Aluratek AIREC01F #4

http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/crypto/blowfish/bf_pi.h

static const BF_KEY bf_init= {

{

0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L,

0xa4093822L, 0x299f31d0L, 0x082efa98L, 0xec4e6c89L,

0x452821e6L, 0x38d01377L, 0xbe5466cfL, 0x34e90c6cL,

0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L,

0x9216d5d9L, 0x8979fb1b

},{

0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L,

0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L,

0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L,

...

0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,

0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,

}

};

The cipher used is Blowfish. In this header file, the first array corresponds to the P-array, and the second to the S-box.

$ hd ShrekW.BIN | grep "88 6a 3f 24"

0008bc90 88 6a 3f 24 d3 08 a3 85 2e 8a 19 13 44 73 70 03 |.j?$Ó.£.....Dsp.|

We can see the P-array starting at 0x0008bc90.

$ hd ShrekW.BIN | grep "a6 0b 31 d1"

0008bcd0 d9 d5 16 92 1b fb 79 89 a6 0b 31 d1 ac b5 df 98 |ÙÕ...ûy.Š.1Ѭµß.|

$ hd ShrekW.BIN | grep "e6 72 c3 3a"

0008ccd0 e3 df 8f 57 e6 72 c3 3a ff ff ff ff ff ff ff ff |ãß.WærÃ:ÿÿÿÿÿÿÿÿ|

The S-box starts at 0x0008bcd8 and ends at 0x0008ccd8.