I currently have a problem with Unity's network system. I have a band of colleagues who test my networkgame for me to find any bugs. Recently they decompiled the game, and found themselves able to recompile it again with their new code in it.
Now normally this wouldnt give any problems as my game is working with authoritive server, but they can also call upon Network.Instantiate and Network.Destroy.
I Guess I can prevent Network.Instantiate, by checking wether the object was made by the server or not, and banning the networkView.viewID, but I can't do anything against Network.Destroy.
For example, I have a GameObject in the scene which manages the server (Slots, chat and such). Therefor, it uses a networkView to allow RPC messages. Once you decompile it and add Network.Destroy in a OnConnectedToServer() function, that corrupted client will crash the entire game for all players once he connects to the server because he destroys the server GameObject for everyone.
Are there any methods of preventing this abuse?
Many thanks in advance.
Edit: Additionally, I just found out that they can also add RPC calls themselves. Can anyone shed some light on how to make sure that clients ony accept RPC calls send by the server? I tried to ensure that the NetworkMessageInfo.sender was equal to Network.connections, but that didnt work out.
I don't think that would make much difference. For every method of obfuscation, theres a method of de-obfuscation.
I managed to rewrite all my RPC calls in a way that they cannot be abused anymore for hacking, that was just a case of using my own common sense.
I cannot make any changes to the Network.* functions though, so clients can still call Network.Destroy(gameObject); in a OnConnectedToServer() function.
I am thinking of a few possibilities that I might have missed, and I wonder if any of them are possible:
Or any other way that would yield same result?
A awnser on this problem would be most exhilarating!
answered Mar 18 '12 at 04:21 PM
Just use a obfuscator, they make it hard to decompile the game (I think thats what it's called...)
answered Mar 15 '12 at 11:49 AM