Big concern regarding commercial games made with Unity

With scripting being compiled with .NET/Mono and no obfuscation as far as I know being applied, Unity seems to leave a big gaping exploit in the games it builds. I was able to decompile a certain data file of a free but non-open source game back into C# and got what seems to be a pretty revealing script. Combined with the handful of asset extractors out there, it seems to be a recipe for disaster for the developers of a game made with Unity. Yes, there's likely some work involved that I'd have to redo myself, but with the availability of third party programs, I'm already set with scripts, textures, and models from a compromised game, leaving the only real effort to scene/prefab construction.

I'm not one to redistribute compromised work, but I do see a potential for non-profit modding of certain games. However, there are likely shady people out there that will probably buy one copy of the game, do the above, and give free copies to friends, leaving the developer/publisher to take a big hit in profits.

The screenshot below is of a free game I decompiled. For privacy and security concerns, the decompiler and script data file has been blanked out.

 

I recommend RedGate products. They have very good obfuscation and encryption technology. It works just fine with Unity, both in editor and standalone. Unity is just a game engine, what you do with your files ones compiled is up to you.

http://www.red-gate.com/products/dotnet-development/smartassembly/

I also recommend to compile your structure code in dll lib ones they are Finnish, to have separated assemblies. Then you just inherit your codes in header. Its a good routine.

 

I didn't think about that. Thanks.

 

Your welcome Note that not all the features works with unity, but the most important ones does. Good luck

 

This is an old discussion point that has been covered many times
http://forum.unity3d.com/threads/obfuscation-community-requested.175054/
http://forum.unity3d.com/threads/unity-games-are-hackable.319895/
http://forum.unity3d.com/threads/protecting-source-code.292947/
tl;dr it's almost pointless to obfuscate, you'll only slow down the people that are really motivated to get into your stuff. If they want it they can get it, you'll just spend money for little gain (the whole games industry struggles with DRM and has done for decades).
Short of running all code server-side and just beaming the results to clients, you can do nothing.

If people start reselling your assets, then you lawyer up

 

Well I do know Mono can do AOT compilation and remove the guts from the .NET assembly, leaving a stub that points to native code instead. Though, I don't know if Unity's internal cross compiler will work that way.

 

I dont agree. While if we talk about Network game i can agree more,but there are techniques to protect your packets, to avoid Network hacking, still it is always possible to temper with it.

What i think SchalaZeal was thinking about was to protect your codes in your game files, since they are open by default. I been using RedGates SmartAssmbler for some time now, never had any breach or find a way to hack my own files, even with hexa/assembly hacking string or value manipulation, you will find just noise. You wont even find correct pointer offsets. Your not only slowing them down, your pretty much blocking them. I cant not speak of other products but.

 

Obfuscation is pretty pointless - it takes more work to figure out your code, but it's still totally doable. Everything you put in a game can be extracted and figured out. It's kinda the nature of software.

What you're worried about is essentially piracy. All of the big publishers has probably spent more money than any of us would make in a hundred lifetimes trying to stop it, and has achieved exactly nothing.

People won't buy a game, decompile it, extract the assets, recombine scenes, and give it to friends. That is a crazy amount of work. Instead, they'll buy the game, rip out any copyright protection that might be there, and put it on the pirate bay. You're overthinking here.

 

How exactly are you going to put all the pieces together without the Obfuscation algorithm? + The cryptology behind it?
easy..? no possible? maybe in 100 years.. More safe = yes .

You can not "extract" any thing without its logic and pattern. You say its doable, but you have no idea what you are dealing with. I recommend reading bytestream and see for your self what Obfuscation + good cryptology does to the codes. Thats why cryptology is a big business.

 

You can always decompile code. If the goal is piracy, the only goal is to figure out what parts of the code that makes a pirated version not run, and simply kill those.

It'll make it near impossible to say mod your game without permission, and if you have interesting algorithms you can probably hide those, but if the selling point of your game is interesting algorithms...

 

If you don't overprice the game players will never do that.
The only thing im worried is small not well known developers that could get their games content stolen and published by others.
Also if 1 player buys it and gives free copies to his friends, big chances are a few of them are gonna buy the original game that otherwise wouldn't.

 

The best advice I can offer anyone who is worried about their software being stolen by another developer is this: own it. Make it known to the world that you are making this software, it is yours and yours alone. Nobody else has the rights to it. In the case of a game, promote early and often. Once the concept is fleshed out start telling people about it, amass a following, you can't claim something is yours if thousands of people already know it isn't. Just a thought. I seriously don't concern myself with people ripping off my software. If they do, I can file suit for intellectual property rights violations and I have all the pertinent data to assure a win in the extremely unlikely even that this happens.

 

Obfuscation is indeed pointless, however this does not render the issue at hand pointless, at all. People, customers want protection and it's clear Unity has to answer to the customers. I for one would welcome stripping it down to stubs.

With Unet on the way, I'd rather spend less time fixing issues by every script kiddie and a few hacks (the majority), and more time fixing the real deeper decompiled hacks (which are far rarer).

The idea is that you make life fairly awkward to the point where you only need to deal with the dedicated few. And yes, some of us do see successes where this matters.

Theft isn't the problem.

 

There is a very big difference from modifying a game code, and just extracting everything out.

If your going to decompile, you need the decompile logic

Decompiling doesn't make you see the source code on executable level, if most of the logic are in private protected constructors you only see the objects. No variables or properties. If your going to hack it, you need to learn the algorithm of the game (basically) build it up from scratch, "backwards engineering". I think you have a better luck with just making your own game than going with that hell. Its pointless to not to protect your files at all, if your planning on making money.

 

So basically if I understood correctly, if I declare variables as private or protected in a Object class, decompiling won't show what variables that object contains?

 

Yes you understood it correctly. decompiling wont access private variables or objects of a public class, and since you obfuscated your files, attackers will have no way to decode your logic structure. If the private reference is missing, the class object wont work.
Making it a very hard work to reverse engineer your game. Recommend to try to hack your own game to see what is visible and what is not. Also check what is running in memory, so that nobody can modifie "lets say character health"

It is also possible to not have any stats like Health, speed , strength etc inside your game code. I should probably make a guile to help others with security concern, to share some tricks.

 

Not sure if you are talking about regular compiled code? Because private variables are still visible when decompiled. See this random ILSpy screenshot off the web:

 

You're neglecting to mention the major disadvantage to encryption. At some point, to actually run the program, the code has to be decrypted. It cannot execute in an encrypted format.

Obfuscation is another matter, but that isn't particularly effective. It merely renames the code's variables and function calls to make it more difficult to understand. A skilled developer can still extract what they want.

 

That is without obfuscation ..I am talking about in executional level, you wont access private variables that are obfuscated.
At least not with the tools I been using for obfuscation.

If you try to decompile obfuscation string/variable you get no data that is useful to you.

I show you an example with your tool (i use reflector but)

 

The variable is still there, it just has a name that's unreadable. That really doesn't stop a good programmer from discerning the meaning of the variable - it's just more work.

 

Of course you can i have no problems with it in my projects. You can even implement your own cryptology algorithm.

 

I don't think you and Ryiah are talking about the same thing.

 

You won't have problems because it is decrypting prior to execution. It doesn't matter when it actually does the decryption. While loading the binary into memory, just before executing a code segment, etc. It has to decrypt at some point to run.

 

Your right, that's when the private access modifier comes to play, you cant hack the files and you can't reference the access modifier. even if they are decrypted. In Binary/memory you just looking for a needle in a haystack

 

Wishful thinking at best. You'd be surprised how resourceful those who actually want the source can be. There is no such thing as an unbreakable solution. If there were piracy would not exist.

 

Its not only wishful, I have manage to hack a few "known" tittle games, so I know a "little bit" on how this works. If you want to hack a very good protected game, your only option is to use memory hexadecimal hacking. 3D models, texture or sound is copyright material so not much point of getting that. Its the code we want to protect.

I agree with you there is no unbreakable solutions, but there are does who are more secure than others obfuscation is a solution not a evolution. It would be nice to see a obfuscation integration or encryption in Unity as well.

 

I wouldn't call obfuscation and encryption a waste but as usual, making money boils down to business activities rather than technical ones.

Encryption
As a few people have pointed out already, everything eventually needs to get decrypted and run in memory, so the truly creative hackers will simply unload directly from memory after the content is decrypted

Obfuscation
The meaning of this word gives a hint as to why the activity, as applied to computer code, doesn't keep things safe.

1. to confuse, bewilder, or stupefy.

Those who are clever and determined enough will eventually understand and be able to reverse the obfuscation.

Business
A good business heuristic is: sell to the 90%. If you can make certain activities or products attractive to the majority, then you can make money and (usually) safely ignore the minority. So, to make something attractive you can:

1. Price it right and make it easy
2. Make the alternatives expensive or difficult

As far as gaming - or any intellectual property - goes, encryption and obfuscation are just tools in the business owners arsenal to make stealing code difficult. Someone already mentioned lawyers - a great way to make the alternatives expensive. But there are a lot of other options. One of the biggest concerns of our economic and legal system are to protect this stuff.

 

I want to point out that code is ALSO copyright protected.

 

Of course it is its just bad right away, if some one can access your codes. Codes are not visual and you can not tell if some one else are using your code or not that easily

 

So... you're suggesting someone is going to decompile your game, and only use small parts of said "codes" to make their own game that is indistinguishable from your game???

There's a... huge market of that... right?

Why don't they just use Unity?

I have an answer to that. The reusable parts of my games are all on github with a free to use license:
https://github.com/lordofduct/spacepuppy-unity-framework

No need to decompile my game to use small bits of code from it to make your own game. Have at it. I'm happy if people want to come into the game design community!

Otherwise... they're pirates, and I highly doubt pirates are decompiling your code to check out your leet skillz at designing a pathfinding algorithm.

I mean hell, this entire thread hinges on the idea that the people are going to strip out the code, the assets, and then BUILD THE LEVELS AGAIN!

... what? Dude, if someone rips apart my game and does that... wow, that's some dedication. S***, I might wanna talk to them and hire them on as a level designer. They figured out how to do all that and make a dup of my game???

::slow clap::

I'm impressed.

 

I believe there was a KSP developer hired this way. Decompile the project, added dynamic dll loading for modders. Recompiled it. Submitted it as a community mod. Got hired.

 

All in all I think this energy would be better utilized if it were channeled into making a game that people actually gave a crap about. If you have lots of people hacking the game that they bought from you - that's a pretty good problem to have.

 

What? I totally just hang out on these forums to get links to unreleased noob games. I then decompile them and rerelease them. Totally profitable business strategy.

If someone has obfuscated their code I instead steal noob ideas for MMOs and implement those.

And in case it wasn't obvious.

 

Hi all,

I used to reverse engineer games for a living and I wrote a post about this specific topic. It's a bit too long to post in a reply, but I definitely recommend that you check it out if you are considering to obfuscate or not. TLDR: Just obfuscate.

https://medium.com/@pimdw/i-used-to-reverse-engineer-clients-for-a-living-a9369942c179#.hp50kb667

Pim

 

Sooo... right away in your article you say:

So... there is a community deobfuscating stuff.

So, it's not stopping them from doing it.

All I read is:

I want to return back to what @Baste said:

It doesn't matter if it's obfuscated.

Have you ever wondered how DRM gets cracked on C++ compiled games?

Or how about applications like Photoshop and the sort.

Heck, even the Unity editor to turn on the dark skin.

There is software that lets you hack this stuff... sure, it's not pretty to read. It's usually interpreted out into some assembly code, but with skill it's not hard to read really. And you can run the program and trace it in memory to see what is doing what when... and... find the part that does the DRM.

Done... toggle a boolean, that's it.

To the regular joe, it looks just as much like gibberish as does obfuscated code. There's no english words in here... it's all numbers and machine code. And people figure it out pretty damn quickly.



It's why AAA developers realeasing PC games have gone a completely different route in recent years. A route gamers freaking hate.

Always online.

And not always online where it validates with a server.

No... always online in that the distributed software that you give to the customer is missing a part. The game literally does not work at all, because certain logic in the game is performed on a server elsewhere.

And you never release that server software.

There's no code to be decompiled. There's no code that can be seen. It's behind lock and key on your servers.

At best they can reverse engineer by seeing the interface of the server, and know what inputs result in what outputs. But you never truly know what's going on behind the scenes. A AI algorithm held on the server would mean that a knock off version could only ever approximate the AI, never actually do it right.

And that's only after a butt ton of work.



So yeah... even they have given up on this nonsense and went to actually effective manners of thwarting pirates.


At what cost though?


Pissing off customers?


...

So yeah, Runescape has a $5 million dollar a year hacking community behind it (not sure where the numbers came from, but OK... I'll take your word for it). Thing is... did Runescape fail? Did the company behind Runescape go bankrupt from this hacking scene that exists to this day?

How about Minecraft, a widely hacked and redistributed game, built with Java and not obfuscated. Is Notch struggling?

Or could one just say... maybe these games have such a large hacking community, because these games are good. That they were popular.

If one of my games were popular enough to be hacked and generate a $5 million dollar a year industry within the hacking community alone... I could happily commit suicide knowing I've made it in life.

 

Minecraft's actually obfuscated! Or at least it was a while back, but the last mention I can find of it online's from 2011, so idk if it's the case anymore. It was only name-obfuscation, though, so it wasn't horrible, but still.

Don't try to make it solely for the reason that it'll be easier to commit suicide! That's really sad!

 

Since the thread has been revived I thought I'd chime in by saying that someone knowledgeable with programming and reverse engineering won't be held back in the slightest by obfuscation. There was a game that I used to play years ago that was written in Visual BASIC 3. It had a bug that was quite annoying. One day I had enough and decided to fix it. Decompiled the executable, searched for the problem, fixed it, and then recompiled it again.

Actually hunting down the bug was trivial even with the tools available back then. Just think of how much easier it is now.

 

IMO piracy has no good technical solution, except "online only". With pure online game you can always hunt down popular private servers. People hate DRM and encryption/obfuscation systems hurt modding.

 

Which it says in the article:

For most games, a week of cheat/copy free days right after launch is more important than what happens after the game's been out for months or years. Even if obfuscating code only slows people down for a few days, that's something worth doing - and it's not like obfuscation is a big time sink, there are plenty "out of the box" options.

 

Online only is actually not that great for players either. Plenty of places still have weak or expensive internet connectivity. Plus it means you have an ongoing expense of maintaining the server.

 

A friend and I reverse engineered the Myth I network protocol (partially by reverse engineering the client using a disassembler) and created our own game matching server after Bungie was purchased by Microsoft and moved to Redmond and was unable to get their server working again (which apparently had hard coded IP addresses). We eventually incorporated Myth 2 and 3 and Bungie's original game Marathon into the server as well. It ran for years, but the folks who were still running never revived it after the hardware crashed awhile back.

If someone wants something bad enough and has access to the code in any way, you're not going to be able to stop them from getting it.

 

And the game stops working when you decide you don't want to run the server anymore. There's been quite a bit of backlash against always-online for single player games; is it even really done anymore? Ubisoft patching games to remove always-online, the whole SimCity fiasco, etc.

--Eric

 

It's not really that simple to just refactor a well obfuscated code, the meta data is total altered. Reflection wont do it.. Obfuscation is not a type of protection, it can be many and even custom obfuscation. Obfuscation just mean that you "confuse" the content of your code. On top of that you have encryption. So it's not so easy to just open up and refactor it.

A good advice is to have some type of "key" validation from a server, rather than from the dll content. So that the "bricks" comes down together again only with sever signature.

 

Anyway, IL2CPP.

 

The AOT compiler compiles the C# scripts to native for memory. You can always manipulate your memory. Hence why server siganture is a good way to go. AOT Compiler is not going to help you refactor C# scrip that is protected.

 

In the absolute best case, that just narrows your vulnerability to the sort of cracking that was almost trivial by the late 90s.

https://msdn.microsoft.com/en-us/library/windows/hardware/ff538165(v=vs.85).aspx

 

Diablo 3 is still online only, even when playing single player. I want to say starcraft II may also be online only for single player, but not 100% sure on that one.

But I know that there were huge complaints about it when D3 was released, so it's certainly not the best way to go if you can help it, unless you have the funding of a company like Blizzard.

 

StarCraft 2 has a monthly authorization system, so you only need to be online ones every 30 days to verifiy your client/account.

Diablo 3 still has always online because it basically it only has online functionality, unlike for example Assassins Creed or SimCity which just had a constant verification system. In Diablo 3 you always play on a server (as you'll notice, you can open your sessions to friends/other people whenever you like).

Basically, Diablo 3 is a Multiplayer game masquerading as a Single Player game, as opposed to Single Player game with added online control/security checks.

A nice example of Ubisofts system is Assassins Creed 2, which next to the warning screen you got if you were offline, also had specific checks whenever you went to a new area, that locked the area until verification was done, which was the main reason pirates took so long to fully crack the game.

 

Blizzard does have a history of removing DRMs in the late stages of the game. For example the last patches on Starcraft and Diablo 2 both removed the need to have the CD in to play.

I imagine they will do something similar when the server finally goes down for Diablo 3.

 

Mostly all blizzard products use server signature..