smtddr's notes

[Things I find interesting]

Punishing rage quitters in Tatsunoko-vs-Capcom [Part 2]

Okay, so after great research I finally had to give in to the homebrew scene to make any progress.

Hackers out there found an exploit in how Smash Bros. Brawl, for the Wii, loads custom stages that can be used to run arbitrary code on the Wii. I used that exploit to run the homebrew “Riivolution”. This program allows you to patch any files or memory offsets in real time on a retail game. I used it to patch memory in-game, disabling SSL usage in the communication the game uses to talk to naswii.nintendowifi.net. Once that was done, capturing it in Wireshark/ngrep was trivial. So, back to the network capture from my previous post:

Server: \lc\1\challenge\LWCSCQRQPX\id\1\final\

Wii: \auth\\gamename\tatvscapwii\response\922bf66e07507810b3b7584fb07336b5\port\id\1\final\

Server: \lc\2\sesskey\827445045\proof\id\1\final\

Wii: \authp\\authtoken\NDS4O9DnVeYc3SovbdoE6tcBVD8W7ZF52ZCjuWcYcv/sAcj
+b3Liu4tHAW0RSwZKd9cOqZ7MNc7UrV6fC4j69IFjZA+FtZxhCP5mvydwkXYQ8fpnJX
kCtKqTwDPicMFm7u2\resp\6d6fed1a4c8325f7085f83c9c2e1f17d\lid\final\

Server: \pauthr\249190728\lid\final\

Wii: \setpd\\pid\249190728\ptype\3\dindex\kv\1\lid\length\217\data\\record\
KdEh8LCzyfXX3avwYGI7Hsm_q4P+45FRFONgDJp3phZ2X4czTlsu4cc07Q95Cv3zXHz63
XJHuay10auZK0UXcPlvY+_81gIe4sSG_04aZm4rMeVRdbbo31UszxtcBrV9AJxsd+diGv
cjLy5qM71TpSaIyxLxJghrXp2+dLkucWWH3IaK0ZJFu3n_Ouve5UmyiD88PU6LNMagkD
Aq\final\

As I suspected, the PokemonGTS hackers don’t know about this yet… but the token response from the naswii server is indeed used as the authtoken value in the authp command. Since this is calculated at a remote server, I don’t even want to try reversing it anymore. It could literally be random like a session ID and have no meaning whatsoever other than as a unique entry in a database somewhere corresponding to my userid. Shockingly different from the Pokemon game, however, is that there is no password used. Just my userid; a unique number that appears not to be used anywhere else in the game. I can even change this number and I still get a valid token returned from the server… hmm. From asking Luigi-A about the resp value in authp, he said it might just be my userid used as a password. I tried it; the MD5 hashes don’t match. This resp hash is now my last hurdle to being able to delete other people’s stats.
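As an added example (not code from the original post), a small Python parser for the backslash-delimited messages in the capture above, run over that exchange to show which values tie the messages together (challenge, sesskey, profile id) and that no password field accompanies them; the TOKEN and RECORD blobs are constructed placeholders, not the captured values.

```python
def parse_gs_message(raw):
    """Parse one '\\key\\value\\...\\final\\' message into a dict.
    From the capture: fields alternate key, value; an empty value is two
    consecutive backslashes ('\\auth\\\\gamename'); the bare key 'final' ends
    the message. A key whose value was omitted outright shifts every later
    field by one, so nothing is guessed for it; only a key sitting directly
    before 'final' gets the empty string. Wrapped lines are joined first.
    """
    text = raw.replace("\r", "").replace("\n", "")
    if not (text.startswith("\\") and text.endswith("\\")):
        raise ValueError("message must start and end with a backslash")
    tokens = text[1:-1].split("\\")
    if tokens[-1] != "final":
        raise ValueError("incomplete message: no trailing \\final\\")
    tokens.pop()                      # drop the terminator
    if len(tokens) % 2:
        tokens.append("")             # e.g. '\\lid\\final\\': lid has no value
    return dict(zip(tokens[0::2], tokens[1::2]))

def session_summary(capture):
    """Walk the exchange in order and report the values that tie the messages
    together (challenge, sesskey, profile id) and whether the Wii ever sends
    a password-like field alongside them."""
    challenge = sesskey = pid = None
    pid_reused = password_seen = False
    for sender, raw in capture:
        f = parse_gs_message(raw)
        challenge = f.get("challenge", challenge)
        sesskey = f.get("sesskey", sesskey)
        pid = f.get("pauthr", pid)    # server-assigned profile id
        if sender == "Wii":
            pid_reused |= pid is not None and f.get("pid") == pid
            password_seen |= any(k in f for k in ("password", "passwd", "pass"))
    return {"challenge": challenge, "sesskey": sesskey, "pid": pid,
            "pid_reused": pid_reused, "password_seen": password_seen}

# The exchange from the capture. Wire-format backslashes are doubled for
# Python; TOKEN and RECORD are constructed stand-ins for the wrapped base64
# blobs (line breaks kept to mimic the capture), not the captured values.
TOKEN = "AUTHTOKEN_PLACEHOLDER_LINE1\nAUTHTOKEN_PLACEHOLDER_LINE2"
RECORD = "RECORD_PLACEHOLDER_LINE1\nRECORD_PLACEHOLDER_LINE2"
CAPTURE = [
    ("Server", "\\lc\\1\\challenge\\LWCSCQRQPX\\id\\1\\final\\"),
    ("Wii", "\\auth\\\\gamename\\tatvscapwii\\response\\922bf66e07507810b3b7584fb07336b5\\port\\id\\1\\final\\"),
    ("Server", "\\lc\\2\\sesskey\\827445045\\proof\\id\\1\\final\\"),
    ("Wii", "\\authp\\\\authtoken\\" + TOKEN + "\\resp\\6d6fed1a4c8325f7085f83c9c2e1f17d\\lid\\final\\"),
    ("Server", "\\pauthr\\249190728\\lid\\final\\"),
    ("Wii", "\\setpd\\\\pid\\249190728\\ptype\\3\\dindex\\kv\\1\\lid\\data\\\\record\\" + RECORD + "\\final\\"),
]
```

Note how a key with no value at all (e.g. `\port\id\1\`) silently shifts the pairing, which is why the double backslash for an empty value matters when reading these captures.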

  • I can see the profileIDs of all currently online players as well as leaderboards
  • I can inject \getprofileid\ into the gamespy login communication to get all the details needed to login to naswii (assuming userid might be a constant for this game because no password seems to go with it), like “aim” string and Wii serial number

The only thing I can’t seem to produce is a valid resp hash.

However, I’m still doing tests.

If the calculation of the authp’s resp hash is a constant, like it is for that challenge-response hash, then I may just leave the Wii to do it. I’d capture the network communication in real-time and only replace the authtoken with one I generated from a manual naswii login designed to give me a token for a different player.

So far, doing this gives me \pauthr-2\err\Validation Invalid\final\ …or something similar to that. It could mean the authtoken I generated was invalid, or the resp hash and authtoken have some kind of common source input that is considered.

…or it could mean I just did it wrong… more tests coming up.