Neopets Mobile: Difference between revisions

Neopets Mobile does not refer to the 2021 interface of the website, but the 2006 flip phone application that has long been discontinued.

Archival

https://www.jellyneo.net/?go=mobile

https://pinkpt.com//neodex/index.php?title=Neopets_Mobile

https://drive.google.com/file/d/1Cj8hqk4VI-O408kgMnKpffPmI-kxKmWR/view

Attempts to reverse engineer the long-defunct API

TODO (The jars are all minified, but perhaps I can extract the API URLs from them and document what the application expects to get back)

The META-INF/MANIFEST.MF for the Nokia 6280 version specifies a Java version of 1.4.2_04.

The decompiler used is quiltflower: https://github.com/QuiltMC/quiltflower and the javax.microedition classes were copied from https://github.com/mcpat/java-microedition-libraries

Nokia 6280 V02.30.00 (en) Singtel

m.java contains two calls:

• http://npprod-singtel.in-fusio.com/data-np/
• http://npprod-singtel.in-fusio.com/singtel/check?session= followed by RecordStore.openRecordStore("data-i", true).getRecord(1) as a String if not null, else ""

The session check appears to return one of the following values, with anything else as a failure code of -1:

Nokia 6111

m.java contains one call:

• http://npprod.in-fusio.com/data-np/

Getting sample network requests

1. Install Kahvibreak
2. Edit /path/to/Kahvibreak/Software/win32/KLaunch.bat
3. Change echo NetworkNotAvailable=true>>property.txt to echo NetworkNotAvailable=false>>property.txt
4. Edit /etc/hosts
5. Add 127.0.0.1 npprod-singtel.in-fusio.com
6. Add 127.0.0.1 npprod.in-fusio.com
7. Run something on port 80 that listens to /data-np/
8. Launch Neopets Mobile from Kahvibreak
9. Try to login

Reverse engineering the format

I've been renaming symbols in the decompiled source code to slowly figure out what the application is looking for as a response.

The response seems to use the same data structure as the request: a form-encoded set of key-value pairs, then a newline, then some sort of binary data structure.

Numbers are big-endian. Strings are delayed until the end of the structure. However, a reference to a string may appear in the number buffer as a short representing the offset in the string buffer to the start of the string. The start of the string is a short representing the length of the string, followed by the text of the string itself. Note that the first item in the number buffer will always be a pointer to the encoding information string in the string buffer, which itself is the first item of the string buffer.

The game ID is hardcoded to 11061 and the center is hardcoded to 61.

After the form data and newline, the structured data looks like this:

For example, the login attempt above can be broken into the following parts:

{'client': 'NEOPETS/2.8', 'game': '11061', 'center': '61', 'language': 'en'}
Tag: 40961 (a001)
Number buffer: b'\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 '
String buffer: b'\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00'

Note that if tag == 0x8000 or 0x8064, a different format is followed:

The application emits the following request tags:

• 33022
• 40961 (login)
• 40963
• 40965 (login + ?)
• 40967 (create pet + create account)
• 40968 (create pet)
• 40969
• 40971
• 40973 (request unlock info)

The application handles the following response tags:

• 40960
• 40962
• 40966
• 40970
• 40974 (unlock info)

Requests

Logging in (40961, 40965)

With username "adadad" and password "gjgjgj", in Python 3 bytes notation:

b'client=NEOPETS/2.8&game=11061&center=61&language=en\n\xa0\x01\x00\x00\x01\xa0\x00\x12\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00\xff'

Number buffer contents:

• pointer to encoding string
• constant int 0x64, doesn't mean anything
• constant int 0x64, doesn't mean anything
• pointer to username string
• pointer to password string
• pointer to extraneous information string; seemingly usually a zero-length string

I don't know how 40965 semantically differs from the first one.

Creating a pet and signing up (40967, 40968)

With username "adadad", password "gjgjgj", male green Kacheek, name "cccccc", birthday 1999-12-31, health 6, strength weak, defense very poor, movement slow, height 36 cms, weight 26 lbs, in Python 3 bytes notation:

b'client=NEOPETS/2.8&game=11061&center=61&language=en\n\xa0\x07\x00\x00\x04\xd0\x00:\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00(\x004\x00:\x00>\x00B\x00J\x00S\x00Z\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00$\x00\x00\x00\x1a\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x06cccccc\x00\n1999-12-31\x00\x04Male\x00\x02en\x00\x02EN\x00\x06adadad\x00\x07Kacheek\x00\x05GREEN\x00\x04Male\x00\xff'

Number buffer contents:

• pointer to encoding string
• constant int 0x64, doesn't mean anything
• constant int 0x64, doesn't mean anything
• pointer to username string
• pointer to password string
• pointer to extraneous information string; seemingly usually a zero-length string
• if 40967, pointer to date of birth string (YYYY-MM-DD)
• if 40967, pointer to gender string (Male, Female)
• if 40967, pointer to lowercase language string (en)
• if 40967, pointer to uppercase language string (EN)
• if 40967, pointer to username string again
• pointer to species string (Kacheek, Kougra, Shoyru, Lutari)
• pointer to colour string (GREEN, RED, YELLOW, BLUE)
• pointer to gender string again
• int ?
• int ?
• int ?
• int ?
• int ?
• int ?

Request unlock info (40973)

Number buffer contents:

• pointer to encoding string

That's it.

Responses

Unlock information (40974)

The game only prints this to the console.

Number buffer contents:

• pointer to "short code" string
• int "nbSms"
• pointer to price string
• pointer to currency string