This topic was archived here:

https://web.archive.org/web/20230000000000fw_/https://www.zenhax.com/viewtopic.php?t=472

Vuze, posted Sun Dec 28, 2014 6:49 pm (2359)

---

Hey everybody,

I'm currently trying to find out the blowfish key that is used to decrypt and encrypt some files from Monster Hunter 4G (N3DS).
I know that the files in question are encrypted in ECB mode and I think that I've located the subroutines that are in charge for Blowfish tasks in the game executable (ARM) judging from some pseudo-code by IDA. There is also a text string to be found in the executable that contains "blowfish key..." but I wasn't able to decrypt the files using it.

Code:

sub_10EB24(*(_DWORD *)(v1   272), (int)&Blowfish_p_init, 0x48u, v4);
  v6 = 0;
  v7 = 0;
  do
  {
    sub_10EB24(*(_DWORD *)(v1   276)   4 * v6, (int)((char *)&Blowfish_s_init   1024 * v7  ), 0x400u, v5);
    v6  = 256;
  }

Here is a pastebin of the routine, guess it's useless without further linkings but what do I know.

These are the relevant IDA offsets I found:
002AB82C uses the above mentioned key, also links to 00B70434
002AB880 identical to the former
00B70434 Actual blowfish routine? uses p_init and s_init
01056100 Blowfish_p_init
01056148 Blowfish_s_init

Now obviously I'm not able to proceed from here since it took me long enough to figure this out as somebody who is new to the whole RE-stuff. I'd greatly appreciate any help in the matter (I'd also offer a little "donation" if you want to).

Please find some example files and the ELF file here: https://www.dropbox.com/s/oii54jraru18j ... s.rar?dl=1