# 02 — Cryptographic Obfuscation & the Runner-Oracle Flaw

## Cipher type

Stream cipher applied to the appended `.gmd` payload: **bitwise XOR** with a key that is either:

- Statically seeded (deterministic per IDE build), or
- Dynamically generated per session (still recoverable from runtime memory).

Goal of the cipher = stop trivial archiver inspection. Not cryptographically robust.

## The fundamental flaw: runner is its own decryption oracle

The runner stub **must** decrypt the payload at startup to run the game. Therefore:

- The unencrypted XOR key sequence **must** exist in active memory during execution.
- The fully decrypted `.gmd` payload **must** transit through RAM.

So: launch the game in a debugger / memory-dumper → key + plaintext are both visible. Encryption algorithm itself does not need to be cracked. This is the entire premise of dynamic decompilation. See [09-tool-gmd-recovery](09-tool-gmd-recovery.md).

## Static-attack alternative

Because XOR keys often repeat or follow a known pattern, **known-plaintext attacks** work statically:

- `.gmd` headers contain predictable magic bytes / strings.
- `cipherbyte ^ knownplainbyte = keybyte` recovers each key byte without executing the runner; a predictable header longer than the key period yields the whole repeating key.
- GMD-Recovery's repository ships explicit lookup tables: `bruteforcekey.txt`, `bothkey.txt`, `final50.txt`, `final51.txt`. See [09-tool-gmd-recovery](09-tool-gmd-recovery.md).
- GM Decompiler v2.1 uses pure static algorithmic key derivation (no execution). See [10-tool-gm-decompiler-v21](10-tool-gm-decompiler-v21.md).
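As an added example (not code from this note, GMD-Recovery or GM Decompiler), the known-plaintext relation above carried through on a constructed blob: a made-up 16-byte header stands in for the predictable magic bytes, an 8-byte repeating key is chosen for the demo, and the key period and key are recovered purely from ciphertext and the assumed header. The header bytes, key and file layout are all assumptions for the demonstration and are not the real `.gmd` magic or any IDE's actual key.

```python
from typing import Optional, Tuple

# Constructed sample: a fake header standing in for the predictable bytes at
# the start of a payload. NOT the real .gmd magic; an assumption for the demo.
KNOWN_HEADER = b"GAMEPAYLOAD\x00\x01\x00\x00\x00"   # 16 bytes

# Constructed 8-byte key with no shorter internal period (demo assumption).
SAMPLE_KEY = b"\x5a\xc3\x19\x7e\x21\x84\xf0\x3d"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(ciphertext: bytes, known_plaintext: bytes,
                     max_len: int = 64) -> Optional[int]:
    """Derive the key stream over the known region (cipher ^ plain) and return
    the smallest period it repeats with. The known prefix must span at least
    two key periods for the period to be confirmed rather than guessed."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return None


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """cipherbyte ^ knownplainbyte = keybyte, for one full key period."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key period")
    return bytes(c ^ p for c, p in
                 zip(ciphertext[:key_len], known_plaintext[:key_len]))


def build_sample_blob(key: bytes) -> Tuple[bytes, bytes]:
    """Constructed plaintext (header + some asset-like names + filler) and its
    XOR-obfuscated form."""
    body = KNOWN_HEADER + b"room0\x00sprite_player.bmp\x00" + bytes(range(64))
    return body, xor_with_key(body, key)


def demo() -> dict:
    """Recover period and key from ciphertext plus the assumed header only,
    then confirm the recovered key decrypts the whole blob."""
    plain, cipher = build_sample_blob(SAMPLE_KEY)
    period = guess_key_length(cipher, KNOWN_HEADER)
    key = recover_key(cipher, KNOWN_HEADER, period)
    return {
        "key_len": period,
        "key": key,
        "plaintext_matches": xor_with_key(cipher, key) == plain,
    }


if __name__ == "__main__":
    print(demo())
```

The point for anyone relying on such a scheme: a longer key only raises the amount of predictable header needed (roughly twice the period), not the difficulty, and a per-session key changes nothing because the runner still holds it in memory. Obfuscation of this kind deters casual archiver inspection and nothing more, which is exactly the claim the note makes.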

## Practical attack tree

```
Have .exe?
├── Want safety (no execution)? → GM Decompiler v2.1 (static)
├── Heavy outer packer (UPX, etc.)? → GMD-Recovery (dynamic, in sandboxed XP VM)
└── Only assets needed, structure trashed? → raw byte-carving (BMP/WAV magic headers)
```

## See also

- [01-runner-architecture](01-runner-architecture.md) — why the oracle exists
- [09-tool-gmd-recovery](09-tool-gmd-recovery.md) — dynamic memory attack
- [10-tool-gm-decompiler-v21](10-tool-gm-decompiler-v21.md) — static attack
- [15-extraction-pipeline](15-extraction-pipeline.md)
