# 09 — Tool: GMD-Recovery (VBGAMER45)

**Repo**: `github.com/VBGAMER45/GMD-Recovery`
**Language**: Visual Basic 6.0 (open source)
**Target**: GameMaker 4.3 → 5.3a `.exe` files
**Method**: Dynamic memory injection + key brute-force

The historically vital decompiler for the 5.x era. Exploits the runner-as-oracle flaw documented in [02-encryption](02-encryption.md).

## Operational methodology

1. **Process initialization** — user manually launches target `.exe`. OS loads obfuscated runner into RAM.
2. **Memory hooking** — GMD-Recovery uses Win32 API to attach a debugger hook to the running process via "Attach Process".
3. **Base-address identification** — calculates lower + upper bounds of executable's virtual memory allocation.
4. **Key brute-force / heuristics** — as the runner natively decrypts the appended payload to load assets, the original `.gmd` structure is briefly exposed in RAM. GMD-Recovery scans the dump, identifies the XOR key (static or dynamic), reverse-engineers the cipher matrix.
   - Lookup tables shipped in repo: `bruteforcekey.txt`, `bothkey.txt`, `final50.txt`, `final51.txt`. These match known plaintext headers against ciphertext.
5. **Payload reconstruction** — once key is recovered, "Open Exe" applies it to the on-disk file, severs the payload from the runner stub, writes a clean valid `.gmd`.

## Fallback modules (when structural decryption fails)

For corruption cases, GMD-Recovery includes raw byte-carving:

- **Bmp Extractor** — scans memory for BMP magic header.
- **Wav Extractor** — scans memory for `52 49 46 46` (`RIFF`) WAV magic.

These bypass the `.gmd` logical structure entirely. Recovers art + audio only — total loss of GML, rooms, objects, variables.
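The carving approach described above, sketched in Python as an added example (not GMD-Recovery's VB6 code). The page only says the extractors scan for magic headers; validating the size fields to reject decoy hits is an assumption added here, `BM` is the standard BMP magic, and the "dump" is a constructed sample.

```python
import struct

BMP_DIB_SIZES = {12, 40, 52, 56, 108, 124}  # known DIB header lengths

def carve_wav(buf):
    """Yield (offset, bytes) for each RIFF/WAVE file whose size field fits in buf."""
    pos = buf.find(b"RIFF")
    while pos != -1:
        step = 1
        if buf[pos + 8:pos + 12] == b"WAVE":
            (chunk,) = struct.unpack_from("<I", buf, pos + 4)  # bytes after size field
            if chunk >= 4 and pos + 8 + chunk <= len(buf):
                yield pos, buf[pos:pos + 8 + chunk]
                step = 8 + chunk  # skip past the carved file
        pos = buf.find(b"RIFF", pos + step)

def carve_bmp(buf):
    """Yield (offset, bytes) for each 'BM' hit whose header fields are consistent."""
    pos = buf.find(b"BM")
    while pos != -1:
        step = 1
        if pos + 18 <= len(buf):
            # file size, reserved (must be 0), pixel-data offset, DIB header size
            size, reserved, pix_off, dib = struct.unpack_from("<IIII", buf, pos + 2)
            if (reserved == 0 and dib in BMP_DIB_SIZES
                    and 14 + dib <= pix_off <= size and pos + size <= len(buf)):
                yield pos, buf[pos:pos + size]
                step = size
        pos = buf.find(b"BM", pos + step)

def carve(buf):
    """Return (kind, offset, length) records for everything recovered, by offset."""
    hits = [("wav", o, len(d)) for o, d in carve_wav(buf)]
    hits += [("bmp", o, len(d)) for o, d in carve_bmp(buf)]
    return sorted(hits, key=lambda h: h[1])

# Constructed sample standing in for a memory dump: padding, decoy magics,
# one minimal 8-bit mono WAV and one 1x1 24-bit BMP.
_pcm = (b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
        + b"data" + struct.pack("<I", 4) + b"\x80" * 4)
SAMPLE_WAV = b"RIFF" + struct.pack("<I", 4 + len(_pcm)) + b"WAVE" + _pcm
SAMPLE_BMP = (b"BM" + struct.pack("<IHHI", 58, 0, 0, 54)
              + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
              + b"\x00\x00\xff\x00")
SAMPLE_DUMP = b"\x00" * 16 + b"RIFFjunkBMxx" + SAMPLE_WAV + b"\xcc" * 7 + SAMPLE_BMP + b"BM"

if __name__ == "__main__":
    for kind, offset, length in carve(SAMPLE_DUMP):
        print(f"{kind} at 0x{offset:x}, {length} bytes")
```

The decoy `RIFF` and `BM` strings in the sample are skipped because their header fields do not validate, which is the main source of noise when carving a real dump.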

## When to use

- Static decompilation ([10-tool-gm-decompiler-v21](10-tool-gm-decompiler-v21.md)) failed.
- `.exe` is wrapped in UPX or other packer that defeats static analysis.
- You have a sandboxed Windows XP VM available (recommended — running unknown legacy code is risky).

## When NOT to use

- Untrusted binary on a host you care about → prefer static tool.
- No ability to run WinXP → tool requires the runner to actually execute.

## See also

- [02-encryption](02-encryption.md) — the flaw being exploited
- [10-tool-gm-decompiler-v21](10-tool-gm-decompiler-v21.md) — safer static alternative
- [15-extraction-pipeline](15-extraction-pipeline.md) — Rank 3 method
