Cubic Ninja Blowfish

Discussion in '3DS - Homebrew Development and Emulators' started by gudenau, Jun 9, 2015.

  1. gudenau
    OP

    gudenau Largely ignored

    Member
    3,300
    1,253
    Jul 7, 2010
    United States
    /dev/random
    How does one get the blowfish keys from Cubic Ninja? I would like to work on NINJHAX, but I do not know how to get the keys. How do I do this? Could I have a hash to check my keys as well?
     
  2. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,508
    1,155
    May 23, 2012
    Apparently you can get the processed key from a RAM dump. If someone gives a hash of the key, should be easy enough to find it with that.
     
  3. gudenau
    OP

    Still, it has 129028 possibilities, based on my dump.
     
  4. Vappy

    StapleButter says it's 0x1048 bytes, so that narrows it down at least a little. :P
     
  5. dubbz82

    dubbz82 GBAtemp Advanced Maniac

    Member
    1,512
    815
    Feb 2, 2014
    United States

    If this could be brute force attempted, it might not be all that terrible to be honest.
     
  6. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    12,517
    5,474
    Mar 17, 2010
    Norway
    Alola
    Indeed. With a fast computer it should be a breeze.
     
  7. zoogie

    zoogie simple pimp tool

    Member
    6,573
    8,463
    Nov 30, 2014
    United States
    Funny the coincidence of this thread appearing. I think I found it today.

    Dump your CN RAM around the time when it's doing QR stuff, go to file offset 0x200000 and copy 0x1048 worth of data to a separate file.
    The checksums I have are,
    Code:
      File: blowfish_processed.bin
    CRC-32: 2bbc1e5c
       MD4: 549c79aa95a83d253ccd11aeb64cbff0
       MD5: 33f38ab6f0821bc64b6f6bf98c1494f0
     SHA-1: 5b1c58e93827a1b440fa2d33524affc9822a2688
     
  8. gudenau
    OP

    I included that.
    That was an idea.
    Exactly.
    I will check that in a little while.
     
  9. dubbz82

    Since I'm apparently a little out of the loop and missing something here, what exactly are you trying to do with the blowfish key, anyways?
     
  10. zoogie

    Compile ninjhax, regionfour, etc.
     
  11. gudenau
    OP

    I want to compile NINJHAX; the key is used in the creation of the QR code that you scan.
     
  12. pseudov

    pseudov Member

    Newcomer
    23
    15
    Mar 23, 2015
    Canada
    Hey zoogie, which ram dumper are you using? I've used two different ones, and both of them contain just 00's (null) at offset 0x200000 and beyond. I timed my ramdumps while scanning a QR code.
     
  13. zoogie

    I'm using kazowar's memdumper (which one are you using?).
    I've noticed the zeros problem too with some of my more recent dumps. This dump I used that worked is from a while back. I faintly remember actually activating the dump right before the ninjhax text screen comes up (while "loading" and the -> moving left to right).

    The big break in finding the key was noticing the memory location is given away in the ninjhax repo right here:
    https://github.com/smealum/ninjhax/...ial_loader/WEST/cn_initial/source/main.c#L243

    I suspect though, that it's only there for an instant and my timing was lucky. My key is definitely legit because the QR's generated are valid and they install the payload. Tested with regionfour.
     
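Added example (editor's code, not written by any poster in this thread and not part of ninjhax): it checks the region zoogie describes, offset 0x200000 and 0x1048 bytes, against the CRC-32, MD5 and SHA-1 values posted above, flags the all-zero result reported in the posts above, and falls back to the hash search Vappy suggested. The function names, the 4-byte search step and the omission of MD4 (not available in every Python build) are choices made for this example.

```python
import hashlib
import sys
import zlib

KEY_OFFSET = 0x200000  # file offset quoted in the thread
KEY_SIZE = 0x1048      # blob size quoted in the thread
EXPECTED = {           # checksums posted for blowfish_processed.bin (MD4 omitted)
    "crc32": "2bbc1e5c",
    "md5": "33f38ab6f0821bc64b6f6bf98c1494f0",
    "sha1": "5b1c58e93827a1b440fa2d33524affc9822a2688",
}

def digests(blob):
    """CRC-32, MD5 and SHA-1 of blob as lowercase hex strings."""
    return {
        "crc32": format(zlib.crc32(blob) & 0xFFFFFFFF, "08x"),
        "md5": hashlib.md5(blob).hexdigest(),
        "sha1": hashlib.sha1(blob).hexdigest(),
    }

def check_region(dump, expected=EXPECTED, offset=KEY_OFFSET, size=KEY_SIZE):
    """Return (status, blob); status is 'short', 'zeroed', 'mismatch' or 'match'."""
    blob = dump[offset:offset + size]
    if len(blob) < size:
        return "short", blob        # dump ends before the region does
    if not any(blob):
        return "zeroed", blob       # the all-00 result reported in the thread
    return ("match" if digests(blob) == expected else "mismatch"), blob

def find_by_hash(dump, sha1_hex, size=KEY_SIZE, step=4):
    """Slide a size-byte window over dump; return the first offset whose SHA-1
    matches, else None. step=4 (word alignment) is an assumption."""
    zero = bytes(size)
    for off in range(0, len(dump) - size + 1, step):
        window = dump[off:off + size]
        if window != zero and hashlib.sha1(window).hexdigest() == sha1_hex:
            return off
    return None

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:   # path to the RAM dump
        data = fh.read()
    status, blob = check_region(data)
    print("region at 0x%X: %s" % (KEY_OFFSET, status))
    if status == "match":
        with open("blowfish_processed.bin", "wb") as out:
            out.write(blob)
    elif status != "short":
        print("hash search:", find_by_hash(data, EXPECTED["sha1"]))
```

A "zeroed" result means the dump was taken while the region was empty, so a hash search over that same dump is only useful if the data sits at a different offset.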
  14. pseudov

    I used kazowar's as well, and the one from projectpokemon. Okay, I'll try a few more dumps at different timings and report back.
     
  15. gudenau
    OP

    I forgot about the browser exploit.

    Could I have a link?

    Edit:
    For now I am brute forcing it, just in case I get lucky.
     
    Last edited by gudenau, Jun 10, 2015
  16. pseudov

  17. Intronaut

    Intronaut An star maker

    Member
    726
    434
    Nov 18, 2014
    Cote d'Ivoire
    Are you trying to finish SpiderNinja?
     
  18. gudenau
    OP

    No, I am trying to improve NINJHAX.
     
  19. pseudov

    I tried around 8 ramdumps as close as possible before the ninjhax screen, but they resulted in all zeroes at 0x200000. Once "Loading ->" comes up, the home button doesn't respond anymore, and ninjhax loads all the way without a chance to dump.

    Any luck, gudenau?
     
  20. gudenau
    OP

    Can not check at the moment, I deleted my save so I could start the QR code thing. My camera is busted so I was hoping that would help.