Thread: Help amfphp?

  1. #1

    Help amfphp?

    I'm trying to do a DailyDoer with python that just requires you to double click the script and let it run.

    I see that the wheels send a POST request to "/amfphp/gateway.php" with something close to
    Code:
    WheelService.spinWheel /1
    but I'm not sure how to send that, if it can be sent just with a POST request or if I have to use PyAMF.

    Help appreciated.

  2. #2

    PyAMF's your best bet, see (you need an account to see links)

    If you prefer to use post just use the chr codes to make the bytes up:

    Chr(0) + Chr(3) + Chr(0) + Chr(0) + Chr(0) + Chr(1) + Chr(0) + Chr(22) + "WheelService.spinWheel" + Chr(0) + Chr(2) + Chr(47) + Chr(49) + Chr(0) + Chr(0) + Chr(0) + Chr(9) + Chr(10) + Chr(0) + Chr(0) + Chr(0) + Chr(1) + Chr(2) + Chr(0) + Chr(1) + "5"


  3. The Following User Says Thank You to DarkByte For This Useful Post:

    Daviid (10-28-2015)

  4. #3

    Alright, now I get where those values come from.
    I guess the last number "5" is the wheel we are spinning?
    Do you know if they log (or care about) the referer header? I've seen that you have a random number next to the swf url
    Code:
    http://images.neopets.com/wheels/wheel_of_misfortune_v2_3075ced020.swf?r=[randomNumber]

  5. #4

    Referer is always worth setting, they may very well check it. I do have code for their wheels somewhere but cba to find it. I would always send referers just as good practice; even if they don't yet track it they may in future.

    Don't think they care about the random number, it's just to force the cache in certain browsers to reload, but I do it anyway just in case...

    The number is the wheel ID, yes. The easiest way to read the content of an AMF packet is (you need an account to see links)

    It will decode the request and the result to a readable array.
    Last edited by DarkByte; 10-28-2015 at 09:37 PM.
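
Added example, not code from the thread: a small Python decoder for the AMF envelope layout that the Chr(...) sequence in post #2 spells out, useful for reading captured gateway traffic. The names `Reader`, `read_value` and `parse_envelope` are illustrative, and only the number, boolean, string, null/undefined and strict-array markers are handled.

```python
import struct

# Constructed sample: the Chr(...) sequence from post #2 written as bytes.
SAMPLE = (b"\x00\x03\x00\x00\x00\x01"            # version, header count, message count
          b"\x00\x16WheelService.spinWheel"      # target: U16 length + text
          b"\x00\x02/1"                          # response URI
          b"\x00\x00\x00\x09"                    # body length in bytes
          b"\x0a\x00\x00\x00\x01\x02\x00\x015")  # strict array holding string "5"

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def num(self, fmt):  # one big-endian fixed-width field
        return struct.unpack(">" + fmt, self.take(struct.calcsize(">" + fmt)))[0]
    def utf8(self):  # U16 length-prefixed string
        return self.take(self.num("H")).decode("utf-8")

def read_value(r, depth=0):
    marker = r.num("B")
    if marker == 0x00: return r.num("d")        # number
    if marker == 0x01: return r.num("B") != 0   # boolean
    if marker == 0x02: return r.utf8()          # string
    if marker in (0x05, 0x06): return None      # null / undefined
    if marker == 0x0A and depth < 32:           # strict array, bounded nesting
        count = r.num("I")
        if count > len(r.data) - r.pos:         # every element needs >= 1 byte
            raise ValueError("array count exceeds remaining data")
        return [read_value(r, depth + 1) for _ in range(count)]
    raise ValueError("unsupported or too deeply nested marker 0x%02x" % marker)

def parse_envelope(data):
    r = Reader(data)
    version, headers, messages = r.num("H"), [], []
    for _ in range(r.num("H")):                 # headers: name, flag, length, value
        name, must_understand = r.utf8(), r.num("B") != 0
        r.num("I")                              # declared header length, unchecked
        headers.append((name, must_understand, read_value(r)))
    for _ in range(r.num("H")):                 # messages
        target, response, length = r.utf8(), r.utf8(), r.num("I")
        start, body = r.pos, read_value(r)
        if length != 0xFFFFFFFF and r.pos - start != length:
            raise ValueError("declared body length does not match")
        messages.append({"target": target, "response": response, "body": body})
    return {"version": version, "headers": headers, "messages": messages}
```

`parse_envelope(SAMPLE)` yields one message with target `WheelService.spinWheel`, response URI `/1` and body `["5"]`; a truncated packet or a wrong declared length raises `ValueError` instead of returning partial data.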

  6. #5

    Last question
    I've seen (you need an account to see links), I've checked and now it sends a POST request to the gateway with "WheelService.startMonotony /1". Does that mean that now it's insecure to spin the wheel without waiting, or did it use to do that too when you tested it?

    ---------------------------------------

    When I add headers
    Code:
    br.addheaders = [
    		('User-agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36'),
    		('Content-Type', 'text/html; charset=UTF-8'),
    		('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'),
    		('Accept-Encoding', 'gzip, deflate'),
    		('Accept-Language', 'es-ES,es;q=0.8,en;q=0.6')
    		]
    the response I get is in hexadecimal? It worked fine with only User-agent
    Last edited by Daviid; 11-01-2015 at 06:30 AM.

  7. #6

    Sorry, went to Westfest over weekend and to sisters.

    I would decompile the swf to be sure but it's probably no longer safe. I noticed in their new mobile app they call MobileService.StartMonothony or something like that too but didn't look at its data yet. The return will be AMF data format:

    (you need an account to see links)

    The header problem could be that you are sending this incorrectly:

    ('Content-Type', 'text/html; charset=UTF-8'),

    You should be sending content type as application/x-amf

    This post from a long time ago might also interest you, but it is mostly repeating what's said in the AMF file format specification.

    (you need an account to see links)



    PyAMF is still easier!

    Code:
    from pyamf.remoting.client import RemotingService
    from classes.NeoAccount import NeoAccount

    pyamfhandler = RemotingService('http://www.neopets.com/amfphp/gateway.php')

    neouser = ""  # Neopets username
    neopass = ""  # Neopets password

    theacc = NeoAccount(neouser, neopass, "")
    theret = theacc.login()  # Login here

    # Tell pyamf to use our wrapper's opener, which carries the login cookie
    pyamfhandler.opener = theacc.opener.open
    CustomPetService = pyamfhandler.getService("CustomPetService")
    theret = CustomPetService.getUserData("raredaredevil",)
    print(theret)
    Returns:
    {'pet_list': [{'slots': [{'id': 1, 'label': u'Active Configuration'},
    {'id': 2, 'label': u'Preset #1'}, {'id': 3, 'label': u'Preset #2'}],
    'active_slot': 1, 'name': u'Badgerfeet'},
    {'slots': [{'id': 1, 'label': u'Active Configuration'},
    {'id': 2, 'label': u'Preset #1'},
    {'id': 3, 'label': u'Preset #2'}],
    'active_slot': 1, 'name': u'teoteoteo'}],
    'active_pet': None}


    So you could say

    Code:
    CustomPetService = pyamfhandler.getService("CustomPetService")
    theret = CustomPetService.getUserData("raredaredevil",)
    # Print the name of every pet in the returned list
    for pet in theret['pet_list']:
        print(pet['name'])
    Returns:
    Badgerfeet
    teoteoteo


    Much easier!
    Last edited by DarkByte; 11-02-2015 at 04:26 AM.

  8. The Following User Says Thank You to DarkByte For This Useful Post:

    Daviid (11-02-2015)

  9. #7

    Thanks for the links and info, I'll study that.

    Sorry that I didn't specify, the
    Code:
    \x00\x00blahblahblah
    response I get while opening any Neopets URL (e.g. /index.phtml) with the mechanize module; it works fine just sending the user-agent. I C&P'd the headers sent by the browser.
    Right now I can't test but could it be the
    Code:
    image/webp,*/*;q=0.8
    bit from the Accept header?

  10. #8

    Ahh yeah, could very well be. Neopets uses gzip too, so the encoding could be that?

    Accept should be:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

    Accept-Encoding should be:
    gzip, deflate, sdch

    Then there's Accept-Language too, which is:
    en-US,en;q=0.8

  11. The Following User Says Thank You to DarkByte For This Useful Post:

    Daviid (11-02-2015)
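
Added example, not code from the thread: one way to test the gzip explanation suggested in post #8 is to decode a response body according to its `Content-Encoding` header, since a client that advertises `gzip, deflate, sdch` has to undo whichever coding the server picks. `decode_body`, `MAX_BODY` and the sample response are assumptions made for this sketch; codings it cannot decode (such as `sdch`) are rejected instead of being passed through as text.

```python
import gzip
import zlib

MAX_BODY = 5 * 1024 * 1024  # assumed cap on decoded size, chosen for this example

def _inflate(data, wbits, limit):
    # Decompress at most limit+1 bytes so an oversized body is caught early.
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("decoded body exceeds %d bytes" % limit)
    if not d.eof:
        raise ValueError("compressed stream is truncated")
    return out

def decode_body(headers, body, limit=MAX_BODY):
    """Reverse the Content-Encoding the server applied to `body`."""
    lowered = {k.lower(): v for k, v in headers.items()}
    codings = [c.strip().lower() for c in lowered.get("content-encoding", "").split(",")]
    # Codings are listed in the order applied, so undo them last to first.
    for coding in reversed([c for c in codings if c and c != "identity"]):
        if coding in ("gzip", "x-gzip"):
            body = _inflate(body, 16 + zlib.MAX_WBITS, limit)
        elif coding == "deflate":
            try:
                body = _inflate(body, zlib.MAX_WBITS, limit)    # zlib-wrapped
            except zlib.error:
                body = _inflate(body, -zlib.MAX_WBITS, limit)   # raw deflate
        else:
            raise ValueError("cannot decode Content-Encoding %r" % coding)
    return body

# Constructed sample: what a server honouring "Accept-Encoding: gzip" could return.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8", "Content-Encoding": "gzip"}
SAMPLE_BODY = gzip.compress(b"<html>index</html>")
```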
