I have recently been sifting my way through a whole load of assembly to try to identify how a program is decrypting some data. Thus far I have identified how the IV is extracted, that the IV is 16 bytes long and that the decryption method uses Cipher Block Chaining. Consequently I believe that the encryption method being used is AES-128-CBC.
The next step has been to try to identify the key being used to decrypt with, the issue is that the assembly for the individual block cipher encryption is about 2.5MB in size. However, what I have observed is that it is all of a very similar form, for example, a snippet:
add.w r0, r12, #0x13 str.w r0, [lr, #0x44] tst.w r0, #0xff mov r0, r12 it eq eoreq r0, r12, #0x75 add.w r1, r12, #0x5d str.w r1, [sp, #0xf00] tst.w r1, #0xff it eq addeq r0, #0x3b r12 contains the encrypted data, loaded from a passed in argument (r0) as follows:
mov r4, r0 add.w lr, sp, #0x1000 ldrb.w r12, [r4] All of the assembly in the subroutine is of the exemplar form, some offset is added to the encrypted data, stored, tested against 0xff (always 0xff) and then some operation is performed as a result, either XOR, OR, ADD or MOV affecting another register (in the examples that is r0).
My current hunch is that this may be an AES-128 implementation with unrolled rounds.
Does this look AES-128 to you and do you agree the encryption been deliberately obfuscated to hide the key? If so then how has it been obfuscated and would it be possible to find the key?
Additional info
Here's a link to the full ASM file for the block cipher encryption subroutine.
And this is a link to the subroutine that uses CBC and calls the above subroutine referenced in the main question.