How to store salt (secret key) invisible for decompilers

Question

Hello, developers. I need a solution to hide salt variable or it's value from decompilers like Ilspy. I'm using salt to test md5 hashes with data provided from web player.

alt text

Answer 1

Answer by Julien-Lynge · Apr 13, 2014 at 07:51 PM

It is impossible to place a key in an application that is invisible to an end-user. The key has to be readable from the application so that it can be used (e.g. in making requests). If the application can read the key, and therefore the system running the application can read the key, a user can read the key.

1 Show 2 · Share

alienmax22 · Apr 13, 2014 at 08:05 PM 0

Share

And there is no solution for this situation?

Julien-Lynge · Jun 07, 2015 at 12:55 PM 0

Share

Unfortunately, no, there is no perfect solution. You can definitely make things harder, but a skilled programmer can always read the key, because your computer can. This doesn't just apply to code, BTW: skilled folks can pull all of the images, 3D models, audio, and more out of an application that runs on your computer.

This is the reason that many games to remote logins. When the game starts, the user logs in to your server, and your server (after validating the user) issues a session key that's good for one period of playing. The user never has access to the algorithm that's generating these session keys, so they don't suffer the same issue. And because they expire and rely on a user to successfully log in before generating one, they are much more secure.

If you can't do a remove login / session key, then I suppose you could stick your salt in an unmanaged code in a separate dll so that it can't be opened in ILSpy. Now, that doesn't mean someone skilled couldn't still access it (there are fairly easy ways), but it's at least one more step, and a bit harder.

Answer 2

Answer by Phastin · Jun 07, 2015 at 12:09 PM

Obfuscation is the solution here: Try a salt that's generated at runtime using a variable that no one would guess. For instance:

 string actual_data = "your data here";
 
 string md5_result = md5( actual_data + xSpeed.ToString() );

In this case, (going by your source code) the 'salt' would be the string '300.0'.

1 Show 1 · Share

tanoshimi · Jun 07, 2015 at 12:46 PM 2

Share

That doesn't help at all since the decompiler can see the variable you used and the method used to calculate the salt from it...

How to store salt (secret key) invisible for decompilers

2 Replies

Unity Answers is in Read-Only mode

Follow this Question

Related Questions