VC RBY - Virtual Console Mew (UK)


BlackShark

Mystery solved!



These are the OT Name Bytes again.

86 85 00 00 00 00 00 50 89 80 82
G  F                    J  A  C 


And these are the first 11 bytes of the default names in Pokémon Red which you can select when you start the game.
Basically it's what you get when you select the first name, "RED".

91 84 83 50 60 6B 67 50 89 80 82 
R  E  D     A  S  H     J  A  C



Actually, what probably happened is they deleted the 2 default names RED and ASH and replaced them with GF, but JAC is still there as a leftover.
When you select one of the names, the game also copies exactly 11 Bytes, so it copies the Bytes after the Selected name as well. 
This confirms which Pokémon Version they modified and also confirms that all Mews from the Event will likely be the same!

Edited by ajxpk
---
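The name-table copy ajxpk describes above, and the "bytes after the terminator" check that later posts rely on to tell an event Mew from a glitched or save-edited one, as an added example. This is not code from the thread or from the game: it models the behaviour the post describes. It takes the byte values, the 11-byte copy length and the GF/JAC reading from the posts; the charmap covers only the terminator 0x50, 0x80..0x99 for A..Z, and the three special-glyph bytes 0x60 0x6B 0x67, which are mapped as "ASH" purely because the post reads them that way. The two name tables are constructed so that selecting the first entry reproduces the two byte strings shown above.

```python
"""Model of the Gen 1 default-name copy that leaves "JAC" in the UK Mew OT.

Added example, not from the thread. Assumptions (all from the posts above, not
independently verified here): choosing a default name copies NAME_LENGTH = 11
bytes from the start of that entry; 0x50 is the string terminator; the patched
ROM's list begins "GF" + five 0x00 + terminator, followed by the untouched "JACK".
"""

NAME_LENGTH = 11      # bytes copied when a default name is chosen (per the post)
TERMINATOR = 0x50     # Gen 1 string terminator, written '@' in disassemblies

# Minimal Gen 1 charmap: 0x80..0x99 are 'A'..'Z'. 0x60/0x6B/0x67 sit in the
# special-glyph block; they are given as A/S/H only because the post decodes
# "60 6B 67" as ASH. Anything else (including 0x00 padding) renders as '?'.
CHARMAP = {0x80 + i: chr(ord("A") + i) for i in range(26)}
CHARMAP.update({TERMINATOR: "@", 0x60: "A", 0x6B: "S", 0x67: "H"})


def encode(text):
    """Encode plain 'A'..'Z' and '@' into Gen 1 bytes (regular letters only)."""
    rev = {v: k for k, v in CHARMAP.items() if 0x80 <= k <= 0x99 or k == TERMINATOR}
    return bytes(rev[c] for c in text)


def decode(data):
    """Render bytes for display; unknown values become '?'."""
    return "".join(CHARMAP.get(b, "?") for b in data)


def name_offsets(table):
    """Start offset of each entry; entries are terminator-separated, back to back."""
    offsets, pos = [], 0
    while pos < len(table):
        offsets.append(pos)
        pos = table.index(TERMINATOR, pos) + 1  # ValueError if an entry is unterminated
    return offsets


def select_default_name(table, index):
    """Copy NAME_LENGTH bytes from the chosen entry, ignoring where its terminator is.

    Bytes belonging to the following entries come along, which is exactly how the
    leftover "JAC" ends up inside the OT field. (In a real ROM a slice that runs
    past the table would read whatever data follows it; here it is just truncated.)
    """
    start = name_offsets(table)[index]
    return table[start:start + NAME_LENGTH]


def bytes_after_terminator(ot):
    """The 'trash': everything after the first terminator in a fixed-length OT field.

    A legitimately typed name leaves this empty (or terminator-padded); an OT field
    with letters after the first 0x50 is the kind of data the posts say cannot be
    produced through normal play.
    """
    if TERMINATOR not in ot:
        return b""
    return ot[ot.index(TERMINATOR) + 1:]


# Constructed tables. The stock list in the post starts RED, ASH, JACK; the patched
# list replaces the 8 bytes "RED@ASH@" with "GF" + five 0x00 + "@".
STOCK_TABLE = encode("RED@") + bytes([0x60, 0x6B, 0x67, TERMINATOR]) + encode("JACK@")
PATCHED_TABLE = encode("GF") + b"\x00" * 5 + bytes([TERMINATOR]) + encode("JACK@")

# The two byte strings quoted in the post.
UK_MEW_OT = bytes.fromhex("86 85 00 00 00 00 00 50 89 80 82")
STOCK_RED_OT = bytes.fromhex("91 84 83 50 60 6B 67 50 89 80 82")


if __name__ == "__main__":
    for label, table in (("stock", STOCK_TABLE), ("patched", PATCHED_TABLE)):
        ot = select_default_name(table, 0)
        print(f"{label:8s} {ot.hex(' ')}  -> {decode(ot)!r}"
              f"  trash={decode(bytes_after_terminator(ot))!r}")
```

Selecting entry 0 from the patched table yields the captured OT bytes exactly, and the trailing "JAC" is the only part that distinguishes them from a name a player could type; that is the property a legality check would key on.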

This is what happens if you modify the English Red ROM like ajxpk posted (not modifying the JACK name in any way):
(screenshot attached: 0035bd6501.png)

So, for the UK event, they used a custom VC Pokémon Red that patches the OT name to only be GF. Probably the patch prevents any other name input.
It would be interesting to get the patch to know exactly how the modifications for the distribution work, but in any case it seems every single Mew is exactly the same. Those trash bytes are only there because they slipped when patching the name selection screen: removing the second name prevents the third from showing at all, but it still gets into the OT trash bytes.

The JAP one does not have trash, mainly because the OT is only 5 bytes + terminator long, or maybe because they did it correctly, who knows.

---

Fascinating. Simply by examining the "trash" bytes and with intimate knowledge of the game's programming, you were able to deduce that the event was running a modified VC version of Pokémon Red.

The alterations could be either patched on-the-fly or baked into the VC ROM, but in either case, coupled with the visible restore points, it is solid evidence of a special distribution version of the game.

If it's a digital title, who knows, it might even exist on the eShop CDN like Sun/Moon did at some point. If it were, though, I would think it would've already been discovered, and simply knowing about its (possible) existence is probably insufficient to even acquire it.

---

I know SciresM was checking the servers for uploads and found SM, I'll ask him, maybe we can get the files. They will be encrypted, but given the size of the VC games (~10 MB) maybe bruteforcing the encryption is a viable solution.

edit: I feel like bruteforcing the AES key has nothing to do with the file size and that I just said something dumb

---

I have doubts about that. I don't think binary size is relevant so much as there's an astronomical number of possible encryption values, so a bruteforcing attempt maybe wouldn't be shorter. I could be mistaken.

My other thought was that the VC versions might be hiding some functionality that hasn't been looked into. What if a Mew distribution was planned in advance, so that there exists an undocumented distribution mode in the commercial VC release of Red Version?

---

Well, it seems SciresM was well aware of the titles being on the servers:
CTR-N-RMWZ Mew Trading App(E) 000400000018C500
CTR-N-RMWA ミュウ引換用ソフト 000400000018C400

There are only a Japanese and a European version, so if any more distros are ever made, they will be the same Mews we already have.

EDIT: of course, Nintendo could just use a different title with a different patch and distribution, but both the JAP and EUR distribution apps were uploaded 9 months ago, so it's not like they made it for the UK event.

---

After chatting with SciresM:
- Bruteforcing the encryption is not a real solution and will never be (just wanted to make this clear)
- The OT name "trash" is intentional, as there's no way to get such trainer name data legitimately.
- Gen 7 transfer could potentially be locked by OT, ID and DV combination. We'll see in January.

ps: In any case, I think it would still be great if @HMM dumped his save, same goes for RupeeClock's cousin's Mew if he gets the chance. I like double checking.

---

The trash being intentional is not unexpected, as it's maybe one of the few ways they can verify you have an event Mew instead of a glitched or save hacked Mew.

I hope we can get more samples too, just to confirm if there are data differences or not. At this stage it seems less likely.

---

It would have been hilarious if someone showed up to the event and traded a Mew they got from Mew glitch to the event rep who trades them the actual event Mew.

Like instead of a Pidgey or some other random thing.

Anyway, it's interesting they'd really go through the trouble of coding something like this when it would likely have been less effort to just fill the boxes with Mews, lol. The event was pretty exclusive already, so it's not like they have to deal with thousands of people coming in every day. But I guess it's there if they ever felt like re-using it for a different kind of event *shrug*

---

The 3DS doesn't have something like a 1-click save install, so they would have had to code an app that downloads and installs the save to the VC game. A modified VC game that will always have the event Mew tradeable whatever you do seems better.

I wouldn't be surprised if the patch enabled the flags that allow trading and teleports you to a Pokémon Center once a new game is started, alongside patching a Mew into party slot one, or that you can receive one by talking to an NPC in the Center. Probably the Pokémon Center is locked so you can't leave.

There are multiple options; this one seems the most reasonable. Patching the game like this doesn't need much effort and ensures the vendor will always have a Mew, whatever the human factor.

---

9 hours ago, suloku said:

Well, it seems SciresM was well aware of the titles being on the servers:
CTR-N-RMWZ Mew Trading App(E) 000400000018C500
CTR-N-RMWA ミュウ引換用ソフト 000400000018C400

There are only a Japanese and a European version, so if any more distros are ever made, they will be the same Mews we already have.

EDIT: of course, Nintendo could just use a different title with a different patch and distribution, but both the JAP and EUR distribution apps were uploaded 9 months ago, so it's not like they made it for the UK event.

What's funny about those IDs you pasted is that their extkey (seed) can be downloaded, lol.

If we have the encrypted title key, it can be downloaded.

---

Yeah, but we're not getting that anytime soon, I'd wager.

Are the employees giving out the Mews actual Nintendo employees? I'd consider it impossible if that's the case, unless one of them went rogue lol.

It would be pretty cool just to be able to look at it and see how it works.

---

1 hour ago, Ammako said:

Yeah, but we're not getting that anytime soon, I'd wager.

Are the employees giving out the Mews actual Nintendo employees? I'd consider it impossible if that's the case, unless one of them went rogue lol.

It would be pretty cool just to be able to look at it and see how it works.

In Japan, the trading staff appeared to be staff who work in the Pokémon Center.

Well, the 3DS will likely be on the latest firmware, so good luck going rogue and downgrading that xD

19 minutes ago, RupeeClock said:

If I'm not mistaken, the only way we could hope to get that key is if someone with the title installed on their system hacked the system, and then dumped and shared the title key. That seems extremely unlikely.

Or someone with high computing power and network speed and working CDN-FX could just bruteforce the enc_titleKey,
which should take a few years,

but I won't count my chances on that either.

---

1 minute ago, theSLAYER said:

In Japan, the trading staff appeared to be staff who work in the Pokémon Center.

Well, the 3DS will likely be on the latest firmware, so good luck going rogue and downgrading that xD

Or someone with high computing power and network speed and working CDN-FX could just bruteforce the enc_titleKey,
which should take a few years,

but I won't count my chances on that either.

Don't forget to exclude the enc_titleKeys for other titles. :D

---

Bruteforcing this sort of thing seems like a silly thing to do too, seeing as it's just a small distro app.

We kinda sorta know how to reproduce the distro app as it is, as we have data on the Mew distributed and an understanding of how the rom/VC title works. That also seems silly as you can just inject the event data now.

---

9 minutes ago, Thunder said:

Don't forget to exclude the enc_titleKeys for other titles. :D

Though it'll likely still take a long time.
There's a post on GBAtemp about it.

8 minutes ago, RupeeClock said:

Bruteforcing this sort of thing seems like a silly thing to do too, seeing as it's just a small distro app.

We kinda sorta know how to reproduce the distro app as it is, as we have data on the Mew distributed and an understanding of how the rom/VC title works. That also seems silly as you can just inject the event data now.

I agree that brute-forcing this seems silly.

But it's kind of the same as being able to reproduce wonder cards vs. only uploading actual ones.

It'll be valuable to preserve the original data itself,
cause that way we'll know without a shred of doubt the generation method and other stuff is correct.

For example, I've been looking to preserve the 10Anniv distribution cart backup,
but I haven't been able to find it online.

Imagine if people didn't preserve the wonder cards for gen III event,
we would not have the wonder card injection system up after 10 years.

---

1 hour ago, theSLAYER said:

I agree that brute-forcing this seems silly.

But, the it's kind of the same as being able to reproduce wonder cards VS only uploading actual ones.

It'll be valuable to preserve the original data itself

This exactly.

We can dump event files from our games to preserve those so they can still be injected into save files years into the future, but that's nothing compared to preserving the original distribution methods in the first place. It would just be a shame for those to be lost forever.

Unfortunately, most if not all of the Japanese distribution cartridges will likely be impossible to get since there was probably a lot more security around those. It'd be really cool to have one of those Slot-2 distribution cartridges for Gen 4, for example. But oh well, at least they sent a bunch of distribution cartridges over to the west where security wasn't as tight and a whole lot of them got out. We can't get all of them, but there's enough that the distribution method has been preserved pretty well I'd say, and the rom can be edited to distribute different Wondercards if we want to anyway.

---

1 minute ago, Ammako said:

This exactly.

We can dump event files from our games to preserve those so they can still be injected into save files years into the future, but that's nothing compared to preserving the original distribution methods in the first place. It would just be a shame for those to be lost forever.

Unfortunately, most if not all of the Japanese distribution cartridges will likely be impossible to get since there was probably a lot more security around those. It'd be really cool to have one of those Slot-2 distribution cartridges for Gen 4, for example. But oh well, at least they sent a bunch of distribution cartridges over to the west where security wasn't as tight and a whole lot of them got out. We can't get all of them, but there's enough that the distribution method has been preserved pretty well I'd say, and the rom can be edited to distribute different Wondercards if we want to anyway.

At least Gen IV and Gen V have digital copies of the distribution in the wild.

Also, it hasn't been easy trying to secure a Gen III hard copy, as seen here.

Too bad CDN-FX isn't working for me
(even with the correct title ID and enc title key, it prompts "download fail" to me),
else I'd be willing to let my computer run through the night to try to brute force a range, bit by bit.

---

25 minutes ago, theSLAYER said:

At least Gen IV and Gen V have digital copies of the distribution in the wild.

Also, it hasn't been easy trying to secure a Gen III hard copy, as seen here.

Too bad CDN-FX isn't working for me
(even with correct title ID and enc title key, it prompts "download fail" to me),
else I'll be willing to let my computer run through the night to try to brute force a range, bit by bit.

So you're just unable to download it in general? You guys kept saying it would take an insanely long time to brute force it. I don't know much but I kept wondering how long it would take if you had multiple computers attempting to crack it and there was some way they were all able to communicate what's already been tried. If there's xxxxxxxxxxxxx possibilities, sure it might take a while. But if you had 17 computers running day and night, I doubt it could last forever. 

---

34 minutes ago, HaxAras said:

So you're just unable to download it in general? You guys kept saying it would take an insanely long time to brute force it. I don't know much but I kept wondering how long it would take if you had multiple computers attempting to crack it and there was some way they were all able to communicate what's already been tried. If there's xxxxxxxxxxxxx possibilities, sure it might take a while. But if you had 17 computers running day and night, I doubt it could last forever. 

Yeah, anything I download is either through FBI or Freeshop.

Also, this may be applicable:

Quote

It's a 128-bit key, so 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys.
Number of seconds in one year = 365 days x 24 hours x 60 minutes x 60 seconds = 31,536,000

Let's say you can test 10 BILLION keys per second, every second for a year...
(not exactly sure how many keys you could test per second, but let's say 10 billion per second)
31,536,000 x 10,000,000,000 = 315,360,000,000,000,000 keys per year per computer.

340,282,366,920,938,463,463,374,607,431,768,211,456 keys total (2^128)
000,000,000,000,000,000,000,315,360,000,000,000,000 keys checked per computer per year
(I've added leading zeros to show the huge difference between the numbers)

Let's say you can find the key after trying 50% of them; that is still
170,141,183,460,469,231,731,687,303,715,884,105,728 keys.

source: https://gbatemp.net/threads/needs-some-help-understanding-decrypted-title-keys-and-the-encryption-state-of-installed-cia-files.433394/#post-6510956
---
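The quoted arithmetic stops at "keys remaining"; carried through to a time, as an added worked equation (not from any post in the thread), it also answers the "17 computers running day and night" question above. Write $k = 128$ for the key size, $r$ for keys tested per second per machine, $N$ for the number of machines, and assume the key is found on average after half the space. The cost depends only on $k$, $r$ and $N$; the size of the encrypted file plays no part, as noted earlier in the thread.

$$
T = \frac{2^{k-1}}{N\,r} \;\text{seconds}
  = \frac{2^{127}}{N\,r \cdot 3.1536\times 10^{7}} \;\text{years}
$$

With the quote's figures, $r = 10^{10}$ and $N = 1$:

$$
T \approx \frac{1.70\times 10^{38}}{3.15\times 10^{17}} \approx 5.4\times 10^{20} \;\text{years}
$$

With $N = 17$ machines sharing the search perfectly, $T \approx 3.2\times 10^{19}$ years. Adding machines only subtracts $\log_2 N$ bits from the effective key size, so 17 machines turn a 128-bit search into roughly a 124-bit one; even $N = 2^{30}$ (about a billion machines) leaves some $5\times 10^{11}$ years, more than thirty times the age of the universe. That is the concrete reason "bruteforcing the encryption is not a real solution and will never be."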
