Neopets Mobile: Difference between revisions
(→Reverse engineering the format: Fill out rest of IDs) |
|||
| Line 108: | Line 108: | ||
* 33022 (test writing numbers) |
* 33022 (test writing numbers) |
||
* 40961 (login) |
* 40961 (login) |
||
* 40963 ( |
* 40963 (write state) |
||
* 40965 (login + ?) |
* 40965 (login + ?) |
||
* 40967 (create pet + create account) |
* 40967 (create pet + create account) |
||
Revision as of 19:46, 1 June 2023
Neopets Mobile does not refer to the 2021 interface of the website, but the 2006 flip phone application that has long been discontinued.
Archival
https://www.jellyneo.net/?go=mobile
https://pinkpt.com//neodex/index.php?title=Neopets_Mobile
https://drive.google.com/file/d/1Cj8hqk4VI-O408kgMnKpffPmI-kxKmWR/view
Attempts to reverse engineer the long-defunct API
TODO (The jars are all minified, but perhaps I can extract the API URLs from them and document what the application expects to get back)
The META-INF/MANIFEST.MF for the Nokia 6280 version specifies a Java version of 1.4.2_04.
The decompiler used is quiltflower: https://github.com/QuiltMC/quiltflower and the javax.microedition classes were copied from https://github.com/mcpat/java-microedition-libraries
Nokia 6280 V02.30.00 (en) Singtel
m.java contains two calls:
- http://npprod-singtel.in-fusio.com/data-np/
- http://npprod-singtel.in-fusio.com/singtel/check?session= followed by RecordStore.openRecordStore("data-i", true).getRecord(1) as a String if not null, else ""
The session check appears to return one of the following values, with anything else as a failure code of -1:
| Response | Treated as ID |
|---|---|
| SUBSCRIBED | 1 |
| UNSUBSCRIBED | 2 |
| REVOKED | 3 |
| SECURITY | 5 |
Nokia 6111
m.java contains one call:
Getting sample network requests
- Install Kahvibreak
- Edit
/path/to/Kahvibreak/Software/win32/KLaunch.bat - Change
echo NetworkNotAvailable=true>>property.txttoecho NetworkNotAvailable=false>>property.txt - Edit
/etc/hosts - Add
127.0.0.1 npprod-singtel.in-fusio.com - Add
127.0.0.1 npprod.in-fusio.com - Run something on port 80 that listens to
/data-np/ - Launch Neopets Mobile from Kahvibreak
- Try to login
Reverse engineering the format
I've been renaming symbols in the decompiled source code to slowly figure out what the application is looking for as a response.
The response seems to use the same data structure as the request: a form-encoded set of key-value pairs, then a newline, then some sort of binary data structure.
Numbers are big-endian. Strings are delayed until the end of the structure. However, a reference to a string may appear in the number buffer as a short representing the offset in the string buffer to the start of the string. The start of the string is a short representing the length of the string, followed by the text of the string itself. Note that the first item in the number buffer will always be a pointer to the encoding information string in the string buffer, which itself is the first item of the string buffer.
Nested structures can also be in the string buffer. They are handled similarly: the number buffer contains the offset to the start of the nested structure in the string buffer. However, the nested structure does not have its first six bytes, and the meaning of the "number buffer len + 2 (n)" field is changed to "number of items in this structure".
The game ID is hardcoded to 11061 and the center is hardcoded to 61.
After the form data and newline, the structured data looks like this:
| Offset | Type | Meaning |
|---|---|---|
| 0 | short | Tag |
| 2 | int | Length-derived value: 8 * (2 + n + m) |
| 6 | short | number buffer len + 2 (n) |
| 8 | bytes | number buffer |
| n + 8 | bytes | string buffer |
| m | byte | 0xFF, end of structured data |
For example, the login attempt above can be broken into the following parts:
{'client': 'NEOPETS/2.8', 'game': '11061', 'center': '61', 'language': 'en'}
Tag: 40961 (a001)
Number buffer: b'\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 '
String buffer: b'\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00'
Note that if tag == 0x8000 or 0x8064, a different format is followed:
| Offset | Type | Meaning |
|---|---|---|
| 0 | short | Tag |
| 2 | int | (len(message) + 1) * 8 |
| 6 | byte | 0x00, start of message |
| 7 | string | error message to display in console |
The application emits the following request tags:
- 33022 (test writing numbers)
- 40961 (login)
- 40963 (write state)
- 40965 (login + ?)
- 40967 (create pet + create account)
- 40968 (create pet)
- 40969 (add item)
- 40971 (test writing strings)
- 40973 (request unlock info)
The application handles the following response tags:
- 40960 (sync status)
- 40962 (user info)
- 40964 (does nothing)
- 40966 (rejected username, password, or pet name)
- 40970 (info about added item)
- 40972 (does nothing)
- 40974 (unlock info)
Requests
Unknown (33022)
Number buffer contains:
- pointer to encoding string
- constant int 0x0
- boolean hardcoded to true
Logging in (40961, 40965)
With username "adadad" and password "gjgjgj", in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x01\x00\x00\x01\xa0\x00\x12\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00\xff'
Number buffer contents:
- pointer to encoding string
- constant int 0x64, doesn't mean anything
- constant int 0x64, doesn't mean anything
- pointer to username string
- pointer to password string
- pointer to extraneous information string; seemingly usually a zero-length string
I don't know how 40965 semantically differs from the first one.
Creating a pet and signing up (40967, 40968)
With username "adadad", password "gjgjgj", male green Kacheek, name "cccccc", birthday 1999-12-31, health 6, strength weak, defense very poor, movement slow, height 36 cms, weight 26 lbs, in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x07\x00\x00\x04\xd0\x00:\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00(\x004\x00:\x00>\x00B\x00J\x00S\x00Z\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00$\x00\x00\x00\x1a\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x06cccccc\x00\n1999-12-31\x00\x04Male\x00\x02en\x00\x02EN\x00\x06adadad\x00\x07Kacheek\x00\x05GREEN\x00\x04Male\x00\xff'
Number buffer contents:
- pointer to encoding string
- constant int 0x64, doesn't mean anything
- constant int 0x64, doesn't mean anything
- pointer to username string
- pointer to password string
- pointer to pet name
- if 40967, pointer to date of birth string (YYYY-MM-DD)
- if 40967, pointer to gender string (Male, Female)
- if 40967, pointer to lowercase language string (en)
- if 40967, pointer to uppercase language string (EN)
- if 40967, pointer to username string again
- pointer to species string (Kacheek, Kougra, Shoyru, Lutari)
- pointer to colour string (GREEN, RED, YELLOW, BLUE)
- pointer to gender string again
- int pet health
- int pet strength
- int pet defense
- int pet movement
- int pet height
- int pet weight
Add item to inventory (40969)
Number buffer contents:
- pointer to encoding string
- constant int 0x64, doesn't mean anything
- constant int 0x64, doesn't mean anything
- pointer to username string
- pointer to password string
- pointer to extraneous information string; seemingly usually a zero-length string
- int mobile item ID, which does not appear to be the same as the website item ID
Request unlock info (40973)
Number buffer contents:
- pointer to encoding string
That's it.
Responses
Synchronization status (40960)
A break statement is missing after this in the application, but the next case throws an exception that is immediately swallowed, so everything is OK.
Number buffer contents:
- pointer to encoding string
- int with sync status ID
Known sync status IDs:
- 41: Already running a mobile game session
Unlock information (40974)
The game only prints this to the console.
Number buffer contents:
- pointer to encoding string
- pointer to "short code" string
- int "nbSms"
- pointer to price string
- pointer to currency string
