Posts posted by codename_B

  1. http://projectpokemon.org/wiki/Pokemon_Black/White_NDS_Structure

    I must be confused, because I do not see any questions on how to decrypt that data. Have you not tried the normal methods, using the PRNG?

    I assume you are referring to that? Yeah, I've got some model files to work from and it works fine for those but it appears to be arranged in a different block shuffling manner to what I'm able to figure out.

    Again, could just be me...

    I'm getting completely nonsensical PID values when I try to read them from the byte[] array. Where pid: is in the unencrypted 50 odd bytes prior to the encrypted .pkm and ppid: is what I'm trying to make sense of.

    I've also tried reversing the byte[] order, just to see if it's just me being silly about reading it right, and that was equally unhelpful.

    pid: 400304484

    ppid: -600101640

    pid: 333716725

    ppid: 360572957

    pid: 416152147

    ppid: -520608497

    pid: 399112007

    ppid: 2126842325

    pid: 288258214

    ppid: -1112572622

    pid: 320386427

    ppid: 524767930

    pid: 371985483

    ppid: -743971207

    pid: 400304484

    ppid: -1070459604

    pid: 333716725

    ppid: -1425794014

    pid: 416152147

    ppid: -215364339

    pid: 399112007

    ppid: -171590219

    pid: 288258214

    ppid: -1235925158

    pid: 320386427

    ppid: 1926462963

    pid: 371985483

    ppid: 982673062

  2. A little work on result.asp?data=WHATEVER

    data length is 444 bytes

    0x00-0x03 checksum

    0x04-0x07 pid

    0x08-0x09 data-length (minus headers)

    0x0A game version

    0x0B always "0x02"

    The rest is unknown, but a lot of it can be blank. Here are some pastes of some data captures (if you feel like having a go at deciphering it yourself) with excess padding (the rest of the 444 bytes) stripped off.

    2d b8 4c a1 1f 51 74 13 b0 01 00 00 14 02 dc 14 90 d5 bc 1d 43 00 65 00 6f 00 6c 00 ff ff 00 00 00 00 ff ff 00 00 00 00 e0 e7 51 3d bd 96

    2d b8 4f 74 1f 51 74 13 64 00 00 00 14 02 dc 14 90 d5 bc 1d 43 00 65 00 6f 00 6c 00 ff ff 00 00 00 00 ff ff 00 00 00 00 e0 e7 51 3d bd 96

    2d b8 4e f3 b3 1f 22 17 b0 01 00 00 14 02 dc 20 df df 53 a8 4a 00 44 00 4f 00 4c 00 43 00 45 00 ff ff ff ff 00 00 00 00 00 24 1e 2e 01 9c

  3. I've attached a 220-byte .pkm file that I've gotten from a search.

    I'm not 100% sure of the format this is in but from what I've been able to deduce the rest of the bytes up till this are GTS specific and padding, so this is the data that will return a valid pokemon.

    Feel free to put in some input, or ask any questions!

    I'm going to put this to bed for now, and take another look at it some time in the future.

    a..pkm

  4. Here are the data return lengths for various numbers of results, I'll attach data if anyone wants it.

    0: 42

    1: 338

    2: 634

    3: 930

    4: 1226

    5: 1522

    6: 1818

    7: 2114

    338 byte result

    I'm working on this flipped, as I find it easier to think of things little-endian...

    So what we've got is first 40 bytes String checksum

    Last 2 bytes 0x00 and 0x01 ALWAYS (signals end of stream I guess!)

  5. Took another look at this with fresh eyes today, it is literally the sum of all bytes, xor-ed with 0x2db842b2 and then flipped.

    Totally obvious now that you look at it.

    Not the cleanest code ever, but it works and that'll do for now.

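    import java.nio.ByteBuffer;

    // Checksum over the reversed ("flipped") message: sum every byte except the
    // trailing 4 checksum bytes, XOR with the constant, then byte-swap the result.
    public static int getCheckSum(byte[] flipped) {
        int g = 0;
        for (int i = 0; i < flipped.length - 4; i++) {
            g = g + (flipped[i] & 255); // & 255 reads the signed byte as unsigned
        }
        g = g ^ 0x2db842b2;
        g = flip(g);
        return g;
    }

    // Reverse the byte order of a 32-bit int.
    public static int flip(int a) {
        ByteBuffer buff = ByteBuffer.allocate(4);
        buff.putInt(a);
        byte[] b = buff.array();
        buff.clear();
        buff = ByteBuffer.allocate(4);
        for (int i = 3; i >= 0; i--) {
            buff.put(b[i]);
        }
        buff.rewind();
        return buff.getInt();
    }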

  6. Working on a way to search the GTS, I'm still stuck on the final integer.

    If anyone is good at spotting the patterns between numbers, please feel free to lend a hand!

    To get these values, I've done a fair bit of looking at everything and I've got a fairly decent map of where everything is - I just need a process to generate the last number in this now! (or the first depending on what way around you look at the problem)

    Pid: 326390047

    Query: LbhDTB9RdBMHAAAA9QEDAAAABw==

    Decoded: 2d b8 43 4c 1f 51 74 13 07 00 00 00 f5 01 03 00 00 00 07

    Reversed: 07 00 00 00 03 01 f5 00 00 00 07 13 74 51 1f 4c 43 b8 2d

    (read in reverse order)

    results (max 0x07): 0x07

    location?: 0x00

    level range to: 0x00

    level range from: 0x00

    gender: 0x03

    species: 0x01 0xf5

    data-length: 0x00 0x00 0x00 0x07 (always 7)

    pid: 0x13 0x74 0x51 0x1f

    unknown: 0x4c 0x43 0xb8 0x2d

    Query: LbhAPnQLnBYHAAAAiQIDW2QABw==

    ############################

    results: 7

    location: 0

    to: 100

    from: 91

    gender: 3

    id: 649

    dataLength: 7

    pid: 379325300

    ???: 1044428845

    ############################

    Query: LbhDTB9RdBMHAAAA9QEDAAAABw==

    ############################

    results: 7

    location: 0

    to: 0

    from: 0

    gender: 3

    id: 501

    dataLength: 7

    pid: 326390047

    ???: 1279506477

    ############################
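
As an added example (not part of the original posts), the field map above and the sum-then-XOR checksum from the preceding post can be combined into a parser that decodes a search query and checks its leading four bytes. The function, constant and field names are assumptions chosen for illustration; the two queries and the XOR constant are the ones quoted in the posts.

```python
import base64
import struct

XOR_CONST = 0x2DB842B2   # constant quoted in the checksum post
QUERY_LEN = 19           # 4 checksum + 4 pid + 4 data-length + 7 search bytes

# The two queries quoted in the post above.
QUERY_A = "LbhDTB9RdBMHAAAA9QEDAAAABw=="
QUERY_B = "LbhAPnQLnBYHAAAAiQIDW2QABw=="


def checksum(body: bytes) -> int:
    """Sum of every byte after the checksum field, XORed with the constant."""
    return (sum(body) ^ XOR_CONST) & 0xFFFFFFFF


def parse_search_query(b64: str) -> dict:
    """Decode a base64 search query in wire order (not reversed)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != QUERY_LEN:
        raise ValueError(f"expected {QUERY_LEN} bytes, got {len(raw)}")

    # The checksum is stored big-endian; every other field is little-endian.
    # Reading the reversed buffer and byte-swapping, as the Java snippet
    # does, yields the same comparison.
    (stored,) = struct.unpack_from(">I", raw, 0)
    pid, data_len = struct.unpack_from("<II", raw, 4)
    if data_len != len(raw) - 12:
        raise ValueError(f"data-length {data_len} does not match payload")

    species, gender, lvl_from, lvl_to, location, results = struct.unpack_from(
        "<H5B", raw, 12
    )
    return {
        "checksum_ok": stored == checksum(raw[4:]),
        "pid": pid,
        "data_length": data_len,
        "species": species,
        "gender": gender,
        "level_from": lvl_from,
        "level_to": lvl_to,
        "location": location,
        "results": results,
    }


if __name__ == "__main__":
    for q in (QUERY_A, QUERY_B):
        print(parse_search_query(q))
```
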

  7. Just starting from scratch and thinking about things backwards here, don't mind me.

    5th Gen GTS Research (Searching)

    Pid: 326390047

    Query: LbhDTB9RdBMHAAAA9QEDAAAABw==

    Decoded: 2d b8 43 4c 1f 51 74 13 07 00 00 00 f5 01 03 00 00 00 07

    Reversed: 07 00 00 00 03 01 f5 00 00 00 07 13 74 51 1f 4c 43 b8 2d

    (read in reverse order)

    results (max 0x07): 0x07

    location?: 0x00

    level range to: 0x00

    level range from: 0x00

    gender: 0x03

    species: 0x01 0xf5

    data-length: 0x00 0x00 0x00 0x07 (always 8)

    pid: 0x13 0x74 0x51 0x1f

    unknown: 0x4c 0x43 0xb8 0x2d

  8. Ok so, I've gotten as far as needing to know about the format of the request - I'm not sure if I'm base64-ing it right either, but anyway, you guys can fill me in on that :)

    Here's what I've got so far

    I've got a hunch I'm not doing the actual request bytes correctly, but then again hex isn't my strong point.

    Salt: HZEdGCzcGGLvguqUEKQN
    Request: http://gamestats2.gs.nintendowifi.net/syachi2ds/web/worldexchange/search.asp?pid=12345
    Response: Cnrr0y1Qu1zmtSwStUTTOHyl7mStgHBb
    Request-bytes: 010000010A000700
    Request: http://gamestats2.gs.nintendowifi.net/syachi2ds/web/worldexchange/search.asp?pid=12345&hash=baf062d3f3949481c65d12b1054ef275c4ccfec0&data=MzkzMDAwMDAwMTAwMDAwMTBBMDAwNzAw
    error: validation
    
