[GEN 3] Mystery Event/Gift Research

[Guest]

Missed a step, but the result is correct:

0xFFFF03E3 + 0x00000000 + 0x00000008 + 0x00000000 +

0x00000000 + 0xC9CCCFBB + 0xC3CEBBCC + 0xCEBFC5BD

= 0x5C5A552F AND 0xFFFFFFFF

= 0x5C5A552F

Thank you. Bad mistake.

There's a blue Old Sea Map Wonder Card . (The real one was Green.)

Not sure about the Tamago no Pokémon Wonder Card.

I thought it could be the Egg Pokémon Present Event from 2004.

But the card says あき which is Autumn, so this doesn't fit since the Event was distributed in Spring.

I got to check later what's in the egg.

I added RAW Codes and Save Files to this post for research purpose only.

Edited October 17, 2015 by ajxpkm
Removed Save Files and RAW Codes

[lostaddict]

Really nice info!!!

There is a small mistake in you example: E8 03 FF FF will become FF FF 03 E8

I have write a quick script in java to compute this automatically... It reads the bytes from a file and computes the checksum. Here is the result when running it on you example:

FFFF03E8
00000000
00000008
00000000
00000000
C9CCCFBB
C3CEBBCC
CEBFC5BD
Sum: 5C5A5534
Final Checksum: B18E

The bad news is that when i use this algorithm to the actual wonder card data, the result does not match with the one in the .sav file...

Here are the results when running it on the actual wonder card data:

FFFF03E8
00000000
00000008
00000000
00000000
C9CCCFBB
C3CEBBCC
CEBFC5BD
00000000
00000000
00000000
00000000
00000000
00000000
00000000
DCD7ECBF
D9DBE2D5
E6D5BD00
000000D8
00000000
00000000
00000000
E3C10000
00E3E800
00D9DCE8
E3D7D9E7
DA00D8E2
E6E3E3E0
00DAE300
00D9DCE8
1BC5C9CA
00C8C9C7
BFBD0000
CCBFCEC8
D8E2D500
D9D9E100
DCE800E8
D9D800D9
D9EADDE0
E400EDE6
E3E7E6D9
E2DD00E2
E6DB0000
ADE2D9D9
D7D9CC00
D9EADDD9
D9DCE800
CCCFBB00
CEBBCCC9
BFC5BDC3
E2D500CE
000000D8
DCE80000
E700E2D9
00D9EAD5
00D9DCE8
D9E1D5DB
0000ABAB
00000000
00000000
00000000
00000000
E3BE0000
E8E3E200
E7E3E800
DCE800E7
BF00E7DD
D5DCD7EC
00D9DBE2
D8E6D5BD
00000000
00000000
D9D60000
D9E6E3DA
D7D9E600
DDEADDD9
E800DBE2
BB00D9DC
CCC9CCCF
BDC3CEBB
ABCEBFC5
000000AB
00000000
00000000
Sum: 5DFDA06E
Final Checksum: FE6B

It should give 85 FC instead....

Is there any information on Taka's website regarding the blocks we should use to calculate the checksum?

[Guest]

Really nice info!!!

There is a small mistake in you example: E8 03 FF FF will become FF FF 03 E8

I have write a quick script in java to compute this automatically... It reads the bytes from a file and computes the checksum. Here is the result when running it on you example:

FFFF03E8
00000000
00000008
00000000
00000000
C9CCCFBB
C3CEBBCC
CEBFC5BD
Sum: 5C5A5534
Final Checksum: B18E

The bad news is that when i use this algorithm to the actual wonder card data, the result does not match with the one in the .sav file...

Here are the results when running it on the actual wonder card data:

FFFF03E8
00000000
00000008
00000000
00000000
C9CCCFBB
C3CEBBCC
CEBFC5BD
00000000
00000000
00000000
00000000
00000000
00000000
00000000
DCD7ECBF
D9DBE2D5
E6D5BD00
000000D8
00000000
00000000
00000000
E3C10000
00E3E800
00D9DCE8
E3D7D9E7
DA00D8E2
E6E3E3E0
00DAE300
00D9DCE8
1BC5C9CA
00C8C9C7
BFBD0000
CCBFCEC8
D8E2D500
D9D9E100
DCE800E8
D9D800D9
D9EADDE0
E400EDE6
E3E7E6D9
E2DD00E2
E6DB0000
ADE2D9D9
D7D9CC00
D9EADDD9
D9DCE800
CCCFBB00
CEBBCCC9
BFC5BDC3
E2D500CE
000000D8
DCE80000
E700E2D9
00D9EAD5
00D9DCE8
D9E1D5DB
0000ABAB
00000000
00000000
00000000
00000000
E3BE0000
E8E3E200
E7E3E800
DCE800E7
BF00E7DD
D5DCD7EC
00D9DBE2
D8E6D5BD
00000000
00000000
D9D60000
D9E6E3DA
D7D9E600
DDEADDD9
E800DBE2
BB00D9DC
CCC9CCCF
BDC3CEBB
ABCEBFC5
000000AB
00000000
00000000
Sum: 5DFDA06E
Final Checksum: FE6B

It should give 85 FC instead....

Is there any information on Taka's website regarding the blocks we should use to calculate the checksum?

Damn.

I really messed up in my tutorial.

You're quick! I already thought about writing a script. Would be cool if you could give the java script to me.

Unfortunately my japanese is not good enough to understand everything what he wrote there.

But if you like you could use Google Translate to check it out. Maybe I missed something?

I've read it many times but it's still confusing.

https://translate.google.com/translate?sl=ja&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fweb.archive.org%2Fweb%2F20080106083812%2Fhttp%3A%2F%2Fwww.h6.dion.ne.jp%2F~taka.999%2Fpage002.html&edit-text=

I still don't know yet how the blocks are added together exactly.

There must be more steps to the actual checksum...

[lostaddict]

Damn.

I really messed up in my tutorial.

You're quick! I already thought about writing a script. Would be cool if you could give the java script to me.

Unfortunately my japanese is not good enough to understand everything what he wrote there.

But if you like you could use Google Translate to check it out. Maybe I missed something?

I've read it many times but it's still confusing.

https://translate.google.com/translate?sl=ja&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fweb.archive.org%2Fweb%2F20080106083812%2Fhttp%3A%2F%2Fwww.h6.dion.ne.jp%2F~taka.999%2Fpage002.html&edit-text=

I still don't know yet how the blocks are added together exactly.

There must be more steps to the actual checksum...

For anyone who is interesting here is the script:

The file contains the source code, a jar file that you can run from the command line and the legit Aurora Wonder Card. To run it open a command prompt and type:

java -jar ComputeChecksum.jar WonderCard.bin

You should see the results in the output :smile: Make sure you have java installed on your computer...

PS: Google Translate is not so good with the Japanese...

ComputeChecksum.rar

[Guest]

Thanks!

I will play around with this later.

Eventually I will get the right checksum, who knows.

Yeah, the translation is horrible. But unfortunately this is the only source we have.

I don't know why the spanish speaking guys make such a big secret of this, would be cool if they shared more with us.

Btw. you could be right about your guess with the Event Type, but I'm not sure...

I also paid attention to this part of the code. At first I thought this could be the value who determines the color of the card.

Because it's exactly the same values in the Japanese versions.

The weird thing is the value which you guessed could be for the color.

In the Aurora Wonder Card we have the value is "08" but in Morfeo's code it's "88".

I will check later what it is in the Japanese Versions the save file.

I wanted to see it in the RAW codes which I converted and to my surprise... this part is entirely missing there...

Or maybe it's on an different offset and I just couldn't find it.

Some small notes...

EDIT:

About Checksums, thanks to BlackShark's Thread I found this here on Bulbapedia:

http://bulbapedia.bulbagarden.net/wiki/Save_data_structure_in_Generation_III#Checksum

Checksum

Used to validate the integrity of saved data.

A 16-bit checksum generated by adding up bytes from the section. The algorithm is as follows:

Initialize a 32-bit checksum variable to zero.

Read 4 bytes at a time as 32-bit word (little-endian) and add it to the variable. The number of bytes to process in this manner is determined by Section ID.

Take the upper 16 bits of the result, and add them to the lower 16 bits of the result.

This new 16-bit value is the checksum.

Edited August 25, 2015 by ajxpkm

[BlackShark]

Checksum is calculated for the area from 0x56C to 0x6BB, so exactly 336 Bytes.

The bytes before and after that location won't corrupt the wc if you edit them.

Though there's a second part a few offsets after the first one which also belongs to the wondercard event.

That one also should have its own checksum.

The checksum should be included in the said area.

But somehow I believe it's computed different to what Taka is talking about. The algorithm he mentioned is exactly the same as the one used to validate each save section.

The are at least to other algorithms used for checksums ( one for pkm data the other for injected e-Reader trainer data). The one used to validate save data as well as the other two dont seem to match here.

If I didn't make a mistake I would guess the checksum is different in this case.

[lostaddict]

About Checksums, thanks to BlackShark's Thread I found this here on Bulbapedia:

http://bulbapedia.bulbagarden.net/wiki/Save_data_structure_in_Generation_III#Checksum

This is the exact same algorithm we have already implemented. If you run the algorithm on the block containing the wonder card data (using all block data) then it gives the correct checksum that you can add at the footer of the block.

This resolves the corrupted file issue when you inject the wonder card code in the .sav file. I have already tested it and works ok :biggrin:

NOW THE REALLY GOOD NEWS:

Morfeo has left behind actual instructions on how to compute this checksum... It's in a .rar file that it supposed to contain all the information needed to implement wonder card functionality and generate the AR Codes... I have this since yesterday and the algorithm is already implemented. :wink:

But while it works perfectly on his example, it does not work on the actual wonder card data... :rolleyes:

I will post more details on this later today...

[Guest]

These are really great informations, thanks for the effort.

Unfortunately I'm at a loss, got nothing new to share.

I tried every type of checksum computing I know, none of them is fitting into this.

I really hope we can get some more informations, it could save us a lot of time.

NOW THE REALLY GOOD NEWS:

Morfeo has left behind actual instructions on how to compute this checksum... It's in a .rar file that it supposed to contain all the information needed to implement wonder card functionality and generate the AR Codes... I have this since yesterday and the algorithm is already implemented.

But while it works perfectly on his example, it does not work on the actual wonder card data...

I will post more details on this later today...

I'm excited to hear more about the rar archive you got, lostaddict.

Where did you found it? It's good to know Morfeo left something for us.

I'm very interested!

Checksum is calculated for the area from 0x56C to 0x6BB, so exactly 336 Bytes.

The bytes before and after that location won't corrupt the wc if you edit them.

Thanks for confirming this. So with this at least we know that we have the right bytes for the calculation process.

Though there's a second part a few offsets after the first one which also belongs to the wondercard event.

That one also should have its own checksum.

The checksum should be included in the said area.

You're right, there's a 2nd block for the Script a few offsets later with another checksum. But for now it's all about the Wonder Card itself.

And btw. one thing that was coming through my mind about this... I think we also should look how things in the Rom are working when it comes to Scripts.

I wouldn't be too surprised if there are some simiralities. The same goes for the Wonder Card. I wonder if Mails having checksums, too... just for an example.

I thought about this also because the Mail text is not saved in the 100-byte structure of a Pokémon but somewhere else.

But this is just a wild theory of course...

But somehow I believe it's computed different to what Taka is talking about. The algorithm he mentioned is exactly the same as the one used to validate each save section.

Yeah, I realized this yesterday when I found the Bulbapedia article and after reading the diary again. Sorry, this was my fault.

The only thing Taka was mentioning about is how to compute the checksums for the save sections, not the one we try to understand.

I think I got confused because he showed the text part offset in his diary.

But this diary was just about how he managed to inject a original Wonder Card. (Without editing.)

He wasn't saying anything about editing the text from the card and later in the diary all he talked about was just the corrupt the save file.

I know they managed to do this tho', because some of the Wonder Cards are customized.

Anyway, I think the Japanese site won't help us much more since these are all the informations they shared.

Edited October 17, 2015 by ajxpkm

[BlackShark]

You're right, there's a 2nd block for the Script a few offsets later with another checksum. But for now it's all about the Wonder Card itself.

The second block from 0x8B0 to 0xC93 (996 Bytes) has to be validated too. Otherwise the wondercard gets corrupted.

Probably there's a checksum for both together.

[Guest]

The second block from 0x8B0 to 0xC93 (996 Bytes) has to be validated too. Otherwise the wondercard gets corrupted.

Probably there's a checksum for both together.

A checksum for both together? That could make sense. Haven't thought about this yet.

Now I hope lostaddict will share what he got with us soon.

[lostaddict]

OK so here is what i have regarding the info and the algorithm Morfeo left behind:

1) General Information:

As we already know there are 2 relevant data blocks for each Wonder Card. At the beginning of each of those 2 blocks there is a key (checksum value) which is 4 Bytes

Wonder Card Data (332 bytes)

Green Man Script (1000 bytes)

2) Algorithm Information

The algorithm seems to use the same method that rom uses to encrypt things... Before proceed with the actual algorithm there are 2 things needs to be defined. What is "Seed" and what is "Tab"

"Seed" is a 2 byte value that is compute in each step of the algorithm and used as input to the next step. Initial value of "Seed" is always "8530"

"Tab" is an index value. This points to a 2 byte value that can be found in a file. This file is actually a lookup table. You look on a specific address and you retrieve the specific value to use it in the algorithm... According to Morfeo is really important to group the file data in "tabs". Each tab has 2 bytes.

More info on how the Tabs are created:

So if the tab file contains the following data

00 00 00 01 0F CF E0 17 30 01 0F 00 BO 19 30 2D

The tabs should be:

00 00 Tab 0

00 01 Tab 1

0F CF Tab 2

E0 17 Tab 3

30 01 Tab 4

0F 00 Tab 5

BO 19 Tab 6

30 2D Tab 7

The Tab file is provided by Morfeo (tab.bin). I did some search to find it's origin... The data in the file seems to be part of the actual rom (I found them both in Emerald and Green Leaf roms). That's why I'm assume that this is the same method of encryption the game itself uses...

3) The Algorithm

2 More definitions:

"upperSeed": The upper 2 bytes of the "Seed"

"reverseTab": The reverse value of the "Tab" (if Tab value is XXYY the reverse is YYXX)

For Each Byte:
     Tab Index = (Current Byte [b]XOR [/b]"Seed") [b]AND [/b]0xFF
     Tab Value = Value at position "Tab Index" in tab.bin file
     newSeed = reverseTab [b]XOR [/b]upperSeed
End For

Tab Values for the Example:

                Offset      Data  ##Tab

	00000000  00 00  00Tab
	00000002  00 01  01Tab
	00000004  0F CF  02Tab
	00000006  E0 17 "03Tab"<-- 1st Byte
	00000008  30 01  04Tab
	0000000A  0F 00  05Tab
		¡	¡
		¡	¡
		¡	¡
	00000130  10 06  98Tab
	00000132  00 10  99Tab
	00000134  01 ED "9ATab"<-- 2nd Byte
	00000136  10 1C  9BTab
	00000138  51 2F  9CTab
		¡	¡
		¡	¡
		¡	¡
	00000160  00 BB  B0Tab
	00000162  0B B0  B1Tab
	00000164  17 B0 "B2Tab"<-- 4th Byte
	00000166  EF 50  B3Tab
	00000168  17 D0  B4Tab
		¡	¡
		¡	¡
		¡	¡
	000001CE  20 BF  E7Tab
	000001D0  A0 2F  E8Tab
	000001D2  A0 30 "E9Tab"<-- 3rd Byte
	000001D4  17 20  EATab
	000001D6  1A F0  EBTab

Example: Input Data "33 FF FF FF"

Step 1: [b]"33"[/b] FF FF FF
     8530 ^ 33 =  8503 & 0xFF = 03
     Tab03 = E0 17
     17E0 ^ 85 = 1765
     newSeed = 1765

Step 2: 33 [b]"FF"[/b] FF FF
     1765 ^ FF =  179A & 0xFF = 9A
     Tab9A = 01 ED
     ED01 ^ 17 = ED16
     newSeed = ED16

Step 3: 33 FF [b]"FF"[/b] FF
    ED16 ^ FF = EDE9 & 0xFF = E9
    TabE9 = A0 30
    30A0 ^ ED = 304D
    newSeed = 304D

Step 4: 33 FF FF [b]"FF"[/b]
    304D ^ FF = 30B2 & 0xFF = B2
    TabB2 = 17 B0
    B017 ^ 30 = B027
    newSeed = B027

Once all the calculations for all the bytes are made we need to compute the final "Key" value which is the actual checksum. This is how this is done:

a. Get the Last Seed the algorithm compute.

b. Convert it to binary.

c. Replace "zeros" with "ones" and "ones" with "zeros"

d. Convert back to hex

Example:

B027 ---> 1011 0000 0010 0111

4FD8 ---> 0100 1111 1101 1000

"Key"= 4FD8

In sav file: D8 4F 00 00

4) Where this information is coming from?

Morfeo left behind this information for those who actually care enough to mess with his codes... If you check closely in a .sav file that contains a Morfeo Wonder Card, you should find some bytes that are translating to a URL... From that URL you can download a .rar file containing: A .txt file with the above instructions in spanish and the tab.bin file for the encryption...

Also you can find some other thoughts of Morfeo regarding why he is not sharing this information... :rolleyes:

5) Implementation of the algorithm

I have implemented this yesterday... I'm planning to provide it later.

As i have already explained while it works perfectly on the example, when it comes with the actual wonder card data, it fails to give the correct checksum... It can be either a code bug, wrong initial "Seed" value or missing data from the "tab.bin" file...

Hopefully is a code bug since we don't have more info on the other 2 factors (initial seed and tab.bin file) that may affect the result...

Enjoy :biggrin:

[Guest]

Interesting stuff.

Thanks for the explanation...

So I was not so wrong with my thought that we could find the answer in the ROM.

Now we just have to find out why you couldn't get the right checksum for the Wonder Card.

I think we're close to it.

[lostaddict]

Ok I have check my code and I'm 99% sure that my implementation is correct. So at the moment I have reach a dead end... :confused:

I'm posting below the url to the original archive from Morfeo. You can take a look at it, maybe I'm missing something regarding the algorithm... Also here is how i find the archive with the algorithm info in the first place (it's part of a save file that contains Morfeo aurora ticket):

Here is the complete text in Spanish:

.NOTA 
No muestro a nadie el mé todo para crear Wonder Cards, por lo que no respondo a esas preguntas. 

Pero si tienes los conocimientos necesarios y sobre todo SENTIDO COMÚN, tal vez puedes merecer la última pieza para lograrlo en:

galeon.com/albumpokemon/llaveWC.rar

Also here are the results of my implementation running the Morfeo's example:

Step 1:
Input Byte: 33
Tab index: 3(0x3)
Tab value: E017
Tab value reverse: 17E0
New Seed: 1765
New Alta Seed: 17
----------------------------
Step 2:
Input Byte: FF
Tab index: 154(0x9A)
Tab value: 01ED
Tab value reverse: ED01
New Seed: ED16
New Alta Seed: ED
----------------------------
Step 3:
Input Byte: FF
Tab index: 233(0xE9)
Tab value: A030
Tab value reverse: 30A0
New Seed: 304D
New Alta Seed: 30
----------------------------
Step 4:
Input Byte: FF
Tab index: 178(0xB2)
Tab value: 17B0
Tab value reverse: B017
New Seed: B027
New Alta Seed: B0
----------------------------
Final Seed: B027
Binary Conversion:
0xB027 --> 1011000000100111
0x4FD8 <-- 0100111111011000

Save File Checksum: D8 4F

And the results when running it on the actual Wonder Card data (the last step):

New Seed: F018
New Alta Seed: F0
----------------------------
Step 332:
Input Byte: 00
Tab index: 24(0x18)
Tab value: 6130
Tab value reverse: 3061
New Seed: 3091
New Alta Seed: 30
----------------------------
Final Seed: 3091
Binary Conversion:
0x3091 --> 11000010010001
0x0F6E <-- 00111101101110

Save File Checksum: 6E 0F

[BlackShark]

Wow, I didn't expect they used something as complicated as this to validate the wondercard data.

I also tried calculating the checksum the way Morfeo described it. But I'm getting a false checksum as well, even though it's correct for the example.

I doubt the problem is the initial seed. I looped my function through all values from 0 to 0xFFFF (which could have been an initial seed) without getting a matching checksum.

I also don't think the tab.bin is incomplete. With the given algorithm you could only get values from 0 to 0xFF, the file contains 256 values.

In worst case both the initial seed and the algorithm are wrong...

[Guest]

Same here.

I always get wrong results.

To be honest, I don't trust Morfeo... After reading his note in the txt file I thought there is no way he would hand out everything. When you ask me, he didn't gave us the full algorithm. If we're lucky there is only 1 step missing or an built-in error.

I think the hint on the save file says it all:

.NOTA

No muestro a nadie el mé todo para crear Wonder Cards, por lo que no respondo a esas preguntas.

Pero si tienes los conocimientos necesarios y sobre todo SENTIDO COMÚN, tal vez puedes merecer la última pieza para lograrlo en:

galeon.com/albumpokemon/llaveWC.rar

He talks about earning the last piece.

I think this is a challenge...

But where is the key to solve this puzzle?

I also hoped it's maybe just an false initial seed. That's what I wanted to try next, but since BlackShark already tried it... The bin file seems ok, too. I will check more about this later because there are still open questions.

Now I already reaching my limit. What could we try next? Change the algorithm? I think the step with the binaries (changing 0s to 1s and 1s to 0s) is a bit awkward. Looks suspicious IMO even tho' I have seen this before. Just my feeling.

What could we change else? We should try everything possible we could do with this.

If this doesn't help I think there's more research to do. I want to avoid making it too complicated, if nothing is left it's all about trial and error.

As mentioned before, I got this feeling that the key is in the Rom itself. We have to consider Rom Research as an option. I already try to get informations about the checksum validations inside the Rom. It's just a bit difficult to get exact informations about them, maybe it's better to ask someone who knows about this well. If we could find something that sounds similar to Morfeo's Algorithm this would be great.

And I have another idea. What about the e-Cards? The e-Card Events work in a very similar way to the Mystery Gift Events. They are also temporarely saved, I guess even in the same locations as our Mystery Gift Events. There was another Thread on the Board about this Topic which btw. inspired me to open this one here.

EDIT:

Some more informations regarding the Japanese Wonder Cards from the Tools.

While looking a few years back on Taka's Page. In found some interesting stuff he mentioned...

http://web.archive.org/web/20040929044716/http://www.h6.dion.ne.jp/~taka.999/index.html

コメント：ＦＲ／ＬＧのチケット差分修正進行状況。09/27時点ようやくＳＵＭチェックルーチンロジック解析完了。データ改変開始。

ＲＯＭ内テキストで注目すべき内容 − 詳細不明 −

ふしぎなおくりもの ごりよう いただき ありがとう ございます！

どうぞ ポケモンセンター から この ポケモンの たまごを プレゼントいたします！

だいじに そだてて ください！

ふしぎなおくりもの ごりよう いただき ありがとう ございます

この ふしぎなカードを もっていると フレンドリーショップの アンケートで

いろいろな トレーナーを ルネシティに よぶことが できますよ！

‥‥ないしょで ひとつ アンケートの あいことばを おしえて あげましょう

「すごい トレーナー くれ くれ」

このことばを アンケートに かいて ぜひ ジョイスポットと つうしんして

みてください！

ふしぎなおくりもの ごりよう いただき ありがとう ございます

ルネシティに トレーナーが きている ようですよ

ぜひ たいせんを たのしんで くださいませ！

ほかの あいことば でも べつの トレーナーが よべますので あいことばを

いろいろと さがして みて ください

ふしぎなおくりもの ごりよう いただき ありがとう ございます

おめでとう ございます！

ただいま たいせんで ３しょうした トレーナーには プレゼントを

さしあげて います！

これからも どんどん たいせんを たのしんで ください！

ふしぎなおくりもの ごりよう いただき ありがとう ございます

さいきん １０３ばんどうろ にある へんげのどうくつで めずらしい

ポケモンが でる という うわさが ながれてる ようです

ぜひ いって たしかめて みては いかがで しょうか？

ふしぎなおくりもの ごりよう いただき ありがとう ございます

？？？？？ さま ですね

あなたさま あてに この かいずが おくられて きました

ミナモシティの ふなつきば で つかえる ようですね

ぜひ ごりよう してみては いかがでしょうか？

Translation powered by Google Translate:

Comments: FR / LG tickets differential correction progress. 09/27 point finally SUM check routine logic analysis completed. Data modification start.

Content that should be noted in the ROM within the text - unspecified -

Gift Thank you for using a strange!

We will present the eggs of this Pokemon from please Pokemon Center!

Please grow cherish!

Thank you for mysterious gift for your use

In it is and friendly shop of the questionnaire have this mysterious card

You can call a variety of trainer to Runeshiti!

We'll tell the watchword of one questionnaire in ‥‥ secret

"Let me give me great trainer."

By all means communicate with Joy spot to write these words to the questionnaire

please look!

Thank you for mysterious gift for your use

It seems trainer has come to Runeshiti

Please do not miss enjoying the War!

The other watchword because trainer on another is can call even watchword

Please try variously looking

Thank you for mysterious gift for your use

congratulations!

You can get a gift to the 3 award was trainer at War

We give!

Please do more and more enjoying the competition in the future!

Thank you for mysterious gift for your use

Recently rare in altering cave in 103 Bando filtration

It seems that rumors Pokemon comes out

A how to fire fighting and try to make sure it all means go?

Thank you for mysterious gift for your use

? ? ? ? ? It is sama

This chart has been sent to your customers addressed

It seems to use in wharf of Minamoshiti

Why not by all means try to use?

He's said that he starts the modification of the Wonder Card.

He found several Texts in the Rom which seem to be connected to the Mystery Gift feature.

One is for an Egg Present, another one for the Trainer Room in Sootopolis City, one for the Altering Cave and the last one for the Old Sea Map. That's how he came to the idea about making custom Wonder Cards.

As you can see this was in September 2004. It was a bit later after he wrote the diary where he dumped the Aurora Ticket and the Mystic Ticket and created the first tool. It also explains why one of the Old Sea Map Wonder Cards is blue ,because the Old Sea Map wasn't distributed yet and it also explains the other custom WCs from the Tools and PAR Codes.

Edited August 28, 2015 by ajxpkm

[BlackShark]

About the e-card data.

It is different to the wondercards as far as I know.

The Eon Ticket e-card doesn't have a wondercard and no checksum.

Also it is saved to another location which is in section 3. I successfully changed that text without validation needed.

The e-Reader trainer data in section 0 is validated by a checksum which is very similar to the one that's used for the save. It is a 32 bit sum of the data summed up as half-words (2 bytes).

The e-Reader berries are in section 4, they should be validated as you can see in this thread http://projectpokemon.org/forums/showthread.php?31210-Index-numbers-of-the-eReader-berries&p=171472&viewfull=1#post171472

I haven't looked into it yet. So I don't know if it could help with wondercard checksums.

Edited August 28, 2015 by BlackShark

[Guest]

I'm sorry... was a bit lazy today...

Thank you so much for all the informations.

Especially the enigma berry e-card checksum looks very interesting to me.

But it needs some dmp files. I'm curious about the content of these files.

It's definitely worth to be checked out. Even tho' I can't tell if this really is what we need just by the look of it. It's a complex routine too, but different than what we have from Morfeo. Still... very interesting.

Currently I try to get some informations about the Rom. Hopefully to find more informations about all the checksum validations the game makes use of... but I couldn't get much informations yet.

There's a hack which caught my attention. The name is CrystalDust. It even has hacked Wonder Cards as you can see here:

[video=youtube;rbuO7dMWqEg]

Maybe the creator knows something about the checksum or he just have set the checksum validation off.

It's a hack after all. But I wanted to post this for those who like hacks. Funny stuff...

[lostaddict]

Not much but here are some new findings...

In the Delivery Man Script:

33 FF FF FF B8 58 02 00 08 6A 5A 2B 3A 01 BB 01 
BC 02 00 08 2B AD 01 BB 01 BC 02 00 [color="#FF0000"][b]08 47 73 01[/b] [/color]
01 00 21 0D 80 01 00 BB 01 BC 02 00 08 BD C5 02 
00 08 66 6D 46 73 01 01 00 21 0D 80 00 00 BB 01 
B3 02 00 08 1A 00 80 73 01 1A 01 80 01 00 09 00 
29 D5 08 29 3A 01 BD 22 03 00 08 66 6D 6C 02 BD 
B3 03 00 08 66 6D 6C 02 BD 86 03 00 08 66 6D 6C 
02 CE DC D5 E2 DF 00 ED E3 E9 00 DA E3 E6 00 E9 
E7 DD E2 DB 00 E8 DC D9 00

This is the location of the item he delivers. The first 2 bytes are always the same. The other 2 is the hex value of the in game item... So theoretically you can change this value to put any item you want...

08 47 72 01 - Mystic Ticket

08 47 73 01 - Aurora Ticket

08 47 78 01 - Old Sea Map

And Some new colors (I messed up with the Japanese cards):

0C --> Green

12 --> Blue

Wish we had a way to figure out how to compute that checksum... :rolleyes:

Is there any tool that we can use to find the actual function used for encryption/decryption in the rom? If we can find that function maybe we can reverse engineer it...

Edit:

Also for some reason the Japanese cards are much smaller...

This is the complete Japanese Aurora Card:

E8 03 FF FF 00 00 00 00 08 00 55 AE 7B 77 61 59 
A0 64 00 1B 07 06 04 00 56 AE 95 00 A3 A1 A1 A5 
00 01 07 00 00 00 00 00 00 8A AE 71 2D 00 1A 3D 
22 13 00 9F 59 73 7E 5E 7E 60 AE 19 00 A3 06 02 
1D 00 02 0A 03 AB 00 55 AE 7B 77 61 59 A0 64 2D 
00 23 27 03 0A 14 37 00 44 07 29 26 AB 00 00 00 
00 00 00 00 00 61 59 A0 64 2D 00 23 27 50 10 27 
00 0D 39 7A 9F AE 64 AB 00 61 59 A0 64 2D 00 23 
27 03 1F 04 16 00 0A 19 56 AE 95 2D 00 0D 13 15 
02 44 00 08 41 0B 02 AB 00 00 00 00

[Guest]

33 FF FF FF...

Wait a minute... these values look pretty familiar! Aren't these exact the same values like in Morfeo's example? O_O

I have a guess... Maybe we should try to compute the checksum for the script first, the checksum could be the seed for the Wonder Card checksum. Just an idea... I can't try it in the moment so it would nice if someone else could do this.

About the Japanese Wonder Cards, they need less space because Hiragana & Katana are based on syllables and therefore need less characters. Maybe they just reserved more space for the Wonder Cards in the west because they needed more space for the text...

These are good informations lostaddict, thank you so much.

Some great NEWS

I also have something to share, something very interesting regarding the Wonder Card Egg Events.

One of the Egg Events of the Tools from the Japanese Site which I mentioned before was a an obvious hack. Inside the Egg was an Pichu with Surf, the PID method was A-B-D-E.

The cool thing is, it's not always the same Egg you get, it's generated right when you pick it up.

Everytime I picked up the Egg from the 2F Guy in the Pokémon Center the PID and IVs was different.

So it's possible to RNG here.

On the Site there is another Tool for the PokéPark Egg Event which seems pretty legit.

Even Taka said he didn't went to this Event and just reconstructed it, he did a great job, the Wonder Card matches exactly the one from the official Page.

He has found the script before during is his research as you can see in my post above.

You can find this Tool here and here are the PAR Codes for them.

In this Tool you can simply chose which of the Eggs you want, which is pretty cool.

But one thing that got me really interested about is the PID method.

I was always sure that the method for the PokéPark Eggs is "Common GBA (Restricted").

But then I found this Thread and this Thread in the forum.

In fact, every Egg I picked up had the PID method A-B-D-E.

Which confirms that all the Eggs from the Mystery Gift Events made use of this Method.

Since this whole script is an exact replica of the Original Egg Events and I guess it's found somewhere inside the Rom.

But this doesn't means that all GBA Common Eggs are hacks.

I also have a theory why some of the PokéPark Eggs are B-A-C-D (Restricted).

And this is maybe why this is a bit confusing...

According to Bulbapedia they were also distributed to Ruby & Sapphire who didn't had the Mystery Gift System. So the PID & IV were generated by the Distribution System and in their case just like other Events GBA Common (Restricted). But for FireRed, LeafGreen and Emerald when they were downloaded via through the Mystery Gift System, they were generated ingame and GBA Uncommon.

This is huge because it means we could basically reconstruct the PCJP2004 Event and just if we manage to find the script in english, even the PCNY/Wish Event as an addition to the Ticket Events. But I can't promise it at this point now, For this it would be good to know if they had Wonder Cards as well. From my understanding of the functionality of the Myster Gift Events they should. But there is still a lack of informations and if I recreate these Events I would like to make them as legit as possible. If someone has informations about this, please post your informations to this Thread.

Thank you.

Edited August 31, 2015 by ajxpkm

[King Impoleon]

And this is maybe why this is a bit confusing...

According to Bulbapedia they were also distributed to Ruby & Sapphire who didn't had the Mystery Gift System. So the PID & IV were generated by the Distribution System and in their case just like other Events GBA Common (Restricted). But for FireRed, LeafGreen and Emerald when they were downloaded via through the Mystery Gift System, they were generated ingame and GBA Uncommon.

in Ruby and Sapphire they are directly transfared into a free Team place ( as then my 10JAHRE/Aura)

This Tool didn't work?!

If i Download the tool and use it, it don't show me the AR code...

And what he means with: PAR and アドレス 02026950 XX　　 ?

It's then possible to create a SLOT 2 Wireless Distribution to send the Tickets?

[Guest]

in Ruby and Sapphire they are directly transfared into a free Team place ( as then my 10JAHRE/Aura)

This Tool didn't work?!

If i Download the tool and use it, it don't show me the AR code...

And what he means with: PAR and アドレス 02026950 XX　　 ?

It's then possible to create a SLOT 2 Wireless Distribution to send the Tickets?

Yes, all Events who were compatible with all 5 games were generated from the distribution device and then transfered directly to the Team, just like the first Event Pokémon for Ruby & Sapphire. The PokéPark Eggs had the additional option to be transfered via Wireless Adapter just like PCJ2004 and PCNY Wish were distributed.

The Codes are actually here, not in the Tool.

It's patching the Wonder Card into the save file just like the other Tools.

Please keep in mind that this only works with Japanese Versions.

It's the RAM Address for the flag.

If you want more Eggs you can set the flag back to 0xEF. (-10h)

But this only works with Anti DMA Code.

About the other question. No... I'm sorry... this would be impossible.

I'm not planning to make Tools for Flash Cards if that's what you mean. I would love to have distribution cartridges, then we could make something like this. But they're very rare and expensive.

EDIT:

I updated the starting post and uploaded some Wonder Card screenshots.

Edited August 31, 2015 by ajxpkm

[lostaddict]

I did some research on Morfeo Algorithm. It's a CRC16 checksum algorithm with a lookup table. It's seems to be a common checksum computation algorithm.

The bad thing is that there are a lot of variations of the algorithm... Including custom lookup tables (using different polynomial to generate them), in some cases different computation functions (but similar ones) and even different initial crc value (seed)...

E-Reader uses a similar algorithm (CRC32) for checksum computation. Here you can find very interesting information regarding E-Reader and an implementation of the CRC32 algorithm (under technical details)

https://www.caitsith2.com/ereader/index.htm

I think we should try to use the same algorithm and in our case... You never know...

EDIT (1/9/2015):

No News on checksum but here is some text i found regarding the Delivery Man dialog:

Egg:

Thank you for using the MYSTERY
GIFT System.

From the POKéMON CENTER we
have a gift - a POKéMON EGG!

Please raise it with love and
kindness.

Oh, your party appears to be full.

Please come see me after storing
a POKéMON on a PC.

Tickets:

Thank you for using the MYSTERY
GIFT System.

You must be {RED}.
There is a ticket here for you.

It appears to be for use at the
VERMILION CITY port.

Why not give it a try and see what
it is about?

Thank you for using the MYSTERY
GIFT System.


Oh, I’m sorry, {RED}. Your BAG’s
KEY ITEMS POCKET is full.

Please store something on your PC,
then come back for this.

Altering Cave:

Thank you for using the MYSTERY
GIFT System.

Recently, there have been rumors
of rare POKéMON appearances.

The rumors are about ALTERING
CAVE on OUTCAST ISLAND.

Why not visit there and check if
the rumors are indeed true?

And some really interesting ones:

Thank you for using the MYSTERY
GIFT System.

By holding this WONDER CARD, you
may take part in a survey at a
POKéMON MART.

Use these surveys to invite
TRAINERS to the SEVII ISLANDS.

…Let me give you a secret
password for a survey:

“GIVE ME
AWESOME TRAINER”

Write that in on a survey and send
it to the WIRELESS
COMMUNICATION SYSTEM.

Thank you for using the MYSTERY
GIFT System.

A TRAINER has arrived in the SEVII
ISLANDS looking for you.

We hope you will enjoy
battling the visiting TRAINER.

You may invite other TRAINERS by
entering other passwords.

Try looking for other passwords
that may work.

Thank you for using the MYSTERY
GIFT System.

Your BATTLE COUNT CARD keeps
track of your battle record against
TRAINERS with the same CARD.

Look for and battle TRAINERS who
have the same CARD as you.

You may check the overall rankings
by reading the NEWS.

Please do give it a try!

Thank you for using the MYSTERY
GIFT System.

Congratulations!

You have won a prize for winning
three battles!

We hope you will be inspired to
battle some more.

Old Sea Map (Emerald):

MYSTERY
GIFT System.

Let me confirm--you are [PLAYER]?

We received this OLD SEA MAP
addressed to you.

Source: http://iimarck.us/dumps/dfirered.txt

Edited September 1, 2015 by lostaddict

[Guest]

These are really great finds!

All the scripts Taka mentioned before on the website...

Guess they were meant to be as templates for the planned future Events.

It's unbelievable that they scrapped almost all of their plans...

Making the Altering Cave for a relict of a scrapped feature and a place of myths.

Very interesting to see that they all even got all translated. Good for us.

You even found the Egg Script which I would need to recreate the PCNY Wish Event.

Pretty cool! Thanks.

I wonder if there's some text for the Wonder Cards as well... I have this theory because Taka predicted the Texts of the Wonder Cards perfectly, which you can see by comparing the Wonder Card of his ("Fantasy") Pokémon Egg Event which was released earlier by him through his tool, with the one from the PokéPark Egg Event which was distributed later.

It's impossible to predict this so I think there could be more text in the game.

When I have more time I will see if I can find them in the Roms.

We also need more text for the other languages as well.

Update

Unfortunately there's not much new from my side.

I wished I could show some first results by now, but without the checksum we can't do anything.

Most of my time on this project, I spent with this damn checksum and I I think it will take a while until we have solved it... If there's anyone who knows anything about this checksum routine, please let us know.

To know how this checksum validation works would be necessary to make a tool such as an Wonder Card Editor for example.

However we may not be able to do this anytime soon. But even without the algorithm there's still some hope that we could make some progress. A few days ago I contacted Diegoisawesome, the creator of the CrystalDust romhack.

He told me that there is a way to work around, with this we could at least be able to create Wonder Cards.

I'm thinking about distributing them as PAR codes or maybe we could make a little injection tool. We'll see what this brings in the future.

I hope to get more informations about this and I can't wait to deliver something fruitful for this project.

Until then... Stay tuned...

[Hidraslick]

Hey guys I created my account just to thank you, because I now have more knowledge about how this games work.

I have 3 questions:

1. Have you made any progress in general?

2. On the save file that was posted before I saw one thing that is impossible as it is:

there is a event Ageto Celebi unmodified from japanese colosseum bonus disc, does this means

that it would be posible to actually replicate the japanese Celebi event as a wonder card to use it on non-japanese versions?

3. Could you please make a save from the previous save but one that could work for wireless transfer?

An idea could be to make save files that allow access to the nintendo official events by trading wonder cards instead of using Action Replay codes. That Would be awesome.

[lostaddict]

That's the point of this topic to share the knowledge... :biggrin:

Regarding your questions:

1. Personally I haven't make any actual progress... I was really busy in the past days, but i take a look in the function that validates the checksum in the firered rom. I have to share some info (see the rest of the post).

2. I had the impression that you can link Japanese Colosseum with English GBA (But I'm not sure... maybe I'm wrong)

3. That is the ultimate target of this thread... To create some save games that can used to distribute those events. If we find a way to solve the checksum issue, then this is possible...

Now some new info...

ajxpkm send me a link few days ago with a description of a function in FireRed rom that does what we are actually try to do... That function reads a checksum value from 2 different places and tries to validate it with some data with lengths 332 and 1000 bytes each...

I take a look at the assembly code and i found several evidences that this is actually the correct function. For example one of the validations that this function does is this:

cmp r0, #0x0
beq $08069e9c  (label end)
ldrb r0, [r4, #0x0]
cmp r0, #0x33
bne $08069e9c
ldrb r0, [r4, #0x1]
cmp r0, #0xff
bne $08069e9c
ldrb r0, [r4, #0x2]
cmp r0, #0xff
bne $08069e9c
ldrb r0, [r4, #0x3]
cmp r0, #0xff
bne $08069e9c

This chunk of asm code checks if the first 4 bytes of the data is "33 FF FF FF". If is not then retuns... This data is the start of the Delivery Man script which is always "33 FF FF FF".

This is what we are actually looking for. The part that does the checksum validation. This is a loop over the data:

lsr r1, r2, #0x08           //SHIFT RIGHT R2 (SEED) TO TAKE FIRST 2 DIGITS (UPPER SEED)
add r0, r5, r3               //READS DATA FROM A SPECIFIC ADDRESS 
ldrb r0, [r0, #0x0]
eor r2, r0                     //XOR DATA WITH SEED (WHICH IS 0x1121 BTW)
lsl r0, r2, #0x18           //DO SOME SHIFTING
lsr r0, r0, #0x17
add r0, r0, r6               //USE PREVIOUS RESULT TO COMPUTE A NEW ADDRESS
ldrh r0, [r0, #0x0]        //GET HALF WORD (2 BYTES) FROM THAT SPECIFIC ADDRESS (THIS IS THE LOOKUP TABLE)
add r2, r0, #0x0
eor r2, r1                    //XOR UPPER SEED WITH THE VALUE FROM THE LOOKUP TABLE
add r0, r3, #0x1
lsl r0, r0, #0x10           //DO AGAIN SOME SHIFTING
lsr r3, r0, #0x10
cmp r3, r4

What this asm code does is to loop ever the data and do the same or similar calculations with the ones that Morfeo describes (see my commends above)...

Edited September 11, 2015 by lostaddict