AlexRyder

18 minutes ago, Icarus said:

If I would make a room public just for friends. Is it still possible to steal it for not-friends(people, which are not able to enter)?

Yes. The room only needs to be uploaded to the server to be accessible, doesn't matter if it's open or the owner is online or not.

Unmoddable 3dxChat? Where's the fun in that? 

5 minutes ago, Heden said:

Something I forgot in suggestions to secure game is to do a hash check on the compiled DLL (that's what I do on the software I'm working on). After compilation, the DLL hashes are crypted and stored in Unity assets (which are quite hard to access the content). Then on launch the game checks what DLL has been modified and reacts depending on which DLL has been modified (in my case I close software without warning).

That would be pretty easy to fix once you have figured out where the hash check is (there are even ways to use a code debugger with a compiled game, so shouldn't be impossible even for an obfuscated dll), I have done this with unmanaged binaries, and I'm a complete C++ and ASM noob

Also, may be tricky to do this with Unity since it recompiles all the dlls on game builds, but is probably doable, can't say since I haven't digged into it. And there also ways to browse and patch serialized Unity assets, UABE is a nice example +

11 minutes ago, Heden said:

The whole method(s) to check the DLL hash is obfuscated, in IEnumerator and not obvious to spot (like in a Monobehavior class).

Can be detected with a debugger.

11 minutes ago, Heden said:

Removing the thread on 3DX forum is dumb and just proves game developers don't care about game development.

I think they're not very fond of complaints in general. Though I'm kinda fine with this "zero security" approach and just accept it, fortunately all the banking data is handled by a specialized company

The more secure way would probably be to create a native C/C++ security and networking dll and access all the sensitive data via native api calls.

We can always suggest e-mail free give-away days. Just please inform the spam bots in advance!

53 minutes ago, Pierrousss said:

they deleted my thread on the forum and look what gizmo throw here...

53 minutes ago, Pierrousss said:

wtf ? ... so this means we can all hack everyone, its totally normal for him and also he is proving the entire community that nothing is secure on their server lol.. well well 

I think this is how it's been since day 1 anyway?

I sorta expected an answer like that, making secure code is hard

13 minutes ago, TamaraX said:

At least not room data.

Hm, what do you mean?

1 hour ago, LetMeAnswer said:

My first account "Heden" has been banned here and the attached email address leaked to pierrousss. I don't care but that's not cool...

Then my second account to answer has been removed.

I just wanted to have a chance to explain a bit things.

There is probably too many admin accounts for a single site, apparently someone got trigger happy 

1 hour ago, LetMeAnswer said:

Anyway, compiled C# will never been 100% secured but with all those (simple) methods applied, the game will be a lot more "safe".

For the 4) I am talking about simple methods like for example "Download(string nameOfDataToDownload)". This is so obvious to spot and easy to modify... There is no security at all in such method, nothing controlled, not permissions or rights management.

Well, to be fair, 3dx uses a sort of a native obfuscation, sometimes referred to as "spaghetti code"  

I'm pretty sure it's been "zero security" approach since day one, they can just add it to the EULA and be done with it, I think

28 minutes ago, LetMeAnswer said:

Here are some ways to secure a lot rooms and DLL:

1) Obfuscation! Obfuscation is good for commercial games and it's also possible to obfuscate with uncommon characters that most decompilers can't deal with.

2) IEnumerator! Put sensitive methods in IEnumerator methods. Most decompilers can't fully decompile IEnumerators.

3) Encrypt! Currently data are download without any encryption, just pure json gzipped... The Zip should at least have a password (encrypted in DLL).

4) No generic method! Avoid generic methods to download world files

5) Restricted Access! Do not allow WORLD files to be downloaded when owner is offline

1. This is the most obvious solution (though I'm not looking forward to it for obvious reasons XD). Also, Unity obfuscators are usually less harsh than generic .Net ones due to the way Unity needs to work with the assemblies.
2. dnSpy can handle them nicely since v4 (which is awesome!), and they were not that hard to fix after decompilation even when they are in "raw" decompiled format.
3. There was an "encryption" for pre-world-editor files with ridiculous keys stored in plain text in the dll
4. Not sure what you mean here exactly.
5. This sounds like a reasonable measure, but it only narrows down the "window of opportunity".

In any case a user will still be able to grab the room data by joining it when it's shared (encrypted or not, that's another matter).

There is also an ultimate IL2CPP solution on the newest versions of Unity, but I really hope this never happens in 3dx O:)

Uhm, I didn't ban anyone or give out anyone's e-mails O_o

Not really. A good idea would be to consult somebody who really knows something about web security

If I let people use their own passwords, only people knowing the password will be able to join the room (and they will have to type it in every time they join). If I hardcode a password in code, this will make zero sense since it's easy to decompile the dll and find it.

And in any case this will just crash the vanilla clients since they won't be expecting any password protection.

What does she has to do with anything? You can just take the original dll and play with it however you want.

Rochi's is pretty much the same vanilla dll with a few insertions and replaced variables, people probably base off on it because they like the added features, other than that it is not different from basing off the vanilla one.

I'm not really checking all the stuff that gets on the forum, but I don't think so.

Once again, you don't need an "automated tool", I can do that in Firefox with a single line request, for example. And any programmer will be able to write a simple one-button tool for that in a few minutes, I guess.

Just now, MasterXavier said:

Alex,

Can you think of something security wise that can be written? some how protect the server and local copies of the .world files?

Nothing without modifying the server side code first, and this still will not prevent people from dumping the data while accessing the room normally.

Giant media corporations like Adobe can't make their streams secure with rtmp and stuff, what do you expect from a small company like SGD? )

Well, I can add password protection to the uploaded zip file, but then no one will be able to open it at all

I've replied you on the 3dx forums about it.

You don't even need a 3dxChat account to get a person't room, it's accessible via an url like you would access any web site. Well, a tiny bit more complicated than that because you need to perform a POST request instead of a GET, but other than that pretty much the same.

There is already a topic about that...

They probably have some personal issues? Other than that, that blatantly copying someone's room and opening it is just stupid.

In any case, if something is open for public access, there will always be ways of copying it no matter the security measures.

It's hard to tell anything for sure, the error is pretty generic.

Most likely you still have some leftovers from messing with the game previously (you should manually delete the game folder if it's still there after uninstalling it with the program manager to make sure everything is deleted). There may also be more details in the game log.

If the game is not the case, you may either have an issue with your Visual C++ redistributable installation (there is a lot of info in Google on how to reinstall it), or your antivirus software may be messing with the game in some way (AVG and BitDefender have been noticed to cause weird bugs), try disabling it.

I think it's the camera pivot point visualization the devs have forgotten to clear out (or put there intentionally, dunno), you can simply ignore it.

1 minute ago, Ayon said:

Interesting, I wonder why the Dev's stopped the encryption for the new  .world format.

Because I told them so?

But seriously, the encryption was pretty pointless since it had all the keys inside the client code in plain text.

The room sharing system could probably be more secure, but no matter how secure it is, once you share something with others, there will always be ways to copy it.

1 minute ago, Ayon said:

to save someones room file as its sent/rendered on their computer as they enter the room?

That, too. But it would be easier to just download it as I described.

It worked like that even before the World editor, the only difference is that the room files were "encrypted" before and are zipped now.

There is no need for any dlls or anything to download any person's room. You can even do this using a web browser with a POST request plugin installed (Firefox, for example, has one), or any program that can perform POST requests. The only things you need to know are the char's name and the request url (well, you also need to know the request parameters, but those are easily detected by a network sniffer).

Uhm, you're confusing 3d modeling software with a game which just allows you to position and scale existing models. The ".world format" is not some common file format, it's just a game-generated JSON with a list of object properties, you won't find it anywhere else.

Ah? What? Who's there?

Hey, I will certainly make an updated version at some point, but right now I'm playing with the game's code