Aurora 4x

C# Aurora => Development Discussions => Topic started by: Steve Walmsley on November 07, 2018, 03:14:13 AM

Title: Aurora C# Code Protection
Post by: Steve Walmsley on November 07, 2018, 03:14:13 AM
I received the following personal message today:

Hi i am a programmer and i Live C#, been my favorite language for 8 years now,
Im hopping to write a modkit(open source, for any other codes to use) for Aurora C# when it comes out, to this i will Use Mono. Cecil to reweave the . net assembly so i can easily override/hook into any Method,
And all the rest will be done using  System. Reflections, as such i don't need your co-operation, to make it happen.

But i would respect your project, and ask if you are ok with this?
(I know aurora C# release is a long ways away but i thought i might ask so long)

My Thinking for why i want to write the modkit:
Your project is closed source(total cool i understand), but this makes it so that other developers cant help fix bug/expand the game etc.
And it would bring a lot to the table, now i don't expect you to add mod-ing support, but because its C# running in Cil Jit i can easily manipulate/Inject etc,
what ever i want into the Assembly, so i can do it my self, because writing a Hook Inject is a lot of work and not the easiest thing in the world, i want to write a kit,
that any program can very very easily use with a nice api ontop to create mods for aurora, that way more things can be added to the game bug can be fixed etc,
with out needing to access the source code of the game.


I have been previously warned about the vulnerability of C# to decompilation and had planned to take steps such as code obfuscation to limit the damage. However, there are a lot of smart people on the forum so I would welcome advice on how to avoid the above.

Aurora is a hobby for me, rather than any sort of commercial application. In fact, it is a game I write for me to play that I also happen to make available to others. To be brutally honest, the former is more important to me than the latter.

I have always expressed my view that it is closed source and I want to maintain control over the code. I would rather not release it than see the chaos caused by a plethora of modified versions. Bug reporting would be a complete nightmare and I really don't want anyone taking advantage of my work in other ways (taking the code and releasing as their own modified commercial game for example).

I responded to the above message and expressed my strong opinion that I would not be happy about it. However, if anyone has recommendations on how to protect my work, they would be very welcome.
Title: Re: Aurora C# Code Protection
Post by: Panopticon on November 07, 2018, 05:00:21 AM
It may be a language barrier, but this guy sounds like a dick and I am not entirely certain he can do all he claims to do without more access to the source code than the methods he described can give him. Probably an break the program pretty good though.

That said I think if someone wants to crack Aurora C# and are determined enough they are gonna be able to do it, Here's a decent thread on Stack Overflow for making it harder though. https://stackoverflow.com/questions/506282/protect-net-code-from-reverse-engineering/506301#506301 (https://stackoverflow.com/questions/506282/protect-net-code-from-reverse-engineering/506301#506301)


Title: Re: Aurora C# Code Protection
Post by: Froggiest1982 on November 07, 2018, 05:19:53 AM
Hi Steve,

I have done so many research on that for work and below are the most relative ones. The source is Stack Overflow: you can find lots there on the argument.


source Stack Overflow:
Some suggestions I have for you to help protect your application:

Obfuscate your code. Dotfuscator has a free edition and comes with Visual Studio. Eazfuscator.NET is good too.

Use public/private key or asymmetric encryption to generate your product licenses. This ensures that only you can generate your license codes. Even if your application is cracked, you can be sure that they won't be releasing a key generator for your application, because it is impossible to reverse the key generating algorithm.

Use a third-party packer to pack your .NET executable into an encrypted Win32 wrapper application. Themida is one of the better ones.

Write your own custom packer. If the third-party packers are too expensive, consider writing your own. Sometimes custom packers can be very effective because there aren't well-published methods on how to unpack them. The tutorial How to write your own packer gives a ton of good information on writing your own Win32 packer.

My thoughts
I think you should obfuscate your code and maybe spend some time writing your own packer which knowing you could be fun, also a year more or less at this stage won't change anything in terms of waiting for Aurora C#. This will make it very very hard and only somebody really motivated will go through that process. Ultimately there is only one method to do that as and if they want to crack the code with the above...well they will.
As said there's only one way to make sure that your users don't get your code: don't give them your code!

source Stack Overflow:
This can be achieved with Software as a service (SaaS), that is, you run your software on your server and only let your users access it remotely. This is the model that Stack Overflow uses, for example. I'm pretty sure that Stack Overflow doesn't obfuscate their code, yet you can't decompile it.

Consider also using:

Web Services Keep your marketable content server side and beyond the reach of your clients. They can use it, but not examine the code.

Encrypted Binaries and Online Binaries Maybe even streaming assemblies in an encrypted format to a wrapper application. Keep your decryption keys server side to prevent offline disassembly. This might be circumvented however if someone found a way of exporting the assembly from the app domain of the application, once it has loaded it. (You cannot load an encrypted binary, so an end user might wait until your application has done the work of decryption, then exploit that to export the finished binary) (I was investigating a way to accomplish this (the exporting) - I didn't quite get it working, doesn't mean someone else won't)

My thoughts
I gave up a year ago in finding an answer, so unless there is something new on the horizon I think you have to assume the worst when you put binaries on other people's system.
Title: Re: Aurora C# Code Protection
Post by: Jorgen_CAB on November 07, 2018, 08:58:48 AM
It sickens me when people simply don't respect your creative wills on project like these. It's not like you sell the game or anything... it is a hobby.

The most straight forward and easy thing to do is obfuscating the code and using a license key to verify if someone is using yours or someone elses code. If your code is not used in a bug report you can just dismiss it.

Code can always be cracked if given enough time and dedication, more or less. But obfuscating it will make it pretty decently hard to do and the key will at least make sure you know that the code used is yours or not.

I hope this does not discourage you too much... I understand if it would.
Title: Re: Aurora C# Code Protection
Post by: Steve Walmsley on November 07, 2018, 09:57:41 AM
I think to be fair to the person who sent the PM, English was not their first language so I think the PM was over-enthusiasm rather than malicious intent. Even so, if not that person, it could be someone else so I need to resolve the issue.

BTW I realise I cannot completely protect the code from someone who is both skilled and very determined. I would settle for reaching the point where the majority of people would struggle and it would probably not be worth the effort for anyone who could do it.
Title: Re: Aurora C# Code Protection
Post by: Bremen on November 07, 2018, 12:14:45 PM
The PM seems to be asking permission, so yeah, I think people are getting the wrong first impression from it.

Unfortunately I barely know anything about C# but I hope you're able to protect your work if that's your wish.
Title: Re: Aurora C# Code Protection
Post by: clement on November 07, 2018, 12:34:26 PM
Steve,

I have also had to deal w/ this and similar issues at work. It is very easy to remove a strong name from a DLL and extract code when "protected" via a strong name. Microsoft specifically states that strong names should not be relied on for security. They provide a unique identity only. We deal with it mostly via SaaS delivery for most of our products. However, for those we must provide as downloads for local installation, we do perform obfuscation as part of the build/deploy pipeline.

With the original person's PM appearing to be English as a second language, I agree that it could be enthusiasm but the person also combines 'respect for your wishes' with 'I can do it anyway'.

My suggestion would be include obfuscation if you want to take the time. But since this not open source, you can simply include a license file stating terms of use are not to do those things and not to reuse the code or ideas within. Obviously the person can just ignore that, but that is always the case as they stated in the message.

An additional option to allow you to easily filter bug issues is to include a hash of the primary dll in the bug report. After catching an exception, you can generate a hash of the executing assembly from the harddrive.

Code: [Select]
var assembly = typeof(GameObject).Assembly;

// object.GetHashCode() is only slightly useful, in that it should provide you a first pass test, however it is not considered a permanent value.
// The method for generating it could change from version to version of .NET
// this will not match the SHA256 hash but both of them could be used as a sort of 2 key confirmation that the bug report is valid
// if someone modifies your code, the GetHashCode() value should be different as the module manifest and lookup tables will be different inside the assembly
int runtimeHashCode = assembly.GetHashCode();
byte[] hashValue;

using (SHA256 sha = SHA256.Create())
using (FileStream fileStream = File.Open(assembly.CodeBase, FileMode.Open, FileAccess.Read))
{
     fileStream.Position = 0;
     byte[] hashValue = sha.ComputeHash(fileStream);
}

// put runtimeHashCode into the bug report
// put hashValue into the bug report
// I assume you are planning on logging exceptions out to a log file as JSON or something like that


Title: Re: Aurora C# Code Protection
Post by: Myvar on November 07, 2018, 01:01:37 PM
I wrote the pm, and reading the replies i realize that i totally miscommunicated, so here is a clarification:

1.  I was asking permission and it was not granted and there for i will not do it, im totally cool with this
2.  I had no intention of steeling, using, abusing or profiting from steves game in any way
3.  Nor did i have any intent of Cracking the game

What i wanted to do was make a mod kit, so people can use to mod there aurora, to do things like,
adding new content, adding tools and utility Forms like a tech tree for eg, etc.

as for the "as such i don't need your co-operation, to make it happen. " part, i was not trying to say i can do it any way.
What i was trying to communicate is that it would not take any of his time up, he does not have
to worry about bug reports/breaking changes etc, ie. 
i dont want to make it his problem, since he wants to keep it a hobby.

I just wanted to make it clear that i had no malicious intent, i just wanted to mod the game.
And thought i might be smart to ask permissions first.

Im sorry for the terrible miss communication.
(im Dyslexic sorry for bad spelling and grammer)
Title: Re: Aurora C# Code Protection
Post by: Panopticon on November 07, 2018, 02:11:20 PM
I wrote the pm, and reading the replies i realize that i totally miscommunicated, so here is a clarification:

1.  I was asking permission and it was not granted and there for i will not do it, im totally cool with this
2.  I had no intention of steeling, using, abusing or profiting from steves game in any way
3.  Nor did i have any intent of Cracking the game

What i wanted to do was make a mod kit, so people can use to mod there aurora, to do things like,
adding new content, adding tools and utility Forms like a tech tree for eg, etc.

as for the "as such i don't need your co-operation, to make it happen. " part, i was not trying to say i can do it any way.
What i was trying to communicate is that it would not take any of his time up, he does not have
to worry about bug reports/breaking changes etc, ie. 
i dont want to make it his problem, since he wants to keep it a hobby.

I just wanted to make it clear that i had no malicious intent, i just wanted to mod the game.
And thought i might be smart to ask permissions first.

Im sorry for the terrible miss communication.
(im Dyslexic sorry for bad spelling and grammer)

I apologize for saying you seemed like a dick then, that was probably more harsh of me than you deserved anyway.
Title: Re: Aurora C# Code Protection
Post by: Puciek on November 07, 2018, 08:12:15 PM
I generally work on the other side of the bench - decompiling and analyzing code that doesn't want to be decompiled and analyzed, and to be perfectly frank the best thing you can do is add a checksum to easily validate if a bug report is coming from a pristine version and simply ignore what else people will do with your creation.   Short of few commercials, and very expensive projects, all the obfuscation/security work will only make the software more annoying to work with (either for you as having to make sure to handle all the security for each release, or for users where compatibility/performance may be hurt) and it will not require almost any skill to crack - just install and run out of the box tools.   Actually securing software is going to bring the type of crowd which will crack it for the sake of it. 
Title: Re: Aurora C# Code Protection
Post by: Vitellus on November 07, 2018, 11:49:15 PM
I think the other responses have covered code protection pretty well, but it's probably worth saying that the original question wasn't really about source code modification, but about modifying the functionality of the executable in a remote execution environment.   

As such, it isn't generally about forking a product and producing an imitation, but about changing the function (or form) of the product itself as it's being run on someone else's hardware.   This could be incidental (flipped bits in non-ECC memory causing chaos, compatibility issues due to hardware/software variations, etc), more or less benign (e. g.  "community patches" that try to preserve the spirit while fixing some issue or other, or mods), or arguably benign or malicious depending on context (e. g.  cheating, or piracy, but given it's single player and not sold, malice is perhaps hard to argue).   

I don't think it's practically worth any effort beyond selecting some sort of license to protect your IP and some sort of hashing mechanism to allow you to filter out bugs that you wouldn't be able to reproduce easily.   E. g.  ensure they can't profit off your work, that you are not responsible for chaos caused, and that you don't end up debugging chaos.   

That said, for a survey of approaches to 'fixing' this, since you aren't running an online game or any servers, you are more or less limited to attempts to secure the end user environment.   There are lots of approaches, but none really apply as most boil down to a combination of verifying licenses with a central server and/or installing monitoring software on a users computer.   Success in this area probably ultimately stems more from cost-benefit ratios than anything else; e. g.  making it easier to pay for the product, difficult or risky to participate in an online community while benefiting from such techniques, or legally risky to engage in the behavior.   None of those approaches are really technological; it's practically impossible to protect your application while it's executing in someone else's environment. 
Title: Re: Aurora C# Code Protection
Post by: Froggiest1982 on November 09, 2018, 03:45:52 PM
Hi @Steve Walmsley

Question part:
sorry if I don't create a new thread for this but while we talking about code I was wondering if you are coding everything under one database as you were doing on the vb6 version or if you are doing it under different dll with saves separate from the main database?

Where it comes from:
I was just a bit concerned about performance in the long run. I mean after all this time and effort you have put into it and considering the addition of the ground units, it would be a pity to have the same performances issues after the first 50 years. I'll have no problem with the eventual waiting time once we are 500 or 600 years into it with 2 or 3 races. I guess we have to wait for you to keep testing it.

Reason:
For a performance point of view translate the code in .NET would have been easier, faster (1 or 2 months top job?) and probably more efficient. Now I do know and understand that when you started the main goal was for you to practice and have fun with C# and I do remember initially you weren't sure of remaking Aurora but maybe a tactical combat simulator it was 2010...wow time flies!

Conclusion:
Would you consider to release a .NET version of Aurora I? I am sure I will be super hooked with the new mechanics and also the ground units and the AIs...but still would be nice sometimes to have access to the original flavour...
Title: Re: Aurora C# Code Protection
Post by: Erik L on November 09, 2018, 04:50:25 PM
Conclusion:
Would you consider to release a .NET version of Aurora I? I am sure I will be super hooked with the new mechanics and also the ground units and the AIs...but still would be nice sometimes to have access to the original flavour...

Look at Quasar 4x on the site here. It is supposed to be a faithful replica of Aurora VB in a .NET language.
Title: Re: Aurora C# Code Protection
Post by: Steve Walmsley on November 09, 2018, 07:11:19 PM
Hi @Steve Walmsley

Question part:
sorry if I don't create a new thread for this but while we talking about code I was wondering if you are coding everything under one database as you were doing on the vb6 version or if you are doing it under different dll with saves separate from the main database?

Where it comes from:
I was just a bit concerned about performance in the long run. I mean after all this time and effort you have put into it and considering the addition of the ground units, it would be a pity to have the same performances issues after the first 50 years. I'll have no problem with the eventual waiting time once we are 500 or 600 years into it with 2 or 3 races. I guess we have to wait for you to keep testing it.

Reason:
For a performance point of view translate the code in .NET would have been easier, faster (1 or 2 months top job?) and probably more efficient. Now I do know and understand that when you started the main goal was for you to practice and have fun with C# and I do remember initially you weren't sure of remaking Aurora but maybe a tactical combat simulator it was 2010...wow time flies!

Conclusion:
Would you consider to release a .NET version of Aurora I? I am sure I will be super hooked with the new mechanics and also the ground units and the AIs...but still would be nice sometimes to have access to the original flavour...

C# Aurora loads everything into memory at start up into collection objects and doesn't touch the database again until you save the game. It is MUCH faster.

The C# development in its current form began in March 2016.
Title: Re: Aurora C# Code Protection
Post by: Barkhorn on November 09, 2018, 10:35:00 PM
I understand you want control over the code, but I'd just like to point out what another dev has done in a similar situation.

Dwarf Fortress is a similarly complex game made mostly by one guy, Tarn Adams.  He protects his game with licensing, not code obfuscation.  He also allows some pretty serious modding, but hasn't actually endorsed most of it.  I don't fully understand it, but DFHack is a very popular utility that allows third-party scripts to access Dwarf Fortress's RAM.  This utility allows the player to use tons of scripts that drastically improve their quality of life.  A few examples include quicker bugfixes, mouse support, even 3D graphics.

I am totally fine with it if you don't want other people toying with your code, but just know that other games with similar communities have greatly benefited from openness.
Title: Re: Aurora C# Code Protection
Post by: Panopticon on November 10, 2018, 01:43:46 AM
This topic pops up once every year or two and Steve has always been pretty clear that he doesn't care about that, it's a personal project he chooses to share, and doesn't seem to want it to be more than that, which is fine.
Title: Re: Aurora C# Code Protection
Post by: ndkid on November 10, 2018, 06:38:30 PM
C# Aurora loads everything into memory at start up into collection objects and doesn't touch the database again until you save the game. It is MUCH faster.

The C# development in its current form began in March 2016.
You might want to put in at least some sort of occasional async writeback, or else an app or computer crash after a few years of play could make someone *real* unhappy. :-)
Title: Re: Aurora C# Code Protection
Post by: alex_brunius on November 11, 2018, 03:24:59 AM
You might want to put in at least some sort of occasional async writeback, or else an app or computer crash after a few years of play could make someone *real* unhappy. :-)

Autosave have been a standard feature, or even default enabled feature of most other games that you play for a prolonged time  ::)
Title: Re: Aurora C# Code Protection
Post by: Father Tim on November 11, 2018, 02:06:38 PM
You might want to put in at least some sort of occasional async writeback, or else an app or computer crash after a few years of play could make someone *real* unhappy. :-)

Autosave have been a standard feature, or even default enabled feature of most other games that you play for a prolonged time  ::)

And the description of C# Aurora includes it, way back on page 1 of the Changelist.
Title: Re: Aurora C# Code Protection
Post by: Jovus on November 14, 2018, 08:42:07 AM
I think the best thing you could do is use a license that is as restrictive as you want it to be. This should discourage all 'good faith' mucking about while requiring minimal work or maintenance from you.

As for 'bad faith' mucking about, there's not much you could do about it, and what you could do would probably make working on your own project a bother to you. As has already been mentioned, building a checksum mechanic so you can distinguish between your release and some modded version is probably your best bet, technically.
Title: Re: Aurora C# Code Protection
Post by: TMaekler on November 14, 2018, 10:47:25 AM
On a different side of code stealing: code for an 4x isn't of that much interest to the general public - so there won't be a lot of people who could have an interest (other than maybe for "sports").

The only people I can imagine being interested would be those who do commercial 4X games - and honestly they could benefit from the planned AI routines in Aurora quite a lot :-D
Title: Re: Aurora C# Code Protection
Post by: Erik L on November 14, 2018, 12:10:49 PM
The only people I can imagine being interested would be those who do commercial 4X games - and honestly they could benefit from the planned AI routines in Aurora quite a lot :-D

Shhh. Don't tell them.
Title: Re: Aurora C# Code Protection
Post by: Puciek on November 14, 2018, 05:36:54 PM
Quote from: TMaekler link=topic=10217. msg111038#msg111038 date=1542214045
On a different side of code stealing: code for an 4x isn't of that much interest to the general public - so there won't be a lot of people who could have an interest (other than maybe for "sports").

The only people I can imagine being interested would be those who do commercial 4X games - and honestly they could benefit from the planned AI routines in Aurora quite a lot :-D
And they would be as stupid as oculus if they decided to re-use someone else code without permission ;) https://www. irishtimes. com/business/technology/facebook-owned-oculus-hit-by-500m-judgment-over-stolen-code-1. 2960645
Title: Re: Aurora C# Code Protection
Post by: Karlito on November 15, 2018, 09:20:49 PM
Steve, it's probably not worth investing too much effort into code protection. No matter what, you won't be able to stop a lone person with knowledge and time from doing whatever they want with their own computer, and if you're worried about distribution and reuse, the correct mechanisms to use are legal ones, rather than technical ones.
Title: Re: Aurora C# Code Protection
Post by: Bughunter on November 20, 2018, 06:54:08 AM
Agree with previous posters it doesn't seem worth it. Did anyone ever try something like this with VB6 Aurora? That may give some indication if it is likely to happen with the C# version.

Someone may decompile and look at the code or at least parts of it, for their own curiosity or whatever. Would surprise me if this had not happened already.
Actually modifying it successfully raises the bar some.
And the next step, releasing and claiming as your own raises it a lot more. You have a sizable community of players here likely to spot something like that quickly and bring the wrath of the internetz on anyone trying.
Title: Re: Aurora C# Code Protection
Post by: canshow on November 20, 2018, 08:16:13 PM
Besides obfuscation you can try injecting fake code.

Additionally, you could configure it to act as malware when tampered with.
Title: Re: Aurora C# Code Protection
Post by: Whitecold on November 21, 2018, 12:49:10 AM
Besides obfuscation you can try injecting fake code.

Additionally, you could configure it to act as malware when tampered with.

That sounds like a hideous idea that will in no way inconvenience an attacker, but is highly prone to do damage to legitimate users. In fact someone might even tamper with Aurora to provide a clean version without this "feature"
Title: Re: Aurora C# Code Protection
Post by: sloanjh on November 21, 2018, 07:50:06 AM
Agree with previous posters it doesn't seem worth it. Did anyone ever try something like this with VB6 Aurora? That may give some indication if it is likely to happen with the C# version.

I was speaking with a colleague about the philosophy of "since determined and skilled attackers can do it (decompile the code), there's no sense in trying to protect code at all", which is very common in the industry.  His response was "that's equivalent to saying 'I might as well not lock my front door, since a determined burglar can always break in'".

(My understanding is) There's a fundamental difference between C# (and probably all other managed code) and VB6 or C++: the decompiled code is human readable and very close to the original source code, rather than assembly code gobbledygook (sp?).  I haven't done this myself, but for years I've heard that the output from Reflector looks just like original code.  One of the reasons for this is that variable and method names are built into the code because reflection depends on them, and so the information is available for a decompiler.  I think that of Steve's main concern is that people not be able to browse his source code to understand the algorithms and then either modify them or code them up themselves. 

Note that this is a different concern preventing someone from hacking code to disable a licensing system and then posting the cracked version online for non-paying people to use (e.g. for games) - Aurora is free and openly downloadable, so unlike games there's no incentive/harm here.  In this case, the philosophy of "assume someone somewhere will be able to crack it" is valid.  In Steve's case, I think he would benefit from moderate efforts to keep the equivalent of a script kiddy from reading his source code.

With this in mind, I would recommend two things to Steve:
1)  At the very least, run the released product through an obfuscation tool.  This raises the bar of understanding for someone who's e.g. using Reflector.  If he can find a free or cheap encryption tool, that would be even better.  So if anyone knows of such tools, I'm sure he'd appreciate hearing about them.
2)  Create a EULA that specifically forbids reverse engineering (and disclaims warranties and all that other good stuff).  One problem with copyright protection is that if someone understands your algorithms and recodes them in their own words, you're not protected.  But if you tell people not to decompile your DLLs/exes (which you also have protection over), then that (legally) prevents them from running the decompiler to be able to understand your algorithms.  I'm not a lawyer, so all of the above is just my understanding - it might be worth it for Steve to ask a professional about the pros and cons of a EULA - this could be one of the places where putting something out that's poorly worded is worse than saying nothing at all.  A simple "reverse engineering prohibited" statement might be better.

Both of the above should be low cost/low risk for Steve, and have a good chance of knocking out a large fraction of non-expert curious people.  A different way of saying it is that the higher you make the bar/effort to decompile, the harder it is for well-intentioned people to rationalize that they aren't doing harm to Steve by reverse engineering his code.

John
Title: Re: Aurora C# Code Protection
Post by: canshow on November 21, 2018, 02:06:56 PM
Besides obfuscation you can try injecting fake code.

Additionally, you could configure it to act as malware when tampered with.

That sounds like a hideous idea that will in no way inconvenience an attacker, but is highly prone to do damage to legitimate users. In fact someone might even tamper with Aurora to provide a clean version without this "feature"
It would not need to act in a way to harm the user but thank you for your opinion.
Title: Re: Aurora C# Code Protection
Post by: Gyrfalcon on November 21, 2018, 03:36:30 PM
Malware: software which is specifically designed to disrupt, damage, or gain authorized access to a computer system.

Maybe you meant something entirely different and used the wrong word? Because malware is harmful to the user by definition.
Title: Re: Aurora C# Code Protection
Post by: Barkhorn on November 21, 2018, 05:29:27 PM
Malware: software which is specifically designed to disrupt, damage, or gain authorized access to a computer system.

Maybe you meant something entirely different and used the wrong word? Because malware is harmful to the user by definition.
I think he's saying Steve should add code that does nothing on a legitimate install, but acts like malware on a reverse engineered install.

Kinda like how the piracy prevention worked in Red Alert 2; if you played on a pirated copy, after 30 seconds, all your units would explode.
Title: Re: Aurora C# Code Protection
Post by: Person012345 on November 21, 2018, 06:00:03 PM
Malware: software which is specifically designed to disrupt, damage, or gain authorized access to a computer system.

Maybe you meant something entirely different and used the wrong word? Because malware is harmful to the user by definition.
I think he's saying Steve should add code that does nothing on a legitimate install, but acts like malware on a reverse engineered install.

Kinda like how the piracy prevention worked in Red Alert 2; if you played on a pirated copy, after 30 seconds, all your units would explode.
This would be highly illegal and unethical. Your Red Alert 2 example isn't malware, it's code within the game that modifies how the game behaves and does nothing to the user's system.
Title: Re: Aurora C# Code Protection
Post by: canshow on November 21, 2018, 07:50:46 PM
It's the closest definition to what I am thinking of.

Malware: software which is specifically designed to disrupt, damage, or gain authorized access to a computer system.

Maybe you meant something entirely different and used the wrong word? Because malware is harmful to the user by definition.
I think he's saying Steve should add code that does nothing on a legitimate install, but acts like malware on a reverse engineered install.

Kinda like how the piracy prevention worked in Red Alert 2; if you played on a pirated copy, after 30 seconds, all your units would explode.
This would be highly illegal and unethical.
By US law malware is only illegal if activated without consent. That's where the ToS come in- it is basically the developers protection for messing with things that can be considered intrusive. There are definitely some "moral bounds" associated with it but it would have to be extreme in order for a court to throw away the ToS.
Title: Re: Aurora C# Code Protection
Post by: Korsar13 on November 21, 2018, 11:35:22 PM
Quote from: canshow link=topic=10217. msg111109#msg111109 date=1542766573
Additionally, you could configure it to act as malware when tampered with. 

two words: FALSE POSITIVE
Title: Re: Aurora C# Code Protection
Post by: Person012345 on November 22, 2018, 02:06:08 AM
By US law malware is only illegal if activated without consent. That's where the ToS come in- it is basically the developers protection for messing with things that can be considered intrusive. There are definitely some "moral bounds" associated with it but it would have to be extreme in order for a court to throw away the ToS.
Are you proposing a popup saying "I see you're trying to modify Aurora. Would you like to activate malware?". You'd be on shakey legal ground as far as just slapping a ToS saying "if you try to modify aurora you consent to me trashing your PC". I have to say I have serious doubts such a thing would stand up in court.
Title: Re: Aurora C# Code Protection
Post by: Garfunkel on November 22, 2018, 09:25:03 AM
This is getting pretty silly  :o

Terms of Use and Terms of Service are not actually legally enforceable in the EU if they are in conflict with any EU law or regulation, or the national laws or regulations of member countries. Nor do they provide any sort of safe haven from customer protection standards and such. Many EU member countries have passed laws regulating Terms of Use and Terms of Service. While companies are free to write whatever they want in them, customers can generally violate them freely without consequences and they do not offer any special protection to the companies in question. Same goes for End User Licence Agreements. They are not 100% airtight in the US either.

https://www.blakemorgan.co.uk/news-events/news/consumer-rights-act-2015-change-consumer-contracts/ (https://www.blakemorgan.co.uk/news-events/news/consumer-rights-act-2015-change-consumer-contracts/)
Quote
An unfair consumer notice is not binding on the consumer – we look at what an unfair notice is below.
There are many examples available, basically proving that you cannot claim freedom for unethical or unfair acts in your EULA/TOS/TOU and have a get out of jail free card.

https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing (https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing)
Quote
Good news: another federal judge has ruled that violating a website terms of service is not a crime. But there's bad news, too — the court also found that bypassing technical or code-based barriers intended to limit access to or uses of a website may violate California's computer crime law.
Websites, and by extension software companies, cannot legally enforce terms of service against their users.

https://www.lexology.com/library/detail.aspx?g=d1ff4369-afcc-4879-97fa-7a8afd8b3380 (https://www.lexology.com/library/detail.aspx?g=d1ff4369-afcc-4879-97fa-7a8afd8b3380)
Quote
This decision does not mean only that software developers cannot prevent second hand sales of their software by their European licensees. It means software licence agreements and all their terms and conditions (not just the one prohibiting transfer) can be ignored by European courts if the licence period is indefinite, and probably even if it is tied to the lengthy period of copyright ­­­in Europe - 70 years after death of last surviving programmer.
Unfair or unethical restrictions written in licenses, especially if they go against previous customs, are illegal. In that case, a corporation tried to prevent second-hand sales of their software and failed. Similar cases have been tried, with the same outcome, for second-hand video-game sales as well.

So please do not even think that you could put anything remotely malware-like in a program, write in the EULA/TOS/TOU something about it and call it a day. You will be sued and you will lose.
Title: Re: Aurora C# Code Protection
Post by: canshow on November 22, 2018, 09:02:10 PM
This is getting pretty silly  :o

Terms of Use and Terms of Service are not actually legally enforceable in the EU if they are in conflict with any EU law or regulation, or the national laws or regulations of member countries. Nor do they provide any sort of safe haven from customer protection standards and such. Many EU member countries have passed laws regulating Terms of Use and Terms of Service. While companies are free to write whatever they want in them, customers can generally violate them freely without consequences and they do not offer any special protection to the companies in question. Same goes for End User Licence Agreements. They are not 100% airtight in the US either.

https://www.blakemorgan.co.uk/news-events/news/consumer-rights-act-2015-change-consumer-contracts/ (https://www.blakemorgan.co.uk/news-events/news/consumer-rights-act-2015-change-consumer-contracts/)
Quote
An unfair consumer notice is not binding on the consumer – we look at what an unfair notice is below.
There are many examples available, basically proving that you cannot claim freedom for unethical or unfair acts in your EULA/TOS/TOU and have a get out of jail free card.

https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing (https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing)
Quote
Good news: another federal judge has ruled that violating a website terms of service is not a crime. But there's bad news, too — the court also found that bypassing technical or code-based barriers intended to limit access to or uses of a website may violate California's computer crime law.
Websites, and by extension software companies, cannot legally enforce terms of service against their users.

https://www.lexology.com/library/detail.aspx?g=d1ff4369-afcc-4879-97fa-7a8afd8b3380 (https://www.lexology.com/library/detail.aspx?g=d1ff4369-afcc-4879-97fa-7a8afd8b3380)
Quote
This decision does not mean only that software developers cannot prevent second hand sales of their software by their European licensees. It means software licence agreements and all their terms and conditions (not just the one prohibiting transfer) can be ignored by European courts if the licence period is indefinite, and probably even if it is tied to the lengthy period of copyright ­­­in Europe - 70 years after death of last surviving programmer.
Unfair or unethical restrictions written in licenses, especially if they go against previous customs, are illegal. In that case, a corporation tried to prevent second-hand sales of their software and failed. Similar cases have been tried, with the same outcome, for second-hand video-game sales as well.

So please do not even think that you could put anything remotely malware-like in a program, write in the EULA/TOS/TOU something about it and call it a day. You will be sued and you will lose.
Thanks for educating me on the topic.
Title: Re: Aurora C# Code Protection
Post by: Retropunch on November 23, 2018, 02:41:38 PM
Having worked on a lot of relatively sensitive software projects in the past, it's impossible to stop regardless of what you do and C# is one of those languages which is pretty easy to mess about with (relatively speaking). 

My suggestions would be:

At that point, I think you've done everything you can - anything else is overkill. If a determined user wants to mess about with it on their own then that's fine/unavoidable (as it should be really) but it won't become something that is commonly used or distributed as I'm sure most people will accept your wishes.

My only, very humble request (and something that I think would pacify a lot of people who want to tinker) is that you lift the ban if you decide to abandon development completely. I'm always in favour of developers releasing source code if they're completely abandoning a project, but it's asking a lot. Just something to think about.
Title: Re: Aurora C# Code Protection
Post by: Father Tim on November 24, 2018, 02:07:49 AM
I would strongly recommend:

4.  -Include a checksum so you (Steve) can tell if a particular bug report / databse is running modified code.
Title: Re: Aurora C# Code Protection
Post by: Alucard on November 28, 2018, 03:48:28 AM
If you just don't want other people modifing your code, I can understand that and as was mentioned, you can use custom loader and some obfuscation techniques but there is a limit to what they can do.    One thing I should mention is there is a version of SQLite that supports encryption, so you can protect your database that way.    You can find one such version (one I used and works great) here: https://github.   com/utelle/wxsqlite3/tree/master/sqlite3secure

But if you are really just worried about bug reports and nothing else, then I recommend you include checksums as mentioned above + release two versions of the game.    Aurora C# that would be the original version released by you and Some other name, that would be version meant for modding.    You could even make it opensource if you want or not if you don't.    Because it would have different name and presented as different game, it should be much easier to distinguish which bug reports you should handle and which should be redirected to the community.   

Of course, this is purely a suggestion related to the bugs.   I don't think you owe us anything, not even an explanation and should allow or disallow modifications as you see fit and feel like.   
Title: Re: Aurora C# Code Protection
Post by: Myvar on November 29, 2018, 02:48:56 AM
Quote from: Alucard link=topic=10217. msg111217#msg111217 date=1543398508
If you just don't want other people modifing your code, I can understand that and as was mentioned, you can use custom loader and some obfuscation techniques but there is a limit to what they can do.     One thing I should mention is there is a version of SQLite that supports encryption, so you can protect your database that way.     You can find one such version (one I used and works great) here: https://github.    com/utelle/wxsqlite3/tree/master/sqlite3secure

But if you are really just worried about bug reports and nothing else, then I recommend you include checksums as mentioned above + release two versions of the game.     Aurora C# that would be the original version released by you and Some other name, that would be version meant for modding.     You could even make it opensource if you want or not if you don't.     Because it would have different name and presented as different game, it should be much easier to distinguish which bug reports you should handle and which should be redirected to the community.   

Of course, this is purely a suggestion related to the bugs.    I don't think you owe us anything, not even an explanation and should allow or disallow modifications as you see fit and feel like. 

This is true, Its a hobby, not a company your not obligated to anything(Bug reports, updates, etc), if you made a version of aurora that your ok with modding, then the modders will understand that that thay cant expect help or fixes from your end and that thay are on there own.  There is nothing wrong with this attitude.
Title: Re: Aurora C# Code Protection
Post by: Seolferwulf on November 29, 2018, 04:58:24 AM
Steve already said he doesn't want people accessing his code at all since that would give them the opportunity to copy his code.
Having your code you put effort in used by others to make money is really unpleasant.

That said is it possible to write modding hooks without giving people access to the source code?
Title: Re: Aurora C# Code Protection
Post by: Myvar on November 29, 2018, 05:06:06 AM
Quote from: Seolferwulf link=topic=10217. msg111222#msg111222 date=1543489104
Steve already said he doesn't want people accessing his code at all since that would give them the opportunity to copy his code.
Having your code you put effort in used by others to make money is really unpleasant.

That said is it possible to write modding hooks without giving people access to the source code?

Yes it it totally 100% possible to mod a . net assembly with out accessing the source code.
Title: Re: Aurora C# Code Protection
Post by: Myvar on November 29, 2018, 06:28:49 AM
Thinking about it, i might make more sense to have build in modding loading support(that is official), it should not be hard to implement, or take very long to do.   

The advantage is that modders will have no reason to try, inject stuff into it, and if thay add the mod using official means the bug reporting, can easily reflect that there are mods installed, and state so in the bug report, and it would permit steve to have more control over what mods do in the game.   This way there is no need to mess with decompiling/deobfuscation/crack/etc the official game. 
Title: Re: Aurora C# Code Protection
Post by: Alucard on November 29, 2018, 08:51:39 AM
Quote from: Myvar link=topic=10217.    msg111224#msg111224 date=1543494529
Thinking about it, i might make more sense to have build in modding loading support(that is official), it should not be hard to implement, or take very long to do.       

Speaking from experience, doing a good modding support is a lot harder than it seems.     It may be simple to support one mod but once the modding framework has to manage interactions between mods, it quickly becomes a nightmare.     That is why I never suggested it.     It also requires quite a different skill set, that Steave may or may not have.  Also Steave is likely not passionate about making modding support available, as it is of little use to him, so asking him to work on it does not seem right.  That is why I secretly hope it will one day be open-sourced, so others can work on modding support.

As for people stealing his code, copyright laws are ridiculously over-powered these days.    It seems unlikely anyone would steal more than few lines of his code and made any substantial amount of money from it (if he releases under a GPL-style license).   People would likely at most copy some general purpose functions, as that is not something anyone guards. 
Title: Re: Aurora C# Code Protection
Post by: Retropunch on December 06, 2018, 04:05:05 PM
I'd completely agree with a checksum - I'd also add that putting a bug report button in the program itself may help; it could automatically deliver the checksum (as well as any other variables you wanted it to pass) and save a lot of hassle.


There already is decent enough mod support built in (or there was) in terms of naming/flags/colours etc. The thing most people want to do in terms of modding is play as their own race/kingdom against other preset ones (Stargate/Star Wars/Trek etc.) - as such I don't think there's any need to cover anything else which would be a lot more work.
Title: Re: Aurora C# Code Protection
Post by: Alucard on December 09, 2018, 04:01:54 PM
Quote from: Retropunch link=topic=10217. msg111281#msg111281 date=1544133905
There already is decent enough mod support built in (or there was) in terms of naming/flags/colours etc.  The thing most people want to do in terms of modding is play as their own race/kingdom against other preset ones (Stargate/Star Wars/Trek etc. ) - as such I don't think there's any need to cover anything else which would be a lot more work.

There are many different types of mods, that could be made, if there is source or at least no protection against injection. 
One type I can imagine being popular is a mod, that would bring the game mechanics to correspond closer to some fictional universe. For example Battlestar Galactica mod making point defense for large ships next to useless while making missile interception by fighters much easier + making missiles much more expensive.  It could also add sort of fleet persuit similar to the show and maybe change hangars and on-board production modules.
Title: Re: Aurora C# Code Protection
Post by: ab9rf on January 18, 2019, 01:58:36 PM
Quote from: Barkhorn link=topic=10217. msg110990#msg110990 date=1541824500
I understand you want control over the code, but I'd just like to point out what another dev has done in a similar situation.

Dwarf Fortress is a similarly complex game made mostly by one guy, Tarn Adams.   He protects his game with licensing, not code obfuscation.   He also allows some pretty serious modding, but hasn't actually endorsed most of it.   I don't fully understand it, but DFHack is a very popular utility that allows third-party scripts to access Dwarf Fortress's RAM.   This utility allows the player to use tons of scripts that drastically improve their quality of life.   A few examples include quicker bugfixes, mouse support, even 3D graphics.

I am totally fine with it if you don't want other people toying with your code, but just know that other games with similar communities have greatly benefited from openness.
I'm a minor participant in the DFHack project.  Dwarf Fortress is in C++, which makes it much harder to decompile than something written in C#.  Tarn takes no specific steps to obfuscate his code because he doesn't have to: it's compiled to native machine code, and with modern compilers, that makes it essentially fully obfuscated by default.  We can't even reliably identify classes that don't have virtual methods.  Even identifying function boundaries in the compiled machine code is challenging, due to inlining.  Despite all that, DFHack exists.  Tarn seems to tolerate us fairly well.  We've done a lot to help with this by being persistently respectful of his efforts and by providing useful feedback about the bugs we find in the course of our explorations.

C# code (when compiled to the CIL, at least, which is the default) is frankly trivial to decompile.  About all you can do is obfuscate variable names.  With baseline obfuscation, all (or essentially all) of the classes and methods you define in your source will be recoverable from the compiled code; all that will be lost is the names you gave them (and possibly also any code the compiler has identified as dead).  This is, essentially, the same obfuscation that Mojang uses to obfuscate Minecraft.  The thousands of mods that exist for Minecraft should tell you how successful that has been. 
Some of the . NET obfuscators do things to your code that make it harder to decompile (with varying degrees of success), but also make it slower.  But all of these methods are reversible, and frankly none of them is more difficult to reverse than the "obfuscation" that compiling C++ to machine language does.

It is essentially impossible to stop people from modding a managed . NET executable.  However, at the same time, it's unlikely that the people who do such modding will be dicks about it.  However, the fact that decompiling C# is much easier than decompiling C++ does suggest that the probability of at least one asshole modder popping up is somewhat higher than it is for the C++ case exemplified by Dwarf Fortress.
Title: Re: Aurora C# Code Protection
Post by: Whitecold on January 19, 2019, 10:55:04 AM
Quote from: Barkhorn link=topic=10217. msg110990#msg110990 date=1541824500
I understand you want control over the code, but I'd just like to point out what another dev has done in a similar situation.

Dwarf Fortress is a similarly complex game made mostly by one guy, Tarn Adams.   He protects his game with licensing, not code obfuscation.   He also allows some pretty serious modding, but hasn't actually endorsed most of it.   I don't fully understand it, but DFHack is a very popular utility that allows third-party scripts to access Dwarf Fortress's RAM.   This utility allows the player to use tons of scripts that drastically improve their quality of life.   A few examples include quicker bugfixes, mouse support, even 3D graphics.

I am totally fine with it if you don't want other people toying with your code, but just know that other games with similar communities have greatly benefited from openness.
I'm a minor participant in the DFHack project.  Dwarf Fortress is in C++, which makes it much harder to decompile than something written in C#.  Tarn takes no specific steps to obfuscate his code because he doesn't have to: it's compiled to native machine code, and with modern compilers, that makes it essentially fully obfuscated by default.  We can't even reliably identify classes that don't have virtual methods.  Even identifying function boundaries in the compiled machine code is challenging, due to inlining.  Despite all that, DFHack exists.  Tarn seems to tolerate us fairly well.  We've done a lot to help with this by being persistently respectful of his efforts and by providing useful feedback about the bugs we find in the course of our explorations.

C# code (when compiled to the CIL, at least, which is the default) is frankly trivial to decompile.  About all you can do is obfuscate variable names.  With baseline obfuscation, all (or essentially all) of the classes and methods you define in your source will be recoverable from the compiled code; all that will be lost is the names you gave them (and possibly also any code the compiler has identified as dead).  This is, essentially, the same obfuscation that Mojang uses to obfuscate Minecraft.  The thousands of mods that exist for Minecraft should tell you how successful that has been. 
Some of the . NET obfuscators do things to your code that make it harder to decompile (with varying degrees of success), but also make it slower.  But all of these methods are reversible, and frankly none of them is more difficult to reverse than the "obfuscation" that compiling C++ to machine language does.

It is essentially impossible to stop people from modding a managed . NET executable.  However, at the same time, it's unlikely that the people who do such modding will be dicks about it.  However, the fact that decompiling C# is much easier than decompiling C++ does suggest that the probability of at least one asshole modder popping up is somewhat higher than it is for the C++ case exemplified by Dwarf Fortress.

DFhack is a wonderful project making Dwarf Fortress much more user friendly with some of the management tools that make you forget that it is not actually part of vanilla. But DFhack is insofar officially endorsed as it has its own section on the forums. Without the forum and mentions on the wiki, I doubt many people would even know about it.
So as far as the problem of bug reports caused by mods go it should be sufficient to just not offer any platform. It tends to be the people that downloaded a mod, installed it and it does a weird thing that come running back claiming a bug. If you do any modding work yourself, you know very well any bug is most likely created by yourself.
Title: Re: Aurora C# Code Protection
Post by: MarcAFK on February 13, 2019, 08:07:24 PM
In the case of DFhack there is a significant amount of people who probably wouldn't be able to play without the extra tools it provides, specifically I'm talking about therapist, which is bundled with DF hack these days if I'm not mistaken.
Title: Re: Aurora C# Code Protection
Post by: tobijon on February 14, 2019, 05:31:50 AM
In the case of DFhack there is a significant amount of people who probably wouldn't be able to play without the extra tools it provides, specifically I'm talking about therapist, which is bundled with DF hack these days if I'm not mistaken.

no you can get therapist separately, I never actually use hack but I do use therapist
Title: Re: Aurora C# Code Protection
Post by: Garfunkel on February 14, 2019, 11:27:10 AM
There are packs that bundle both together and make installing and setting them up easy, but they are also available separately.
Title: Re: Aurora C# Code Protection
Post by: QuakeIV on February 15, 2019, 03:21:32 PM
Therapist is built on top of the DFHack teams memory maps, you are arguably using a DFHack plugin by using therapist.
Title: Re: Aurora C# Code Protection
Post by: HavingPhun on February 16, 2019, 12:16:27 PM
I wonder if using a tool which compiles your c# to machine code directly instead of IL would help? Looks like . NET Native can do that for you.  Might be the case that there's still a lot of info left behind for use with reflection, but still, it's an option that you could look into.  I'd imagine it would at least increase the barrier of entry for people trying to reverse the game.  Instead of being able to use an off the shelf deobfuscator and IL decompiler.  Anyone have experience with . NET native?
Title: Re: Aurora C# Code Protection
Post by: Steve Walmsley on February 16, 2019, 03:22:49 PM
I wonder if using a tool which compiles your c# to machine code directly instead of IL would help? Looks like . NET Native can do that for you.  Might be the case that there's still a lot of info left behind for use with reflection, but still, it's an option that you could look into.  I'd imagine it would at least increase the barrier of entry for people trying to reverse the game.  Instead of being able to use an off the shelf deobfuscator and IL decompiler.  Anyone have experience with . NET native?

Thanks - I will take a look.
Title: Re: Aurora C# Code Protection
Post by: Myvar on February 17, 2019, 12:16:28 AM
I have played around with . net native, and it only helps out the JIT by pre compiling some of the bootstrap code to AOT, so it will not help, granted last time i tried it was years a go so things might be different, now a days.
Title: Re: Aurora C# Code Protection
Post by: TinkerPox on March 07, 2019, 10:12:33 AM
Hey Ghidra was just released, which allows decompilation/disassembly to reveal, then analyze source code. 
Title: Re: Aurora C# Code Protection
Post by: TMaekler on March 08, 2019, 03:45:57 AM
Hey Ghidra was just released, which allows decompilation/disassembly to reveal, then analyze source code.
Wow. Looks like good bye to keeping your code to yourself, I guess... .
Title: Re: Aurora C# Code Protection
Post by: Scandinavian on March 08, 2019, 05:41:41 AM
You can still make them work a little for it by running your code through an obfuscator that strips out all the comments, indentation, and other superfluous characters, and renames all the variables to VARIABLE[running number]. A decompiler may be able to correctly reconstruct the original code, but for a program of any real size it would still be unreadable gibberish.
Title: Re: Aurora C# Code Protection
Post by: MarcAFK on March 08, 2019, 07:18:08 AM
You underestimate the capability of anyone with enough skill and determination, hell people program in machine code. Even I can use memory trainers for modding console games running on an emulator and thats basically just brute forcing numbers and seeing what breaks and what doesn't :s.
I'm no coder though :/
Title: Re: Aurora C# Code Protection
Post by: Madrawn on April 06, 2019, 06:06:37 PM
I understand that you want to keep your hard work to yourself and I get that a hacked/modded game will produce completely useless bug reports. 

But lets be honest, this is the internet, the second you release the binary there will be some lurker decompiling the code to mod in pink laser resilient hair that grows on ships as long they're watered in orbit of planet with water, or whatever.  And he'll probably share it with his pink hair loving friends.  I just don't see how that affects you negatively in any way and therefore justifies any time put into security measures.  Legally you should be on pretty solid ground, if someone distributes your code you have the power to have them shutdown.  But if you do, the only effect that will have is that no one will show you the mods they made.

I'm not sure if this whole line of thinking is that healthy.  The people most likely to mod your source code are the people who love the game, who want to add features they want while playing, just like you already do.  The devs over at Dwarf Fortress seem to be in a very similar situation and they just ignore it for the most part, they say they never touch the mods and they won't read bug reports from modded versions.  The lack of security measures doesn't look like its hurting them.  In contrary, there are a plethora of tools to make the game more accessible for people.  There are graphics packs, 3D visualizers, data visualizers, templates and other automation tweaks.  By doing nothing more than tolerating the behavior, I feel, the community of Dwarf Fortress became so much richer.

I mean, in the end this is your project and if in 2 years someone puts out a memory access library it is completely in your right to have them take it down.  That will at least limit it's spread.  But I would urge you to at least consider if such an action is actually worth your time.
Title: Re: Aurora C# Code Protection
Post by: ReviewDude01 on April 10, 2019, 04:12:12 PM
I actually posted some post in forums about this but I just wanted to remind you that I actually accidentally modded original Aurora (not C# one) simply by finding password from your access database on google.  (rly)

I never told this password to anyone but from what I learned from modding older Aurora (not this one) is that it is basically easier to code a new game than to try to mod a game such complex as this and hope that there are no bugs.  (Im not trying to hack/mod Aurora atm.  or in future)

So any person that is going to waste time with this is just, well, mostly wasting time.  Happy bug hunting.  Just my 2 cents.

Very Off topic: But, you should at least maybe consider adding at least some limited mod support to some people you know/aurora veterans and maybe consider adding some form of background (instead of blue colors).  Plus adding anti missile countermeasures (decoys), Holo Ship (false radar signatures), and some forms of combined armor (star ruler 2) + Making(taking) some form of procedural space background for example SPACE for Unity - Space Scene Construction *** and taking pictures of it with printscreen + a turn on/off button (blue background or pictures)

Title: Re: Aurora C# Code Protection
Post by: Profugo Barbatus on April 10, 2019, 04:35:55 PM
Database edits are very different from actual code modification. Making something happen with just database edits is quite difficult as its very limited in what the code does with the database, and when.

This is about protecting the Executable itself. C#, without any additional protections, is fairly easy to pop open and read right through, barring a few compiler optimizations here and there. Combine that with existing, free libraries like Harmony who's entire purpose is injecting code into these sorts of things dynamically, and you can, in theory, make it sing and dance whatever tune you want without a great deal of trouble.
Title: Re: Aurora C# Code Protection
Post by: ReviewDude01 on April 12, 2019, 03:08:05 PM
I do not know if this is good idea but: (this would still not prevent code stealing, but should delay C# cracking and code injecting significantly, preferably also with other methods mentioned here)

Writing a part of the code in different programming language (c++) that simply periodically (every 1 minute or so) checks exact filesize of some of the main C# files running of Aurora (compiled)?
If exact filesize is different or other condition is not met then Aurora quits.


Title: Re: Aurora C# Code Protection
Post by: littleWolf on April 13, 2019, 07:02:57 AM
If Steve no plaing commercialize Aurora, maybe simple make C# Aurora (or old  VB6 Aurora) as OpenSource Project?   
Title: Re: Aurora C# Code Protection
Post by: Bughunter on April 13, 2019, 03:49:36 PM
He already said he is not interested in open-sourcing it, doesn't want to become a community manager etc. I can see both pros/cons, but that's a different topic.
Title: Re: Aurora C# Code Protection
Post by: HavingPhun on April 19, 2019, 03:37:15 PM
Quote from: TMaekler link=topic=10217. msg113068#msg113068 date=1552038357
Quote from: TinkerPox link=topic=10217. msg113063#msg113063 date=1551975153
Hey Ghidra was just released, which allows decompilation/disassembly to reveal, then analyze source code. 
Wow.  Looks like good bye to keeping your code to yourself, I guess. . .  .
It's not really that dire.  Tools like Ghidra have been available for a long time now, it's just that the most competitive one, IDA, has had a solid grip on the market for some time.  IDA Freeware has been available, which has very good disassembly, but limits you on more exotic processor architectures and has no decompilation.  The paid version with the decompiler is 5K+ USD (I don't remember the exact number), only because there was no competitor who could challenge them on that.  The benefit of Ghidra is that now people can get many of the features of IDA Pro but it's completely free and open source, and the community can improve it.  It's not really bringing any tools that didn't exist before into existence.

You also have to consider that, at least for fully ahead of time compiled languages like c++, much of the information in source is lost discarded during compilation, so even with a good decompiler you'll end up with a jumbled mess of code that'll need someone skilled to spend some time discerning what it does and cleaning it up.  For something like C# there is much more information in a binary, and without an obfuscator you can get really nice decompiled code with free tools that existed before Ghidra.  Using an Obfuscator or maybe figuring out a way to completely ahead of time compile the game before releasing it would probably be the best defense against reverse engineering from what I understand.  Of course it won't stop the most determined of people, but it'll raise the bar on skill needed to do so and make it much more time consuming.
Title: Re: Aurora C# Code Protection
Post by: Erik L on April 19, 2019, 04:25:22 PM
If Steve no plaing commercialize Aurora, maybe simple make C# Aurora (or old  VB6 Aurora) as OpenSource Project?

In the past Steve has not been averse to people recreating Aurora. See Pulsar and Quasar.
Title: Re: Aurora C# Code Protection
Post by: Bughunter on April 21, 2019, 08:02:52 AM
Never tried using it, but I noticed Visual Studio 2019 comes with a built in obfuscator.
Title: Re: Aurora C# Code Protection
Post by: rhiwaow on June 07, 2019, 01:49:32 PM
i just saw a presentation on youtube about counters to reverse engineering: https://www. youtube. com/watch?v=HlUe0TUHOIc

i don't know how performance will hold up, but there's now at least a c compiler that only uses mov instructions (as that's turing complete); the presentation also covers other techniques to make someone give up reverse engineering your code
Title: Re: Aurora C# Code Protection
Post by: Steve Walmsley on June 08, 2019, 05:45:37 AM
i just saw a presentation on youtube about counters to reverse engineering: https://www. youtube. com/watch?v=HlUe0TUHOIc

i don't know how performance will hold up, but there's now at least a c compiler that only uses mov instructions (as that's turing complete); the presentation also covers other techniques to make someone give up reverse engineering your code

Thanks, I'll take a look.
Title: Re: Aurora C# Code Protection
Post by: theoderic on June 10, 2019, 02:43:06 PM
One problem I've noticed with games who are "impossible to reverse-engineer" is that they tend to produce lots of undesirable side-effects.   For example; STALKER (entire series) by GSC GameWorld was said to be copy-proof due to adding "bugs" in the physics engine if the game wasn't DRM proof.   But that eventually just turned out to make the game explode in the hands of most casual users instead. 

This thread is counter-intuitively a pretty good starting point if anyone would want to hack aurora to begin with.   
Title: Re: Aurora C# Code Protection
Post by: theoderic on June 10, 2019, 02:58:07 PM
By the way Steve you might want to look into DRM for Aurora since I assume you're really interested in making sure that the game won't be tampered with or have code stolen?

Steam Release when??