How to prevent users from still being able to play my stand-alone game after a refund

My game is a completely stand-alone game, and many customers try to keep the game files after a refund to continue playing.
How can I avoid this? Do I need to use Epic Online Services? Does using Epic Online Services mean that I need to provide resources such as domain names and servers in my organization?

Hey there @baishi422! Welcome to the community! Depending on where you’re launching your game, you have a couple of options for DRM, but neither is meant to be used for actual heavy DRM, just the first layer to stop casual sharing like you mentioned.

Steamworks API based DRM

EOS Interfaces (though Epic doesn’t intend to do hard DRM)

Rolling your own personal DRM:
Unless doing offline key validation, this could require your own server somewhere to authenticate the client. Generally a simple REST API to call your site to verify the user’s using a valid key can do the trick.

It’s recommended to be very careful with DRM on indie games, as no amount of defense will stop a dedicated cracker, but enough resistance for players will cause some attrition.


Ok, so how do I do offline key validation?

The great thing about that path is that it’ll be decided almost entirely by how you want it to work and is rather customizable. The downside is that unless you’re using an out-of-the-box solution, this could be quite an undertaking as it goes into some non-trivial concepts like cryptography, obfuscation, and hardware identification.

From a high level (I haven’t had to work with local DRM in 10ish years):
You’d first write a tool that can use an algorithm like RSA (for example) to generate a public and private key.

You’d then incorporate a crypto library in C++ in UE that takes the public key and checks its signature is correct. My examples are dated but “back in my day” OpenSSL or Crypto++ would do this, but may be significant effort implementing in engine.

From there you can decide if you want keys to be able to be used again (like the game Starsector) or if you’d want something to identify the computer it was launched on locally and tie the key to that data, like their Hardware IDs (HWID is how you’ll likely research this). However, fair warning: that used to be more common but isn’t anymore since users upgrade their computers frequently these days.

Lastly you write a file that’s checked on startup, that the engine will read and verify this is the user that this key is bound to or not, then handle each validity state how you would like.


For indie games, it’s often not worth using too many anti-piracy measures since the bar for cracking games is so low, especially in common engines that have tools to do this already.

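The offline scheme outlined in the reply above (vendor tool signs a license, the game verifies it at startup with the embedded public key, optionally bound to a hardware ID), as an added example that is not part of the original thread or any engine's code. It assumes a standard-library-only RSA PKCS#1 v1.5 check with a constructed demo key; the names `issue_license` and `check_license`, the license fields and the machine IDs are hypothetical, and a shipping game would use a vetted library such as the OpenSSL or Crypto++ mentioned above.

```python
import hashlib
import json

# Constructed demo key built from two Mersenne primes so the example runs with
# no external library; a real key tool generates random primes instead.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                   # public key: embedded in the game build
D = pow(E, -1, (P - 1) * (Q - 1))     # private key: never leaves the vendor tool
K = (N.bit_length() + 7) // 8         # modulus length in bytes
# DER prefix of the SHA-256 DigestInfo structure (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo, as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def _canonical(fields: dict) -> bytes:
    """Stable byte form of the license fields, so signer and verifier agree."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def issue_license(fields: dict) -> dict:
    """Vendor side: sign the license fields with the private key."""
    sig = pow(_encode(_canonical(fields)), D, N)
    return {"fields": fields, "sig": format(sig, "x")}

def check_license(lic: dict, machine_id: str) -> str:
    """Game side at startup: 'valid', 'tampered' or 'wrong_machine'."""
    try:
        sig = int(lic["sig"], 16)
        expected = _encode(_canonical(lic["fields"]))
    except (KeyError, TypeError, ValueError):
        return "tampered"
    # Compare against the fully re-encoded block instead of parsing padding.
    if not 0 < sig < N or pow(sig, E, N) != expected:
        return "tampered"
    bound = lic["fields"].get("hwid")   # absent: reusable key, no machine binding
    if bound is not None and bound != machine_id:
        return "wrong_machine"
    return "valid"
```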