5th gen Mystery Gift internet protocol analysis.



Kyohack
04-23-2011, 12:33 PM
I have been researching the internet protocol used to receive Mystery Gifts in Pokemon Black and White. I used the 32-bit Windows version of Wireshark to capture packets in promiscuous mode from my Asus USB-N13 adapter running in SoftAP mode with the default provided drivers. I was able to determine that Black and White also use SSL encryption in their online Mystery Gift activity, just like the 4th gen games. Since BW uses SSL encryption, we cannot make a fake Mystery Gift server. It is simply not possible since we only have the public keys, and not the private keys.

Here is an in-depth analysis for the technical minded:

A few packets stand out. First of all, I noticed that the "Client Hello" handshake from my DS to nas.nintendowifi.net uses the SSL 3.0 protocol.

The very next packet after that is a "Server Hello" from nas.nintendowifi.net to my DS, which also uses the SSL 3.0 protocol. This packet also contains an SSL certificate which you can see below:


0000 00 23 54 97 80 fe e0 91 f5 6f 9e 5a 08 00 45 30 .#T..... .o.Z..E0
0010 04 47 b6 b7 40 00 ee 06 3f 71 45 19 8b 8d c0 a8 .G..@... ?qE.....
0020 01 09 01 bb f4 64 40 3c e9 20 d7 37 1d e3 50 18 .....d@< . .7..P.
0030 0f f0 06 d8 00 00 16 03 00 00 4a 02 00 00 46 03 ........ ..J...F.
0040 00 06 ee 36 e6 44 bd 0b 0f 4e 90 71 a3 5a 7c 0f ...6.D.. .N.q.Z|.
0050 7d 1e ce b5 4f d6 06 3a 75 49 ec 37 4e 3b e6 55 }...O..: uI.7N;.U
0060 09 20 7f 6c 13 75 dc 5d 70 3c c4 33 95 d3 af 02 . .l.u.] p<.3....
0070 72 d5 f0 5d 17 9b 68 a0 3e 87 28 fe 60 9d 3e 7a r..]..h. >.(.`.>z
0080 af 34 00 04 00 16 03 00 03 c2 0b 00 03 be 00 03 .4...... ........
0090 bb 00 03 b8 30 82 03 b4 30 82 03 1d a0 03 02 01 ....0... 0.......
00a0 02 02 01 04 30 0d 06 09 2a 86 48 86 f7 0d 01 01 ....0... *.H.....
00b0 05 05 00 30 81 8c 31 0b 30 09 06 03 55 04 06 13 ...0..1. 0...U...
00c0 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 .US1.0.. .U....Wa
00d0 73 68 69 6e 67 74 6f 6e 31 20 30 1e 06 03 55 04 shington 1 0...U.
00e0 0a 13 17 4e 69 6e 74 65 6e 64 6f 20 6f 66 20 41 ...Ninte ndo of A
00f0 6d 65 72 69 63 61 20 49 6e 63 31 0c 30 0a 06 03 merica I nc1.0...
0100 55 04 0b 13 03 4e 4f 41 31 14 30 12 06 03 55 04 U....NOA 1.0...U.
0110 03 13 0b 4e 69 6e 74 65 6e 64 6f 20 43 41 31 22 ...Ninte ndo CA1"
0120 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 63 0 ..*.H. .......c
0130 61 40 6e 6f 61 2e 6e 69 6e 74 65 6e 64 6f 2e 63 a@noa.ni ntendo.c
0140 6f 6d 30 1e 17 0d 30 35 30 32 31 39 30 34 33 32 om0...05 02190432
0150 35 31 5a 17 0d 31 35 30 32 31 37 30 34 33 32 35 51Z..150 21704325
0160 31 5a 30 81 96 31 0b 30 09 06 03 55 04 06 13 02 1Z0..1.0 ...U....
0170 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 US1.0... U....Was
0180 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 hington1 .0...U..
0190 13 07 52 65 64 6d 6f 6e 64 31 21 30 1f 06 03 55 ..Redmon d1!0...U
01a0 04 0a 13 18 4e 69 6e 74 65 6e 64 6f 20 6f 66 20 ....Nint endo of
01b0 41 6d 65 72 69 63 61 20 49 6e 63 2e 31 1e 30 1c America Inc.1.0.
01c0 06 03 55 04 0b 13 15 4e 69 6e 74 65 6e 64 6f 20 ..U....N intendo
01d0 57 69 66 69 20 4e 65 74 77 6f 72 6b 31 1d 30 1b Wifi Net work1.0.
01e0 06 03 55 04 03 13 14 6e 61 73 2e 6e 69 6e 74 65 ..U....n as.ninte
01f0 6e 64 6f 77 69 66 69 2e 6e 65 74 30 81 9f 30 0d ndowifi. net0..0.
0200 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d ..*.H... ........
0210 00 30 81 89 02 81 81 00 a3 73 65 8c 53 30 8b 96 .0...... .se.S0..
0220 9a 1a 9c f0 f9 ef 40 2b c8 04 0d 2c 51 8a 53 cc ......@+ ...,Q.S.
0230 86 8e ff e6 f8 5e 95 ce 1c 91 e4 2f 7f 67 9b 7f .....^.. .../.g..
0240 04 9f 0c 09 c8 3a 30 93 0c 77 5e df 81 2a f0 1a .....:0. .w^..*..
0250 cd 53 c7 ad e8 11 a2 86 8d ab c6 1a f9 d3 0d 91 .S...... ........
0260 93 bf f8 9e a8 80 e9 ca 56 90 3b 31 b1 f1 07 92 ........ V.;1....
0270 f9 f4 d5 a3 c0 f9 e9 13 9e b7 67 9a 63 b0 be 4c ........ ..g.c..L
0280 84 97 31 e5 38 0f 10 99 1f e9 55 dc 41 42 54 7f ..1.8... ..U.ABT.
0290 1c 9f cf 22 09 2d f2 fb 02 03 01 00 01 a3 82 01 ...".-.. ........
02a0 18 30 82 01 14 30 09 06 03 55 1d 13 04 02 30 00 .0...0.. .U....0.
02b0 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 0,..`.H. ..B.....
02c0 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 .OpenSSL Generat
02d0 65 64 20 43 65 72 74 69 66 69 63 61 74 65 30 1d ed Certi ficate0.
02e0 06 03 55 1d 0e 04 16 04 14 aa 1a 38 11 7c 6c 66 ..U..... ...8.|lf
02f0 63 49 fb b8 a7 8c f4 a3 d0 e4 ee c6 37 30 81 b9 cI...... ....70..
0300 06 03 55 1d 23 04 81 b1 30 81 ae 80 14 7b 57 53 ..U.#... 0....{WS
0310 3f 31 ac 77 71 f1 fd 4a e6 0f 43 b0 d5 55 41 9f ?1.wq..J ..C..UA.
0320 d2 a1 81 92 a4 81 8f 30 81 8c 31 0b 30 09 06 03 .......0 ..1.0...
0330 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 U....US1 .0...U..
0340 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 20 30 1e ..Washin gton1 0.
0350 06 03 55 04 0a 13 17 4e 69 6e 74 65 6e 64 6f 20 ..U....N intendo
0360 6f 66 20 41 6d 65 72 69 63 61 20 49 6e 63 31 0c of Ameri ca Inc1.
0370 30 0a 06 03 55 04 0b 13 03 4e 4f 41 31 14 30 12 0...U... .NOA1.0.
0380 06 03 55 04 03 13 0b 4e 69 6e 74 65 6e 64 6f 20 ..U....N intendo
0390 43 41 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 CA1"0 .. *.H.....
03a0 01 16 13 63 61 40 6e 6f 61 2e 6e 69 6e 74 65 6e ...ca@no a.ninten
03b0 64 6f 2e 63 6f 6d 82 01 00 30 0d 06 09 2a 86 48 do.com.. .0...*.H
03c0 86 f7 0d 01 01 05 05 00 03 81 81 00 95 2a d5 3a ........ .....*.:
03d0 d6 2d 39 34 79 d4 3b 89 c6 44 e4 3d a4 7c fe 66 .-94y.;. .D.=.|.f
03e0 4a ff d5 a4 3a e2 7e a0 7f bd da 8a 5c 5c 10 84 J...:.~. ....\\..
03f0 91 0e f3 2f 6d 11 e1 40 d0 0f 38 79 ed 4c 22 71 .../m..@ ..8y.L"q
0400 77 39 45 c6 d7 6f a7 47 1c f6 89 12 ee f9 80 20 w9E..o.G .......
0410 f0 0f 3d 20 6a 7f 21 d8 ca 1e d0 71 32 12 8a 9d ..= j.!. ...q2...
0420 52 0d ea e5 35 83 cf 1b 7b 11 bd 92 90 f4 3a 8f R...5... {.....:.
0430 4a b8 22 3c 42 b8 50 2a af ef 5a f8 1b d0 97 a7 J."<B.P* ..Z.....
0440 a5 87 5e 4d ad 9e 88 5d 77 74 ea e3 16 03 00 00 ..^M...] wt......
0450 04 0e 00 00 00 .....


A few packets after that, I noticed a "Client Key Exchange" from my DS to nas.nintendowifi.net:


0030 0b 68 5f 28 00 00 16 03 00 00 84 10 00 00 80 66 .h_(.... .......f
0040 00 3d 4f e0 c7 37 40 9d 82 88 c5 f6 ea 4b fe dc .=O..7@. .....K..
0050 08 45 71 b7 75 88 5a 52 b0 94 2e 81 16 a2 96 d8 .Eq.u.ZR ........
0060 ec 36 a0 b4 2d 4a e2 86 00 da 80 c8 8c 38 2c 0f .6..-J.. .....8,.
0070 59 82 f5 d8 61 47 4e 16 bb 04 0f 49 b3 a2 d5 fc Y...aGN. ...I....
0080 0a 32 bf 86 23 8f 11 0d 43 52 b2 b7 f0 4a 5b 51 .2..#... CR...J[Q
0090 3a 21 90 ca 36 11 24 30 1f d6 92 83 5f f5 50 db :!..6.$0 ...._.P.
00a0 82 83 70 2d d9 1f 65 85 8f f6 2c 4d 04 c4 d7 d0 ..p-..e. ..,M....
00b0 7c 0e 31 4b 45 2d be 82 6a c1 64 25 5e 68 85 |.1KE-.. j.d%^h.

After that, I noticed a few SSL 3.0 encrypted handshake messages, and then a 493-byte-long payload from my DS to nas.nintendowifi.net. After that, nas.nintendowifi.net sends a 443-byte-long payload to my DS. I won't bother showing either of these packets, since both are SSL 3.0 encrypted and just look like a bunch of garbage.

A few more encrypted packets later, my DS makes a standard DNS query for gpcm.gs.nintendowifi.net, and the IP address is resolved to 69.10.30.242 (that is GameFreak's server that contains the Mystery Gift). After resolving that IP, my DS communicates with the server on TCP port 29900, and sends a bunch of data, including this:

\status\1\sesskey\45699032\statstring\/SCM/1/SCN/0/VER/90/LCK/0\locstring\\final\\updatepro\\sesskey\45699032\firstname\NDS:0000000000000000\aim\1o09auoa9\zipcode\IRAO\partnerid\11\final\

After that, several more packets are sent and received, until my DS finally receives 4 data payloads of 500+ bytes each (encrypted, of course) from 210.147.8.145. One of these payloads contains the Mystery Gift. After receiving the Mystery Gift, my DS logs out of the server by sending these 32 bytes of data:

\logout\\sesskey\45699032\final\

I have attached the pcap packet capture for those of you who are further interested.
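
As an added example, not part of Kyohack's post: a small Python reader for the SSL 3.0 record layer that confirms what the Server Hello dump above shows, namely the protocol version and the cipher suite (0x0004) the server picked. The input bytes are transcribed from that dump with the Certificate record left out; the cipher suite names are the ones from the SSL 3.0 specification, and the function names are mine.

```python
import struct

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange"}
CIPHER_SUITES = {0x0004: "SSL_RSA_WITH_RC4_128_MD5", 0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}  # SSL 3.0 spec ids

# Transcribed from the Server Hello dump above: the ServerHello record (offsets 0x36-0x84) and the
# ServerHelloDone record (0x44c-0x454). The 967-byte Certificate record between them is omitted.
SERVER_FLIGHT = bytes.fromhex(
    "160300004a" "02000046" "0300"                     # record hdr, handshake hdr, version 3.0
    "06ee36e644bd0b0f4e9071a35a7c0f7d1eceb54fd6063a7549ec374e3be65509"  # 32-byte server random
    "20" "7f6c1375dc5d703cc43395d3af0272d5f05d179b68a03e8728fe609d3e7aaf34"  # session id length + id
    "0004" "00"                                        # cipher suite, null compression
    "1603000004" "0e000000")                           # ServerHelloDone record

def parse_handshake_records(data: bytes) -> list:
    """One dict per handshake message; a record or message whose declared length runs past the data raises."""
    messages, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError(f"truncated record header at offset {pos:#x}")
        ctype, major, minor, rlen = struct.unpack(">BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        if len(body) != rlen:
            raise ValueError(f"record at {pos:#x} declares {rlen} bytes, {len(body)} present")
        version = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
        if ctype == 0x16:                              # handshake content type
            messages.extend(parse_handshake_body(body, version))
        else:                                          # alert, change_cipher_spec, application_data
            messages.append({"type": f"record type {ctype}", "version": version, "length": rlen})
        pos += 5 + rlen
    return messages

def parse_handshake_body(body: bytes, version: str) -> list:
    messages, p = [], 0
    while p < len(body):
        htype, hlen = body[p], int.from_bytes(body[p + 1:p + 4], "big")
        payload = body[p + 4:p + 4 + hlen]
        if len(payload) != hlen:
            raise ValueError(f"handshake message type {htype} truncated")
        msg = {"type": HANDSHAKE_TYPES.get(htype, f"type {htype}"), "version": version, "length": hlen}
        if htype == 2:  # ServerHello: version(2) random(32) sid_len(1) sid cipher(2) compression(1)
            sid_len = payload[34]
            (suite,) = struct.unpack(">H", payload[35 + sid_len:37 + sid_len])
            msg.update(server_version=VERSIONS.get((payload[0], payload[1])), session_id_len=sid_len,
                       cipher_suite=CIPHER_SUITES.get(suite, f"{suite:#06x}"))
        messages.append(msg)
        p += 4 + hlen
    return messages
```

The same function reads the Client Key Exchange record in the second dump (content type 0x16, handshake type 0x10, declared length 0x84), whose 128-byte body is the RSA-encrypted premaster secret, matching the 1024-bit modulus visible in the certificate. Feeding it only the first bytes of the Certificate record makes it raise, which is the expected result for a cut excerpt.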

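As an added example, not part of the original post: a parser and encoder for the backslash-delimited messages quoted above on TCP port 29900, assuming (inferred from the two captured strings, not from any published specification) that a message is a run of \key\value pairs opened by the command name and closed by \final\. The sample strings are the ones in the post; the function and variable names are mine.

```python
# Assumed wire format (inferred from the two captured strings): a message is a run of
# \key\value pairs, the first key names the command, an empty value is written as two
# adjacent backslashes, and \final\ terminates the message.
BS = "\\"

# Constructed sample: the status and updatepro messages quoted in the post, back to back
# as they would arrive on the TCP 29900 stream, and the 32-byte logout message.
STATUS_AND_UPDATEPRO = (
    r"\status\1\sesskey\45699032\statstring\/SCM/1/SCN/0/VER/90/LCK/0\locstring\\final" + BS
    + r"\updatepro\\sesskey\45699032\firstname\NDS:0000000000000000\aim\1o09auoa9"
    + r"\zipcode\IRAO\partnerid\11\final" + BS)
LOGOUT = r"\logout\\sesskey\45699032\final" + BS

def parse_messages(stream: str) -> list:
    """Split a stream into messages, each an insertion-ordered dict whose first key is
    the command. Raises ValueError on input that is malformed or not terminated."""
    if not stream.startswith(BS):
        raise ValueError("message must start with a backslash")
    tokens = stream.split(BS)[1:]            # drop the empty token before the leading '\'
    if len(tokens) % 2:                      # the token after \final\ is always present: "" or next key
        raise ValueError("odd token count: unpaired key or unterminated message")
    messages, current = [], {}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key == "final":                   # terminator; its 'value' is the empty run-on token
            messages.append(current)
            current = {}
        else:
            current[key] = value
    if current:
        raise ValueError("stream ends without \\final\\ after keys: " + ", ".join(current))
    return messages

def encode_message(fields: dict) -> str:
    """Inverse of parse_messages for one message. Values cannot contain a backslash in
    this format, so refuse them rather than emit a string that parses differently."""
    if any(BS in k or BS in v for k, v in fields.items()):
        raise ValueError("keys and values cannot contain a backslash")
    return "".join(f"{BS}{k}{BS}{v}" for k, v in fields.items()) + f"{BS}final{BS}"

def session_keys(stream: str) -> list:
    """The sesskey each message carries, in order; it is the only field tying the later
    logout to the session, and it appears as plaintext in the capture."""
    return [m.get("sesskey") for m in parse_messages(stream)]
```
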
bonzersass
02-10-2013, 03:40 PM
Fail dude, zip file is empty *** **** sdnjhisobdhds


Kyohack
02-22-2013, 08:14 AM
Could you try again, please? The .zip file appears to be working now.