Discussion: How to prevent IL2CPP source code decompile?

Discussion in 'General Discussion' started by DungDajHjep, Nov 8, 2023.

Thread Status:
Not open for further replies.
  1. DungDajHjep

    DungDajHjep

    Joined:
    Mar 25, 2015
    Posts:
    202
    From a friend I know that the source code can be stolen even if you build with IL2CPP, is there any way to prevent this?

     
  2. FaithlessOne

    FaithlessOne

    Joined:
    Jun 19, 2017
    Posts:
    320
    Unfortunately you can't prevent them from getting your code decompiled when they have your game/app, regardless of whether it is a C/CPP or .NET library. It is because they have your libraries on their machine and can do with them whatever they like. However there are so-called obfuscators. These are code scramblers that make it much more difficult for the guys who are decompiling your libs to read and understand your code. But it only slows them down in the process and cannot prevent code stealing, as you called it. Also obfuscators may have drawbacks. Depending on their way of code obfuscation they may cause code to stop working or introduce performance issues. Also it is unclear to me whether these obfuscators can be applied to IL2CPP or .NET libraries compiled by Unity. Maybe some other developers can state that here, I would also be interested to know.

    Edit: Only when they don't get your libraries, like when using Game Streaming for your game, would that be prevented.
     
  3. DungDajHjep
    I bought the Obfuscators tool on the assetstore but was wondering if changing the variable names would lose all references, maybe there is a way to obfuscate the code without renaming the variables?
     
  4. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,776
    I suspect the obfuscator you have acquired is the one which just changes method and variable names.

    If that is the case, once you decompile built code, you will see random strings corresponding to each variable and method.

    In fact, you could name variables and methods really anything, to make it more difficult to read. But you would make it more difficult for yourself than anyone else.

    Minecraft does that. Or at least did that using Java. But that didn't stop modders from creating mods. However, since each version of the game had a different obfuscation seed, modders had to chase game changes. So there was some delay while modders adapted their mods to the new version of released Minecraft.

    If someone wants to steal and decompile a game, they will anyway. The best thing you can do is to push constant updates, rather than fire and forget. This way, you have a guarantee to be always ahead of any of your stolen code. Plus you keep the community on your side.

    If you are considering it for cheating prevention, obfuscation won't work anyway.
     
  5. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,569
    No, there is no way to prevent this. Stealing source code is handled by the court/lawsuits. Someone uses your source in their product, you sue them.
     
  6. Antypodish
    You know that is practically not viable, or even worth it, for small indie developers. Especially when it comes to the international field.
    For such developers the best chance is to issue a takedown. Most likely without any compensation. But by the time someone figures out game x is their copyright, providing they put in enough effort to discover as such, someone of x copy probably made enough gain on it by then.
     
  7. neginfinity
    Stealing source code of a small indie developer is also not worth the time.
     
  8. Murgilod

    Murgilod

    Joined:
    Nov 12, 2013
    Posts:
    10,152
    Your source code probably isn't worth stealing. This isn't just about you, but about everyone. What you'll likely see more than that are rudimentary reverse engineerings of systems you implement, and that doesn't require source code at all.
     
  9. Trigve

    Trigve

    Joined:
    Mar 17, 2013
    Posts:
    139
    The main problem with IL2CPP (in regards to decompilation) is the "global metadata" file. There were some posts on this forum about encrypting the file (and then decrypting it on the fly).
     
  10. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    If it is built to cpp and compiled, why would the names still be readable? I guess I don't understand that as surely compiled code needs no readable variable/method names - is the metadata file the problem?
    I guess it is not as good as decompiling C# which is just easy & clear.

    However if it shows you the optimised version of C# maybe it is not without benefit!

    Anyhow I think the technicalities are elsewhere: il2cpp and global-metadata.dat - Unity Forum
     
    Last edited: Nov 9, 2023
  11. DungDajHjep
    You think so maybe because you don't work in the mobile game industry and don't know that an indie game can earn tens of millions of dollars :))
     
  12. DungDajHjep
    I took a look and the code obfuscation asset I bought works great, the decompilation is unreadable. This will help limit my intellectual property from being stolen to some extent.
     
  13. spiney199

    spiney199

    Joined:
    Feb 11, 2021
    Posts:
    7,925
    Chances of that happening are 0.001% or some other ostensibly low number. You need something worth stealing first, and by the time someone is interested enough to steal it, you probably made your millions already and can sue them to kingdom come.
     
  14. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,183
    The catch with that is if someone is capable of reverse engineering IL2CPP they shouldn't have any trouble getting the decrypted version of the file from memory. For that matter they shouldn't have problems reverse engineering a project even with obfuscation (I've done this before and at best it just slowed me down).

    If you make tens of millions of dollars you can afford the lawsuits. If you don't you're just wasting your time that could have been better spent making a game that people will stick to rather than jumping to the clones.
     
  15. DungDajHjep
    You don't understand the dirty competition in the mobile game development industry, they will clone your game as soon as your game has a good signal. And of course they use reverse engineering, it's scarier than you think :))

    With the obfuscation asset that turns my code into special characters, you can't read it and I believe my code will be protected.
     
  16. neginfinity
    If someone stole source code of your ten million game, you'd be discussing it with a lawyer and not here.

    People, especially beginners, tend to think that their code has value and someone wants it. This is usually not the case. And in the majority of cases people can clone your game without source code access.
     
  17. Trigve
    Every code running on the client could be reverse engineered (RE). No one is arguing about that. The point of various obfuscation/encryption is to make the RE as unpleasant as it could be.
     
  18. Ryiah
    Oh, I'm fully aware of the problem. I remember Ketchapp back in the day used to clone games in a few weeks.

    I've reverse engineered obfuscated code in the past (my favorite game of the time had a bug that annoyed me and I wanted to fix it). A competent developer will be slowed down but won't be stopped.

    Incidentally it doesn't turn code into random characters. It turns variable and method names into random strings of letters and numbers. They're still names though and must be consistent through the code to be able to function so it's just a case of determining what they do. You can very much read them.

    ChatGPT (and other LLMs) is a tremendous benefit here as it's able to determine some of the behavior of the code and rename the variables and methods to more sensible ones. I've not tried an entire code base but I've passed it nonsense and had it try to undo the nonsense to reasonable success.
     
    Last edited: Nov 9, 2023
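
The renaming described in the post above, as an added example that is not part of the thread or of any obfuscation product: a simplified, source-level rename-only pass over a constructed C# snippet, showing that the token structure, string literals and engine API names are unchanged afterwards. The sample class, the `EXTERNAL` name list and all function names are assumptions made for this illustration.

```python
import random
import re
import string

# Constructed C# sample for illustration; it is not code from the thread.
SAMPLE = '''
public class ShopManager {
    private int coinBalance;
    public bool TryPurchase(int itemPrice) {
        if (coinBalance < itemPrice) { Debug.Log("Not enough coins"); return false; }
        coinBalance -= itemPrice;
        PlayerPrefs.SetInt("coins", coinBalance);
        return true;
    }
}
'''

# String literal | identifier | number | any other single non-space character.
TOKEN = re.compile(r'"[^"\n]*"|[A-Za-z_]\w*|\d+|[^\sA-Za-z_\d"]')
KEYWORDS = {"public", "private", "class", "int", "bool", "if", "return", "true", "false"}
# Assumption: names defined by the engine, which a renamer cannot change
# because the engine itself still has to resolve them.
EXTERNAL = {"Debug", "Log", "PlayerPrefs", "SetInt"}


def is_renamable(tok):
    """True for identifiers the project itself declares."""
    return (re.fullmatch(r"[A-Za-z_]\w*", tok) is not None
            and tok not in KEYWORDS and tok not in EXTERNAL)


def rename_obfuscate(src, seed=0):
    """Rename-only pass: each project identifier gets one random name, used consistently."""
    rng = random.Random(seed)
    mapping = {}

    def fresh_name():
        # 10 characters, so it cannot collide with the shorter keywords above.
        while True:
            name = rng.choice(string.ascii_letters) + "".join(
                rng.choice(string.ascii_letters + string.digits) for _ in range(9))
            if name not in mapping.values():
                return name

    def repl(match):
        tok = match.group(0)
        if not is_renamable(tok):
            return tok  # keywords, literals, operators and engine names stay as they are
        if tok not in mapping:
            mapping[tok] = fresh_name()
        return mapping[tok]

    return TOKEN.sub(repl, src), mapping


def shape(src):
    """Token sequence with project identifiers numbered by first appearance."""
    seen = {}
    return [f"ID{seen.setdefault(t, len(seen))}" if is_renamable(t) else t
            for t in TOKEN.findall(src)]


def still_readable(src):
    """String literals and engine API names that survive verbatim."""
    return sorted({t for t in TOKEN.findall(src) if t.startswith('"') or t in EXTERNAL})


if __name__ == "__main__":
    obfuscated, mapping = rename_obfuscate(SAMPLE)
    print(obfuscated)
    print("same structure:", shape(obfuscated) == shape(SAMPLE))
    print("still readable:", still_readable(obfuscated))
```
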
  19. DungDajHjep
    No need to waste such effort, I will just give you a tip. Use a versioned source code manager like git or something. Then, before you build, enable code obfuscate. After building, you just need to discard all the obfuscated code.
     
  20. DungDajHjep
    Don't trust such a lawyer too much, even if you live in USA.
     
  21. Ryiah
    What made you come up with that after reading my post? Did you not understand anything that I wrote?
     
  22. Murgilod
    Code obfuscation won't help with this. Most games that do this don't change the code, they use pretty simple tools to do asset replacement if they even do that much. Even with obfuscation, it's not going to be even remotely difficult for them to do what they want to: find where the user authentication API calls for things like login data and purchases are happening, replace that with their own system, maybe make a couple of other things.

    What you're doing here is a Sisyphean task in the most traditional sense: you will never win. That boulder is never getting over that hill. You are viewing this through a fundamentally narrow lens because if this was an at all solved problem this wouldn't be happening to anyone in the first place.
     
  23. neginfinity
    Your response does not match my comment. Are you using an auto-translator?

    Ahem. (auto-translation)

    This is machine translation. I do not speak Vietnamese.

    Other users and I are saying that an obfuscator will not protect the game from theft of program code. A thief can replace the textures and models in the game without changing the code. A copy of the game is very easy to write from scratch, because modern games are very simple. Accordingly, you are wasting your time. These problems are not solved by an obfuscator. They are decided in court.

    Also, beginners often make the mistake of thinking that their code has value. In reality, nobody needs it, because a small team can write a copy of someone else's game from scratch very, very quickly.
     
  24. DungDajHjep
    According to my 7 years of experience making games, there is no such thing as very fast, because if we are very fast, we will get rich very quickly. I advise you to stop thinking that everyone is a newbie, and don't mention things like newbie, impossible or lawyer because it's not helpful.

    Also I plan to use obfuscator with a little trick that causes the copy version to have trouble, probably something online authenticated, which if you can't read the code you won't be able to do.
     
  25. DungDajHjep
    If it took you a year to copy my game instead of 1 week then I would have won, nothing is impossible, what you say makes no sense.
     
  26. You know that more "secure" systems don't live more than a day or two? But they also usually have zero-day cracks... Denuvo and co. A week? A year? ROFL... Just to clarify: they usually don't need to solve the entire codebase, "only" find the targeted memory addresses, but they could if they wanted. Maybe add plus two days.

    You need to face the facts that there is no source code guarantee. It doesn't exist. Just forget it.

    But if you can't, it's fine, just waste your money on some obscure obfuscation asset if that gives you peace of mind, but be aware, it's placebo, nothing more.
     
    Last edited by a moderator: Nov 10, 2023
  27. Murgilod
    It's not going to take a year to copy your game even with obfuscation. You're not even going to make it to a week, most likely.

    You say you have loads of experience, but what you've described here is something that people have been bypassing in no time at all with and without obfuscated code for literal decades.
     
  28. spiney199
    If the most well funded AAA studios can't solve this then I don't think some random tool of the Unity asset store is going to solve this problem space. Nor is some indie mobile dev.
     
  29. neginfinity
    Making games fast will not make you rich, because most games fail. People actually try this thing, you know? On Steam, there are several people releasing gimmick titles, one per month, or several. They fail or earn peanuts.

    And if you truly have 7 years of experience, you should be able to see that protecting the code is not worth it, and most of the development time is spent on art assets.

    In the Unity engine it is possible to make a game in two days in a jam. Do the math. For small mobile games most likely whatever it is you're making can be cloned in a week without source code access by a sufficiently skilled team. And stuff that is hard to copy usually has a multi-million dollar budget. Meaning AAA level.
     
  30. DungDajHjep
    If people could create a game like mine in a week, they wouldn't steal the source code. You overestimate studio thieves lol.

    Don't compare source code theft with cracking games, it's meaningless.

    AAA studios don't need to protect the source code because they probably use their own engine, your comparison is nonsense.

    You seem to despise indie games, do you think we only create nonsense hyper casual games?
     
  31. ippdev

    ippdev

    Joined:
    Feb 7, 2010
    Posts:
    3,853
    I can look at your game and replicate its mechanics and artworks..probably in less than a week unless I had to make a lot of art assets. The only game I ever said WTF..how did they do that?? was Monument Valley. As for those ripping frameworks..well..good luck..they will need a network of buyers to make a buck and any mobile dev will tell you what a hill to climb that is.
     
  32. ippdev
    Nope. But I guarantee you that at least four of the devs on your thread could replicate any game you developed without using your source code. Do you think they can only create hypercasual nonsense games?
     
  33. Murgilod
    I promise you that your Enter the Gungeon mobile clone is not nearly as difficult to develop as you think.
     
  34. DungDajHjep
    I'm talking about my next game, with Enter The Gungeon, other studios will be afraid to copy because it needs quite a large amount of content to be attractive to players.

    I don't mind if they code a game like mine, what I want to prevent is code theft. There are things called game feeling and level design, those are secrets that I want to hide.

    I don't understand why people equate stealing code with coding from the beginning of an identical game, if those people are willing to put in the work, then nothing can stop them from making money legally.

    Note: Stop equating stealing code and rewriting a clone game from scratch.
     
  35. Murgilod
    The issue is that literally everything you've put forward that would prevent code theft won't actually do that. You say you've got grand ideas that will prevent your game from being ripped off for a year instead of in a week, but nothing you've said makes literally any sense because they're ideas people have been trying for literal decades.

    Everything you've said betrays your lack of knowledge.
     
  36. DungDajHjep
    If you can't provide useful information for my question then stop babbling, just because you can't do it doesn't mean someone else can't do it.

    I only prevent lazy people from stealing code, but I don't mind them coding a game clone from scratch.
     
  37. Ryiah
    Lazy people don't steal code. They hire developers to make the game for them. :p
     
    Last edited: Nov 10, 2023
  38. Murgilod
    Again, since this isn't sinking in, you are trying to prevent something from happening that has been happening across the industry for literal decades. This is not "I can't solve this problem," but "this is an unsolvable problem."
     
  39. halley

    halley

    Joined:
    Aug 26, 2013
    Posts:
    2,442
    It's a technical impossibility. It's up there with the Halting Problem of things that have no solution.

    Your computer must unpack and decrypt the code in order to run it. A thief's computer can have any number of special features that freeze execution, analyze what code changes what memory, and reconstruct a working copy of the system. If they cared to rename the variables to meaningful things, there are tools to do that too.

    "If one person says you're drunk, you can just ignore them. If ten people say you're drunk, you should probably lay down and sleep it off."
     
  40. DungDajHjep
    If everything was as good as you said, I wouldn't have needed to create this thread, lol.

    Again:
    I only prevent lazy people from stealing code, but I don't mind them coding a game clone from scratch.
    And I hope you're not talking about cracking games.


    Not being able to stop it doesn't mean it's impossible to slow down the process, and the code obfuscator that thieves can't read clearly makes it almost impossible to steal the source code. They can remake the game from scratch, but it will take time and there are many things that are not the same as the original game.

    You keep babbling about impossible while you don't explain how thieves are going to steal my encrypted source code and make it work as they want.
     
  41. halley
    You didn't even read what I wrote. Nothing to do with re-writing or cracking. Duplication of your code, your algorithms. The only thing missing is the comments. It's exactly as your original video says. You're just too stuck up inside your own fantasy world to listen.
     
  42. DungDajHjep
    And they get obfuscator code and can't read them? Or do you mean they can even decode obfuscator?
     
  43. halley
    Obfuscators confuse humans. The tool you showed would not care about the obfuscator at all. It would just give a working copy of your code. Local variables and comments can be added if they wanted, but they really don't care. It's your code, doing their bidding.

    You've spent more energy defending your position in this thread, than a duplicator thief would spend in stealing your code. You should probably spend all this energy on, you know, actually making a game people want to buy.
     
  44. Ryiah
    Have you looked at the code generated by an obfuscator?
     
  45. DungDajHjep
    You didn't read the whole thread right? I said I would use it with a trick. Also if you can't modify the code then releasing a "thief code" version doesn't make much sense, they need to modify it to make a profit according to their design.

    upload_2023-11-11_0-8-20.png
     
    Last edited: Nov 10, 2023
  46. Ryiah
    That video is deceptive because it's only looking at a section of code in isolation. Context is important when you reverse engineer code as that's how you learn what's happening and that video isn't showing any context at all.

    That said context may not even be important here as a quick search turns up deobfuscators for that obfuscator.

    https://github.com/OsOmE1/Beebyte-Deobfuscator
    https://github.com/ioncodes/beeless

    In fact I found a cheat site with the following information:
    https://www.unknowncheats.me/forum/general-programming-and-reversing/345912-beebytes-obfuscator.html

    So it's not even that competent of an obfuscator.

    My original response to this was a joke post but here's the thing. Lazy people can still steal your code. It's just that instead of trying to reverse engineer the obfuscation process they instead use premade tools that skip those steps for them. It's not just deobfuscators either.

    Another option available to them is simply looking to see if someone else already stole it and obtaining their copy of the source code and/or information on how the source code works from them. Because some people like to reverse engineer but they don't have any interest in using the results themselves.

    Indeed if it confused software too the compiler wouldn't be able to make an executable.
     
    Last edited: Nov 10, 2023
  47. ippdev
    The assets are much easier to rip. Be really nice if people decided that making money the legit route was the way to go but look around you in this world. Best to not get wound up about an event that did not yet occur, finish your game and see how it does. Make updated content that can only be downloaded thru legit channels.
     
  48. DungDajHjep
    Nothing is absolute, but creating difficulties and discouraging thieves is a great thing.
    Also, those thieves won't release a copy where they can't modify the code for profit, since this is a mobile game.

    upload_2023-11-11_0-53-29.png
     
  49. Ryiah
    I'm not positive what this line is even trying to say, but if you're talking about people treating stolen apps as templates they can just reskin it.
     
  50. DungDajHjep
    Dear friends, I created this thread because I discovered the thieves. I don't have time to sit around imagining and creating this thread to argue with you guys.
     