Obfuscation - [Community requested]

Discussion in 'Scripting' started by Paradoks, Mar 22, 2013.

  1. ScriptingPaul

    ScriptingPaul

    Joined:
    Dec 8, 2013
    Posts:
    10
    Only server-side code is protected, and even that only applies if you really check whether incoming packets are valid.

    Any code on the client side is exposed, at least in memory, so changing values there is easy and there is nothing you can do about it.
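
The server-side packet check described in the post above, as an added example that is not part of the original thread or any poster's code: an authoritative server keeps its own copy of each player's state and judges every incoming move packet against it. All type names, fields and limits (`MovePacket`, `MoveValidator`, `MaxSpeed` and so on) are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added example: every name and limit here is hypothetical, not from a real game or SDK.
public struct MovePacket
{
    public int PlayerId; public uint Sequence; public float X, Y;
    public MovePacket(int id, uint seq, float x, float y) { PlayerId = id; Sequence = seq; X = x; Y = y; }
}

public enum Verdict { Accepted, UnknownPlayer, Replayed, NotFinite, OutOfBounds, TooFast }

public sealed class MoveValidator
{
    const double MaxSpeed = 6.0;      // units per second, a rule the server owns
    const double Tolerance = 1.10;    // 10% slack for network jitter
    const float WorldHalfSize = 500f; // world spans [-500, 500] on each axis

    sealed class PlayerState { public float X, Y; public uint LastSequence; public double LastMoveTime; }

    readonly Dictionary<int, PlayerState> players = new Dictionary<int, PlayerState>();

    public void AddPlayer(int id, float x, float y, double now)
    {
        players[id] = new PlayerState { X = x, Y = y, LastMoveTime = now };
    }

    // 'now' is the server clock in seconds; a timestamp sent by the client is never trusted.
    public Verdict Validate(MovePacket p, double now)
    {
        PlayerState s;
        if (!players.TryGetValue(p.PlayerId, out s)) return Verdict.UnknownPlayer;
        // Reject replayed or reordered packets (sequence wrap-around is ignored in this sketch).
        if (p.Sequence <= s.LastSequence) return Verdict.Replayed;
        // NaN compares false against every limit below, so test for it explicitly.
        if (float.IsNaN(p.X) || float.IsInfinity(p.X) || float.IsNaN(p.Y) || float.IsInfinity(p.Y))
            return Verdict.NotFinite;
        if (Math.Abs(p.X) > WorldHalfSize || Math.Abs(p.Y) > WorldHalfSize) return Verdict.OutOfBounds;

        // Distance travelled must be possible in the server-measured elapsed time.
        double dt = Math.Max(now - s.LastMoveTime, 0.0);
        double dx = p.X - s.X, dy = p.Y - s.Y;
        if (Math.Sqrt(dx * dx + dy * dy) > MaxSpeed * dt * Tolerance) return Verdict.TooFast;

        // Only a validated packet changes authoritative state.
        s.X = p.X; s.Y = p.Y; s.LastSequence = p.Sequence; s.LastMoveTime = now;
        return Verdict.Accepted;
    }
}

public static class Demo
{
    public static void Main()
    {
        var server = new MoveValidator();
        server.AddPlayer(1, 0f, 0f, 0.0);

        // Constructed packets: one honest move, then three that a modified client could produce.
        Console.WriteLine(server.Validate(new MovePacket(1, 1, 0.5f, 0f), 0.1));      // plausible step
        Console.WriteLine(server.Validate(new MovePacket(1, 2, 250f, 0f), 0.2));      // position jump
        Console.WriteLine(server.Validate(new MovePacket(1, 1, 0.6f, 0f), 0.3));      // reused sequence number
        Console.WriteLine(server.Validate(new MovePacket(1, 3, float.NaN, 0f), 0.4)); // non-finite coordinate
    }
}
```

A rejected packet leaves the stored state untouched, so values edited in client memory never reach what other players see.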
     
  2. lordofduct

    lordofduct

    Joined:
    Oct 3, 2011
    Posts:
    8,514
    If they have your code, they have your code. Obfuscated or not.

    If they turn around and use that code and profit from it. They're breaking copyright law. You press charges in that case.
     
  3. luxel

    luxel

    Joined:
    Mar 17, 2014
    Posts:
    3
    This is a good discussion and after reading all these posts I finally decided to do nothing on code obfuscation. =)

    But recently I'm working on a project which is similar to Paradoks' - a multiplayer game based on Photon where most logic is handled by the client. Yes, unfortunately, right now we cannot afford server-side logic development.

    So just wondering does Paradoks have any further study/information on this?
     
  4. Paradoks

    Paradoks

    Joined:
    Oct 13, 2009
    Posts:
    436
  5. cmcpasserby

    cmcpasserby

    Joined:
    Jul 18, 2014
    Posts:
    315
    evilBoy, no matter how much encryption you toss on things, they can still be edited, since during runtime it's all in your system's memory, and can be accessed and modified.
     
  6. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    actually, to make things worse, this isn't an option either since your ability to enforce/sue is entirely dependent on your financial status.

    simply put? no money for attorney, no lawsuit.
     
  7. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    btw, i think folks are missing the obvious. your stuff isn't going to be reversed by every single user. it only needs to be reversed by *1* and then uploaded..
     
  8. Epictickle

    Epictickle

    Joined:
    Aug 12, 2012
    Posts:
    431
    @Marionette, that's wrong bro. Most attorneys, if they know they have a case, will go through the lawsuit for free and take a percentage once the suit is settled.

    Furthermore, I'm not very worried about people viewing my code. If they try to sell it, I will sue.. Period. If they wish to have the source for educational purposes, they can always just ask and I will most likely give it to them for free. I put most of my source code on the internet for people to review anyways. Only an idiot would try to sell a game that is already on the market..

    I do have one question, though..

    Are these people able to obtain the 3d models, sounds, animations, etc, or are they able to obtain only the code itself? I feel like if they can only get their hands on the code, then they aren't going to get very far anyways... They might make a "reskinned" version of the game with all of my same code in place, but imo, doing something like that would be harder than making a game from scratch.. Plus, let's be honest here, if you've ever done 3D modeling, texturing, and animating, those are the most time-consuming parts of game-dev. I could have a full-fledged game programmed in less than a year, but the models, animations, textures, etc wouldn't be done by then.. Which means that even if they did get their hands on the code it would take them a very long time just to make the 3d models they want in their reskinned version.

    I am, however, a HUGE fan of moddable games. I love it when game companies release games that can be modded by the community. If I ever do release a AAA game, or even a game that sells, I believe I would offer modding as an option. In essence, when people steal your code, that's all they want to do is mod it.. Why not offer something like that? Let them import their own models, etc... I'm sure that would cut back on a lot of code/project stealing.
     
  9. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349

    ok, let me give a scenario:

    you have an indie, such as myself, that makes some middleware etc.. the code and stuff i offer will be for developers that are fully capable of reversing if they so choose. the onus is then on me and becomes, just *how* do i know exactly? secondly, there is no attorney in the world that would take a case on contingency if the offender doesn't have any money either. thirdly? while it sounds good in principle to sue for your rights, in application, without the finances to do so, won't protect your IP.

    and lastly, all it takes is *1* developer to crack it, then upload it, or make a variation of it to compete for example. are you telling me you would have finances to not only audit, but then sue the potential multitudes of folks that might've used it? and btw? we're not just talking about stealing code, we're talking about cracks too.

    not to toot my own horn, but i've been a developer for nigh on 30 years, and have contributed and written many graphics engines from truevision3d, to genesis3d to jet3d to many of my own. i am fully aware of how time intensive art assets can be ;)

    the argument isn't to allow modding. the argument is whether obfuscation in any form is worth the effort and cost. i was simply trying to point out what i thought was obvious, but hadn't been brought up in the conversation.
     
  10. Epictickle

    Epictickle

    Joined:
    Aug 12, 2012
    Posts:
    431
    My thought process is:
    If I'm not making enough money off of the IP to sue their asses for reversing it, then I'm not going to care.

    No matter WHAT you do, there will be deobfuscators out there for every obfuscator made. It seems pretty pointless to me.. Why waste the time on an IP that isn't making you money anyways? If you're not making enough out of that IP to sue them for it, then obviously it isn't worth the time lol. I'd rather move on to something that WILL make me money, and when it does, and someone tries to reverse it, I'll sue them.

    Also, I mean, how many people are out there actually doing this?

    My point still remains, though, that it would seriously take them more time and effort to reskin the game than it's worth.. If they can't get my textures, animations, sounds, models, etc, then I really don't care about them getting to my code and reading through it.. Hopefully it helps them out in the long run! I'm all about educating people.. Even if they do it in a not-so-ethical way. If they seriously can't obtain all of the other assets in my game, then how many people do you think are out there releasing reversed games? Probably none.. They don't want to take the time to make new models, textures, and animations.

    I get that some coders out there want to keep their code a secret, and that is definitely their right! But, in my mind, if I'm not making any money off of the game, I'm going to release the source on my website so that anyone who wants to be educated can do so. It's really a simple way of thinking.. One man's trash is another's treasure.

    Btw, I'm thinking about writing a rudimentary Raytrace 3D engine.. Any tips?
     
  11. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    About your first point. You're assuming that you WERE able to make enough money from the IP to begin with. A lot of folks are hit in the beginning, and are thus unable to mount a serious challenge. Not to mention the time, money and effort it costs to even patent or copyright something properly. Believe me, dealing with patent attorneys is neither fun nor cheap.

    Second point. I'm kind of neutral about obfuscation to be honest. I think where it provides either a deterrent or sense of security but doesn't cripple or compromise its own functionality, why not? There are plenty of decent free obfuscators out there. Are there deobfuscators? Sure. But in most cases, and if done correctly, it can provide a small level of protection. This all depends on your product as well. The steps you need to take to prevent cracking are different from those taken to protect the actual formulas used in a product. In my case, protecting the actual code itself is more important, and thus obfuscation meets my specific needs more than others possibly. Shrug.

    As far as there not that many out there reversing things? Don't kid yourself, there are a larger amount than you think. There are whole websites and groups dedicated to hacking, cracking and reversing stuff with huge active memberships..

    As far as a 'rudimentary' ray tracing engine? There's nothing rudimentary about it ;)

    From threading to memory management to asset management to pipeline management, regardless whether you use directx or opengl or your own ala carmack, it can quickly become daunting.

    Been there, done that lol. Good luck ;)
     
  12. Jonten

    Jonten

    Joined:
    Dec 19, 2014
    Posts:
    4
    Any more success on this? Did you manage to get your web build obfuscated and working? Do you know about any asset store product (that you have used or tested) except for CodeGuard that can handle obfuscation for a web build (or commercial software)?
     
  13. Tom163

    Tom163

    Joined:
    Nov 30, 2007
    Posts:
    1,290
    I've been developing games as a hobby for about 20 years now. Never, not once, was illegal copying, or someone having the same idea, or anything like that a decisive problem in the beginning. Unless you are EA and coming out with your next AAA title, and we are explicitly not talking about those kinds of people, then your problem is getting enough audience in the first place. People not even knowing about your game is much, much more serious than people downloading a torrent of it. The $$$ you need to spend to prevent one illegal download would probably generate at least two additional sales if put into marketing.
     
    tanoshimi likes this.
  14. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    First of all you're taking my words out of context. Second, just because it hasn't happened to you, doesn't mean that it doesn't happen. Thirdly, shrug, could be that no one wants your specific IP. And lastly, it's not just games that we're talking about here. It's also the Middleware folks that provide tools and such for game developers where if they obtained my source it could be devastating to me, and to be honest I probably couldn't mount the kind of defense that would be required for me to recoup any damages. There are many folks, Middleware or not, that are in the same boat.
     
  15. Tom163

    Tom163

    Joined:
    Nov 30, 2007
    Posts:
    1,290
    I'm always interested in data that makes me change my mind. Show it to me. Which game or company failed and can show that it was because of illegal copying?


    My best-selling Tom's Terrain Tools was found on a download site by my co-developer recently, with a YouTube video that advertised this download. I sent takedown notices to both sites, it was taken down, that's that. So yes, it happens. Yes maybe we lost some sales because of it. Does it bother me? Enough to send two e-mails, not enough to lose sleep over it. Spending my time and energy on things that actually generate money will gain me more. I'm not just talking from theory, Marionette. I am in this same boat you're talking about, and I do as I say.
     
  16. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    Ok.

    What you're on about, I'm not sure, nor the antagonistic way you've attacked the opinions I've expressed. But if you truly believe this whole conversation is about copying, you're wrong. It's not. It's about obfuscation. The reasons for and against. You want me to provide proof to you about an argument *you* made. Not me. I stated as much in both of my recent posts. Please tell me that you're serious about your question. Do you honestly believe that folks *haven't* been hurt or even given up the ghost because of hacking, copying or reversing? Because that's what you're implying. The 'big deal, so I found my stuff on a site and sent them emails and they took it down' mentality might be ok for you, but I have a different view. Shrug. Go back and reread my posts. Then do it without taking anything out of context and pertaining to the thread at hand. Please point out where I talk about copying at all. Or that it was just about games and gaming studios.

    If folks want to use obfuscation, and it doesn't hurt their code management or performance I say why the hell not. Why give the script kiddies and hackers a golden ticket when you don't have to? Shrug. At least make them work for it. In my case, it's not the art assets or game, but algorithms that I personally want to protect. Read that again. That I *personally* want to protect. You can do whatever the hell you want. Am I going to do whatever I can to protect the last 2 years of research and code that I've been working on? Damn skippy I am. 'Nuff said.
     
  17. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    And just so that we're *crystal* clear on this: it's not up to me to 'change your mind'. It's up to *you* to do your own diligence.
     
  18. Tom163

    Tom163

    Joined:
    Nov 30, 2007
    Posts:
    1,290
    The topic is about obfuscation, but preventing copying was mentioned in the topic start as one of the reasons for it.

    If folks want obfuscation they ought to have the full picture, including the information that it will likely not do as much for them as they think. For Javascript, where people request the same all the time, my professional opinion, as I work in IT Security, is that you should minify it and that's it. That will make it difficult enough for most people, while the pros will not be stopped by obfuscation, either.

    If you have algorithms that are so valuable and unique that it took 2 years to make them, maybe you should be running them server-side as a SaaS instead of delivering them to customers at all? De-obfuscating your code will definitely take much, much less than 2 years, so it would be worth the effort, compared to re-inventing the same solution.
     
  19. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    Wtf are you talking about? What is it that you think I'm advocating? You obviously have not read the entire thread very well because you'd see that I said basically what you are and that while *my personal* reasons for wanting to use it or not would be different than someone else's.

    You just having a bad day or something? Feel the need to just trash someone? Is that it?

    Why you feel the need to keep throwing your resume in my face I dunno, but I find your thinly veiled sarcasm tiresome.

    I have spent a great deal of time developing an asynchronous grain engine for unity. There isn't another solution like it. No real guidelines, nothing. So yeah, working out the tech, then working out how to implement it into unity and additionally having to write a rudimentary VBAP/ambisonic component as well has taken me a bit of time. Along with the editors and visualizations etc.. I plan on protecting it. You don't want to obfuscate? Then don't, but don't just jump on the last post and blast *me* for all its ills. Try having a bit of decorum.

    Dunno if you think I'm ignorant or what, but I started developing back when hacker/cracker groups were prevalent. Paradigm, razor 1911 etc.. I also was the lead developer for SunnComm international writing DRM/encryption stuff for Sony/BMG. So please, step down off of the pedestal you've placed yourself on.
     
  20. Tom163

    Tom163

    Joined:
    Nov 30, 2007
    Posts:
    1,290
    I don't know what's wrong with you that you go into personal attacks. I'm here to tell my opinion about what obfuscation is good for and why I think it's a waste of time. I don't have time for a flamewar.

    If your code is that special, and I meant no disrespect by saying that, because quite a few packages available really are incredibly cool and complex, then don't look to obfuscation to save your day. That is still my professional opinion, and you can choose to take it or disregard it, but I've not seen one argument here to change my mind.
     
  21. Dameon_

    Dameon_

    Joined:
    Apr 11, 2014
    Posts:
    542
    You spent time programming DRM for Sony? No wonder you think obfuscation is a good idea.

    No skin off my back if others feel a need to obfuscate, but if you're trying to protect your IP, there are a dozen more viable and actually effective ways to do it.

    Any programmer should be familiar with "security through obscurity" and be able to draw some parallels here.
     
    Last edited: Jan 3, 2015
  22. Marionette

    Marionette

    Joined:
    Feb 3, 2013
    Posts:
    349
    All I can do is just shake my head.. seems that both of you have critical thinking issues. It's really amazing how much you assume you know about me from the little bit I shared. Shrug.

    Use it. Don't use it. I really don't care to be honest. I expressed my opinions backed by my experience as well. If you honestly believe that obfuscation serves no purpose then that's on you. Or not. Like I said, I personally plan to take steps to protect my IP. What exactly is wrong with that again? Because *you* think it's a waste of time? I'm planning on using other means to help shore up my stuff too, but that's off topic since what the OP wanted to know is whether it was worth it or not. You dug up an old thread to slam my opinion? Ffs. Really? Sigh.

    Btw? Just because you have an opinion, doesn't mean that it's *the* opinion.

    Lastly? If you're expecting to get more of a rise out of me on this, don't bother. I'm done with this thread.
     
    Last edited: Jan 3, 2015
  23. mescalin

    mescalin

    Joined:
    Dec 19, 2012
    Posts:
    67
    seriously it takes the average programmer 2 seconds to think of a solution, and about 2 weeks to take apart someone else's solution


    working out other peoples programs is the very definition of work, starting from scratch is usually easier




    edit: lol i didn't dig the thread up i thought it was trending :S
     
  24. larku

    larku

    Joined:
    Mar 14, 2013
    Posts:
    1,422
    I think that Marionette and .Tom. have valid points but they are not mutually exclusive points.

    1. Obfuscation does little (or nothing) to stop copying a game or simple ideas.

    2. Not everyone is using obfuscation to stop copying (there are other reasons)

    3. Some complex code certainly will benefit from good obfuscation (ie one that can not get back legible identifiers etc ) Since as you've indicated it will often take longer to decipher than recreate yourself (that's the goal here) This is typically only true for complex problems - simple ones are simple to understand and hence benefit less from obfuscation.

    4. Trade secrets are worth protecting. Claims were made that it only takes 1 person to reverse something and to upload it - sure that's true, but there are many situations where this simply won't happen. Assume person X has the ability to reverse whatever protection/obfuscation/whatever you've used, that's great, but the person X would also need the motivation to do so! Let's say that person Y does not have that ability but does have the motivation (ie they want it). So person X has the ability (and therefore most likely the ability to create it on their own too). Person Y does not have the ability (and possibly also not have the ability to create it on their own). So either person X knows person Y and gets them to do it for them (seems unlikely) or somehow person Y manages to track down person X and convinces them to do it for them (also seems a bit unlikely). This may happen for AAA titles etc where the sheer mass of people who even know about the product can increase the chances of the motivated and able people to come together. But for small indie products I think it's unlikely these will occur often. Therefore I conclude that in some cases protection/obfuscation/etc CAN (but doesn't always) provide SOME benefit.

    5. Running all code that contains trade secrets server side is an option in only a few scenarios - anything that operates on large sets of data in real time are not going to work well if you're throwing all the data between the client and server to do the calculations. If the computation is somewhat expensive you're going to need some very beefy hardware which will likely negate any profit you expect to make - simply not practical.
    I know the analogy is a bit crass and crude but let's face it, the locks on your house and car doors do not stop anyone entering if they want to. Do you not use your locks since some may choose to circumvent them? I doubt it. Are they 100% effective, certainly not. Are they a useful deterrent - absolutely. People tend to take the easiest route, make it more difficult they may just move on to the next.

    Will obfuscation protect your game from pirates? Nup, never, that's almost (or is) impossible. Will obfuscation increase the effort required for someone to gain insight into some trade secrets - absolutely. Will it stop all, unlikely. Is it worth using? In some cases I'd say yes.

    Having said all that - I think the ideal solution is to employ something like IL2CPP on all platforms (come on Unity do all platforms!! :) ) since that is basically 'natural obfuscation' sure some can reverse this still and it can certainly still be hacked, but it's FAR from giving the source out on a golden platter (as is the case right now).

    There was also mention that copying rarely causes issues - this sounds like you have no experience with mobile platforms. Ever released a title on Android? Yeah? Go check the Chinese app stores - wow, there's your app released by someone else, with their ad network replacing yours, getting your income. Now try and add your legitimate version - what's that? they won't let you? they don't believe it's your product? WOW. That's a daily occurrence. I have first hand experience with this. That's an entire market that you're now excluded from, we're talking serious income opportunity here... Go sue them? Right, good luck there! Would obfuscation have helped here? I don't know. But is copying/reverse engineering an issue for some cases - absolutely.
     
    Kurius likes this.
  25. Foxxis

    Foxxis

    Joined:
    Jun 27, 2006
    Posts:
    1,108
    Bumping this thread as we are nearing release, and I think our code is worth protecting, even if it is just from script kiddies.
    Are there any *good* up to date obfuscation solutions that work well with Unity 5.x? Are there any binary encryption / packing solutions that work with Unity3d on multiple platforms (Win/OSX)?

    Thanks in advance!
     
  26. lordofduct

    lordofduct

    Joined:
    Oct 3, 2011
    Posts:
    8,514
    Did you miss the point of the entire thread?

    It doesn't protect your code.

    It still gets decompiled, it still is accessible (even from those script kiddies), the only thing is that the names of stuff are more gibberishy than not.

    What are you protecting it from, and for what? Is there some algorithm in it that you don't want used/abused?

    Here's the thing... script kiddies don't care about your crazy optimized algorithm that performs some weird process in a super efficient method. Script kiddies are concerned about either playing pranks, or hacking free access to your program. Is your program easily exploitable for pranking? (it has an online feature that you've put a lot of code that ought to be on the server into the client) Or are you afraid they'll crack the game and distribute it freely? (obfuscation doesn't really help with this)

    If you explain what you're attempting to block people from abusing in your game, we could probably give you a much better alternative to obfuscation.
     
  27. Sylafrs

    Sylafrs

    Joined:
    Jun 25, 2013
    Posts:
    65
    Hey,

    Just bumping this thread to know what would be a **good** obfuscator to use for Unity3d assemblies?
    I know that it won't completely protect anything but it can dissuade.

    Best regards,
    Sylafrs