Said unnamed platform announced today that it is shutting down from screenshots I’ve seen out of their Discord server, evidently they gave up even before they had to try. If this is all it takes, VRC should have threatened tighter security sooner 
I wont trust a word out of their mouths til i see their pages 404’d and their server deleted
Sorry but this answer is confusing
It’s really disappointing to see a feature going from “always planned” to “eventually”. 
1 Like
LZMA is not an encryption method, it is a compression method.
On the contrary, the Unity Editor and Unity Engine won’t “cease to exist” — If Unity actually goes under, what will happen is likely one of four things:
- Unity is purchased by another company and its tools are either maintained or rolled into another software package.
- Unity is purchased by another company for its assets and Unity Engine is discontinued. The engine and editor will continue to exist, but will no longer receive updates or bug fixes.
- Unity Engine becomes open source, and is maintained by the game development community.
- Unity Engine remains IP of a defunct Unity, and is discontinued. The engine and editor will continue to exist, but will no longer receive updates or bug fixes.
In any sense, the Unity Engine and Unity Editor won’t just vanish, but it would pose potential issues with VRChat going forward into the future. Being said, it would be unlikely much more of an issue than they already have by using legacy Unity systems like SPS, or the BIRP. If VRChat is to be forced to consider changing graphics pipelines, and deprecating the existing catalog of VRChat content, at that point they would be just as well off switching engines if this were the case.
I mean, neither are mutually exclusive; “Always planned” means that it has always been the intent from day one to make the feature available. “Eventually” means that said feature will eventually be added, just not at the current time. One is intent, the other is time.
I tested it again yesterday in one of my worlds and noticed that it’s not out yet…
wait whaaaat? @tupper
As you can imagine we use these a lot at Vket. We have official instances at the end of every world so you can go with your group to the next world.
I didn’t notice these being broken, but I wonder if people are not selecting the tool correctly in the vrcportalmarker.
To be fair it’s not very clear and there isn’t many tooltips for what is probably one of vrchat’s oldest, crustyest scripts lol.
Suspiciously every word after this is quite alarming. It’s currently Sept 15th, and this policy takes effect January 1st 2024 from what I’ve heard. So 3.5 months.
Worth keeping an eye on. Yeah. But lots of time for tweaks and clarifications and backtracking. How many new installs is VRChat going to have per month?
VRchat is big enough that they’ll get a response from Unity if a botnet decides to install VRChat 50 trillion times or whatever is most hyped up this hour.
Vket is actually the exact event I’ve been avoiding them in yeah, specifically because they never work for me… I genuinely just thought it was expected behavior.
1 Like
agree 
It’s generally a best practice to have the “default” state of your avatar (with default shaders and no animations) be something presentable anyway. I use Poiyomi’s UV Tile Discard on my main, but I still have two meshes (one for the parts I have shown by default and one for the parts I have hidden by default).
1 Like
Going by the fact that no one else has solved this issue, security through obscurity might either not exist or that it hard to know if there is a hole or not.
For sure. In general, they can certainly encrypt various levels of it.
But all of that is for naught because:
- It’s still a Unity game with plenty of hook-in mods to see how the game state is running and what it’s doing.
- Once people get the key, they can find a way to easily replicate getting the key so it’s faster next time, and then use that to decrypt the asset bundles.
It does make it more difficult, but big downsides of this are:
- It adds even more complexity on top of a game that already has performance issues, and will cause hitching to be even worse.
- It requires the VRChat devs to spend a ton of time on something that, frankly, barely impacts their bottom line. VRChat is a business and for a business to survive, business-needs come first. That’s a simple truth.
This adds a ton of complexity that VRChat would need to develop, which ultimately probably leads to far more bugs, especially if they’re modifying core Unity functionality that will be harder to get support with from Unity.
Besides, people get past EAC really easily, and like I said, they have programs that hook into Unity/VRChat and can see the current state of everything in memory.
Not really, not without the copyright holders providing DMCA takedowns to the host provider. But even that process is not super easy or effective.
Unless they change how unity assets bundles work, no. There are generic ripping tools that you can find easily and for free that can rip content from asset bundles.
Eh… you can still get shaders, materials, textures, meshes, etc. Besides functionality, you can still grab everything.
Like… if people grab the shaderfest world, it’s like a jackpot, lol.
No, they really can’t. Shaders are compiled into d3d assembly, and to reverse a shader from assembly back into C# you have to have the knowledge beyond the point you’d know how to just remake the shader yourself from scratch. I’m moderately decent in shader dev myself, and use my own shaders for everything, and have both attempted to reverse shaders (particularly lost shaders, or understand how a unity game did something specific), and been around many others who have as well; it’s obscenely impractical.
I’ve used many tools for dismantling and re-building unity3d bundles in other games for quite some time (for modding) and am very familiar with how it works. Unity in how it works, as well as it using C# instead of C++, it is just very easy to dismantle and dump source code for things (just a consequence of it’s convenience as an engine, this has it’s benefits for workflow), but this does not apply to shader compilation.
Also, people rarely own the models they put into worlds. Usually it’s stuff they found, ripped or purchased.
misutaaasriel
That’s why i suggested DexProtect, because the key is local to your system only, and unique per avatar. They’d have to put in a similar amount of effort to crack a game with encrypted assets just to crack your one avatar.
Also runtime performance, cuz you have to run decryption on everything.
Speaking of which, we are okay with people (including members of groups that are around the vrchat dev team regularly) ripping content from licensed copyrights, including games and such, but condemn people for ripping inside the platform?
You all must realize, someone who rips, i dunno, star wars, or mario for example, could get find with obscene amounts of monetary charges, OR go to jail,* someone who rips an avatar made mostly of assets neither party actually owns rights to, doesn’t have really any significant legally actionable foundation outside of formal DMCA takedown requests. — Just make an easier and more readily available DMCA form system for vrchat.
…Also security through obscurity is long proven nonsense, as it only slightly delays the inevitable. If your security is good (enough) you can be transparent about it.
*note there are loopholes and exceptions for fair use under transformative art, and non-profit conditions, but these are still grey and are debated in court if the case rises to that level
. . . Can nobody see the contradiction here?
Really should have been mentioned that it’s IMPOSSIBLE to stop people stealing models. If companies with billions of dollars can’t stop it then no one can. It really needs to be stated so people have realistic expectations.
1 Like
I mean… they did say that… 
2 Likes
Yes they can. At least in my experience with VRChat, it just is the original HLSL and I can use the shader in any other Unity project. I just checked with a world I have and it shows all the shaders in their original HLSL format.
This seems fine. But also, I really wonder what it’s doing. It seems like it is just generating blendshapes for everything. I don’t understand how it can re-construct an avatar with animations or blendshapes, but I also can’t imagine this runs very fast and probably would contribute to even more poorly optimized avatars.
Yep, precisely.
Generally choose AES128 or 256
Approximately 3.5GB/s(128) with ~4Ghz i5 skylake(4core)
Now the new architecture is estimated to have twice the performance and more cores (the newer architecture has an extremely high IPC of AES in this regard)
256 is 2.5GB/s
Nowadays, the size of avatar generally does not exceed 100MB. Even thirty avatars take about one second on older CPUs, and you can choose AES128 instead of AES256.
Under the new architecture of the CPU, it is estimated that the impact of about 0.5 seconds will not be too great. Other overheads such as initializing the instance are much higher than this, which takes more than five or six seconds (thirty intensive).
However, due to the dense load, it is easy for the profile type tool to accurately capture the address. It needs to quickly switch a lot of memory addresses. To a certain extent, it will cause the instruction miss of x86/ARM to be high, and the speed may be reduced by about single digits. %.
However, it should not cause L2 (instructions can be read to L2 in the page at high speed, and instruction branches can be predicted), so the cost will not be too high.
Address randomization comes at a cost
This is a matter of considering the base address offset. This means that there is actually a possibility to be correctly captured and successfully injected to modify the instruction context, thereby directly using the key and side channel means.
But compared to more complex solutions, the efficiency is much higher.
More complex solutions and intensive switching will bring more instruction misses and at the same time lead to the most expensive page hit rate problem. Generally speaking, instructions are about 0.1% miss and 1% data miss, and then recovery is achieved through cache and system management mechanisms. The cost of the page is very low (although it is not in the TLB, it is still in the cache rather than in the memory. It is also necessary to ensure that the page of the page is not retrieved from the memory multiple times, otherwise it will cause huge performance overhead)
In extremely exaggerated cases, the performance will only be 10 to 1% of the memory access capacity. A ten-cycle operation will take at least a thousand cycles to complete, causing the IO performance to completely collapse. The encryption system will cause the CPU to Fully loaded and performance on the main thread is erratic to a fraction.
Yeah sure if we ignore the defaming that has happened to many people, some far more publically than others, all that could be true. Sadly, your fake anecdote on pretending to ignore the defamation isn’t an argument. I’m signing off again to lurk for months again after this post.
Avatar ripping has many more ways to cause harm than just defamation as well, you can impersonate others alongside the advent of AI voice changers, just because you aren’t clever enough or pretend to not be observant enough to not notice any of it going on, doesn’t mean anything.
Shaders aren’t written in C#…