gdke
I believe I get the wrong key when running this?
I am testing with this game demo: https://store.steampowered.com/app/2427700/Backpack_Battles/. Trying to use the key I get with gdre tools, it fails to recover the scripts.
This game most likely uses Godot 4, which wasn't properly supported. I'm currently working on a rewrite to make it work on 4. In the meantime you can still reverse it manually using what is stated in the readme (if it is on 4.0 you will need to look for open_and_parse rather than bytecode ... )
@pozm the game is running on 3.5.3, not 4.x
Hi, sorry, I've been busy recently. The old version of gdke probably doesn't work, but I'm working on a new version which has a different detection mechanism, which hopefully should be able to do most of Godot 3.
@otDan It's funny, I was trying to get the key for BackpackBattles as well and I did some digging in IDA. They use a little bit of modified engine code here (I think) and modify the key bytes just a little, so the key in the static binary is not the right key. I got the right key by setting a breakpoint before the open_and_parse function and reading it out of the register (rax, I think) in gdb. Any debugger will work.
It's probably related to this project tho': https://github.com/CredibleOpossum/godot-key-extractor
@manjaroman2 Can you explain how you did it? I gave it a try, but as a newbie I didn't get precisely how to do it using IDA. All I can do is find the open_and_parse function by disassembling the original exe.
I misremembered where I set the breakpoint, sorry. Here is the full tutorial if you will:
As you can see in the image above, there is a call to open_and_parse which takes in a reference to the key as a parameter.
Furthermore, you can track the reference to the key to a library call to mbedtls:
The method where I set the breakpoint is set_decode_key. You need to find that method in IDA and get the address of that call. You can see it here in IDA:
If I right-click and switch to Text view, I can see the call to set_decode_key happening at address 0x000000014152330B. (I'm using the latest demo version available on Steam.)
Now you need to be a bit familiar with a debugger. I only use gdb, so I can just explain how I did it with gdb on Linux. If you're on Windows you don't need to change the Proton version. There is gdb for Windows, but I don't know how to attach it to Steam games; you need to find that out yourself. There is also x64dbg.
- set proton version to 8.0-5
- set the launch options to: PROTON_DUMP_DEBUG_COMMANDS=1 %command%
- launch game once and close game
- On Linux there now exists a /tmp/proton_$USER directory which contains gdb_run. I execute this file, which launches the game with gdb attached.
- I set a breakpoint at set_decode_key: br *0x14152330B
- hit 'c' to continue
- Breakpoint gets hit, now: info reg
- As you can see, there is something looking like an address in rbx. The address could be in any of the registers for all I know, so you may have to try the others as well.
- With 0x44084f0 being the address I chose, I now read out the 32 bytes at that address: x/32xb 0x44084f0
- These should be the key bytes. You can throw them in gdre_tools, and if they don't work, read the bytes at another address from the registers.
@manjaroman2 hi bro, what is version 0.9 godot game extract key, can't find it. 😭😭😭
Ok now I booted up my VM and I found the key on Windows just by using IDA:
- Open the Backpack exe in IDA and wait for it to load everything (you can see it scanning the binary in the top row (blue); wait for the little arrow to load through. You can close all sub windows except IDA-View-A, which will accelerate the scanning process a bit).
- In IDA-View-A, on your keyboard hit 'G' and enter the address of set_decode_key (I gave it to you in my last post)
- Right click 'Add breakpoint' at the exact address. (the line should be red now)
- Find this button to start the Windows debugger:
- Now with the game started it should hit the breakpoint and halt execution. Go back to IDA and find the General registers tab on the right side. In RBX there is an address value. Copy that value. (As you can see in my case the key lies at the address 1E221258560)
- Go into the hex view window on the bottom left.
- Hit 'G' in that window and enter the address you copied from the register RBX.
- You can read the key bytes.
(gTANb_lIQth/eb.utuoy//:sptth)
Thanks for all the helpful comments! Following @manjaroman2's instructions, I was able to retrieve the key (64 characters hex) on Windows, using x64dbg. IDA wasn't showing the function names, though, so I had to rely on the addresses he provided. I guess you need to do something else for that? Fortunately, everything was the same, even for the EA version. I just had to convert the relative address (displayed in IDA) to the address in memory (when running the application) before setting the breakpoint. Here's a guide. At breakpoint, the first address in rbx was the right one.
@jeuxdevilains can you tell me the key? I am a newbie, thanks
IDA does show the function names, but it needs some time to analyze. Even if IDA doesn't show them: the source code is available, and with all the logging going on, the 'strings' tab in IDA is very helpful.
@manjaroman2, the key I got (8671*****E849) is the same as you got by IDA, setting breakpoints in the function set_decode_key through searching the string "FileAccessEncrypted::open_and_parse", but I cannot get the code by GDRE tools; it is very, very strange. It's outrageous.
Thanks all. I have succeeded. I strongly agree that the 'strings' tab in IDA is very helpful.
Did GDRE work fine?
yes, the tool is very useful
I also get the key 867142......4CE849, but with GDRE version 0.6.2 it can't work correctly. How did you succeed with gdre? I will appreciate your response.
Can't this method find the encryption key now? I set a breakpoint on set_decrypt_key, read the register, and the value I got is wrong.
@fgknnc considering my GitHub account got banned after posting this, they prob noticed and changed the encryption method. My guess is that they use another version of Godot (more likely) or a custom version of the TLS lib or another encryption (less likely). The binary changed (due to an update of the game, the compiled binary changes), so the address I provided in my second post is not correct anymore. You'd also have to find the address again; this is in the case that nothing changed about the Godot version or the encryption. In any case: open IDA and find out yourself. If you want to get into reverse engineering, I learned it from YouTube (LiveOverflow etc.).