gdke
An external, GUI-based version of godot-key-extract
Images
How does this work?
When you build a Godot export template with an encryption key set, the build tool (SCons) inlines the key somewhere into the binary, so the key ends up at a different location pretty much every time you build.
We are still able to retrieve this key, though, because it necessarily has to be used to decrypt the encrypted scripts, and the place where that happens is a function called gdscript::load_byte_code.
Finding statically
Thankfully it's really easy to find functions in IDA, or any other modern static analysis program, because Godot has verbose error logging, and we can use those error strings to locate the function quickly.
In IDA, I can go to where the error string sits in .rdata and then find its references, as shown:
So now we've located the function which uses the secret key; all that's left to do is find where the key is loaded (I recommend using graph view for the next part). This is fairly easy to spot, although the location varies depending on whether the template was built in release or debug mode. Generally, in a release build the key is loaded near the beginning of the function, while in a debug build it is loaded right before the for loop increments. We're looking for a lea (load effective address) instruction, which takes an offset and loads it into a register. Since the encryption key is a static constant, it doesn't get passed in like a variable; it always sits at a fixed offset, which makes it very easy to find. Pretty much all the other lea instructions in the function will load from an offset relative to a register instead.
If you have debug symbols it is extremely easy to find, as the constant will simply be named script_encryption_key.
If you do not have debug symbols it will be a bit harder to find, but still pretty trivial, it should look generally like:
Once you have found the instruction, you should be able to follow the offset and read the key bytes.