Gowor: As for Wine... Well, it's not really officially supported.
I know it is not officially supported and I do not expect it to be. I'm not going to be contacting your support with installation woes. What I do expect from you is that you aren't actively working against me by means of digital locks. There's a three-letter acronym for that that you claim to be against.
Gowor: Malware pushers tend to be better, and any protection can be broken (as this thread shows), but AFAIK innounp doesn't unpack the compiled code, just the resources, so it's not the same thing. Plus, a repacked installer won't have the digital signature, so it can be easily distinguished (Windows shows a notification if you run unsigned downloaded exe).
Good point. I forgot about the signed EXEs... but then why not just have release builds of the InnoSetup installer contain a hash check for the RARs and properly tamperproof them?

If you're worried about it being slow enough for a "skip check" option to be necessary, just store a copy of the archive's table of contents in the release-build InnoSetup installer and do equality comparison with what your unrar.dll reports. If you're worried that verifying the full archive's on-disk size, plus the CRC32 and filesize of each stored file doesn't offer enough security, opt into the 256-bit BLAKE2 file hashes RAR now offers as an option.

Then, either you abort because the table of contents from the signed EXE doesn't match what the unrar.dll from the signed EXE reports as the contents of the RAR or your signed-EXE unrar.dll aborts because the attacker tried to modify the data without updating the CRC32/BLAKE2 corruption-check hashes that you've repurposed to do double duty as authenticity verification.

Then you've got a nice, secure chain of validity that has your signed EXE indirectly protecting the RAR in a much more trustworthy way than a RAR password and you don't annoy the Linux and OSX users.

Gowor: The browser actually identifies the archive very well (it is a rar file after all). The problem is when the only downloaded things are the rar files, without the installer exe, or even only the first part of the multi-part archive. And if I try to add any more protection from extracting such a download, then you'll have even more work to break that :-P Current solution works well enough for that purpose.
As I pointed out in my edit to my previous comment, all you need to do is prevent the browser and the user's unrar tool from identifying the archive. You should be good if you snip off the initial 7-byte magic number that says "this is a RAR file" and adjust your unrar.dll to infer it based on something like a combination of expected filename, expected filesize, and the hash of the first 4K of the file.

Gowor: As for Wine... Well, it's not really officially supported. I added a /nogui switch some time ago for that purpose, because it was a feature requested by some users. For now it's not working due to other updates which had higher priority. I'll look into getting it working again.
That's good to know for the immediate future for games we currently have to run in Wine via PlayOnLinux and I am thankful for it, but it's still sub-optimal for the long term and for future updates to installers on things which, with current installers, need no Windows code execution capability at all, such as DOSBox-wrapped games, games supported by ScummVM, Theme Hospital (CorsixTH), Arx Fatalis (Arx Libertatis), etc.
Post edited December 29, 2014 by ssokolow
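The check ssokolow describes above (a trusted table of contents, shipped in the signed EXE, compared with what the extractor reports) as an added example; it is not code from the thread or from GOG. ZIP and `hashlib.blake2s` stand in for RAR and its 256-bit BLAKE2 hashes because Python's standard library has no RAR reader, and all names and sample data are constructed.

```python
import hashlib
import io
import zipfile


def make_archive(files: dict) -> bytes:
    """Build a constructed sample archive (ZIP stands in for RAR here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_toc(archive: bytes, hash_data: bool = False) -> dict:
    """Return the archive size plus (size, CRC32[, BLAKE2]) for every stored file."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            entry = (info.file_size, info.CRC)
            if hash_data:
                # Reading the data also makes zipfile check the stored CRC32.
                entry += (hashlib.blake2s(zf.read(info)).hexdigest(),)
            files[info.filename] = entry
    return {"size": len(archive), "files": files}


def verify(archive: bytes, trusted: dict, hash_data: bool = False) -> list:
    """Compare an archive with the table of contents shipped in the signed EXE."""
    problems = []
    if len(archive) != trusted["size"]:
        problems.append("archive size mismatch")
    try:
        actual = read_toc(archive, hash_data)["files"]
    except zipfile.BadZipFile as exc:  # truncated file or failed CRC32 check
        return problems + [f"unreadable archive: {exc}"]
    for name in sorted(set(trusted["files"]) | set(actual)):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif name not in trusted["files"]:
            problems.append(f"unexpected: {name}")
        elif actual[name] != trusted["files"][name]:
            problems.append(f"modified: {name}")
    return problems


# Constructed sample data: a release archive and a repacked copy of it.
RELEASE = make_archive({"game.exe": b"original game code", "data/levels.dat": b"level data" * 100})
TRUSTED = read_toc(RELEASE, hash_data=True)  # computed at release-build time
REPACKED = make_archive({"game.exe": b"modified game code", "data/levels.dat": b"level data" * 100,
                         "extra.dll": b"added file"})
```

With `hash_data=False` only the table of contents is compared, so a data edit that leaves the headers untouched is caught later, by the extractor's own CRC32 check. CRC32 is not collision-resistant, which is the case for the BLAKE2 option.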
Gowor: Another reason - I want to avoid the situation where someone tampers with the archives (let's say adding malware, or some illegal content), and uploads the modified version on torrents. I don't want the GOG Installer installing anything else than it was supposed to, and it doesn't matter how it was obtained.
You are telling me you are more concerned about people who download your games from some torrent site, than about people who _buy_ your games and try to fiddle around with them to make them work under Linux (or any other experiments). That is really sad.
I mean that's why we all want DRM-free games in the first place. Because we don't want somebody telling us how to use the software. People want the freedom to screw around with stuff: to integrate mods, to adapt installers to their liking, to make the games work under linux or with some rewritten game-engine or whatever else they come up with.

That you can't offer support for any of that is totally understandable. Just make it clear that when you don't use the installer "good luck, you are on your own". Nobody would object to that.

And frankly, stop giving a damn about people who obtain the game from illegal places. You really think that those people will care if the exe doesn't have the proper digital signature? come on ....
Just think again what you just wrote here: You are worried that someone adds something illegal to the game and then puts it on a torrents site. Then someone would download that and inside the illegal download there would be more illegal content.
We really can't have that. *scnr*

(btw. iirc innounp -m will give you the embedded pascal(?) code. There is even a disassembler for that somewhere.)
Post edited December 29, 2014 by immi101
ssokolow: You should be good if you snip off the initial 7-byte magic number that says "this is a RAR file" (...)
If I may, I would suggest just the opposite: adding a few extra bytes at the beginning to mask RAR's "magic number".

- RAR will skip those automatically (if this is not part of the RAR specification, at least it is widely supported). That means that GOG needs not change their RAR library, and unrar already works fine this way.

- It is more "future-proof" to add extraneous bytes than removing vital ones. If they use something like "18 GOG EXTRA BYTES", they will also be self-documenting.

However, while this would take care of the RAR archives, I'm unsure how to deal with FreeARC and the other archives you may use in the future.
ssokolow: As I pointed out in my edit to my previous comment, all you need to do is prevent the browser and the user's unrar tool from identifying the archive. You should be good if you snip off the initial 7-byte magic number that says "this is a RAR file" and adjust your unrar.dll to infer it based on something like a combination of expected filename, expected filesize, and the hash of the first 4K of the file.
crazy thought: Let's just tell the users that they have to run the installer to properly install the game.
People used to be able to install stuff from cd/dvd by looking for the install/setup.exe and clicking on it.
Why are we assuming that people are too stupid to understand these simple instructions when they download the game?
Post edited December 29, 2014 by immi101
immi101: crazy thought: Let's just tell the users that they have to run the installer to properly install the game.
Very much this, I was about to post something along these lines.
I have to agree with immi101, and I'm not even a Linux user (yet?).

I'd much rather have the old way back, and get a warning message like what ssokolow proposed.

Sadly, I see that you won't reconsider. GOG is giving us more and more disappointment as time passes. :/
immi101: Why are we assuming that people are too stupid to understand these simple instructions when they download the game?
One word : Steam

Nowadays you can no longer consider that most people will be able to understand the complex concept of double clicking on a .exe to install a game ;).
Post edited December 29, 2014 by Gersen
Yeah, your explanation is a bit disappointing.

Everything I would have written has been written by others before me now already, so I'll just say that I agree with them.
Gersen: One word : Steam

Nowadays you can no longer consider that most people will be able to understand the complex concept of double clicking on a .exe to install a game ;).
And appstores! People don't even know where stuff is installed anymore. (Good old days where you would just copy a directory and were all done).

Lowering the technical aptitude that is required of a user also broadens GOG's potential market. I understand and respect that. I just wish that GOG wouldn't take a mutually exclusive view.

"If you don't know much about computers, please install our Galaxy software, that defaults to a fully automatic configuration. No more worries! It can install, uninstall and update all your games for you!" This, IMHO, would work quite well.

Auto-Galaxy users default to downloading ".gog" files from the website, that are some XML files registered to Galaxy, containing all the information that may be required, e.g. the download URL, total installation size, executable names, game manual file, update check URL, patches to apply, uninstaller executable, and so on. This is just my idea. It may be flawed in many ways.

As long as GOG is willing to talk with us tinkerers and Linux users, there will be no worries. We can create our bridges and our tools. Just talk to us and we should be able to manage ourselves. We don't ask for much.
Gowor: -Yes, the archives are password-protected. Here's why:

The supported way of installing the games is by using the Installer, which apart from unpacking the files, also creates registry entries, shortcuts, compatibility fixes etc. We want to avoid having the situation, when user will see an unprotected rar file, download and unpack it, and get a "broken" installation, because he didn't use the installer.
There were situations, when users would download just a single part of the installer, or try to unrar it manually (because apparently some browsers detect our new archives as rar files), or even try to open the .bin files with the VLC Video Player.
In such a situation I think it's better to give immediate "it won't work that way" message, rather than allow someone to make a "partial" installation, which may or may not work, without any information.

Another reason - I want to avoid the situation where someone tampers with the archives (let's say adding malware, or some illegal content), and uploads the modified version on torrents. I don't want the GOG Installer installing anything else than it was supposed to, and it doesn't matter how it was obtained.
Both of those reasons go against DRM-free approach which should give the user full freedom of how to use the package. Users want to do weird stuff like playing it with VLC? It shouldn't stop them from doing it! That's the point. Putting any kind of password protection or worrying about potential torrents is already falling into the DRM mentality. Come on, the last people I expected it from were GOG!

About updating without repacking, there should be free non patent encumbered format to achieve that, and no password protection is required.

Overall I'm pretty disappointed with the direction where this is heading.

Gowor: Mind you - if you are using the supported installation mode, you don't have to enter the password anywhere. Nor is it in any way dependent on username, or hardware, or anything else. It's more or less hardcoded into the installer (I see you guys already figured out how), as much as the decompression algorithm. You can still use the installer exactly as you could since the beginning of GOG, and install your games wherever, whenever, and however many times you want. It doesn't detect where was it downloaded from either. That hasn't changed at all.
Yet you know perfectly well that many users don't use "supported installation mode" and unpack their games with other tools. Which often happens for systems which don't have Windows / Wine. For example to play those games on mobile systems with ScummVM. Why should users go through the pain of finding Windows just to unpack those games in such case?

Gowor: We don't really support installing the game by manually unpacking the archives (for whatever reason you do that). On the other hand, I see you already figured out the algorithm for obtaining the password, so you are still able to do as much. I'm not going to say "Hey, good job hacking into our software guys!", but I'm not going to try and make the password harder either.
It's one thing not to support it, it's another thing to actively make it hard. Yes, we figured out a way to bypass this stupid password, but nothing stops you tomorrow from changing that way and making it much harder to bypass. Yesterday you said there will be no DRM. Today we got this password. You say today you won't make it harder. Should we believe it? We are talking about the attitude here, not about the method. Once you are falling into that mentality, there can be no end to it. So please, revise this approach and remain community friendly by avoiding any such stuff. You don't need to support it but you don't need to be hostile to DRM-free approach either, which is exactly what's happening in this case.

If you want any kind of verification / authenticity checks, provide checksums. You don't need any passwords for authenticity checks to avoid malware.
Post edited December 29, 2014 by shmerl
HypersomniacLive: I have to agree with immi101, and I'm not even a Linux user (yet?).

I'd much rather have the old way back, and get a warning message like what ssokolow proposed.

Sadly, I see that you won't reconsider. GOG is giving us more and more disappointment as time passes. :/
I hope GOG will still reconsider if they value their community. I posted a wish item here, please vote:

https://www.gog.com/wishlist/site/dont_slip_into_drm_swamp_stop_using_password_protection_on_installer_packages
Post edited December 29, 2014 by shmerl
Oh I forgot - good job you guys who figured out how the password thingy works! ;)
Voted. I wish there was a way to increase the visibility of this somehow.

Meanwhile I gathered the gameids for all the games I have from here from the web page and stored them and a precalculated md5sum right next to all my games for potential future use. The ones that have left the catalogue were tricky, but waybackmachine worked there.
Gowor: Another reason - I want to avoid the situation where someone tampers with the archives (let's say adding malware, or some illegal content), and uploads the modified version on torrents.
But what you've created is a reason for people to go looking for the modified torrent version of the file that doesn't have a password lock on it.

Gowor: As for Wine... Well, it's not really officially supported.
I'm not really looking for official support, I'm looking for a way to play old games on a modern Linux system without resorting to straight up software piracy. Stop making software piracy more convenient than doing the right thing.