The company has tweaked its policy to counter potential "install-bombing" and clarified how titles on Xbox Game Pass and similar services will be impacted.
They could still abuse the latter if they use a VM to tweak the device fingerprint, and you know that’ll happen.
The other thing that was brought up, and is a good point, is that this will cause publishers to yank their games from anything like GamePass as the cost will be an unknown liability to them.
It’ll probably be much easier… In the end, Unity needs to call something to let them know there was an install, like
http://telemetry.unity.com?game=DiabloImmortal&deviceId=acb-123
After installing a game locally or on a VM / Sandboxie, someone will figure out how it works… Then you just generate a lot of calls, either call it locally or through a proxylist / botnet - and you have millions of installs.
Heck, I was thinking the same but “what do I need to block to ensure unity never sees my installs?”
That brings up a good point. If they were smart they’d encrypt the fingerprint payload so it can’t be easily spoofed. However, I thought I read that this was going to apply to already existing games. So short of the developers (laughably) issuing an update for existing games, how are they going to track installs of older games? And that’s probably easier to target for the lulz.
Unity aren’t exactly in the DRM business, and there is really no chance they’re going to do something silly like licensing Denuvo for every single one of their clients just to obfuscate a piece of analytics code designed to make them money; stuff’s far more expensive than what they’d earn from it. They’re not going to build something remotely Denuvo-like, the best you can hope for is obfuscation that only has to be cracked once that gets cracked in days.
My guess is they’re not even going to bother doing HWID-ish nonsense and will just hope that identifiers from the previous install hang around, which will often be the case on Windows PC anyhow (a little more complicated on other OSes). Hitting the uninstall and reinstall buttons in Steam doesn’t do much other than deleting the game’s files and re-running redistributable installers the first time you play the game.
But on Android/iOS where this is really targeted at, that approach simply doesn’t work. The only stable thing apps can get across a reinstall is the AAID/IDFA advertising identifiers and that can be turned off or changed at will. Either Unity has found a novel solution (which is a one way trip to Apple’s shitlist) or they’re just bullshitting this change to appease the population while not actually changing anything. Since they did their prep work so badly that they couldn’t even answer whether app updates would count, my money’s on the latter.
Last year Unity merged with ironSource - a “mobile monetization and distribution” company that was once blacklisted by Microsoft for developing and distributing actual malware. I’d assume the tracking is done via a product brought over from that side of the business.
If they do roll it out, there will be a vested interest in actually abusing it purely to highlight the absurdity. The legal fees alone from a company fighting the charges would negate a vast amount of any potential profit.
Which means they’ll probably drop ‘excessive’ install charges from anyone they think can actually take them to court and will instead focus on gouging smaller companies that can’t fight back.
Well sure, they would probably encrypt the payload, but they’d still have to add the encryption code / key in there to be able to do that.
It wouldn’t be as easy as just finding the correct url and calling it loads of times, but someone cracking the game would already be deobfuscating and reverse engineering the code anyways to patch out the DRM.
So figuring out how Unity “calls home” and replicating it can’t be too complicated.
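Seen from the receiving side, the scripted install reports discussed in this thread leave a recognisable trace in the request log. The sketch below is an added example, not part of the thread and not Unity's code; the log format, the thresholds and all sample values are constructed, and the URL shape is the hypothetical one quoted above.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: "<unix_ts> <source_ip> <request_url>", sorted by time.
# The URL shape is the hypothetical one quoted in the thread; values are made up.
SAMPLE_LOG = """\
1000 198.51.100.7 http://telemetry.unity.com?game=DiabloImmortal&deviceId=acb-123
1005 198.51.100.7 http://telemetry.unity.com?game=DiabloImmortal&deviceId=acb-123
1010 203.0.113.9 http://telemetry.unity.com?game=DiabloImmortal&deviceId=f00-001
1011 203.0.113.9 http://telemetry.unity.com?game=DiabloImmortal&deviceId=f00-002
1012 203.0.113.9 http://telemetry.unity.com?game=DiabloImmortal&deviceId=f00-003
1013 203.0.113.9 http://telemetry.unity.com?game=DiabloImmortal&deviceId=f00-004
4000 192.0.2.44 http://telemetry.unity.com?game=DiabloImmortal&deviceId=zzz-999
"""

def parse_line(line):
    """Return (ts, ip, game, device_id); raises ValueError/KeyError if malformed."""
    ts, ip, url = line.split(maxsplit=2)
    query = parse_qs(urlsplit(url.strip()).query)
    return int(ts), ip, query["game"][0], query["deviceId"][0]

def review_installs(log, window=60, max_new_ids=3):
    """Count each (game, deviceId) pair once and flag any source that reports
    more than max_new_ids previously unseen device IDs within `window` seconds."""
    seen = set()
    new_by_source = defaultdict(list)   # ip -> timestamps of first-seen IDs
    flagged = set()
    for line in log.splitlines():
        try:
            ts, ip, game, device_id = parse_line(line)
        except (ValueError, KeyError):
            continue                    # skip blank or malformed lines
        if (game, device_id) in seen:
            continue                    # repeat report of a known install
        seen.add((game, device_id))
        new_by_source[ip].append(ts)
        in_window = [t for t in new_by_source[ip] if ts - t < window]
        if len(in_window) > max_new_ids:
            flagged.add(ip)             # burst of new IDs from a single source
    unflagged = sum(len(v) for ip, v in new_by_source.items() if ip not in flagged)
    return {"unique": len(seen), "flagged": flagged, "unflagged": unflagged}

if __name__ == "__main__":
    print(review_installs(SAMPLE_LOG))
```

A per-source threshold like this only covers reports arriving from one address; reports spread across many addresses need signals other than the source IP.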