Reverse-Engineering Blowfish-Routine in ARM ELF

Extraction and unpacking of game archives and compression, encryption, obfuscation, decoding of unknown files
Vuze
Posts: 16
Joined: Sun Dec 28, 2014 3:02 pm


Post by Vuze »

Hey everybody,

I'm currently trying to find out the blowfish key that is used to decrypt and encrypt some files from Monster Hunter 4G (N3DS).
I know that the files in question are encrypted in ECB mode and I think that I've located the subroutines that are in charge of Blowfish tasks in the game executable (ARM), judging from some pseudo-code by IDA. There is also a text string to be found in the executable that contains "blowfish key..." but I wasn't able to decrypt the files using it.

Code:

  sub_10EB24(*(_DWORD *)(v1 + 272), (int)&Blowfish_p_init, 0x48u, v4);   // copies the P-array init constants: 0x48 = 72 bytes = 18 words
  v6 = 0;
  v7 = 0;
  do
  {
    // copies one S-box per iteration: 0x400 = 1024 bytes = 256 words; v6 advances 256 words each time
    sub_10EB24(*(_DWORD *)(v1 + 276) + 4 * v6, (int)((char *)&Blowfish_s_init + 1024 * v7++), 0x400u, v5);
    v6 += 256;
  }
  // loop condition not included in the posted excerpt; (v1 + 272) and (v1 + 276) presumably hold pointers to the P-array and S-box buffers of the cipher context

Here is a pastebin of the routine; guess it's useless without further linking, but what do I know.

These are the relevant IDA offsets I found:
002AB82C uses the above mentioned key, also links to 00B70434
002AB880 identical to the former
00B70434 Actual blowfish routine? uses p_init and s_init
01056100 Blowfish_p_init
01056148 Blowfish_s_init

Now obviously I'm not able to proceed from here, since it took me long enough to figure this out as somebody who is new to the whole RE stuff. I'd greatly appreciate any help in the matter (I'd also offer a little "donation" if you want to).

Please find some example files and the ELF file here: https://www.dropbox.com/s/oii54jraru18j ... s.rar?dl=1
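As an added example (my own code, not from the post or the game), the script below regenerates Blowfish's standard P-array and S-box initialisation constants from the hex digits of pi and implements the cipher. It gives two checks: the bytes at Blowfish_p_init/Blowfish_s_init can be compared with p_init_bytes() and S_INIT (a match means the stock key schedule is used, so any secret lies in the key string rather than in modified tables), and a candidate key can be tried on a sample file in ECB mode. The names pi_words, p_init_bytes and Blowfish are my own; the block layout (big-endian halves, no padding) is the textbook convention and is an assumption about the game's format.

```python
import struct
def _arctan_inv(x, one):  # arctan(1/x) scaled by `one`, Taylor series in big-int arithmetic
    power = total = one // x
    k, sign = 3, -1
    while power:
        power //= x * x
        total += sign * (power // k)
        k, sign = k + 2, -sign
    return total

def pi_words(count, guard=64):
    """First `count` 32-bit words of pi's fractional hex digits (Machin's formula)."""
    bits = 32 * count
    one = 1 << (bits + guard)
    frac = (16 * _arctan_inv(5, one) - 4 * _arctan_inv(239, one) - 3 * one) >> guard
    return [(frac >> (bits - 32 * (i + 1))) & 0xFFFFFFFF for i in range(count)]

_W = pi_words(18 + 4 * 256)
P_INIT = _W[:18]  # 18 words = 0x48 bytes, the length passed in the post's first sub_10EB24 call
S_INIT = [_W[18 + 256 * b:18 + 256 * (b + 1)] for b in range(4)]  # four boxes of 0x400 bytes each

def p_init_bytes(little_endian=True):  # P_INIT as laid out in memory; ARM is little-endian
    return struct.pack(("<" if little_endian else ">") + "18I", *P_INIT)

class Blowfish:
    def __init__(self, key):
        self.P, self.S = list(P_INIT), [list(s) for s in S_INIT]
        for i in range(18):  # XOR the key into the P-array, cycling through the key bytes
            self.P[i] ^= int.from_bytes(bytes(key[(4 * i + j) % len(key)] for j in range(4)), "big")
        l = r = 0  # then overwrite P and all S-boxes with successive encryptions of a zero block
        for tbl in [self.P] + self.S:
            for i in range(0, len(tbl), 2):
                l, r = self.encrypt_block(l, r)
                tbl[i], tbl[i + 1] = l, r

    def _f(self, x):  # the Blowfish round function
        S = self.S
        h = (S[0][x >> 24] + S[1][(x >> 16) & 0xFF]) & 0xFFFFFFFF
        return ((h ^ S[2][(x >> 8) & 0xFF]) + S[3][x & 0xFF]) & 0xFFFFFFFF

    def _rounds(self, l, r, keys):  # 16 Feistel rounds, then output whitening
        for k in keys[:16]:
            l, r = r ^ self._f(l ^ k), l ^ k
        return r ^ keys[17], l ^ keys[16]
    def encrypt_block(self, l, r): return self._rounds(l, r, self.P)
    def decrypt_block(self, l, r): return self._rounds(l, r, self.P[::-1])  # reversed subkeys

    def decrypt_ecb(self, data):  # ECB over whole 8-byte blocks, big-endian halves, no padding
        blocks = (struct.unpack(">II", data[o:o + 8]) for o in range(0, len(data) // 8 * 8, 8))
        return b"".join(struct.pack(">II", *self.decrypt_block(l, r)) for l, r in blocks)
```

With the key string from the executable as `key`, `Blowfish(key).decrypt_ecb(open(path, "rb").read())` should yield recognisable data if the key, endianness and block layout are right; a mismatch in any of those produces noise, so check p_init_bytes() against the table at 01056100 first.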