Gizmo III

Hard

Malware Reverse Engineering

Overview

You’ve uncovered a mysterious Godot game executable that hides its true content behind encrypted resources. Your task is to dig into the game’s internals, uncover how its data is protected, and peel back the layers of encryption to access what’s hidden inside. Along the way, you’ll explore how game engines safeguard their assets, how encryption keys are embedded and used, and how reversing can reveal the secrets tucked away in compiled binaries. Your goal is to unlock the game’s concealed script and retrieve the flag waiting inside.

flag format:

flag{***_*_******_****_**_*******_***_*****}

Lab Details

Prerequisites & Requirements

  • Godot Engine & Web Exports:
    • Understanding how Godot exports games to the web using WebAssembly (WASM) and WebGL.
    • Knowledge of the Template System: how Godot uses pre-compiled binaries ("export templates") to package games.
    • Familiarity with Godot's AES-256 Script Encryption mechanism and how it embeds the key into the binary during compilation.
  • WebAssembly (WASM) Analysis:
    • Understanding the structure of .wasm files.
    • Recognizing the limitations of standard WASM decompilers (like wabt) when dealing with threaded or large binaries.
  • Build Automation (CI/CD):
    • Proficiency with GitHub Actions to automate complex compilation tasks.
    • Familiarity with SCons (Godot's build system) and Emscripten (the C++ to WASM compiler toolchain).

What will you learn?

  • Advanced Artifact Recreation:
    • Reference Build Analysis: Learning how to compile a custom Godot Engine export template from source with a known encryption key.
    • Using this custom build as a "Rosetta Stone" to identify the byte signature or memory offset where the encryption key is stored, allowing you to locate the unknown key in the target binary.
  • Automated Cross-Compilation:
    • Setting up a GitHub Actions Workflow to handle the heavy lifting of compiling the Godot Engine for the Web platform.
    • Configuring the build environment with Emscripten SDK, Python, and SCons to patch the engine source code with a specific encryption key.
  • Overcoming Decompilation Failures:
    • Developing strategies for when standard tools (like wabt or wasm2c) fail due to file size or specific flags (e.g., "memory may not be shared").
  • Asset Decryption:
    • Using the extracted key to decrypt the proprietary .pck file using gdsdecomp and recovering the original GDScript source code.
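The "Rosetta Stone" step above can be scripted once the reference build exists. The following is an added example, not part of the lab or of gdsdecomp: it takes a reference binary built with a known 32-byte key, finds where that key lives, records the bytes immediately before and after it as a signature, and then looks for the same signature in the target to read out the unknown key. It assumes the key is stored as one contiguous 32-byte blob in both builds, and it works on constructed stand-in byte strings rather than real Godot wasm exports; the helper `make_fake_binary`, the marker bytes and both keys are made up here to exercise the same-offset fast path and the shifted-layout fallback.

```python
"""Rosetta-stone key recovery: diff a reference build with a known key against a target."""
from __future__ import annotations

KEY_LEN = 32  # Godot's script encryption key is AES-256, i.e. 32 bytes


def find_key_offsets(blob: bytes, key: bytes) -> list[int]:
    """Every offset at which `key` occurs in `blob` (must be exactly one to be useful)."""
    offsets, start = [], 0
    while (i := blob.find(key, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def build_signature(reference: bytes, key_offset: int, context: int = 16) -> tuple[bytes, bytes]:
    """The bytes immediately before and after the key in the reference build."""
    before = reference[max(0, key_offset - context):key_offset]
    after = reference[key_offset + KEY_LEN:key_offset + KEY_LEN + context]
    return before, after


def keys_by_signature(target: bytes, before: bytes, after: bytes) -> list[bytes]:
    """Candidate 32-byte keys in `target` that are bracketed by the reference signature."""
    candidates, start = [], 0
    while (i := target.find(before, start)) != -1:
        key_start = i + len(before)
        key_end = key_start + KEY_LEN
        if target[key_end:key_end + len(after)] == after:
            candidates.append(target[key_start:key_end])
        start = i + 1
    return candidates


def recover_key(reference: bytes, known_key: bytes, target: bytes, context: int = 16) -> bytes | None:
    """Locate the key in `reference`, then read the key at the matching spot in `target`."""
    offsets = find_key_offsets(reference, known_key)
    if len(offsets) != 1:
        raise ValueError(f"known key must appear exactly once in the reference, found {len(offsets)}")
    off = offsets[0]
    before, after = build_signature(reference, off, context)
    # Fast path: both builds share a layout, so the key sits at the same offset.
    same_before = target[off - len(before):off]
    same_after = target[off + KEY_LEN:off + KEY_LEN + len(after)]
    if same_before == before and same_after == after:
        return target[off:off + KEY_LEN]
    # Fallback: toolchain differences shifted the data section; search by signature.
    candidates = keys_by_signature(target, before, after)
    return candidates[0] if len(candidates) == 1 else None


# Constructed stand-in for a wasm export (not a real Godot binary): wasm magic,
# filler "code", an optional shift, then the key bracketed by fixed marker bytes.
def make_fake_binary(key: bytes, shift: int = 0) -> bytes:
    assert len(key) == KEY_LEN
    magic = b"\x00asm\x01\x00\x00\x00"
    code = bytes((i * 7 + 3) & 0xFF for i in range(1024))
    marker_before = b"\xde\xad\xbe\xef" * 4
    marker_after = b"\xca\xfe\xba\xbe" * 4
    return magic + code + b"\x7f" * shift + marker_before + key + marker_after + b"\x00" * 64


KNOWN_KEY = bytes(range(0x10, 0x30))                               # key the reference was built with
SECRET_KEY = bytes(((i * 13) + 0x42) & 0xFF for i in range(32))    # unknown to the analyst
REFERENCE = make_fake_binary(KNOWN_KEY)
TARGET_SAME_LAYOUT = make_fake_binary(SECRET_KEY)
TARGET_SHIFTED = make_fake_binary(SECRET_KEY, shift=37)

if __name__ == "__main__":
    for name, target in (("same layout", TARGET_SAME_LAYOUT), ("shifted", TARGET_SHIFTED)):
        key = recover_key(REFERENCE, KNOWN_KEY, target)
        print(f"{name}: {key.hex() if key else 'not found'}")
```

Two checks matter in practice: the known key must occur exactly once in the reference (a build with no key set stores 32 zero bytes, which match everywhere), and a single signature hit in the target is the only result worth trusting; zero or several hits mean the context window needs widening or the reference toolchain does not match the target's closely enough.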

Tools

  • GitHub Actions:
    • Used as a Remote Build Server. Since compiling Godot from source (especially for Web/WASM) is resource-intensive and requires a complex environment (Emscripten), a CI/CD pipeline is used to build a reference binary with a known key.
  • Godot Engine Source Code:
    • The raw C++ code of the engine, modified/patched via the CI script to include the SCRIPT_AES256_ENCRYPTION_KEY.
  • Emscripten (emsdk):
    • The toolchain required to compile the C++ Godot source code into the WebAssembly (.wasm) format.
  • gdsdecomp:
    • The Godot reverse engineering tool used to extract and decrypt the contents of the .pck file once the key is recovered.
  • WABT (The WebAssembly Binary Toolkit):

Job Positions

Malware Analyst

Tags

Static Analysis, Malware Analysis, Decompiler, Unpacking, Strings, Code Flow, Cryptor