Hi,
I’ve been using Unity Free for two years. I’ve been working on a simple game project. I just experienced something. Today, I compiled the game and opened the DLL files with a program (I won’t give the name of the program here). The program showed me all the scripts I wrote, as well as the Unity classes!
There are some mistakes in the code the program shows me, but it shows most of the code. Even though I know it is not impossible to prevent getting the source somehow, I want to ask: can Unity developers do something about that?
This isn’t something new; it’s common knowledge that C# can be easily retrieved with any C# decompiler. You can obfuscate the code, but still there are ways to get the code without obfuscation.
Maybe the most secure implementation would be to use encryption, but even with encryption it isn’t guaranteed that your code can’t be reached; nothing is 100% secure or unbreakable. Also, you need to think about implementation costs.
In short: if anyone wants to view your C# code, they will, no matter what you do.
I know it isn’t… But I guessed that Unity converts our code (like GameMaker; to understand what I mean, take a look at the source of an HTML5 game made with GameMaker). I saw my code as I wrote it. What if someone gets the serial-key algorithm of my game and hacks it somehow? OK. Maybe my code is not so important. What about Unity’s code? Programmers are generally ungenerous, and so am I. I think Unity developers should do something. Maybe they should make the next version convert all code to C/C++ and compile it.
Anyone motivated enough will get your serial keys, with the source code or without it. Big companies also have this “problem”; if they can’t solve this issue (with millions of dollars and a big team), what can an indie developer do?
You can just make the way to reverse this a bit more challenging, maybe add server-side verification or similar. But if anyone wants to get it, they will.
But I think there must be a function to make it hard at least. For example, changing the names of variables, classes and functions can make it hard (playerHealth → var62b1df4a, or void SaveGame() → void Funca25bef12). But if I do this when I code, it may be confusing. Unity must do it. I can’t step into Unity’s builder.
That’s what a code obfuscator does; there are many out there for C#. Unity has nothing to do with this; you just need to take your assemblies and obfuscate them with any C# obfuscator to get this result.
Did you run against a debug (development) build? Debug builds specifically have symbol files which help to ensure there is a very direct correlation between the compiled code and the written code (how else could the debugger allow you to step through your code as it executes?).
If you count on obfuscation to protect your code you are doing very little to stop a determined thief. What is needed are methods that do not count on “security by obscurity” - since it’s merely a matter of time until your attacker finds the algorithm you have used and codes up an inverter to turn your work back into clear text.
People interested in that methodology should look into the old USENET forums like sci.crypto.
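
The server-side verification suggested in the thread, sketched as an added example that is not part of any post: the serial is an HMAC over the customer id, and the secret and the check live only on a licensing server, so a decompiled game assembly contains no key-generation algorithm. The names `issue_serial`, `verify_activation`, `SERVER_SECRET`, `MAX_ACTIVATIONS` and the in-memory activation store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: this secret exists only on the licensing server, never in the game build.
SERVER_SECRET = secrets.token_bytes(32)
MAX_ACTIVATIONS = 2   # constructed policy value: machines allowed per serial
_activations = {}     # serial -> set of machine ids (stand-in for a database)


def _tag(customer_id: str) -> str:
    """HMAC-SHA256 over the customer id, truncated to 80 bits (16 base32 chars)."""
    mac = hmac.new(SERVER_SECRET, customer_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode("ascii")


def issue_serial(customer_id: str) -> str:
    """Run on the server at purchase time; returns XXXX-XXXX-XXXX-XXXX."""
    tag = _tag(customer_id)
    return "-".join(tag[i:i + 4] for i in range(0, 16, 4))


def verify_activation(customer_id: str, serial: str, machine_id: str) -> bool:
    """Run on the server when a game client asks to activate."""
    presented = serial.replace("-", "").upper()
    expected = _tag(customer_id)
    # Constant-time comparison so response timing does not leak the expected tag.
    if not hmac.compare_digest(presented.encode("ascii", "replace"),
                               expected.encode("ascii")):
        return False
    machines = _activations.setdefault(expected, set())
    # A valid serial that leaks is still capped at MAX_ACTIVATIONS machines.
    if machine_id not in machines and len(machines) >= MAX_ACTIVATIONS:
        return False
    machines.add(machine_id)
    return True


if __name__ == "__main__":
    s = issue_serial("alice@example.com")  # constructed sample customer
    print(s, verify_activation("alice@example.com", s, "machine-1"))
```

This moves the serial algorithm out of the shipped assembly; as the replies above say, it only raises the effort, since the client's handling of the server's answer is still in decompilable code.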