Is it possible to hack/decode asset files?

Is it possible to hack built asset files? I know that in theory all encrypted files can be decrypted. Is the algorithm a strong one? Is there any way for us to choose the algorithm that Unity uses for encrypting .asset files in the exe build or web player build? Has anyone hacked these files before? Many archive formats like EA's big have been hacked and can be modified now, and it's a good idea to have the ability to change the encryption algorithm.

asked Jan 31, 2010 at 04:34 AM

Please note that nothing is unhackable! It's only a matter of time. And the more you try to encrypt, the more someone will try to decrypt. Plus, nonetheless, everything can be reverse engineered. For example, models can be rebuilt polygon by polygon too; it involves a lot of time again, but it is possible.

Aug 05, 2011 at 08:56 AM Psycke

But how can I download the file.unity3d from the webpage?

Apr 10, 2014 at 11:27 AM MisterX_Dev

5 answers

It's not a matter of the encryption algorithm, it's a matter of the decryption key being compromised the moment you distribute your game.

Suppose you determine that Unity is currently storing assets encrypted with ROT13. You decide you're going to plug in AES and encrypt all asset bundles with it. You now need to distribute your game to players. You've basically run into the same problem that DVD encryption runs into, which is:

  1. Your game needs to be able to access the assets.
  2. You need to put this game in the hands of players.
  3. The executable needs to have the key included to decrypt the encrypted assets.
  4. Anyone can dig into your application for the key.

Now, I'm doing it with a web-based game, you say. I'm not distributing an executable at any point, so I can distribute the key securely via https! That does not save you, for several reasons:

  1. You'd need the Unity plugin to support your asset encryption/decryption scheme.
  2. You're still sending the asset password over the wire, even if over https, so someone could pretend to be the Unity webplayer and just grab the key from you.
  3. If you were to convince Unity to do some sort of public-key approach where you can encrypt your asset password so that only the Unity webplayer can read it... well, now the Unity webplayer plugin needs to have their own private key stored somewhere, doesn't it? You're back at square one.

Even if you were to do something crazy, like having a .unity3d file server that responds solely to signed requests from the webplayer, and then sends a just-packaged copy encrypted with a one-time key agreed by both parties via something like Diffie-Hellman: do you really want to run that much computational expense on your server, knowing that at some point the webplayer will need to decrypt your assets in order to play them, which means they'll be decrypted somewhere in memory (and maybe the temp files or swap)?

It doesn't seem to be worth it. Any approach that doesn't involve a trusted third-party server (à la having a Unity Certificate Authority) can be bypassed without that much grief, and the worst thing is that it only needs to be circumvented once and it's broken, forever.

I guarantee you that the reason the film industry can't solve the problem is not because they're incompetent, but because it's not a trivial one, even when you have their pockets.

answered Feb 19, 2010 at 11:32 PM
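The one-time-key delivery scheme described in the answer above, as an added example (not part of the original post and not Unity's code). The toy Diffie-Hellman modulus, the SHA-256 counter-mode keystream standing in for a real cipher, and the sample asset bytes are all assumptions chosen for brevity; the point is that the bundle looks different on the wire for every download, yet the player still ends up holding the identical plaintext.

```python
import hashlib
import secrets

P = 2**255 - 19   # toy DH modulus (a prime); assumption, not production parameters
G = 2

def dh_keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    """Both sides derive the same one-time key from the shared DH secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor_stream(key, data):
    """Toy stream cipher (SHA-256 in counter mode); stand-in for a real AEAD."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def serve_bundle(asset):
    """One download: fresh key agreement, server re-encrypts the whole bundle."""
    s_priv, s_pub = dh_keypair()                               # server side
    c_priv, c_pub = dh_keypair()                               # web player side
    wire = xor_stream(session_key(s_priv, c_pub), asset)       # crosses the network
    in_memory = xor_stream(session_key(c_priv, s_pub), wire)   # what the player holds
    return wire, in_memory

# Constructed sample standing in for a packaged asset bundle.
ASSET = b"constructed sample bundle: mesh, skeleton, textures " * 4

def demo():
    wire1, mem1 = serve_bundle(ASSET)
    wire2, mem2 = serve_bundle(ASSET)
    return {
        "wire_differs_per_session": wire1 != wire2,
        "wire_is_not_plaintext": wire1 != ASSET,
        "client_holds_plaintext": mem1 == ASSET and mem2 == ASSET,
    }

if __name__ == "__main__":
    print(demo())
```

The server pays for a key agreement and a full re-encryption on every request, and the only thing protected is the copy in transit, which https already covers.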

Thank you Ricardo! You are right, but having multiple algorithms for encryption and multiple keys can help us in some situations. At least a general viewer for all of our game archives cannot be written. I use RC4, you use AES and others use other algorithms. It's not completely safe but it's safer.

Feb 20, 2010 at 04:36 AM Ashkan_gc

I appreciate this theoretical answer, but, just to be clear, are asset bundles (.unity3d) files encrypted in any way? I would suspect not. Is there a way to protect an arbitrary unity3d file that a user can download from being used in their Unity game?

Jun 14, 2010 at 06:57 PM Eric 1

Not the unity3d itself, as you would need to have your decryption code integrated with the webplayer for it to know how to open it. And not for the assets, since it needs to be able to get those as well. You could place the bulk of your code into an obfuscated DLL that your MonoBehaviors then reference, but you can't obfuscate the MonoBehaviors because Unity doesn't support having them in DLLs. All schemes will be defeated sooner or later (usually sooner), and they only need to be defeated once. Do you want to spend your time in a futile attempt to hide your assets, or making a game?

Jun 14, 2010 at 08:00 PM Ricardo

Thanks Ricardo. This is what I understand. Just to clarify I am less interested in protecting our code and more interested in protecting third party skeletons/meshes/materials that are encoded in asset bundle files. If the asset bundle has a fully skinned character (and you can get ahold of the bundle file), it is trivial to use it in your own Unity game.

Jun 15, 2010 at 07:42 PM Eric 1

Certainly Eric. But as it is Unity's engine that ends up decoding the resources, and as far as I know you can't plug hooks into either Resources.Load or Application.LoadLevel, that means you're at the mercy of however Unity encodes the assets. Do contact Unity, they may have a way, but I'm afraid that's the extent of what is evident from the API.

Jun 15, 2010 at 08:15 PM Ricardo

This gets hashed out on the forum from time to time. You can search there for details but the short answer is: "You're pretty safe from casual hackers/thieves but someone who is determined can steal from you". The question you have to ask yourself is "how big of a threat is this really?".

answered Feb 19, 2010 at 10:43 PM

JDonavan 1

To my knowledge and as stated in the forums, there is no evidence that anyone has successfully opened and decrypted the assets part of a Unity 3D package. It is not the same for the code, as it is based on .net and, as everyone knows, .net can be opened and hacked in many ways. But so far, unless someone comes with a demonstration that he did it successfully, it is not yet the case and your assets are protected.

answered Apr 04, 2011 at 04:45 PM


Taking apart a .unity3d file is a pretty well documented exercise in the hacker community these days. Source code and assets to games are easily obtainable.

Use this software to pull out the DLL from the .unity3d package: http://unity3d.netobf.com/Unity3dObfuscatorSetup.exe

Use this software to dump the .NET MSIL code: http://reflector.red-gate.com/download.aspx?TreatAsUpdate=1

Rename .assets to .asset and then in Unity just import new asset to access all of the models, textures, etc. Not all assets are obtainable but most of them are.

answered Aug 05, 2011 at 06:52 AM


Practically, the best way to defeat this is not to have an unhackable encryption scheme, but rather one that gets updated frequently and changes constantly. If your game gets updates every week and the encryption scheme is changed each week, you make it very difficult and frustrating to keep hacked versions of your game from working. Typically in the industry, they are not concerned about files being ripped etc., but rather about players being able to cheat using known vulnerabilities, usually by using bot programs/hacks made by actual hackers and distributed en masse. The idea is not to prevent hacking altogether, but rather to prevent casual hacking or "click 'hack' button" hacking. If the person trying to hack your game knows their way in and out of low-level pointers, C, and hex editors, they're going to get in; if they just know how to Google search a wall hack and then download a program and run it, you can keep them out with frequent updates.

answered Jul 31, 2014 at 01:20 AM

Darth Futuza

asked: Jan 31, 2010 at 04:34 AM

Seen: 39689 times

Last Updated: Jul 31, 2014 at 01:20 AM