lostaddict

OK so here is what i have regarding the info and the algorithm Morfeo left behind: 1) General Information: As we already know there are 2 relevant data blocks for each Wonder Card. At the beginning of each of those 2 blocks there is a key (checksum value) which is 4 Bytes Wonder Card Data (332 bytes) Green Man Script (1000 bytes) 2) Algorithm Information The algorithm seems to use the same method that rom uses to encrypt things... Before proceed with the actual algorithm there are 2 things needs to be defined. What is "Seed" and what is "Tab" "Seed" is a 2 byte value that is compute in each step of the algorithm and used as input to the next step. Initial value of "Seed" is always "8530" "Tab" is an index value. This points to a 2 byte value that can be found in a file. This file is actually a lookup table. You look on a specific address and you retrieve the specific value to use it in the algorithm... According to Morfeo is really important to group the file data in "tabs". Each tab has 2 bytes. More info on how the Tabs are created: The Tab file is provided by Morfeo (tab.bin). I did some search to find it's origin... The data in the file seems to be part of the actual rom (I found them both in Emerald and Green Leaf roms). That's why I'm assume that this is the same method of encryption the game itself uses... 3) The Algorithm 2 More definitions: "upperSeed": The upper 2 bytes of the "Seed" "reverseTab": The reverse value of the "Tab" (if Tab value is XXYY the reverse is YYXX) For Each Byte: Tab Index = (Current Byte [b]XOR [/b]"Seed") [b]AND [/b]0xFF Tab Value = Value at position "Tab Index" in tab.bin file newSeed = reverseTab [b]XOR [/b]upperSeed End For Tab Values for the Example: Offset Data ##Tab 00000000 00 00 00Tab 00000002 00 01 01Tab 00000004 0F CF 02Tab 00000006 E0 17 "03Tab"<-- 1st Byte 00000008 30 01 04Tab 0000000A 0F 00 05Tab ¡ ¡ ¡ ¡ ¡ ¡ 00000130 10 06 98Tab 00000132 00 10 99Tab 00000134 01 ED "9ATab"<-- 2nd Byte 00000136 10 1C 9BTab 00000138 51 2F 9CTab ¡ ¡ ¡ ¡ ¡ ¡ 00000160 00 BB B0Tab 00000162 0B B0 B1Tab 00000164 17 B0 "B2Tab"<-- 4th Byte 00000166 EF 50 B3Tab 00000168 17 D0 B4Tab ¡ ¡ ¡ ¡ ¡ ¡ 000001CE 20 BF E7Tab 000001D0 A0 2F E8Tab 000001D2 A0 30 "E9Tab"<-- 3rd Byte 000001D4 17 20 EATab 000001D6 1A F0 EBTab Example: Input Data "33 FF FF FF" Step 1: [b]"33"[/b] FF FF FF 8530 ^ 33 = 8503 & 0xFF = 03 Tab03 = E0 17 17E0 ^ 85 = 1765 newSeed = 1765 Step 2: 33 [b]"FF"[/b] FF FF 1765 ^ FF = 179A & 0xFF = 9A Tab9A = 01 ED ED01 ^ 17 = ED16 newSeed = ED16 Step 3: 33 FF [b]"FF"[/b] FF ED16 ^ FF = EDE9 & 0xFF = E9 TabE9 = A0 30 30A0 ^ ED = 304D newSeed = 304D Step 4: 33 FF FF [b]"FF"[/b] 304D ^ FF = 30B2 & 0xFF = B2 TabB2 = 17 B0 B017 ^ 30 = B027 newSeed = B027 Once all the calculations for all the bytes are made we need to compute the final "Key" value which is the actual checksum. This is how this is done: a. Get the Last Seed the algorithm compute. b. Convert it to binary. c. Replace "zeros" with "ones" and "ones" with "zeros" d. Convert back to hex Example: B027 ---> 1011 0000 0010 0111 4FD8 ---> 0100 1111 1101 1000 "Key"= 4FD8 In sav file: D8 4F 00 00 4) Where this information is coming from? Morfeo left behind this information for those who actually care enough to mess with his codes... If you check closely in a .sav file that contains a Morfeo Wonder Card, you should find some bytes that are translating to a URL... From that URL you can download a .rar file containing: A .txt file with the above instructions in spanish and the tab.bin file for the encryption... Also you can find some other thoughts of Morfeo regarding why he is not sharing this information... :rolleyes: 5) Implementation of the algorithm I have implemented this yesterday... I'm planning to provide it later. As i have already explained while it works perfectly on the example, when it comes with the actual wonder card data, it fails to give the correct checksum... It can be either a code bug, wrong initial "Seed" value or missing data from the "tab.bin" file... Hopefully is a code bug since we don't have more info on the other 2 factors (initial seed and tab.bin file) that may affect the result... Enjoy :biggrin:

This is the exact same algorithm we have already implemented. If you run the algorithm on the block containing the wonder card data (using all block data) then it gives the correct checksum that you can add at the footer of the block. This resolves the corrupted file issue when you inject the wonder card code in the .sav file. I have already tested it and works ok :biggrin: NOW THE REALLY GOOD NEWS: Morfeo has left behind actual instructions on how to compute this checksum... It's in a .rar file that it supposed to contain all the information needed to implement wonder card functionality and generate the AR Codes... I have this since yesterday and the algorithm is already implemented. :wink: But while it works perfectly on his example, it does not work on the actual wonder card data... :rolleyes: I will post more details on this later today...

For anyone who is interesting here is the script: The file contains the source code, a jar file that you can run from the command line and the legit Aurora Wonder Card. To run it open a command prompt and type: java -jar ComputeChecksum.jar WonderCard.bin You should see the results in the output :smile: Make sure you have java installed on your computer... PS: Google Translate is not so good with the Japanese... ComputeChecksum.rar

Really nice info!!! There is a small mistake in you example: E8 03 FF FF will become FF FF 03 E8 I have write a quick script in java to compute this automatically... It reads the bytes from a file and computes the checksum. Here is the result when running it on you example: FFFF03E8 00000000 00000008 00000000 00000000 C9CCCFBB C3CEBBCC CEBFC5BD Sum: 5C5A5534 Final Checksum: B18E The bad news is that when i use this algorithm to the actual wonder card data, the result does not match with the one in the .sav file... Here are the results when running it on the actual wonder card data: FFFF03E8 00000000 00000008 00000000 00000000 C9CCCFBB C3CEBBCC CEBFC5BD 00000000 00000000 00000000 00000000 00000000 00000000 00000000 DCD7ECBF D9DBE2D5 E6D5BD00 000000D8 00000000 00000000 00000000 E3C10000 00E3E800 00D9DCE8 E3D7D9E7 DA00D8E2 E6E3E3E0 00DAE300 00D9DCE8 1BC5C9CA 00C8C9C7 BFBD0000 CCBFCEC8 D8E2D500 D9D9E100 DCE800E8 D9D800D9 D9EADDE0 E400EDE6 E3E7E6D9 E2DD00E2 E6DB0000 ADE2D9D9 D7D9CC00 D9EADDD9 D9DCE800 CCCFBB00 CEBBCCC9 BFC5BDC3 E2D500CE 000000D8 DCE80000 E700E2D9 00D9EAD5 00D9DCE8 D9E1D5DB 0000ABAB 00000000 00000000 00000000 00000000 E3BE0000 E8E3E200 E7E3E800 DCE800E7 BF00E7DD D5DCD7EC 00D9DBE2 D8E6D5BD 00000000 00000000 D9D60000 D9E6E3DA D7D9E600 DDEADDD9 E800DBE2 BB00D9DC CCC9CCCF BDC3CEBB ABCEBFC5 000000AB 00000000 00000000 Sum: 5DFDA06E Final Checksum: FE6B It should give 85 FC instead.... Is there any information on Taka's website regarding the blocks we should use to calculate the checksum?

Some more info (most of them are speculations): EVENT TYPE: E8 03 FF FF --> AURORA TICKET E9 03 FF FF --> MYSTIC TICKET EA 03 FF FF --> OLD SEA MAP This seems to be the identification of the wonder card event. (Not confirmed yet) CARD COLOR: 08 --> RED 9C --> GREY 94 --> YELLOW This seems to be the wonder card color. (Not confirmed yet) POKEMON ICON: 01 00 --> Bulbasaur Icon F9 00 --> Deoxys Icon FF FF --> Questionmark Icon This is the icon located on the upper right of the wonder card. Values are start from 01 to F9. (confirmed) CHECKSUM: This seems to be the checksum of the wonder card data. In order to be able to edit the text of the card we need to figure out how to compute this... Event type, Card color and Card text are part of the data that checksum is compute on... For some reason the Wonder Card Icon is not...

I think we need to read those notes... It will save as some time Some new findings: Wonder Card is at 0x560 as you mentioned before. In my previous injection, i put it only on 0x560 and it worked perfectly. I didn't notice that there was a 2nd location until you mention it, so i investigate further... Once I received the aurora ticket and save, wonder card code was stored and in the 2nd location as well... If you want to change the icon on the upper right of the Wonder Card here is the address: 0x6c6 - 0x6c7 : FF FF --> ? icon 9A 01 --> Deoxys icon I have tried some random values and different pokemon appear... No luck with the colors though...

OK some really good news: I was manage to insert aurora ticket to another save file using just the hex editor... The good news is that once you insert it, the ticket is unclaimed. And once you receive it, everything is working as expected :tongue: All the text is in English as well... Here is the save file: Now the bad news is that once you edit the sav file using hex editor, the sav file becomes corrupted. Most probably there is some kind of checksum validation during the loading... I was manage to overcome this issue by open the edited file in a .sav editor tool and save it again... Next step is to figure out how to enable/disable the distribute functionality by checking Morfeo's sav file... Also i need to figure out how to bypass the checksum validation without using other tools... PS: Regarding the tools i'm using, it's a HEX editor... The Script was extracted using the AdvanceMap tool. Pokemon - Emerald Version (USA, Europe)CLEAN-MOD2.rar

It's nice to see some progress. :smile: Looking forward to see the final result... By the way can you tell me what tools you are using? I'm totally newbie to this, but i'm interest to learn more... I did some research in the rom code by the way. Here is the actual code of the specific event (i think it includes the flags and the checks that are made). It also includes the formal in-game text: '--------------- #org 0x276B03 special2 LASTRESULT 0x1F8 compare LASTRESULT 0x1 if 0x1 goto 0x8276B23 goto 0x8276B19 '--------------- #org 0x276B23 checkitem 0x113 0x1 compare LASTRESULT 0x1 if 0x1 goto 0x8276B19 checkflag 0x8B3 if 0x1 goto 0x8276B19 msgbox 0x8273594 MSG_KEEPOPEN '"Thank you for using the MYSTERY\nE..." giveitem 0x113 0x1 MSG_OBTAIN setflag 0x8B3 setvar 0x403F 0x0 msgbox 0x82735F2 MSG_KEEPOPEN '"It appears to be for use at\nthe L..." release end '--------------- #org 0x276B19 executeram msgbox 0x8273178 MSG_FACE '"Thank you for accessing the\nMYSTE..." end '--------- ' Strings '--------- #org 0x273594 = Thank you for using the MYSTERY\nEVENT System.\pYou must be [player].\nThere is a ticket here for you. #org 0x2735F2 = It appears to be for use at\nthe LILYCOVE CITY port.\pWhy not give it a try and see what\nit is about? #org 0x273178 = Thank you for accessing the\nMYSTERY GIFT System.

Thanks for the clarifications ajxpkm. The issue was that i was inserting the master code/RMA code only once at the beginning... After i watch the video i was able to enable the Aurora Ticket and Mystic Ticket wonder cards. I haven't test with the other ones... Now any ideas on how to change the text that appears both on card and in-game once you use it?

Hi this is really interesting information... Did you try the Morfeo's Codes? I have tried to use them with no luck. I'm not sure if the way I'm inserting them in VBALink is wrong or the version of the rom i have is not correct (Emerald US/Europe Rev A). Anyway a tool to patch the save files or some already patched files with those wonder cards in them will be really nice to have... PS: Here is a save file i found online containing a legit aurora ticket wonder card (that you cannot share). Sauvegames Aurora.rar