Security Issues

Hi there,

Because of the fact that Java bytecode is easily decompiled, I came up with the question of how to secure your game app.

Lately I got the demo version of Tribal Trouble and it’s a very cool game, but to make a retail game from the demo version was easy. (I already ordered a retail version :)).

For ppl that only want to play the singleplayer campaign that is enough. But what if ppl hack into the code and create their own gameserver for multiplayer games? The creation of the registry file should that hard too, even if there is much more code to used from the decompiled classes.

So I question what would be good ways to protect your game and/or demo version?

One way I mentioned is about ripping the whole content down to the demo version. This way the ppl have to obtain the retail version or get it somewhere else.
Additionally the demo version should not be compatible with the retail files. You may ask why?

You may know Unreal Tournament 200x. As Epic released the Gameserver Installation that comes as a free download and includes almost the entire content of the retail, it was really easy to make a full retail game of it. How to? Unreal Tournament 200x Demo version + Server Installation = Retail.

I will not go into detail, but the problem should be visible.

So, what do you ppl think about it? How do we make JAVA Games more invulnerable?
Even obfuscated code can be decompiled under some circumstances :frowning:

Evil

Wasn’t that why game keys were created?

There was an interesting article about game protecting and hacking on tom’s-something (since tom’s hardware changed their site I’m lost, must be because I’m rusted); it was more about how certain techniques affected, or rather impacted, the user experience.

My game runs through a server, which I keep private. So, you still have the client which can be disassembled, but it won’t help you much without the server! Also, I obfuscate the code, so even if you disassemble the client, you would have a hard time to understand what I did.

The simple answer is: don’t. The only people who are going to bother with hacking it are other Java programmers with a bunch of time on their hands and let’s face it there aren’t many of those about, especially not ones with enough money to buy the game anyway.

Cas :slight_smile:

You can never trust anything that runs entirely on a client; it’s like handing over a book to someone and having him read it for you. If you don’t know what’s in the book you can’t tell if he’s making things up. An analogy with a client / server architecture would be that you have a copy of the book and read with him, so you can easily tell if he’s making things up.

Like cas said there’s only a small group who’s able to hack your game, make it difficult for them by obfuscating your code, do crc checks on datafiles and do sanity checks on highscore uploading (given certain variables from your game).

If smashing rocks with a sledge hammer gets you the game 4 times quicker… why should you bother with cracking it in the first place?

Cracking some every day native cd check needs about a postcard of knowledge and about 2 minutes for cracking and making a patch. Well, duh. Cracking a java game takes way more time and knowledge. Yadda yadda… well, that topic came up several times already :stuck_out_tongue:

I agree with princec, don’t spend too much time on protecting your software! Obfuscation is enough. If you have a server where people need to login (if it is multiplayer), you can do some basic checking, but otherwise, there is no way for 100% safety!

The best way to secure your Java code is programming the most important Java code directly in bytecode using for example jasmin, bcel, jan and others.
You can make this code as complicated as you wish (for example giving lots of goto instructions etc. to labels) so the code is harder to understand by some cracker, you can also use classes cryptography (using your own secured class loader), you can also check your compiled classes if they were modified by a cracker, for example storing some information about your classes (size, modification date, or the best, creating a unique number using the 160-bit SHA-1 algorithm during compilation and later checking this number during execution). Always try to think like a cracker and how you could make his life worse.
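
The integrity check suggested in the post above (and the data-file checks mentioned earlier in the thread), as an added example that is not part of any post: a build step records a digest per shipped file and the game recomputes them at start-up. It uses SHA-256 instead of the SHA-1 named in the post; the class name, file names and file contents are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class IntegrityCheck { // hypothetical class name
    // Digest of one file's bytes. SHA-256 replaces the SHA-1 named in the post.
    static byte[] digest(Path file) throws IOException, NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
    }

    // Build step: record the expected digest of every shipped file.
    static Map<String, byte[]> buildManifest(Path root, List<String> names) throws Exception {
        Map<String, byte[]> manifest = new LinkedHashMap<>();
        for (String n : names) manifest.put(n, digest(root.resolve(n)));
        return manifest;
    }

    // Run-time step: names of files that are missing or whose digest differs.
    static List<String> verify(Path root, Map<String, byte[]> manifest) throws Exception {
        List<String> bad = new ArrayList<>();
        for (Map.Entry<String, byte[]> e : manifest.entrySet()) {
            Path f = root.resolve(e.getKey());
            // MessageDigest.isEqual compares the two digests in constant time.
            if (!Files.isRegularFile(f) || !MessageDigest.isEqual(e.getValue(), digest(f))) bad.add(e.getKey());
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two stand-in game files in a temp directory.
        Path root = Files.createTempDirectory("game");
        Files.write(root.resolve("Game.class"), "constructed class bytes".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("level1.dat"), "constructed level data".getBytes(StandardCharsets.UTF_8));
        Map<String, byte[]> manifest = buildManifest(root, List.of("Game.class", "level1.dat"));
        System.out.println("untouched: " + verify(root, manifest));
        // Simulate a modified data file, then verify again.
        Files.write(root.resolve("level1.dat"), "edited level data".getBytes(StandardCharsets.UTF_8));
        System.out.println("after edit: " + verify(root, manifest));
    }
}
```

Since nothing that runs entirely on the client can be trusted, as other replies in the thread point out, a multiplayer game can send these digests at login and let the server do the comparison.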

[quote=“kylix999,post:8,topic:26041”]
Ah well, let’s screw maintainability all together ;D

[quote=“kylix999,post:8,topic:26041”]
You only have to change 1 class in rt.jar and watch all the deciphered classes fly by. Think about it, only decrypted byte-representations of classes can be processed by the JVM.

Would someone who wants to pirate your game have bought it anyway?

If everyone who is going to buy it, has bought it, and someone has a pirate copy, have you lost out?

My feeling is that if I ever get anything good that I want to sell, I’ll worry more about game issues than about making it absolutely unpirateable. In other security respects, there are major benefits to using Java because you have some degree of sandboxing going on already- if you’re writing a networked game it is that little bit harder for a cracker to find an exploit that lets them own your players’ systems for all the usual java security reasons.

If you’re focused on Windows distribution (most pirates live here anyway) - how about Molebox. You can stick the whole VM and the jars into an encrypted, compressed executable. It looks like a native game and it’s probably more complicated than a normal C executable to crack :slight_smile:

Kev

This is an over-rated problem.

Game cracking has been around since well before Java and there is more or less nothing that can be done about it.

Don’t worry about individuals cracking your game. It isn’t worth the effort… If you find someone distributing a cracked version of your game online, ask them to stop. If they don’t respond, then you have two choices: (1) have a lawyer send them a letter, (2) suck it up.

If you choose (1) and they don’t respond you have two choices: file a lawsuit or suck it up.

Welcome to the wonderful world of 21st century IP.

Or you can download the cracked version, and make the crack invalid. Then force your users to update (you do have an update option in the game, don’t you?). If it’s a multiplayer game, disable their account if they are sharing their registration code.

If all else fails, set up a P2P server (that’s how cracks get distributed mainly) and share an invalid crack (some spamming bot or something), give it to all your friends, relatives, their friends and their relatives, give it good ratings and such. Everybody downloads it, and you’re in the clear for a while until people catch up to it…

Dirt for dirt, but hey, they started it! :wink:

DP

Don’t tell anybody about your game. Never give it out. Play it only by yourself. Also, never connect your computer to the Internet. Program in a room with darkened windows, or better no windows, so nobody can grab it off your screen!

Well, you’re a genius. Why didn’t I come up with that myself?

@Topic:
Ok, most replies helped me to understand the situation better from a developer’s point of view.

As for myself as a player, I sometimes obtain a cracked version to see if it is worth buying the retail game.
In the last years many game demos’ playtime/fun were like the retail game ones :frowning:

I know that there is no real protection, but as long as I don’t provide any content that is expandable like the TT demo I think my problems are much smaller :slight_smile:

thx @ all 4 their replies.

Or you could release your own “cracked” version to pirate sites that contain various nasty viruses.

What? Who said that? Could you identify him in a crowd? I think not…

I like darkprophet’s suggestion, i.e., issue a steady stream of enhancements to registered users. Crackers will have to keep updating their cracks. Obfuscate the code and put one or two sanity checks in each version. Eventually they’ll get bored and move on to something new.

…Of course you need to write a retail quality game first to attract any cracker attention. That seems to be the difficult bit. :slight_smile: