Jump to content

[POC] Wondercard data stored in RAM, before accepting "Yes" to receive it.


Recommended Posts

You might think this is a weird thing to prove, but as an event collector, it bugged me for a while.

Why does the game display the same text that will be shown in the wondercard?

And why does the game take a while to communicate with server, before displaying it?

Does this mean that it is saved in RAM first?

Why is this important?

Because if the Wondercard Data is stored on RAM,

it can be ripped out from RAM, while the Serial Code is seen as unused on server side,

meaning the serial code can be used again!

[well, this should only matter if you have a friend who can't bear to let go of the serial code, but your friend can't extract the save file]

My setup

I'm doing this on a US console with Gateway 3DS, game is eshop version, with NTR to change region to Japanese, to collect the New Year Infernape.

I also set up my in-game menu to be L+R

What I did

Basically what I did was enter Gateway Menu before hitting "yes" to collect the Infernape.

Hover the cursor on no (so that when I leave the menu, it will select "No")

Access in game menu and did a RAM dump,

Exited menu and turned off console.

Opened the RAM dump with HXD and went to 00D516CC

[no fear if the location is slightly different, just search by name of pokemon in hex]

Copied length:108, and it looks exactly the same on pkhex!

However, I did notice the lack of receive date in WC editor (cause it wasn't received LOL)

Images in spoiler

Hovering on "No"

e9TuV6S.jpg

Entering in game menu

YPOJ4Pg.jpg

Dumping of Ram

3dUhsgM.jpg

Looking at the ram file

Edp1Eby.jpg

The chunk that makes up a wondercard is found!

xyqCxt5.jpg

Look, distribution message is here (obviously)

EP9xAOX.jpg

View in Pkhex

cTKLXxW.jpg

View in WC6 editor

5gMDYdp.jpg

So, do tell me what you think peeps.

<also, this Infernape is horrible. does not even have minimally 3 31 IVs>

Link to comment
Share on other sites

Out of curiosity how is the gender set? Since like the date that is set when the card is received.

For mine, Gender is already set as male.

My assumption is as follows:

Basically the server decides on what it would gender it would be (not sure if already preset during serial code phase),

and sends it out to the 3DS

3DS stores data in RAM.

When "YES" is selected,

3DS moves data to a freed up wondercard slot, and inserts date.

[edit]

Using the same serial code, we could probably attempt to reroll for gender using this method.

Or also during future scenarios like the 19 Arceus event (the movie distribution that had the shiny).

Link to comment
Share on other sites

That is good that the gender is set at this point, so if I wanted to know the gender first I assume I could just open the on screen hex editor and go to the correct offset and check the value to know before choosing to accept the card or not.

If so what offset would I go to and what values would correspond to each gender?

Edit: I successfully found the wc6 data and dumped it with NTR debugging thanks to all your info. Also nicely NTR doesn't cause unwanted key presses.

Command used (must change pid)

data(0x08c695bc, 0x108, filename='infernape.wc6', pid=0x28)

I still would like to know how to check gender before accepting the card. I just need to know where in the wc6 data to look. Since loading it in the editor doesn't help since it has a known problem with genders.

Edited by shadowofdarkness
Link to comment
Share on other sites

That is good that the gender is set at this point, so if I wanted to know the gender first I assume I could just open the on screen hex editor and go to the correct offset and check the value to know before choosing to accept the card or not.

If so what offset would I go to and what values would correspond to each gender?

Edit: I successfully found the wc6 data and dumped it with NTR debugging thanks to all your info. Also nicely NTR doesn't cause unwanted key presses.

Command used (must change pid)

data(0x08c695bc, 0x108, filename='infernape.wc6', pid=0x28)

I still would like to know how to check gender before accepting the card. I just need to know where in the wc6 data to look. Since loading it in the editor doesn't help since it has a known problem with genders.

NTR as in the actual CFW? or are you using the .cia add on.

That's interesting! since it helps to rip out the file, I should try using that!

After the data is ripped out, go to 0x00A1.

00 is Male, 01 is Female, 02 is Genderless, 03 is random.

so far, there is no legit wondercard with 03, because it is observed that the system or the server decides the gender.

<also, thanks for your PM on gbatemp xD>

Link to comment
Share on other sites

EDIT: how to rip it out from RAM

EDIT2:

For GW ram dump,

XY offset: 00D430B0

ORAS offset: 00D516CC

NTR ram dump

XY offset:??????

ORAS offset: 08C695BC

1. loaded NTR.cia

2. accessed Pokemon AS game

3. Held buttons XY to enter in-game menu

4. enabled debugger mode, and exited in-game menu

5. punched in serial code for mystery gift (and hover the cursor on NO, so that you won't accidentally accept it. It'll be good if your "L" button isn't set to "A", so that you won't tap it by accident too)

6. command in NTR client, connecting to 3DS that is on the same network as computer, using 3DS IP address-> connect('192.168.x.xx', 8000)

7. listprocess and find the pid=?? value for your game, which an example would be 0x28 -> listprocess()

8. command in NTR client, to rip out the data-> data(0x08c695bc, 0x108, filename='dummy.wc6', pid=0x28)

Profit!

NTR cfw (or the .cia): https://gbatemp.net/threads/release-ntr-cfw-3-2-with-experimental-real-time-save-feature.385142/

NTR debugger client: https://gbatemp.net/threads/release-ntr-debugger-2-with-source-the-first-public-real-time-debugger-for-n3ds.384858/

ensure you install the IronPython dependency: http://ironpython.net/

edit::

If you accidentally accept the mystery gift,

immediately turn off the wifi on your 3DS,

and proceed to force shut down.

As long as your 3DS doesn't get the chance to send to the server that "you accepted",

the serial code can be reused.

Edited by theSLAYER
Link to comment
Share on other sites

EDIT: how to rip it out from RAM 1. loaded NTR.cia 2. accessed Pokemon AS game 3. Held buttons XY to enter in-game menu 4. enabled debugger mode, and exited in-game menu 5. punched in serial code for mystery gift 6. command in NTR client, connecting to 3DS that is on the same network as computer, using 3DS IP address-> connect('192.168.x.xx', 8000) 7. command in NTR client, to rip out the data-> data(0x08c695bc, 0x108, filename='dummy.wc6', pid=0x28) Profit! NTR cfw (or the .cia): https://gbatemp.net/threads/release-ntr-cfw-3-2-with-experimental-real-time-save-feature.385142/ NTR debugger client: https://gbatemp.net/threads/release-ntr-debugger-2-with-source-the-first-public-real-time-debugger-for-n3ds.384858/ ensure you install the IronPython dependency: http://ironpython.net/
Also in that process the pid could be different so people have to know how to find it. After the connect command run listprocess() and find the line with the right games titleid and get the correct pid from it.
Link to comment
Share on other sites

Also in that process the pid could be different so people have to know how to find it. After the connect command run listprocess() and find the line with the right games titleid and get the correct pid from it.

That is a really useful piece of information.

Guess it must be luck, that I used the same pid as you and it was correct.

Link to comment
Share on other sites

I'll find the XY offset as soon as I can. I just can't now since I don't have X or Y on my Japanese system to test with the Infernape code and no code right now that will work on my NA system which has XY. It shouldn't be long until I get a Mew code and can test with that. So people realize they can check the gender live on system before accepting with Gateway by using the on screen hex editor and going to offset 0x8C6965D (0x08c695bc + 0xa1) and checking the values you posted before

Link to comment
Share on other sites

I'll find the XY offset as soon as I can. I just can't now since I don't have X or Y on my Japanese system to test with the Infernape code and no code right now that will work on my NA system which has XY. It shouldn't be long until I get a Mew code and can test with that. So people realize they can check the gender live on system before accepting with Gateway by using the on screen hex editor and going to offset 0x8C6965D (0x08c695bc + 0xa1) and checking the values you posted before

Yeah, I'm not too good with NTR, in regards to finding the offset.

Do let us know, so I can update that post!

Link to comment
Share on other sites

I'm not sure if it would show the changes live and I sort of hope not since it would just be a way for people to fake proofs but you could try and see.

I believe it would work but I don't think it would update on screen until you exit the screen and go back to the wondercard screen, most RAM edits don't take effect until you change what's on the screen due to how it puts things into memory

Link to comment
Share on other sites

  • 4 weeks later...
These are very nice findings! Is there any use for a EUR mew code? I still haven't used mine.

Also, note that offsets are probably tied to the game update. I could make cheat plugin that dumps the ram, but I think dumping to pc is easier...

We've gotten all the mews already >< (well, besides the Gen I Mew.)

Dumping to PC is indeed easier,

but there's the benefit of dumping to RAM when outdoors, especially if it can use a naming system where it keeps increasing.

example: local event, with different formes or genders.

basically keep collecting and pressing no, in hopes of farming the different formes/genders

I'm not sure if it would show the changes live and I sort of hope not since it would just be a way for people to fake proofs but you could try and see.

True, it may be possible for people to fake their cards on the go.

With serial code loaning, best method of verification is through trusted members on this site, or best through me.

(I mean, I have no reason to fake the cards)

Link to comment
Share on other sites

I've coded a simple ntr cfw plugin that should dump the wc6 when enabled to the root of sdcard.

The same plugin has the cheat for XY and the cheat for ORAS, using the ntrdebugger ram offsets posted here. I advise to backup SDcard before trying it out, just in case I messed up something and the card corrupts (I know this doesn't sound very trustful).

Basically when you select the cheat, the 0x108 bytes from that memory offset are read, then written to a file in sd card. The plugin should check if the file already exists, and if it does, a new file with increased number count is created (filename may be weird, I couldn't use advanced string functions in the plugin, so it might end up as a little endian hex number in the filename...)

I couldn't test since I don't have my 3ds here right now

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...