Engine:
Import Addresses:
Code: Select all
1.0.0.0 - VAT: 0x0000000147BE4000 Size: 0x1770
Code: Select all
.xcode:0000000144D73AB0 fb::FileObfuscationHeader::validateSignature
.xcode:0000000144D73B12 call cs:j_BCryptOpenAlgorithmProvider_0
.xcode:0000000144D73B54 call cs:j_BCryptImportKeyPair
.xcode:0000000144D73C08 call cs:j_BCryptVerifySignature
.xcode:0000000144D73C18 call cs:j_BCryptDestroyKey
.xcode:0000000144D73C25 call cs:j_BCryptCloseAlgorithmProvider
Thanks to WV + weiyun
Code: Select all
private void Decrypt(byte[] p_Buffer, byte p_Key)
{
var s_Key = p_Key;
for (var i = 0; i < p_Buffer.Length; ++i)
{
var l_Key = p_Key;
l_Key ^= p_Buffer[i];
l_Key -= (byte)i;
p_Buffer[i] ^= s_Key;
s_Key = l_Key;
}
}
private void Decrypt_MEA2()
{
var s_Dialog = new OpenFileDialog
{
Filter = "Encrypted File (*.*)|*.*",
FileName = ".toc",
Title = "Open Encrypted File"
};
if (s_Dialog.ShowDialog() != DialogResult.OK)
return;
using (var s_Reader = new RimeReader(new MemoryStream(File.ReadAllBytes(s_Dialog.FileName))))
{
if (s_Reader.BaseStream.Length < 36)
{
MessageBox.Show("File is not encrypted.");
return;
}
// Seek to 36 bytes to the end of the file
s_Reader.Seek(s_Reader.BaseStream.Length - 36, SeekOrigin.Begin);
// Read out the encrypted footer length
var s_FooterLength = s_Reader.ReadUInt32();
// Read out the static magic
var s_FooterMagic = new string(s_Reader.ReadChars(32));
// Check that this file is actually encrypted
if (s_FooterMagic != "@e!adnXd$^!rfOsrDyIrI!xVgHeA!6Vc")
{
MessageBox.Show("File is not encrypted.");
return;
}
// Seek back to the beginning of the file
s_Reader.Seek(0, SeekOrigin.Begin);
var s_Data = s_Reader.ReadBytes((int)s_Reader.BaseStream.Length - (int)s_FooterLength);
Decrypt(s_Data, s_Data[0]);
var s_SaveDialog = new SaveFileDialog
{
Title = "Save decrypted data",
FileName = s_Dialog.FileName + ".decrypted",
Filter = "Save decrypted file (*.*)|*.*"
};
if (s_SaveDialog.ShowDialog() == DialogResult.OK)
{
File.WriteAllBytes(s_SaveDialog.FileName, s_Data);
MessageBox.Show("File decrypted.");
}
}
}