Allegro.cc - Online Community

Allegro.cc Forums » Programming Questions » Preventing art assets from being altered

This thread is locked; no one can reply to it. rss feed Print
Preventing art assets from being altered
Greyland818
Member #16,851
April 2018

What is a good method for preventing art assets from being altered on the client machine?

l j
Member #10,584
January 2009
avatar

First of all, ask yourself if it's needed.

Anyway allegro 5 has an addon for PhysicsFS integration. PhysicsFS makes it easy to read zip archives. Just a renamed .zip extension is probably enough to stop most people from tampering with files. If you're not using allegro 5 you can still use PhysicsFS on its own. The addon just bridges the allegro 5 file interface to PhysicsFS afaik.

Greyland818
Member #16,851
April 2018

How do PC game developers prevent their models from being modded and altered. Especially professional developers in the industry.

Chris Katko
Member #1,881
January 2002
avatar

How do PC game developers prevent their models from being modded and altered. Especially professional developers in the industry.

They use the law.

The only "easy" way is to design a non-standard package format. But you should just use an encrypted normal package format like zip. But either way, a determined person will eventually get your files out by getting the key from your program. It's like locks on a house. Locks stop "honest" people from breaking it. They don't stop determined thieves.

You want the easiest way, that's it. Use a zip/7zip, and add a password. Don't waste time on this. It's literally impossible to prevent a determined hacker from breaking files they already have access to. The only thing you can do is make it annoying enough for it to not be reward enough to crack, to bother with.

If you "need" files that users can't access, keep them on your server.

But just to prevent modding/altering? The chances of your game being notable enough for someone to care means you should already be spending tens of thousands on a professional artist.

AAA titles are not even worried about this. You'll see Half-Life 2 assets everywhere. The Witcher 3. Everything. If they bother to get your content, it's going to be fan art. And why would you attack your fans?

And if it's a company stealing your art? 1) 99% aren't going to because stealing is a bigger liability than benefit to their long-term profits and that's because you 2) Sue them.

So yeah, this really isn't a problem you should worry about. If it's a 2-D game, they can take a screenshot and you should be blessed if someone cares enough to screen record you game and provide free exposure to you on YouTube. If you really care, just zip and password with the password stored as a hash or some obfuscated way. But you're attacking a problem that doesn't need solved.

If you're AAA, you should care a 1000x more about hackers trying to WIN (cheat) in your game, than people loving your art. They also care 1000x more about people pirating their game by cracking the DRM. They don't spend time worrying about textures or models because if it shows up anywhere, it's their legal right to shut it down. The police are a far greater power than anything you can code.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

NiteHackr
Member #2,229
April 2002
avatar

In my Deluxe Pacman 2 game I use a ZIP file, renamed as a DAT file then I use Allegro 5's PhysFS file system to access it. If you take one of my data files and rename it with .ZIP or just tell 7ZIP to open it, you can open it and see it all.

As stated, the average person won't know this so that will be enough. For the rest, the determined will, so just be certain to state the legalities of doing so in your program.

If you really want to, you could write your own packaging system.

If you're AAA, you should care a 1000x more about hackers trying to WIN (cheat) in your game

I'm not AAA, but I did implement an anticheating system in my Deluxe Pacman 2 game. Not that it really needs it, but I wanted to just as an excesize when I found out someone had posted some hacking files to allow people to cheat in my game, so I decided to see if I could mess him up.

In my first attempts, the game would just shut down cold when a hack was detected. But that made it too obvious the game was detecting this and for them to counter it. So later I was more subtle. if a hack is detected in the game, it will increase the radius of the collision with ghosts, so you are more likely to collide with them. It gives you slightly less points on various things, it won't save your high scores when you shut the game down. Things that make the game harder with no high scores and it can take time to detect, so anyone whipping up a crack for the game, and testing it, won't notice the alterations on the first test and so will release their hack. It was fun, and I got a "hacker" very angry at me once he found out what I did. :)

Some of the things I did was I store the size of the data file and compare it when it is opened. I created some fake variables that do nothing, but are altered during gameplay so software that tries to discover what variables do what (so they can hack it) will show the fake ones as well. I store the amount of lives that the player had, and if they lose a life or gain a life, I compare the amount with the last number (if you had 1 life left and suddenly have 5, HACK), similar things with scores etc. Not needed for my game, but it was fun to see what I could do.

I remember reading years ago about a company that did this with their commercial game. When the hack was detected, their game would remove crucial elements which were needed to advance later in the game so you wouldn't detect it right away until you have played for a while. As a result, hackers released cracks for their game and it took a while before people realized they couldn't complete the game. The hackers were totally embarrassed because of this and it took them a while to figure it out. By the time they did, the company sold enough of the game. It didn't prevent the hacking, but it slowed them down enough so the company could make some money off of it. It was one of those genius ideas I thought.

You won't prevent determined people, but you can slow them down and I am against what some people will say "don't bother trying, it's a waste of time", bull. In my Deluxe Pacman 1 game, the data file is password protected, and the password is not stored directly in my game, but the game does some math to create the password, so it is really difficult to figure out, even by looking through my executable code, you won't see the password anywhere. Yes a determined person CAN do it, but it will take you a while, and that reduces the number of people that will even bother to try. :)

Chris Katko
Member #1,881
January 2002
avatar

Neil Roy said:

You won't prevent determined people, but you can slow them down and I am against what some people will say "don't bother trying, it's a waste of time", bull.

I never said that.

I said use what's most effective at reducing hackers, for the least waste of your time. Mostly your post said the same thing as mine. We're on the same page.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Greyland818
Member #16,851
April 2018

You guys bring up good points that are worth considering. Thanks.

Audric
Member #907
January 2001

If you use the zip-password system, you also have to ensure there is no trivial way to intercept your game's unzipping :
- Don't use a zip function from a DLL, because it is trivial to patch the DLL with a modified functions that logs the arguments it is given (filename, password)
- You have to strip debugging information from your program, because anyone could use a debugger to halt on function names that looks like a resource-loader, and see the password in the stack trace.

In my opinion, a much better protection would be to have double-checking code based on some characteristics of your resources (ex: number of vertices on your models, XOR-sum of their coordinates), and have the game subtly fail when they don't match expected values.

Aaron Bolyard
Member #7,537
July 2006
avatar

You could always sign the zip with a public/private key pair and then verify the sign before loading the archive. Someone would have to have you private key to sign the archive which, unless you give it out, isn't happening.

Of course, someone could modify your executable to skip that check, but that's how it goes.

Edgar Reynaldo
Member #8,592
May 2007
avatar

Mark Oates
Member #1,146
March 2001
avatar

What is a good method for preventing art assets from being altered on the client machine?

A lot of developers have taken the alternative approach. If you're clever enough to want to alter the assets, then feel free to tinker away.

I like this approach because if anything, it's another avenue to get people's eyes on your project, it encourages a community around your game, and it gives back to the open source community that built the tools you use!

Audric
Member #907
January 2001

The wording of the original post makes me think of cheating in multiplayer FPS.
Typical aimbot uses a modified player model where there is color-coded box for the head (think 'magic pink'), and then the aimbot can scan the screen buffer for this highly unusual color to locate an opponent, and lock on it.

NiteHackr
Member #2,229
April 2002
avatar

and it gives back to the open source community that built the tools you use!

There's giving back, and there's stealing copyrighted material. If you break into someone's home and take their belongings because they didn't lock the front door, they didn't give it to you, you stole it. Even if they used your tools to build the house.

Chris Katko
Member #1,881
January 2002
avatar

The point is not that it's "legal". The point is that it's easy.

The people who crack games do it professionally. Maybe not for money, but for "cred". They have experience you don't. They know where and how to crack your game with decades of combined experience. They know how windows function calls work, how assembly looks, and how CPU access works better than you ever will.

And You cannot control a clients machine. Period. Full stop.

If you encrypt the files, they will get the key. If the key is in an exe? They'll grab it. It the key is secretly on your super-secure home server and only sent when the game loads up? They'll find it. It's trivial for a hacker to run and view all the code that leads up to a file system access.

Now, this all usually only applies to cracking games copy-protection, and preventing hackers who cheat. But whatever you put "off limits", you've planted the seed and the "cred" for breaking into it.

You cannot stop a dedicated hacker and AAA studios don't even try. Instead, they only hope to delay a hacker long enough for the majority of game sales to occur (which happens in the first few months). Go to Game Developer magazine and read a hundred articles--they all say that.

So, my position is pretty straight forward:

- Either don't encrypt anything and don't worry about it. (china has a huge ripoff culture so maybe this won't work for you. But the chances of your game being ripped off over literally thousands of games released a year is still super rare.)

- Pick a simple encryption system with a key that's easy to access for you.

Because the time you spend on protecting files already on someone's computer, is time wasted... unless you really just "enjoy" it--but that's not productive time. Again, door locks only prevent casual thieves.

And worst of all, if you make your code obfuscated, if you add all these DRM layers, every single one is a new failure point (and harder to debug point) that may trigger on legit user's machines. And at that point, you're throwing away real $$$ by pissing off your consumer base.

There's a reason modern DRM has gotten so much simpler. (read: Steam) Because people realized that intrusive DRM doesn't really increase sales, and pisses off tons of normal users. From what I've read, most programmers hate DRM too and only include it when their publishers demand them do it for their contract.

Now you may say, "art assets != DRM" but it's still the same thing. You're still playing a game of cat-and-mouse to protect something that the user already has physically on their machine--which means they can run any off-line attacks as often as they want across as many machines as they want.

So the question is, are you trying to defend it out of a sense of "because it's mine!" or, out of a practical need? If it's the first, I'd say go with Mark Oates view and be honored that someone wants to see your artwork and play with it.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

NiteHackr
Member #2,229
April 2002
avatar

Protecting your assets does not equal DRM, not even close! So long as you can run the game without needing a connection or some sort of copy protection question, there is NO problem with protecting your assets and making it difficult for people to steal from you so that's a poor excuse.

My Deluxe Pacman 1's data file is password protected, yet it is completely free and has been downloaded literally millions of times. So that excuse doesn't hold water and doesn't equate to DRM in the slightest.

Chris Katko
Member #1,881
January 2002
avatar

You missed the point. It's not about morality. It's about practicality.

If someone wants your data, and they have it on their machine, there is no theoretical (read: academic) way to prevent it from being pwned from someone who actually wants it. The key is access, and data on their computer is giving them that key.

You ship the key WITH the assets. Your program has it.

DRM is digital rights management (duh). Controlling access. It doesn't matter whether it's "owners vs non-owners" or "you vs players". You're still trying to control access. So you don't have to imagine your some evil heartless corporation with DRM. I'm talking about the math. And the math is the same. The obfuscation is the same.

I'm not arguing any kind of moral or social point here. You have every right to THINK that your program is yours. But feeling some way has nothing to do with whether someone CAN pwn it.

The best bang-for-your-buck is a lock that keeps respectful people out of your house(/data). The second most, is the obscurity of being an indie developer that hasn't gone viral. But either way, planning on nobody being able to access your data because of some coding "trick" you did, is silly.

Don't want people to crack your data? Never give them that data to begin with. Keep it on your server. That's the only real copy-protection and you'll find dozens upon dozens of experts who will break it down detail-by-detail, online. I'm not pulling these ideas out of my butt.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

NiteHackr
Member #2,229
April 2002
avatar

I'm not blocking access to my data though, play the game and you can see it all. I'm just preventing you from stealing my assets and using it in your own projects without my permission. Whether or not I block access to the data outside of the game doesn't matter as it doesn't prevent the game from being played.

My Deluxe Pacman 2 game has no protection aside from a renamed ZIP file. And I had someone take the assets out etc... the only reason it is not blocked is because there is no way to password protect it with Allegro.

IF I create something in the future I will use another method to create a protected file, or perhaps even create my own package system.

IF I keep all data on a server, THAT is DRM and that will drive more people away from playing your game than simply encrypting your data. Nobody will care or even know it is encrypted except unscrupulous people who wish to steal it and use it outside of your game.

Anyhow, call it silly or whatever, but since 2000 when I made DP1, I have had no incidents of the assets being removed and used outside of the intended game, and it has literally millions of downloads (I am not exaggerating, the last time I checked I think it was well over 2 million for just one website alone).

My coding trick worked. The password is not visible in the executable, and the data is secure and the extra coding was no problem.

I don't give a shit what you say, it is MY game, MY assets I worked on and I wish it to be protected from unauthorized usage. Period. And yes, I do have a right to think that my program is mine, BECAUSE IT IS MINE! And so far my "silly trick" has prevented access to it. But hey, feel free to download it and try and open it up and use it. Let me know how you do.

Anyhow, the original poster wanted solutions on protecting his assets, either provide a viable solution, or go elsewhere.

Michael Weiss
Member #223
April 2000

Sorry Neil,

I totally agree with Chris.

I think the reason your data was not removed and used outside the game is because no one wanted to or cared enough to try, not because of your easily by-passable 'security'.

No one is saying its not YOUR game, YOUR assets, etc. I'm sure we all feel the same way about things that we create.

Chris gave some very spot on commentary on why most methods of trying to prevent this are trivially by-passable, and not worth spending too much time on.

Not because YOUR data is not worth protecting. More because your protection scheme gives you a false sense of security.

You claim that your coding trick worked, I claim no one cared enough to try.

Edgar Reynaldo
Member #8,592
May 2007
avatar

I find this all a little funny. Unless you hired someone to create the art or you did it yourself, then this is all a giant rip off. I mean, cmon its Pacman, why are you worried about someone stealing PacMan? I understand it would piss me off if someone was selling my shit but just viewing the assets and modding if you're bored? It's not even AAA. Most crackers aren't even remotely interested in your game, but if they were they would crack it like an egg.

People use disassemblers and read game memory and can basically get at anything they want. My dad used to use memory hacks all the time, and cheated on his stats and maxed them all out. To them, it's just a game (cracking), and they're trying to have fun. I really wouldn't worry about it. Life is short, stop stressing over silly things you can't control.

NiteHackr
Member #2,229
April 2002
avatar

The point of all this is, the original poster wanted to know ways to protect his assets, no matter what they are. Quick fucking arguing against it for 5 seconds and try actually giving advice which answers his question or piss off! You people are so annoying in here.

It's no wonder other people label the Allegro forums as "toxic", you can't even give useful answers to simple questions without attacking someone!

I'll continue to protect my assets whether you think it is worthwhile or not! They're mine to protect. Part of the reason I protected against hacking was so that when you get several people playing the same game and you have a high score list, that one person can't cheat and get a higher score than the other, so that the game is fair for everyone.

I really don't give a rats ass about whether you like what I do or not, some of us want to protect our games from hacking, and that is what we will continue to do.

Chris Katko
Member #1,881
January 2002
avatar

Neil Roy said:

It's no wonder other people label the Allegro forums as "toxic", you can't even give useful answers to simple questions without attacking someone!

Calm down, Neil! You're welcome to disagree. I don't see why you take it so personally when people don't agree with you.

Whatever you choose for your DRM, it's your decision to make, and more power to you. But I'm still going to list every applicable fact to a discussion, and then you can make whatever decision you want.

Quote:

They're mine to protect.

So protect them. But, I could probably spend a single weekend and rip them even if they're in a password'ed zip. Hell, I could simply screen capture and bypass literally every bit of DRM there is.

I did exactly that with a game here (though I manually stitched it. There are automatic stiching tools available):

{"name":"kvXvlrj.jpg","src":"\/\/djungxnpq2nug.cloudfront.net\/image\/cache\/0\/8\/084d051edf113f717e84d11c33f624de.jpg","w":6700,"h":3824,"tn":"\/\/djungxnpq2nug.cloudfront.net\/image\/cache\/0\/8\/084d051edf113f717e84d11c33f624de"}kvXvlrj.jpg

But one or two of them kept giving them crappy results like this:

{"name":"1450TM3.jpg","src":"\/\/djungxnpq2nug.cloudfront.net\/image\/cache\/c\/f\/cf3be2d8059f68c472b04cf73d116b2b.jpg","w":2048,"h":1553,"tn":"\/\/djungxnpq2nug.cloudfront.net\/image\/cache\/c\/f\/cf3be2d8059f68c472b04cf73d116b2b"}1450TM3.jpg

So I just manually stitched the maps back when I was unemployed and had free time.

But back on point: Highscores SHOULD be protected! But that's more applicable than art assets. A game can be ruined if the community cheats. PUBG (#1 Steam game) almost lost everything when it became swamped with hackers. You have to maintain the integrity of the "simulation". But art assets? It's just files. They're not the game. The GAME is the game! Protect that. Art assets are just a bunch of sprites in a PNG file.

But yeah, all these are just my viewpoint. It's obviously up to you to make your decision based on the facts. I'm just listing mine.

[edit]

OH, and I forgot. Here's an entire community dedicated to ripping sprites.

http://spritedatabase.net/

[edit]

Quote:

try actually giving advice which answers his question or piss off! Y

We're trying to protect his time by telling him something that can't be done. ::)

"Hey guys, I want to shoot up Heroin."
"Don't. You'll die."
Neil: "Omg, guys, just tell him where to get some heroin." :P

As if the gratuitous amount of emoticons isn't obvious. I'm speaking in jest.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Oscar Giner
Member #2,207
April 2002
avatar

There are easily available programs that retrieve texture data from the GPU, so protecting the data files is completely useless. There's software that can even do a "3D screen capture", basically capturing the entire 3D scene (models, textures and shaders).

Texmod for example, was an old utility (it only works for DX9, and I think DX8 too) to first extract textures from a game (you put a dll in the same folder as the game exe and it saves to disk all textures the game generates/loads), and then use it to inject your own textures (it doesn't modify game data files, the dll detects when a game loads a specific texture (identified by its hash value) and injects the desired modified texture directly in memory).

Sorry to disappointing some people, but if your images haven't been ripped from your game is because no one was interested in them :P

Chris Katko
Member #1,881
January 2002
avatar

Could you replace in-game textures with larger ones and still have it function? Or would they just draw the original stored coordinates?

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

Oscar Giner
Member #2,207
April 2002
avatar

u,v texture coordinates are AFAIK (0..1) values, so changing texture resolution should work. But I never used TexMod to create mods myself, only used a few already made ones from other people.

bamccaig
Member #7,536
July 2006
avatar

Basically Chris and Oscar have hit the major nails on the head. You cannot do this, and in general it will only cost you time (and therefore money) and potentially customers to try. A "high score" is always meaningless. Take it with a grain of salt.

How do you verify that it's real?

  • You saw a screenshot?

    • A digital artist can make any image they want. They don't need your game to do it. Hell, talented artists can photoshop images of actual real life that appear real, but are complete fabrications (basically all advertising these days).

  • Registered in some Internet server?

    • How does the server validate the player's game?

    • No matter what you do, it can always be beaten.

Hacks are a serious problem for gamers. As Chris mentioned, they're rampant (last I checked) in PUBG. They're also rampant in CSGO. Every night I play I am reporting several suspicious characters. The "overwatch" crowd that may possibly review them is not large enough to get them all, and it's only ~$20 for another account/license to just start doing it again (cheaper when there's sales, and so there are businesses that exist that purchase "gift" licenses when sales are on to resell to hackers later).

At best, you can hope to develop smart enough software to detect the hacks, and respond in kind. But typically, there's not enough profit in doing that. Which is very unfortunate for the legitimate players that are getting screwed.

When it comes to proving legitimate, god-like skill, the only way is with a set of judges/controls to observe, and a computer is isolated/quarantined/guarded to prevent hacks. Despite measures to prevent it, there have been professional (i.e., paid to play) CSGO gamers that have used hacks during competitions (which have many eyes watching them and computers that are supposed to be somewhat out of their control). At the end of the day, people will find a way if the "prize" is valuable enough for them. As stated, if your game hasn't been hacked it's not because it's immune even in the slightest, but simply because nobody with the necessary skills cared to try.

There are communities full of people that crack software for fun. The more work you do to try to stop them the more fun it is for them to crack it. Often AAA DRM is cracked zero-day. Lots of $$$$ spent, zero gain. That's the point that people are trying to get across.

If you want to protect your "content"/rights/etc. there are already laws that protect them. Your art is your art. It's called copyright. If somebody blatantly rips it off you can sue them. As with all things legal, it requires you to take a risk. Pay some money, and hope that it pays off. That said, there are many legal ways to use your art as well, and you cannot do anything to prevent it. If people want to use it, they can and they will. Nothing you do will stop them. Don't waste your time.

Leaving your game open can actually improve the player experience. For example, I recall nearly 2 decades ago now, you could add vehicles to GTA3 on PC and modify all vehicle properties by simply editing text files (well, and obviously installing the necessary art assets). This was immensely fun to experiment with. It didn't hurt anybody. You could make certain types of cars extremely heavy so when they physically collided with stuff it sent it flying and barely impacted the vehicle. That's just an example. You could also make the vehicle super light so it would fly far when you took jumps.

Online games certainly need to be somewhat policed, but in my experience software never works to prevent hackers. As a Counter-Strike player for more than 10 years, I can attest to that. Hackers are running rampant. The software cannot detect them. You require humans to detect them. If your game is of the nature where hackers will harm other players then your best bet is to develop "admin" features into the server software, and allow the server software to be hosted by anyone. This way, private servers can exist, where a team of volunteers (or employees, if the server is sufficiently funded) can police the system.

In CS: Source, by the time I started playing at least "community servers" was all there was. Maybe that's all there ever was. The server was basically operated by "Joe Anybody". It was his responsibility to catch and remove hackers. The software supported bans in a rudimentary, but reasonably effective way. It just required human beings to basically review suspicious players and ban them. So the operator would effectively recruit volunteers that were trustworthy to spend time playing on the server and punishing guilty players. They also made themselves available through networking to be called upon by other players when a cheater was found. It worked extremely well on well managed servers, and didn't work at all on poorly managed servers. It depended on the popularity and size of the volunteer list of trusted admins. Often hackers would get banned before you even realized they were hacking. Or sometimes you might lose 5 minutes trying to call one up. Beat the Hell out of the situation in CSGO and PUBG today on public servers where the hackers basically just get away with it for months at a time.

Go to: