I hate to be the bringer of bad news. IMVU tries to protect your project and asset files through “security by obscurity”. Your Cal3D files (XMF, XSF, XAF, etc.) are encrypted in the local cache (C:\Users\{your login}\AppData\Roaming\IMVU\HttpCache folder), while PNG and JPG files are merely renamed. When you upload a project, the Cal3D XML files are converted to binary format, which is not human-readable.
That may sound okay to you, but with the release of IMVU Next, they created a way to be able to download project files, including all of the contained assets. And you don’t even have to be logged into the IMVU website to download them! It turns out that IMVU hosts all our creations using Akamai’s servers.
By the request of IMVU staff, I’ve hidden the details of how this is done.
This should be terrifying news to IMVU creators. I’m even terrified by it! But I just had to show how easy it is to crack IMVU products. There’s nothing anyone can do about it, because you have to be able to freely download these files into the IMVU Next SPA (single page app) when you’re trying on products.