Search Unity

  1. Unity support for visionOS is now available. Learn more in our blog post.
    Dismiss Notice

XAP protection

Discussion in 'Windows' started by Qbit86, Jun 9, 2014.

  1. Qbit86

    Qbit86

    Joined:
    Sep 2, 2013
    Posts:
    487
    How to protect Windows Phone 8 game from being recompiled?

    We are facing the problem: someone repacks our XAP, modifies WMAppManifest.xml, and posts it somewhere on the internet. How does he do this? When I download legal XAP from Windows Phone Marketplace it is not the original XAP built by me, but rather package encrypted by Microsoft, so it cannot be simply unzipped. How come that someone can crack it? Does he use dowloaded package, or rather extract installed and decrypted package from his phone?

    On Android platform I check integrity in runtime by comparing actual package-name/signature with intended. It's very simple and effective, though one still can decompile (obscured) Assembly-CSharp.dll and cut this check off. How can I detect similar tampering on Windows Phone 8? All the assemblies I see in built package are not signed (strongly named).
     
  2. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,628
    Hi,

    it's really not the place to discuss the ways of ripping XAPs here, so I won't talk about it.

    However, you could probably check the hash of your application at runtime. Also, although you cannot strongly sign your script files, but you can sign the resulting executable which you build from Visual Studio.
     
  3. Qbit86

    Qbit86

    Joined:
    Sep 2, 2013
    Posts:
    487
    Could you please provide me with link (if you know any) where such discussion is appropriate? :-`

    Don't see any simple ways of doing this from inside the assembly. Checking the Assembly hash is basically comparison with expected one. Even if I don't embed expected value into the assembly, saying, store it in scene (binding to public field of script through the Editor) — it has to be recalculated after each source modification. Imho, it's better to keep close to standard crypto approaches; they are about the same: computing hash automatically, then encoding it with private RSA key — what actually is “digital signature”. Then user can verify the signature with public RSA key, which does not change from build to build.

    By the way, why Unity doesn't support signing assemblies? I mean not the whole packages of different formats for different platforms — just inner Assembly-*.dll's. It's out-of-the-box functionality for CLR (Mono or .NET, doesn't matter).

    Don't see “Code Signing” tab in project settings in “Visual Studio Express 2012 for Windows Phone” :-` Or probably XAP can be signed by direct edit of MSBuild script (.csproj-file)?
     
  4. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,628
    That would be an excellent opportunity for a feature request.

    I'm not sure you can do it automatically, however, you should be able to add a post-build event for it.
     
    Qbit86 likes this.
  5. Qbit86

    Qbit86

    Joined:
    Sep 2, 2013
    Posts:
    487
  6. tswalk

    tswalk

    Joined:
    Jul 27, 2013
    Posts:
    1,109
    got my vote... anything to strengthen protection is a step in the right direction.