eSellerate Engine Hacked


FCCovett
2005.02.18, 11:11 AM
A couple of weeks ago, DanLab found on MSJ that there's a cracked version of the eSellerate (http://www.esellerate.net/) engine for the Mac circulating the web.

The cracked version comes with an installer and replaces the original engine. The effect is that ALL AND EVERY application that uses the eSellerate engine sees the user as registered.

I've contacted eSellerate's support and they say they are working on a new engine, but I was given no time frame.

If you've been using eSellerate to protect and register your application, you may want to consider other alternatives until they fully address this problem.

[edited by Carlos: Let's not post that URL]

MarkJ
2005.02.18, 12:55 PM
The cracked engine has been around for a while, and I'm surprised it took so long to come up with. It would be very easy to use APE to patch eSellerate_Validate() to always return true -- that would crack most apps right there.

But this brings up a good question about piracy. It annoys me personally to have my app cracked, but I also wonder how many sales I'm actually losing to people who would have bought my game anyway.

Danlab
2005.02.18, 02:24 PM
> It annoys me personally to have my app cracked, but I also wonder how many sales I'm actually losing to people who would have bought my game anyway.

You're losing more sales than you think.
People don't buy what they can have for free; it's human nature.

Zwilnik
2005.02.18, 05:30 PM
> You're losing more sales than you think.
> People don't buy what they can have for free; it's human nature.

Also, when they've grabbed it for free, they don't see any problem with letting their friends have copies, and so on and so on.

PowerMacX
2005.02.19, 12:12 PM
> But this brings up a good question about piracy. It annoys me personally to have my app cracked, but I also wonder how many sales I'm actually losing to people who would have bought my game anyway.

How about your site's wasted bandwidth? How many new downloads are caused by the "publication" of a cracked serial?

I'm thinking about entering the shareware business(?) and was this >||< close to choosing eSellerate.
Time to consider Kagi again? :???:

FCCovett
2005.02.19, 12:39 PM
BMT Micro seems to work well, although they don't have their own engine. The whole problem with eSellerate is that they've created one engine in one file that serves all applications in a given computer. That was poor planning. If each application used the engine inside of its own package, I think it'll be more difficult to circumvent it - one would have to open all application packages and replace the file in each one.

Anyway, they say they are working on a new engine that will address this problem.

Max
2005.02.19, 06:38 PM
What is that eSellerate engine? Is it some sort of copy protection? The shareware developers I have worked with use Kagi. Kagi has no engine. I guess it's better that way.

PowerMacX
2005.02.19, 06:47 PM
Kagi has its own engine (with a different pricing scheme), in Cocoa, Carbon & Java versions, but unlike the one from eSellerate, each application is independent. Even so, I think it will probably be a good idea to checksum the library/bundle/whatever before accepting any input from it.
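
The checksum idea in the post above, written out as an added example (not code from the thread, eSellerate or Kagi). It assumes the application ships its own copy of the engine and carries a SHA-256 digest recorded at build time; the file name `Engine` and the sample bytes are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream the file so a large engine binary is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def engine_is_trusted(path, pinned_hex):
    """Return (ok, reason); fail closed on anything unexpected."""
    if os.path.islink(path):
        return False, "engine path is a symlink"
    try:
        actual = sha256_file(path)
    except OSError as exc:
        return False, "cannot read engine: " + type(exc).__name__
    if not hmac.compare_digest(actual, pinned_hex):
        return False, "digest mismatch"
    return True, "ok"

def demo():
    """Constructed sample: original file, replaced file, then missing file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Engine")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"constructed original engine bytes")
        pinned = sha256_file(path)  # assumption: recorded at build time
        results = {"original": engine_is_trusted(path, pinned)}
        with open(path, "wb") as f:
            f.write(b"constructed replacement engine bytes")
        results["replaced"] = engine_is_trusted(path, pinned)
        os.remove(path)
        results["missing"] = engine_is_trusted(path, pinned)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The comparison runs inside the application, so it addresses the shared-file replacement described in this thread, not modification of the application itself.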

Najdorf
2005.02.19, 07:43 PM
I use eSellerate but without the engine... it's hard to port it to TNTbasic lol

Carlos Camacho
2005.02.20, 07:53 PM
FCCovett, since I was concerned for the welfare of the community, I mentioned this post on Apple's Mac Game Dev list. I'm hoping that either a solution, tips, or alternatives can be found.

The first reply that came in was...

> It doesn't sound like anyone posting really understands what eSellerate is or does. And any game author who uses a single boolean to see if the game has been paid for is just begging for trouble.
>
> eSellerate can deliver any number of things that could be much more "interesting" to try to circumvent. E.g. an essential library, or a signed key for decoding essential tables, etc...

If I get any direct emails, I will mirror them here.

Cheers,

FCCovett
2005.02.20, 09:34 PM
"It doesn't sound like anyone posting really understands what eSellerate is or does." This sounds a bit condescending.

There are always alternatives, but most are very time consuming. There's a trade-off between convenience and security, that's for sure, but we've seen many applications being cracked in the past. There doesn't seem to be one good solution to prevent that. For example, Aspyr decided that the player must have the DVDs in the drive in order for the game to launch. That decision seems to have been reached after what happened to Halo.

As indie developers with limited resources, we could barely afford to spend more time developing our own online registration and billing system. Also, there's a question of the customers trusting each single developer with their credit card information. In the end, using third-party distributors such as Kagi, eSellerate, BMT Micro, etc., just makes sense for the small guy.

Unfortunately, games will get cracked at some point. It's an endless battle.

PowerMacX
2005.02.20, 09:36 PM
That first reply was a direct mail? It doesn't seem to be on the list.

I find it interesting that this person used the word "interesting". :ninja:

Carlos Camacho
2005.02.20, 11:13 PM
Yes, a direct email. I didn't ask the person for permission to post here, so I removed the name. But I want to bring as much feedback to this discussion for the benefit of EVERYONE. (No intention to offend anyone, OK?!)

FreakSoftware
2005.02.20, 11:36 PM
I never did use eSellerate's serial numbers, though it did seem very useful.

ebflydave
2005.02.21, 02:06 PM
Please note that this crack does NOT affect all eSellerate engine-enabled applications. It only affects those applications that use eSellerate's serial number scheme and product activation system. If your application uses its own custom serial number and registration system and ONLY relies on the eSellerate engine for processing secure online purchases, then your application is NOT vulnerable to this crack.

This is one of the primary reasons that commercial and shareware developers should not rely on third-party serial number activation systems. By creating your own serial number/registration system, if it gets cracked, you can quickly blacklist the bootlegged serials and/or release new app versions with a revised algorithm. This way, you are not at the mercy of a third-party company, waiting until they patch their cracked system.

If you program your app to do its own validation/registration based on your own serial number system and then simply upload a set of your custom generated serial numbers to your eSellerate account, then you're only using the eSellerate engine for processing secure online purchases. Once a purchase is successfully completed, eSellerate's secure server can safely send one of your unique serial numbers back to the customer's application for your application code to process. This method does not leave your application vulnerable to eSellerate registration cracks since you're doing validation yourself and simply using the eSellerate engine as an e-commerce gateway.

Just thought I'd share in case there are eSellerate users on this forum who are looking to reduce their vulnerability without having to switch to a different e-commerce partner.
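
An added sketch of the app-owned validation and blacklist described in the post above (not code from the thread or from eSellerate). Assumptions: the serial is an order id plus a signature the app checks with a public key only, textbook RSA with a toy key stands in for a real signature scheme from a vetted library, and the blacklist holds hashes of leaked serials rather than the serials themselves. All names are hypothetical.

```python
import base64
import hashlib

# Toy key from two Mersenne primes, for illustration only (far too small to use).
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537                    # public half: compiled into the app
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private half: vendor side, never shipped

def _digest_int(payload):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % N

def _norm(serial):
    return serial.strip().upper()

def issue_serial(order_id):
    """Vendor side: sign the order id; the results are what gets uploaded to the store."""
    order_id = _norm(order_id)
    sig = pow(_digest_int(order_id.encode()), _D, N)
    blob = base64.b32encode(sig.to_bytes(27, "big")).decode().rstrip("=")
    return order_id + "-" + blob

def serial_hash(serial):
    """Blacklist entries are hashes, so an update does not republish leaked serials."""
    return hashlib.sha256(_norm(serial).encode()).hexdigest()

def validate(serial, blacklist):
    """App side: returns 'valid', 'blacklisted', 'malformed' or 'invalid'."""
    s = _norm(serial)
    if serial_hash(s) in blacklist:
        return "blacklisted"
    order_id, sep, blob = s.rpartition("-")
    if not sep or not order_id:
        return "malformed"
    try:
        raw = base64.b32decode(blob + "=" * (-len(blob) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    sig = int.from_bytes(raw, "big")
    if sig >= N or pow(sig, E, N) != _digest_int(order_id.encode()):
        return "invalid"
    return "valid"

if __name__ == "__main__":
    s = issue_serial("order-1001")       # constructed order id
    print(s, validate(s, set()), validate(s, {serial_hash(s)}))
```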

Carlos Camacho
2005.02.22, 03:28 AM
To discuss generating serials, follow this link:
http://www.idevgames.com/forum/showthread.php?t=8540

To continue the business discussion of payment systems for shareware developers, continue to post here.

Cheers,

MarkJ
2005.02.22, 03:40 AM
My post dealt with both. Oh well ;)