i know this has been asked many times over many forums, but the motive was always to prevent ‘hacking/pirating/reselling/cheating’. I accept these things, I know they will happen no matter what I do. It already happened to one of my own previous games.
However, my goal is not to prevent any of those things. Let them happen. What I want is to protect my c# code and make it impossible to view. My project is based solely on code, with only 1 gameobject in the scene and 3 monobehaviors on it. The code uses lots of reflection, but very few Unity api calls. Code base is in the low tens of thousands of lines.
From what I understand reading other threads, obfuscating code that uses a lot of Unity api and reflections is going to either not hide the part of the code concerned, or it will introduce bugs or will make it slower. However this asset right here
Claims that it has consistent naming across builds and platforms. Does that mean that reflection will also be obfuscated and still work? My only targeted platform is Windows.
I’ve also learned about the existence of ‘deobfuscators’ recently. Does anyone know if that asset above falls for that?
All in all, is it possible to guarantee that the source code won’t be visible to the naked eye after delivered to a client machine, ever?
Maybe so, but you don’t see the source code of google and tons of other companies flying around the internet.
When it comes to Steam games for example, the vast majority of them can be easily cracked by simply messing with the Steam files, not the game’s code. I’ve tried il2spy with a unity based game and another, non unity based game.Guess which one I could read the code of? However, both were still cracked and that’s because of Steam’s bad DRM. What I want to achieve is to just hide my code like the non unity game, not to make it crack proof, which I understand is a different thing. I don’t care if people use hex editors or whatever other low memory methods they can find to edit game data or behavior, but what I do care about is to hide the source c# code. So please don’t try to convince me otherwise. I’ve read a lot of opinions on that regard already
I just found out that Karl from Unity actually recommended that asset in this thread Can Decompiler IL2CPP ?
That thread also seems to imply that il2cpp,while still hackable since you can just look at machine code and analyze it, makes it impossible to turn that machine code back into actual c++ or c# unless a human tries to go over the machine code and manually convert it. That’s all I’m looking for. Does anyone know if that assumption is correct?
It’s not completely impossible to revert machine code back into C++. It just won’t look anything like the original unless optimizations were disabled for some reason.
Your code will never be impossible to view, and there is always some sort of tool to give someone disassembling the program a reasonable view of the code. The people that do these sorts of hacking and stealing will know how to do this, and this is why eventually commercial DRM solutions have fizzled out over the years, because there is always some armchair hacker child who will manage to get in and get at your code and/or assets, and circumvent whatever you have put in there to try and stop them or make it more difficult - making the enormous work involved pointless.
Honestly, if the aim is to stop hacking/stealing/etc then its not worth all this effort.
There isnt really any production-viable method of doing that, otherwise all the AAAs would be doing it. You dont really think that your going to come across some sort of revolutionary way to do this that the massive 100+ man teams involved in AAA games havent already thought of, do you?
AAA games get hacked all the time, assets and code gets peeked at and even extracted. You just have to accept this as part of the industry and build something that is a compelling enough product to intice people to spend money on it, as well as make enough revenue to not be hurt too much by people hacking it etc.
And then there are the scary talented developers who can sit down with machine code and determine how everything works to the point that they can add their own functionality with no real problems coming from it. A great example of this is the Skyrim Script Extender. If they wanted our code there is nothing any of us could do to stop them.
When I think about things like that I wonder, how they manage to keep their sanity doing that for something that gets them no money?
I mean I guess SKSE is so widely used, I guess as a portfolio piece it is as good as having worked on a major production, but still, must be super passionate about what they are doing to trawl through machine code, all so that they can provide (extra) modding functionality!
The only way to truly protect your code is to deliver the game via streaming, running the actual game on your own servers, and never actually releasing the binary of your game into the wild. Otherwise the machine code to run the game is in the players’ hands, and with that is everything needed by someone determined enough to look at.
The way you describe your code, it sounds like your code base is only very-loosely coupled with the Unity Engine. So it would probably be pretty reasonable to separate your core code to a server and have it communicate with a Unity thin-client across the internet.
You mentioned that you don’t see the source code of Google flying around the internet. That’s precisely because the code never leaves the server. The client never has the source code (obfuscated or otherwise).
Wrong! Incentives > motivational punishments if that’s what you’re saying.
@kdgalla the thing about that is I am running the Chrome browser. So technically the code is leaving the google campus, just not all 2 Billion lines of it.
I would also add that nothing enters Google’s servers either, unless its been sanitized and security checked. Google is very good at what they do!
Or the other set of clever developers who can sit down and play a game, then reverse engineer all the mechanics and systems. Once a game is in the wild, its not hard to simply play it and work out what is going on under the hood.
If you want to protect your code, you have two options:
Never release a product
Host all important stuff on a separate server that the user does not have access to and kill anyone who attempts to reverse engineer the server instructions
Ok, google was a bad idea. A better example would be photoshop which runs properly without an internet connection. Photoshop’s code, as best as I know, isn’t visible to the naked eye no matter how good of a hacker you are (that being said, the original 1990’s photoshop source code has been released by Adobe). However, the best hacker can do is to slice off only a very small bit of it, enough to allow it to be pirated. As such, most if not all versions of photoshop can be torrented.
This is what I want to achieve. I don’t care (ok yes I do a little, but can’t do anything about it) if people can reverse engineer the code using memory dumps or whatever other tools they have at their disposal to recreate behavior and pirate it. I know they’ll be able to get all my textures and my audio files. Again, to be perfectly clear, that is not what I’m trying to fight here. What I’m trying to protect is simply the c# source code from being visualized. It sounds like that is a perfectly achievable goal despite all the doomsayings.
Server solutions are sadly not an option, especially when there are solutions out there that can accomplish this even on client machines.
Photoshop’s code doesn’t have to be reverse engineered. There’s no point. Even if somebody did it, the real prevention is being taken to court for doing so.
Your protection is not going to come from technical means because your security has already been broken down by the time the user has access to the program itself.
Wrong again. Photoshop’s binaries are right there in the folder the program was installed to just as susceptible to being reverse engineered by a talented hacker as any other application. That’s just how it works with a locally stored program.
And the real reason it doesn’t have to be reverse engineered is that the white papers covering the technology the software employs are freely available on the Internet. Anyone that wants to build their own solution can use them to implement the same functionality.
Can’t be done. Fundamentally. While the user won’t see the source code, language being C#, they’ll have very easy time extracting and reconstructing it.
All things that user has on their machine can be viewed, torn apart and reverse engineered. And this cannot be prevented, only delayed.
Basically, on their machine the user is a god. They’re omnipotent in relation to their program. The good thing is that they’re not omniscient.
Because of this, all things you want to hide from the user, you put onto external server, and lock behind an API. Then they become inaccessible. If they have a standalone file, then they can reverse engineer the hell out of it.
That’s because their code is running on servers and not on user’s desktop.
Photoshop uses C++. C++ does not rely IL code and has no reflection, because of this easy automated decompilation of C++ code does not exist. It is still possible to rebuild the codebase from binaries, though. Even in this case.
However, there’s no point in stealing code of photoshop. First , there are no secrets. You can read documentation, and likely would be able to duplicate entirety of functionality, the problem is it will take truckload of time to match features with the original.
Second, Photoshop is too big to be stolen. YOu can’t steal the codebase and then hide the fact that it is photoshop. It will be obvious to everybody that this is photoshop, and then Adobe’s legal team will spring into action.
Projects like this are leviathans, and compared to them your project is TINY. For example, you can’t steal unreal engine 4, because it has 2 million lines of code, and you won’t be able to alter it to degree where it will stop looking like unreal. Likewise you can’t alter photoshop (rumored to have ten million lines of code) to stop resembling Photoshop, due to it being huge.
Basically all things conssidered, if you build your project using IL2CPP (which has limitations. Also I believe IL2CPP does not suport reflection which you said to be using), the user will have harder time decompiling it. However, they’ll still be able to hack your game with impunity and determine/reconstruct its behavior, if they’re determined.
