Can hackers decompile inspector values?

I want to know that hackers can decompile inspector values? and how can to do?
for example

Code (CSharp):

1. public class example:MonoBehaviour{
2. public int a; // initialize into the inspector
3. }

what is the best strategy to initialize important variables like keys etc

 

Is it a hard question?

 

Yes they can.

 

Hi .so how? if you decompile you only see codes. where do you see the inspector values?
and solution to prevent to hack plz

 

This is a forum to discuss Unity-specific scripting issues.

Preventing users from modifying binary data after compilation is not related to Unity.

You may want to try checking around the interwebs to find yourself a 1337 skeeld haxor who can answer your questions.

 

Yeah, you're stepping into a minefield here. The methods are varied, the usefulness of each (or even bothering in the first place) is heavily debatable. Even big-name companies have tons of problems with this topic, and whenever it's brought up here it always devolves into "obfuscation" versus "encryption", "useful" versus "pointless", with most of it being conceptual and theoretical rather than constructive.

The short answer is that making your game "hack proof" is simply impossible if you have any sort of network capabilities built-in. Functionality leads to the potential for abuse, DRMs always fall in the end, and obfuscation lasts only hours (or days at the most) against a serious effort. Anything beyond that is simply debating effort versus reward, and this really isn't the place for that. Sorry.

 

Meanwhile I am spending time to try and make my games worthy enough of getting a hacker's attention to even begin playing it, let alone modifying it!

 

Haha, I hear you- someone found one of my products being shared on a torrent site and it made me pretty happy honestly. It's like a badge of honor! Didn't stop me from sending out a C&D, but whatever, lol.

 

It is the unity discussion. you see my question?"
"Can hackers decompile inspector values in unity?"
you probably don't see many forums about hacking unity here and solution!!
if I don't ask the question where I ask?!!! it is absolutely about unity
If the question has been answered before plz show me(refer)

 

I asked where the private key and site names must be.(in the code with obfuscation or into inspector or server ...)

 

Your entire game can be decompiled/disassembled in less than a few seconds. You should be storing "private keys" on a server somewhere and using some form of server side authentication. If you explain in further detail what your "private key" is for it would help us get a better picture of what you're trying to do.

 

thx. private key for example AES key to store data in local database
so I will have url php address for the server right?
so hackers can see the address and authentication server key and can easily send data to the server
so why we need to keep private key into the online server?
they can connect to online database through php address!
unity example: it has been implemented like that

Code (CSharp):

1. public class example:MonoBehaviour{
2. string url_php="www.aaa.php";
3. string server_privateKey="fd5kjerkjreb8";
4. string json_data;
5. void Start(){
6. }
7. IEnumerator send_data(){
8.      WWWForm wwwform = new WWWForm();
9.      wwwform.AddField("pk", server_privateKey);
10.      wwwform.AddField("data", json_data);
11.      WWW www = new WWW(url_php,wwwform);
12.      yield return www;
13. }
14. }

 

I'm still slightly confused by your reply.. I assume you're storing an AES key in your client and using it to authenticate with a remote database?? It doesn't really matter regardless as you should never allow clients to connect directly to your database. You need to take a step back and create an actual server that communicates with your clients. It's extremely important that your server and only your server has direct read/write access to your database.

 

no I said AES key is a key to encypt data(and then json string is stored). I wanted to keep my data in the local database
but you said it is better to keep them into the online server. So I see hackers can connect to my php url easily and if I use a private_key to authenticate a client and send them with data to the server hackers can do that too.

Code (CSharp):

1. <?php
2. if($server_privateKey=="fd5kjerkjreb8"){
3. //connect to server
4. }
5. >?

 

yes I know that clients must never be allowed connected to the server directly
I only said in this condition, a hacker can send the desired data(for his own) to the sever.

 

Your wording is insanely confusing but like I said.. You probably need to design an authoritative server that communicates with your clients. This includes a data packet format protocol. Once you design the protocol you wont have any need for storing your "private key" in the client. Any received data that does not match the protocol should be considered invalid and result in a client disconnect. If all the incoming data is valid then you could only assume the client is also valid.

This is why most online games require a username and password. They use it to authenticate the client connection.

 

plz see http://wiki.unity3d.com/index.php?title=Server_Side_Highscores
it is not a secure method to add score. I don't know how to do that
you said authoritative server:
A client sends a packet(his username and password)+data to the server and the server checks and verifies it. Then if it was verified for example his score is updated?
So can't a hacker register into the game(username+password) and then send the desirable data? huge score?

 

http://forum.unity3d.com/threads/how-to-stop-mysql-leaderboards-being-hacked.283980/
it is cool post but you see hackers can hack the leaderboard or other things easily
they can only hack their own scores not others.
what about SSL connection?

 

It doesn't matter if you use an encrypted connection. If your client is authoritative and is allowed to send important data that is accepted by your server then there is nothing you can do to prevent "hacking". Most online games simulate the entire game on the server and simply use the client to determine input. You could come up with some convoluted way to verify incoming data is more realistic but it would still be easily "hackable". You'd include the time played with the score and figure out if the score could actually be achieved by the client on the server.

Basically what I'm trying to say is that a leaderboard will always be "hackable" as long as the server is not completely authoritative.

 

thank you. It is true but my game is not online. it only has the leaderboard.

 

There was an excellent unite presentation on security a few years back. I think it's this one, but haven't watched to verify.

Some short points

• Code in Unity games is totally unencrypted and can be opened by simply dropping the dll file into MonoDevelop or VisualStudio. Any hard coded values in code are totally transparent
• Memory hacks are relatively straight forward for numbers
• Inspector calues are compiled into the binary, and are inherently hard to extract
• Often the weakest link is the communication with the server. You must ensure that server communication is properly encrypted and verified

 

Thank you. My question was not memory hack or how to encrypt data
I said hackers can find url php and security private key so easily and we cant do anything.
and between keep them into a script and the inspector you said it is better to keep in the inspector so cool.
jimroberts said you must have authoritative server that I cant have in this project.
and finally the leaderboard can always be hacked if you don't have an authoritative server

 

If you have an online leaderboard where users simply post the data from their single-player game, it will be filled by cheaters. See every single flash game ever - leaderboards consistently have minimum times of 0 and maximum scores of 9999999999, because users snap up the browser-server communication and change the value.

If I understand what you're trying to do here, you want to add a private-key to the game, and then sign the score with that key. That would make it impossible to just snag the result and then change a value, since the information sent to the server is encrypted.

The problem here is that you can't hide that private key from the user, so they will be able to sign their own data with your key. It's also trivial for them to change the value you're signing before it gets signed, even if you come up with some crazy scheme where you manage to make it really hard to figure out that signing.

If you want online leaderboards, you either have to accept cheaters (and manually/automatically remove outrageous scores), or have a game that runs at least partially on the server. Or, you could filter the leaderboard somehow, so the max score doesn't show up. Devil Daggers is brilliant here - it shows your place in the global rankings, and how far away you're from whomever's just above you. This means that if somebody cheats in an impossible score on the top of the boards, that doesn't affect you - you just see how far you're away from getting further up the board.

 

Another common way is to only show the user high scores in their own social net work.

 

Yes it is perfect to show only the user ranking and local adjacent scores to the user. So only hackers can see their scores. Thank you all

Thank you. You said I can restrict top scores and recognize but I don't know how many scores are huge!

 

There is a rather simple solution you could implement by making your server track the start and end time of your game levels.. When you start a new level send the level identifier to the server and authenticate by returning a connection token, a completely unique identifier, to the client. On the server create a timestamp when the level begins; pair it with the token and the users ip address. Expire the token when the user submits a new score, fails the level, or a significant amount of time passes without any activity from the client. You should then be able to determine if the submitted score is coming from the correct client and is achievable within the starting time and expiration time. If the score is valid you can then add it to your leaderboard.

This of course requires that you know the maximum possible score based on elapsed play time for each of your levels... Which you should be able to calculate easily.

 

yes it is perfect and the score can be computed. if the game is runner for example you can count coins etc and compute max score but it can be hacked with fewer score not 999999999999;
If a game always add/subtract a special range of values to a score (for example [-50,+50]) like in competitive games, you can check in the server that the sent additional value must be between [-50,+50] but hackers can send many +50 and finally it is hacked but by delay.

 

Yes, you could still "hack" your score but at least the score should be within humanly achievable ranges. All you can really do is help prevent people from being discouraged when trying to climb the leaderboards.

There is no way(that I can think of..) to completely stop cheating in a computer game. People can always just make bots that are capable of beating your game with a perfect score even if your game is fully simulated on a server and the client is just for input. You ultimately shouldn't waste much time worrying about it.

 

Your current method isn't just insecure in that anybody can add whatever score they want, they can also perform SQL injection attacks. That's one of many reasons not to allow direct connection. You can design a simple server-side API that handles all these security problems. If making a server API is beyond you, there's lots of solutions out there. For mobile, there's Google Play Games Services for a free option. Just do not do it with your current method; you're not just opening up your leaderboards to hacking, but your entire server.

 

Yes they can, if they find secret key+php address , as if you use google play services the leaderboard can easily be hacked with the same method.
SQL injection can completely be removed with enough knowledge about php coding

 

I was very interested in this topic because of the question. I was hoping someone was able to provide some steps on the solution but I was disappointed to see that the topic drifted off somewhere.

Honestly though, has anyone actually tried peeking on the (built game's) values of the variables assigned via Inspector during development?

 

To be fair, the question as stated was fully answered by Kurt-Dekker back in 2016 (in post #3 above). So it could not have drifted off topic.

You can see quite a detailed discussion above around some of the issues involved here. So what question exactly are you looking for a solution to?

If you can clarify your question to yourself and realise that the discussion above really isn't a sufficient answer, then could I suggest creating a new thread with a very clear statement of the problem you want a solution for.

 

Lots of offtopic here. Didn't read it.

On the topic though - Yes, they can.
Initial values can be decompiled directly from the source. Serialized values usually taken from packed assets, such as prefabs and scenes.

 

I was looking for posts here in this forum regarding the core question "Can hackers decompile inspector values" and steps on the process (if anyone has tried it). I found no definite answer.

Yeah..

Bottom line, it's possible but no one's ever tried decompiling inspector values from the source yet as there are no steps to replicate this.

 

Nah, people have tried it and succeeded.

We just don't really discuss it here. None of us are trying to hack unity games.

But if you search the internet, people have made tools to read the binary data of the various level files, asset files, and resource files of a compiled unity game. With them they can extract textures, audio, and prefabs. And with them they can rewrite those things too.

It's not like this data is heavily encrypted or anything. It's mostly just binary data in specific formats. If you know the format, you can write a program to read/write it.

...

Here's the thing. Games are hackable, hell entire communities build up around the hacking of games, many game developers cut their teeth in the game hacking communities (mario/sonic hacks for instance).

No single game engine is fool proof at protecting all the data with their games. No matter what encryption/obfuscation you employ, that data has to be used by the game, so some path to making it intelligible exists.

Protecting your game from such things come in various methods.

For example, if you're afraid of your assets getting stolen. Well, that's what Intellectual Property Law (copyright, trademark, etc) exists for. If someone steals your models and uses them, you sue them.

If you want to protect your multi-player games from being cheated while people are online. You move the logic to the server and you validate your clients from there. Hackers can't access the server (or at least shouldn't be able to). This can get very complicated and there are entire career paths that focus on this sort of thing.

As for people cheating on a locally played game. Big whoop. Oh no, someone gave themselves infinite lives in your game! I used Game Genie, Action Replay, Game Shark when I was a kid... Konami didn't freak out that I beat 'Contra' with infinite lives. (well you could argue Nintendo freaked out since they tried to sue galoob, but they didn't win)

If you're concerned about piracy, well... the inspector values isn't your area of concern here. Various copy protection systems exist out there. A good deal of them cost money, or you can roll your own. We don't really discuss that stuff here because it's not really on topic with 'scripting'. If you had a specific DRM library you were trying to implement and needed to write a script that integrates with it... well then that'd be a post you might post here.

...

In the end I refer back to @Kurt-Dekker

 

why don’t you just write your own encrypted communication using randomly generated private keys?

Have your server generate a key and encrypt it using itself. Send that to client. Have client generate its own key, then lock the data again using that and send it to the server. Have the server unlock the package using its own key then send it back. The client can now use its own key to decide the original server’s private key and can use that for the rest of the session but never again because it’s randomly generated on both sides.

 

The SAME key is needed to decrypt the message. So when a client generates a random key and encrypts the information with that random key, then the server needs exactly that key, to decrypt the message and read the data. If the server could just generate a random key and read the data, then the whole thing of encrypting the data would be senseless.

And if the key is send over the internet to the server, then hacker kann filter it out of the communication - "man in the middle attack".

 

Please don't necro one year old threads.

Please, please don't necro one year old threads to pick up an argument.

Please, please, please don't necro one year old threads to show off how you don't understand private key encryption.

 

@Armend - please see public-private key encryption:
https://en.wikipedia.org/wiki/Public-key_cryptography

The general idea is that 2 keys exist... the public key locks messages, private keys unlock. You can freely give out your public key since people can only lock messages for you to read with it. You hold onto your private key and unlock them whenever you want to read a message someone sent you.