Author Topic: Aurora C# Code Protection  (Read 22759 times)

0 Members and 1 Guest are viewing this topic.

Offline Steve Walmsley (OP)

  • Moderator
  • Star Marshal
  • *****
  • S
  • Posts: 11649
  • Thanked: 20349 times
Aurora C# Code Protection
« on: November 07, 2018, 03:14:13 AM »
I received the following personal message today:

Hi i am a programmer and i Live C#, been my favorite language for 8 years now,
Im hopping to write a modkit(open source, for any other codes to use) for Aurora C# when it comes out, to this i will Use Mono. Cecil to reweave the . net assembly so i can easily override/hook into any Method,
And all the rest will be done using  System. Reflections, as such i don't need your co-operation, to make it happen.

But i would respect your project, and ask if you are ok with this?
(I know aurora C# release is a long ways away but i thought i might ask so long)

My Thinking for why i want to write the modkit:
Your project is closed source(total cool i understand), but this makes it so that other developers cant help fix bug/expand the game etc.
And it would bring a lot to the table, now i don't expect you to add mod-ing support, but because its C# running in Cil Jit i can easily manipulate/Inject etc,
what ever i want into the Assembly, so i can do it my self, because writing a Hook Inject is a lot of work and not the easiest thing in the world, i want to write a kit,
that any program can very very easily use with a nice api ontop to create mods for aurora, that way more things can be added to the game bug can be fixed etc,
with out needing to access the source code of the game.


I have been previously warned about the vulnerability of C# to decompilation and had planned to take steps such as code obfuscation to limit the damage. However, there are a lot of smart people on the forum so I would welcome advice on how to avoid the above.

Aurora is a hobby for me, rather than any sort of commercial application. In fact, it is a game I write for me to play that I also happen to make available to others. To be brutally honest, the former is more important to me than the latter.

I have always expressed my view that it is closed source and I want to maintain control over the code. I would rather not release it than see the chaos caused by a plethora of modified versions. Bug reporting would be a complete nightmare and I really don't want anyone taking advantage of my work in other ways (taking the code and releasing as their own modified commercial game for example).

I responded to the above message and expressed my strong opinion that I would not be happy about it. However, if anyone has recommendations on how to protect my work, they would be very welcome.
 
The following users thanked this post: Viridia

Offline Panopticon

  • Gold Supporter
  • Rear Admiral
  • *****
  • P
  • Posts: 883
  • Thanked: 37 times
  • Gold Supporter Gold Supporter : Support the forums with a Gold subscription
    2021 Supporter 2021 Supporter : Donate for 2021
    2022 Supporter 2022 Supporter : Donate for 2022
    2023 Supporter 2023 Supporter : Donate for 2023
Re: Aurora C# Code Protection
« Reply #1 on: November 07, 2018, 05:00:21 AM »
It may be a language barrier, but this guy sounds like a dick and I am not entirely certain he can do all he claims to do without more access to the source code than the methods he described can give him. Probably an break the program pretty good though.

That said I think if someone wants to crack Aurora C# and are determined enough they are gonna be able to do it, Here's a decent thread on Stack Overflow for making it harder though. https://stackoverflow.com/questions/506282/protect-net-code-from-reverse-engineering/506301#506301


 

Offline Froggiest1982

  • Gold Supporter
  • Vice Admiral
  • *****
  • F
  • Posts: 1331
  • Thanked: 589 times
  • Gold Supporter Gold Supporter : Support the forums with a Gold subscription
    2021 Supporter 2021 Supporter : Donate for 2021
    2022 Supporter 2022 Supporter : Donate for 2022
    2023 Supporter 2023 Supporter : Donate for 2023
Re: Aurora C# Code Protection
« Reply #2 on: November 07, 2018, 05:19:53 AM »
Hi Steve,

I have done so many research on that for work and below are the most relative ones. The source is Stack Overflow: you can find lots there on the argument.


source Stack Overflow:
Some suggestions I have for you to help protect your application:

Obfuscate your code. Dotfuscator has a free edition and comes with Visual Studio. Eazfuscator.NET is good too.

Use public/private key or asymmetric encryption to generate your product licenses. This ensures that only you can generate your license codes. Even if your application is cracked, you can be sure that they won't be releasing a key generator for your application, because it is impossible to reverse the key generating algorithm.

Use a third-party packer to pack your .NET executable into an encrypted Win32 wrapper application. Themida is one of the better ones.

Write your own custom packer. If the third-party packers are too expensive, consider writing your own. Sometimes custom packers can be very effective because there aren't well-published methods on how to unpack them. The tutorial How to write your own packer gives a ton of good information on writing your own Win32 packer.

My thoughts
I think you should obfuscate your code and maybe spend some time writing your own packer which knowing you could be fun, also a year more or less at this stage won't change anything in terms of waiting for Aurora C#. This will make it very very hard and only somebody really motivated will go through that process. Ultimately there is only one method to do that as and if they want to crack the code with the above...well they will.
As said there's only one way to make sure that your users don't get your code: don't give them your code!

source Stack Overflow:
This can be achieved with Software as a service (SaaS), that is, you run your software on your server and only let your users access it remotely. This is the model that Stack Overflow uses, for example. I'm pretty sure that Stack Overflow doesn't obfuscate their code, yet you can't decompile it.

Consider also using:

Web Services Keep your marketable content server side and beyond the reach of your clients. They can use it, but not examine the code.

Encrypted Binaries and Online Binaries Maybe even streaming assemblies in an encrypted format to a wrapper application. Keep your decryption keys server side to prevent offline disassembly. This might be circumvented however if someone found a way of exporting the assembly from the app domain of the application, once it has loaded it. (You cannot load an encrypted binary, so an end user might wait until your application has done the work of decryption, then exploit that to export the finished binary) (I was investigating a way to accomplish this (the exporting) - I didn't quite get it working, doesn't mean someone else won't)

My thoughts
I gave up a year ago in finding an answer, so unless there is something new on the horizon I think you have to assume the worst when you put binaries on other people's system.

Offline Jorgen_CAB

  • Admiral of the Fleet
  • ***********
  • J
  • Posts: 2822
  • Thanked: 673 times
Re: Aurora C# Code Protection
« Reply #3 on: November 07, 2018, 08:58:48 AM »
It sickens me when people simply don't respect your creative wills on project like these. It's not like you sell the game or anything... it is a hobby.

The most straight forward and easy thing to do is obfuscating the code and using a license key to verify if someone is using yours or someone elses code. If your code is not used in a bug report you can just dismiss it.

Code can always be cracked if given enough time and dedication, more or less. But obfuscating it will make it pretty decently hard to do and the key will at least make sure you know that the code used is yours or not.

I hope this does not discourage you too much... I understand if it would.
 

Offline Steve Walmsley (OP)

  • Moderator
  • Star Marshal
  • *****
  • S
  • Posts: 11649
  • Thanked: 20349 times
Re: Aurora C# Code Protection
« Reply #4 on: November 07, 2018, 09:57:41 AM »
I think to be fair to the person who sent the PM, English was not their first language so I think the PM was over-enthusiasm rather than malicious intent. Even so, if not that person, it could be someone else so I need to resolve the issue.

BTW I realise I cannot completely protect the code from someone who is both skilled and very determined. I would settle for reaching the point where the majority of people would struggle and it would probably not be worth the effort for anyone who could do it.
 
The following users thanked this post: Froggiest1982

Offline Bremen

  • Commodore
  • **********
  • B
  • Posts: 743
  • Thanked: 150 times
Re: Aurora C# Code Protection
« Reply #5 on: November 07, 2018, 12:14:45 PM »
The PM seems to be asking permission, so yeah, I think people are getting the wrong first impression from it.

Unfortunately I barely know anything about C# but I hope you're able to protect your work if that's your wish.
 
The following users thanked this post: Yonder, UberWaffe

Offline clement

  • Pulsar 4x Dev
  • Sub-Lieutenant
  • *
  • c
  • Posts: 137
  • Thanked: 13 times
Re: Aurora C# Code Protection
« Reply #6 on: November 07, 2018, 12:34:26 PM »
Steve,

I have also had to deal w/ this and similar issues at work. It is very easy to remove a strong name from a DLL and extract code when "protected" via a strong name. Microsoft specifically states that strong names should not be relied on for security. They provide a unique identity only. We deal with it mostly via SaaS delivery for most of our products. However, for those we must provide as downloads for local installation, we do perform obfuscation as part of the build/deploy pipeline.

With the original person's PM appearing to be English as a second language, I agree that it could be enthusiasm but the person also combines 'respect for your wishes' with 'I can do it anyway'.

My suggestion would be include obfuscation if you want to take the time. But since this not open source, you can simply include a license file stating terms of use are not to do those things and not to reuse the code or ideas within. Obviously the person can just ignore that, but that is always the case as they stated in the message.

An additional option to allow you to easily filter bug issues is to include a hash of the primary dll in the bug report. After catching an exception, you can generate a hash of the executing assembly from the harddrive.

Code: [Select]
var assembly = typeof(GameObject).Assembly;

// object.GetHashCode() is only slightly useful, in that it should provide you a first pass test, however it is not considered a permanent value.
// The method for generating it could change from version to version of .NET
// this will not match the SHA256 hash but both of them could be used as a sort of 2 key confirmation that the bug report is valid
// if someone modifies your code, the GetHashCode() value should be different as the module manifest and lookup tables will be different inside the assembly
int runtimeHashCode = assembly.GetHashCode();
byte[] hashValue;

using (SHA256 sha = SHA256.Create())
using (FileStream fileStream = File.Open(assembly.CodeBase, FileMode.Open, FileAccess.Read))
{
     fileStream.Position = 0;
     byte[] hashValue = sha.ComputeHash(fileStream);
}

// put runtimeHashCode into the bug report
// put hashValue into the bug report
// I assume you are planning on logging exceptions out to a log file as JSON or something like that


 
The following users thanked this post: Karlito

Offline Myvar

  • Leading Rate
  • *
  • Posts: 10
  • Thanked: 17 times
Re: Aurora C# Code Protection
« Reply #7 on: November 07, 2018, 01:01:37 PM »
I wrote the pm, and reading the replies i realize that i totally miscommunicated, so here is a clarification:

1.  I was asking permission and it was not granted and there for i will not do it, im totally cool with this
2.  I had no intention of steeling, using, abusing or profiting from steves game in any way
3.  Nor did i have any intent of Cracking the game

What i wanted to do was make a mod kit, so people can use to mod there aurora, to do things like,
adding new content, adding tools and utility Forms like a tech tree for eg, etc.

as for the "as such i don't need your co-operation, to make it happen. " part, i was not trying to say i can do it any way.
What i was trying to communicate is that it would not take any of his time up, he does not have
to worry about bug reports/breaking changes etc, ie. 
i dont want to make it his problem, since he wants to keep it a hobby.

I just wanted to make it clear that i had no malicious intent, i just wanted to mod the game.
And thought i might be smart to ask permissions first.

Im sorry for the terrible miss communication.
(im Dyslexic sorry for bad spelling and grammer)

Offline Panopticon

  • Gold Supporter
  • Rear Admiral
  • *****
  • P
  • Posts: 883
  • Thanked: 37 times
  • Gold Supporter Gold Supporter : Support the forums with a Gold subscription
    2021 Supporter 2021 Supporter : Donate for 2021
    2022 Supporter 2022 Supporter : Donate for 2022
    2023 Supporter 2023 Supporter : Donate for 2023
Re: Aurora C# Code Protection
« Reply #8 on: November 07, 2018, 02:11:20 PM »
I wrote the pm, and reading the replies i realize that i totally miscommunicated, so here is a clarification:

1.  I was asking permission and it was not granted and there for i will not do it, im totally cool with this
2.  I had no intention of steeling, using, abusing or profiting from steves game in any way
3.  Nor did i have any intent of Cracking the game

What i wanted to do was make a mod kit, so people can use to mod there aurora, to do things like,
adding new content, adding tools and utility Forms like a tech tree for eg, etc.

as for the "as such i don't need your co-operation, to make it happen. " part, i was not trying to say i can do it any way.
What i was trying to communicate is that it would not take any of his time up, he does not have
to worry about bug reports/breaking changes etc, ie. 
i dont want to make it his problem, since he wants to keep it a hobby.

I just wanted to make it clear that i had no malicious intent, i just wanted to mod the game.
And thought i might be smart to ask permissions first.

Im sorry for the terrible miss communication.
(im Dyslexic sorry for bad spelling and grammer)

I apologize for saying you seemed like a dick then, that was probably more harsh of me than you deserved anyway.
 
The following users thanked this post: GeaXle

Offline Puciek

  • Able Ordinary Rate
  • P
  • Posts: 2
  • Thanked: 4 times
Re: Aurora C# Code Protection
« Reply #9 on: November 07, 2018, 08:12:15 PM »
I generally work on the other side of the bench - decompiling and analyzing code that doesn't want to be decompiled and analyzed, and to be perfectly frank the best thing you can do is add a checksum to easily validate if a bug report is coming from a pristine version and simply ignore what else people will do with your creation.   Short of few commercials, and very expensive projects, all the obfuscation/security work will only make the software more annoying to work with (either for you as having to make sure to handle all the security for each release, or for users where compatibility/performance may be hurt) and it will not require almost any skill to crack - just install and run out of the box tools.   Actually securing software is going to bring the type of crowd which will crack it for the sake of it. 
 
The following users thanked this post: Yonder, GeaXle, Spaceman Spiff, UberWaffe

Offline Vitellus

  • Able Ordinary Rate
  • V
  • Posts: 1
Re: Aurora C# Code Protection
« Reply #10 on: November 07, 2018, 11:49:15 PM »
I think the other responses have covered code protection pretty well, but it's probably worth saying that the original question wasn't really about source code modification, but about modifying the functionality of the executable in a remote execution environment.   

As such, it isn't generally about forking a product and producing an imitation, but about changing the function (or form) of the product itself as it's being run on someone else's hardware.   This could be incidental (flipped bits in non-ECC memory causing chaos, compatibility issues due to hardware/software variations, etc), more or less benign (e. g.  "community patches" that try to preserve the spirit while fixing some issue or other, or mods), or arguably benign or malicious depending on context (e. g.  cheating, or piracy, but given it's single player and not sold, malice is perhaps hard to argue).   

I don't think it's practically worth any effort beyond selecting some sort of license to protect your IP and some sort of hashing mechanism to allow you to filter out bugs that you wouldn't be able to reproduce easily.   E. g.  ensure they can't profit off your work, that you are not responsible for chaos caused, and that you don't end up debugging chaos.   

That said, for a survey of approaches to 'fixing' this, since you aren't running an online game or any servers, you are more or less limited to attempts to secure the end user environment.   There are lots of approaches, but none really apply as most boil down to a combination of verifying licenses with a central server and/or installing monitoring software on a users computer.   Success in this area probably ultimately stems more from cost-benefit ratios than anything else; e. g.  making it easier to pay for the product, difficult or risky to participate in an online community while benefiting from such techniques, or legally risky to engage in the behavior.   None of those approaches are really technological; it's practically impossible to protect your application while it's executing in someone else's environment. 
 

Offline Froggiest1982

  • Gold Supporter
  • Vice Admiral
  • *****
  • F
  • Posts: 1331
  • Thanked: 589 times
  • Gold Supporter Gold Supporter : Support the forums with a Gold subscription
    2021 Supporter 2021 Supporter : Donate for 2021
    2022 Supporter 2022 Supporter : Donate for 2022
    2023 Supporter 2023 Supporter : Donate for 2023
Re: Aurora C# Code Protection
« Reply #11 on: November 09, 2018, 03:45:52 PM »
Hi @Steve Walmsley

Question part:
sorry if I don't create a new thread for this but while we talking about code I was wondering if you are coding everything under one database as you were doing on the vb6 version or if you are doing it under different dll with saves separate from the main database?

Where it comes from:
I was just a bit concerned about performance in the long run. I mean after all this time and effort you have put into it and considering the addition of the ground units, it would be a pity to have the same performances issues after the first 50 years. I'll have no problem with the eventual waiting time once we are 500 or 600 years into it with 2 or 3 races. I guess we have to wait for you to keep testing it.

Reason:
For a performance point of view translate the code in .NET would have been easier, faster (1 or 2 months top job?) and probably more efficient. Now I do know and understand that when you started the main goal was for you to practice and have fun with C# and I do remember initially you weren't sure of remaking Aurora but maybe a tactical combat simulator it was 2010...wow time flies!

Conclusion:
Would you consider to release a .NET version of Aurora I? I am sure I will be super hooked with the new mechanics and also the ground units and the AIs...but still would be nice sometimes to have access to the original flavour...

Offline Erik L

  • Administrator
  • Admiral of the Fleet
  • *****
  • Posts: 5654
  • Thanked: 366 times
  • Forum Admin
  • Discord Username: icehawke
  • 2020 Supporter 2020 Supporter : Donate for 2020
    2022 Supporter 2022 Supporter : Donate for 2022
    Gold Supporter Gold Supporter : Support the forums with a Gold subscription
    2021 Supporter 2021 Supporter : Donate for 2021
Re: Aurora C# Code Protection
« Reply #12 on: November 09, 2018, 04:50:25 PM »
Conclusion:
Would you consider to release a .NET version of Aurora I? I am sure I will be super hooked with the new mechanics and also the ground units and the AIs...but still would be nice sometimes to have access to the original flavour...

Look at Quasar 4x on the site here. It is supposed to be a faithful replica of Aurora VB in a .NET language.
 
The following users thanked this post: Froggiest1982

Offline Steve Walmsley (OP)

  • Moderator
  • Star Marshal
  • *****
  • S
  • Posts: 11649
  • Thanked: 20349 times
Re: Aurora C# Code Protection
« Reply #13 on: November 09, 2018, 07:11:19 PM »
Hi @Steve Walmsley

Question part:
sorry if I don't create a new thread for this but while we talking about code I was wondering if you are coding everything under one database as you were doing on the vb6 version or if you are doing it under different dll with saves separate from the main database?

Where it comes from:
I was just a bit concerned about performance in the long run. I mean after all this time and effort you have put into it and considering the addition of the ground units, it would be a pity to have the same performances issues after the first 50 years. I'll have no problem with the eventual waiting time once we are 500 or 600 years into it with 2 or 3 races. I guess we have to wait for you to keep testing it.

Reason:
For a performance point of view translate the code in .NET would have been easier, faster (1 or 2 months top job?) and probably more efficient. Now I do know and understand that when you started the main goal was for you to practice and have fun with C# and I do remember initially you weren't sure of remaking Aurora but maybe a tactical combat simulator it was 2010...wow time flies!

Conclusion:
Would you consider to release a .NET version of Aurora I? I am sure I will be super hooked with the new mechanics and also the ground units and the AIs...but still would be nice sometimes to have access to the original flavour...

C# Aurora loads everything into memory at start up into collection objects and doesn't touch the database again until you save the game. It is MUCH faster.

The C# development in its current form began in March 2016.
 
The following users thanked this post: Froggiest1982

Offline Barkhorn

  • Commodore
  • **********
  • B
  • Posts: 719
  • Thanked: 133 times
Re: Aurora C# Code Protection
« Reply #14 on: November 09, 2018, 10:35:00 PM »
I understand you want control over the code, but I'd just like to point out what another dev has done in a similar situation.

Dwarf Fortress is a similarly complex game made mostly by one guy, Tarn Adams.  He protects his game with licensing, not code obfuscation.  He also allows some pretty serious modding, but hasn't actually endorsed most of it.  I don't fully understand it, but DFHack is a very popular utility that allows third-party scripts to access Dwarf Fortress's RAM.  This utility allows the player to use tons of scripts that drastically improve their quality of life.  A few examples include quicker bugfixes, mouse support, even 3D graphics.

I am totally fine with it if you don't want other people toying with your code, but just know that other games with similar communities have greatly benefited from openness.
 
The following users thanked this post: SpikeTheHobbitMage, Spaceman Spiff, Xtrem532, Agoelia