game-editor.com

[regis]

Hi to you all,
I am back again: the game I develop "3DStar Racer" is realy close to the end (a few more weeks / or days, depends on my present problem):

I read both threads on your forum dealing with RPN problems (hello to you BeyondTheTech!) and looked at several external websites in order to understand how RPN protection works. I achieve to understand 90% of the mechanism. Nevertheless, I have a problem: let's look at the following script (given by BeyondTheTech):

actualcode = strcpy(text, GetUnlockKey("key + c","Will P");
if (strcmp(actualcode, codeenteredbyuser) == 0) {registered=1;}

I have 3 questions on this:

1. (tell me if I am wrong) the sole thing I should have to do is to transmit to Handango my RPN algorithm (here: "key + c", or a more complicated one, but I have no idea... If you have, I am interested in). Then, based on the name the user declared to Handango, the Handango site may automatically send to the user his individual key: then, the script above checks the correspondance between the usermane and the key: is it right?

2. Most important point: in that example, "Will P" is the user’s name. Then this script associates a key to this user's name (PUN) and, then, checks if this is the same as the one entered by the user. Nevertheless, the PUN changes with the user, so that the string "Will P" must change with every user: the only way here is that the user enters himself his own user name (here "Will P") in my application... But, then, there is no verification procedure (in the registry I imagine) that such name corresponds to the real "owner's info", so that, hackers may simply disclose on the web both infos one name + an associated key. Have you any idea to deal with this problem (of course, the best thing would be that GE has a new function in GE (lets call it "GetPUNfromRegistry()"), so the new script becomes:

PUN_Info = strcpy(text, GetPUNfromRegistry());
actualcode = strcpy(text, GetUnlockKey("key + c",PUN_info));
if (strcmp(actualcode, codeenteredbyuser) == 0) registered=1;

Makslane told me this feature may be implemented in the future, but, meanwhile, I would be very intererested in an alternative solution, even if this is through a third party protection software... But I don"t know any and I don't see how to link them with my GE application? Even I do like coding, my skills in software protection are somewhat low.

3. The last problem is Handango works with RegCodes derived from PUN, whereas the registry only contains the PUN, not the RegCode. Am I wrong?

I am not sure all this is very clear (my English may not be as good enough to deal with such technical issues).

Good continuation to you all and many thanks in advance for your help

Régis

[makslane]

BeyondtheTech, can you help here?

[BeyondtheTech]

1. I have made a "generic" registration module that you can use to provide a method of easy unlocking of your software. All you have to do is create an RPN string and provide that string to Handango and PocketGear.

2. There is no way to pull the Owner name yet from the PocketPC's registry. I have asked Makslane about this capability solely for this feature, but he has not provided a timeframe for this feature. Since the exported code to the Pocket PC is thankfully encrypted well by Makslane, it would be difficult to "hack" the program to search for the RPN string and make changes, however, it does not stop anyone from posting both the registration name and code online. A possible added bonus to protecting the program would be to provide an unlockable version to download after purchase, but only provide a truly limited version available for download. Please Makslane, just a read of the registry entry would be great!

Code: Select all

Owner string in HKEY_CURRENT_USER_ControlPanel\Owner

3. My version translates the username directly to a registration code, without having to deal with the hexadecimal code. If you wish to make this module a separate module, and have your game module check to see if it's been registered, simply copy the script in the Global Code section, then do the same test with the same RPN string.

http://www.beyondthetech.com/downloads/ ... %201.1.zip

[regis]

OK, many thanks BeyondTheTech for these useful infos and for the link to your module: I will try to make it work on my game and send you here the result as soon as possible.
Regards,
Regis

[regis]

Thinking about the registration problem, I was wondering if the following solution could work. I suppose that GE does not include a registry reader because "user"s name" may be an info difficult to grasp (it may change with the machine). But, suppose the date info (day, month and year) was easier to have from GE, then, we could imagine a key based not only on the given name but also on the date of purchase. Then, during the registration process on the PPC, the required key would be dependant of this date, so that even in the case that a hacher gives the user's name + a key, this key would not work at a different date (of course, the developper could accept a difference of +1 month in order to permit the legal user to register with some delay). I hope my idea is clear enough... But it is based on the assumption that GE may be able to get the current date info from PPC... is it envisageable?
I think this problem is of primer importance for us: I see more and more hacker sites with illegal copies of PPC softwares these days.
Best regards,
Regis

[BeyondtheTech]

321Studios, maker of the infamous DVDXCopy suite, imposed a time-based registration along with the registration code, but most people were able to bypass that by setting the system time back to a workable period, then return the system time back to normal after the registration was completed.

The only other possibility other than having the ability to read the Owner name at this time, would be a server-based activation. It would be probably the best method of software protection possible. Now, while you may think this is a big effort, in theory, it really isn't.

In fact, Makslane's own Game Editor itself uses an activation system along with your registration information, if you happen to notice.

1. The user purchases the program and picks up a registration code based on the user's name registered with Handango/PocketGear/etc.

2. The user enters the registration information into the program.

3. Based on the username and registration code, the program automatically launches a customized URL using the OpenURL command and contacts your server to request an authorization code. Pocket Internet Explorer will open and the ASP/PHP code that you build on your server will simply display an authorization code. Once the authorization code is displayed, it cannot be used again.

4. The user enters the authorization code and the game fully unlocks.

Your Pocket PC must be able to connect to the internet via ActiveSync or if its a Phone Edition (or can connect to a modem), or otherwise you can display the link for the user to manually type on his PC to get the unlock code.

Your ASP/PHP code must have access to a file on the server to see if the "request authorization code" has been used before.

Here's an idea of what a sample "request authorization URL" would look like:

Code: Select all

http://activate.beyondthetech.com/request.asp?prog=1&name=RAPHAEL%20SALGADO&code=12345&pass=20394

or

Code: Select all

http://216.10.28.223/request.asp?prog=1&name=RAPHAEL%20SALGADO&code=12345&pass=20394

...if you want to make it a little more ominous.

And the responses would either be one of the following:

Code: Select all

Thank you for purchasing Battlestar: Fate of the Galactic Commonwealth.  You activation code is 67890.  This activation code will only work one time.  Should you have any problems, please contact support@beyondthetech.com.

or

Code: Select all

Sorry, this name and registration code has been previously activated.  Your IP address has been logged.  If you received this message in error, please contact support@beyondthetech.com.

The user would never get to the activation sequence until the registration code is completed, so sending bogus values would do no harm (except the table could be flooded with bogus, but useless registration information that would need to be cleaned up over time).

The "pass" code could be based on the program, and/or date and time, or some other number you want to make up.

I would be happy to implement this on my server, 1. if I could build the code properly, and 2. offer this activation sequence to anyone who wants to use it for their programs. I know Visual Basic pretty well, and could possibly build an ASP page to do this.

The only possible workaround with this above method is for someone to actually post the saveVars file(s) that contain the name, registration code, and activation code. If that's included, then the registration AND activation goes with the program and the scheme has been foiled.

It would be great if a unique code can be generated from the device itself, such as IMEI, or unique ID. As per this article, "Microsoft has forced OEM vendors to implement a built-in serial number with access by KernelIoControl. All Pocket PC 2002 devices I tested support this method."

If Makslane could implement this, it would definitely be a great help.

Code: Select all

#include <WINIOCTL.H>

extern "C" __declspec(dllimport)
BOOL KernelIoControl(
  DWORD dwIoControlCode, LPVOID lpInBuf, DWORD nInBufSize,
  LPVOID lpOutBuf, DWORD nOutBufSize, LPDWORD lpBytesReturned
);

#define IOCTL_HAL_GET_DEVICEID CTL_CODE(FILE_DEVICE_HAL, 21, METHOD_BUFFERED, FILE_ANY_ACCESS)

CString GetSerialNumberFromKernelIoControl()
{
   DWORD dwOutBytes;
   const int nBuffSize = 4096;
   byte arrOutBuff[nBuffSize];

   BOOL bRes = ::KernelIoControl(IOCTL_HAL_GET_DEVICEID,
                                     0, 0, arrOutBuff, nBuffSize, &dwOutBytes);

   if (bRes) {
      CString strDeviceInfo;
      for (unsigned int i = 0; i<dwOutBytes; i++) {
         CString strNextChar;
         strNextChar.Format(TEXT("%02X"), arrOutBuff[i]);
         strDeviceInfo += strNextChar;
      }
      CString strDeviceId =
         strDeviceInfo.Mid(40,2) +
         strDeviceInfo.Mid(45,9) +
         strDeviceInfo.Mid(70,6);

      return strDeviceId;
   } else {
      return _T("");
   }
}



[regis]

Hi BeyondTheTech,

I hope everything is going OK for you and for all your projects.
I have tried to run your module under GE but I receive the following error message:

"Cannot download Register_Button.png and Register.png files"

I think the data folder in your zip file does not contain all required files.

Can you help me please?
Many thanks in advance,

Best regards,
Regis