Quote: "It is trivial to write code that can get the filenames, filesizes and file content from a Dirblock."
Not to mention creating a DBPRO executable with:
READ DIRBLOCK
written in it. Aren't easy-to-produce security measures also easy to breach, in most cases?
But at least what you do will be better than nothing if you are worried about casual manipulation as you mentioned before.
However, what I am about to say is not to say that your ideas are bad, mine are no better, I'm just trying to contribute ideas; I also would like to earn more profit. I also would like to figure out how to raise security without spoiling the experience for genuine customers.
I must emphasize point A:
I emphasize that yes, we all understand that we must treat customers well, and yes we know that we are not Blizzard Entertainment, we just want more peace of mind;
and it is just that we'd also like to make things more difficult for the pirates. Plus, I particularly do not want to be known as that boy who claims to have produced [Enter Name of Product], e.g. something at a similar scale to Facebook, only to hand over the credit to a skillful crook.
I should really go to bed, but you guys are really making my stomach boil with fire with those comments. I am sure the hackers reading this must be laughing like crazy; we should post this on a hacking forum so that it kills them to death with laughter. Now I am not saying that I know much better; but we need to stop under-estimating these guys.
Password-protected archives sound a little bit more difficult to get around; but what happens if the password gets found out? It's like finding the small key that opens many locked doors. The effort put in to create and update the archives is indefinitely wasted once the password is found. And where is this password being stored? In a variable or as a literal in a program that can be decompiled and read? How long does it take to distribute the password over the internet?
We need to first accept that our source code is not protected. So any security measure that is rendered useless after a single act by one individual, isn't worth considering. We need something that can be secured again once breached. So it is obvious that changing the password will not suffice.
My mind thinks about the kind of person who is even looking for your media folder in the first place; it says a lot about what they have been doing in life, maybe for years. Maybe there is an archive password hacking tutorial on Google, who knows.
We've got to think like the hacker really. What's the first thing they will assume when they see the data files? They'd probably assume that since there are no recognizable media files, that
'these must be file archives. What was this software made in? DBPRO.' or
'Since this has got to be an archive, what DLLs could have been used to produce it; let's email Bob and ask him for his archive hack list.'
With software as popular as DarkBasic, you're going to have a hard time protecting your stuff against DarkBasic users with part-time hacking jobs.
For your effort to be worthwhile, you simply must develop something harder to crack than that; it's like level 2 on Sonic the Hedgehog for these guys. You would have to think something up more difficult to give most hackers a hard time; hacking is their life, it pays their rent; they probably earn more money than some of us; definitely more than me; which is why I assume that my efforts are futile as a solo developer.
I'm just randomly posting up ideas here: You could pack sensitive stuff together into a series of memblocks in an obfuscated manner, and then save the memblocks into fileblocks; or something along those lines to at least give DBPRO hackers something extra to figure out.
Another idea, if you are creating an online game, is to have fragments of your stuff downloaded and have some of the small content downloaded from your server directly through packets, never the hard drive; then the only way to get the content is to get into the network packets, which sounds more difficult to crack to me than figuring out what a file is for and what is in it; the size of the file alone gives it away somewhat.
Network transfer is slow, but at least some of your content will never reach the hard disk. The least sensitive data could sit in your archives. But the disadvantage of this idea is that it encourages people to hack your server.
Another idea is splitting the content up into various files in such a way that someone would have to decompile your source code to know what is going on; and when they do, the functions which deal with the files are obfuscated, and have no meaning without a written document you keep in your office. But still, once that has been found out, everyone on the planet will find it out; however, this is far more time-consuming than hacking a packed file. The more complicated, the more difficult to hack.
Quote: "Even with the amount of dodgy windows going around, Microsoft still makes a hell of a killing in sales."
Very true, sales are still made; hence they still bother to print price tickets.
Quote: "My philosophy may be a little different, but this is not an exercise in how I spend my idle time. I am doing this for business reasons. I expect to make a profit from my efforts, which extend beyond gaming."
Same here. Based on your experience, the type of product and your target audience, you know more than anyone else how bad it is going to be for you if a large group of your players ended up not paying half a dime for the amount of hours you put into your work. It's up to everyone to judge what to do about their own customers.
For me, and my online game project, I am more worried about people cheating and selling game currency, things like that which ruin the experience for other players. I'd feel more comfortable if 20% of my players did not pay to play the game, than if 20% of them did pay only to ruin everyone else's experience by cheating and taking the mick out of people.
At least these pirates will spread some word of mouth advertising, letting people know that my game exists, for me. But what if 75-80% of my players didn't pay? What if you had 1000 players, but only 200 sales? Knowing me I'd probably commit suicide, but seriously, having a registration system with some sort of link between order transactions at least lets you know who paid and who to suspect. (Re-emphasizing point A above)
Edit: Note about shop lifting illustration.
I've worked in retail for years; I worked in a wealthy area known as Kingston, somewhat to the south-west of London. Kids steal every day, and when they get caught they do not go to jail; and the shop keeper does not get his stock back from the police. The people who steal know that they are on camera, yet they come back for more every week. Eventually the Chairman of the chain forced the managers to get rid of the security guards; that's right. The chairman and board of directors felt that they were useless! Because the amount of money required to pay them was higher than what was being stolen. More people stole more often after they left, but it was still cheaper to let the kids steal than to raise security.
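A worked illustration of two points made in the post above, the archive password stored "as a literal in a program that can be decompiled and read" and the idea of packing data "in an obfuscated manner" to give a hacker something extra to figure out. This is an added example and is not code from the poster or from DarkBasic Pro; the "executable" is a constructed blob of junk bytes with a literal embedded in it (the password, the XOR key and the junk generator are all hypothetical), standing in for a compiled program:

```python
"""Added example, not from the original post.

Shows (1) that a password literal inside a shipped binary falls out of a
naive strings(1)-style scan, and (2) that a single-byte XOR "obfuscation" of
that literal only costs the attacker a 255-iteration loop, because the key
has to ship in the same binary anyway.
"""
from __future__ import annotations

import random
import re

# Hypothetical values for the demonstration (not from the post).
PASSWORD = b"Sw0rdfish-2007"
XOR_KEY = 0x5A


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Naive strings(1): every run of min_len or more printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def has_string(candidates: list[str], needle: str) -> bool:
    """True if needle occurs inside any extracted run (runs may carry a
    printable neighbour byte on either side, so substring match, not equality)."""
    return any(needle in s for s in candidates)


def build_fake_executable(password: bytes, xor_key: int | None = None,
                          seed: int = 7) -> bytes:
    """Constructed stand-in for a compiled program: deterministic junk bytes
    with the password literal (optionally XOR-obfuscated) in the middle.
    This is not a real executable format."""
    rng = random.Random(seed)

    def junk(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    stored = password if xor_key is None else bytes(b ^ xor_key for b in password)
    return junk(300) + stored + b"\x00" + junk(300)


def recover_xored_strings(blob: bytes, min_len: int = 6) -> dict[int, list[str]]:
    """Brute-force every single-byte XOR key and run the strings scan on each
    decoded copy. Returns key -> printable runs found under that key; the
    obfuscated literal shows up under the key the program used."""
    found: dict[int, list[str]] = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        hits = extract_strings(decoded, min_len)
        if hits:
            found[key] = hits
    return found


PLAIN_BINARY = build_fake_executable(PASSWORD)
OBFUSCATED_BINARY = build_fake_executable(PASSWORD, XOR_KEY)


if __name__ == "__main__":
    needle = PASSWORD.decode()
    print("plain literal found by strings scan:",
          has_string(extract_strings(PLAIN_BINARY), needle))
    print("xor'd literal found by plain strings scan:",
          has_string(extract_strings(OBFUSCATED_BINARY), needle))
    by_key = recover_xored_strings(OBFUSCATED_BINARY)
    print("xor'd literal found after key brute-force, key=0x%02x:" % XOR_KEY,
          has_string(by_key.get(XOR_KEY, []), needle))
```

The brute-force loop is only there to make the point that the obfuscation adds one short loop of work; in practice the key is a constant in the same program and is read straight out of the decompiled code, which is exactly the "single act by one individual" failure the post describes.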