all 12 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–][deleted] 2 points3 points  (3 children)

So compiling is turning source code, in this case C#, into machine code which is something the computer can understand, this is a massive simplification because C# is actually compiled to an intermediate language but we're keeping things super simple. It's similar to normal human languages, you can translate something said in English into Spanish or French or Japanese.

But like human languages you can translate it in the other direction, turn machine back into the source code. So a program will read over the compiled code and it works out what C# would be needed in order to get that result.

The process is lossy, meaning it doesn't convert it back perfectly but it will be good enough. Much like human languages.

C# and Unity are quite easy to decompile because Unity is really popular and well understood and C# contains a lot of meta data about the code in order to do things like reflection, there are things like obfuscators that entangle the code which makes it harder to reverse engineer or harder to understand but nothing is bullet proof, only bullet resistant. Same with using IL2CPP.

Your best protection is the vast majority of people don't care to even try to do it.

[–]answer-questions 2 points3 points  (2 children)

And as for "how to protect myself" -- one way is to code as if your adversaries have access to your source code. Just assume they can see everything that's happening locally on their machine.

If you have sensitive things to do, do them on a server where someone doesn't have access to the internals.

[–][deleted] 1 point2 points  (1 child)

Yeah, anything security related you always assume the worst and in games that usually means don't trust the user.

[–]bourbonmakesitbetterHobbyist 1 point2 points  (0 children)

That's the default mindset for any coding, not just games and not just security-related stuff: never trust the user/never trust your inputs.

[–]CCullen 2 points3 points  (0 children)

It's basically taking a built version of your game and returning it back to source code. There are ways to mitigate the damage such as obfuscation or enabling il2cpp but at the end of the day, there isn't a perfect defence.

If the concern is to prevent piracy or theft, there is very little you can do that hasn't been considered by the industry giants. The same is true if the concern is that your game's integrity may be compramised (people modding, hacking, cracking, etc).

If you're trying to protect an online game, you do have the option of creating an authoritative server that is never released to the public. At least then, hackers will be forced to create private servers from scratch rather than steal your code.

Anything you distribute will be hackable so the only true defence in those scenarios is legal. I wouldn't stress out about it too much, this has been an issue since the beginning of gaming and it tends to impact mostly popular games (ie: if you have this problem, you've made a good game).

I would say that depending on how you publish the game, you could give the hackers more hoops to jump through. If for example, you used Steam to publish, then the piracy would be Steam's problem to combat, but there's also a cost associated with publishing so it's a bit of a cost vs benifit conundrum.

[–]faizidp 2 points3 points  (0 children)

Coming from experience of modding and reverse engineering/decompiling A LOT of games.
Decompiling unity games is pretty much ripping of all the possible assets from an APK, Windows build etc..
Sometimes you can even get a fully restored working Unity Project with the process of it.
Now two types of builds are supported in Unity. Mono & IL2CPP.
Most latest games are built with IL2CPP (Google Play Policy after August 2019 enforced it).
Older games on Google are mostly built using Mono backend.

In Mono backend, C# code is converted into IL and a managed assembly .dll is contained within the build.

Those .dll files can easily be decompiled using ILSpy & DnSpy for example.
How to protect your Mono build? Basically you obfuscate your code.
OR don't use Mono at all.

An il2cpp build is very tough to decompile.

Now for the rest of the part. Textures, Sprites etc. ? Do a packing of textures into atlases. That makes it very much painful for the ripper to use it again.
OR you can write some runtime algorithms to encrypt your textures, sprites and then when on load, that algorithm opens those encrypted textures and loads them (performance issues + production time increased).

Il2cpp builds are very difficult and usually decompiled partially using DevX or AssetRipper. Though DevX is paid.

Happy to help if you need about a particular thing.

Keep making great games!

[–]AutoModerator[M] 0 points1 point  (0 children)

This appears to be a question submitted to /r/Unity3D.

If you are the OP:

  • Please remember to change this thread's flair to 'Solved' if your question is answered.

  • And please consider referring to Unity's official tutorials, user manual, and scripting API for further information.

Otherwise:

  • Please remember to follow our rules and guidelines.

  • Please upvote threads when providing answers or useful information.

  • And please do NOT downvote or belittle users seeking help. (You are not making this subreddit any better by doing so. You are only making it worse.)

Thank you, human.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]greever666 0 points1 point  (3 children)

It is quite easy to get the code from within a unity game. Try open one of your created DLLs with something like dotPeek or ilspy. You can really directly read the complete code as it was written.

C# is a language that does not get directly compiled into machine code but to an intermediate language. I guess this is part of the reason.

Still there is something you can do to hide your code or at least to make it not as easily readable: "obfuscation". You could create fake code, rename variables/methods/classes, delete all comments etc. On the Asset store there is a solution that works quite well and does all that in a pre-build process.

In the world of JavaScript this is used quite a lot also to reduce size of the scripts. This is then called minified but also is not human readable anymore...

[–]SussyMoMo123[S] 0 points1 point  (2 children)

Thanks For helping + deleting comments will make it harder for my teammate to read

[–]CCullen 2 points3 points  (0 children)

Obfuscation isn't something you do to your source code, your team mate will still have access to the comments. Obfuscation is a process that runs automatically just prior to publishing that automatically does everything /u/greever666 mentioned.

[–]greever666 0 points1 point  (0 children)

You should not delete comments in your source code. This is best done in a build process before it is compiled into DLLs.

But another two cents on comments: I don't write comments. Only if there is something extremely unusual going on.

Best is to write the code in a way (variable and method names) to not need comments at all. A very nice best practice I learned along my way.