Playtesters!

[+Al_Nafuur]

1 hour ago, Thomas Jentzsch said:

Some years ago, I have created some convenient DASM macros. The developer just has to replace mnemonics with the macros. The macros will then randomize the unused address bits.

 

Watermark.inc 5.86 kB · 1 download

Awesome!

 

As far as I understand this, each unique ROM has to be compiled individually by the developer.

 

It would be cool if the macros would produce a list of watermark addresses with a list of valid values (range) for each address, so this list can be used by a external "watermarker" tool to generate a bunch of unique ROMs.

 

[+Al_Nafuur]

1 hour ago, Thomas Jentzsch said:

Another idea, which just occurred to me could be using the emulators. These know the valid bits and could randomize the ROMs. The results could become more complete (more changes) but less controlled, since the changes would depend on the executed/detected code (mainly bankswitched ROMs).

This would be much better, because this way any ROM can be watermarked!

 

The emulators (when run in a special mode) would generate this list while emulating the ROM. When you have enough addresses (from every bank) in this list you would use the list with the external tool to generate unique ROMs.

 

[Thomas Jentzsch]

36 minutes ago, Al_Nafuur said:

Awesome!

 

As far as I understand this, each unique ROM has to be compiled individually by the developer.

Yes, because you have to define a different seed for each ROM. This can be done via command line, so that this can be automated via a batch file.

 

36 minutes ago, Al_Nafuur said:

It would be cool if the macros would produce a list of watermark addresses with a list of valid values (range) for each address, so this list can be used by a external "watermarker" tool to generate a bunch of unique ROMs.

That's another option, yes. Basically you need the address and the bits which can be randomized.

[Thomas Jentzsch]

25 minutes ago, Al_Nafuur said:

This would be much better, because this way any ROM can be watermarked!

 

The emulators (when run in a special mode) would generate this list while emulating the ROM. When you have enough addresses (from every bank) in this list you would use the list with the external tool to generate unique ROMs.

Well, after further thinking about this, the problems is, that this would make the watermarked addresses public. Everyone could create that list and then change/remove the watermarks. 

[+Al_Nafuur]

8 minutes ago, Thomas Jentzsch said:

Well, after further thinking about this, the problems is, that this would make the watermarked addresses public. Everyone could create that list and then change/remove the watermarks. 

You always can remove (or add) some addresses from/to the list before using it for watermarking.

 

Yes such a mode in the emulators would show everyone which addresses could have been used for watermarking, but the emulator watermarking mode would show this for ROMs that have been watermarked with you marcros too.

 

[Thomas Jentzsch]

5 minutes ago, Al_Nafuur said:

the emulator watermarking mode would show this for ROMs that have been watermarked with you marcros too.

Yup, that's why I would not want to implement this is Stella.

[+Al_Nafuur]

4 minutes ago, Thomas Jentzsch said:

Yup, that's why I would not want to implement this is Stella.

at least not in a public build.

 

But how about a custom build for a single "watermarking authority" that would generate the lists for the developers on request?

?‍♂️?

[Thomas Jentzsch]

6 minutes ago, Al_Nafuur said:

But how about a custom build for a single "watermarking authority" that would generate the lists for the developers on request?

I guess one could create a private fork which one would not check into the public repository. But keeping this fork in sync with the public master is the kind of extra work which I would want to avoid.

[+Al_Nafuur]

23 minutes ago, Thomas Jentzsch said:

I guess one could create a private fork which one would not check into the public repository. But keeping this fork in sync with the public master is the kind of extra work which I would want to avoid.

Does watermarking makes any sense at all?

 

As far as I can see you only need to buy/have two marked ROMs to identify (by a binary diff) not all but enough addresses to build a new ROM that is very difficult (if not impossible) to trace back to the original two ROMs?

 

[Thomas Jentzsch]

9 minutes ago, Al_Nafuur said:

Does watermarking makes any sense at all?

 

As far as I can see you only need to buy/have two marked ROMs to identify (by a binary diff) not all but enough addresses to build a new ROM that is very difficult (if not impossible) to trace back to the original two ROMs?

 

Do the math!  

 

If you have e.g. 100 watermarked spots with just one bit changed and you compare two ROMs, you will find only 50 spots (on average) where the bits differ. If you change these, the remaining 50 spots can still differentiate between 2^50 ROMs. 

[+Al_Nafuur]

7 minutes ago, Thomas Jentzsch said:

Do the math!  

 

If you have e.g. 100 watermarked spots with just one bit changed and you compare two ROMs, you will find only 50 spots (on average) where the bits differ. If you change these, the remaining 50 spots can still differentiate between 2^50 ROMs. 

The question is: does this help identifying which (for you unknown amount of) ROMs the new ROM originated from?

 

If the values only differ by one bit then 2 ROMs might be not enough, but with a few ROMs (6?) you will find about 97% of all addresses..

 

[+Karl G]

No scheme is foolproof, but watermarking sounds like a good way to match ROMs to those they were intended for. It would take a very knowledgeable hacker to defeat it.

[Thomas Jentzsch]

9 minutes ago, Al_Nafuur said:

The question is: does this help identifying which (for you unknown amount of) ROMs the new ROM originated from?

 

If the values only differ by one bit then 2 ROMs might be not enough, but with a few ROMs (6?) you will find about 97% of all addresses..

Your example would mean here, that there are 6 verified tester cooperating to pirate the ROM. Very unlikely.

 

Also, the pirate cannot know how many addresses were watermarked, so initially he cannot know the amount of ROMs needed to find enough addresses. He can only do averages and estimate.

[orange808]

In theory, two roms have to leak to reliably find and remove a watermark. That's particularly true if you throw a little something extra into the code. Could be as simple as slightly changing an asset.

 

Probably more secure if each tester doesn't see fresh randomized information and/or individualized asset modifications (wrong color, pixel, sound) with each new build, so there's no baseline for comparison between them.

 

Wouldn't want to juggle all of that for more than three or four people, though.

Edited May 2, 2022 by orange808

[+Al_Nafuur]

8 minutes ago, Thomas Jentzsch said:

Your example would mean here, that there are 6 verified tester cooperating to pirate the ROM. Very unlikely.

Watermarking ROMs for tester is extremely exaggerated. It is even unlikely that two of them will cooperate, because every verified tester would (have to) report such a request from another tester. So a simple 1 byte marker in the ROM would be sufficient for tester ROMs. A single tester cannot find this byte, because he has no other ROM to make a diff..

 

8 minutes ago, Thomas Jentzsch said:

Also, the pirate cannot know how many addresses were watermarked, so initially he cannot know the amount of ROMs needed to find enough addresses. He can only do averages and estimate.

Pirates don't need to know the exact amount of addresses, he can be sure that he will find ~97% of them when he buys 6 of the ROMs. And I am quite sure that it is impossible for the seller to find out which ROMs (of the hundreds he sold) the illegal ROM originates from. 

 

 

[Thomas Jentzsch]

12 minutes ago, Al_Nafuur said:

Watermarking ROMs for tester is extremely exaggerated. It is even unlikely that two of them will cooperate, because every verified tester would (have to) report such a request from another tester. So a simple 1 byte marker in the ROM would be sufficient for tester ROMs. A single tester cannot find this byte, because he has no other ROM to make a diff..

True.

Quote

Pirates don't need to know the exact amount of addresses, he can be sure that he will find ~97% of them when he buys 6 of the ROMs. And I am quite sure that it is impossible for the seller to find out which ROMs (of the hundreds he sold) the illegal ROM originates from. 

For 100 watermarked bits and more than 8 copies existing, you are correct. But you can put way more bits into even a 4K ROM.

 

With quite little effort, I randomized 2536 bits in Three.s (591 bytes at 393 different spots).

Edited May 2, 2022 by Thomas Jentzsch

[orange808]

Should also be convenient to hide a little something on the ARM side. AFAIK, Stella doesn't provide instant easy disassembly of ARM code. 

[+Al_Nafuur]

19 minutes ago, orange808 said:

Should also be convenient to hide a little something on the ARM side. AFAIK, Stella doesn't provide instant easy disassembly of ARM code. 

?

For finding diffs in two or more ROMs it doesn't matter if it is 6502 or ARM code (or data or free space, or whatever).

 

however it would be possible to compute a checksum of the differences (with the ARM or the 6502) and the ROM would simply refuse to work if the checksum doesn't match a certain condition. But this would be much more effort than a simple watermarking..

 

[hizzy]

I would be keen to sign up. I have a harmony, a 2600, a 7800, various controllers & adapters, use emulation. It would be a nice way to contribute to the community

[orange808]

1 hour ago, Al_Nafuur said:

?

For finding diffs in two or more ROMs it doesn't matter if it is 6502 or ARM code (or data or free space, or whatever).

 

however it would be possible to compute a checksum of the differences (with the ARM or the 6502) and the ROM would simply refuse to work if the checksum doesn't match a certain condition. But this would be much more effort than a simple watermarking..

 

Could probably hide the ability to access the computed value. Might not ever show it to the user at all. There's also some neat tricks you could do with cryptography that wouldn't require too much effort. Don't have to actually do the computations in the game. A pair of values "in the code" that are related using cryptography would be extremely unlikely to occur due to entropy.

 

It's just a watermark. DRM that disables software is never a particularly good idea, in my opinion. Risky Rick tried to tie DRM to hardware and it ended up affecting their paying customers.

[+Gemintronic]

I think there's a few enough volunteers that a paranoid developer could just manually add an ID in the source and compile a unique ROM.  Create a Play Testing Club.  Let playtesters hollar at you if they have interest helping a particular project.

 

Even better provide beta testing ROM in the club and requested tests.  Let volunteers pick at tasks as they can.

[RevEng]

The algorithm can be published, so long as the watermark locations are part of an input secret, and necessary for the reveal process. But that doesn't mesh well with equivalent opcode substitutions, since one can indiscriminately do the same substitutions throughout the executable portion of the rom and be pretty confident the watermark is  scuttled.

 

With an input secret, it would be better to just spend a few bytes of rom in certain locations with instructions that look legit in an automatic disassembly, but are pointless in the larger context of the game. Finding those locations would be a matter of adding enough context to the disassembly and finding areas that aren't necessary. That's a whole lot of manual work to go through, just to be confident you've ruined the watermark.

[Thomas Jentzsch]

3 minutes ago, RevEng said:

The algorithm can be published, so long as the watermark locations are part of an input secret, and necessary for the reveal process. But that doesn't mesh well with equivalent opcode substitutions, since one can indiscriminately do the same substitutions throughout the executable portion of the rom and be pretty confident the watermark is  scuttled.

I am not changing opcodes, but values. And that can be operands of code or data statements. 

 

Of course you can try to undo all changes. But doing that manually is very tedious and error prone. So you have to come up with some automated solution. Which requires disassembling the code and then identify and randomize all potential changes. That's also a quite hefty challenge.

[RevEng]

Ok, sounds like you can just use a secret input to access the watermark, rather than keeping the decoder secret.

[Thomas Jentzsch]

12 minutes ago, RevEng said:

Ok, sounds like you can just use a secret input to access the watermark, rather than keeping the decoder secret.

Yes, you only define a secret seed per ROM for the random number generator.

 

The code I posted above uses 16 bit which should be way more than needed for Atari 2600 games.