If you ensure that the key is generated from the user's personal information they are going to be very unwilling to share it. The very bestest way would be to generate it from their credit card number.
Essentially the user must enter this information along with the key to unlock the full version. To thwart keygenerators you'd have to use public/private key encryption.
The way it works (I'm not an expert) is the e-commerce provider passes purchase details to your online keygen script (using '?name=xxxxx' at the end of the URL). You merge/scramble this name with a gameID (usually a load of integers) to produce the key.
So .... the game can take in the key and the name, unmerge/unscramble them to get the game ID. You then check the Game ID is valid.
A few things to note are -
- Your game shouldn't check/unscramble the entire game ID !! - if you do, a hacker using a valid key, can write a keygen as good as yours.
- Put a checksum in there to check if the key is mistyped - You don't want to call your new customer a pirate !
- Hide your keygen script somewhere online.
As for details of the 'merging/scrambling' process, it's hard to find any 'cause most people seem to keep quiet about their methods (for good reasons) ... but do a bit of searching and you can get some ideas.
Note : I'm not recommending you create your own key system !! - If you get it wrong (which I nearly did) then it can be a real pain to fix later.
There are complete systems for doing this sort of thing (like ASProtect / Armadillo). These also include .exe wrapping, so it's a good idea to check them out even if you do 'roll your own'.
The person who buys ur game can still go "hey buddy, here's my scrambled code" and thus the problem still prevails...
I'm using Plimus with the custom generation script method. What I do is have Plimus send the customer's email to the script, and then I decrypt it with a 128-bit private key and send that back to Plimus as the user's registration key. When the user enters his or her email and registration key to register the game, I check that:
encrypt(regkey) = email address
The only thing a pirate knows is that the encrypted value of the valid registration key is equal to the user's email address, and the public key used to encrypt the reg key, but he doesn't know the private key required to decrypt the email address and find the true registration key.
This method should hopefully prevent keygens from being made to crack my game, until a pirate is able to crack the 128 bit encryption (which would take a long time).
Last edited by JWoyame; 07-13-2006 at 10:15 AM.
But how do you prevent people from sharing their reg key & email?
Manuel F. Lara
I don't think you can prevent key sharing completely. Maybe if your games go online you could check for overused keys somehow?
I'd like to think most people who buy games, will tend not to share their keys, and having the keys linked with their email address should make this even less likely.
Also, if someone does give their key to a friend, I think that friend will be less likely to share the key with their other friends, as it's got their friend's email address with it.
I can guarantee that whatever system you use, someone will find a way around it. It is best not to worry too much about it. For example, even if you had a foolproof way to prevent key stealing, someone could just distribute a cracked version of the program that has the registration key check removed from the program code completely (you can discourage this by making the registration check code hard to find, but you can hardly prevent it from happening eventually).
I trust that people will not share their keys for the reasons PiEyeGeorge mentioned. Most people would not share a key with anyone unless they are really close to them, such as a best friend/family member. It's probably less likely they will share a registration key than they would copy a music CD for someone. They paid for it, why should they share it?
Considering the number of people on the Earth compared to the number of shareware game sales, it's not likely that someone looking for a free key happens to know someone who has a registered version of that game and are willing to share. It's more likely that someone would say, "Here, try this cool game I found. You can use my registration key." The person receiving the game never would have heard of the game otherwise. This can actually be a good thing for you because the 'thief', the person receiving the key, might buy other games from you in the future.
Also, people wouldn't likely hand out their keys freely over the Internet because it's attached to personal information (ie their email address). The only keys freely given on the Internet are from pirates showing off their "mad skillz", not someone who legitimately bought the game. And the only way to get a key with good strong encryption is to legitimately buy it.
Last edited by JWoyame; 07-13-2006 at 10:19 AM.
You also have to consider that the people who buy indie games are not the people who look for the cracks. Also, I seriously doubt any 'serial/crack user' would ever consider buying a game if they couldn't get a crack.
It's an effort vs. reward issue. By making it more involved to register the game (checks to reduce piracy) you will spend more time & annoy more potential customers than you could hope to gain. Only the most anticipated games (sequels like HL2) can even attempt something this serious, and even so they annoy a large number of valid customers.
The only game I ever took back to the shops was PC Halo, as the CD protection wouldn't recognise the disk in my CD drive. Very irritating, and I doubt MS made any extra sales because of whatever protection they decided to use. I know they lost mine!
Plimus also allows you to set up a website with an ASP script that'll generate a key for them. I haven't used this method because I don't know the first thing about ASP or setting up a webserver.
Are you using PHP?
Where do you get/generate and store the private key?
This sounds like a good method in terms of effort versus security.
I'm interested in that too. I'm using Plimus and am going through trying to set this stuff up right now. What a timely thread! My keygen program is a Win32 app. I'm trying to figure out how to use it online.
Hopefully it is, however it hasn't been field tested. I came up with it myself after searching in vain on the Internet for information on generating keys; not many people are willing to share their secrets (for obvious reasons).
I am using an ASP script to generate keys, however it should be portable to any programming language. I generated the private key with a custom command line program and put it into the script code.
The only drawback to the solution is the large keys that are generated. I originally tried 1024-bit encryption, but the keys were massive. I switched to 128-bit, and the keys were still very large in base 10 format, but I convert them to base 36 (0-9 and A-Z) after they are generated and they are more manageable.
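An added sketch, not code from any poster in this thread, of the scheme JWoyame describes combined with the checksum suggested earlier and the base-36 encoding: the purchase script signs the e-mail address with the private exponent, and the game verifies with the public values only. Assumptions: textbook RSA over a SHA-256 digest of the address (rather than the address itself), a constructed demo key built from two Mersenne primes, and all function names; a modulus as small as 128 bits can be factored on ordinary hardware, so a real key pair needs a far larger one.

```python
import hashlib
import string

# Constructed demo key: two Mersenne primes, used only to keep the example
# reproducible. A real key pair uses random primes and a much larger modulus.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                  # public values, compiled into the game
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, server script only

ALPHABET = string.digits + string.ascii_uppercase   # base 36 (0-9, A-Z)
WEIGHTS = (1, 5, 7, 11, 13, 17)      # all coprime to 36

def to_base36(n):
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = ALPHABET[r] + out
    return out or "0"

def digest(email):
    """Hash the normalised e-mail address to an integer below N."""
    h = hashlib.sha256(email.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N

def check_char(body):
    """Check character: any single wrong character changes its value."""
    total = sum(WEIGHTS[i % 6] * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % 36]

def make_key(email):
    """Purchase script (holds D): sign the digest, encode, add check char."""
    body = to_base36(pow(digest(email), D, N))
    body += check_char(body)
    return "-".join(body[i:i + 6] for i in range(0, len(body), 6))

def verify_key(email, key):
    """Game side (holds only N and E): returns 'ok', 'typo' or 'invalid'."""
    body = key.replace("-", "").replace(" ", "").upper()
    if len(body) < 2 or any(c not in ALPHABET for c in body):
        return "typo"
    body, check = body[:-1], body[-1]
    if check_char(body) != check:
        return "typo"
    sig = int(body, 36)
    if sig >= N or pow(sig, E, N) != digest(email):
        return "invalid"
    return "ok"
```

The 'typo' result lets the game ask the customer to re-enter the key instead of rejecting it as forged; a key issued for a different address passes the checksum but fails the signature check.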