Pk3 archives protected by password in FTEQW

[toneddu2000]

Hy guys, I asked a modeler to do some models for my game but he said "I don't feel confortable to know that everyone that buys your game can unzip data archives and see/use my models". Which, of course, seen from a external freelance modeler point of view is not so unreasonable. So, I''m asking you engine gurus, there's a way to tell the engine (I use FTEQW) to search for a password (at least for a specific .pk3 file) before open a .pk3 archive?

Please guys help me!

EDIT: An hardcoded solution (search for password 'foobar' in protected.pk3) would be still great! Thanks!

[Spirit]

Sorry, but that is an idiotic viewpoint of him. You can pretty extract everything from every game ever, often easily. How on earth does he want things to be instead?

What prevents someone to simply check what password your engine uses?

[Jay Dolan]

Yea, because your engine is open source (it is, right?), this would simply never work. The artist needs to get over his fears (and himself, from the sound of it). Despite his paranoia, "hackers" aren't waiting eagerly to leak or repurpose models from free Quake mods. Either he wants to help you out, or he doesn't. He ain't gettin' rich either way

Edit: Wait a minute, you're selling your Quake-based game? Do you have a commercial license for idTech, or are you selling an open source game?

[toneddu2000]

Sorry, but that is an idiotic viewpoint of him. You can pretty extract everything from every game ever, often easily. How on earth does he want things to be instead?

Please guys, let's try to not psycho-analyze people, I don't know why he wants that, but the only thing I know is that he'll not make his models available to me if I didn't find a solution, so I'm pretty forced to do it!

What prevents someone to simply check what password your engine uses?

Well, I'd do something like this:
1) create the password hardcoded in fteqw - password 'foobar' for example
2) release binary with 'foobar' password and source code with 'xxxx' password

So, only people that would like to recompile source code should be able (after a little of trouble) to get rid of the protected code lines. The others (which are at least the 65% / 70% of the gamers) would only be able to launch the binary protected version and a 65/70% of gamers which cannot be able to open the protected pk3 would be imo a great relief for the artist!

Either he wants to help you out, or he doesn't. He ain't gettin' rich either way

None of them, he lives selling 3d models, like a IKEA lives selling fornitures

Edit: Wait a minute, you're selling your Quake-based game? Do you have a commercial license for idTech, or are you selling an open source game?

Engine is open source and it will remain as it. Game source code is written from scratch but it will be "closed" only for a little time, I'll release as CC0 license in some months after game ships. Game assets will be closed source but I don't have any problems if people see "what'inside". I'll release some models as CC0 to help people to find out how to create a game with FTEQW

[Spirit]

I didn't mean to insult him, just the thought. And I am honestly interested how he thinks it should be "protected". Has he sold models previously? How was it handled there.

It will be trivial for someone experienced (with reverse engineering or peaking at binaries) to get the model out in any case. It just takes one to publish it then.

You can't technically limit this. Instead, the model is protected by copyright and that should really be enough in my opinion.

[Spike]

firstly, remember that its a pk3. yes its a zip, but your average user will not necessarily know that and won't try opening it (and windows won't guess based upon anything but the extension).

you could just use a pak instead, which do require more specialist tools to read+write properly.

if you're really desperate, you can use/make a filesystem plugin, an example is the mpq filesystem plugin (spirit may remember the diablo2 thing). again, people will be able to decode that if they know what it is and they can find appropriate tools.
if you made a similar plugin that 'contains' a single pk3, you could can hardcode pretty much all the logic to act as a passthrough to decrypt the embedded data, and depend upon fte's nested package support in order to load it using its built-in pk3 loading. of course, filesystem plugins depend upon engine headers, so you can't really get away from the gpl.
and even if you could, a user could just configure a server to allow its contents to be downloaded, or could write some qc to read the files and write them out to a new name that isn't inside a package (or do it in the engine).

it might be interesting to store per-file passwords as some postfix on the filename or something, and have the gamecode specify the passwords that way. you'd need some sort of algorithm to generate the (per-file) passwords to avoid the strings being seen in plain text (at least stored in the string table away from the mdl names), and there's always a problem with people decompiling mods.
however, there's some file types that would be hard to provide passwords for in this way, stuff like textures and shader files.


lots of options, and none of them with any real protection.
which I guess is why you'd be happy with a hardcoded password.


tl:dr:
fte doesn't support any encryption in pk3s.
there's a plugin for mpq (which does still support compression+obfuscation) if you can find tools to write them.
whatever you do, someone can hack the engine to write the file out to disk after any decryption.

[frag.machine]

Hy guys, I asked a modeler to do some models for my game but he said "I don't feel confortable to know that everyone that buys your game can unzip data archives and see/use my models". Which, of course, seen from a external freelance modeler point of view is not so unreasonable. So, I''m asking you engine gurus, there's a way to tell the engine (I use FTEQW) to search for a password (at least for a specific .pk3 file) before open a .pk3 archive?

Please guys help me!

EDIT: An hardcoded solution (search for password 'foobar' in protected.pk3) would be still great! Thanks!

As Spike already told you, pk3 == zip. There are *tons* of tools on the internet to simply brute force crack password protected .zip files, so, no real protection.
Also, you better find another less pretentious/neurotic artist. Because don't matter what you do, people WILL break any "protection" you use and he will blame you in the end.

[Baker]

FTE doesn't support that in the code, so one possibiility rather that going to all that trouble is to skip all of that and overwrite some of the bytes in the zip file to cause it to be invalid.

Store the bytes in a string in the engine source code (const char[] zipbytes = "zAtZkLL40 ..."). Write those bytes to the .pk3 on engine startup causing it to be valid. To be more thorough, you would do it memory and never touch the disk file.

Newbie dudes would not be able to access the file (how can you open an invalid file missing directory header?)

It would be a quick and dirty solution. And I wouldn't recommend it. But if your only problem is someone feeling secure, it would solve your problem.

A more legitimate way would be to store the model in the executable, thus it is never available as an individual file. On Windows you could add the file to resources (.rc section). Someone very determined or knowledgeable would be able to find tools to extract out of the executable, but a casual person wouldn't likely know the right words to even begin that journey in a search engine.

[toneddu2000]

Thanks guys for all of your replies! Much appreciated! I tried to post yesterday night but forums site always replied with a "connection time timeout" error

you better find another less pretentious/neurotic artist. Because don't matter what you do, people WILL break any "protection" you use and he will blame you in the end.

That would be an idea! But it's extremely difficult to find someone talented and cheap when you're starting your super indie project with all of your savings and nothing else! :roll:

you could just use a pak instead, which do require more specialist tools to read+write properly.

But, there's any difference between PAK and PK3? Can I put inside same contents right? Or there are some file-type restrictions/limitations?

if you're really desperate, you can use/make a filesystem plugin, an example is the mpq filesystem plugin

That could be a solution, but a very complicated one!

so you can't really get away from the gpl

No, but that's not my intent

You can't technically limit this. Instead, the model is protected by copyright and that should really be enough in my opinion.

Completely agree, but, what should I do?

Anyway, hardcoded solution seems to me the most practicable one.

one possibiility rather that going to all that trouble is to skip all of that and overwrite some of the bytes in the zip file to cause it to be invalid.

Yeah, that could be a solution too, thanks!

[Baker]

I tried to post yesterday night but forums site always replied with a "connection time timeout" error

Sounds like "dog ate my homework".

[toneddu2000]

Sounds like "dog ate my homework".

I swear teacher, my homework was there a minute ago!
No seriously, anyone experienced a tremendous latency last night (from about 11:00 greenwich time). Yesterday, instead, in the morning, forums.inside3d was a blank page.
No one else?

[revelator]

Still problems atleast on my end, the reply page takes several minutes to load and i have a 100/100 mb connection also the entire site takes ages to load.

[frag.machine]

Sounds like "dog ate my homework".

I swear teacher, my homework was there a minute ago!
No seriously, anyone experienced a tremendous latency last night (from about 11:00 greenwich time). Yesterday, instead, in the morning, forums.inside3d was a blank page.
No one else?

Same here. At first I thought it was my connection, but all other sites I use to visit were loading normally. Tried to access from work and confirmed the problem was in the site. Either there's something b0rked at the server side, or I3D is under some kind of DoS attack (still a bit sluggish right now, but at least is working).

[toneddu2000]

last night I spent 20 minutes to post a message then I gave up. Browser never accomplished to reload an entire page

or I3D is under some kind of DoS attack

Probably. I thought same thing

[NOWBACKONTOPIC]What do you think about create a password-locked control mechanism in quakec? That would be impossible, useless, slowAsHell right? right? right?[/NOWBACKONTOPIC]

[frag.machine]

[NOWBACKONTOPIC]What do you think about create a password-locked control mechanism in quakec? That would be impossible, useless, slowAsHell right? right? right?[/NOWBACKONTOPIC]

Impossible ? Not really.
Slow as hell ? It depends. You can always resort to custom builtins for the hot spots in your code.
Useless ? Of course. By the same reasons everyone else already exposed.

I remember some security expert saying many time ago that the ammount of money/time/effort you need to invest in security varies accordingly the value of what you are trying to protect. What is the ammount of money represented by the artwork assets involved in your money ? US$100 ? US$1k ? More ? Less ?

For example, an experienced engine coder could hack the FTE engine to add a cryptographic layer to the file system using an external key retrieved online from a master server, using SSL (so MITM schemes are not worthless to consider). Certainly safe enough to protect a reasonable investment in artwork (let's say, tens of thousands of dollars), but let's consider the costs:
a) you certainly will need to pay this skilled programmer;
b) you will need to pay for an always online, redundant master server at least for the foreseable life time of your game;
c) you will need to pay for a SSL certificate;
d) your game will have a always online requirement, even if it's single player (yeah, this worked very well for Diablo III and SimCity).

Remember, you are an indie developer. Be pragmatic. You are not swimming in money.
The implicit cost of these artwork assets imposed by your arstist are UNREASONABLE.

Your stuff can be ripped and used ? Of course.
How to prevent it ? You can't really. No one can actually.
I remember John Romero commenting how they were lucky to arrange agreements with pirates and getting like 5 bucks per otherwise unlicensed CDs containing full versions of Wolf3D/Doom plus community maps and mods, because it was impossible to sue chinese/russian pirates.
And those were the id guys, loved by every gamer back then.

Heck, I pirated Doom and Quake myself (I was a student without money back then). Nowadays I am proud to own all my games, Doom and Quake included (thanks Steam).

The best approach I ever saw so far was to shame the pirates. Make your game so good and cheap to buy that (most) people will feel bad for robbing you.
It's not 100% efficient, but you'd be surprised how effective it can be. Most people is willing to pay for a good game.

TL;DR: Stop spending effort in a fruitless battle against piracy. You're alone making a game, your time and money are already very limited, use it wisely to MAKE THE GOD DAMNED GAME.