Quote:

byte[] encryteddata;

byte[] encryptedfooter;

int size; // 0x1dd it's the size from start of encryptedfooter to the end of file

byte[] signature; //always @e!adnXd$^!rfOsrDyIrI!xVgHeA!6Vc



Code:

static void Decrypt(byte[] buffer,byte iv)

{

byte key = iv;

for (int i=0;i<buffer.Length;i++)

{

byte key1 = iv;

key1 ^= buffer[i];

key1 -= (byte)i;

buffer[i] ^= key;

key = key1;

}

}



Code:

000000014B482CA0 | 48 89 5C 24 08 | mov qword ptr ss:[rsp+8],rbx |

000000014B482CA5 | 48 89 6C 24 10 | mov qword ptr ss:[rsp+10],rbp |

000000014B482CAA | 48 89 74 24 18 | mov qword ptr ss:[rsp+18],rsi |

000000014B482CAF | 48 89 7C 24 20 | mov qword ptr ss:[rsp+20],rdi |

000000014B482CB4 | 41 56 | push r14 |

000000014B482CB6 | 33 C0 | xor eax,eax |

000000014B482CB8 | 48 89 11 | mov qword ptr ds:[rcx],rdx |

000000014B482CBB | 4C 89 41 08 | mov qword ptr ds:[rcx+8],r8 |

000000014B482CBF | 44 0F B7 8A 88 01 00 00 | movzx r9d,word ptr ds:[rdx+188] |

000000014B482CC7 | 4D 8B F0 | mov r14,r8 |

000000014B482CCA | 48 8B F2 | mov rsi,rdx |

000000014B482CCD | 48 8B F9 | mov rdi,rcx |

000000014B482CD0 | 48 8D 9A 9A 01 00 00 | lea rbx,qword ptr ds:[rdx+19A] |

000000014B482CD7 | 44 8B D8 | mov r11d,eax |

000000014B482CDA | 4C 89 49 10 | mov qword ptr ds:[rcx+10],r9 |

000000014B482CDE | 4D 85 C9 | test r9,r9 |

000000014B482CE1 | 74 26 | je masseffectandromeda.14B482D09 |

000000014B482CE3 | 4C 8B C3 | mov r8,rbx |

000000014B482CE6 | 48 8B D3 | mov rdx,rbx |

000000014B482CE9 | 49 F7 D8 | neg r8 |

000000014B482CEC | 0F 1F 40 00 | nop dword ptr ds:[rax] |

000000014B482CF0 | 0F B6 0A | movzx ecx,byte ptr ds:[rdx] |

000000014B482CF3 | 48 8D 52 01 | lea rdx,qword ptr ds:[rdx+1] |

000000014B482CF7 | 44 03 D9 | add r11d,ecx |

000000014B482CFA | 45 03 DB | add r11d,r11d |

000000014B482CFD | 44 33 D9 | xor r11d,ecx |

000000014B482D00 | 49 8D 0C 10 | lea rcx,qword ptr ds:[r8+rdx] |

000000014B482D04 | 49 3B C9 | cmp rcx,r9 |

000000014B482D07 | 72 E7 | jb masseffectandromeda.14B482CF0 |

000000014B482D09 | 44 0F B6 8E 8D 01 00 00 | movzx r9d,byte ptr ds:[rsi+18D] |

000000014B482D11 | 0F B6 8E 8A 01 00 00 | movzx ecx,byte ptr ds:[rsi+18A] |

000000014B482D18 | 0F B6 96 8B 01 00 00 | movzx edx,byte ptr ds:[rsi+18B] |

000000014B482D1F | 44 0F B6 86 8C 01 00 00 | movzx r8d,byte ptr ds:[rsi+18C] |

000000014B482D27 | 44 8D 14 09 | lea r10d,dword ptr ds:[rcx+rcx] |

000000014B482D2B | 44 33 D1 | xor r10d,ecx |

000000014B482D2E | 0F B6 8E 87 01 00 00 | movzx ecx,byte ptr ds:[rsi+187] |

000000014B482D35 | 44 03 D2 | add r10d,edx |

000000014B482D38 | 45 03 D2 | add r10d,r10d |

000000014B482D3B | 44 33 D2 | xor r10d,edx |

000000014B482D3E | 8D 14 09 | lea edx,dword ptr ds:[rcx+rcx] |

000000014B482D41 | 45 03 D0 | add r10d,r8d |

000000014B482D44 | 33 D1 | xor edx,ecx |

000000014B482D46 | 0F B6 0E | movzx ecx,byte ptr ds:[rsi] |

000000014B482D49 | 45 03 D2 | add r10d,r10d |

000000014B482D4C | 45 33 D0 | xor r10d,r8d |

000000014B482D4F | 44 0F B6 46 02 | movzx r8d,byte ptr ds:[rsi+2] |

000000014B482D54 | 45 03 D1 | add r10d,r9d |

000000014B482D57 | 43 8D 2C 12 | lea ebp,dword ptr ds:[r10+r10] |

000000014B482D5B | 44 8D 14 09 | lea r10d,dword ptr ds:[rcx+rcx] |

000000014B482D5F | 44 33 D1 | xor r10d,ecx |

000000014B482D62 | 0F B6 8E 92 01 00 00 | movzx ecx,byte ptr ds:[rsi+192] |

000000014B482D69 | 41 33 E9 | xor ebp,r9d |

000000014B482D6C | 44 0F B6 4E 03 | movzx r9d,byte ptr ds:[rsi+3] |

000000014B482D71 | 41 03 EB | add ebp,r11d |

000000014B482D74 | 03 EA | add ebp,edx |

000000014B482D76 | 0F B6 56 01 | movzx edx,byte ptr ds:[rsi+1] |

000000014B482D7A | 44 03 D2 | add r10d,edx |

000000014B482D7D | 45 03 D2 | add r10d,r10d |

000000014B482D80 | 44 33 D2 | xor r10d,edx |

000000014B482D83 | 0F B6 96 93 01 00 00 | movzx edx,byte ptr ds:[rsi+193] |

000000014B482D8A | 45 03 D0 | add r10d,r8d |

000000014B482D8D | 45 03 D2 | add r10d,r10d |

000000014B482D90 | 45 33 D0 | xor r10d,r8d |

000000014B482D93 | 44 0F B6 86 94 01 00 00 | movzx r8d,byte ptr ds:[rsi+194] |

000000014B482D9B | 45 03 D1 | add r10d,r9d |

000000014B482D9E | 45 03 D2 | add r10d,r10d |

000000014B482DA1 | 45 33 D1 | xor r10d,r9d |

000000014B482DA4 | 44 0F B6 8E 95 01 00 00 | movzx r9d,byte ptr ds:[rsi+195] |

000000014B482DAC | 41 03 EA | add ebp,r10d |

000000014B482DAF | 44 8D 14 09 | lea r10d,dword ptr ds:[rcx+rcx] |

000000014B482DB3 | 44 33 D1 | xor r10d,ecx |

000000014B482DB6 | 0F B6 8E 96 01 00 00 | movzx ecx,byte ptr ds:[rsi+196] |

000000014B482DBD | 44 03 D2 | add r10d,edx |

000000014B482DC0 | 45 03 D2 | add r10d,r10d |

000000014B482DC3 | 44 33 D2 | xor r10d,edx |

000000014B482DC6 | 0F B6 96 97 01 00 00 | movzx edx,byte ptr ds:[rsi+197] |

000000014B482DCD | 45 03 D0 | add r10d,r8d |

000000014B482DD0 | 45 03 D2 | add r10d,r10d |

000000014B482DD3 | 45 33 D0 | xor r10d,r8d |

000000014B482DD6 | 44 0F B6 86 98 01 00 00 | movzx r8d,byte ptr ds:[rsi+198] |

000000014B482DDE | 45 03 D1 | add r10d,r9d |

000000014B482DE1 | 45 03 D2 | add r10d,r10d |

000000014B482DE4 | 45 33 D1 | xor r10d,r9d |

000000014B482DE7 | 44 0F B6 8E 99 01 00 00 | movzx r9d,byte ptr ds:[rsi+199] |

000000014B482DEF | 41 03 EA | add ebp,r10d |

000000014B482DF2 | 44 8D 14 09 | lea r10d,dword ptr ds:[rcx+rcx] |

000000014B482DF6 | 44 33 D1 | xor r10d,ecx |

000000014B482DF9 | 44 03 D2 | add r10d,edx |

000000014B482DFC | 45 03 D2 | add r10d,r10d |

000000014B482DFF | 44 33 D2 | xor r10d,edx |

000000014B482E02 | 45 03 D0 | add r10d,r8d |

000000014B482E05 | 45 03 D2 | add r10d,r10d |

000000014B482E08 | 45 33 D0 | xor r10d,r8d |

000000014B482E0B | 45 03 D1 | add r10d,r9d |

000000014B482E0E | 45 03 D2 | add r10d,r10d |

000000014B482E11 | 45 33 D1 | xor r10d,r9d |

000000014B482E14 | 4C 8D 4E 05 | lea r9,qword ptr ds:[rsi+5] |

000000014B482E18 | 41 03 EA | add ebp,r10d |

000000014B482E1B | 41 BA 81 00 00 00 | mov r10d,81 |

000000014B482E21 | 0F 1F 40 00 | nop dword ptr ds:[rax] |

000000014B482E25 | 66 66 66 0F 1F 84 00 00 | nop word ptr ds:[rax+rax] |

000000014B482E30 | 41 0F B6 49 FF | movzx ecx,byte ptr ds:[r9-1] |

000000014B482E35 | 41 0F B6 11 | movzx edx,byte ptr ds:[r9] |

000000014B482E39 | 45 0F B6 41 01 | movzx r8d,byte ptr ds:[r9+1] |

000000014B482E3E | 03 C1 | add eax,ecx |

000000014B482E40 | 4D 8D 49 03 | lea r9,qword ptr ds:[r9+3] |

000000014B482E44 | 03 C0 | add eax,eax |

000000014B482E46 | 33 C1 | xor eax,ecx |

000000014B482E48 | 03 C2 | add eax,edx |

000000014B482E4A | 03 C0 | add eax,eax |

000000014B482E4C | 33 C2 | xor eax,edx |

000000014B482E4E | 41 03 C0 | add eax,r8d |

000000014B482E51 | 03 C0 | add eax,eax |

000000014B482E53 | 41 33 C0 | xor eax,r8d |

000000014B482E56 | 49 FF CA | dec r10 |

000000014B482E59 | 75 D5 | jne masseffectandromeda.14B482E30 |

000000014B482E5B | 44 0F B7 9E 88 01 00 00 | movzx r11d,word ptr ds:[rsi+188] |

000000014B482E63 | 41 B8 78 12 EA 45 | mov r8d,45EA1278 |

000000014B482E69 | 40 02 E8 | add bpl,al |

000000014B482E6C | 45 8B C8 | mov r9d,r8d |

000000014B482E6F | 4D 85 DB | test r11,r11 |

000000014B482E72 | 74 65 | je masseffectandromeda.14B482ED9 |

000000014B482E74 | 0F 1F 40 00 | nop dword ptr ds:[rax] |

000000014B482E78 | 0F 1F 84 00 00 00 00 00 | nop dword ptr ds:[rax+rax] |

000000014B482E80 | 41 8B C9 | mov ecx,r9d |

000000014B482E83 | 41 8B C1 | mov eax,r9d |

000000014B482E86 | C1 E8 10 | shr eax,10 |

000000014B482E89 | C1 E9 18 | shr ecx,18 |

000000014B482E8C | 02 C8 | add cl,al |

000000014B482E8E | 41 8B C1 | mov eax,r9d |

000000014B482E91 | C1 E8 08 | shr eax,8 |

000000014B482E94 | 02 C8 | add cl,al |

000000014B482E96 | 41 02 C9 | add cl,r9b |

000000014B482E99 | 32 0B | xor cl,byte ptr ds:[rbx] |

000000014B482E9B | 0F B6 D1 | movzx edx,cl |

000000014B482E9E | 0F B6 C2 | movzx eax,dl |

000000014B482EA1 | 88 13 | mov byte ptr ds:[rbx],dl |

000000014B482EA3 | 24 1F | and al,1F |

000000014B482EA5 | 0F B6 C8 | movzx ecx,al |

000000014B482EA8 | 8B C2 | mov eax,edx |

000000014B482EAA | C1 E0 08 | shl eax,8 |

000000014B482EAD | 41 D3 C1 | rol r9d,cl |

000000014B482EB0 | 0B C2 | or eax,edx |

000000014B482EB2 | C1 E0 08 | shl eax,8 |

000000014B482EB5 | 0B C2 | or eax,edx |

000000014B482EB7 | C1 E0 08 | shl eax,8 |

000000014B482EBA | 0B C2 | or eax,edx |

000000014B482EBC | 44 03 C8 | add r9d,eax |

000000014B482EBF | 41 D1 C1 | rol r9d,1 |

000000014B482EC2 | 41 80 FA 10 | cmp r10b,10 |

000000014B482EC6 | 76 06 | jbe masseffectandromeda.14B482ECE |

000000014B482EC8 | 45 03 C9 | add r9d,r9d |

000000014B482ECB | 45 32 D2 | xor r10b,r10b |

000000014B482ECE | 41 FE C2 | inc r10b |

000000014B482ED1 | 48 FF C3 | inc rbx |

000000014B482ED4 | 49 FF CB | dec r11 |

000000014B482ED7 | 75 A7 | jne masseffectandromeda.14B482E80 |

000000014B482ED9 | 48 8B 07 | mov rax,qword ptr ds:[rdi] |

000000014B482EDC | BB 04 00 00 00 | mov ebx,4 |

000000014B482EE1 | 45 8B C8 | mov r9d,r8d |

000000014B482EE4 | 80 B0 87 01 00 00 B9 | xor byte ptr ds:[rax+187],B9 |

000000014B482EEB | 4C 8B 17 | mov r10,qword ptr ds:[rdi] |

000000014B482EEE | 8B F3 | mov esi,ebx |

000000014B482EF0 | 49 81 C2 8A 01 00 00 | add r10,18A |

000000014B482EF7 | 45 32 DB | xor r11b,r11b |

000000014B482EFA | 66 0F 1F 44 00 00 | nop word ptr ds:[rax+rax] |

000000014B482F00 | 41 8B C9 | mov ecx,r9d |

000000014B482F03 | 41 8B C1 | mov eax,r9d |

000000014B482F06 | C1 E8 10 | shr eax,10 |

000000014B482F09 | C1 E9 18 | shr ecx,18 |

000000014B482F0C | 02 C8 | add cl,al |

000000014B482F0E | 41 8B C1 | mov eax,r9d |

000000014B482F11 | C1 E8 08 | shr eax,8 |

000000014B482F14 | 02 C8 | add cl,al |

000000014B482F16 | 41 02 C9 | add cl,r9b |

000000014B482F19 | 41 32 0A | xor cl,byte ptr ds:[r10] |

000000014B482F1C | 0F B6 D1 | movzx edx,cl |

000000014B482F1F | 0F B6 C2 | movzx eax,dl |

000000014B482F22 | 41 88 12 | mov byte ptr ds:[r10],dl |

000000014B482F25 | 24 1F | and al,1F |

000000014B482F27 | 0F B6 C8 | movzx ecx,al |

000000014B482F2A | 8B C2 | mov eax,edx |

000000014B482F2C | C1 E0 08 | shl eax,8 |

000000014B482F2F | 41 D3 C1 | rol r9d,cl |

000000014B482F32 | 0B C2 | or eax,edx |

000000014B482F34 | C1 E0 08 | shl eax,8 |

000000014B482F37 | 0B C2 | or eax,edx |

000000014B482F39 | C1 E0 08 | shl eax,8 |

000000014B482F3C | 0B C2 | or eax,edx |

000000014B482F3E | 44 03 C8 | add r9d,eax |

000000014B482F41 | 41 D1 C1 | rol r9d,1 |

000000014B482F44 | 41 80 FB 10 | cmp r11b,10 |

000000014B482F48 | 76 06 | jbe masseffectandromeda.14B482F50 |

000000014B482F4A | 45 03 C9 | add r9d,r9d |

000000014B482F4D | 45 32 DB | xor r11b,r11b |

000000014B482F50 | 41 FE C3 | inc r11b |

000000014B482F53 | 49 FF C2 | inc r10 |

000000014B482F56 | 48 FF CE | dec rsi |

000000014B482F59 | 75 A5 | jne masseffectandromeda.14B482F00 |

000000014B482F5B | 4C 8B 1F | mov r11,qword ptr ds:[rdi] |

000000014B482F5E | 45 8B C8 | mov r9d,r8d |

000000014B482F61 | 45 32 D2 | xor r10b,r10b |

000000014B482F64 | 48 8B F3 | mov rsi,rbx |

000000014B482F67 | 66 0F 1F 84 00 00 00 00 | nop word ptr ds:[rax+rax] |

000000014B482F70 | 41 8B C9 | mov ecx,r9d |

000000014B482F73 | 41 8B C1 | mov eax,r9d |

000000014B482F76 | C1 E8 10 | shr eax,10 |

000000014B482F79 | C1 E9 18 | shr ecx,18 |

000000014B482F7C | 02 C8 | add cl,al |

000000014B482F7E | 41 8B C1 | mov eax,r9d |

000000014B482F81 | C1 E8 08 | shr eax,8 |

000000014B482F84 | 02 C8 | add cl,al |

000000014B482F86 | 41 02 C9 | add cl,r9b |

000000014B482F89 | 41 32 0B | xor cl,byte ptr ds:[r11] |

000000014B482F8C | 0F B6 D1 | movzx edx,cl |

000000014B482F8F | 0F B6 C2 | movzx eax,dl |

000000014B482F92 | 41 88 13 | mov byte ptr ds:[r11],dl |

000000014B482F95 | 24 1F | and al,1F |

000000014B482F97 | 0F B6 C8 | movzx ecx,al |

000000014B482F9A | 8B C2 | mov eax,edx |

000000014B482F9C | C1 E0 08 | shl eax,8 |

000000014B482F9F | 41 D3 C1 | rol r9d,cl |

000000014B482FA2 | 0B C2 | or eax,edx |

000000014B482FA4 | C1 E0 08 | shl eax,8 |

000000014B482FA7 | 0B C2 | or eax,edx |

000000014B482FA9 | C1 E0 08 | shl eax,8 |

000000014B482FAC | 0B C2 | or eax,edx |

000000014B482FAE | 44 03 C8 | add r9d,eax |

000000014B482FB1 | 41 D1 C1 | rol r9d,1 |

000000014B482FB4 | 41 80 FA 10 | cmp r10b,10 |

000000014B482FB8 | 76 06 | jbe masseffectandromeda.14B482FC0 |

000000014B482FBA | 45 03 C9 | add r9d,r9d |

000000014B482FBD | 45 32 D2 | xor r10b,r10b |

000000014B482FC0 | 41 FE C2 | inc r10b |

000000014B482FC3 | 49 FF C3 | inc r11 |

000000014B482FC6 | 48 FF CE | dec rsi |

000000014B482FC9 | 75 A5 | jne masseffectandromeda.14B482F70 |

000000014B482FCB | 4C 8B 17 | mov r10,qword ptr ds:[rdi] |

000000014B482FCE | 45 8B C8 | mov r9d,r8d |

000000014B482FD1 | 48 8B F3 | mov rsi,rbx |

000000014B482FD4 | 49 81 C2 92 01 00 00 | add r10,192 |

000000014B482FDB | 45 32 DB | xor r11b,r11b |

000000014B482FDE | 66 90 | nop |

000000014B482FE0 | 41 8B C9 | mov ecx,r9d |

000000014B482FE3 | 41 8B C1 | mov eax,r9d |

000000014B482FE6 | C1 E8 10 | shr eax,10 |

000000014B482FE9 | C1 E9 18 | shr ecx,18 |

000000014B482FEC | 02 C8 | add cl,al |

000000014B482FEE | 41 8B C1 | mov eax,r9d |

000000014B482FF1 | C1 E8 08 | shr eax,8 |

000000014B482FF4 | 02 C8 | add cl,al |

000000014B482FF6 | 41 02 C9 | add cl,r9b |

000000014B482FF9 | 41 32 0A | xor cl,byte ptr ds:[r10] |

000000014B482FFC | 0F B6 D1 | movzx edx,cl |

000000014B482FFF | 0F B6 C2 | movzx eax,dl |

000000014B483002 | 41 88 12 | mov byte ptr ds:[r10],dl |

000000014B483005 | 24 1F | and al,1F |

000000014B483007 | 0F B6 C8 | movzx ecx,al |

000000014B48300A | 8B C2 | mov eax,edx |

000000014B48300C | C1 E0 08 | shl eax,8 |

000000014B48300F | 41 D3 C1 | rol r9d,cl |

000000014B483012 | 0B C2 | or eax,edx |

000000014B483014 | C1 E0 08 | shl eax,8 |

000000014B483017 | 0B C2 | or eax,edx |

000000014B483019 | C1 E0 08 | shl eax,8 |

000000014B48301C | 0B C2 | or eax,edx |

000000014B48301E | 44 03 C8 | add r9d,eax |

000000014B483021 | 41 D1 C1 | rol r9d,1 |

000000014B483024 | 41 80 FB 10 | cmp r11b,10 |

000000014B483028 | 76 06 | jbe masseffectandromeda.14B483030 |

000000014B48302A | 45 03 C9 | add r9d,r9d |

000000014B48302D | 45 32 DB | xor r11b,r11b |

000000014B483030 | 41 FE C3 | inc r11b |

000000014B483033 | 49 FF C2 | inc r10 |

000000014B483036 | 48 FF CE | dec rsi |

000000014B483039 | 75 A5 | jne masseffectandromeda.14B482FE0 |

000000014B48303B | 4C 8B 17 | mov r10,qword ptr ds:[rdi] |

000000014B48303E | 45 8B C8 | mov r9d,r8d |

000000014B483041 | 49 81 C2 96 01 00 00 | add r10,196 |

000000014B483048 | 45 32 DB | xor r11b,r11b |

000000014B48304B | 0F 1F 44 00 00 | nop dword ptr ds:[rax+rax] |

000000014B483050 | 41 8B C9 | mov ecx,r9d |

000000014B483053 | 41 8B C1 | mov eax,r9d |

000000014B483056 | C1 E8 10 | shr eax,10 |

000000014B483059 | C1 E9 18 | shr ecx,18 |

000000014B48305C | 02 C8 | add cl,al |

000000014B48305E | 41 8B C1 | mov eax,r9d |

000000014B483061 | C1 E8 08 | shr eax,8 |

000000014B483064 | 02 C8 | add cl,al |

000000014B483066 | 41 02 C9 | add cl,r9b |

000000014B483069 | 41 32 0A | xor cl,byte ptr ds:[r10] |

000000014B48306C | 0F B6 D1 | movzx edx,cl |

000000014B48306F | 0F B6 C2 | movzx eax,dl |

000000014B483072 | 41 88 12 | mov byte ptr ds:[r10],dl |

000000014B483075 | 24 1F | and al,1F |

000000014B483077 | 0F B6 C8 | movzx ecx,al |

000000014B48307A | 8B C2 | mov eax,edx |

000000014B48307C | C1 E0 08 | shl eax,8 |

000000014B48307F | 41 D3 C1 | rol r9d,cl |

000000014B483082 | 0B C2 | or eax,edx |

000000014B483084 | C1 E0 08 | shl eax,8 |

000000014B483087 | 0B C2 | or eax,edx |

000000014B483089 | C1 E0 08 | shl eax,8 |

000000014B48308C | 0B C2 | or eax,edx |

000000014B48308E | 44 03 C8 | add r9d,eax |

000000014B483091 | 41 D1 C1 | rol r9d,1 |

000000014B483094 | 41 80 FB 10 | cmp r11b,10 |

000000014B483098 | 76 06 | jbe masseffectandromeda.14B4830A0 |

000000014B48309A | 45 03 C9 | add r9d,r9d |

000000014B48309D | 45 32 DB | xor r11b,r11b |

000000014B4830A0 | 41 FE C3 | inc r11b |

000000014B4830A3 | 49 FF C2 | inc r10 |

000000014B4830A6 | 48 FF CB | dec rbx |

000000014B4830A9 | 75 A5 | jne masseffectandromeda.14B483050 |

000000014B4830AB | 4C 8B 0F | mov r9,qword ptr ds:[rdi] |

000000014B4830AE | 41 BB 83 01 00 00 | mov r11d,183 |

000000014B4830B4 | 49 83 C1 04 | add r9,4 |

000000014B4830B8 | 45 32 D2 | xor r10b,r10b |

000000014B4830BB | 0F 1F 44 00 00 | nop dword ptr ds:[rax+rax] |

000000014B4830C0 | 41 8B C8 | mov ecx,r8d |

000000014B4830C3 | 41 8B C0 | mov eax,r8d |

000000014B4830C6 | C1 E8 10 | shr eax,10 |

000000014B4830C9 | C1 E9 18 | shr ecx,18 |

000000014B4830CC | 02 C8 | add cl,al |

000000014B4830CE | 41 8B C0 | mov eax,r8d |

000000014B4830D1 | C1 E8 08 | shr eax,8 |

000000014B4830D4 | 02 C8 | add cl,al |

000000014B4830D6 | 41 02 C8 | add cl,r8b |

000000014B4830D9 | 41 32 09 | xor cl,byte ptr ds:[r9] |

000000014B4830DC | 0F B6 D1 | movzx edx,cl |

000000014B4830DF | 0F B6 C2 | movzx eax,dl |

000000014B4830E2 | 41 88 11 | mov byte ptr ds:[r9],dl |

000000014B4830E5 | 24 1F | and al,1F |

000000014B4830E7 | 0F B6 C8 | movzx ecx,al |

000000014B4830EA | 8B C2 | mov eax,edx |

000000014B4830EC | C1 E0 08 | shl eax,8 |

000000014B4830EF | 41 D3 C0 | rol r8d,cl |

000000014B4830F2 | 0B C2 | or eax,edx |

000000014B4830F4 | C1 E0 08 | shl eax,8 |

000000014B4830F7 | 0B C2 | or eax,edx |

000000014B4830F9 | C1 E0 08 | shl eax,8 |

000000014B4830FC | 0B C2 | or eax,edx |

000000014B4830FE | 44 03 C0 | add r8d,eax |

000000014B483101 | 41 D1 C0 | rol r8d,1 |

000000014B483104 | 41 80 FA 10 | cmp r10b,10 |

000000014B483108 | 76 06 | jbe masseffectandromeda.14B483110 |

000000014B48310A | 45 03 C0 | add r8d,r8d |

000000014B48310D | 45 32 D2 | xor r10b,r10b |

000000014B483110 | 41 FE C2 | inc r10b |

000000014B483113 | 49 FF C1 | inc r9 |

000000014B483116 | 49 FF CB | dec r11 |

000000014B483119 | 75 A5 | jne masseffectandromeda.14B4830C0 |

000000014B48311B | 48 8B 07 | mov rax,qword ptr ds:[rdi] |

000000014B48311E | 44 89 B0 8E 01 00 00 | mov dword ptr ds:[rax+18E],r14d |

000000014B483125 | 48 8B 07 | mov rax,qword ptr ds:[rdi] |

000000014B483128 | 66 83 B8 45 01 00 00 01 | cmp word ptr ds:[rax+145],1 |

000000014B483130 | 75 04 | jne masseffectandromeda.14B483136 |

000000014B483132 | 40 30 68 05 | xor byte ptr ds:[rax+5],bpl |

000000014B483136 | 48 8B 0F | mov rcx,qword ptr ds:[rdi] |

000000014B483139 | 66 83 B9 45 01 00 00 02 | cmp word ptr ds:[rcx+145],2 |

000000014B483141 | 75 08 | jne masseffectandromeda.14B48314B |

000000014B483143 | 40 0F B6 C5 | movzx eax,bpl |

000000014B483147 | 66 31 41 05 | xor word ptr ds:[rcx+5],ax |

000000014B48314B | 48 8B 0F | mov rcx,qword ptr ds:[rdi] |

000000014B48314E | 66 83 B9 45 01 00 00 04 | cmp word ptr ds:[rcx+145],4 |

000000014B483156 | 75 07 | jne masseffectandromeda.14B48315F |

000000014B483158 | 40 0F B6 C5 | movzx eax,bpl |

000000014B48315C | 31 41 05 | xor dword ptr ds:[rcx+5],eax |

000000014B48315F | 48 8B 0F | mov rcx,qword ptr ds:[rdi] |

000000014B483162 | 66 83 B9 45 01 00 00 08 | cmp word ptr ds:[rcx+145],8 |

000000014B48316A | 75 08 | jne masseffectandromeda.14B483174 |

000000014B48316C | 40 0F B6 C5 | movzx eax,bpl |

000000014B483170 | 48 31 41 05 | xor qword ptr ds:[rcx+5],rax |

000000014B483174 | 48 8B 5C 24 10 | mov rbx,qword ptr ss:[rsp+10] |

000000014B483179 | 48 8B 6C 24 18 | mov rbp,qword ptr ss:[rsp+18] |

000000014B48317E | 48 8B 74 24 20 | mov rsi,qword ptr ss:[rsp+20] |

000000014B483183 | 48 8B 7C 24 28 | mov rdi,qword ptr ss:[rsp+28] |

000000014B483188 | 41 5E | pop r14 |

000000014B48318A | C3 | ret |

I wrote a simple toc decrypt tool.The format isThe code to decrypt the data is:The iv is the decrypt key. It's stored in the fifth byte of encryptedfooter.The code to decrypt encryptedfooter is quite complicated, so I simply skipped them and assumes the first byte of the decrypt data is always 0x00, thus the decrypt byte is the same as the first byte.