Neopets Mobile
Neopets Mobile does not refer to the 2021 interface of the website, but the 2006 flip phone application that has long been discontinued.
Archival
https://www.jellyneo.net/?go=mobile
https://pinkpt.com//neodex/index.php?title=Neopets_Mobile
https://drive.google.com/file/d/1Cj8hqk4VI-O408kgMnKpffPmI-kxKmWR/view
Attempts to reverse engineer the long-defunct API
TODO (The jars are all minified, but perhaps I can extract the API URLs from them and document what the application expects to get back)
The META-INF/MANIFEST.MF for the Nokia 6280 version specifies a Java version of 1.4.2_04.
The decompiler used is quiltflower: https://github.com/QuiltMC/quiltflower and the javax.microedition classes were copied from https://github.com/mcpat/java-microedition-libraries
Nokia 6280 V02.30.00 (en) Singtel
m.java contains two calls:
- http://npprod-singtel.in-fusio.com/data-np/
- http://npprod-singtel.in-fusio.com/singtel/check?session= followed by RecordStore.openRecordStore("data-i", true).getRecord(1) as a String if not null, else ""
The session check appears to return one of the following values, with anything else as a failure code of -1:
| Response | Treated as ID |
|---|---|
| SUBSCRIBED | 1 |
| UNSUBSCRIBED | 2 |
| REVOKED | 3 |
| SECURITY | 5 |
Nokia 6111
m.java contains one call:
Getting sample network requests
- Install Kahvibreak
- Edit
/path/to/Kahvibreak/Software/win32/KLaunch.bat - Change
echo NetworkNotAvailable=true>>property.txttoecho NetworkNotAvailable=false>>property.txt - Edit
/etc/hosts - Add
127.0.0.1 npprod-singtel.in-fusio.com - Add
127.0.0.1 npprod.in-fusio.com - Run something on port 80 that listens to
/data-np/ - Launch Neopets Mobile from Kahvibreak
- Try to login
Reverse engineering the format
I've been renaming symbols in the decompiled source code to slowly figure out what the application is looking for as a response.
The response seems to use the same data structure as the request: a form-encoded set of key-value pairs, then a newline, then some sort of binary data structure.
Numbers are big-endian. Strings are delayed until the end of the structure. However, a reference to a string may appear in the number buffer as a short representing the offset in the string buffer to the start of the string. The start of the string is a short representing the length of the string, followed by the text of the string itself. Note that the first item in the number buffer will always be a pointer to the encoding information string in the string buffer, which itself is the first item of the string buffer.
The game ID is hardcoded to 11061 and the center is hardcoded to 61.
After the form data and newline, the structured data looks like this:
| Offset | Type | Meaning |
|---|---|---|
| 0 | short | Tag |
| 2 | int | Length-derived value: 8 * (2 + n + m) |
| 6 | short | number buffer len + 2 (n) |
| 8 | bytes | number buffer |
| n + 8 | bytes | string buffer |
| m | byte | 0xFF, end of structured data |
For example, the login attempt above can be broken into the following parts:
{'client': 'NEOPETS/2.8', 'game': '11061', 'center': '61', 'language': 'en'}
Tag: 40961 (a001)
Number buffer: b'\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 '
String buffer: b'\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00'
Note that if tag == 0x8000 or 0x8064, a different format is followed:
| Offset | Type | Meaning |
|---|---|---|
| 0 | short | Tag |
| 2 | int | (len(message) + 1) * 8 |
| 6 | byte | 0x00, start of message |
| 7 | string | error message to display in console |
The application emits the following request tags:
- 33022
- 40961
- 40963
- 40965
- 40967
- 40968
- 40969
- 40971
- 40973
The application handles the following response tags:
- 40960
- 40962
- 40966
- 40970
- 40974
Credentials
Logging in
With username "adadad" and password "gjgjgj", in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x01\x00\x00\x01\xa0\x00\x12\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x00\x00\xff'
Number buffer contents:
- pointer to encoding string
- constant int 0x64, doesn't mean anything
- constant int 0x64, doesn't mean anything
- pointer to username string
- pointer to password string
- pointer to extraneous information string; seemingly usually a zero-length string
Signing up
With username "adadad", password "gjgjgj", male green Kacheek, name "cccccc", birthday 1999-12-31, health 6, strength weak, defense very poor, movement slow, height 36 cms, weight 26 lbs, in Python 3 bytes notation:
b'client=NEOPETS/2.8&game=11061¢er=61&language=en\n\xa0\x07\x00\x00\x04\xd0\x00:\x00\x00\x00\x00\x00@\x00\x00\x00@\x00\x10\x00\x18\x00 \x00(\x004\x00:\x00>\x00B\x00J\x00S\x00Z\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00$\x00\x00\x00\x1a\x00\x0eISO-8859-1;2.8\x00\x06adadad\x00\x06gjgjgj\x00\x06cccccc\x00\n1999-12-31\x00\x04Male\x00\x02en\x00\x02EN\x00\x06adadad\x00\x07Kacheek\x00\x05GREEN\x00\x04Male\x00\xff'
