Hack resistance?

I'm trying to remember where I saw it, but one of the on line game portals that posts Unity games managed to hide the .unity3d file somehow. Perhaps I'm not explaining myself clearly, but what I mean by "hiding" a .unity3d file is that the path and name of the file doesn't appear when you select "view source" in your browser. I know it would be a very weak level of protection, at best, but might at least keep the honest people from accessing the player so easily.

Regarding obfuscators, is there one that people here are using and have been happy with?

 

@Quietus - I was talking about webplayers which don't use .DLL's.

Granted, hiding the .unity3d file offers very poor protection, it just bugs me that the default html web page makes it so easy to steal the entire player.

 

That and you could just hook an intercepter in form of a plugin to pull automatically any data with the unity webplayer mimetype

 

Webplayers do use DLL's, what makes you believe they don't? Parts of that Unity3d file of yours are extracted into memory as your standard unityscript and csharp dll's, the same ones from the standalone build.

Info on that around half way through this thread, where we were using OllyDbg to save them off.

The process turns out to be rather trivial and there are video tutorials about showing you step by step how to go about it Generally not for unity, but the same process to defeat obfuscators that decrypt dll's into memory from a packed disk format.

 

@Quietus - I stand corrected. I was confusing "external" .DLL's with those that are packed into a .unity3d file.

Does anyone know what the major portals that post Unity webplayers are doing to protect the game's assets? Or are they doing anything at all? I looked at a Kongregate html file and it appeared that they had at least hidden a direct link to the file some how. Do they also obfuscate the code?

 

An unsavory individual would tend to pirate a game by stealing it directly from the browser cache, not by downloading it from the webserver with a secret hidden link. Same goes for shockwave files too.

If you don't want your game stolen, your game needs to be aware of where it is running. There is nothing you can do to stop them from obtaining your Unity3d file. You are after all sending it to them!

That's up to the developer not them.

I do wonder though what security measures they take with their subscription games and such as there is more than monopoly money involved.

You can decompile a flash game as easily as you can a Unity game. However it's a hell of a lot easier to re-inject your own modified version of the Flash game. You just replace the version in the cache with your recompile that has god-mode turned on or whatever.

A lot of mmo gaming guilds have forums which include those cheesy flash arcades. It's a lot of fun to beat everyone's score by 1 point in every game... including the ones that increment their score by 10! Flash games were never obfuscated making such a task effortless.

 

I never asked how to do it. I just want to be sure it is not a gossip. I was posting webplayer of my demos, now I removed them... do I overreacted? I just want to be sure.

Also if you intercept the graphics, you get them in such a shame way that it is very hard to reuse them.
What I am scared about is to have a way that people can take the assets0.asset and unpak it with the folders and everything, so that you can re-create the project.
Having a bunch of textures and mesh in a messy way would ask so much work to put them together that it is not worth doing it.

 

I have very little knowledge of technical things like that, but even I could take a webplayer and pull practically all I wanted out of it. I never would cause a) I'm too lazy b) that's not who I am. But the point is, if I could do it, thousands could.

I did though once try the GPU thing with Guild Wars, to see if it worked at all.. it does work, results weren't great, but it worked, and we all know how well protected Arenanet keep that game.

 

@nikko - Understood. Like yourself, my only interest in testing it was to see for myself if it could be done. There are a couple people here who don't post webplayers and now that I've learned how unprotected a webplayer is, I can't say that I blame them.

 

I'm assuming the same hack issues apply to standalone PC too? And that Mac's are safe cause nobody uses those..

 

Yup.

 

Well, I made my homework and someone found a way to extract the Assets

It is complicated but a guy posted a video and it is on the way to become easy as 1,2,3.
(and it is done with an editor script right into Unity, they should post it on the Asset Store, it would sell a lot!)

So hide you assets. Lesson learned.

 

Try UMPatcher, make your code safe.

 

What about hacking the 3D fbx files out of a unity web player? Is that easy to do for people?
Say I want to display 3D models for selling the asset store or something, would it be safe to use a webplayer to display them?

 

That would be meaningless, as the vertex and texture data of your model have to be sent to the video card to be rendered. At the driver level is where they'll steal your models, not from decrypting the webplayer.

 

My take on this is, UT should change their engine to allow us developers the freedom to add our own countermeasures ourselves. Its just an idea though; I'm not really sure how to pull that off without engine source code access.

 

Im new to programming myself, but having played multiple games in which others were hack/cheating. In this case of health, it might be as simple as creating a checksum constantly. I dont know what that means in the hardcore programming world, but it seems to me that.... writing a script that constantly checks players for their status.

If "health" is >= (developers known health cap), player dies. As you would if health reached zero. This is not necessarily combating cheating or hacking, but it seriously renders that specific hack a pain in the arse

Sure they can have maximum health. But having maximum health isnt necessarily cheating if the game was designed to be played with said health with the proper gear / potions / stats etc..

Just my 2 cents, but probably worthless to people that know and understand programming.

 

I know that this thread is outdated since 2011, and now its 2013. I realized that in the UnifyCommunityWiki theres a Obfuscation program in the Tips section. Its very wierd how no one was yet able to decompile a game and hack it, and then theres a program for that when its barely possible

 

There are allready Unity Games out there wich were hacked. For Example Brickforce, a multiplayer game wich was also made in Unity

 

New topic created here :
http://forum.unity3d.com/threads/175054-Obfuscation-Community-requested?p=1197463#post1197463
feel free to help
thx

 

There have been a lot of posts already (11 pages... yikes) but the brief answer is: no. Any information held in a client's memory is suspect. Ask anyone who has studied infosec (raises hand). Without having data stored offsite in a secure location to compare the client data to, there is no way to know for absolute certain that the data has not been modified.

Encryption has 2 flaws with game design:

1) It eats CPU power
2) Data has to be decrypted before it's used (example, health has to be decrypted before you can reduce it and then re-encrypt it). During this time, it's possible to manipulate it.

Checking stats against expected normals isn't reliable either, as you can alter what exactly the system is expecting or freeze the data at an acceptable value .For example, if you want to check to see if the player's health is over 100%, that's great. But I could, for example, freeze my health at 90%. It will never fail your check.

Each level of redundancy you build requires more system resources. This is why MMO's and newer FPS's are played entirely server side, with the client serving as a glorified dumb terminal. Even the pathing is handled remotely by the server.

Bottom line - if you want to start securing your program, the first step is to remove any and all decision making from the client. If you're worried about decompiling and reverse engineering, then look into obsfucation, though you're still limited in how much of the code you can protect. Again, code has to be decrypted before it is used, and there are programs that can reverse the obsfucation.

A better bet, especially if you're using micro transactions, is to accept that there will be a certain amount of hacking and institute methods to detect it, reverse the changes, and ban the account.

 

Hey, guys! Just to let you know I recently released Anti-Cheat Toolkit on Asset Store to make your life a bit easier. It handles protection from memory scanners and PlayerPrefs protection on all platforms and has some extra functionality as bonus)
Here is it if you're interested: https://www.assetstore.unity3d.com/#/content/10395/
And forum link: http://forum.unity3d.com/threads/196578-Anti-Cheat-Toolkit-RELEASED/

 

Try this code but first save your project :

using UnityEngine;
using System.Collections;

public class gjhsdfjhgegf : MonoBehaviour {
int jdfdjrjkvd = 77;
int djghiuj = 66;
int jghdrujghdrhgdh = 0;
string fuhjdhg = "fdihb";

void Start () {
if (jghdrujghdrhgdh == 2){
Debug.Log ("Script Updated");
}
Do ();
}
void Update () {
if (jghdrujghdrhgdh == 576){
fuhjdhg = "fghfbju";
}
fuhjdhg = "gfihjg";
Do ();
}
void Do(){
if ( fuhjdhg == jdfdjrjkvd.ToString() + jghdrujghdrhgdh.ToString() ){
djghiuj=67;
fuhjdhg = "gfhsikg";
}
if (fuhjdhg == "fdihb"){
jghdrujghdrhgdh = 576;
}
if (fuhjdhg =="fghfbju"){
Debug.Log ("Script Started");
}
if (fuhjdhg == "gfihjg"){
jghdrujghdrhgdh = 2;
Start ();
}
djghiuj = djghiuj +1;

}
}

 

any news?

 

@Shkarface Noori what news do you expect to see? Yeah, I updated my Anti-Cheat Toolkit multiple times since my last post in this thread, but that's all from me, no more news =)

 

Thanks. gonna check out Anti-CheatT now.

 

how can I download this UMPatcher

 

@muheydari don't bother, it's useless since all dlls are decrypted and loaded at runtime so they are not protected from dump with any managed code dumpng tools like MegaDumper.

 

how about this idea. I don't know if this would work. But what if you saved on a web server the last time you updated your project and then compared that with the clients last updated file. If its different player has the wrong version. But maybe they can just copy that information from the last updated file idk?

Or how about store the file size in a web server and match the file size. If file size is different they obviously changed something.

idk if that would work though. maybe file sizes are dependent on operating systems, hardware and all that jaz

 

this might be of some kind of interest
http://forum.unity3d.com/threads/tool-simple-anti-cheat-tool-for-memory-hackers.376113/

 

Key saved in PlayerPrefs = 99:AABBCCDDEE
99 -> ID Stage Level.
AABBCCDDEE -> Md5( 99 + "SecretKeyword");

If modifiy 99, Must modify md5 key.
When you read the variable, verify checksum.