I recently worked my way through the entire assembly to try to determine how the program decrypts some data. So far, I have determined how the IV is extracted, that the IV is 16 bytes, and that cipher block chaining is used in the decryption method. Therefore, I believe that the encryption method used is AES-128-CBC.
The next step was to try to determine the key used for decryption. The problem is that the assembly for the block encryption routine alone is about 2.5 MB. However, I noticed that it has a very repetitive form, for example this fragment:
```asm
add.w   r0, r12, #0x13
str.w   r0, [lr, #0x44]
tst.w   r0, #0xff
mov     r0, r12
it      eq
eoreq   r0, r12, #0x75
add.w   r1, r12, #0x5d
str.w   r1, [sp, #0xf00]
tst.w   r1, #0xff
it      eq
addeq   r0, #0x3b
```
r12 contains the encrypted data loaded from the passed argument (r0) as follows:
```asm
mov     r4, r0
add.w   lr, sp, #0x1000
ldrb.w  r12, [r4]
```
The entire assembly in the subroutine follows this pattern: some offset is added to the encrypted data, the result is stored, it is tested against 0xff (always 0xff), and then some operation is performed (XOR, OR, ADD or MOV) affecting another register (r0 in the examples).
Does this look like AES-128 to you, and do you agree that the encryption was intentionally obfuscated to hide the key? If so, how was it obfuscated, and could the key be recovered?
Additional Information
Here's a link to the complete ASM file for the block encryption routine.
And this is a link to the subroutine that uses CBC and calls the aforementioned subroutine that the main question refers to.
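The question's CBC hypothesis can be checked from the outside before any key recovery is attempted, because CBC decryption has a fixed fault signature: since P_i = D_K(C_i) XOR C_(i-1), flipping one bit in ciphertext block i garbles plaintext block i, mirrors exactly that bit into plaintext block i+1, and leaves every other block unchanged; flipping a bit in the IV mirrors it into block 0 only. The script below is an added example written for this page, not code from the question or from the binary it describes. It assumes nothing about the real cipher: a constructed 4-round Feistel network (`toy_encrypt_block`/`toy_decrypt_block`, keyed by a hash) stands in for AES-128 so the script runs offline, and `looks_like_cbc` only needs a decryption callback of the form `decrypt(iv, ciphertext)`, which is what one would wrap around the real routine (in a debugger or emulator) to run the same test against the 2.5 MB subroutine.

```python
import hashlib

BLOCK = 16  # the question reports a 16-byte IV, i.e. a 128-bit block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash truncated to the 8-byte half width."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round balanced Feistel network: an invertible 16-byte
    permutation that stands in for the AES-128 block function (demo only)."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "demo uses whole blocks, no padding"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_K(C_i) XOR C_(i-1), with C_(-1) = IV."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Control case: same block cipher, no chaining, IV ignored."""
    return b"".join(toy_decrypt_block(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def cbc_fault_signature(decrypt, iv, ciphertext, block_index, byte_in_block, bit):
    """Flip one ciphertext bit (block_index == -1 flips the IV instead) and label
    each plaintext block 'same', 'exact' (only the mirrored bit differs) or 'garbled'."""
    if block_index < 0:
        iv2, ct2 = flip_bit(iv, byte_in_block, bit), ciphertext
    else:
        iv2, ct2 = iv, flip_bit(ciphertext, block_index * BLOCK + byte_in_block, bit)
    base, faulty = decrypt(iv, ciphertext), decrypt(iv2, ct2)
    mask = flip_bit(bytes(BLOCK), byte_in_block, bit)
    labels = []
    for i in range(len(base) // BLOCK):
        orig, new = base[i * BLOCK:(i + 1) * BLOCK], faulty[i * BLOCK:(i + 1) * BLOCK]
        labels.append("same" if orig == new else "exact" if _xor(orig, new) == mask else "garbled")
    return labels


def looks_like_cbc(decrypt, iv: bytes, ciphertext: bytes) -> bool:
    """True if every single-bit fault (IV and each block) shows the CBC signature."""
    n = len(ciphertext) // BLOCK
    for i in range(-1, n):
        expected = ["same"] * n
        if i >= 0:
            expected[i] = "garbled"
        if i + 1 < n:
            expected[i + 1] = "exact"
        if cbc_fault_signature(decrypt, iv, ciphertext, i, 3, 5) != expected:
            return False
    return True


# Constructed demo material (not values from the question).
DEMO_KEY = b"constructed-key!"
DEMO_IV = bytes(range(16))
DEMO_PT = bytes(range(64))  # four whole blocks
DEMO_CT = cbc_encrypt(DEMO_KEY, DEMO_IV, DEMO_PT)

if __name__ == "__main__":
    cbc = lambda iv, ct: cbc_decrypt(DEMO_KEY, iv, ct)
    ecb = lambda iv, ct: ecb_decrypt(DEMO_KEY, ct)
    print("flip block 1:", cbc_fault_signature(cbc, DEMO_IV, DEMO_CT, 1, 0, 0))
    print("CBC routine looks like CBC:", looks_like_cbc(cbc, DEMO_IV, DEMO_CT))
    print("ECB routine looks like CBC:", looks_like_cbc(ecb, DEMO_IV, DEMO_CT))
```

The test is mode-only: it confirms chaining and block size without saying anything about the block cipher or the key, which is why it is a sensible first step before investing in the obfuscated key schedule. A 2.5 MB routine that passes this check still only tells you that the outer structure is CBC over a 128-bit block; whether the inner permutation is AES is a separate question that needs known-answer vectors with a recovered key.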