Mario Kart Wii

General info

Domains looked up:

Packet captures


SSL Dumps

Capture SSL dumps originated from

Connection #1: to naswii.nintendowifi.net

Send:

POST /ac HTTP/1.1
Host: naswii.nintendowifi.net
User-Agent: RVL SDK/1.0
Host: naswii.nintendowifi.net
HTTP_X_GAMECD: RMCE
Content-Type: application/x-www-form-urlencoded
Content-Length: 307

action=bG9naW4*&gsbrcd=Uk1DSjJsZW9obmk*&userid=MTc4NjY3MzgyNzQ5OA**&ingamesn=AG4AbwAgAG4AYQBtAGU*&sdkver=MDAxMDAw&gamecd=Uk1DRQ**&makercd=MDE*&unitcd=MQ**&macadr=MDAxN2FiMjkyM2Jl&lang=MDE*&devtime=MTQwMjI4MTYwNDI1&csnum=TFU1OTE2MDM1OTg*&cfc=NzYxNTIxMzU1NDYyNzE4Mg**&region=MDE*

The original dump has %2A in place of each *; these have been replaced here for clarity.

Receive:

HTTP/1.1 200 OK
NODE: wifiappw1
Content-Type: text/plain
Content-Length: 287
Date: Fri, 28 Feb 2014 21:04:51 GMT
Server: Nintendo Wii (http)

challenge=Njg3VEYwRUc*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTd1VHMjNSMXI0cER0cFExTXVhZHVoWTVmQUtCaVVKb2lKS3pSSG1mVDBoNEIvUzFjU1A3Yk5kenZFbG9Bdm5kcHM2MERxam1vcThtQVRFd3FsOUZYNVRhUEF4WFlWcVdyMWVVQ09wNjlwK01hdkFGekN6QkxINC9mT2s1Tk5HQXQ*&datetime=MjAxNDAyMjgyMTA0NTI*

All values in the POST data are base64 encoded, with * used as the padding character instead of =; this applies even to the text data. I have a sneaking suspicion that the token from the response is double-base64 encoded.
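The encoding described above can be undone with a short decoder. This is an added example, not code from the original page or from the game; the function names are hypothetical, and it assumes the standard base64 alphabet apart from the padding character, with `ingamesn` read as UTF-16BE because that is what its bytes look like in this capture.

```python
import base64
from urllib.parse import unquote

# Request body copied from the capture on this page (Connection #1, Send).
REQUEST_BODY = "action=bG9naW4*&gsbrcd=Uk1DSjJsZW9obmk*&userid=MTc4NjY3MzgyNzQ5OA**&ingamesn=AG4AbwAgAG4AYQBtAGU*&sdkver=MDAxMDAw&gamecd=Uk1DRQ**&makercd=MDE*&unitcd=MQ**&macadr=MDAxN2FiMjkyM2Jl&lang=MDE*&devtime=MTQwMjI4MTYwNDI1&csnum=TFU1OTE2MDM1OTg*&cfc=NzYxNTIxMzU1NDYyNzE4Mg**&region=MDE*"

# Non-token fields of the response body from the same capture (Receive).
RESPONSE_BODY = "challenge=Njg3VEYwRUc*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&datetime=MjAxNDAyMjgyMTA0NTI*"


def nas_b64decode(value: str) -> bytes:
    """Decode one field: undo %2A, map '*' padding back to '=', base64-decode."""
    # unquote, not unquote_plus: '+' is a base64 character here, not a space.
    # Assumption: standard base64 alphabet apart from the padding character.
    padded = unquote(value).replace("*", "=")
    return base64.b64decode(padded, validate=True)  # raises on stray characters


def decode_form(body: str) -> dict:
    """Split a key=value&key=value body and decode every value to raw bytes."""
    fields = {}
    for pair in body.strip().split("&"):
        key, _, value = pair.partition("=")
        fields[key] = nas_b64decode(value)
    return fields


def as_text(key: str, raw: bytes) -> str:
    """Render decoded bytes as text for display."""
    # Observation from this capture, not a documented rule: ingamesn decodes
    # to UTF-16BE bytes, the other fields to ASCII.
    return raw.decode("utf-16-be" if key == "ingamesn" else "ascii")


if __name__ == "__main__":
    for label, body in (("request", REQUEST_BODY), ("response", RESPONSE_BODY)):
        for key, raw in decode_form(body).items():
            print(f"{label:8} {key:9} {as_text(key, raw)!r}")
```

The same `nas_b64decode` call works on the `token` value from the response if you want to inspect its decoded bytes.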

Connection #2: to mariokartwii.sake.gs.nintendowifi.net

Send:

POST /SakeStorageServer/StorageServer.asmx HTTP/1.1
Host: mariokartwii.sake.gs.nintendowifi.net:443
User-Agent: GameSpyHTTP/1.0
Connection: close
Content-Length: 647
Content-Type: text/xml
SOAPAction: "http://gamespy.net/sake/GetMyRecords"

<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://gamespy.net/sake"><SOAP-ENV:Body><ns1:GetMyRecords><ns1:gameid>1687</ns1:gameid><ns1:secretKey>9r3Rmy</ns1:secretKey><ns1:loginTicket>Adt8e9QzSIASvVhDY4TOgx__</ns1:loginTicket><ns1:tableid>FriendInfo</ns1:tableid><ns1:fields><ns1:string>info</ns1:string><ns1:string>recordid</ns1:string></ns1:fields></ns1:GetMyRecords></SOAP-ENV:Body></SOAP-ENV:Envelope>

Receive:

HTTP/1.1 200 OK
Date: Fri, 28 Feb 2014 21:05:02 GMT
Server: Microsoft-IIS/6.0
p3p:CP='NOI ADMa OUR STP'
X-Powered-By:ASP.NET
cluster-server:gstprdweb06
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 381

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetMyRecordsResponse xmlns="http://gamespy.net/sake"><GetMyRecordsResult>Success</GetMyRecordsResult><values /></GetMyRecordsResponse></soap:Body></soap:Envelope>
