That key comes straight from GetPUBKEY.php. Here's the whole exchange:
POST /GetPUBKEY.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
Ryeol-Magic: My Magic Header
User-Magic: User's Magic Header
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: fus.samsungmobile.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 19 Sep 2009 18:50:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
Content-type: text/html
Via: 1.1 s0-kt10-sel (jaguar/3.0-11), 1.1 usls02slh009 (jaguar/3.0-11)
Connection: close
GETPUBKEY=BgIAAACkAABSU0ExAAQAAAEAAQBLkRxedbb7YE15 wHuDYnVNmzD/RRXRAQ8HMu+q7fkQ7TQNckTKID3cp+rxcUBRJ9Eu2os4IL6sO+ +e58yZkCTAJp5Rfa5jwDQS0dtvpEXyHpwMPdT/s5RqVLmy+abiJ3BErnkoFLmhXgkBLNJWsLOC77gWyj5xi0VoUn jyALFtvQ==
Presumably that's then used to send the public key of the pair generated by FUSCrypt, but we'd need to know the decrypted content in order to re-generate the requests. Maybe we can grab the keys from memory after they're generated to decrypt the session, but... what a pain.
As expected, my attempt from last night failed. Interestingly, here are the passwords it reports to have worked on one of the .zip.enc files I tested with. (It may be possible that each binary has a different key, too.):
Success: )]\"\\\"]
Success: \t0\t@\t
Success: 0<<,_
Success: -455
Success: 5drD
Success: *\tA\t(\t
Success: .?AUIRegistrarBase@@
Success: D$4PU
Success: D$lPQ
Success: g?w&
Success: [hmm
Success: !jD}
Success: +\t<\tK\t(\t
Success: Kb:gck(W
Success: L&177
Success: *\tM\t0\t>\t
Success: W0~0[0
Success: wcstol
|