ok so let me understand this. the suggestion here is to salt the encryption.
whatever the hell this code means, in a way it is salting. looks more like the code used for ROT13 but with random values stapled to it. anyway the CPU and MACAddress + "XXXXX" act as a salt:
byte[] bCPU = Encoding.ASCII.GetBytes(CPU);
byte[] bHex = Encoding.ASCII.GetBytes("XXXXX" + MACAddress);
// for each byte i: XOR the key byte with (salt byte + CPU byte) mod 256
Result[i] = (byte)(bKey[i] ^ ((bHex[i] + bCPU[i]) % 256));
it could be better but it works. I don't even know if knowing the CPU and MACAddress value will get you anywhere. so being on the same computer to scout how the key.dat file is made is essential.
to expand on your suggestion you said to salt using CSPRNG, the best way to salt as it's completely random because apparently they have algorithms to detect their own generations and make sure no patterns or whatever exist within it. well is it really necessary? it's a lego game that's hosting its files locally. it's not some super famous cloud system that's targeted by the biggest and baddest hackers in the world.
the easier route here is to suggest better security to the people doing these silly hosting services and not badspot because it's a waste of time. the current system works fine, its security was never meant to be some professional grade A locked down convoluted encryption algorithm because it's not worth it.
why report a bug to the creator directly when you can do that AND get everyone to kiss your ass at the same time??
this guy knows what's up. but at the same time I fail to see an actual issue here
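An added example, not code from the posts above or from the game: it runs the per-byte mask from the quoted snippet next to a CSPRNG salt fed into PBKDF2, to show what each one does and does not provide. The names Mask and DeriveKey, the wrap-around indexing (the snippet does not show its loop), and every sample value are assumptions; it needs .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class KeyMaskDemo
{
    // Per-byte mask from the quoted snippet: data ^ ((hex + cpu) % 256).
    // Assumption: shorter inputs wrap around, since the snippet omits its loop.
    static byte[] Mask(byte[] data, string cpu, string mac)
    {
        byte[] bCPU = Encoding.ASCII.GetBytes(cpu);
        byte[] bHex = Encoding.ASCII.GetBytes("XXXXX" + mac);
        var result = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            result[i] = (byte)(data[i] ^ ((bHex[i % bHex.Length] + bCPU[i % bCPU.Length]) % 256));
        return result;
    }

    // Contrast (hypothetical helper): PBKDF2 over a secret and a per-file salt.
    // The salt is stored beside the output and is not secret; the secret is.
    static byte[] DeriveKey(string secret, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(secret, salt, 100_000, HashAlgorithmName.SHA256, 32);

    static void Main()
    {
        // Constructed sample values, not real identifiers or keys.
        string cpu = "EXAMPLE-CPU-ID", mac = "00:11:22:33:44:55";
        byte[] key = Encoding.ASCII.GetBytes("SAMPLE-KEY-0000");

        // The mask is a fixed function of the machine values: the same
        // inputs always produce the same stored bytes.
        byte[] stored = Mask(key, cpu, mac);
        Console.WriteLine("deterministic: " + stored.SequenceEqual(Mask(key, cpu, mac)));

        // XOR is its own inverse, so applying the mask twice round-trips.
        // The stored bytes are only as private as the CPU and MAC values.
        Console.WriteLine("round-trips:   " + Mask(stored, cpu, mac).SequenceEqual(key));

        // A CSPRNG salt differs per call, so equal secrets give different output.
        byte[] s1 = RandomNumberGenerator.GetBytes(16);
        byte[] s2 = RandomNumberGenerator.GetBytes(16);
        Console.WriteLine("salted equal:  " +
            DeriveKey("sample-secret", s1).SequenceEqual(DeriveKey("sample-secret", s2)));
    }
}
```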