LF TALLY NON GONSO

very hard to justify paying $40 just to be blacklisted or hunted down by an obsessive creator

if anything at least her obsessive nature prevents people from leaking her stuff, lol

Could you tell me more about payhips system, and do sellers normally notify buyers before they purchase?

payhip's anti-leak is currently in closed-beta and requires a vouch directly from another creator that has it enabled to gain access - some creators do explicitly state that a package is protected by payhip's anti-leak, but i've seen that most do not

payhip's anti-leak works by injecting identifying bits into the unitypackage per buyer, generating a completely unique unitypackage for you as you click the download button

as far as i can tell, older versions of the anti-leak would edit files within the package like animations which would cause GonsoLicense to throw errors upon uploading; it seems now that isn't the case

i don't know very well how the anti-leak works right now. from my testing, it seems it no longer edits files within the package, and instead injects identifying hex-data into the unitypackage in specific places (of which seem to be very consistent across many payhip-signed packages); i'm working with Hal to develop a potential bypass for it, but we cannot make any promises

So basically itd be in my best interest to wait for decrypted avatars to be shared? (Im fine with that)

yes, this is unfortunately one of those situations where it's better to leave these processes up to those who know properly how to manage them; but understand that we also don't have infinite funds and the generosity of this community that donates their avatars and license keys cannot be understated

behind shady business practices are some very expensive "products" that likely aren't worth the price, and very commonly should not be "protected" by these things to begin with; the entire idea of giving a user encrypted, unmodifiable files of mostly kit-bashed assets is absurd in both conception and practice

basically flags you to creators?

i'll add a bit more to this:

• the licenser itself logs your vrchat account's username and display_name - this is used to identify you to the key and that's how you are flagged
• many creators are using Payhip, and Payhip's anti-leak signs files with a nearly invisible identifier that allows the creator to upload a leaked unitypackage and immediately find the info of the buyer who leaked it - which also gives them the GonsoLicense key, and can be used to identify/blacklist the user
  • while Payhip's antileak is robust, i've personally found an interest in how it works and have been testing possible workarounds

at the end of the day, there isn't a reason for logging IPs; Gonso and the creators have simpler, more robust methods of identifying users

But i heard it logs your ip and basically flags you to creators?

unconfirmed, but given the closed-source nature of the system i wouldn't put it out of the equation - so far though Gonso himself has told me directly (and proven to me) that he does not have interest in logging IPs; as far as i can tell that remains the case now

What happens to a model with gonzo if the creator no longer uses gonzo?

hopefully, like Whituu's Sakura from a while ago, it is simply updated for the purchasers to not have the system in the package; otherwise it's just up to the creator to do that themselves

And, how does one manually remove gonzo?

this one is an involved process. there isn't a singular way to remove this system, and there is definitely not a simple way to do so without a decent handle on programming and cybersec tools

both @halcyon and i have worked on ways to get around this and she still works on them now; i just help with code stuff occasionally as i've mostly lost interest in it

it boils down to a few methods:

• the first, is to decompile the GonsoLicense DLL (most versions are obfuscated with ConfuserEX - it's very easy for a user to see this by loading the DLL into something like Ghidra or DnSpy); and once you've obtained the source code, you can write your own Unity scripts to "fake" requests to the API, basically copy-pasting the Decrypt method so it can be decrypted manually with the key from the API
  • there was a tool developed by a few acquaintances of mine that circulated around this forum a while ago; it was based off of my original methods and code that ended up being heavily edited for public use
• the second is to hijack the Unity process and "stall" it while the Licenser does its tricks. the drawback of GonsoLicense is that it has one major flaw: Unity cannot load or upload encrypted files. at some point during the upload process, these files have to be decrypted to be packaged - giving users a small window in which they can grab the files if they can get around Unity's directory locking. while simpler on paper, Unity's directory lock is pretty robust and isn't easy to bypass

Personally dont believe it but why lie to your buyers?

money. i wish i could say most creators using the GonsoLicense system are doing it without malicious intent, but the bottom line is many of them are looking for quick ways to maximize their profit margins for mediocre avatar work (not the case for all, but many), where some creators like Strawbunny don't even do most of the work and outsource it - there's a reason you don't see larger, more confident creators using the system (to name a few, such as Godfall and Nikkie) - the quality of their work speaks for itself (and is usually worth the price); most importantly their interaction with the community they've built doesn't give many users a reason to maliciously steal their products

it's all business practices, and predatory ones at that

i'm aware specifically for Birdy's case that they did actually stop using Gonso, but released the non-GonsoLicense'd package under a completely separate listing on their Gumroad. whether they forced previous buyers to re-buy it or not is unknown to me

feel free to ping myself or @halcyon for more answers - we're happy to help

@Rotting newest and quickest methods will probably require both a license key and the account details of the linked vrchat account - you're free to dm either @halcyon or myself about this, but i'll keep parroting these simple statements:

you cannot post files without a license key and just expect it to magically be decrypted. that is not how the licenser works

do a quick google search on encryption to understand why the key is required

most of all, if anyone pms either me or Hal to do a decrypt for you, how about not ghosting us as we're trying to help you? this isn't in specific to the user i'm replying to (my apologies, Rotting) - but in general we'd like to keep pms moving so we don't have to sit here for years bumping the same posts

@RubyLuna probably shoot a pm to @halcyon - she knows the newer systems better than i do

@totallyoriginal1 it's unfortunate, truly; especially as i know some methods still require you to decrypt the DLL included and write scripts to reverse engineer the systems - time consuming and financial investment

i've had some shiny new methods (more like i've been enlightened by @halcyon ) that don't require decompilation of the DLL or much else, considering the backend API is hardening significantly and userscripts are becoming more easily flagged

if my financial situation wasn't so terrible, i'd have probably gotten around to some of the avatars that have been floating around, though i did agree not to publicly post them - i feel like some creators still don't really deserve this platform they keep abusing

it's maybe not a good idea to announce when we plan on purchasing and/or decrypting avatars of creators that keep a hysterical eye on these forums

really though that's unfortunate - i was looking a little forward to seeing this finally be resolved

@osukzins essentially, yes. without a license key and linked vrchat account, you can't do anything but stare at the encrypted files angrily

this should be used as a note to stop posting GonsoLicense avatar files on this forum hoping someone will magically decrypt them from thin air.

pm those who know how to remove these systems. some like @halcyon have offered directly on some posts to do decrypts (and i can vouch for them specifically, they know what they're doing); i wouldn't even mind trying my hand at it out of curiosity

it's not a perfect system, but take note who has been actively helping and trying to help; support and chat with them and you'll have a higher chance of getting this done over just yelling into the void here

@Blue_Boi without a valid purchase license or vrchat account to decrypt these with, nothing can be done unless someone wants to sit here for a couple of months remaking the avatar from scratch

posting the files and hoping someone will magically get around this system makes it easier for the creators to track who shared them, and now makes it more difficult to find a package without the potential of being blacklisted

the bottom line - you need a purchase license and access to the vrchat account to get anywhere with this system. sharing the base files without either of those does nothing for you and for the users you share it with

you're free to pm me with the details required and I can pass it on to a handful of friends I know might be willing to do this, potentially would do it myself, but otherwise tagging me has done you nothing

@Rotting I don't have any plans to purchase either of those avatars; I'm sure there are some who are willing to decrypt these given the chance

@sakurish it should, yes - I have obviously not confirmed that myself though, so do be careful

please don't use this tool for newer gonso avatars (including Tally). it does not support the latest updates of the licenser and will very likely be flagged in their API / simply will not work properly

Gonso has explicitly stated (and proven to me fully multiple times) that he does not log IPs - he uses a public VPN detection API temporarily while he reworks some internal checks to protect his API from spam; you can see this in the newer versions of the licenser's source code after decompilation

still - be careful and be vigilant, as always remain a step ahead and be watching a step behind~

overall it isn't much different, and it's not hard to get around, but it is progressively becoming more and more sketchy with every update. stay safe, be vigilant

@kittyyyy ofc, also to add: take a look at d4rk's optimizer for a really well made tool that uses custom material trickery among a lot of other methods to optimize even the heaviest avatars

learn how to bake and atlas your textures - doing this for a model can easily bring 200mb down to around 40mb - 50mb

for most models with "over 90+ toggles!!!" which seems to be most eboy/egirl models with more outfits than anyone actually uses on the daily, there are simply so many things on the avatar that just lowering texture sizes will not come close to being enough to properly optimize them (im just using this as an example pls dont hurt me)

the best tool for this, imo, is SimpleBake, providing the ability to both atlas textures and bake multiple textures to single images without losing much visual quality; pairing this with a UV packer, you can very easily get the coveted "1 skinned mesh renderer" that hyper-optimized avatars boast; of course it varies though - any optimization is good optimization!

realistically, many of these creators that throw in 2k+ textures on 30+ mesh renderers do not care about performance or optimization, as a result it is going to be that much harder to optimize those avatars

if you are willing to sit in blender and fix the egregious ignorance of optimization, it can be done; otherwise, decimate textures*, maybe even remove some of the things you feel you won't use as often, and look into tools like Polytool; your results will vary

* textures generally shouldn't be more than 1024x, using DXT1 compression (not crunching)
maps (roughness, metallic, etc) can go even further down to 512x, also DXT1
even further, cubemaps and matcaps can go down to 256x or even 128x if it does not affect the overall look as much
normal maps are the only thing that should ever be at 2048x, and sparingly, using RG compressed BC5

instead of DXT1, you can also use BC7; in some cases this can look better but DXT1 has a higher compression ratio due to lack of the alpha channel - most textures and maps are not transparent, but if they are, try BC7

and the final note - don't be afraid to use Bilinear instead of Mitchell when compressing; Mitchell is great but does blur finer details while Bilinear tends to be more sharp at lower resolutions

there aren't any real good guides around but I do believe I've got a few good tips to give out - feel free to yell at me for more

@Strawbaby the file is probably flagged due to a randomized name and being a zip file - can confirm the file contains a unitypackage with the decrypted files I uploaded originally

only problem is Bunkr can be very slow sometimes, but hey at least it's there

the huge part of this message from Tori is "I understand that if you could pay for these models, that you likely would..." - and I think that applies to a very large portion of the community that shares models

creators in this space need to understand that without vrchat doing anything directly to protect the user-generated content they take advantage of, leaking/redistribution will always exist

while every creator has a different skillset and skill level, it always does seem to be the creators who manage a new vrchat avatar every other week that have the most explosive or negative responses to leaking - those who have accepted that it will happen regardless are probably more confident the quality of their products is high enough that they can cut the losses of leaking

it doesn't apply to every creator, and there are some people who rip/leak for selfish benefit, but I do think vrchat avatars work in the same way as any other software - the higher quality ones will be able to survive despite being shared underground because they simply are representative of the $40 price tag

slight rant, but too many egotistical creators exist and it's an absolute shitshow to know so many of them in this post are just that bad o7

@zeta-zaza a DLL is included inside the avatar unitypackage that handles the uploading of the avatar's main files (FX, Menu, Parameters, and Meshes) - these are pre-encrypted with AES-level encryption

the avatar FBX is not included, so there are no blender edits that can be made - the textures are editable, and you cannot remove/change parameters or FX items already on the avatar, you can only add to them and they get combined upon uploading

you cannot resolve this by simply removing the GonsoLicense DLL, as it is required to obtain an encryption key from a separate API that ingests your unique License key you receive upon purchase of the avatar