Analyzing Akamai BMP 4.1.3 - Part 2

PART 1 This article was uploaded to a self-published website because the engine here doesn't support KAPEX or LATEX. If you want to see a cleaner and more readable article, go to https://xve-e.github.io/2026/03/23/analyzing-akamai-bmp-part-2.html . App showcase: Iberia 14.81.0 IDA Pro: 9.3 1. Analyzing the post-decompress lib The decompiler often misidentified the number of arguments and return values for the polymorphic dispatcher, i used a secret technique to get around this using asm. As we saw earlier, sub_25E0AC is a large polymorphic dispatcher. sub_25E0AC(string_ptr) → strlen or string copy sub_25E0AC(string_ptr, 0x8641, 0xFFFFFFFF) → string deobfuscation sub_25E0AC(plaintext, output, len, key, iv) → AES-128-CBC encrypt sub_25E0AC(qword_2466A8) → MT19937 extract JNI Entry Points VA Java Name Purpose 0x9D394 SensorDataBuilder.buildN Main entry: serialize + encrypt sensor data 0x9D074 SensorDataBuilder.encryptKeyN Generate session ID (20-char base62 → base64) 0xA0144 addOne Set MT