Pls help: Encrypting or obfuscating passcode and Gallery images

[jospaghettio]

I'm not a coder, so i need an explanation like I'm 5.
I'm the dev's writer. He can't speaka the English so I'm his intermediary.

So, he wants to up his cheat prevention, by preventing "hacking" access to gallery code and gallery images.

I know (vaguely) that renpy launcher has its own obfuscation process. But no native encryption(Aes256).

So the idea is to encrypt script containing the passcode and also encrypt the 16 gallery images. When the passcode is entered, access is granted.

The gallery images have to also be located in the game(hidden cards). I don't know if this is relevant resolving the encryption.

Thank you for being patient and for wanting to help!
Ask any questions.

 

[Nadekai]

... ... I imagine this game is gonna be on F95 eventually ...
... won't the code just get leaked in the game's thread ...

 

[Winterfire]

He's just wasting his time. He could make the game in a better engine (Unity) have a Patreon Auth (so no code at all) and people would still easily crack it as it happened time and time before.

 

[79flavors]

So, he wants to up his cheat prevention, by preventing "hacking" access to gallery code and gallery images.

Don't bother.
It's a single player game, by cheating - the player is only cheating themselves.

He may stop a few people, but someone will just come here onto the forums and request someone bypass the cheat protection. At that point, there will be a patch - and everything will be available.

A few years ago, for a short period, some developers started disabling rollback. The logic was simple - ensure that player choices mattered, by making it difficult for the player to easily go back an choose a more favorable outcome. Hardly anyone does that anymore... because generally the first question that got asked here on the forums was "how can I switch rollback back on?".
Let the player play the game however they like... even if that's cheating.

[...] But no native encryption(Aes256).

RenPy can do anything python can do - and python has AES/RSA libraries. There's one built into RenPy by default (but I can't find the example I wrote a few years ago). No special knowledge required. Just an import ... line at the top of the script.

The problem is implementation.

To decrypt anything, the script needs to include the (public) decryption key. And because the decryption key needs to be included within the game, someone WILL find it.
You can make things difficult for players. You can even make it difficult for the coders who hang around here on the forums. You can't "prevent" someone bypassing it.

There is very little difference at that point between implementing AES/RSA and just having if passcode = "6031769":. Just complexity.

And while AES/RSA might sound like a complex solution, it will ultimately come down to a line that reads something like if success_password == True:. Changing that to if success_password == False: is child's play. Now the gallery is shown to anyone who gets the password wrong! Maybe I'm oversimplifying there, but you get the point. With decryption, there is always an attack vector... a weak spot - and with RenPy, it's not even hard to find.

Or put another way. If big software houses like E*A, Bet*hesda, Son*y, Ub*isoft and Tak*e-Two Interactive can't protect their games using bespoke protection schemes - how do you expect to do it in RenPy, a gaming engine that lets practically everyone view the source code?

Just my opinion, but have the developer focus on the game content.

 

[jospaghettio]

Don't bother.
It's a single player game, by cheating - the player is only cheating themselves.

He may stop a few people, but someone will just come here onto the forums and request someone bypass the cheat protection. At that point, there will be a patch - and everything will be available.

A few years ago, for a short period, some developers started disabling rollback. The logic was simple - ensure that player choices mattered, by making it difficult for the player to easily go back an choose a more favorable outcome. Hardly anyone does that anymore... because generally the first question that got asked here on the forums was "how can I switch rollback back on?".
Let the player play the game however they like... even if that's cheating.




RenPy can do anything python can do - and python has AES/RSA libraries. There's one built into RenPy by default (but I can't find the example I wrote a few years ago). No special knowledge required. Just an import ... line at the top of the script.

The problem is implementation.

To decrypt anything, the script needs to include the (public) decryption key. And because the decryption key needs to be included within the game, someone WILL find it.
You can make things difficult for players. You can even make it difficult for the coders who hang around here on the forums. You can't "prevent" someone bypassing it.

There is very little difference at that point between implementing AES/RSA and just having if passcode = "6031769":. Just complexity.

And while AES/RSA might sound like a complex solution, it will ultimately come down to a line that reads something like if success_password == True:. Changing that to if success_password == False: is child's play. Now the gallery is shown to anyone who gets the password wrong! Maybe I'm oversimplifying there, but you get the point. With decryption, there is always an attack vector... a weak spot - and with RenPy, it's not even hard to find.

Or put another way. If big software houses like E*A, Bet*hesda, Son*y, Ub*isoft and Tak*e-Two Interactive can't protect their games using bespoke protection schemes - how do you expect to do it in RenPy, a gaming engine that lets practically everyone view the source code?

Just my opinion, but have the developer focus on the game content.

Thank you very much for the informative answer! I didn't know it was so easy to bypass aes encryption in renpy. Of course I didn't know much about encryption or renpy. Haha. Well, I'll pass on the information.

 

[pikolinian]

One could always set up simple web service, and game send passcode to said service for evaluation. That would hide your password checking, but... If game is good, password will appear here. If not, well... who cares?

 

[n00bi]

One could always set up simple web service, and game send passcode to said service for evaluation. That would hide your password checking, but... If game is good, password will appear here. If not, well... who cares?

Doesnt help.

As was stated above.

it will ultimately come down to a line that reads something like if success_password == True:. Changing that to if success_password == False:

You just open a debugger step though the code execution until youre at the point for inputting password etc.
nop it out. force a jump etc. there are many ways to bypass encryption.