09-08-2024, 11:02 AM
Ok, here's what I've found out so far. Unfortunately I'm not familiar with Windows ABI, nor with MSVC generated code, nor with IDA (I'm a UNIX guy) so I'm not sure and I'm flying pretty much blind here.
Data
I was looking for the IV bytes in the data segment, see data_A03FC8.png. It says this data is used in two functions: sub_49B510 and sub_49B750.
Decrypting the key?
If I'm guessing right, sub_49B510 is the one that reads in the key from the json. In sub_49B510.png we can see that after the IV is loaded, it is passed to another function, sub_49CA40.
I believe sub_49CA40 is the function that does the key bitshuffling and XORing with the IV, because it has a considerable amount of ROR, SHR and XOR instructions, see sub_49CA40.png. This could also be the Twofish initialization maybe?
It looks like it is XORing with the IV key, which makes me assume this is the key decryption.
Decrypting assets?
Similarly I'm assuming that sub_49B750 does the asset decryption. This calls sub_49D850 after it loads the IV.
Again, sub_49D850 could be a Twofish initialization or maybe one round of Twofish decryption? Not sure. See sub_49D850.png.
The similarity between sub_49CA40 and sub_49D850 is uncanny, which makes me wonder if I've found the Twofish routines instead and I'm completely off-track. However sub_49D850 does call sub_49CA40, meaning sub_49D850 can't be Twofish initialization for sure.
Any help from someone more familiar with these would be very much appreciated!
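The post's reasoning ("a considerable amount of ROR, SHR and XOR instructions, so it is probably the key shuffling or a Twofish routine") is the same triage heuristic FindCrypt-style tools use: functions dense in rotates, shifts and XORs are crypto or hash candidates. The script below is an added example, not code from the poster or from IDA, that runs that heuristic over an IDA-like text listing. Only the function names sub_49B510 and sub_49CA40 and the data address A03FC8 are taken from the post; the instructions in the listing are constructed for the example and are not the real contents of those functions.

```python
import re
from collections import Counter

# Constructed IDA-like listing ("label:" lines followed by ".text:ADDR mnemonic operands").
# Function names are from the forum post; every instruction here is made up for this example.
SAMPLE_LISTING = """
sub_49B510:
.text:0049B510 push ebp
.text:0049B511 mov ebp, esp
.text:0049B513 mov eax, [ebp+8]
.text:0049B516 lea ecx, unk_A03FC8
.text:0049B51C call sub_49CA40
.text:0049B521 pop ebp
.text:0049B522 retn
sub_49CA40:
.text:0049CA40 mov eax, [esi]
.text:0049CA42 ror eax, 8
.text:0049CA45 xor eax, [edi]
.text:0049CA47 mov edx, [esi+4]
.text:0049CA4A shr edx, 3
.text:0049CA4D xor edx, eax
.text:0049CA4F rol edx, 9
.text:0049CA52 xor edx, [edi+4]
.text:0049CA55 mov [esi], edx
.text:0049CA57 retn
"""

# Mnemonics typical of block-cipher rounds, key schedules and hash compression functions.
CRYPTO_MNEMONICS = {"ror", "rol", "shr", "shl", "sar", "xor"}
INSN_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s+(\w+)")
LABEL_RE = re.compile(r"^(\w+):$")


def split_functions(listing):
    """Group instruction mnemonics under the function label that precedes them."""
    funcs = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        label = LABEL_RE.match(line)
        if label:
            current = label.group(1)
            funcs[current] = []
            continue
        insn = INSN_RE.match(line)
        if insn and current is not None:
            funcs[current].append(insn.group(2).lower())
    return funcs


def score_function(mnemonics):
    """Return (density of rotate/shift/xor instructions, per-mnemonic Counter)."""
    counts = Counter(mnemonics)
    crypto = sum(counts[m] for m in CRYPTO_MNEMONICS)
    density = crypto / len(mnemonics) if mnemonics else 0.0
    return density, counts


def rank_candidates(listing, threshold=0.3):
    """List functions whose crypto-mnemonic density is at least threshold, densest first.

    Each entry is (name, density, xor_count, rotate_count, shift_count).
    """
    results = []
    for name, mnems in split_functions(listing).items():
        density, c = score_function(mnems)
        if density >= threshold:
            results.append((name, round(density, 2), c["xor"],
                            c["ror"] + c["rol"], c["shr"] + c["shl"] + c["sar"]))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


if __name__ == "__main__":
    for name, density, xors, rots, shifts in rank_candidates(SAMPLE_LISTING):
        print(f"{name}: density={density} xor={xors} rotates={rots} shifts={shifts}")
```

On the constructed listing only sub_49CA40 clears the threshold, which matches the poster's intuition about that function; the wrapper sub_49B510 scores zero because it only loads the data pointer and calls out. The caveat the post itself raises still applies: a high density flags a function as cipher, key-schedule or hash material, but it cannot by itself distinguish a key-unwrapping routine from a Twofish round, so the ranking is a starting point for reading the function, not an identification.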