a python script that decrypts foscam firmware encryption given args found in FirmwareUpgrade (see post for more details: https://hacked.codes/2023/extracting-firmware-reverse-engineering-encryption-keys-foscam/

reformstring.py

"""
Psuedo C code from Ghidra:
ReformString(char*, char const*, unsigned int, ...)

char * ReformString(char *param_1,char *param_2,uint param_3,...) {
  char *pcVar1;
  int in_r3;
  uint uVar2;
  int local_4;
  
  local_4 = in_r3;
  pcVar1 = param_1;
  if ((param_1 != (char *)0x0) && (pcVar1 = param_2, param_2 != (char *)0x0)) {
    for (uVar2 = 0; uVar2 != param_3; uVar2 = uVar2 + 1) {
      param_1[uVar2] = param_2[(&local_4)[uVar2]];
    }
    param_1[uVar2] = '\0';
    pcVar1 = param_1;
  }
  return pcVar1;
}
"""

def ReformString(charset, length, *args):
    buff = [0] * (length + 1)
    if charset != None:
        for n in range(length):
            buff[n] = charset[args[n]]
        buff[n + 1] = '\0'
    return ''.join(str(x) for x in buff)

charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+|`-={}[]:;'<>?,./\" \\"
length = 0x3c

result = ReformString(
    charset,
    length,
    0xe,0xf,4,0xd,0x12,0x12,0xb,0x5d,4,0xd,2,0x5d,0x4d,3,0x5d,0x4d,0,4,0x12,0x4d,
    0x35,0x36,0x3c,0x4d,2,1,2,0x5d,0x4d,0xc,3,0x5d,0xc,3,0x39,0x5d,0x4d,10,0x5d,0x30,0x30,
    0x33,0x3b,0x19,0x18,0x46,0x15,0x36,0x5d,0x4d,8,0xd,0x5d,0x43,0x12,0x5d,0x57,0x5d,
    0x43,0x12
)

print(result)
# openssl enc -d -aes-128-cbc -md md5 -k WWZ7zy*v2 -in %s > %s