Ubisoft's New DRM Cracked In One Day 678
Colonel Korn writes "Ubisoft's recent announcement that upcoming games would require a constant internet connection in order to play has been discussed at length on Slashdot ('The Awful Anti-Pirate System That Will Probably Work'). Many were of the opinion that this new, more demanding DRM would have effectiveness to match its inconvenience, at least financially justifying its use. Others assumed that it would be immediately cracked, as is usually the case, leaving the inconvenience for paying customers and resulting in a superior product for pirates. As usual, the latter group was right. Though Ubisoft won't yet admit it, Skid-Row managed to crack the new DRM less than a day after it was first released."
Re:Well, what a surprise (Score:5, Interesting)
I'm a big fan of Silent Hunter. But I won't buy or play the new one until they release it sans DRM. It's really funny; watching the videos from Subsim, you constantly see messages about "no internet" and then, a few seconds later, "internet reconnected". That sure helps you to remain immersed in a faithful WW2 sub sim. After all, Adolph would have won if not for his shitty broadband connection.
http://www.youtube.com/user/Subsim [youtube.com]
Re:Well, what a surprise (Score:5, Interesting)
Re:Is DRM socially irresponsible? (Score:5, Interesting)
Re:Insolvent Company (Score:3, Interesting)
Not that I believe it, of course. Just sayin'.
Re:Priceless (Score:1, Interesting)
Re:Insolvent Company (Score:3, Interesting)
Seems to me like the correct solution (from their perspective) ought to be to release a game with tons of DRM, sell it for awhile, then disable the DRM once it's no longer profitable. This is, of course, if they intend to stay in business and wish to avoid alienating customers from future purchases.
Re:Well, what a surprise (Score:3, Interesting)
While you have a point, consider that if you pay for it you make them think their DRM is acceptable. As a compromise, I suggest buying it, pirating it, and writing an angry letter explaining the situation. It'll be ignored of course, but it would make me feel better.
Human deterrent (Score:4, Interesting)
1. Ubisoft creates a reasonably simple (read cheap) traditional DRM;
2. Ubisoft promises to donate five thousand dollars to cancer research for each day the game goes without being cracked, for a year.
I think they'd have better chances that way. Don't you?
any games shipping sans drm these days? (Score:4, Interesting)
Re:Priceless (Score:5, Interesting)
You can use the various DRMed binary obfuscation tricks to slow them down; but the hackers will eventually manage to neuter the internet checking stuff, producing a tame version that always returns what the program wants to hear, or a version of the program that doesn't even care.
The only way to really force the issue is to actually move large chunks of vital game code to the server, and only provide the output of that code to the client. For instance, they could hypothetically ship the game with absolutely no AI code, and have every NPC in the game controlled by AI code on their server, just as if it were a multiplayer game. The trouble with doing that sort of thing is twofold: One is latency. There are only certain parts of a game's code that can reasonably be moved 100+milliseconds away from the user. AI would be doable, if suboptimal, because of our experience with providing adequate multiplayer FPS results. It'd be worse than doing it locally; but DRM shows a willingness to hurt paying customers, so so what? Second is cost: the more code you move to your server, the more computational capacity you need to maintain for the supported lifespan of the game. The more data you need to transfer back and forth, the higher your bandwidth bills, and the more customers with marginal connections you lose out on.
The problem is, if the internet presence check is purely artificial, hackers will strip it out, just as they stripped out CD presence checks and offline serial key verification checks. If the internet component is vital, the hackers won't be able to simply strip the checks; because they'll be left missing whatever pieces are server side; but you run into new issues. If the vital component is static(certain textures or models or something aren't shipped; but are downloaded when needed) it'll be extracted and posted on bittorrent inside a week. If the vital component is dynamic(as in the AI example, where the client sends player location data and gets back a series of movement commands for NPCs) it cannot be usefully extracted; but you will take on substantial server load over the lifetime of the game, and whatever that dynamic component is will suffer from latency.
This is where another problem comes in. Since your servers cost money, you want to make the server-side dynamic component as computationally cheap as possible. The simpler it is, though, the easier it will be for hackers to simply write an equivalent version of whatever it is, and make that version, running locally, available in their cracked copies. Unless you can find something that is, simultaneously, computationally cheap to run, very hard to rewrite, and fairly insensitive to latency, you are screwed.
There may, in fact, at least for some games, be an aspect of the game that fulfills these criteria. In that case, anybody who wants to crack the game will, indeed, have to spend weeks or months doing real software engineering to re-implement whatever it was that you left off the disk and on your server(assuming a copy of that doesn't leak on day two, which would be embarassing) in addition to doing the basic cracking work required to defeat the artificial checks and any SSL style verification of the server the game binary is talking to.
snake oil salesmen rake in the cash again (Score:3, Interesting)
in jest (that humor itself is priceless), I certainly could not agree more. The reality of DRM is that the whole concept is flawed, by the logic alone. In that you have to give the user everything they need to run the app, or listen/watch to the media, so what is there to prevent someone skilled with IDA Pro from making it work for their own purposes after the DRM manages to sufficiently piss them off? So, you there you sit, you have the key, you have the data/code/bitstream, and you have the algorithm. Nothing prevents you from hacking apart the code and putting those three pieces back together in a different way other than what was intended, except for a few badly written laws like the DMCA. That's not a prevention, it's just a social mechanism that just serves to make the hackers self-righteous in their own mind, and therefore even 'more likely' to feel justified in 'getting back' at 'the bad-guys' (not my frame of mind, but its out there).
The sad thing is that with the use of DRM everyone looses, EXCEPT for the one peddling DRM as the 'answer to everything'. It's not. Reality could not be further from the truth. Yet these modern-day snake oil salesmen always manage to walk off with millions of dollars in their pockets while everyone else, including the owner of the copyrighted media being 'protected', get the shaft. It only hurts the owners bottom line, stiffs the purchaser who can't use the product, and the snake oil salesman lives in a big mansion somewhere on a hill. What is wrong with this picture? What we need is a new set of laws to protect us from snake oil salesmen, in that if you promise your product is going to do XYZ then you should not be legally shielded by some EULA when you promise something that is known by real experts to not be true. Selling a 'solution' under false pretences is the way I see it. If you sell snake oil you should pay the price.
btw - If you honestly believe that DRM can actually work, then Have I got a bridge for you!!...
Re:On the bright side... (Score:3, Interesting)
But in that case they didn't need such massive DRM. They could have made a regular CD check or whatever. It would still be cracked in a day and it would still require pirates to download the crack, so the lazy (as you said) users would still have to buy the game.
Re:Is DRM socially irresponsible? (Score:2, Interesting)
Re:Priceless (Score:2, Interesting)
The AI code doesn't have to be run remotely. You could just have it spawn weapons, healthpacks and enemies in the correct places using an encrypted positioning system. Then the crackers would have to meticulously play through the game itemizing every single xyz position for every spawn.
Re:You're all dicks (Score:5, Interesting)
BULL SHIT
I say this because I know one company who sells tons of games and they use no DRM:
Paradox Interactive [paradoxplaza.com]
Before they were self publishing, their publisher required them to have DRM in the store release, but the lead Dev patched it out in an official patch a few months later.
Now they self-publish and host Gamersgate, which beyond the download check, the game itself is completely copyable without any DRM whatsover.
Does that mean people pirate their games? Yes, they do, but players like myself have basically spent hundreds of dollars on their games because:
1. They have no DRM
2. The developers are active with speaking directly with users on the forums
3. They have open beta patches with registered users to test bug fixes with the gaming community rather than throwing stuff out there.
Yes, being a successful gaming company can be done without DRM.
It only takes one. (Score:5, Interesting)
The only thing that I'm surprised about is that companies remain so obstinately stupid in trying to implement Digital Rights Restrictions.
Anyone who has ever been involved in software development knows that even when it comes to relatively simple systems, all it takes is one minor SNAFU, one little bug, for the whole thing to be laid bare before skilled hackers. And it doesn't even have to be a problem with your code; it can be in anything from firmware to the operating system to libraries you've linked to to the compiler you used. Add to this the fact that Digital Rights Restriction systems are hardly anything but relatively simple; they typically encompass very complex encryption, heavy duty mathematics, picky dependencies on very specialized hardware and/or software and/or connectivity requirements, etc.
Also, how many people did it take to write your Digital Rights Restrictions system, and how smart were they? Let me tell you, it's not like there's just one guy holed up in a basement somewhere working on cracking the Digital Rights Restrictions of a popular game. There are thousands, maybe tens of thousands. And they all want that reputation boost (or sometimes even financial gain) of being The One Who Cracked [insert game title here]. Oh, and maybe your people are smart, but these people are frickin' brilliant.
Yet still, these companies are under the delusion that after decades of abject failure after abject failure by companies much bigger and more motivated than they are to stop software theft, they're going to be the ones that come up with the magic bullet, that special recipe that will keep their software locked. So sure of it, in fact, that they're continually willing to invest a lot of time, money, and effort into their futile pursuit. The reality of the situation is that all it takes is one. One hacker, one flaw, and every cent you poured into your Digital Rights Restrictions system is *poof!* gone.
I'd like them to hire me to create the Digital Rights Restrictions system they use for their next game. I'll charge them a few thousand dollars and put a text file on the root of the installation media that says, "It would really mean a lot to us if you would not copy this game illegally, so please don't. Thanks!" Now, I know you're probably thinking, "But Skippus, people would be able to copy the game from day one!" My contention is that I've saved them tens to hundreds of thousands of dollars and my Digital Rights Restrictions system lasted just one day less than the one they would have otherwise spent so much money on.
Re:Priceless (Score:2, Interesting)
Or, how about simply not permitting save games to exist anywhere but on the server?
As part of the "checking DRM" activity, it uploads the current game state to the server, effectively "saving" your progress.
When you log in again, it grabs the game state into memory and resumes from there.
Hacked games that run without internet connectivity can work just fine. Just you lose the ability to save and load your game.
The only real way around this is to either run a local authentication server (difficult if you use asymmetric keys), or use a debugger to save/restore the entire memory footprint - in which case your game saves start averaging around the 500+MB mark. Which can be worked around by making the application un-debuggable (there are APIs in Windows to prevent attaching a debugger), at which point you need a second computer to hook into the Windows kernel debugger to reset those attributes...
Re:Well, what a surprise (Score:5, Interesting)
So, yes. Pirating the game does take a few coins from the pockets of the developers of this game. But it's but a small fraction of the sales anyway, so it really doesn't matter. The point is that if the piracy rate actually INCREASES, then the execs might actually have to answer for this nonsense at some point. They'll no doubt spin it to look like angels, but I'm sure that if the piracy rate is really high, then this might end at some point.
So, I say raise the jolly roger, but keep buying Indie games. That's where our future (hopefully) lies.
Re:It only takes one. (Score:2, Interesting)
You know, it's possible that DRM is a sort of viral marketing campaign in a way. I mean, now everyone knows Ubisoft has just released a new game, and everyone's basically implying that, if it wasn't for the DRM, it'd be a really awesome game, that everyone wants to play, and if no-one wants to play it, why is everyone talking about it?
Maybe DRM is a little bit like a girl playing "hard to get"? Everyone likes to get something they need to work for a bit. That's what levelling is all about.
Re:It only takes one. (Score:3, Interesting)
Seriously, the companies won't listen, they'll just blame any revenue decrease to piracy and blow money on even more elaborate drm.
Also drm isn't really about copy protection so much as stopping re-sale and forced eol so you eventually have to buy 'Wonder game XVIIIIVIIX, the quest for more cash' with new improved names for the same old crap.
But they claim DRM is to stop piracy and protect revenue (and thus shareholder value). Once the shareholders see DRM as a waste of money it'll go away fast.
Get the stockholders involved and they'll move heaven and earth to avoid a major issue.
Why so many don't get this confuses me.
Mycroft
Re:Priceless (Score:3, Interesting)
I have to consider the option of using a VM to run windows, then doing the debug from the host system there by rendering the windows anti debug APIs moot. In using a VM or even 'rooting' your own system you can get around the systems that would normally prevent the reading of the information. Really it's all just a loss for the vender that uses DRM as there will always be a way around it so long as it has to run on a system that the user controls. Though saying that, I am starting to understand the ideas behind Vista and Win7 being set up to lock the owner out of so much, while allowing remote users so much more power then can be accessed from the keyboard. Perhaps that is what MS is after. Trying to own the system and lock you out, so that the other venders can prevent people from finding how to break the DRM. Still, it will be a while before even that will be posible.
Re:Priceless (Score:3, Interesting)
A dongle, unless it’s a FPGA or custom chip actually executing game logic, does not help anything.
Steinberg Cubase, an expensive program, had its entire UI encrypted, and only decrypted right before execution, by a USB dongle.
Which made it slow and unresponsive. (That’s why they couldn’t encrypt the core.)
Someone simply went, and managed to pipe the whole encrypted code trough the dongle.
Done.
As a result, the pre-decrypted program run significantly smoother. Some people even cracked their bought version because of that. (And/or because they needed the USB port.)
Re:It only takes one. (Score:1, Interesting)
In the 20+ years of down loading things from the "scene". I have have never ever, not once, exactly zero times received a virus, trojan, or any type of malware.
You should a fundamental lack of understanding about how the scene works. Releases are put out by different groups. These groups care about their reputation. Greatly. The scene talks. The scene has politics and drama. The scene would not put up with someone releasing malware. It's a community.
I'm not saying malware isn't out there. Hell peopleofwalmart.com infected two desktops here last week. Sure people who download from some random link on google are going to get bit. Limewire and Bearshare installed malware as part of the program. People agreed to the malware. If you find an established community you don't even think about dealing with this stuff.