My sitelock script was hacked, how do I fix it?

Hello,

I’m making small webgl games and I sell licenses to gaming websites (currently only coolmathgames).

I use a script that prevents my game to be played on unauthorized websites, so it was quite surprised to found it HERE.

My script is inspired from the one coolmathgames sent me. I just call Application.Quit() to stop the game while coolmathgames is redirecting to their site using a jslib. I though that it was better not to use a jslib as they are easier to modify than the webassembly file.

I tested my script and it seems to works as intended. It doesn’t prevent the game to be iframed, though.

But the site that “hacked” my game didn’t iframed it, they are hosting it on their own servers. It should not be possible with my script. I don’t know how they did it. I didn’t found anything obvious on their site.

Obviously as the authorized domains strings are serialised somewhere in the game data, it is possible to edit it. But I didn’t think that they would bother doing that. I’m not sure how to do it myself, so I wasn’t able to check if they did it.

Here is my script

public class SiteLock : MonoBehaviour
{
    public string redirect = "https://mysite.com/";

    public string[] domains = new string[] { /* My urls here*/ };

    private void Start()
    {
#if (UNITY_WEBGL && !UNITY_EDITOR)
        if (!IsValidHost(domains))
        {
            Application.Quit();
        }
#endif
    }

    private bool IsValidHost(string[] hosts)
    {
        foreach (string host in hosts)
            if (Application.absoluteURL.IndexOf(host) == 0)
                return true;
        return false;
    }
}

Does someone know a way to sitelock a game that is more reliable than my script?

Welcome to the world of piracy! :eyes:

Strings are easy to change, and it‘s even easier to change a method that returns a bool to always return either true or false. In any language on any platform.

Best is to just accept it, or even go with it. For instance, do not protect your games at all. But still check domains and if it‘s not the right one display a message or hyperlink after an hour of play or so that encourages the user to actually make a purchase or whatever you like but do not lock them out entirely, maybe take away a bonus of some kind at best. That check could still be hacked away but most crackers won‘t even bother or play for an hour to begin with. That is far better than trying to play cat and mice, or rather lion and mouse given the fact that this trivial hack actually surprised you. :wink:

You will just waste time trying to prevent the inevitable. The best copy protection schemes are the ones that don‘t prevent plays but prevent the user from enjoying everything, like make them not progress to the past level or something like that but make it clear why this is happening. You don‘t want support issues because of that behaviour.