Neopets Mobile: Difference between revisions
(→Logging in: Update example) |
(→Reverse engineering the format: Add error format) |
||
Line 100: | Line 100: | ||
Number buffer: b'\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 ' |
Number buffer: b'\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 ' |
||
String buffer: b'\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00' |
String buffer: b'\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00' |
||
Note that if tag == 0x8000 or 0x8064, a different format is followed: |
|||
{| class="wikitable" |
|||
! Offset !! Type !! Meaning |
|||
|- |
|||
| 0 || short || Tag |
|||
|- |
|||
| 2 || int || (len(message) + 1) * 8 |
|||
|- |
|||
| 6 || byte || 0x00, start of message |
|||
|- |
|||
| 7 || string || error message to display in console |
|||
|} |
|||
[[Category:Neopets]] |
[[Category:Neopets]] |
Revision as of 10:58, 21 May 2023
Neopets Mobile does not refer to the 2021 interface of the website, but the 2006 flip phone application that has long been discontinued.
Archival
https://www.jellyneo.net/?go=mobile
https://pinkpt.com//neodex/index.php?title=Neopets_Mobile
https://drive.google.com/file/d/1Cj8hqk4VI-O408kgMnKpffPmI-kxKmWR/view
Attempts to reverse engineer the long-defunct API
TODO (The jars are all minified, but perhaps I can extract the API URLs from them and document what the application expects to get back)
The META-INF/MANIFEST.MF for the Nokia 6280 version specifies a Java version of 1.4.2_04.
The decompiler used is quiltflower: https://github.com/QuiltMC/quiltflower and the javax.microedition classes were copied from https://github.com/mcpat/java-microedition-libraries
Nokia 6280 V02.30.00 (en) Singtel
m.java
contains two calls:
- http://npprod-singtel.in-fusio.com/data-np/
- http://npprod-singtel.in-fusio.com/singtel/check?session= followed by RecordStore.openRecordStore("data-i", true).getRecord(1) as a String if not null, else ""
The session check appears to return one of the following values, with anything else as a failure code of -1:
Response | Treated as ID |
---|---|
SUBSCRIBED | 1 |
UNSUBSCRIBED | 2 |
REVOKED | 3 |
SECURITY | 5 |
Nokia 6111
m.java
contains one call:
Getting sample network requests
- Install Kahvibreak
- Edit
/path/to/Kahvibreak/Software/win32/KLaunch.bat
- Change
echo NetworkNotAvailable=true>>property.txt
toecho NetworkNotAvailable=false>>property.txt
- Edit
/etc/hosts
- Add
127.0.0.1 npprod-singtel.in-fusio.com
- Add
127.0.0.1 npprod.in-fusio.com
- Run something on port 80 that listens to
/data-np/
- Launch Neopets Mobile from Kahvibreak
- Try to login
Logging in
With username "adadad" and password "gjgjgj", in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x01\x00\x00\x01\xa0\x00\x12\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00\xff'
Signing up
With username "adadad", password "gjgjgj", male green Kacheek, name "cccccc", birthday 1999-12-31, health 6, strength weak, defense very poor, movement slow, height 36 cms, weight 26 lbs, in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x07\x00\x00\x04\xd0\x00:\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00(\x004\x00:\x00>\x00B\x00J\x00S\x00Z\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00$\x00\x00\x00\x1a\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x06cccccc\x00\n1999-12-31\x00\x04Male\x00\x02en\x00\x02EN\x00\x06adadad\x00\x07Kacheek\x00\x05GREEN\x00\x04Male\x00\xff'
Reverse engineering the format
I've been renaming symbols in the decompiled source code to slowly figure out what the application is looking for as a response.
The response seems to use the same data structure as the request: a form-encoded set of key-value pairs, then a newline, then some sort of binary data structure.
Shorts seem to be big-endian. Strings seem to be delayed until the end of the structure.
The game ID is hardcoded to 11061 and the center is hardcoded to 61.
After the form data and newline, the structured data looks like this:
Offset | Type | Meaning |
---|---|---|
0 | short | Tag |
2 | int | Length-derived value: 8 * (2 + n + m) |
6 | short | number buffer len + 2 (n) |
8 | bytes | number buffer |
n + 8 | bytes | string buffer |
m | byte | 0xFF, end of structured data |
For example, the login attempt above can be broken into the following parts:
{'client': 'NEOPETS/2.8', 'game': '11061', 'center': '61', 'language': 'en'} Tag: 40961 (a001) Number buffer: b'\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 ' String buffer: b'\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00'
Note that if tag == 0x8000 or 0x8064, a different format is followed:
Offset | Type | Meaning |
---|---|---|
0 | short | Tag |
2 | int | (len(message) + 1) * 8 |
6 | byte | 0x00, start of message |
7 | string | error message to display in console |