How to prevent IL2CPP source code decomplie ?

From a friend I know that the source code can be stolen even if you build with IL2CPP, is there any way to prevent this?

Unfortunately you can’t prevent that they get your code decompiled when they have your game/app regardless whether it is a C/CPP or .NET library. It is because they have your libraries on their machine and can do with it whatever they like. However there are so called Obfuscators. These are code scramblers and making it much more difficult for the guys which are decompiling your libs to read and undersand your code. But it only slows them down in the process and cannot prevent code stealing, like you called it. Also obfuscators may have drawbacks. Depending on their way of code obfuscation they may cause code not working anymore or introduce performance issues. Also it is unclear to me whether these obfuscators can be applied to IL2CPP or .NET libraries compiled by Unity. Maybe some other developers can state here, I would also be intressted to know.

Edit: Only when they don’t get your libraries like using Game Streaming for your game would prevent that.

I bought the Obfuscators tool on the assetstore but was wondering if changing the variable names would lose all references, maybe there is a way to obfuscate the code without renaming the variables?

I suspect the obfiusticator you have acquired is the one, which just changes methods and variable names.

If that Is the case, once you decompile built code, you will see random strings corresponding for each variable and method.

In fact, you could name variables and methods really anything, to make it more difficult to read. But you would make more difficult for yourself than anyone else.

Minecraft does that. Or at least did that using java. But that didn’t stop modders from creating mods. However since each version of game had different obfuscation seed, modders had to chase for game changes. So there was some delay that modders adapted their mods, to new version of released minecraft.

If someone wants to steal and decompile game, they will anyway. Best thing you can do, is to push constant updates, rather than fire and forget. This way, you have guarantee, to be always ahead of any of your stolen code. Plus you keep the community on your side.

If you considering for cheating prevention, obfuscation wont work anyway.

No, there is no way to prevent this. Stealing source code is handled by the court/lawsuits. Someone uses your source in their product, you sue them.

You know that practically on not viable, or even worth it for small indie developers. Specially when comes to international field.
For such developers best chance is to issue take down. Most likely withouth any compensations. But by the time someone’s figure out, game x is their copy right, providing putting enough effort to discover as such, someone of x cop probably made enough gain on it by then.

Stealing source code of a small indie developer is also not worth the time.

Your source code probably isn’t worth stealing. This isn’t just about you, but about everyone. What you’ll likely see more than that are rudimentary reverse engineerings of systems you implement, and that doesn’t require source code at all.

The main problem with IL2CPP (in regards of decompilation) is “global metadata” file. Threre were some posts on this forum about encrypting the file (and the decrypting it on the fly).

If it is built to cpp and compiled, why would the names still be readable? I guess I don’t understand that as surely compiled code needs no readable variable/method names - is the metadata file the problem?
I guess it is not as good as decompiling C# which is just easy & clear.

However if it shows you the optimised version of C# maybe it is not without benefit!

Anyhow I think the technicalities are elsewhere il2cpp and global-metadata.dat - Unity Forum

You think so maybe because you don’t work in the mobile game industry and don’t know that an indie game can earn tens of millions of dollars :))

I took a look and the code obfuscation asset I bought works great, the decompilation is unreadable . This will help limit my intellectual property from being stolen to some extent.

Chances of that happening are 0.001% or some other ostensibly low number. You need something worth stealing first, and by the time someone is interested enough to steal it, you probably made your millions already and can sue them to kingdom come.

The catch with that is if someone is capable of reverse engineering IL2CPP they shouldn’t have any trouble getting the decrypted version of the file from memory. For that matter they shouldn’t have problems reverse engineering a project even with obfuscation (I’ve done this before and at best it just slowed me down).

If you make tens of millions of dollars you can afford the lawsuits. If you don’t you’re just wasting your time that could have been better spent making a game that people will stick to rather than jumping to the clones.

You don’t understand the dirty competition in the mobile game development industry, they will clone your game as soon as your game has a good signal. And of course they use reverse engineering, it’s scarier than you think :))

With the obfuscation asset that turns my code into special characters, you cant read it and I believe my code will be protected.

If someone stole source code of your ten million game, you’d be discussing it with a lawyer and not here.

People, especially beginners, tend to think that their code has value and someone wants it. This is usually no the case. And in majority of cases people can clone your game without source code access.

Every code running on the client could be reverse engineered (RE). No one is arguing about that. The point of various obfuscation/encryption is to make the RE unpleasant as it could be.

Oh, I’m fully aware of the problem. I remember Ketchapp back in the day used to clone games in a few weeks.

I’ve reverse engineered obfuscated code in the past (my favorite game of the time had a bug that annoyed me and I wanted to fix it). A competent developer will be slowed down but won’t be stopped.

Incidentally it doesn’t turn code into random characters. It turns variable and method names into random strings of letters and numbers. They’re still names though and must be consistent through the code to be able to function so it’s just a case of determining what they do. You can very much read them.

ChatGPT (and other LLMs) is a tremendous benefit here as it’s able to determine some of the behavior of the code and rename the variables and methods to more sensible ones. I’ve not tried an entire code base but I’ve passed it nonsense and had it try to undo the nonsense to reasonable success.

No need to waste such effort, I will just give you a tip. Use a versioned source code manager like git or something. Then, before you build, enable code obfuscate. After building, you just need to discard all the obfuscated code.

Don’t trust such a lawyer too much, even if you live in USA.