[Tutorial] How to get away of Leaking-sites

Discussion in 'Spigot Discussion' started by SyntaxPhoenix, Apr 17, 2019 at 3:58 PM.

  1. Hello,
    today I want to show you a short guide, how to get rid of leaking-pages.

    When you create a premium-resource you do not want to get it leaked on such sites. This short tutorial should show how to prevent that behavior and what you can do against it when your resource has already been leaked.

    What to do before leaking

    First of all, I want to start to explain, what you could do against it:

    1. Save the Username of the Spigot-User into your plugin

    Spigot offers you to change the value of the following variable in your plugin:
    Code (Text):
    public static String USER = "%%__USER__%%";
    By adding this code, the value %%__USER__%% will get replaced by the Spigot-UserID of the user. This could be used for a simple antipiracy-system which communicates with your server

    2. Take a hash-value of your plugin-jar

    The hash value of each downloaded file on Spigot is different. By taking the hash-value of a downloaded file you can also create a simple antipiracy-system.

    This two methods can be extended by tracking the IPs also over a stats-system etc.
    The crackers are often only removing the antipiracy itself, so by tracking the IPs of the stats-data which is sent to your server and comparing it with the anti-piracy, you can easily get IPs, which are running illegal versions of your plugin.

    3. Obfuscate your plugin

    A good anti-piracy would not work without a good obfuscation. There many obfuscators out there. A common, but not bad one is ProGuard. This makes leakers harder to read your code and take them more time to crack your software. So just give it a try, there many tutorials out there, how you could make your plugin obfuscated very well.

    What to do after leaking

    Now we get to the point, where your resource had already been leaked anywhere out in the web.
    Here you have also some good options to go against leaking-sites.

    1. Contact Google to remove links from its web search

    Google offers to remove links, which are against valid copyright. So just collect the links and send them to Google via this form: https://support.google.com/legal/contact/lr_dmca?product=groups&uraw=&hl=en
    Google will contact you after one or two days and will remove these links. This is a good step to ban leaking-sites from the web.

    2. Contact hosters of IPs

    If you found an IP which is using your plugin illegal, you can simply contact the hoster by searching them over their IP. The hoster will surely not host illegal content, as he would probably get problems by the police when doing so. Often the hoster will ban the user. Here you could also take a lawyer and get into court against the person, as the hoster needs to give the customer data to the police in such case.


    I hope this thread had overall helped you with leakers and gave you some good tips on how to get rid of them. I'm using them myself, too and I'm very happy with that :)

    Please note: This post should not be a discussion about DRM itself. It should give interested Developers some hints, how they could improve their software.

    Each person should decide on their own if an anti-piracy is a useful thing for their plugin.
     
    #1 SyntaxPhoenix, Apr 17, 2019 at 3:58 PM
    Last edited: Apr 17, 2019 at 7:05 PM
    • Like Like x 1
  2. Celebrimbor

    Patron

    1. I would remove the specific name mention of certain sites to (1) avoid pointing even more people to those sites, and (2) to avoid your thread being removed as a result of pointing to illegal sites.

    2. The counteractive measures following a leak will do nothing unfortunately. A certain unnamed site is working on a host that DOES NOT care about contents. If they decided to oust them, they just move. Getting links removed from Google search??? Not sure that does anything besides make it harder to keyword search from Google. Maybe that was the only goal?
     
  3. 1. Yep, I removed that
    2. You are totally right. But if they always need to move, it would get harder for them and they will think of probably better buying the resource than moving their Minecraft-server that often.
    3. You are totally right, removing them just from the Google-Index does not do anything against leaking-sites. But it is getting harder to find that resource on that leaking page. Also, you could ban the site with their main-url and so they will get removed from the complete google-index. This is not great, but it is working :)
     
  4. Celebrimbor

    Patron

    Name of thread...
     
  5. Removing them from google would prevent this, I guess?
    upload_2019-4-17_10-54-27.png
    The third result! :l
     
  6. 99% of people who download it for free, will never buy it so trying to hide these sites or to make anti leak things are useless.
     
  7. Yep exactly. Google will display following at the end of the page:
    [​IMG]

    Maybe, maybe not. Overall Leaking is against the Copyright-Law and you should work against it, as probably some buyers will try to get it for free.
     
    • Agree Agree x 1
  8. How do you shutdown the plugin if the antipiracy system has been cracked ?
     
  9. As spigot does not allow to shutdown the complete server I just disable the plugin itself. That can be easily done with following code:
    Code (Text):
    Bukkit.getPluginManager().disablePlugin(this);
     
  10. Guess what, the basic Anti-Piracy is cracked so you have to do your own thing, and chances are your own thing will break the rules.
    When it comes to the basic default Anti-Piracy, I'm sure most leakers have a program that auto-removes the default anti-piracy
     
  11. Yeah, that's the reason, why I would ever have multiple systems onboard. Just let your plugin send some data to your servers, like stats. The would probably let the stats included and that would be everything :) Other option would to base on a free dependency, which has a build-in data-collector etc.
    This is the point, where you need to be creative. They will, of course, try to break your DRM, but by obfuscating and multiple systems you can try to trick them out :)
     
  12. Yea and....
    (using my Anti-Malware for this example)
    Lets say your plugin is SUPER obfuscated and oh idk, it's detected as a force-op or literally any other check. It gets reported. high chances of your plugin being deleted for suspicious of being Malicious.

    Edit: Also aren't your plugins on these leaking sites already?
     
  13. If the leaker remove this line of code from the jar, which is I think easy for him, then the antipiracy system is broken.
    I had this issue with one of my plugin, I created a system that disable the plugin if a value in a database is set on false.
    Guess what, it got cracked easily.

    I think that there is no way to get away of leaking sites, the best way to counter them is to provide an active support and many updates.
     
    • Winner Winner x 1
  14. Yep, thats why I had also created the section: What to do after leaking :)

    But still, the newest versions are not on there, as we had used a stronger obfuscator-mechanism :)

    Overall you are right, that your plugin might block something like that, but that would be better than having stolen versions of your plugin out there...
     
  15. I mean, you wouldn't be getting any money at all due to your resource being deleted AND there would still people leaking your plugin, not sure how that's better?

    ALSO IT'S NOT A PLUGIN T^T
     
  16. Yep, you are totally right. That's the reason, why I would highly recommend comparing the IPs of the stats-system with the one of the anti-piracy. Never, really never do internal things, they will get cracked if they are not properly obfuscated. But sometimes it is good to have them in there, as the cracker would not check if there is something more :)

    Also frequent support and many updates are important :)
     
  17. All things, I had written here are okay with the DRM-Rules of Spigot.
    - You are allowed to use a DRM
    - You are allowed to disable the plugin
    - You are allowed to obfuscate your code

    So there would be no problem at all. We might have talked from two different things, but all I had told here is legit and allowed by Spigot.
     
  18. Obfuscation / DRM
    • You are allowed to obfuscate your resources, however the decompiled code must be somewhat legible by staff. We may request you use a different obfuscator or none at all.
    • DRM systems are (provisionally allowed), with the following key caveats:
      • All resources must run directly from downloaded file without any manual installation steps or internet access. This means that licensing systems of any form are prohibited.
      • They must not interfere with any aspect of the server outside of the plugin itself.
      • We will treat all complaints of DRM abuse with the highest severity, which may result in immediate and permanent suspension of your resource unless sufficient evidence is provided.
      • We may request it be removed or altered at any time.
     
  19. So how can DRM be allowed but not licensing?
     
  20. Obfuscation / DRM
    • You are allowed to obfuscate your resources, however the decompiled code must be somewhat legible by staff. We may request you use a different obfuscator or none at all.
    • DRM systems are (provisionally allowed), with the following key caveats:
      • All resources must run directly from downloaded file without any manual installation steps or internet access. This means that licensing systems of any form are prohibited.
      • They must not interfere with any aspect of the server outside of the plugin itself.
      • We will treat all complaints of DRM abuse with the highest severity, which may result in immediate and permanent suspension of your resource unless sufficient evidence is provided.
      • We may request it be removed or altered at any time.
     

Share This Page