Can hackers decompile inspector values?

Discussion in 'Scripting' started by mahdiii, Sep 2, 2016.

  1. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    I want to know: can hackers decompile inspector values? And how can they do it?
    For example:
    Code (CSharp):
    using UnityEngine;

    public class example : MonoBehaviour {
        public int a; // initialized in the Inspector
    }
    What is the best strategy to initialize important variables like keys etc.?
     
  2. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Is it a hard question? :)
     
  3. Kurt-Dekker

    Kurt-Dekker

    Joined:
    Mar 16, 2013
    Posts:
    3,637
    Yes they can.
     
    SparrowsNest likes this.
  4. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Hi. So how? If you decompile you only see code. Where do you see the inspector values?
    And a solution to prevent hacking, please.
     
  5. Kurt-Dekker

    Kurt-Dekker

    Joined:
    Mar 16, 2013
    Posts:
    3,637
    This is a forum to discuss Unity-specific scripting issues.

    Preventing users from modifying binary data after compilation is not related to Unity.

    You may want to try checking around the interwebs to find yourself a 1337 skeeld haxor who can answer your questions.
     
    SparrowsNest likes this.
  6. Lysander

    Lysander

    Joined:
    Feb 24, 2013
    Posts:
    1,556
    Yeah, you're stepping into a minefield here. The methods are varied, the usefulness of each (or even bothering in the first place) is heavily debatable. Even big-name companies have tons of problems with this topic, and whenever it's brought up here it always devolves into "obfuscation" versus "encryption", "useful" versus "pointless", with most of it being conceptual and theoretical rather than constructive.

    The short answer is that making your game "hack proof" is simply impossible if you have any sort of network capabilities built-in. Functionality leads to the potential for abuse, DRMs always fall in the end, and obfuscation lasts only hours (or days at the most) against a serious effort. Anything beyond that is simply debating effort versus reward, and this really isn't the place for that. Sorry.
     
    dadude123 and Timelog like this.
  7. Kurt-Dekker

    Kurt-Dekker

    Joined:
    Mar 16, 2013
    Posts:
    3,637
    Meanwhile I am spending time to try and make my games worthy enough of getting a hacker's attention to even begin playing it, let alone modifying it!
     
  8. Lysander

    Lysander

    Joined:
    Feb 24, 2013
    Posts:
    1,556
    Haha, I hear you- someone found one of my products being shared on a torrent site and it made me pretty happy honestly. It's like a badge of honor! Didn't stop me from sending out a C&D, but whatever, lol.
     
    image28 and Kurt-Dekker like this.
  9. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    It is the Unity discussion. You see my question?
    "Can hackers decompile inspector values in Unity?"
    You probably don't see many forums about hacking Unity here, and the solution!!

    If I don't ask the question here, where do I ask?!!! It is absolutely about Unity.
    If the question has been answered before, please show me (refer).
     
  10. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    I asked where the private key and site names must be (in the code with obfuscation, or in the inspector, or on the server ...).
     
  11. jimroberts

    jimroberts

    Joined:
    Sep 4, 2014
    Posts:
    560
    Your entire game can be decompiled/disassembled in less than a few seconds. You should be storing "private keys" on a server somewhere and using some form of server side authentication. If you explain in further detail what your "private key" is for it would help us get a better picture of what you're trying to do.
     
  12. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Thanks. The private key is, for example, an AES key to store data in a local database.
    So I will have a PHP URL for the server, right?
    So hackers can see the address and the authentication server key and can easily send data to the server.
    So why do we need to keep the private key on the online server?
    They can connect to the online database through the PHP address!
    Unity example: it has been implemented like that.
    Code (CSharp):
    using System.Collections;
    using UnityEngine;

    public class example : MonoBehaviour {
        // Both literals are compiled into the game's assembly.
        string url_php = "www.aaa.php";
        string server_privateKey = "fd5kjerkjreb8";
        string json_data;

        void Start() {
        }

        // Posts the shared key and the JSON payload to the PHP endpoint.
        IEnumerator send_data() {
            WWWForm wwwform = new WWWForm();
            wwwform.AddField("pk", server_privateKey);
            wwwform.AddField("data", json_data);
            WWW www = new WWW(url_php, wwwform);
            yield return www;
        }
    }
     
    Last edited: Sep 2, 2016
  13. jimroberts

    jimroberts

    Joined:
    Sep 4, 2014
    Posts:
    560
    I'm still slightly confused by your reply.. I assume you're storing an AES key in your client and using it to authenticate with a remote database?? It doesn't really matter regardless as you should never allow clients to connect directly to your database. You need to take a step back and create an actual server that communicates with your clients. It's extremely important that your server and only your server has direct read/write access to your database.
     
  14. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    No, I said the AES key is a key to encrypt data (and then the JSON string is stored). I wanted to keep my data in the local database,
    but you said it is better to keep them on the online server. So I see hackers can connect to my PHP URL easily, and if I use a private_key to authenticate a client and send it with data to the server, hackers can do that too.
    Code (CSharp):
    <?php
    // "pk" is the form field posted by the Unity client
    $server_privateKey = isset($_POST["pk"]) ? $_POST["pk"] : "";
    if ($server_privateKey == "fd5kjerkjreb8") {
        // connect to server
    }
    ?>
     
  15. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Yes, I know that clients must never be allowed to connect to the server directly.
    I only said that in this condition, a hacker can send the desired data (for his own) to the server.
     
  16. jimroberts

    jimroberts

    Joined:
    Sep 4, 2014
    Posts:
    560
    Your wording is insanely confusing but like I said.. You probably need to design an authoritative server that communicates with your clients. This includes a data packet format protocol. Once you design the protocol you won't have any need for storing your "private key" in the client. Any received data that does not match the protocol should be considered invalid and result in a client disconnect. If all the incoming data is valid then you could only assume the client is also valid.

    This is why most online games require a username and password. They use it to authenticate the client connection.
     
    Last edited: Sep 2, 2016
  17. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Please see http://wiki.unity3d.com/index.php?title=Server_Side_Highscores
    It is not a secure method to add a score. I don't know how to do that.
    You said authoritative server:
    A client sends a packet (his username and password) + data to the server and the server checks and verifies it. Then, if it was verified, for example his score is updated?
    So can't a hacker register in the game (username + password) and then send the desired data? A huge score?
     
    Last edited: Sep 2, 2016
  18. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
  19. jimroberts

    jimroberts

    Joined:
    Sep 4, 2014
    Posts:
    560
    It doesn't matter if you use an encrypted connection. If your client is authoritative and is allowed to send important data that is accepted by your server then there is nothing you can do to prevent "hacking". Most online games simulate the entire game on the server and simply use the client to determine input. You could come up with some convoluted way to verify incoming data is more realistic but it would still be easily "hackable". You'd include the time played with the score and figure out if the score could actually be achieved by the client on the server.

    Basically what I'm trying to say is that a leaderboard will always be "hackable" as long as the server is not completely authoritative.
     
  20. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Thank you. It is true, but my game is not online. It only has the leaderboard.
     
  21. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,366
    There was an excellent Unite presentation on security a few years back. I think it's this one, but haven't watched to verify.

    Some short points
    • Code in Unity games is totally unencrypted and can be opened by simply dropping the dll file into MonoDevelop or Visual Studio. Any hard-coded values in code are totally transparent
    • Memory hacks are relatively straightforward for numbers
    • Inspector values are compiled into the binary, and are inherently hard to extract
    • Often the weakest link is the communication with the server. You must ensure that server communication is properly encrypted and verified
     
    mahdiii likes this.
  22. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Thank you. My question was not about memory hacks or how to encrypt data.
    I said hackers can find the PHP URL and the security private key so easily and we can't do anything.
    And between keeping them in a script and the inspector, you said it is better to keep them in the inspector :) so cool.
    jimroberts said you must have an authoritative server, which I can't have in this project.
    And finally, the leaderboard can always be hacked if you don't have an authoritative server.
     
  23. Baste

    Baste

    Joined:
    Jan 24, 2013
    Posts:
    3,850
    If you have an online leaderboard where users simply post the data from their single-player game, it will be filled by cheaters. See every single flash game ever - leaderboards consistently have minimum times of 0 and maximum scores of 9999999999, because users snap up the browser-server communication and change the value.

    If I understand what you're trying to do here, you want to add a private-key to the game, and then sign the score with that key. That would make it impossible to just snag the result and then change a value, since the information sent to the server is encrypted.

    The problem here is that you can't hide that private key from the user, so they will be able to sign their own data with your key. It's also trivial for them to change the value you're signing before it gets signed, even if you come up with some crazy scheme where you manage to make it really hard to figure out that signing.

    If you want online leaderboards, you either have to accept cheaters (and manually/automatically remove outrageous scores), or have a game that runs at least partially on the server. Or, you could filter the leaderboard somehow, so the max score doesn't show up. Devil Daggers is brilliant here - it shows your place in the global rankings, and how far away you're from whomever's just above you. This means that if somebody cheats in an impossible score on the top of the boards, that doesn't affect you - you just see how far you're away from getting further up the board.
     
    mahdiii likes this.
  24. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,366
    Another common way is to only show the user high scores in their own social network.
     
  25. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Yes it is perfect to show only the user ranking and local adjacent scores to the user. So only hackers can see their scores. Thank you all
    Thank you. You said I can restrict top scores and recognize but I don't know how many scores are huge!
     
  26. jimroberts

    jimroberts

    Joined:
    Sep 4, 2014
    Posts:
    560
    There is a rather simple solution you could implement by making your server track the start and end time of your game levels.. When you start a new level send the level identifier to the server and authenticate by returning a connection token, a completely unique identifier, to the client. On the server create a timestamp when the level begins; pair it with the token and the user's IP address. Expire the token when the user submits a new score, fails the level, or a significant amount of time passes without any activity from the client. You should then be able to determine if the submitted score is coming from the correct client and is achievable within the starting time and expiration time. If the score is valid you can then add it to your leaderboard.

    This of course requires that you know the maximum possible score based on elapsed play time for each of your levels... Which you should be able to calculate easily.
     
    SparrowsNest, olonge and Kiwasi like this.
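
The token scheme jimroberts describes above, as an added example (not code from the thread or from any poster). Python stands in for whatever the server runs; the class and function names, the per-level rate table and the 600-second limit are assumptions.

```python
import secrets
import time

# Assumed ceilings: most points a player can earn per second on each level.
MAX_POINTS_PER_SECOND = {"level-1": 50, "level-2": 80}   # constructed values
TOKEN_TTL_SECONDS = 600                                   # assumed inactivity limit


class LevelSessions:
    """Server-side table of started levels, keyed by a one-time token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._open = {}  # token -> (level_id, client_ip, started_at)

    def start_level(self, level_id, client_ip):
        if level_id not in MAX_POINTS_PER_SECOND:
            raise ValueError("unknown level")
        token = secrets.token_urlsafe(32)  # unguessable, unique per attempt
        self._open[token] = (level_id, client_ip, self._clock())
        return token

    def fail_level(self, token):
        self._open.pop(token, None)  # a failed attempt can no longer submit

    def submit_score(self, token, client_ip, score):
        """Return (accepted, reason); the token is consumed in every case."""
        session = self._open.pop(token, None)
        if session is None:
            return False, "unknown or already used token"
        level_id, issued_to, started_at = session
        elapsed = self._clock() - started_at
        if client_ip != issued_to:
            return False, "token issued to a different address"
        if elapsed > TOKEN_TTL_SECONDS:
            return False, "token expired"
        if type(score) is not int or score < 0:
            return False, "malformed score"
        if score > MAX_POINTS_PER_SECOND[level_id] * elapsed:
            return False, "score not achievable in elapsed time"
        return True, "ok"


class FakeClock:
    """Controllable clock so the demo does not have to sleep."""
    def __init__(self, now=1_000_000.0):
        self.now = now
    def __call__(self):
        return self.now


def demo():
    clock, ip = FakeClock(), "203.0.113.7"      # documentation-range address
    server = LevelSessions(clock)
    def attempt(seconds, score, from_ip=ip):
        token = server.start_level("level-1", ip)
        clock.now += seconds
        return token, server.submit_score(token, from_ip, score)
    token, honest = attempt(60, 2500)            # 2500 <= 50 * 60
    return {
        "honest": honest,
        "replay": server.submit_score(token, ip, 2500),
        "too_fast": attempt(2, 9999999999)[1],
        "other_ip": attempt(60, 100, "198.51.100.9")[1],
        "expired": attempt(3600, 100)[1],
    }
```

As the replies that follow point out, a fabricated score that stays under the ceiling still passes; the check only keeps the board within achievable ranges.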
  27. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Yes, it is perfect and the score can be computed. If the game is a runner, for example, you can count coins etc. and compute the max score :) but it can be hacked with a lower score, not 999999999999.
    If a game always adds/subtracts a special range of values to a score (for example [-50,+50]) like in competitive games, you can check on the server that the sent additional value is between [-50,+50], but hackers can send many +50 and finally it is hacked, but with a delay.
     
  28. jimroberts

    jimroberts

    Joined:
    Sep 4, 2014
    Posts:
    560
    Yes, you could still "hack" your score but at least the score should be within humanly achievable ranges. All you can really do is help prevent people from being discouraged when trying to climb the leaderboards.

    There is no way (that I can think of..) to completely stop cheating in a computer game. People can always just make bots that are capable of beating your game with a perfect score even if your game is fully simulated on a server and the client is just for input. You ultimately shouldn't waste much time worrying about it.
     
  29. Dameon_

    Dameon_

    Joined:
    Apr 11, 2014
    Posts:
    505
    Your current method isn't just insecure in that anybody can add whatever score they want, they can also perform SQL injection attacks. That's one of many reasons not to allow direct connection. You can design a simple server-side API that handles all these security problems. If making a server API is beyond you, there's lots of solutions out there. For mobile, there's Google Play Games Services for a free option. Just do not do it with your current method; you're not just opening up your leaderboards to hacking, but your entire server.
     
  30. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    799
    Yes, they can if they find the secret key + PHP address, just as the leaderboard can easily be hacked with the same method if you use Google Play services.
    SQL injection can be completely removed with enough knowledge about PHP coding.
     
  31. ReGaSLZR

    ReGaSLZR

    Joined:
    Jun 11, 2015
    Posts:
    7
    I was very interested in this topic because of the question. I was hoping someone was able to provide some steps on the solution but I was disappointed to see that the topic drifted off somewhere.

    Honestly though, has anyone actually tried peeking on the (built game's) values of the variables assigned via Inspector during development?
     
  32. Doug_B

    Doug_B

    Joined:
    Jun 4, 2017
    Posts:
    1,584
    To be fair, the question as stated was fully answered by Kurt-Dekker back in 2016 (in post #3 above). So it could not have drifted off topic. :)

    You can see quite a detailed discussion above around some of the issues involved here. So what question exactly are you looking for a solution to?

    If you can clarify your question to yourself and realise that the discussion above really isn't a sufficient answer, then could I suggest creating a new thread with a very clear statement of the problem you want a solution for. :)
     
  33. xVergilx

    xVergilx

    Joined:
    Dec 22, 2014
    Posts:
    1,635
    Lots of offtopic here. Didn't read it.

    On the topic though - Yes, they can.
    Initial values can be decompiled directly from the source. Serialized values are usually taken from packed assets, such as prefabs and scenes.
     
  34. ReGaSLZR

    ReGaSLZR

    Joined:
    Jun 11, 2015
    Posts:
    7
    I was looking for posts here in this forum regarding the core question "Can hackers decompile inspector values" and steps on the process (if anyone has tried it). I found no definite answer. :)

    Yeah.. :(

    Bottom line, it's possible but no one's ever tried decompiling inspector values from the source yet as there are no steps to replicate this.
     
  35. lordofduct

    lordofduct

    Joined:
    Oct 3, 2011
    Posts:
    6,429
    Nah, people have tried it and succeeded.

    We just don't really discuss it here. None of us are trying to hack unity games.

    But if you search the internet, people have made tools to read the binary data of the various level files, asset files, and resource files of a compiled unity game. With them they can extract textures, audio, and prefabs. And with them they can rewrite those things too.

    It's not like this data is heavily encrypted or anything. It's mostly just binary data in specific formats. If you know the format, you can write a program to read/write it.

    ...

    Here's the thing. Games are hackable, hell entire communities build up around the hacking of games, many game developers cut their teeth in the game hacking communities (mario/sonic hacks for instance).

    No single game engine is fool proof at protecting all the data with their games. No matter what encryption/obfuscation you employ, that data has to be used by the game, so some path to making it intelligible exists.

    Protecting your game from such things come in various methods.

    For example, if you're afraid of your assets getting stolen. Well, that's what Intellectual Property Law (copyright, trademark, etc) exists for. If someone steals your models and uses them, you sue them.

    If you want to protect your multi-player games from being cheated while people are online. You move the logic to the server and you validate your clients from there. Hackers can't access the server (or at least shouldn't be able to). This can get very complicated and there are entire career paths that focus on this sort of thing.

    As for people cheating on a locally played game. Big whoop. Oh no, someone gave themselves infinite lives in your game! I used Game Genie, Action Replay, Game Shark when I was a kid... Konami didn't freak out that I beat 'Contra' with infinite lives. (well you could argue Nintendo freaked out since they tried to sue galoob, but they didn't win)

    If you're concerned about piracy, well... the inspector values isn't your area of concern here. Various copy protection systems exist out there. A good deal of them cost money, or you can roll your own. We don't really discuss that stuff here because it's not really on topic with 'scripting'. If you had a specific DRM library you were trying to implement and needed to write a script that integrates with it... well then that'd be a post you might post here.

    ...

    In the end I refer back to @Kurt-Dekker
     
    Last edited: Jun 4, 2018
    Doug_B, xVergilx and Kiwasi like this.
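
A pre-release check for the point xVergilx and lordofduct make above, as an added example (not code from the thread): search your own build output for the strings you consider secret. String literals in a .NET assembly are stored as UTF-16; checking UTF-8 as well assumes serialized asset data may use it. The function names, file names and file contents are constructed.

```python
import os
import tempfile


def encodings_of(secret):
    """Byte forms the same string can take inside build files."""
    return {"utf-8": secret.encode("utf-8"),
            "utf-16le": secret.encode("utf-16-le")}


def scan_build(build_dir, secrets_to_find):
    """Return sorted (relative_path, secret_name, encoding) for every hit."""
    hits = []
    for root, _dirs, files in os.walk(build_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for label, secret in secrets_to_find.items():
                for enc, needle in encodings_of(secret).items():
                    if needle in data:
                        rel = os.path.relpath(path, build_dir)
                        hits.append((rel, label, enc))
    return sorted(hits)


def demo():
    # Constructed stand-in for a build folder; names and bytes are made up.
    with tempfile.TemporaryDirectory() as build:
        os.makedirs(os.path.join(build, "Managed"))
        with open(os.path.join(build, "Managed", "Game.dll"), "wb") as fh:
            # literal from a script, as it would sit in an assembly
            fh.write(b"\x00\x01" + "fd5kjerkjreb8".encode("utf-16-le") + b"\x00")
        with open(os.path.join(build, "level0"), "wb") as fh:
            # value typed into the Inspector, serialized with the scene
            fh.write(b"\x0b\x00\x00\x00" + b"www.aaa.php" + b"\x00")
        with open(os.path.join(build, "clean.bin"), "wb") as fh:
            fh.write(b"\x00" * 64)
        return scan_build(build, {"server_privateKey": "fd5kjerkjreb8",
                                  "url_php": "www.aaa.php"})


if __name__ == "__main__":
    for rel, label, enc in demo():
        print(f"{label} found in {rel} ({enc})")
```

A hit means the value ships to every player; no hit is weaker evidence, since a compressed file hides the string from a plain byte search without protecting it.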
  36. newjerseyrunner

    newjerseyrunner

    Joined:
    Jul 20, 2017
    Posts:
    598
    Why don’t you just write your own encrypted communication using randomly generated private keys?

    Have your server generate a key and encrypt it using itself. Send that to client. Have client generate its own key, then lock the data again using that and send it to the server. Have the server unlock the package using its own key then send it back. The client can now use its own key to decode the original server’s private key and can use that for the rest of the session but never again because it’s randomly generated on both sides.
     
  37. Armend

    Armend

    Joined:
    Aug 8, 2015
    Posts:
    5
    The SAME key is needed to decrypt the message. So when a client generates a random key and encrypts the information with that random key, then the server needs exactly that key, to decrypt the message and read the data. If the server could just generate a random key and read the data, then the whole thing of encrypting the data would be senseless.

    And if the key is sent over the internet to the server, then a hacker can filter it out of the communication - "man in the middle attack".
     
  38. Baste

    Baste

    Joined:
    Jan 24, 2013
    Posts:
    3,850
    Please don't necro one year old threads.

    Please, please don't necro one year old threads to pick up an argument.

    Please, please, please don't necro one year old threads to show off how you don't understand private key encryption.
     
  39. lordofduct

    lordofduct

    Joined:
    Oct 3, 2011
    Posts:
    6,429
    @Armend - please see public-private key encryption:
    https://en.wikipedia.org/wiki/Public-key_cryptography

    The general idea is that 2 keys exist... the public key locks messages, private keys unlock. You can freely give out your public key since people can only lock messages for you to read with it. You hold onto your private key and unlock them whenever you want to read a message someone sent you.
     
    Lysander likes this.