I’m currently working on a project that requires a lot of client-side security. I’ve determined that it would be important to add some kind of obfuscation or other protection to the .NET assembly DLLs to help prevent them from being reverse engineered by programs such as Reflector.
If I were making a standalone game this task would be fairly trivial. However I’m planning to use a streaming web player as my main method of deployment. Since these DLLs are packaged into the .unity3D file I need a way to edit these DLL files BEFORE they are packaged, but AFTER they are compiled.
However so far I haven’t been able to find a way to do this. I did have a look as the postbuild script information but it seems like this only allows modification after the .unity3D file has already been packaged?
Is there some way of building the assembly DLLs and then packaging them to the webplayer seperately? If not is there any other way that I might be able to achieve this?
P.S I own the pro edition of Unity if that makes any difference.
I started poking around the editor directory and found US.exe which is apparently a UnityScript compiler (I’m using JS/US). However doesn’t seem to be any documentation for it.
Anyone got any ideas?
Hi, welcome to the forum!
There isn’t really any obfuscation strategy that can be used with Unity webplayers that will make any real difference to security. Is there any way to construct your project so that sensitive code can be executed on the server?
We already do a significant amount of processing server side but unfortunately some things are just not practical for us to protect in this way. As stated we’re not trying to make it 100% full proof since we’re fully aware that isn’t a possibility. We just want to make it challenging.
You mention that obfuscation doesn’t make a significant difference to security. How is that so? Understanding a function called ‘ew423.sdftsdt4wt()’ is still going to be much harder than understanding one called ‘Security.SHA1Sum()’. I would be fairly happy if we could achieve something along those lines.
Well, I meant that while obfuscation has some nuisance value and may deter casual attackers, it isn’t really secure in any serious way. However, I guess it’s adequate if you just want it as a bit of extra front line defence.
Anyway… unfortunately, I don’t know of any obfuscation software that works directly with Unity webplayers. Also, I suspect that scrambling the source code manually or with a script will likely cause problems with Unity - the links between objects made in the editor rely on the names staying the same.