From what I hear it's not GoG who set this password but it's automatically generated by Inno Setup.
Except from using brute force, there are not any tools that would allow you to find the password; IMHO it would probably be easier to try to find the password in the EXE or using a debugger rather than trying to brute force it.

By the way, which games exactly are affected by this? I just extracted Indiana Jones and the Fate of Atlantis with innoextract just fine.

From the first glance at the source it appears that innoup would need that password to be provided explicitly, so I'm not sure how it can work otherwise. So far I don't know what to test it on. What installers are actually affected by this junk?

While examining innounp or the InnoSetup source is likely to be the more fruitful route, I get the impression you're overselling the amount of assembly knowledge needed. The most obvious approach would require it, certainly, but I don't think that's the only one.

(Disclaimer: I'm not an expert in this sort of thing)

Both InnoSetup and UnRAR have source available, which opens up a lot of avenues for making a custom build specifically designed to aid in drawing inferences about the layout of the code in another build. (Maybe even generating debugging symbols for the GOG installer, if you can find the right compilers and settings to produce identical code, but with a symbols file alongside.)

Heck, I don't remember how InnoSetup handles things but, if it's using the InstallShield "stub unpacks the installer to temp folder" approach and unrar is handled via unrar.dll, then you should be able to use whatever mechanism is employed by LD_PRELOAD and its Windows equivalent to find the "set extraction password" function.

Once you've got that, GDB supports reverse debugging, which might allow you to follow the password back in time to its source.

I see from the innoextract bug that Divinity Original Sin is affected. Did anyone try to unpack it using innoup? I didn't buy it yet (waiting for the Linux version) and it's too expensive to buy it just for debugging purposes. What other games are affected?
So far I'm not entirely convinced that innoup can do that for archives with a password without knowing it. I want to test it first. From the code it appears to ask for that password explicitly.

If the game wasn't such a huge download I'd download it to test it out but I can't spare that much bandwidth atm. If there's a smaller game just name it :D

Ditto. I don't own Original Sin for similar reasons (price and lack of Linux version) but I do own over 60% of GOG's catalog and I download and make a DVD+R backup of every update that gets posted, so I should have something.

I wonder if it's just new games that are affected? So something released recently can be the case. And I doubt Larian asked GOG to include that password in the installer. It must be GOG's oversight. Probably innosetup allows disabling all those passwords during archive creation.

We should get GOG to comment on this somehow.

Asked the question here. Feel free to add your details.

Thanks, I’m going to report there ;)

Yep, I don't own it. Can you please test unpacking it with innounp? Just run it in Wine. If it works without asking that password it means innounp can somehow deduce it from the package itself.

Done.
innounp fails silently to extract the game data, the same way innoextract do.

OK, so it proves that it's not a solution and password is not deduced. There is something fishy going on in innosetup step.