Jump to content
Bond697

Pkx: The New Pokemon Format For Gen 6

Recommended Posts

The games have a certificate as well. I won't pretend that I understand TLS fully, but I highly doubt it's the same thing. This is also assuming what you just linked is from the TLS server that X/Y use.

Its the Certificate my X uses when initiating a connection to the internet during the TLS Handshake, you can read the certificate binary data with wireshark and dump it pretty easily.

Unfortunately the important part is the servers private key which while crackable by throwing enough computation power at it is crazy hard to obtain.

Share this post


Link to post
Share on other sites

While extracting PKX files of wonder traded Pokémon once or twice I could only find the incoming packets, but not the outgoing... My wireshark filter should not exclude any significant packages, though. Even with manual scanning I could not find them. Has anyone else encountered this?

Anyway, I will try and put together a little program that inserts PKX files into the incoming traffic later, that is when I get some priority stuff done (wish I had more time for this...). I plan to use ones that I extracted earlier (with known checksums and other header values) and check if the game cares about what was named unk3 earlier in terms of the checksum, but I'd suppose it's only the PKX data itself.

@Zaneris: In case you already created something it would be a waste of time, of course. In that case: Have you tried that?

I would agree it's probably a salted MD5. If it wasn't for the 16 bytes I would have thought of a sha1 hash, as that's what Nintendo used in previous games for the GTS protocol (sha1(salt+data)). I guess the only thing we can really do is use hashcat to bruteforce it, with todays GPU power it shouldn't even take tooooo long.

The real problem I see, though, is that Nintendo can easily patch all this and I see it coming down to the good old cat-and-mouse game.

Share this post


Link to post
Share on other sites
Its the Certificate my X uses when initiating a connection to the internet during the TLS Handshake, you can read the certificate binary data with wireshark and dump it pretty easily.

Unfortunately the important part is the servers private key which while crackable by throwing enough computation power at it is crazy hard to obtain.

I didn't notice that the client was also sending its certificate. Documentation I had read didn't indicate that there was some key alongside the certificate, rather than contained within. There must be something, as there's no way simply having both certificates is all it takes... that's just too easy.

Share this post


Link to post
Share on other sites
I didn't notice that the client was also sending its certificate. Documentation I had read didn't indicate that there was some key alongside the certificate, rather than contained within. There must be something, as there's no way simply having both certificates is all it takes... that's just too easy.

Wikipedia has a pretty good overview of how it works: http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake

If you have the client cert and corresponding private key (both will be hard-coded into the ROM somewhere) then you can emulate a client. Emulating the server on the other hand would require Nintendo's private key, which you could only get through (presumably unauthorized) access to their server. Technically brute force is an option too but I see that as being even less plausible then someone hacking Nintendo.

EDIT: It might actually be possible that the client certificate and private key are unique to each 3DS and stored somewhere outside the ROM.

Share this post


Link to post
Share on other sites

I just found some more time to put into this and put together some small programs to programatically extract all wonder traded Pokémon and insert them, well that is what I planned to. I have not figured the checksum thing yet, so I just took ones I extracted earlier of which I knew the checksum. I tried both replacing only the header + actual data and replacing the whole packet. Both did not work as intended however, I still received the random pokemon from someone. I confirmed, using another MitM, that the packets were actually modified. The only reasonable explanation I have is that the data must also be transmitted in other packets which override the 'obvious' ones in case of a conflict.

Has anyone managed to inject Pokémon successfully so far?

Share this post


Link to post
Share on other sites
I just found some more time to put into this and put together some small programs to programatically extract all wonder traded Pokémon and insert them, well that is what I planned to. I have not figured the checksum thing yet, so I just took ones I extracted earlier of which I knew the checksum. I tried both replacing only the header + actual data and replacing the whole packet. Both did not work as intended however, I still received the random pokemon from someone. I confirmed, using another MitM, that the packets were actually modified. The only reasonable explanation I have is that the data must also be transmitted in other packets which override the 'obvious' ones in case of a conflict.

Has anyone managed to inject Pokémon successfully so far?

Can (or rather will) you elaborate the mitm method you are using ? My idea was a transparent proxy for total control, i dont really like the classic packet crafting method but i have not had time to delve deeper. Maybe on the weekend :)

In cases where you modify something but the client doesn't seem to care you should start simply blocking packets to see how much you can kill before the wonder trade stops working to get a sense of how redundant the communication is.

Apparenly the game loves redundancy, the UDP Packets to establish a wonder trade are usually sent 5x or 10x times. However thats not really uncommon when using UDP ^^

Share this post


Link to post
Share on other sites
Isn't the gible edited?

It is, really. That means Bond697 and Xfr have not only managed to inject, but also got their heads around the checksum. Or they found something completely different, which is yet unknown to us. I wonder whether they used a hardware mod... I don't think so though as they nicknamed the Gible "Wireshark". Only time will tell...

Share this post


Link to post
Share on other sites
Can (or rather will) you elaborate the mitm method you are using ? My idea was a transparent proxy for total control, i dont really like the classic packet crafting method but i have not had time to delve deeper. Maybe on the weekend :)

In cases where you modify something but the client doesn't seem to care you should start simply blocking packets to see how much you can kill before the wonder trade stops working to get a sense of how redundant the communication is.

Apparenly the game loves redundancy, the UDP Packets to establish a wonder trade are usually sent 5x or 10x times. However thats not really uncommon when using UDP ^^

I both can and will. I'm using ARP poisoning to route all the traffic through my mashine. It just seemed easiest to me. An early, but admittedly half-hearted attempt, to do the same using a proxy failed. The 3DS refused to wonder trade, etc. I will try dropping select packages later, but currently I do unfortunately not have any time at all.

I also suggest we already start working on the checksum, just in case we get injection working soon. I just wanted to start a bruteforce attack using oclHashcat-plus, but appaerantly a salt of 232 bytes (the PKX data) is too much for it to handle. In case anyone knows a program that could bruteforce such a long 'password', I suggest we just have a list of all tried algorithms, so that we can distribute the workload.

Share this post


Link to post
Share on other sites

Zaneris and I, as well as other users have been eliminating methods that don't work. We haven't been successful yet, but there are still methods that we are able to implement. Hopefully we'll get closer over the next few days.

Share this post


Link to post
Share on other sites
Zaneris and I, as well as other users have been eliminating methods that don't work. We haven't been successful yet, but there are still methods that we are able to implement. Hopefully we'll get closer over the next few days.

Emulating the whole friend safari would be cool if possible. example.

Log when friend is added untill pokemon are in your friend safari.

Then find the friend code bit and change it to a random code. Change pokemon you get for whatever you want. Then add that friend code you made up as a friend. If that makes sense.

Share this post


Link to post
Share on other sites

On the checksum:

This is the exact same pokemon being sent during 3 different wondertrades -

0000  00 00 19 00 6f 08 00 00  a4 d3 0d eb 00 00 00 00   ....o... ........
0010 12 6c 85 09 80 04 db a7 00 88 01 2c 00 4c e6 76 .l...... ...,.L.v
0020 a9 9a 1f 34 af 2c be 24 b6 4c e6 76 a9 9a 1f 90 ...4.,.$ .L.v....
0030 1e 00 00 aa aa 03 00 00 00 08 00 45 00 03 cf 0f ........ ...E....
0040 ed 00 00 40 11 cf 98 c0 a8 02 29 3c 29 98 9e e2 ...@.... ..)<)...
0050 06 d0 2a 03 bb 05 69 ea d0 01 03 92 03 11 11 e2 ..*...i. ........
0060 08 af 00 0c 00 32 16 fa 74 b1 82 6c eb 01 87 6d .....2.. t..l...m
0070 14 a4 bb 41 16 02 01 00 53 5c 7e 03 02 00 00 00 ...A.... S\~.....
0080 01 02 00 00 04 01 00 00 01 02 00 00 01 00 00 00 ........ ........
0090 76 03 00 00 [b]5c 97 b1 dc 00 00 d9 29 a5 80 ff c3 v...\... ...)....
00a0 78 af d3 07 79 bc 09 cd 5c 9d 05 9c ee cc da b1 x...y... \.......
00b0 c7 ed 79 5c 0d f5 85 37 3a 8e 4b bd 92 4b 17 6b ..y\...7 :.K..K.k
00c0 cc 47 a3 4a 55 69 3c 6c 0f c9 6d d5 c2 fd f9 f5 .G.JUi<l ..m.....
00d0 e7 da d7 8a 26 a0 03 87 91 5f 88 8f a1 7a 2f 21 ....&... ._...z/!
00e0 fa 24 57 47 db 13 78 1d e8 8a 17 a4 7b 8c e9 ff .$WG..x. ....{...
00f0 6d 0e 89 2c fc 50 12 e4 06 d0 67 93 cd 20 5c 76 m..,.P.. ..g.. \v
0100 e1 ac 78 09 c0 09 22 ce ff 4b 7d ac e7 b6 ef e6 ..x...". .K}.....
0110 d6 c5 87 30 83 38 db a4 05 a9 4b d6 13 fa 57 8b ...0.8.. ..K...W.
0120 87 27 e6 46 30 fd 1e 22 02 e4 95 a1 17 89 c4 c9 .'.F0.." ........
0130 65 10 2e 77 a0 33 73 bc c4 37 89 21 b1 3b 18 a1 e..w.3s. .7.!.;..
0140 78 d2 48 64 21 d6 a3 b7 cf d6 ba 54 9c 95 d3 4b x.Hd!... ...T...K
0150 0e 43 62 c4 4e 73 7c 4b b7 75 14 1c 24 64 a2 a8 .Cb.Ns|K .u..$d..
0160 24 a7 45 be c0 fd d0 d2 83 a4 38 c5 c9 36 58 f1 $.E..... ..8..6X.
0170 1d 25 6e f4 61 65 e7 2d 94 02 dc 21 00[/b] 00 00 00 .%n.ae.- ...!....
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0190 00 00 00 00 00 00 00 00 27 a4 1f 53 18 00 01 01 ........ '..S....
01a0 e1 27 b9 aa 03 ac 26 f6 73 95 b7 b1 ef 57 2c e6 .'....&. s....W,.
01b0 73 95 b7 b1 ef 57 2c e6 2e dc 21 6c 00 00 08 4e s....W,. ..!l...N
01c0 14 26 1a 07 02 02 00 00 48 64 09 05 01 cb 08 03 .&...... Hd......
01d0 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
01e0 46 00 65 00 6c 00 69 00 78 00 00 00 00 00 00 00 F.e.l.i. x.......
01f0 00 00 00 00 00 00 00 00 00 00 46 00 65 00 6c 00 ........ ..F.e.l.
0200 69 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 i.x..... ........
0210 00 00 00 00 4e 00 69 00 63 00 65 00 20 00 74 00 ....N.i. c.e. .t.
0220 6f 00 20 00 6d 00 65 00 65 00 74 00 20 00 79 00 o. .m.e. e.t. .y.
0230 61 00 21 00 00 00 4c 00 65 00 74 00 19 20 73 00 a.!...L. e.t.. s.
0240 20 00 62 00 61 00 74 00 74 00 6c 00 65 00 21 00 .b.a.t. t.l.e.!.
0250 00 00 00 00 00 00 00 00 4c 00 65 00 74 00 19 20 ........ L.e.t..
0260 73 00 20 00 74 00 72 00 61 00 64 00 65 00 21 00 s. .t.r. a.d.e.!.
0270 00 00 00 00 00 00 00 00 00 00 57 00 61 00 74 00 ........ ..W.a.t.
0280 63 00 68 00 20 00 6d 00 79 00 20 00 56 00 69 00 c.h. .m. y. .V.i.
0290 64 00 65 00 6f 00 21 00 00 00 00 00 55 00 73 00 d.e.o.!. ....U.s.
02a0 65 00 20 00 61 00 6e 00 20 00 4f 00 2d 00 50 00 e. .a.n. .O.-.P.
02b0 6f 00 77 00 65 00 72 00 21 00 00 00 00 00 00 00 o.w.e.r. !.......
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02e0 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0300 4a 89 1d 00 00 00 00 00 53 72 af 3c 33 9d a3 9d J....... Sr.<3...
0310 5f d7 a6 32 02 93 7e 1a 5a 15 2f cc 9c 06 4e ce _..2..~. Z./...N.
0320 d3 1c fa e4 5c a7 72 15 5e e4 76 11 ee da b9 28 ....\.r. ^.v....(
0330 02 5f 2a a4 59 bd a4 00 7e 72 7c b1 10 7f 62 59 ._*.Y... ~r|...bY
0340 73 4b ec 81 6e 9f 2f 03 b0 00 b7 10 8e aa ad 73 sK..n./. .......s
0350 1e 6f f3 e6 38 22 e7 b4 2d a0 b4 25 62 d7 2d 44 .o..8".. -..%b.-D
0360 f4 a0 0e de 51 bb f1 88 cd 0a 5c ee 70 b8 7b 69 ....Q... ..\.p.{i
0370 f5 3e 8a 54 28 35 96 5c a2 b9 a2 e1 7f 72 69 11 .>.T(5.\ .....ri.
0380 42 4b 6b a1 fc cc 9b 47 98 2a 8a 11 98 46 48 85 BKk....G .*...FH.
0390 b0 1c d6 05 3f 22 50 8d 88 e5 16 c3 1e fa fc d7 ....?"P. ........
03a0 eb 78 1b d9 3a 2a 11 de 1b e5 60 ef c8 2c aa 67 .x..:*.. ..`..,.g
03b0 71 86 c0 64 4d 03 90 0d 95 b7 a0 1a 91 ab 90 19 q..dM... ........
03c0 3c 25 36 46 d8 59 f8 d3 74 6f f5 38 da a0 c7 f0 <%6F.Y.. to.8....
03d0 52 8d d8 5c 7f 88 08 cf 32 2e cb 40 1d 4f a4 c6 R..\.... 2..@.O..
03e0 85 e7 e0 5a 16 1d c7 fa 9a d4 e3 fd 15 e8 e5 0d ...Z.... ........
03f0 38 23 9a 62 6c 56 37 a3 23 e8 da 45 60 cb c2 84 8#.blV7. #..E`...
0400 99 f0 5c 54 01 a2 55 22 04 00 cd d5 aa 34 ..\T..U" .....4
[/Code]

[Code]0000 00 00 19 00 6f 08 00 00 b2 1c aa f2 00 00 00 00 ....o... ........
0010 12 6c 85 09 80 04 d9 a9 00 88 01 2c 00 4c e6 76 .l...... ...,.L.v
0020 a9 9a 1f 34 af 2c be 24 b6 4c e6 76 a9 9a 1f d0 ...4.,.$ .L.v....
0030 0f 00 00 aa aa 03 00 00 00 08 00 45 00 03 cf 07 ........ ...E....
0040 6e 00 00 40 11 e3 c4 c0 a8 02 29 50 1f 78 fb ed n..@.... ..)P.x..
0050 1e f5 b7 03 bb 88 38 ea d0 01 03 92 03 11 11 e2 ......8. ........
0060 08 83 00 0e 00 d7 6a 31 8e 13 c4 8d af 83 3a 09 ......j1 ......:.
0070 7f f7 13 15 5a 02 01 00 5b 3a 7e 03 05 00 00 00 ....Z... [:~.....
0080 01 02 00 00 04 01 00 00 01 02 00 00 01 00 00 00 ........ ........
0090 76 03 00 00 [b]5c 97 b1 dc 00 00 d9 29 a5 80 ff c3 v...\... ...)....
00a0 78 af d3 07 79 bc 09 cd 5c 9d 05 9c ee cc da b1 x...y... \.......
00b0 c7 ed 79 5c 0d f5 85 37 3a 8e 4b bd 92 4b 17 6b ..y\...7 :.K..K.k
00c0 cc 47 a3 4a 55 69 3c 6c 0f c9 6d d5 c2 fd f9 f5 .G.JUi<l ..m.....
00d0 e7 da d7 8a 26 a0 03 87 91 5f 88 8f a1 7a 2f 21 ....&... ._...z/!
00e0 fa 24 57 47 db 13 78 1d e8 8a 17 a4 7b 8c e9 ff .$WG..x. ....{...
00f0 6d 0e 89 2c fc 50 12 e4 06 d0 67 93 cd 20 5c 76 m..,.P.. ..g.. \v
0100 e1 ac 78 09 c0 09 22 ce ff 4b 7d ac e7 b6 ef e6 ..x...". .K}.....
0110 d6 c5 87 30 83 38 db a4 05 a9 4b d6 13 fa 57 8b ...0.8.. ..K...W.
0120 87 27 e6 46 30 fd 1e 22 02 e4 95 a1 17 89 c4 c9 .'.F0.." ........
0130 65 10 2e 77 a0 33 73 bc c4 37 89 21 b1 3b 18 a1 e..w.3s. .7.!.;..
0140 78 d2 48 64 21 d6 a3 b7 cf d6 ba 54 9c 95 d3 4b x.Hd!... ...T...K
0150 0e 43 62 c4 4e 73 7c 4b b7 75 14 1c 24 64 a2 a8 .Cb.Ns|K .u..$d..
0160 24 a7 45 be c0 fd d0 d2 83 a4 38 c5 c9 36 58 f1 $.E..... ..8..6X.
0170 1d 25 6e f4 61 65 e7 2d 94 02 dc 21 00[/b] 00 00 00 .%n.ae.- ...!....
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0190 00 00 00 00 00 00 00 00 27 a4 1f 53 18 00 01 01 ........ '..S....
01a0 e1 27 b9 aa 03 ac 26 f6 73 95 b7 b1 ef 57 2c e6 .'....&. s....W,.
01b0 73 95 b7 b1 ef 57 2c e6 2e dc 21 6c 00 00 08 4e s....W,. ..!l...N
01c0 14 26 1a 07 02 02 00 00 48 64 09 05 01 cb 08 03 .&...... Hd......
01d0 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
01e0 46 00 65 00 6c 00 69 00 78 00 00 00 00 00 00 00 F.e.l.i. x.......
01f0 00 00 00 00 00 00 00 00 00 00 46 00 65 00 6c 00 ........ ..F.e.l.
0200 69 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 i.x..... ........
0210 00 00 00 00 4e 00 69 00 63 00 65 00 20 00 74 00 ....N.i. c.e. .t.
0220 6f 00 20 00 6d 00 65 00 65 00 74 00 20 00 79 00 o. .m.e. e.t. .y.
0230 61 00 21 00 00 00 4c 00 65 00 74 00 19 20 73 00 a.!...L. e.t.. s.
0240 20 00 62 00 61 00 74 00 74 00 6c 00 65 00 21 00 .b.a.t. t.l.e.!.
0250 00 00 00 00 00 00 00 00 4c 00 65 00 74 00 19 20 ........ L.e.t..
0260 73 00 20 00 74 00 72 00 61 00 64 00 65 00 21 00 s. .t.r. a.d.e.!.
0270 00 00 00 00 00 00 00 00 00 00 57 00 61 00 74 00 ........ ..W.a.t.
0280 63 00 68 00 20 00 6d 00 79 00 20 00 56 00 69 00 c.h. .m. y. .V.i.
0290 64 00 65 00 6f 00 21 00 00 00 00 00 55 00 73 00 d.e.o.!. ....U.s.
02a0 65 00 20 00 61 00 6e 00 20 00 4f 00 2d 00 50 00 e. .a.n. .O.-.P.
02b0 6f 00 77 00 65 00 72 00 21 00 00 00 00 00 00 00 o.w.e.r. !.......
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02e0 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0300 4a 89 1d 00 00 00 00 00 53 72 af 3c 33 9d a3 9d J....... Sr.<3...
0310 5f d7 a6 32 02 93 7e 1a 5a 15 2f cc 9c 06 4e ce _..2..~. Z./...N.
0320 d3 1c fa e4 5c a7 72 15 5e e4 76 11 ee da b9 28 ....\.r. ^.v....(
0330 02 5f 2a a4 59 bd a4 00 7e 72 7c b1 10 7f 62 59 ._*.Y... ~r|...bY
0340 73 4b ec 81 6e 9f 2f 03 b0 00 b7 10 8e aa ad 73 sK..n./. .......s
0350 1e 6f f3 e6 38 22 e7 b4 2d a0 b4 25 62 d7 2d 44 .o..8".. -..%b.-D
0360 f4 a0 0e de 51 bb f1 88 cd 0a 5c ee 70 b8 7b 69 ....Q... ..\.p.{i
0370 f5 3e 8a 54 28 35 96 5c a2 b9 a2 e1 7f 72 69 11 .>.T(5.\ .....ri.
0380 42 4b 6b a1 fc cc 9b 47 98 2a 8a 11 98 46 48 85 BKk....G .*...FH.
0390 b0 1c d6 05 3f 22 50 8d 88 e5 16 c3 1e fa fc d7 ....?"P. ........
03a0 eb 78 1b d9 3a 2a 11 de 1b e5 60 ef c8 2c aa 67 .x..:*.. ..`..,.g
03b0 71 86 c0 64 4d 03 90 0d 95 b7 a0 1a 91 ab 90 19 q..dM... ........
03c0 3c 25 36 46 d8 59 f8 d3 74 6f f5 38 da a0 c7 f0 <%6F.Y.. to.8....
03d0 52 8d d8 5c 7f 88 08 cf 32 2e cb 40 1d 4f a4 c6 R..\.... 2..@.O..
03e0 85 e7 e0 5a 16 1d c7 fa 9a d4 e3 fd 15 e8 e5 0d ...Z.... ........
03f0 38 23 9a 62 6c 56 37 a3 23 e8 da 45 60 cb c2 84 8#.blV7. #..E`...
0400 99 f0 5c 54 01 a2 55 22 04 00 05 55 60 61 ..\T..U" ...U`a
[/Code]

[Code]0000 00 00 19 00 6f 08 00 00 62 80 1f f9 00 00 00 00 ....o... b.......
0010 12 6c 85 09 80 04 fd a9 00 88 01 2c 00 4c e6 76 .l...... ...,.L.v
0020 a9 9a 1f 34 af 2c be 24 b6 4c e6 76 a9 9a 1f c0 ...4.,.$ .L.v....
0030 0e 00 00 aa aa 03 00 00 00 08 00 45 00 03 cf 07 ........ ...E....
0040 3c 00 00 40 11 35 31 c0 a8 02 29 4e d2 29 0e e9 <..@.51. ..)N.)..
0050 60 d2 76 03 bb 41 20 ea d0 01 03 92 03 11 11 e2 `.v..A . ........
0060 08 7f 00 0e 00 d3 ca 02 fd 5d 63 ac 35 31 80 61 ........ .]c.51.a
0070 95 8c c4 06 ab 02 01 00 5b 3a 7e 03 05 00 00 00 ........ [:~.....
0080 01 02 00 00 04 01 00 00 01 02 00 00 01 00 00 00 ........ ........
0090 76 03 00 00 [b]5c 97 b1 dc 00 00 d9 29 a5 80 ff c3 v...\... ...)....
00a0 78 af d3 07 79 bc 09 cd 5c 9d 05 9c ee cc da b1 x...y... \.......
00b0 c7 ed 79 5c 0d f5 85 37 3a 8e 4b bd 92 4b 17 6b ..y\...7 :.K..K.k
00c0 cc 47 a3 4a 55 69 3c 6c 0f c9 6d d5 c2 fd f9 f5 .G.JUi<l ..m.....
00d0 e7 da d7 8a 26 a0 03 87 91 5f 88 8f a1 7a 2f 21 ....&... ._...z/!
00e0 fa 24 57 47 db 13 78 1d e8 8a 17 a4 7b 8c e9 ff .$WG..x. ....{...
00f0 6d 0e 89 2c fc 50 12 e4 06 d0 67 93 cd 20 5c 76 m..,.P.. ..g.. \v
0100 e1 ac 78 09 c0 09 22 ce ff 4b 7d ac e7 b6 ef e6 ..x...". .K}.....
0110 d6 c5 87 30 83 38 db a4 05 a9 4b d6 13 fa 57 8b ...0.8.. ..K...W.
0120 87 27 e6 46 30 fd 1e 22 02 e4 95 a1 17 89 c4 c9 .'.F0.." ........
0130 65 10 2e 77 a0 33 73 bc c4 37 89 21 b1 3b 18 a1 e..w.3s. .7.!.;..
0140 78 d2 48 64 21 d6 a3 b7 cf d6 ba 54 9c 95 d3 4b x.Hd!... ...T...K
0150 0e 43 62 c4 4e 73 7c 4b b7 75 14 1c 24 64 a2 a8 .Cb.Ns|K .u..$d..
0160 24 a7 45 be c0 fd d0 d2 83 a4 38 c5 c9 36 58 f1 $.E..... ..8..6X.
0170 1d 25 6e f4 61 65 e7 2d 94 02 dc 21 00[/b] 00 00 00 .%n.ae.- ...!....
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0190 00 00 00 00 00 00 00 00 27 a4 1f 53 18 00 01 01 ........ '..S....
01a0 e1 27 b9 aa 03 ac 26 f6 73 95 b7 b1 ef 57 2c e6 .'....&. s....W,.
01b0 73 95 b7 b1 ef 57 2c e6 2e dc 21 6c 00 00 08 4e s....W,. ..!l...N
01c0 14 26 1a 07 02 02 00 00 48 64 09 05 01 cb 08 03 .&...... Hd......
01d0 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
01e0 46 00 65 00 6c 00 69 00 78 00 00 00 00 00 00 00 F.e.l.i. x.......
01f0 00 00 00 00 00 00 00 00 00 00 46 00 65 00 6c 00 ........ ..F.e.l.
0200 69 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 i.x..... ........
0210 00 00 00 00 4e 00 69 00 63 00 65 00 20 00 74 00 ....N.i. c.e. .t.
0220 6f 00 20 00 6d 00 65 00 65 00 74 00 20 00 79 00 o. .m.e. e.t. .y.
0230 61 00 21 00 00 00 4c 00 65 00 74 00 19 20 73 00 a.!...L. e.t.. s.
0240 20 00 62 00 61 00 74 00 74 00 6c 00 65 00 21 00 .b.a.t. t.l.e.!.
0250 00 00 00 00 00 00 00 00 4c 00 65 00 74 00 19 20 ........ L.e.t..
0260 73 00 20 00 74 00 72 00 61 00 64 00 65 00 21 00 s. .t.r. a.d.e.!.
0270 00 00 00 00 00 00 00 00 00 00 57 00 61 00 74 00 ........ ..W.a.t.
0280 63 00 68 00 20 00 6d 00 79 00 20 00 56 00 69 00 c.h. .m. y. .V.i.
0290 64 00 65 00 6f 00 21 00 00 00 00 00 55 00 73 00 d.e.o.!. ....U.s.
02a0 65 00 20 00 61 00 6e 00 20 00 4f 00 2d 00 50 00 e. .a.n. .O.-.P.
02b0 6f 00 77 00 65 00 72 00 21 00 00 00 00 00 00 00 o.w.e.r. !.......
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02e0 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0300 4a 89 1d 00 00 00 00 00 53 72 af 3c 33 9d a3 9d J....... Sr.<3...
0310 5f d7 a6 32 02 93 7e 1a 5a 15 2f cc 9c 06 4e ce _..2..~. Z./...N.
0320 d3 1c fa e4 5c a7 72 15 5e e4 76 11 ee da b9 28 ....\.r. ^.v....(
0330 02 5f 2a a4 59 bd a4 00 7e 72 7c b1 10 7f 62 59 ._*.Y... ~r|...bY
0340 73 4b ec 81 6e 9f 2f 03 b0 00 b7 10 8e aa ad 73 sK..n./. .......s
0350 1e 6f f3 e6 38 22 e7 b4 2d a0 b4 25 62 d7 2d 44 .o..8".. -..%b.-D
0360 f4 a0 0e de 51 bb f1 88 cd 0a 5c ee 70 b8 7b 69 ....Q... ..\.p.{i
0370 f5 3e 8a 54 28 35 96 5c a2 b9 a2 e1 7f 72 69 11 .>.T(5.\ .....ri.
0380 42 4b 6b a1 fc cc 9b 47 98 2a 8a 11 98 46 48 85 BKk....G .*...FH.
0390 b0 1c d6 05 3f 22 50 8d 88 e5 16 c3 1e fa fc d7 ....?"P. ........
03a0 eb 78 1b d9 3a 2a 11 de 1b e5 60 ef c8 2c aa 67 .x..:*.. ..`..,.g
03b0 71 86 c0 64 4d 03 90 0d 95 b7 a0 1a 91 ab 90 19 q..dM... ........
03c0 3c 25 36 46 d8 59 f8 d3 74 6f f5 38 da a0 c7 f0 <%6F.Y.. to.8....
03d0 52 8d d8 5c 7f 88 08 cf 32 2e cb 40 1d 4f a4 c6 R..\.... 2..@.O..
03e0 85 e7 e0 5a 16 1d c7 fa 9a d4 e3 fd 15 e8 e5 0d ...Z.... ........
03f0 38 23 9a 62 6c 56 37 a3 23 e8 da 45 60 cb c2 84 8#.blV7. #..E`...
0400 99 f0 5c 54 01 a2 55 22 04 00 18 98 3b a3 ..\T..U" ....;.
[/Code]

So its definitely not a simple checksum of only the pokemon data :) so its either heavily seeded or something else entirely

/E: In fact, the whole data section ONLY differs in that "checksum"

hSPswKO.png

zi6zirp.png

Edited by codemonkey85
Added spoiler tags for my sanity.

Share this post


Link to post
Share on other sites
On the checksum:

This is the exact same pokemon being sent during 3 different wondertrades -

0000  00 00 19 00 6f 08 00 00  a4 d3 0d eb 00 00 00 00   ....o... ........
0010 12 6c 85 09 80 04 db a7 00 88 01 2c 00 4c e6 76 .l...... ...,.L.v
0020 a9 9a 1f 34 af 2c be 24 b6 4c e6 76 a9 9a 1f 90 ...4.,.$ .L.v....
0030 1e 00 00 aa aa 03 00 00 00 08 00 45 00 03 cf 0f ........ ...E....
0040 ed 00 00 40 11 cf 98 c0 a8 02 29 3c 29 98 9e e2 ...@.... ..)<)...
0050 06 d0 2a 03 bb 05 69 ea d0 01 03 92 03 11 11 e2 ..*...i. ........
0060 08 af 00 0c 00 32 16 fa 74 b1 82 6c eb 01 87 6d .....2.. t..l...m
0070 14 a4 bb 41 16 02 01 00 53 5c 7e 03 02 00 00 00 ...A.... S\~.....
0080 01 02 00 00 04 01 00 00 01 02 00 00 01 00 00 00 ........ ........
0090 76 03 00 00 [b]5c 97 b1 dc 00 00 d9 29 a5 80 ff c3 v...\... ...)....
00a0 78 af d3 07 79 bc 09 cd 5c 9d 05 9c ee cc da b1 x...y... \.......
00b0 c7 ed 79 5c 0d f5 85 37 3a 8e 4b bd 92 4b 17 6b ..y\...7 :.K..K.k
00c0 cc 47 a3 4a 55 69 3c 6c 0f c9 6d d5 c2 fd f9 f5 .G.JUi<l ..m.....
00d0 e7 da d7 8a 26 a0 03 87 91 5f 88 8f a1 7a 2f 21 ....&... ._...z/!
00e0 fa 24 57 47 db 13 78 1d e8 8a 17 a4 7b 8c e9 ff .$WG..x. ....{...
00f0 6d 0e 89 2c fc 50 12 e4 06 d0 67 93 cd 20 5c 76 m..,.P.. ..g.. \v
0100 e1 ac 78 09 c0 09 22 ce ff 4b 7d ac e7 b6 ef e6 ..x...". .K}.....
0110 d6 c5 87 30 83 38 db a4 05 a9 4b d6 13 fa 57 8b ...0.8.. ..K...W.
0120 87 27 e6 46 30 fd 1e 22 02 e4 95 a1 17 89 c4 c9 .'.F0.." ........
0130 65 10 2e 77 a0 33 73 bc c4 37 89 21 b1 3b 18 a1 e..w.3s. .7.!.;..
0140 78 d2 48 64 21 d6 a3 b7 cf d6 ba 54 9c 95 d3 4b x.Hd!... ...T...K
0150 0e 43 62 c4 4e 73 7c 4b b7 75 14 1c 24 64 a2 a8 .Cb.Ns|K .u..$d..
0160 24 a7 45 be c0 fd d0 d2 83 a4 38 c5 c9 36 58 f1 $.E..... ..8..6X.
0170 1d 25 6e f4 61 65 e7 2d 94 02 dc 21 00[/b] 00 00 00 .%n.ae.- ...!....
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0190 00 00 00 00 00 00 00 00 27 a4 1f 53 18 00 01 01 ........ '..S....
01a0 e1 27 b9 aa 03 ac 26 f6 73 95 b7 b1 ef 57 2c e6 .'....&. s....W,.
01b0 73 95 b7 b1 ef 57 2c e6 2e dc 21 6c 00 00 08 4e s....W,. ..!l...N
01c0 14 26 1a 07 02 02 00 00 48 64 09 05 01 cb 08 03 .&...... Hd......
01d0 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
01e0 46 00 65 00 6c 00 69 00 78 00 00 00 00 00 00 00 F.e.l.i. x.......
01f0 00 00 00 00 00 00 00 00 00 00 46 00 65 00 6c 00 ........ ..F.e.l.
0200 69 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 i.x..... ........
0210 00 00 00 00 4e 00 69 00 63 00 65 00 20 00 74 00 ....N.i. c.e. .t.
0220 6f 00 20 00 6d 00 65 00 65 00 74 00 20 00 79 00 o. .m.e. e.t. .y.
0230 61 00 21 00 00 00 4c 00 65 00 74 00 19 20 73 00 a.!...L. e.t.. s.
0240 20 00 62 00 61 00 74 00 74 00 6c 00 65 00 21 00 .b.a.t. t.l.e.!.
0250 00 00 00 00 00 00 00 00 4c 00 65 00 74 00 19 20 ........ L.e.t..
0260 73 00 20 00 74 00 72 00 61 00 64 00 65 00 21 00 s. .t.r. a.d.e.!.
0270 00 00 00 00 00 00 00 00 00 00 57 00 61 00 74 00 ........ ..W.a.t.
0280 63 00 68 00 20 00 6d 00 79 00 20 00 56 00 69 00 c.h. .m. y. .V.i.
0290 64 00 65 00 6f 00 21 00 00 00 00 00 55 00 73 00 d.e.o.!. ....U.s.
02a0 65 00 20 00 61 00 6e 00 20 00 4f 00 2d 00 50 00 e. .a.n. .O.-.P.
02b0 6f 00 77 00 65 00 72 00 21 00 00 00 00 00 00 00 o.w.e.r. !.......
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02e0 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0300 4a 89 1d 00 00 00 00 00 53 72 af 3c 33 9d a3 9d J....... Sr.<3...
0310 5f d7 a6 32 02 93 7e 1a 5a 15 2f cc 9c 06 4e ce _..2..~. Z./...N.
0320 d3 1c fa e4 5c a7 72 15 5e e4 76 11 ee da b9 28 ....\.r. ^.v....(
0330 02 5f 2a a4 59 bd a4 00 7e 72 7c b1 10 7f 62 59 ._*.Y... ~r|...bY
0340 73 4b ec 81 6e 9f 2f 03 b0 00 b7 10 8e aa ad 73 sK..n./. .......s
0350 1e 6f f3 e6 38 22 e7 b4 2d a0 b4 25 62 d7 2d 44 .o..8".. -..%b.-D
0360 f4 a0 0e de 51 bb f1 88 cd 0a 5c ee 70 b8 7b 69 ....Q... ..\.p.{i
0370 f5 3e 8a 54 28 35 96 5c a2 b9 a2 e1 7f 72 69 11 .>.T(5.\ .....ri.
0380 42 4b 6b a1 fc cc 9b 47 98 2a 8a 11 98 46 48 85 BKk....G .*...FH.
0390 b0 1c d6 05 3f 22 50 8d 88 e5 16 c3 1e fa fc d7 ....?"P. ........
03a0 eb 78 1b d9 3a 2a 11 de 1b e5 60 ef c8 2c aa 67 .x..:*.. ..`..,.g
03b0 71 86 c0 64 4d 03 90 0d 95 b7 a0 1a 91 ab 90 19 q..dM... ........
03c0 3c 25 36 46 d8 59 f8 d3 74 6f f5 38 da a0 c7 f0 <%6F.Y.. to.8....
03d0 52 8d d8 5c 7f 88 08 cf 32 2e cb 40 1d 4f a4 c6 R..\.... 2..@.O..
03e0 85 e7 e0 5a 16 1d c7 fa 9a d4 e3 fd 15 e8 e5 0d ...Z.... ........
03f0 38 23 9a 62 6c 56 37 a3 23 e8 da 45 60 cb c2 84 8#.blV7. #..E`...
0400 99 f0 5c 54 01 a2 55 22 04 00 cd d5 aa 34 ..\T..U" .....4
[/Code]

[Code]0000 00 00 19 00 6f 08 00 00 b2 1c aa f2 00 00 00 00 ....o... ........
0010 12 6c 85 09 80 04 d9 a9 00 88 01 2c 00 4c e6 76 .l...... ...,.L.v
0020 a9 9a 1f 34 af 2c be 24 b6 4c e6 76 a9 9a 1f d0 ...4.,.$ .L.v....
0030 0f 00 00 aa aa 03 00 00 00 08 00 45 00 03 cf 07 ........ ...E....
0040 6e 00 00 40 11 e3 c4 c0 a8 02 29 50 1f 78 fb ed n..@.... ..)P.x..
0050 1e f5 b7 03 bb 88 38 ea d0 01 03 92 03 11 11 e2 ......8. ........
0060 08 83 00 0e 00 d7 6a 31 8e 13 c4 8d af 83 3a 09 ......j1 ......:.
0070 7f f7 13 15 5a 02 01 00 5b 3a 7e 03 05 00 00 00 ....Z... [:~.....
0080 01 02 00 00 04 01 00 00 01 02 00 00 01 00 00 00 ........ ........
0090 76 03 00 00 [b]5c 97 b1 dc 00 00 d9 29 a5 80 ff c3 v...\... ...)....
00a0 78 af d3 07 79 bc 09 cd 5c 9d 05 9c ee cc da b1 x...y... \.......
00b0 c7 ed 79 5c 0d f5 85 37 3a 8e 4b bd 92 4b 17 6b ..y\...7 :.K..K.k
00c0 cc 47 a3 4a 55 69 3c 6c 0f c9 6d d5 c2 fd f9 f5 .G.JUi<l ..m.....
00d0 e7 da d7 8a 26 a0 03 87 91 5f 88 8f a1 7a 2f 21 ....&... ._...z/!
00e0 fa 24 57 47 db 13 78 1d e8 8a 17 a4 7b 8c e9 ff .$WG..x. ....{...
00f0 6d 0e 89 2c fc 50 12 e4 06 d0 67 93 cd 20 5c 76 m..,.P.. ..g.. \v
0100 e1 ac 78 09 c0 09 22 ce ff 4b 7d ac e7 b6 ef e6 ..x...". .K}.....
0110 d6 c5 87 30 83 38 db a4 05 a9 4b d6 13 fa 57 8b ...0.8.. ..K...W.
0120 87 27 e6 46 30 fd 1e 22 02 e4 95 a1 17 89 c4 c9 .'.F0.." ........
0130 65 10 2e 77 a0 33 73 bc c4 37 89 21 b1 3b 18 a1 e..w.3s. .7.!.;..
0140 78 d2 48 64 21 d6 a3 b7 cf d6 ba 54 9c 95 d3 4b x.Hd!... ...T...K
0150 0e 43 62 c4 4e 73 7c 4b b7 75 14 1c 24 64 a2 a8 .Cb.Ns|K .u..$d..
0160 24 a7 45 be c0 fd d0 d2 83 a4 38 c5 c9 36 58 f1 $.E..... ..8..6X.
0170 1d 25 6e f4 61 65 e7 2d 94 02 dc 21 00[/b] 00 00 00 .%n.ae.- ...!....
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0190 00 00 00 00 00 00 00 00 27 a4 1f 53 18 00 01 01 ........ '..S....
01a0 e1 27 b9 aa 03 ac 26 f6 73 95 b7 b1 ef 57 2c e6 .'....&. s....W,.
01b0 73 95 b7 b1 ef 57 2c e6 2e dc 21 6c 00 00 08 4e s....W,. ..!l...N
01c0 14 26 1a 07 02 02 00 00 48 64 09 05 01 cb 08 03 .&...... Hd......
01d0 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
01e0 46 00 65 00 6c 00 69 00 78 00 00 00 00 00 00 00 F.e.l.i. x.......
01f0 00 00 00 00 00 00 00 00 00 00 46 00 65 00 6c 00 ........ ..F.e.l.
0200 69 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 i.x..... ........
0210 00 00 00 00 4e 00 69 00 63 00 65 00 20 00 74 00 ....N.i. c.e. .t.
0220 6f 00 20 00 6d 00 65 00 65 00 74 00 20 00 79 00 o. .m.e. e.t. .y.
0230 61 00 21 00 00 00 4c 00 65 00 74 00 19 20 73 00 a.!...L. e.t.. s.
0240 20 00 62 00 61 00 74 00 74 00 6c 00 65 00 21 00 .b.a.t. t.l.e.!.
0250 00 00 00 00 00 00 00 00 4c 00 65 00 74 00 19 20 ........ L.e.t..
0260 73 00 20 00 74 00 72 00 61 00 64 00 65 00 21 00 s. .t.r. a.d.e.!.
0270 00 00 00 00 00 00 00 00 00 00 57 00 61 00 74 00 ........ ..W.a.t.
0280 63 00 68 00 20 00 6d 00 79 00 20 00 56 00 69 00 c.h. .m. y. .V.i.
0290 64 00 65 00 6f 00 21 00 00 00 00 00 55 00 73 00 d.e.o.!. ....U.s.
02a0 65 00 20 00 61 00 6e 00 20 00 4f 00 2d 00 50 00 e. .a.n. .O.-.P.
02b0 6f 00 77 00 65 00 72 00 21 00 00 00 00 00 00 00 o.w.e.r. !.......
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02e0 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0300 4a 89 1d 00 00 00 00 00 53 72 af 3c 33 9d a3 9d J....... Sr.<3...
0310 5f d7 a6 32 02 93 7e 1a 5a 15 2f cc 9c 06 4e ce _..2..~. Z./...N.
0320 d3 1c fa e4 5c a7 72 15 5e e4 76 11 ee da b9 28 ....\.r. ^.v....(
0330 02 5f 2a a4 59 bd a4 00 7e 72 7c b1 10 7f 62 59 ._*.Y... ~r|...bY
0340 73 4b ec 81 6e 9f 2f 03 b0 00 b7 10 8e aa ad 73 sK..n./. .......s
0350 1e 6f f3 e6 38 22 e7 b4 2d a0 b4 25 62 d7 2d 44 .o..8".. -..%b.-D
0360 f4 a0 0e de 51 bb f1 88 cd 0a 5c ee 70 b8 7b 69 ....Q... ..\.p.{i
0370 f5 3e 8a 54 28 35 96 5c a2 b9 a2 e1 7f 72 69 11 .>.T(5.\ .....ri.
0380 42 4b 6b a1 fc cc 9b 47 98 2a 8a 11 98 46 48 85 BKk....G .*...FH.
0390 b0 1c d6 05 3f 22 50 8d 88 e5 16 c3 1e fa fc d7 ....?"P. ........
03a0 eb 78 1b d9 3a 2a 11 de 1b e5 60 ef c8 2c aa 67 .x..:*.. ..`..,.g
03b0 71 86 c0 64 4d 03 90 0d 95 b7 a0 1a 91 ab 90 19 q..dM... ........
03c0 3c 25 36 46 d8 59 f8 d3 74 6f f5 38 da a0 c7 f0 <%6F.Y.. to.8....
03d0 52 8d d8 5c 7f 88 08 cf 32 2e cb 40 1d 4f a4 c6 R..\.... 2..@.O..
03e0 85 e7 e0 5a 16 1d c7 fa 9a d4 e3 fd 15 e8 e5 0d ...Z.... ........
03f0 38 23 9a 62 6c 56 37 a3 23 e8 da 45 60 cb c2 84 8#.blV7. #..E`...
0400 99 f0 5c 54 01 a2 55 22 04 00 05 55 60 61 ..\T..U" ...U`a
[/Code]

[Code]0000 00 00 19 00 6f 08 00 00 62 80 1f f9 00 00 00 00 ....o... b.......
0010 12 6c 85 09 80 04 fd a9 00 88 01 2c 00 4c e6 76 .l...... ...,.L.v
0020 a9 9a 1f 34 af 2c be 24 b6 4c e6 76 a9 9a 1f c0 ...4.,.$ .L.v....
0030 0e 00 00 aa aa 03 00 00 00 08 00 45 00 03 cf 07 ........ ...E....
0040 3c 00 00 40 11 35 31 c0 a8 02 29 4e d2 29 0e e9 <..@.51. ..)N.)..
0050 60 d2 76 03 bb 41 20 ea d0 01 03 92 03 11 11 e2 `.v..A . ........
0060 08 7f 00 0e 00 d3 ca 02 fd 5d 63 ac 35 31 80 61 ........ .]c.51.a
0070 95 8c c4 06 ab 02 01 00 5b 3a 7e 03 05 00 00 00 ........ [:~.....
0080 01 02 00 00 04 01 00 00 01 02 00 00 01 00 00 00 ........ ........
0090 76 03 00 00 [b]5c 97 b1 dc 00 00 d9 29 a5 80 ff c3 v...\... ...)....
00a0 78 af d3 07 79 bc 09 cd 5c 9d 05 9c ee cc da b1 x...y... \.......
00b0 c7 ed 79 5c 0d f5 85 37 3a 8e 4b bd 92 4b 17 6b ..y\...7 :.K..K.k
00c0 cc 47 a3 4a 55 69 3c 6c 0f c9 6d d5 c2 fd f9 f5 .G.JUi<l ..m.....
00d0 e7 da d7 8a 26 a0 03 87 91 5f 88 8f a1 7a 2f 21 ....&... ._...z/!
00e0 fa 24 57 47 db 13 78 1d e8 8a 17 a4 7b 8c e9 ff .$WG..x. ....{...
00f0 6d 0e 89 2c fc 50 12 e4 06 d0 67 93 cd 20 5c 76 m..,.P.. ..g.. \v
0100 e1 ac 78 09 c0 09 22 ce ff 4b 7d ac e7 b6 ef e6 ..x...". .K}.....
0110 d6 c5 87 30 83 38 db a4 05 a9 4b d6 13 fa 57 8b ...0.8.. ..K...W.
0120 87 27 e6 46 30 fd 1e 22 02 e4 95 a1 17 89 c4 c9 .'.F0.." ........
0130 65 10 2e 77 a0 33 73 bc c4 37 89 21 b1 3b 18 a1 e..w.3s. .7.!.;..
0140 78 d2 48 64 21 d6 a3 b7 cf d6 ba 54 9c 95 d3 4b x.Hd!... ...T...K
0150 0e 43 62 c4 4e 73 7c 4b b7 75 14 1c 24 64 a2 a8 .Cb.Ns|K .u..$d..
0160 24 a7 45 be c0 fd d0 d2 83 a4 38 c5 c9 36 58 f1 $.E..... ..8..6X.
0170 1d 25 6e f4 61 65 e7 2d 94 02 dc 21 00[/b] 00 00 00 .%n.ae.- ...!....
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0190 00 00 00 00 00 00 00 00 27 a4 1f 53 18 00 01 01 ........ '..S....
01a0 e1 27 b9 aa 03 ac 26 f6 73 95 b7 b1 ef 57 2c e6 .'....&. s....W,.
01b0 73 95 b7 b1 ef 57 2c e6 2e dc 21 6c 00 00 08 4e s....W,. ..!l...N
01c0 14 26 1a 07 02 02 00 00 48 64 09 05 01 cb 08 03 .&...... Hd......
01d0 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
01e0 46 00 65 00 6c 00 69 00 78 00 00 00 00 00 00 00 F.e.l.i. x.......
01f0 00 00 00 00 00 00 00 00 00 00 46 00 65 00 6c 00 ........ ..F.e.l.
0200 69 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 i.x..... ........
0210 00 00 00 00 4e 00 69 00 63 00 65 00 20 00 74 00 ....N.i. c.e. .t.
0220 6f 00 20 00 6d 00 65 00 65 00 74 00 20 00 79 00 o. .m.e. e.t. .y.
0230 61 00 21 00 00 00 4c 00 65 00 74 00 19 20 73 00 a.!...L. e.t.. s.
0240 20 00 62 00 61 00 74 00 74 00 6c 00 65 00 21 00 .b.a.t. t.l.e.!.
0250 00 00 00 00 00 00 00 00 4c 00 65 00 74 00 19 20 ........ L.e.t..
0260 73 00 20 00 74 00 72 00 61 00 64 00 65 00 21 00 s. .t.r. a.d.e.!.
0270 00 00 00 00 00 00 00 00 00 00 57 00 61 00 74 00 ........ ..W.a.t.
0280 63 00 68 00 20 00 6d 00 79 00 20 00 56 00 69 00 c.h. .m. y. .V.i.
0290 64 00 65 00 6f 00 21 00 00 00 00 00 55 00 73 00 d.e.o.!. ....U.s.
02a0 65 00 20 00 61 00 6e 00 20 00 4f 00 2d 00 50 00 e. .a.n. .O.-.P.
02b0 6f 00 77 00 65 00 72 00 21 00 00 00 00 00 00 00 o.w.e.r. !.......
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02e0 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0300 4a 89 1d 00 00 00 00 00 53 72 af 3c 33 9d a3 9d J....... Sr.<3...
0310 5f d7 a6 32 02 93 7e 1a 5a 15 2f cc 9c 06 4e ce _..2..~. Z./...N.
0320 d3 1c fa e4 5c a7 72 15 5e e4 76 11 ee da b9 28 ....\.r. ^.v....(
0330 02 5f 2a a4 59 bd a4 00 7e 72 7c b1 10 7f 62 59 ._*.Y... ~r|...bY
0340 73 4b ec 81 6e 9f 2f 03 b0 00 b7 10 8e aa ad 73 sK..n./. .......s
0350 1e 6f f3 e6 38 22 e7 b4 2d a0 b4 25 62 d7 2d 44 .o..8".. -..%b.-D
0360 f4 a0 0e de 51 bb f1 88 cd 0a 5c ee 70 b8 7b 69 ....Q... ..\.p.{i
0370 f5 3e 8a 54 28 35 96 5c a2 b9 a2 e1 7f 72 69 11 .>.T(5.\ .....ri.
0380 42 4b 6b a1 fc cc 9b 47 98 2a 8a 11 98 46 48 85 BKk....G .*...FH.
0390 b0 1c d6 05 3f 22 50 8d 88 e5 16 c3 1e fa fc d7 ....?"P. ........
03a0 eb 78 1b d9 3a 2a 11 de 1b e5 60 ef c8 2c aa 67 .x..:*.. ..`..,.g
03b0 71 86 c0 64 4d 03 90 0d 95 b7 a0 1a 91 ab 90 19 q..dM... ........
03c0 3c 25 36 46 d8 59 f8 d3 74 6f f5 38 da a0 c7 f0 <%6F.Y.. to.8....
03d0 52 8d d8 5c 7f 88 08 cf 32 2e cb 40 1d 4f a4 c6 R..\.... 2..@.O..
03e0 85 e7 e0 5a 16 1d c7 fa 9a d4 e3 fd 15 e8 e5 0d ...Z.... ........
03f0 38 23 9a 62 6c 56 37 a3 23 e8 da 45 60 cb c2 84 8#.blV7. #..E`...
0400 99 f0 5c 54 01 a2 55 22 04 00 18 98 3b a3 ..\T..U" ....;.
[/Code]

So its definitely not a checksum of only the pokemon data :) so its either heavily seeded or something else entirely

Oh lord... I was afraid that would happen... How did you manage to get the same Pokémon three times, though? Or was it just a regular trade? I have unfortunately not had a chance to test that...

The checksum obviously needs to be calculated from data available to both systems, so some seeds might be exchanged in other packets. This is gonna be a nightmare to figure out :(

Share this post


Link to post
Share on other sites
I both can and will. I'm using ARP poisoning to route all the traffic through my mashine. It just seemed easiest to me. An early, but admittedly half-hearted attempt, to do the same using a proxy failed. The 3DS refused to wonder trade, etc. I will try dropping select packages later, but currently I do unfortunately not have any time at all.

I also suggest we already start working on the checksum, just in case we get injection working soon. I just wanted to start a bruteforce attack using oclHashcat-plus, but appaerantly a salt of 232 bytes (the PKX data) is too much for it to handle. In case anyone knows a program that could bruteforce such a long 'password', I suggest we just have a list of all tried algorithms, so that we can distribute the workload.

The problem is that we aren't even sure how long the salt is, whether the salt is placed before or after the data payload (or both), or even what sections of data are being hashed. If it's anywhere near as long as the 20 character SHA1 salt used in the GTS, then it's not even worth trying to brute-force. You'd have better luck finding/hiring a hardware engineer to reproduce what neimod and smea can do, and pull it out of RAM.

This deeply confuses me. Assuming we're right that this is a hash, and assuming that this hash is absolutely required by the game and that we're not just making mistakes elsewhere in our injection process, then it should've been impossible for bond and xfr to inject an edited Pokemon using wonder trade. Unless, of course, they happen to have the same hardware setup as neimod and smea.

Share this post


Link to post
Share on other sites
Oh lord... I was afraid that would happen... How did you manage to get the same Pokémon three times, though? Or was it just a regular trade? I have unfortunately not had a chance to test that...

The checksum obviously needs to be calculated from data available to both systems, so some seeds might be exchanged in other packets. This is gonna be a nightmare to figure out :(

I waited till the 1038 byte frame was sent and ejected my pokemon cartridge :P

Share this post


Link to post
Share on other sites
The problem is that we aren't even sure how long the salt is, whether the salt is placed before or after the data payload (or both), or even what sections of data are being hashed. If it's anywhere near as long as the 20 character SHA1 salt used in the GTS, then it's not even worth trying to brute-force. You'd have better luck finding/hiring a hardware engineer to reproduce what neimod and smea can do, and pull it out of RAM.

This deeply confuses me. Assuming we're right that this is a hash, and assuming that this hash is absolutely required by the game and that we're not just making mistakes elsewhere in our injection process, then it should've been impossible for bond and xfr to inject an edited Pokemon using wonder trade. Unless, of course, they happen to have the same hardware setup as neimod and smea.

Given the 16byte checksum I figured it would be MD5 and bruteforcing like 12-16 bytes is definitely possible on modern hardware. Hail to GPGPU processing ;)

Then again we don't even know what of the actual data is hashed. And the previous use of sha1 in the GTS would also make md5 unlikely. Maybe it's just arbitrary data that we don't need to change at all... Or it really is a checksum and calculated from data in other packets which might explain why injecting doesn't work, because even if we use an extracted checksum it is not the correct one...

If they had a RAM reading/writing setup why would they have named the gible 'Wireshark'? To confuse us O.o?

I waited till the 1038 byte frame was sent and ejected my pokemon cartridge :P

Oh well, hardware exploits :D Didn't think about them...

Do you get 1038 or 994 byte frames more often? About 9 out of 10 are 994 for me...

Share this post


Link to post
Share on other sites

If it's true that it uses MD5, then according to Wikipedia, the checksum isn't very secure nowadays.

I don't think Nintendo would use a hash tag checksum that has been proven to no longer be as secure as in the past.

Then again, I don't know Nintendo's decisions, so...

Share this post


Link to post
Share on other sites

I've been collecting 0 data packets to look for some that match in checksum, and found some that in fact do...

The only thing differing between the ones that are different is part of the header.

ead001000000a1af93008c0004008b3d086c8d37bfd2bc9e556f8373ddfc
ead001000000a1af93008c0004008b3d086c8d37bfd2bc9e556f8373ddfc
ead001000000a1af93008c0004008b3d086c8d37bfd2bc9e556f8373ddfc
ead001000000a1af9300ff000400a80cb50b2df825c4a1d19890bba72157
ead001000000a1af9300ff000400a80cb50b2df825c4a1d19890bba72157
ead001000000a1af9300ff000400a80cb50b2df825c4a1d19890bba72157
ead001000000a1af930093000400a9e5d4be3da3e2b0e472e027f16e45ff
ead001000000a1af930093000400a9e5d4be3da3e2b0e472e027f16e45ff
ead001000000a1af930093000400a9e5d4be3da3e2b0e472e027f16e45ff
ead001000000a1af9300020004003d87795e6cad682c430d8751f79fc0f0
ead001000000a1af9300020004003d87795e6cad682c430d8751f79fc0f0
ead001000000a1af9300020004003d87795e6cad682c430d8751f79fc0f0
ead001000000a1af930040000400b8f17af75971928c461bea59a847cbef
ead001000000a1af930040000400b8f17af75971928c461bea59a847cbef
ead001000000a1af930040000400b8f17af75971928c461bea59a847cbef
ead001000000a1af930088000400a480a844a2bab1c1d79bafa9aeefc327
ead001000000a1af930088000400a480a844a2bab1c1d79bafa9aeefc327

I logged off and on again to reset the packet ID, and that's how I got matching packets.

Share this post


Link to post
Share on other sites

I at least want to share my findings for this. Attached the hex data and the .bin for a Bunnelby I acquired via Wonder Trade. I may not be as knowledgeable on this than any of you here, but I'd like to help if needed. :)

bunnelby..zip

bunnelby..zip

Share this post


Link to post
Share on other sites

People, remember what Bond, said. Direct contributions only. This is still a work in progress, and when it is ready for people to use you will know about it.

Not sure if this will help, but I've dumped some PKX files from my game and will continue to do so: http://projectpokemon.org/forums/showthread.php?33180-Pok%E9mon-X-and-Y-PKX-Contribution

If you don't mind, a better use of your time and resources would be to document the index numbers of new moves and new abilities as you dump the data.

Share this post


Link to post
Share on other sites
Then i can not use it right now ,Am i correct?

It's currently a very user unfriendly process, because it's still in the making. Wait until a tool is released because you may have a hard time with capturing packets of data and extracting certain bytes.

Share this post


Link to post
Share on other sites

Ugh. Got the Move IDs, special thanks to Stormfront, Griver, Arphage, Faust, and watsbeef for helping me find Pokemon with the moves, and codemonkey85 for a nice little converter he made to help me out.

Don't have it all, done yet, have 6 moves yet to be associated with an ID but there are more than 6 unassociated IDs though o_O

Edit: 2 more moves, "Celebration (Sylveon Event) and Happy Time (doubles the amount of money won, Inkay Event)" -Veganosaure

560 Flying Press

561 Mat Block

562

563 Rototiller

564 Sticky Web

565

566 Phantom Force

567 Trick-or-Treat

568 Noble Roar

569

570 Parabolic Charge

571 Forest's Curse

572 Petal Blizzard

573 Freeze-Dry

574 Disarming Voice

575 Parting Shot

576 Topsy-Turvy

577 Draining Kiss

578 Crafty Shield

579 Flower Shield

580 Grassy Terrain

581 Misty Terrain

582 Electrify

583 Play Rough

584 Fairy Wind

585 Moonblast

586 Boomburst

587 Fairy Lock

588 King's Shield

589 Play Nice

590 Confide

591

592

593

594 Water Shuriken

595 Mystical Fire

596 Spiky Shield

597 Aromatic Mist

598 Eerie Impulse

599 Venom Drench

600 Powder

601 Geomancy

602 Magnetic Flux

603

604 Electric Terrain

605 Dazzling Gleam

606

607

608 Baby-Doll Eyes

609 Nuzzle

610

611 Infestation

612 Power-Up Punch

613 Oblivion Wing

614

615

616 Land's Wrath

Spreadsheet link: http://sdrv.ms/17znyCW

Edit: Data added to veekun's spreadsheet.

Edited by ReignOfComputer
Updating movelist

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...