manuel.gysin Posted July 23, 2011

Hello

When creating a ung file with password protection I cannot start the engine:

```
PackageUng::read_string(): CRC error
PackageUng::load(): can't load "/home/mgysin/Downloads/03_sort/UnigineSDK-binary-2011-07-21/data/core.ung" file
FileSystem::load_file(): can't open "/home/mgysin/Downloads/03_sort/UnigineSDK-binary-2011-07-21/data/core.ung" package
```

Some releases ago this worked and it was possible to start the engine without providing the password for the ung archive. Since there is:

```
Unigine::Engine::init
static Engine * init(int version,App * app,int argc,char ** argv,const char * project,const char * password)
```

I have to start the engine with this, right? (Somehow I don't like to provide the password in a shipped binary.)

This works without problems, but there is no usable way to store the password safely in a binary file shipped to the client. Is there something I'm missing?

main.h

```
#include "Unigine.h"

using namespace Unigine;

int main(int argc,char **argv) {
    // The archive password is passed as a string literal, so it ends up verbatim in the binary.
    Engine *engine = Engine::init(UNIGINE_VERSION,argc,argv, 0, "mypassword");
    engine->main();
    Engine::shutdown();
    return 0;
}
```

main compiled

```
.... <C4>^H<C3>^@^@^A^@^B^@mypassword^@^@^AESC^C;$^@ ...
```

Are there best practices for this?

Thanks
Manuel

steve3d Posted July 25, 2011

No better way to store the password, any experienced hacker can read out the password, no matter how you store the password in plain text or encrypted format.

manuel.gysin Posted July 25, 2011

That's my problem. I can create a char array and freak with it, but like you say, at one point I have to make the engine call and the password is readable in the memory. (security by obscurity...)

So this means that anyone who gets access to the ung_xXX archiver and invests some time to get the password is able to extract the ung archives?

manuel.gysin Posted July 26, 2011

Can a Unigine member please give a statement about this? (I think this is an important topic which affects not only us.)

There is only some information under https://developer.unigine.com/en/docs/1.0/code/environment/linux_app#build_app_releasen

Disassembling a binary file is something, but in this case, when the password is known, the attacker has full access to the game logic with everything!

(I know this is a long-known problem of every developer who needs to store sensitive data in the client, and there is no solution other than security by obscurity. But maybe there is something already implemented in the Unigine library to help. If an attacker gets the password, there is also Unigine system code which is readable, and not only our code, which can be a legal problem.)

manguste Posted July 27, 2011

There is a Resource tool for password encryption (<UnigineSDK>/bin/resource_*). The password will be zipped and encoded to base64.

manuel.gysin Posted July 28, 2011

> There is a Resource tool for password encryption (<UnigineSDK>/bin/resource_*). The password will be zipped and encoded to base64.

Hi manguste

Thanks for the help. I played around with the resource_*. When I run resource_* on password.txt ("MySecretPassword") I get a const char* []:

```
static const char *password_resource[] = { "24 16", "eJzzrQxOTS5KLQlILC4uzy9KAQA1uwaAAA=="};
```

What does the first entry in the array mean? (16 seems to be the string length, but what is 24?)

Also, how do I "unzip" and decode it so that I can pass it to the engine call?

There is no documentation about this topic, but is the workflow like:

1. Run resource_* for the password file
2. Copy the const char *[] into the source code where the engine is called
3. Compile and deploy it

Thanks
Manuel

manguste Posted July 30, 2011

> ```
> static const char *password_resource[] = { "24 16", "eJzzrQxOTS5KLQlILC4uzy9KAQA1uwaAAA=="};
> ```
>
> What does the first entry in the array mean? (16 seems to be the string length, but what is 24?)

The first one is the uncompressed length and the second is the compressed one.

The workflow is as follows:

1. Create a password.txt file that contains your password.
2. Run resource_*. You will get a password.resource file as the result. (If your txt file has some other name, specify a -o password flag when running Resource.)
3. Copy password.resource into the <UnigineSDK>/source/engine folder.
4. Compile the engine via SCons with the password flag set: scons password=1

manuel.gysin Posted July 30, 2011

> The first one is the uncompressed length and the second is the compressed one.
>
> The workflow is as follows:
>
> 1. Create a password.txt file that contains your password.
> 2. Run resource_*. You will get a password.resource file as the result. (If your txt file has some other name, specify a -o password flag when running Resource.)
> 3. Copy password.resource into the <UnigineSDK>/source/engine folder.
> 4. Compile the engine via SCons with the password flag set: scons password=1

Hello manguste

Thanks for the detailed workflow. As we only have a license for the binary version, we cannot recompile the engine. There is no other way, or?

Thanks and a nice weekend
Manuel

manguste Posted August 3, 2011

Nope, sorry. From our side, it's just this tool.

manuel.gysin Posted March 26, 2012

I'm still fighting with this problem. Some dirty hacks are protecting the password in the memory, but when calling Unigine the password is accessible in the memory for a short time.

Question to other Unigine customers: How did you solve the problem?

renato.semadeni Posted January 14, 2015

Hi there,

I'm trying to follow the above description to encrypt my packages. Recompiling the main with the line below and the password "test" works fine if I use this command to create the archive:

```
CLI> ung_x64 -p "test" -o myData.ung myData.h
Engine *engine = Engine::init(UNIGINE_VERSION, argc, argv, 0, "test");
```

If I try to increase the security by using the resource_* command, I get the following variable, which I use to recompile the main.

```
static const char *pwd_resource[] = { "12 4", "eNorSS0uAQAEXQHBAA==" };
```

```
static const char *pwd_resource[] = { "12 4", "eNorSS0uAQAEXQHBAA==" };
Engine *engine = Engine::init(UNIGINE_VERSION, argc, argv, 0, *pwd_resource);
```

Do I now have to recreate the archive myData.ung? And how do I get Unigine to load the encrypted archive? Because I always get the error:

```
PackageUng::load(): can't read string ...
```

Thanks for the help
Renato

silent Posted January 14, 2015

Hi Renato,

According to this article passwords from Archiver tool and from C++ side should match. So, you need to rebuild ung package with new password.

You can try to load ung archive via -extern_package command on startup (main_x86d.exe -extern_package "/path/to/package.ung").

Thanks!

renato.semadeni Posted January 14, 2015

Hi Silent

As it is described here, it works properly. Although there is a little semantic fault in the docs:

```
Engine *engine = Engine::init(UNIGINE_VERSION, argc, argv, 0, 123456);
```

This line won't compile, due to the fact that the init function wants a const char* as last argument. Or do I overlook something? It should be "123456" in parenthesis...

I was reading the question by manuel.gysin and tried to increase the security with resource_*.exe. Or isn't it necessary to use resource_*.exe anymore? What do you propose?

Thanks a lot,
Renato

unclebob Posted January 14, 2015

Hi, Renato!

You're absolutely right about char* argument. It's our mistake in docs, we'll fix that.

The "resource_* thing" they discussed in this thread is not an .exe file, it's just a resource file which will be included during compilation of the binary. That said, it requires full engine recompilation from the source and if you don't have source license then all you can do (I assume you're going to use .ung archives) is to obfuscate your password string or calculate it dynamically but it'll be in memory anyway.

Another thing you can do is to implement your own protected archives with proper toolchain and tell Unigine's filesystem how to use them.

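Added example, not code from any poster in this thread or from the Unigine SDK: it reverses the two resource arrays quoted above with nothing but base64 and zlib, which shows the Resource tool output is a keyless encoding that anyone holding the binary can undo, and it measures what the two header numbers correspond to. The function name `decode_resource` is hypothetical; only the Python 3 standard library is assumed.

```python
import base64
import zlib

# The two resource arrays posted in this thread, with the password each poster
# said they fed to the Resource tool: (header, payload, stated password).
SAMPLES = [
    ("24 16", "eJzzrQxOTS5KLQlILC4uzy9KAQA1uwaAAA==", "MySecretPassword"),
    ("12 4", "eNorSS0uAQAEXQHBAA==", "test"),
]


def decode_resource(header: str, payload: str) -> dict:
    """Undo the encoding without any key: base64 decode, then zlib inflate."""
    declared = tuple(int(n) for n in header.split())
    raw = base64.b64decode(payload, validate=True)
    inflater = zlib.decompressobj()
    plain = inflater.decompress(raw)
    if not inflater.eof:
        raise ValueError("truncated zlib stream")
    # Bytes left after the end of the zlib stream are not part of it.
    stream_len = len(raw) - len(inflater.unused_data)
    return {
        "declared": declared,        # the two numbers from the header string
        "stream_len": stream_len,    # measured size of the zlib stream
        "plain": plain,              # recovered password bytes
    }


if __name__ == "__main__":
    for header, payload, stated in SAMPLES:
        info = decode_resource(header, payload)
        # In both samples the first header number equals the measured zlib
        # stream size and the second equals the recovered plaintext length.
        print(f"header={header!r} zlib_bytes={info['stream_len']} "
              f"plain_bytes={len(info['plain'])} "
              f"matches_stated={info['plain'].decode('ascii') == stated}")
```

Because no secret is involved in the decoding, the resource form should be treated as obfuscation of the password, with the same exposure as the string literal shown in the first post.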
renato.semadeni Posted January 15, 2015

Hi Andrey

Thanks for the explanation, for now we will use the .ung archives. I was just looking for approaches for a future deployment of our software.

Cheers,
Renato