Hacking Pokémon X/Y Dumper and Editor

ElYubiYubi

GBATemp Maniac
Member
Joined
Apr 9, 2013
Messages
2,397
Trophies
1
XP
1,795
Country
Puerto Rico
Guys, I can confirm that the dumper is getting blocked by Nintendo. Every time I'm trying to conduct a wonder trade with the dumper open, it disconnects me from the internet. I did the wireshark method just fine. At first I thought I was paranoid, but if I'm even trying to connect to the internet (in-game) with the dumper open, it won't let me, only when I close it, and if I go to the wonder trade window, open the dumper and then conduct a trade, it disconnects me.

But at least I can do the long method with the dongle.

There you have it guys. Told ya this Wonder Trade method was too risky
 

kyogre123

Mexican Pride
OP
Member
Joined
Sep 23, 2013
Messages
2,920
Trophies
0
Age
34
XP
1,347
Country
Mexico
I believe you misunderstood me, this still currently isn't possible.

Packet injection is easy, we just can't get the 3DS to accept the packets due to the hash.
It could be anything with any type of secret key on who knows what data...

HMAC-MD5
HMAC-SHA1 Truncated
AES-CBC
AES-CTR

Any encryption cracking experts are welcome to assist =P

Woah, I don't know if cracking the save file of the game would be easier than this :wacko:
 

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,877
Country
United States
We cannot inject any modified pokemon right now. If you want to test your packet editing for if/when you can inject, try capturing the packet with your normal editing/MITM tools and sending it back without editing it in any way. This works if your environment's set up right.

I'm not particularly optimistic about getting these checksums cracked. I imagine we might have to just wait till the 3DS is properly hacked and we can decrypt the cart and look at the code that handles them.
 
Reactions: Zaneris

Zaneris

Well-Known Member
Newcomer
Joined
Sep 5, 2013
Messages
87
Trophies
0
Age
37
XP
86
Country
Canada
We cannot inject any modified pokemon right now. If you want to test your packet editing for if/when you can inject, try capturing the packet with your normal editing/MITM tools and sending it back without editing it in any way. This works if your environment's set up right.

I'm not particularly optimistic about getting these checksums cracked. I imagine we might have to just wait till the 3DS is properly hacked and we can decrypt the cart and look at the code that handles them.

Nor am I optimistic... there's a lot of optimistic people following the same steps I took, but eventually coming to realize the exact same roadblock.
 

ElYubiYubi

GBATemp Maniac
Member
Joined
Apr 9, 2013
Messages
2,397
Trophies
1
XP
1,795
Country
Puerto Rico
I'm telling you the best & easiest way would be cracking the SaveFile. Somebody can take a look at the SaveEditors I posted a few pages back.

Or unless someone can make Smea share his work...
 

MangekyoSharingan

New Member
Newbie
Joined
Nov 4, 2013
Messages
2
Trophies
0
Age
38
XP
51
Country
It must have something to do with an integrity check value in the code. It would help if we could get the sniffed packages of two trainers during the same exchange, and the same extraction of the same pokemons getting back to their owner again.
That way we could get a pattern on which values depend on the pokemon, which ones on the trainer & DS.
If we could repeat the operation after that, we could separate the time variables and other ones that are independent of the pokemon and trainer... Volunteers? xD
 

kyogre123

Mexican Pride
OP
Member
Joined
Sep 23, 2013
Messages
2,920
Trophies
0
Age
34
XP
1,347
Country
Mexico
I'm telling you the best & easiest way would be cracking the SaveFile. Somebody can take a look at the SaveEditors I posted a few pages back.

Or unless someone can make Smea share his work...

I'm telling you the easiest way would be calling Nintendo and asking them for the SC.
Pointless advice is pointless.
 
Reactions: signz

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,877
Country
United States
I'm telling you the best & easiest way would be cracking the SaveFile. Somebody can take a look at the SaveEditors I posted a few pages back.

Or unless someone can make Smea share his work...

Smea's work is the mset hack. You could go make your own hack based off of it if you'd like.
As for savegames: http://3dbrew.org/wiki/Savegames
Not happening any time soon. They've been protected for a while, and 6.0.0+ games buffed up that protection.
 

kyogre123

Mexican Pride
OP
Member
Joined
Sep 23, 2013
Messages
2,920
Trophies
0
Age
34
XP
1,347
Country
Mexico
It must have something to do with an integrity check value in the code. It would help if we could get the sniffed packages of two trainers during the same exchange, and the same extraction of the same pokemons getting back to their owner again.
That way we could get a pattern on which values depend on the pokemon, which ones on the trainer & DS.
If we could repeat the operation after that, we could separate the time variables and other ones that are independent of the pokemon and trainer... Volunteers? xD

Someone at ProjectPokemon traded the same copy of one Pokemon (clones) three times and the packets were different, if that's what you're asking.
 

RubenPikachu

Member
Newcomer
Joined
Nov 25, 2012
Messages
17
Trophies
0
Website
pikaedit.wordpress.com
XP
68
Country
Mexico
Hey, there. As long as we're going to try to figure out what causes shininess, here are four of mine and one the person who I was showing mine to over trade to get the data flashed at me (his is the ambipom): http://www.mediafire.com/?zwwaryiynoftoki

Best of luck.


I have found out how a pkx is shiny, it uses offset 0x18-0x1B (I'm not sure how the game generates it but acts as a unsigned integer for shiny check), ID and SID
Like the PID in Gen 5, divide this seed into 16 bit parts, let s1 be the upper part and s2 the lower part

If (id^sid^s1^s2)<=8 then the pokemon is shiny (yes, including the 8, I have a shiny magikarp that makes this equal to 8)
 
Reactions: MangekyoSharingan

artillerycannons

New Member
Newbie
Joined
Nov 4, 2013
Messages
2
Trophies
0
Age
33
XP
42
Country
United States
I have found out how a pkx is shiny, it uses offset 0x18-0x1B (I'm not sure how the game generates it but acts as a unsigned integer for shiny check), ID and SID
Like the PID in Gen 5, divide this seed into 16 bit parts, let s1 be the upper part and s2 the lower part

If (id^sid^s1^s2)<=8 then the pokemon is shiny (yes, including the 8, I have a shiny magikarp that makes this equal to 8)

I just checked this on my chandelure -- id^sid^s1^s2 (BitXor[31843,47503,7938,56034]) = 12. So the chances of getting a shiny HAVE increased, looks like? (It's a friend safari lampent.)
 
Reactions: dot7z

Nurio

That Kirby fan
Member
Joined
Mar 31, 2009
Messages
850
Trophies
0
Age
33
Location
The Netherlands
XP
450
Country
Netherlands
There you have it guys. Told ya this Wonder Trade method was too risky
I highly highly highly doubt Nintendo even noticed the guy using the dumper, much less being able to cut off his internet from afar on *only* his computer, but no other device on the network.
The far far far more likely explanation is that the dumper is causing an issue with his network driver or something along those lines.
 
Reactions: signz

RubenPikachu

Member
Newcomer
Joined
Nov 25, 2012
Messages
17
Trophies
0
Website
pikaedit.wordpress.com
XP
68
Country
Mexico
I just checked this on my chandelure -- id^sid^s1^s2 (BitXor[31843,47503,7938,56034]) = 12. So the chances of getting a shiny HAVE increased, looks like? (It's a friend safari lampent.)


It could be that the formula would be id^sid^s1^s2 < 16... I would need a shiny with this calculation equal to 15 to prove it...
 

Nurio

That Kirby fan
Member
Joined
Mar 31, 2009
Messages
850
Trophies
0
Age
33
Location
The Netherlands
XP
450
Country
Netherlands
What exactly does the syntax "a^b^c^d" even mean? As a mathematician, it looks like "to the power of", but I'm sure that's not right in this context...
 
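As an added worked example (not code posted by anyone in this thread), the shiny check described by RubenPikachu and artillerycannons above, written out in Python; it also answers the question about the syntax: `^` here is bitwise XOR, not exponentiation. The thread only gives the offset (0x18-0x1B) and the formula, so the byte order of the 4-byte field (little-endian, like the Gen 5 PID) and the placeholder buffer size are assumptions. The chandelure values quoted above reproduce the 12 from the thread, and a constructed record shows the boundary case of exactly 8.

```python
import struct

# Assumptions (not stated in the thread): the 4 bytes at 0x18-0x1B form a
# little-endian unsigned 32-bit value, and TID/SID are 16-bit unsigned values.
SHINY_SEED_OFFSET = 0x18
PLACEHOLDER_RECORD_SIZE = 0x20  # just large enough to hold the field; real pkx records are bigger


def split_seed(seed):
    """Split the 32-bit value into s1 (upper 16 bits) and s2 (lower 16 bits), as in the thread."""
    return (seed >> 16) & 0xFFFF, seed & 0xFFFF


def shiny_xor(pkx, tid, sid):
    """Compute id ^ sid ^ s1 ^ s2 for a pkx byte buffer ('^' is bitwise XOR)."""
    (seed,) = struct.unpack_from("<I", pkx, SHINY_SEED_OFFSET)
    s1, s2 = split_seed(seed)
    return tid ^ sid ^ s1 ^ s2


def is_shiny(pkx, tid, sid, threshold=8):
    """Apply the '<= 8' rule from the thread; the proposed '< 16' variant is threshold=15."""
    return shiny_xor(pkx, tid, sid) <= threshold


def make_pkx(s1, s2):
    """Build a constructed record with only the seed field populated (s1 upper half, s2 lower half)."""
    buf = bytearray(PLACEHOLDER_RECORD_SIZE)
    struct.pack_into("<I", buf, SHINY_SEED_OFFSET, ((s1 & 0xFFFF) << 16) | (s2 & 0xFFFF))
    return bytes(buf)


if __name__ == "__main__":
    # Values quoted in the thread for the friend safari chandelure.
    chandelure = make_pkx(7938, 56034)
    print("chandelure xor:", shiny_xor(chandelure, 31843, 47503))          # 12
    print("shiny under <=8:", is_shiny(chandelure, 31843, 47503))          # False
    print("shiny under <16:", is_shiny(chandelure, 31843, 47503, 15))      # True

    # Constructed record that lands exactly on the boundary value 8 (like the magikarp case).
    boundary = make_pkx(0x1234, 0xF634)
    print("boundary xor:", shiny_xor(boundary, 12345, 54321))              # 8
```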
