Discussion in 'Spigot Plugin Development' started by SpoKaPh, Jun 5, 2017.

  1. Hey,
    is it allowed to bind the plugin to an IP address (or Hardware-ID)? [-> The Plugin will only work on one server. ] If the user then wants to change the IP address the plugin is bound to, he has to enter a key that's generated the first time he starts the plugin. So is this allowed? (Please with sources :))
    Thanks in advance!
  2. Save yourself the time, people will crack if they want to crack. Rather spend that time to post updates often, so leaks quickly become outdated.
    • Agree Agree x 1
  3. This system seems to be implying you'd be querying a server when the plugin starts to check if the IP is valid. If you disable if that check fails, it's against the guidelines

    This isn't even mentioning that piracy protection in all its forms is utterly worthless, but whatever
  4. One can crack everything. However, I want to prevent that someone just copies it. Most of the people don't put a lot effort in cracking the plugin and if the notice that it has a good protection the probably will give up.
    If the user doesn't have a connection to the internet, he would also be allowed to use the software. But usually, servers have an internet connection :)
  5. Yes, one can crack everything. But at that point you might aswell save all HWID's to a pastebin, and if you notice someone leaks disable that hwid.
  6. I have been working on something like this for quite a while for my marketplace ShulkerBox, called ShulkerDRM. Each plugin in a way is binded to an IP. The server owner must log into the DRM panel and verify their server's IP by setting their MOTD to a specific code, one time only. Once verified, all plugins through ShulkerDRM will work on their server.

    For the crackers, I decided to make a custom class loader with RSA encryption. YES, it can be decrypted, however not easily, as I am using timestamps which change every X hours, which changes the plugin's encryption every hour (unless the server is running, else it will change the encryption on next reboot). Secondly, the plugin doesnt contain the plugin's code, but the code needed to DOWNLOAD the plugin from our servers, which needs to be decrypted and loaded. Lastly, even if they plugin is decrypted, the plugin is simply looted with kill switches. Simply just to make the cracker's life absolute hell. It has class filesize checks, signature checks, etc. It's simply too the point of not worth cracking anymore, as it takes this much work to crack, just for 1 version of the plugin. The next time the developer releases an update, this entire process will need to be repeated, however the encryption will be different and need to be re-decrypted. This system isnt done yet, however I've been working on it with some testing happening periodically.
    • Like Like x 2
  7. Congratulations, you'll have completely defeated the purpose of the protection in the first place then. I don't know if you've noticed, but someone who actually knows what they're doing can just block outgoing traffic to whatever server you intend on running this DRM at.
  8. Not everyone knows what they are doing ;)
  9. But everyone is able to follow instructions on how to block a host from someone who does.
  10. Oh look, the 213,798th anti-piracy thread.
    • Like Like x 2
    • Agree Agree x 2
  11. electronicboy

    IRC Staff

    binding to a machine address is going to cause complications as not all servers can actually grab a machine address due to some network interfaces not actually providing a mac address.
    binding on IP addresses is also somewhat prone to failure as many people may want to use the same plugin on the same node.
    Some people also use a single plugin on multiple machines on their own bungee networks.

    Your plugin also needs to work no matter what happens with the internet connection, e.g. a server might have an internet connection, but your server might be down. your server host might be having routing issues, etc, etc...

    it's also going to cause issues with people who are home hosting, or behind weird networks that do weird stuff.

    it's DRM systems like this which cause grievance for users, and push spigot into introducing new rules to prevent inane DRM systems such as this from hurting purchasers.
    • Informative Informative x 1
  12. ScarabCoder

    ScarabCoder Retired Resource Staff

    Sounds like overkill, and a pain for releasing every update. If you just update your plugin at least once a week, nobody's gonna try downloading an old pirated version.
    • Agree Agree x 1
  13. How would you suggest to make an Anti-Piracy system? I must ensure that someone can't just copy the plugin or send it to a friend,...
  14. Just dont.. you're not gonna prevent that without going total overkill. Just reguraly update so leaks arent worth it
  15. electronicboy

    IRC Staff

    Quite simply: other than hurting people who want to use your plugin legitly, there is no real sane way to handle that.
    you could probably attempt to limit x amount of instances per nonce or per user id and offer to up it for people who actually need it increasing, but then you're impeding users and having to manually increase their limit in your system, as well as people can just say they want it upping for themselves. really not worth the effort in the long run.
    • Like Like x 1
  16. That does not answer my question...
  17. Don't make software public if you don't want piracy. Forget about it, many have tried, all failed.
    • Agree Agree x 2
    • Like Like x 1
  18. what about just using basic spigot anti piracy?
    let the dumb leakers just get their ID up and get a spigot ban, removing access to not only your resource but all other they bought with no chance of getting unbanned.
    this also adds just a bit of protection, which should be enough for you.
    You could also use a host to allow only 1 IP per week to use it, but it'd easily be both exploitable and will be cracked.
  19. Most leakes are on seperat forums. Or they give it to each other via Dropbox, Google Drive etc...
  20. Well, unless you manage to make your code work only with a specific method which is linked thru JNI or something, which is again embedded within the method, you'll have to find out something else to do, because else it'll not work with anti piracy..