Friday, June 18, 2010

DRM: Product/CD Keys

I remember the first time I ever saw a CD key. It was on the original StarCraft. I remember wondering why you needed it. Oh, how young and naive I was back then.

CD keys or product keys were one of the very first methods of DRM used. They were quickly adopted by game companies and are still used today. They work by assigning a unique string of letters and/or numbers to each copy sold. At installation, this key is used to validate that the copy is legitimate.

At first, this validation process was just an algorithm. This algorithm checked a set of rules against the key. If it met all the rules then the copy was recognized as legit and installation would continue. If it failed this rule check, the copy was viewed as illegal and the installation would fail.

The problem with this approach is that it's very easy for pirates and hackers to discover this algorithm. Once it is discovered, it's a short step to write a program that spits out "legit" keys. This is called a key gen and, even today, you can still find them for many games.

With the spread of the internet a new method of authenticating keys came about. Instead of checking the key with an algorithm, the key is instead checked against a database online. This database holds every key ever created for a product. A lot of the time these keys still use an algorithm for their creation and still follow a set of rules. The difference is that legit keys not only have to pass this algorithm, but they also have to be in the database.
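The two-stage check described above, as an added example that is not from the original post. The 16-character key format, the check-character rule and the names `issue_key`, `passes_rules` and `KeyServer` are all constructed for illustration; the point is that a key which satisfies the rule but was never issued fails at the database stage.

```python
import hashlib
import string

ALPHABET = string.digits + string.ascii_uppercase  # assumed 36-symbol key alphabet

def normalize(key: str) -> str:
    """Drop dashes/whitespace and upper-case, so 'abcd-1234' equals 'ABCD1234'."""
    return "".join(ch for ch in key.upper() if ch not in "- \t")

def check_char(body: str) -> str:
    """Constructed rule: position-weighted sum of symbol values, mod 36."""
    total = sum((i + 1) * ALPHABET.index(ch) for i, ch in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]

def issue_key(body: str) -> str:
    """Vendor side: append the check character to a 15-symbol body."""
    body = normalize(body)
    if len(body) != 15 or any(ch not in ALPHABET for ch in body):
        raise ValueError("body must be 15 symbols from ALPHABET")
    return body + check_char(body)

def passes_rules(key: str) -> bool:
    """Stage 1, the offline check: length, alphabet and check character."""
    k = normalize(key)
    if len(k) != 16 or any(ch not in ALPHABET for ch in k):
        return False
    return check_char(k[:-1]) == k[-1]

def fingerprint(key: str) -> str:
    """The database stores SHA-256 digests rather than the keys themselves."""
    return hashlib.sha256(normalize(key).encode("ascii")).hexdigest()

class KeyServer:
    """Stage 2, the online check: the key must also be one that was issued."""
    def __init__(self, issued_keys):
        self._issued = {fingerprint(k) for k in issued_keys}

    def validate(self, key: str) -> str:
        if not passes_rules(key):
            return "malformed"    # fails the rule check
        if fingerprint(key) not in self._issued:
            return "not-issued"   # obeys the rules, but absent from the database
        return "valid"

if __name__ == "__main__":
    sold = issue_key("STARTERPACK0001")      # constructed sample key
    never_sold = issue_key("STARTERPACK0002")
    server = KeyServer([sold])
    for k in (sold, never_sold, sold[:-1] + "?"):
        print(k, passes_rules(k), server.validate(k))
```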

This database makes it harder for pirates and hackers to install their illegal copy, but not impossible. In a case like this, pirates usually avoid using keys altogether. Instead of supplying a key, they trick the program installer into believing it did the check or, better yet, remove the check altogether.

So, why are product keys still in use today? Well, they stop just anyone from stealing the game. Everyone can install a program, but not everyone can create a key gen.

Why are so many other DRM solutions shunned, yet product keys aren't even blinked at? It's because product keys are unobtrusive. The user generally deals with them only once, at installation time. After that point the user is never bugged again.

Lastly, why aren't product keys the be-all end-all for DRM? Because they're laughably hackable, nothing more than an annoying gnat. They're there to stop the everyday Joe and Jane from stealing the game, but will be quickly swatted aside by any hacker.

Friday, June 4, 2010


SecuROM is a class of DRM that runs disc-checks and does online activation. It is meant to tie a game to either one disc or a certain number of online activations. The disc check means you need to carry the disc with you wherever you play, but this isn't a big deal since we had been doing this for years before online retail.

The problem comes up with the online activation. The activation method basically gives you a number of tokens. When you install the game on a machine, the game activates itself and uses one of these tokens. When you run out of tokens you can no longer install a new copy of the game. Effectively, this locks you to a specified number of computers.

This seems like a fitting idea, until you realize that people upgrade and buy new computers. They even reinstall their operating system. In all of these cases, you have to use another token to activate your software again. In this way, you can see how people can legitimately run out of tokens and need more. You can also extrapolate that this will get some people mad.

This can be clearly seen with BioShock. BioShock, using SecuROM, came with a limit of five activations and, at first, there was no way to get your activation back. As expected, some people had trouble. And as one user tactfully put it, "2k has screwed us over. We are renting this game."

The developers of BioShock quickly came out with an Activation Revoke Tool to allow recovery of activations, but the damage had been done and the backlash continued. Six months later, the activation limit was completely removed. Even more telling, when BioShock 2 came out, activations had been removed and SecuROM was relegated to disc-checking only.

This is a popular trend: companies that once used SecuROM's activation are deciding to jump ship. Others have seen the hassle online activation has caused and decided to avoid it altogether.

But with all the problems that SecuROM causes, does it work? The answer is no, it does not. BioShock was cracked within days of its release. Spore, which has SecuROM, was the most pirated game of 2008. So, for all the hassle SecuROM causes customers, it in no way stops hackers from cracking the game. It even makes some people turn to pirating.