smtddr's notes

[Things I find interesting]

Tatsunoko vs Capcom - CHECKMATE#2 InGame Battle Points hacked

It’s done now...


Well, before this my efforts only had an effect on the ranking board. I was able to set myself to any Name, Rank and BattlePoints, as well as remove anyone else from the board. Those changes were temporary: as soon as I, or the other people on the board, played one ranked game, the chart was updated correctly again. The one exception was that I could put someone on the board with a non-standard PID that nobody would ever be playing with (a.k.a. a number less than 8 digits); nobody could remove that entry through normal gameplay.

The hack I have found now is not just the ranking board; it's my real score. I really have the points, gain or lose them slowly over battles, and the in-game ranking and the ranking charts update to reflect it.

Unfortunately, I cannot post the code, since it would cause havoc not only on this game but on any game running this version of GameSpy's online software. I'm not interested in causing Nintendo that much of a problem; they were a major part of my childhood. I will just say that A.Luigi realized that the network traffic which appears encrypted, but always ends with “\final\” in plain text, isn't hard to decrypt. Read his website; buried in all the stuff he talks about is the solution to that encrypted-looking traffic.

\setpd\\pid\249190728\ptype\3\dindex\kv\1\lid\length\217\data\\record\KdEh8LCzyfXX3avwYGI7Hsm_q4P+45FRFONgDJp3phZ2X4czTlsu4cc07Q95Cv3zXHz63XJHuay10auZK0UXcPlvY+_81gIe4sSG_04aZm4rMeVRdbbo31UszxtcBrV9AJxsd+diGvcjLy5qM71TpSaIyxLxJghrXp2+dLkucWWH3IaK0ZJFu3n_Ouve5UmyiD88PU6LNMagkDAq\final\

The record string above sets you to 200 BattlePoints.

If I make any change to a valid record string, everything for my PID gets reset to zero: wins, losses, draws, BattlePoints, etc. So I can't yet set my BattlePoints to an arbitrary value, because I don't understand how the “record” string is calculated. The fact that the record string always has the correct padding for URL-safe base64 decoding makes me think that decoding it is the first step in reverse-engineering it. (Note that the sample above uses both '+' and '_' as its non-alphanumeric characters, which is neither the standard nor the URL-safe base64 alphabet exactly, so a decoder has to be told which two symbols stand for values 62 and 63.) What I can do is change it to any record string I already know is valid.

Using the GameSpy command \getpd\ on any known PID, the server returns the record string for that PID; TVC itself sends this command for the PIDs of everyone on your friends/rivals list when you first go online. Because of my earlier ranking-chart hack, I can see the PID of everyone on the chart. BIG BOSS is #1 on the Best ranking chart with 26,112 BattlePoints. I used \getpd\ on his PID, and Nintendo's servers replied with \getpdr\ containing his current record: the string representing every attribute applied to him, i.e. number of wins, losses, draws, BattlePoints, etc., everything you see on the main Wifi-record screen for your nick.

I took his record string and applied it to mine. Since I don't know how to log in to the server myself, I can only intercept the network traffic and wait until the end of a match, when the Wii sends the \setpd\ command to update my BattlePoints. At that moment I replace the record string the Wii would have sent with the one I got from BIG BOSS. Oddly enough, this update happens even in free battle. So now I can set myself to 26,112 BattlePoints any time I want using the record string obtained from BIG BOSS, and unlike the ranking-board hack, these points are real. I'll have to lose a lot of matches to reduce them back to what they were before.

I've since set all this code up on an Ubuntu system that also runs bind9 DNS, and used it to help one person recover the BattlePoints they lost when they changed their name. It works by having them set their Wii's primary DNS to my server, so that I control the answers to its DNS queries. I can then tell the Wii that my system's IP is that of one or more of the Nintendo servers. Python code on my system listens on the needed ports and acts as a proxy, simply relaying traffic between the Wii and the real Nintendo server. That lets me search the bytes of the network traffic for any string I find interesting and modify it before forwarding, whenever I see fit.

By changing the word “record” into any other 6-byte string I can prevent the BattlePoint change altogether (keeping the replacement the same length means the message's \length\ value still matches the data actually sent). Right now, for anyone connected to my server, the word “record” gets changed to “nosave”. This way they can play in Ranked battle mode without losing (or gaining) points.
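As an added illustration of the two manipulations described above (swapping a record string obtained from a \getpdr\ into an outgoing \setpd\, and renaming “record” to “nosave” in the relay), here is example code written for this page; it is not smtddr's proxy code, which he does not publish. It works on the decrypted form of the messages, since the page deliberately leaves out the decryption step, and the host and port in it are placeholders. Two things in it are assumptions rather than facts from the page: that \length\ counts the data payload plus one terminating byte (inferred from the page's own sample, where 8 + 208 + 1 = 217), and that '+' and '_' stand for base64 values 62 and 63.

```python
"""Added example, not smtddr's code: handling of decrypted GameSpy
\\key\\value\\...\\final\\ messages as described on the page. The decryption
step is deliberately withheld there and is not reproduced here."""
import asyncio
import base64
import re

FINAL = b"\\final\\"
RECORD_KEY = b"\\record\\"

# Constructed sample: the \setpd\ message quoted on the page (200 BattlePoints),
# split into its record string and the surrounding message.
RECORD_200BP = (
    b"KdEh8LCzyfXX3avwYGI7Hsm_q4P+45FRFONgDJp3phZ2X4czTlsu4cc07Q95Cv3zXHz63X"
    b"JHuay10auZK0UXcPlvY+_81gIe4sSG_04aZm4rMeVRdbbo31UszxtcBrV9AJxsd+diGvcj"
    b"Ly5qM71TpSaIyxLxJghrXp2+dLkucWWH3IaK0ZJFu3n_Ouve5UmyiD88PU6LNMagkDAq"
)
SAMPLE_SETPD = (
    b"\\setpd\\\\pid\\249190728\\ptype\\3\\dindex\\kv\\1\\lid\\length\\217\\data\\"
    + RECORD_KEY + RECORD_200BP + FINAL
)


def split_messages(buf: bytes):
    """Cut complete messages out of a stream buffer; return (messages, leftover).
    \\final\\ travels in the clear even when the rest is encrypted, so it is
    the one delimiter a relay can always rely on."""
    msgs = []
    while True:
        idx = buf.find(FINAL)
        if idx < 0:
            return msgs, buf
        end = idx + len(FINAL)
        msgs.append(buf[:end])
        buf = buf[end:]


def get_field(msg: bytes, key: bytes):
    """Value of \\key\\value\\ in msg, or None. A flat search is used because the
    \\data\\ value is itself a \\key\\value string (\\record\\...)."""
    m = re.search(rb"\\" + re.escape(key) + rb"\\([^\\]*)", msg)
    return m.group(1) if m else None


_RECORD_RE = re.compile(rb"^[A-Za-z0-9+_]*={0,2}$")


def decode_record(record: bytes) -> bytes:
    """Decode a record string to raw bytes (the page's proposed first step).
    Assumption: '+' and '_' are symbols 62 and 63, so '_' is mapped to '/' for
    the standard decoder. The layout of the decoded bytes is not known."""
    if not _RECORD_RE.match(record):
        raise ValueError("unexpected character in record string")
    if len(record) % 4:
        raise ValueError("record string length is not a multiple of 4")
    return base64.b64decode(record.replace(b"_", b"/"), validate=True)


def swap_record(msg: bytes, new_record: bytes) -> bytes:
    """Replace the record in a \\setpd\\ with one taken from a \\getpdr\\.
    Assumption (fits the page's sample: 8 + 208 + 1 = 217): \\length\\ is the
    length of the data payload '\\record\\' + record plus a terminating NUL."""
    old = get_field(msg, b"record")
    if old is None:
        raise ValueError("message carries no \\record\\ field")
    msg = msg.replace(RECORD_KEY + old, RECORD_KEY + new_record, 1)
    new_len = len(RECORD_KEY) + len(new_record) + 1
    return re.sub(rb"\\length\\\d+",
                  lambda _: b"\\length\\" + str(new_len).encode(), msg, count=1)


def neutralize_setpd(msg: bytes) -> bytes:
    """Rename \\record\\ to a 6-byte key the server does not know, so a ranked
    result is sent but never saved. Same length, so \\length\\ stays right."""
    if msg.startswith(b"\\setpd\\"):
        return msg.replace(RECORD_KEY, b"\\nosave\\", 1)
    return msg


async def _pump(reader, writer, filt):
    """Forward one direction, applying filt to each complete message."""
    buf = b""
    while True:
        chunk = await reader.read(4096)
        if not chunk:
            break
        buf += chunk
        msgs, buf = split_messages(buf)
        for m in msgs:
            writer.write(filt(m))
        await writer.drain()
    if buf:                        # tail without \final\ is passed through as-is
        writer.write(buf)
        await writer.drain()
    writer.close()


async def relay(listen_port, upstream_host, upstream_port,
                client_filter=neutralize_setpd, server_filter=lambda m: m):
    """TCP relay: the Wii (sent here by the DNS answer) connects to us, we connect
    to the real server, and every complete message passes a filter."""
    async def handle(cr, cw):
        sr, sw = await asyncio.open_connection(upstream_host, upstream_port)
        await asyncio.gather(_pump(cr, sw, client_filter), _pump(sr, cw, server_filter))
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    # Placeholders: the page names neither the server hosts nor the ports.
    asyncio.run(relay(29920, "gamestats.example.invalid", 29920))
```

The relay only cuts the stream at \final\, which the page says is sent in the clear; the filters themselves need each message in decrypted form, so in a real deployment they sit between the decryption and re-encryption steps that the page does not publish. `decode_record` on the page's sample yields 156 raw bytes, which is where the reverse-engineering the post talks about would start.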

So that’s it! -^_^-