Hello Ren,
The easiest way would probably be to get the encrypted value from the config XML or the pipeline config API and use the cipher.aes file (usually in /etc/go) and run a test such as this:
https://github.com/gocd/gocd/blob/bc5413918eb9c792352710a4b6b79c64cea4f439/config/config-api/src/test/java/com/thoughtworks/go/security/AESEncrypterTest.java#L51
The code which does the decryption is here:
https://github.com/gocd/gocd/blob/bc5413918eb9c792352710a4b6b79c64cea4f439/config/config-api/src/main/java/com/thoughtworks/go/security/AESEncrypter.java#L81
It's standard AES which should be reproducible.
The variables were also (at least temporarily) stored in the DB, for re-running pipelines, but that might not be true any more.
Cheers,
Aravind
PS: You could also run a pipeline, write the value out to a file and read the file, I guess. :) At the end of the day, GoCD will need to decrypt that variable and make it available to the running job. So, whatever GoCD or any system does, in this kind of a use case, it'll need to be available somewhere.