Gizmo II
Difficulty: Medium
Category: Malware Reverse Engineering
Overview
You’ve uncovered a mysterious Godot game executable that hides its true content behind encrypted resources. Your task is to dig into the game’s internals, uncover how its data is protected, and peel back the layers of encryption to access what’s hidden inside. Along the way, you’ll explore how game engines safeguard their assets, how encryption keys are embedded and used, and how reversing can reveal the secrets tucked away in compiled binaries. Your goal is to unlock the game’s concealed script and retrieve the flag waiting inside.
flag format: flag{}
Lab Details
Prerequisites & Requirements
- Godot Engine Internals:
- Understanding how Godot handles Script Encryption and the role of the .pck file format.
- Knowledge of how game engines embed resources and how gdsdecomp interacts with them.
- C++ & Source Code Analysis:
- Ability to read open-source C++ code (specifically the Godot Engine source on GitHub) to identify the specific function signatures and variable names (e.g., script_encryption_key) that handle decryption.
- Reverse Engineering & Debugging:
- Proficiency with IDA Pro (or similar disassemblers) to navigate the binary.
- Understanding x86/x64 Assembly to identify how arguments are passed to functions.
- Experience with Dynamic Debugging (setting breakpoints, stepping through code) to inspect memory registers at runtime.
- Cryptography Basics:
- Understanding AES Encryption concepts (specifically AES-256) to recognize what a 256-bit key looks like in memory or static data sections.
What will you learn?
- Cryptographic Key Extraction:
- Learning how to extract AES-256 encryption keys embedded within a compiled binary.
- Source-Code-Assisted Reversing: using the official Godot source code as a map to find specific routines (like get_script_encryption_key) inside the target executable.
- Hybrid Analysis Techniques:
- Combining Static Analysis (finding string references and functions in IDA) with Dynamic Analysis (hooking/breaking at the function call) to dump the key from memory.
- Decryption & Unpacking:
- Learning how to bypass asset protection by feeding the recovered key back into tooling (gdsdecomp) to unlock and decompile the hidden scripts.
Tools
- IDA Pro:
- Used for both Static and Dynamic Analysis. It allows you to search for string constants associated with Godot's encryption routines, view the assembly to locate the script_encryption_key variable, and set breakpoints to retrieve the key during execution.
- gdsdecomp (Godot Decompiler):
- The specialized tool used to reverse the Godot package. Unlike the previous level, this tool is used here with the --key argument to decrypt the protected resources before decompiling PlayerMovement.gdscript.
- Godot Engine Source Code (GitHub):
- Used as a reference manual to locate the specific C++ implementation details of the encryption mechanism, providing the search terms needed to find the relevant code in IDA.
Job Positions
Malware Analyst
Tags
IDA Pro, Debugger, Static Analysis, Dynamic Analysis, Malware Analysis, Assembly, Disassembler, Decompiler, Strings, Unpacking, Obfuscation, Cryptor, Code Flow