Neopets Mobile: Difference between revisions
(Add information relating to credentials) |
(Add more number buffer contents) |
||
Line 105: | Line 105: | ||
The application emits the following request tags: |
The application emits the following request tags: |
||
* 33022 |
* 33022 |
||
* 40961 |
* 40961 (login) |
||
* 40963 |
* 40963 |
||
* 40965 |
* 40965 (login + ?) |
||
* 40967 (create pet + create account) |
|||
* 40967 |
|||
* 40968 |
* 40968 (create pet) |
||
* 40969 |
* 40969 |
||
* 40971 |
* 40971 |
||
Line 121: | Line 121: | ||
* 40974 |
* 40974 |
||
== |
== Requests == |
||
=== Logging in === |
=== Logging in (40961, 40965) === |
||
With username "adadad" and password "gjgjgj", in Python 3 bytes notation: |
With username "adadad" and password "gjgjgj", in Python 3 bytes notation: |
||
Line 137: | Line 137: | ||
* pointer to extraneous information string; seemingly usually a zero-length string |
* pointer to extraneous information string; seemingly usually a zero-length string |
||
I don't know how 40965 semantically differs from the first one. |
|||
=== Signing up === |
|||
=== Creating a pet and signing up (40967, 40968) === |
|||
With username "adadad", password "gjgjgj", male green Kacheek, name "cccccc", birthday 1999-12-31, health 6, strength weak, defense very poor, movement slow, height 36 cms, weight 26 lbs, in Python 3 bytes notation: |
With username "adadad", password "gjgjgj", male green Kacheek, name "cccccc", birthday 1999-12-31, health 6, strength weak, defense very poor, movement slow, height 36 cms, weight 26 lbs, in Python 3 bytes notation: |
||
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x07\x00\x00\x04\xd0\x00:\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00(\x004\x00:\x00>\x00B\x00J\x00S\x00Z\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00$\x00\x00\x00\x1a\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x06cccccc\x00\n1999-12-31\x00\x04Male\x00\x02en\x00\x02EN\x00\x06adadad\x00\x07Kacheek\x00\x05GREEN\x00\x04Male\x00\xff' |
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x07\x00\x00\x04\xd0\x00:\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00(\x004\x00:\x00>\x00B\x00J\x00S\x00Z\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00$\x00\x00\x00\x1a\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x06cccccc\x00\n1999-12-31\x00\x04Male\x00\x02en\x00\x02EN\x00\x06adadad\x00\x07Kacheek\x00\x05GREEN\x00\x04Male\x00\xff' |
||
Number buffer contents: |
|||
* pointer to encoding string |
|||
* constant int 0x64, doesn't mean anything |
|||
* constant int 0x64, doesn't mean anything |
|||
* pointer to username string |
|||
* pointer to password string |
|||
* pointer to extraneous information string; seemingly usually a zero-length string |
|||
* if 40967, pointer to date of birth string (YYYY-MM-DD) |
|||
* if 40967, pointer to gender string (Male, Female) |
|||
* if 40967, pointer to lowercase language string (en) |
|||
* if 40967, pointer to uppercase language string (EN) |
|||
* if 40967, pointer to username string again |
|||
* pointer to species string (Kacheek, Kougra, Shoyru, Lutari) |
|||
* pointer to colour string (GREEN, RED, YELLOW, BLUE) |
|||
* pointer to gender string again |
|||
* int ? |
|||
* int ? |
|||
* int ? |
|||
* int ? |
|||
* int ? |
|||
* int ? |
|||
[[Category:Neopets]] |
[[Category:Neopets]] |
Revision as of 11:56, 21 May 2023
Neopets Mobile does not refer to the 2021 interface of the website, but the 2006 flip phone application that has long been discontinued.
Archival
https://www.jellyneo.net/?go=mobile
https://pinkpt.com//neodex/index.php?title=Neopets_Mobile
https://drive.google.com/file/d/1Cj8hqk4VI-O408kgMnKpffPmI-kxKmWR/view
Attempts to reverse engineer the long-defunct API
TODO (The jars are all minified, but perhaps I can extract the API URLs from them and document what the application expects to get back)
The META-INF/MANIFEST.MF for the Nokia 6280 version specifies a Java version of 1.4.2_04.
The decompiler used is quiltflower: https://github.com/QuiltMC/quiltflower and the javax.microedition classes were copied from https://github.com/mcpat/java-microedition-libraries
Nokia 6280 V02.30.00 (en) Singtel
m.java
contains two calls:
- http://npprod-singtel.in-fusio.com/data-np/
- http://npprod-singtel.in-fusio.com/singtel/check?session= followed by RecordStore.openRecordStore("data-i", true).getRecord(1) as a String if not null, else ""
The session check appears to return one of the following values, with anything else as a failure code of -1:
Response | Treated as ID |
---|---|
SUBSCRIBED | 1 |
UNSUBSCRIBED | 2 |
REVOKED | 3 |
SECURITY | 5 |
Nokia 6111
m.java
contains one call:
Getting sample network requests
- Install Kahvibreak
- Edit
/path/to/Kahvibreak/Software/win32/KLaunch.bat
- Change
echo NetworkNotAvailable=true>>property.txt
toecho NetworkNotAvailable=false>>property.txt
- Edit
/etc/hosts
- Add
127.0.0.1 npprod-singtel.in-fusio.com
- Add
127.0.0.1 npprod.in-fusio.com
- Run something on port 80 that listens to
/data-np/
- Launch Neopets Mobile from Kahvibreak
- Try to login
Reverse engineering the format
I've been renaming symbols in the decompiled source code to slowly figure out what the application is looking for as a response.
The response seems to use the same data structure as the request: a form-encoded set of key-value pairs, then a newline, then some sort of binary data structure.
Numbers are big-endian. Strings are delayed until the end of the structure. However, a reference to a string may appear in the number buffer as a short representing the offset in the string buffer to the start of the string. The start of the string is a short representing the length of the string, followed by the text of the string itself. Note that the first item in the number buffer will always be a pointer to the encoding information string in the string buffer, which itself is the first item of the string buffer.
The game ID is hardcoded to 11061 and the center is hardcoded to 61.
After the form data and newline, the structured data looks like this:
Offset | Type | Meaning |
---|---|---|
0 | short | Tag |
2 | int | Length-derived value: 8 * (2 + n + m) |
6 | short | number buffer len + 2 (n) |
8 | bytes | number buffer |
n + 8 | bytes | string buffer |
m | byte | 0xFF, end of structured data |
For example, the login attempt above can be broken into the following parts:
{'client': 'NEOPETS/2.8', 'game': '11061', 'center': '61', 'language': 'en'} Tag: 40961 (a001) Number buffer: b'\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 ' String buffer: b'\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00'
Note that if tag == 0x8000 or 0x8064, a different format is followed:
Offset | Type | Meaning |
---|---|---|
0 | short | Tag |
2 | int | (len(message) + 1) * 8 |
6 | byte | 0x00, start of message |
7 | string | error message to display in console |
The application emits the following request tags:
- 33022
- 40961 (login)
- 40963
- 40965 (login + ?)
- 40967 (create pet + create account)
- 40968 (create pet)
- 40969
- 40971
- 40973
The application handles the following response tags:
- 40960
- 40962
- 40966
- 40970
- 40974
Requests
Logging in (40961, 40965)
With username "adadad" and password "gjgjgj", in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x01\x00\x00\x01\xa0\x00\x12\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00\xff'
Number buffer contents:
- pointer to encoding string
- constant int 0x64, doesn't mean anything
- constant int 0x64, doesn't mean anything
- pointer to username string
- pointer to password string
- pointer to extraneous information string; seemingly usually a zero-length string
I don't know how 40965 semantically differs from the first one.
Creating a pet and signing up (40967, 40968)
With username "adadad", password "gjgjgj", male green Kacheek, name "cccccc", birthday 1999-12-31, health 6, strength weak, defense very poor, movement slow, height 36 cms, weight 26 lbs, in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x07\x00\x00\x04\xd0\x00:\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00(\x004\x00:\x00>\x00B\x00J\x00S\x00Z\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00$\x00\x00\x00\x1a\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x06cccccc\x00\n1999-12-31\x00\x04Male\x00\x02en\x00\x02EN\x00\x06adadad\x00\x07Kacheek\x00\x05GREEN\x00\x04Male\x00\xff'
Number buffer contents:
- pointer to encoding string
- constant int 0x64, doesn't mean anything
- constant int 0x64, doesn't mean anything
- pointer to username string
- pointer to password string
- pointer to extraneous information string; seemingly usually a zero-length string
- if 40967, pointer to date of birth string (YYYY-MM-DD)
- if 40967, pointer to gender string (Male, Female)
- if 40967, pointer to lowercase language string (en)
- if 40967, pointer to uppercase language string (EN)
- if 40967, pointer to username string again
- pointer to species string (Kacheek, Kougra, Shoyru, Lutari)
- pointer to colour string (GREEN, RED, YELLOW, BLUE)
- pointer to gender string again
- int ?
- int ?
- int ?
- int ?
- int ?
- int ?