How does ds_map_secure_save work?

The documentation for ds_map_secure_save in GM2 states:

IMPORTANT! One of the features of a secure saved file is that it is locked to the device that it was created on, so you cannot load a file saved on one device into a project running on another device.

That's a pretty bold claim, so I was wondering how it achieves that? Or is that a GM2 secret that's better for everyone if it's not known...
Some of my guesses of what it could use to encrypt it would be:
- The username of the current user
- Meta information about computer hardware (but if the user upgrades, then save files corrupt?)
- A hidden key buried somewhere in the registry
- A hidden key stored in a file buried in some root folder / next to the .exe

I'm also assuming this feature is exclusive to GM2 given that the GM1 documentation doesn't claim this?
 

chamaeleon

Member
Similar questions have been asked several times about this function, and in my cursory reading of past threads the word secure is not entirely well deserved in the function name. Make of that what you will. Maybe it's good enough for your use case, maybe it isn't. Search the forum for the name of the function and explore what has been written in the past.
 
I would guess it is because ds_maps are created with a certain key, so GameMaker knows ds_map a is different from ds_map b. Now YOUR computer probably is told how to read this information and make sense of the ds_map. Hence it would cause problems if someone else tried to access it through your computer; it would not know what to do with it. Of course this is all speculation, I don't really know to be honest. But it would make sense because JSON files are readable by any computer.
 

GMWolf

aka fel666
It's pretty crap tbh.
It JSON encodes your file. And then base64 encodes that.
The whole file is then prepended with some unique identifier for your machine.

So if you get the file and just base64 decode it you can easily get the data back.

You can also copy the first part of the file and paste it in another which allows you to use that file on any machine


To be clear there is no signature of the data, nor is the data encrypted in any way (only encoded).

This makes it wholly unusable to store any sort of sensitive user data (passwords) or other data you wish to be tamper proof (IAP purchases).



You could improve the tamper proof aspect by signing the data. One option is to append some private key and then hash the whole file (including the key).
You can then verify if the data was tampered with by checking the hash.
Unfortunately, if the user gets access to the private key then they would be able to sign data themselves.

A more robust solution is to sign using public-private key cryptography; then some server could sign data and the client would be able to verify it without the user being able to sign their own data, but it is quite a bit more complex and doesn't apply to many situations.
 
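The keyed-hash idea from the post above, as an added example that is not part of the original thread and not GameMaker's own code. It is written in Python and uses HMAC-SHA256, the standard construction for hashing data with a secret key, in place of the append-key-then-hash form the post describes. `SECRET_KEY`, the `payload.tag` layout and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a secret shipped inside the game build. As the post notes, anyone
# who extracts it can sign their own saves, so this only stops casual edits.
SECRET_KEY = b"constructed-demo-key"


def save_signed(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize `data` and append an HMAC-SHA256 tag (hypothetical layout: payload.tag)."""
    payload = base64.b64encode(json.dumps(data, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode("ascii") + "." + tag


def load_signed(blob: str, key: bytes = SECRET_KEY) -> dict:
    """Return the saved dict, or raise ValueError if the blob is malformed or altered."""
    # "." is not in the base64 alphabet, so the last dot always separates the tag.
    payload, sep, tag = blob.rpartition(".")
    if not sep:
        raise ValueError("missing signature")
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison; verify the tag before decoding anything.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise ValueError("signature mismatch: save was modified")
    return json.loads(base64.b64decode(payload))


def tamper(blob: str, field: str, value) -> str:
    """Constructed test case: change one field but keep the original tag."""
    payload, _, tag = blob.rpartition(".")
    data = json.loads(base64.b64decode(payload))
    data[field] = value
    forged = base64.b64encode(json.dumps(data, sort_keys=True).encode("utf-8"))
    return forged.decode("ascii") + "." + tag


if __name__ == "__main__":
    blob = save_signed({"gold": 10, "level": 3})  # constructed sample save
    print(load_signed(blob))
    try:
        load_signed(tamper(blob, "gold", 999999))
    except ValueError as err:
        print("rejected:", err)
```

The payload is still only encoded, not encrypted, so this gives tamper detection and no confidentiality.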
It's pretty crap tbh.
It JSON encodes your file. And then base64 encodes that.
The whole file is then prepended with some unique identifier for your machine.
Wow, yeah, I can see how that's not quite measuring up to expectations. You can even do all that yourself using built-in GameMaker functions?
 