Thinking about: DRM wrapper for releases

[GMMan]

Just a novel idea I had this afternoon: what if programs uploaded to Xentax are encased in a DRM wrapper at the discretion of the developer?

As you know, people tend to like to leech on the programs developed here. I'm actually fine with people redistributing my files, however I am not fine with the lack of attribution, back to the original link where they obtained it from. It basically encourages others to profit off of programs that people here had taken a tremendous amount of time developing, without so much as attempting to understand the theory behind the program and where the program actually came from.

I propose that programs be given a period of time where it's available exclusively to Xentax members, and enforced until a month or two after someone off-site complains. Yeah, I'm a bit of a sadist, but I just want to see the reaction.

This would be enforced by the program, requiring logging in to the forums through the wrapper around the program, which upon successful login, will download a forum attachment specific to the program (hence the need to log in) and use the information in it to decrypt the program. For .NET programs, this would be really easy to do (after writing the wrapper, that is), and the original executables won't even need to be extracted. It's completely doable too, since there's a builtin web browser control in .NET Framework that I can use to get the session cookies, and the rest of the encryption stuff is also built in.

I'm crazy, right?

[Darkstar]

I actually think that open-sourcing everything (e.g. on github) would be better. It's really annoying to find a binary-only extractor in an age-old thread which doesn't work for a newer revision of the data file it's supposed to extract, and you have no way of updating or fixing it. Also, what would you do if you want to run a program but the forum is currently down? Or your internet is having trouble? And what's stopping people to take the downloaded "key" (or the decrypted binary itself) and post that somewhere else?

Thus I propose the opposite: Every program posted here must be accompanied by its source code (maybe a few weeks/months later, as you suggest, as a "grace period"). That way the work done here will at least be future-proof and not lost when the original author leaves the board

[GMMan]

True, true. My intention is to give Xentax a period of exclusivity. I release source code for all my programs, and under the DRM system, once the grace period elapses, I'd update the downloads to contain a non-wrapped version with source code. As for stopping people from unwrapping, there'll be signature checks on the whole EXE to prevent modification, and the compiled wrapper will be run through an obfuscator. I doubt the people who rehost the files will bother to figure it out, and if anyone does, I won't mind (modding communities always need good reverse engineers).

[Darkstar]

Seems hardly worth the trouble. All unpackers etc. I write/wrote are so small I don't even bother writing a GUI for them (people who can't use the command line shouldn't be allowed to call themselves "hacker" or "modder", let alone "reverse engineer"). So I definitely wouldn't bother pulling up a wrapper. Especially since command line tools are often called from batch files, and maybe even looping over 100s of files, and I don't want a user type a login every frickin time.

I think that a well-placed "coded by XXX" or "this is brought to you by XXX" printed by your program (maybe in a splash screen if needed) is attribution enough. People who edit the EXE to overwrite that will probably go to great lengths to rip out your DRM as well (and you could still use any stock EXE packer/encrypter to make it harder for them). And if they need their name in it for their ego then I don't really care, it's not as if nobody will ever find out that they can't code shit themselves if they pass it around as theirs

Again, I ask you: What happens when after 2 years this forum is updated, all the URLs change, and now every single program doesn't work anymore? And probably the original developers have left as well. Someone else has to start back from square 1 (happened to me more than once already)

[GMMan]

Again, I ask you: What happens when after 2 years this forum is updated, all the URLs change, and now every single program doesn't work anymore? And probably the original developers have left as well. Someone else has to start back from square 1 (happened to me more than once already)

The non-wrapped version will be uploaded before then. I only intend it to be an experiment, not anything long term (actually, just to piss off a few guys at another forum full of noobs who just want tools).

[Darkstar]

The non-wrapped version will be uploaded before then. I only intend it to be an experiment, not anything long term (actually, just to piss off a few guys at another forum full of noobs who just want tools).

Ah, so you want to use Xentax as a way of getting your personal revenge; or maybe for proving to someone that you're "better" than them? Well, nobody is keeping you from coding your own tools in such a way (e.g. limited runtime or feature set without proper unlock-code which can be gotten from you via PM here, for example) but I think pulling the community in your personal vendetta against other forums is not the way to go.

Instead, why not provide source code ONLY so that they at least have to compile it themselves? Maybe lock the unpacker to only a subset of the files (via fixed offsets or something which work only for some files and not for others) and then tell them (abstractly) how to code around that?That would be much more educating in the long term...

[GMMan]

An observation I've made: isn't MultiEx Commander using a similar system, sans encryption, by withholding program data without valid login?

[Bastien]

IMO using DRM in a reversing site is kinda ironic.
If leechers don't give credit or reference the original source, that's bad for them/their forum, since many tools are updated on a regular basis, and they can't give feedback/report bugs. A google search would be enough to bring the interested people here if the tool name is distinctive enough or have an "about" with info and author name, right?
Scripts on the other hand can be easily modified, but what they would do that?


I agree with darkstar in making xentax more open too, so also people could learn, and maybe some exclusivity for people who contribute with actual research and tools (1% maybe?), but that might be offtopic.

[MrAdults]

No one would adhere to it, getting developer cooperation in this kind of environment is worse than herding cats. It also overlooks the real problem. The real problem being that people are pieces of shit.

When I see someone abusing Noesis or posting ripped model batches for their own idiot manchild life-wasted glory, I yell at them. But the simple fact of the matter is, I don't witness 99% of it firsthand, and people have 0 respect when it comes to respecting me for the thing I've spent hundreds of hours making and subsequently given away for free. Over the years of Noesis work, I've gotten $0 from any kind of attached publicity or ad revenue others have made on it, and maybe $300 or so total in random donations, from a total of 3 different people that have continued donating small sums over time just to show their appreciation, and their sentiment means more to me than the money.

That's 3 out of, oh, probably around 10,000 or so total users. If the volume of unique crash reports that I get from old versions of Noesis alone is any indication, thousands more are passing it around in unofficial channels and idiotically submitting crashes that I fixed months ago. People are fucking dicks. But I digress.

Practically speaking, I don't think a forum-based DRM is a good solution, and it just leaves a bad taste in my mouth.

[Mr.Mouse]

An observation I've made: isn't MultiEx Commander using a similar system, sans encryption, by withholding program data without valid login?

Interesting observation, how did you make it ?

As for the topic, I agree that it goes against the vision to DRMify tools posted. And it is development hell to get any system to work properly integrated. I'm not going to spend any time on that, and I'm sure no other at XeNTaX would.

MrAdults raises a good point, people are being cowardly dogs by pretending to be cool, while all they do is rip other people's work without properly giving credit where credit is due. That is the real issue, but one that is not easily handled, as humanity has shown time and again to produce an overwhelming stream of bastards on a hourly basis.

I do see the point that it is very annoying if you miss the source code when a binary is no longer available, but it really is at the discretion of the developer to release it or not. So whenever you see a tool posted, and would like to have the souce code, you can always ask the developer. Perhaps he or she agrees.

So, XeNTaX is already very OPEN, and we are not going to make it obligatory to release source code, though we may give people a hard time when to come in here to boast about their skills to work with a certain game but refuse to share their information on how they did it. Sharing is key, as long as other people can then at least build their own tools.

[Mr.Mouse]

To add another note: blog/

That is the blog where forum members can post their (or other) tools of interest. I created that blog to store the tools in one place, not to be lost.

[MrAdults]

When I first started contributing compression/format/etc. specs, I came in with the mentality of "What's wrong with you people? Why doesn't anyone share their findings instead of just throwing up a binary?" So I went out of my way to write spec docs, put full source up for all of my reversed formats, and so on. Then I saw people using my work and not throwing so much as a "hey thanks" in my direction, and the whole strange and screwed up secretive nature of the community made a lot more sense. People don't release their code because the ego isn't fed when someone else takes the code and does something with it without proper attribution, and the person that steals the code thanklessly doesn't get their ego stroked as much if they correctly attribute and acknowledge that someone else did 99% of the work. It's an issue of ego on both sides, with the weak taking from the strong, leading to a basic hostility in what would otherwise be a flourishing community.

My policy these days is, if I have a reason to respect you, I'll give you code, specs, and help and expect nothing in return. If I don't have a reason to respect you, it's probably because you haven't done anything to impress me in the context of this community, which means you're probably the type to take a lot and give little to nothing back, therefore you deserve nothing from me. It's a haphazard system, but it works. Unfortunately, it's still a closed system in its nature, but people have shown that they just can't play nicely in an open environment.

The up side to all of this in terms of preservation of data/knowledge is, we're making all these tools for x86. (or at least x64) Someone with some decent knowledge and experience can reverse-engineer our work if they want, a lot more easily than having to do it in the native environment and code for whatever game/app/etc. it is that they're interested in, without worrying that the hardware is gone forever or was never properly documented itself due to some commercial entity keeping a tight hold on the information. x86 isn't going anywhere, and it will be a debuggable architecture for the common man for longer than C is likely to be a common language. So in this way, there's no danger of our work being lost to time, as long as the work is significant enough for someone to want it enough to do a little bit of disassembly down the line. And if someone is willing to go at least that far, they probably know what it is to work hard to make something, and aren't the kind of thoughtless wankbags that would just steal source code and compile it as something slightly changed to stroke their egos. So it kind of naturally filters the benefactors of the work down to the people that actually deserve it.

[Darkstar]

...Someone with some decent knowledge and experience can reverse-engineer our work if they want, a lot more easily than having to do it in the native environment and code for whatever game/app/etc. it is that they're interested in, without worrying that the hardware is gone forever or was never properly documented itself due to some commercial entity keeping a tight hold on the information.

Heh, this is the most backward argument in the whole thread. Reversing a program that someone else wrote to reverse a file format? Yeah, because with every layer you put on top the reversing gets easier and easier, right? Normally this is not about running an old binary on some other system (Linux or ARM or whatever), but rather to extend it because some slightly new/different file format made some subtle changes that make the tool crash/not work. While you are theoretically right that you can still fix that in a binary, it is infinitely more complex than having a file format description in the first place and fixing just that...

Also, the whole notion of other people grabbing source code from somewhere and passing it off as their own is not really new. If everyone thought like you we wouldn't have any Open Source software today. Licenses exist for a reason. If you put it under a (L)GPL license (or any other open source license), people will STILL steal your code but now you have legal grounds to go against them if you want. Open Source relies on trust, for 100 users who obey and respect your choice of license, there's maybe 5 or 10 who don't. Or maybe even 20, I don't know. Still you "punish" all 100 of them just to get those 20. That's the same as with DRM, you punish the many "good guys" with crippleware while the few "bad guys" just crack your program and be done with it.

It took the game industry many many years to realize that (see gog.com, desura, humblebundle, etc.), I thought that at least the reverse engineering community would understand that as well by now.

So in your case of noesis, if you want/need revenue from it, why not make it (feature-limited) Shareware? Or keep it free but sell the source code for 2 bucks? I for one would gladly pay for the specs to so many 3D formats (even if my own 3D experience is still rather small), and even though I couldn't use it directly in any of my programs (because I tend to give away the source for free) I could still create clean-room documentation from it (and that would be a bliss because so many of the formats noesis supports are still not documented at all...) and preserve at least that...

[MrAdults]

It's not an argument. It's a simple statement. The code and data is there in a way that guarantees preservation, and allows extension if someone perseveres enough to bother. How easy/complex it is has no relevance to the statement, although I do think saying it's "infinitely more complex" is silly and subjective.

I wouldn't be arrogant enough to try to put the license of my choice on code that's derived from disassembled binary. That's in itself ridiculous and just asking for legal problems of your own. It's all about pettiness and ego, and how we deal with it outside of typical open source constructs. That's the whole reason this community and reverse engineering is different and has to exist under different rules. An actual GPL zealot wouldn't consider touching RE'd code with a 10 foot pole.

Selling Noesis is a ridiculous notion for he same reasons, I never implied money was the goal either. Terrible inference.

[cra0]

Neat idea but I don't see it working