GTS: website research


Very nice, Vlad. Also, my host is crap. They don't respond to any of my emails, and they keep their sites on one IP. Also, it won't let me configure an A or CNAME on my cpanel. Even if I ask for a new IP or CNAME to be activated, they won't respond to emails.

I'm thinking about switching to Linode, unless anyone else has any other better suggestions on VPS servers. =/


But what if you browse the internet? How does the router know what PC to send it to?

Hehe, well I made that mostly to try and explain why we need port forwarding to make the dnsserver.py and pkmserver.py (DNS and HTTP applications) work, and why some get errors and are unable to connect to their DNS server or their HTTP server when behind a router, basically because port forwarding is not configured.

If you browse the internet, the router contains a table with information about where to send your packet (browsing the net is TCP port 80 packets). It sends your packet to the nearest router it knows is in the right "direction", then that router continues the same process, sending that packet to the next router closer to your target host, and so on until the host is reached. On top of this (application layer) we have services, in this case DNS (http://en.wikipedia.org/wiki/Domain_Name_System#Address_resolution_mechanism).


To start, awesome work. I have wanted a full Pokédex since I first played Red (never happened ><) and this really gives me a chance now.

More than that, I saw a post some pages ago dealing with GTS_Nuker. As I read it, it sounded like it can send multiple .pkms in one connection? Or is it multiple connections for a single hosted .PKM?


I experienced, when I connected with my SoulSilver and got an event Pokémon, that I was not booted from the server. I could access the normal GTS menu, but without any other trainers. I was using the GTS_Nuke combo for only myself.


You're lucky then, because my friends and I always have a BSOD when using Platinum or HG/SS (actually, it worked once for me).

If you can access the GTS menu when using a fake GTS server, then never send a Pokémon from the game, because you can't take it back, it'll be lost between time and space.


Alright thanks. (And darnit)

Also a point that i am sure has been brought up. If we know how the .PKM is formatted and encoded, can we not also extract one via the GTS?

I am working with a limited know-how of the system, but as I understand it, you for all intents and purposes send a .pkm to a server with some fiddly bits of code about trade requirements.

Shouldn't extracting the .pkm out of this be fairly simple?


Can we get the tech support out of the *research* thread?

Here is some data, courtesy of... mignot? Someone from IRC.

Sorted by encrypted.

0x pid   0b pid                             0x encrypted            0b encrypted
0d593d2b 00001101010110010011110100101011   4a 3b 2c d3 ad 0c 39 03 0100101000111011001011001101001110101101000011000011100100000011
0f4a4b55 00001111010010100100101101010101   4a 3b 2c e4 48 ac 3d 2e 0100101000111011001011001110010001001000101011000011110100101110
01050000 00000001000001010000000000000000   4a 3b 2c 1b 9e 9b cb 8e 0100101000111011001011000001101110011110100110111100101110001110
01000302 00000001000000000000001100000010   4a 3b 2c 1b 9c 98 ce 8e 0100101000111011001011000001101110011100100110001100111010001110
00000005 00000000000000000000000000000101   4a 3b 2c 18 5c 02 8c c4 0100101000111011001011000001100001011100000000101000110011000100
00000004 00000000000000000000000000000100   4a 3b 2c 19 10 68 4a f9 0100101000111011001011000001100100010000011010000100101011111001
00000002 00000000000000000000000000000010   4a 3b 2c 1f 88 36 c6 64 0100101000111011001011000001111110001000001101101100011001100100
00000001 00000000000000000000000000000001   4a 3b 2c 1c 44 9d 84 99 0100101000111011001011000001110001000100100111011000010010011001
00000003 00000000000000000000000000000011   4a 3b 2c 1e cc cf 08 2e 0100101000111011001011000001111011001100110011110000100000101110
10003020 00010000000000000011000000100000   4a 3b 2c 7d c0 5b 03 f2 0100101000111011001011000111110111000000010110110000001111110010
10500000 00010000010100000000000000000000   4a 3b 2c 7d e0 6b 53 f2 0100101000111011001011000111110111100000011010110101001111110010
0f5eee8a 00001111010111101110111010001010   4a 3b 2d f8 33 ea 0c 28 0100101000111011001011011111100000110011111010100000110000101000
0daf3ecc 00001101101011110011111011001100   4a 3b 2d db 92 45 fc 9b 0100101000111011001011011101101110010010010001011111110010011011
0d6b85f2 00001101011010111000010111110010   4a 3b 2d f2 99 7a 8d 19 0100101000111011001011011111001010011001011110101000110100011001
0f64931f 00001111011001001001001100011111   4a 3b 2d 38 e6 a5 ab 0f 0100101000111011001011010011100011100110101001011010101100001111
0f497b4f 00001111010010010111101101001111   4a 3b 2d 3f 65 10 40 90 0100101000111011001011010011111101100101000100000100000010010000
0f656682 00001111011001010110011010000010   4a 3b 2d 41 4e 7f 9b 99 0100101000111011001011010100000101001110011111111001101110011001
0f2ac754 00001111001010101100011101010100   4a 3b 2d 49 f0 96 c4 30 0100101000111011001011010100100111110000100101101100010000110000
0bdd5ba0 00001011110111010101101110100000   4a 3b 2d fe 8f 89 13 9a 0100101000111011001011011111111010001111100010010001001110011010
098fbd52 00001001100011111011110101010010   4a 3b 2d ba 51 4f da 0c 0100101000111011001011011011101001010001010011111101101000001100
0f4ab199 00001111010010101011000110011001   4a 3b 2d be 76 3f 07 d5 0100101000111011001011011011111001110110001111110000011111010101
0da9a07a 00001101101010011010000001111010   4a 3b 2d cd 6a d6 4e 8e 0100101000111011001011011100110101101010110101100100111010001110
0a99faed 00001010100110011111101011101101   4a 3b 2e 97 df 57 47 e3 0100101000111011001011101001011111011111010101110100011111100011


Alright thanks. (And darnit)

Also a point that i am sure has been brought up. If we know how the .PKM is formatted and encoded, can we not also extract one via the GTS?

I am working with a limited know-how of the system, but as I understand it, you for all intents and purposes send a .pkm to a server with some fiddly bits of code about trade requirements.

Shouldn't extracting the .pkm out of this be fairly simple?

When the encryption process is fully decrypted, that should be possible.

I think that the final goal is to have a fully functional fake GTS server that works with .pkm; that would be really great.

Could somebody help me port forward port 53? I tried the same thing I did with 80, but only 80 is open. 53 is still closed/unactivated.

Be careful, online port-checkers don't work with UDP ports.

If you did the same thing with TCP 80 and UDP 53, there's no reason for it to fail.


Hello all,

I've been reading this thread and forgive me if I've missed something, but there are several references to a "GTS Nuker" method of sending pkm files, but no download links. Can anyone point me to where to obtain this version of the script? I understand it's threaded and allows multiple transfers as opposed to the Python script which ends after each successful transaction.

Thanks for your time,

Gryphhg


I'm gonna try to figure out the Wonder Card problem. Now, when the gameboy connects to the WFC, trying to get a mystery gift, it contacts a server called dls1.nintendowifi.net. First it goes through Nintendo's NAS, and verifies that the connectee is indeed a DS. We need to reroute dls1.nintendowifi.net using the DNS server script (shouldn't be a problem, just a small change in the code from gamestat2 to dls1) and make a script to broadcast Wonder Card info.


Thanks. So when I used it and entered my IP I got a 0.0.0.0:53. What do I do then?

I said it already:

"DNS server started on 0.0.0.0:53" only means that the socket was successfully bound on the port 53 of your computer, this is NOT the equivalent of sendpkm.py's "Please set your DS's DNS server to 192.168.1.7" (for example).

This was more for debugging purposes actually.

So, step by step, you must:

- Know your external IP address, go here to have it for example

- Launch DNS_Server.exe, and input that IP when asked

- You are done with the DNS part, now start SendPKM.exe with a 236-byte .pkm or .bin file (you can drag and drop it on the .exe, that's much easier). It should say that it is ready and waiting for a connection.

That's all.

If both UDP port 53 and TCP port 80 are forwarded and reachable from the Internet, then any person who sets your external IP as his DS's primary DNS server and connects to the GTS should receive the .pkm you chose.

But remember that it may not work when connecting with a DS in the same network, in that case you have to replace your external IP by your computer's private IP in both DNS_Server.exe and your DS's DNS settings.
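Added example, written for this edit rather than taken from the thread's dnsserver.py or DNS_Server.exe: a minimal UDP/53 responder of the kind the steps above depend on. Names listed in SPOOFED (here only gamestats2.gs.nintendowifi.net) get an A record pointing at the IP you pass in, i.e. the external IP from step 1, or your private IP for a DS on the same LAN as the note above says; every other question is forwarded unchanged to an upstream resolver (8.8.8.8 is an assumption, pick any you trust) so the DS's other lookups keep working. The query packet used for the offline check is constructed in build_query and stands in for what the DS sends.

```python
"""Tiny spoofing DNS server: answer chosen names with our IP, forward the rest."""
import socket
import struct

SPOOFED = {"gamestats2.gs.nintendowifi.net"}   # names answered with our own IP


def encode_qname(name: str) -> bytes:
    """'a.b.c' -> DNS label format: <len><label>... followed by a 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(pkt: bytes, off: int):
    """Decode an uncompressed name at pkt[off:]; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer where a plain label was expected")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed client query (standard query, RD set, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def build_response(query: bytes, answer_ip: str, spoofed=SPOOFED, ttl: int = 60):
    """Return a spoofed A response, or None if this query should be forwarded."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack(">HHH", query[:6])
    if qdcount != 1:
        return None
    name, off = decode_qname(query, 12)
    qtype, qclass = struct.unpack(">HH", query[off:off + 4])
    if name.lower() not in spoofed or (qtype, qclass) != (1, 1):
        return None                              # not ours: let a real resolver answer
    question = query[12:off + 4]                 # echo the question section verbatim
    resp_flags = 0x8400 | (flags & 0x0100)       # QR + AA ("authoritative"), copy RD
    answer = (b"\xc0\x0c"                        # name = pointer to the question name
              + struct.pack(">HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(answer_ip))
    return struct.pack(">HHHHHH", txid, resp_flags, 1, 1, 0, 0) + question + answer


def answer_ips(resp: bytes) -> list:
    """Extract the A-record IPs from a response built by build_response (for checking)."""
    ancount = struct.unpack(">H", resp[6:8])[0]
    _, off = decode_qname(resp, 12)
    off += 4                                     # skip qtype/qclass
    ips = []
    for _ in range(ancount):
        off += 2                                 # compressed owner name
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def serve(answer_ip: str, upstream: str = "8.8.8.8", bind=("0.0.0.0", 53)):
    """Bind UDP/53 (needs admin/root) and loop: spoof SPOOFED names, forward others."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind)
    while True:
        data, client = srv.recvfrom(512)
        try:
            resp = build_response(data, answer_ip)
        except ValueError:
            continue                             # malformed: drop silently
        if resp is None:
            fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            fwd.settimeout(3)
            try:
                fwd.sendto(data, (upstream, 53))
                resp = fwd.recv(512)
            except socket.timeout:
                continue
            finally:
                fwd.close()
        srv.sendto(resp, client)


if __name__ == "__main__":
    import sys
    serve(sys.argv[1])                           # python fakedns.py <your IP>
```

Only the two spoofed names get a lie; everything else is proxied, so a DS pointed at this server still reaches Nintendo's NAS for login. As the post above says, web port checkers cannot see a UDP listener, so test it with `nslookup gamestats2.gs.nintendowifi.net <your IP>` from another machine instead.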


I didn't like having to sit at the computer, and manually change the pokemon I wanted.

So, I made this simple .bat script, using LordLandon's script (post #43).

Place the .bat into the same directory as the sendpkm.py script.

Have a pkm folder inside the same directory, and put your *.pkm files inside that folder.

It cycles through the whole directory, then loops back to the beginning

@echo off
rem Cycle forever through every .pkm in the pkm\ subfolder, sending each one
rem with sendpkm.py; when the list is exhausted, start again from the top.
rem setlocal sits outside the loop so it is not nested on every pass.
setlocal enabledelayedexpansion
:start
dir pkm\*.pkm /A:-D /b /n /O:N > dir.txt
for /F "usebackq delims=" %%G in ("dir.txt") do (
    set Line=%%G
    rem drop the 4-character ".pkm" extension
    set Line=!Line:~0,-4!
    echo File is now: pkm\!Line!.pkm
    C:\Python26\Python.exe sendpkm.py pkm\!Line!.pkm
)
goto start

Interestingly enough, when I started using my .bat, instead of throwing me an error, it sent me to the GTS menu, after I received the pokemon. Though, probably just a coincidence.


So.

As mentioned earlier in the thread, we now know how the checksum is obfuscated, thanks to Jalada and nicholas on IRC. (That is, by xoring it with 0x4a3b2c1d.)

By looking for the magic number 0x4a3b2c1d, I was able to find where in the ROM the encryption takes place, and to pinpoint the encryption algorithm. I'm sure you will not be surprised to learn that it uses yet another LCG, which I'm naming the GRNG, for "GTS Random Number Generator". (Terrible, I know. Also it sounds a bit like "grunge".)

Ladies and Gentlemen, the GRNG:

GRNG[n+1] = (GRNG[n] * 0x45 + 0x1111) & 0x7fffffff

The data is encrypted by xoring each byte with the low byte of the high word of the corresponding GRNG value, like so:

ciphertext[n] = plaintext[n] ^ ((GRNG[n] >> 16) & 0xff)

The checksum is used to seed the GRNG:

GRNG[0] = checksum | (checksum << 16)

(Oh, and for anyone interested, the routine for seeding the GRNG is at 0x02211E60 in Diamond, and the routine for advancing it is at 0x02211E70. These routines are found in overlay 79.)

So there you have it. I guess the floodgates are open. And now that I've figured out both the challenge-response hash and the data encryption, I'm kind of done with this GTS stuff. Honestly though, I'm a little worried about the SSL connection that takes place. Since we don't know much about it, and aren't even close to being able to spoof it, that means that when Nintendo eventually shuts down the official GTS server, all the fan servers will go with it. Enjoy it while it lasts.

And, as a parting note, I'm interested in seeing where the Wonder Card spoofing research goes.

Peace.
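Added example, written for this edit and not code from the post or from any of the thread's tools: the scheme described above in runnable Python, checked against four rows of mignot's pid table earlier in the thread (in those captures the payload is the 4-byte little-endian pid). Two details are inferred from the table rather than stated in the post and are marked as assumptions in the code: the checksum is the plain byte sum of the payload, and the obfuscated checksum is stored big-endian in front of the ciphertext. The captures also only match if the generator is stepped before each key byte is taken, so payload byte 0 is XORed with GRNG[1], the first value after the seed, not with the seed itself.

```python
"""GTS payload encryption: 0x4a3b2c1d-obfuscated checksum + GRNG keystream XOR."""

CHECKSUM_MAGIC = 0x4A3B2C1D                       # obfuscation constant from the post
GRNG_MUL, GRNG_ADD, GRNG_MASK = 0x45, 0x1111, 0x7FFFFFFF


def checksum(data: bytes) -> int:
    # Assumption inferred from the pid table: plain sum of all payload bytes.
    return sum(data)


def grng_seed(chk: int) -> int:
    """GRNG[0] = checksum | (checksum << 16); 32-bit register width assumed."""
    return (chk | (chk << 16)) & 0xFFFFFFFF


def grng_next(state: int) -> int:
    """GRNG[n+1] = (GRNG[n] * 0x45 + 0x1111) & 0x7fffffff."""
    return (state * GRNG_MUL + GRNG_ADD) & GRNG_MASK


def keystream(chk: int, length: int) -> bytes:
    """One key byte per payload byte: low byte of the high word of the state.
    The generator is stepped *before* each byte is taken; that is the only
    ordering under which the captured table rows reproduce."""
    state = grng_seed(chk)
    out = bytearray()
    for _ in range(length):
        state = grng_next(state)
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def gts_encrypt(plain: bytes) -> bytes:
    """Obfuscated checksum (big-endian, as in the table) then the XORed payload."""
    chk = checksum(plain)
    body = bytes(p ^ k for p, k in zip(plain, keystream(chk, len(plain))))
    return ((chk ^ CHECKSUM_MAGIC) & 0xFFFFFFFF).to_bytes(4, "big") + body


def gts_decrypt(blob: bytes) -> bytes:
    """Inverse of gts_encrypt; refuses data whose checksum does not verify."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte checksum header")
    chk = int.from_bytes(blob[:4], "big") ^ CHECKSUM_MAGIC
    body = blob[4:]
    plain = bytes(c ^ k for c, k in zip(body, keystream(chk, len(body))))
    if checksum(plain) != chk:
        raise ValueError("checksum mismatch: corrupted data or wrong key schedule")
    return plain


# Rows copied from the pid table in this thread: pid -> the 8 captured bytes.
TABLE_ROWS = {
    0x00000001: "4a3b2c1c449d8499",
    0x00000005: "4a3b2c185c028cc4",
    0x01050000: "4a3b2c1b9e9bcb8e",
    0x0d593d2b: "4a3b2cd3ad0c3903",
}


def verify_table(rows=TABLE_ROWS) -> list:
    """Re-encrypt each pid and return those that do not match the capture."""
    return [pid for pid, captured in rows.items()
            if gts_encrypt(pid.to_bytes(4, "little")) != bytes.fromhex(captured)]


if __name__ == "__main__":
    print("table mismatches:", verify_table())
    blob = gts_encrypt((0x0D593D2B).to_bytes(4, "little"))
    print(blob.hex(), "->", gts_decrypt(blob).hex())
```

verify_table() comes back empty for the rows above, and gts_decrypt rejects a blob whose recomputed checksum disagrees with the header, which is the minimum a fan server should check before trusting an inbound payload. Since the whole keystream is derived from a byte-sum checksum that is itself sent in the clear, this is obfuscation rather than encryption: anyone holding the blob can strip it.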


Very nice, Vlad. Also, my host is crap. They don't respond to any of my emails, and they keep their sites on one IP. Also, it won't let me configure an A or CNAME on my cpanel. Even if I ask for a new IP or CNAME to be activated, they won't respond to emails.

I'm thinking about switching to Linode, unless anyone else has any other better suggestions on VPS servers. =/

I don't think BIND (at least I think that's what your host is using) allows you to specify CNAMEs for domains not in your domain's zone.


BIND is happy to be a master zone for whatever domain you want, whether or not it's actually acting as the main nameserver for that domain.

eevee@tekkanin ~ $ host gamestats2.gs.nintendowifi.net
gamestats2.gs.nintendowifi.net has address 207.38.11.146
eevee@tekkanin ~ $ host gamestats2.gs.nintendowifi.net 72.232.182.50
gamestats2.gs.nintendowifi.net has address 72.232.182.50
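Added example of what the post above describes, not configuration from the thread: BIND declared master for gs.nintendowifi.net, so it answers gamestats2 from its own zone data instead of recursing. The file path, the ns./hostmaster names and 192.0.2.10 (standing in for your server's IP) are placeholders.

```conf
// named.conf fragment: claim the parent zone so our answer wins locally.
zone "gs.nintendowifi.net" {
    type master;
    file "/etc/bind/db.gs.nintendowifi.net";
};

; /etc/bind/db.gs.nintendowifi.net -- short TTL so the lie does not linger in caches
$TTL 60
@           IN  SOA  ns.fake-gts.invalid. hostmaster.fake-gts.invalid. (
                     1 3600 900 604800 60 )
            IN  NS   ns.fake-gts.invalid.
gamestats2  IN  A    192.0.2.10
```

After `rndc reload`, `host gamestats2.gs.nintendowifi.net <your server>` should print 192.0.2.10, as in the transcript above. Two caveats: any other name under gs.nintendowifi.net now gets NXDOMAIN from this server, and the DS still needs recursion for its other lookups, so `allow-recursion` must cover the client network.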

