Question by alienmax22 · Apr 13, 2014 at 04:00 PM · c#, security, hash, decompile

How to store salt (secret key) invisible for decompilers

Hello, developers. I need a solution to hide the salt variable or its value from decompilers like ILSpy. I'm using the salt to test MD5 hashes with data provided from the web player.

salt.jpg (61.8 kB)
Comment by ZDS Alpha · Apr 13, 2014 at 04:06 PM

I don't understand. ILSpy cannot decompile a Unity application.

Comment by alienmax22 · Apr 13, 2014 at 07:13 PM

Sorry, my bad. I meant Assembly-CSharp.dll after unpacking the Unity application.

2 Replies

Answer by Julien-Lynge · Apr 13, 2014 at 07:51 PM

It is impossible to place a key in an application that is invisible to an end-user. The key has to be readable from the application so that it can be used (e.g. in making requests). If the application can read the key, and therefore the system running the application can read the key, a user can read the key.

Comment by alienmax22 · Apr 13, 2014 at 08:05 PM

And there is no solution for this situation?

Comment by Julien-Lynge · Jun 07, 2015 at 12:55 PM

Unfortunately, no, there is no perfect solution. You can definitely make things harder, but a skilled programmer can always read the key, because your computer can. This doesn't just apply to code, BTW: skilled folks can pull all of the images, 3D models, audio, and more out of an application that runs on your computer.

This is the reason that many games do remote logins. When the game starts, the user logs in to your server, and your server (after validating the user) issues a session key that's good for one period of playing. The user never has access to the algorithm that's generating these session keys, so they don't suffer the same issue. And because they expire and rely on a user to successfully log in before generating one, they are much more secure.

If you can't do a remote login / session key, then I suppose you could stick your salt in unmanaged code in a separate DLL so that it can't be opened in ILSpy. Now, that doesn't mean someone skilled couldn't still access it (there are fairly easy ways), but it's at least one more step, and a bit harder.
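The session-key scheme described in the comment above, sketched as an added example that is not part of the original thread. It assumes a Python server, HMAC-SHA256 in place of the question's MD5-plus-salt, and hypothetical names (`MASTER_KEY`, `issue_session`, `client_sign`, `verify_submission`); `client_sign` only stands in for what the game client would compute.

```python
import hashlib
import hmac
import secrets

# Server-only master secret: created on the server, never shipped in the client build.
MASTER_KEY = secrets.token_bytes(32)
SESSION_LIFETIME = 3600  # seconds; assumed length of one period of playing


def _session_key(user_id: str, expires: int, nonce: str) -> bytes:
    """Derive the per-session key from the master secret and the session parameters."""
    info = f"{user_id}|{expires}|{nonce}".encode()
    return hmac.new(MASTER_KEY, info, hashlib.sha256).digest()


def issue_session(user_id: str, now: float) -> dict:
    """Call only after the login was validated; returns what the client receives."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    expires = int(now) + SESSION_LIFETIME
    nonce = secrets.token_hex(8)
    return {
        "session_id": f"{user_id}|{expires}|{nonce}",
        "session_key": _session_key(user_id, expires, nonce).hex(),
    }


def client_sign(session_key_hex: str, data: str) -> str:
    """What the game client computes instead of md5(data + salt)."""
    key = bytes.fromhex(session_key_hex)
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def verify_submission(session_id: str, data: str, tag: str, now: float):
    """Return the user id if the tag is valid and the session unexpired, else None."""
    try:
        user_id, expires_s, nonce = session_id.split("|")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed session id
    if now >= expires:
        return None  # session key has expired
    key = _session_key(user_id, expires, nonce)
    expected = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the recomputed tag with the submitted one.
    return user_id if hmac.compare_digest(expected.encode(), tag.encode()) else None
```

The player can still read the session key held by their own client, but that key is tied to one validated login and stops verifying after `SESSION_LIFETIME`, while `MASTER_KEY` never leaves the server.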


Answer by Phastin · Jun 07, 2015 at 12:09 PM

Obfuscation is the solution here: Try a salt that's generated at runtime using a variable that no one would guess. For instance:

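 // xSpeed is a variable already present in the asker's script;
 // md5() stands for whatever MD5 helper the project uses.
 string actual_data = "your data here";
 
 string md5_result = md5( actual_data + xSpeed.ToString() );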

In this case, (going by your source code) the 'salt' would be the string '300.0'.

Comment by tanoshimi · Jun 07, 2015 at 12:46 PM

That doesn't help at all since the decompiler can see the variable you used and the method used to calculate the salt from it...
