Search Unity

  1. Unity 2019.2 is now released.
    Dismiss Notice

Hack resistance?

Discussion in 'Editor & General Support' started by Hanford, Jan 24, 2009.

  1. the_gnoblin

    the_gnoblin

    Joined:
    Jan 10, 2009
    Posts:
    722
    I am talking about art assets.
     
  2. the_gnoblin

    the_gnoblin

    Joined:
    Jan 10, 2009
    Posts:
    722
    Oops.
    Scenes can be opened too.

    ----> great. Take a build, open it up almost like the original source project :eek:
     
  3. the_gnoblin

    the_gnoblin

    Joined:
    Jan 10, 2009
    Posts:
    722
    And assetbundles can be opened and used in Editor.
     
  4. xomg

    xomg

    Joined:
    Sep 27, 2010
    Posts:
    330
    You can also open up and re-use every data file from any game written in the Unreal 3 engine, including any scripts they've written. That's usually most of the game logic. The world has not yet ended, though.
     
  5. Fluffy-Tails

    Fluffy-Tails

    Joined:
    Jun 28, 2009
    Posts:
    113
    No offense... but if you don't want people cheating by messing with their health or ammo, why would that matter anyway?
    Its curiosity.

    Its a different story if you didn't want your game hacked and all the models and such dissected... but why would it matter if that just makes your game just as valuable?

    I actually found some games FAR more enjoyable when I found cheats, glitches and other stuff which wasn't mean to be in it... that is really fun when the game is over.
     
  6. LamentConfig

    LamentConfig

    Joined:
    Sep 28, 2010
    Posts:
    292
    I think people are more concerned not about cheating, but when results of cheating are saved to a high score table etc; Fine to have infinite health locally, but when it means your score is 50 million times more than the person who didn't cheat on the online high score table it doesn't seem fair.
     
  7. Fluffy-Tails

    Fluffy-Tails

    Joined:
    Jun 28, 2009
    Posts:
    113
    I agree with you on that Lament.
    Cheating online is a big no-no and I can see why you would say that.

    If like you said its locally and not on a server, that should be fine.
    My idea was that it was a stale game where it only records information on the computer, not on a server.

    Good luck on that though, just wanted to provide my two cents on that pet peeve of mine lol
     
  8. Brad-Keys

    Brad-Keys

    Joined:
    May 1, 2006
    Posts:
    161
  9. Vinícius Sanctus

    Vinícius Sanctus

    Joined:
    Dec 14, 2009
    Posts:
    282
    Grown men talking about important stuff. I wish i had something worth to protect from hackers! =)
     
  10. gamestudio

    gamestudio

    Joined:
    Mar 10, 2010
    Posts:
    27
    I try to search a lot of obfuscator programs to protect my source. I think everyone can solve it too. Please try.

    Result of my game in .Net Reflector :
    $image1.jpg

    Result of my game in Dis# :
    $image2.jpg

    Please visit my page :
    http://www.arcadeindy.com/unity3d1.html

    This is a Example WebPlayer games :
    Othello
     
  11. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    Unbelievable!

    I just read TWO years of messages and no decent answer from UT.

    In a industry so IP-centric it's inconceivable a game engine/editor not
    having a decent solution for IP theft. It's too easy for someone to steal
    someone else's work. Game ASSETS INCLUDED! Unbelievable!

    And the argument that goes like "we are not alone / that's a problem
    with .net / engine xyz has the same issue" is a weak excuse. If everybody
    started jumping from buildings it isn't a reason for me to follow suit.

    UT could and should have a decent solution for this!

    --
    Inovora
     
  12. Eric5h5

    Eric5h5

    Volunteer Moderator Moderator

    Joined:
    Jul 19, 2006
    Posts:
    32,121
    At least for graphics/sounds, it's completely impossible to prevent it. This is true for every single game ever: if it exists in memory in a usable form (which it must), then you can take it if you want. There's nothing anyone can do about it, unless you want to ban all computer games everywhere and force everyone to use nothing but OnLive. UT could do something about making the code not so trivial to get, though, which is more important anyway.

    --Eric
     
  13. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    Anything Unity does to prevent hacking, will be considered a challenge to those who would hack it, which they would, and probably in a couple of days. The more secure, the bigger the challenge, the more who'll try it. The methods will then filter down through the ranks until it's finally made into a click and not think form for the script kiddies to use. Even then you can't pin all the blame on the Unity devs either. There's software out there which intercepts data going to and from the video card, so you can grab practically any model you want in practically any DirectX game (and I suppose there's ways to do it just as easily in OGL too).

    Take sound for example. No matter what protection, security, and millions spent on making it un-piratable.. A guy with a tape recorder and a small amount of patience would be entirely unaffected.

    There's really nothing to be done about it, you can put enough security in to keep the script kiddies away for the most part, but if someone REALLY wants your assets, they're gonna get it. It's like having sex with Kobe Bryant. You can kick and scream all you want... but it's still gonna happen. - Family Guy
     
  14. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,435
    There are methods to prevent (or at least deter) hacking. You just need to do a bit of homework to find them.
     
  15. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    If someone really wants to have a specific game asset or script he will get it.
    Ok. That was already said here many times.

    So why do we all use keys and locks? There must have a reason we all have
    doors in our houses.

    The point is: it's too easy to steal IP from any unity game. Too easy. And it's
    amazing no decent answer has been given all this time.

    The current state it's like parking your car in a desert street with the windows
    open and the key on the ignition. If you're a publisher of some game assets
    like the ones in the asset store, don't publish an online demo of your tool!
    Heck, nobody... don't publish a demo of your game!

    A good built-in obsfucator + some other measures (like a proprietary format)
    could get away with the majority (say 90%) of the cases. I'm sure it isn't rocket
    science for UT to come with a decent solution.

    As I once read about anti-piracy measures: "just do enough to keep honest
    people honest"


    --
    Inovora
     
  16. Don-Gray

    Don-Gray

    Joined:
    Mar 18, 2009
    Posts:
    2,270
    "why do we all use keys and locks"

    For one thing the people that want in on this property can do it pretty much without fear of getting caught
    where if in your neighbohood it's much easier to catch and enforce the breakin,
    though much of that has gone by the wayside too if you've ever had a break in,
    unless the property is somehow marked or unique.
    Though I am already looking into some sort of copy protection here, too.
     
  17. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    Like I said, to put off the opportunists, but if someone wants in, they'll kick down the door. Make it a thick steel door, they'll bring cutting tools and explosives. Make it fancy computer systems and encryption, Alan Rickman and a bad German impression.


    I really don't think it's worth worrying about, well it is, but it's not worth losing sleep over. If someone wants it, they'll get it. The real problem isn't so much the "pro" hackers who see it all as a challenge. It's the script kiddies. Thing about them is, they'll download all kinds of stuff illegally, then not know what to do with it, get frustrated, bored, give up and move on. While the "pro's" simply wont care, but it's their abilities to hack the things in the first place as a challenge, that ultimately makes it more accessible to the bottom feeders. Remove that challenge, you remove their involvement, and any real helpline for the ones at the bottom.

    An alternative I'm looking at, is simply making all the assets available. If it's all there, there's nothing to hack, no challenge for that group of people, while the script kiddies will use whatever, but since everyone knows where it all came from, they'll not be able to pass it off as their own and simply provide free advertising every time someone calls them on it and links back to the source if they try claim they did it. It'll be like using Poser models. Everyone knows it's a poser model they didn't make themselves, nobody is impressed.

    Another alternative is to tie everything so strictly into your project, with such a distinctive visual style, that having it used elsewhere would stick out like a sore thumb.

    You could also make all your scripts really complicated and difficult to understand and use outside of your project. Those who could understand them, would be quite capable of writing their own and be able to do it quicker than trying to clean yours up. While those most likely to steal them, wouldn't have the knowledge to get them working properly. Those types will always want something NOW that requires no effort to use, they don't read manuals (slows down their torrents, why download em lol) and due to lack of any real study (requires effort) assume everything can be done with a few clicks.

    Heck, go visit a few piracy forums. You have your small group of moral pirates, who'll pirate expensive software but refuse to steal from regular guys trying to make an honest living. Then you've got a large percentage of leeches, mostly kids, who'll download whatever they can, contribute nothing, get angry a lot, and quickly move onto the next "big thing" a few days later. Hell most of those don't even know how to use .rar files, so it's not like you're facing off against supreme masterminds in that case. Make things difficult enough to tax those types and they'll be gone in a few days.

    So I suppose that's what it sums up to. You'll never stop things being hacked, but you can make it annoying enough to put off the majority.
     
  18. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    Good point on the script kids vs pro hackers creating tools for them.

    But what if you spent 1 year developing a game and another unity
    developer don't want to start from the scratch and "have a look" on
    your year-worth project?

    Certainly he could do it anyway. But I bet he wouldn't if "it's more
    expensive to break the lock than the treasure inside the chest".

    So what UT could do about it? Very much... only they have access
    to file formats etc

    --
    Inovora
     
  19. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    Well taking a peek is fine, IMO anyway. Everyone is curious how things are put together. Nobody on this forum I don't think, can say they've never had a game with an editor and didn't load up one of the maps to "take a peek" and see how it's done. It's just part of the learning process, can be quite an eye opener, and is almost always interesting. It's not much different to asking how to do some technique on a forum. In all honesty I wish more would do that. It makes me cringe when I see unoptimized webplayer uploads where no thought has gone into behind the scenes stuff, or they're expecting insane effects they -thought- they saw in another game, only for that game to have faked it, but since they didn't look under the hood, they don't know that.

    If they start pulling out chunks of it and calling it their own, that's another story. Though most that start cutting corners that early on will generally go the way of the many indie MMO "devs" that appear and disappear just as quickly.
     
  20. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    I put the quotes on "have a look" sarcastically...

    The idea of developing a game for so long and have no protection whatsoever is scary...

    That is not the way you build a meritocracy system...
     
    Last edited: Feb 27, 2011
  21. Don-Gray

    Don-Gray

    Joined:
    Mar 18, 2009
    Posts:
    2,270
    My main goal is to keep the number of copies of the game to the number of people who bought it,
    the rest for me isn't all that important since my models aren't that sophisticated and the code
    most likely isn't going to be of much use to anyone who isn't already capable of creating their own.

     
  22. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    Not to mention the fact that you can't write your hash keys (md5 etc) safely in your code...
     
  23. Eric5h5

    Eric5h5

    Volunteer Moderator Moderator

    Joined:
    Jul 19, 2006
    Posts:
    32,121
    You don't seem to get it: it's exactly as easy to steal IP from any game, including AAA games that cost millions of dollars to develop and have heavy copy protection, and this will not change, nor is there anything UT can do. In order for graphics cards to display graphics, and for sound cards to produce sound, the assets must exist in memory in a form that can be easily ripped. Unity does bundle graphics and sounds into a custom file format, which many games don't even bother with, so that's the best "lock" you will ever get for those assets.

    In order for any useful discussion to take place, this needs to focus on code only. Forget about other assets; you have to rely on copyright law to protect those.

    --Eric
     
  24. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    @Eric

    Without being combative: Yeah I get it. It's possible! I already recognized that.

    The point again is, to hack a unity game is TOO EASY! Look at this:

    http://en.unity3d.netobf.com/unity3d_decompiler

    just a few clicks to hack a webplayer game (the "harder" one).

    Why should I pay $150 for a basic layer of security like their product?

    http://en.unity3d.netobf.com/unity3dobfuscator

    Also my main concern IS code decompilation and security (hash key
    discovery).

    And yeah, UT doesn't need to give a definitive answer to the question
    but could do a lot to help protect IP. That's not rocket science.

    --
    Inovora
     
  25. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    I don't think you're reading anything anyone is saying. Yeah so it's too easy now (even easier thanks to people linking to said programs, cheers for that btw, saved me going to look myself, lol). So Unity does some changes, makes programs like the above no longer work. Three weeks later, another bunch of programs come along that can get around the even more advanced protection Unity added, and you're back to square one, and so on and so on and so forth, every time a brief period of safety followed by "it's too easy to hack".

    Do you not see? You're asking for more protection, but as that protection WILL be hacked into, a few weeks later you'll be exactly where you are right now. Do you see?
     
  26. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33

    Sure I already thought about an arms race.

    About the links, they are gone to be spread anyway, don't you think? The problem lies
    not on these links but exactly on the lack of a reasonable solution for this issue.

    Well I think the product the page I linked above isn't useful at all then? So why people
    all over the world are using obfuscators?

    I think you are the one not reading what I wrote. We don't need a solution that solves
    definitely the problem. We need a solution that makes the effort to try to steal someone
    else's work a pain in the as*.

    --
    Inovora
     
    Last edited: Feb 27, 2011
  27. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    This whole discussion is worthless.

    Obviously, UT don't give a damn to this issue. It has been 2 years since the start of this thread.

    --
    Inovora
     
  28. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    Well that's back to what's been said already, it's down to different types of people. What will be a pain in the ass for one kind, wont be for another.

    So from my perspective, Unity would already be a pain in the ass to rip assets from other people's games, I'd not know where to begin, or really make much of an effort to do it due to apathy. Or it was until you provided those links, now you've made it too easy "from my perspective".

    So wouldn't that mean that the solution to make the effort to try steal someone else's work a pain in the ass, be to get rid of you? lol, I'm sorry, but I was cracking up laughing as I wrote this and we shouldn't take all this too seriously really. It's not worth getting angry over. :)
     
  29. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    That's was funny. :)
    But being ripped off isn't... :(
     
    Last edited: Feb 27, 2011
  30. Quietus2

    Quietus2

    Joined:
    Mar 28, 2008
    Posts:
    2,060
    This was all covered previously in this thread. I wish people who decided to bump this thread wouldn't just read the first and last pages.

    Oobfuscators are worthless, for there is a de-obfuscator for every obfuscator. At least, for the popular commercial packages. Having one built into Unity would be worthless.

    1) Webplayer type packing/encryption for standalones.
    2) AOT.
    3) Light obfuscation with an unknown package written by some univ guy in his basement.
    4) Use coroutines for everything instead of Update();

    All covered and discussed in detail previously in this thread.

    #1 and #2 would require action from Unity, which after 2 years now I seriously doubt they have any interest in. #3 and #4 you can manage yourself.
     
  31. vortexilation

    vortexilation

    Joined:
    Sep 25, 2009
    Posts:
    285
    For the best solution would be built-in dynamic obfuscator by unity player, so it have different random method to obfuscated whenever each time the game/web player run, it's quite easy for a cracker to resolve obfuscated code if the obfuscated code the same, so if somehow unity can implement dynamic obfuscated code it would be harder for them :), not to mention on top of it AOT :D, this is not crack-proof but good enough to scares away kiddies but for scene cracker who cracking dongle and AAA games everyday it's just matter of days :), if your game not famous enough this kind protection more than enough. Moreover added with simple encryption, relying too heavily on encryption would be damaging our fps :(, there should be a perfect balance between protection and games performance.

    Few months ago i've been tinkering around the mono AOT for windows and webplayer but it seems at the end i've found out it's not supported.

    Oh yeah btw the term hacker has been miss used for 'bad' people infiltrate a system, they should be called cracker, hacker mostly the good guys :) like the one who made open source kinect driver.
     
  32. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    Supose there was a basic obfuscator inside Unity and UT give us the ability
    to inherit and modify methods for, say, string scrambling/unscrambling.

    That would easy hash key protection. It would be hard for a cracker to come
    with a solution for thousands of different specialized obsfucators.

    Similar solutions could be created for other "extensions points" of the
    built-in obsfucator.

    Inovora
     
  33. Quietus2

    Quietus2

    Joined:
    Mar 28, 2008
    Posts:
    2,060
    That makes no sense and would fall prey to Occam's Razor.

    Any such utility needs to be a post-build function, as you want it working on the output assembly not your source code. Unity doesn't need to do anything to 'grant' you hooks into any obfuscation...they already exist!

    You have the assembly sitting on your hard drive which you can obfuscate to your heart's content. You have the source, into which you can code your own string encryption methods similar to the bit twiddling functions for scores posted previously in this thread.
     
  34. Inovora

    Inovora

    Joined:
    Oct 29, 2009
    Posts:
    33
    Not my source code. Unity´s internal obsfucator code. Eventually someone could
    come with a partial solution using the postprocessbuildplayer and modifying
    an existing obfuscator. Too much trouble and no focus on one´s game...

    BTW, I really don´t understand your attitude. I´m just trying to help...

    --
     
  35. nikko

    nikko

    Joined:
    Mar 20, 2009
    Posts:
    436
    does anyone has a proof that the asset (graphics etc...) can be extracted?
    I was giving demo of my assets and I am not sure if I will do it in the future.
    As far as I can read, the .NET can be extracted but the Assets themselves?
     
  36. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    There's ways to get the entire code, and ways to get the art and models. The art side of things is probably a lost cause due to the method it can be done. But encryption would at least save the code itself.
     
  37. Rugnor

    Rugnor

    Joined:
    Apr 4, 2011
    Posts:
    2
    I think I dont really get the limits of what they can or cannot make.
    Could they (I'm facing this fear right now), by some way, in the context of an authoritative server networked game, spam game objects on all clients by repeating a network instantiate of some random transform from the game? (of course supposing you do not give this possibility in the original code)
     
  38. 2dfxman1

    2dfxman1

    Joined:
    Oct 6, 2010
    Posts:
    1,065
    If your game has a poor version and server check and lets in modified games, sure it can. If your serverside is poor, you could do quite a lot with clear access to code.

    But if your server is actually properly coded, most of these problems can be eliminated.
     
  39. Rugnor

    Rugnor

    Joined:
    Apr 4, 2011
    Posts:
    2
    Ok, I see, thank you so much for the fast reply.

    Could I get a good version/game check with just tools provided by Unity or some not-built-in, external file integrity checker would be necessary?
    I'm really new into this kind of security problems, I'm sorry if I'm asking obvious things.
     
    Last edited: Apr 4, 2011
  40. nikko

    nikko

    Joined:
    Mar 20, 2009
    Posts:
    436
    Sorry to insist but the only thing I can read here and there is that, the assets (graphics, meshes etc...) can be decrypted but nobody comes with any proof of it, like it has been posted for the scripts and .net.
    I know that .net can be opened and it is the case for long time, but the assets are something else.
    Saying yes it is possible, is not enough.
    I want to know if someone did it and have some pictures showing that it is possible.
    Otherwise it is only gossips to scare the people around.
     
  41. 2dfxman1

    2dfxman1

    Joined:
    Oct 6, 2010
    Posts:
    1,065
    Not possible. If you do it only with unity tools, someone can just change the code to skip the check altogether lol.
     
  42. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    I'm not going to be the one responsible for giving the names of two programs that can easily grab the textures and models, out on the forum and let even more people know about their existence, that would be a stupid thing for me to do.

    I'll just remind you that anything sent to the GPU is up for grabs, and that google is your friend (or if you're afraid of losing your art, your enemy too).
     
  43. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,435
    Believe what you want. It can be done and I've done it to see for myself how difficult or easy it is to do. As I said in another thread, the hardest part of the process was installing some of the tools that are used to steal the assets. I also agree with Frank, posting a detailed description of how it was done and the end result would not be in the best interest of my fellow Unity developers, so I won't do it either.
     
  44. coin-god

    coin-god

    Joined:
    Jan 21, 2010
    Posts:
    325
    It works with AAA games, so it can be done with Unity aswell. Your 3D Assets and Textures will never be safe if you make a game.
     
  45. Gutterpunk

    Gutterpunk

    Joined:
    Nov 20, 2009
    Posts:
    25
    Of course it's possible. No applications in the history of computing made it's assets to be completely obscured. People have been ripping all sort of assets from games for ages. Heck, I remember writing a Doom WAD reader/extractor 20 years ago...

    Now, the question is : Does anyone care enough about Unity, or a particular game made in Unity, to do it? Who knows.... but asking for proof is kinda useless. If Unity can read your assets, then someone else can. If Unity gets big enough, or some game get popular enough, tools will be made.

    Imagine if Minecraft had been made in Unity... you'd be knee deep in mod tools as we speak, regardless of the language/tools used to make it.
     
  46. Quietus2

    Quietus2

    Joined:
    Mar 28, 2008
    Posts:
    2,060
    You must not be very good with google.

    They are generally configured as a device driver which intercepts the vertex and texture information being sent to the video card. Encryption is irrelevant at that stage.
     
  47. Dreamora

    Dreamora

    Joined:
    Apr 5, 2008
    Posts:
    26,603
    Correct.
    The only two things you can halfway protect are
    1. Animations - as they are not sent as a stream or alike only their impact
    2. Code

    For the former you don't need to do anything, the custom format used by unity does it
    For the later, a good obfuscation tool does the job.
     
  48. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,435
    One thing that should be easy to do and might at least limit a non-hacker's access to the code would be to hide the location of the .unity3d file. I haven't tried this yet (and I'm by no means an HTML coder), but perhaps it could be done with PHP? The default html file that Unity creates for a webplayer is just too easy to defeat, even still, it's what most of us use anyways.
     
  49. Dreamora

    Dreamora

    Joined:
    Apr 5, 2008
    Posts:
    26,603
    hiding makes no sense unhappily as its always offered as ref and not as binary to the users browser, otherwise the plugin won't pick it up.
     
  50. Quietus2

    Quietus2

    Joined:
    Mar 28, 2008
    Posts:
    2,060
    If a DLL is in memory to be executed and is instead being saved off via OllyDbg, then it is long past the being hidden stage.