SilicaAndPina

Members
  • Content Count: 25
  • Joined
  • Last visited
  • Days Won: 2

Everything posted by SilicaAndPina

  1. Mm, what about Binary? He did a bunch of reversing of TamaTown stuff back in the day on TamaTalk (mainly how to request codes?)~ It seems likely he could have some files from TamaTown... potentially?
  2. Don't know much about ON, but couldn't you in theory just tell your phone you have a different Tamagotchi than you really do (by just faking packets >_<) and get basically anything to show up?
  3. Basically, for some reason DreamTown uses Context3D (I think it's a thing with the Starling engine, idk). Despite the name, "Context3D" has little to do with 3D graphics; it's a wrapper around OpenGL ES in ActionScript >-< It was a feature added in Flash Player 11, so make sure you're using Flash Player 11 or higher lol. Anyway, I'm not sure what's up with the Flash Player on Raspberry Pi, but some users have reported similar issues on Firefox for Ubuntu, in completely different games, so it's probably not an issue with DreamTown... You could try the Adobe Flash Projector, which is a standalone app provided by Adobe for running SWF files; just go "File > Open" and enter "http://famita.ml/friends/prelauncher.swf?1.0.1.1776". The plus to using that is that it'll probably work after December 2020.
  4. I asked for the source code a few times; he always says he will give it and then never does. I managed to work out a bit about how Friends/DreamTown passwords work though (namely how your username is encoded in the login password, see https://github.com/KuromeSan/TamaTown/blob/master/DreamTown/password_tests.py). There are two bytes there that I don't know what are; I'm guessing they're related to what Tamagotchi you currently have, but it seems to be different for each "code type", and since the DreamTown game actually says what Tamagotchi you have, you'd have to actually know what each one relates to. Oh, and it was actually the server that determined what item you got, whereas in previous TamaTowns the item ID would be passed as an argument to the CGI scripts; on DreamTown the CGI scripts were meant to have a list of items you can get, and all that was passed to them was the "ticket type" you used at the fortune teller's place..
  5. So I finally made an easy V5 Password Generator @ http://famita.ml/pc/pw_gen.html (aren't my web design skills sick?). It can give GP & items, but um, yeah, I don't know what any of the item IDs are; there is no list of them or anything for V5. You would have to just try some random number and see what it gives you, and that, well, takes time to do >_< It's a range of 1-128 anyway, so basically you can give yourself any item, but we don't know what items are available to give ourselves >_< (The generator just uses the famitama.cgi script I wrote for the V5 TamaTown "rewritten", because why rewrite stuff :-:) Blessed Be~
  6. Oh, all the languages are there; they're accessed by flashvars, it seems. It loads a locale file, *.ace? Not sure what the format is, but it looks zlib-compressed. In mmog.cebd we have them defined here:
     <lang>
       <!-- Path of the one .ace file to load -->
       <!-- :: Values :: -->
       <!-- relative path, root is the project's bin folder -->
       <!-- You will need to replace the ${lang} token by the current language at runtime. -->
       <var name="localization_section_path" value="config/ace/resource/#lang#/localization_section.ace"/>
       <!-- Path of ace files to load -->
       <!-- :: Values :: -->
       <!-- relative path, root is the project's bin folder -->
       <var name="available" value="de,en,es,fr,nl,pl,pt,ru"/>
       <var name="default" value="en"/>
       <var name="de" value="config/loc/de/"/>
       <var name="en" value="config/loc/en/"/>
       <var name="es" value="config/loc/es/"/>
       <var name="fr" value="config/loc/fr/"/>
       <var name="it" value="config/loc/it/"/>
       <var name="nl" value="config/loc/nl/"/>
       <var name="pl" value="config/loc/pl/"/>
       <var name="pt" value="config/loc/pt/"/>
       <var name="ru" value="config/loc/ru/"/>
       <var name="debug" value="${debug.localization}" />
     </lang>
     Basically you just pass "lang=<language "name">" to flashvars and it loads with that. Some of you may have noticed there's an Italian language that's defined but not available; I was curious, so I edited the config to add it to the list and *this happened*. Anyway, I added a language selector to the site famita.ml/friends for easy usage.
  7. It all loads the same states that are all burned into the ROM anyway.
  8. Tama-Go, seems like they just locked all the content that used to be there (it's already on the ROM) behind a paywall :-:
  9. There are a few "TamaTown Rewritten"-esque sites; here are some links: V5 & Friends: famita.ml; V4/V3: alexgtama.tk. V5 and Friends are fully playable; however, V4/V3 is missing some stuff thanks to not all SWFs being archived.
  10. Oh boy, Dream Town, this was a fun one. First I would like to thank @Alex Grigoriou, as he had downloaded all the Dream Town files before it went down, basically making this whole thing possible. But anyway, you can play Dream Town @ http://famita.ml/friends/index.html Registering, login and saving stuff work; however, codes for the actual Tamagotchi Friends don't (yet). If you have any problems please tell me so I can try to fix it; I'm not entirely sure I rewrote every single script, so...
      Technical notes (for nerds): This game might not have been developed by Bandai but rather outsourced to "Firma Studio", as all packages are marked "com.firmastudio". Interestingly, firmastudio.com seems to be an architecture company, not a game development one; now granted it is Dream TOWN, but I don't think it falls under that. *.CEBD file format: there is only 1 SWF file actually loaded by this, which is the loader itself, which loads other binaries and config files in the .CEBD file, which are compressed (gzip) & encrypted (ARC4) SWF or XML files. The main config file is called "mmog.cebd", which is XML and defines stuff like the login server and so on, and the main binary is "tam.cebd", which is a SWF. I wrote a CEBD decryptor in C# .NET, which you can find the source and binaries for here: Cebd_Decrypt. It's also built with the Starling Engine. The login server is by default over unsecured HTTP (in fact, it pretty much HAS to be over HTTP since it expects a direct IP and not a domain name; I think SSL on IPs is possible but you can't do it with Let's Encrypt...). Oh, and the original server stored passwords in plaintext; when you did an "I forgot my pass" thing it would just give you your password. I actually set mine up to do SHA512(password)^salt; the password reset merely creates a new password for you and tells you that instead.
      :-: It was totallllly possible to cheat Dream Town (even the original one). Basically whenever you do anything it sends a request to the auth server (defined in mmog.cebd); you can just POST to <authserver>/inventory/add with a JSON like {"itemId":1,"quantity":4,"authId":<token>} and it just adds it to your inventory. Anyway, you can find the CGI scripts' code for the login server here: DreamTown Repository, and the Client Files.
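Post 10 above describes the .CEBD container as a gzip-compressed, ARC4-encrypted SWF or XML file. The following is an added example, not the author's Cebd_Decrypt tool or any DreamTown code, showing the two-layer unpacking in Python with only the standard library. The RC4 key and the mmog-style XML sample are constructed for the demo (the real key is not on this page), and the code assumes the layering is compress-then-encrypt, so decryption runs first; if the real files were encrypted and then gzipped, the two steps would simply swap.

```python
import gzip
from typing import Iterator

# Constructed demo key; the real DreamTown key is not given on this page.
DEMO_KEY = b"demo-key-not-the-real-one"

# Constructed stand-in for mmog.cebd's XML (documentation IP, not a real server).
DEMO_MMOG_XML = b'<mmog><var name="auth_server" value="http://192.0.2.10/"/></mmog>'


def rc4_keystream(key: bytes) -> Iterator[int]:
    """ARC4 key scheduling followed by the PRGA; yields one keystream byte at a time."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def pack_cebd(payload: bytes, key: bytes) -> bytes:
    """Build a CEBD-style blob: gzip the payload, then RC4 it (assumed layering)."""
    return rc4(key, gzip.compress(payload))


def unpack_cebd(blob: bytes, key: bytes) -> bytes:
    """Reverse pack_cebd: RC4 first, then check the gzip magic before inflating.

    RC4 has no integrity check, so a wrong key yields random bytes rather than an
    error; testing for the gzip magic turns that into a clear failure instead of
    handing a garbage SWF to the next stage.
    """
    plain = rc4(key, blob)
    if plain[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream after RC4: wrong key or different layering")
    return gzip.decompress(plain)


def classify_payload(payload: bytes) -> str:
    """Tell SWF from XML by signature: SWF files start with FWS, CWS or ZWS."""
    if payload[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"
    if payload.lstrip().startswith(b"<"):
        return "xml"
    return "unknown"


if __name__ == "__main__":
    blob = pack_cebd(DEMO_MMOG_XML, DEMO_KEY)
    inner = unpack_cebd(blob, DEMO_KEY)
    print(classify_payload(inner), inner.decode())
```

The RC4 routine is checked against the standard "Key"/"Plaintext" test vector, so the cipher half can be trusted before a real blob is tried; the only thing a real file would need is the actual key, which the author's decryptor evidently recovered from the loader SWF.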
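Posts 4 and 10 above describe two reward designs: the original DreamTown auth server accepted a client-chosen itemId and quantity at /inventory/add, while the rewritten CGI was meant to receive only a ticket type and look the reward up in a server-side list. The following added example (my own code, not the DreamTown server or the author's repository) models both handlers as pure functions over a constructed session table so the difference can be exercised offline. Only the endpoint's JSON field names (itemId, quantity, authId) come from post 10; the session token, the ticket table, the ticketType field and the error messages are made up for the demo.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed reward table: ticket type -> (itemId, quantity). Post 4 says the real
# CGI kept such a list server-side; these particular values are placeholders.
TICKET_REWARDS: Dict[str, Tuple[int, int]] = {"gold": (7, 1), "silver": (3, 1)}


def fresh_sessions() -> Dict[str, dict]:
    """Constructed server-side state: session token -> account record."""
    return {
        "tok-alice": {"user": "alice", "inventory": {}, "tickets": {"gold": 1}},
    }


def _session(sessions: Dict[str, dict], req: dict) -> Optional[dict]:
    return sessions.get(str(req.get("authId", "")))


def inventory_add_original(sessions: Dict[str, dict], body: str) -> dict:
    """The behaviour post 10 describes: /inventory/add trusts the client's own
    itemId and quantity as long as authId names a live session. Authentication
    is present; authorisation of *what* may be granted is missing entirely."""
    req = json.loads(body)
    sess = _session(sessions, req)
    if sess is None:
        return {"ok": False, "error": "unknown authId"}
    item_id = int(req["itemId"])
    qty = int(req["quantity"])
    sess["inventory"][item_id] = sess["inventory"].get(item_id, 0) + qty
    return {"ok": True, "inventory": dict(sess["inventory"])}


def redeem_ticket_server_side(sessions: Dict[str, dict], body: str) -> dict:
    """The design post 4 describes for the rewrite: the client only names the
    ticket it is spending; the server verifies ownership, consumes the ticket
    and picks the reward from its own table. Any itemId/quantity the client
    sends is ignored."""
    req = json.loads(body)
    sess = _session(sessions, req)
    if sess is None:
        return {"ok": False, "error": "unknown authId"}
    ticket = req.get("ticketType")
    if ticket not in TICKET_REWARDS:
        return {"ok": False, "error": "unknown ticket type"}
    if sess["tickets"].get(ticket, 0) < 1:
        return {"ok": False, "error": "no such ticket in account"}
    # Consume before granting so a replayed request cannot double-redeem.
    sess["tickets"][ticket] -= 1
    item_id, qty = TICKET_REWARDS[ticket]
    sess["inventory"][item_id] = sess["inventory"].get(item_id, 0) + qty
    return {"ok": True, "itemId": item_id, "quantity": qty, "inventory": dict(sess["inventory"])}


if __name__ == "__main__":
    cheat = '{"itemId": 99, "quantity": 9999, "authId": "tok-alice"}'
    print(inventory_add_original(fresh_sessions(), cheat))
    s = fresh_sessions()
    spend = '{"itemId": 99, "quantity": 9999, "ticketType": "gold", "authId": "tok-alice"}'
    print(redeem_ticket_server_side(s, spend))   # grants item 7 x1, ignores 99/9999
    print(redeem_ticket_server_side(s, spend))   # ticket already spent
```

The point the two functions make side by side is that the client is not a trusted party: anything the game could legitimately earn has to be derived from state the server already holds (here, a ticket balance), never from numbers the SWF happens to send.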
  11. You suck at embedding Flash files... http://famita.ml/friends/
  12. I prefer 5555 5555; it's easy to remember and is counted as a V5.5 Celebrity, so Royal Ship games work too *though Bandai accidentally made any non-region-0 Famitama able to play V5.5's games. Though I doubt the item codes would work from them, GP should though...*
  13. UPDATE: You can now use login passwords created by actual Connections V5 Tamagotchis to "login" to the games; it will give you a logout password from that so you can unlock items & Gotchi Points. If you don't have a Connections V5 you can use the password "0000 0000" or "5555 5555" for games on the Royal Ship, since apparently Bandai made it so Japanese Famitamas cannot connect to the Royal Ship games..
  14. It seems more like a stage:index type thing to me, like how Futabatchi is 0:5 (because 0 = baby Tamagotchi & 5 is the index; basically it's the 6th baby, because we count from 0). When it evolved into toddler status it became 1:1, which sorta backs up the theory. Either way, what it means doesn't matter; we have the 2 digits for what tama you have in the login password, and we can use the same 2 digits for creating the logout. ANYWAY~ my work here is done: V5 Password Generator: https://github.com/KuromeSan/V5-Password-Generator/tree/v1.0 Famitama.cgi re-write: https://github.com/KuromeSan/TamaTown/blob/master/V5/pc/cgi/Famitama.cgi BTW my Tama & Earth EXPO rebuild now uses this code and you can login/logout with any V5 or V5.5.
  15. I need to try this code on other regions.. If you have a Famitama from another region please send me a login password .-. Also you forgot that region 5 is V5.5 / Celeb according to this chart Binary did:
  16. Based on the "multiple variations" theory, I wrote this Python 3 code: https://pastebin.com/Q15QFTGp There are some variables I'm not quite sure what they're for (maybe integrity checking?) but they're not important lel; it works anyway without knowing what they are. Still not entirely sure how items work (only item ID 01 is valid apparently (maybe it's actually a quantity?)). It can generate login passwords from my logout passwords consistently (at least for me). Anyone else wanna give it a try? My tama evolved from its baby state and it still worked (went from 0,5 to 1,1 BTW, which backs up the stage:tama list theory~). I really just need people with other-region V5s to try it.
  17. Finally had the chance to try this on my V5, and well, it seems I was right about the prize amount being specified by a single number. For example (if you have a male Futabatchi): 21000 00452 gives you 700GP; 21000 00351 gives you 500GP. Also, yes, I was right about the "2" being a type identifier. 31000 00550 gave me a food item, erh, a cinnamon roll sort of thing, idk its actual name. But anyway, first digit is type: 1 = no prize, 2 = Gotchi Points, 3 = gift / item. Ahahah, the next thing I need to work out is the *login password*. In theory, the login password should contain all the information needed to create a logout password, which is: what tama you have, and your region (00, 01, 02, 03 etc). The login password is different every time; luckily we can still create them today. Here are some examples from my Futabatchi (M) in Oceania region (1): 10070 01540, 10060 01530, 01035 01000, 01085 10500, 01035 01000. Notice how they all have those required values? My V5 is region 1 and the Tamagotchi I have is 0,5; all these passwords have a 5 and a 0 somewhere, just in different places. Also the checksum is different (if there even is a checksum on the login password: 0+0+1+5+5+1+0+2+0 = 14, 14 mod 10 = 4, so that's wrong). Looking at this I already have an idea: it seems like there are 2 or 3 formats. If the first digit is 1 then the tama indexes are on the 2nd part in positions 0 and 1; see how on these (both begin with 1) 10070 01540 & 10060 01530 both have "015", which gives us the current Tamagotchi (0,5) and also the region "1". However, if it's 0 then it's on the first part, with 01035 10x5 again having all the information it would need. At least that's what I thought until I got 01000 00157, but wait a minute..
      0+1+0+0+0+0+0+1+5 = 7, mod 10 it's still 7, wew. Maybe that's another format where, if the check byte matches, then it's got like "015" right at the end :-: IDK, this is complicated, but I'm guessing that was to stop people using TamaTown without a Tamagotchi. Honestly, I need more login codes from other tamas and regions, so with that: if you have a V5 (that's not Oceania region or a Futabatchi) please just go generate a bunch of login passwords so I can see better how region is encoded.
  18. I worked a bit out about the V5 password generation using this list. It tells me a lot; first, that the only thing that matters is what Tamagotchi you have (and its gender). 21000 < this is obviously your Tamagotchi region, where 0 = Japan, 1 = Oceania, 2 = America, 3 = Europe (I think V5 Celebrity had like 4?). Maybe the 2 is like type "give GP" or something. 10554 < the pattern I noticed here was x05x; maybe 05 is the prize number (05 being 1000GP), and it's like x05x where the 2 x's represent what tama you have, so "15". (Another theory I had is this is some sort of list; maybe the first is like what stage it's in (baby, toddler, teen, adult, etc.) and then the 2nd one is which of those it is. Not sure.) Now then, what's this 4 at the end? Well, it's a checksum of the rest of the code, like a literal checksum: it is the sum of the entire code (minus the check digit) modulo 10. 2+1+0+0+0+1+0+5+5 = 14, 14 mod 10 = 4. Check byte is 4, so the code is 21000 10554 :0 Thou hast been reversed? Maybe I'm wrong about how "your current Tamagotchi" is encoded; it seems like a weird way to do it.
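Posts 17 and 18 above work out the shape of a V5 logout code: first digit = prize type (1 none, 2 Gotchi Points, 3 item), second digit = region, last digit = sum of the other nine digits mod 10, and the digit in position 8 selecting the GP amount (3 = 500, 4 = 700, 5 = 1000 in the posts' own examples). The following is an added example (not the author's generator, pastebin script or CGI) that puts that into a small Python validator and builder. The field positions and amounts are taken from the posts; the remaining middle digits are treated as an opaque payload. The item code 31000 00550 reported in post 17 is deliberately left out: its digits sum to 14, so the rule as stated would give a check digit of 4, not 0, which means item codes evidently need more than this. Note also what the rule implies from a security standpoint: a digit-sum check is an error detector, not a secret, so anyone who knows the layout can complete a valid code, which is exactly what the generator linked in post 5 does.

```python
from typing import Dict

# Field meanings as worked out in posts 17 and 18 (digit positions count from 1).
PRIZE_TYPES: Dict[int, str] = {1: "no prize", 2: "gotchi points", 3: "item"}
# GP amounts observed in the posts for the digit in position 8; other values untested.
GP_BY_PRIZE_DIGIT: Dict[int, int] = {3: 500, 4: 700, 5: 1000}


def _digits(code: str) -> str:
    """Accept '21000 10554' or '2100010554'; reject anything that is not 10 digits."""
    d = code.replace(" ", "")
    if len(d) != 10 or not d.isdigit():
        raise ValueError("V5 code must be 10 digits")
    return d


def check_digit(first_nine: str) -> int:
    """Post 18's rule: the check digit is the sum of the other nine digits mod 10."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected 9 digits")
    return sum(int(c) for c in first_nine) % 10


def is_valid(code: str) -> bool:
    """True when the last digit matches the digit sum of the first nine."""
    d = _digits(code)
    return int(d[9]) == check_digit(d[:9])


def complete(first_nine: str) -> str:
    """Append the check digit and format as two groups of five, like the device shows it."""
    d = first_nine + str(check_digit(first_nine))
    return f"{d[:5]} {d[5:]}"


def parse(code: str) -> dict:
    """Split a validated code into the fields the posts identified."""
    d = _digits(code)
    if not is_valid(d):
        raise ValueError("check digit mismatch")
    kind = int(d[0])
    prize_digit = int(d[7])
    return {
        "type": PRIZE_TYPES.get(kind, "unknown"),
        "region": int(d[1]),
        "payload": d[2:9],  # positions 3..9: tama identity and the prize digit
        "prize_digit": prize_digit,
        "gp": GP_BY_PRIZE_DIGIT.get(prize_digit) if kind == 2 else None,
    }


if __name__ == "__main__":
    for c in ("21000 10554", "21000 00452", "21000 00351"):
        print(c, is_valid(c), parse(c))
    print(complete("210000035"))  # rebuilds the 500GP code from post 17
```

Because the check digit adds no entropy, the only thing that could stop a generated code from working on a device is a field the posts have not yet pinned down (the tama identity digits, or whatever the item codes carry); the login-password formats discussed in post 17 are not modelled here for the same reason.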
  19. It fails to load normally because it tries to GET http://famitama.com/pc/cgi/Famiif.php at startup. It expects a webform-encoded response with "ResponseCode=OK". If literally any request fails (not 200/OK status) it goes to the "Tamatown is experiencing downtime" message (BTW, that address is hardcoded into the SWF file and is not a relative address .-. I had to change the assembly to point to famita.ml instead~ though you can also just edit your hosts file to make famitama.com point to your own server, but that's not noob-friendly). Side note, it actually was GET-ing /crossdomain.xml first, which drove me mad. I had no idea why it was trying to download crossdomain.xml; nowhere in the ActionScript does it say to do that. But it turns out it's just Adobe's answer to cross-origin policies. I kept looking through the code wondering wtf was wrong until I eventually just googled "crossdomain.xml" and I felt really stupid XD. Oh, BTW, I just updated the site to give """logout password"""s (really it just randomly selects one of the "special" codes from this list; but hey, it's something, right? XD). The V5 logout password doesn't look that complicated tbh.
  20. So I noticed that nearly all of the FamiTama SWFs were on the Web Archive (with the exception being the ones related to the Tama Theater and, annoyingly, chara/*). With that I rebuilt the site and got it mostly functional. I put the files on my webserver; you have to enable Flash Player for it to work though: http://famita.ml/pc/index.html The only thing that doesn't work is login/logout passwords with the actual V5 Tamagotchi (it just accepts every login password as valid and doesn't give anything for logout), as the passwords were generated on the server side; you'd need to dump the V5's ROM to reverse how it worked and just learn the secrets in general... The only modification is to famitama_shell.swf, which was to change "famitama.com" to "famita.ml", though the original files are also on there and can be used if you edit your etc/hosts file. Oh, I also rewrote some of the server-side scripts (such as game_rollarcoaster.php, used for saving images from the "Perfect Rollarcoaster Image" game). I might try to implement the surveys too; should be possible... I thought of giving out the V5's "special" promo codes (the V5 codes that can be used regardless of username or login password..) in place of logout passwords (at least until it's known how logout is generated).. but have not done that yet.. EDIT: the survey votes are now counted (nerds can see my terrible PHP code here) :-: Anyway~ go say who best tama is.
  21. The "special" ones were not; I think TamaTown codes still needed your login password, which was different every time. It even said it on the TamaTown & Earth EXPO.
  22. V5's passwords actually weren't tied to your username (at least, there were a few that were not; I remember having a DVD that had a bunch of passwords on it (the wiki says this was only for the original release of the Famaletchi, "Tama DVD", probably super rare now; I no longer have it though)).. though it seems Tama-Go is definitely based on the username. Anyway, obviously with a ROM dump you can just reverse the code that generates the passwords easily. (Also! I found a nice money dupe on Tama-Go -> enter the amount of $$$ you want onto the PC connection -> enter the login code as the logout code -> enter PC connection again but enter 0 points this time -> enter the old login code (from the last one) as logout again; repeat for infinite points.) It's probably already known, but whatever; I thought it was interesting that they use the same algorithm :?
  23. So I read how that person managed to dump the Tama-Go's ROM; they used a vulnerability in the software. Tbh I have a Tama-Go too, which I got more recently-ish, *just not any figures, which are needed to trigger the exploit*. The idea of homebrew development on a Tamagotchi just sounds awesome though. Anyway, more interesting is that they found GeneralPlus have what's basically a backdoor on all their ROMs that allows you to do arbitrary code execution (and thus dump the ROM) via their "GeneralPlus Test Program", so maybe dumping the ROM won't be so hard after all. I thought it would require decapping the chip and reading it out under a microscope.
  24. Yea, I was reading stuff here after posting. It seems V4 is the most popular? Also, from what I gather, yes, code generation was server side, meaning you would have to dump the ROM of the Tamagotchi device itself in order to work out how it's generated.. It also might be possible to dump it via exploits instead of hardware hacking.
  25. Sorry if this is the wrong place to post this; I'm new to the forum. So, I was feeling very nostalgic when I found my old Tamagotchi V5 (surprisingly, it still works!). I remembered there was a TamaTown website thing you could go to to send your Tamagotchi data (it used like some password system) and then it would generate a code based on what you did. Unfortunately this website does not exist anymore (it doesn't even load on the Web Archive, except for V3, which gets to the login screen but can't get much further than that). Now, these days I do a lot of software reverse engineering (mostly of the PlayStation Vita OS..), which got me thinking about how this thing probably works behind the scenes. Obviously the Tamagotchi device itself doesn't have an internet connection, which means there is probably some password generation algorithm on TamaTown (as well as an inverse of it on the device itself), but mainly due to lack of hardware knowledge, and also because this is my *original* Tamagotchi, I'm not about to open the thing up to try to dump out the ROM (though I could maybe get another one..) (as nice a resource as that would be for static analysis). I did a quick Google search for "Tamagotchi ROM Dump"; it seems some people have managed to dump the ROM of some of the older devices (but I couldn't find any downloads). It's possible the password stuff was done server-side, in which case reversing the ROM would be the only way to get the secrets. I figured the clock is probably how it does everything; it seems it's even used for login password generation, since changing the clock also seemed to change the password. I'm guessing your Tamagotchi probably had to have the right time (to some degree) to be able to login to the server?
      Besides that, I haven't been able to find much about how the device works internally, so I assume I'd have to take a look at the TamaTown binaries. At first I wondered if anyone ever made a private server for TamaTown (similar to the Club Penguin private servers). I came across this (also dead) site http://tamagotch.org/tamatown/ and this Git repository https://github.com/loociano/tamatown, which has a link to a few SWF files and goes over how the authentication worked for a few of them, so it seems like attempts were made? (Though there was just a post with some more SWFs for V4 posted just a few ago here.) So basically I'm posting here: what (if any) progress has been made on reversing and hacking Tamagotchi in general? What has already been done?