Download

Security - Blueprint Reverse Engineering? BP's decoded after compile? Obfuscation of a BP Variable

I’m sorry if this is a repeat post. I tried to search for the answer.

I’m creating a global inventory and economy system for my project. I’m going to use CouchDB, JSON, and Blueprints to communicate this information over HTTPS.

I’m going to pass credentials from a Variable in Blueprints to CouchDB over HTTPS. This Variable will be stored in a Blueprint at compile.

Is it possible to discover the credentials by decompiling the project? I’m worried about security risks. If someone discovers the credentials they can make changes to CouchDB and thus modify their inventory and stuff.

If it is possible to discover BP Variables through a decompile process, do you guys know of any techniques to obfuscate the credentials variable? Maybe someone has a better method?

Thanks!
Sorry if this is an ignorant question and thanks for your inputs!

You should never store any unique security relating values in program code, neither c++ nor blueprint - it’s possible to get your hands on it, yes.

The HTTPS is designed to protect client-server communication from a 3rd party. I’ve no idea how this protocol is implemented by Epic, but as a client it could be possible capture the traffic as well.

You should use the initial connection only to authenticate the client and afterwards send him only personalised data or a key or whatever that is unique to this connection / session.

Blueprints(actors) are stored as .uasset files inside .PAK files and is possible to extrac them from the pak and read any data it contain using a free HEX explorer app.
Blueprint code, that is built on Level Blueprint and such, seems to be embedded directly into the compiled .exe game.

It’s not as easy as decompiling Unity games back to source code, but yeah… Anything you add to the Client code can be read if ppl knows where to look for.
You could encrypt .PAK files, but engine source is open, would be a waste of your time.
You should make your server give credentials when requested by a recognized game client instead of adding security stuff in it; if that is not possible, I would build an splitted and encrypted string, store each piece in different blueprint actors or components and then run a function to merge them before sending the json data. Silly stuff like that, while praying for nobody taking the time to reverse the game code and go around looking for pieces of the key.
I used to do that on Unity games to frustate cheat-engine users and it worked :slight_smile:

Most commonly used in json https networking transfer is asymmetric cryptography.

You have a public key inside of your project which encrypts your data communication
You have a private key on your server decrypts the message from your project do all kinds of security checks.

in short therms Public_Key_Encryption(YOUR_MESSAGE) -> HTTPS_SERVER -> Private_Key_Decryption(YOUR_ENCRYPTED_MESSAGE)

It wouldn’t matter if they get there hands on the public key in this approach, you would need the private key to decrypt the message, but it also all depends on your server security checks to make it save.

Similar approach would be OAUTH2 or OAUTH1.0 wich is commonly used in (outside source communication) on social platforms for either apps, games, ect.

If your worried about people changing values or data, always compare your values, stats, level, exp, user data with the server, this prevents something like cheat engine.

Your never 100% safe but you can make it as difficult as possible.