
Linux binary and ELF Parser #18

Open
bearlikelion wants to merge 3 commits into Titoot:main from bearlikelion:elf


bearlikelion commented Jan 24, 2026

Followup from #11 with feedback and additions.
Built an export using default templates from Godot 4.5.1, seemingly returns the same output for both Windows and Linux binaries.

Previous issue:
The ELF key scanner failed to find encryption keys in Linux Godot binaries, while the PE scanner worked correctly for Windows binaries. Debug logs showed:

  • Windows (PE): [find_lea] Found LEA at VA=0x14279126c - GOOD
  • Linux (ELF): [find_lea] No matching LEA instruction found. - BAD

ELF section headers contain absolute virtual addresses, unlike PE which uses RVAs relative to ImageBase. The code was adding a hardcoded base address (0x400000) to already-absolute section addresses, causing all VA calculations to be off by 0x400000.

GCC on Linux generates different code than MSVC on Windows:

| Compiler | Pattern | Example |
|---|---|---|
| MSVC (Windows) | LEA reg, [rip+disp32] | 48 8D 05 xx xx xx xx |
| GCC (Linux) | MOV r32, imm32 | 41 B8 xx xx xx xx |

For non-PIE binaries where addresses fit in 32 bits, GCC uses direct immediate loads instead of RIP-relative LEA instructions.

Changes

src/elf/elf_image.cpp

  • Set m_base_address = 0 for ET_EXEC binaries since section VAs are already absolute

src/elf/elf_patterns.cpp

  • Added MOV r32, imm32 pattern support (5-byte and 6-byte forms)
  • Fixed REX prefix matching: rex == 0x48 → (rex & 0xF8) == 0x48
  • Removed .bss from data section filter (encryption keys are in .data)
  • Fixed text_va_base calculation to use section VA directly

src/elf/elf_scanner.cpp

  • Increased search window from 4KB to 64KB for key blob detection

src/pe/pe_patterns.cpp

  • Applied same REX prefix fix for consistency

Testing

Windows Binary

./build/keydot /mnt/Storage/Godot/Source/GodotXor/bin/release_build_46.exe
Godot Engine version: 4.5.1.stable.official
Anchor           : Can't open encrypted pack directory.
String VA00000000: 0x144D78BE0
LEA at00000000000: 0x14279126C
off_* qword VA000: 0x14492E310
Blob VA0000000000: 0x14492E310
32-byte (hex)    : 0000000000000000000000000000000000000000000000000000000000000000

Linux Binary

./build/keydot /mnt/Storage/Godot/Source/GodotXor/bin/release_build_46.x86_64
Godot Engine version: 4.5.1.stable.official
Anchor           : Can't open encrypted pack directory.
String VA00000000: 0x3FD0270
LEA at00000000000: 0x2C4A0F5
off_* qword VA000: 0x46E1888
Blob VA0000000000: 0x46E1888
32-byte (hex)    : 0000000000000000000000000000000000000000000000000000000000000000
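
The two instruction patterns and the base-address issue described in this pull request, as an added C++ example that is not code from the PR or from the keydot source. The names `ref_target`, `find_ref`, `kSample` and `kTextVa`, and the sample bytes and addresses, are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// 32-bit read without alignment assumptions (assumes a little-endian host).
static uint32_t rd32(const uint8_t* p) { uint32_t v; std::memcpy(&v, p, 4); return v; }

// If the bytes at p (located at virtual address va) match one of the two
// reference patterns, return the absolute address the instruction refers to.
std::optional<uint64_t> ref_target(const uint8_t* p, size_t n, uint64_t va) {
    // LEA r64, [rip+disp32]: REX.W prefix, 8D, ModRM with mod=00 and rm=101.
    // (rex & 0xF8) == 0x48 accepts 0x48..0x4F, so 4C 8D (r8..r15) matches too.
    if (n >= 7 && (p[0] & 0xF8) == 0x48 && p[1] == 0x8D && (p[2] & 0xC7) == 0x05)
        return va + 7 + static_cast<int64_t>(static_cast<int32_t>(rd32(p + 3)));
    // MOV r32, imm32, 5-byte form: B8+r imm32 (eax..edi).
    if (n >= 5 && (p[0] & 0xF8) == 0xB8)
        return rd32(p + 1);
    // 6-byte form: REX prefix with W clear (0x40..0x47), then B8+r imm32.
    if (n >= 6 && (p[0] & 0xF8) == 0x40 && (p[1] & 0xF8) == 0xB8)
        return rd32(p + 2);
    return std::nullopt;
}

// Byte-wise scan of a code section for the first instruction referencing
// `target`. text_va must be the section's real virtual address: sh_addr as-is
// for a non-PIE ELF, ImageBase + RVA for PE.
std::optional<uint64_t> find_ref(const std::vector<uint8_t>& text,
                                 uint64_t text_va, uint64_t target) {
    for (size_t i = 0; i < text.size(); ++i) {
        auto t = ref_target(text.data() + i, text.size() - i, text_va + i);
        if (t && *t == target) return text_va + i;
    }
    return std::nullopt;
}

// Constructed sample section, assumed to be mapped at 0x401000.
const std::vector<uint8_t> kSample = {
    0x90,                                      // nop
    0x4C, 0x8D, 0x05, 0xF8, 0x0F, 0x00, 0x00,  // lea r8, [rip+0xFF8] -> 0x402000
    0x41, 0xB8, 0x00, 0x30, 0x40, 0x00,        // mov r8d, 0x403000
    0xC3,                                      // ret
};
const uint64_t kTextVa = 0x401000ULL;

int main() {
    return find_ref(kSample, kTextVa, 0x402000ULL) == 0x401001ULL ? 0 : 1;
}
```

Passing `kTextVa + 0x400000` as the section address makes the RIP-relative lookup miss, because the computed target shifts by the same amount, while the absolute `MOV` immediate still matches but is reported at the wrong address.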
