Obfuscation

Hello everyone
The reason I started this thread is that the available documentation for obfuscation, specially for Unity is really rare and I know some asset developers (specially those assets that deal with scripting) would really like to dive into this process.
Many people say that if someone want to pirate something, there is no real protection, that is correct, but at the same time, what is the chance of a professional hacker sitting and putting time to decrypt an obfuscated Unity asset ? specially when that asset is obfuscated deeply enough?
also, there is a reason you may want to dive into obfuscation : did you ever thought about how to protect your game data saves from cheaters? some wise people started this process of thinking and one or two assets are available in asset store. also, there was a really interesting blog post on how to encrypt data and save that encrypted info to player prefs or text files.
bottom line is, no matter how good your algorithm for encryption / decryption of data is, if you won’t obfuscate the scripts that do it… using a freely available tool like dot peek, any newbie script righter can easily look into your assembly dll and find the algorithm and with little time and effort (much less than many of you think) all the effort that you put for encryption goes to waste !
So, the question is not doing or not doing it. Really, you would need to do it sooner or later. The question is how to do it.
To start this discussion, i need to identify two different assemblies you may have in your unity project :

1- The scripts that are directly related to UnityEngine and UnityEditor and few other Unity related ones.
2- The scripts that you have and use like Helpers, Utilities, and other stuff, these scripts can be thought of stand alone methods and static classes that you may use in more than one project.

There is big difference between these two categories. For obfuscating the first one, you will have tons of restrictions, for example, the class name itself can’t be obfuscated, the inheritance from Monobehaviour can’t be obfuscated, the mono methods like Update, Awake and many more should keep their names in the obfuscated assembly intact and many more things.

The second category on the other hand, should be decided as stand alone assemblies that you should be able to call into different projects.

Lets use an example here, lets say I have a simple mono class with a simple integer property, I would like to keep track of that property by using player prefs but at the same time i would like to encrypt and decrypt the data. At the same time, because i know i would use encryption / decryption of different data in more than one project, I would like to sit and develop a totally stand alone assembly that i could later import as dll into this project and call it’s methods from the mono script to encrypt the integer value, put that encrypted version in player pref, then read that encrypted version, decrypt it and assign it to the property later on.

As you see in any serious game development project you would want to have that simple scenario at hand and ready to use. Now, if i develop the cryptography assembly and don’t use the obfuscation, all my effort is wasted because any script kiddie would use dot peek and find the method names and the algorithm inside that i used and encryption would loose it’s meaning. At the same time, i would like to obfuscate the cryptography assembly in a way that i can access it’s members out side later on.

few days ago I thought it would be really easy, just keep the method and class names intact during obfuscation, hide the internals of the method to look like the lines bellow and you would be golden, correct?

public string encrypt (string .)
{
return .();
}

The lines above can be produced easily using any obfuscation program. So, it will work correct? You are dead wrong !

After trying Crypto Obfuscator Enterprise for more than few days non stop, trying every possible option and rule i can mix with each other, I had one of these two results :

1- The assembly would work without any problem but opening it in dot peek, you would see that there is no real obfuscation going on and the algorithm inside the method is visible to naked eye.
2- The assembly would obfuscate enough to make it impossible to be understood unless you were really professional hacker with years of experience, but it wouldn’t work in unity giving errors about missing name space or something close to it.

So? First thing i did was contacting the company for support and right now i am waiting for guide lines from them, but i thought to myself,…, there should be people in community that has experience on such stuff, if not, at least, there should be a centralized place to discuss this. That is why i started this thread.

To finish the wall of text i already made (sorry for that), i want to name few obfuscators i found online that claim they are working properly for Unity 3d.

1- Crypto Obfuscator : The enterprise version, this obfuscator lets you define rules for obfuscation, excluding or including any rule and any number of times, not only on the assembly, but also on even single method or field separately.
2- Babel Obfuscator : I didn’t have a chance to try this one, but they have a blog post and in that post they give a xml file that is rules set for unity obfuscation.
3- eazFuscator : this one claims to work without needing any rules. The interface is really simple but I have doubt about it’s level of obfuscation.

Remember, there are tons of obfuscator programs out there, but in my opinion, if they don’t give enough flexibility for setting rules, they won’t be good. For that, i think crypto obfuscator is the best.

The only problem is that, I am not sure how to obfuscate good enough to hid the cryptography algorithms (or any critical part of a code) and still be able to read that assembly later on in different projects.

If anyone has experience doing obfuscation, please inform others. By the way, doing even bother mentioning that so called Unity Obfuscator program, go to forums related to the product, you will see absolutely 0 response to questions the costumers ask and many people yelling, kicking and complaining that the developed assemblies are not working.

Just as a side note, in WebGL builds, the level of difficult to disassemble and extract meaningful code increased in several orders of magnitude.

By webgl you mean the IL2CPP ?? but how about hiding the algorithm for cryptography and how about having such a library for more than just this project and using it in future projects? the fact is that IL2CPP is still in early development process and even their developers don’t have any estimation on when it will be ready themselves. So the question remains on how we can use obfuscation to have stand alone assemblies that will be reusable in projects

Instead of spending a year of reasearch to find out that this is actually a waste of time, you can just wait for il2cpp to be ready on your relevant platforms.

2 Likes

I can’t agree with you Dantus, IL2CPP is nice for sure, but think about it, how many asset developers you know that are developing unity editor extensions, lets say i have a very nice and fast class for cryptography on your data, if i send it to asset store without obfuscation, i easily give out all the algorithms and people can buy my asset, use something like dot peek, or .net reflector and my very useful algorithms for security will be non secure and in front of their eyes and any one bought my asset and using that assembly to encrypt their data to prevent cheating wasted their money because my own asset will be vulnerable.
The point is that, although IL2CPP will make nice turn toward security of built games, but for asset developers that want to keep their code secure but still add to unity itself, it does nothing !!!

There have been numerous discussions about obfuscation in this forum already. Read them carefully to find out that obfuscation is not worth the effort as long as you don’t have to pretend to your management that you are unnecessarily burning money with it.
Could you shortly describe what you are trying to achieve exactly and what you are trying to protect?

This is a good summary of obfuscation in general. It never truly stops anyone that is determined to use your code.

2 Likes

“Security through obscurity” is the absolute best you can hope for in regard to protecting your scripts. If no one cares about you, no one will bother trying to break through your obfuscation techniques. If, on the other hand, you have something actually worth stealing, then obfuscation is not long-term security so much as a short-lived roadblock. Try to sell as much as you can in the three days it takes someone to lay out your “life’s work” on the internet, then cry.

Use half-assed obfuscation techniques to put a stop to the ten year old script-kiddies who can’t actually program anything, then call it a day IMO. If you want world-class security you’re going to have to wait until the world-class programmers actually create it- right now it simply doesn’t exist.

1 Like

If you want better security, stay away from .NET when building your ‘cryptography assembly’;
Unity is very supportive to C++ external classes, you can use a not so popular compiler to build your algorithms and link them to the C# environment via interfaces. If anyone wants your crypto gold, they won’t find it diving into the C# DLLs and it’s harder to decompile than anything C#. Forget about obfuscation.

You can also use the GPU, storing your cryptographic functions and sensible data inside ‘innocent’ simple shaders… Hell, you can even encrypt secrets into a texture data.

Ok, let me give you an example of a game i play online and what i see, Call Of Roma Cor II (old known as Caesary), in these type of games, you play real time strategy games, and you can buy gold with money, you can argue that the data can be stored server side and no one would be able to hack it, but even after 10 years of this game evolving and constantly fixing bugs and problems, there are people who glitch it daily based and sometimes, very nasty hacks show up and they are not even touching the server.
another example are games like WoW, you install the client, all personal game data remaining on client and only interact with servers on limited data transfer. in any one of these type of games, there are tons of integers, floats and other normal field types that are being constantly saved and then loaded.
for example, integer, a simple way to encrypt it is by using bit shift operation at run time so that players won’t be able to use memory cheat programs like cheat engine to tweak the real number. but, if your asset is not secure, people knowing that this game is developed by Unity, will easily use the available asset opener, get the dll, and look and easily find your algorithm.
trust me when i say this, there are more than what think players that not only enjoy hacking the game for easier game play, but also, ruining your business. COR II for example for over 2 months, they lost near half of their customers that they collected during 8 years !!!
I never thought about saving data as a shader, that was a nasty but smart idea. I know that some of the data can be saved as color values in textures, but non of these remove the need for a way to add another layer of security on top of what ever algorithm you use.
I don’t know why when ever someone ask something that is not daily stuff for people, instead of productive discussions people try to change the subject or tell the person that the question he has is stupid or not worthy.
as i said, another aspect of all of this, is when you are developing an asset for unity users themselves. for example, who knows how long it took leslie to develop plyGame, or angry ants for his behave asset. without any security, i can simply open their dll, look inside their code, get near half of their code, tweak, change the look of editor wizards, and claim that i developed a new asset, in other words destroying the person’s effort and knowledge by abusing their code like this.
you can argue that they can go open source on their customers and be safe, but we all know about piracy (don’t even start discussing this one, more than enough said everywhere about it.). but at least, if we were able to obfuscate our code to some extend, at least, more than 60-70% of the asset users would leave diving into it the moment they see it is obfuscated simply because they don’t have the deep knowledge needed for deciphering it.
long story short, instead of saying that obfuscation is not worth the trouble, lets sit and find at least the smallest possible way to get another layer of trouble for those who want to investigate closed source assets. if we can figure something like this, although it may take 2-3 weeks, from then on, we can use that as fast as few minutes to have that extra layer of security even if it is small but few minutes of that extra layer would worth it.

No one’s saying you’re stupid, we’re just saying that you’re wrong. You’re still wrong, even with the TL;DR rant. If you’re really just trying to get around the random ten year olds, then ANY amount of obfuscation (including what’s readily available already) is sufficient. If you’re trying to get around the pros, then NO amount is sufficient. You’re making claims about how you’d protect IP rights and such, but every single script that uses obfuscation that someone really wanted has ALREADY been cracked- and the masses don’t need to crack it themselves, because the “cracked version” is already out there on the internet in plain text. Your ideas seem predicated on the concept that everyone’s hacking for themselves, like in order to enjoy your source code they have to crack the safe with their own hands, but all it takes is one bored software engineer to ruin your day a hundred thousand times over.

Anyways, this discussion has already happened a hundred times this year, I’m going to find something else to do >_>;

1 Like

That is exactly what i am after to learn. if you read my very first post, i said that i tried use crypto obfuscator, although it would change some parts of code, still some parts (specially my bit shifting algorithms) were not obfuscated at all, simply because i needed to encrypt static values, the moment i do it, the script stops working completely.

I am not after fancy, deepest possible obfuscation that makes codes not possible to be read even in .net reflector, i am after a little bit of extra security on those little algorithms i would use in cryptography asset that i am developing, knowing that i would use it in more than just a single project and there is a possibility i would like to put it in asset store.

I am really after getting help from someone knowing how to obfuscate an assembly project in the way that it encrypt static values but still being able to use it by porting it to new projects but i think people jumped to conclusion that i want crazy amount of obfuscation and 100% security? maybe that was my fault on speaking what i am after ?

Let me make myself very clear.
first take a look at this method :

public static int Shuffle(int x)
{
    int num = (x ^ (x >> 8)) & 0xff00;
    x = (x ^ num) ^ (num << 8);
    num = (x ^ (x >> 4)) & 0xf000f0;
    x = (x ^ num) ^ (num << 4);
    num = (x ^ (x >> 2)) & 0xc0c0c0c;
    x = (x ^ num) ^ (num << 2);
    num = (x ^ (x >> 1)) & 0x22222222;
    x = (x ^ num) ^ (num << 1);
    x ^= 0x55555555;
    return x;
}

As you see, this is the base for my shuffling an integer number algorithm, when my encryption asset is ready i would really like the whole algorithm if possible, if it is not possible, i would like to at least hide those constant values like 8,4, 0xf000f0 (still a number but written in hexadecimal format) so that anyone wanting to look into it, won’t understand what am i doing. that is the real thing i like to do, also, i have an encrypting/decrypting section, preferably i would hide the encryption method that i am using, because if the person could see that i am using DES or AES for example, and see how i am generating the salt and the sizes on it, then i really did nothing to make my own asset secure.
I really don’t mind if people can see the code but at least, hiding the constant values should be possible?

I’ve heard Unity’s serialisation system is surprisingly difficult to break. Why not put constant values in the inspector?

This also gives you the advantage if being able to change them easily when they are broken.

Shuffling is probably not that great of a method of encryption. Have you looked at public key encryption? That way it wouldn’t matter if your public key falls into the hands of anybody else.

@Jiraiyah , sorry, but your posts are way too long to read and my question is unfortunately still not answered.

The important aspect here is short and I would like to know what you are trying to protect in your game.

sorry for long posts
the shuffling system will only shuffle integers at run time to stop memory hacks by something like cheat engine. for securing data on the hard drive or registry, i will use encrypting them with AES, DES or any other available methods.
@Kiwasi : The reason i don’t want to put values in inspector is that encrypting algorithms are very specific and if the user be able to tweak those values, the whole system will fail
@Dantus : preferably the whole algorithm inside that bit shifting method or the cryptography methods. if not possible, at least the constant values i use for salt size, and other values like what you are seeing in that bit shifting method. i would like to keep the algorithm secret even from those who would possible get my assembly to use it. not only for security measures but also if you ever worked with cryptography then you would know tampering with algorithms are bad idea, so i would like to keep it hidden from even asset users themselves.

My question was not how you want to protect your data, but what exactly you want to protect and what kind of game you are planning to make.

sorry
the plan is not for a game itself but an API core for RPG games. that is the project i am working on it, the data differs from player stats up to serialized data in xml format or any other format i decide in future (maybe json or possibly personal invented format). because i am developing an API core for others, i would prefer to give them ways and API to encrypt their data too. not sure if i answered you properly this time or not :face_with_spiral_eyes:

Online RGP?

both offline and online, the start is offline one but with keeping in mind that i would convert it to online one. but i want to have the possibility of people spending money and get stuff in game even on offline games.

as i said, it won’t be a game but a core API asset to be used by game developers themselves