Search Unity

  1. Good news ✨ We have more Unite Now videos available for you to watch on-demand! Come check them out and ask our experts any questions!
    Dismiss Notice

Yet another obfuscation thread, different goal

Discussion in 'General Discussion' started by Radu392, Feb 20, 2020.

  1. Radu392

    Radu392

    Joined:
    Jan 6, 2016
    Posts:
    210
    i know this has been asked many times over many forums, but the motive was always to prevent 'hacking/pirating/reselling/cheating'. I accept these things, I know they will happen no matter what I do. It already happened to one of my own previous games.

    However, my goal is not to prevent any of those things. Let them happen. What I want is to protect my c# code and make it impossible to view. My project is based solely on code, with only 1 gameobject in the scene and 3 monobehaviors on it. The code uses lots of reflection, but very few Unity api calls. Code base is in the low tens of thousands of lines.

    From what I understand reading other threads, obfuscating code that uses a lot of Unity api and reflections is going to either not hide the part of the code concerned, or it will introduce bugs or will make it slower. However this asset right here

    https://assetstore.unity.com/packages/tools/utilities/obfuscator-48919#reviews

    Claims that it has consistent naming across builds and platforms. Does that mean that reflection will also be obfuscated and still work? My only targeted platform is Windows.

    I've also learned about the existence of 'deobfuscators' recently. Does anyone know if that asset above falls for that?

    All in all, is it possible to *guarantee* that the source code won't be visible to the naked eye after delivered to a client machine, ever?
     
  2. unit_dev123

    unit_dev123

    Joined:
    Feb 10, 2020
    Posts:
    996
    all obfuscators prone to fail.
     
  3. Radu392

    Radu392

    Joined:
    Jan 6, 2016
    Posts:
    210
    Maybe so, but you don't see the source code of google and tons of other companies flying around the internet.

    When it comes to Steam games for example, the vast majority of them can be easily cracked by simply messing with the Steam files, not the game's code. I've tried il2spy with a unity based game and another, non unity based game.Guess which one I could read the code of? However, both were still cracked and that's because of Steam's bad DRM. What I want to achieve is to just hide my code like the non unity game, not to make it crack proof, which I understand is a different thing. I don't care if people use hex editors or whatever other low memory methods they can find to edit game data or behavior, but what I do care about is to hide the source c# code. So please don't try to convince me otherwise. I've read a lot of opinions on that regard already :)
     
  4. unit_dev123

    unit_dev123

    Joined:
    Feb 10, 2020
    Posts:
    996
    ok just use obfuscator sir of your desire
     
  5. Radu392

    Radu392

    Joined:
    Jan 6, 2016
    Posts:
    210
    I just found out that Karl from Unity actually recommended that asset in this thread https://forum.unity.com/threads/can-decompiler-il2cpp.428561/

    That thread also seems to imply that il2cpp,while still hackable since you can just look at machine code and analyze it, makes it impossible to turn that machine code back into actual c++ or c# unless a human tries to go over the machine code and manually convert it. That's all I'm looking for. Does anyone know if that assumption is correct?
     
    Martin_H likes this.
  6. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    16,129
    It's not completely impossible to revert machine code back into C++. It just won't look anything like the original unless optimizations were disabled for some reason.
     
    MadeFromPolygons likes this.
  7. MadeFromPolygons

    MadeFromPolygons

    Joined:
    Oct 5, 2013
    Posts:
    2,547
    Your code will never be impossible to view, and there is always some sort of tool to give someone disassembling the program a reasonable view of the code. The people that do these sorts of hacking and stealing will know how to do this, and this is why eventually commercial DRM solutions have fizzled out over the years, because there is always some armchair hacker child who will manage to get in and get at your code and/or assets, and circumvent whatever you have put in there to try and stop them or make it more difficult - making the enormous work involved pointless.


    Honestly, if the aim is to stop hacking/stealing/etc then its not worth all this effort.

    There isnt really any production-viable method of doing that, otherwise all the AAAs would be doing it. You dont really think that your going to come across some sort of revolutionary way to do this that the massive 100+ man teams involved in AAA games havent already thought of, do you?

    AAA games get hacked all the time, assets and code gets peeked at and even extracted. You just have to accept this as part of the industry and build something that is a compelling enough product to intice people to spend money on it, as well as make enough revenue to not be hurt too much by people hacking it etc.
     
    Ryiah likes this.
  8. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    16,129
    And then there are the scary talented developers who can sit down with machine code and determine how everything works to the point that they can add their own functionality with no real problems coming from it. A great example of this is the Skyrim Script Extender. If they wanted our code there is nothing any of us could do to stop them.

    https://skse.silverlock.org/
     
    Ony and TonicMind like this.
  9. TonicMind

    TonicMind

    Joined:
    Nov 9, 2014
    Posts:
    1,211
    To think of one's code as unhackable is to deny the curiosity and ingenuity of the human mind.

    Obfuscation does exactly what the OP wants... the purpose of your obfuscation is irrelevant, as it doesn't alter what the end means are.
     
    Last edited: Feb 21, 2020
  10. MadeFromPolygons

    MadeFromPolygons

    Joined:
    Oct 5, 2013
    Posts:
    2,547
    When I think about things like that I wonder, how they manage to keep their sanity doing that for something that gets them no money?

    I mean I guess SKSE is so widely used, I guess as a portfolio piece it is as good as having worked on a major production, but still, must be super passionate about what they are doing to trawl through machine code, all so that they can provide (extra) modding functionality!
     
    Martin_H likes this.
  11. ptcmia

    ptcmia

    Joined:
    Nov 14, 2012
    Posts:
    107
    humans do their best work when their motivation doesn't come from money.
     
    Kiwasi likes this.
  12. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    8,953
    The only way to truly protect your code is to deliver the game via streaming, running the actual game on your own servers, and never actually releasing the binary of your game into the wild. Otherwise the machine code to run the game is in the players' hands, and with that is everything needed by someone determined enough to look at.
     
    Ryiah likes this.
  13. kdgalla

    kdgalla

    Joined:
    Mar 15, 2013
    Posts:
    2,456
    The way you describe your code, it sounds like your code base is only very-loosely coupled with the Unity Engine. So it would probably be pretty reasonable to separate your core code to a server and have it communicate with a Unity thin-client across the internet.

    You mentioned that you don't see the source code of Google flying around the internet. That's precisely because the code never leaves the server. The client never has the source code (obfuscated or otherwise).
     
    Ryiah and Kiwasi like this.
  14. TonicMind

    TonicMind

    Joined:
    Nov 9, 2014
    Posts:
    1,211
    Wrong! Incentives > motivational punishments if that's what you're saying.

    @kdgalla the thing about that is I am running the Chrome browser. So technically the code is leaving the google campus, just not all 2 Billion lines of it. :p

    I would also add that nothing enters Google's servers either, unless its been sanitized and security checked. Google is very good at what they do!
     
  15. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,731
    Or the other set of clever developers who can sit down and play a game, then reverse engineer all the mechanics and systems. Once a game is in the wild, its not hard to simply play it and work out what is going on under the hood.
     
    Ryiah likes this.
  16. Murgilod

    Murgilod

    Joined:
    Nov 12, 2013
    Posts:
    7,163
    If you want to protect your code, you have two options:
    1. Never release a product
    2. Host all important stuff on a separate server that the user does not have access to and kill anyone who attempts to reverse engineer the server instructions
     
    Joe-Censored, TonicMind and Ryiah like this.
  17. Radu392

    Radu392

    Joined:
    Jan 6, 2016
    Posts:
    210
    Ok, google was a bad idea. A better example would be photoshop which runs properly without an internet connection. Photoshop's code, as best as I know, isn't visible to the naked eye no matter how good of a hacker you are (that being said, the original 1990's photoshop source code has been released by Adobe). However, the best hacker can do is to slice off only a very small bit of it, enough to allow it to be pirated. As such, most if not all versions of photoshop can be torrented.

    This is what I want to achieve. I don't care (ok yes I do a little, but can't do anything about it) if people can reverse engineer the code using memory dumps or whatever other tools they have at their disposal to recreate behavior and pirate it. I know they'll be able to get all my textures and my audio files. Again, to be perfectly clear, that is not what I'm trying to fight here. What I'm trying to protect is simply the c# source code from being visualized. It sounds like that is a perfectly achievable goal despite all the doomsayings.

    Server solutions are sadly not an option, especially when there are solutions out there that can accomplish this even on client machines.
     
  18. Murgilod

    Murgilod

    Joined:
    Nov 12, 2013
    Posts:
    7,163
    Photoshop's code doesn't have to be reverse engineered. There's no point. Even if somebody did it, the real prevention is being taken to court for doing so.

    Your protection is not going to come from technical means because your security has already been broken down by the time the user has access to the program itself.
     
    Kiwasi and Ryiah like this.
  19. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    16,129
    Wrong again. Photoshop's binaries are right there in the folder the program was installed to just as susceptible to being reverse engineered by a talented hacker as any other application. That's just how it works with a locally stored program.

    And the real reason it doesn't have to be reverse engineered is that the white papers covering the technology the software employs are freely available on the Internet. Anyone that wants to build their own solution can use them to implement the same functionality.
     
    Last edited: Feb 21, 2020
    Kiwasi likes this.
  20. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    8,256
    Who said that they managed to keep their sanity?

    Can't be done. Fundamentally. While the user won't see the source code, language being C#, they'll have very easy time extracting and reconstructing it.

    All things that user has on their machine can be viewed, torn apart and reverse engineered. And this cannot be prevented, only delayed.

    Basically, on their machine the user is a god. They're omnipotent in relation to their program. The good thing is that they're not omniscient.

    Because of this, all things you want to hide from the user, you put onto external server, and lock behind an API. Then they become inaccessible. If they have a standalone file, then they can reverse engineer the hell out of it.

    That's because their code is running on servers and not on user's desktop.

    Photoshop uses C++. C++ does not rely IL code and has no reflection, because of this easy automated decompilation of C++ code does not exist. It is still possible to rebuild the codebase from binaries, though. Even in this case.

    However, there's no point in stealing code of photoshop. First , there are no secrets. You can read documentation, and likely would be able to duplicate entirety of functionality, the problem is it will take truckload of time to match features with the original.

    Second, Photoshop is too big to be stolen. YOu can't steal the codebase and then hide the fact that it is photoshop. It will be obvious to everybody that this is photoshop, and then Adobe's legal team will spring into action.

    Projects like this are leviathans, and compared to them your project is TINY. For example, you can't steal unreal engine 4, because it has 2 million lines of code, and you won't be able to alter it to degree where it will stop looking like unreal. Likewise you can't alter photoshop (rumored to have ten million lines of code) to stop resembling Photoshop, due to it being huge.

    Basically all things conssidered, if you build your project using IL2CPP (which has limitations. Also I believe IL2CPP does not suport reflection which you said to be using), the user will have harder time decompiling it. However, they'll still be able to hack your game with impunity and determine/reconstruct its behavior, if they're determined.
     
    MadeFromPolygons, Radu392 and Ryiah like this.
  21. TonicMind

    TonicMind

    Joined:
    Nov 9, 2014
    Posts:
    1,211
    I would argue that Photoshop can be "stolen" simply by taking liberties and using more enabling technologies (ie. python and its plethora of available libraries vs CPP).

    Paint .NET was made with C# and MS's .NET framework. It's roughly comparable to Photoshop. Photoshop just has 1. an industry edge and 2. a slick UI and excellent branding.

    Just because a product was created in a dense workhour-heavy language like CPP doesn't mean it can't be done in a more enabling technology!
    Example.
    Granted there's a ton going on beneath the hood of those 5 lines of code, but that's what I am advocating for here!

    For every "can't" there's 100 or more ways to show you wrong. It just takes determination!
     
unityunity