Protect .rpa and .rpyc from unpackers and decompilers

[ARGAMX]

Hello, friends.

Anybody knows, how to protect .rpa and .rpyc files from unpackers and decompilers?
Target: protect Renpy game sources and resources (music, images) from been unpack and stolen.

Is there any instruments and ways to make this today?
Has the Renpy project the aim to provide such abilities to game developers?

Thanks.

[PyTom]

Unfortunately, this is impossible. For a game to run, it has to be able to read all of the resources involved in the game - all the information has to be present on the system to allow for unpacking to take place. So at best, all a game can do is obfuscate things a little, but as you can see from http://tlwiki.org/index.php?title=Tools , that doesn't work well.

Ren'Py is an open source project, we can't obfuscate as well as closed source ones can. Since closed source projects don't really handle obfuscation either, I'd prefer to just leave everything open.

[ARGAMX]

Unfortunately, this is impossible. For a game to run, it has to be able to read all of the resources involved in the game - all the information has to be present on the system to allow for unpacking to take place. So at best, all a game can do is obfuscate things a little, but as you can see from http://tlwiki.org/index.php?title=Tools , that doesn't work well.

Ren'Py is an open source project, we can't obfuscate as well as closed source ones can. Since closed source projects don't really handle obfuscation either, I'd prefer to just leave everything open.

PyTom, big thanks for your answer.
Sounds not good for commercial professional developers.
Renpy is pretty good project, and I think it can be open source and provide making non-open source games at the same time - this is would be big attract to many developers to develop Ren'py games.

[PyTom]

Honestly, Ren'Py is used by a number of commercial developers - I don't think the situation is very different form other open-source and commercial game engines. The technical situation is all the same, so the only engines without unpackers are those lacking games important enough.

[firecat]

PyTom, big thanks for your answer.
Sounds not good for commercial professional developers.
Renpy is pretty good project, and I think it can be open source and provide making non-open source games at the same time - this is would be big attract to many developers to develop Ren'py games.

people do try to hack into the game, many do it for translating to their language, find any broken code, and try to steal (as already been known). people have been doing this from stream app all the way into console games, there is no absolute protection for them, only sensitive data like credit cards are well protected.

[uyjulian]

If you want to obfuscate, randomizing the names of your resource files/variables might be a good idea.

Of course, if you do obfuscate, it will be hard for people to fix your game if it gets broken by a new renpy/OS/library update. So I advise you shouldn't obfuscate for the better.

[Marqin]

Target: protect Renpy game sources and resources (music, images) from been unpack and stolen.

There is one half-good way for protecting game sources (but it won't protect strings, like text told by characters)

1. Write all your VN logic as python module
2. Import that and use in your VN (documentation)
3. Use Cython or Nuitka to compile that python module to C code
4. For each platform/operating system you release, compile that C into .so/.dll and package it with your game

That way it won't be easy(but still possible) to steal your scripts (eg. minigames/logic),
because for that someone will have to know assembly and python's C api calls.

P.S. sorry for necro

[Jibus]

Could you provide an example?

[Karl_C]

Target: protect Renpy game sources and resources (music, images) from been unpack and stolen.

Can you clarify what you mean with 'stolen'?

Even if I would find a way to extract music or images, they are still copyrighted ('protected'). When I would use the 'stolen' resources for an own game and would upload it somewhere, there's a high possibility that I would run into *very* serious problems.

Let's say, I would create a game with 'stolen' resources and would upload it to Google's Play Store: The owner of the files would simply have to file an complaint online and Google would ban me from publishing software for the rest of my life. Without any court session and without any explanation from Google. And if the owner would sue me for copyright infringement, then I would be really in deep sh..

Two main FBI divisions investigate intellectual property crimes:

Cyber Division
-investigates intellectual property crimes involving all digital and electronic works (including Internet, CDs, DVDs, etc) http://www.fbi.gov/ipr
Financial Institution Fraud Unit
-all other intellectual property crimes
There are three ways a complaint made be filed:

Complainants may contact their local FBI field office, and the complaint will be properly referred.
A complaint may be filed online at the Internet Crime Complaint Center http://www.ic3.gov and, again, it will be properly routed.
Suspected criminal activity of any nature may be reported online at https://tips.fbi.gov and will be routed accordingly.

U.S. Copyright Office

I don't want to get an email, letter or even visit from the FBI because of a stolen image or song, do you?

BTW: There are tons of games around with cracked DRM (Digital Rights Management) and this games were made by big industry players (total revenues for the game industry in the U.S. hit $23.5 billion in 2015). I think it's a waste of time to try to protect your resources that way. Better start small by putting a proper copyright notice into your game.

[Ocelot]

I don't want to get an email, letter or even visit from the FBI because of a stolen image or song, do you?

This is the place where I usually post a world map. I would like to see FBI visiting some Chinese mobile games shop, but it is highly unlikely to happen. International IP violations are relly hard to resolve. And it will cost you. Indie developers are especially vulnerable here. Also, unlike media assets, proving that code was stolen is really hard, if it was modified even a little.

I agree that it is impossible to protect your code and assets from determined hacker. However, each additional obstacle will deter some people, who otherwise would try to access them. Basic stuff, like obfuscating script, archiving assets and compiling code would make messing with your game not worth their time for many.

[Darim]

Free your code. Trying to put a copyright on code is like getting a copyright on the alphabet and math.
You can't protect it from reverse engineering anyway.
Also people who want to learn how to make games in Ren'Py can benefit from it.

Same goes for audio and images. There is always a risk that someone will steel it. The only thing you can do is to send a takedown notice to Steam, Google...

I don't want to get an email, letter or even visit from the FBI because of a stolen image or song, do you?

No one outside USA cares about the FBI or copyright notices.

[Karl_C]

This is the place where I usually post a world map. I would like to see FBI visiting some Chinese mobile games shop, but it is highly unlikely to happen. International IP violations are relly hard to resolve. And it will cost you. Indie developers are especially vulnerable here. Also, unlike media assets, proving that code was stolen is really hard, if it was modified even a little.

You're right.

However, each additional obstacle will deter some people, who otherwise would try to access them. Basic stuff, like obfuscating script, archiving assets and compiling code would make messing with your game not worth their time for many.

They won't spend much time or money in reading your compiled code or obfuscated script. They will simply crack your game. And that's not all: They will even copy the original packaging and it's original hologram sticker.

If you ever come to Asia, I can show you places where you can buy illegal copies of the latest games even before the official launch, compiled, obfuscated and DRM'd by an army of programmers.
So how does compiling and obfuscating will help indie developers?

[ShadowScaleFTL]

May be its possible to create some additional code-key wich will be needs to decode .rpa file and place it in uncoded .rpu file, so game take it and encode files, but unrpatools and etc. without this additional code will not alowed to uncode them.

If it posible it looks viable

[NialGrenville]

*Thinks protecting against hackers will work

I am afraid to say; it will always be a battle sorely lost.

*Remembering other events in the past week*

You can however DRM creatively. If you're good enough. If it is possible with python.

That is probably the best way to get back at thieves and crooks. Just look at these: Good Game DRMs

[dvemail]

Although this is a very old thread, I'll add my $0.02 to it. All of the doomsaying 'you can't stop hackers' misses the point entirely. Even if all that your protection measures do is discourage the casual hack attempt, you've made giant strides commercially. Most users of most games do not haunt the pirate sites and exchange tips on how to get away with criminal behavior. Most kids who would happily use a pirated game won't do so if it's a little complicated and difficult to do. This is precisely why the game companies continue to pursue copy protection and DRM. Just because it might seem easy to *you* doesn't mean that it's actually easy.

Dropbox is a viable commercial entity with an interest in preventing the decompiling of their product. As a result, they have taken the effort to make their client more secure, even though it's in Python. What did they do? Here's an investigation: https://www.usenix.org/system/files/con ... kholia.pdf
The conclusion of the security researchers was that DropBox's measures were more than enough to deter any casual attack.

The value for me in all this is protecting (to whatever extent I can) the value to my company of the code being written. What we want to protect against is what happened to Princess Trainer and Witch Trainer. Those games were (pardon the pun) seminal in that particular area, and as a result were decompiled and copied and modified. While Akabur had / has no particular interest in monetizing those games, he would have been screwed if he had wanted to do so. In fact, one 'company' I'll refer to by the initials SC ripped his game completely and used it as a launch point for their own product.

Any argument that 'it's futile' misses the point that reducing theft of the code is what I'm interested in. You can't eliminate piracy. It's like ants... do you want a few ants in your house, or are you okay with tens of thousands?