How to protect Windows Phone 8 game from being recompiled?
We are facing the problem: someone repacks our XAP, modifies WMAppManifest.xml, and posts it somewhere on the internet. How does he do this? When I download legal XAP from Windows Phone Marketplace it is not the original XAP built by me, but rather package encrypted by Microsoft, so it cannot be simply unzipped. How come that someone can crack it? Does he use dowloaded package, or rather extract installed and decrypted package from his phone?
On Android platform I check integrity in runtime by comparing actual package-name/signature with intended. It’s very simple and effective, though one still can decompile (obscured) Assembly-CSharp.dll and cut this check off. How can I detect similar tampering on Windows Phone 8? All the assemblies I see in built package are not signed (strongly named).
it’s really not the place to discuss the ways of ripping XAPs here, so I won’t talk about it.
However, you could probably check the hash of your application at runtime. Also, although you cannot strongly sign your script files, but you can sign the resulting executable which you build from Visual Studio.
[quote=Tautvydas Zilys, post: 1658320, member:
359058]
it’s really not the place to discuss the ways of ripping XAPs here, so I won’t talk about it.
[/quote]
Could you please provide me with link (if you know any) where such discussion is appropriate? :-`
Don’t see any simple ways of doing this from inside the assembly. Checking the Assembly hash is basically comparison with expected one. Even if I don’t embed expected value into the assembly, saying, store it in scene (binding to public field of script through the Editor) — it has to be recalculated after each source modification. Imho, it’s better to keep close to standard crypto approaches; they are about the same: computing hash automatically, then encoding it with private RSA key — what actually is “digital signature”. Then user can verify the signature with public RSA key, which does not change from build to build.
By the way, why Unity doesn’t support signing assemblies? I mean not the whole packages of different formats for different platforms — just inner Assembly-*.dll’s. It’s out-of-the-box functionality for CLR (Mono or .NET, doesn’t matter).
Don’t see “Code Signing” tab in project settings in “Visual Studio Express 2012 for Windows Phone” :-` Or probably XAP can be signed by direct edit of MSBuild script (.csproj-file)?