Day of Dragons’ Killswitch: How it Works and Why it’s Wrong

Day of Dragons is a Kickstarted game released on Steam Greenlight that has seen difficulties as of late, and I wanted to chime in. Before we get started, though, allow me to make something clear: I do not hate the game, I do not hate the developer, nor do I hate the community, despite anything you might hear to the contrary. If anything, I believe the developer in question (who I’ll refer to as Jao, which appears to be the handle he uses for this game) is merely in over his head and needs some guidance. I am an indie developer myself, so I would like nothing more than to see him succeed. I would be more than happy to talk with him and help him along.

The problem I do have is not with the game nor the community, but with how Jao has reacted to critique. I am not going to waste any time reviewing the game, as I have not personally purchased it as of the time of writing. There are plenty of reviews out there describing the content of the game and the problems reviews have found, but I am not going to repeat them, as this article is not a review.

Instead, I would like to focus on the more technical aspects of the game, particularly the SteamID license revocation system that Jao introduced, and attempt to explain it so that lay users can understand it and the implications of it. I will also discuss common misconceptions.

Yoink, You Paid $20 for a Brick

One of the biggest controversies surrounding Day of Dragons is that Jao appears to have locked certain players out of being able to play the game at all, including offline play.

For background, several prominent YouTubers (IGP, IcyCaress, and others) made videos about this game and were, in general, not impressed. Looking around the Unreal game engine’s Marketplace (where you can purchase pre-made asset packs), it was discovered that the game had been made with pre-made assets and almost no unique code nor assets were used. It is important to note at this stage that several YouTubers displayed two lines of C++ header code on their videos to demonstrate there were some changes made. This code, however, was not extracted from the game themselves, but instead came from a third-party blog, and they made this clear in their videos. I will discuss what a header is later on in this article.

Later, when launching the game from Steam during a stream, YouTube game reviewers IcyCaress and another YouTuber (possibly IGP) noticed that the game prematurely “crashed” before even displaying a menu. Getting suspicious, they experimented for a bit and determined the game would crash if launched from their publically-known Steam accounts, but not if launched from another account. To determine if this was done on purpose, they opened the game files in a hex editor and were surprised to find their own SteamIDs (a SteamID is a unique account number), as well as SteamIDs of other YouTube reviewers, standing out from the gibberish. SidAlpha was able to confirm this on his account, as well.

In theory (I don’t own a copy of the game, nor do I possess samples with which to examine), you’d try to start the game. Before doing anything else, the game would obtain your SteamID from Steam, and check if it’s in the list of blacklisted accounts. From the behaviour I observed, it would then silently exit to desktop if it matched your ID against an ID in the list. In effect, the game would simply kill itself before you could do anything meaningful with it.

Reaction

Before we get into the nuts and bolts of how Jao tried to justify this, I just want to inject my own reaction as an indie developer.

You should never, ever treat your customers like this, and I wouldn’t be surprised if there was even a law or FTC regulation against this sort of behaviour. Ethically speaking, it’s an enormous dick move, and effectively burns any bridges behind you. By doing this, reviewers are not offered any chances to watch your game evolve into a more developed state, regular customers are removed from their legally purchased game, and you just generally look vindictive.

Secondly, from a technical standpoint, this is absolutely pointless and can be defeated in 5 seconds by searching for your SteamID and replacing every digit with a “0” . I could write a script in PowerShell or Bash that could do that relatively easily, if I were so inclined.

Third, this is self-defeating: If Jao was hoping to improve his image on Steam, he did the opposite. Reviewers are all over the game, tearing it from limb to limb for this kind of crap.

Enough with my ire, though, let’s see how Jao handled this.

Jao’s Statements

In a statement released later, Jao claimed the ban was done because the users in question were “reverse-engineering” the game. This is patently untrue, as the original videos that he banned them for used code that was not extracted by the banned users in the first place, and the code posted wouldn’t work anyway, as it was two lines from a C++ header.

“Headers”, in programming terminology, are what you can think of as a table of contents: You get a name to call that code by, some information on what you need to send to that code (arguments), and what you might get out of it when it runs (return type), but nothing about the actual content of that code. So, in effect, what was displayed on screen was more of a bare description of what was in there, similar to a citation in a paper.

A sample header
A header in Dwarf Fortress isoworld’s AGUI code (BSD license)

Developers find headers to be useful, and they’re usually exposed on purpose so that external code can make use of them. For instance, Windows has a Software Development Kit (SDK) that has a load of headers that Windows software developers can use for making applications, and you cannot make a Windows application in some languages without them.

The next assertion was that the later hex-editing analysis also constituted reverse engineering and even decompiling, further justifying his ban.

A hex editor is a program specifically written for reading files consisting of binary data rather than text. Files (even text files) are stored on disk as a series of bytes, each byte being 8 bits in size. A bit is a single binary 0 or 1. So, each byte is handled as an individual unit in a hex editor, displaying it by default as a two-digit hexadecimal number (also known as base 16). For example, the byte 00000000 has a base-10 decimal value of 0, and a base-16 value of 00. A byte with the binary value of 11111111 has a base-10 decimal value of 255, and would be displayed as the base-16 hexadecimal number FF. However, to make analysis even easier, hex editors often have a third column displaying what each byte would look like if it were interpreted as an ASCII character code, letting you see any strings of letters embedded in the binary code.

What a hex editor looks like
How to know a file is a PNG.

The end result is that you can open any binary or even text data, no matter what it is, in a hex editor. This includes, in our case, a memory dump of the running game.

This could be construed as reverse engineering, as it involves trying to work out what the binary is doing, but the guys in question don’t appear to have much background in RE and were just looking to see if their SteamIDs appeared in the binary, so I don’t really think it counts. The analysis on the stream in question was what is called a black-box analysis: You have no idea what’s in a box, but you can work it out from how it behaves when given particular inputs.

On top of this, I need to drive home an important point: Reverse engineering and decompiling are not necessarily bad things. My entire career has been built on reverse engineering games and tinkering with them, and I am not alone. Modding for many games requires reverse engineering things. A well known example is Dwarf Fortress, which requires you to install various kinds of memory scanning and manipulation tools in order to get some mods working. Modding Unity games often demands decompiling the game to actual code to inject things into the loading process. (I did this to KSP, and Squad hired me to put in a less hairy, built-in modding system.) So, even though it’s technically against Steam ToS, they will usually let it slide unless you are doing something malicious, like bypassing DRM or hacking on multiplayer. And don’t even start with EULAs, they are usually non-enforceable, especially in cases like this.

In short, the hex editing is not decompiling (it doesn’t transform the binary EXE in any way, just displays the binary as-is), and even though it is kinda reverse-engineering, it’s not being used to bypass DRM, gain an unfair advantage in MP, or to be used in another game.

Next Steps

So, how does Jao resolve this situation? What are some ways he can get back on solid footing and regain some level of trust from the larger community?

First and foremost, to paraphrase Leonard French: “He needs to eat crow while the eating is good.” Deliberately removing the ability of players to make use of a product they legally purchased for the crime of making a YouTube video is just flat-out wrong, no matter the circumstances. KSP and From the Depths had their share of bad reviews, decompiling, and twitter fights, but neither company had ever dreamed of doing something like this.

An apology is just the first step, though. The next would be removing the kill switch. If you had done this to a car you manufactured and sold to someone, you’d be hauled off to jail. I’m still not entirely sure a software kill switch for non-DRM purposes is legal, either, and I don’t have a criminal lawyer on retainer to look it up for me. My inclination is that it should be, given all the instances of software developers getting fired and triggering kill switches ending up in prison, but don’t quote me on that.

Third, Jao needs to stop and take a breather. Getting this worked up about bad reviews is not helping. You will always get bad reviews, even if you somehow manage to defy the Code Gods and pound out a perfect game. How you react to those reviews is how your game sinks or swims. Considering critique seriously is how you grow as a developer.

Leave a Reply

Your email address will not be published. Required fields are marked *