Obfuscated Plugins - Something you should be aware of.

[myenemy]

It is clear it is forbidden to obfuscate the base code of the project, but...

In order to make our plugins work, we need to override many functions in the original code.
Terms of use and GPL say you cannot hide the code, so in theory, you should not obfuscate the name of the overriden functions.
If I am reading too much into this, this is the kind of confusion you get from reading the fine print in the fine print.

 

[Zeriab]

Nice to see some actual data
Data from stress testing can absolutely be useful as guiding principles and for testing techniques against each-other.
For optimizing your own game I recommend taking a holistic approach.
The profiler is key here. Record a session and then investigate what the time is spent on. Here is a recorded frame where I in test play opened the menu the first time. (old VisuMZ sample game - from November 22, 2020 - Update #14)

A bunch of graphic assets needs to be fetches so this takes a long time (163.9ms).
The width of a block is its total time. The left arrow shows where canvas calls 3 fairly lengths methods. The gap you see is time spent in the actual canvas method itself.

Profiling is great to figure out where optimizations actually matter. In my own game I noticed some code being in efficient. I could spend a day to implement a more efficient solution and probably cut the running time down to a 1/4th. This piece of code ran when I generatied a level. I profiled it and saw that with the current inefficient solution it took less than 0.1% of the level generation time. This is an example as to why checking the actual impact is important.

In the profiler you can select a task and then click on Bottom-Up:

Great function that allows you to see which methods actually are the most expensive. If you want to optimize your game I recommend focusing on the hot spots.
Notice the Scene_Menu.<computed>.<computed> method as well as the j>a.deflate.
This is another cost of using obfuscated code. The code paths that touch obfuscated code more difficult to follow.

Before actually trying to optimize it is important to ask yourself of the value. Does it really matter that opening the menu the first time takes a 1/6th of a second? (Didn't test following menu opens is quicker)


The information about the performance impact of obfuscated code is mainly important for programmers. Obfuscated code has a tendency to have uncessary chains of calls. Hot loops in obfuscated code are then places where may be worth reducing the callstack depth.
One can choose to consider the obfuscated code as the actual code (i.e. ignore its history). In this case you just have ugly unnecessarily complicated code.

For non-programmers I wouldn't worry about it too much. Instead I would rather consider the fact that programmers tend not to like to deal with ugly unnecessarily complicated code and take that into account when considering whether the plugins provide enough value for your game.
For Visustella stuff my experience is that the people behind it has been good at providing support. I would also consider that as well.

*hugs*
- Zeriab

 

[Frostorm]

@Zeriab Where/how do I access this profiler? Is it just part of the console(F8)? Sry, I r teh nub. XD

 

[Aesica]

Nice benchmark, it's good to see someone confirm something I stumbled upon accidentally when creating my own event plugin, as it performed substantially better despite having shoddy-at-the-time code.

Another fun thing about obfuscated plugins (disclaimer: I'm not accusing anyone of anything here) is that its harder to prove whether or not they contain stolen code. Again, I'm not saying a certain group that deals exclusively in obfuscated plugins does that, but when one runs their code through a blender to hide it from others, the only people who truly know for sure are those who create the products.

It also makes the files unnecessarily large and impractical for any code-savvy developers to work with, which isn't helpful to literally anyone.

BuT At LeAsT ItS HaRdeR FoR BaD PpLz To SteEl TeH CoDe~

i'm still scared to using Visustella Battle Plugin, 'cause that "Lowercase" problem, 'til now...

in the end, i'm still stick in MV. there's so many best plugin to get for my project

Have you considered trying FOSSIL for your MZ projects? You can skip VS and go straight to the vintage Yanfly plugins. No obfuscation and better performance.

 

[XickerskF]

I don’t wanna start stuff, but why do paying customers get a technically “worse” product than people that use the plugins in an unintended way.

There’s been the same arguement for games i.e Denuvo but the performance impact of that isn’t really proven in a unbiased way yet.

 

[TheAM-Dol]

Denuvo but the performance impact of that isn’t really proven in a unbiased way yet.

 

[gstv87]

question: obfuscation is just the scrambling of the function's names, right? why should it affect performance? names are only relevant to the programmer.... at run time, it's all memory addresses.
in fact, it should run faster, not slower, depending on how much shorter the scrambled names are, as there are a lot less bytes to read from the file.
Minecraft does this as well, and it's limitation on running speed comes from general graphic load and number of entities, not basic processing.

So here is an example of an obfuscated line of code. It wouldn't actually look exactly like this in the file though:

if (!VisuMZ[decrypt(0)][decrypt(230)][decrypt(77)][decrypt(1337)]) return;

Basically, decrypt() is a function that takes an integer argument, performs some operations on it to transform it into a different integer, and then passes it to yet another function, which then uses that integer to return a string from an array of strings.

whwhooehmshnbmhmm.... hang on a second here.
OF COURSE it's gonna run slower if you do it this way... you're calling 4 extra tasks EVERY TIME.
un-scrambling a scrambled code "on the fly" is always gonna be harder!
if you want to obfuscate the code, you do it after it's been completed, for good, not through functions!
it'd be the equivalent of compiling, hard-coded (kinda) but without the actual compiling.
is it the most efficient? probably not, but if you can't compile it and want to protect the algorithm, that's the best way.
can it be decoded? yes, but not by a random tinkerer.
like I said: that's how Minecraft does it, and it works!

what's the big news here, then?

 

[Indinera]

The point that it was meant to illustrate is that the obfuscated version of the plugin *does* perform significantly worse than the de-obfuscated version of the plugin. I feel that that point stands, and is undeniable.

It's not just about extreme situations IN the game. Some players may have extremely slow computers too, and therefore trouble running properly even 'normal' non extreme situations.
So for them, I suppose there would be a significant gain in fully optimised plugins.

 

[Yanfly]

The point that it was meant to illustrate is that the obfuscated version of the plugin *does* perform significantly worse than the de-obfuscated version of the plugin

This is where it is misleading. It does not perform "significantly worse" (as you claimed) than the de-obfuscated version of the plugin when not placed in a stress test environment. By no means would normal usage of the plugin result in such kind of frame drops.

To iterate on a analogy: Claiming that drinking water is harmful because if a person downs 50 gallons in one sitting, it'll kill them.

This is faulty reasoning by taking the fringe case and applying it as the answer to the norm.

It's not exactly uncommon to run into games that have some performance problems, and piling a bunch of highly de-optimized plugins into such a game is definitely not going to help the situation.

My team has projects that utilize the whole plugin library's obfuscated plugins (that's 100+) of them. Anything used within the norms of RPG Maker without going out of the way to intentionally dunk the FPS keeps the game at a stable 60 FPS.

Furthermore, we have tens of thousands of customers, making tens of thousands of games that we receive bug reports from and fix. These tens of thousands of games are being made on tens of thousands of computers with varying builds and strengths. In very rare cases, these bug reports involve FPS issues. We get those resolved, too. People know that FPS issues are bugs and do indeed report them. The library is extremely stable at 60 fps with the whole library installed.

It was certainly not malicious intent. It's just that, the purpose of a TL;DR is to give as concise of an explanation of the meat of the post as possible. If you add a bunch of explanations and disclaimers into a TL;DR, it stops being a TL;DR... it just becomes a post. And in this particular case, the reason I put it at the top of the post like that was moreso to try to interest people so that they *would* read the explanations and disclaimers. Due to the size of my post, I was worried that people would get scared off and just immediately leave, if I didn't state a clear point immediately.

Leaving out the variables used to reproduce the claims is intentionally misleading. Going back to the water example, using your reasoning, you could make a misleading tl;dr by leaving out words. Example:

"Drinking water can kill you."

Adding three extra words to your tl;dr would be suffice to include the disclaimer. Want an example?

"Obfuscated plugins can harm your game's performance under extreme scenarios."

Is that not a more clear message?

The thing is, people can't read your mind--especially not from all the way across the internet. So when you very clearly type "You may edit the source code to suit your needs", people are going to think that they can, in fact, edit the source code to suit their needs. Plus, I'm fairly certain that I've seen you state, on multiple occasions, that the reason you obfuscate your code is to prevent theft--not because you have some type of issue with people editing the plugins that they purchased from you.


I think that most people would wind up interpreting these two things as: "It's difficult to edit your code now, as an unfortunate side effect of us trying to protect against code thieves, but you are allowed to do it if you are able to."

I don't expect anyone to be able to read my mind. However, when people lock their doors at night, they don't feel the need to state their intentions either.

Editing of the source code primarily pertains to the Plugin Parameters as answered earlier due to curious members. We do allow editing of the actual source code, and you're right, it is to prevent theft.

However, our intentions remain that we want our works secure as many of our members are victims of theft in the past.

Please see my explanation in my response to your first point. But just to add on to it, I think it's fairly normal for a game dev to want to optimize their game. If I can easily double the performance of the weather system in my game, without losing anything in return... why wouldn't I? That could make the difference between whether or not someone with a weaker system is able to comfortably run my game. Please bear in mind that while *you* may (arguably) have something to gain from the obfuscation of your plugin, I certainly don't, and the people playing my game certainly don't. So if removing it can potentially improve their experience, and also make the product that I'm releasing even slightly more pride-worthy, then I would obviously prefer to do so.

1. The obfuscated plugin already runs at 60 fps when used outside of extreme situations.

2. This is also tested on computers that barely meet the RPG Maker MZ system requirements (we happen to have one lying around). They maintain 60 fps when used normally and not to produce unrealistic extreme scenarios.

3. Going back to the statements I've made in an earlier post, you wouldn't come across these kinds of situations unless you go to the absolute extremes. We have tens of thousands of customers making tens of thousands of games and they're being made on tens of thousands of different computer builds. If this is truly an ongoing problem, they would have spoken up and we would have fixed it.

Performance is far from an issue even in the obfuscated state.

----------

BuT At LeAsT ItS HaRdeR FoR BaD PpLz To SteEl TeH CoDe~

Since you have a habit of mocking VisuStella whenever you get a chance, but always shy away when one of our members ask you directly, I'll ask on behalf of them here:

"What is your proposal to keep code safe from theft?"

Each time our team members asked this, you go full silent. Can we get an actual answer this time?

 

[TheAM-Dol]

Can we get an actual answer this time?

In my opinion: you're asking the wrong question. You're asking what to do to keep the code safe when I think a better question should be "What is your proposal to benefit our customers and our business the most?"
Your focus on "what protects our code?" sounds more focused on your business and doesn't sound focused on your customers. It's about you, and not about the people who pay for the product.
What it looks like to me, and forgive me if I misunderstand, but it looks like distrust in your customers. It looks like you harbor cynicism towards your customers, and it looks even worse when you come here writing very lengthy paragraphs that seem somewhat accusatory rather than a leveled response.
My answer to the question is: You shouldn't worry about protecting the code. The reality is that bad actors exist and always will. I would do what I can to encourage customers to act in good faith. Accessibility, transparancy, and good customer relations. From my experience so far however, this community cares a lot of about it's developers, and especially a well respect dev such as yourself, I think this community would contact you in a heartbeat if they got a whiff of someone even slightly ripping your code (I suspect that's how you came to this thread in the first place). Honestly, of all people to obfuscate code, it's a big name that seems like the least appropriate since they have followers, fans, and loyal customers ready to protect your work. The smaller devs without a name don't have the same kind of legacy and respect, they are unknown, and therefore it's easy to rip their code and they likely would be none the wiser.

Yanfly, I definitely respect your work and glad to be able to use it in my projects. I hope you will at least reconsider some business practices - or otherwise, just ignore threads like these if you have no intent on changing.

 

[Frostorm]

This is where it is misleading. It does not perform "significantly worse" (as you claimed) than the de-obfuscated version of the plugin when not placed in a stress test environment. By no means would normal usage of the plugin result in such kind of frame drops.

Yea, the keyword here is "significantly". That's the misleading part, imo. I think a more accurate term would describe somewhere between "negligibly worse" and "somewhat worse".

 

[gstv87]

This is faulty reasoning by taking the fringe case and applying it as the answer to the norm.

it is also false reasoning to claim that since someone came up with a given solution to the same problem, it is invariably due to the fact that they stole code.
if there is one way and one way only to solve a certain problem, there's not much you can do to prevent people from finding it on their own, with or without your code in the picture.
if there is not, slapping a price tag on one of them isn't gonna make the difference.... people would just use the cheap alternative.

 

[123edc]

1. Using extremely fringe cases in unrealistic situations in order to "prove a point" does the exact opposite to anyone reading the literature.

dripple, dripple little drop ...
constant dripping wears away the stone

yes, he tried it in an unrealistic situation in order to "prove a point" ...
on the other hand, he tried it with onle one (!) plugin at a time ...

how many plugins are currently available again?
over 7-times the (financial) worth of the maker itself!

each and every plugin - by nature - will have a certain impact
and he kinda proofed (and thinking about it - it sounds kinda logical), that obfuscation will hurt the performance of a plugin

many littles can sum up to a big ...
and that's what he was saying (at least it's like how i understood the point he made)
... not more, not less

 

[Archeia]

I want to put my two cents in this topic and I do have some gripes with some of the "proof" of the issues.

Using a profiler for a project that is outdated by almost 2 years is misleading (2020 versus 2022). This is like saying RPG Maker MV 1.0.0 is the same as RPG Maker MV 1.6.x.

At least Athran used the latest plugin. I don't agree with how Athran tested the plugins and even he mentioned they're not a fair comparison to some extent. VisuStella MZ plugins, especially weather effects, have guides on how to stabilize your FPS and tells you exactly not what to do. It's important to know the limits of your creation and warn your users. Let's not fool ourselves that lighting plugins don't have some form of performance issues, especially RPG Maker.

FPS problems, at least from my perspective from doing games, can either be

1. a bug
2. my terrible eventing practices
3. bad implementation of resources or systems.

As someone who also had to test and talk about RPG Maker performance, it's not abnormal where we would get performance reports about RPG Maker's core scripts, my above points still apply.

Even if there is a ""slower"" loadup with encrypted plugins, is this slowdown so bad that it makes the plugins unusable aside from fringe cases which is something we will rarely encounter even as a power user?

Just because it's open it doesn't mean it's good or functional, or you know, better.

 

[Yanfly]

In my opinion: you're asking the wrong question. You're asking what to do to keep the code safe when I think a better question should be "What is your proposal to benefit our customers and our business the most?"
Your focus on "what protects our code?" sounds more focused on your business and doesn't sound focused on your customers. It's about you, and not about the people who pay for the product.
What it looks like to me, and forgive me if I misunderstand, but it looks like distrust in your customers. It looks like you harbor cynicism towards your customers, and it looks even worse when you come here writing very lengthy paragraphs that seem somewhat accusatory rather than a leveled response.
My answer to the question is: You shouldn't worry about protecting the code. The reality is that bad actors exist and always will. I would do what I can to encourage customers to act in good faith. Accessibility, transparancy, and good customer relations. From my experience so far however, this community cares a lot of about it's developers, and especially a well respect dev such as yourself, I think this community would contact you in a heartbeat if they got a whiff of someone even slightly ripping your code (I suspect that's how you came to this thread in the first place). Honestly, of all people to obfuscate code, it's a big name that seems like the least appropriate since they have followers, fans, and loyal customers ready to protect your work. The smaller devs without a name don't have the same kind of legacy and respect, they are unknown, and therefore it's easy to rip their code and they likely would be none the wiser.

Yanfly, I definitely respect your work and glad to be able to use it in my projects. I hope you will at least reconsider some business practices - or otherwise, just ignore threads like these if you have no intent on changing.

The question was directed at Aesica as a general prompt, not a business-related one.

However, to honor the rest of your suggestion, I've already done exactly that. It's called Yanfly Engine Plugins. Leaders of the community did not back me up and choose to side with the bad actors. The rest is history.

it is also false reasoning to claim that since someone came up with a given solution to the same problem, it is invariably due to the fact that they stole code.
if there is one way and one way only to solve a certain problem, there's not much you can do to prevent people from finding it on their own, with or without your code in the picture.
if there is not, slapping a price tag on one of them isn't gonna make the difference.... people would just use the cheap alternative.

Show me where I claimed this.

dripple, dripple little drop ...
constant dripping wears away the stone

yes, he tried it in an unrealistic situation in order to "prove a point" ...
on the other hand, he tried it with onle one (!) plugin at a time ...

how many plugins are currently available again?
over 7-times the (financial) worth of the maker itself!

each and every plugin - by nature - will have a certain impact
and he kinda proofed (and thinking about it - it sounds kinda logical), that obfuscation will hurt the performance of a plugin

many littles can sum up to a big ...
and that's what he was saying (at least it's like how i understood the point he made)
... not more, not less

You read one part of the post and not the rest:

"My team has projects that utilize the whole plugin library's obfuscated plugins (that's 100+) of them. Anything used within the norms of RPG Maker without going out of the way to intentionally dunk the FPS keeps the game at a stable 60 FPS.

Furthermore, we have tens of thousands of customers, making tens of thousands of games that we receive bug reports from and fix. These tens of thousands of games are being made on tens of thousands of computers with varying builds and strengths. In very rare cases, these bug reports involve FPS issues. We get those resolved, too. People know that FPS issues are bugs and do indeed report them. The library is extremely stable at 60 fps with the whole library installed."

 

[Frostorm]

Your focus on "what protects our code?" sounds more focused on your business and doesn't sound focused on your customers. It's about you, and not about the people who pay for the product.
What it looks like to me, and forgive me if I misunderstand, but it looks like distrust in your customers. It looks like you harbor cynicism towards your customers, and it looks even worse when you come here writing very lengthy paragraphs that seem somewhat accusatory rather than a leveled response.

However, to honor the rest of your suggestion, I've already done exactly that. It's called Yanfly Engine Plugins. The community did not back me up and choose to side with the bad actors. The rest is history.

Yes, before these "bad actors" spoiled the fun for the rest of us, all YEP plugins were free and very much "for the community". Anyone who's been following @Yanfly knows that everything done, was done so for the community. We're talking ~200+ FREE (at the time) plugins. Unfortunately, a couple of bad apples took advantage of Yanfly's goodwill. It still irks me to this day that people would have the audacity to plagiarize his work. :[

And while I'm not a fan of obfuscation, I think it's pretty plain to see why the decision was made to do so. We can blame those "bad actors" for that.

 

[gstv87]

Show me where I claimed this.

we want our works secure as many of our members are victims of theft in the past.

"theft" is only *theft* if you can claim ownership of the stolen object.
and you can't claim ownership of the one true solution to a problem.
you may register the design of the hammer, but *the act of applying force to a blunt object against the head of a nail for the purposes of joining two pieces of wood* can still be performed with a rock, a sledgehammer, the heel of a shoe, or a screw clamp.

you can try and protect your work all you want... but *deprecating the performance of your product for the sake of adding layers of protection to said product just in the odd case that it might get stolen* is stupid.
sometimes people end up with the same solution out of sheer luck, or rational analysis of the problem at hand, without knowing that you had the solution as well.
it's called "learning".

 

[Iron_Brew]

To be fair, from what I understand of the situation the VS team do seem to be taking reasonable steps to make sure their work isn't plagiarised, and I'm confused as to why people still feel entitled to their work for free simply because Yanfly used to provide the service for free.

It smells of entitlement to me to demand that people who have a marketable skillset should give you access to their work for nothing, especially if they've had their work stolen in the past. Aside from the whole "is it OK to use the RTP" argument that crops up every couple months it feels like this is the topic that gets the community most heated.

Simple fact is: Nobody's forcing you to use these scripts, and if people really were just taking modules of Yanfly's code wholesale and putting them in their projects as a "learning exercise" (and not crediting the creator of the code) then they've done even more damage as they've also reaped the educational rewards and the wider community is paying the price.

Whole situation sucks, honestly. Just wish nobody'd nicked the work in the first place.

 

[Yanfly]

"theft" is only *theft* if you can claim ownership of the stolen object.
and you can't claim ownership of the one true solution to a problem.
you may register the design of the hammer, but *the act of applying force to a blunt object against the head of a nail for the purposes of joining two pieces of wood* can still be performed with a rock, a sledgehammer, the heel of a shoe, or a screw clamp.

you can try and protect your work all you want... but *deprecating the performance of your product for the sake of adding layers of protection to said product just in the odd case that it might get stolen* is stupid.
sometimes people end up with the same solution out of sheer luck, or rational analysis of the problem at hand, without knowing that you had the solution as well.
it's called "learning".

We claimed theft for those instances because we have evidence of matching code used. aka code that imitate our own obscure coding habits that and doesn't match anything else the thieves use.

 

[Archeia]

Please keep in topic and stop bringing up theft or whatsoever. This is about obfuscation performance and should users be concerned.