Private Key embedded in executable

:information_source: Attention Topic was automatically imported from the old Question2Answer platform.
:bust_in_silhouette: Asked By skovborg

Hello devs.

I was just casually looking through the hex code of the executable of a game on Steam, and found something quite precarious. See the image.

I suspect that this is from the Steam integration, and talking with the developer of said game, who said that he does not have an RSA key himself, I figured the bug likely resides with the Engine, hence the question.

Either way, I’m rather sure that the .exe file is not a place to store a private key, let alone in plain text.

img: Imgur: The magic of the Internet

:bust_in_silhouette: Reply From: Calinou

The Steam integration is not official – it’s maintained by a third party.

As for script encryption or PCK encryption (which the game you mentioned doesn’t seem to use)*, the decryption key has to be stored somewhere. It’s physically impossible to have the decryption key not be readable somehow – otherwise, it would be impossible for the game to decrypt the PCK in the first place.

*: The game doesn’t use script encryption or PCK encryption because these use an AES key (symmetric encryption), not RSA (asymmetric encryption).

:bust_in_silhouette: Reply From: Akien

As further discussed in “Embedded RSA private key in source code” (Issue #240, CoaguCo-Industries/GodotSteam on GitHub), which turned out not to be related to GodotSteam in the end, this is a false positive.

This private key is part of mbedTLS’ testing framework; it’s not an actual private key used in production, but one made specifically for the library to test its own capabilities.

No Godot code actually uses it, so it should be optimized away by the linker and indeed it can’t be found in official standard (non-Mono) binaries built with target=release_debug use_lto=yes. For some reason official Mono builds do still include it. I’ll look into it, but there’s no security issue here.
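
The check described in this thread (does a shipped binary still contain a PEM private key, and is it only a known test fixture?) can be automated for your own build artifacts. The following is an added example, not part of the original thread and not Godot or mbedTLS code; `make_pem`, the sample blob and the fingerprint set are constructed for illustration, and a real allowlist is assumed to be computed from the library's published test keys.

```python
import base64
import hashlib
import re

# PEM armor for unencrypted/encrypted private keys; the body is base64 plus CR/LF,
# which is how a PEM string literal appears once compiled into a binary.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----"
    rb"([A-Za-z0-9+/=\r\n]+?)"
    rb"-----END \1-----"
)

def find_embedded_keys(blob: bytes):
    """Return (offset, label, sha256 of decoded body) for each PEM private key."""
    findings = []
    for m in PEM_RE.finditer(blob):
        body = re.sub(rb"[\r\n]", b"", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # armor-like text without a valid base64 body
            continue
        findings.append((m.start(), m.group(1).decode(), hashlib.sha256(der).hexdigest()))
    return findings

def triage(blob: bytes, known_test_fingerprints: set):
    """Split findings into known test fixtures and keys that need investigation."""
    known, unknown = [], []
    for finding in find_embedded_keys(blob):
        (known if finding[2] in known_test_fingerprints else unknown).append(finding)
    return known, unknown

def make_pem(label: str, payload: bytes) -> bytes:
    """Build a PEM block around constructed bytes (sample data only)."""
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + base64.encodebytes(payload) + b"-----END " + tag + b"-----\n"

# Constructed sample: a fake executable image with two PEM blocks. Neither payload is a real key.
FIXTURE = b"constructed test-fixture bytes, not a real key"
OTHER = b"constructed second payload, also not a real key"
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 16 + make_pem("RSA PRIVATE KEY", FIXTURE)
               + b"\x00padding\x00" + make_pem("PRIVATE KEY", OTHER))
# Assumption: in real use these fingerprints are computed from the library's published test keys.
KNOWN_TEST_FINGERPRINTS = {hashlib.sha256(FIXTURE).hexdigest()}

if __name__ == "__main__":
    known, unknown = triage(SAMPLE_BLOB, KNOWN_TEST_FINGERPRINTS)
    for offset, label, digest in known:
        print(f"known test fixture  0x{offset:x}  {label}  {digest[:16]}")
    for offset, label, digest in unknown:
        print(f"NEEDS REVIEW        0x{offset:x}  {label}  {digest[:16]}")
```

Run as a release gate, a non-empty "needs review" list fails the build, while a known test fixture is reported as dead weight that the linker did not strip.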