suloku

The code for this can be found in DllSkyTrip.cro and the code.bin, function to generate mirage spot: ".text:004608F4 sub_4608F4"

To find the current Mirage Spot, it uses that random value, and some other values, like the current time and generates a new random value.

the final result of it is then "rnd % 33 + 1".

So that's what we were missing! Would it be very difficult to get the full asm for the function? I don't know how to get it, but I can probably get the asm into a friendlier C (well, I suppose if you can get the asm you are most than capable of also translating it to C).

Also, is it really the current time? the_SLAYER and me got the same islands just by setting the random seed to certain values with TID being 0, that's why we assumed it only used those two. Did we just get unfortunate coincidence?

edit: should I just get the code.bin into IDA and look for the function you posted? Does it work that way? (I really have no clue)

Well, I meant the script itself, no the data that acompanies it, since that is distribution-dependent. R/S Mystery Event is different from wondercard in that sense.

I only have this: http://es.pokemon.wikia.com/wiki/Gira_Ticket_E%C3%B3n

There's no image that clearly says the contest was for 99, but maybe we migth be able to contact the user who uploaded the promotional scan? It is said to have 5 pages, and only the cover is uploaded there.

I tend to think that the distro machine/cart/device simply had a selector for the trade # and 151 happens to be the default one and NOI just used this one.

The spanish being 99 is supposed to be due to a contest, so who knows. I doubt the event itself is different, it's a script and that is the same even for the WCs we have for the same events: the WC changes, the script remains.

About the european missing string: in the USA e-reader script, the missing line and following one are the same "Paragraph", so I suspect the distribution tool used by NOE had a bug that skipped that first line due to the "new line" command in the script. Fortunately, the distro still makes sense without that line. If the full script lies in the distribution device used by NOE will probably remain a mistery (but the official distro doesn't have that line, so the legit one is the flawed even if the missing string is there).

The official spanish EON ticket has been documented to have been a 99 distribution, but confirming this is nearly impossible, unless getting a legit save with more than 100 times to share, but that is difficult, since that value decreases by 1 each time you mix records, regarless of the other people already having the Eon ticket or not.

Block 5 (0x1600) is Savedata::RandomGroup

this block is just a 4 byte random value, which is generated by the 3DS AES engine.

I didn't fully reverse it, but it calls SVC 0x28 "GetSystemTick(void)" and then uses a Mersenne Twister algo with sha256 and sha1 hash.

So it's not encrypted, just a random value. It's like a seed value from the good old RNG days.

Thanks for the info about how it is generated! The "problem" we have is that we haven't been able to figure out the algorythm that the game uses to output the Daily Mirage Spot. We know the algorythm uses this random value and TID, but the algorythm isn't simple enough to guess it without reverse engineering (something I don't have a clue how to do).

Will look into that error, I only experienced something similar when the file is already opened elsewhere.

Please, always keep a backup of your savegames!

To know where this comes from, please read this thread: https://projectpokemon.org/forums/showthread.php?46883-GEN-3-Mystery-Gift-Research

PC Version: https://github.com/projectpokemon/Gen3-WCTool/releases/

GC/Wii Homebrew: https://github.com/suloku/gba-link-cable-dumper/releases/

NDS Homebrew: https://github.com/suloku/savegame-manager/releases/

e-Reader savegames for Eon Ticket transfer (all regions) via Link Cable with real hardware: EON_ticket_ereader_savegames.zip

Sorry, I can't make a propper post right now. I'll try to get this decent tomorrow. There are some readme included.

FAQ:

Q: What's the diference between using any of these injection apps and sending my cartridge to nintendo?

A: None.

Q: I have a ESP/GER/ITA/FRE game. If I inject the USA Mystic ticket, will this be legit?

A: All evidence suggests that the USA Wondercard distributions were compatible with all non-japanese games. Game release dates make it also technically possible to have received an Emerald Mystic ticket on an European game, and we know the USA Aurora Ticket distribution device is compatible with European games (but it only distributed the english wondercard, fully opetational though).

- USA and UK games are the very same game rom, so all the english events apply to both, regarless of being European or USA.

- The spanish Emerald Aurora ticket wondercard is fine, Nintendo messed up and left Vermillion city instead of updating the wondercard text to Hoenn. The event was never done in Spain, but it could be received at other countries if you used the spanish cart, so it is totally legit, so don't worry, nintendo was very sloppy with this.

- Nintendo also messed up the german Eon Ticket (there is photo proof from oficial german distribution that this was already known).

EON_ticket_ereader_savegames.zip

WC3Tool 0.1e.zip

At long last, the price for all this waiting!: https://github.com/suloku/wc-tool/releases/tag/0.1

Yes, there's no FRLG Mystic ticket yet, as you know, we posponed release in an attempt to get the missing events, but seems pointles to keep it anymore since we collected everything we could already (many thanks to Real.96!!).

I'm gonna make a thread for the tool, but I gotta sleep so I'll be trying to update it during the week. GC/WII and NDS injection apps tomorrow, sorry for those expecting them (they are ready, but can't pospone sleeping anymore).

Please keep anything tool-related here, this thread is for mystery gift research and discussion: https://projectpokemon.org/forums/showthread.php?50474-GEN-III-Mystery-Gift-Tool-Nintendo-Events-Wondercards-e-Trainer-cards-and-e-Berry-editor-(and-more!)

Don't have CFW, and it's pretty much impossible to get it on 11.0

Uh? A friend with a 3ds capable of emunand and buying fielrunners is all you need.

For gba games it's actually easy to find:

1.- Use a script editor to search the script for the starter, then check how many flags are set or how does it work.

2.- Make a couple test to locate flag diferences in the save file

3.- Hope those flags are what is used to decide the roamer instead of something else set elsewhere.

I did this with emerald to change the roaming lati, which also affects which one you get from the event.

Alternatively, you could technically use a custom rom with a custom script that toogles the flags for you when talking to an npc (or whatever you asign the script to). (Also, there will be a way to do this without custom roms soon, even with retail carts).

I'm not sure if there is a fixed correlation of flag# an save offset, but if it is it would help a lot locating them in the save (but with a little testing they should be easy to find).

You are right. Maybe it learns poison/steel attacks? In any case no stab so...

I coded this really quick, should be user friendly enough:

https://github.com/suloku/gen6_safari_mirage_tool/releases/tag/0.1

It also has the friend safari unlock for XY

By the way, when coding it I realized that the u32 value at 0x1600 (MDV) is the only thing that get's checksummed in the whole block, unless I trusted the wiki too much, because I haven't really tested the tool on my 3DS, I just saw changes were correctly made with an hex editor.

For reference, Jirachi on Pokemon Channel (the european distribution) is also shiny locked afaik, only the US one can be shiny.

For my implementation, I’ve copied the Odd Egg data from the English version. But according to legend, the Odd Egg received from the mobile event had a 50% chance to be Shiny, higher than the 14% chance for the in-game event in the Western versions. Does anyone know where this information came from? The only way to verify it would have been to download index.txt and read the probability values, and I’ve seen no evidence that anyone would have known how to do that at the time.

 

If the information that the eggs in the international versions were the same ones, but with different probabilities then what hacky did would reproduce them.

Here's the dissassembly code for the odd egg in US crystal, there you can see that there are only two possible DV combinations (non-shiny or shiny) and that the only thing that differentiates an egg from another is species ID and DV, which I guess is what the server sent?:https://github.com/pret/pokecrystal/blob/700321a7fb2d6c852ffc91cc0b8867526cb76813/data/odd_eggs.asm#L105

Awesome stuff guys!

Fixed*

Yeah, this is something I recognized before.

Can be seen here for example:

[ATTACH=CONFIG]13821[/ATTACH]

Just btw. at the official Pokémon site of Sun & Moon in the Pokémon Bank section they used the ID No. 123456 as a placeholder.

However... the biggest ID No. I have seen so far is 944542. (

.)

So I wouldn't be too surprised if they might cap IDs now at 999999, which would make it the highest possible ID.

Kaphotics explained this on irc: TID+SID are still 4 bytes total, a formula is used so an ID ranging 0-999999 is displayed, so nothing really changed, it's just how the ID is displayed. Also, if I remember correctly the new formula makes the latest ID (I don't exatcly remember, they were post-99xxxx) 0.023% rarer than the others.

Well, the anti timetravel, for what I know, stores the difference between real clock and raw rtc. I guess we could calcuñate the value and search it in a savegame, the the plugin would fix the value in the save bwfore loading, but for what I saw ctrulib doesn't have the functions to tingle rtc (either real or raw).

I guess we are stuck to the dev app. The little demand is because only a few game have anti-timetravel.

Also, tested TID 1 and 0x1600 zeroed, output was map 197 (0x0f if the output should be the same as streetpass)

Maybe it is modulus 32 -> value range 0-32 (33 possible values) + 1.

But as you said, being able to edit the passed spots in batches of 10 is great. Maybe we could even make an ntr plugin to eaaily change the first passed island, the values are near the eon ticket "herpesvalue" so it should be easy to find on a memory dump.

1) Ain't those decor only viewable in dream world? Unlocking them has no effect on the ds game right?

The other only thing the connected to dream world flag is used should be the medal for waking a dream pokemon right? The medal should be able to be edited into the save anyways.

2) Check this: http://pkmnclassic.net

3) Would need research, should be doable with 2 consoles.

4) I was researching it, but no time right now. There's an AR code though.

The 12 quickballs download code will also be distribute with preordered games by the GAME stablisments in Spain.

There will be 10.000 codes available.

Well, you may test by enabling 11 islands (10 hexed + daily), then streetpass with a oras save that has a daily spot that isn't any of the other 11.

But if that was the case, there's no reason you couldn't unlock all spots via online pss, just leave the console there and eventually you have the 32 other spots? Makes sense they limited it to 10+1 daily, to keep the luck factor, or getting crescent isle would be too easy

EDIT: You are right about deciphering tid and dmv outputing 0x20. For reference, FF FF FF FE also produces 0x20 with tid 0.

EDIT 2: I've been thinking, and since we know (or suspect) the output, seeing what 00000000 and TID 1 produces might help. Also, if it works like passed spots, the output can't be 0, so maybe it is adding +1 after the calculus, or it can't output 0 at all.

I'm pretty sure they go bay map# except crescent isle being the first instead of the last.

Back to padding... I think it is padded due to being a "decrypted" version of what lies at 0x1600.

Now we know the output for crescent isle is 01 00 00 000 and have these TID/0x1600 combos for it:

TID 00000: FF FF FE FF

TID 61931: 76 CC C9 91

Edit: also, my tid&0x91C9 = 0x91C9, which seems suspicious but we'd need anither save with crescent isle as dayly spot to see if this is mere coincidence (I don'tthink so...)

Of course now endianess and maybe using the low/high bytes might come at play if 0x1600 is an encrypted u32 with the TID (an u16). FF FF FE FF unlocking the isle suggests the value are two u16 (I may be wrong though).

Also, for things like this I recall GF using a modulus, here's what they did in swarms for DP (also check the safari formula): https://projectpokemon.org/wiki/Pokémon_DP_Save_File_Structure#Swarm_Pok.C3.A9mon_-_0x72D4

I made some tests, they are in this order:

Great! I'm gonna quote IGN:

"Only one random Mirage Spot can be discovered within your own game each day, but up to ten more can be sent over via StreetPass or Passerbys on the Player Search System."

I had previously read you coul unlock all spots, seems I was fooled. Don't know why they added two padding bytes, but seems we won't get anything else from streetpass.

But seems we almost cracked the spots, only piece remaining would be 0x1600 and TID, since that spot is the only one with hidden items, but maybe hacking in the mirage spot just for the hidden item is quite pointless, as since you are hacking the spot just for the hidden it, you might hack the item

Well, I could also use the NTR memory editor plugin, but dunno what the address might be.

Filling 32 bytes didn't produce any outcome, so how did that "get spots trough online pss" thing go? For some reason I don't seem to be getting any buzznav news and I've waited 8 hours since I last connected for sure

EDIT: nevermind, I was too impatient, I'll just leave it connected to the server until I get several spots.

EDIT2: I had my console connected to pss for like an hour and didn't get any spot...

Actually, I'm a little tired of testing for today, it's been a long afternoon until I've located that single byte (went trough a whole family guy season...).

In any case I went and tried 0x21 (since I knew what 0x01 and 0x20 produce). This didn't produce the two previous spots, but spot 466. This is consecutive with the other map I got previously (465 and 204), so maybe I messed up and 0x20 produces spot 465 and 204 is the dayly spot for the game. 0x21 is 33, there are 33 spots and crescent isle takes 0x01, so if we go by map order 02 should be spot 184 and makes sense 0x21 is the last map.

You can have up to 30 street passes, so up to 30 spots, gonna test the next 29 bytes that go after 0x307D4, see if I get 30 spots + daily one.

EDIT: I remembered that I found 33 120 byte slots, so maybe it is possible to have all mirage spots unlocked at once, even if they capped the streetpass limit to 30. You can get spots every 8 hours after all.

EDIT 2: I tried 32 consecutive bytes and what I got was no mirage spot at all (only the dayly one was still there). Seems we'll need a save with several passed spots for more clues, blindly testing makes no sense when we can get such a save.

Good news! I've found where the PSS mirage spots are stored in the savegame (well, at least 1 of them).

And even better news: it seems it is totally independent of other passerby data stored there. Currently the block 0x37 I've tested is all zeroes but a single byte.

0x307D4 is the magic byte I've located, set it to 01 for Crescent isle (and cresselia can be battled). 0x20 for spot 204.

Almost all of 0x307D0 to 0x30800 is 0x00, so either testing or getting a savefile with many mirage spots (that would be better) will be the best to find the other isles.

Still, since no hidden items are available with this method, discovering how to generate values at 0x1600 for any TID would be nice.

edit: My guess is that the values are stored when the passerby data is got, then they are wiped when the day changes. I had pss streetpass data, used it and lots of mirage islands appeared. I forgot to save and I basically lost all those islands, so this kind of supports my theory.