Mass Effect and Spore:
How the DRM Works

By Shamus Posted Thursday May 8, 2008

Filed under: Game Reviews 46 comments

There is a lot of misunderstanding on the nuts and bolts of this new DRM scheme. This is, of course, the fault of EA for making something so convoluted, but we can’t really heap anger and shame on the thing until we have our facts right.

Some people think that if they just don’t play at all for a couple of weeks they will be locked out forever. This is not the case. To clear things up:

  1. You get three total “activations”. This means the game can be placed onto three computers. This can be three different computers, or the same computer upgraded three times. Every time you try to run the game on what the server thinks of as a “new” system, one of your three activations is consumed. This means your relationship with the game is directly affected by how often you upgrade.
  2. Once the game is “activated”, you’re free to play for five days without hassle. After five days, the game will try to call the mothership on startup. If it can’t get through – for whatever reason – it will still let you play.
  3. After ten days since activation, if it still hasn’t been able to reach the mothership, the game will refuse to run. It will not run again until it can once again call home. Anytime it does call home and finds out everything is fine, the timer is reset and you have five days before it will attempt to connect again.
  4. If your serial number ends up on the web, it will be blacklisted. (Note that this means they must be trolling the warez sites and torrents. Which makes this entire charade even more ludicrous. They must know how quickly their games are cracked. This isn’t ignorance, this is willful delusion.) Next time the game phones home, it will… what? They aren’t really specific on what it will say or do if you’re using a banned serial number, but whatever it is you won’t be playing your game.
  5. They claim that there is only a 1 in 3 billion chance of someone guessing your registration number. I’ve written about the massive number space of serial numbers before, and this isn’t that hard to believe. But this assumes the hacker is just going to sit there and blindly guess at numbers. Hackers aren’t that stupid. The hacker will usually (I assume) try to figure out what system is used to denote valid serial numbers via some sort of reverse-engineering. Since the server is in charge of approving serial numbers and not the local executable, this would be very hard to do. The hacker would need an awful lot of serial numbers to work with. So this part of the system is pretty secure. However, it’s still pointless, since it will be easy enough to disable the mothership call – no different than disabling a DVD check.
  6. You do not need to have the DVD in the drive to play. This is what they are using to sell the scheme to users as one of the “benefits” of the new system.
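The six rules above amount to a small state machine, and writing it down makes the edge cases visible: what happens on day five with no connection, on day ten, and when the call finally gets through. The following is an added example, not code from this post and not from EA or SecuROM. It models the rules exactly as stated; the day-based clock, the event and function names, and the "machine id" the server keys activations on are assumptions made for the model.

```python
"""Model of the activation and phone-home rules described in the post.

Added example, not code from the post or from EA/SecuROM. The rule set is
the post's six points; the day-based clock, the event names and the
function names are assumptions made for this model.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_ACTIVATIONS = 3   # point 1: three activations per serial
GRACE_DAYS = 5        # point 2: no call home is attempted for five days
LOCKOUT_DAYS = 10     # point 3: refuses to run after ten days without contact


@dataclass
class LicenseState:
    """Combined view of what the server and the client track for one serial."""
    activations_used: int = 0
    known_machines: set = field(default_factory=set)
    last_ok_check: Optional[int] = None   # day of the last successful contact
    blacklisted: bool = False             # point 4: serial seen "on the web"


def activate(state: LicenseState, machine_id: str, day: int) -> bool:
    """Server-side: a machine the server has not seen before consumes an activation."""
    if state.blacklisted:
        return False
    if machine_id in state.known_machines:     # reinstall on a known box is free
        state.last_ok_check = day
        return True
    if state.activations_used >= MAX_ACTIVATIONS:
        return False
    state.activations_used += 1
    state.known_machines.add(machine_id)
    state.last_ok_check = day
    return True


def launch(state: LicenseState, day: int, server_reachable: bool) -> str:
    """Client-side decision at game start on `day`.

    Returns "play" (no check attempted), "play-after-check" (check succeeded,
    timer reset), "play-offline" (check failed but still inside the ten-day
    window) or "locked" (never activated, ten days without contact, or the
    serial turned out to be blacklisted when the call got through).
    """
    if state.last_ok_check is None:
        return "locked"
    elapsed = day - state.last_ok_check
    if elapsed < GRACE_DAYS:
        return "play"
    if server_reachable:
        if state.blacklisted:
            return "locked"
        state.last_ok_check = day     # a successful call resets the five-day timer
        return "play-after-check"
    if elapsed < LOCKOUT_DAYS:
        return "play-offline"         # point 2: a failed call still lets you play
    return "locked"                   # point 3: ten days without reaching the server


def scenario_offline_buyer() -> list:
    """Activate on day 0, lose connectivity from day 3, regain it on day 12.

    Constructed scenario; returns (day, outcome) pairs for each launch tried.
    """
    st = LicenseState()
    assert activate(st, "pc-1", 0)
    outcomes = []
    for day in (1, 4, 5, 9, 10, 11, 12, 13):
        reachable = day < 3 or day >= 12
        outcomes.append((day, launch(st, day, reachable)))
    return outcomes


if __name__ == "__main__":
    for day, what in scenario_offline_buyer():
        print(f"day {day:2d}: {what}")
```

Running the scenario shows the buyer playing normally through day four, playing "on credit" from day five to day nine while the calls fail, locked out on days ten and eleven, and back to normal on day twelve once a call succeeds. Note that every branch of `launch` is evaluated on the buyer's own machine; only the activation count and the blacklist live on the server.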


In the original Monkey Island, at one point you are captured by natives who lock you in a simple bamboo hut. There is a trap door in the floor through which you may escape. If you’re dumb you can walk over to the natives once you’re out, and they will grab you and throw you back into the hut. The second time they throw you in, they nail the door shut. The next time they add chains to the door. This keeps going until eventually (if you keep going back) they have a bamboo shack with a massive steel vault door on the front, with a timed lock and an alarm system on it. It looks like the front of Fort Knox.

How he keeps getting out is almost as mysterious as why he keeps coming back.

In a lot of ways these DRM schemes are a bamboo hut with a vault door on the front. They keep using a bigger and bigger lock and a more complex system of authentication, but it still has to run on a machine where you can edit the executable, and all the hacker has to do is go in and disable the part that says, “Do the security check.” It doesn’t matter how secure or complex or devious the security check is: if the machine’s not doing it, it’s not doing it.


46 thoughts on “Mass Effect and Spore: How the DRM Works”

  1. Kristin says:

    Well, that’s better than the other way… but, still, not good.

  2. Krellen says:

    Under the category “Anime”?

    I can’t wait to hear the justifications for that folks’ll come up with. :D

  3. Viktor says:

    The Monkey Island comparison is surprisingly apt. As would be a simple post calling the executives of EA monkeys throwing their feces at customers in an attempt to hit pirates.

  4. henebry says:

    Great post. I especially like the Monkey Island bit. Could you do a quick cartoon showing the executives of EA as island natives locking the videogamer back in the bamboo hut for the nth time?

    As for the classification as “Anime”, I suspect that the site’s classification system is broken. If you click on “Previous in Anime: Print Job” you get a post which has nothing to do with video games OR Anime. When you get there, Print Job is misclassified not as anime but as a rant, with a “Previous in Rants” link that takes you to a story about a couple that let their child die (a blog entry that just might be a rant).

  5. Phlux says:

    Shamus: Do you have any insights to deliver on the relative complexity of “altering” an executable once it has been compiled?

    I’ve always wondered how the craft of piracy works. Certainly if I had access to the original source code I could scan through it until I found a section related to security checks and remove the offending lines. I have NO idea how to do this on an already compiled EXE file.

    I’m not asking for a walkthrough for how to crack EXEs, but I’m wondering if your software engineering experience can shed some light on a topic that has always mystified me.

    Once it’s compiled, how do you make it human readable again? Or are these pirates so smart that they can read the raw machine code?

  6. Zukhramm says:

    “Or are these pirates so smart that they can read the raw machine code?”

    The pirates usually bring the discs to a far off island, to let them go through a secret three day cleansing ritual. After that they upload it on the internets.

  7. Shamus says:

    Phlux: I don’t have any deep insights, no. My own hacking is simply using a hex editor to alter an .exe – I never did so to subvert DRM, but I used to do it in order to cheat in old early 90’s games.

    I’ve also seen the problem from the other side: Trying to secure an executable against hackers. The bottom line – which was something we realized very quickly – is that it is impossible to fully secure an .exe. There are ways of encrypting an executable and doing internal checksums that will slow down the hacker and maybe annoy them, but any security that relies on something run on the hacker’s machine is inherently insecure.

    “how do you make it human readable again? Or are these pirates so smart that they can read the raw machine code?”

    In the old days, yeah they could. I have no idea if it’s still done that way, though. I imagine they’d have better tools by now.

  8. Deoxy says:

    Reading raw machine code is not difficult if you know the instruction set – time consuming, but not difficult.

    Of course, I doubt many of them actually do this… google “decompiler”. A decompiler is a tool that turns machine code into a “human readable” form, such as C, VB, or Pascal.

    Another tool is anything that lets you monitor memory and resource usage… that is, something that lets you see what part of the code is running and what system resources it is requesting (like an internet call). You could then disable that section of the code.

    Etc. – there are many ways to skin a cat. I don’t actually know what methods they prefer, I just have a fairly extensive knowledge of computing and programming. I would be surprised if there aren’t tools made to practically automate this process.

    And yes, that Monkey Island thing is PERFECT.

  9. Elf says:

    If your serial number ends up on the web, it will be blacklisted. (Note that this means they must be trolling the warez sites and torrents. …)

    You’re making a false assumption there, because…

    They claim that there is only a 1 in 3 billion chance of someone guessing your registration number. … the server is in charge of approving serial numbers …

    I imagine that their train of thought is this: because there is a vast keyspace, if the server detects a serial number being used more than a set number of times, probably the number of allowed activations, then it must have been leaked for warez use. There is no other checking or validation involved than that, I’d wager.

    This is presumably why the game continues to phone home even after it has been initially validated, not because it ‘becomes pirated’, as you jokingly wrote previously, but because every copy of a game with a leaked serial code can soon be shut down.

    Let’s hope an almost inevitable keygen doesn’t generate a serial number in use, huh?

  10. Winter says:

    To those wondering how pirates crack games: I don’t actually know myself, but I know how I would start. You can get programs that will watch the memory allocated to a program, in other words everything that’s going on. This is (of course) quite complicated, but it’s got to be better than a decompiler in some cases. Anyway, you fire up the game and step through the code (with some sort of debugger ideally) until you get to the step that you can’t get past without having a legit copy. Some step before that has to be the “is this legit” check, so you then look through the game for that. Eventually you’ll find a “0” that turns into a “1” when the game checks out, and so you just always lock that at a “1” and the game thinks it’s always legit.

    Obviously it’s waaaaaay more complicated than that (and I suspect that particular dance has evolved quite a bit on both sides), but watching memory and decompiling is the way I would assume.

  11. Eric Meyer says:

    They’ll blacklist any serial number they find on the net? Hmmm. So what happens if someone decompiles the relevant code, generates all the possible serials, and puts them all online?

    Just sayin’.

  12. JFargo says:

    I got that that was how it worked, mostly because if I thought for an instant that it worked the other way (locks you out forever) I would have realized that, as foolish as EA is being, they couldn’t be THAT dumb.

    Well, not yet anyways. They’re getting there though.

  13. mark says:

    Old adventure games had the best copy protection: feelies. You had to reference a word from a random page of the manual (boring) or some pretend piece of documentation for an in-game device (e.g., the codes for getting the data cartridge at the start of Space Quest 1 and the sector that the ship is in later).

    These wouldn’t work nowadays though, people would scan the manual. It only worked before photocopiers or scanners were cheap and easily available. :(

  14. Shamus says:

    Eric Meyer: I’m guessing you can’t decompile the code to generate valid keys, because that runs on the server. Most games test the key locally and if it’s valid the game will run. This system, the local exe doesn’t know if the key is good or not – it asks the server and all it gets back is yea or nay.

    At least, that’s how I’d design it if I was stupid enough to use this sort of DRM but smart enough to see the obvious loophole in local key authentication.

  15. GAZZA says:

    Phlux: It depends.

    Tools called “decompilers” exist that will turn raw machine code into a semblance of the source code that it was compiled from. These can be fooled, obviously, but for some languages and compilers they’re pretty effective.

    However, assuming that the art of cracking hasn’t significantly changed from when my mates and I used to do it back in DOS days, the basic technique is to fire up a disassembler, and step through the code paying attention to each jump or call to a subroutine. Once you find stepping over one of these calls brings up the security stuff, you just edit the assembler code to use NUL operations on those bytes, and then make sure that wasn’t the only place. It’s tedious, and it can be made more complex by certain obfuscation techniques, but that’s the basics. It requires patience more than any particular genius – high school kids with time on their hands can be taught the necessary skills.

  16. Ozy says:

    I have a hypothesis: the people who write DRM have no delusions whatsoever as to the usefulness of their schemes, but merely regard the exercise as an entertaining game between them and the crackers. They then sell their services to ignorant executives in order to also get paid to do what they would do for fun anyway, and to have better resources at their disposal.

    I’d imagine that they have some sort of betting pool between themselves and crackers as to how absurd they can make things before people stop buying DRMed games completely. I’d further imagine that any of those who were so idealistic as to have much faith in the consumer have long since lost.

  17. Martin says:

    They’ll probably buffer-overflow the authentication server somehow and grab that copy of the serial checker. Heh.

  18. I think that the serial number blacklisting isn’t based on them trolling warez sites. Rather, if the mother ship sees a particular serial number being called in an excessive number of times, from a large number of different IPs, then they assume it’s gone feral and ban it.

  19. bargamer says:

    This reminds me of a joke I heard a long time ago: A car repair shop had a unique service and pricing plan. Every customer was presented with three choices, only two of which would be represented in their service. Their choices were: Quick, Cheap, and Good. For example, if they wanted service that was quick and cheap, it would not be any good. If they wanted service that was quick and good, it would not be cheap.

    In this case, all DRM proponents screwed themselves, because they only got to choose quick, and got a product that is neither good nor cheap. The pirates win, because with a little work, they can get products out quick, cheap, and only slightly less good than the official version, which is why for a month or two, they will continue releasing new versions as the official game releases patches, etc. In the case of Spore, unless these pirates have their own pollination servers, their product will be even less “good” than usual. Needless to say, if the pirates DO get ahold of a pollination server, someone in EA is a mole.

  20. Adamantyr says:

    Concerning executable cracking, Chris Crawford has a VERY good write-up of how he protected one of his games in his book “Chris Crawford On Game Design”. (Link below)

    In particular, he uses obfuscation techniques such as:

    – Burying work code inside of recursive loops, so reading the active process stream has a ton of noise the hacker has to wade through to find the ONE interval that does something.
    – Code over-writing, in other words, the program overwrites parts of itself while running in memory. This is actually really bad from a security standpoint nowadays, but it’s fiendishly clever and sadistic for the poor hacker whose world view has just been demolished by code that changes when he’s NOT LOOKING.
    – Dummy variables with obvious names that draw the hacker away from the actual important ones.
    – Storing actual data in the stack garbage and fetching it in a clandestine way, like an “accidental” buffer over-run.
    – Deliberately breaking the game so the legitimate version would “fix” one element of data. Otherwise the game can’t be finished.

    He actually hired a professional hacker to try and break his program after he’d finished it, and the guy never got past the first level of defense he set up. He later found cracked versions online, but none of them were actually completable as his “flawed” data element wasn’t fixed.

    http://www.amazon.com/Chris-Crawford-Design-Riders-Games/dp/0131460994/ref=pd_bbs_sr_2?ie=UTF8&s=books&qid=1210267071&sr=8-2

  21. Alan De Smet says:

    To reply to a few random points people have made:

    If the publisher is smart, a keygen program isn’t possible. When you’re authenticating to a server, the secure option is to generate a few million keys entirely at random, then just store the valid ones in a database. You might want to add on a simple checksum so the client code can help users identify typos, but it’s not possible to keygen a valid key. Of course, this assumes they did what I describe above. If it’s just a simple checksum, it is possible to break it, although it may be hard.

    Of course, there is the other way to get a key: steal one. Write software to pull the key from an installed copy and email it to you. Then distribute it with a virus, or purchase time on a botnet to run it. Or work at a store selling the game, open boxes, copy the codes, and use the store shrinkwrap machine to reseal them. Whatever the situation, you’ll get codes to use. Sure, they may eventually get blacklisted, but you the bad guy can get more, while the person who paid for the game gets screwed. This isn’t hypothetical; I’ve known someone who bought a sealed copy of World of Warcraft off a store shelf, got it home, and was denied access as the key was already in use. Blizzard customer service refused to fix the problem, as in their words it was absolutely impossible for the key to have been copied by someone else, so my friend must be using an infringing copy. Sadly my friend wasn’t willing to fight as hard as I would have to get his money back.
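Alan’s design (random keys kept only on the server, plus a client-side checksum that exists purely to catch typos) and the activation-count heuristic Elf describes in comment 9 (a serial activated on more machines than it is allowed is treated as leaked and shut off) fit together in one small model. The following is an added example, not the commenters’ code and not any publisher’s system; the key format, the 32-symbol alphabet, the checksum rule and the limit of three machines are assumptions chosen for the illustration.

```python
"""Server-held random serial keys with a typo checksum and an activation counter.

Added example, not the commenters' code and not any publisher's system.
Key format, alphabet, checksum rule and activation limit are assumptions.
"""
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols, no 0/O or 1/I look-alikes
GROUPS, GROUP_LEN = 4, 5                        # keys look like XXXXX-XXXXX-XXXXX-XXXXX
MAX_MACHINES = 3                                # distinct machines allowed per key


def check_char(body: str) -> str:
    """Sum of symbol values mod 32; any single mistyped symbol changes it."""
    return ALPHABET[sum(ALPHABET.index(c) for c in body) % 32]


def generate_key() -> str:
    """19 random symbols from the OS CSPRNG plus one check symbol, grouped with dashes."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(GROUPS * GROUP_LEN - 1))
    raw = body + check_char(body)
    return "-".join(raw[i:i + GROUP_LEN] for i in range(0, len(raw), GROUP_LEN))


def looks_well_formed(key: str) -> bool:
    """Client-side check: format and checksum only. Passing says nothing about validity."""
    raw = key.replace("-", "").upper()
    if len(raw) != GROUPS * GROUP_LEN or any(c not in ALPHABET for c in raw):
        return False
    return check_char(raw[:-1]) == raw[-1]


class ActivationServer:
    """Holds the issued keys; the client never sees the list or the rules."""

    def __init__(self, issued):
        self.valid = set(issued)
        self.machines = {}        # key -> set of machine ids seen so far
        self.blacklist = set()

    def activate(self, key: str, machine_id: str) -> str:
        """Returns "ok", "invalid" (never issued) or "banned" (leaked or over limit)."""
        if key not in self.valid:
            return "invalid"
        if key in self.blacklist:
            return "banned"
        seen = self.machines.setdefault(key, set())
        if machine_id not in seen and len(seen) >= MAX_MACHINES:
            self.blacklist.add(key)   # Elf's heuristic: more machines than allowed => leaked
            return "banned"
        seen.add(machine_id)          # a repeat from a known machine costs nothing
        return "ok"


if __name__ == "__main__":
    keys = [generate_key() for _ in range(3)]   # constructed sample batch
    server = ActivationServer(keys)
    print(keys[0], looks_well_formed(keys[0]))
    for machine in ("pc-1", "pc-1", "pc-2", "pc-3", "pc-4"):
        print(machine, server.activate(keys[0], machine))
```

Because `looks_well_formed` only verifies the checksum, a key that passes it can still come back `"invalid"` from the server, and nothing in the client tells an attacker which of the roughly 32^19 well-formed strings were actually issued; that is what makes a keygen pointless against this design. The flip side, which Alan’s World of Warcraft story illustrates, is that the server cannot tell a stolen key from a shared one, so the ban lands on whoever phones in last.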

  22. Morzas says:

    I think the way Blizzard does it works pretty well. There are keygens out there for SC and WC3, but their public servers have some extra rule that the key has to follow if you want to use their matchmaking services. So, a pirate can play the single-player campaign pretty easily, but after they get bored of that they have to go on private servers if they want to get any human competition. The only problem there is that currently the best place to find high-level StarCraft matches is iccup, which is a private server. D’oh!

  23. After thinking about it a lot, I believe that feelies are actually the best copy-protection strategy. The point of copy-protection is not to make it impossible to copy the game, it’s to make it more of a hassle than purchasing a copy.

    Admittedly, looking up a word in the manual is really easy to circumvent, but there were some really creative strategies back in the day (I’m thinking of the small picture book in the first Alone in the Dark, or the code-wheels of the Gold Box series).

    I’m convinced it would probably be cheaper nowadays to figure out a really, really hard to break feelie than to try and code a working DRM scheme. Hell – I’m so tired I’m not even working, and I thought of at least two ideas in the time I wrote that last sentence.

  24. evilmrhenry says:

    I wish to make one thing perfectly clear. If it turns out that the 10 day activation thing can be bypassed by setting your clock to 1975, I will laugh at EA. I will laugh long and hard, and with considerable merriment. It will take the form of various chuckles, snickers, and belly-laughs, and it will be directed firmly at EA.

    Note that they state that the game won’t touch the internet until after the 5 days are up….

    (I’ll buy Bioshock after the DRM is removed. I’ll buy Mass Effect after the DRM is removed. I’ll buy Spore after the DRM is removed. I simply find any limitation on the number of installs to be over the line, completely and utterly unacceptable.)

    EDIT: Wait. Is this the same EA who routinely take down multiplayer servers a year or two after the game comes out, without offering any sort of patch to eliminate dependency on their server, or any sort of workaround other than “buy the sequel”?

  25. RodeoClown says:

    My theory on circumventing this DRM:

    1 – record outgoing TCP message
    2 – record reply
    3 – setup a small little program that will catch that outgoing TCP message and replay reply.

    4 – …
    5 – Profit!

  26. Amstrad says:

    For a brief period in between the end of the Audiosurf beta and the actual retail release of the game, people who still had access to the beta client were obviously still interested in playing it. This was impossible however, as Audiosurf requires an internet connection so that it can communicate with the high scores server, which had been shut down after the beta period. So what did some smart folks do? It was rather obvious really: forward the IP address that Audiosurf was looking for to localhost and run a program locally to spoof the Audiosurf servers. I imagine a crafty hacker could do something similar in order to circumvent SecuROM’s phone home procedures.

  27. Shamus says:

    Vincent: I agree. I complained about those things back in the day, but I’d love it if we could go back to needing just a piece of paper or something to play our game. It would be far safer than registry hacks and online interrogation. :)

  28. Wolfwing says:

    Well, the main issue with these things is three things.

    1. Sometimes it can take a few installs to get a program to run; whether it’s a problem on your end, drivers needing updating or whatever, you can go through your 3 uses before you can get a game to run.

    2. As many have said, the problem with Steam and this is… what happens if the company goes bankrupt? You suddenly can’t play your game, one you may only have been playing 100% offline.

    3. All of these things screw over legitimate players who buy the games and reward pirates that are only inconvenienced by a week or two… I mean, let’s face it, Steam for all its problems had a workaround within 2-3 weeks of it being out for Half-Life 2. So what exactly did they accomplish? They hurt and pissed off their paying customers while not doing a thing to the pirates.

  29. Deoxy says:

    If it turns out that the 10 day activation thing can be bypassed by setting your clock to 1975…

    Actually, it would be better to set your clock far ahead (say, 2050) before you install the game, so that it wants to go check for an update sometime in 2050 and you can set your own clock back to TODAY and leave it alone.

    But yeah, that probably will work, which makes the whole thing rather funny.

  30. Blake says:

    Aaron Ardiri, a well-known Palm Developer, published a paper about the various methods he used to try and foil pirates.

    I wholeheartedly agree with his conclusion, which can be summed up by the following two quotes:

    Every war has a loser. The losers of the piracy war are not the developers or the piracy community – it's the most important person of all, the user.

    and

    Why are we doing all this? The answer is very simple – we shouldn't. […] Implement what is required to keep honest users honest – they are important, don't fight the battle.

  31. evilmrhenry says:

    Alright, sounds like they’re backing off on the 10 days reactivation thing. http://forums.penny-arcade.com/showthread.php?t=57566
    Still waiting for the 3 activations total thing to be removed before I bother.

  32. Jeff says:

    Phlux:
    They actually look at the hex, afaik. I recall when two groups were ‘fighting’, and they’d often post snippets of code, in a manner of “Look what they did. They just took out this line, that’s why it’s unstable. We actually just disabled the check here without removing the chunk of necessary code…”

    Adamantyr:
    What that says to me is “terribly unoptimized code that’ll slow your system to a crawl even though the game looks like crap”.

    Regarding verifying through servers, bypassing those has been done. For at least a half dozen years, if my memory serves. I recall one game whose crack was you download a mini-server that intercepts the outgoing validation signal and pings back a valid reply. The only difficulty is in getting the signals, but you’d be surprised how many of the enthusiast crackers actually buy their own copy before fiddling with the exes.

  33. Ravens_Cry says:

    What are your opinions on abandonware? I admit some things claimed by some sites to be abandonware just aren’t, mostly through the hue and cry of ye old timey adventure game lovers. One can, with effort, still legally acquire copies of the Monkey Island series, as well as King’s Quest and the other Quests. However there are games over a quarter of a century old that, while not up to today’s standards, are still playable if you are willing to take them on their own terms.

  34. Corylea says:

    Thank you for this information; I’ve just canceled my Amazon.com pre-order of Spore.

  35. Hasteric says:

    Meh. I was planning to buy this game. Might just have to download it so I’m on the cracker’s side, they’ll win anyways. Nice job EA, your protection is making illegal gaming more popular.

  36. Sgt Tris says:

    Well, the only thing I’m worried about is people guessing my code! Wait, did I say that right? IDK :?

    Anyway, what if someone found out how to put a virus on their creature? That would be bad. Another thing: how would my computer support all the new memory coming in every day? I mean, that would be crazy! Oh well, I hardly know what I’m talking about, I just want the game.

  37. Guthix says:

    This is insanity… I was actually considering buying the game because I wanted to go online… but I reformat once in a while and I plan on upgrading to a new comp eventually… this is ridiculous… great job EA, you gave me another reason to hate you…
    Do they even think? Do they not realize… if you do this people will actually be discouraged from buying your games… and just decide to pirate it because it’s safer…
    Because with a pirated game you don’t have to worry about anything… if it works the first time it’ll work tomorrow or in a week or in a year or ten…
    EA’s stupidity just keeps on amazing me more and more every year…

    I’m waiting till a successful hack exists to bypass the checks for going online… or a working keygen… because I’m not wasting my hard earned money just to be jipped because I like to reformat or upgrade…

    Oh, and thank you for letting me know this important information :)

  38. Sydney says:

    “They must know how quickly their games are cracked. This isn't ignorance, this is willful delusion.”

    Sounds like 1984. The Inner Party tries whole-heartedly to find an Ultimate Weapon, while simultaneously knowing it’s impossible.
