Guest Posted August 25, 2015 (edited)

Missed a step, but the result is correct:
0xFFFF03E3 + 0x00000000 + 0x00000008 + 0x00000000 + 0x00000000 + 0xC9CCCFBB + 0xC3CEBBCC + 0xCEBFC5BD = 0x5C5A552F AND 0xFFFFFFFF = 0x5C5A552F

Thank you. Bad mistake.

There's a blue Old Sea Map Wonder Card. (The real one was Green.)

Not sure about the Tamago no Pokémon Wonder Card. I thought it could be the Egg Pokémon Present Event from 2004. But the card says あき which is Autumn, so this doesn't fit since the Event was distributed in Spring. I've got to check later what's in the egg.

I added RAW Codes and Save Files to this post for research purposes only.

Edited October 17, 2015 by ajxpkm: Removed Save Files and RAW Codes

lostaddict Posted August 25, 2015

Really nice info!!!

There is a small mistake in your example: E8 03 FF FF will become FF FF 03 E8

I have written a quick script in Java to compute this automatically... It reads the bytes from a file and computes the checksum. Here is the result when running it on your example:

FFFF03E8 00000000 00000008 00000000 00000000 C9CCCFBB C3CEBBCC CEBFC5BD
Sum: 5C5A5534
Final Checksum: B18E

The bad news is that when I use this algorithm on the actual wonder card data, the result does not match the one in the .sav file... Here are the results when running it on the actual wonder card data:

FFFF03E8 00000000 00000008 00000000 00000000 C9CCCFBB C3CEBBCC CEBFC5BD
00000000 00000000 00000000 00000000 00000000 00000000 00000000 DCD7ECBF
D9DBE2D5 E6D5BD00 000000D8 00000000 00000000 00000000 E3C10000 00E3E800
00D9DCE8 E3D7D9E7 DA00D8E2 E6E3E3E0 00DAE300 00D9DCE8 1BC5C9CA 00C8C9C7
BFBD0000 CCBFCEC8 D8E2D500 D9D9E100 DCE800E8 D9D800D9 D9EADDE0 E400EDE6
E3E7E6D9 E2DD00E2 E6DB0000 ADE2D9D9 D7D9CC00 D9EADDD9 D9DCE800 CCCFBB00
CEBBCCC9 BFC5BDC3 E2D500CE 000000D8 DCE80000 E700E2D9 00D9EAD5 00D9DCE8
D9E1D5DB 0000ABAB 00000000 00000000 00000000 00000000 E3BE0000 E8E3E200
E7E3E800 DCE800E7 BF00E7DD D5DCD7EC 00D9DBE2 D8E6D5BD 00000000 00000000
D9D60000 D9E6E3DA D7D9E600 DDEADDD9 E800DBE2 BB00D9DC CCC9CCCF BDC3CEBB
ABCEBFC5 000000AB 00000000 00000000
Sum: 5DFDA06E
Final Checksum: FE6B

It should give 85 FC instead.... Is there any information on Taka's website regarding the blocks we should use to calculate the checksum?

Guest Posted August 25, 2015

Damn. I really messed up in my tutorial. You're quick! I already thought about writing a script. Would be cool if you could give the Java script to me.

Unfortunately my Japanese is not good enough to understand everything he wrote there. But if you like you could use Google Translate to check it out. Maybe I missed something? I've read it many times but it's still confusing.

https://translate.google.com/translate?sl=ja&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fweb.archive.org%2Fweb%2F20080106083812%2Fhttp%3A%2F%2Fwww.h6.dion.ne.jp%2F~taka.999%2Fpage002.html&edit-text=

I still don't know yet how the blocks are added together exactly. There must be more steps to the actual checksum...

lostaddict Posted August 25, 2015

For anyone who is interested, here is the script:

The file contains the source code, a jar file that you can run from the command line and the legit Aurora Wonder Card. To run it open a command prompt and type:

java -jar ComputeChecksum.jar WonderCard.bin

You should see the results in the output :smile: Make sure you have Java installed on your computer...

PS: Google Translate is not so good with Japanese...

ComputeChecksum.rar

Guest Posted August 25, 2015 (edited)

Thanks! I will play around with this later. Eventually I will get the right checksum, who knows.

Yeah, the translation is horrible. But unfortunately this is the only source we have. I don't know why the Spanish-speaking guys make such a big secret of this, would be cool if they shared more with us.

Btw. you could be right about your guess with the Event Type, but I'm not sure... I also paid attention to this part of the code. At first I thought this could be the value that determines the color of the card. Because it's exactly the same values in the Japanese versions. The weird thing is the value which you guessed could be for the color. In the Aurora Wonder Card we have, the value is "08" but in Morfeo's code it's "88". I will check later what it is in the Japanese Versions the save file. I wanted to see it in the RAW codes which I converted and to my surprise... this part is entirely missing there... Or maybe it's on a different offset and I just couldn't find it. Some small notes...

EDIT: About Checksums, thanks to BlackShark's Thread I found this here on Bulbapedia: http://bulbapedia.bulbagarden.net/wiki/Save_data_structure_in_Generation_III#Checksum

Checksum
Used to validate the integrity of saved data. A 16-bit checksum generated by adding up bytes from the section. The algorithm is as follows:
Initialize a 32-bit checksum variable to zero.
Read 4 bytes at a time as 32-bit word (little-endian) and add it to the variable. The number of bytes to process in this manner is determined by Section ID.
Take the upper 16 bits of the result, and add them to the lower 16 bits of the result.
This new 16-bit value is the checksum.

Edited August 25, 2015 by ajxpkm

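The sum-and-fold checksum quoted from Bulbapedia above, as an added example (not code from the thread or from lostaddict's script). The function names are hypothetical; the sample bytes are the eight words of the tutorial example written in little-endian byte order, and the `byte_order` parameter exists only to show how a byte-order slip changes the result.

```python
import struct


def section_sum(data: bytes, byte_order: str = "<") -> int:
    """Add the data up as 32-bit words, wrapping at 32 bits."""
    if len(data) % 4:
        raise ValueError("data length must be a multiple of 4 bytes")
    total = 0
    for (word,) in struct.iter_unpack(byte_order + "I", data):
        total = (total + word) & 0xFFFFFFFF  # emulate a 32-bit variable
    return total


def fold16(total: int) -> int:
    """Add the upper 16 bits to the lower 16 bits and keep 16 bits."""
    return ((total >> 16) + (total & 0xFFFF)) & 0xFFFF


def section_checksum(data: bytes, byte_order: str = "<") -> int:
    return fold16(section_sum(data, byte_order))


def matches_stored(data: bytes, stored: bytes) -> bool:
    """Compare against a checksum stored low byte first (e.g. 8E B1)."""
    return section_checksum(data) == int.from_bytes(stored[:2], "little")


# The tutorial example from the thread, as the bytes appear in the file:
# E8 03 FF FF is read as the word 0xFFFF03E8, and so on.
SAMPLE = bytes.fromhex(
    "E803FFFF 00000000 08000000 00000000"
    "00000000 BBCFCCC9 CCBBCEC3 BDC5BFCE"
)

if __name__ == "__main__":
    print(f"Sum:            {section_sum(SAMPLE):08X}")
    print(f"Final checksum: {section_checksum(SAMPLE):04X}")
    # Reading the same bytes big-endian gives a different checksum.
    print(f"Big-endian:     {section_checksum(SAMPLE, '>'):04X}")
```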
BlackShark Posted August 26, 2015

Checksum is calculated for the area from 0x56C to 0x6BB, so exactly 336 Bytes. The bytes before and after that location won't corrupt the wc if you edit them. Though there's a second part a few offsets after the first one which also belongs to the wondercard event. That one also should have its own checksum.

The checksum should be included in the said area. But somehow I believe it's computed differently to what Taka is talking about. The algorithm he mentioned is exactly the same as the one used to validate each save section. There are at least two other algorithms used for checksums (one for pkm data, the other for injected e-Reader trainer data). The one used to validate save data as well as the other two don't seem to match here. If I didn't make a mistake I would guess the checksum is different in this case.

lostaddict Posted August 26, 2015

> About Checksums, thanks to BlackShark's Thread I found this here on Bulbapedia: http://bulbapedia.bulbagarden.net/wiki/Save_data_structure_in_Generation_III#Checksum

This is the exact same algorithm we have already implemented. If you run the algorithm on the block containing the wonder card data (using all block data) then it gives the correct checksum that you can add at the footer of the block. This resolves the corrupted file issue when you inject the wonder card code in the .sav file. I have already tested it and it works OK :biggrin:

NOW THE REALLY GOOD NEWS:

Morfeo has left behind actual instructions on how to compute this checksum... It's in a .rar file that is supposed to contain all the information needed to implement wonder card functionality and generate the AR Codes... I have had this since yesterday and the algorithm is already implemented. :wink: But while it works perfectly on his example, it does not work on the actual wonder card data... :rolleyes:

I will post more details on this later today...

Guest Posted August 26, 2015 (edited)

This is really great information, thanks for the effort. Unfortunately I'm at a loss, got nothing new to share. I tried every type of checksum computing I know, none of them is fitting into this. I really hope we can get some more information, it could save us a lot of time.

> NOW THE REALLY GOOD NEWS: Morfeo has left behind actual instructions on how to compute this checksum... It's in a .rar file that is supposed to contain all the information needed to implement wonder card functionality and generate the AR Codes... I have had this since yesterday and the algorithm is already implemented. But while it works perfectly on his example, it does not work on the actual wonder card data... I will post more details on this later today...

I'm excited to hear more about the rar archive you got, lostaddict. Where did you find it? It's good to know Morfeo left something for us. I'm very interested!

> Checksum is calculated for the area from 0x56C to 0x6BB, so exactly 336 Bytes. The bytes before and after that location won't corrupt the wc if you edit them.

Thanks for confirming this. So with this at least we know that we have the right bytes for the calculation process.

> Though there's a second part a few offsets after the first one which also belongs to the wondercard event. That one also should have its own checksum. The checksum should be included in the said area.

You're right, there's a 2nd block for the Script a few offsets later with another checksum. But for now it's all about the Wonder Card itself. And btw. one thing that was coming through my mind about this... I think we also should look how things in the Rom are working when it comes to Scripts. I wouldn't be too surprised if there are some similarities. The same goes for the Wonder Card. I wonder if Mails have checksums, too... just for an example. I thought about this also because the Mail text is not saved in the 100-byte structure of a Pokémon but somewhere else. But this is just a wild theory of course...

> But somehow I believe it's computed differently to what Taka is talking about. The algorithm he mentioned is exactly the same as the one used to validate each save section.

Yeah, I realized this yesterday when I found the Bulbapedia article and after reading the diary again. Sorry, this was my fault. The only thing Taka was mentioning is how to compute the checksums for the save sections, not the one we try to understand. I think I got confused because he showed the text part offset in his diary. But this diary was just about how he managed to inject an original Wonder Card. (Without editing.) He wasn't saying anything about editing the text from the card and later in the diary all he talked about was just the corrupt save file. I know they managed to do this tho', because some of the Wonder Cards are customized. Anyway, I think the Japanese site won't help us much more since this is all the information they shared.

Edited October 17, 2015 by ajxpkm

BlackShark Posted August 26, 2015

> You're right, there's a 2nd block for the Script a few offsets later with another checksum. But for now it's all about the Wonder Card itself.

The second block from 0x8B0 to 0xC93 (996 Bytes) has to be validated too. Otherwise the wondercard gets corrupted. Probably there's a checksum for both together.

Guest Posted August 26, 2015

A checksum for both together? That could make sense. Haven't thought about this yet. Now I hope lostaddict will share what he got with us soon.

lostaddict Posted August 26, 2015

OK so here is what I have regarding the info and the algorithm Morfeo left behind:

1) General Information:

As we already know there are 2 relevant data blocks for each Wonder Card. At the beginning of each of those 2 blocks there is a key (checksum value) which is 4 Bytes

Wonder Card Data (332 bytes)
Green Man Script (1000 bytes)

2) Algorithm Information

The algorithm seems to use the same method that the rom uses to encrypt things... Before proceeding with the actual algorithm there are 2 things that need to be defined: what is "Seed" and what is "Tab".

"Seed" is a 2 byte value that is computed in each step of the algorithm and used as input to the next step. Initial value of "Seed" is always "8530"

"Tab" is an index value. This points to a 2 byte value that can be found in a file. This file is actually a lookup table. You look at a specific address and you retrieve the specific value to use it in the algorithm...

According to Morfeo it is really important to group the file data in "tabs". Each tab has 2 bytes.

More info on how the Tabs are created:

So if the tab file contains the following data

00 00 00 01 0F CF E0 17 30 01 0F 00 B0 19 30 2D

The tabs should be:

00 00 Tab 0
00 01 Tab 1
0F CF Tab 2
E0 17 Tab 3
30 01 Tab 4
0F 00 Tab 5
B0 19 Tab 6
30 2D Tab 7

The Tab file is provided by Morfeo (tab.bin). I did some searching to find its origin... The data in the file seems to be part of the actual rom (I found it in both Emerald and Green Leaf roms). That's why I assume that this is the same method of encryption the game itself uses...

3) The Algorithm

2 More definitions:

"upperSeed": The upper 2 bytes of the "Seed"
"reverseTab": The reverse value of the "Tab" (if Tab value is XXYY the reverse is YYXX)

For Each Byte:
    Tab Index = (Current Byte XOR "Seed") AND 0xFF
    Tab Value = Value at position "Tab Index" in tab.bin file
    newSeed = reverseTab XOR upperSeed
End For

Tab Values for the Example:

Offset   Data  ##Tab
00000000 00 00 00Tab
00000002 00 01 01Tab
00000004 0F CF 02Tab
00000006 E0 17 "03Tab" <-- 1st Byte
00000008 30 01 04Tab
0000000A 0F 00 05Tab
...
00000130 10 06 98Tab
00000132 00 10 99Tab
00000134 01 ED "9ATab" <-- 2nd Byte
00000136 10 1C 9BTab
00000138 51 2F 9CTab
...
00000160 00 BB B0Tab
00000162 0B B0 B1Tab
00000164 17 B0 "B2Tab" <-- 4th Byte
00000166 EF 50 B3Tab
00000168 17 D0 B4Tab
...
000001CE 20 BF E7Tab
000001D0 A0 2F E8Tab
000001D2 A0 30 "E9Tab" <-- 3rd Byte
000001D4 17 20 EATab
000001D6 1A F0 EBTab

Example: Input Data "33 FF FF FF"

Step 1: "33" FF FF FF
8530 ^ 33 = 8503 & 0xFF = 03
Tab03 = E0 17
17E0 ^ 85 = 1765
newSeed = 1765

Step 2: 33 "FF" FF FF
1765 ^ FF = 179A & 0xFF = 9A
Tab9A = 01 ED
ED01 ^ 17 = ED16
newSeed = ED16

Step 3: 33 FF "FF" FF
ED16 ^ FF = EDE9 & 0xFF = E9
TabE9 = A0 30
30A0 ^ ED = 304D
newSeed = 304D

Step 4: 33 FF FF "FF"
304D ^ FF = 30B2 & 0xFF = B2
TabB2 = 17 B0
B017 ^ 30 = B027
newSeed = B027

Once all the calculations for all the bytes are made we need to compute the final "Key" value which is the actual checksum. This is how this is done:

a. Get the Last Seed the algorithm computed.
b. Convert it to binary.
c. Replace "zeros" with "ones" and "ones" with "zeros"
d. Convert back to hex

Example:
B027 ---> 1011 0000 0010 0111
4FD8 ---> 0100 1111 1101 1000
"Key" = 4FD8
In sav file: D8 4F 00 00

4) Where is this information coming from?

Morfeo left behind this information for those who actually care enough to mess with his codes... If you check closely in a .sav file that contains a Morfeo Wonder Card, you should find some bytes that translate to a URL... From that URL you can download a .rar file containing: a .txt file with the above instructions in Spanish and the tab.bin file for the encryption... Also you can find some other thoughts of Morfeo regarding why he is not sharing this information... :rolleyes:

5) Implementation of the algorithm

I implemented this yesterday... I'm planning to provide it later. As I have already explained, while it works perfectly on the example, when it comes to the actual wonder card data, it fails to give the correct checksum... It can be either a code bug, a wrong initial "Seed" value or missing data from the "tab.bin" file... Hopefully it is a code bug since we don't have more info on the other 2 factors (initial seed and tab.bin file) that may affect the result...

Enjoy :biggrin:

Guest Posted August 26, 2015

Interesting stuff. Thanks for the explanation... So I was not so wrong with my thought that we could find the answer in the ROM. Now we just have to find out why you couldn't get the right checksum for the Wonder Card. I think we're close to it.

lostaddict Posted August 27, 2015

OK, I have checked my code and I'm 99% sure that my implementation is correct. So at the moment I have reached a dead end... :confused:

I'm posting below the URL to the original archive from Morfeo. You can take a look at it, maybe I'm missing something regarding the algorithm...

Also here is how I found the archive with the algorithm info in the first place (it's part of a save file that contains Morfeo's aurora ticket):

Here is the complete text in Spanish:

.NOTA No muestro a nadie el mé todo para crear Wonder Cards, por lo que no respondo a esas preguntas. Pero si tienes los conocimientos necesarios y sobre todo SENTIDO COMÚN, tal vez puedes merecer la última pieza para lograrlo en: galeon.com/albumpokemon/llaveWC.rar

Also here are the results of my implementation running Morfeo's example:

Step 1:
Input Byte: 33
Tab index: 3(0x3)
Tab value: E017
Tab value reverse: 17E0
New Seed: 1765
New Alta Seed: 17
----------------------------
Step 2:
Input Byte: FF
Tab index: 154(0x9A)
Tab value: 01ED
Tab value reverse: ED01
New Seed: ED16
New Alta Seed: ED
----------------------------
Step 3:
Input Byte: FF
Tab index: 233(0xE9)
Tab value: A030
Tab value reverse: 30A0
New Seed: 304D
New Alta Seed: 30
----------------------------
Step 4:
Input Byte: FF
Tab index: 178(0xB2)
Tab value: 17B0
Tab value reverse: B017
New Seed: B027
New Alta Seed: B0
----------------------------
Final Seed: B027
Binary Conversion:
0xB027 --> 1011000000100111
0x4FD8 <-- 0100111111011000
Save File Checksum: D8 4F

And the results when running it on the actual Wonder Card data (the last step):

New Seed: F018
New Alta Seed: F0
----------------------------
Step 332:
Input Byte: 00
Tab index: 24(0x18)
Tab value: 6130
Tab value reverse: 3061
New Seed: 3091
New Alta Seed: 30
----------------------------
Final Seed: 3091
Binary Conversion:
0x3091 --> 11000010010001
0x0F6E <-- 00111101101110
Save File Checksum: 6E 0F

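The table-driven checksum from lostaddict's description and from the trace above, as an added example (not Morfeo's or lostaddict's code). tab.bin is not reproduced on this page, so the table holds only the four entries the worked example touches; the function names are hypothetical, and "upperSeed" is taken as the high byte of the seed, which is how the worked steps use it.

```python
INITIAL_SEED = 0x8530  # initial "Seed" given in the description

# File bytes of the four tabs the worked example uses (tab index -> 2 bytes).
# Assumption: a real run needs all 256 entries of tab.bin, loaded with
# split_tabs() below.
EXAMPLE_TABS = {
    0x03: bytes.fromhex("E017"),
    0x9A: bytes.fromhex("01ED"),
    0xE9: bytes.fromhex("A030"),
    0xB2: bytes.fromhex("17B0"),
}


def split_tabs(raw: bytes) -> dict:
    """Group tab-file bytes into 2-byte tabs keyed by tab index."""
    if len(raw) % 2:
        raise ValueError("tab data must be an even number of bytes")
    return {i // 2: raw[i:i + 2] for i in range(0, len(raw), 2)}


def reverse_tab(tab: bytes) -> int:
    """File bytes XX YY -> value 0xYYXX (the "reverseTab")."""
    return int.from_bytes(tab, "little")


def step(seed: int, byte: int, tabs: dict) -> int:
    """One input byte: look up the tab, XOR with the seed's high byte.

    This has the shape of a byte-at-a-time, table-driven CRC-16 update.
    """
    index = (byte ^ seed) & 0xFF
    if index not in tabs:
        raise KeyError(f"tab 0x{index:02X} is not in the supplied table")
    return reverse_tab(tabs[index]) ^ (seed >> 8)


def run(data: bytes, tabs: dict, seed: int = INITIAL_SEED) -> list:
    """Return the seed after every input byte, in order."""
    seeds = []
    for byte in data:
        seed = step(seed, byte, tabs)
        seeds.append(seed)
    return seeds


def final_key(seed: int) -> int:
    """Flip all 16 bits of the last seed.

    The width is fixed at 16 bits so leading zero bits are flipped too:
    0x3091 becomes 0xCF6E (dropping the two leading zeros before
    inverting would give 0x0F6E).
    """
    return ~seed & 0xFFFF


def key_field(key: int) -> bytes:
    """The 4-byte key as stored in the save, low byte first."""
    return key.to_bytes(4, "little")


def checksum(data: bytes, tabs: dict, seed: int = INITIAL_SEED) -> int:
    seeds = run(data, tabs, seed)
    return final_key(seeds[-1] if seeds else seed)


if __name__ == "__main__":
    data = bytes.fromhex("33FFFFFF")  # worked example input
    for n, s in enumerate(run(data, EXAMPLE_TABS), start=1):
        print(f"Step {n}: newSeed = {s:04X}")
    key = checksum(data, EXAMPLE_TABS)
    print(f"Key = {key:04X}, in sav file: {key_field(key).hex(' ').upper()}")
```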
BlackShark Posted August 27, 2015

Wow, I didn't expect they used something as complicated as this to validate the wondercard data. I also tried calculating the checksum the way Morfeo described it. But I'm getting a false checksum as well, even though it's correct for the example. I doubt the problem is the initial seed. I looped my function through all values from 0 to 0xFFFF (which could have been an initial seed) without getting a matching checksum. I also don't think the tab.bin is incomplete. With the given algorithm you could only get values from 0 to 0xFF, the file contains 256 values. In the worst case both the initial seed and the algorithm are wrong...

Guest Posted August 27, 2015 (edited)

Same here. I always get wrong results. To be honest, I don't trust Morfeo... After reading his note in the txt file I thought there is no way he would hand out everything. If you ask me, he didn't give us the full algorithm. If we're lucky there is only 1 step missing or a built-in error. I think the hint in the save file says it all:

.NOTA No muestro a nadie el mé todo para crear Wonder Cards, por lo que no respondo a esas preguntas. Pero si tienes los conocimientos necesarios y sobre todo SENTIDO COMÚN, tal vez puedes merecer la última pieza para lograrlo en: galeon.com/albumpokemon/llaveWC.rar

He talks about earning the last piece. I think this is a challenge... But where is the key to solve this puzzle?

I also hoped it's maybe just a false initial seed. That's what I wanted to try next, but since BlackShark already tried it... The bin file seems ok, too. I will check more about this later because there are still open questions. Now I'm already reaching my limit. What could we try next? Change the algorithm? I think the step with the binaries (changing 0s to 1s and 1s to 0s) is a bit awkward. Looks suspicious IMO even tho' I have seen this before. Just my feeling. What else could we change? We should try everything possible we could do with this. If this doesn't help I think there's more research to do. I want to avoid making it too complicated, if nothing is left it's all about trial and error.

As mentioned before, I got this feeling that the key is in the Rom itself. We have to consider Rom Research as an option. I already try to get information about the checksum validations inside the Rom. It's just a bit difficult to get exact information about them, maybe it's better to ask someone who knows about this well. If we could find something that sounds similar to Morfeo's Algorithm this would be great.

And I have another idea. What about the e-Cards? The e-Card Events work in a very similar way to the Mystery Gift Events. They are also temporarily saved, I guess even in the same locations as our Mystery Gift Events. There was another Thread on the Board about this Topic which btw. inspired me to open this one here.

EDIT: Some more information regarding the Japanese Wonder Cards from the Tools. While looking a few years back on Taka's Page, I found some interesting stuff he mentioned...

http://web.archive.org/web/20040929044716/http://www.h6.dion.ne.jp/~taka.999/index.html

コメント:FR/LGのチケット差分修正進行状況。09/27時点ようやくSUMチェックルーチンロジック解析完了。データ改変開始。

ROM内テキストで注目すべき内容 − 詳細不明 −

ふしぎなおくりもの ごりよう いただき ありがとう ございます! どうぞ ポケモンセンター から この ポケモンの たまごを プレゼントいたします! だいじに そだてて ください!

ふしぎなおくりもの ごりよう いただき ありがとう ございます この ふしぎなカードを もっていると フレンドリーショップの アンケートで いろいろな トレーナーを ルネシティに よぶことが できますよ! ‥‥ないしょで ひとつ アンケートの あいことばを おしえて あげましょう 「すごい トレーナー くれ くれ」 このことばを アンケートに かいて ぜひ ジョイスポットと つうしんして みてください!

ふしぎなおくりもの ごりよう いただき ありがとう ございます ルネシティに トレーナーが きている ようですよ ぜひ たいせんを たのしんで くださいませ! ほかの あいことば でも べつの トレーナーが よべますので あいことばを いろいろと さがして みて ください

ふしぎなおくりもの ごりよう いただき ありがとう ございます おめでとう ございます! ただいま たいせんで 3しょうした トレーナーには プレゼントを さしあげて います! これからも どんどん たいせんを たのしんで ください!

ふしぎなおくりもの ごりよう いただき ありがとう ございます さいきん 103ばんどうろ にある へんげのどうくつで めずらしい ポケモンが でる という うわさが ながれてる ようです ぜひ いって たしかめて みては いかがで しょうか?

ふしぎなおくりもの ごりよう いただき ありがとう ございます ????? さま ですね あなたさま あてに この かいずが おくられて きました ミナモシティの ふなつきば で つかえる ようですね ぜひ ごりよう してみては いかがでしょうか?

Translation powered by Google Translate:

Comments: FR / LG tickets differential correction progress. 09/27 point finally SUM check routine logic analysis completed. Data modification start.

Content that should be noted in the ROM within the text - unspecified -

Gift Thank you for using a strange! We will present the eggs of this Pokemon from please Pokemon Center! Please grow cherish!

Thank you for mysterious gift for your use In it is and friendly shop of the questionnaire have this mysterious card You can call a variety of trainer to Runeshiti! We'll tell the watchword of one questionnaire in ‥‥ secret "Let me give me great trainer." By all means communicate with Joy spot to write these words to the questionnaire please look!

Thank you for mysterious gift for your use It seems trainer has come to Runeshiti Please do not miss enjoying the War! The other watchword because trainer on another is can call even watchword Please try variously looking

Thank you for mysterious gift for your use congratulations! You can get a gift to the 3 award was trainer at War We give! Please do more and more enjoying the competition in the future!

Thank you for mysterious gift for your use Recently rare in altering cave in 103 Bando filtration It seems that rumors Pokemon comes out A how to fire fighting and try to make sure it all means go?

Thank you for mysterious gift for your use ? ? ? ? ? It is sama This chart has been sent to your customers addressed It seems to use in wharf of Minamoshiti Why not by all means try to use?

He's said that he starts the modification of the Wonder Card. He found several Texts in the Rom which seem to be connected to the Mystery Gift feature. One is for an Egg Present, another one for the Trainer Room in Sootopolis City, one for the Altering Cave and the last one for the Old Sea Map. That's how he came to the idea about making custom Wonder Cards. As you can see this was in September 2004. It was a bit later after he wrote the diary where he dumped the Aurora Ticket and the Mystic Ticket and created the first tool. It also explains why one of the Old Sea Map Wonder Cards is blue, because the Old Sea Map wasn't distributed yet and it also explains the other custom WCs from the Tools and PAR Codes.

Edited August 28, 2015 by ajxpkm

BlackShark Posted August 28, 2015 (edited)

About the e-card data. It is different to the wondercards as far as I know. The Eon Ticket e-card doesn't have a wondercard and no checksum. Also it is saved to another location which is in section 3. I successfully changed that text without validation needed.

The e-Reader trainer data in section 0 is validated by a checksum which is very similar to the one that's used for the save. It is a 32 bit sum of the data summed up as half-words (2 bytes).

The e-Reader berries are in section 4, they should be validated as you can see in this thread http://projectpokemon.org/forums/showthread.php?31210-Index-numbers-of-the-eReader-berries&p=171472&viewfull=1#post171472

I haven't looked into it yet. So I don't know if it could help with wondercard checksums.

Edited August 28, 2015 by BlackShark

Guest Posted August 28, 2015

I'm sorry... was a bit lazy today... Thank you so much for all the information. Especially the enigma berry e-card checksum looks very interesting to me. But it needs some dmp files. I'm curious about the content of these files. It's definitely worth checking out. Even tho' I can't tell if this really is what we need just by the look of it. It's a complex routine too, but different than what we have from Morfeo. Still... very interesting.

Currently I try to get some information about the Rom. Hopefully to find more information about all the checksum validations the game makes use of... but I couldn't get much information yet.

There's a hack which caught my attention. The name is CrystalDust. It even has hacked Wonder Cards as you can see here: [video=youtube;rbuO7dMWqEg] Maybe the creator knows something about the checksum or he just has set the checksum validation off. It's a hack after all. But I wanted to post this for those who like hacks. Funny stuff...

lostaddict Posted August 30, 2015

Not much but here are some new findings...

In the Delivery Man Script:

33 FF FF FF B8 58 02 00 08 6A 5A 2B 3A 01 BB 01
BC 02 00 08 2B AD 01 BB 01 BC 02 00 "08 47 73 01"
01 00 21 0D 80 01 00 BB 01 BC 02 00 08 BD C5 02
00 08 66 6D 46 73 01 01 00 21 0D 80 00 00 BB 01
B3 02 00 08 1A 00 80 73 01 1A 01 80 01 00 09 00
29 D5 08 29 3A 01 BD 22 03 00 08 66 6D 6C 02 BD
B3 03 00 08 66 6D 6C 02 BD 86 03 00 08 66 6D 6C
02 CE DC D5 E2 DF 00 ED E3 E9 00 DA E3 E6 00 E9
E7 DD E2 DB 00 E8 DC D9 00

This is the location of the item he delivers. The first 2 bytes are always the same. The other 2 are the hex value of the in-game item... So theoretically you can change this value to put any item you want...

08 47 72 01 - Mystic Ticket
08 47 73 01 - Aurora Ticket
08 47 78 01 - Old Sea Map

And some new colors (I messed around with the Japanese cards):

0C --> Green
12 --> Blue

Wish we had a way to figure out how to compute that checksum... :rolleyes: Is there any tool that we can use to find the actual function used for encryption/decryption in the rom? If we can find that function maybe we can reverse engineer it...

Edit: Also for some reason the Japanese cards are much smaller... This is the complete Japanese Aurora Card:

E8 03 FF FF 00 00 00 00 08 00 55 AE 7B 77 61 59
A0 64 00 1B 07 06 04 00 56 AE 95 00 A3 A1 A1 A5
00 01 07 00 00 00 00 00 00 8A AE 71 2D 00 1A 3D
22 13 00 9F 59 73 7E 5E 7E 60 AE 19 00 A3 06 02
1D 00 02 0A 03 AB 00 55 AE 7B 77 61 59 A0 64 2D
00 23 27 03 0A 14 37 00 44 07 29 26 AB 00 00 00
00 00 00 00 00 61 59 A0 64 2D 00 23 27 50 10 27
00 0D 39 7A 9F AE 64 AB 00 61 59 A0 64 2D 00 23
27 03 1F 04 16 00 0A 19 56 AE 95 2D 00 0D 13 15
02 44 00 08 41 0B 02 AB 00 00 00 00

Guest Posted August 30, 2015 Share Posted August 30, 2015 (edited) 33 FF FF FF... Wait a minute... these values look pretty familiar! Aren't these exact the same values like in Morfeo's example? O_O I have a guess... Maybe we should try to compute the checksum for the script first, the checksum could be the seed for the Wonder Card checksum. Just an idea... I can't try it in the moment so it would nice if someone else could do this. About the Japanese Wonder Cards, they need less space because Hiragana & Katana are based on syllables and therefore need less characters. Maybe they just reserved more space for the Wonder Cards in the west because they needed more space for the text... These are good informations lostaddict, thank you so much. Some great NEWS I also have something to share, something very interesting regarding the Wonder Card Egg Events. One of the Egg Events of the Tools from the Japanese Site which I mentioned before was a an obvious hack. Inside the Egg was an Pichu with Surf, the PID method was A-B-D-E. The cool thing is, it's not always the same Egg you get, it's generated right when you pick it up. Everytime I picked up the Egg from the 2F Guy in the Pokémon Center the PID and IVs was different. So it's possible to RNG here. On the Site there is another Tool for the PokéPark Egg Event which seems pretty legit. Even Taka said he didn't went to this Event and just reconstructed it, he did a great job, the Wonder Card matches exactly the one from the official Page. He has found the script before during is his research as you can see in my post above. You can find this Tool here and here are the PAR Codes for them. In this Tool you can simply chose which of the Eggs you want, which is pretty cool. But one thing that got me really interested about is the PID method. I was always sure that the method for the PokéPark Eggs is "Common GBA (Restricted"). But then I found this Thread and this Thread in the forum. 
In fact, every Egg I picked up had the PID method A-B-D-E. Which confirms that all the Eggs from the Mystery Gift Events made use of this Method. Since this whole script is an exact replica of the Original Egg Events and I guess it's found somewhere inside the ROM. But this doesn't mean that all GBA Common Eggs are hacks. I also have a theory why some of the PokéPark Eggs are B-A-C-D (Restricted).

And this is maybe why this is a bit confusing... According to Bulbapedia they were also distributed to Ruby & Sapphire, which didn't have the Mystery Gift System. So the PID & IV were generated by the Distribution System and in their case just like other Events GBA Common (Restricted). But for FireRed, LeafGreen and Emerald, when they were downloaded through the Mystery Gift System, they were generated in-game and GBA Uncommon.

This is huge because it means we could basically reconstruct the PCJP2004 Event and, if we manage to find the script in English, even the PCNY/Wish Event as an addition to the Ticket Events. But I can't promise it at this point. For this it would be good to know if they had Wonder Cards as well. From my understanding of the functionality of the Mystery Gift Events they should. But there is still a lack of information, and if I recreate these Events I would like to make them as legit as possible. If someone has information about this, please post it to this Thread. Thank you.

Edited August 31, 2015 by ajxpkm
King Impoleon Posted August 30, 2015

And this is maybe why this is a bit confusing... According to Bulbapedia they were also distributed to Ruby & Sapphire, which didn't have the Mystery Gift System. So the PID & IV were generated by the Distribution System and in their case just like other Events GBA Common (Restricted). But for FireRed, LeafGreen and Emerald, when they were downloaded through the Mystery Gift System, they were generated in-game and GBA Uncommon.

In Ruby and Sapphire they are directly transferred into a free Team place (as then my 10JAHRE/Aura).

This Tool didn't work?! If I download the tool and use it, it doesn't show me the AR code... And what does he mean with: PAR and アドレス 02026950 XX?

Is it then possible to create a SLOT 2 Wireless Distribution to send the Tickets?
Guest Posted August 30, 2015

In Ruby and Sapphire they are directly transferred into a free Team place (as then my 10JAHRE/Aura). This Tool didn't work?! If I download the tool and use it, it doesn't show me the AR code... And what does he mean with: PAR and アドレス 02026950 XX? Is it then possible to create a SLOT 2 Wireless Distribution to send the Tickets?

Yes, all Events that were compatible with all 5 games were generated from the distribution device and then transferred directly to the Team, just like the first Event Pokémon for Ruby & Sapphire. The PokéPark Eggs had the additional option to be transferred via Wireless Adapter, just like PCJ2004 and PCNY Wish were distributed.

The Codes are actually here, not in the Tool. It's patching the Wonder Card into the save file just like the other Tools. Please keep in mind that this only works with Japanese Versions.

It's the RAM Address for the flag. If you want more Eggs you can set the flag back to 0xEF. (-10h) But this only works with Anti DMA Code.

About the other question. No... I'm sorry... this would be impossible. I'm not planning to make Tools for Flash Cards if that's what you mean. I would love to have distribution cartridges, then we could make something like this. But they're very rare and expensive.

EDIT: I updated the starting post and uploaded some Wonder Card screenshots.

Edited August 31, 2015 by ajxpkm
lostaddict Posted August 31, 2015

I did some research on Morfeo's Algorithm. It's a CRC16 checksum algorithm with a lookup table. It seems to be a common checksum computation algorithm. The bad thing is that there are a lot of variations of the algorithm... Including custom lookup tables (using different polynomials to generate them), in some cases different computation functions (but similar ones) and even different initial CRC values (seed)...

E-Reader uses a similar algorithm (CRC32) for checksum computation. Here you can find very interesting information regarding E-Reader and an implementation of the CRC32 algorithm (under technical details): https://www.caitsith2.com/ereader/index.htm

I think we should try to use the same algorithm and in our case... You never know...

EDIT (1/9/2015): No news on the checksum, but here is some text I found regarding the Delivery Man dialog:

Egg:

Thank you for using the MYSTERY GIFT System. From the POKéMON CENTER we have a gift - a POKéMON EGG! Please raise it with love and kindness.

Oh, your party appears to be full. Please come see me after storing a POKéMON on a PC.

Tickets:

Thank you for using the MYSTERY GIFT System. You must be {RED}. There is a ticket here for you. It appears to be for use at the VERMILION CITY port. Why not give it a try and see what it is about?

Thank you for using the MYSTERY GIFT System. Oh, I’m sorry, {RED}. Your BAG’s KEY ITEMS POCKET is full. Please store something on your PC, then come back for this.

Altering Cave:

Thank you for using the MYSTERY GIFT System. Recently, there have been rumors of rare POKéMON appearances. The rumors are about ALTERING CAVE on OUTCAST ISLAND. Why not visit there and check if the rumors are indeed true?

And some really interesting ones:

Thank you for using the MYSTERY GIFT System. By holding this WONDER CARD, you may take part in a survey at a POKéMON MART. Use these surveys to invite TRAINERS to the SEVII ISLANDS.
…Let me give you a secret password for a survey: “GIVE ME AWESOME TRAINER” Write that in on a survey and send it to the WIRELESS COMMUNICATION SYSTEM.

Thank you for using the MYSTERY GIFT System. A TRAINER has arrived in the SEVII ISLANDS looking for you. We hope you will enjoy battling the visiting TRAINER. You may invite other TRAINERS by entering other passwords. Try looking for other passwords that may work.

Thank you for using the MYSTERY GIFT System. Your BATTLE COUNT CARD keeps track of your battle record against TRAINERS with the same CARD. Look for and battle TRAINERS who have the same CARD as you. You may check the overall rankings by reading the NEWS. Please do give it a try!

Thank you for using the MYSTERY GIFT System. Congratulations! You have won a prize for winning three battles! We hope you will be inspired to battle some more.

Old Sea Map (Emerald):

MYSTERY GIFT System. Let me confirm--you are [PLAYER]? We received this OLD SEA MAP addressed to you.

Source: http://iimarck.us/dumps/dfirered.txt

Edited September 1, 2015 by lostaddict
Guest Posted September 1, 2015

These are really great finds! All the scripts Taka mentioned before on the website... Guess they were meant to be templates for the planned future Events. It's unbelievable that they scrapped almost all of their plans... Making the Altering Cave a relict of a scrapped feature and a place of myths. Very interesting to see that they even all got translated. Good for us. You even found the Egg Script which I would need to recreate the PCNY Wish Event. Pretty cool! Thanks.

I wonder if there's some text for the Wonder Cards as well... I have this theory because Taka predicted the Texts of the Wonder Cards perfectly, which you can see by comparing the Wonder Card of his ("Fantasy") Pokémon Egg Event, which was released earlier by him through his tool, with the one from the PokéPark Egg Event, which was distributed later. It's impossible to predict this, so I think there could be more text in the game. When I have more time I will see if I can find them in the ROMs. We also need more text for the other languages as well.

Update

Unfortunately there's not much new from my side. I wished I could show some first results by now, but without the checksum we can't do anything. Most of my time on this project I spent with this damn checksum, and I think it will take a while until we have solved it... If there's anyone who knows anything about this checksum routine, please let us know. Knowing how this checksum validation works would be necessary to make a tool such as a Wonder Card Editor, for example. However, we may not be able to do this anytime soon.

But even without the algorithm there's still some hope that we could make some progress. A few days ago I contacted Diegoisawesome, the creator of the CrystalDust romhack. He told me that there is a way to work around it; with this we could at least be able to create Wonder Cards.
I'm thinking about distributing them as PAR codes, or maybe we could make a little injection tool. We'll see what this brings in the future. I hope to get more information about this and I can't wait to deliver something fruitful for this project. Until then... Stay tuned...
Hidraslick Posted September 11, 2015

Hey guys, I created my account just to thank you, because I now have more knowledge about how these games work. I have 3 questions:

1. Have you made any progress in general?
2. In the save file that was posted before I saw one thing that is impossible as it is: there is an event Ageto Celebi unmodified from the Japanese Colosseum bonus disc. Does this mean that it would be possible to actually replicate the Japanese Celebi event as a Wonder Card to use it on non-Japanese versions?
3. Could you please make a save from the previous save, but one that could work for wireless transfer? An idea could be to make save files that allow access to the Nintendo official events by trading Wonder Cards instead of using Action Replay codes. That would be awesome.
lostaddict Posted September 11, 2015

That's the point of this topic, to share the knowledge...

Regarding your questions:

1. Personally I haven't made any actual progress... I was really busy in the past days, but I took a look at the function that validates the checksum in the FireRed ROM. I have some info to share (see the rest of the post).
2. I had the impression that you can link Japanese Colosseum with English GBA (but I'm not sure... maybe I'm wrong).
3. That is the ultimate target of this thread... To create some save games that can be used to distribute those events. If we find a way to solve the checksum issue, then this is possible...

Now some new info... ajxpkm sent me a link a few days ago with a description of a function in the FireRed ROM that does what we are actually trying to do... That function reads a checksum value from 2 different places and tries to validate it with some data with lengths of 332 and 1000 bytes each... I took a look at the assembly code and I found several pieces of evidence that this is actually the correct function. For example, one of the validations that this function does is this:

    cmp r0, #0x0
    beq $08069e9c (label end)
    ldrb r0, [r4, #0x0]
    cmp r0, #0x33
    bne $08069e9c
    ldrb r0, [r4, #0x1]
    cmp r0, #0xff
    bne $08069e9c
    ldrb r0, [r4, #0x2]
    cmp r0, #0xff
    bne $08069e9c
    ldrb r0, [r4, #0x3]
    cmp r0, #0xff
    bne $08069e9c

This chunk of asm code checks if the first 4 bytes of the data are "33 FF FF FF". If not, then it returns... This data is the start of the Delivery Man script, which is always "33 FF FF FF".

This is what we are actually looking for. The part that does the checksum validation.
This is a loop over the data:

    lsr r1, r2, #0x08    //SHIFT RIGHT R2 (SEED) TO TAKE FIRST 2 DIGITS (UPPER SEED)
    add r0, r5, r3       //READS DATA FROM A SPECIFIC ADDRESS
    ldrb r0, [r0, #0x0]
    eor r2, r0           //XOR DATA WITH SEED (WHICH IS 0x1121 BTW)
    lsl r0, r2, #0x18    //DO SOME SHIFTING
    lsr r0, r0, #0x17
    add r0, r0, r6       //USE PREVIOUS RESULT TO COMPUTE A NEW ADDRESS
    ldrh r0, [r0, #0x0]  //GET HALF WORD (2 BYTES) FROM THAT SPECIFIC ADDRESS (THIS IS THE LOOKUP TABLE)
    add r2, r0, #0x0
    eor r2, r1           //XOR UPPER SEED WITH THE VALUE FROM THE LOOKUP TABLE
    add r0, r3, #0x1
    lsl r0, r0, #0x10    //DO AGAIN SOME SHIFTING
    lsr r3, r0, #0x10
    cmp r3, r4

What this asm code does is loop over the data and do the same or similar calculations to the ones that Morfeo describes (see my comments above)...

Edited September 11, 2015 by lostaddict
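The loop in the disassembly above, written out in C as an added example (not code from the thread or from the game). The seed 0x1121 and the update step come from the post; the polynomial 0x8408 used to generate the lookup table is an assumption, since the thread does not show the ROM's table, and the function returns the raw loop value because the quoted fragment shows nothing after the loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASSUMED_POLY 0x8408u /* assumption: reflected CCITT; the thread gives no table */
#define THREAD_SEED  0x1121u /* seed named in the post's comments */

static uint16_t crc_table[256];
static int table_ready;

/* Generate the 256 halfword entries for a reflected (LSB-first) CRC-16. */
void crc16_make_table(uint16_t poly)
{
    for (unsigned i = 0; i < 256; i++) {
        uint16_t r = (uint16_t)i;
        for (int bit = 0; bit < 8; bit++)
            r = (uint16_t)((r & 1u) ? ((r >> 1) ^ poly) : (r >> 1));
        crc_table[i] = r;
    }
    table_ready = 1;
}

/* The loop from the disassembly; comments name the matching instructions. */
uint16_t wc_crc16(const uint8_t *data, size_t len, uint16_t seed)
{
    if (!table_ready)
        crc16_make_table(ASSUMED_POLY);
    uint16_t crc = seed;                          /* r2 */
    for (size_t i = 0; i < len; i++) {            /* r3 = index, r4 = length */
        uint16_t upper = (uint16_t)(crc >> 8);    /* lsr r1, r2, #0x08 */
        crc ^= data[i];                           /* ldrb r0, [r5 + r3]; eor r2, r0 */
        uint8_t idx = (uint8_t)crc;               /* lsl #0x18, lsr #0x17: idx * 2 */
        crc = (uint16_t)(crc_table[idx] ^ upper); /* ldrh r0, [r6 + idx * 2]; eor r2, r1 */
    }
    return crc; /* raw loop result; the quoted fragment shows nothing after the loop */
}

int main(void)
{
    /* First 16 bytes of the Delivery Man script as posted in the thread. */
    static const uint8_t head[] = {
        0x33, 0xFF, 0xFF, 0xFF, 0xB8, 0x58, 0x02, 0x00,
        0x08, 0x6A, 0x5A, 0x2B, 0x3A, 0x01, 0xBB, 0x01 };
    /* Self-check: seed 0 over "123456789" is the CRC-16/KERMIT check value. */
    printf("self-check %04X (expect 2189)\n",
           wc_crc16((const uint8_t *)"123456789", 9, 0));
    printf("script head, seed 1121: %04X\n",
           wc_crc16(head, sizeof head, THREAD_SEED));
    return 0;
}
```

To try another candidate polynomial against a known card and its stored checksum, call crc16_make_table with it before wc_crc16.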