
[POC] Wondercard data stored in RAM, before accepting "Yes" to receive it.



You might think this is a weird thing to prove, but as an event collector, it bugged me for a while.

Why does the game display the same text that will be shown in the wondercard?

And why does the game take a while to communicate with the server before displaying it?

Does this mean that it is saved in RAM first?

Why is this important?

Because if the Wondercard data is stored in RAM,

it can be ripped out of RAM while the serial code is still seen as unused on the server side,

meaning the serial code can be used again!

[Well, this should only matter if you have a friend who can't bear to let go of the serial code, but your friend can't extract the save file.]

My setup

I'm doing this on a US console with Gateway 3DS; the game is the eShop version, with NTR to change the region to Japanese, to collect the New Year Infernape.

I also set up my in-game menu to be L+R

What I did

Basically what I did was enter the Gateway menu before hitting "Yes" to collect the Infernape.

Hovered the cursor on "No" (so that when I leave the menu, it will select "No").

Accessed the in-game menu and did a RAM dump.

Exited the menu and turned off the console.

Opened the RAM dump with HxD and went to 00D516CC.

[No fear if the location is slightly different; just search for the name of the Pokémon in hex.]

Copied length 108, and it looks exactly the same in PKHeX!

However, I did notice the lack of a receive date in the WC editor (because it wasn't received, LOL).

Images in spoiler:

[image: Hovering on "No"]

[image: Entering the in-game menu]

[image: Dumping of RAM]

[image: Looking at the RAM file]

[image: The chunk that makes up a wondercard is found!]

[image: Look, the distribution message is here (obviously)]

[image: View in PKHeX]

[image: View in WC6 editor]

So, do tell me what you think peeps.

<Also, this Infernape is horrible. It does not even have at least three 31 IVs.>


Out of curiosity, how is the gender set? Since, like the date, that is set when the card is received.

For mine, Gender is already set as male.

My assumption is as follows:

Basically the server decides what gender it would be (not sure if it is already preset during the serial code phase),

and sends it out to the 3DS.

The 3DS stores the data in RAM.

When "YES" is selected,

the 3DS moves the data to a freed-up wondercard slot and inserts the date.

[edit]

Using the same serial code, we could probably attempt to reroll for gender using this method.

Or also during future scenarios like the 19 Arceus event (the movie distribution that had the shiny).


That is good that the gender is set at this point, so if I wanted to know the gender first I assume I could just open the on screen hex editor and go to the correct offset and check the value to know before choosing to accept the card or not.

If so what offset would I go to and what values would correspond to each gender?

Edit: I successfully found the wc6 data and dumped it with NTR debugging thanks to all your info. Also nicely NTR doesn't cause unwanted key presses.

Command used (must change pid)

data(0x08c695bc, 0x108, filename='infernape.wc6', pid=0x28)

I still would like to know how to check the gender before accepting the card. I just need to know where in the wc6 data to look, since loading it in the editor doesn't help, as it has a known problem with genders.

Edited by shadowofdarkness


NTR as in the actual CFW, or are you using the .cia add-on?

That's interesting! Since it helps to rip out the file, I should try using that!

After the data is ripped out, go to 0x00A1.

00 is Male, 01 is Female, 02 is Genderless, 03 is random.

So far, there is no legit wondercard with 03, because it is observed that the system or the server decides the gender.

<also, thanks for your PM on gbatemp xD>

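The two steps above (search the dump for the Pokémon's name in hex and copy 0x108 bytes, then read the gender byte at 0xA1) put together as a small script. This is an added example written for this thread, not code from the thread, from PKHeX or from NTR. The card size, the name search and the gender offset/values are taken from the posts; the other field offsets (species at 0x82, nickname at 0x86 for 0x1A bytes, level at 0xD0) are assumptions based on the PKHeX WC6 layout as I recall it, so verify them in PKHeX before relying on them. The "RAM dump" it operates on is constructed inline; a real HxD or NTR dump is just a `bytes` object read from disk.

```python
"""
Added example for this thread (not code from the thread or from PKHeX):
find 0x108-byte WC6 wondercards in a raw RAM dump by searching for the
Pokémon's name as UTF-16, then read the gender byte at 0xA1
(00 male, 01 female, 02 genderless, 03 random).

From the thread: card size 0x108, "search by name of pokemon in hex",
gender at 0xA1.  ASSUMED (PKHeX WC6 layout as I recall it, verify first):
species u16 at 0x82, nickname UTF-16LE at 0x86 (0x1A bytes), level at 0xD0.
The dump built by build_fake_dump() is CONSTRUCTED, not a real 3DS dump.
"""
import struct

WC6_SIZE = 0x108
OFF_SPECIES = 0x82        # assumed
OFF_NICKNAME = 0x86       # assumed
NICKNAME_LEN = 0x1A       # assumed
OFF_GENDER = 0xA1         # from the thread
OFF_LEVEL = 0xD0          # assumed
GENDER_NAMES = {0: "Male", 1: "Female", 2: "Genderless", 3: "Random"}


def find_wc6_candidates(dump: bytes, name: str) -> list:
    """Offsets of every 0x108-byte window whose nickname field is exactly `name`.

    Mirrors the HxD search: the name as UTF-16LE (plus a NUL terminator, since
    the nickname field is NUL-terminated) and then step back to the card start.
    The name can also occur in the card title / distribution text, so a weak
    sanity filter (gender byte < 4) is applied; confirm hits in PKHeX.
    """
    needle = name.encode("utf-16-le") + b"\x00\x00"
    hits = []
    pos = dump.find(needle)
    while pos != -1:
        start = pos - OFF_NICKNAME
        if 0 <= start and start + WC6_SIZE <= len(dump) and dump[start + OFF_GENDER] < 4:
            hits.append(start)
        pos = dump.find(needle, pos + 1)
    return hits


def parse_wc6(card: bytes) -> dict:
    """Decode the few fields this example cares about from one 0x108-byte card."""
    if len(card) != WC6_SIZE:
        raise ValueError(f"expected {WC6_SIZE:#x} bytes, got {len(card):#x}")
    raw_name = card[OFF_NICKNAME:OFF_NICKNAME + NICKNAME_LEN]
    nickname = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    gender = card[OFF_GENDER]
    return {
        "species": struct.unpack_from("<H", card, OFF_SPECIES)[0],
        "nickname": nickname,
        "gender_byte": gender,
        "gender": GENDER_NAMES.get(gender, f"unknown({gender:#04x})"),
        "level": card[OFF_LEVEL],
    }


def build_fake_wc6(nickname: str, gender: int, species: int = 392, level: int = 100) -> bytes:
    """CONSTRUCTED card: only the fields this example reads are filled in."""
    card = bytearray(WC6_SIZE)
    struct.pack_into("<H", card, OFF_SPECIES, species)
    enc = nickname.encode("utf-16-le")
    card[OFF_NICKNAME:OFF_NICKNAME + len(enc)] = enc
    card[OFF_GENDER] = gender
    card[OFF_LEVEL] = level
    return bytes(card)


def build_fake_dump(cards, offset: int = 0x1000, size: int = 0x4000) -> bytes:
    """CONSTRUCTED 'RAM dump': zero-filled buffer with the cards placed back to back."""
    buf = bytearray(size)
    for i, card in enumerate(cards):
        start = offset + i * WC6_SIZE
        buf[start:start + WC6_SIZE] = card
    return bytes(buf)


def genders_in_dump(dump: bytes, name: str) -> list:
    """Gender label of every candidate card carrying `name`, in dump order."""
    return [parse_wc6(dump[o:o + WC6_SIZE])["gender"] for o in find_wc6_candidates(dump, name)]


if __name__ == "__main__":
    # Two attempts at the same code, a male and a female roll, sitting in one dump.
    dump = build_fake_dump([build_fake_wc6("Infernape", 0), build_fake_wc6("Infernape", 1)])
    for off in find_wc6_candidates(dump, "Infernape"):
        print(f"card at {off:#010x}: {parse_wc6(dump[off:off + WC6_SIZE])}")
```

To use it on a real Gateway dump, replace the constructed buffer with `open('ramdump.bin', 'rb').read()`; the offsets it prints are file offsets in the dump, not 3DS addresses, which is why the thread lists separate GW and NTR offsets.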

Glad to hear about it.

Let me know if it rerolls to male :)

Just tested it, and they can change gender. I accidentally lost that code, so I started using new ones, and one came up female. I just hit cancel, then went in again (the code was still filled in, so I didn't retype), and when I checked that one it was male on the second try.


EDIT: how to rip it out from RAM

EDIT2:

For a GW RAM dump:

  XY offset: 00D430B0
  ORAS offset: 00D516CC

For an NTR RAM dump:

  XY offset: ??????
  ORAS offset: 08C695BC

1. Loaded NTR.cia

2. Accessed the Pokémon AS game

3. Held buttons X+Y to enter the in-game menu

4. Enabled debugger mode, and exited the in-game menu

5. Punched in the serial code for the mystery gift (and hover the cursor on NO, so that you won't accidentally accept it. It'll be good if your "L" button isn't set to "A", so that you won't tap it by accident either)

6. Command in the NTR client, connecting to the 3DS that is on the same network as the computer, using the 3DS IP address -> connect('192.168.x.xx', 8000)

7. listprocess and find the pid=?? value for your game, an example of which would be 0x28 -> listprocess()

8. Command in the NTR client to rip out the data -> data(0x08c695bc, 0x108, filename='dummy.wc6', pid=0x28)

Profit!

NTR cfw (or the .cia): https://gbatemp.net/threads/release-ntr-cfw-3-2-with-experimental-real-time-save-feature.385142/

NTR debugger client: https://gbatemp.net/threads/release-ntr-debugger-2-with-source-the-first-public-real-time-debugger-for-n3ds.384858/

ensure you install the IronPython dependency: http://ironpython.net/

edit::

If you accidentally accept the mystery gift,

immediately turn off the Wi-Fi on your 3DS,

and proceed to force a shutdown.

As long as your 3DS doesn't get the chance to tell the server that "you accepted",

the serial code can be reused.

Edited by theSLAYER

Also in that process the pid could be different so people have to know how to find it. After the connect command run listprocess() and find the line with the right games titleid and get the correct pid from it.


That is a really useful piece of information.

Guess it must be luck that I used the same pid as you and it was correct.


I'll find the XY offset as soon as I can. I just can't now, since I don't have X or Y on my Japanese system to test with the Infernape code, and no code right now that will work on my NA system, which has XY. It shouldn't be long until I get a Mew code and can test with that. So people realize: they can check the gender live on the system before accepting, with Gateway, by using the on-screen hex editor, going to offset 0x8C6965D (0x08c695bc + 0xa1) and checking the values you posted before.



Yeah, I'm not too good with NTR, in regards to finding the offset.

Do let us know, so I can update that post!


I'm not sure if it would show the changes live and I sort of hope not since it would just be a way for people to fake proofs but you could try and see.

I believe it would work but I don't think it would update on screen until you exit the screen and go back to the wondercard screen, most RAM edits don't take effect until you change what's on the screen due to how it puts things into memory


These are very nice findings! Is there any use for an EUR Mew code? I still haven't used mine.

Also, note that the offsets are probably tied to the game update. I could make a cheat plugin that dumps the RAM, but I think dumping to PC is easier...

We've gotten all the mews already >< (well, besides the Gen I Mew.)

Dumping to PC is indeed easier,

but there's the benefit of dumping to RAM when outdoors, especially if it can use a naming system where the number keeps increasing.

example: local event, with different formes or genders.

basically keep collecting and pressing no, in hopes of farming the different formes/genders


True, it may be possible for people to fake their cards on the go.

With serial code loaning, best method of verification is through trusted members on this site, or best through me.

(I mean, I have no reason to fake the cards)


I've coded a simple ntr cfw plugin that should dump the wc6 when enabled to the root of sdcard.

The same plugin has the cheat for XY and the cheat for ORAS, using the ntrdebugger RAM offsets posted here. I advise backing up the SD card before trying it out, just in case I messed something up and the card gets corrupted (I know this doesn't sound very trustworthy).

Basically when you select the cheat, the 0x108 bytes from that memory offset are read, then written to a file in sd card. The plugin should check if the file already exists, and if it does, a new file with increased number count is created (filename may be weird, I couldn't use advanced string functions in the plugin, so it might end up as a little endian hex number in the filename...)

I couldn't test since I don't have my 3ds here right now

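The behaviour the plugin post above describes (read 0x108 bytes at the posted offset, write them to a file, and pick a new numbered filename when one already exists), reproduced on a PC as an added example. This is not the plugin's source, which is not on the page, and not NTR code; it is written for this thread. It also covers the "keep collecting and pressing No" use from a few posts earlier by skipping an all-zero read and a card that is byte-identical to one already saved, so only distinct rolls are kept. The process memory is a constructed buffer with an assumed base address, and the `wc6_NNN.wc6` name pattern is my choice, not the plugin's.

```python
"""
Added example (NOT the NTR plugin from the thread; written for this page):
mimic the plugin's dump step on a PC.  Read WC6_SIZE bytes at the ORAS NTR
offset posted in the thread, write them as a numbered .wc6, and choose the
next unused number instead of overwriting.  Additions beyond the plugin post:
skip an all-zero read and skip a byte-identical repeat of a saved card.

ASSUMPTIONS: `image` is a CONSTRUCTED buffer standing in for process memory
that starts at IMAGE_BASE; the wc6_NNN.wc6 filename pattern is mine.
"""
import hashlib
import os
import re
import tempfile

WC6_SIZE = 0x108
ORAS_NTR_OFFSET = 0x08C695BC           # ORAS wondercard address under NTR, from the thread
IMAGE_BASE = ORAS_NTR_OFFSET - 0x1000  # assumed start address of the fake memory image
NAME_RE = re.compile(r"^wc6_(\d{3})\.wc6$")


def read_card(image: bytes, base: int, address: int) -> bytes:
    """Copy WC6_SIZE bytes at virtual `address` out of an image that begins at `base`."""
    rel = address - base
    if rel < 0 or rel + WC6_SIZE > len(image):
        raise ValueError(f"address {address:#x} not inside image")
    return bytes(image[rel:rel + WC6_SIZE])


def next_free_name(existing_names) -> str:
    """Lowest wc6_NNN.wc6 not already present: gaps are reused, nothing is overwritten."""
    used = set()
    for name in existing_names:
        m = NAME_RE.match(name)
        if m:
            used.add(int(m.group(1)))
    n = 0
    while n in used:
        n += 1
    return f"wc6_{n:03d}.wc6"


def dump_card(image, base, address, outdir, seen_hashes):
    """Write the card at `address` into `outdir`; return its filename, or None if skipped."""
    card = read_card(image, base, address)
    if not any(card):
        return None                      # offset not populated yet (no code entered)
    digest = hashlib.sha256(card).hexdigest()
    if digest in seen_hashes:
        return None                      # identical to an earlier attempt (same roll)
    seen_hashes.add(digest)
    name = next_free_name(os.listdir(outdir))
    with open(os.path.join(outdir, name), "wb") as fh:
        fh.write(card)
    return name


def fake_card(gender: int) -> bytes:
    """CONSTRUCTED card: a non-zero marker plus the thread's gender byte at 0xA1."""
    card = bytearray(WC6_SIZE)
    card[0x00:0x02] = b"\x01\x00"        # arbitrary non-zero bytes so the card isn't empty
    card[0xA1] = gender
    return bytes(card)


def run_demo():
    """Simulate three 'enter code, press No' attempts: male, male again, then female."""
    image = bytearray(0x4000)
    rel = ORAS_NTR_OFFSET - IMAGE_BASE
    outdir = tempfile.mkdtemp(prefix="wc6dump_")
    open(os.path.join(outdir, "wc6_000.wc6"), "wb").close()   # pretend one dump exists
    seen = set()
    results = []
    for gender in (0, 0, 1):
        image[rel:rel + WC6_SIZE] = fake_card(gender)
        results.append(dump_card(image, IMAGE_BASE, ORAS_NTR_OFFSET, outdir, seen))
    return results


if __name__ == "__main__":
    print(run_demo())   # ['wc6_001.wc6', None, 'wc6_002.wc6']
```

The duplicate check compares whole cards, so two rolls that differ only in the gender byte are kept as separate files, which is the case the "farm different formes/genders" idea needs.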
