next »

[Saturn2888]

How do game developers encrypt their executables or prevent people from peaking inside and pulling out sensitive private game information?

[Oddball]

What sensitive game information do you want to obfuscate? Unless the game has an online competitive element, say high-scores or versus mode, then I wouldn't bother. In fact I welcomed people hacking my game. It added an extra word of mouth marketing angle as people would show off what they had done. So I guess what I'm saying is we need more info, but most of the time it's not needed.

[Saturn2888]

I'd want to obscure the keys in the source that crack open encrypted files used by the game. Also, online scores exist.

[Dacke]

Why would you even want to have locally encrypted files?

You can't actually properly protect the keys, obviously. The best you can do is to obfuscate them bit, to keep casuals out. But just compiling the keys into the binary should do that anyway.

[Saturn2888]

So you're saying the way to do it is to send that info over the cloud to keep people out?

[Layl]

This subject comes up every month or so, generally developers don't encrypt their save data at all.
For the average player, they're not going to figure out how to access that data anyways, and the more tech-savvy player will just resent you for taking away control from them.

[Dacke]

So you're saying the way to do it is to send that info over the cloud to keep people out?

No, definitely not. Cloud based DRM means that your game will become unplayable if your server gets hacked or you stop supporting it. That's a bad, bad idea.

[ProgramGamer]

What exactly do you want to hide from the players? You only mentioned encrypted files, but not what kind of encrypted files.

[ThemsAllTook]

There are ways to discourage cheating in online scores without using encryption. My preferred method is to use a deterministic game simulation, collect all of the player's inputs during their play session, send them to the server, and have the server replay the inputs in its own simulation to calculate the score. This might not be practical for some games, depending on length of a typical session and complexity vs. computing resources available on the server, but it neatly removes any need for encryption since the server doesn't have to trust anything the client tells it about scores; only the player's inputs.

Encrypting game data for the sole reason that you don't want people looking at it is a pointless exercise. If the game can decrypt it, someone who wants to examine it can decrypt it, no matter how many layers of obfuscation you put in place.

[Saturn2888]

But it could be minimized right? I mean, you could do a string search on a typical executable, but if you obscure it through encryption, that makes it significantly harder to crack what's inside. My point is to make it too much trouble for someone to even bother.

[Layl]

But why? Why go through the effort to reduce the value of your game?

[Saturn2888]

It's not reducing the value; in fact, it's quite the opposite.

For instance, my game is based on an open source game engine. I re-programmed most of it in the front-end (uncompiled Lua) piece of this game engine. Also, all of the levels are in a proprietary plaintext format mostly readable by that game engine. If someone cracks open the encrypted game files, that gives them access to a majority of the code I've written and the levels we worked so hard on.

The purpose of this is to retain value. Most people in this genre would rather get free content than pay for it if possible; therefore, if the content is available freely, that will not assist in the sales of the game. Any future content would be provided in the same hacked-encryption way. At that point there'd be no reason to lock it down. You could go so far as to say there'd be no reason to develop the game at all; not for a profit that is.

A possible alternative is to have all the content available freely and charge for something else. This method means I'm doing what mobile game developers typically do and the quality of the content will not matter, it'll be whatever service I'm selling on top of it; hence, quantity over quality (in the case of song count) or difficulty over fun (in the case of an arcade release).

I'm paying a lot of money for music licenses. Sure, anyone could purchase the original tracks and make their own version of the songs, but they would have a much harder time doing it. The same argument could be used for patents. If it's too difficult to figure out, don't patent it; otherwise, you're giving people instruction on how to do it.

In the same way, companies who sell a product based on open source do not release their source code for free either unless their business is technical support or some other service. SQLyog, for example, has a paid product and a community one. They use the open source codebase to assist in the development of their paid app and give that version free to consumers. They do not release the source code of their paid product.

The point of this isn't to restrict players or make it difficult to play, it's only to restrict access to the game's content in a way that protects my assets.

And on that, I've not received a proper response. What do other game developers do? Do they do nothing? If so, why not? If the solution is to compile everything into the executable, how do I go about doing that? How do I turn plaintext into binary in a way that say C++ or Lua can read it?

[Oddball]

What!? Have you developed the next Call of Duty or something? In Hack, Slash, Loot I save all game progress in xml plain text format. The quests are all xml plain text. All art and music assets are are in their original unencrypted formats. Hell you can even tweak a plain text file and instantly give yourself all the Steam achievements. I've had no issues at all with any of the stuff your going on about. You're wasting your time.

[Conker]

People that want to cheat will cheat

Most people do not buy games to cheat them, don't bother with it.

[Layl]

The answer is "don't", the game industry is basically the only industry in software development remaining that even remotely looks at doing this. Most companies have embraced that if a player wants to get at your assets and mod them, there's no way of stopping them and if you succeed in stopping them you're only taking away value in modability. Outside the game industry, this has been embraced to a point where open sourcing has become the common case for desktop software and even websites. (notably, Microsoft in the desktop case and Facebook in the web case)

I would advice as well that you take a look at the game engine you're using to make sure you're not violating its open source license when trying to prevent people from looking at the code.

[ThemsAllTook]

This is a complicated subject. The main reason you're getting backlash here is because it sounds like you're trying to use DRM to combat piracy. DRM is almost universally hated, largely ineffective, and can prevent paying customers from using your software the way they desire. It's a fundamentally adversarial approach to selling your game. "DRM free" is sometimes used as a selling point because it's so maligned.

An open, trusting relationship with your players can lead to business success just much as a closed, DRM-laden approach can. Piracy will happen no matter how much or how little protection you use. If you use too much protection, it may cause some players who would otherwise have paid you to choose the piracy route instead, because the cracked version provides a better experience (or because the protected version can't be used by them at all).

To answer your question, I do nothing to protect the assets in my own games, for the reason that I want them to be as accessible to players as possible. None of the information in any game I've made has been considered sensitive or private, with the exception of one piece of server communication code that used a private key compiled into the executable. The only purpose of that was for online leaderboards, and these days I'd use the alternate solution outlined in my earlier post, which doesn't require any protection at all.

Does the license for the music you've bought have any special conditions for redistribution? If there's a specific contractual requirement that needs to be fulfilled, then that's a different matter from the other stuff that's being talked about. Protecting your code, protecting your music, protecting your levels, and the broader discussion of DRM could all be considered separate topics. With some more specifics, we may be able to help with each individual one.

How do I turn plaintext into binary in a way that say C++ or Lua can read it?

An easyish way would be to write an offline converter tool that knows how to read plain text and write it as a binary format of your choosing (and possible vice versa). You'd just have to design a simple binary format that's equivalent in structure to your plain text one. Here's some information on dealing with binary files in Lua: http://www.lua.org/pil/21.2.2.html

[Saturn2888]

Thanks for asking the right questions ThemsAllTook.

I apologize for not being clear enough or realizing there were some other posts made in-between mine about people getting worked up assuming I was trying to pull an Ubisoft. My game does not have DRM. You can copy it freely and while I don't like that, I know that people are going to find a way around it anyway, and I personally hate it when other developers or publishers pull the DRM card when I purchased their product.

Protecting the Music:
Yes, the music cannot be put in the game without it being hidden or encrypted in some way. Doesn't stop someone from recording the songs or buying the originals. Not my problem. My requirement is so they can't just copy/paste the audio.

Protecting the Code:
I do not want my game to be open source. The underlying engine I've forked is open source and thus, anything I write can possibly be written or reverse engineered to work in that system fairly easily. I'm not comfortable with open sourcing everything I've coded over the last 5 years.

Protecting the Levels:
The levels and the music are one in the same because this is a music game. Without one you can't have the other. The levels are plaintext files which I paid a lot of money and spent a lot of time to get produced. I'm comfortable with someone copy/pasting it out of my game and in the open source version. Sure I've added stuff to make the content unique, but it's still the same core gameplay.

Protecting Online Scores:
It's not me that cares about scores, it's other players. They want to know that the scores other people upload are valid; thus, I've done a ton of work to ensure that's the case.

I've already created an encryption system that protects these files. I was posting here to figure out how other game devs do it. I can't be the only guy with online scores and assets that he needs hidden. I've opened the folders for so many games where music and art and other assets are all hidden away in weird proprietary files.

My goal is to protect the keys to these files located in the executable. I have a way of doing this in Windows, but I need a way of doing this in Mac and Linux. If I cannot find a way (as I haven't), I refuse to release on those platforms for fear that someone's going to hack out all my stuff and destroy sales of the game.

@ThemsAllTook, that's a good idea on how to calculate the scores. I'm already doing something similar actually, but players can fake those numbers on the way up if they have access to the encryption keys which are hidden away in other encrypted files.


tl;dr
The music and other assets needs to be protected because of binding contracts and I've spent 5 years writing code that I want to protect.

There won't be any copy protection-style DRM in my game.

I need to know how other people have done encryption on Mac and Linux. I know how to do protection on Windows but want to know others did it in case there are better ways.

[Layl]

For your music, check the license to see to what extend you have to go. Perhaps just a file rename will do.

For hiding the source code, again make sure you are allowed to do this according to the license of the engine you're using. A lot of open source licenses require you to distribute the source as well. An example being Open Hexagon, which is under the AFL 3.0 license. Generally companies don't really protect their code any further than compiling it.

If you release a product and the keys are in there, no matter in what proprietary format or in what way they're embedded in the executable, they're compromised. A dedicated user WILL find those keys no matter what you do if you include them in the product.

[Saturn2888]

Thank you for your advice @Layl. That's all accounted for already.

I would like to know how other people have done encryption on Mac and Linux. If you know anyone or can point me in the right direction, I'd greatly appreciate it.

[Polly]

One route you can take is putting resources in a password protected ZIP archive, and then unzip them to RAM when you need them. But, as mentioned .. anything can be hacked.