/godot-key-extract

extracts the encryption key from godot binaries.

Primary LanguageC++GNU General Public License v3.0GPL-3.0

Notice of archival

I have rebuilt this program to be fully external, meaning you don't need a dll and it has a gui to simply choose programs from. That version will continue to recieve updates as godot versions roll out you can find that repo here

Build

clone the repo (git clone https://github.com/pozm/godot_key_extract.git) then open the visual studio workspace and then build either release or debug, probably doesn't matter.

Example Output

image

How does this work?

When you build a godot template with an encryption key set, the build tool (scons) will inline somewhere into the file. And so the key is in a random location pretty much every time you build.

We are still able to retrive this key though as it is obviously used to decrypt, encrypted scripts. and the place where it happens is in a function called gdscript::load_byte_code

image

Finding statically

Thankfully it's really easy to find functions in ida, or any other modern static analysis program, as godot has verbose error logging. and we can abuse this to easily find the function.

image

In ida, im able to go to where it is in rdata, and then find references as such:

image

So now we've located the function which uses the secret key, all that's left to do is find where it's loaded (I recommend using graph view for next part). We can pretty easily find where it's loaded, although varies depending if the template was built in release or debug mode. Generally if it was built in release mode the key will be loaded near the beginning of the function, else in debug it will be right before it increments a for loop. We're looking for an instruction called lea (Load effective address) which takes a offset and loads it into a register. since our encryption key is pretty much static, it doesn't get passed in like a variable or what ever, it will always have a static offset. which makes it very easy to find. pretty much all the other lea instructions will load from a offset of a register.

If you have debug symbols it is extremely easy to find it as it will just be called script_encryption_key

image

If you do not have debug symbols it will be a bit harder to find, but still pretty trivial, it should look generally like:

image

Once you have found the instruction, you should just be able to follow the offset, and read the bytes.