Hello there,
today i found this tools who can decompile unity3d
tools : http://devxdevelopment.com/
this is so sad how we can protect our game from this ?
On the page you have linked, there is an obfuscation package…
Wow I didn’t know that. I knew how to use ILSpy to convert some dll but this is insane. You can just make your game open source, there barely is any difference. I will certainly look into how to prevent this, at least there are ways.
@Both of you… Don’t spend too much time on it.
This is a common thing people are always concerned about. It has actually been discussed alot of times on these forums, in other forums, all over the internet and in every branch of the software industry. And the software industry has invested millions and millions to find ways to prevent this.
You cannot completely avoid it. Someone’s gonna find a way and publish it, if it’s worth the effort.
That’s how it is.
Therefore you shouldn’t care too much about it and should not invest too much time or money in it. You can make it more difficult, but like mentioned above, there’ll always be reverse engineering of assemblies / projects.
2 Likes
It’s just that I had a totally different understanding of how compilation works. I know it is a runtime environment but that you get scripts that are 95% the same is crazy. If you look at compressed JS code that is certainly not readable anymore, i just thought this is something you would get by default. But well stuff like reflection and SendMessage() wouldn’t work then but I don’t use that anyway.
At least now I know not to put any sensitive information in code. I actually thought I might store a key that is used for encryption, now I can forget that because you could find it anyway.
That’s something you never do, no matter how obfuscated your code is. If your app has the keys the users have the keys. The only undecryptable files are the ones you haven’t sent the keys to.
Keys can be sniffed out through external tools, either live or offline. Passwords are smaller targets, but have patterns which are easy to find even if you somehow obfuscate them. If the program can decode it, a dedicated user can too. Even secret keys for online stuff can be as easily found as a public website is through a search engine with an ethernet debugger.
For anything private you should rely on accounts and existing OS crypto. Passwords should be locked in the system’s key store, network-communicated private information should be passed through secure connections (SSL/TLS) protected via user accounts, and REALLY secret stuff should at least use client certificates as keys instead of passwords.
But if you want to hide something from a user, don’t give it to them 
3 Likes