If these pirates weren't so irritating, they'd be downright fascinating. They're using automated cracking tools (duh) and have sophisticated distribution infrastructures in place. We (miraculously) released a new build of Jurojin just 2 days after the pirate influx. Within 24 hours the new build was already cracked and being distributed. Jurojin has some startup code that disallows old clients from playing and points those players to the App Store to upgrade. During the transition, our new users reverted to legit downloads until the new binary was cracked. Because of the endless stream of Chinese display names, I think I correctly assumed that the pirates were Chinese. So, I released Jurojin in the Chinese App Store. There's a lot of Chinese people (if you didn't know) and we got a lot of downloads. More than 300 legit downloads in the first day with zero advertising and no ranking. Was it because of the pirates? I don't know, but it did give me an opportunity to compare the users.
The pirates are people. Or, at least they seem to be. Jurojin uses the latest authentication services from Apple and we try to authenticate users' GameCenter logins in order to provide a seamless account creation. The crypto is pretty standard and I'm assuming unbroken. So when I see about 30% of pirates with legit GameCenter logins, I trust that they're real. Real users, by the way, are about 90% logged into GameCenter. Pirates also seem to see apps as completely disposable. The churn is huge. The fall out rate for our tutorial is over 80% for pirates, with many not even making it more than a few steps past account creation. Some of them do seem to like the game though.
One of my hobbies (now that the game is live) is to watch the live logs and look at what players are doing.
New User. Haha, this guy died to the low level minion. Somebody opened the store and didn't buy anything. New User. Core user is training some scrolls. New User. Attempted IAP!! Wait a second...
So, the pirates, their tools are pretty good. The automated cracking tools seem to be sophisticated enough to attempt IAP circumvention. Seems pretty obvious: if you don't have a legit binary you can't make legit IAP transactions. But, I was a good boy and I studied instead of played. Like I said: Jurojin uses the latest auth services from Apple. And since the game is server-authoritative, all transactions must pass validation from our server code. Server code which validates receipts via a direct connection to Apple. Even if you've cracked the Jurojin binary, you're not getting the content without also reimplementing our fairly sophisticated server infrastructure. But that doesn't stop the pirates from trying.