Everything posted by イーブ&#

  1. It would certainly make sense; bit odd to jam them in the header like that otherwise. Okay, noted. I'll make my parser work like that, and try some of the other mystery bytes tomorrow.
  2. The PP legality checker, at least, doesn't balk at a Pokémon with junk in 0x04 and 0x05. Interesting.
  3. There are some bytes in the save struct that are apparently unused by the games: for example, 0x04–0x05 and 0x42–0x43. I'm considering using these for my own nefarious purposes. So: 1. Do retail saves always set these to zero, or can they be garbage? I would hope the whole struct is memset to zero right off the bat, but you never know. 2. If so, do any legality checks—including Legality Checker and anything Nintendo uses—verify that these bytes are zero? Please note: I am not talking about "trash bytes". If you don't know what I mean, you probably don't know the answer.
  4. We were trying to build fake GTS servers. Now we have.
  5. The handshake is SSL with some other server. We don't know how it works.
  6. There are several third-party GTSes that can already do this. I think.
  7. Uh, it's part of my entire site. Not really meant for people to run for themselves, especially if you're not a developer.
  8. Yes, you could do that. Actually, just remove the line that deletes the Pokémon from the beta table, and it will do exactly that.
  9. veekun is already running its own DNS server, so dnsspoof wasn't really an option 8) veekun's GTS is still just a dumb roundtrip; working on some backend stuff before I try to make it cooler. And of course I need to actually finish veekun and all.
  10. For the curious, the veekun setup is as follows:
      - BIND thinks it's a master server for nintendowifi.net. It returns the veekun IP for gamestats2.gs, but the correct IPs for conntest and nat.
      - In Apache, gamestats2.gs.nintendowifi.net is a ServerAlias for veekun.com. Requests to http://gamestats2.gs.nintendowifi.net/pokemondpds/common/setProfile.asp, for example, are treated the same way as though they were for http://veekun.com/pokemondpds/common/setProfile.asp.
      - App side, I have these two route rules: map.connect('/pokemondpds/worldexchange/{page}.asp', controller='fake_gts', ac
  11. Do you really need a restarter...? Just make sendpkm.py not exit after sending the Pokémon off.
  12. It is done. DNS: Simple roundtripping GTS. Deposit a Pokémon, and next time you check GTS status it'll come back to you. And no blue screen! No searching, etc., and I don't save your Pokémon after you take it back. (Disclaimer: Please don't put anything important in here; this is a proof of concept, and I reserve the right to nuke everything at any time.)
  13. Also, for the hacker crowd, this is a drop-in rewrite of pkmlib.py that might be a bit easier to work with: http://eevee.pastebin.com/fP4YH33Q
  14. BIND is happy to be a master zone for whatever domain you want, whether or not it's actually acting as the main nameserver for that domain.
      eevee@tekkanin ~ $ host gamestats2.gs.nintendowifi.net
      gamestats2.gs.nintendowifi.net has address
      eevee@tekkanin ~ $ host gamestats2.gs.nintendowifi.net
      gamestats2.gs.nintendowifi.net has address
  15. I'll have a simple GTS server running as part of veekun by the end of the weekend.
  16. Messages with the same sums of bytes have the same "key". Progress.
  17. The header is 0x4a3b2c1d ^ sum(bytes).
  18. Can we get the tech support out of the *research* thread? Here is some data, courtesy of.. mignot? Someone from IRC. Sorted by encrypted.
      0x pid    0b pid                            0x encrypted             0b encrypted
      0d593d2b  00001101010110010011110100101011  4a 3b 2c d3 ad 0c 39 03  0100101000111011001011001101001110101101000011000011100100000011
      0f4a4b55  00001111010010100100101101010101  4a 3b 2c e4 48 ac 3d 2e  0100101000111011001011001110010001001000101011000011110100101110
      01050000  00000001000001010000000000000000  4a 3b 2c 1b 9e 9b cb 8e  0100101000111011001011000001101110011110
  19. I believe this would be possible by replying to result.asp with several different Pokémon in a row, but it won't actually work unless we can figure out why Pt/HG/SS report a communication error. Process exit codes use 0 for success and 1–255 for error, yes. The only place sendpkm.py explicitly exits is if you don't provide a filename, which is indeed an error. Otherwise it drops out and Python will exit with 0. Edit: Oh, the 0x0001 response. I can't recall ever seeing 0 used for success outside process exit, actually. But that's what was sniffed from D/P, and we have no idea what it ac
  20. Current thoughts on the cipher itself: Pokémon sent to the GTS have an extra eight bytes added. What are these? The data sent to post_finish.asp is also eight bytes long; is it the same thing? Pokémon sent to exchange.asp have *another* four bytes added -- presumably the receiver's pid. I'm assuming here that info.asp has an empty payload. Here are four data sent to info.asp, from two of magical's games, LordLandon's game, and my Platinum:
      pid 0x05da5237: 0x752d3b4a 0x1dcc143f
      pid 0x0f3ad0df: 0xe52d3b4a 0x3902b107
      pid 0x06fab95b: 0x092e3b4a 0x608aa63f
      pid 0x0b7b1424: 0xa32c3b4a 0x6b3b
  21. magical has performed a fascinating experiment. He posted this Pokémon:
  22. Okay, attempting to think through this out loud, and IRC doesn't really cut the size of this stuff. I'm basing the following on LordLandon's depundep.txt. The Pokémon he sent out (based on the response from get.asp) was this:
  23. I've started making an attempt at documenting this: http://projectpokemon.org/wiki/GTS_protocol
  24. No, the script only allows sending a single Pokémon to your game; then it shuts down. It's being looked into.
  25. Whoa, I guess I'm late to this party. I grabbed a packet dump of a wifi trade just this past weekend, intending to reverse engineer a fake client for third-party GTS/self-trading/storage/other shenanigans. Never thought to try reversing the GTS instead. If nobody else has attempted it yet, I'd certainly be interested in hacking together a more permanent fake trading server.