Is it needed to obfuscate Unity games built as Universal Windows Platform and uploaded to the Windows Store as an appxupload package, or are the code and the string literals safe from reverse engineering?
If it’s needed to obfuscate, do you recommend any special asset obfuscator to do that?
Obfuscators only make minor adjustments to the code. They change the names of variables, methods, etc but the actual contents are almost entirely untouched. A string that says “Hello world” will still say “Hello world”.
Nothing is safe from reverse engineering. An obfuscator is intended to slow down the process but it can’t stop it.
You mean from 1 minute to 2 minutes? I wouldn’t pay for it and I wouldn’t spend my time on this. I really think any indie is better off to invest in the game play instead of this kind of security.
If you’re working with money or with competitive multi-player, then you want to make a client-server set up regardless and not allow the client to make any crucial decisions.
Obfuscation is a great bait product to separate you from your money with the promise of false security.
There is no such thing.
In general I agree that you should focus on doing best by paying customers rather than messing with non-customers, but…
Once an obfuscator is set up, doesn’t it pretty much become a transparent part of your toolchain? Assuming that’s the case I wouldn’t consider it a big deal to set up. Unlike other forms of software-based security this one at least shouldn’t have the risk of messing with you as a developer or your paying customers.
Nothing is 100% safe. You need to figure out what particular threats or risks you care about, and then address them specifically. If there’s particular data or algorithms you want to protect then figure out the best way to do that.
Yea, I am currently using an obfuscator in production with no issues. Set up was simple & it has otherwise gone noticed, besides disabling it from time to time when debugging.
Obfuscation is purely a scaremongering tactic by companies wishing to sell that sort of thing. You can’t obtain any actual benefits from it now.
Even Unreal and Unity’s source code is available, without being obfuscated. If the concern is cheating in an online game, the right answer is don’t store the important stuff locally. Anti cheat prevention in online games should just be server authoritative, I think the entire internet will agree with that one.
Also you should take a look at the IL2CPP compiled code. It’s pretty obfuscated, if you want to call it that. Pretty much the same amount you’d get running a tool on a mono compiled project.
Maybe you’re worried people will steal stuff? You’re legally protected from that, however I’ve got to wonder how much value C# code has, especially if it’s code that interacts with an engine, typically it’s very specific to the game and hard to copy in a useful manner.
IL2CPP. Basically it compiles C# down into CIL like normal but after that it translates the CIL into C++ and compiles it yet again. This additional step is intended to provide faster executing code thanks to C++'s optimizer, but it has the secondary effect that it acts like an obfuscator. Trying to decompile the code won’t produce anything like the original C#.
A normal C# compiler will store the variable name in the executable that it creates, which is why a C# decompiler is able to recover the name, but a C++ compiler will store an address for where the variable is in memory without the name making it impossible to recover. Without a variable name you’re left guessing the purpose of it.
I am, I suppose, a reverse engineer. The statement that obfuscation has no value is not true. For C#/.NET I’ve disassembled and deobfuscated, for example, a popular World of Warcraft bot called WRobot. The obfuscation, string encryption and other clever things slowed me down and made it more difficult to reconstruct. When it comes to Runescape the obfuscation slowed me down as well when porting it from Java to C# and even more so when I decided to rip out the networking and replace it with my own custom solution. Even just going from source to ASM is enough to prevent a large majority of would-be exploiters; that process alone significantly raises the bar and that’s the point usually. Not to win, but to delay and cost the other party more time and money.
Obfuscation matters as it slows down people like me who will take your product apart. There are much more advanced developers than myself in this area and often times they are malicious. I am not though =).
This is also not true and the most popular online games, such as Fortnite and World of Warcraft, do not depend on server authority for completely protecting their product. That is why Blizzard uses Warden which helps protect the client from modification. Movement in WoW was not for at least a decade server authoritative and modifying the client would allow you to more easily spoof movement packets, which is publicly documented in some forums, which would allow you to move around at will. One funny approach was to send MSG_MOVE_HEARTBEAT packets in quick succession to teleport around. This is not even getting into the issue of automation/botting.
Fortnite gives the client some authority when it comes to vehicle physics and more. This game is protected by off-the-shelf anti-cheat though, unlike World of Warcraft. Plenty of people would be cheating way more often if not for that. The cost of developing for-profit cheat software, which people do, is significantly higher when you have barriers like that.
These are billion dollar titles who know complete server authority is idealism and who depend on clientside protection for various reasons.
OK I stand corrected for what examples you’ve given. But for every example like that I have had clients whose obfuscation efforts are obliterated in a trivial manner, so I’m seeing not a great amount of value for Unity developers.
The amount of engineering effort put toward cracking the two biggest online games in the world, is never going to be a problem for a guy asking on a forum. And these games require a lot more than obfuscation. In fact they probably could run without.
It’s not the same value or use case for the majority of indie developers. Same reason DRM for indie developers is also largely pointless.
But thanks for correcting, and it did need correcting. However, I’m not sure the advice is still “you should rely on obfuscation” for the OP.
For the big developers, they save millions by not having full authoritative solutions.
I had a friendly hacker chat with me about an old game I did, he was able to do unbelievable things to my game so I had a bunch of questions for him. “Unbelievable things” meaning every cheat you could think of.
Server authority is ideal, but like Glader said, even AAA titles do not rely on server authority solely, for several reasons.
His key recommendation besides server authority was to use some form of obfuscation, because pretty much it’s a pain in the ass to figure out. He said he likely wouldn’t have bothered with touching our game, had we used obfuscation.
He also mentioned that obfuscation can be less useful if you have previously released a non obfuscated version which someone malicious has a hold of, because they can compare parts of the code. Not sure if this is accurate, but worth keeping in mind.
Whether obfuscation is necessary or not is up to the developer, personally I would recommend it, just don’t rely on it solely for anti-cheat, start with server authority.
Aren’t you only considering one threat vector for one use case there, though?
@Labewo hasn’t even told us what they want to protect and/or from what potential threats. Without knowing those things we can’t give any specific, useful advice.
They also make their games feel better. 50ms of latency in your physics can make a huge difference.
Our game is fully physics driven, you would never be able to do this with a 100% authoritative solution.
What we can do is validate sanity of the data sent from clients. Which we do for the most critical stuff like when they discharge a firearm. But we need to do it for more things.
Obfuscation isn’t necessarily bad. Using it as a crutch to avoid relatively simple correct solutions is a problem.
Genres have fairly well known and specific attack vectors. Authenticating things that can be game breaking is pretty straightforward. If you authenticate things that can change the game world, then any actions leading up to that which are hacked, are limited in what they can do. A good practical approach is just keep adding more data for better checking where actions that can impact the game world occur.
Obfuscation is also a never ending battle. Having a good authentication strategy in place in my experience costs you less time and money. I think it’s definitely a case of doing it right to start with pays off.
But like anything else it takes time to learn how to solve well. That’s where I think a lot of studios fail. It’s not a hard problem it’s just a problem they don’t understand. Which is why we keep seeing things like speed/vision hacking in modern games. Even though those are trivial to solve for and we should have stopped seeing them many years ago.
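
Added example (not posted by anyone in this thread): a sketch of the server-side sanity check discussed above, applied to movement updates so that speed hacks and rapid heartbeat floods are rejected by the server rather than hidden behind obfuscation. `MovementValidator`, its parameters and the sample updates are hypothetical and constructed for illustration; it uses `System.Numerics` so it runs outside Unity.

```csharp
using System;
using System.Collections.Generic;
using System.Numerics;

// Hypothetical server-side validator: the client proposes a position, the
// server decides whether it is physically possible before applying it.
public sealed class MovementValidator
{
    private readonly float _maxSpeed;      // units/second allowed by game rules (assumed)
    private readonly float _tolerance;     // slack for jitter, e.g. 1.25 = 25% headroom
    private readonly double _minInterval;  // seconds; faster updates count as flooding
    private readonly Dictionary<int, (Vector3 Pos, double Time)> _last = new();

    public MovementValidator(float maxSpeed, float tolerance, double minInterval)
    { _maxSpeed = maxSpeed; _tolerance = tolerance; _minInterval = minInterval; }

    // The server, not the client, chooses the starting position.
    public void Spawn(int id, Vector3 pos, double serverTime) => _last[id] = (pos, serverTime);

    // serverTime is the server clock at receipt; a client timestamp is never trusted.
    public bool TryAccept(int id, Vector3 claimed, double serverTime, out string reason)
    {
        reason = "ok";
        if (!_last.TryGetValue(id, out var prev)) { reason = "unknown player"; return false; }
        double dt = serverTime - prev.Time;
        if (dt < _minInterval) { reason = "update rate too high"; return false; }
        float allowed = _maxSpeed * _tolerance * (float)dt;
        float moved = Vector3.Distance(prev.Pos, claimed);
        if (moved > allowed) { reason = $"moved {moved:F1}, limit {allowed:F1}"; return false; }
        _last[id] = (claimed, serverTime);  // only accepted updates advance the state
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var v = new MovementValidator(maxSpeed: 7f, tolerance: 1.25f, minInterval: 0.05);
        v.Spawn(1, Vector3.Zero, 0.0);
        var updates = new (double T, Vector3 P)[] {  // constructed sample traffic
            (0.10, new Vector3(0.7f, 0, 0)),   // normal step
            (0.11, new Vector3(0.75f, 0, 0)),  // heartbeat sent too soon
            (0.20, new Vector3(60f, 0, 0)),    // teleport-sized jump
            (0.30, new Vector3(2.0f, 0, 0)),   // plausible again, measured from last accepted
        };
        foreach (var u in updates)
            Console.WriteLine($"{u.T:F2}s {u.P} -> " +
                (v.TryAccept(1, u.P, u.T, out var why) ? "accept" : "reject") + $" ({why})");
    }
}
```

A rejected update leaves the last accepted position in place, so the server can correct the client back to it; the tolerance and interval values need tuning against real latency to avoid rejecting legitimate players.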