问题
Let's assume that after a few years of work I would have a 3D game ready, that can be downloaded by millions of people worldwide, it would be a game running on a client-server model.
As far as I understand anyone can look at other people's source code if they possess the .jar (the client one in this case). What are the risks of other people having a client .jar?
The checking part (anti-cheating) will be done on the server side anyway, so I doubt there will be much risk here, but I'm just wanting to have a good view of what can exactly happen, so to be more precise I'm asking the following questions:
- What can be done to protect, let's say, client.jar from other people reading the code?
- What is the harm that even if people would have full control to the client.jar source code, could be done to the game itself in a singleplayer environment?
- What is the same harm that could be done in a client-server multiplayer environment?
- What is the harm that could be done to me/my business on a personal and/or legal level?
- What could if other people decide to copy the game, okay I know this can also happen if others just build their own game 1:1 mirrorred to my game.
I thought about putting it up on gamedev, but I think it's better suited here as it is directly about a programming language - Java - and an abstract programming problem.
回答1:
On this one, I should emphasize that all opinions are my own and do NOT necessarily reflect those of my employer.
No, they can't look at your source code if they've got the jar. They can decompile it into equivalent source code, which will be significantly harder to read but can be figured out... just as they could dis-assemble object code (which would, admittedly, be a bit harder to figure out). Code obfuscation will indeed slow them down, but the folks who would do this are used to dealing with that too. Java is more vulnerable than some other languages to being reverse-engineered.
Copy protection generally works only to keep honest people honest. Luckily, most folks are at least moderately honest. The dishonest treat it as a free puzzle included with your product. You can slow them down. But realistically, you can't stop them unless you use specific kinds of hardware-assisted security (basically, running critical parts of the program inside a separate encapsulated machine) -- which tends to drive the cost up and/or annoy people enough that they avoid your product. Most companies have instead moved to a model of requiring that code be registered in order to get upgrades, support, online services, or whatever... and to either pricing it with the assumption that some piracy is going to occur, or pricing low enough that pirating it just isn't worthwhile.
Or, for commercial code, going after the pirated copies in court. For serious code, most companies are very aware that they have much more to lose by allowing a pirated copy onto the premises than they can save by pirating; I've seen employees fired on the spot for making a pirated copy at work.
In fact some companies have made "pirating" part of their business model. "If you got this program from a friend, and you like it, please consider sending us money to support the developers and/or buying an upgrade to the current version." Surprisingly, for good products, many folks are perfectly willing to pay voluntarily. Not everyone, but it helps.
Addressing your questions about alteration of the code:
I AM NOT A LAWYER, AND YOU SHOULD CONSULT ONE FOR THIS QUESTION, but my best understanding is that you have no new liability. If they mess up the code, that's their fault and their problem.
In a singleplayer environment, all they can do is mess with their own copy. If they break it, that's their problem. If they cheat, they're only cheating themselves out of the gaming experience they paid for.
Multiplayer is a much larger problem; if they reverse-engineer the game they can mess with your databases and other player's experience of the game. The only way to solve this, as far as I know, is to design your servers to (a) only allow the client to do things which can't cause much damage, and (b) watch player actions to try to detect abuse and kick abusing players out of the system. It's annoying, but it's the reality. And if you can show that you've made a reasonable effort to do this, it should guard you against any possible liability at this level.... but again, I AM NOT A LAWYER and free legal advice from programmers is like free programming advice from lawyers...
Building their own game mirroring yours: If you can detect that they're accessing your servers, that's legally actionable. If you've got something as simple as Tetris or Minehunter then you're going to get knock-offs and unless you're willing to go after them in court there isn't much you can do about it except by offering upgrades and so on to registered players that the knock-offs won't get. if you've written something complicated, then for the effort of duplicating yours they could create their own so this is less likely to be a problem than pure piracy is.
And as far as industrial-level piracy in the far east etc... Again, there really isn't a good answer.
If you find a solution that actually works, THAT should be your product; the world will beat a path to your door. But in the long run, I really don't think it's possible; all you can do is slow them down and use copyright and license agreements, and build a loyal enough fan base that they'd rather work with you than against you.
回答2:
What can be done to protect, let's say, client.jar from other people reading the code?
Obfuscate the code, it makes reading the code harder but not impossible.
What is the harm that even if people would have full control to the client.jar source code, could be done to the game itself in a singleplayer environment?
They'll have control over everything (change anything they like), I have no idea how would that effect your game, business wise. but many games offer ways to change the game environment and that makes the game more desirable by players.
What is the same harm that could be done in a client-server multiplayer environment?
It will make it easier to reverse engineer the game protocol and you'll start having [BOTs] instead of real players play the game, besides any constraint imposed by the game UI will be rendered useless.
What is the harm that could be done to me/my business on a personal and/or legal level?
Depends how you monetize and in what country do you operate (local lows). I think you should consult a legal expert on this one.
回答3:
"anyone can look at other people's source code if they possess the .jar" - this is not true. You can create special jar with the source code, but you are not obliged to do so in order to run a program. The program may contain only "binary jar" - that is, containing compiled java code and/or resources, no source. Corrected: since binary code can be decompiled back to java code (for example, with http://jd.benow.ca/ ), it will be important to obfuscate or encrypt the compiled code ( google for JODE, RetroGuard, etc.)
- What can be done to protect, let's say, client.jar from other people reading the code?
you can create "thin client", that does nothing, but downloads the main code from the designated server. Of course, you'll have to protect traffic and use such key authentication that makes it impossible to trick client into using fake server.
- What is the harm that even if people would have full control to the client.jar source code
that assume you don't give source-code level control to anyone
- What is the same harm that could be done in a client-server multiplayer environment?
bots and DOS-attacks at least
- What is the harm that could be done to me/my business on a personal and/or legal level?
it depends on concrete implementation and business model
- What could if other people decide to copy the game, okay I know this can also happen if others just build their own game 1:1 mirrorred to my game.
If your client program is reverse-engineered, than hardly you can protect it from copying. Otherwise you should implement such network protocol, that makes copy impossible/useless.
来源:https://stackoverflow.com/questions/21064329/protecting-java-code-of-a-game