How to store salt (secret key) invisible for decompilers
Hello, developers. I need a solution to hide the salt variable or its value from decompilers like ILSpy. I'm using the salt to test MD5 hashes with data provided from the web player.
I don't understand. ILSpy cannot decompile a Unity application.
Sorry, my bad. I meant Assembly-CSharp.dll after unpacking the Unity application.
Answer by Julien-Lynge · Apr 13, 2014 at 07:51 PM
It is impossible to place a key in an application that is invisible to an end-user. The key has to be readable from the application so that it can be used (e.g. in making requests). If the application can read the key, and therefore the system running the application can read the key, a user can read the key.
Unfortunately, no, there is no perfect solution. You can definitely make things harder, but a skilled programmer can always read the key, because your computer can. This doesn't just apply to code, BTW: skilled folks can pull all of the images, 3D models, audio, and more out of an application that runs on your computer.
This is the reason that many games do remote logins. When the game starts, the user logs in to your server, and your server (after validating the user) issues a session key that's good for one period of playing. The user never has access to the algorithm that's generating these session keys, so they don't suffer the same issue. And because they expire and rely on a user to successfully log in before generating one, they are much more secure.
If you can't do a remote login / session key, then I suppose you could stick your salt in unmanaged code in a separate DLL so that it can't be opened in ILSpy. Now, that doesn't mean someone skilled couldn't still access it (there are fairly easy ways), but it's at least one more step, and a bit harder.
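The remote-login scheme described in this answer, sketched server-side as an added example (it is not code from the thread): the server checks the login, issues a random session key that expires, and accepts a score only when it arrives with a live key. The Python server, the names `SessionServer`, `make_user` and `key_id`, the 30-minute lifetime and the PBKDF2 password check are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # seconds one play session stays valid (assumed value)

def hash_password(password, salt):
    # Slow, salted password hash; the per-user salt lives only in the server's user table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password):
    """Build a constructed sample user record: (salt, password hash)."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)

def key_id(session_key):
    # Keep only a digest of each key, so a leaked session table holds no usable keys.
    return hashlib.sha256(session_key.encode()).hexdigest()

class SessionServer:
    """Server-side state; none of it is compiled into the game client."""

    def __init__(self, users, clock=time.time):
        self.users = users        # user name -> (salt, password hash)
        self.sessions = {}        # key_id(session key) -> (user name, expiry time)
        self.clock = clock

    def login(self, user, password):
        """Validate the user, then issue a random key for one play session."""
        record = self.users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        session_key = secrets.token_urlsafe(32)  # random, not derived from any client secret
        self.sessions[key_id(session_key)] = (user, self.clock() + SESSION_TTL)
        return session_key

    def submit_score(self, session_key, score):
        """Return (user, score) for a live session key, otherwise None."""
        entry = self.sessions.get(key_id(session_key))
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:
            self.sessions.pop(key_id(session_key), None)  # expired keys are discarded
            return None
        return user, score
```

A decompiled client built this way contains no salt or key to recover. The session key ties a submission to a logged-in user for a limited time; it does not by itself prove that the submitted score is genuine.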
Answer by Phastin · Jun 07, 2015 at 12:09 PM
Obfuscation is the solution here: Try a salt that's generated at runtime using a variable that no one would guess. For instance:
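// xSpeed is an existing gameplay variable whose runtime value doubles as the salt.
// md5() stands for whatever MD5 helper the project already uses (assumed; not defined here).
string actual_data = "your data here";
string md5_result = md5( actual_data + xSpeed.ToString() );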
In this case, (going by your source code) the 'salt' would be the string '300.0'.
That doesn't help at all since the decompiler can see the variable you used and the method used to calculate the salt from it...