If someone gets my .unity3d file, can they see my source code?

When I have an online Unity Player file, stored on my site as a .unity3d file, if someone could get access to my server, and to that file, could they open it somehow and get my individual scripts and assets out of it? Is that possible?

Thanks

Scripts are more likely to get out than assets, as the assets are stored in a different format.

Though it must be clear that audio and textures can be grabbed very easily from the data stream to the hardware, independent of any kind of engine (this means you can grab them for all engines).

Anything is possible, if it can be created it can be destroyed. I’d say it would be fairly hard to do until someone creates an unpacker for the .unity3d file format.

I don’t think it’s something you should be worried about though, the code that is created to unpack the .unity3d would probably be more valuable than a single unity game :wink:

So then scripts can be gotten in a compiled format, but not the actual source code, line by line, and certainly not comments, is that right? For example, class and variable names would be lost to the hacker, there would be numeric indexes instead?

Scripts are not compiled. They are in an intermediary language, think of it as akin to being tokenized. You lose comments, but you keep most everything else.

http://forum.unity3d.com/threads/17117-Hack-resistance

Look through that thread. All it takes is some knowledge of Ollydbg.

It’s completely possible to get the source, and pretty simple to do.

We used to compile our Unity projects written in JavaScript and then ‘unpack’ them to get the C# version of the same script. Your JavaScript is translated into C# for the actual build, and it’s completely accessible.

If your web player is public, then you’re also serving the .unity3d file publicly as well. They wouldn’t have to access your server harmfully in that way; you’re giving them the file.

Quietus, that thread has a different emphasis than what I’m after. I am using Unity3d to develop web apps for business. I’m worried about competitors taking my code, tweaking it for their own purposes, and using it. Every business I serve has competitors with similar products. My apps give them a competitive edge and I don’t want their competitors to be able to copy us directly.

For websites, there is the public_html file. Is it simply safer to create a different file directory that has the Unity files? Sorry I don’t have any knowledge of web security at all, but if someone could spell out the basics, and maybe link to some basic articles, that would be very helpful.

Thanks.

No, modifying the HTML does not change anything. The unity3d file always goes to the end user and as such the same applies.

Anyone using any .NET technology is or should be well aware of its common limitations and implications, and the CIL layer is one of them.
If they are worried about having code stolen they will need to use a technology that does not use a common plugin like Unity but something like T3D or any other with “per game webinstall”, or they have to wait until Google Chrome’s NaCl is available and only support Chrome.

The thread is rather expansive, but if you read through it you’ll find that it touches on exactly that.

The html file has nothing to do with it, as dreamora said the Unity3d file is in the end user’s browser cache. But the unity3d file isn’t where they’ll grab your source code from. The unity3d file is encrypted. They’ll use Ollydbg to save the assemblies off right from memory. There is nothing you can do to stop it.

You can obfuscate the code, make it so the source they retrieve is pure spaghetti, but for every popular commercial obfuscation package there exists a de-obfuscator. This too was discussed in detail in the linked thread. I know it’s like 10 pages long, but it’s worth reading.

Thanks, Quietus. I’ll read through it.

When using a web service an API key should be used/stored inside the game client/webplayer… but then, can’t a malicious user easily find/retrieve it? Not a nice thing.

That’s true for md5 keys and such being stored with a declared string in the source. That was discussed in the linked thread with some possible safeguards. However if it’s just a web service authentication that’s sent in plain text across a wire, a packet sniffer would be a far easier way to grab that than booting up Ollydbg.

Obviously if I’m using a web service with sensitive data I’m using SSL encryption. Without SSL the protection of the API key would be the last of my problems :slight_smile:
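A pre-release check for the point raised above about keys declared as strings in source, written as an added example that is not from any poster in the thread: it scans a build artifact you own for key-like literals in both ASCII and UTF-16LE. The regexes, thresholds, function names and sample bytes are constructed assumptions, not part of Unity or any tool mentioned here.

```python
import math
import re

# Runs of 16+ characters from the alphabet typical of API keys, hashes and tokens.
ASCII_RUN = re.compile(rb"[A-Za-z0-9+/=_\-]{16,}")
# The same runs as UTF-16LE (each character followed by a zero byte), which is
# how .NET assemblies store string literals declared in source.
UTF16_RUN = re.compile(rb"(?:[A-Za-z0-9+/=_\-]\x00){16,}")


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    counts = [text.count(ch) for ch in set(text)]
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts)


def looks_like_key(text, min_entropy=3.0):
    """Heuristic (assumed thresholds): mixed letters and digits, not repetitive."""
    digits = sum(ch.isdigit() for ch in text)
    letters = sum(ch.isalpha() for ch in text)
    return digits >= 4 and letters >= 4 and shannon_entropy(text) >= min_entropy


def find_embedded_secrets(blob):
    """Return sorted (offset, encoding, string) for key-like literals in blob."""
    hits = []
    for m in UTF16_RUN.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    for m in ASCII_RUN.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    return sorted(h for h in hits if looks_like_key(h[2]))


# Constructed sample standing in for a compiled script assembly: an ordinary
# identifier, a hash-like literal in UTF-16LE and a token in ASCII (all made up).
SAMPLE_BLOB = (
    b"\x00\x01PlayerControllerUpdateLoop\x01"
    + "9f8b2c4e7a1d4f60b3c5e8d2a7f1c094".encode("utf-16le")
    + b"\xff"
    + b"Zx81QmLr0pVt7YwKc3NdHs5B"
    + b"\x02"
)

if __name__ == "__main__":
    for offset, encoding, value in find_embedded_secrets(SAMPLE_BLOB):
        print(f"offset {offset:#06x} [{encoding}] {value}")
```

Any literal this reports in a shipped build should be treated as public; the fix is to move the secret to the server side, not to hide the string better.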