Lua-based anti-piracy system discussion

["Jim Bumgardner" <jbum@...>]

Hi Folks,

 

I'm pleased to announce that MetaScope (the world's coolest Lua-based
screensaver & Google Hack) is officially available for download at my new website

(www.krazydad.com).  MetaScope is a kaleidoscope screensaver that performs

image searches on Google and 4 other search engines.  Okay, enough

shameless promotion. :)

 

I thought I'd talk a little bit about the shareware distribution and anti-
piracy measures behind the new website, since other Lua programmers may
find it of interest, and it may generate some discussion.

 

I learned, years ago, when working on The Palace (an Internet Chat system
I created in 1994) that a software product isn't just the program - the
executable file.  It's a whole bunch of things: The client software, the
server software (if any), the website that sells it, the community that
visits the website, the ordering system, and so on.  I realized that when
thinking about the product, it is more helpful to me, the developer, to
think about the entire system as 'the product', rather than obsessively
focusing on the 'executable' (the software that the user downloads),
which is really only a small part of the whole system.  It's easy for
programmers such as myself to fall into this trap.

 

So in setting up the KrazyDad website, which currently has one product,
"MetaScope," I have created a 'whole software' distribution system which
consists of a number of components.  Metascope is my first product, but I
intend to (over the next few years) release a number of fun little lua-
based software toys on this website using the same system, differing

only in the script-components.

 

Here's a few key parts of the system:

 

1) Lua-scripts & C++ Engines

 

All the software toys sold by KrazyDad are (or will be) written in a
combination of C++ and Lua-Script.  All the "high-level" code is written
in Lua.   The C++ Executable is basically a high-performance OpenGL Sprite
engine which runs the script.  This is similar to the Palace model in
which the  palace-executable is basically an engine which ran forth-like "iptscray"
scripts, but more extreme - far more of the 'functionality' (and most of
the anti-piracy stuff) resides in the Lua script.  The C++ engine will
tend to be the same from product to product, with certain capabilities turned

on or off.

 

2) Cross-platform technologies.

 

The C++ engine relies on a number of cross-platform technologies. These
include Lua, OpenGL, JPEG, PNG, ZLIB, CURL and FMOD (a sound engine).  About
95% of the code is ready for porting, and it should be fairly simple for
me to make Macintosh and Linux versions (once I get a little free
time...).  In the case of the Palace (which was originally written on a
Mac), only about 50% of the code was portable.

 

3) A server for delivering 'registered' scripts.

 

The 'free trial' that you  download contains a script with limited
capabilities.  When you register the software, the demo-script downloads a new

script from my server.  The new script contains additional functionality.  Because

of this method, a software pirate can't 'unlock' the demo by adding a few NOPs to

the EXE file.

4) All the scripts are precompiled, compressed with zlib, and encrypted
using the user's identification information and registration-code as an
encryption key.

 

This way, if a particular script is copied, I can see where it came from.
Also, if someone attempts to tamper with this information, their script
will cease to function, because it can't be unscrambled.

 

I am NOT saying that this system is 'tamper proof' - it is simply harder
to tamper with than your typical shareware program which can be fixed by
inserting a few NOP instructions.  Much of the code that is responsible
for security is contained within the scrambled Lua script, rather than
inside the C++ engine.  This makes it somewhat harder for a hacker to
"decompile" and modify.

 

I am considering using a modified version of LuaLib that scrambles the
order of compiled tokens, so that an 'off-the-shelf' Lua decompiler can't
be used (Don't know if there any off-the-shelf decompilers out there,
but I imagine so...).

 

- Jim Bumgardner