Say for example that I was a digital video game provider, and my games were played via a virtual machine. Let's also say that the code for this virtual machine were open source, and that this VM was designed to run on somebody's computer.

When I launch this VM, it would check itself for updates, then the user would log in, and be funneled to my online store where they could purchase new games or launch games they had purchased. Those game binaries would be stored on the user's hard-drive and be fed into that same VM. Game binaries, much like binaries composed of Java bytecode, are not necessarily open-source.

Obviously I want a few conditions upon this VM's operation.

  • Users should only be able to launch games associated with their own accounts.
  • My VM has anti-cheat built in. I don't want users to circumnavigate this.

I would think to solve this issue via a reported checksum; the VM binary should match the latest official version before an attempted log-in is accepted by the service, but open-source code means that a savvy user could modify the report_checksum function to return whatever matches the official version.

How could a service in such a relationship with its clients authenticate those who tried to query it?

DeepDeadpool
  • The problem with modifying the checksum function always exists, even if the software is not open source. And in any case, you can't stop a user that starts modifying your software. There are plenty of ways to make it harder though, there's just the question if it is worth it. Most people are not able technically to do this anyways, and the others usually don't give up easily. – deviantfan Jul 02 '18 at 20:44
  • How could they modify the checksum function if they didn't have the source code? How would they even know what was being used? – DeepDeadpool Jul 02 '18 at 21:27
  • It seems you never heard of e.g. "Reverse Engineering" ... it's a huge huge topic, but for this question, reading some Wikipedia will be more than enough. In short, what the compiler produces is not magic. It can be read by your computer, so it can be read by humans too. And it's not even necessary to read it directly as there are many tools to help dissecting it. – deviantfan Jul 02 '18 at 21:50
  • Btw., as you write your binaries are "like Java bytecode", note that Java is pretty easy - there are fully automatic tools that get a well-readable Java source code from some compiled program, just with a few clicks. – deviantfan Jul 02 '18 at 21:51
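
The reported-checksum scheme from the question, seen from the service's side, as an added example that is not part of the original post or its comments. The byte strings are constructed stand-ins for VM builds, every function name other than `report_checksum` is hypothetical, and the nonce-bound variant goes beyond the scheme the question describes.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for VM builds; not real binaries.
OFFICIAL_VM = b"vm-build-1.0: anti-cheat enabled"
MODIFIED_VM = b"vm-build-1.0: anti-cheat removed"
OFFICIAL_DIGEST = hashlib.sha256(OFFICIAL_VM).hexdigest()

def report_checksum(running_binary: bytes) -> str:
    """Unmodified client: hashes the bytes it is actually running."""
    return hashlib.sha256(running_binary).hexdigest()

def patched_report_checksum(running_binary: bytes) -> str:
    """The edit described in the question: ignore the running bytes
    and return the value the service expects."""
    return OFFICIAL_DIGEST

def server_accepts_static(reported: str) -> bool:
    """Service-side check: the service only ever sees the reported string."""
    return hmac.compare_digest(reported, OFFICIAL_DIGEST)

# Nonce-bound variant (an addition, not in the question): the service sends
# a fresh nonce and expects HMAC-SHA256(nonce, official binary) back.
def server_new_nonce() -> bytes:
    return os.urandom(16)

def client_response(nonce: bytes, running_binary: bytes) -> str:
    return hmac.new(nonce, running_binary, hashlib.sha256).hexdigest()

def server_accepts_nonce(nonce: bytes, response: str) -> bool:
    expected = hmac.new(nonce, OFFICIAL_VM, hashlib.sha256).hexdigest()
    return hmac.compare_digest(response, expected)

if __name__ == "__main__":
    honest = report_checksum(OFFICIAL_VM)
    patched = patched_report_checksum(MODIFIED_VM)
    # Both reports are byte-for-byte identical on the wire.
    print("static check, honest :", server_accepts_static(honest))
    print("static check, patched:", server_accepts_static(patched))
    nonce = server_new_nonce()
    # A fixed or replayed value no longer passes, but the response is still
    # computed by code the user controls: it shows the client holds the
    # official bytes, not that those are the bytes being executed.
    print("nonce check, fixed value:", server_accepts_nonce(nonce, patched))
    print("nonce check, honest     :",
          server_accepts_nonce(nonce, client_response(nonce, OFFICIAL_VM)))
```
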

0 Answers