Thanks for the quick reply! Code works fine (and obviously works better) but I still can't connect, even though ports are open. Beginning to wonder about latency, etc. Will probably just start grabbing packets and troubleshooting myself; I wonder if my computer is having trouble responding to the DNS request or the actual HTTP GTS transfer.


If I were to "deposit" a Pokémon, would I be able to edit the Pokémon on my computer and then send it back?


Wow. Great stuff here, LordLandon, Vlad.

Poking around in the ROM, I figured out how the hash is generated.

hash = sha1("sAdeqWo3voLeC5r16DYv" + token)

Breaking the encryption is going to be harder. Some random observations:

  • The data= parameter is base64-encoded
  • The base64-encoded data always begins with "Sj". Does anyone else find that odd? Wait—it's even better than that: the base64-decoded data always begins with "J;". Not sure what that means, though. Perhaps it indicates how the data is encrypted.
  • The data sent to post.asp is 300 bytes long. 8 bytes longer than the Pokémon data.
  • The data sent to exchange.asp is 304 bytes long. 12 bytes longer than the Pokémon data.
  • The data sent to post_finish.asp is 16 bytes long.
  • The data sent to info.asp, result.asp and get.asp is 8 bytes long and, for a given pid, is the same for every request. But it is different for different pids. This means that a change in the pid must correlate with a change in either the encryption OR the data. Personally, I'm betting on the data. It also means that the hash does not factor into the encryption.
  • If you post the same Pokémon twice, the data is completely different each time.
  • The API is not very RESTful.

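An added example, not code from any post in this thread, that turns the observations above into something you can run against a captured request: it computes the response hash from the formula magical found, decodes a data= value with urlsafe base64, checks the "J;" magic, splits off the 8-byte header and maps the decoded length to the endpoint sizes listed above. Two things in it are assumptions rather than facts from the page: that the client may omit base64 "=" padding (the decoder repairs it either way), and the 236-byte size of the underlying box structure, which is just 292 minus the 56 extra GTS bytes. The sample payload is magical's info.asp bytes as quoted later in the thread.

```python
import base64
import hashlib

# Salt recovered from the ROM (post above): response hash = sha1(salt + token).
GTS_SALT = "sAdeqWo3voLeC5r16DYv"

# Every decoded data= payload on this page starts with these two bytes,
# which is why the base64 form always starts with "Sj".
MAGIC = b"J;"
HEADER_LEN = 8

# Payload sizes observed on this page, keyed to the endpoint that sends them.
# 292 = the 0x124-byte GTS Pokémon record seen in the dumps (a 236-byte box
# structure plus the 56 extra GTS bytes; 236 is derived, not stated on the page).
GTS_PKM_LEN = 292
SIZE_TO_ENDPOINT = {
    8: "info.asp / result.asp / get.asp (header only, no payload)",
    16: "post_finish.asp (header + 8 bytes)",
    8 + GTS_PKM_LEN: "post.asp (header + GTS Pokémon)",
    12 + GTS_PKM_LEN: "exchange.asp (post.asp layout + 4 bytes)",
}


def response_hash(token):
    """The hash= value the client must send back for a challenge token."""
    return hashlib.sha1((GTS_SALT + token).encode("ascii")).hexdigest()


def hash_matches(token, hash_hex):
    """Check a captured request: does its hash= fit its token=?"""
    return hash_hex.lower() == response_hash(token)


def decode_data(param):
    """urlsafe base64 decode of a data= value, tolerating missing '=' padding
    (assumption: the client may omit it), then verify the 'J;' magic."""
    padded = param + "=" * (-len(param) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if not raw.startswith(MAGIC):
        raise ValueError("payload does not start with %r" % MAGIC)
    return raw


def encode_data(raw):
    """Inverse of decode_data, for replaying a modified payload."""
    return base64.urlsafe_b64encode(raw).decode("ascii")


def split_payload(raw):
    """(8-byte header, body): the header carries the magic plus six bytes
    that vary per pid/request; the body is what the endpoint acts on."""
    return raw[:HEADER_LEN], raw[HEADER_LEN:]


def classify(raw):
    """Guess the endpoint from the decoded length, using the sizes above."""
    return SIZE_TO_ENDPOINT.get(len(raw), "unrecognised length %d" % len(raw))


# Constructed sample: magical's info.asp payload for pid 0x05da5237 as quoted
# on this page (4a3b 2d75 3f14 cc1d).
SAMPLE_INFO_PAYLOAD = bytes.fromhex("4a3b2d753f14cc1d")
```

The "Sj" prefix follows directly from the magic: base64 of the two bytes 0x4a 0x3b is "Sj", so the odd-looking prefix is just the "J;" header and says nothing about the cipher. Note that hash_matches only tells you a capture is internally consistent; the page's observation that info.asp data does not change with the token already shows the hash plays no part in the encryption.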

Okay, attempting to think through this out loud, and IRC doesn't really cut the size of this stuff.

I'm basing the following on LordLandon's depundep.txt.

The Pokémon he sent out (based on the response from get.asp) was this:

0000000: ae38 6151 0000 0701 bb92 b2de e153 5dba  .8aQ.........S].
0000010: d0af 248a 8d23 cbf4 ed52 a78d 4550 5c77  ..$..#...R..EP\w
0000020: ec29 6f56 892a 40dc 28a9 df4c e1fa ae9b  .)oV.*@.(..L....
0000030: ef0c 99eb 4518 0da1 0da3 9d23 5440 ba9b  ....E......#T@..
0000040: bc5d c9cc b251 8019 21f3 9604 2e7f 977a  .]...Q..!......z
0000050: b80a ab11 ac82 b276 f4c8 5d94 8a00 be44  .......v..]....D
0000060: 99be ae22 f2d2 d402 dadc ebe0 f931 5d93  ...".........1].
0000070: 6cb7 b37d 73d7 a3ed 8ddd 6b86 9246 4657  l..}s.....k..FFW
0000080: 84c5 3346 0a5a f0f4 3e4a 9380 c5ee 5bec  ..3F.Z..>J....[.
0000090: c7a9 2134 14e2 fc35 645c 0ad4 053e acd3  ..!4...5d\...>..
00000a0: 428d 103b 24be 09eb 13cd 1aea 5f9b bcea  B..;$......._...
00000b0: 71ec deb5 3edb 19ca 48fb 64c6 21c3 5d34  q...>...H.d.!.]4
00000c0: afeb 9d2b 1cae e261 3307 9784 a691 bfb9  ...+...a3.......
00000d0: 62d1 9ab2 f9de e3ea e978 4116 8244 6784  b........xA..Dg.
00000e0: 7db9 9624 cbee a0d2 0154 db5d 8901 0101  }..$.....T.]....
00000f0: cc01 0300 0000 0000 da07 021b 0e38 0700  .............8..
0000100: 0000 0000 0000 0000 5bb9 fa06 3601 4501  ........[...6.E.
0000110: 5201 4801 5301 5201 ffff 0000 0e5f 0000  R.H.S.R......_..
0000120: 3200 0a02                                2..

That Pokémon, decoded:

0000000: ae38 6151 0000 0701 0100 3900 7f00 0000  .8aQ......9.....
0000010: 230f 0f00 0000 0000 f534 f518 0000 0000  #........4......
0000020: 0000 0000 d007 1800 3a01 3301 3a01 3601  ........:.3.:.6.
0000030: 3f01 3a01 ffff 19c0 18b3 0c02 3037 000c  ?.:.........07..
0000040: 0000 0000 0000 0000 3301 3d01 2b01 2b01  ........3.=.+.+.
0000050: 2d01 ffff 0000 0000 0a02 050a 0205 d007  -...............
0000060: 1800 0004 0000 0000 8901 0000 255f a912  ............%_..
0000070: 0000 0000 4643 0002 0000 0000 0000 0000  ....FC..........
0000080: 0000 0000 0000 0000 0000 0000 0100 0c00  ................
0000090: 0c00 0600 0600 0500 0500 0600 0000 0000  ................
00000a0: 0002 0aff ffff ffff ffff ffff ffff ffff  ................
00000b0: ffff ffff ffff ffff ffff 2602 ffff 0000  ..........&.....
00000c0: ffff ffff ffff 3a01 ffff ffff ffff 4301  ......:.......C.
00000d0: ffff ffff 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0003 8901 0101  ................
00000f0: cc01 0300 0000 0000 da07 021b 0e38 0700  .............8..
0000100: 0000 0000 0000 0000 5bb9 fa06 3601 4501  ........[...6.E.
0000110: 5201 4801 5301 5201 ffff 0000 0e5f 0000  R.H.S.R......_..
0000120: 3200 0a02                                2..

The data he actually sent:

pid: 117094747

challenge token: TQzGoOU4R5M3CzCkomJqXFcrupqnKquF

response hash: 328c76b3e37832732566c14ae596b7856956c48d

data, as decoded by Python's urlsafe_b64decode:

0000000: 4a3b aea9 fcae abec e42b 58c8 5907 e38e  J;.......+X.Y...
0000010: 0cca 7fa7 44dc f343 9ebc 0183 1c00 6e64  ....D..C......nd
0000020: e24a 07c9 338a afb6 e188 fbb1 08c5 38a6  .J..3.........8.
0000030: d862 17b9 d5ba eb2b 9c1a 60d8 a0c8 2d7b  .b.....+..`...-{
0000040: e844 ca88 6806 bfee 165a c1e7 053c 2199  .D..h....Z...<!.
0000050: 9bd0 34c1 09ca 407a a646 185f 9e2d 8f0a  ..4...@z.F._.-..
0000060: 8cbf 6775 5b92 233b e342 837e 2069 a319  ..gu[.#;.B.~ i..
0000070: b1c5 1f3f ac17 26f1 c4d9 592f 222f b100  ...?..&...Y/"/..
0000080: 925c 8a58 9cb1 920f 50fc ae37 a055 e136  .\.X....P..7.U.6
0000090: 602f c5bd 5223 10a3 af9d 190c 0d06 4492  `/..R#........D.
00000a0: 56e0 ee4f cf93 6ea5 52fb fe5f 3c1f 8006  V..O..n.R.._<...
00000b0: fb73 453c 9b44 e1d4 c6ba ed43 5c70 5feb  .sE<.D.....C\p_.
00000c0: 421a bfc8 ff28 2267 2881 2707 ef04 1772  B....("g(.'....r
00000d0: 50da 3e26 1206 751f 895b ee37 fc5a 3539  P.>&..u..[.7.Z59
00000e0: 17d0 1c26 a3ae 45e2 f277 01e5 d88c ce7c  ...&..E..w.....|
00000f0: 272d 11c4 b62a ab00 928a 90de d9a8 7e35  '-...*........~5
0000100: 67c8 03fa 6be1 c527 8359 1e1b 5100 0b35  g...k..'.Y..Q..5
0000110: 8a4b 5bb2 08d2 50c7 3a0e 60f6 e54e 0abe  .K[...P.:.`..N..
0000120: 6405 6562 9a56 7e0d 8ac4 ec30            d.eb.V~....0

This is 300 bytes -- eight bytes longer than the size of a Pokémon save struct with the extra 56 GTS bytes.

The post_finish was:

token: RopF90e9azV0W2mqhIWuLIbn5qSqqrDT

hash: 97f3488b0caa742140e4bdc2a118c091b66d0355

data:

0000000: 4a3b 2f96 23e0 d995 b2a9 455b f955 fbba  J;/.#.....E[.U..

As magical said, posting the same Pokémon twice results in entirely different data. It then seems likely that the token or hash is used as a key... but requests to info.asp et al send the same eight bytes. And what is being sent to post_finish that it has another eight bytes?

4a3b aea9 fcae abec -- first eight bytes to post.asp

4a3b 2f96 23e0 d995 -- first eight bytes to post_finish.asp

Looking at some of magical's experiments, I've noticed the following.

These are data sent to info.asp, from three different pids (two magical, the third depundep):

0000000: 4a3b 2d75 3f14 cc1d                      J;-u?...

0000000: 4a3b 2de5 07b1 0239                      J;-....9

0000000: 4a3b 2e09 3fa6 8a60                      J;..?..`

And these are data sent to post_finish.asp, from the same two different pids:

0000000: 4a3b 2f33 51ef f2e5 a09e d65f 3ca0 3bf3  J;/3Q......_<.;.

0000000: 4a3b 2fe9 1af2 0cc6 887a c2f3 24ad dc68  J;/......z..$..h

0000000: 4a3b 2f96 23e0 d995 b2a9 455b f955 fbba  J;/.#.....E[.U..

pids are:

98193975 (0x05da5237)

255512799 (0x0f3ad0df)

117094747 (0x06fab95b)

So the third byte seems to stay the same across requests to the same page. Except for depundep's info.asp, which is off by 1..?

The info.asp data might be a null payload. So what are the other five bytes? Hash of the pid?


magical has performed a fascinating experiment.

He posted this Pokémon:

0000000: 0bbe 49d0 0000 cb1e 3764 78b1 74f3 97b2  ..I.....7dx.t...
0000010: b24c fab5 37fd f13c 40f5 bfdd 7355 0281  .L..7..<@...sU..
0000020: c754 1f06 9538 4e24 6b56 7231 d74a d352  .T...8N$kVr1.J.R
0000030: 2c5d 334f 3f5e b54b 45cb 861b f78e f4fa  ,]3O?^.KE.......
0000040: f41d b4e5 7195 1be1 8769 abb8 2fe2 7360  ....q....i../.s`
0000050: 4419 a39d df5f 46f5 e959 a6c4 8748 f86a  D...._F..Y...H.j
0000060: a8a3 894c 4057 54ee 991d 32eb 59cf a276  ...L@WT...2.Y..v
0000070: 8ed7 a70e 60d8 3268 c9d7 87f5 cec5 6c7f  ....`.2h......l.
0000080: be37 c58a e9ff 2659 cfee 064d 8f09 3f4a  .7....&Y...M..?J
0000090: 128b 9dec 0aab 7472 dc1d 8f88 a6c8 b6f0  ......tr........
00000a0: 40e7 6bcc c1e2 22ad 5cae 5d39 b797 7dac  @.k...".\.]9..}.
00000b0: 48d6 7d21 e5fb 140a e703 41c9 1cbd 1d8b  H.}!......A.....
00000c0: 3f9f cb50 344a 1ff5 3131 45c6 a63d f7b4  ?..P4J..11E..=..
00000d0: 77f5 9147 152a f1b0 a36f 5c6d 6e68 8a95  w..G.*...o\mnh..
00000e0: c19b 5b61 dd0a 0c61 3a3d 8226 9f01 020c  ..[a...a:=.&....
00000f0: 3f00 0264 6400 0000 da07 0315 1025 0200  ?..dd........%..
0000100: 0000 0000 0000 0000 3752 da05 2b01 5201  ........7R..+.R.
0000110: 4801 5601 4901 5b01 ffff 0000 47bc 0000  H.V.I.[.....G...
0000120: 3300 0a02                                3...

which resulted in this data:

0000000: 4a3b 52db b7c2 32b5 afda bd0d 913e 2c78  J;R...2......>,x
0000010: a9fb 8b27 ecda 9953 0173 fa95 9a1c 5f33  ...'...S.s...._3
0000020: 0532 18d7 aee9 ef84 ab6b 19cc 3d6e 0a5c  .2.......k..=n.\
0000030: 1ae5 2008 5541 d316 78ee 625c 6c23 71ac  .. .UA..x.b\l#q.
0000040: 0018 6661 0f9c f7fe d937 d997 b3e1 9303  ..fa.....7......
0000050: a3bc d0dc daf0 838d be6a 8001 97c3 6bc7  .........j....k.
0000060: 59f0 2909 eec1 fb8c 563e 09c7 38c5 d833  Y.).....V>..8..3
0000070: 5460 f525 d3f9 1463 3320 6a7d 45ee f343  T`.%...c3 j}E..C
0000080: 5716 8a49 06dc a89d 4626 5247 8b58 01f8  W..I....F&RG.X..
0000090: 49cd 8b62 5766 17b9 a633 35a3 88ef 2d75  I..bWf...35...-u
00000a0: fb8e 3d76 0b71 a8c0 731b 613d d949 13c8  ..=v.q..s.a=.I..
00000b0: 3991 7b79 ce21 5d6c b1fa 77c8 1247 d80b  9.{y.!]l..w..G..
00000c0: 8594 9585 b3de f481 f848 f9ff 06dc 9c97  .........H......
00000d0: b378 ad7f a53c 8200 d538 dcbf 09bd 03ff  .x...<...8......
00000e0: cb2a 9133 0666 7433 0d80 3ddf 9a6a f8ae  .*.3.ft3..=..j..
00000f0: cd87 af77 904b 020a f611 cb51 ecce a329  ...w.K.....Q...)
0000100: 5116 f4eb 6eb2 353c 593f ffd6 f101 5ce5  Q...n.5<Y?....\.
0000110: db08 4dc1 1e86 c5ee cb73 8259 9d59 e3c8  ..M......s.Y.Y..
0000120: ca7f a2ab 1dfb 6405 bbba 5eb3            ......d...^.

To which he applied:

from base64 import b64decode, b64encode

# Runs inside the proxy between the DS and the real GTS; req is the proxy's
# parsed request object (not shown here). Flip two bits of the encrypted
# post.asp payload and let the official server decide whether it still validates.
if req.action == 'post' and 'data' in req.qvars:
    data = b64decode(req.qvars['data'][0].encode('ascii'))
    data = bytearray(data)
    data[-56 + 0x04] ^= 1  # requested pokemon
    data[-56 + 0x12] ^= 1  # second dep'd
    data = bytes(data)
    req.qvars['data'][0] = b64encode(data).decode('ascii')

Which resulted in:

0000000: 4a3b 52db b7c2 32b5 afda bd0d 913e 2c78  J;R...2......>,x
0000010: a9fb 8b27 ecda 9953 0173 fa95 9a1c 5f33  ...'...S.s...._3
0000020: 0532 18d7 aee9 ef84 ab6b 19cc 3d6e 0a5c  .2.......k..=n.\
0000030: 1ae5 2008 5541 d316 78ee 625c 6c23 71ac  .. .UA..x.b\l#q.
0000040: 0018 6661 0f9c f7fe d937 d997 b3e1 9303  ..fa.....7......
0000050: a3bc d0dc daf0 838d be6a 8001 97c3 6bc7  .........j....k.
0000060: 59f0 2909 eec1 fb8c 563e 09c7 38c5 d833  Y.).....V>..8..3
0000070: 5460 f525 d3f9 1463 3320 6a7d 45ee f343  T`.%...c3 j}E..C
0000080: 5716 8a49 06dc a89d 4626 5247 8b58 01f8  W..I....F&RG.X..
0000090: 49cd 8b62 5766 17b9 a633 35a3 88ef 2d75  I..bWf...35...-u
00000a0: fb8e 3d76 0b71 a8c0 731b 613d d949 13c8  ..=v.q..s.a=.I..
00000b0: 3991 7b79 ce21 5d6c b1fa 77c8 1247 d80b  9.{y.!]l..w..G..
00000c0: 8594 9585 b3de f481 f848 f9ff 06dc 9c97  .........H......
00000d0: b378 ad7f a53c 8200 d538 dcbf 09bd 03ff  .x...<...8......
00000e0: cb2a 9133 0666 7433 0d80 3ddf 9a6a f8ae  .*.3.ft3..=..j..
00000f0: cd87 af77 904b 020a f711 cb51 ecce a329  ...w.K.....Q...)
0000100: 5116 f4eb 6eb2 343c 593f ffd6 f101 5ce5  Q...n.4<Y?....\.
0000110: db08 4dc1 1e86 c5ee cb73 8259 9d59 e3c8  ..M......s.Y.Y..
0000120: ca7f a2ab 1dfb 6405 bbba 5eb3            ......d...^.

Flipped bits are in 0xf8 and 0x106.

Which was accepted by the server and resulted in this Pokémon coming back:

0000000: 0bbe 49d0 0000 cb1e 3764 78b1 74f3 97b2  ..I.....7dx.t...
0000010: b24c fab5 37fd f13c 40f5 bfdd 7355 0281  .L..7..<@...sU..
0000020: c754 1f06 9538 4e24 6b56 7231 d74a d352  .T...8N$kVr1.J.R
0000030: 2c5d 334f 3f5e b54b 45cb 861b f78e f4fa  ,]3O?^.KE.......
0000040: f41d b4e5 7195 1be1 8769 abb8 2fe2 7360  ....q....i../.s`
0000050: 4419 a39d df5f 46f5 e959 a6c4 8748 f86a  D...._F..Y...H.j
0000060: a8a3 894c 4057 54ee 991d 32eb 59cf a276  ...L@WT...2.Y..v
0000070: 8ed7 a70e 60d8 3268 c9d7 87f5 cec5 6c7f  ....`.2h......l.
0000080: be37 c58a e9ff 2659 cfee 064d 8f09 3f4a  .7....&Y...M..?J
0000090: 128b 9dec 0aab 7472 dc1d 8f88 a6c8 b6f0  ......tr........
00000a0: 40e7 6bcc c1e2 22ad 5cae 5d39 b797 7dac  @.k...".\.]9..}.
00000b0: 48d6 7d21 e5fb 140a e703 41c9 1cbd 1d8b  H.}!......A.....
00000c0: 3f9f cb50 344a 1ff5 3131 45c6 a63d f7b4  ?..P4J..11E..=..
00000d0: 77f5 9147 152a f1b0 a36f 5c6d 6e68 8a95  w..G.*...o\mnh..
00000e0: c19b 5b61 dd0a 0c61 3a3d 8226 9f01 020c  ..[a...a:=.&....
00000f0: 3e00 0264 6400 0000 da07 0315 1036 3a00  >..dd........6:.
0000100: 0000 0000 0000 0000 3752 da05 2b01 5201  ........7R..+.R.
0000110: 4801 5601 4901 5b01 ffff 0000 47bc 0000  H.V.I.[.....G...
0000120: 3300 0a02                                3...

The only differences are in 0xf0 and 0xfd.

His pid is 98193975 (0x05da5237).

The snapshots may have a different timestamp.

Before, the requested Pokémon was an Abra; after, it was set to Poliwrath.

Decoded (probably):

Before:

0000000: 0bbe 49d0 0000 cb1e 4601 ffff 3701 2c01  ..I.....F...7.,.
0000010: 2f01 2f01 ffff 0000 0000 0000 0000 000a  /./.............
0000020: 0000 0000 0000 0000 9f01 5e00 47bc 11ea  ..........^.G...
0000030: cd03 0000 4676 0002 0000 0000 0000 0000  ....Fv..........
0000040: 0000 0000 0000 0000 2b01 5201 4801 5601  ........+.R.H.V.
0000050: 4901 5b01 ffff 0000 0000 000a 0204 0000  I.[.............
0000060: 1600 0004 0c00 0000 e600 1000 0000 0000  ................
0000070: 1423 0000 0000 0000 ff0c 719f 0000 0000  .#........q.....
0000080: 0200 0000 0000 0000 0000 0000 0c00 2000  .............. .
0000090: 2000 0d00 1000 1300 0e00 1000 0000 0000   ...............
00000a0: 0002 0aff ffff ffff ffff ffff ffff ffff  ................
00000b0: ffff ffff ffff ffff ffff 2602 ffff 0000  ..........&.....
00000c0: ffff ffff ffff 3a01 ffff ffff ffff 4301  ......:.......C.
00000d0: ffff ffff 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0003 d666 7673  .............fvs
00000f0: 210a d853 c854 0561 a024 57ea e7ec 5e99  !..S.T.a.$W...^.
0000100: da68 fc92 3387 c1db 38d2 b5c5 c32d ed69  .h..3...8....-.i
0000110: 7a94 dc04 8864 aec1 17e9 6371 37ba 2eb1  z....d....cq7...
0000120: d5f2 77a2                                ..w.

After:

0000000: 0bbe 49d0 0000 cb1e 4601 ffff 3701 2c01  ..I.....F...7.,.
0000010: 2f01 2f01 ffff 0000 0000 0000 0000 000a  /./.............
0000020: 0000 0000 0000 0000 9f01 5e00 47bc 11ea  ..........^.G...
0000030: cd03 0000 4676 0002 0000 0000 0000 0000  ....Fv..........
0000040: 0000 0000 0000 0000 2b01 5201 4801 5601  ........+.R.H.V.
0000050: 4901 5b01 ffff 0000 0000 000a 0204 0000  I.[.............
0000060: 1600 0004 0c00 0000 e600 1000 0000 0000  ................
0000070: 1423 0000 0000 0000 ff0c 719f 0000 0000  .#........q.....
0000080: 0200 0000 0000 0000 0000 0000 0c00 2000  .............. .
0000090: 2000 0d00 1000 1300 0e00 1000 0000 0000   ...............
00000a0: 0002 0aff ffff ffff ffff ffff ffff ffff  ................
00000b0: ffff ffff ffff ffff ffff 2602 ffff 0000  ..........&.....
00000c0: ffff ffff ffff 3a01 ffff ffff ffff 4301  ......:.......C.
00000d0: ffff ffff 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0003 d666 7673  .............fvs
00000f0: 200a d853 c854 0561 a024 57ea e7ff 6699   ..S.T.a.$W...f.
0000100: da68 fc92 3387 c1db 38d2 b5c5 c32d ed69  .h..3...8....-.i
0000110: 7a94 dc04 8864 aec1 17e9 6371 37ba 2eb1  z....d....cq7...
0000120: d5f2 77a2                                ..w.

Differences are in the same places.

So. Flipped bits at 0xf8 and 0x106 in the data. Discarding the 0x08 bytes for the header, that leaves offsets 0xf0 and 0xfd -- which are the exact bytes that differ in the decoded Pokémon.

Awesome.

Here's the bit-twiddled data, minus the first eight bytes, XORed with the Pokémon that came back:

0000000: a464 f4dd 913e e766 9e9f f396 9829 0ee1  .d...>.f.....)..
0000010: b33f 0020 ade1 ae0f 45c7 a70a ddbc ed05  .?. ....E.......
0000020: 6c3f 06ca a856 4478 71b3 5239 820b 0044  l?...VDxq.R9...D
0000030: 54b3 5113 537d c4e7 45d3 e07a f812 0304  T.Q.S}..E..z....
0000040: 2d2a 6d72 c274 88e2 24d5 7b64 f512 f0ed  -*mr.t..$.{d....
0000050: fa73 239c 489c 2d32 b0a9 8fcd 6989 03e6  .s#.H.-2....i...
0000060: fe9d 808b 7892 8cdd cd7d c7ce 8a36 b615  ....x....}...6..
0000070: bdf7 cd73 2536 c12b 9ec1 0dbc c819 c4e2  ...s%6.+........
0000080: f811 97cd 62a7 27a1 8623 8d2f d86f 28f3  ....b.'..#./.o(.
0000090: b4b8 a84f 8244 5907 2793 b2fe adb9 1e30  ...O.DY.'......0
00000a0: 33fc 0af1 18ab 3165 653f 2640 79b6 20c0  3.....1ee?&@y. .
00000b0: f92c 0ae9 f7bc cc01 6297 d44c af63 e90a  .,......b..L.c..
00000c0: c7d7 32af 3296 8362 8249 e8b9 0301 75b4  ..2.2..b.I....u.
00000d0: a2cd 4df8 1c97 f24f 6845 cd5e 680e fea6  ..M....OhE.^h...
00000e0: cc1b 66be 4760 f4cf f7ba 2d51 0f4a 0006  ..f.G`....-Q.J..
00000f0: c911 c935 88ce a329 8b11 f7fe 7e84 0e3c  ...5...)....~..<
0000100: 593f ffd6 f101 5ce5 ec5a 97c4 3587 97ef  Y?....\..Z..5...
0000110: 8372 d458 d458 b8c9 3580 a2ab 5a47 6405  .r.X.X..5...ZGd.
0000120: 88ba 54b1                                ..T.

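An added example, not from any post in the thread, that models what the XOR in the post above is testing. It stands in a toy XOR stream cipher (SHA-1 in counter mode over a seed; the seed is a hypothetical placeholder, not the real key derivation, and nothing about the actual GTS cipher is claimed) and shows two things: that ciphertext XOR known plaintext recovers the keystream, and that flipping bit b at data offset p changes exactly bit b at Pokémon offset p - 8 after decryption, which is the 0xf8 to 0xf0 mapping found above. The inputs are constructed: a 292-byte stand-in record, the pid from the experiment as the seed, and the first eight bytes of magical's post.asp payload as the header.

```python
import hashlib
import struct

HEADER_LEN = 8  # the eight bytes in front of the Pokémon in a post.asp payload


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("length mismatch: %d vs %d" % (len(a), len(b)))
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(data, plaintext, header_len=HEADER_LEN):
    """Known-plaintext step from the post above: (data minus header) XOR
    plaintext. If the cipher is an XOR stream cipher, this is the keystream."""
    return xor_bytes(data[header_len:header_len + len(plaintext)], plaintext)


def flip_bit(buf, offset, bit):
    out = bytearray(buf)
    out[offset] ^= 1 << bit
    return bytes(out)


# --- Toy stand-in for the unknown GTS cipher (assumption, not the real one). ---
# SHA-1 in counter mode over a seed; the seed stands in for whatever the game
# derives from the pid and checksum. Only the XOR structure matters here.
def toy_keystream(seed, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha1(seed + struct.pack("<I", counter)).digest()
        counter += 1
    return out[:length]


def toy_encrypt(plaintext, seed, header):
    return header + xor_bytes(plaintext, toy_keystream(seed, len(plaintext)))


def toy_decrypt(data, seed, header_len=HEADER_LEN):
    body = data[header_len:]
    return xor_bytes(body, toy_keystream(seed, len(body)))


def keystream_recovery_works(plaintext, seed, header):
    """Does recover_keystream on (ciphertext, plaintext) give the real keystream?"""
    data = toy_encrypt(plaintext, seed, header)
    return recover_keystream(data, plaintext) == toy_keystream(seed, len(plaintext))


def changed_offsets_after_flip(plaintext, seed, header, data_offset, bit):
    """Flip one bit of the ciphertext at data_offset and report which plaintext
    offsets differ after decryption. For an XOR stream cipher the answer is
    exactly [data_offset - HEADER_LEN]; a block cipher or a cipher with
    feedback would garble a whole block or everything after the flip."""
    tampered = flip_bit(toy_encrypt(plaintext, seed, header), data_offset, bit)
    decrypted = toy_decrypt(tampered, seed)
    return [i for i in range(len(plaintext)) if decrypted[i] != plaintext[i]]


# Constructed sample inputs (not captured traffic): a 292-byte stand-in for the
# GTS Pokémon record, the pid from magical's experiment as a hypothetical seed,
# and the first eight bytes of his post.asp payload as the header.
SAMPLE_POKEMON = bytes(i & 0xFF for i in range(292))
SAMPLE_SEED = struct.pack("<I", 0x05DA5237)
SAMPLE_HEADER = bytes.fromhex("4a3b52dbb7c232b5")
```

The point of the model is the diagnostic it gives: if the real cipher were a block cipher in a chained mode, one flipped ciphertext bit would garble a whole block or every following byte instead of one plaintext bit, so a clean one-to-one mapping in the captures is strong evidence for an XOR keystream. It also means a keystream recovered this way can be reused to forge any record of the same length for the same pid, but only if the key does not itself depend on the data, and only if whatever integrity check the server enforces is satisfied.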

Current thoughts on the cipher itself:

Pokémon sent to the GTS have an extra eight bytes added. What are these? The data sent to post_finish.asp is also eight bytes long; is it the same thing?

Pokémon sent to exchange.asp have *another* four bytes added -- presumably the receiver's pid.

I'm assuming here that info.asp has an empty payload. Here are four data sent to info.asp, from two of magical's games, LordLandon's game, and my Platinum:

pid 0x05da5237: 0x752d3b4a 0x1dcc143f
pid 0x0f3ad0df: 0xe52d3b4a 0x3902b107
pid 0x06fab95b: 0x092e3b4a 0x608aa63f
pid 0x0b7b1424: 0xa32c3b4a 0x6b3bb412

LordLandon did an experiment, slightly changing his game's pid. The results were:

pid 0x06fab95b: 0x092e3b4a 0x608aa63f
pid 0x06fab95c: 0x082e3b4a 0x374801f5
pid 0x07fab95b: 0x082e3b4a 0x364801f2

pid 0x07fab95c: 0x0b2e3b4a 0xfb0ee8b2
pid 0x07faba5c: 0x0a2e3b4a 0xc0cc506f

In inconvenient binary form:

00000110 11111010 10111001 01011011 pid
00001000 00101110 00111011 01001010
01100000 10001010 10100110 00111111

00000110 11111010 10111001 01011100 pid
00001000 00101110 00111011 01001010
00110111 01001000 00000001 11110101

00000111 11111010 10111001 01011011 pid
00001000 00101110 00111011 01001010
00110110 01001000 00000001 11110010

00000111 11111010 10111001 01011100 pid
00001011 00101110 00111011 01001010
11111011 00001110 11101000 10110010

00000111 11111010 10111010 01011100 pid
00001010 00101110 00111011 01001010
11000000 11001100 01010000 01101111

We know:

- Flipping one bit in good data makes bad data. Flipping two separated bits in good data makes good data.

- The same pid sends the same data to info.asp every time. Different pids send different data to info.asp.

- Posting the same Pokémon *from a box* twice sends radically different data (magical). Posting the same Pokémon *from the party* twice sends exactly the same data (LordLandon).

It seems both the pid and a checksum of the data are used to generate the key.

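An added example, not from any post in the thread, for testing the checksum hypothesis behind "flipping one bit in good data makes bad data; flipping two separated bits makes good data". It models two candidate integrity checks, a single XOR parity bit and an additive sum of little-endian 16-bit words (both are models; the page does not establish which check the server actually applies), and reports which of them would still accept a given set of bit flips. The record is a constructed 292-byte stand-in with the two bytes from magical's experiment set to the values in his "before" dump; the flips are the ones that experiment made, expressed as offsets into the record after the 8-byte header.

```python
import struct


def xor_parity(buf):
    """Single parity bit over the whole buffer: the simplest 'parity check'."""
    acc = 0
    for b in buf:
        acc ^= b
    return bin(acc).count("1") & 1


def word_sum16(buf):
    """Additive checksum: sum of little-endian 16-bit words, mod 2**16."""
    if len(buf) % 2:
        raise ValueError("buffer length must be even")
    words = struct.unpack("<%dH" % (len(buf) // 2), buf)
    return sum(words) & 0xFFFF


def flip_bit(buf, offset, bit):
    out = bytearray(buf)
    out[offset] ^= 1 << bit
    return bytes(out)


def check_survives(check, buf, flips):
    """True if `check` gives the same value before and after applying every
    (offset, bit) flip in `flips`."""
    tampered = buf
    for offset, bit in flips:
        tampered = flip_bit(tampered, offset, bit)
    return check(tampered) == check(buf)


CHECKS = {"parity": xor_parity, "sum16": word_sum16}


def discriminate(buf, flips):
    """Which checksum hypotheses would accept this set of flips?"""
    return {name: check_survives(fn, buf, flips) for name, fn in CHECKS.items()}


# Constructed 292-byte stand-in for the plaintext record, with the two bytes
# from magical's experiment set to the values in his "before" dump: 0x3f at
# 0xf0 (the requested species) and 0x02 at 0xfe.
_buf = bytearray(i & 0xFF for i in range(292))
_buf[0xF0] = 0x3F
_buf[0xFE] = 0x02
SAMPLE_RECORD = bytes(_buf)

# magical's double flip: bit 0 at 0xf0 goes 1 -> 0 and bit 0 at 0xfe goes 0 -> 1.
MAGICAL_FLIPS = [(0xF0, 0), (0xFE, 0)]
```

magical's pair clears bit 0 at 0xf0 and sets bit 0 at 0xfe, so it cancels under an additive word sum as well as under parity, which is why that experiment cannot tell the two apart. A pair that clears the same bit in both bytes (bit 1 at 0xf0 and at 0xfe, both set in the dump) passes parity but changes the sum by 4, so pushing that pair through the proxy separates the two hypotheses with a single request. Any CRC would reject both pairs.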

Hey there, just joined; this thread is awesome.

Is there a way yet to send multiple Pokémon in one go without having to restart the game? Or would I have to figure this out by decoding Wi-Fi dumps?

Edit: I read the thread and saw there isn't.

But a question: I don't have my DS with me and won't for a few hours, but in sendpkm.py

Why does it return 1? In most big company code (I say that loosely), doesn't returning 1 usually indicate an error while 0 indicates success?

Also, has anyone tried to have their browser emulate whatever the DS sends? Like the identity thing if it's a FF browser, IE or Opera and all that?

Is there a way yet, to send multiple pokemon in one go without having to restart the game?

I believe this would be possible by replying to result.asp with several different Pokémon in a row, but it won't actually work unless we can figure out why Pt/HG/SS report a communication error.

Why does it return 1? In most big company code(I say that loosely) doesn't returning 1 usually indicate an error while 0 indicates success?

Process exit codes use 0 for success and 1–255 for error, yes. The only place sendpkm.py explicitly exits is if you don't provide a filename, which is indeed an error. Otherwise it drops out and Python will exit with 0.

Edit: Oh, the 0x0001 response. I can't recall ever seeing 0 used for success outside process exit, actually. But that's what was sniffed from D/P, and we have no idea what it actually means either way; result.asp uses 0x0004 and 0x0005 to mean yes/no. (What.) Dumps of the same operations performed by both D/P and Pt/HG/SS should tell us for sure.

Also, has anyone tried to have their browser emulate whatever the DS sends? Like the identity thing if it's a FF browser, IE or Opera and all that?

It would probably work, but I doubt it would be useful. We don't know the encryption used for sending data, you need to respond to a challenge every time you send a request, and the response is binary.

We know:

- Flipping one bit in good data makes bad data. Flipping two separated bits in good data makes good data.

This looks like parity checking to me. So there's most likely a parity bit(s) in there somewhere.


I seem to still be having some troubles that keep leading to the blue screen.

I am running Mac OS X, Python version 2.6.

With LordLandon's advice on my first issue I checked what else was running. I turned off printer sharing, web sharing, etc.

I used an AR DSi to dump my save file to micro SD. I converted it from .DUC to SAV and extracted my party Pokémon.

For some reason it appears to connect and still goes to the blue screen that says "press A to return to title screen." When I attempted to use a box Pokémon the screen flickered blue and black and static.

I have tried Diamond, Pearl, and Platinum; all three do the same thing. I am wondering, is there an updated version of sendpkm? Or is there anything else on my own network or computer I can try? Are there any settings on my router I can change? I keep looking through my control panels and the router settings and don't see anything that would make sense to change in either place. Any advice would be appreciated.

Also, has anyone tried this on HeartGold/SoulSilver yet??? I have made it to Goldenrod City on both of my saves and would have already tried it if not for the issues I am still having on D/P/Pt.

Thanks in advance to any kind soul who can help solve this for me.

--Ringo

PS-- Thanks again to LordLandon for your service to the Pokémon community and for the help solving the first issue I had.


Do you think it would be possible to have a program like sendpkm download wondercards to a retail cart via the get from Wi-Fi feature?

Probably not, as it's made to send Pokémon.

Well... Reading his post would probably be a good idea.

He asked if it was possible to make a program that works like sendpkm, except it lets you download Wondercards over Wi-Fi.


I've played around a bit with this myself, thanks to the sample DNS server script LordLandon submitted, and after some Python quick courses I managed to make a simple DNS redirect .py script that simply redirects all GTS related requests to a specific IP (webserver). Thus, by manually entering a DNS server in the Pokémon game's network settings, you can connect to a custom web server and let it handle your client requests rather than the official GTS.

It's not perfect, but combining the DNS server with a simple PHP script, it currently lets you be online without disconnecting (though no results are returned when you search, and deposit only shows the visuals; no Pokémon is actually deposited anywhere). With a simple on/off flag I can make anyone that connects "forcefully" receive a Pokémon as if someone traded with them. Looking around, I see others are looking into the server side data; it's nice because if the _GET[data] can be decoded and information extracted, it's possible to even create a PKM file server where you "search" for a Pokémon and you always find "people" that trade it away (funny enough, it would simply be the server decoding your search and then, for example, forcing you to accept a Pokémon as if someone traded it to you the normal way).

A lot of possibilities, and I think there will be a projectpokemon.org official GTS DNS address everyone can input and fetch their legal Pokémon at whatever level and gender they want. ;)

Included my sources as an attachment, nothing big, just another version of what LordLandon made, only that this is for a webserver (PHP and Python to encode/decode pkm/bin).

By the way, if you wanna try it out and see what awesome Pokémon you get by connecting to my GTS server, you actually can for tonight! Load the game, edit the network settings, set the DNS primary IP to my IP: 84.202.82.24. Save the changes and load the save, go to GTS (Goldenrod City, west of the Radio Station) and connect. So far the connection tests and "handshake" server(?) connections are not touched, but once it starts to read from the website it will be my own server and not Nintendo's. :P If someone uses it tonight I'll check the logs and see how it went; just trying it out, so won't be online after ~12 hours. ;)

egts_website.zip


Hi everyone !

I made two VB.NET console applications, one for the DNS Server part, and the other for the Pokémon sending part (fake GTS).

It was ready for quite a while, but I couldn't test it until Saturday.

Now it's been tested and it works well, I was able to send a Pokémon to a friend of mine across the Internet without problem.

I made the GTS server work with threads, so several connections are possible simultaneously.

It is mainly a copypasta of the Python script, but it can be easily improved and included in a window application.

For example, I was planning to make a GUI that would include the ability to make a list of Pokémon to send.

I attached a ZIP file containing the sources and the binaries of the two programs.

GTS_Nuker.zip


This is kind of neat. Package contains a mini DNS server and the PHP files for the logging.

It does require some configuration, but in the end, by having $pure_log on, it simply receives requests and writes the communication to log files. It still uses the official servers but the game is not aware of that, kind of cool. Helps log stuff when you go to the GTS or the Battle Tower, do some stuff, and the data is logged for future research.

I doubt it's something new but what the heck, perhaps someone gets more use of this than me. :)

For example when I turn on my DNS server and set my NDS to connect to it, I can use the GTS/Battletower and the communications will be logged at http://vlacula.no-ip.com/pokemon/egts/pokemondpds/logs/!

egts_website.zip


Hello (and Welcome to me, I know).

I'm just working on a FULL PHP GTS server, and will examine your code carefully...

Evil cheater, using Python for calculating values :P (the part of encoding .pkm is already done on my server, if you're interested...).

Just so you know, the part with sockets is very difficult in this server with PHP, because of port 80, used by Apache... And the asynchronous connection.

Thank you for your egts server.

PS: I'm a French-speaking Swiss, so don't pay attention to my rough English :bidoof:

This is kind of neat. Package contains a mini DNS server and the PHP files for the logging.

It does require some configuration, but in the end, by having $pure_log on, it simply receives requests and writes the communication to log files. It still uses the official servers but the game is not aware of that, kind of cool. Helps log stuff when you go to the GTS or the Battle Tower, do some stuff, and the data is logged for future research.

I doubt it's something new but what the heck, perhaps someone gets more use of this than me. :)

For example when I turn on my DNS server and set my NDS to connect to it, I can use the GTS/Battletower and the communications will be logged at http://vlacula.no-ip.com/pokemon/egts/pokemondpds/logs/!

Just a quick question, but how'd you set this up?

I'm having issues trying to figure out how to set it up so that I can publish my DNS to allow people outside my network to connect. I was under the original assumption that your script is made so it can go up on a webhost, but when I put it up on mine it doesn't do anything (probably due to shared hosting), or maybe I'm missing something on how to do this altogether; working on like 6 hours of sleep from 2 days ago.

Forgot to mention, I'm really only interested in serving up pokemon, preferably many at a time to different people (if possible) and being able to just have the script run at different times of day (easy enough to setup).

I tried no-ip (what you're using), but was still a bit lost despite having used it before.

Just a quick question, but how'd you set this up?

I'm having issues trying to figure out how to set it up so that I can publish my DNS to allow people outside my network to connect. I was under the original assumption that your script is made so it can go up on a webhost, but when I put it up on mine it doesn't do anything (probably due to shared hosting), or maybe I'm missing something on how to do this altogether; working on like 6 hours of sleep from 2 days ago.

Forgot to mention, I'm really only interested in serving up pokemon, preferably many at a time to different people (if possible) and being able to just have the script run at different times of day (easy enough to setup).

I tried no-ip (what you're using), but was still a bit lost despite having used it before.

The Python script will send all DNS requests to whatever IP you like (in this case your own host IP). Now, the PHP website thing is just a fragment of what "GTS" really is, just a test, and it's not something I recommend you use. On the other hand, what you can do is simply use the original LordLandon Python script that is both webserver and DNS server.

Run sendpkm.py and it should ask you to enter the path to a .pkm file. Once that's done it will wait for a DS to contact it; the way that happens is to put your own IP (public IP even, if you like) in the Pokémon network settings (in the Pokémon game, main screen, WiFi settings). Port 53 must be publicly open on the PC you use as a "server", and you should be able to log the GTS (official one) from before; this means all ports are okay.

About the PHP script I made: you must edit .htaccess (the relative "root" path) and index.php (lines 16-20 and 26-27). Btw, if line 16 is set to "$pure_log = 1;" then it simply acts and works as the official GTS because it just sends all requests to GTS and sends the response to the NDS, and it won't tell the difference. You could try that just to see if it works; then by disabling $pure_log and enabling $pkmdist it will send whatever .pkm file you specify on line 27 to each person that connects. The DNS server must run on the side to keep redirecting requests properly.

It's not bug free, it's far from finished, and if you hang on a while longer there will be proper GTS source code available for all the enthusiasts that wanna run their own home GTS for themselves and friends.

*Edit*

Also, for the DNS to work properly: if you have a host and you ping the domain for your site you can read the proper IP; now if you go to http://0.0.0.0 directly and do not get to the website, then it won't work using that as the server for the PHP files. I myself run XAMPP on my own machine; that's why my no-ip domain points directly to my IP, so you can access my "homepage" both using IP and domain name. The DNS servers LordLandon and I made are simple ;)

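An added example, not Vlad's or LordLandon's script, of the DNS redirect both of the posts above describe: a minimal UDP resolver that answers A queries under one domain suffix with a fixed IP and refuses everything else, so the DS is steered to your web server without the machine becoming an open resolver for whoever else finds port 53. The suffix nintendowifi.net, the sample query name in the test and the script name are assumptions; the page only says "GTS related requests", so check your own DNS logs for the names the game actually asks for. build_query exists so the responder can be exercised offline.

```python
import socket
import struct

# Domain suffix whose A queries get hijacked. Assumption: the hostnames the DS
# resolves for the GTS live under nintendowifi.net; this page only says
# "GTS related requests", so adjust to what your own DNS logs show.
HIJACK_SUFFIX = "nintendowifi.net"
QTYPE_A = 1
QCLASS_IN = 1
FLAGS_RESPONSE_OK = 0x8180       # QR=1, RD=1, RA=1, RCODE=0
FLAGS_RESPONSE_REFUSED = 0x8185  # same, RCODE=5 (REFUSED)


def parse_question(packet):
    """Return (txid, name, qtype, qclass, raw_question) for a one-question
    query. Stub resolvers never compress the question name, so pointers are
    rejected rather than followed."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def build_reply(packet, target_ip, suffix=HIJACK_SUFFIX, ttl=60):
    """Answer A/IN queries under `suffix` with target_ip; refuse anything else
    so the box never resolves names for third parties."""
    txid, name, qtype, qclass, question = parse_question(packet)
    in_scope = name == suffix or name.endswith("." + suffix)
    if not (in_scope and qtype == QTYPE_A and qclass == QCLASS_IN):
        return struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_REFUSED, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_OK, 1, 1, 0, 0)
    # 0xC00C is a pointer back to the name at offset 12 (the question).
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(target_ip)
    return header + question + answer


def build_query(name, txid=0x1234):
    """Encode a query the way a stub resolver does; used to test offline."""
    encoded = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                       for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encoded + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def serve(target_ip, bind_addr="0.0.0.0", port=53):
    """Blocking UDP loop; needs root for port 53. Bind to the LAN address the
    DS talks to rather than 0.0.0.0 if the host is reachable from outside."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_reply(packet, target_ip), peer)
        except ValueError:
            pass  # malformed or unsupported query: drop it silently


if __name__ == "__main__":
    import sys
    serve(sys.argv[1])
```

Run it as root (port 53) with the address of the host running the fake GTS, for example python3 fakedns.py 192.168.1.10 (fakedns.py is just a name chosen here), and point the DS's primary DNS at the machine. As the posts say, port 53 has to be reachable from the DS; that is not the same as exposing it to the whole Internet, which is why the responder refuses out-of-scope names and why binding to the LAN interface is preferable to 0.0.0.0 on a box with a public address.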

Let's just say that if it does utilize the DNS settings (as it should) and if the connection is not SSL encrypted, it will be possible to emulate that as well, like the GTS. The problem is, if the server uses SSL encryption it will be really hard to crack and then act as the server; the client would not get what it expects and it would just end up with errors and blue screens. Let's hope for the best, but I have not looked into it; last time I checked for Mystery Gift over WiFi it connected to a special download server. I didn't check the communication but it may be SSL. :/


I can't seem to get it to work for me. I'm using a laptop with Vista, and I've tried running it both wirelessly and with a cable going to the router. I've opened port 53, and forwarded it on the router to this computer. I put the IP that sendpkm gave me in as the DNS info in the WFC setup. Every time I go it either tells me I can't connect, or gives me the blue error screen. Did I miss something on this thread? Some help would be greatly appreciated :)
