I used to reverse engineer clients for a living. And this is why you should obfuscate.

TLDR: Just obfuscate your game already. This applies to mobile, PC, and console games, if you do it from the beginning, you will thank yourself later. 

In the final stages of our launch at Get Wrecked, I have been preparing our code to securely go out to the entire world without too many problems. I come from a Java background, in particular, I used to reverse-engineer Java clients for a living. To my surprise, I have come to the conclusion that the Unity community is not extremely fond of obfuscation. In almost every post I find comments on why obfuscation is pointless, and why you should worry about the competition instead of pirates. In my opinion, this is flat-out wrong and dangerous. This is going to be a long post, but for the sake of your business, if you are considering whether or not to obfuscate your code, read it.

In particular, this answer, marked as “correct”, blew my mind. Please do not see this as an attack on the original poster – he is a very smart dude and definitely gets some things right. But it is important to warn people of the risks of believing everything you read online. This reply simply summarized most of the misconceptions in one, so I’m using it as an example.

blewmymind

Please read this reply and let it sink in for a minute.

I mentioned I reverse-engineered clients for a living. I can tell you that the market for reverse-engineering Runescape clients alone is about $5 million a year, and it is driven by 12-25 year olds who have built an entire community around deobfuscating and releasing their own version of RS because they can make money off it. Can you imagine how big the CSGO modding market is, WoW modding market maybe? You get it – there are people out there making a living on your work, and they can protect themselves so well that it becomes nearly impossible for you to take down their content.

To date, Runescape Private Servers carry about 20% of what RS itself has online in players. Servers are sophisticated enough to even “fake” their online player count to make it look like the market is smaller than it is (I invented that trick, and I’m not necessarily proud of it, but it’s become a norm now).

1) Self-hosted versions/clones (and private servers) of your game by others

And while there is a sense of truth in providing “better service” to the customers than the pirated game, there are always going to be cheaters who prefer faster experience gaining on private servers/clones and quicker access to the same items over a good and long-term grind.

The risk here is that these cheaters are sophisticated enough to target your players through targeted campaigns. Especially if they are monetizing off their work. It just becomes a normal business for them, and slowly but surely you’ll see their market grow and your own chip away.

Obfuscation will NOT stop intruders from getting access to your game. If they are incredibly driven to do so, they most definitely will be able to deobfuscate your client and release it to the world, or create their own business out of it. Without obfuscation this is a matter of minutes, with obfuscation it can take weeks, if not months, if not years to deobfuscate 1 simple version of your client.

This matters, because by the time they are done, you are already 10 steps ahead. Obfuscation does not buy you security, it buys you the time you need to stay ahead of the cheaters and give your community the great service they need in order to prevent them from cheating. This way, cheaters will never be able to add the features you have to their game and keep up with you. They will always be a few months/years behind, which usually stops people  from starting in the first place.

In order to effectively do this, make sure that your obfuscation changes frequently, and don’t throw your methods through the exact same hash each time for example. You can keep the same hashes for a few versions, no problem, as long as you change them every few weeks/months.

In order to effectively do this, make sure that your identifiers change each time you obfuscate. Don’t throw your methods through the exact same hash each time for example. You can keep the same hashes for a few versions, no problem, as long as you change them every few weeks/months. Most obfuscators offer obfuscation logs which you can use to still read the error codes you receive back from the client. It should take you no more than 5 minutes to write a quick “convert obfuscated stack trace to human-readable” program that your developers can use. The logs look somewhat like this (minus the black stripes, it’s just there so that people can’t figure out what obfuscator we use and reverse-engineer our seed)

forsecurity

To give you an idea of how big this threat is – this was my private server when I was 16 years old, now imagine if all those people invite just 1 friend over, or if I would have continued it for a longer period of time.

 

hacker
This kid can decompile your game in about 10 minutes with a Youtube tutorial.

 

2) Publisher Negotiations and Direct Clones

Secondly, it is important that you always keep your competitive advantage. In our case, we are negotiating with some publishers in China about publishing our game. If you really think that they are not sophisticated enough to deobfuscate your game, maybe change some assets, and release it before you even sign, think again. Or how about if 1 of their developers decides to leave the publishing company, but still has your build on their device, and does the same thing, but be completely untraceable? If your game is really good, you do not want to send over unobfuscated builds anywhere other than to your own developers for debugging purposes. The risk is simply too high, especially if negotiations don’t work out with that particular org/person and they have already seen the potential.

3) Cheat Clients

One thing we didn’t necessarily touch on yet is the usage of cheat clients (or bots) for your games. If you obfuscate, you significantly slow down the creators of these cheats, and you will even have the time to write the code to detect cheats before they even exist. In fact, when they are done, you probably already changed your codebase so much that their cheat won’t even work on the current version that a normal personal has installed, or your obfuscation  changed and the method they are calling no longer exist in the same form. This can be the difference between life and death for some games.

4) What I’m not saying

I’m not saying you should run sensitive logic on the client. Obfuscation won’t help you. Always run sensitive logic on the server if cheating is a risk. Don’t ship things to users that you don’t want them to be able to eventually modify if they really want to.

If there are any reasons listed that I did not mention, please let me know. Oh, and share this with your game developer friends.

5) What you should obfuscate:

  1. At the very least, obfuscate your method names and class names, and parameters, and then add fake code through your obfuscator. Nothing drives people more crazy than figuring out you just spent an hour renaming a throwaway method.
  2. If you use unity, also go for fields, properties, and events.
  3. Don’t forget to change your obfuscation algorithm every few weeks/months (this is as simple as adding a new seed to the hash)
  4. Keep in mind that if you use serialization and deserialization. You likely will not be able to obfuscate your model class fields. This is not ideal, but if you have enough fake code it should be fine.

Pim

 

 

Advertisements