
イーブイ

Member
Posts: 26

Everything posted by イーブイ

  1. It would certainly make sense; bit odd to jam them in the header like that otherwise. Okay, noted. I'll make my parser work like that, and try some of the other mystery bytes tomorrow.
  2. The PP legality checker, at least, doesn't balk at a Pokémon with junk in 0x04 and 0x05. Interesting.
  3. There are some bytes in the save struct that are apparently unused by the games: for example, 0x04–0x05 and 0x42–0x43. I'm considering using these for my own nefarious purposes. So: 1. Do retail saves always set these to zero, or can they be garbage? I would hope the whole struct is memset to zero right off the bat, but you never know. 2. If so, do any legality checks—including Legality Checker and anything Nintendo uses—verify that these bytes are zero? Please note: I am not talking about "trash bytes". If you don't know what I mean, you probably don't know the answer.
  4. We were trying to build fake GTS servers. Now we have.
  5. The handshake is SSL with some other server. We don't know how it works.
  6. There are several third-party GTSes that can already do this. I think.
  7. Uh, it's part of my entire site. Not really meant for people to run for themselves, especially if you're not a developer.
  8. Yes, you could do that. Actually, just remove the line that deletes the Pokémon from the beta table, and it will do exactly that.
  9. veekun is already running its own DNS server, so dnsspoof wasn't really an option 8) veekun's GTS is still just a dumb roundtrip; working on some backend stuff before I try to make it cooler. And of course I need to actually finish veekun and all.
  10. For the curious, the veekun setup is as follows:
      - BIND thinks it's a master server for nintendowifi.net. It returns the veekun IP for gamestats2.gs, but the correct IPs for conntest and nat.
      - In Apache, gamestats2.gs.nintendowifi.net is a ServerAlias for veekun.com. Requests to http://gamestats2.gs.nintendowifi.net/pokemondpds/common/setProfile.asp, for example, are treated the same way as though they were for http://veekun.com/pokemondpds/common/setProfile.asp.
      - App side, I have these two route rules:
            map.connect('/pokemondpds/worldexchange/{page}.asp', controller='fake_gts', action='dispatch')
            map.connect('/pokemondpds/common/{page}.asp', controller='fake_gts', action='dispatch')
        Anything that starts with /pokemondpds, I send off to a custom dispatch function in its own controller.
      - The dispatch function takes care of challenge/response and decrypting the data, then dispatches to the right method based on the page name.
      Source here, although it'll be moving later. The thing to remember is that the Nintendo server isn't doing anything special whatsoever; it's just a regular Web app, running on IIS (gross), that happens to return binary junk instead of HTML.
  11. Do you really need a restarter...? Just make sendpkm.py not exit after sending the Pokémon off.
  12. It is done. DNS: 72.232.182.50 Simple roundtripping GTS. Deposit a Pokémon, and next time you check GTS status it'll come back to you. And no blue screen! No searching, etc., and I don't save your Pokémon after you take it back. (Disclaimer: Please don't put anything important in here; this is a proof of concept, and I reserve the right to nuke everything at any time.)
  13. Also, for the hacker crowd, this is a drop-in rewrite of pkmlib.py that might be a bit easier to work with: http://eevee.pastebin.com/fP4YH33Q
  14. BIND is happy to be a master zone for whatever domain you want, whether or not it's actually acting as the main nameserver for that domain.
      eevee@tekkanin ~ $ host gamestats2.gs.nintendowifi.net
      gamestats2.gs.nintendowifi.net has address 207.38.11.146
      eevee@tekkanin ~ $ host gamestats2.gs.nintendowifi.net 72.232.182.50
      gamestats2.gs.nintendowifi.net has address 72.232.182.50
  15. I'll have a simple GTS server running as part of veekun by the end of the weekend.
  16. Messages with the same sums of bytes have the same "key". Progress.
  17. The header is 0x4a3b2c1d ^ sum(bytes).
  18. Can we get the tech support out of the *research* thread? Here is some data, courtesy of.. mignot? Someone from IRC. Sorted by encrypted.
      pid (hex)  pid (binary)                      encrypted (hex)          encrypted (binary)
      0d593d2b   00001101010110010011110100101011  4a 3b 2c d3 ad 0c 39 03  0100101000111011001011001101001110101101000011000011100100000011
      0f4a4b55   00001111010010100100101101010101  4a 3b 2c e4 48 ac 3d 2e  0100101000111011001011001110010001001000101011000011110100101110
      01050000   00000001000001010000000000000000  4a 3b 2c 1b 9e 9b cb 8e  0100101000111011001011000001101110011110100110111100101110001110
      01000302   00000001000000000000001100000010  4a 3b 2c 1b 9c 98 ce 8e  0100101000111011001011000001101110011100100110001100111010001110
      00000005   00000000000000000000000000000101  4a 3b 2c 18 5c 02 8c c4  0100101000111011001011000001100001011100000000101000110011000100
      00000004   00000000000000000000000000000100  4a 3b 2c 19 10 68 4a f9  0100101000111011001011000001100100010000011010000100101011111001
      00000002   00000000000000000000000000000010  4a 3b 2c 1f 88 36 c6 64  0100101000111011001011000001111110001000001101101100011001100100
      00000001   00000000000000000000000000000001  4a 3b 2c 1c 44 9d 84 99  0100101000111011001011000001110001000100100111011000010010011001
      00000003   00000000000000000000000000000011  4a 3b 2c 1e cc cf 08 2e  0100101000111011001011000001111011001100110011110000100000101110
      10003020   00010000000000000011000000100000  4a 3b 2c 7d c0 5b 03 f2  0100101000111011001011000111110111000000010110110000001111110010
      10500000   00010000010100000000000000000000  4a 3b 2c 7d e0 6b 53 f2  0100101000111011001011000111110111100000011010110101001111110010
      0f5eee8a   00001111010111101110111010001010  4a 3b 2d f8 33 ea 0c 28  0100101000111011001011011111100000110011111010100000110000101000
      0daf3ecc   00001101101011110011111011001100  4a 3b 2d db 92 45 fc 9b  0100101000111011001011011101101110010010010001011111110010011011
      0d6b85f2   00001101011010111000010111110010  4a 3b 2d f2 99 7a 8d 19  0100101000111011001011011111001010011001011110101000110100011001
      0f64931f   00001111011001001001001100011111  4a 3b 2d 38 e6 a5 ab 0f  0100101000111011001011010011100011100110101001011010101100001111
      0f497b4f   00001111010010010111101101001111  4a 3b 2d 3f 65 10 40 90  0100101000111011001011010011111101100101000100000100000010010000
      0f656682   00001111011001010110011010000010  4a 3b 2d 41 4e 7f 9b 99  0100101000111011001011010100000101001110011111111001101110011001
      0f2ac754   00001111001010101100011101010100  4a 3b 2d 49 f0 96 c4 30  0100101000111011001011010100100111110000100101101100010000110000
      0bdd5ba0   00001011110111010101101110100000  4a 3b 2d fe 8f 89 13 9a  0100101000111011001011011111111010001111100010010001001110011010
      098fbd52   00001001100011111011110101010010  4a 3b 2d ba 51 4f da 0c  0100101000111011001011011011101001010001010011111101101000001100
      0f4ab199   00001111010010101011000110011001  4a 3b 2d be 76 3f 07 d5  0100101000111011001011011011111001110110001111110000011111010101
      0da9a07a   00001101101010011010000001111010  4a 3b 2d cd 6a d6 4e 8e  0100101000111011001011011100110101101010110101100100111010001110
      0a99faed   00001010100110011111101011101101  4a 3b 2e 97 df 57 47 e3  0100101000111011001011101001011111011111010101110100011111100011
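An added check (my code, not something from the thread or from any GTS tool) that runs the header rule from post 17, header = 0x4a3b2c1d ^ sum(plaintext bytes), over every row of the table above, and then tests the "same sum of bytes, same key" observation from post 16 on the two pairs of rows whose pid bytes add up to the same value: if both messages were XORed with the same keystream, ciphertext XOR ciphertext must equal plaintext XOR plaintext. It assumes, as the posts do, that the info.asp payload is just the 4-byte pid; the little-endian byte order is my guess, not something stated on the page.

```python
import struct

HEADER_MAGIC = 0x4A3B2C1D

# (pid, first eight bytes sent to info.asp) copied from the table in post 18.
CAPTURES = [
    (0x0D593D2B, "4a3b2cd3ad0c3903"), (0x0F4A4B55, "4a3b2ce448ac3d2e"),
    (0x01050000, "4a3b2c1b9e9bcb8e"), (0x01000302, "4a3b2c1b9c98ce8e"),
    (0x00000005, "4a3b2c185c028cc4"), (0x00000004, "4a3b2c1910684af9"),
    (0x00000002, "4a3b2c1f8836c664"), (0x00000001, "4a3b2c1c449d8499"),
    (0x00000003, "4a3b2c1ecccf082e"), (0x10003020, "4a3b2c7dc05b03f2"),
    (0x10500000, "4a3b2c7de06b53f2"), (0x0F5EEE8A, "4a3b2df833ea0c28"),
    (0x0DAF3ECC, "4a3b2ddb9245fc9b"), (0x0D6B85F2, "4a3b2df2997a8d19"),
    (0x0F64931F, "4a3b2d38e6a5ab0f"), (0x0F497B4F, "4a3b2d3f65104090"),
    (0x0F656682, "4a3b2d414e7f9b99"), (0x0F2AC754, "4a3b2d49f096c430"),
    (0x0BDD5BA0, "4a3b2dfe8f89139a"), (0x098FBD52, "4a3b2dba514fda0c"),
    (0x0F4AB199, "4a3b2dbe763f07d5"), (0x0DA9A07A, "4a3b2dcd6ad64e8e"),
    (0x0A99FAED, "4a3b2e97df5747e3"),
]


def info_payload(pid: int) -> bytes:
    """Assumed plaintext for info.asp: the pid as four little-endian bytes.
    The byte order does not affect the sum, only the keystream check below."""
    return pid.to_bytes(4, "little")


def header_for(payload: bytes) -> int:
    """Header predicted by post 17.  sum() is not truncated to a byte: a pid
    like 0x0f5eee8a sums to 485 and changes the third header byte (0x2c -> 0x2d)."""
    return HEADER_MAGIC ^ sum(payload)


def checksum_from_header(data: bytes) -> int:
    """Inverse of header_for: recover sum(plaintext) from a captured request.
    The header is big-endian on the wire (4a 3b 2c ...)."""
    (header,) = struct.unpack(">I", data[:4])
    return header ^ HEADER_MAGIC


def check_capture(pid: int, data_hex: str) -> bool:
    data = bytes.fromhex(data_hex)
    (actual,) = struct.unpack(">I", data[:4])
    return actual == header_for(info_payload(pid))


def verify_all() -> list:
    """pids whose capture does not match the rule (expected: none)."""
    return [pid for pid, d in CAPTURES if not check_capture(pid, d)]


def same_checksum_pairs() -> list:
    """Groups of captures whose plaintexts have equal byte sums (post 16: same key)."""
    groups = {}
    for pid, d in CAPTURES:
        groups.setdefault(sum(info_payload(pid)), []).append((pid, d))
    return [g for g in groups.values() if len(g) > 1]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_holds(group: list) -> bool:
    """If two messages are XORed with one keystream, ct_a ^ ct_b == pt_a ^ pt_b.
    Only the four bytes after the header are compared."""
    (pid_a, da), (pid_b, db) = group[0], group[1]
    ct_diff = xor_bytes(bytes.fromhex(da)[4:], bytes.fromhex(db)[4:])
    pt_diff = xor_bytes(info_payload(pid_a), info_payload(pid_b))
    return ct_diff == pt_diff


if __name__ == "__main__":
    print("rule violations:", verify_all())
    for g in same_checksum_pairs():
        print([hex(p) for p, _ in g], "keystream reuse:", keystream_reuse_holds(g))
```

The two equal-sum pairs (0x01050000/0x01000302 and 0x10003020/0x10500000) pass the XOR test with the little-endian assumption, which is consistent with a position-wise XOR keystream derived from the checksum; it is evidence, not proof, and it says nothing about how the keystream itself is generated.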
  19. I believe this would be possible by replying to result.asp with several different Pokémon in a row, but it won't actually work unless we can figure out why Pt/HG/SS report a communication error. Process exit codes use 0 for success and 1–255 for error, yes. The only place sendpkm.py explicitly exits is if you don't provide a filename, which is indeed an error. Otherwise it drops out and Python will exit with 0. Edit: Oh, the 0x0001 response. I can't recall ever seeing 0 used for success outside process exit, actually. But that's what was sniffed from D/P, and we have no idea what it actually means either way; result.asp uses 0x0004 and 0x0005 to mean yes/no. (What.) Dumps of the same operations performed by both D/P and Pt/HG/SS should tell us for sure. It would probably work, but I doubt it would be useful. We don't know the encryption used for sending data, you need to respond to a challenge every time you send a request, and the response is binary.
  20. Current thoughts on the cipher itself: Pokémon sent to the GTS have an extra eight bytes added. What are these? The data sent to post_finish.asp is also eight bytes long; is it the same thing? Pokémon sent to exchange.asp have *another* four bytes added -- presumably the receiver's pid. I'm assuming here that info.asp has an empty payload. Here are four data sent to info.asp, from two of magical's games, LordLandon's game, and my Platinum:
      pid 0x05da5237: 0x752d3b4a 0x1dcc143f
      pid 0x0f3ad0df: 0xe52d3b4a 0x3902b107
      pid 0x06fab95b: 0x092e3b4a 0x608aa63f
      pid 0x0b7b1424: 0xa32c3b4a 0x6b3bb412
      LordLandon did an experiment, slightly changing his game's pid. The results were:
      pid 0x06fab95b: 0x092e3b4a 0x608aa63f
      pid 0x06fab95c: 0x082e3b4a 0x374801f5
      pid 0x07fab95b: 0x082e3b4a 0x364801f2
      pid 0x07fab95c: 0x0b2e3b4a 0xfb0ee8b2
      pid 0x07faba5c: 0x0a2e3b4a 0xc0cc506f
      In inconvenient binary form:
      00000110 11111010 10111001 01011011 pid
      00001000 00101110 00111011 01001010 01100000 10001010 10100110 00111111
      00000110 11111010 10111001 01011100 pid
      00001000 00101110 00111011 01001010 00110111 01001000 00000001 11110101
      00000111 11111010 10111001 01011011 pid
      00001000 00101110 00111011 01001010 00110110 01001000 00000001 11110010
      00000111 11111010 10111001 01011100 pid
      00001011 00101110 00111011 01001010 11111011 00001110 11101000 10110010
      00000111 11111010 10111010 01011100 pid
      00001010 00101110 00111011 01001010 11000000 11001100 01010000 01101111
      We know:
      - Flipping one bit in good data makes bad data. Flipping two separated bits in good data makes good data.
      - The same pid sends the same data to info.asp every time. Different pids send different data to info.asp.
      - Posting the same Pokémon *from a box* twice sends radically different data (magical). Posting the same Pokémon *from the party* twice sends exactly the same data (LordLandon).
      It seems both the pid and a checksum of the data are used to generate the key.
  21. magical has performed a fascinating experiment. He posted this Pokémon:
      0000000: 0bbe 49d0 0000 cb1e 3764 78b1 74f3 97b2 ..I.....7dx.t...
      0000010: b24c fab5 37fd f13c 40f5 bfdd 7355 0281 .L..7..<@...sU..
      0000020: c754 1f06 9538 4e24 6b56 7231 d74a d352 .T...8N$kVr1.J.R
      0000030: 2c5d 334f 3f5e b54b 45cb 861b f78e f4fa ,]3O?^.KE.......
      0000040: f41d b4e5 7195 1be1 8769 abb8 2fe2 7360 ....q....i../.s`
      0000050: 4419 a39d df5f 46f5 e959 a6c4 8748 f86a D...._F..Y...H.j
      0000060: a8a3 894c 4057 54ee 991d 32eb 59cf a276 ...L@WT...2.Y..v
      0000070: 8ed7 a70e 60d8 3268 c9d7 87f5 cec5 6c7f ....`.2h......l.
      0000080: be37 c58a e9ff 2659 cfee 064d 8f09 3f4a .7....&Y...M..?J
      0000090: 128b 9dec 0aab 7472 dc1d 8f88 a6c8 b6f0 ......tr........
      00000a0: 40e7 6bcc c1e2 22ad 5cae 5d39 b797 7dac @.k...".\.]9..}.
      00000b0: 48d6 7d21 e5fb 140a e703 41c9 1cbd 1d8b H.}!......A.....
      00000c0: 3f9f cb50 344a 1ff5 3131 45c6 a63d f7b4 ?..P4J..11E..=..
      00000d0: 77f5 9147 152a f1b0 a36f 5c6d 6e68 8a95 w..G.*...o\mnh..
      00000e0: c19b 5b61 dd0a 0c61 3a3d 8226 9f01 020c ..[a...a:=.&....
      00000f0: 3f00 0264 6400 0000 da07 0315 1025 0200 ?..dd........%..
      0000100: 0000 0000 0000 0000 3752 da05 2b01 5201 ........7R..+.R.
      0000110: 4801 5601 4901 5b01 ffff 0000 47bc 0000 H.V.I.[.....G...
      0000120: 3300 0a02 3...
      which resulted in this data:
      0000000: 4a3b 52db b7c2 32b5 afda bd0d 913e 2c78 J;R...2......>,x
      0000010: a9fb 8b27 ecda 9953 0173 fa95 9a1c 5f33 ...'...S.s...._3
      0000020: 0532 18d7 aee9 ef84 ab6b 19cc 3d6e 0a5c .2.......k..=n.\
      0000030: 1ae5 2008 5541 d316 78ee 625c 6c23 71ac .. .UA..x.b\l#q.
      0000040: 0018 6661 0f9c f7fe d937 d997 b3e1 9303 ..fa.....7......
      0000050: a3bc d0dc daf0 838d be6a 8001 97c3 6bc7 .........j....k.
      0000060: 59f0 2909 eec1 fb8c 563e 09c7 38c5 d833 Y.).....V>..8..3
      0000070: 5460 f525 d3f9 1463 3320 6a7d 45ee f343 T`.%...c3 j}E..C
      0000080: 5716 8a49 06dc a89d 4626 5247 8b58 01f8 W..I....F&RG.X..
      0000090: 49cd 8b62 5766 17b9 a633 35a3 88ef 2d75 I..bWf...35...-u
      00000a0: fb8e 3d76 0b71 a8c0 731b 613d d949 13c8 ..=v.q..s.a=.I..
      00000b0: 3991 7b79 ce21 5d6c b1fa 77c8 1247 d80b 9.{y.!]l..w..G..
      00000c0: 8594 9585 b3de f481 f848 f9ff 06dc 9c97 .........H......
      00000d0: b378 ad7f a53c 8200 d538 dcbf 09bd 03ff .x...<...8......
      00000e0: cb2a 9133 0666 7433 0d80 3ddf 9a6a f8ae .*.3.ft3..=..j..
      00000f0: cd87 af77 904b 020a f611 cb51 ecce a329 ...w.K.....Q...)
      0000100: 5116 f4eb 6eb2 353c 593f ffd6 f101 5ce5 Q...n.5<Y?....\.
      0000110: db08 4dc1 1e86 c5ee cb73 8259 9d59 e3c8 ..M......s.Y.Y..
      0000120: ca7f a2ab 1dfb 6405 bbba 5eb3 ......d...^.
      To which he applied:
          from base64 import b64decode, b64encode

          if req.action == 'post' and 'data' in req.qvars:
              data = b64decode(req.qvars['data'][0].encode('ascii'))
              data = bytearray(data)
              data[-56 + 0x04] ^= 1  # requested pokemon
              data[-56 + 0x12] ^= 1  # second dep'd
              data = bytes(data)
              req.qvars['data'][0] = b64encode(data).decode('ascii')
      Which resulted in:
      0000000: 4a3b 52db b7c2 32b5 afda bd0d 913e 2c78 J;R...2......>,x
      0000010: a9fb 8b27 ecda 9953 0173 fa95 9a1c 5f33 ...'...S.s...._3
      0000020: 0532 18d7 aee9 ef84 ab6b 19cc 3d6e 0a5c .2.......k..=n.\
      0000030: 1ae5 2008 5541 d316 78ee 625c 6c23 71ac .. .UA..x.b\l#q.
      0000040: 0018 6661 0f9c f7fe d937 d997 b3e1 9303 ..fa.....7......
      0000050: a3bc d0dc daf0 838d be6a 8001 97c3 6bc7 .........j....k.
      0000060: 59f0 2909 eec1 fb8c 563e 09c7 38c5 d833 Y.).....V>..8..3
      0000070: 5460 f525 d3f9 1463 3320 6a7d 45ee f343 T`.%...c3 j}E..C
      0000080: 5716 8a49 06dc a89d 4626 5247 8b58 01f8 W..I....F&RG.X..
      0000090: 49cd 8b62 5766 17b9 a633 35a3 88ef 2d75 I..bWf...35...-u
      00000a0: fb8e 3d76 0b71 a8c0 731b 613d d949 13c8 ..=v.q..s.a=.I..
      00000b0: 3991 7b79 ce21 5d6c b1fa 77c8 1247 d80b 9.{y.!]l..w..G..
      00000c0: 8594 9585 b3de f481 f848 f9ff 06dc 9c97 .........H......
      00000d0: b378 ad7f a53c 8200 d538 dcbf 09bd 03ff .x...<...8......
      00000e0: cb2a 9133 0666 7433 0d80 3ddf 9a6a f8ae .*.3.ft3..=..j..
      00000f0: cd87 af77 904b 020a f711 cb51 ecce a329 ...w.K.....Q...)
      0000100: 5116 f4eb 6eb2 343c 593f ffd6 f101 5ce5 Q...n.4<Y?....\.
      0000110: db08 4dc1 1e86 c5ee cb73 8259 9d59 e3c8 ..M......s.Y.Y..
      0000120: ca7f a2ab 1dfb 6405 bbba 5eb3 ......d...^.
      Flipped bits are in 0xf8 and 0x106. Which was accepted by the server and resulted in this Pokémon coming back:
      0000000: 0bbe 49d0 0000 cb1e 3764 78b1 74f3 97b2 ..I.....7dx.t...
      0000010: b24c fab5 37fd f13c 40f5 bfdd 7355 0281 .L..7..<@...sU..
      0000020: c754 1f06 9538 4e24 6b56 7231 d74a d352 .T...8N$kVr1.J.R
      0000030: 2c5d 334f 3f5e b54b 45cb 861b f78e f4fa ,]3O?^.KE.......
      0000040: f41d b4e5 7195 1be1 8769 abb8 2fe2 7360 ....q....i../.s`
      0000050: 4419 a39d df5f 46f5 e959 a6c4 8748 f86a D...._F..Y...H.j
      0000060: a8a3 894c 4057 54ee 991d 32eb 59cf a276 ...L@WT...2.Y..v
      0000070: 8ed7 a70e 60d8 3268 c9d7 87f5 cec5 6c7f ....`.2h......l.
      0000080: be37 c58a e9ff 2659 cfee 064d 8f09 3f4a .7....&Y...M..?J
      0000090: 128b 9dec 0aab 7472 dc1d 8f88 a6c8 b6f0 ......tr........
      00000a0: 40e7 6bcc c1e2 22ad 5cae 5d39 b797 7dac @.k...".\.]9..}.
      00000b0: 48d6 7d21 e5fb 140a e703 41c9 1cbd 1d8b H.}!......A.....
      00000c0: 3f9f cb50 344a 1ff5 3131 45c6 a63d f7b4 ?..P4J..11E..=..
      00000d0: 77f5 9147 152a f1b0 a36f 5c6d 6e68 8a95 w..G.*...o\mnh..
      00000e0: c19b 5b61 dd0a 0c61 3a3d 8226 9f01 020c ..[a...a:=.&....
      00000f0: 3e00 0264 6400 0000 da07 0315 1036 3a00 >..dd........6:.
      0000100: 0000 0000 0000 0000 3752 da05 2b01 5201 ........7R..+.R.
      0000110: 4801 5601 4901 5b01 ffff 0000 47bc 0000 H.V.I.[.....G...
      0000120: 3300 0a02 3...
      The only differences are in 0xf0 and 0xfd. His pid is 98193975 (0x05da5237). The snapshots may have a different timestamp. Before, the requested Pokémon was an Abra; after, it was set to Poliwrath. Decoded (probably):
      Before:
      0000000: 0bbe 49d0 0000 cb1e 4601 ffff 3701 2c01 ..I.....F...7.,.
      0000010: 2f01 2f01 ffff 0000 0000 0000 0000 000a /./.............
      0000020: 0000 0000 0000 0000 9f01 5e00 47bc 11ea ..........^.G...
      0000030: cd03 0000 4676 0002 0000 0000 0000 0000 ....Fv..........
      0000040: 0000 0000 0000 0000 2b01 5201 4801 5601 ........+.R.H.V.
      0000050: 4901 5b01 ffff 0000 0000 000a 0204 0000 I.[.............
      0000060: 1600 0004 0c00 0000 e600 1000 0000 0000 ................
      0000070: 1423 0000 0000 0000 ff0c 719f 0000 0000 .#........q.....
      0000080: 0200 0000 0000 0000 0000 0000 0c00 2000 .............. .
      0000090: 2000 0d00 1000 1300 0e00 1000 0000 0000  ...............
      00000a0: 0002 0aff ffff ffff ffff ffff ffff ffff ................
      00000b0: ffff ffff ffff ffff ffff 2602 ffff 0000 ..........&.....
      00000c0: ffff ffff ffff 3a01 ffff ffff ffff 4301 ......:.......C.
      00000d0: ffff ffff 0000 0000 0000 0000 0000 0000 ................
      00000e0: 0000 0000 0000 0000 0000 0003 d666 7673 .............fvs
      00000f0: 210a d853 c854 0561 a024 57ea e7ec 5e99 !..S.T.a.$W...^.
      0000100: da68 fc92 3387 c1db 38d2 b5c5 c32d ed69 .h..3...8....-.i
      0000110: 7a94 dc04 8864 aec1 17e9 6371 37ba 2eb1 z....d....cq7...
      0000120: d5f2 77a2 ..w.
      After:
      0000000: 0bbe 49d0 0000 cb1e 4601 ffff 3701 2c01 ..I.....F...7.,.
      0000010: 2f01 2f01 ffff 0000 0000 0000 0000 000a /./.............
      0000020: 0000 0000 0000 0000 9f01 5e00 47bc 11ea ..........^.G...
      0000030: cd03 0000 4676 0002 0000 0000 0000 0000 ....Fv..........
      0000040: 0000 0000 0000 0000 2b01 5201 4801 5601 ........+.R.H.V.
      0000050: 4901 5b01 ffff 0000 0000 000a 0204 0000 I.[.............
      0000060: 1600 0004 0c00 0000 e600 1000 0000 0000 ................
      0000070: 1423 0000 0000 0000 ff0c 719f 0000 0000 .#........q.....
      0000080: 0200 0000 0000 0000 0000 0000 0c00 2000 .............. .
      0000090: 2000 0d00 1000 1300 0e00 1000 0000 0000  ...............
      00000a0: 0002 0aff ffff ffff ffff ffff ffff ffff ................
      00000b0: ffff ffff ffff ffff ffff 2602 ffff 0000 ..........&.....
      00000c0: ffff ffff ffff 3a01 ffff ffff ffff 4301 ......:.......C.
      00000d0: ffff ffff 0000 0000 0000 0000 0000 0000 ................
      00000e0: 0000 0000 0000 0000 0000 0003 d666 7673 .............fvs
      00000f0: 200a d853 c854 0561 a024 57ea e7ff 6699 ..S.T.a.$W...f.
      0000100: da68 fc92 3387 c1db 38d2 b5c5 c32d ed69 .h..3...8....-.i
      0000110: 7a94 dc04 8864 aec1 17e9 6371 37ba 2eb1 z....d....cq7...
      0000120: d5f2 77a2 ..w.
      Differences are in the same places. So. Flipped bits at 0xf8 and 0x106 in the data. Discarding the 0x08 bytes for the header, that leaves offsets 0xf0 and 0xfd -- which are the exact bytes that differ in the decoded Pokémon. Awesome. Here's the bit-twiddled data, minus the first eight bytes, XORed with the Pokémon that came back:
      0000000: a464 f4dd 913e e766 9e9f f396 9829 0ee1 .d...>.f.....)..
      0000010: b33f 0020 ade1 ae0f 45c7 a70a ddbc ed05 .?. ....E.......
      0000020: 6c3f 06ca a856 4478 71b3 5239 820b 0044 l?...VDxq.R9...D
      0000030: 54b3 5113 537d c4e7 45d3 e07a f812 0304 T.Q.S}..E..z....
      0000040: 2d2a 6d72 c274 88e2 24d5 7b64 f512 f0ed -*mr.t..$.{d....
      0000050: fa73 239c 489c 2d32 b0a9 8fcd 6989 03e6 .s#.H.-2....i...
      0000060: fe9d 808b 7892 8cdd cd7d c7ce 8a36 b615 ....x....}...6..
      0000070: bdf7 cd73 2536 c12b 9ec1 0dbc c819 c4e2 ...s%6.+........
      0000080: f811 97cd 62a7 27a1 8623 8d2f d86f 28f3 ....b.'..#./.o(.
      0000090: b4b8 a84f 8244 5907 2793 b2fe adb9 1e30 ...O.DY.'......0
      00000a0: 33fc 0af1 18ab 3165 653f 2640 79b6 20c0 3.....1ee?&@y. .
      00000b0: f92c 0ae9 f7bc cc01 6297 d44c af63 e90a .,......b..L.c..
      00000c0: c7d7 32af 3296 8362 8249 e8b9 0301 75b4 ..2.2..b.I....u.
      00000d0: a2cd 4df8 1c97 f24f 6845 cd5e 680e fea6 ..M....OhE.^h...
      00000e0: cc1b 66be 4760 f4cf f7ba 2d51 0f4a 0006 ..f.G`....-Q.J..
      00000f0: c911 c935 88ce a329 8b11 f7fe 7e84 0e3c ...5...)....~..<
      0000100: 593f ffd6 f101 5ce5 ec5a 97c4 3587 97ef Y?....\..Z..5...
      0000110: 8372 d458 d458 b8c9 3580 a2ab 5a47 6405 .r.X.X..5...ZGd.
      0000120: 88ba 54b1 ..T.
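An added example (mine, not magical's proxy code and not anything from a GTS tool) that replays the experiment above on the 16-byte windows copied from its dumps: the posted Pokémon at 0xf0..0xff and the sent data at 0xf8..0x107. It works under the model the result supports, a position-wise XOR keystream with the Pokémon starting 8 bytes into the data, so a known plaintext/ciphertext pair yields the keystream for that stretch and any byte in it can be rewritten. The generalisation is mine: with the header from post 17 being 0x4a3b2c1d ^ sum(plaintext), an edit only keeps the header valid (and, per post 16, the keystream unchanged) when the byte sum is preserved, which is what the two compensating bit flips did; forge_species() does the same for an arbitrary species value. The 0x3f/0x3e (Abra/Poliwrath) and 0x02 values are read off the dumps; the "compensator" name is my label for the second byte he flipped.

```python
SKIP = 8        # bytes magical discards before the Pokémon data starts
WINDOW = 0xF0   # Pokémon offset at which the embedded windows begin

# Copied from the dumps above: posted Pokémon 0xf0..0xff, sent data 0xf8..0x107.
PT_WINDOW = bytes.fromhex("3f00026464000000da07031510250200")
CT_WINDOW = bytes.fromhex("f611cb51eccea3295116f4eb6eb2353c")

# magical's data[-56 + 0x04] and data[-56 + 0x12], as Pokémon offsets.
REQUESTED_SPECIES = 0xF0   # 0x3f (Abra) in the posted copy
COMPENSATOR = 0xFE         # the second byte he flipped (0x02 in the posted copy)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ct: bytes, pt: bytes) -> bytes:
    """Known plaintext and ciphertext at the same position give the keystream there."""
    return xor_bytes(ct, pt)


def data_offset(pkm_offset: int) -> int:
    """Where a Pokémon byte sits in the sent data (0xf0 -> 0xf8, 0xfe -> 0x106)."""
    return pkm_offset + SKIP


def patch(pt: bytes, edits: dict) -> tuple:
    """Apply {pkm_offset: new byte} to the window.  Returns (new window, change in
    byte sum).  Under header = 0x4a3b2c1d ^ sum(plaintext), only a zero change
    leaves the header, and the checksum-derived keystream, valid."""
    buf = bytearray(pt)
    for off, val in edits.items():
        buf[off - WINDOW] = val
    return bytes(buf), sum(buf) - sum(pt)


def reproduce_experiment() -> tuple:
    """Flip bit 0 at both offsets, as the proxy snippet did, then re-encrypt with
    the recovered keystream.  Returns (forged data window, byte-sum change)."""
    ks = recover_keystream(CT_WINDOW, PT_WINDOW)
    new_pt, delta = patch(PT_WINDOW, {REQUESTED_SPECIES: 0x3F ^ 1, COMPENSATOR: 0x02 ^ 1})
    return xor_bytes(new_pt, ks), delta


def forge_species(pt: bytes, ks: bytes, species: int) -> bytes:
    """General form of the trick: set the requested species to any value and move
    the difference into the compensator byte so the byte sum, and with it the
    header, is unchanged.  Raises if the compensator cannot absorb the delta."""
    old = pt[REQUESTED_SPECIES - WINDOW]
    comp = pt[COMPENSATOR - WINDOW] + (old - species)
    if not 0 <= comp <= 0xFF:
        raise ValueError("compensator byte would leave 0..255; absorb the delta elsewhere")
    new_pt, delta = patch(pt, {REQUESTED_SPECIES: species, COMPENSATOR: comp})
    assert delta == 0
    return xor_bytes(new_pt, ks)


if __name__ == "__main__":
    ks = recover_keystream(CT_WINDOW, PT_WINDOW)
    forged, delta = reproduce_experiment()
    print("keystream for Pokémon 0xf0..0xff:", ks.hex())
    print("forged data 0xf8..0x107:", forged.hex(), "sum change:", delta)
```

Bytes 0xfd and 0xfe of the Pokémon that came back differ from the posted copy (the timestamp the post mentions), so the keystream dump in the post disagrees with this one at those two positions; the recovery here uses the copy that was actually sent.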
  22. Okay, attempting to think through this out loud, and IRC doesn't really cut the size of this stuff. I'm basing the following on LordLandon's depundep.txt. The Pokémon he sent out (based on the response from get.asp) was this:
      0000000: ae38 6151 0000 0701 bb92 b2de e153 5dba .8aQ.........S].
      0000010: d0af 248a 8d23 cbf4 ed52 a78d 4550 5c77 ..$..#...R..EP\w
      0000020: ec29 6f56 892a 40dc 28a9 df4c e1fa ae9b .)oV.*@.(..L....
      0000030: ef0c 99eb 4518 0da1 0da3 9d23 5440 ba9b ....E......#T@..
      0000040: bc5d c9cc b251 8019 21f3 9604 2e7f 977a .]...Q..!......z
      0000050: b80a ab11 ac82 b276 f4c8 5d94 8a00 be44 .......v..]....D
      0000060: 99be ae22 f2d2 d402 dadc ebe0 f931 5d93 ...".........1].
      0000070: 6cb7 b37d 73d7 a3ed 8ddd 6b86 9246 4657 l..}s.....k..FFW
      0000080: 84c5 3346 0a5a f0f4 3e4a 9380 c5ee 5bec ..3F.Z..>J....[.
      0000090: c7a9 2134 14e2 fc35 645c 0ad4 053e acd3 ..!4...5d\...>..
      00000a0: 428d 103b 24be 09eb 13cd 1aea 5f9b bcea B..;$......._...
      00000b0: 71ec deb5 3edb 19ca 48fb 64c6 21c3 5d34 q...>...H.d.!.]4
      00000c0: afeb 9d2b 1cae e261 3307 9784 a691 bfb9 ...+...a3.......
      00000d0: 62d1 9ab2 f9de e3ea e978 4116 8244 6784 b........xA..Dg.
      00000e0: 7db9 9624 cbee a0d2 0154 db5d 8901 0101 }..$.....T.].....
      00000f0: cc01 0300 0000 0000 da07 021b 0e38 0700 .............8..
      0000100: 0000 0000 0000 0000 5bb9 fa06 3601 4501 ........[...6.E.
      0000110: 5201 4801 5301 5201 ffff 0000 0e5f 0000 R.H.S.R......_..
      0000120: 3200 0a02 2..
      That Pokémon, decoded:
      0000000: ae38 6151 0000 0701 0100 3900 7f00 0000 .8aQ......9.....
      0000010: 230f 0f00 0000 0000 f534 f518 0000 0000 #........4......
      0000020: 0000 0000 d007 1800 3a01 3301 3a01 3601 ........:.3.:.6.
      0000030: 3f01 3a01 ffff 19c0 18b3 0c02 3037 000c ?.:.........07..
      0000040: 0000 0000 0000 0000 3301 3d01 2b01 2b01 ........3.=.+.+.
      0000050: 2d01 ffff 0000 0000 0a02 050a 0205 d007 -...............
      0000060: 1800 0004 0000 0000 8901 0000 255f a912 ............%_..
      0000070: 0000 0000 4643 0002 0000 0000 0000 0000 ....FC..........
      0000080: 0000 0000 0000 0000 0000 0000 0100 0c00 ................
      0000090: 0c00 0600 0600 0500 0500 0600 0000 0000 ................
      00000a0: 0002 0aff ffff ffff ffff ffff ffff ffff ................
      00000b0: ffff ffff ffff ffff ffff 2602 ffff 0000 ..........&.....
      00000c0: ffff ffff ffff 3a01 ffff ffff ffff 4301 ......:.......C.
      00000d0: ffff ffff 0000 0000 0000 0000 0000 0000 ................
      00000e0: 0000 0000 0000 0000 0000 0003 8901 0101 ................
      00000f0: cc01 0300 0000 0000 da07 021b 0e38 0700 .............8..
      0000100: 0000 0000 0000 0000 5bb9 fa06 3601 4501 ........[...6.E.
      0000110: 5201 4801 5301 5201 ffff 0000 0e5f 0000 R.H.S.R......_..
      0000120: 3200 0a02 2..
      The data he actually sent:
      pid: 117094747
      challenge token: TQzGoOU4R5M3CzCkomJqXFcrupqnKquF
      response hash: 328c76b3e37832732566c14ae596b7856956c48d
      data, as decoded by Python's urlsafe_b64decode:
      0000000: 4a3b aea9 fcae abec e42b 58c8 5907 e38e J;.......+X.Y...
      0000010: 0cca 7fa7 44dc f343 9ebc 0183 1c00 6e64 ....D..C......nd
      0000020: e24a 07c9 338a afb6 e188 fbb1 08c5 38a6 .J..3.........8.
      0000030: d862 17b9 d5ba eb2b 9c1a 60d8 a0c8 2d7b .b.....+..`...-{
      0000040: e844 ca88 6806 bfee 165a c1e7 053c 2199 .D..h....Z...<!.
      0000050: 9bd0 34c1 09ca 407a a646 185f 9e2d 8f0a ..4...@z.F._.-..
      0000060: 8cbf 6775 5b92 233b e342 837e 2069 a319 ..gu[.#;.B.~ i..
      0000070: b1c5 1f3f ac17 26f1 c4d9 592f 222f b100 ...?..&...Y/"/..
      0000080: 925c 8a58 9cb1 920f 50fc ae37 a055 e136 .\.X....P..7.U.6
      0000090: 602f c5bd 5223 10a3 af9d 190c 0d06 4492 `/..R#........D.
      00000a0: 56e0 ee4f cf93 6ea5 52fb fe5f 3c1f 8006 V..O..n.R.._<...
      00000b0: fb73 453c 9b44 e1d4 c6ba ed43 5c70 5feb .sE<.D.....C\p_.
      00000c0: 421a bfc8 ff28 2267 2881 2707 ef04 1772 B....("g(.'....r
      00000d0: 50da 3e26 1206 751f 895b ee37 fc5a 3539 P.>&..u..[.7.Z59
      00000e0: 17d0 1c26 a3ae 45e2 f277 01e5 d88c ce7c ...&..E..w.....|
      00000f0: 272d 11c4 b62a ab00 928a 90de d9a8 7e35 '-...*........~5
      0000100: 67c8 03fa 6be1 c527 8359 1e1b 5100 0b35 g...k..'.Y..Q..5
      0000110: 8a4b 5bb2 08d2 50c7 3a0e 60f6 e54e 0abe .K[...P.:.`..N..
      0000120: 6405 6562 9a56 7e0d 8ac4 ec30 d.eb.V~....0
      This is 300 bytes -- eight bytes longer than the size of a Pokémon save struct with the extra 56 GTS bytes.
      The post_finish was:
      token: RopF90e9azV0W2mqhIWuLIbn5qSqqrDT
      hash: 97f3488b0caa742140e4bdc2a118c091b66d0355
      data:
      0000000: 4a3b 2f96 23e0 d995 b2a9 455b f955 fbba J;/.#.....E[.U..
      As magical said, posting the same Pokémon twice results in entirely different data. It then seems likely that the token or hash is used as a key... but requests to info.asp et al send the same eight bytes. And what is being sent to post_finish that it has another eight bytes?
      4a3b aea9 fcae abec -- first eight bytes to post.asp
      4a3b 2f96 23e0 d995 -- first eight bytes to post_finish.asp
      Looking at some of magical's experiments, I've noticed the following. These are data sent to info.asp, from three different pids (two magical, the third depundep):
      0000000: 4a3b 2d75 3f14 cc1d J;-u?...
      0000000: 4a3b 2de5 07b1 0239 J;-....9
      0000000: 4a3b 2e09 3fa6 8a60 J;..?..`
      And these are data sent to post_finish.asp, from the same two different pids:
      0000000: 4a3b 2f33 51ef f2e5 a09e d65f 3ca0 3bf3 J;/3Q......_<.;.
      0000000: 4a3b 2fe9 1af2 0cc6 887a c2f3 24ad dc68 J;/......z..$..h
      0000000: 4a3b 2f96 23e0 d995 b2a9 455b f955 fbba J;/.#.....E[.U..
      pids are:
      98193975 (0x05da5237)
      255512799 (0x0f3ad0df)
      117094747 (0x06fab95b)
      So the third byte seems to stay the same across requests to the same page. Except for depundep's info.asp, which is off by 1..? The info.asp data might be a null payload. So what are the other five bytes? Hash of the pid?
  23. I've started making an attempt at documenting this: http://projectpokemon.org/wiki/GTS_protocol
  24. No, the script only allows sending a single Pokémon to your game; then it shuts down. It's being looked into.
  25. Whoa, I guess I'm late to this party. I grabbed a packet dump of a wifi trade just this past weekend, intending to reverse engineer a fake client for third-party GTS/self-trading/storage/other shenanigans. Never thought to try reversing the GTS instead. If nobody else has attempted it yet, I'd certainly be interested in hacking together a more permanent fake trading server.