If I need to use script encrypted export?

	Attention	Topic was automatically imported from the old Question2Answer platform.
	Asked By	I reject all deals

I want to ask a question.
Why I need to use Script Encrypted Export?
If I need to use it?
How much ıts secure?
Without it how much my export is secure?
How difficult to do it?
How difficult to compile engine from source?
Is there is an easy way to do it?
If just way to do it compiling engine from source, there is an video tutorial or something like that?

	Reply From:	0

When you are exporting your project you will get these two files

1. MyProject.exe
2. MyProject.pck

MyProject.exe is a runner, a mini Godot Engine with Editor options stripped out, they call this as template. MyProject.pck is basically your whole Godot project directory, zipped tight into a single file. By default your runner will look for .pck file of the same name.

Now if you did not put encryption key, public tool such as gdsdecomp can prick it open, and can even restore your whole godot project as if they have the original source code. The decompiled godot .pck will be a complete godot project folder that you can open in editor and press play again, and it will work the same, with all the connections stay as it is. Complete with the comments that you put in your .gd files

Now if you do put encryption key, your MyProject.pck will be unreadable because it’s encrypted. Normal/vanilla template will not work. This is why you need to compile your own custom template with key enabled where the compiler will slide in the decryption key somewhere within your MyProject.exe.

How difficult is it to compile your own Godot Engine? Very easy. Clone the godot engine repository, Install all the requirements to build the engine, Build the engine for your current platform. Is there a video tutorial on this? There isn’t, but mohzen zare has a playlist on how to build your own GDExtension in C++, you can apply the same technique to compile the source

Now how much secure is it with Encryption you might ask? Not that secure since your key is somewhere in the exe, public tools such as gdke can try to grab the key from the memory for particular signature.

Is there is an easy way to do it? To secure your code? No there isn’t. That is the cons of open source software, every steps is laid bare, and it will just a matter of making a tool that retrace the steps backward, and there you go a decompiler. Either accept that godot exported project can be decompiled in few minutes using public tools, and they will have your original project files.

Or if you are really serious in protecting your assets, then start looking at C++, while it’s hard to avoid decompilation, it shouldn’t be that hard to protect your code from common script kiddies. Just modify your load_and_parse method, add some salts, split the earth, or something so that even if the public tool can find your encryption key, they still need to figure out what they should do with it, now that the procedure has changed from the original.

Embed .PCK means that your PCK is added to your .exe, there’s nothing fancy going on.

As for changing the way your PCK is encrypted… I’ll give you some pointer, first make sure you can compile the godot from the source. Second, find this file /core/io/file_access_encrypted.cpp specifically take a look at this function called FileAccessEncrypted::open_and_parse, this is the function that is responsible in encrypting and decrypting the PCK file.

Try to change this line

enter image description here1234×306 32.9 KB

Into something like this

enter image description here1212×293 35 KB

You see what I did there? Now if they managed to use public tool and grab your private key, they didn’t know that the key now has to be “reversed” in order to prick open your PCK. At this point gdsdecomp will not work anymore since the mechanism has changed. This is just a simple example just for a starter. Any veteran reverse engineer will understand what the heck is going on.

0 | 2023-06-01 16:54