After it has started and is in paused mode, right-click in the debug window and choose "Search for" -> "All referenced text strings".
Search in that window for "itemtype.dat".
You will find:
Code:
Text strings referenced in Conquer:.text, item 1736 Address=00495511 Disassembly=PUSH Conquer.0050F470 Text string=ASCII "ini/ItemType.dat"
Press "F2" to set a breakpoint on it and "F9" to continue the execution of the program.
Now use "F7" to step into every call to a Conquer function. If there is a call to an outside function like
Code:
004A1D77 |. FF15 84AD5100 CALL DWORD PTR DS:[<&MSVCRT._fileno>] ; \_fileno
After you see a function that opens the file and reads its content into memory, watch for the close call; right after it, the decryption routine is called:
Code:
file getting closed:
004A1DCF |> FF15 C0AC5100 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; \fclose
decrypt function call:
004A1DE2 |. E8 C9000000 CALL Conquer.004A1EB0
The char position (ESI) is copied to EAX:
004A1ECF |> 8BC6 /MOV EAX,ESI
A logical AND is done to get a number from 0 to 7F (7F is the key size):
004A1ED1 |. 25 7F000080 |AND EAX,8000007F
Jump to 004A1EDD if the result is >= 0:
004A1ED6 |. 79 05 |JNS SHORT Conquer.004A1EDD
If the result is negative, decrease it by 1:
004A1ED8 |. 48 |DEC EAX
OR the result to get a positive number:
004A1ED9 |. 83C8 80 |OR EAX,FFFFFF80
Increase it by 1:
004A1EDC |. 40 |INC EAX
(The DEC/OR/INC steps above don't happen in practice, because to go negative the count would have to be >= 80000000 (hex), that is 2147483648 bytes, so the file would have to be 2 GB big before it happens :P)
Here the value of "counter1" is loaded into ECX (if you do some runs you see it counts from 0 to 7 in a loop):
004A1EDD |> 8B4C24 10 |MOV ECX,DWORD PTR SS:[ESP+10]
This is again the char position, this time copied to EDX:
004A1EE1 |. 8BD6 |MOV EDX,ESI
Here the byte value of the key is loaded: EAX is the current key position, ECX is the base address of the key, and 10 (hex) is always added to it, so the first 16 bytes of the key are unused:
004A1EE3 |. 8A4408 10 |MOV AL,BYTE PTR DS:[EAX+ECX+10]
The char which is going to be decrypted is loaded:
004A1EE7 |. 8A0C3E |MOV CL,BYTE PTR DS:[ESI+EDI]
An XOR is done between the key char and the char to decrypt:
004A1EEA |. 32C1 |XOR AL,CL
This does the same as at "004A1ED1", only this time with a number from 0 to 7:
004A1EEC |. 81E2 07000080 |AND EDX,80000007
004A1EF2 |. 79 05 |JNS SHORT Conquer.004A1EF9
004A1EF4 |. 4A |DEC EDX
004A1EF5 |. 83CA F8 |OR EDX,FFFFFFF8
004A1EF8 |. 42 |INC EDX
ECX gets 8 as value:
004A1EF9 |> B9 08000000 |MOV ECX,8
The result of the XOR, which is saved in AL, gets moved to BL:
004A1EFE |. 8AD8 |MOV BL,AL
EDX is subtracted from the 8 that was saved in ECX; this is what I call "counter2":
004A1F00 |. 2BCA |SUB ECX,EDX
Now a shift left by the "counter2" value is done on the XOR result we got at "004A1EEA":
004A1F02 |. D2E3 |SHL BL,CL
The "counter1" value gets set to CL:
004A1F04 |. 8ACA |MOV CL,DL
A shift right by the "counter1" value is done on the XOR result we got at "004A1EEA":
004A1F06 |. D2E8 |SHR AL,CL
The results of both shift operations are added together; the result of that is the byte value of the decrypted char:
004A1F08 |. 02D8 |ADD BL,AL
Here the encrypted char gets overwritten with the decrypted one:
004A1F0A |. 881C3E |MOV BYTE PTR DS:[ESI+EDI],BL
ESI gets increased by 1 to step to the next char:
004A1F0D |. 46 |INC ESI
Check if there is a next char: it compares the current char position with max chars:
004A1F0E |. 3BF5 |CMP ESI,EBP
If lower, jump to the beginning of the loop, otherwise exit:
004A1F10 |.^7C BD \JL SHORT Conquer.004A1ECF
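The loop above condensed into a Python implementation added here (it is not the author's tool mentioned below and not the game's code); it assumes, as the walkthrough describes, that the key buffer is a 16-byte header followed by 128 key bytes, and it shows that the SHL/SHR/ADD pair is an 8-bit rotate and the sign fix-ups are only the compiler's signed modulo, which is why the inverse (encryption) is just as simple:

```python
# Added example (not the author's tool and not the game's code): the decryption
# loop at 004A1ECF-004A1F10 written out in Python, plus its inverse.
# Assumption (constructed, not from the page): the key buffer pointed to by
# [ESP+10] is a 16-byte header followed by 128 key bytes.
KEY_HEADER = 0x10   # MOV AL,[EAX+ECX+10]: key bytes start 16 bytes in
KEY_MASK = 0x7F     # AND EAX,8000007F: key position wraps every 128 bytes
ROT_MASK = 0x07     # AND EDX,80000007: "counter1", wraps every 8 bytes


def decrypt(data: bytes, key: bytes) -> bytes:
    """One pass of the loop: ESI runs from 0 to len(data)-1 (CMP ESI,EBP)."""
    out = bytearray(len(data))
    for i, c in enumerate(data):
        k = key[KEY_HEADER + (i & KEY_MASK)]  # sign fix-up skipped: i < 2 GB
        x = k ^ c                             # XOR AL,CL
        r = i & ROT_MASK                      # counter1 (EDX)
        hi = (x << (8 - r)) & 0xFF            # SHL BL,CL with CL = 8 - counter1;
                                              # SHL by 8 on an 8-bit reg gives 0
        lo = x >> r                           # SHR AL,CL with CL = counter1
        out[i] = (hi + lo) & 0xFF             # ADD BL,AL: bits don't overlap, so
    return bytes(out)                         # the pair is an 8-bit rotate right


def rol8(x: int, r: int) -> int:
    """Rotate an 8-bit value left by r (0..7); undoes the rotate in decrypt()."""
    r &= ROT_MASK
    return ((x << r) | (x >> (8 - r))) & 0xFF


def encrypt(plain: bytes, key: bytes) -> bytes:
    """Inverse of decrypt(): rotate left first, then XOR with the same key byte."""
    out = bytearray(len(plain))
    for i, p in enumerate(plain):
        k = key[KEY_HEADER + (i & KEY_MASK)]
        out[i] = rol8(p, i & ROT_MASK) ^ k
    return bytes(out)


# Constructed sample key: zero header, then key byte j == j.  Note that the
# same 128 key bytes repeat for every 128-byte block and the rotation depends
# only on the offset, so this is obfuscation of the data file, not encryption.
SAMPLE_KEY = bytes(KEY_HEADER) + bytes(range(KEY_MASK + 1))
SAMPLE_PLAIN = b"ItemType"

if __name__ == "__main__":
    enc = encrypt(SAMPLE_PLAIN, SAMPLE_KEY)
    print(enc.hex())                           # 49e99768412a1ab5
    print(decrypt(enc, SAMPLE_KEY))            # b'ItemType'
```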
Example tool with source that does the decryption and also the encryption at:






