Video Game Copyright Protection

Notes to Ted and Monica

  • Graduation - I'm a graduating senior so please submit my grade by the appropriate deadline.
  • Wiki Layout - This is the main page of my writeup though several sub-wikipages exist with more detailed information. I've labeled off-site URL links with [] brackets to distinguish from my wikipage links. Red links are areas I'd like to work on in the future.
  • Legality - I will clean up this page to remove specific details on Sims 2: Pets next week - I'll leave the content up for now so you can see how I implemented it.

Goals

  • Analyze the history and evolution of protection attempts on video games.
    • Incorporate analysis of real source code used in exploits
  • Investigate current and future technologies that may be used to secure video games.
  • Predict multiple paths the games industry could take to address the piracy issue.

Work Accomplished

Impact

  • Established the relevance of the game copy protection problem by researching impacted groups and corporations. Incorporated background reading from reliable game industry sources (Gamasutra, Game Programming Gems, Game Developer Magazine) to establish the commonly accepted point of view for each group involved with the piracy issue.

Knowledge

  • Compiled difficult-to-gather information for both the underground community of game cracking as well as the game security industry. This involved a lot of background research online through many media (IRC, forums, cached webpages, etc.) as well as many hours of personal testing to verify that the information gathered was correct.

Instruction

  • Created an easy-to-reproduce set of tutorials for any user to try themselves and demonstrate that copy protection is a serious concern for all video gamers.

Technology Overview

  • Hours of research to get all the latest technologies that are in play for the copy protection problem as well as future technologies that are posited as solutions.

Future

  • Original thought on where the games industry may be headed and what the implications of these actions would be.

Resources

  • Extensive list of tools, webpages, and other resources for anyone interested in the game security scene to learn more about the details.

Milestones

Writeup

Abstract

In 2006, the Entertainment Software Association (ESA) determined that the video game industry sold $7.4 billion worth of software. Though the games industry has shown skyrocketing growth, almost tripling sales since a decade prior, the ESA released a chilling statistic just one year earlier at the Electronic Entertainment Expo (E3) 2005: "The video game industry loses $3 billion dollars of revenue annually due to software piracy". This figure is only an estimate, and it factors in only hard-copy pirated versions; it does not take into account losses due to online piracy (which is difficult to track). When we consider that the games industry could be losing from 40% - 60% of its annual revenue due to piracy, we should begin to take a serious look at the issue of video game copy protection.

This report surveys current copy protections and circumvention methods in the three main types of video games: offline, online, and console (hardware). Current popular protection techniques are analyzed, such as SafeDisc, StarForce, and SecuROM in the offline type, ActiveMark and PunkBuster in the online type, and finally XBox 360 in the console type. I then proceed to demonstrate the flaws in current offline protection schemes by providing a series of tutorials that show how to compromise the protection on a recent game, Sims 2: Pets Expansion Pack (released October 18th, 2006). Next, I document how server emulation has managed to evade online protection on two popular titles, World of Warcraft and Ragnarok Online. Finally, I discuss the technique known as 'mod-chipping' to evade hardware copy protection on the XBox 360 console.

This report determines that current copy protection schemes are insufficient to prevent widespread video game piracy and that a new class of techniques needs to be developed in order to truly combat piracy. I explore technical ideas that bear potential such as software watermarking and tamperproof hardware (through the Trusted Computing Platform) and weigh the advantages and disadvantages of employing such methods. I also explore a series of social engineering ideas and brainstorm the variety of options that the game industry can take to address the piracy issue.

Finally, I have compiled a useful list of tools and resources to aid any further study on the topic and recommend future exploration on up-and-coming protection schemes. I view this wiki as a work-in-progress and intend to continue research on the topic after the conclusion of this course.

Background

In this section, I explore the backgrounds of the major players with interests in video game copy protection and identify their key motivations. This is a recommended read to gain familiarity with what groups are involved and why copy protection is in its current state.

Publishers

Game publishers are represented by the Business Software Alliance and more specifically by the Entertainment Software Association. The goal of these two organizations is to generate awareness about software piracy and encourage the legitimate use of software. Both organizations support anti-piracy movements and actively engage the government to prosecute known pirates.

Game publishers are greatly concerned with the issue of copy protection since their role is to finance game developers and ultimately manufacture, market, and advertise the video game product. Since the publishers often supply most of the money in the development cycle, they usually set requirements for the game developers. These requirements often include the type of copy protection to be used in conjunction with the game.

Publishers have often been criticized for applying aggressive and invasive copy protection solutions on game CDs, creating an unpleasant environment for legitimate gamers. Since video game budgets have now become quite significant, easily in the multimillion dollar range, publishers desire a good return on their financial investments and use these invasive techniques to prevent the game from being pirated at an early date when profits are highest.

Larger publishers contain in-house studios which develop games specifically for the publisher (see Developers section below).

In summary, an interpretation of the publishers' stance on piracy can be: "In order to be profitable, we must delay piracy of the game by applying aggressive copy protection schemes which have the side-effect of possibly creating poor user experiences for legitimate customers."

Developers

Video game developers are companies or individuals that create video games for any variety of platforms, including PC, console, and mobile and are represented by the International Game Developers Association. Developers can be separated into three categories: Third-party developers are larger companies that are contracted by video game publishers to work on a title, in-house studios are development companies owned directly by the publisher, and independent developers are smaller companies that work independently of publishers (often using the Internet as an alternative medium for distribution).

Developers are deeply connected to the issue of copy protection since these companies often live or die by the financial success of their game titles, due to the ever-increasing cost of game development. Surprisingly, copy protection has rarely been viewed as a high priority for game developers since tight development schedules and intense market competition force the focus to be on the quality of the game rather than game security. The generally accepted theory is that time spent on game security is wasted since the protection is bound to be broken eventually and it is instead more valuable to focus on making a good game that hopefully more people will buy legitimately.

Since developers often do not spend much time on copy protection, publishers often add on a protection scheme in the final production process. In some cases, unforeseen compatibility problems have resulted, leading to poor user experiences outside of the developers' control (as in the case with Operation Flashpoint). Also, developers must deal with leaks in the development or manufacturing process which often enable game crackers to distribute games on or even before the official release date. In one highly publicized case involving a flaw in Microsoft Outlook, Valve's highly anticipated Half-Life 2 title had its source code hacked and released as a playable build on the Internet. Clearly, piracy events such as these can wreak havoc on team morale.

In summary, an interpretation of the developers' stance on game piracy is: "We don't really have time to secure our game because we have to worry about our schedule and the competition - just please don't pirate us!"

Players

Game players are represented by the Entertainment Consumers Association and are present in many countries of the world and cover a large range of the population demographic. The Entertainment Software Association presents some interesting facts about the American game player:

    • The average game player is 33 years old and has been playing games for 12 years. 62% of players are male and 38% are female.
    • The average gamer spends roughly 7.5 hours per week playing video games.
    • 35% of American parents say they play computer or video games.

Game players are the consumers making the choice between using illegal, pirated copies of video games or legitimate copies. For gamers in certain countries, such as China, the cost of games is so prohibitively high compared to the average worker's salary that there is no choice other than to procure a pirated version of the game. Even within America, however, the average PC gamer often has easy access to pirated versions of games on or immediately after the scheduled release date. The gamer can quickly download the game with little fear of legal repercussion. In many cases, the game experience has been improved for the gamer since cracked versions often include features such as a No-CD patch and skipped advertisement and logo screens. Console gamers also have an avenue to piracy through 'mod-chipping' their game consoles, though it is a more technically involved process.

Some publishers use copy protections that are so invasive and aggressive that many consumers cannot install even a legitimately purchased game. In some cases, the copy protection even proves to be damaging to the user's computer - causing system instability, crashes, and damage to the CD/DVD drive. Ironically, these copy protections instead force embittered consumers to turn to pirated versions in order to play the game.

Porting companies such as Aspyr suffer when releasing games for Macs since they charge full price for an old game and do not have the technical capability to provide copy protection. These games are often easily pirated and distributed online for consumers who don't see why they should pay so much for an older game.

In summary, an interpretation of the players' stance on game piracy is: "Sometimes I can't afford it, sometimes I can't even install it, sometimes the pirated version is just better, the only reason I pay is for convenience or to support the game developers."

Crackers

Little information is available about game crackers and there is no formal organization that represents them, though often teams of crackers have grouped together to release pirated goods under a unified name.

The motivation for game crackers is often thought to be respect within the cracking community for being the first to perform a difficult crack as well as personal enjoyment through circumventing game security. Crackers may also have some degree of financial motivation since sites where cracks are posted often feature a plethora of paid advertisements. Also, sometimes cracks embed dangerous viruses or trojans which can be used maliciously by the crackers to control other computers.

Game crackers are not a well-unified community and in fact are highly secretive of their own source code, although they collaborate quite well in developing a common set of useful tools for hacking. Game crackers can often work in collusion through the Internet from various countries outside of the United States. Tutorials and instructional help from game crackers are sparse and often hidden well within the bowels of the Internet.

In summary, an interpretation of the crackers' stance on game piracy is: "It's fun for us and you can't stop us from giving away your software!"

Security Companies

Security companies are not grouped under any formal organization and come into play in the game piracy issue as the enforcers. Publishers often seek out these security companies to license their technology for particular games that the publisher wants to manufacture. The publisher has no choice other than to turn to third-party security companies since game developers do not have the time to focus on security.

The motivations of security companies are simple - they provide technology that secures the content of the game publishers so that they can win contracts and licenses in the face of intense competition in the game security market. They must take part in the arms race against crackers by further obfuscating code and making it more difficult for the crackers to penetrate the protection of the game. However, some of these protection tactics have often resulted in more difficulty and inconvenience for the end-user and have led these particular copy protection schemes to fall out of favor with the publishers.

In summary, an interpretation of the security companies' stance on game piracy is: "We'll protect your product however you want it, just give us the contract!"

Protection Schemes

Game security companies provide protection for video games that can be classified under three major categories based on the type of the game: offline, online, and console (hardware). In this section, I detail the major protection techniques in each of the three categories and include a brief history of evolution and technical advancement.

Offline

Offline copy protection is used by the publisher to protect the actual CD or DVD disc that the game is shipped on. Though protection techniques vary from company to company, the main goals are similar:

  • Prevent piracy groups from mass-producing a cracked game executable for resale
  • Prevent the easy distribution of virtual images online by forcing CD/DVD checks
  • Protect against CD emulation and protection circumvention devices
  • Ensure that the game is not available through piracy channels for the first few weeks after its release.

Vendors have taken different approaches to tackling the problem and some interesting solutions have involved:

  • Burning 'defective' original disks with characteristic patterns of bad sectors
  • Incorporating 'nanomites' to cause random crashes through the game if the protection is circumvented
  • Encrypting game executables so they are not easily copied
  • Detecting hacker tools and hiding debugging symbols and information to delay reverse engineering
  • Providing an API for game developers to embed secret hooks within the game that check for the presence of copy protection
  • Automated code obfuscation

For details about specific offline copy protection techniques and an evolution of the technology, please see:

Online

Online game copy protection ensures that games can be distributed through the online venue and also ensures that games are checked for authenticity when the player logs on to an online server.

Many vendors have created varied solutions for the online distribution method and some characteristic features are as follows:

  • Allow demo 'trial' version of game, after which the full version must be unlocked through purchase of a serial key
  • Encrypt different parts of the distribution binary so that if one version is cracked, it may not allow cracks for all other players
  • Provide a streamlined distribution mechanism that makes it easy for players to purchase and download games online

One good example is Macrovision's ActiveMark:

On the other end of the spectrum, many games seek to validate that players have indeed purchased a legitimate copy of the software by using an online authentication method. This method checks the player's key against a stronger encryption algorithm or a list of valid serial keys hosted at the company server - if the check succeeds, the player is allowed access to a greater list of features such as online game play or web site registration.

Though many online games have their own methods of CD-key verification, one example of a widely-used software that incorporates this technique is Punkbuster:

In-Game Protection

Though not the primary focus of the topic of copy protection, protecting game security within game worlds has become a popular discussion topic lately. With the advent of virtual economies and virtual-to-real currency exchange, it has become more important than ever to make sure that games are secure from hackers that seek to benefit from exploiting game rules.

In-game protection usually deals with online community games where it is important to the entire community that each of its members is playing by the game rules. Many online game companies employ in-game security software to ensure that gamers are not running malicious processes or applications and to prevent gamers from easily accessing other programs while within the game world. In addition, this software cleans up the memory space of the protected game application to prevent game hackers from reverse engineering which memory locations refer to which game abilities. For example, a hacker may find that a certain memory address controls the health of his or her character - by overwriting this address with a larger number, the hacker has effectively increased his or her potential in the game unfairly.

Hardware

Gaming consoles (Playstation, XBox, Nintendo) have tried various strategies to prevent pirated games from being run on their systems. These strategies usually rely on difficulty of use to make it not worth the gamer's time to invest in circumvention techniques. Since circumventing a hardware system security often involves soldering or attaching additional hardware components, there is some amount of investment required from the gamer in order to successfully defeat copy protection mechanisms.

One critical strategy that many console vendors adopted was to make the game media difficult to reproduce. Earlier game consoles used game cartridges which embedded the actual game data into a ROM (Read-Only Memory) and required plugging in to the game system, similar to inserting a stick of RAM in modern computers. However, this technique was both expensive and inefficient and was soon replaced by burned CDs, DVDs, and soon Blu-ray Discs. In order to prevent gamers from burning their own CD/DVDs, these games often used similar methods of 'defective' CD detection as the SafeDisc protection scheme mentioned above. One key difference is that the SafeDisc protection can be fooled into authenticating a backup CD if virtual emulators are in play - this advantage is lost on the console since the gamer cannot run arbitrary programs.

After the gamer has managed to obtain a copy of the game and burn it successfully onto the proper media, the only way to skip the hardware detection present within the game console itself is to circumvent it. Common techniques involve either modifying the operating system that the console is running on (both difficult and dangerous) or soldering a hardware mod-chip onto the console to disable the security protections (similarly dangerous).

In order to protect against these strategies, consoles have now adopted an online approach to validating the hardware of gamers. Even though gamers may be able to modify their own system to disable security routines and play backup copies of games, these modified systems can be easily detected when the gamer goes online and the online console network checks the gamer's hardware to validate that the hardware security is enabled. Since the gamer is using a modchip that disables the security, this check will fail and the gamer will be denied access. This denial of access includes critical updates necessary for online play as well as free upgraded game content - with these incentives in place, it becomes less advantageous for gamers to utilize hardware modchips.

[XBox 360 Exploit Crackdown]

Protection Cracks

To illustrate the problem with current copy protection schemes, I provide a set of user-friendly tutorials to guide interested students in how to examine weaknesses in copy protection.

Offline

Offline copy protection circumvention involves being able to create a duplicate image of the software as well as creating a serial key number to validate the software for installation. Since duplicate image generation is legal for making backup copies of owned software, I have provided tutorials below that demonstrate how to create full and mini-images. Key generation, however, is strictly ILLEGAL and as such I only illustrate to the reader a proof-of-concept that keygens exist and generally demonstrate how keygens are constructed.

Online

Online games are often protected from copy protection circumvention due to a large amount of the source code being controlled server-side. However, online game copy protection is not wholly without flaw -- to prevent slowdown, most of the code for games is often run client-side. This means that it is theoretically possible to create an emulated server for any online game as long as this server provides the correct message responses to the gamer's client. Of course, these messages are not made transparent in the source code included with the user copy of the game, so they must be reverse engineered.

Two popular Massively-Multiplayer Online Role-Playing Games have been compromised in such a manner by emulated virtual servers. The companies that sponsor these games use the same offline copy protection as offline games. When the server component of the game can be emulated, these online games' intellectual property can be stolen as well.

Hardware

Hardware games benefit from hardware security validation mechanisms that ensure backup game media will not run on the console. However, these security validation mechanisms can be disabled by soldering a 'mod-chip' directly onto the system board of the console, thereby enabling the same security bypass mechanisms used for offline games.

Results

  • Piracy is clearly a large issue that affects the entertainment industry, including publishers, developers, gamers, security companies, and crackers.
  • Current copy protection schemes are insufficient to protect against circumvention techniques.
  • Legitimate users are affected by aggressive copy protection mechanisms and often have a less enjoyable user experience than piracy users.
  • Copy protection circumvention is a real problem and can be performed by most users within hours.
  • Two paths exist for game companies to protect against intellectual property theft:
    • Software Watermarking and Trusted Computing - Games are shipped with crippled executables that require users to register online and provide unique identifying information in exchange for the watermark decryption code to install a fully working executable. By this method, users will be able to be tracked based on this uniquely identifying watermark code. In addition, to prevent emulation from hiding the watermark, systems can use tamperproof hardware (implemented as the Trusted Platform Module for Windows Vista machines) to validate the true hardware configuration of the user. This means that the game will be able to examine the user's true hardware at install time and modify the watermarking algorithm to be based on the user's hardware configuration. This means that even if a keygen were to be released for the watermark algorithm, users would have to also defeat the TPM on Windows Vista to enable hardware emulation. This path is technically involved and may involve more difficulty to the user, but preserves gameplay.
    • Micro-transactions - Abandon copy protection and ship games without it. Instead, entice the user to buy small virtual items or enhancements to the game from secured content servers. This way, the copy protection problem is sidestepped since the main value the intellectual property generates will be from these items instead of the actual game software itself. This path is the path of least resistance but will severely limit viable gameplay types as well as incite some amount of user backlash. Some users want to feel like they 'own' the game and not like they must be continually paying upkeep for the game.
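A sketch of the registration-bound unlock code from the first path above, added here as an example and not code from the original writeup. It models the watermark as an activation code derived server-side from the serial key, the registrant and a hardware fingerprint, so a leaked code fails on other hardware and can be traced to its registrant. The class and function names, the HMAC construction and the sample values are assumptions, and the fingerprint is assumed to come from a TPM-attested configuration.

```python
import hashlib
import hmac
import secrets


class ActivationServer:
    """Publisher-side registration service (hypothetical design)."""

    def __init__(self, issued_serials):
        self._secret = secrets.token_bytes(32)  # stays on the server, never shipped
        self._issued = set(issued_serials)      # serial keys printed in retail boxes
        self._registry = {}                     # activation code -> registration record

    def _code(self, serial, user_id, hw_fingerprint):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        msg = b"".join(
            len(p).to_bytes(2, "big") + p
            for p in (serial.encode(), user_id.encode(), hw_fingerprint)
        )
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def register(self, serial, user_id, hw_fingerprint):
        """Issue an activation code for one (serial, user, machine) triple."""
        if serial not in self._issued:
            raise ValueError("unknown serial key")
        if any(r["serial"] == serial for r in self._registry.values()):
            raise ValueError("serial key already registered")
        code = self._code(serial, user_id, hw_fingerprint)
        self._registry[code] = {"serial": serial, "user": user_id}
        return code

    def verify(self, code, hw_fingerprint):
        """Accept a code only on the machine it was issued for."""
        record = self._registry.get(code)
        if record is None:
            return False  # a code the server never issued, e.g. keygen output
        expected = self._code(record["serial"], record["user"], hw_fingerprint)
        return hmac.compare_digest(expected, code)

    def trace(self, code):
        """Map a code found in circulation back to its registrant, or None."""
        record = self._registry.get(code)
        return record["user"] if record else None


def hardware_fingerprint(attested_config):
    """Hash a hardware description; assumed here to be vouched for by a TPM."""
    canonical = "\n".join(f"{k}={attested_config[k]}" for k in sorted(attested_config))
    return hashlib.sha256(canonical.encode()).digest()


def demo():
    # All serials, users and hardware values below are constructed samples.
    server = ActivationServer({"AAAA-1111", "BBBB-2222"})
    alice_pc = hardware_fingerprint({"cpu": "cpu-model-x", "disk": "disk-serial-1"})
    other_pc = hardware_fingerprint({"cpu": "cpu-model-y", "disk": "disk-serial-2"})
    code = server.register("AAAA-1111", "alice@example.com", alice_pc)
    return {
        "same_machine": server.verify(code, alice_pc),
        "other_machine": server.verify(code, other_pc),
        "guessed_code": server.verify("0" * 64, alice_pc),
        "traced_to": server.trace(code),
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the fingerprint: if the client can report arbitrary hardware values, the binding can be replayed, which is why the writeup pairs this path with the TPM.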

Resources

One of the main features of this writeup is an extensive list of useful tools and technologies that individuals interested in game security can use to further their own knowledge of the topic. Though this section is still due to expand, I believe the list below is a good subset of the popular websites and software that is available for both protection and cracking of game software.

Glossary

Still in development, this is a list of definitions for confusing terms related to game security.

Glossary

Tools

Resources

These are websites that feature tutorials and important forum questions with detailed insights on current copy protections, circumvention techniques, and how to investigate further.

Hacker News

Online blog about all the latest happenings in game security, though it focuses more on in-game hacking.

Conclusion / Future Work

  • This foray into copy protection is mostly an exploratory survey to gather data for analysis. This page contains only a small subset of the true world of security protection (only the major security protections are represented).
  • Future work would include a more comprehensive review of the security scene - I include what I consider to be necessary inquiries as red Wiki links to indicate an area of future improvement.
  • Research on alternative methods for future copy protection.
Last modified April 15, 2008 6:22 pm