Use Minimal Copy Protection | Secrets of the Game Business (Game Development Series)

For years, developers have debated over how much copy protection a game should have. Today, the standard seems to be to create "light" copy protection—just enough to keep the honest people honest.

Heavy-duty copy protection usually isn't worth it. As you know, no copy protection is unbreakable, and hackers see sophisticated padlocks as challenges. The cracker might not even like your game, but will still crack it just because you've "challenged" him by using sophisticated anti-piracy techniques.

Remember that most of the people who play and buy games online are not technically knowledgeable enough to crack something. They're casual people who enjoy a quick diversion, not hardcore gamers. They don't usually know how to get a crack, much less how to use it.

The most prevalent form of piracy today is called "casual piracy." This is where someone lets a friend copy a game he's bought or got from someone else. Most of the time, if someone copies a CD and the anti-piracy mechanism notices and prevents them from playing the copied game, that person isn't likely to spend time trying to crack the protection. At worst, he might try a few times, enter a few different serial numbers, fail, and either buy the game or move on.

This is great, because it means that you can prevent most of your piracy losses by employing a relatively easy protection scheme. You just need to think about the most common ways a game gets copied, and put a couple of layers of protection on those holes.

For example, Web-validated registration codes work well. The basic idea is that in exchange for their purchase, a customer gets a registration code that he or she types into the game. Then, the game validates the code, either through an internal algorithm (e.g., a checksum), or by "phoning home" to a registration server and query that server to make sure the code is valid. The game either checks the code each time it is run, or it hides a key/value pair in the system's registry that specifies whether the game is registered.

The main problem with an algorithm-based registration code is that it doesn't prevent someone from writing the code on the CD copy and giving that to a friend. Unless your algorithm is based on something unique to the machine the game was originally registered for, your program has no way of knowing if a code has been used before. If someone posts a registration code on the Internet, your only recourse is to release a new version of your software that disallows that code.

The "phone home" method is slightly better than relying on an algorithm, if you don't mind forcing your customers to connect to the Internet. With phone-home protection, whenever someone uses a code, you know about it. It then becomes easy to prevent the same code from being used on multiple computers, and if you see that a registration code has been leaked out to the Internet, you just add it to your "blacklist" database, so that any game that asks if that code is good gets a "no" answer from your server.

The weak spot for the phone-home algorithm is spoofing. To a cracker, it's pretty easy to write a program that pretends to be your registration server, and tricks the game into believing it's talking to the real registration server. You can mitigate this risk by creating your own communications protocol, but then you're off to the races—you can spend months designing a secure method of communication, but there will always be a way around it.

Another issue to keep in mind if you use the phone-home technique is that users expect to be able to re-install their games on their own computer if they're forced to re-install their operating system, if they upgrade to a new hard drive, or otherwise change their system configuration. You need to think about a way they can do this easily, or you'll get a lot of angry e-mails from people who believe their fair-use rights have been trampled.

In summary, you should create some type of copy protection. Most games distributed online use algorithm verification, and/or phone home to a central registration server. Regardless of which method you choose, realize that it's a game of diminishing returns—concede the fact that you'll never stop someone who really wants to crack your game, and concentrate on keeping honest people honest.