When you are exporting your project you will get these two files
MyProject.exe is a runner, a mini Godot Engine with Editor options stripped out, they call this as template. MyProject.pck is basically your whole Godot project directory, zipped tight into a single file. By default your runner will look for .pck file of the same name.
Now if you did not put encryption key, public tool such as gdsdecomp can prick it open, and can even restore your whole godot project as if they have the original source code. The decompiled godot .pck will be a complete godot project folder that you can open in editor and press play again, and it will work the same, with all the connections stay as it is. Complete with the comments that you put in your .gd files
Now if you do put encryption key, your MyProject.pck will be unreadable because it’s encrypted. Normal/vanilla template will not work. This is why you need to compile your own custom template with key enabled where the compiler will slide in the decryption key somewhere within your MyProject.exe.
How difficult is it to compile your own Godot Engine? Very easy. Clone the godot engine repository, Install all the requirements to build the engine, Build the engine for your current platform. Is there a video tutorial on this? There isn’t, but mohzen zare has a playlist on how to build your own GDExtension in C++, you can apply the same technique to compile the source
Now how much secure is it with Encryption you might ask? Not that secure since your key is somewhere in the exe, public tools such as gdke can try to grab the key from the memory for particular signature.
Is there is an easy way to do it? To secure your code? No there isn’t. That is the cons of open source software, every steps is laid bare, and it will just a matter of making a tool that retrace the steps backward, and there you go a decompiler. Either accept that godot exported project can be decompiled in few minutes using public tools, and they will have your original project files.
Or if you are really serious in protecting your assets, then start looking at C++, while it’s hard to avoid decompilation, it shouldn’t be that hard to protect your code from common script kiddies. Just modify your load_and_parse method, add some salts, split the earth, or something so that even if the public tool can find your encryption key, they still need to figure out what they should do with it, now that the procedure has changed from the original.
But if I use embed .pck?
Is it better or not?
And if I use embed .pck and I didnt use script encrypt export. How difficult to get code?
And if I use embed .pck and I use script encrypt export. How difficult to get code?
I reject all deals | 2023-05-27 16:14
Can you tell me if I use embed .pck and I didnt use script encrypt export. How difficult to get code? And if I use embed .pck and I use script encrypt export. How difficult to get code? And you said
… then start looking at C++, while it’s hard to avoid decompilation
… Just modify your loadandparse method, add some salts, split the earth, or something
the sound is great but how I can do it? I mean to say can you explain what I need to do and in godot source, which page I need to modify? Do you know something about that?
I reject all deals | 2023-05-31 20:13
Embed .PCK means that your PCK is added to your .exe, there’s nothing fancy going on.
As for changing the way your PCK is encrypted… I’ll give you some pointer, first make sure you can compile the godot from the source. Second, find this file
/core/io/file_access_encrypted.cpp specifically take a look at this function called
FileAccessEncrypted::open_and_parse, this is the function that is responsible in encrypting and decrypting the PCK file.
Try to change this line
Into something like this
You see what I did there? Now if they managed to use public tool and grab your private key, they didn’t know that the key now has to be “reversed” in order to prick open your PCK. At this point gdsdecomp will not work anymore since the mechanism has changed. This is just a simple example just for a starter. Any veteran reverse engineer will understand what the heck is going on.
Thank you so much, I will check it
I reject all deals | 2023-06-02 05:47