RMMZ Is obfuscating and domain-locking a safe way to redistribute 3rd Party Plugins in a Game?

Aerosys

Veteran
Veteran
Joined
Apr 23, 2019
Messages
698
Reaction score
671
First Language
german
Primarily Uses
RMMZ
Hey all,

I want to add a Minimap into my Sample Game and publish it as a browser game so people can try it out instantly but the Minimap is a paid one. Hence, I want to obfuscate and domain-lock it using https://obfuscator.io/. But is it safe? Googling for a few seconds I easily found websites that claim they can de-obfuscate JS codes.

Best regards
Aero
 

Andar

Veteran
Veteran
Joined
Mar 5, 2013
Messages
35,825
Reaction score
9,476
First Language
German
Primarily Uses
RMMV
but the Minimap is a paid one.
actually it doesn't really matter what you think on the method you're planning to use.

what matters is what the EULA/ToS of the paid plugin says in that regard.
Those are the requirements of what you have to follow - everything else is just optional add-on of your personal liking.

A lot of paid plugins make exceptions for distribution inside games, exactly because most protections fail somewhere.
 

Aerosys

Veteran
Veteran
Joined
Apr 23, 2019
Messages
698
Reaction score
671
First Language
german
Primarily Uses
RMMZ
@Andar I know about EULAs and T&C, but I wanted this thread to focus more on the security rather than the T&C. Assuming a rule says "protect my Plugin when distributing your game", would there be a legit way to do so, given JS is fully readable? In theory, no, but in practice?
 

The Stranger

The Faceless Friend
Veteran
Joined
Sep 14, 2012
Messages
3,686
Reaction score
24,501
First Language
-
Primarily Uses
N/A
What do you mean when you want to know if it's safe? Do you want to know if that website is legit? I have no clue. Do you want to know if it'll make your plug-in impossible to steal? The answer to that one is no. It'll deter lazy\opportunistic thieves, but won't stop more dedicated ones.
 

Andar

Veteran
Veteran
Joined
Mar 5, 2013
Messages
35,825
Reaction score
9,476
First Language
German
Primarily Uses
RMMV
In theory, no, but in practice?
not on a website.

as said above, obfuscating only makes the code unreadable to humans. It still has to be able to be read (and executed) by a computer, and as a result a computer can also be used to remove most of the obfuscation.

a better (but still not perfect) protection would be an exe-wrapper, but that doesn't work over the web, only locally.

there is nothing that will ever give a more than anecdotal protection to someone really interested if you want to play a html game over the web, because the browser needs to be able to read the code to run it.
That is because the browser is an interpreter with an open language standart - you would have to create your own data structure and a special browser program for it to get better protection, and that would defeat the purpose of the web deployment.
 

ATT_Turan

Forewarner of the Black Wind
Veteran
Joined
Jul 2, 2014
Messages
4,069
Reaction score
2,478
First Language
English
Primarily Uses
RMMV
I wanted this thread to focus more on the security...would there be a legit way to do so, given JS is fully readable?
As is mentioned in all of the many threads about security concerns, there's ultimately no way you can prevent a determined person from accessing your assets.

Professionally-published games with full access to paid encryption and the ability to devote teams to it if they like still get players writing tools to access the data and create mods and cheats. What can you do that they can't? :wink:

Take whatever basic measures you like - obfuscate the code, encrypt your deployment, stick it in an executable wrapper, but the only way to ensure that no one can get to your stuff is to not release the game.
 

HexMozart88

The Master of Random Garbage
Veteran
Joined
May 15, 2016
Messages
2,445
Reaction score
4,690
First Language
English
Primarily Uses
RMVXA
I don't think trying to find a foolproof method of protecting your code is really going to be fruitful. If a determined hacker finds a person's code which was paid for and used in someone's game, and redistributes it all over the internet, you can't blame the person who made the game. Sometimes stuff just happens. Also, would they even be able to trace it to you if that were to happen?
 

Arthran

Veteran
Veteran
Joined
Jun 25, 2021
Messages
194
Reaction score
173
First Language
English
Primarily Uses
RMMZ
Hey all,

I want to add a Minimap into my Sample Game and publish it as a browser game so people can try it out instantly but the Minimap is a paid one. Hence, I want to obfuscate and domain-lock it using https://obfuscator.io/. But is it safe? Googling for a few seconds I easily found websites that claim they can de-obfuscate JS codes.

Best regards
Aero
If your main goal is to prevent people from easily reading your code, then the obfuscation can help with that. But I'm assuming that your main goal in this situation is to stop people from using the plugin at all.

If it's the latter, then you're more interested in the domain locking, and the obfuscation is moreso just a means to protect the domain locking? If that's the case, then I'm afraid that it's not really very strong protection.

The thing is, a person could simply spoof their domain, and then they don't have to be able to read/edit your code in order to defeat the domain locking. Somewhere in the obfuscated mess of code, it's going to read the browser's document.domain property, in order to determine whether or not you're on the correct domain... so a person could just re-write the document.domain getter to always return the correct value, and then your domain locking code will always be happy. You could obfuscate the code all day, and it wouldn't matter.

I can think of a couple other cute ways to get around it as well, but it's probably better not to go into too much detail about these types of things here. The point is, a clever enough person could still steal your plugin.
 

Latest Threads

Latest Profile Posts

It's not about the engine, it's about the resources.
After several days, my new pc is finally built and working. What an ordeal!
Quest_Shop_Plugin.png

Harold will need to do a lot of shopping on his quest, so I thought I'd try tackling the shop design tonight.
Never play a random encounter RPG on the toilet. Just don't. Especially not one with save points instead of menu saving.
spent the entire day working on problems I was having in battle. enemy's tagging in and out was one of them.

Forum statistics

Threads
121,963
Messages
1,145,494
Members
160,237
Latest member
ConfusedPedestrian
Top