OK, some more information and the confirmation that this is definitely AES-CBC.
Basic info for the first packet.
The cipher key is
Code:
31dc4a65c4d06334b61bc43653544915
The data is the full encrypted tag
based on above packet
This is header
This is IV
This is Key Url Data
This is encrypted data
If you chop the encrypted data into a multiple of 16 bytes, then you get
79ffc80dea46f51351a892e6e0ef8b26b0af6998979c68e0f945f155075aaa9f14c7335f093b79355e15b039947655ce
The cipher key converts into the global key, which is
Code:
a930fb441df4db669815e4bbab0e33c9
So use the above encrypted data, then use the IV listed above and the global key, apply AES-CBC, and you should end up with 48 bytes of data starting with 0x1700.
The remaining data is then appended to make the final output, which is
Code:
1700000000014d401fffe10025274d401fb90c02802dd80880000003008000001970300013d6200027ac77bdc07c2211468001000428f96bc8
You can use
http://aes.online-domain-tools.com/ to get the result without writing any code.
So now I have to find proper methods to know when the encrypted data starts and when the header finishes! Feeling I am getting there. The global key calculation is not very far off, but I am reusing the same key for the same data till I can reliably generate that.