Wow, nice research and all.

Thank you for taking your time and helping us all with this.

by that logic you could excuse quite a lot of copy protection software:
"hey, they didn't try to implement a DRM, if they did, they would have used one that is harder to crack" :p

side note: the strength of the password here is totally irrelevant, since they give you installer which calculates the password.

honestly, i'm still baffled what the purpose of all this is. Putting any kind of access restriction on the game archive _and_ giving me the installer which removes those restriction doesn't make any sense. Even if we assume for a second that those restrictions are impossible to break.

And it makes even less sense for GOG who claim they want to remain DRM-free. If they won't come and explain that this was some kind of oversight, their DRM-free reputation will be tarnished.

I feel like I have to clarify that I don't excuse this in any way.
If GOG indeed deliberately created those password-protected installers, I'll be pretty pissed. Their reputation would be... as you said already, tarnished - quite a bit.

Okay, maybe the password strength is irrelevant. Ah, I don't know, I'll give GOG the benefit of the doubt for now.

Would like to add that if you create a new file in linux, paste the game id in it and run md5sum "filename" it produces the correct md5 as well.


EDIT:

To get the game id from the website, go into a game page and search for "data-product-id=" in the source. I primarily tried this with neverwinter nights and the number you provided matches. :)

i still hope this turns out to be just an ignorant/unthoughtful design decision:
like: "hmm, encryption sounds like security, security is good, lets put this in here"
People do the strangest things in software development ;)
The only thing tarnished is the belief in their technical competence.

I wouldn't go so far as bringing up the whole "DRM-free/GoG loosing their" way discussion at this point.
Can't even call this an attempt of DRM, it's just a really stupid annoyance.

That's not a good method since the page can contain multiple entries like that if that game belongs to some series. See another method and scripts above with using addToCart('/cart/add/

You're right, I was a bit hasty (it's also pretty late) hehe. Looking at the page code again, it does list the codes for other games from the "Series" and from the "People who bought it also bought" lists.

The addToCart method is indeed much better. Thanks for the correction.

Currently, I feel the same way. Still would like to hear a response from GOG and more importantly for them to change this.

Hmm, did you somehow miss the Fresher, Better GOG.com? ;) Mainly just wanted to say thanks & good work.


For anyone looking for more blues to bother, has worked on patches in the past & [url=https://www.gog.com/forum/witcher_adventure_game_the_online_beta/game_launcher_feedback_post_here/post101]Gowor is the resident Install Wizard. Come to think of it His Penguinity, Linux installers, might not be a bad choice.

Thanks for the pointers, I didn't meet them on the forum before. I pinged them, let's see if they'll be able to clarify anything.

I haven't tested with others but the deadly premonition director's cut installer provides a network-free way to get the game ID with current innoextract versions: Unpack the EXE and match for "tmp/\d+\.ini".

I'll upload a gog_unrar.py script which uses that approach in about four hours. (It should be done right now, but I can't do the final testing until I redownload deadly premonition. That's the only game I have in "new installer" form and I accidentally deleted it from my "burn to DVD+R" queue while testing.)

I, at least, will be looking at this issue seriously, and I won't keep GOG on the same level of admiration I once had reserved for it. If we don't get answers soon, it will only amount suspicion.

Has anyone noticed any pattern regarding the use of this new packaging system? Are there new games using it?

If I had to guess, I would say that this was a small controlled test "in the wild", to see if the users reported any problem with it. If it goes OK, they can continue this line of work. In no way do I believe that the password will remain based entirely on the gameID. I can see them adding at least the userID to the mix, as a way to watermark the files.

My main concern here is losing the ability to interoperate with the instalation files. I can see no tradeoffs in this change.

Doubtful. Adding it to the BIN password would shoot either their CPU requirements or their CDN fees through the roof while, if they watermarked only the EXE, using innounp or a version of innoextract enhanced to extract the install script would make it trivial for piracy-minded folks to replace the watermarked GOG EXE file with a copy of unrar.exe, a regedit .reg file, and a .bat file.

Also, as I just mentioned in another thread, given that two installers apparently use non-RAR compression (one FreeArc, the other unknown), I'm wondering whether they just hired a warez kiddie into their installer department.

This certainly feels like those early/mid-2000s warez releases where each game had a .bat file, some bundled decompression utilities, and a unique mix of compression formats you'd never heard of which was designed to crunch the game's download size down as far as possible.

Sorry for the delay. Here's the script I wrote which successfully unpacks the Deadly Premonition Director's Cut installer using only the output of innoextract to deduce the RAR password.

https://gist.github.com/ssokolow/7368450647df37c40830

Thanks for pointing it out! The ini file there indeed has that id as a name. That's useful and simplifies unpacking.