Jump to content


  • Content Count

  • Joined

  • Last visited

Community Reputation

10 Good

About magical

  • Rank
  • Birthday 02/22/1990
  1. Response hash is calculated as: sha1(salt + base64(data) + salt) Where base64 is the url-safe variant, and salt is still HZEdGCzcGGLvguqUEKQN. magical: 2 Game Freak: 0
  2. So. As mentioned earlier in the thread, we now know how the checksum is obsfuscated, thanks to Jalada and nicholas on IRC. (That is, by xoring it with 0x4a3b2c1d.) By looking for the magic number 0x4a3b2c1d, i was able to find where in the ROM the encryption takes place, and to pinpoint the encryption algorithm. I'm sure you will not be surprised to learn that it uses yet another LCG, which i'm naming the GRNG, for "GTS Random Number Generator". (Terrible, i know. Also it sounds a bit like "grunge".) Ladies and Gentlemen, the GRNG: GRNG[n+1] = (GRNG[n] * 0x45 + 0x1111) & 0x7fffffff
  3. Wow. Great stuff here, LordLandon, Vlad. Poking around in the ROM, i figured out how the hash is generated. hash = sha1("sAdeqWo3voLeC5r16DYv" + token) Breaking the encryption is going to be harder. Some random observations: The data= parameter is base64-encoded The base64-encoded data always begins with "Sj". Does anyone else find that odd? Wait—it's even better than that: the base64-decoded data always begins with "J;". Not sure what that means, though. Perhaps it indicates how the data is encrypted. The data sent to post.asp is 300 bytes long. 8 bytes longer than the Pokémon
  • Create New...