How safe is Godot right now?

Fairly recently, I got really into using Godot as a game engine to develop games either for fun or for release, or both. But I read some posts on the security of Godot and… it’s not great. What is the current state of the security of the source code of Godot games? Is there a difference in using GDScript or C# in terms of security?

And yes I am aware that you can do some basic encryption but the encryption key is also within the application itself and can be ripped with a decompiler and reading some machine code, at least that was the state of things about 1 year ago from what I can gather.

1 Like

All software can be decompiled and encryptions can be cracked or bypassed, especially when the software is run on the user's hardware. There are just levels of difficulty in reverse engineering.

Scripting language engines like Godot and Unity can expose more of the original game code because the scripts are intact and need to be dynamically compiled. C# can have the same issue but may not have the same symbol names. But even if the game is compiled in a native language, it too can still be decompiled. It just depends on how vigilant and skilled the hacker is.

I also have heard and read things, but could you also link some sources in case there are some takeaways from others' experiences?

Here is the current guidance to make it difficult for the average user.

9 Likes

Also, there are some people who don’t need to decompile the program. They can just look at the binary codes and read it.

2 Likes

There are differences between decompiling a software and having direct access to the code. The main difference being that decompiled code is not human readable, and as such a headache to use.

So if GDScript is used “as is” by Godot, with symbols and such, and considering that Godot’s code is open source so encrypting the pck is just a joke to crack, then we can consider that our code is accessible with a couple days of work from a skilled developer. So it’s very close to public. That’s a rather concerning issue.

1 Like

What kind of security are we talking about here? DRM? Cheating? Hacking? Stealing code?

We are speaking of code stealing.

Of a finished game?

Yep, of a finished game.

If you are good enough to reverse-engineer an encrypted game to expose its code, you probably are just good enough to code the original game itself.

Maybe I’m blind-sided here, but who would steal game code and for what use? Is this a thing I am not aware of in the indie-game space?

I mean, of course, if you write an algorithm so novel and worth so much, you should be able to register it properly and sue anyone copying its behavior.

2 Likes

Definitely. But not in a couple of hours.
If people were fine with anyone using their code freely there would not be private repositories on GitHub.

There are examples of indie games being copied and released. So it’s definitely a thing happening. Actually, indie games are very vulnerable to that, because indie devs are not famous and big enough to sue anyone. So if you steal their game and use your marketing network so your game becomes more known quickly you can just steal their bread. It happened to indie developers starting to have some visibility with their prototype/demo but not having the time to quickly deliver the final product. Obviously, those doing that are living in countries where copyrights are rarely respected.

This is not the same as stealing code. Or do you mean, they copy the code and release the same game?

1 Like

Yes, that’s it.
When you realize a game has some potential, you just steal it. Indie devs won’t be able to retaliate, they don’t have the money/power for that.

Do you have an example? I have never heard of this being a thing.

I understand the nature of the concern, but struggle to see the reality of it.
Most of the time this discussion leads to people advocating for DRM of some kind to protect not their codebase but their sales. This kind of protection is - for the most part - a farce and leads to frustration with players.

I have heard the Butterscotch Shenanigans people talk about their release of Crashlands back then. It was cracked after release in the Chinese market. They saw that, properly released the game there and now it is 50+% of their target market.

1 Like

I can’t find the example that I’ve found previously because a Google search on “indie game getting stolen” just gets too many results.

It is a thing. And with AIs, it’s now much more of a concern (as it’s extremely easy to review all the art in a couple of days and release the exact same game but with different graphics/music and proving that the code is the same between both games is really hard).

1 Like

Again, I struggle to see the point here. This seems not to be a “concerning Godot problem” but a general problem of software - or anything for that matter.

5 Likes

Yes, it’s a general concern. But if my GDScript code is easily accessible in a usable form, then it’s a Godot issue, too. If my GDScript code is hardly usable as is, then it’s fine.

1 Like

Skynet for sure can :joy:

Do you honestly think a company such as EA for example would care? A company like that will have the top 1% of the best game programmers in the industry anyway (you would hope).

And if you are that good a programmer you should be working for them.

The code behind a game isn't the sum of its parts, not by a long way.

EA hires people out of college and burns them out by working them 80-hour weeks and paying them less money than they could make elsewhere because “they get to work in games.” They certainly have great programmers too in more senior roles, but they typically lose them after the shine of working in games wears off and those programmers either move up into management/producers or they go somewhere where they can make better money outside the game industry.

1 Like

To @pennyloafers’ original point, if you have a great indie game and someone wants to steal it - you can’t stop them. Peak is going through that right now with a Chinese rip-off clone. If someone from China or India decides to rip off their game, they don’t need a decompiler or AI to do it. Technical human labor is so cheap in those countries that they can afford to pay people to make the game from scratch. And just because they’re cheaper doesn’t mean they aren’t as smart.

If someone is ripping off a game to make money, they have money to burn, and how well you protect your source code isn’t going to stop them. It probably won’t even slow them down because they likely rip off software for a living.

You can spend your time worrying about how to protect your game or you can make your game.

10 Likes