About Falo


  1. 0628_Potions & 1624_dusk_rockruff are now also released. Strangely, they glued 2 Dusk Rockruff wondercards together with different values.

     Rockruff #1:
     Card #: 1624 - A special Rockruff!
     Rockruff @ Focus Band --- *Playername* - 51277/12369
     Tackle / Bite / Fire Fang / Happy Hour
     Repeatable: False
     Collected: False
     Once Per Day: False

     Rockruff #2:
     Card #: 1624 - A special Rockruff!
     Rockruff @ Focus Band --- *Playername* - 51277/12369
     Tackle / Bite / Thunder Fang / Happy Hour
     Repeatable: False
     Collected: False
     Once Per Day: False
  2. Each game with spotpass access, like Mario Kart 7 or Pokemon has some way to access this url *snipped*
  3. Yeah ok, didn't know you guys already updated spotpass tools for USUM. A bunch of new wondercards are released today on the server:

     0252_Wpack, //100 x Poké Ball
     0263_maxrevive (EU Eng & JPN), //3 x Max Revive
     0265_7_malasada, //7 x Big Malasada & 11 x Fresh Water
     0266_7_tsutaya_rotopon, //4 wondercards glued together, 1 x Roto Catch/Roto Bargain/Roto Prize Money/Roto Exp. Points
     1625_QuickBalls (JPN, EU, USA) // 12 x Quick Ball
     0267_line_rotom, //Line App Rotom

     たくさん おしゃべりして まんぞくしたから アローラに もどってきたロト! これからは ぼうけんの パートナーとして よろしくロ~!
     Card #: 0267 - スマートフォンに はいりこんでいた ロトム
     Rotom @ (None) --- ククイ - 46381/04076
     Uproar / Confide / Disarming Voice / (None)
     Repeatable: False
     Collected: False
     Once Per Day: False

     0272_Asia_marshadow (EU, JPN, USA),
     Marshadow, the Pokémon which guides the Rainbow Hero. Can you make the mythical Pokémon that suddenly appeared in front of Satoshi, approve of you?
     Card #: 0272 - Mythical Pokémon Marshadow
     Marshadow @ (None) --- MT. Tensei - 60981/04151
     Spectral Thief / Close Combat / Force Palm / Shadow Ball
     Repeatable: False
     Collected: False
     Once Per Day: False

     Somehow the 1625_QuickBalls_US_S is missing for Ultra Sun.
  4. The first Ultra Sun/Moon event is online! Gold/Silver Serialcode Celebi.

     Ultra Sun: 0251_celebi_SER_JP_J_1510631793
     Ultra Moon: 0251_celebi_SER_JP_J_1510631840

     Downloaded from the official Spotpass server, both are identical after decryption and work with the newest PKHex.

     Distribution Text:
     『ポケットモンスター 金・銀』を ダウンロードしてくれて ありがとう! ウバメのもりに まつられる セレビィが ときを こえて やってきた!
     Translated:
     "Pocket Monsters Gold & Silver" Thank you for downloading! Celebi to be enshrined in the woods of Ubame came beyond the time!

     Card #: 0251 - ときわたりポケモン セレビィ
     Celebi @ (None) --- ウバメ - 43783/03831
     Heal Bell / Safeguard / Ancient Power / Future Sight
     Repeatable: False
     Collected: False
     Once Per Day: False

     0251_celebi.wc7full
  5. Haven't gotten to the part where you can scan QR Codes. But from the code of the game, the event checks if Savedata::QRReaderSaveData::Data+0x170 is set to 0xCBE05F18356504AC and checks if EventFlag 3100 is set, and flag 3487 is unset, so:

     3100 = IsMagearnaActive
     3487 = IsMagearnaCaptured

     So it should be easy to activate the event on any system with pkhex.
     Note: QR Encryption is the same as save signing, so memecrypto.
  6. You mean this list? *relevant data removed* The demo really contains too much code from the full game ^^, even the mystery gift server code is there.
  7. It was just a quick analysis. init_rtc_ctx initializes an 8 byte structure, which is then used by j_getGameTime. I'm not sure if it "gets" or "sets" the time; since "get" makes more sense, I used that name.
     savePtr is a pointer to the Savedata::Savedata structure, not the raw save.
     gfl2::math::Random::Initialize: the name comes from the Sun&Moon demo, not ORAS. This initializes a Mersenne Twister algo. Here are the rest of the functions: (pseudo C code)
     I found the algo online, it's "Tiny Mersenne Twister":
     https://gitlab-dev.in2p3.fr/SOPHYA/SophyaLib/blob/927c275e1bbe27c728119b9763ef174ece43fc47/BaseTools/tinymt32.c
     https://gitlab-dev.in2p3.fr/SOPHYA/SophyaLib/blob/927c275e1bbe27c728119b9763ef174ece43fc47/BaseTools/tinymt32.h
  8. Yes, but it's still a random value:

         unsigned int __fastcall sub_4608F4(int a1, int a2)
         {
           _DWORD *savePtr; // r4@1
           int trainerId; // r6@1
           unsigned int rnd; // r0@1
           int rnd_ctx; // [sp+0h] [bp-28h]@1
           char ctx; // [sp+10h] [bp-18h]@1

           savePtr = *(_DWORD **)(sub_14E348() + 28);
           trainerId = *(_DWORD *)(*savePtr + 0x129A8);
           init_rnc_ctx((int)&ctx);
           j_getGameTime(savePtr, (int)&ctx);
           j_gfl2::math::Random::Initialize((int)&rnd_ctx, *(_DWORD *)(*savePtr + 0x1048) + trainerId);
           rnd = j_MersenneTwister((int)&rnd_ctx);
           *(_WORD *)(a1 + 0x51DA) = rnd % 33 + 1;
           return rnd % 33 + 1;
         }
         //*(_DWORD *)(*savePtr + 0x1048) = the random value from SaveData::RandomGroup
  9. The code for this can be found in DllSkyTrip.cro and the code.bin. Function to generate the mirage spot: ".text:004608F4 sub_4608F4". To find the current Mirage Spot, it uses that random value and some other values, like the current time, and generates a new random value. The final result of it is then "rnd % 33 + 1".
  10. Block 5 (0x1600) is Savedata::RandomGroup. This block is just a 4 byte random value, which is generated by the 3DS AES engine. I didn't fully reverse it, but it calls SVC 0x28 "GetSystemTick(void)" and then uses a Mersenne Twister algo with sha256 and sha1 hash. So it's not encrypted, just a random value. It's like a seed value from the good old RNG days.
  11. I could look into it, but later. I use IDA Pro, patchrom and a cro/crs loading script. patchrom is used to convert the exefs code.bin and exheader.bin into a loadable exefs.elf. Then I load the exefs.elf and use the script to load static.crs; this loads a lot of export entries and gives a basic overview of where stuff is. The rest is done via vTable decoding, string search and knowledge of how stuff should look. Also, the Hex-Rays decompiler plugin helps a lot, and after cleaning up you get a nice output like this:

          void __cdecl Savedata::MyStatus::SetZenryokuRingFlag(MyStatus *this, int flag)
          {
            unsigned int v2; // r3@1
            int v3; // r1@1

            v2 = this->data.OutFitFlags[1] & 0xEFFFFFFF | (flag << 28);
            v3 = (unsigned __int16)(this->data.Flags & 0xFFFD) | 2 * flag;
            this->data.OutFitFlags[1] = v2;
            this->data.Flags = v3;
          }
  12. There is a lot more code ^^ like collecting zygarde cells, berry field island, fishing spot, join festa, battle tree, battle spot.... But the more interesting code is just dummy...

      Magearna Event code:

          int MagianaQREventEnableCheck()
          {
            return 0;
          }

      Pokédex QR making codes...

          void NetApp::QR::QRUtility::SetUpZukanQRData()
          {
            ;
          }
  13. Nothing changed.

          _BOOL4 __fastcall pml::pokepara::CoreParam::CalcShiny(unsigned int TrainerID, unsigned int PokemonID)
          {
            return ((unsigned __int16)TrainerID ^ (TrainerID >> 16) ^ (PokemonID >> 16) ^ (unsigned __int16)PokemonID) < 16;
          }

      That new id is an exported function and only the FieldRo uses it to show that id, everything else uses the old id's.

      //edit:
      Wondercard was slightly changed,
      ORAS uses 6800 Byte
      Sun&Moon Demo uses 16208 Byte
      I haven't looked into it yet, but
      Savedata::MysteryGiftSave::GetMameGiftNum
      Savedata::MysteryGiftSave::GetBPGiftNum
      Savedata::MysteryGiftSave::GetItemGiftNum
      Savedata::MysteryGiftSave::GetPokeGiftNum
      looks like they will give Battle Points via Wondercard... ^^

      //edit2:
      a quick look into the structure:
      - Wondercard Size = 264 Byte -> nothing changed
      - There are 48 spaces for cards
      Types:
      0 = Pokemon
      1 = Item
      2 = Battle Points
      3 = Poké Beans (Japanese: Mame, 豆)
      There is some date field after the card storage, it's defaulted to 2000:01:01:00:00:00:00
  14. C# gives me the correct result 201761.
      Also manually:

          TrainerID / 1.000.000 = 564
          564 * -15625 = -8812500
          -8812500 << 6 = -564000000
          -564000000 + TrainerID = 201761

      //edit, my code is an exact copy of the original asm code, but I just noticed -15625 << 6 = -1000000
      so TrainerID + ((TrainerID / 1.000.000) * -1000000)
      or TrainerID % 1.000.000
      should work...
  15.     //PokeTool::GetDrawID
          public static int GetDrawID(uint TrainerID, int GameID)
          {
              if (GameID < 30)
                  return (int)(TrainerID & 0xFFFF);
              else
              {
                  return (int)((TrainerID + (((TrainerID / 1000000) * -15625) << 6)));
              }
          }

      TrainerID is the full 4 byte id, tid and sid.
      GameID's: 30 = Sun&Moon Demo, 31 = Sun, 32 = Moon, 33 = ???, 34 = ???
      Note: this calculation allows any id from 0 to 999.999

      And yes, Greninja now has 3 forms:
      1. Form = Default
      2. Form = "Battle Bond" Form, same stats as default form, just the ability is different (3x Battle Bond)
      3. Form = "Ash-Greninja" Form
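
An added example, not part of the original posts: a C check that the multiply-and-shift form from GetDrawID agrees with `TrainerID % 1000000` across the 32-bit ID space, next to the CalcShiny test quoted in the earlier post. The function names, the sample ID 564201761 and the sweep stride are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Display ID as in the GetDrawID post: game IDs below 30 show the low 16
   bits, game IDs from 30 on show six decimal digits. The arithmetic is kept
   in unsigned 32-bit so the wraparound the idiom relies on is well defined. */
static uint32_t draw_id_idiom(uint32_t trainer_id, int game_id)
{
    if (game_id < 30)
        return trainer_id & 0xFFFFu;
    uint32_t q = trainer_id / 1000000u;
    return trainer_id + ((q * (uint32_t)-15625) << 6); /* -15625 << 6 == -1000000 */
}

/* The simplification proposed in the follow-up post. */
static uint32_t draw_id_mod(uint32_t trainer_id, int game_id)
{
    return game_id < 30 ? (trainer_id & 0xFFFFu) : trainer_id % 1000000u;
}

/* Shiny test from the CalcShiny post: XOR of the four 16-bit halves < 16. */
static int is_shiny(uint32_t trainer_id, uint32_t pokemon_id)
{
    uint32_t x = (trainer_id & 0xFFFFu) ^ (trainer_id >> 16)
               ^ (pokemon_id >> 16) ^ (pokemon_id & 0xFFFFu);
    return x < 16;
}

/* Sweep the 32-bit ID space with a stride and count IDs where the idiom
   and the plain modulo disagree. */
static unsigned long count_mismatches(uint32_t stride)
{
    unsigned long bad = 0;
    for (uint64_t id = 0; id <= UINT32_MAX; id += stride)
        if (draw_id_idiom((uint32_t)id, 31) != draw_id_mod((uint32_t)id, 31))
            bad++;
    return bad;
}

int main(void)
{
    uint32_t sample = 564201761u; /* constructed: quotient 564, remainder 201761 */
    printf("game 31: %u\n", (unsigned)draw_id_idiom(sample, 31));
    printf("game 29: %u\n", (unsigned)draw_id_idiom(sample, 29));
    printf("mismatches: %lu\n", count_mismatches(65521u));
    printf("shiny: %d\n", is_shiny(0x12345678u, 0x1234567Fu));
    return 0;
}
```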