MH4U DLC Encryption - svanheulen/mhff GitHub Wiki

User Agent

The Monster Hunter 4 Ultimate DLC servers will only service requests that have Capcom Browser Services for MonsterHunter_4G as the User-Agent HTTP header.

Obtaining Encryption Key

To obtain the encryption key used for all the DLC pages and files, you first need to send a special code to the login.cgi page. Each region has a slightly different URL, but for the USA version of the game it will be: https://goshawk.capcom.co.jp/3ds/mh4g_us/login.cgi

The special code appears to be a string encoded with some form of base64. Part of the code also appears to be time-based, since it changed about every 24 hours. Unfortunately, the algorithm for creating this code is unknown, but the current code can be read from the game's memory.

The server will respond with the Blowfish encryption key used for all the DLC pages and files, and also the base URL for accessing the DLC pages.

Encrypted File Format

The first 4 bytes of an encrypted page or file from the DLC website are the size of the decrypted data in big-endian format. The remaining part of the file is the Blowfish encrypted data.

It appears that the reference implementation of Blowfish was used in MH4U, which has a bug causing it to always assume it's running on a big-endian system. To handle this, you must byte swap each 32-bit block of the data before and after the decryption.

After the data is decrypted, use the size to remove any padding. Now the last 20 bytes of the file will be the SHA1 hash of the rest of the file, which you can use to verify it.
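The steps above (size header, 32-bit byte swap around decryption, padding removal, SHA1 check) are sketched below as an added example; it is not code from the mhff project. The names `swap32`, `unwrap`, `toy_cipher` and `build_sample` are hypothetical, the Blowfish decryption is supplied by the caller, and the constructed sample uses a toy XOR stand-in with zero padding rather than Blowfish.

```python
import hashlib
import hmac
import struct
from typing import Callable

SHA1_LEN = 20
BLOCK = 8  # Blowfish block size in bytes

def swap32(data: bytes) -> bytes:
    """Reverse the byte order of every 32-bit word."""
    words = struct.unpack(f"<{len(data) // 4}I", data)
    return struct.pack(f">{len(words)}I", *words)

def unwrap(blob: bytes, decrypt: Callable[[bytes], bytes]) -> bytes:
    """Parse the size header, decrypt, strip padding, verify the trailing SHA1."""
    if len(blob) < 4:
        raise ValueError("missing 4-byte size header")
    (size,) = struct.unpack(">I", blob[:4])
    body = blob[4:]
    if len(body) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    if not SHA1_LEN <= size <= len(body):
        raise ValueError("declared size does not fit the ciphertext")
    # Byte swap before and after decryption, then cut off the padding.
    plain = swap32(decrypt(swap32(body)))[:size]
    payload, digest = plain[:-SHA1_LEN], plain[-SHA1_LEN:]
    if not hmac.compare_digest(hashlib.sha1(payload).digest(), digest):
        raise ValueError("SHA1 mismatch: wrong key or corrupted file")
    return payload

# --- constructed sample; toy_cipher is a stand-in, NOT Blowfish ---
TOY_KEY = bytes.fromhex("0102030405060708")

def toy_cipher(data: bytes) -> bytes:
    """XOR each 8-byte block with TOY_KEY (the operation is its own inverse)."""
    return bytes(b ^ TOY_KEY[i % BLOCK] for i, b in enumerate(data))

def build_sample(payload: bytes) -> bytes:
    """Wrap payload in the layout described above, using the toy cipher."""
    plain = payload + hashlib.sha1(payload).digest()
    padded = plain + b"\x00" * (-len(plain) % BLOCK)
    return struct.pack(">I", len(plain)) + swap32(toy_cipher(swap32(padded)))

if __name__ == "__main__":
    print(unwrap(build_sample(b"constructed quest data"), toy_cipher))
```

Rejecting a declared size that is smaller than the hash or larger than the ciphertext keeps a malformed header from producing a silently truncated result.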