Search Unity

  1. Get the latest news, tutorials and offers directly to your inbox with our newsletters. Sign up now.
    Dismiss Notice

Hack resistance?

Discussion in 'Editor & General Support' started by Hanford, Jan 24, 2009.

  1. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,434
    I'm trying to remember where I saw it, but one of the on line game portals that posts Unity games managed to hide the .unity3d file somehow. Perhaps I'm not explaining myself clearly, but what I mean by "hiding" a .unity3d file is that the path and name of the file doesn't appear when you select "view source" in your browser. I know it would be a very weak level of protection, at best, but might at least keep the honest people from accessing the player so easily.

    Regarding obfuscators, is there one that people here are using and have been happy with?
     
    Last edited: Apr 5, 2011
  2. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,434
    @Quietus - I was talking about webplayers which don't use .DLL's.

    Granted, hiding the .unity3d file offers very poor protection, it just bugs me that the default html web page makes it so easy to steal the entire player. :p
     
  3. Dreamora

    Dreamora

    Joined:
    Apr 5, 2008
    Posts:
    26,601
    That and you could just hook an intercepter in form of a plugin to pull automatically any data with the unity webplayer mimetype
     
  4. Quietus2

    Quietus2

    Joined:
    Mar 28, 2008
    Posts:
    2,058
    Webplayers do use DLL's, what makes you believe they don't? Parts of that Unity3d file of yours are extracted into memory as your standard unityscript and csharp dll's, the same ones from the standalone build.

    Info on that around half way through this thread, where we were using OllyDbg to save them off.

    The process turns out to be rather trivial and there are video tutorials about showing you step by step how to go about it Generally not for unity, but the same process to defeat obfuscators that decrypt dll's into memory from a packed disk format.
     
  5. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,434
    @Quietus - I stand corrected. I was confusing "external" .DLL's with those that are packed into a .unity3d file.

    Does anyone know what the major portals that post Unity webplayers are doing to protect the game's assets? Or are they doing anything at all? I looked at a Kongregate html file and it appeared that they had at least hidden a direct link to the file some how. Do they also obfuscate the code?
     
  6. Quietus2

    Quietus2

    Joined:
    Mar 28, 2008
    Posts:
    2,058
    An unsavory individual would tend to pirate a game by stealing it directly from the browser cache, not by downloading it from the webserver with a secret hidden link. Same goes for shockwave files too.

    If you don't want your game stolen, your game needs to be aware of where it is running. There is nothing you can do to stop them from obtaining your Unity3d file. You are after all sending it to them!

    That's up to the developer not them.

    I do wonder though what security measures they take with their subscription games and such as there is more than monopoly money involved.

    You can decompile a flash game as easily as you can a Unity game. However it's a hell of a lot easier to re-inject your own modified version of the Flash game. You just replace the version in the cache with your recompile that has god-mode turned on or whatever.

    A lot of mmo gaming guilds have forums which include those cheesy flash arcades. It's a lot of fun to beat everyone's score by 1 point in every game... including the ones that increment their score by 10! Flash games were never obfuscated making such a task effortless.
     
  7. nikko

    nikko

    Joined:
    Mar 20, 2009
    Posts:
    436
    I never asked how to do it. I just want to be sure it is not a gossip. I was posting webplayer of my demos, now I removed them... do I overreacted? I just want to be sure.

    Also if you intercept the graphics, you get them in such a shame way that it is very hard to reuse them.
    What I am scared about is to have a way that people can take the assets0.asset and unpak it with the folders and everything, so that you can re-create the project.
    Having a bunch of textures and mesh in a messy way would ask so much work to put them together that it is not worth doing it.
     
    Last edited: Apr 5, 2011
  8. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    I have very little knowledge of technical things like that, but even I could take a webplayer and pull practically all I wanted out of it. I never would cause a) I'm too lazy b) that's not who I am. But the point is, if I could do it, thousands could. :(

    I did though once try the GPU thing with Guild Wars, to see if it worked at all.. it does work, results weren't great, but it worked, and we all know how well protected Arenanet keep that game.
     
  9. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,434
    @nikko - Understood. Like yourself, my only interest in testing it was to see for myself if it could be done. There are a couple people here who don't post webplayers and now that I've learned how unprotected a webplayer is, I can't say that I blame them.
     
  10. Frank Oz

    Frank Oz

    Joined:
    Oct 13, 2010
    Posts:
    1,561
    I'm assuming the same hack issues apply to standalone PC too? And that Mac's are safe cause nobody uses those.. ;)
     
  11. bigkahuna

    bigkahuna

    Joined:
    Apr 30, 2006
    Posts:
    5,434
    Yup.
     
  12. nikko

    nikko

    Joined:
    Mar 20, 2009
    Posts:
    436
    Well, I made my homework and someone found a way to extract the Assets :(

    It is complicated but a guy posted a video and it is on the way to become easy as 1,2,3.
    (and it is done with an editor script right into Unity, they should post it on the Asset Store, it would sell a lot!)

    So hide you assets. Lesson learned.
     
  13. lubo3d

    lubo3d

    Joined:
    Mar 23, 2011
    Posts:
    75
    muheydari likes this.
  14. dogzerx2

    dogzerx2

    Joined:
    Dec 27, 2009
    Posts:
    3,886
    What about hacking the 3D fbx files out of a unity web player? Is that easy to do for people?
    Say I want to display 3D models for selling the asset store or something, would it be safe to use a webplayer to display them?
     
  15. Quietus2

    Quietus2

    Joined:
    Mar 28, 2008
    Posts:
    2,058
    That would be meaningless, as the vertex and texture data of your model have to be sent to the video card to be rendered. At the driver level is where they'll steal your models, not from decrypting the webplayer.
     
  16. AnomalusUndrdog

    AnomalusUndrdog

    Joined:
    Jul 3, 2009
    Posts:
    1,514
    My take on this is, UT should change their engine to allow us developers the freedom to add our own countermeasures ourselves. Its just an idea though; I'm not really sure how to pull that off without engine source code access.
     
  17. prefix

    prefix

    Joined:
    Sep 26, 2011
    Posts:
    73
    Im new to programming myself, but having played multiple games in which others were hack/cheating. In this case of health, it might be as simple as creating a checksum constantly. I dont know what that means in the hardcore programming world, but it seems to me that.... writing a script that constantly checks players for their status.

    If "health" is >= (developers known health cap), player dies. As you would if health reached zero. This is not necessarily combating cheating or hacking, but it seriously renders that specific hack a pain in the arse :)

    Sure they can have maximum health. But having maximum health isnt necessarily cheating if the game was designed to be played with said health with the proper gear / potions / stats etc..

    Just my 2 cents, but probably worthless to people that know and understand programming. :)
     
  18. DryTear

    DryTear

    Joined:
    Nov 30, 2012
    Posts:
    312
    I know that this thread is outdated since 2011, and now its 2013. I realized that in the UnifyCommunityWiki theres a Obfuscation program in the Tips section. Its very wierd how no one was yet able to decompile a game and hack it, and then theres a program for that when its barely possible
     
  19. ChrispGames

    ChrispGames

    Joined:
    Dec 31, 2012
    Posts:
    13
    There are allready Unity Games out there wich were hacked. For Example Brickforce, a multiplayer game wich was also made in Unity
     
    Last edited: Feb 16, 2013
  20. Paradoks

    Paradoks

    Joined:
    Oct 13, 2009
    Posts:
    429
  21. S3dition

    S3dition

    Joined:
    Jan 6, 2013
    Posts:
    252
    There have been a lot of posts already (11 pages... yikes) but the brief answer is: no. Any information held in a client's memory is suspect. Ask anyone who has studied infosec (raises hand). Without having data stored offsite in a secure location to compare the client data to, there is no way to know for absolute certain that the data has not been modified.

    Encryption has 2 flaws with game design:

    1) It eats CPU power
    2) Data has to be decrypted before it's used (example, health has to be decrypted before you can reduce it and then re-encrypt it). During this time, it's possible to manipulate it.

    Checking stats against expected normals isn't reliable either, as you can alter what exactly the system is expecting or freeze the data at an acceptable value .For example, if you want to check to see if the player's health is over 100%, that's great. But I could, for example, freeze my health at 90%. It will never fail your check.

    Each level of redundancy you build requires more system resources. This is why MMO's and newer FPS's are played entirely server side, with the client serving as a glorified dumb terminal. Even the pathing is handled remotely by the server.

    Bottom line - if you want to start securing your program, the first step is to remove any and all decision making from the client. If you're worried about decompiling and reverse engineering, then look into obsfucation, though you're still limited in how much of the code you can protect. Again, code has to be decrypted before it is used, and there are programs that can reverse the obsfucation.

    A better bet, especially if you're using micro transactions, is to accept that there will be a certain amount of hacking and institute methods to detect it, reverse the changes, and ban the account.
     
  22. codestage

    codestage

    Joined:
    Jul 27, 2012
    Posts:
    1,492
  23. ZDS-Alpha

    ZDS-Alpha

    Joined:
    Jun 1, 2013
    Posts:
    11
    Try this code but first save your project :D :

    using UnityEngine;
    using System.Collections;

    public class gjhsdfjhgegf : MonoBehaviour {
    int jdfdjrjkvd = 77;
    int djghiuj = 66;
    int jghdrujghdrhgdh = 0;
    string fuhjdhg = "fdihb";

    void Start () {
    if (jghdrujghdrhgdh == 2){
    Debug.Log ("Script Updated");
    }
    Do ();
    }
    void Update () {
    if (jghdrujghdrhgdh == 576){
    fuhjdhg = "fghfbju";
    }
    fuhjdhg = "gfihjg";
    Do ();
    }
    void Do(){
    if ( fuhjdhg == jdfdjrjkvd.ToString() + jghdrujghdrhgdh.ToString() ){
    djghiuj=67;
    fuhjdhg = "gfhsikg";
    }
    if (fuhjdhg == "fdihb"){
    jghdrujghdrhgdh = 576;
    }
    if (fuhjdhg =="fghfbju"){
    Debug.Log ("Script Started");
    }
    if (fuhjdhg == "gfihjg"){
    jghdrujghdrhgdh = 2;
    Start ();
    }
    djghiuj = djghiuj +1;

    }
    }
     
  24. shkar-noori

    shkar-noori

    Joined:
    Jun 10, 2013
    Posts:
    833
    any news?
     
  25. codestage

    codestage

    Joined:
    Jul 27, 2012
    Posts:
    1,492
    @Shkarface Noori what news do you expect to see? Yeah, I updated my Anti-Cheat Toolkit multiple times since my last post in this thread, but that's all from me, no more news =)
     
  26. shkar-noori

    shkar-noori

    Joined:
    Jun 10, 2013
    Posts:
    833
    Thanks. gonna check out Anti-CheatT now.
     
  27. muheydari

    muheydari

    Joined:
    Jun 7, 2012
    Posts:
    6
    how can I download this UMPatcher
     
  28. codestage

    codestage

    Joined:
    Jul 27, 2012
    Posts:
    1,492
    @muheydari don't bother, it's useless since all dlls are decrypted and loaded at runtime so they are not protected from dump with any managed code dumpng tools like MegaDumper.
     
  29. Shadowing

    Shadowing

    Joined:
    Jan 29, 2015
    Posts:
    1,530
    how about this idea. I don't know if this would work. But what if you saved on a web server the last time you updated your project and then compared that with the clients last updated file. If its different player has the wrong version. But maybe they can just copy that information from the last updated file idk?

    Or how about store the file size in a web server and match the file size. If file size is different they obviously changed something.

    idk if that would work though. maybe file sizes are dependent on operating systems, hardware and all that jaz
     
    Last edited: Feb 5, 2015
  30. jamius19

    jamius19

    Joined:
    Mar 30, 2015
    Posts:
    96
  31. sysmaya

    sysmaya

    Joined:
    Nov 30, 2013
    Posts:
    14
    Key saved in PlayerPrefs = 99:AABBCCDDEE
    99 -> ID Stage Level.
    AABBCCDDEE -> Md5( 99 + "SecretKeyword");

    If modifiy 99, Must modify md5 key.
    When you read the variable, verify checksum.
     
unityunity