AES Key Dumping - GHFear/AESDumpster GitHub Wiki

UE 4.0 - 5.1

To dump the AES key from an Unreal Engine 4.0 -> 5.1 game, read it from memory by hooking `DecryptData()` with MinHook.

  1. First you need to hook `DecryptData()`, which can be found in `/Engine/Source/Runtime/Core/Private/Misc/AES.cpp`:

     ```cpp
     void FAES::DecryptData(uint8* Contents, uint32 NumBytes, const uint8* KeyBytes, uint32 NumKeyBytes)
     ```

  2. Then you dump the key from the data pointer `const uint8* KeyBytes` by reading `uint32 NumKeyBytes` bytes of memory from that location.

UE 4.0 - 5.1 Method 2

To dump the AES key from an Unreal Engine 4.0 -> 5.1 game:

  1. First you need to hook `rijndaelSetupEncrypt()`, which can be found in `/Engine/Source/Runtime/Core/Private/Misc/AES.cpp`:

     ```cpp
     static int32 rijndaelSetupEncrypt( uint32* rk, const uint8* key, int32 keybits )
     ```

  2. Then you dump the key from the data pointer `const uint8* key` by reading `keybits / 8` bytes of memory from that location (`int32 keybits` is the key length in bits).

UE 5.2 -> 5.5

To dump the AES key from an Unreal Engine 5.2 -> 5.5 game:

  1. First you need to hook `AesDecryptExpand()`, which can be found in `/Engine/Source/Runtime/Core/Private/Misc/AES.cpp`:

     ```cpp
     static inline void AesDecryptExpand(FAesExpandedKey* DecryptKey, const uint8* Key)
     ```

  2. Then you dump the key from the data pointer `const uint8* Key` by reading `256 / 8` bytes of memory from that location.

CryptoPP

To dump the AES key from an application using CryptoPP AES encryption:

  1. First you need to hook `UncheckedSetKey()`, which can be found in https://github.com/weidai11/cryptopp/blob/master/rijndael.cpp:

     ```cpp
     void Rijndael::Base::UncheckedSetKey(const byte *userKey, unsigned int keyLen, const NameValuePairs &)
     ```

  2. Then you dump the key from the data pointer `const byte *userKey` by reading `keyLen / 8` bytes of memory from that location.

OpenSSL < 3.0

To dump the AES key from an application using OpenSSL < 3.0 AES encryption:

  1. First you need to hook `AES_set_encrypt_key()`, which can be found in https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/aes/aes_core.c:

     ```c
     int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
     ```

  2. Then you dump the key from the data pointer `const unsigned char *userKey` by reading `bits / 8` bytes of memory from that location (`const int bits` is the key length in bits).

GNU gcrypt / Libgcrypt

To dump the AES key from an application using GNU gcrypt / Libgcrypt AES encryption:

  1. First you need to hook `do_setkey()`, which can be found in https://github.com/Chronic-Dev/libgcrypt/blob/master/cipher/rijndael.c:

     ```c
     static gcry_err_code_t do_setkey(RIJNDAEL_context *ctx, const byte *key, const unsigned keylen)
     ```

  2. Then you dump the key from the data pointer `const byte *key` by reading `keylen / 8` bytes of memory from that location.

matt-wu AES

To dump the AES key from an application using matt-wu AES encryption:

  1. First you need to hook `aes_encrypt()`, which can be found in https://github.com/matt-wu/AES/blob/master/rijndael.c:

     ```c
     int aes_encrypt(AES_CYPHER_T mode, uint8_t *data, int len, uint8_t *key)
     ```

  2. Then you dump the key from the data pointer `uint8_t *key` by reading the memory at that location.

  3. The key length is not passed as an argument; derive it from the `mode` argument (`AES_CYPHER_T mode`), which indexes this table of key sizes in bits:

     ```c
     int g_aes_key_bits[] = { 128, 192, 256, };
     ```

  4. Finally, log the key using the key length for that mode: `log_aes_key(key, g_aes_key_bits[mode]);`
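Every method on this page works by inline-hooking a key-setup function, and the trace it leaves is visible from the other side: the patched prologue now jumps out of the game's image. The following is an added example, not AESDumpster's own code, of the integrity check an anti-tamper or incident-response tool can run over the functions named above; the image base, size and function address are hypothetical constants and the two prologue byte strings are constructed, not taken from a real binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Inline hook libraries such as MinHook overwrite a function's first bytes with a
 * jump to a trampoline or detour outside the game's own image, so the prologue of
 * the key-setup functions named on this page is a cheap integrity check (x64 only). */
typedef enum { PROLOGUE_CLEAN = 0, PROLOGUE_JMP_REL32, PROLOGUE_JMP_ABS } prologue_kind_t;
/* Classify the prologue bytes read from virtual address code_addr and, for a
 * jump, store its destination in *target (0 when clean). */
prologue_kind_t classify_prologue(const uint8_t *code, size_t len,
                                  uint64_t code_addr, uint64_t *target)
{
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {                        /* JMP rel32 */
        uint32_t u = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                     ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
        *target = code_addr + 5 + (uint64_t)(int64_t)(int32_t)u;
        return PROLOGUE_JMP_REL32;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&    /* MOV RAX, imm64 */
        code[10] == 0xFF && code[11] == 0xE0) {                /* JMP RAX        */
        for (int i = 7; i >= 0; i--) *target = (*target << 8) | code[2 + i];
        return PROLOGUE_JMP_ABS;
    }
    return PROLOGUE_CLEAN;
}
/* Convenience wrapper: the resolved jump destination, or 0 for a clean prologue. */
uint64_t hook_target(const uint8_t *code, size_t len, uint64_t code_addr)
{
    uint64_t target;
    classify_prologue(code, len, code_addr, &target);
    return target;
}
/* True when the prologue has been redirected outside the owning module's
 * [image_base, image_base + image_size) range. */
bool prologue_redirected_outside(const uint8_t *code, size_t len, uint64_t code_addr,
                                 uint64_t image_base, uint64_t image_size)
{
    uint64_t target = hook_target(code, len, code_addr);
    return target != 0 && (target < image_base || target >= image_base + image_size);
}
/* Constructed samples, not taken from any real binary; addresses are hypothetical. */
static const uint64_t SAMPLE_BASE = 0x140000000ULL, SAMPLE_SIZE = 0x01000000ULL;
static const uint64_t SAMPLE_FUNC = 0x140001000ULL;           /* where DecryptData would sit */
/* Untouched MSVC x64 entry: mov [rsp+8], rbx ; push rdi */
static const uint8_t SAMPLE_CLEAN[]  = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57 };
/* Same entry after an inline hook: jmp +0x10000000, far past the image end */
static const uint8_t SAMPLE_HOOKED[] = { 0xE9, 0x00, 0x00, 0x00, 0x10, 0x57 };
```

In a real check the bytes come from reading the live function entry (or comparing it against the on-disk image section), and a jump whose destination lies in a module that is not the game executable is the signal to act on.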