Okay, the AssetList_hash_win.dat is AES secured
IV = is the first 16 characters, grab them as ASCII to string and convert by Encoding.UTF8 to bytes
Key = Key is calculated from 64-bit library of NativeLibrary.dll, function getCryKey2. Get's one uint argument which in code is passed as MainLoop.key (which is null uint)
Code is:
.text:0000000180001020 arg_0 = dword ptr 8
.text:0000000180001020
.text:0000000180001020 mov [rsp+arg_0], ecx
.text:0000000180001024 xor edx, edx
.text:0000000180001026 mov r8d, 0FFFFFFFEh
.text:000000018000102C lea r10, byte_18005B090
.text:0000000180001033 lea r9, byte_18005C950
.text:000000018000103A nop word ptr [rax+rax+00h]
.text:0000000180001040
.text:0000000180001040 loc_180001040: ; CODE XREF: getCryKey2+57j
.text:0000000180001040 lea eax, [r8-1]
.text:0000000180001044 mov rcx, r8
.text:0000000180001047 add rdx, 2
.text:000000018000104B and eax, 3
.text:000000018000104E and ecx, 3
.text:0000000180001051 add r8d, 2
.text:0000000180001055 movzx eax, byte ptr [rsp+rax+arg_0]
.text:000000018000105A movzx ecx, byte ptr [rsp+rcx+arg_0]
.text:000000018000105F xor al, [rdx+r10-2]
.text:0000000180001064 xor cl, [rdx+r10-1]
.text:0000000180001069 mov [rdx+r9-2], al
.text:000000018000106E mov [rdx+r9-1], cl
.text:0000000180001073 cmp rdx, 22h
.text:0000000180001077 jl short loc_180001040
.text:0000000180001079 mov rax, r9
.text:000000018000107C retn
EDIT: The file names are casual MD5, nothing much
I'll try to hack into process and grab the key from memory
UPDATE: There's some exception protection as it's throwing them like a crazy when started (may be related to webview of news) so it kind of kills my IDA64, attaching later to process after finishing web activity loading doesn't trigger getCryKey2 anymore (it's only at the semi-beginning to set the AESIV and AESKEY and is not used anymore. I'm still digging. Anyway, I found this:
$MEVIUS-PROJECT#,SQUARE-ENIX-BD1%
It has 33 characters
The managed code gets IntPtr to result of the getCryKey2, treats it via Marshal as ANSI text and splits to IV and key via string.split based on ',' character.
meaning, that this may be the secret key:
$MEVIUS-PROJECT# - for default IV
SQUARE-ENIX-BD1% - for default key
both have 16 characters, so 128bit, looks fine. Let's see..
@UPDATE
Yep:
AES128
IV : $MEVIUS-PROJECT#
Key: SQUARE-ENIX-BD1%
CipherMode.CBC
PaddingMode.ISO10126
What if they have seen that extracting Final Fantasy IX code was easy so they obfuscated the IL assembly and hid the key in AMD64 (x86-64) DLL?
Well, not really the key is hidden. Just let Mobius run and generate the keys, then attach to process, find NativePlugins DLL and getCryKey2 function and jump to byte array at getCryKey2+C. They don't flush the buffer after saving the key to managed Mevius.App.Api.AesKey and Mevius.App.Api.IV
@UPDATE3:
Found the dictionary for fileList, the two unknowns in entries are: fileRevision and fileSize
Content categories. First character is first hash name (not the files, it's far more complicated xD)
"pc",
"mon",
"npc",
"weapon",
"guardian",
"fa",
"summon",
"test",
"exte"
Now the server:
Sample HTTP 1.1 GET request for asset file:
cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/Hash/a1/092b86e0aa0970e80dbc9bc152fbe3_win.unity3d
Info file:
http://web.jp.mobiusfinalfantasy.com/asset/mobius_info_JP.txt