dodgy tool, he says it "Extract encryption key from godot binaries externally with a gui.". Make sure it don't work on ours.
Go to file
pozm a7087a89ea
Update README.md
2024-02-19 07:13:44 +00:00
gdkeinj some work on older versions 2024-02-12 10:09:16 +00:00
src some work on older versions 2024-02-12 10:09:16 +00:00
.gitignore cli 2022-12-25 12:45:25 +00:00
Cargo.lock some work on older versions 2024-02-12 10:09:16 +00:00
Cargo.toml some work on older versions 2024-02-12 10:09:16 +00:00
README.md Update README.md 2024-02-19 07:13:44 +00:00
z421.exe lib works, now for frontend 2024-02-11 17:16:11 +00:00
z421.pck lib works, now for frontend 2024-02-11 17:16:11 +00:00

README.md

gdke

A external and gui based version of godot-key-extract

🚧currently waiting for nvim-treesitter to be updated

Images

image image

How does this work?

When you build a godot template with an encryption key set, the build tool (scons) will inline somewhere into the file. And so the key is in a random location pretty much every time you build.

We are still able to retrive this key though as it is obviously used to decrypt, encrypted scripts. and the place where it happens is in a function called gdscript::load_byte_code

image

Finding statically

Thankfully it's really easy to find functions in ida, or any other modern static analysis program, as godot has verbose error logging. and we can abuse this to easily find the function.

image

In ida, im able to go to where it is in rdata, and then find references as such:

image

So now we've located the function which uses the secret key, all that's left to do is find where it's loaded (I recommend using graph view for next part). We can pretty easily find where it's loaded, although varies depending if the template was built in release or debug mode. Generally if it was built in release mode the key will be loaded near the beginning of the function, else in debug it will be right before it increments a for loop. We're looking for an instruction called lea (Load effective address) which takes a offset and loads it into a register. since our encryption key is pretty much static, it doesn't get passed in like a variable or what ever, it will always have a static offset. which makes it very easy to find. pretty much all the other lea instructions will load from a offset of a register.

If you have debug symbols it is extremely easy to find it as it will just be called script_encryption_key

image

If you do not have debug symbols it will be a bit harder to find, but still pretty trivial, it should look generally like:

image

Once you have found the instruction, you should just be able to follow the offset, and read the bytes.