{"id":51888,"date":"2021-02-23T06:00:48","date_gmt":"2021-02-23T11:00:48","guid":{"rendered":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=51888"},"modified":"2021-02-22T21:04:26","modified_gmt":"2021-02-23T02:04:26","slug":"source-code-theft","status":"publish","type":"post","link":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=51888","title":{"rendered":"Source Code Theft"},"content":{"rendered":"

Heads up: This post is a bit more dashed-off than my usual columns. I actually think this would eventually make a good video for This Dumb Industry<\/a>, but I need to do a ton of research before I can commit my thoughts to the indelible format of a YouTube video. For right now, this is mostly me thinking out loud.<\/p>\n

Anyway…<\/p>\n

So the news is that someone hacked into CDPR’s server, downloaded the source code for several games<\/a>, then locked the files and held them for ransom. When CDPR refused to pay, the hackers “sold it on the Darkweb for 7 million<\/a>“. The hackers obtained the source for Witcher 3, Gwent, and Cyberpunk 2077. From here on I’m going to talk about the Witcher 3 source, but most of this is applicable to all of the games.<\/p>\n

My question is this:
\n<\/p>\n

What in the world are the buyers planning to do with the source?<\/b><\/p>\n

This Makes no Sense<\/h3>\n

I can't stress enough how important it is to wear a black hoodie when you're hacking a computer. Without the hoodie, people won't realize how crafty and dangerous you are.<\/div>
I can't stress enough how important it is to wear a black hoodie when you're hacking a computer. Without the hoodie, people won't realize how crafty and dangerous you are.<\/div><\/p>\n

Yes, it’s cool to have the Witcher 3 source, but 7 million is a LOT of money for something you fundamentally can’t use.<\/p>\n

Now, maybe you want to assume that the buyer is so fabulously rich that they’re willing to drop millions of dollars on something that can never yield a return and he’s just planning on printing out the source and putting in a little lightbox to look at once in a while. Like a lunatic. If that’s what you think happened, then fine. You don’t need to read the rest of this. We can all shrug our shoulders and marvel at the deeds of people with more money than brains.<\/p>\n

But let’s assume, for the sake of argument, that this buyer is a hopeful young criminal, looking to make some money with this. If that’s the case, then he’s probably looking to launch his own game studio. He bought this code, hoping to bootstrap his studio by buying the stolen source code rather than spending years developing his own game engine.<\/p>\n

Let’s call this outfit Top Sneaky<\/a> Studios. The CEO is Brandon Sneakman. To give him a break, let’s assume he’s going to use this appropriated engine to make (say) The Witchman Chronicles<\/i>Clearly this name is way too obvious. I chose the name because it’ll hopefully be easier for you to remember. Hopefully Brandon has the sense to come up with more original branding.<\/span>. That’s smarter than trying to make a space adventure or an open-world modern city game from an engine designed for medieval fantasy. I’ve worked on both cities and pastoral landscapes. Trust me, they’re VERY different! It’s no good paying millions for an engine if you’re going to have to re-write the dang thing.<\/p>\n

But even if he just wants to just make a Witcher clone, Brandon is still doomed. How doomed? Listen…<\/p>\n

1. You would get caught like, right away.<\/b><\/p>\n

Keep in mind that it’s incredibly common for AAA games to attract a modding community. People regularly datamine games to see how they work and how they were made.<\/p>\n

(Now maybe you want to argue that Top Sneaky Studios aren’t AIMING for AAA. Fine, but paying 7 million for an engine is a very non-indie move. Most indies don’t MAKE $7 million, so you’re in the hole before you even begin work.)<\/p>\n

In any case, while doing this datamining people will notice things:<\/p>\n

“Oh hey, check out these data structures. There is a limitless variety of ways to represent game concepts in memory. I’m talking about things like an NPC, a weapon, a quest, etc. And yet this game JUST HAPPENS to have the exact same memory layout as Witcher 3. The odds of that being an accident are approximately 1 in impossible.”<\/p>\n

“Check it out! This game runs its rendering pipeline in a background thread, then it has three general workhorse threads for streaming in content as the player moves around the world. Then a physics thread, a thread for pre-streaming cutscene dialog, and another thread for playing audio. That’s the exact same setup they used in Witcher 3Not really, I’m just making up an example.<\/span>. The odds of two different engines randomly having the exact same thread structure is miraculous.”<\/p>\n

Remember, the public knows that the code for Witcher 3 was stolen. A lot of curious people are going to be looking for it now.<\/p>\n

Sure, if the folks at Top Sneaky Studios know what they’re doing then they would be able to change this stuff to cover their tracks. Still, there’s a ton of ways to get caught. There are a lot of different ways to uniquely identify data structures, program flow, savegame data, game asset storage, thread behavior, and the overall structure of game objects. And I’m willing to bet that the ways I know about are vastly outnumbered by the ways I don’t know about. Better hope you don’t miss anything, because getting caught opens your entire enterprise up to both civil and criminal charges.<\/p>\n

2. The two games would have the same <\/b>dependencies<\/b><\/a>.<\/b><\/p>\n

We don’t need to engage in super-technical data mining to see what’s up. If you’ve got the game installed, then all you need to do is open up WitchermanChronicles\/bin\/x64\/ and look at the list of external DLLs. If you look in that directory you’ll see stuff like PhysXPhysics engine SDK.<\/span>, NVHairNvidia’s hair simulation SDK.<\/span>, APEX_ClothingI’ve never heard of this one, but obviously it’s a fabric solution for flowing capes and such.<\/span>. In fact, there are a total of 24 DLLs in your Witcher 3 install. If Top Sneaky doesn’t want to have the smoking gun of the same DLLs, then they need to either license something different or write their own. Either way, that’s a bunch of programming that needs to be done.<\/p>\n

I’m not sure how it works today, but back in the 90s you needed some sort of developer key to compile a library. I’m hazy on the detailsI THINK I remember your key was a simple file you kept with your source code, and inside of the text file was some huge 20-digits number.<\/span>, but you basically had to “sign” your particular install. From here you have four options:<\/p>\n

    \n
  1. Use the CDPR license keyThe key was certainly stored with the stolen code, so Brandon ought to have it.<\/span>, and thus announce to the world that this game is built on top of the stolen source.<\/li>\n
  2. Use a nonsense keyThis probably involves some DRM-removal, but I dunno. I’ve never tried it.<\/span>, thus making it really obvious that you don’t have the proper license for this particular SDK.<\/li>\n
  3. Roll your own replacement. This means giving your engineers time to familiarize themselves with this “new” engine. In a normal company, you’ve got old-timers to help guide the new coders through the code and answer “How do I do X?” type questions. But if you’re using a pilfered engine then everyone on the team needs to grope around blindly. Nobody knows how it works, and you can’t ask Google for answers because this sort of knowledge isn’t available to the public. I’m not saying it’s impossible, I’m just saying it’s really time-consuming.<\/li>\n
  4. You could obtain a fresh license for this stuff. However, that seems sort of unlikely to me. The sort of person who would purchase a bootleg game engine on the DARK WEBSeriously, the news media LOVES stories about the dark web. They don’t understand it, but it sounds exciting and illicit and it’s easy to get people to click on links about the DARK WEB.<\/span> is probably not the kind of person that will scrupulously adhere to licensing rules.<\/li>\n<\/ol>\n

    However it works these days, I doubt this system has become LESS restrictive since the 1990s.<\/p>\n

    And once you fix this problem, you still<\/b> have the issue that Witcherman Chronicles is going to have the exact same \/ very similar profile of external DLLs.<\/p>\n

    This obviously isn't REAL code. It's way too readable.<\/div>
    This obviously isn't REAL code. It's way too readable.<\/div><\/p>\n

    3. A game engine isn’t just the “game”, it’s also the internal tools.<\/b><\/p>\n

    So Brandon has a problem. He wants to hire a team of artists to make his game. However, he can’t just create a job listing that says, “Preferred: 2+ years experience with the CR Projekt RED toolset”It’s actually called the RED Engine.<\/span>. That would be a dead giveaway.<\/p>\n

    So he needs to find workers, but he can’t openly ask for the skills he needs. Worse, CRPR has shown off their tools in public videos like this one<\/a>. Sooner or later he’s going to hire someone that sits down to work on the first day and thinks, “Holy shit. This looks EXACTLY like the thing CDPR uses to make their cutscenes and dialog sequences!”<\/p>\n

    If Brandon is the kind of person to buy stolen source code, then he’s very interested in taking risky shortcuts. This means he’s probably<\/i> not the kind of leader that’s going to spend a lot of time worrying about morale and the well-being of his staff. Top Sneaky Studios is probably destined to be a place with forced crunch and low pay, thus increasing the proportion of disgruntled workers.<\/p>\n

    What are the odds that someone on the team will call the authorities, or send an email to Jason Schrier<\/a>, or just post the truth somewhere on Reddit? Actually, that’s the wrong way of looking at this. Instead we should ask: What are the odds that everyone keeps the secret FOREVER?<\/i> This is quickly turning into a conspiracy that requires perfect loyalty from a large group of people who do not personally benefit from the secret, but would benefit if they divulged it.<\/p>\n

    4. The Witcher 3 engine is friggin’ OLD.<\/b><\/p>\n

    If Brandon manages to get his studio off the ground this year, then he probably can’t hope to ship Witchman Chronicles before 2025. Witcher 3 came out in 2015.<\/p>\n

    Is Brandan planning to spend additional time and money doing a drastic overhaul to the rendering code, or is he planning to release a game in 2025 with graphics that are a decade out-of-date?<\/p>\n

    (Yes, the code for Cyberpunk is much newer, but it’s also incomplete and janky as hell. The programmers at CDPR might be able to patch the game up in half a year or so because they’re familiar with the code, but if you’re starting with a new team then that same work is going to take much, much longer.)<\/p>\n

    5. The Unreal Engine is WAY Cheaper!<\/b><\/p>\n

    You want to make a AAA game? You can use the latest, greatest Unreal Engine FOR FREE up front. You don’t need to pay anything until your game makes $1 million. After that, you just pay Epic 5% of any further sales.<\/p>\n

    The crossover point here is $141 million. By that point, you’ll have paid $7 million to Epic. Above that point, and using the stolen engine is cheaper. Below that point, and Unreal is cheaper.<\/p>\n

    So you can:<\/p>\n

      \n
    1. Use the cutting-edge modern engine that costs nothing up front and only costs money if you make money. There are tons of people familiar with this engine and finding them is easy.<\/li>\n<\/ol>\n

      OR…<\/p>\n

        \n
      1. Pay 7 million up front for access to an outdated engine that needs millions of additional dollars to bring it up to date and conceal its origins. People familiar with the engine aren’t as plentiful, and you can’t look for them directly. This option carries the added risk that if you miss something, then your crime will be exposed and your entire company could be ruined. Additionally, you need to maintain an iron-clad conspiracy. This entire plan makes no sense.<\/li>\n<\/ol>\n

        So What’s Going on Here?<\/h3>\n

        Wait, you can do this? Just write the word 'code' on a stickynote? Damn it. Turns out I've been doing things the hard way all my life.<\/div>
        Wait, you can do this? Just write the word 'code' on a stickynote? Damn it. Turns out I've been doing things the hard way all my life.<\/div><\/p>\n

        It’s conjecture time:<\/p>\n

          \n
        1. The hackers didn’t actually sell the engine to anyone. This was all done with sock puppets so they could claim they pulled off a $7 million heist. Because that sounds better than admitting in public that nobody wanted their stolen goods.<\/li>\n
        2. The hackers didn’t actually steal the source in the first place. Maybe they messed up at some point. They locked the files, but they didn’t successfully download the entire dataset before someone discovered the breach and locked them out. Think about it. They “sold” the engine to a buyer under the condition that the buyer would never<\/b> release the source. This allows them to claim they stole the data without ever furnishing proof.<\/li>\n
        3. Everyone in this story – CDPR, the hackers, and the buyers – is an idiot.<\/li>\n<\/ol>\n

          I don’t know what the truth is, but I’m extremely<\/b> reluctant to take the black-hat hackers at their word.<\/p>\n","protected":false},"excerpt":{"rendered":"

          Heads up: This post is a bit more dashed-off than my usual columns. I actually think this would eventually make a good video for This Dumb Industry, but I need to do a ton of research before I can commit my thoughts to the indelible format of a YouTube video. For right now, this is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[102],"tags":[],"class_list":["post-51888","post","type-post","status-publish","format-standard","hentry","category-weekly-column"],"_links":{"self":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/51888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=51888"}],"version-history":[{"count":6,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/51888\/revisions"}],"predecessor-version":[{"id":51894,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/51888\/revisions\/51894"}],"wp:attachment":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=51888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=51888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=51888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}