I am trying to use the Darktable’s Obfuscarator to obfuscate my webBuild.
I few time ago, i succed to obfuscate a build but the build was so obfuscated that i could not work.
So i tried many ways to improve the template.xml and the Obfuscarator.cs - with no succes.
Even worst, i could not figure out how i made it work the first time …
Darktable told me on his site that he had no time for support.
When doing my research on obfuscation over the unity forums and answers, i realised that obfuscation was something
requested by the community.
I am making a multiplayer game using a*Path + PhotonCloud, because of the non-server kind of the game people can cheat easily and ruin the game.
I can imagine also that people dont want to have their code stealed ( me too btw) - the guys that sells things on assets store for example.
So if you feel concerned, feel free to give a little help.
i found that the “combinePath” at line 227:
var frameworksPath = CombinePaths(EditorApplication.applicationContentsPath, “Frameworks”, “Mono”, “lib”, “mono”, “unity_web”);
had to be changed for web build by:
var frameworksPath = CombinePaths(EditorApplication.applicationContentsPath, “Mono”, “lib”, “mono”, “unity_web”);
also i found that all the DLL detection have to be hardcoded too.
I got not many time, but i will update this topic every time i got something new.
I think it is worth trying,
First of all, it will eliminate the little low level code stealers.
Then, i really thing that this obfuscator is pretty good - you should try to help
Personally i think it’s a waste of time, i don’t do it for my own software which i sell for 10K+€
It makes 0 sense, think it through and you’ll see you get 0 benefits out of this
I agree with Ronan. Just put the time and effort into making a game better and cooler so no one wants that lame ripped copy clone game of the one that stolen your code. A great example is Ridiculous Fishing which beats the clone Ninja Fishing by far.
As i said in the first post, i am running a client side game running with photon cloud.
I want my game to be funny to play, wich will not be the case if someone modifiy my client code and get for example lvl 20 at the begining of the game instead of lvl 1 - thats a example - and it is so easy to do for little coders.
Also, i talked many times on the chat with guys that are selling their products on the asset store, especially scripts.
they dont put webplayer links on their asset store description because they know that the code can be stealed in about 5 minutes by a totally inexperimented guy.
By not putting a working link on the description they loose a certain amount of money, people often want to test the script running before buying it.
And experimented people will not steal anyway, so its potentially a money loss.
If you are exprerimented, wich i am not, you could have made the obfuscator work by the time you wrote those lines.
So please help and dont try to make me change my mind.
If it’s possible to be lv 20 then your client code doesn’t need to be obfuscated but needs to RUN ON THE SERVER, you never trust the client period
Anyone who knows how to patch a game, can do it AS EASILY if it is obfuscated, period, it adds ZERO protection, simply making reading the code “marginally harder” at best, if you send me obfuscated code, i can pass it in a deobfuscator and the output will be nearly as easy to read as the original!
Edit: making the obfuscator work is not the problem, understanding it doesn’t protect you AT ALL is the problem, it’s MUCH EASIER to deobfuscate a program (there’s a simple command line tool that does this and support almost all versions of all obfuscators) than to read the unobfuscated code, so if you can do the later, you can do the former.
Been looking into this issue for the last couple of days, and while it saddens me that my code will be essentially exposed to anyone and nothing can be done about it, it also helped open my eyes early in the development process on how to never rely on the client side for processing any crucial data.
However I would still like to implement even some basic obfuscation to my code, just so that the sucker peeking at my code would have a slightly harder time stealing it. I know it’s pretty much useless but it should at least keep the kids out.
Ironically it won’t keep anyone but yourself out (harder to debug if you get crashes on a client machine and need to figure out what happened)
How do you like a bug report saying an exception has been thrown: outofmemoryexveption in method ÿùù3244?
I don’t think obfuscation is useless, and I do think it will make the cracker’s life much harder reading r.d(a) type of code all over than compared to myGuy.AddLife(life). Specially when your game code is complex to start with. I don’t think the deobfuscation would turn r.d(a) back into myGuy.AddLife(life) since that data is already lost.
Having said that, 90% of the crackers would just walk away but if someone is really determined, obfuscation would not stop him, just slow him down.
But most of the code won’t be r.d(a) type of code
You’re not going to be able to obfuscate code you don’t own, so all the external calls will stay as is (anything in unity for exemple)
Anything you want to expose publicly will also stay as is (so anything visibile in the editor for exemple)
So if you sell a player asset, and you have a public property life in it that is accessible from unity editor, and a private method named removelife, at most it will become
Not that cryptic now?
All you’ve won there is if this.Life is a nullable and it throws an exception because you have a bug that left it as null you’ll get customer reports saying “your plugin is crashing in Method theizth, nullreferenceexception” instead of “your plugin is crashing with a nullreferenceexception in Method ChangeLife”
So yea you get crappy customer relationships 0 advantage in protecting your code, your code will still be crystal clear readable based on what you can’t obfuscate around it, you can obfuscate decently only if the following 3 hold (code is still readable but harder)
You mostly use your own code, not external code
You don’t expose any form of public API (standalone program as a single assembly with no public classes/methods)
You’re not constrained by unity (the good obfuscation methods won’t work due to performance or api limitations like no code gen allowed on iphone etc)
Anything you do that fits none of those 3 criterias is basically giving you 0 protection, as i said try it, then pass it in a deobfuscator, you’ll see you’ve lost pretty much no info except private variable names such. Any public method will still be properly named as well as it’s parameters (else it wouldn’t be callable).
Based on the fact that I’ve only bothered obfuscating a native android game I made, and never a Unity game I made I will say: “Perhaps you are right!” But that’s because I have no clue what obfuscation in Unity is like. In native Android code, when I obfuscate, everything looks super cryptic.
Based on what I understand you’re saying, having any public properties in my class, the property name would not be obfuscated is that right? Is that because of the serialization? If so, what if I make that property not realizable, would that obfuscate that particular property then?
No it has nothing to do with serialisation, it’s just the way .net / mono / whatever based on the CLR code works, it’s fully readable because all metadata is encoded. So there’s no headers / lib whatever like in native to “find functions” , they’re in the dll self documented by the dll, so it’s not possible to remove that information if that information is actually necessary, anything you expose publicly, has to be fully unobfuscated, or it simply won’t be callable.
If you want i can make a small sample dll show you the dll in 3 states
Unobfuscated
Obfuscated with a basic obfuscator
Deobfuscated with a free tool.
It should make things clearer.
Sure that’d be great! But from what you say, that kinda sucks. In Java you can obfuscate the crap out of your code even when using 3rd party libs, it even obfuscates the 3rd party libs for you. My background is Java by the way so I know nothing much about c# except coding it as if it’s Java lol
The system is similar, except unity libraries aren’t 3rd party libs, and programs you make with unity aren’t your programs, so you can’t treat it that way as it’s unity that embeds your code, that references unity code, so 0 chance at obfuscating unity code (which means any code “calling” unity will be pretty readable), same for any code you actually want to expose.
This only applies for selling dlls on the store (where the public API the calls to unity would be visible), if you’re talking about making a game with unity shiping that obfuscated then that’s even more complex, there are 2 cases:
most of your code resides in a dll that you obfuscate, if you call that code from unity you’re still going to have the same issue, anything you need to call will be public, and thus the signature will be as readable as in plain code.
your code only resides in source form in unity, then it’s even more complex as unity is in charge of building it, i don’t even know what unity ships as but definately not as a .net assembly in all platforms so it wouldn’t be easy to simply obfuscate the output as the output is embededing the assembly, the whole thing isn’t .net at all (on ios android etc), so i don’t think it’s anywhere near doable, regardless of the merits of obfuscation.
Also, can you give me an example of “Any code calling unity will be pretty readable”.
For example, if my game has 100 classes that extends MonoBehavior
All my variables in there are not exposed to the editor, e.g. they are either private or public with [System.NonSerialized].
Will the obfuscation obfuscate all the code in my classes? if not, then which parts… any part in the Update for example? I’m not clear on how this works.
System.NonSerialized changes nothing to the fact it’s public so callable from elsewhere, MonoBehavior is unity specific but it changes nothing, as long as something is public, it’s exposed to outside assemblies, so your obfuscator won’t touch the signature (it can touch the code inside), or the dll won’t be usable from outside (unless you want your customers to actually call methods like MyClass.[["[#[ù;;()
