GOG feature
News

GOG.com Introduces Password Protected RAR Files On Its Game Installers, Fans Accuse Of DRM

30 Comments

GOG.com has moved away from inno’s own compression to storing a password-protected RAR archive inside their installers; a move that brought a lot of complains from various GOG users. According to fans, this new decision to include password-protected RAR files is basically a form of DRM, something that is against what GOG really stands for. On the other hand, GOG.com’s developer ‘Gowor’ shed some light on what exactly is currently going on.

According to Gowor, the archives are password-protected because the GOG.com team wanted to avoid the situation where someone tampers with the archive and uploads it to a torrent site, and because the team wanted to avoid the situation of ‘when user will see a unprotected rar file, download and unpack it, and get a “broken” installation, because he didn’t use the installer.’

“There were situations, when users would download just a single part of the installer, or try to unrar it manually (because apparently some browsers detect our new archives as rar files), or even try to open the .bin files with the VLC Video Player.
In such a situation I think it’s better to give immediate “it won’t work that way” message, rather than allow someone to make a “partial” installation, which may or may not work, without any information. “

Gowor claimed that the Installer is designed mostly for reliability and ease of use for any user, and that most users won’t be affected by those password protected files (as the Installers never ask gamers to insert a password).

As Gowor added:

“Mind you – if you are using the supported installation mode, you don’t have to enter the password anywhere. Nor is it in any way dependent on username, or hardware, or anything else. It’s more or less hardcoded into the installer (I see you guys already figured out how), as much as the decompression algorithm. You can still use the installer exactly as you could since the beginning of GOG, and install your games wherever, whenever, and however many times you want. It doesn’t detect where was it downloaded from either. That hasn’t changed at all. “

Of course this decision to move to password protected RAR archives comes with a price. This new method now prevents the use of tools such as innoextract to dump installer contents. By a number of users, this was the go-to method to set up games with DOSbox/emulators/ScummVM/Freespace 2 on phones, Linux and other platforms.

Users have already figured out ways to gain the passwords for GOG.com’s password protected RAR archives, so at least there is a workaround for those few who are affected by it.

Gowor concluded:

“We don’t really support installing the game by manually unpacking the archives (for whatever reason you do that). On the other hand, I see you already figured out the algorithm for obtaining the password, so you are still able to do as much. I’m not going to say “Hey, good job hacking into our software guys!”, but I’m not going to try and make the password harder either.”

Share on Tumblr
  • Dante Murasaki

    People are just LOOKING for reasons to complain now arent they? Wow.

    • Jay

      I think some people view DRM and encryption as kind of like an STD. They want their games to be clean.

  • Psionicinversion

    its not DRM there just protecting the files from nefarious users uploading the files to torrents potentially packing them with malware.

    • John

      what stops it from being repacked? nothing. its just drm.

      • Psionicinversion

        DRM stops the game from being played without steam, uplay, origin etc password protecting the download file is not DRM

        • John

          you dont have the game installed yet on your laptop.

          you go on a trip and have no wifi to check out what the rar file password is.

          drm has f`d you out of your purchased game, whese as the earlier gog installer didnt require a drm password.

          please feel free to try to troll me further you shill.

          • Psionicinversion

            Actually it says the password is hard coded into the installer so you don’t need to know the password as its already there. There’s only parts of the full article on here, need to go read the full thing from somewhere else

            I know reading is a bit hard for you derp but tell em you need some pictures with it next time

      • Durka Durka

        Yeah thats what i want to know as well, how does this stops anything? Crackers rip game and updates off steam and make custom repacked installers.

        What does this do exactly to protect the files? It is just a password.

        • Vagrant Zero

          It’s not intended to stop anything other than a failed installation. This isn’t DRM.

    • It meets the definition of DRM given by TheEnigmaticT who was, until August, the “GOG Marketer Guy”.

      DRM is explicitly a class of technologies that attempt to control the utility of a digital work after sale. Regional pricing, by the definition of it, is something that clearly works before (or possibly, you could argue, during) sale. Further, once you have purchased the game with regional pricing, you are free to do as many things with it as anyone else in the world is, so we’re not attempting to limit your post-sale utility of your files. That’s why I say it’s not DRM. –http://www.gog.com/forum/general/announcement_big_preorders_launch_day_releases_coming/post4015

      Also, RAR encryprion is symmetric crypto (which can’t be used for authenticity verification) and, to the best of my knowledge (given what Gowor said and didn’t say about its purpose), it’s currently relying on it as a substitute for hash-checking or digitally signing the RARs. It should be possible to inject malware without tripping any alarms.

  • People do complain about everything…

  • FamiliarrStrangerr

    DRM protections gets cracked and GOG thinks a password can protect from hackers/crackers?? really GOG! -_-

    • theguywhogamesalot

      It just prevents the pirates from archiving from the installer file. They can still share it and download it. It mainly prevents people from tampering with the installer. This is kinda redundant if I’m understanding correctly.

      This is less adding DRM and more of prevention of file tampering. It is like when a game doesn’t have mod support. You can only install the file the way it is meant to be installed. I am personally not affected or care, but if removing the password makes others happy why shouldn’t GOG do that? I mean can’t you still put the installer on a flash drive and copy it on your friends computer?

      • Durka Durka

        how does that prevents tampering when hackers make custome installers for games with uber drm in them, let alone steam, ripping games from steam and make custom installers with emulation is not easy, people think it is becuse all games end up that way.

        • theguywhogamesalot

          I didn’t say tampering with game files, just the installer they use. The person who shares the software illegally would install the game, then repackage it using their own installer, or simply share the original install file.

          • Durka Durka

            so it doesnt do crap, thats why i dont get why they even bother with it anyway.

          • theguywhogamesalot

            I have no idea. It is quite redundant.

      • Gowor’s statements seemed to imply that he saw using RAR encryption as a substitute for checking hashes or digital signatures, so it should be possible for anyone who gets the password to inject malware into the RAR without the GOG-signed installer complaining.

        As for limiting users, what if I want to play Duke Nukem 3D with enhanced graphics via EDuke32 (or enhanced Dungeon Keeper via KeeperFX) without having to install, copy files, uninstall, and hope the uninstaller didn’t leave anything behind?

        GOG tries to use the same tech for all their installers so these encrypted RARs will eventually come to those games too.

        I’ve actually written a detailed post explaining how to accomplish Gowor’s stated goals properly AND without annoying skilled users:

        https://www.gog.com/forum/general/tech_gog_new_windows_installer_a_technical_thread/page2

    • Durka Durka

      i know right? Crackers rip game and updates off steam and make custom repacked installers.

      Wtf does a password do?

  • John

    how the mighty have fallen. oh wait, gog has always been terrible. remember when it was found out a game of there was a pirated version and had a crack on it and was distrusted?

    now they went full drm… lol. this does nothing to deter pirates and only adds complications to buyers. drm free my a*s.

  • Jay

    Their reasons for adding this don’t make much sense, or he’s not explaining it well. Why should it force users to use the installer? What else is that installer doing other than “extract files here/ there”?

    • Sometimes, adding registry keys that the game needs to run properly… but there are better ways to prevent unskilled users from doing broken installs.

      (Or, since it’s wasted support time he’s worried about, he could write a minimal dxdiag-like tool which checks the install for correctness and then require that its output be attached to support requests.)

  • ROdNEY

    Generally, DRM or other form of protection never helped anyone. Not company to make better sales nor customers! It only cause potential problems!

  • Hassassin

    you went full re**rd…

    • John

      you just went full shill. do you do it for free? or are you paid per every certain amount of posts?

      • Johnny Ringo

        upvoting yourself is a shill thing to do.

  • Durka Durka

    lol which game?

    I heard ubisoft patched vegas 2 crashes with a crack.

    • John

      arcanum i believe.

  • “according to fans,” John?

    According to some fans who have no idea of what they’re talking about.