Okay... I'm not sure if I'm getting anywhere here, but it feels like I'm on the right track. MPGMXBVR.DLL has several functions, but the most prominently interesting is
SND_fn_lPlayMPEG, which I saw running in memory by using Cheat Engine.
That led me to experimenting with OllyDbg, which offered the very much enticing prospect of loading a DLL. Unfortunately, I hit a roadblock when I discovered that SND_fn_lPlayMPEG wants 5 different integers passed to it, and I have yet to work out what values they should hold...
Using IDA, I was able to get some pseudo-code which looks like it could possibly be the decryption method:
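/*
 * Write the level bytes and the +60 dword of one object.
 *
 * obj   - address of the object being filled (the allocator result, or the
 *         object linked from it at +160)
 * a1    - the first argument of SND_fn_lPlayMPEG, read at +12 (byte) and +24 (dword)
 * level - the byte from a1+12, scaled or not; see snd_apply_params()
 */
static void snd_write_levels(int obj, int a1, __int16 level)
{
    *(_BYTE *)(obj + 146) = *(_BYTE *)(a1 + 12);
    *(_BYTE *)(obj + 147) = level;                 /* truncated to a byte, as in the original */
    /* with IDA's unsigned _BYTE the index can reach 508 when both source
     * bytes are 255; the table's size is not visible from this listing */
    *(_BYTE *)(obj + 148) = byte_100266A0[level];
    *(_DWORD *)(obj + 60) = *(_DWORD *)(a1 + 24);
}

/*
 * Fill the object returned by the allocator (and, when present, the object
 * linked from it at +160) with the level and the a4/a5 values. This is the
 * code that appeared twice in the original pseudo-code, once per allocation
 * path; the statement order is unchanged.
 */
static void snd_apply_params(int obj, int a1, int a2, int a4, int a5)
{
    __int16 level;

    /* when the dword at a1+24 is non-zero the byte at a1+12 is scaled by the
     * byte at a2+4 in 1/128 steps (x * y >> 7); a2 is not touched otherwise */
    if ( *(_DWORD *)(a1 + 24) )
        level = *(_BYTE *)(a1 + 12) * *(_BYTE *)(a2 + 4) >> 7;
    else
        level = *(_BYTE *)(a1 + 12);

    snd_write_levels(obj, a1, level);
    if ( *(_DWORD *)(obj + 160) )
        snd_write_levels(*(_DWORD *)(obj + 160), a1, level);

    if ( a4 )
    {
        *(_DWORD *)(obj + 40) = a4;
        *(_DWORD *)(obj + 36) = a5;
    }
    else
    {
        *(_DWORD *)(obj + 40) = 0;                 /* +36 is left as it was in this case */
    }
}

/*
 * SND_fn_lPlayMPEG - IDA pseudo-code from MPGMXBVR.DLL, restructured so the
 * duplicated fill-in code lives in one helper.
 *
 * Despite the plain int types IDA assigned, a1 and a2 are used as addresses
 * (both are dereferenced at fixed offsets), so calling this from a debugger
 * with arbitrary integers faults inside the function:
 *   a1 - address of a structure read at +12 (byte) and +24, +40, +48, +56, +64 (dwords)
 *   a2 - address of something whose byte at +4 is read only when *(a1+24) != 0
 *   a3 - never read by this function
 *   a4 - stored into the result at +40 (0 is stored when a4 == 0)
 *   a5 - stored into the result at +36, only when a4 != 0
 *
 * Returns the non-zero value produced by sub_100046E3 or sub_100048A6 (used
 * here as the address of an object at least 161 bytes long, given the offsets
 * written), or -1 when dword_10024CBC is zero or the allocator returns 0.
 * What the bytes at +146..+148 mean is not visible here; a level and a
 * table-mapped level read like volume handling rather than decryption -
 * confirm against the callers before relying on that.
 */
signed int __stdcall SND_fn_lPlayMPEG(int a1, int a2, int a3, int a4, int a5)
{
    int obj;

    (void)a3;                                      /* not used in the decompiled body */

    /* nothing happens until dword_10024CBC is non-zero */
    if ( !dword_10024CBC )
        return -1;

    /* sub_10006BA2 is run on dword_10024CAC once while dword_10024CB8 is set,
     * then the flag is cleared so it does not run again */
    if ( dword_10024CB8 )
    {
        sub_10006BA2(dword_10024CAC);
        dword_10024CB8 = 0;
    }

    /* two allocation paths selected by the dword at a1+40; they differ only in
     * which routine builds the object and which fields of a1 are handed to it */
    if ( *(_DWORD *)(a1 + 40) )
        obj = sub_100046E3(a1 + 48, *(_DWORD *)(a1 + 64));
    else
        obj = sub_100048A6(*(_DWORD *)(a1 + 48), *(_DWORD *)(a1 + 56));
    if ( !obj )
        return -1;

    snd_apply_params(obj, a1, a2, a4, a5);
    return obj;
}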
I am still having a really hard time making sense of it. I would love to have one of our many forum experts give a helping hand!