naughtyroad

Active Member
Donor
Game Developer
Jan 8, 2019
972
13,162
It's certainly a good idea to do that, but if you do, I think it's also important to put this in the proper context.

1) This isn't something that's newly discovered, it has always been true since the very beginning of Ren'Py.
Save game sharing is pretty common here, but I haven't seen a single post from anyone suspecting something fishy is going on after using someone else's save file. So, is it possible? Absolutely. Is it likely? Not really.
(...)
It is something that is newly getting some more attention, that vid coming out just over 6 months ago, and the change in renpy where it warns you when loading a save is from last May. And be honest, did you know ren'py saves are basically software? I sure as heck didn't, and I guess 99% of people on thread didn't either.

IDK about you, but I don't wanna put security of user level access to my computer down to "it's probably gonna be fine, no-one's been targeted yet that I know of so it's unlikely they ever will".

(...)
2) Ren'Py can execute code in the context of the current user running the game. Which means if you run your games as Administrator, any bad code could theoretically modify your OS, steal your files, passwords and so on...
But who actually runs their games as Admin? My guess is the answer is somewhere between a few people and absolutely nobody. If you run your games as a regular user there isn't much any possible malware could do, because it lacks the necessary Windows permissions to access anything interesting.
I can tell you from personal experience with my user base that most of them will do absolutely nothing of the sort, and wouldn't even know that's even a thing.

As to can't access anything important when not an admin (and mind, in my estimation, that's a small minority of users that protect themselves that way), just, you know, take a scroll through your documents and photos. Any financial info there? Copy of your passport from a few years back when HR asked for it. All those scans and forms for when you applied for that loan? How about them cookies in your browser caches, any chance it'll be able to get onto a ton of websites without having to log in if executed from within the context of that user? Yum yum, scrape all that data, and put it up on the dark web for the highest bidder.

Bottom line though is "Don't ever use a ren'py save you did not create yourself. Ever."
 

Joshy92

Devoted Member
Mar 25, 2021
10,849
23,641
This just further proves why I think Naughtyroad
Is one of the coolest & Nicest devs here

Thank you for the warning Naughty
I honestly had no idea before your post yesterday that saves could be harmful.
Hopefully more people read your message.
Because I see so many people in other threads asking for saves

And with how everything is connected these days it's better to be safe than sorry
 

manneychin

Member
May 8, 2017
432
1,246
It is something that is newly getting some more attention, that vid coming out just over 6 months ago, and the change in renpy where it warns you when loading a save is from last May. And be honest, did you know ren'py saves are basically software? I sure as heck didn't, and I guess 99% of people on thread didn't either.

IDK about you, but I don't wanna put security of user level access to my computer down to "it's probably gonna be fine, no-one's been targeted yet that I know of so it's unlikely they ever will".



I can tell you from personal experience with my user base that most of them will do absolutely nothing of the sort, and wouldn't even know that's even a thing.

As to can't access anything important when not an admin (and mind, in my estimation, that's a small minority of users that protect themselves that way), just, you know, take a scroll through your documents and photos. Any financial info there? Copy of your passport from a few years back when HR asked for it. All those scans and forms for when you applied for that loan? How about them cookies in your browser caches, any chance it'll be able to get onto a ton of websites without having to log in if executed from within the context of that user? Yum yum, scrape all that data, and put it up on the dark web for the highest bidder.

Bottom line though is "Don't ever use a ren'py save you did not create yourself. Ever."
I also have to admit I didn't suspect it's that bad. I imagined Ren'Py does heavy serialization to support its fundamental roll back<>forward feature but I didn't imagine it saves code in save files, I thought it saves some public object properties but mostly it saves just a list of public simple (int, etc.) variables capturing game state. Indeed NOBODY should ever use saves from untrusted sources. You are literally downloading an .exe from a random person who might pass it on to you from someone else and any modern evil code is not easily obvious, it may not even manifest for some/most if it doesn't find something juicy. It's very bad.

As a side-note, it's a VERY good idea to at least run all these games under a separate Windows desktop session opened with a dedicated non-admin account. Even better would be to run them in a VM but I don't know if this solution has any smooth path because it runs into the non-trivial problem of having "enough" video/3D hardware acceleration in a VM. I've been meaning to look into it for ages...
 

PowerFlower

Newbie
Jul 1, 2017
71
177
It is something that is newly getting some more attention, that vid coming out just over 6 months ago, and the change in renpy where it warns you when loading a save is from last May. And be honest, did you know ren'py saves are basically software? I sure as heck didn't, and I guess 99% of people on thread didn't either.
Ren'Py uses the python pickle module to serialize/deserialize its data and it's well known that this module is insecure. There's a giant warning about it in the official documentation.

So yes, I did know, but you're correct that most game devs probably don't. It's an implementation detail of the engine.
My point was that this isn't new information to "hackers" and yet nobody seems to have taken advantage of it so far.

IDK about you, but I don't wanna put security of user level access to my computer down to "it's probably gonna be fine, no-one's been targeted yet that I know of so it's unlikely they ever will".
Fair enough. I wasn't criticizing your post bringing awareness to it. It's still a fallacy though in my opinion.

2 quick points:

1. You make the "stranger danger" argument, which is good advice in general. It's however not obvious to me why I should trust a complete stranger with an F95 account called "pussylicker69" more or less than a complete stranger with a Patreon account called "PussyLicker69 Games". The former can hide malware in a save file, the latter can hide malware in the game itself. You can of course convince yourself that the stranger with the Patreon account is somehow more trustworthy, but that's faith not security.

Everyone here is running unverified code from complete strangers since the moment they signed up. No two ways about it.

2. Cost vs. benefit: Sure, someone could manipulate a save file and then post it here, in the hopes that a few people will actually download and use it. Or... they could cook up a few shitty DAZ renders and post a v0.1 incest harem game where an insufferable mc returns home to his family after studying abroad. It will be called "My returning home to the Milftown" Something along those lines, only with even worse grammar. Now all of a sudden, hundreds/thousands of people will happily run the malware. And if the game pops up a splash screen saying "This game is 10x hotter if you run it as Administrator" some people will do that too.

It's just not worth it trying to mess with save files when there are much better ways to achieve the same thing.

Bottom line though is "Don't ever use a ren'py save you did not create yourself. Ever."
No. The bottom line is, if you care about security run any and all Ren'Py games in a Virtual Machine and never on your real machine. Anything else is merely a false sense of security.
 
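The pickle point made in the post above, as an added example that is not from this thread or from Ren'Py: a static check that walks a pickle stream with the standard library's `pickletools` and lists what it would import and call, without ever loading it. `referenced_globals`, `SampleCallback` and the two sample blobs are hypothetical names and constructed data; the code works on raw pickle bytes and does not parse a Ren'Py save file.

```python
import pickle
import pickletools

# Opcodes that can call an imported object while a pickle is being loaded.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def referenced_globals(data: bytes):
    """Walk a pickle stream WITHOUT loading it.

    Returns (imports, call_ops): the "module.name" objects the stream asks the
    unpickler to import, and the call-capable opcodes it contains.
    """
    imports, calls, strings = set(), set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # Older protocols carry "module name" in a single argument.
            imports.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are normally the two strings pushed
            # just before. Heuristic; "?" marks a name we could not recover.
            module, name = (["?", "?"] + strings)[-2:]
            imports.add(f"{module}.{name}")
        elif isinstance(arg, str):
            strings.append(arg)
        if op.name in CALL_OPS:
            calls.add(op.name)
    return sorted(imports), sorted(calls)


class SampleCallback:
    """Constructed sample: pickles as 'call builtins.len("abc") on load'."""

    def __reduce__(self):
        return (len, ("abc",))  # harmless callable, for illustration only


# Constructed inputs. dumps() only serializes; nothing here is ever loaded.
PLAIN_STATE = pickle.dumps({"chapter": 6, "points": 12})
CODE_BEARING = pickle.dumps(SampleCallback())

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_STATE), ("code-bearing", CODE_BEARING)):
        print(label, referenced_globals(blob))
```

An empty result only means this heuristic found no import or call opcodes; a serialized game state will normally reference many classes, so a non-empty list calls for review of what is named rather than being a verdict by itself.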

Biscardone

Member
May 2, 2020
104
514
As a side-note, it's a VERY good idea to at least run all these games under a separate Windows desktop session opened with a dedicated non-admin account. Even better would be to run them in a VM but I don't know if this solution has any smooth path because it runs into the non-trivial problem of having "enough" video/3D hardware acceleration in a VM. I've been meaning to look into it for ages...
Well, did you know that Windows 10 Pro has a little something called Windows Sandbox, which is akin to a lightweight VM? No? Don't be surprised, nobody does. It's a very interesting feature that can be used to build a secure testing environment... So it's very well hidden and not advertised at all. Figures.
 

Neko-Chan Pacifica

Active Member
Jul 6, 2021
919
921
I really like this weird game, it would be nice if you could release updates much sooner than it currently takes, etc more than a year! can't you make smaller updates and release sooner like every 3 or 4 months, surely so much easier and you're keeping everyone happy?
 

Neko-Chan Pacifica

Active Member
Jul 6, 2021
919
921
Guide has been updated with Chapter 6!

Here is the Official Point Guide for the game, now containing chapter 6 (Please don't suddenly delete the link out of nowhere this time F95 mods, thank you.)

As usual, and described in the guide too, Naughty and I recommend to play the game without any sort of Walkthrough/Guide for the best experience.

Whether you decide to use this or not, have fun with this great game!
can you make this into a game mod please? i hate pdf files, sorry.
 

satoshilee

New Member
Sep 4, 2017
3
0
Does anyone know of a way to extract your save file from android so that when you play you won't lose the data if you delete the app on your device?
 

misha958

Member
Jan 21, 2018
135
179
Does anyone know of a way to extract your save file from android so that when you play you won't lose the data if you delete the app on your device?
I remember, I did it manually with PC connection. But I don't remember the folder.


Here is what the internet says:

"On Android your save files can be found in SD:/Android/data/com.andrealphusgames.love and sex second base


This is a protected folder and you will need to connect your device to a computer to access this folder.


Downloading another file manager might work too (no guarantee)"


Maybe not exactly SD, but it can be a phone.
 

FishMonger

New Member
Apr 10, 2020
10
5
They went to a concert once when she was married. He was 15 and his older brother drove them.
If only there was a place to look without having to ask.
Only the weak need saves. The strong play through the game every update! I am prepared! I am ready! I am strong!

Totally agree, real players download, start from scratch and go. Each and every update. Why? Because you are worth it. Save files are for weaklings. There I said it. Weaklings. Now discuss.
 

naughtyroad

Active Member
Donor
Game Developer
Jan 8, 2019
972
13,162
(...)
So yes, I did know, but you're correct that most game devs probably don't. It's an implementation detail of the engine.
My point was that this isn't new information to "hackers" and yet nobody seems to have taken advantage of it so far.
(...)
I have no idea what the point is you're trying to make. An exploit isn't a risk because right now nobody's actively exploiting it? Seriously...

(...)
No. The bottom line is, if you care about security run any and all Ren'Py games in a Virtual Machine and never on your real machine. Anything else is merely a false sense of security.
Apples and oranges. A dev with a big following has a vested interest to build trust and keep that so as to make good on the significant investment of time and effort that goes into making a VN, because once you pull the trigger it's just a matter of time before the jig is up. Same as the builder of an App on your phone, or a game in your Steam library. You don't jeopardize that kind of investment on purpose.

A rando with a throw away account and some python skills that can plop a doctored save into a forum just to see which one of the thousands and thousands of viewers will bite on the other hand has every reason to give it a shot.

So yeah, it's a risk as much as it is a risk to pull some app on your phone. It's still a world apart from firing up a random executable you stumbled across in some forum in the underbelly of the internet.

Like I said, I'm not really sure what the point is you're trying to argue, but it feels like an argument for argument's sake, and I'm kinda done with this discussion now.

I really like this weird game, it would be nice if you could release updates much sooner than it currently takes, etc more than a year! can't you make smaller updates and release sooner like every 3 or 4 months, surely so much easier and you're keeping everyone happy?
Nope. I've talked about this in the past but the short of it is that I do whole chapters, and they take time. If that frustrates anyone, that's really too bad, because the alternative is not doing LomL at all.

can you make this into a game mod please? i hate pdf files, sorry.
No, that's not happening, mainly because there's no need for it.

There's no narrow line you have to walk to unlock everything, just answer questions normally and you get content you like. E.g., you like a character, act normal towards them (no need to kiss their asses either, just act like a normal person), and if they propose, accept, and you get their content. Treat them bad, actively avoid them, or turn them down, you don't get their content.

There's no puzzle or hidden stuff there, no moment where you find out you had to pick a specific set of options at the start of the game so you can get a special scene at the end of it. The game even has an option to simply not present you with any choice that would lock you out of the main character's storylines, if you really, really need guardrails.

So don't sweat it, you really have to try to mess things up.

On a philosophical note, having a dev sanctioned WT mod implies there's a "best path" through the game, which feels kind of silly because why then did they go through all the trouble of creating alternative paths. It just encourages players to treat the game as a visual novel, so then why not make a visual novel, much less work, really.

Does anyone know of a way to extract your save file from android so that when you play you won't lose the data if you delete the app on your device?
They're just stored under a folder in your install folder on your phone, same as with the PC version. Just browse to it and you'll find the files, and you can copy them to some backup location. No extracting needed.
Nm, answered above.
 

misha958

Member
Jan 21, 2018
135
179
Totally agree, real players download, start from scratch and go. Each and every update. Why? Because you are worth it. Save files are for weaklings. There I said it. Weaklings. Now discuss.
Ahah) To be serious, I played the game a year ago and was going to load my old save, but decided to play again to remind myself what was in the story. It turned out that I've forgotten A LOT. Even, that Macy and Denise have a

I advise everyone to replay at least the 6th chapter, to remember all the things))
 

Turning Tricks

Rendering Fantasies
Game Developer
Apr 9, 2022
1,282
2,414
I have no idea what the point is you're trying to make. An exploit isn't a risk because right now nobody's actively exploiting it? Seriously...

Reminds me a lot of back when public WiFi was getting hugely popular. Many software devs raised the red flag about the vulnerability of website cookies in public WiFi and the industry just shrugged ... well, because nobody was really exploiting it.

So one of these guys made an app for Firefox called "Firesheep" to show how bad it was. I read about it and I installed that app and then headed to my local mall to test it. With no coding skills and only having to download a simple Addon for my browser, I hijacked 5 different people's social media accounts in the first 5 mins. After that, I absolutely never logged into any accounts when using a public WiFi, lol.
 
