All resource encrypted with AES 128 (Key + IV) - CFB mode + compressed with ZLIB. For each file is generated key and IV seems from file size
Generated Keys and IV's for some files :
Manifest.dat - Not needed uncompress after decrypt
Key - 826757DB26C6BC74D0B7AFEF2C65E944
IV - AFE1B1BB3C908D7F6224D9260426CA37
data\texturessd\splashscreen_loading_en.dds - Need uncompress after decrypt
Key - 565824AB59423379E741AC2886501659
IV - 20584671121FD9C6CC2B06391D2DA4F9
data\settings\all.settings - Need uncompress after decrypt
Key - F19AB36BB3E4D8A7245A96EC74D9B8EC
IV - EADF84D02D9A4DDBDD726029D30D9060
Function generating key and iv
PHP Code:
int __thiscall Generate_Key_IV(int this)
{
int v1; // eax@1
int v2; // edx@1
v2 = (*(_DWORD *)this >> 16) + 36969 * (unsigned __int16)*(_DWORD *)this;
v1 = 18000 * (unsigned __int16)*(_DWORD *)(this + 4) + (*(_DWORD *)(this + 4) >> 16);
*(_DWORD *)this = v2;
*(_DWORD *)(this + 4) = v1;
if ( !v2 )
*(_DWORD *)this = 1;
if ( !v1 )
*(_DWORD *)(this + 4) = -1;
return *(_DWORD *)(this + 4) + (*(_DWORD *)this << 16);
}
PHP Code:
Generate_Key_IV proc near
mov eax, [ecx]
movzx edx, ax
imul edx, 9069h
shr eax, 10h
add edx, eax
mov eax, [ecx+4]
push esi ; Here file size
movzx esi, ax
imul esi, 4650h
shr eax, 10h
add eax, esi
mov [ecx], edx
mov [ecx+4], eax
pop esi
test edx, edx
jnz short loc_495EA2
mov dword ptr [ecx], 1
loc_495EA2:
test eax, eax
jnz short loc_495EAD
mov dword ptr [ecx+4], 0FFFFFFFFh
loc_495EAD:
mov eax, [ecx]
shl eax, 10h
add eax, [ecx+4]
retn
Generate_Key_IV endp
How it use game
PHP Code:
int __usercall sub_47AFA0<eax>(int a1<eax>, int a2<ebp>, void *a3, size_t a4, __int64 a5)
{
unsigned int v5; // edi@1
unsigned int v6; // edi@3
char v8; // [sp-1A0h] [bp-1ACh]@2
int v9; // [sp-198h] [bp-1A4h]@1
void *v10; // [sp-194h] [bp-1A0h]@1
char v11; // [sp-190h] [bp-19Ch]@5
char v12; // [sp-140h] [bp-14Ch]@5
int v13; // [sp-40h] [bp-4Ch]@6
void *v14; // [sp-3Ch] [bp-48h]@5
char v15; // [sp-34h] [bp-40h]@2
char v16; // [sp-24h] [bp-30h]@4
unsigned int v17; // [sp-14h] [bp-20h]@1
char *v18; // [sp-10h] [bp-1Ch]@1
int v19; // [sp-Ch] [bp-18h]@1
int (__cdecl *v20)(int, int); // [sp-8h] [bp-14h]@1
signed int v21; // [sp-4h] [bp-10h]@1
int v22; // [sp+0h] [bp-Ch]@1
void *v23; // [sp+4h] [bp-8h]@1
char v24; // [sp+8h] [bp-4h]@1
int v25; // [sp+Ch] [bp+0h]@1
v22 = a2;
v23 = (void *)v25;
v21 = -1;
v20 = sub_72CCC6;
v19 = a1;
v18 = &v24;
v17 = (unsigned int)&v22 ^ __security_cookie;
v10 = a3;
v9 = sub_5657C0(a4);
sub_495EC0(a4 * a5, (unsigned __int64)a4 * a5 >> 32);
v5 = 0;
do
*(&v15 + v5++) = Generate_Key_IV((int)&v8); <-------;Generating KEY
while ( v5 < 0x10 );
v6 = 0;
do
*(&v16 + v6++) = Generate_Key_IV((int)&v8); <-------;Generating IV
while ( v6 < 0x10 );
sub_47AC20(&v15, 16, &v16); <-------; AES Routine
v21 = 0;
sub_433E00(v9, v10, a4);
v21 = 1;
sub_4799F0(&v11);
if ( v14 == &v12 + (-(signed int)&v12 & 0xF) )
memset(v14, 0, 4 * v13);
return __security_check_cookie((unsigned int)&v22 ^ v17);
}