2018-11-22 06:18:07

I really think, if it didn't mean sacrificing a bit of security, that this is further proof that a developer or developers should just make a template automated key generation system that's open source, and then a developer can work off that. I'm not just saying that for Manamon specifically, but any game. I'm quite sure, while I'm not directly trying to speak for Aaron here, that there is no key replacement system because it takes time to code. Justin had a good thing going when he connected an unlock code restore on his site to the email address records used for purchases. If such a set-it-and-forget-it approach could be made, then this would almost never be a problem as long as a developer deployed it, which wouldn't take much time.
That said, I do agree that it is essential to back up your keys, and ultimately it's your ass on the line if you lose your key. Realizing that there is a first time for everything, but like Aaron said a second key replacement is almost never given, so I should hope you would've learned your lesson by the first screwup. Folks, there is literally no excuse whatsoever. A text file will almost never accumulate up to 1 MB, let alone require a hard drive. Needless to say that a hard drive is an absolute must-have, and we're in an era where you can get an 8 TB hard drive for a little over 200 bucks. Is it really too much to ask to buy even one 500 GB backup drive? Come on!
Note that I can't speak for international markets and their pricing, so as far as I'm concerned, I won't presume anything, considering the obvious pain-in-the-ass exchange rate and region restrictions. Then again, failing hard drives, you have the cloud of course.
As for email, I agree - it is almost never necessary to delete emails in this day and age. Gmail gives you 15 GB to accommodate emails, which is more than enough even if your spam folder is filled to the brim.

2018-11-22 07:21:55

I have lost registration keys before, so I started making .txt files to keep track of keys. What Jack said totally makes sense. As to moderators, I think we all forget sometimes about asking for key sharing, so my apologies, as I myself have done it. So, let's all move on and do what this forum is for: discussing audio games!

2018-11-22 08:42:43

@Aaron Baker:
A friend of mine has bought one of your games, lost his registration key, and contacted you to get a key replacement, and you replied that you don't do key replacements. Because of this, he and a lot of other people from my country will never buy games from you again. Just mentioning...

Best regards SLJ.
Feel free to contact me privately if you have something in mind. If you do so, then please send me a mail instead of using the private message on the forum, since I don't check those very often.
Facebook: https://facebook.com/sorenjensen1988
Twitter: https://twitter.com/soerenjensen

2018-11-22 18:06:36

@SLJ I'd need to know who it was. Like I said, I almost always try the first time. It is possible they weren't able to give me enough information to locate their information at all. But I will also point out, when purchasing, everyone is duly warned that key replacements aren't guaranteed, and to back them up.

2018-11-22 19:52:24

Ok, let me tell you my personal opinion. It's up to you if you agree or not, so don't get angry at me.
If we buy something, we are responsible for taking care of what we've bought. In my case, this applies not just to audiogames, but to any piece of software or hardware that I purchase over the Internet.
I'm not just keeping backups of my purchased keys on my hard drive, but also I'm keeping emails on my GMail server containing registration keys in a special GMail folder. I've bought it, and I don't wanna lose it. Simple as that. This ensures that I will be able to get to my keys in no time in case of hard drive failure or if my PC explodes and what not. Especially if I buy something for 40 dollars and more. And I've been taking it seriously since my first online purchase in my life.
I'm not the type of person who thinks: Well, I don't care if I lose the key, the developer will re-generate it for me. I simply don't want it to happen, because the game may sooner or later be sold to some other developer (Q9 is a good example), discontinued, etc. That's what has been happening for years and years, especially in the audiogame industry.

2018-11-22 20:49:25

Hello Freedom Scientific I lost my Jaws dongle u will geeve me free dongle replacement I pay good money for this dongle...what you say you won't giv me dongle replacement ok fine I sue ya! And i spread bad rumors about you!
Ok, all kidding aside, basically Hrvoge nailed it. You buy something, you're responsible for it. This is why you don't take spending high amounts lightly. As for the joke, I was gonna use the diskette gag, but boy were those things legitimately problematic. Couldn't even move the thing without risking corruption. At least for me, the USB diskette drive started grinding on one of my Jaws authorization diskettes.
Anyway, back on topic.

2018-11-22 21:33:06 (edited by Ethin 2018-11-22 21:38:54)

@AronBaker, I can't help but notice you attempting to attribute -- or compare -- your games to the video game market. I'm sorry to inform you that the audio games industry is not the video games industry, and most video game developers don't offer license keys, but instead distribute via a platform like Steam, where the games can be re-downloaded and whatnot for as long as the customer needs, and as many times as the customer requires. For you folks preaching the backup rule, while the rule is generally a good thing to follow, what happens if your backup drives fail? What happens if that cloud storage provider you use goes out of business and you lose all that data? You can't just buy 10000 hard drives and set up a RAID array to back up everything to -- I doubt very many people in the community have the money for a reliable RAID array anyway. So while the back up everything is a good idea, you must also factor in the fact that, while it is the customer's job to ensure that they don't lose information, it is the vendor's job to ensure that they don't, either, and can provide the customer with the data the customer requires if the customer is unable to reacquire the data themselves. It doesn't matter who you are or how powerful or popular you are; if you rebuff users and blame them for losing data when the loss of such data may be out of their control, or their backup disks or services may have failed, and they don't have the money to pay for a drive data recovery service, you're going to lose customers. Period. As such, if a customer loses an activation dongle (perhaps in a flood, fire, or whatnot), you are obligated to replace it, or lose that customer. If a customer's email provider starts to instigate a filter that deletes emails after a specified number of days, and the customer does not have the resources to set up a backup system of their own, you are obligated to supply them with a replacement key, or lose that customer. There is no alternative.
Just because I back up my entire computer to a million disk drives does not mean that those million disk drives won't fail in the near future, perhaps because Caveat Emptor set in, and I was unaware of a hardware fault in the drives and, as I am not a drive technician, can't be expected to know that. It does not mean that, because my data is spread across millions of drives, it will never go away, or never be lost.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

2018-11-23 07:27:38

While there is no true way to prevent drive failure, precautions can be made.
1. Don't buy a cheap 8 TB drive. Seriously, just don't. Chances are it's a mass-produced, cheaply manufactured drive that is bound to die sooner or later.
2. Get a manager program - Hard Disk Sentinel comes to mind. It can't provide near exact usage stats like an SSD's firmware can report, but it will at least give you predictive warning signs. In either case, you will hopefully at least hear the drive grind while spinning before you actually are faced with a drive failure, but still the sudden crash and burn is bound to happen. Seriously, a computer and two hard drives at least are better than one internal. Mechanical volume storage is available so affordably it isn't even funny. It's not like you really need a speedy drive anyway if all it is is a backup drive, hell, even a 5400 RPM would do while not recommended. It is probably not possible that all three of your drives would fail at the same time if you had them. Plus, can I stress enough, Gmail gives you 15 GB for email so I cannot count a single time where I actually went ahead and deleted a message on purpose. Why? I never ran out of space. Realizing that normally your email provider of choice is ultimately down to you, if you search on Google, then what's holding you back from getting a Google account?
As for Steam, while yes you are indeed correct on the DRM front Ethin, I would say that that just opens up another can of worms altogether. Remember when Windows Live music ended support, and people could no longer retrieve their master keys for their DRM-protected files? Yeah, that happened. Not everyone promises an offline solution should they close their doors. Of course, a company like Valve would never be able to get away with that as it would quite obviously screw many game developers over. And keep in mind that while video games do use DRM, software programs still rely on registration keys. Like I said, this could use a lot more shift towards some open source work here. I could get behind a template key replacement web portal that developers could simply integrate, then they wouldn't have to worry about manual key generation.

2018-11-23 08:24:14

@33, true, but we'd need all of those who integrated it to customize it for their own purpose so no one could figure out the full algorithm used, or at least have a missing key ingredient.


2018-11-23 09:27:51

@Aaron Baker: It doesn't matter that much who I am talking about. I could tell you that, but he is mad because of the bad support he got from you. He has used the same mail address since 2005 I think. I won't go into personal details here on the public forum, but I can ask him to contact you, if you wanna get it sorted out.
What really matters is: He has told a lot of people about his situation, and said they can't get their keys back if they are lost. That is true, at least in his situation. That makes a lot of people not buy your games.
Personally, I'm not having any issues, because I always back up all my keys. But I do get why people are feeling upset if they haven't got a new mail address since their purchase, and they just get a reply back that you don't make key replacements.
Such bad stories can seriously harm a company, which is even more critical in a small community. It wouldn't matter that much in a mainstream market, but it does matter in the small blind community, because it's much smaller than in the mainstream market.

Best regards SLJ.

2018-11-23 17:38:33

There's a fairly good point to be made here.

On one hand, I think it should be up to us to expend reasonable means to back up and store our stuff. Reasonable, however, depends on your means. Some people don't have the money for an external drive, or aren't savvy enough to think it's necessary.
But then, there's the developer angle. When you provide a replacement key, it's a pain in the neck, but the net cost to you is nothing, as far as I'm aware. You are literally just allowing someone to re-access a product they have already bought. If you want to alienate customers, go ahead and selectively institute a no-key-replacement policy alongside a price tag which is among the highest I have ever seen for an audio game. I think this is bad business practice, and don't even get me started on all the design decisions that have plagued this developer in particular. The point is, even reasonable means sometimes fail, and I don't think it's unreasonable that a player should be able to come to you and say "Hey so-and-so, I'm really sorry to do this to you but my hard drive busted/I got a new machine, and I love your game, and can I have a replacement key please? I'm really sorry I don't have a backup of my original key or email or whatever". And if you want to keep that customer a happy customer, you do a couple of minutes of legwork and give them a key. End of story. Failure to do so, in my opinion at least, speaks to a lot of negative characteristics which good developers shouldn't have, or at least shouldn't have too much of.

Now, with that out of the way, I started with responsibility for a reason, and I do realize that replacing people's keys is annoying. That said, I think some sort of software which could automatically validate your details and send you a new key is a good idea. It would take the work out of it for developers while simultaneously offering greater support to players. If I somehow lost my registration info for Manamon and Aaron refused to replace my key - he replaced my Paladin key no problem, by the way - I would immediately and without a backward glance simply stop playing Manamon and stop supporting the developer. This is true for any other game I pay a fair amount for and expect good support from.

Now I'm going to get personal to Manamon for a moment. I hope this doesn't offend, but I think it ought to be said.

Aaron, just a thought. If you don't want to add to the game anymore, don't want to support it anymore except for the fixing of bugs, then why exactly do you think you still deserve forty bucks from everyone who hasn't gotten the game yet? When the game was new, and we thought you might address a lot of your balance and other concerns, forty bucks was both a purchase and something of a promise of faith. "We're giving you this money because we expect that it's paying both for the game and for that game's continued improvement". And then the majority of that improvement never came. Most manamon are unbalanced in some fashion. Moves can't be taught except by level-up and a couple of niche items. Some items, attacks and manamon are utterly broken and simply not worth using. The script is littered with literally hundreds of spelling and grammar errors. There is virtually no post-game. Trading or battling requires a lot of business with port forwarding which is poorly explained in the manual and rather unfriendly to those who don't know what they're doing. There is no metagame to speak of and probably few to no online battles occurring. For me, at least, I view this as a broken promise of sorts. It wasn't a promise you explicitly made, but one you implicitly did by charging that price for your game. I will never suggest that people crack the game or try and steal keys or whatever - that's not ethical - but if you really don't have the time, the desire or the inclination, or dare I say even the skill, to make this game better than it is, why not abandon it, or drop its price significantly, that way people who still wish to enjoy it can do so at a reduced price, with the understanding that this is essentially as good as it gets? I really can't stress this enough.

Check out my Manamon text walkthrough at the following link:
https://www.dropbox.com/s/z8ls3rc3f4mkb … n.txt?dl=1

2018-11-23 17:54:22

I have to agree with Jade here. I'd be much more inclined to buy all the VG Storm games if they were reduced in price, as they are no longer being supported. Aaron has told us he will never, for example, adjust the dragon strike scrolls in Paladin. If that is the case, then why still charge a fee for it if you are not willing to support it? Having said all this, I am not suggesting sharing or cracking the game. I am also not suggesting attacking this developer, or any developer, for that matter. I may have different opinions as a consumer on how I think things should be done, but it is what it is, and we can either support it or not, but slander is not the way to go.

2018-11-23 21:06:53

I'd be happy to write the initial algorithm/system myself. At least, to generate keys. But other than generating new keys, I'd need to know other features you guys might want. Something like this isn't going to be easy, at least it won't be if we want to make it secure as well.


2018-11-24 00:52:32 (edited by defender 2018-11-24 00:55:46)

@Jade
Just wanted to say that I think your moderation in this topic has been very reasonable. Good job.


And I agree. The price shouldn't be so high anymore if gameplay/balance issues and improvements are not planned.
Even a one month Dec 1 to Jan 1 half off sale for the holidays would help people afford it who have been wanting to...

2018-11-24 02:55:11

My initial thought is a DRM system like AHC uses, where you have an online account at a website, and that account determines which games you can play. With this system, rather than entering your name and a registration key, you enter a username or Email address and a password, the game logs into that account, and checks if it's authorized for that account. The developer can decide how many computers can be activated at a time. Every so often (not every time, probably random), the program phones home to make sure its license is still valid. The developer can allow a fixed number of activations, or what I might call "Reasonably Unlimited Activations." With this scheme, activations are normally allowed, unless the system sees an excessive number of activation attempts in a short period of time, or an activation from a geographic area far from where other activations have happened. In this case, the activation is possibly provisionally allowed, but the developer is alerted, and contacts the customer to see if there's a legitimate explanation for the recent activity, e.g. lost all computers in a natural disaster, moved to another country, etc., or if it's a simple case of attempted account sharing. Any previously-issued software license can be revoked by the developer if it's suspect, or possibly by the customer if they've had a computer stolen, etc. When that copy of the program next checks in to validate its license, it gets told the bad news, and reverts to trial/demo/unregistered status until a new license is supplied.
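The "reasonably unlimited activations" policy described above, written out as an added example (not the poster's code or any product's): it replays an activation log and flags the two conditions the post names, too many activations in a short window and an activation far from every earlier one, as "review" rather than a hard block. The thresholds, the field names and the sample log are assumptions constructed for this example.

```python
"""Activation-policy check for an account-based licensing server.

Added example, not code from the post above or from any product it names.
Thresholds, field names and the sample log are assumed/constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_ACTIVATIONS_PER_WINDOW = 3   # the 4th activation within the window is flagged
WINDOW_SECONDS = 24 * 3600
MAX_PLAUSIBLE_KM = 2000.0        # farther than this from every prior activation


@dataclass(frozen=True)
class Activation:
    account: str
    ts: int      # unix timestamp of the attempt
    lat: float   # approximate location (e.g. from IP geolocation)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(history, new):
    """Decide on one new activation given the account's earlier ones.

    Returns (decision, reasons). "allow" means activate silently;
    "review" means provisionally allow but alert the developer, which is
    the behaviour the post proposes rather than a hard block.
    """
    prior = [a for a in history if a.account == new.account]
    reasons = []

    recent = [a for a in prior if 0 <= new.ts - a.ts <= WINDOW_SECONDS]
    if len(recent) + 1 > MAX_ACTIVATIONS_PER_WINDOW:
        reasons.append(
            f"{len(recent) + 1} activations within {WINDOW_SECONDS // 3600}h")

    if prior:
        nearest = min(haversine_km(a.lat, a.lon, new.lat, new.lon) for a in prior)
        if nearest > MAX_PLAUSIBLE_KM:
            reasons.append(f"nearest earlier activation is {nearest:.0f} km away")

    return ("review" if reasons else "allow"), reasons


def process_log(log):
    """Replay a log in time order; returns [(activation, decision, reasons)]."""
    history, results = [], []
    for act in sorted(log, key=lambda a: a.ts):
        decision, reasons = evaluate(history, act)
        results.append((act, decision, reasons))
        history.append(act)   # every attempt stays in history, even if reviewed
    return results


# Constructed sample log: alice activates two machines at home (London),
# then one from Sydney; bob activates four times within half an hour.
T0 = 1_700_000_000
SAMPLE_LOG = [
    Activation("alice", T0, 51.50, -0.12),
    Activation("alice", T0 + 3600, 51.51, -0.10),
    Activation("alice", T0 + 7200, -33.87, 151.21),
    Activation("bob", T0, 40.71, -74.01),
    Activation("bob", T0 + 600, 40.71, -74.01),
    Activation("bob", T0 + 1200, 40.71, -74.01),
    Activation("bob", T0 + 1800, 40.71, -74.01),
]

if __name__ == "__main__":
    for act, decision, reasons in process_log(SAMPLE_LOG):
        print(f"{act.account:6} t+{act.ts - T0:5}s  {decision:6} {'; '.join(reasons)}")
```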

2018-11-25 17:52:02

That is exactly what I'm thinking. The name/key system is so dated and primitive it's not even funny. It's arguably the easiest system to deploy, yet it is often encouraged as a set it and forget it approach because there is no automated ability for key replacement as it were. Again, some collaborative work can really go a long way here. I think Jason and Ethin had the same idea of an account-based system. Granted, that system is probably as apparently easy to crack as the former, but if account info has been passed around and there's an incessant number of activations, the system can start to ask questions and then the dev can be notified. This is further proof as to why we really need a distribution hub. Guidedog Games could use some improvement and some more acceptance among devs, other than that it is the right idea as far as I'm concerned. Granted, the only people using it are the very developers who made the thing. But once they fix the persistent online authentication, the thing will be a lot easier to deal with.

2018-11-25 18:02:03

@jack, I wouldn't really say that the name/key system is outdated. It's more that it's implemented incorrectly, leaving applications insecure and vulnerable. Either someone uses the wrong encryption or hashing algorithm, or they try implementing their own crypto scheme (which backfires horribly), or they try to do something weird by (for example) repeatedly encrypting or hashing the same thing over and over to attempt to make it harder to crack. By the hashing/encrypting the same thing bit, I mean they'll do something like:
encrypt(encrypt(encrypt(encrypt(data))))
Or
hash(hash(hash(data)))
This kind of scheme doesn't make your application any more secure. In fact, it can make it even less secure. The name/key system can be used, but you need internet activation, and you need to do it right. I can try and whip something up to figure out how I might do it, and then show you guys. Mmm....


2018-11-25 19:54:43

The main issue i see with internet activation is that if the dev’s site goes down, well, you’re pretty much fucked. Even if it doesn’t try to phone home every time you launch, it’ll have to eventually.

2018-11-25 22:37:56

@43, that's always a risk with internet activation. But that's literally the only way to prevent people from usurping the system and cracking it relatively easily. It certainly isn't perfect, and people have found ways around it, but it's the best defense we have so far.


2018-11-26 01:06:48

That's what I meant. I'd love to see another Software Passport/Armadillo to bring that kind of thing to Windows 10, maybe even crossplatform. The original Armadillo didn't have anything server-side out of the box, but they encouraged setting it up with, at the time, your ordering system, to have the Armadillo key generation server-side and automatic. Problem is if it's open source people could see the encryption algorithm and a skilled person will obviously crack it based on found evidence, and the problem is that technically they are absolutely entitled to that if it's open source. Big problem for developers then. Liam has a good thing going with Penelope's license activation, I know that. Something with nanomites in would really be something, those were certainly enough to frustrate crackers. Those injected bits of the Armadillo shell into the program's code like malware when clearly it isn't malware, but what would happen was that certain program functions could be doctored into springing a license check. If the Armadillo-protected program is still in its shell, and the program is licensed, you're fine. But if someone decrypts the program and removes the Armadillo shell, they'd be taking part of the program with it, and if a program function triggered a validation check, you were more than screwed. The program would supposedly crash completely. The nanomites were only available in custom builds of Armadillo, and rightfully so. Custom builds also flipped the configuration options around, so that on the outside no two user interfaces would look the same, but the inner workings of the program were thus changed, making the program harder to decrypt than a standard professional edition.
Screw you Digital River. Take a fine program, acquire it only to use it as a marketing ploy to push people to your e-commerce system, then kill the consumer project. Nice bait-and-switch, jerks.

2018-11-26 01:47:05 (edited by Ethin 2018-11-26 04:54:22)

@45, not really. If we use something like a keyed hash algorithm like Argon2i, or encrypt the license data with an AEAD encryption algorithm like AES-256-GCM, and generate the key based off of random data that we ask the operating system to retrieve, and encode that data as base64 and use that as the product key, the client can send what the user enters for their license data back to the server, and the server can decode, decrypt, and verify the license data's authenticity. I'm no cryptographer, but I can probably try to whip up a minimalist command-line license key generator in C++ in about an hour, though that's a major guess.


2018-11-26 04:55:59

Let's not forget that there are plenty of open-source encryption packages out there. Anyone can look at the source code, and a sufficiently skilled cryptographer could look at it bit by bit, and determine how every last line of the program works, and what it does, in every detail. It's not the source code of the implementation that needs to be kept secret, it's the key material. For instance, in a public key cryptosystem, users need to keep their secret keys confidential. Same ought to go for a registration system. Design an open-source system where the first thing a new developer does is to generate new, random key material which he keeps confidential. Then a would-be cracker can download the registration system, study it in great detail, know all its internal workings, and yet still not be able to fake keys for an actual protected application.

2018-11-26 07:31:50 (edited by Ethin 2018-11-26 07:34:56)

@47, true. One way we could do this is by using an algorithm like XChaCha20Poly1305. No, I'm not abandoning AES; however, AES relies on hardware to make it fast, and if that fails it resorts to software. And AES encryption at the software level is incredibly slow compared to it running directly on the processor. XChaCha20Poly1305 is, so far as my research indicates, just as secure as AES, with the bonus of being fully software based, and much faster than AES. So, any thoughts on a resource like this:
* A developer downloads this open-source web activation framework
* In the download is the source code to both the framework as well as a little tool. The developer compiles everything.
* The developer runs the tool and is issued two things: a private key and a public key. Here, we use public key encryption to generate license keys: the developer logs into the system with his private key and is able to generate license files (which are just public keys).
* The developer receives a purchase and issues a public key license file. The customer downloads the public key file (encoded in hex, base32 or base64) and runs the app.
* The app does two things at this stage:
First: the app runs a hash of the public key, authenticates with the server and requests a hash validation. If the server responds in the affirmative, then the public key is considered an authentic public key -- that is, the app knows that the public key was issued by a trusted party; otherwise, the app rejects the public key and pops up some kind of error message stating that the license is invalid.
Second: the app decodes the public key, deserializes it, and reads it into RAM. It then sends a request to the server to verify the details of the public key with the server. If the server, again, responds in the affirmative, the key is considered truly authentic, and the app is considered activated.
Of course, all data transmission would be sent over a TLS 1.2 (or if possible, TLS 1.3) connection between the client and server, using the best encryption algorithms available. Hell, we could even make the framework scriptable, if we wanted to. But that's my general idea of how a system like this might work. I'd be happy to attempt to make a proof-of-concept using the cryptography library I am currently enjoying using. At least, the server part. The only downside to this idea is that it would not work in BGT. But the whole point of this system -- or at least one of its points -- is to utterly eradicate BGT's influence as much as possible. BGT is far too insecure and far too easy to manipulate and retrieve data from for this system to function with it.


2018-11-26 19:57:48

Update: My proof-of-concept I spoke of in 46 is available. It's not the POC in 48, but the name/key system I spoke of in 46. We should probably move this discussion to the developers room, as well. A sample run of my app follows (a license key identifier is anything you'd like: name, email, ...):
Enter license key identifier:[email protected]
Generating a 32 byte key... Done
Determining maximum length for IV...192 bits
Generating license key with system RNG for IV... done
License key: ICFBXUJ22MOTL23RK4UR3GILATB3GWKRGWGAC64VVZGZNSTM-7eQw9wipn1Hsulx1Q59pkdYeuRZwNIVmHzVmG5ripUTTnqM1iXhU4Br3MgEAruQMpL+NhhBhTxpTMQ9+Xv9Jxg==
The license key is made of two parts, separated by a dash: on the left-hand side is the base32 encoding of the XChaCha20 encryption of the license key identifier. For the purposes of this test application, the IV and key are randomly generated and not displayed, making decryption impossible, but the whole point of this app was to generate a basic POC. On the right-hand side of the dash is a 512-bit (64-byte) Blake2B hash of the encrypted data.
I could very easily make it possible to decrypt license keys by using something like a PSK database. For now though, that's what I have so far. What do you guys think?

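An added example tying together the post of 2018-11-26 04:55:59 (only the key material needs to stay secret) and the proof-of-concept above; it is not the poster's POC or any project's code. It keeps the shape of the sample key (identifier part, dash, Blake2b part) but keys the Blake2b value with a secret the developer generates once and keeps on the server, so the source can be public and a tag still cannot be produced without that secret; a hash over data the client can see, with no key, could be recomputed by anyone and proves nothing about who issued it. The key layout, the 32-byte tag size and the function names are assumptions of this example.

```python
"""Keyed-hash license keys where only the key material is secret.

Added example, not the poster's proof-of-concept or any project's code.
The key layout, tag size and names are assumptions of this example.
"""
import base64
import hashlib
import hmac
import secrets

TAG_BYTES = 32   # 256-bit keyed Blake2b tag (Blake2b allows up to 64 bytes)


def generate_secret():
    """Run once per developer install; store the result server-side only."""
    return secrets.token_bytes(32)


def _b32(data):
    """Base32 without '=' padding, so the dash stays an unambiguous separator."""
    return base64.b32encode(data).decode("ascii").rstrip("=")


def _unb32(text):
    """Inverse of _b32; raises ValueError (binascii.Error) on bad input."""
    return base64.b32decode(text + "=" * (-len(text) % 8))


def issue_key(secret, identifier):
    """Server side: bind the identifier (name, email, ...) to a keyed tag."""
    ident = identifier.encode("utf-8")
    tag = hashlib.blake2b(ident, key=secret, digest_size=TAG_BYTES).digest()
    return f"{_b32(ident)}-{_b32(tag)}"


def verify_key(secret, license_key):
    """Server side: return the identifier if the key is genuine, else None.

    The client forwards what the user typed and never holds `secret`, so
    this is the online check the thread discusses; the secret cannot be
    shipped inside the game.
    """
    try:
        ident_part, tag_part = license_key.split("-", 1)
        ident = _unb32(ident_part)
        tag = _unb32(tag_part)
    except ValueError:            # missing dash or non-base32 input
        return None
    expected = hashlib.blake2b(ident, key=secret, digest_size=TAG_BYTES).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        return ident.decode("utf-8")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    dev_secret = generate_secret()
    key = issue_key(dev_secret, "user@example.invalid")
    print("issued:      ", key)
    print("verifies:    ", verify_key(dev_secret, key))
    print("other secret:", verify_key(generate_secret(), key))
```

Because the secret must stay on the server, verification here is an online step, which is the trade-off the thread discusses; an asymmetric signature (public key in the client, private key on the server) would allow offline checks but needs a library outside the standard library.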