ROM Hack MHX DLC Encryption

Jan Tan

Alright :) Was the key changed just today? Yesterday I was still able to import the quests. Also I'm currently working on a small editor too.
It seems like the monster only spawns in one area, although I edited the area in the boss file. Is this intended by the game or am I doing something wrong? Anyways, have a nice vacation!

EDIT: Jup, they changed it..
You can delete the update for now and it should work. I think.
 

Deleted member 369977

I just got an idea how to inject the dlc data to the savedata.
Since there is an offset to the dlc in the savedata, wouldn't it be possible to add custom dlc this way?
 

_eyCaRambA_

> I just got an idea how to inject the dlc data to the savedata.
> Since there is an offset to the dlc in the savedata, wouldn't it be possible to add custom dlc this way?
Certainly, this is how I did Custom Quests in MH4G/U before dasding released his download menu approach. Haven't looked into it for MHX but I'm sure it's possible one way or another.
 

lys1030

thanks! I tried to run:
python dlc.py d X JPN eventQuestList.bin eventQuestList.txt
but get invalid SHA1 hash in footer error.

How can I resolve this problem? thx!
 

moghedien

Ok, I'm back from vacation :)
I got the new encryption key and it's in the mhef code now. The funny thing is that they increased the length of the key... maybe they think I'm brute forcing it? Silly Capcom.
I'll be releasing my quest editor this upcoming Saturday (my birthday!)

To get the encryption key you need to find the function that initializes the Blowfish S-boxes/P-array, which you can do by following the reference to the default constants (https://www.schneier.com/code/constants.txt).
Once you have the Blowfish init function you can see that it's called 3 times in the game's code: the first call is used when decrypting the DLC and the next 2 calls are used for encrypted ARC files (which aren't used in MHX but the code is there anyway).
You can then use NTR debugger to hook the first call and copy the key to a secondary location that you can read later.
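
Added example, not part of moghedien's post or the mhef code: the default constants referenced above are the hexadecimal digits of pi, so this sketch derives the 18-word Blowfish P-array and scans a binary image for it in either byte order. The function names and `SAMPLE_IMAGE` are constructed for illustration.

```python
import struct

def arctan_inv(x, scale):
    """Return arctan(1/x) * scale in fixed point, via the Gregory series."""
    term = scale // x
    total = term
    k = 1
    while term:
        term //= x * x
        delta = term // (2 * k + 1)
        total += -delta if k % 2 else delta
        k += 1
    return total

def blowfish_p_array():
    """Derive the 18 initial P-array words: the first 576 fractional bits of pi."""
    bits, guard = 18 * 32, 64          # guard bits absorb truncation error
    scale = 1 << (bits + guard)
    # Machin's formula: pi = 16*arctan(1/5) - 4*arctan(1/239)
    pi_fixed = 4 * (4 * arctan_inv(5, scale) - arctan_inv(239, scale))
    frac = (pi_fixed - 3 * scale) >> guard
    return [(frac >> (32 * (17 - i))) & 0xFFFFFFFF for i in range(18)]

def find_blowfish_tables(blob):
    """Return sorted (offset, byte_order) pairs where the P-array appears."""
    words = blowfish_p_array()
    hits = []
    for label, fmt in (("little-endian", "<18I"), ("big-endian", ">18I")):
        needle = struct.pack(fmt, *words)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)

# Constructed sample: zero padding, then the table as a little-endian
# binary would store it, then more padding.
SAMPLE_IMAGE = bytes(0x40) + struct.pack("<18I", *blowfish_p_array()) + bytes(0x20)

if __name__ == "__main__":
    for offset, order in find_blowfish_tables(SAMPLE_IMAGE):
        print(f"Blowfish P-array ({order}) at offset {offset:#x}")
```

An offset reported by the scan is the table address whose cross-references in a disassembler lead to the init routine the post describes.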
 

Deleted member 369977

Thank you very much :)
I really want to see your quest editor! Mine only edits the main .mib file,
also something I wanted to ask. It seems like the area the monsters are spawning is depending on the quest, not the boss file :/ I tried changing the area at the offset of 0xc ( don't quote me on that, that's just the offset I'm remembering currently ) but it didn't work :/
 

moghedien

> Thank you very much :)
> I really want to see your quest editor! Mine only edits the main .mib file,
> also something I wanted to ask. It seems like the area the monsters are spawning is depending on the quest, not the boss file :/ I tried changing the area at the offset of 0xc ( don't quote me on that, that's just the offset I'm remembering currently ) but it didn't work :/
Sorry, I haven't done any testing on what works or doesn't work when modifying quests yet. My plan is to have no restrictions on what can be modified for my initial release so that people can test different things to see what the game will actually accept. Then later I can add checks to make sure it won't allow the user to make invalid quests.
 

Deleted member 369977

> Sorry, I haven't done any testing on what works or doesn't work when modifying quests yet. My plan is to have no restrictions on what can be modified for my initial release so that people can test different things to see what the game will actually accept. Then later I can add checks to make sure it won't allow the user to make invalid quests.
I already made a small list of accepted values: https://docs.google.com/spreadsheet...nDwgsmGt7kEmzd4H8pm-bBJQCs/edit#gid=0&vpid=A1 but now I can complete this list :) The monster IDs are really weird..
they don't really chain in a list, but rather chunks
 

_eyCaRambA_

> Ok, I'm back from vacation :)
> I got the new encryption key and it's in the mhef code now. The funny thing is that they increased the length of the key... maybe they think I'm brute forcing it? Silly Capcom.
> I'll be releasing my quest editor this upcoming Saturday (my birthday!)
>
> To get the encryption key you need to find the function that initializes the Blowfish S-boxes/P-array, which you can do by following the reference to the default constants (https://www.schneier.com/code/constants.txt).
> Once you have the Blowfish init function you can see that it's called 3 times in the game's code: the first call is used when decrypting the DLC and the next 2 calls are used for encrypted ARC files (which aren't used in MHX but the code is there anyway).
> You can then use NTR debugger to hook the first call and copy the key to a secondary location that you can read later.
Thanks for the update svan!
 

ice239

New dlc.py is working, but arc.py can't extract

extracting: quest\questData\questData_1010002_jpn.gmd, type: rGUIMessage, compressed size: 382, size: 568
Traceback (most recent call last):
  File "F:\mh\mhff-master\n3ds\arc.py", line 384, in <module>
    extract_arc(args.inputfile, args.outputpath)
  File "F:\mh\mhff-master\n3ds\arc.py", line 344, in extract_arc
    os.makedirs(os.path.dirname(file_name), exist_ok=True)
TypeError: makedirs() got an unexpected keyword argument 'exist_ok'
 

moghedien

> Do they send the key with the port 443 connection that establishes at the beginning when you enter the DLC section? Or do they use a different connection?
Yes, they use the SSL connection to send the key. The game sends some special data and the server returns some special data that's used to calculate the key. I would love to figure out that process so that I could get the key directly from the server, but it's not easy reverse engineering that code. I tried with MH4U but I gave up after a while, and in MHX it's much more complicated.
 

Deleted member 369977

Well.. that's pretty unfortunate. But we do already know that the length of the key is decided by the server and it isn't in X itself. I haven't done any reverse engineering yet, so I won't be of much help, sadly :(
 

moghedien

It's easy enough to get the key the way I've been doing it. It'll just get tedious if they change it too often.
Either way we'll always be able to get/add quests directly in the save file since they can't change the format of that even with a game update. And since browserhax works on 10.3 now, everyone should be able to do that :)
 
