From d6f1c2ad83dc62b6136dd28c8b69dcdcc74b9c0d Mon Sep 17 00:00:00 2001 From: Luna <44528100+pozm@users.noreply.github.com> Date: Sat, 27 Aug 2022 18:00:15 +0100 Subject: [PATCH 1/4] Update README.md --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 0ffb964..aaf8c11 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,16 @@ # godot_key_extract extracts the secret key used to encrypt gdscript files upon build + + + +## how to use? +download or [build](https://github.com/pozm/godot_key_extract#build) the dll, then use your favourite dll injector to inject the dll into the godot game. + +examples of dll injectors: + +• [extreme injector](https://github.com/master131/ExtremeInjector) + + +## build +clone the repo (git clone https://github.com/pozm/godot_key_extract.git) then open the visual studio workspace and then build either release or debug, probably doesn't matter. From c4b2746d49e28a4ba0ddac34a650e0f338477907 Mon Sep 17 00:00:00 2001 From: Luna <44528100+pozm@users.noreply.github.com> Date: Sat, 27 Aug 2022 18:00:32 +0100 Subject: [PATCH 2/4] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aaf8c11..44cf11d 100644 --- a/README.md +++ b/README.md @@ -13,4 +13,4 @@ examples of dll injectors: ## build -clone the repo (git clone https://github.com/pozm/godot_key_extract.git) then open the visual studio workspace and then build either release or debug, probably doesn't matter. +clone the repo (`git clone https://github.com/pozm/godot_key_extract.git`) then open the visual studio workspace and then build either release or debug, probably doesn't matter. From 1a37dc1e0b1a17e2c0cfed352a7ed16816b50926 Mon Sep 17 00:00:00 2001 From: Luna <44528100+pozm@users.noreply.github.com> Date: Sat, 27 Aug 2022 18:01:16 +0100 Subject: [PATCH 3/4] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 44cf11d..118c41f 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ extracts the secret key used to encrypt gdscript files upon build ## how to use? -download or [build](https://github.com/pozm/godot_key_extract#build) the dll, then use your favourite dll injector to inject the dll into the godot game. +[download](https://github.com/pozm/godot_key_extract/releases) or [build](https://github.com/pozm/godot_key_extract#build) the dll, then use your favourite dll injector to inject the dll into the godot game. examples of dll injectors: From b5ba9434ef057e335b1b8595948860a837740f32 Mon Sep 17 00:00:00 2001 From: Luna <44528100+pozm@users.noreply.github.com> Date: Sat, 27 Aug 2022 18:09:55 +0100 Subject: [PATCH 4/4] Update README.md --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 118c41f..c1a2256 100644 --- a/README.md +++ b/README.md 
@@ -14,3 +14,13 @@ examples of dll injectors: ## build clone the repo (`git clone https://github.com/pozm/godot_key_extract.git`) then open the visual studio workspace and then build either release or debug, probably doesn't matter. + + +## how does this work? +basically when you want to build with encryption you must first compile your own godot template with the aes script key stored as an env variable (this automatically gets embedded into executable via the buildsystem), so the key is generated and stored in some random space in the executable, we can retrieve this via two different ways: either while it's in memory or while it's out of. The latter is much more complex and requires a custom disassembler, which i cannot be bothered writing. + +so for retriving this from memory, we can find where the key is used, and where else better to look than the load bytecode function? So within this function it checks if the script even needs to be decrypted (via a ext check), and if it does then it does some steps, but most importantly it reads the secret key. we can now open up our favourite static analsys program (for example ida) and find this function, there are many ways to find this function but probably the easiest is to just search for strings. + +Godot has a ton of macros and relies heavily on them for error handling, so we can easily find what we're looking for by searching just for "load_byte_code" and you will find the function we're looking for. now in the function it will do a ton of things, but the most important thing is loading the secret key. it does this with the opcode LEA, the function doesn't use it alot and it's pretty easy to tell which one is the secret key. so after we know the address of the instruction we can create a signature to it. + +nd then in the dll we can use that signature to find the instruction while loaded in memory. after doing that all you need to do is read the instruction and calculate the offset. 
once done you should have the address to where the secret key is loaded in memory and you can just print it out.
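Review bot: the new "## how to use?" section in PATCH 1/4 (hunk @@ -1,3 +1,16 @@) never says what the user should expect after the DLL is injected: whether the key is printed to a console, written to a file or shown in a message box, so a reader has no way to tell whether the tool worked. It also leaves out the prerequisites the method implies (a Windows build of the game, a DLL architecture matching the game process, and which Godot versions the tool has been tested against), which belong in the same section. Minor style points in the same hunk: the "•" glyph in the injector list should be a Markdown "-" bullet, the three consecutive blank lines after the description can be collapsed to one, and "## how to use?" should match the "## build" heading style (no question mark).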
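Review bot: since PATCH 2/4 (hunk @@ -13,4 +13,4 @@) already rewrites the build line to add backticks, the same edit could drop the hedge "probably doesn't matter" and state plainly whether both the Release and Debug configurations are supported, and split the run-on into two sentences, e.g. "Clone the repo (`git clone https://github.com/pozm/godot_key_extract.git`). Open the solution in Visual Studio and build the Release or Debug configuration." If the file opened is a Visual Studio `.sln`, "solution" is the usual term rather than "workspace".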
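Review bot: the download link added in PATCH 3/4 (hunk @@ -5,7 +5,7 @@) sends users to a prebuilt DLL on the releases page that they are then told to inject into a running process, but nothing in the README lets them verify what they downloaded. Publish a SHA-256 hash (or a signature) for each release asset next to the link, and record which commit each release was built from, so a reader who chooses the "build" path can compare their output against the "download" path; a README that offers both should make the two verifiably equivalent.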
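Review bot: the "## how does this work?" section in PATCH 4/4 (hunk @@ -14,3 +14,13 @@) describes the mechanism but never states the conclusion a reader should draw from it: because the AES script key is embedded in the export template at build time, anyone holding the shipped binary can recover it, so script encryption in Godot raises the effort of casual inspection and is not a confidentiality boundary. Saying this in one sentence at the top of the section would make the README useful to developers deciding whether to rely on the feature. The section should also say what the DLL does when the signature does not match (the pattern is tied to the Godot build and compiler it was made from, so other versions will fail or, worse, print a wrong address as if it were the key), and whether that failure is reported. Spelling in the same hunk: "retriving" should be "retrieving", "analsys" should be "analysis", "alot" should be "a lot", "nd then" is missing its leading "a", "via a ext check" should spell out "extension check" if that is what "ext" means, and "while it's out of" reads better as "while it's on disk".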