Gonso System

CrypticWibblyWoo

So, i dont understand the Gonzo System much... or at all really. I had learned about it when i started messing with leaked avatars but i still dont understand how it works. I know what its supposed to do is lock you out of an avatar you dont own. But i heard it logs your ip and basically flags you to creators? Writing it out, i know it sounds silly, but im not that tech savvy so im not sure what unity does or doesnt allow. So im not sure if something like that can happen.

My main question is:
What happens to a model with gonzo if the creator no longer uses gonzo?
And, how does one manually remove gonzo?

A preferred avatar creator Birdy says on her shop that she doesnt use gonzo anymore. Personally dont believe it but why lie to your buyers? She has a new model whose original files include gonzo. It was leaked prior to the announcement and no one has the files without that i know of but id really like to use the avatar.

dead soul

bump cause im pretty interested in the system myself
there are two people that could answer some of these questions but they havent been online in a while so

taikeru

But i heard it logs your ip and basically flags you to creators?

unconfirmed, but given the closed-source nature of the system i wouldn't put it out of the equation - so far though Gonso himself has told me directly (and proven to me) that he does not have interest in logging IPs; as far as i can tell that remains the case now

What happens to a model with gonzo if the creator no longer uses gonzo?

hopefully, like Whituu's Sakura from a while ago, it is simply updated for the purchasers to not have the system in the package; otherwise it's just up to the creator to do that themselves

And, how does one manually remove gonzo?

this one is an involved process. there isn't a singular way to remove this system, and there is definitely not a simple way to do so without a decent handle on programming and cybersec tools

both @halcyon and i have worked on ways to get around this and she still works on them now; i just help with code stuff occasionally as i've mostly lost interest in it

it boils down to a few methods:

• the first, is to decompile the GonsoLicense DLL (most versions are obfuscated with ConfuserEX - it's very easy for a user to see this by loading the DLL into something like Ghidra or DnSpy); and once you've obtained the source code, you can write your own Unity scripts to "fake" requests to the API, basically copy-pasting the Decrypt method so it can be decrypted manually with the key from the API
  • there was a tool developed by a few acquaintances of mine that circulated around this forum a while ago; it was based off of my original methods and code that ended up being heavily edited for public use
• the second is to hijack the Unity process and "stall" it while the Licenser does its tricks. the drawback of GonsoLicense is that it has one major flaw: Unity cannot load or upload encrypted files. at some point during the upload process, these files have to be decrypted to be packaged - giving users a small window in which they can grab the files if they can get around Unity's directory locking. while simpler on paper, Unity's directory lock is pretty robust and isn't easy to bypass

Personally dont believe it but why lie to your buyers?

money. i wish i could say most creators using the GonsoLicense system are doing it without malicious intent, but the bottom line is many of them are looking for quick ways to maximize their profit margins for mediocre avatar work (not the case for all, but many), where some creators like Strawbunny don't even do most of the work and outsource it - there's a reason you don't see larger, more confident creators using the system (to name a few, such as Godfall and Nikkie) - the quality of their work speaks for itself (and is usually worth the price); most importantly their interaction with the community they've built doesn't give many users a reason to maliciously steal their products

it's all business practices, and predatory ones at that

i'm aware specifically for Birdy's case that they did actually stop using Gonso, but released the non-GonsoLicense'd package under a completely separate listing on their Gumroad. whether they forced previous buyers to re-buy it or not is unknown to me

feel free to ping myself or @halcyon for more answers - we're happy to help

taikeru

basically flags you to creators?

i'll add a bit more to this:

• the licenser itself logs your vrchat account's username and display_name - this is used to identify you to the key and that's how you are flagged
• many creators are using Payhip, and Payhip's anti-leak signs files with a nearly invisible identifier that allows the creator to upload a leaked unitypackage and immediately find the info of the buyer who leaked it - which also gives them the GonsoLicense key, and can be used to identify/blacklist the user
  • while Payhip's antileak is robust, i've personally found an interest in how it works and have been testing possible workarounds

at the end of the day, there isn't a reason for logging IPs; Gonso and the creators have simpler, more robust methods of identifying users

CrypticWibblyWoo

@taikeru I had figured that was a rumor, but i figured asking was better than assuming.
So basically itd be in my best interest to wait for decrypted avatars to be shared? (Im fine with that)
I figured theres a lotta shady practices going on but thankfully i dont buy avatars very often so it limits what creators i buy from.
Could you tell me more about payhips system, and do sellers normally notify buyers before they purchase? Usually sellers disclose that sorta thing with Gonzo but i wouldnt be surprised if it was sneakily hidden. Kinda sounds like it is.
Thank you so much for properly explaining it to me c :

taikeru

Could you tell me more about payhips system, and do sellers normally notify buyers before they purchase?

payhip's anti-leak is currently in closed-beta and requires a vouch directly from another creator that has it enabled to gain access - some creators do explicitly state that a package is protected by payhip's anti-leak, but i've seen that most do not

payhip's anti-leak works by injecting identifying bits into the unitypackage per buyer, generating a completely unique unitypackage for you as you click the download button

as far as i can tell, older versions of the anti-leak would edit files within the package like animations which would cause GonsoLicense to throw errors upon uploading; it seems now that isn't the case

i don't know very well how the anti-leak works right now. from my testing, it seems it no longer edits files within the package, and instead injects identifying hex-data into the unitypackage in specific places (of which seem to be very consistent across many payhip-signed packages); i'm working with Hal to develop a potential bypass for it, but we cannot make any promises

So basically itd be in my best interest to wait for decrypted avatars to be shared? (Im fine with that)

yes, this is unfortunately one of those situations where it's better to leave these processes up to those who know properly how to manage them; but understand that we also don't have infinite funds and the generosity of this community that donates their avatars and license keys cannot be understated

behind shady business practices are some very expensive "products" that likely aren't worth the price, and very commonly should not be "protected" by these things to begin with; the entire idea of giving a user encrypted, unmodifiable files of mostly kit-bashed assets is absurd in both conception and practice