Reading application/x-amf data


10 replies to this topic

#1 phr0sty

phr0sty
  • 105 posts

Posted 14 November 2010 - 06:18 AM

I'm trying to intercept data that is going into a SWF, but I can't seem to figure out how to view and/or process application/x-amf data. The task that I have is Neopets-related, but the question can pertain to application/x-amf data coming out of/into any SWF.

Any help would be greatly appreciated.

#2 Waser Lave

Waser Lave

  • 25516 posts



Posted 14 November 2010 - 07:59 AM

Have you tried Wireshark? Otherwise you can use something like PyAMF, send the same requests and you can get the data directly.

#3 Pyro699

Pyro699
  • 1543 posts



Posted 14 November 2010 - 09:05 AM

I'm assuming that you want to automatically spin the wheels, as those applications use that type. I've already done so... I'll post the exact steps when I get home.

Have you tried Wireshark? Otherwise you can use something like PyAMF, send the same requests and you can get the data directly.

I used Wireshark, but I didn't need to use PyAMF to get it done... although, I did look into that option.


Here's what you do...

First I got the packets for the games...

```python
# AMF0 request bodies captured with Wireshark, written out byte by byte as \x escapes.
# Layout of each one: 00 03 = AMF version, 00 00 = header count, 00 01 = message count,
# 00 16 = target URI length (22) followed by "WheelService.spinWheel", 00 02 "/1" = response URI,
# 00 00 00 09 = body length, 0a 00 00 00 01 = strict array of one element,
# 02 00 01 xx = a one-character string: "2", "1" or "3" selects the wheel.
# The b"" prefix makes these byte strings on both Python 2 and Python 3.
WheelOfExcitement = b"\x00\x03\x00\x00\x00\x01\x00\x16\x57\x68\x65\x65\x6c\x53\x65\x72\x76\x69\x63\x65\x2e\x73\x70\x69\x6e\x57\x68\x65\x65\x6c\x00\x02\x2f\x31\x00\x00\x00\x09\x0a\x00\x00\x00\x01\x02\x00\x01\x32"
WheelOfKnowledge = b"\x00\x03\x00\x00\x00\x01\x00\x16\x57\x68\x65\x65\x6c\x53\x65\x72\x76\x69\x63\x65\x2e\x73\x70\x69\x6e\x57\x68\x65\x65\x6c\x00\x02\x2f\x31\x00\x00\x00\x09\x0a\x00\x00\x00\x01\x02\x00\x01\x31"
WheelOfMonotony = b"\x00\x03\x00\x00\x00\x01\x00\x16\x57\x68\x65\x65\x6c\x53\x65\x72\x76\x69\x63\x65\x2e\x73\x70\x69\x6e\x57\x68\x65\x65\x6c\x00\x02\x2f\x31\x00\x00\x00\x09\x0a\x00\x00\x00\x01\x02\x00\x01\x33"
```


I'm using Python (obviously), so those strings are hex codes that simulate the exact packet that is sent. The packets that get sent to the server are EXACTLY the same, every time.

Take that data and send it to http://www.neopets.com/amfphp/gateway.php with the Content-Type as application/x-amf.

I'm not sure if it was needed, but I also put the Referer header in there as well:

```python
# Referer header sent with each request: the URL of the SWF that normally makes the call
WheelOfExcitement = 'http://images.neopets.com/wheels/wheel_of_excitement_v1_a9db9936db.swf'
WheelOfKnowledge = 'http://images.neopets.com/wheels/wheel_of_knowledge_v1_731eafc8f8.swf'
WheelOfMonotony = 'http://images.neopets.com/wheels/wheel_of_mediocrity_v1_c4ed41eb31.swf'
```

It's basically the URL of the SWF... Also, be VERY careful spinning the Wheel of Excitement now, because you can still spin it even though the faerie quest shit is going on xD I got a test account frozen that way -.-


To get the response from the wheel, I did this: (Note that it is in Python)

```python
import re

# response = the response returned from opening the gateway URL
# response.read() = the raw reply body, which carries the HTML we want
raw = response.read()

# keep only printable ASCII (0x20-0x7E); AMF type markers and length bytes are dropped
# (bytearray() yields integers on both Python 2 and Python 3)
s = "".join(chr(v) for v in bytearray(raw) if 32 <= v <= 126)

# This leaves an HTML string that is very easy to parse.
# stripHTML = a function that removes ALL html tags that are present
# GetBetween = a simple function that gets all text between point a and point b, exclusive
def stripHTML(text):
    return re.sub(r"<[^>]+>", "", text)

def GetBetween(text, a, b):
    start = text.index(a) + len(a)
    return text[start:text.index(b, start)]

winText = stripHTML(GetBetween(s, "<center>", "</center>"))
```


I do believe that's exactly what you're after ;) Just remember who made it :3

~Cody

Edited by Pyro699, 14 November 2010 - 09:12 AM.
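The hex strings in the post above are a complete AMF0 remoting packet, and the only thing that differs between the three is the last byte. The following is an added example (my code, not Pyro699's or anything from the thread): an AMF0 encoder that builds the same packet from its parts (target URI "WheelService.spinWheel", response URI "/1", one string argument) and checks that it reproduces all three captured byte strings exactly. It goes a little beyond the page by also encoding numbers, booleans, null, objects and arrays, which is what you need once a SWF sends something other than a single string. The `post_amf` helper is my own name; it sends the packet with the Content-Type and Referer headers the post describes and is not exercised offline.

```python
import struct
import urllib.request

# AMF0 type markers (the wheel packets only use STRING and STRICT_ARRAY)
AMF0_NUMBER, AMF0_BOOLEAN, AMF0_STRING = 0x00, 0x01, 0x02
AMF0_OBJECT, AMF0_NULL, AMF0_OBJECT_END, AMF0_STRICT_ARRAY = 0x03, 0x05, 0x09, 0x0A


def _utf(s):
    """u16 big-endian length prefix + UTF-8 bytes, as used for URIs, keys and short strings."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for a u16 length prefix")
    return struct.pack(">H", len(data)) + data


def write_value(v):
    """Serialise one Python value as an AMF0 value: type marker followed by its payload."""
    if v is None:
        return bytes([AMF0_NULL])
    if isinstance(v, bool):                      # must come before int: bool is an int subclass
        return bytes([AMF0_BOOLEAN, 1 if v else 0])
    if isinstance(v, (int, float)):              # every AMF0 number is an IEEE double
        return bytes([AMF0_NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):
        return bytes([AMF0_STRING]) + _utf(v)
    if isinstance(v, (list, tuple)):             # strict array: u32 count, then the elements
        return (bytes([AMF0_STRICT_ARRAY]) + struct.pack(">I", len(v))
                + b"".join(write_value(x) for x in v))
    if isinstance(v, dict):                      # object: key/value pairs, empty key + 0x09 ends it
        body = b"".join(_utf(k) + write_value(x) for k, x in v.items())
        return bytes([AMF0_OBJECT]) + body + b"\x00\x00" + bytes([AMF0_OBJECT_END])
    raise TypeError("no AMF0 encoding for %s" % type(v).__name__)


def build_request(target, response_uri, args, version=3):
    """One-message AMF packet: u16 version, u16 header count, u16 message count,
    then the message: target URI, response URI, u32 body length, body.
    Flash Player 9+ puts 3 in the version field even when the body is AMF0-encoded,
    which is exactly what the captured wheel packets show (00 03 ...)."""
    body = write_value(list(args))               # the call arguments travel as one strict array
    return (struct.pack(">HHH", version, 0, 1)
            + _utf(target) + _utf(response_uri)
            + struct.pack(">I", len(body)) + body)


def post_amf(url, packet, referer=None, timeout=10):
    """POST a packet with the headers the SWF would send. Network call; not run offline."""
    headers = {"Content-Type": "application/x-amf"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, data=packet, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# The three packets from the post above, byte for byte, as the reference vectors.
WHEEL_OF_EXCITEMENT = b"\x00\x03\x00\x00\x00\x01\x00\x16\x57\x68\x65\x65\x6c\x53\x65\x72\x76\x69\x63\x65\x2e\x73\x70\x69\x6e\x57\x68\x65\x65\x6c\x00\x02\x2f\x31\x00\x00\x00\x09\x0a\x00\x00\x00\x01\x02\x00\x01\x32"
WHEEL_OF_KNOWLEDGE = b"\x00\x03\x00\x00\x00\x01\x00\x16\x57\x68\x65\x65\x6c\x53\x65\x72\x76\x69\x63\x65\x2e\x73\x70\x69\x6e\x57\x68\x65\x65\x6c\x00\x02\x2f\x31\x00\x00\x00\x09\x0a\x00\x00\x00\x01\x02\x00\x01\x31"
WHEEL_OF_MONOTONY = b"\x00\x03\x00\x00\x00\x01\x00\x16\x57\x68\x65\x65\x6c\x53\x65\x72\x76\x69\x63\x65\x2e\x73\x70\x69\x6e\x57\x68\x65\x65\x6c\x00\x02\x2f\x31\x00\x00\x00\x09\x0a\x00\x00\x00\x01\x02\x00\x01\x33"

if __name__ == "__main__":
    for wheel_id, captured in (("2", WHEEL_OF_EXCITEMENT), ("1", WHEEL_OF_KNOWLEDGE), ("3", WHEEL_OF_MONOTONY)):
        assert build_request("WheelService.spinWheel", "/1", [wheel_id]) == captured
    print("encoder reproduces all three captured packets")
```

Because the encoder reproduces the capture byte for byte, you can stop carrying opaque hex strings around: change the argument list and you get a valid packet for any other target the SWF calls, and anything Wireshark shows you that does not round-trip through `build_request` is worth a closer look.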


#4 Noitidart

Noitidart
  • Neocodex Co-Founder

  • 23214 posts



Posted 14 November 2010 - 11:19 AM

Wow, some crazy stuff going on in here, I don't even understand.

#5 phr0sty

phr0sty
  • 105 posts

Posted 14 November 2010 - 11:40 AM

Thanks Pyro. I was actually trying to read some data from Key Quest, but your code fits into the same paradigm, so thank you very much.

Just out of curiosity, what is the hex-encoded request that you send? Where do you get that? If I take the request out of something like Firebug or Tamper Data and then hex-encode that string, would that be the same?


Thanks a lot for your input.

#6 Pyro699

Pyro699
  • 1543 posts



Posted 14 November 2010 - 12:16 PM

It's not a string in the sense that it is composed of characters you make with your keyboard. All characters (in the ASCII range) can be defined as a 2-digit hexadecimal string <00 - FF>. If you were to take those strings above and turn them into characters, you would get a bunch of gibberish and an HTML string.

Here is a screenshot of where to find said packet ^^
[screenshot]

And because I'm nice, here's one of finding the response...
[screenshot]


That should help even more :)

And I'm sure there are some areas that you could talk about at length that would be over our heads, Noit ;)

Enjoy
~Cody

#7 phr0sty

phr0sty
  • 105 posts

Posted 14 November 2010 - 01:20 PM

Thanks again. Your guides are awesome and very helpful.

Correct me if I'm wrong: the post data begins 4 bytes after the end of the header information until EOF, correct? It looks like in both of your screenshots that is the case.

Thanks again.

#8 Pyro699

Pyro699
  • 1543 posts



Posted 14 November 2010 - 09:35 PM

Yeah, they are 4 bytes after... but it doesn't really matter, because when you parse the data through that function I posted above, 00, 01 and 03 are all values that wouldn't be recorded in the string.

Best of luck to you :) Feel free to ask more questions about this crap :3 Once you're done with that, tackle the Wheel of Monotony and let me know if you crack the process of getting the spin time :)

~Cody
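The "4 bytes after the header" in the exchange above is the u32 message length that sits between the response URI and the body, and the printable-byte trick from post #3 works only because the type markers and length bytes in these particular packets happen to fall outside 0x20-0x7E. Here is an added example (my code, not from this thread) that walks the AMF packet properly instead: preamble, headers, messages, then the AMF0 value in each body, recording the offset where each body starts. It decodes the Wheel of Excitement request from post #3 and a reply I constructed for the example (labelled as such in the code; it is not a captured Neopets response, only the shape the post describes: one message whose body is a string holding an HTML fragment). It also runs the post's printable filter over the same bytes to show the catch: a body length of 47 is 0x2F, which is "/", and a string length of 44 is 0x2C, which is ",", so both leak into the "readable" output as stray characters.

```python
import re
import struct

# AMF0 type markers this decoder understands; anything else raises.
NUMBER, BOOLEAN, STRING, OBJECT, NULL, UNDEFINED = 0x00, 0x01, 0x02, 0x03, 0x05, 0x06
ECMA_ARRAY, OBJECT_END, STRICT_ARRAY, LONG_STRING = 0x08, 0x09, 0x0A, 0x0C


def _take(buf, pos, n):
    """Bounds-checked slice: a truncated or hostile packet raises instead of reading short."""
    if pos + n > len(buf):
        raise ValueError("packet truncated at offset %d (need %d bytes)" % (pos, n))
    return buf[pos:pos + n], pos + n


def _utf(buf, pos):
    """u16 length-prefixed UTF-8 string (URIs, header names, object keys, short strings)."""
    raw, pos = _take(buf, pos, 2)
    data, pos = _take(buf, pos, struct.unpack(">H", raw)[0])
    return data.decode("utf-8"), pos


def read_value(buf, pos):
    """Decode one AMF0 value at pos; returns (value, position after it)."""
    raw, pos = _take(buf, pos, 1)
    marker = raw[0]
    if marker == NUMBER:
        raw, pos = _take(buf, pos, 8)
        return struct.unpack(">d", raw)[0], pos
    if marker == BOOLEAN:
        raw, pos = _take(buf, pos, 1)
        return raw[0] != 0, pos
    if marker == STRING:
        return _utf(buf, pos)
    if marker == LONG_STRING:                    # u32 length instead of u16
        raw, pos = _take(buf, pos, 4)
        data, pos = _take(buf, pos, struct.unpack(">I", raw)[0])
        return data.decode("utf-8"), pos
    if marker in (NULL, UNDEFINED):
        return None, pos
    if marker == ECMA_ARRAY:                     # u32 count hint, then key/value pairs like an object
        _, pos = _take(buf, pos, 4)
        marker = OBJECT
    if marker == OBJECT:                         # pairs until an empty key followed by 0x09
        obj = {}
        while True:
            key, pos = _utf(buf, pos)
            if key == "" and buf[pos:pos + 1] == bytes([OBJECT_END]):
                return obj, pos + 1
            obj[key], pos = read_value(buf, pos)   # nesting is bounded by the recursion limit
    if marker == STRICT_ARRAY:                   # u32 count, then that many values
        raw, pos = _take(buf, pos, 4)
        items = []
        for _ in range(struct.unpack(">I", raw)[0]):
            item, pos = read_value(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unsupported AMF0 marker 0x%02x at offset %d" % (marker, pos - 1))


def parse_envelope(buf):
    """Walk a whole AMF packet: 6-byte preamble, headers, messages. Each message
    records body_offset, the first byte after its u32 length field."""
    raw, pos = _take(buf, 0, 6)
    version, header_count, message_count = struct.unpack(">HHH", raw)
    headers = []
    for _ in range(header_count):                # name, must-understand flag, u32 length, value
        name, pos = _utf(buf, pos)
        flag, pos = _take(buf, pos, 1)
        _, pos = _take(buf, pos, 4)
        value, pos = read_value(buf, pos)
        headers.append({"name": name, "must_understand": flag[0] != 0, "value": value})
    messages = []
    for _ in range(message_count):               # target URI, response URI, u32 length, value
        target, pos = _utf(buf, pos)
        response, pos = _utf(buf, pos)
        raw, pos = _take(buf, pos, 4)
        declared = struct.unpack(">I", raw)[0]
        body_offset = pos
        value, pos = read_value(buf, pos)
        if declared != 0xFFFFFFFF and pos - body_offset != declared:   # 0xFFFFFFFF = length unknown
            raise ValueError("declared length %d, decoded %d" % (declared, pos - body_offset))
        messages.append({"target": target, "response": response,
                         "body_offset": body_offset, "value": value})
    if pos != len(buf):
        raise ValueError("%d trailing bytes after the last message" % (len(buf) - pos))
    return {"version": version, "headers": headers, "messages": messages}


def printable_filter(buf):
    """The post's approach: keep bytes 0x20-0x7E. Length fields that happen to be printable survive."""
    return "".join(chr(b) for b in buf if 32 <= b <= 126)


def extract_win_text(html):
    """Text between <center> and </center> with the tags stripped."""
    m = re.search(r"<center>(.*?)</center>", html, re.S)
    if not m:
        raise ValueError("no <center> block in the response")
    return re.sub(r"<[^>]+>", "", m.group(1)).strip()


# The Wheel of Excitement request from post #3 (same bytes, with the ASCII runs written out).
WHEEL_OF_EXCITEMENT = (b"\x00\x03\x00\x00\x00\x01" + b"\x00\x16WheelService.spinWheel"
                       + b"\x00\x02/1" + b"\x00\x00\x00\x09" + b"\x0a\x00\x00\x00\x01\x02\x00\x012")

# Constructed reply for this example; NOT a captured Neopets response.
HTML = "<center>You have won <b>200 NP</b>!</center>"
SAMPLE_RESPONSE = (b"\x00\x00\x00\x00\x00\x01"             # version 0, 0 headers, 1 message
                   + b"\x00\x0b/1/onResult"                  # target URI (the caller's callback)
                   + b"\x00\x04null"                         # response URI
                   + struct.pack(">I", 3 + len(HTML))        # body length = marker + u16 len + text
                   + b"\x02" + struct.pack(">H", len(HTML)) + HTML.encode("ascii"))

if __name__ == "__main__":
    msg = parse_envelope(SAMPLE_RESPONSE)["messages"][0]
    print("body starts at offset", msg["body_offset"], "->", extract_win_text(msg["value"]))
    print("printable filter gives:", printable_filter(SAMPLE_RESPONSE))
```

On a bigger response (an object with several fields, or a string longer than 31 bytes whose length byte lands in the printable range) the filter output gets noisier and `GetBetween` can latch onto the wrong fragment; the decoder returns the fields with their types and rejects packets whose declared lengths do not add up, which is also what you want before feeding captured traffic into anything automated.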

#9 phr0sty

phr0sty
  • 105 posts

Posted 14 November 2010 - 10:30 PM

Once you're done with that, tackle the Wheel of Monotony and let me know if you crack the process of getting the spin time :)


I believe that this should help you with that question: http://www.neopets.com/~amaterasuchan

#10 Pyro699

Pyro699
  • 1543 posts



Posted 14 November 2010 - 10:33 PM

It amazes me how much people underestimate me :p I have used Google and found that method; that worked on the old wheel, but they have updated them all and it no longer works xD When you click on the wheel and go to that URL, it still says you have not spun the wheel xP

Silly people, you're the 3rd person today to send me that EXACT same link -.-

~Cody

#11 phr0sty

phr0sty
  • 105 posts

Posted 15 November 2010 - 06:31 PM

lol sorry. I haven't spun the wheel since last year. I didn't know that it stopped working. :)

