lostaddict
-
Posts
60 -
Joined
-
Last visited
Content Type
Profiles
Pokédex
Portal
Technical Documentation
Pages
Tutorials
Forums
Events
Downloads
Gallery
Blogs
Everything posted by lostaddict
-
I can do further tests once I get back home. But I'm 80% sure that there is no share option (even if when you choose receive, you have the "friend" option like the wonder cards). Except from the first 4 bytes all the others are used for text. The first 3 bytes are there to identify the Wonder News and the other one is for color (I have tried several values and if you put anything out of the rage of 1-8 it displayed the default yellow card). I'm not sure if there are some bytes at the end that can be used for activating the sharing option...
-
I have test it on a save file that already contain wonder card on it. I think is totally separate. So you can have only wonder news, only wonder card or both... I have to test this later today, but i think that this is the case.
-
When i was checking the asm code few days ago trying to figure out the wonder card checksum, I kept a note about few lines of code that where validating some bytes just above the wonder card data using the same algorithm. Last weekend i revisit that part of asm code and i found that it was checking for bytes "06 00 00" before do the actual checksum validation of the data (similar to the delivery man script). So after some trial and error we now have wonder news: So here are the details: Wonder News data start at 0x2a0 and ends just before the checksum of the wonder card (444 bytes in total). It uses the same checksum calculation algorithm as Wonder Cards. Header is 06 00 00 XX where XX the color of the card (01-Crystal, 02-Red, 03-Green, 04-Blue, 05-yellow, 06-Gold, 07-Silver, anything else - Yellow 1) All the other bytes are the text. There is nothing special about it. It's just some text. Another piece of puzzle is now in place...
-
Also have in mind that if a card is distributable, once you share it it's going to be distibutable and on the other save...
-
I have tried to trade cards 2-3 times but that was only between emerald... I have tried to trade now between emerald and leaf green with no success. I'm not sure if there is a flag for this. There is some bytes that can be used for this purpose... Here is what I'm talking about. Those are Wonder Card start bytes: E9 03 FF FF 00 00 00 00 10 --> Following by the card text data E9 03 FF FF: Mystic Ticket (E9 mystic, E8 aurora, EA old sea map) 03: Same on all tickets - Unknown FF FF: Unknown 00 00 00 00: Unknown 10: Card Color/Distributable I have used before aurora ticket header to create Altering Cave and Eggs card with not problem... What I'm thinking is that like Delivery man script header initial bytes (33 FF FF FF), Those are used just as an extra validation to identify if there are wonder card data...
-
To be honest I'm not sure if this card is legal (altering cave on same card as a ticket) even if technically is possible (I haven't try it but I'm sure it is). The question is why Nintendo to get in such trouble to change the event script, just to distribute it only in Mexico. I can accept that maybe Nintendo changed the card color... But the script as well? I don't think so... As ajxpkm point before, the only way to prove that this card is legit is to have actual photos or videos from the event. Also a closer look on that sav file could verify if this card is legal or not. Unfortunately as long as those saves remain on private collections, this is not possible... So until then from my point of view, this card was hacked. Edit: Regarding the tool, I have finished with the export functionality and i have start working on the import... Soon the testing/research/experimentation will be much easier using the tool :biggrin:
-
I'm not sure if this is legal or not, but here is a video with the Gold Aurora Ticket: Also Mystic Ticket: The text is in English. Same applies for the Mystic Ticket... According to the descriptions in the videos those where distribute to Latin America. Edit: On that channel there are also 2 videos with the Japanese Aurora and Old Sea Map wonder cards...
-
No new info from me today I did some work on the export functionality... Here is the result. The injection to the sav file was done manually. Still a lot of work to do...
-
Just checked the Aurora ticket Invader TAK post. It seems that it has the same trash bytes as Taka's tickets... This means that if this ticket is legit (which i have no idea if is) then most probably Taka's tickets are legit as well. The question now is why the European distributions does not have those trash bytes... Edit: I think that this is maybe the reason: European distributions contains 2 languages. Japanese and USA seems to contain only 1. There is a chance that the trash bytes are just the template for the second language...
-
The algorithm was correct. I was input the wrong data :rolleyes: Thanks for the link. I have already study it For now i have just change the name of the trainer and test the checksum to verify that everything is ok... Tomorrow i will construct the template I'm going to use in the tool. By the way here is a first screenshot of the tool (Still only GUI. Nothing is saving or injected). I will add another tab for the trainer functionality...
-
Nice... Keep the info coming Very interesting stuff!!! I suppose it's impossible to locate a japan save file with wonder news... Btw do we know the algorithm of computing the e-reader checksum? I read somewhere that is a simple bit-wise sum, but this doesn't seem to work (maybe I'm doing something wrong or I'm just tired after a long day at work). I don't have the courage to figure it out... :tongue:
-
Thank you BlackShark! That helped me a lot. On my save was at Section 2 instead of 0. I put there the Morfeo's trainer and it worked like a charm Here is a screenshot: So if you have the trainer wonder card, the guy in green says to you this: Thank you for using the MYSTERY GIFT System. By holding this WONDER CARD, you may take part in a survey at a POKéMON MART. Use these surveys to invite TRAINERS to the SEVII ISLANDS. …Let me give you a secret password for a survey: “GIVE ME AWESOME TRAINER” Write that in on a survey and send it to the WIRELESS COMMUNICATION SYSTEM. If you have the Wonder Card AND the e-card code you get the event unlocked... The man in green says this: Thank you for using the MYSTERY GIFT System. A TRAINER has arrived in the SEVII ISLANDS looking for you. We hope you will enjoy battling the visiting TRAINER. You may invite other TRAINERS by entering other passwords. Try looking for other passwords that may work. So i guess this was planned to work like this: 1. You receive the trainer wonder card from an event 2. You find somewhere those codes (wonder news maybe???) 3. You send the codes to wonder spot using the adapter 4. The new batch of code was downloaded to enable the event. Now i have to try with only the e-reader code to see what happens... Edit: This works and if you have only the e-reader code. If you go straight to Sootopolis the trainer is there... Also just to be correct, the above text is from FireRed. My test was in Emerald so the text says about trainer arrived at Sootopolis
-
Nice work on the translations. Small update: I'm currently investigate to see if i can enable the Sootopolis trainer event. It seems that this event was e-reader related and was removed from the English versions. I'm not sure if i can enable it, but it worth a try... Also i have start working on the tool. I did a basic GUI but there is still a lot to do.
-
OK here are some custom cards i create for Altering Cave and Wish Eggs. I don't have the originals so this is the best think i could come with... If you have any ideas on the text please share it. Also if there is anyone lucky enough to have a Wish Egg card from the original distribution (if there was a card), please share it... Edit (16/9/2015): For those who are interested in the WISH Eggs, here are the first 2 I have recreated:
-
Thanks for the clarification :smile: I had to tried this... A custom event (based on Egg event): I have just received a Pokemon (Castform) from the Delivery Man... Custom scripts... Confirmed!!! EDIT: OK So here we are (last for today)... Now we need card text for the Altering Cave and Egg Events...
-
Why to speculate when we can actually make some tests? :tongue: I have change value 0x39 to 0x38 and what i get was: According to this: http://bulbapedia.bulbagarden.net/wiki/List_of_moves Surf is 0x57 and Hydro Pump is 0x56 so i guess we have an offset of 0x1E... Another mystery solved! :smile:
-
OK here is the script for the egg in readable format: '--------------- #org 0x674D3D setvirtualaddress 0x8674D3D checkflag 0x1E4 virtualgotoif 0x0 0x8674D4C jumpram special2 0x40DD 0x86 compare 0x40DD 0x6 virtualgotoif 0x1 0x8674D73 setflag 0x1E4 virtualcall 0x8674D7E lock faceplayer virtualmsgbox 0x8674DDE '"Thank you for using the MYSTERY\nG..." waitmsg waitkeypress fanfare 0x172 waitfanfare release end '--------------- #org 0x674D4C special2 0x40DD 0x86 compare 0x40DD 0x6 virtualgotoif 0x1 0x8674D73 setflag 0x1E4 virtualcall 0x8674D7E lock faceplayer virtualmsgbox 0x8674DDE '"Thank you for using the MYSTERY\nG..." waitmsg waitkeypress fanfare 0x172 waitfanfare release end '--------------- #org 0x674D73 lock faceplayer virtualmsgbox 0x8674E6A '"Oh, your party appears to be full...." waitmsg waitkeypress release end '--------------- #org 0x674D7E giveegg 0xAC setobedience 0x40DD setcatchlocation 0x40DD 0xFF compare 0x40DD 0x1 virtualgotoif 0x1 0x8674DC0 compare 0x40DD 0x2 virtualgotoif 0x1 0x8674DC6 compare 0x40DD 0x3 virtualgotoif 0x1 0x8674DCC compare 0x40DD 0x4 virtualgotoif 0x1 0x8674DD2 compare 0x40DD 0x5 virtualgotoif 0x1 0x8674DD8 return '--------------- #org 0x674DC0 setpkmnpp 0x1 0x2 0x39 return '--------------- #org 0x674DC6 setpkmnpp 0x2 0x2 0x39 return '--------------- #org 0x674DCC setpkmnpp 0x3 0x2 0x39 return '--------------- #org 0x674DD2 setpkmnpp 0x4 0x2 0x39 return '--------------- #org 0x674DD8 setpkmnpp 0x5 0x2 0x39 return '--------- ' Strings '--------- #org 0x674DDE = Thank you for using the MYSTERY\nGIFT System.\pFrom the POKéMON CENTER we\nhave a gift--a POKéMON EGG!\pPlease raise it with love and\nkindness. #org 0x674E6A = Oh, your party appears to be full.\pPlease come see me after storing\na POKéMON on a PC. The key commands here are: giveegg 0xAC which gives an egg with pichu (pichu number is 172 which in hex is 0xAC) setcatchlocation 0x40DD 0xFF Most probably related to the location you found the egg. In this case its the "Nice Place" I think the moves are related to this command: setpkmnpp 0x1 0x2 0x39 (0x1 is the slot the egg will placed, I'm not sure about 0x2 and 0x39). Maybe is move surf as second move? I'm sure we can find this info in a rom hack thread... Also we need to search what flag 0x1E4 does... EDIT: For the record here is the altering cave script as well: '--------------- #org 0x6756E3 setvirtualaddress 0x86756E3 addvar 0x403E 0x1 compare 0x403E 0xA virtualgotoif 0x0 0x86756FD setvar 0x403E 0x0 lock faceplayer virtualmsgbox 0x8675708 '"Thank you for using the MYSTERY\nG..." waitmsg waitkeypress release end '--------------- #org 0x6756FD lock faceplayer virtualmsgbox 0x8675708 '"Thank you for using the MYSTERY\nG..." waitmsg waitkeypress release end '--------- ' Strings '--------- #org 0x675708 = Thank you for using the MYSTERY\nGIFT System.\pThere appears to be a rumor about\nrare POKéMON sightings.\pThe sightings reportedly came from\nthe ALTERING CAVE on ROUTE 103.\pPerhaps it would be worthwhile for\nyou to investigate this rumor. Each time you talk to the guy, the variable 0x403E increases by 1 (addvar 0x403E 0x1) Once reaches to 0xA goes back to 0x0 (zubat).
-
Hey guys, To add to the EON ticket finding, you can make a change in the delivery man script to deliver any item you want. For items that are related to the events, you have to set the "Enable" flag of that event as well... So to add on my previous post regarding the item codes, here are the event enable codes: E008 --> Activate Mystic Ticket Event D606 --> Activate Old Map Event D508 --> Activate Aurora Ticket Event B308 --> Activate EON Ticket Event So for example in the delivery man script of the Aurora Ticket, you have to change all the instances of D5 08 to any of the other codes to recreate the event you want... Now to expand this further, yesterday while i was struggling to change the text for the EGG Event, I had an idea... Why to struggle to change those things manually if there is a chance those events already be scripted in the rom? And guess what... Actually they are... After the "33 FF FF FF" sequence, there are 5 other bytes... "B8 F4 57 67 08". So if you take those bytes and reverse them to "08 67 57 F4" (B8 indicates the start of the script so we don't want it). Then open the rom in hex editor and go to address 0x6757F4 you can actually find the script you are looking for. Then Just copy it and paste it after the "33 FF FF FF". Compute the checksum and that's it :biggrin: You have a fully working delivery man script based on the event script already existed in the rom With this method i recreate all the events in like 10 mins... So now i have all 3 tickets, altering cave and an egg event (which gives you an egg with surfing Pichu). All the events are missing the text on the wonder card but are working as expected... So, this actually opens endless opportunities... Why? Because you can use any already existing script from the rom (for example Gift Pokemon) and attach it to the delivery man to activate it through Wonder Card. And since the Wondercard script actually overwrites the Rom script, in theory you can create any script you want using the existing script editors and attach it to the delivery man, through a Wonder Card. Edit: Here are some images from the actual game for the Altering Cave Event: This event seems to be a little bit "buggy" and I think maybe this is the reason never released. I'm saying this because of those 2 facts: 1. Always you can find only 1 kind of pokemon in the cave. Each time you talk to the delivery man, this pokemon change. 2. Once you toss the wonder card, the last pokemon you had enable, stays there for ever (instead of return to zubat). Here are some images for the Surfing Pichu Egg: Interesting Text: A peculiar POKEMON EGG obtained at the nice place Maybe this indicates this is an event pokemon egg...
-
Yes we can do this... I have a small question mark regarding the egg events, but i think is possible as well... I have already recreate mystic ticket and old sea map based on the legal aurora tickets we had. I have also recreate altering cave wonder card. At the moment my biggest issue is the text on the card for "Old Sea Map" and "Altering Cave". Since those events was never distribute outside Japan, we need to translate the cards from Japanese... Other than that, both of them works perfectly inside the game...
-
Since the checksum issue is now resolved, i can confirm some of the previous speculations: Cards Color Values: 0x00: Dark Yellow with square patterns 0x04: Dark Blue/Green with square patterns 0x08: Red with line patterns 0x0c: Green with line patterns 0x10: Blue with line patterns 0x14: Yellow with line patterns 0x18: Yellow with pokeball patterns 0x1c: Grey with pokeball patterns Also for each card color there are 3 values that can be used (for example 0x00,0x01,0x02 are all dark yellow with square patterns). After the 3 instances the next one is always empty (for example 0x03). To make any of the cards distributable you have to add 0x80 to the above values (for example 0x80 is distributable dark yellow card)
-
Guys finally I got it... I have figured out the checksum calculation :biggrin: Here is my first custom wonder card. I have change the color and title of the AURORA Ticket: I will post more details later... :grog: Edit: Custom wonder card that can be shared:
-
That's the point of this topic to share the knowledge... :biggrin: Regarding your questions: 1. Personally I haven't make any actual progress... I was really busy in the past days, but i take a look in the function that validates the checksum in the firered rom. I have to share some info (see the rest of the post). 2. I had the impression that you can link Japanese Colosseum with English GBA (But I'm not sure... maybe I'm wrong) 3. That is the ultimate target of this thread... To create some save games that can used to distribute those events. If we find a way to solve the checksum issue, then this is possible... Now some new info... ajxpkm send me a link few days ago with a description of a function in FireRed rom that does what we are actually try to do... That function reads a checksum value from 2 different places and tries to validate it with some data with lengths 332 and 1000 bytes each... I take a look at the assembly code and i found several evidences that this is actually the correct function. For example one of the validations that this function does is this: cmp r0, #0x0 beq $08069e9c (label end) ldrb r0, [r4, #0x0] cmp r0, #0x33 bne $08069e9c ldrb r0, [r4, #0x1] cmp r0, #0xff bne $08069e9c ldrb r0, [r4, #0x2] cmp r0, #0xff bne $08069e9c ldrb r0, [r4, #0x3] cmp r0, #0xff bne $08069e9c This chunk of asm code checks if the first 4 bytes of the data is "33 FF FF FF". If is not then retuns... This data is the start of the Delivery Man script which is always "33 FF FF FF". This is what we are actually looking for. The part that does the checksum validation. This is a loop over the data: lsr r1, r2, #0x08 //SHIFT RIGHT R2 (SEED) TO TAKE FIRST 2 DIGITS (UPPER SEED) add r0, r5, r3 //READS DATA FROM A SPECIFIC ADDRESS ldrb r0, [r0, #0x0] eor r2, r0 //XOR DATA WITH SEED (WHICH IS 0x1121 BTW) lsl r0, r2, #0x18 //DO SOME SHIFTING lsr r0, r0, #0x17 add r0, r0, r6 //USE PREVIOUS RESULT TO COMPUTE A NEW ADDRESS ldrh r0, [r0, #0x0] //GET HALF WORD (2 BYTES) FROM THAT SPECIFIC ADDRESS (THIS IS THE LOOKUP TABLE) add r2, r0, #0x0 eor r2, r1 //XOR UPPER SEED WITH THE VALUE FROM THE LOOKUP TABLE add r0, r3, #0x1 lsl r0, r0, #0x10 //DO AGAIN SOME SHIFTING lsr r3, r0, #0x10 cmp r3, r4 What this asm code does is to loop ever the data and do the same or similar calculations with the ones that Morfeo describes (see my commends above)...
-
I did some research on Morfeo Algorithm. It's a CRC16 checksum algorithm with a lookup table. It's seems to be a common checksum computation algorithm. The bad thing is that there are a lot of variations of the algorithm... Including custom lookup tables (using different polynomial to generate them), in some cases different computation functions (but similar ones) and even different initial crc value (seed)... E-Reader uses a similar algorithm (CRC32) for checksum computation. Here you can find very interesting information regarding E-Reader and an implementation of the CRC32 algorithm (under technical details) https://www.caitsith2.com/ereader/index.htm I think we should try to use the same algorithm and in our case... You never know... EDIT (1/9/2015): No News on checksum but here is some text i found regarding the Delivery Man dialog: Egg: Thank you for using the MYSTERY GIFT System. From the POKéMON CENTER we have a gift - a POKéMON EGG! Please raise it with love and kindness. Oh, your party appears to be full. Please come see me after storing a POKéMON on a PC. Tickets: Thank you for using the MYSTERY GIFT System. You must be {RED}. There is a ticket here for you. It appears to be for use at the VERMILION CITY port. Why not give it a try and see what it is about? Thank you for using the MYSTERY GIFT System. Oh, I’m sorry, {RED}. Your BAG’s KEY ITEMS POCKET is full. Please store something on your PC, then come back for this. Altering Cave: Thank you for using the MYSTERY GIFT System. Recently, there have been rumors of rare POKéMON appearances. The rumors are about ALTERING CAVE on OUTCAST ISLAND. Why not visit there and check if the rumors are indeed true? And some really interesting ones: Thank you for using the MYSTERY GIFT System. By holding this WONDER CARD, you may take part in a survey at a POKéMON MART. Use these surveys to invite TRAINERS to the SEVII ISLANDS. …Let me give you a secret password for a survey: “GIVE ME AWESOME TRAINER” Write that in on a survey and send it to the WIRELESS COMMUNICATION SYSTEM. Thank you for using the MYSTERY GIFT System. A TRAINER has arrived in the SEVII ISLANDS looking for you. We hope you will enjoy battling the visiting TRAINER. You may invite other TRAINERS by entering other passwords. Try looking for other passwords that may work. Thank you for using the MYSTERY GIFT System. Your BATTLE COUNT CARD keeps track of your battle record against TRAINERS with the same CARD. Look for and battle TRAINERS who have the same CARD as you. You may check the overall rankings by reading the NEWS. Please do give it a try! Thank you for using the MYSTERY GIFT System. Congratulations! You have won a prize for winning three battles! We hope you will be inspired to battle some more. Old Sea Map (Emerald): MYSTERY GIFT System. Let me confirm--you are [PLAYER]? We received this OLD SEA MAP addressed to you. Source: http://iimarck.us/dumps/dfirered.txt
-
Not much but here are some new findings... In the Delivery Man Script: 33 FF FF FF B8 58 02 00 08 6A 5A 2B 3A 01 BB 01 BC 02 00 08 2B AD 01 BB 01 BC 02 00 [color="#FF0000"][b]08 47 73 01[/b] [/color] 01 00 21 0D 80 01 00 BB 01 BC 02 00 08 BD C5 02 00 08 66 6D 46 73 01 01 00 21 0D 80 00 00 BB 01 B3 02 00 08 1A 00 80 73 01 1A 01 80 01 00 09 00 29 D5 08 29 3A 01 BD 22 03 00 08 66 6D 6C 02 BD B3 03 00 08 66 6D 6C 02 BD 86 03 00 08 66 6D 6C 02 CE DC D5 E2 DF 00 ED E3 E9 00 DA E3 E6 00 E9 E7 DD E2 DB 00 E8 DC D9 00 This is the location of the item he delivers. The first 2 bytes are always the same. The other 2 is the hex value of the in game item... So theoretically you can change this value to put any item you want... 08 47 72 01 - Mystic Ticket 08 47 73 01 - Aurora Ticket 08 47 78 01 - Old Sea Map And Some new colors (I messed up with the Japanese cards): 0C --> Green 12 --> Blue Wish we had a way to figure out how to compute that checksum... :rolleyes: Is there any tool that we can use to find the actual function used for encryption/decryption in the rom? If we can find that function maybe we can reverse engineer it... Edit: Also for some reason the Japanese cards are much smaller... This is the complete Japanese Aurora Card: E8 03 FF FF 00 00 00 00 08 00 55 AE 7B 77 61 59 A0 64 00 1B 07 06 04 00 56 AE 95 00 A3 A1 A1 A5 00 01 07 00 00 00 00 00 00 8A AE 71 2D 00 1A 3D 22 13 00 9F 59 73 7E 5E 7E 60 AE 19 00 A3 06 02 1D 00 02 0A 03 AB 00 55 AE 7B 77 61 59 A0 64 2D 00 23 27 03 0A 14 37 00 44 07 29 26 AB 00 00 00 00 00 00 00 00 61 59 A0 64 2D 00 23 27 50 10 27 00 0D 39 7A 9F AE 64 AB 00 61 59 A0 64 2D 00 23 27 03 1F 04 16 00 0A 19 56 AE 95 2D 00 0D 13 15 02 44 00 08 41 0B 02 AB 00 00 00 00
-
Ok I have check my code and I'm 99% sure that my implementation is correct. So at the moment I have reach a dead end... :confused: I'm posting below the url to the original archive from Morfeo. You can take a look at it, maybe I'm missing something regarding the algorithm... Also here is how i find the archive with the algorithm info in the first place (it's part of a save file that contains Morfeo aurora ticket): Here is the complete text in Spanish: .NOTA No muestro a nadie el mé todo para crear Wonder Cards, por lo que no respondo a esas preguntas. Pero si tienes los conocimientos necesarios y sobre todo SENTIDO COMÚN, tal vez puedes merecer la última pieza para lograrlo en: galeon.com/albumpokemon/llaveWC.rar Also here are the results of my implementation running the Morfeo's example: Step 1: Input Byte: 33 Tab index: 3(0x3) Tab value: E017 Tab value reverse: 17E0 New Seed: 1765 New Alta Seed: 17 ---------------------------- Step 2: Input Byte: FF Tab index: 154(0x9A) Tab value: 01ED Tab value reverse: ED01 New Seed: ED16 New Alta Seed: ED ---------------------------- Step 3: Input Byte: FF Tab index: 233(0xE9) Tab value: A030 Tab value reverse: 30A0 New Seed: 304D New Alta Seed: 30 ---------------------------- Step 4: Input Byte: FF Tab index: 178(0xB2) Tab value: 17B0 Tab value reverse: B017 New Seed: B027 New Alta Seed: B0 ---------------------------- Final Seed: B027 Binary Conversion: 0xB027 --> 1011000000100111 0x4FD8 <-- 0100111111011000 Save File Checksum: D8 4F And the results when running it on the actual Wonder Card data (the last step): New Seed: F018 New Alta Seed: F0 ---------------------------- Step 332: Input Byte: 00 Tab index: 24(0x18) Tab value: 6130 Tab value reverse: 3061 New Seed: 3091 New Alta Seed: 30 ---------------------------- Final Seed: 3091 Binary Conversion: 0x3091 --> 11000010010001 0x0F6E <-- 00111101101110 Save File Checksum: 6E 0F
