Habbo.swf original source(structures and names, no code)

[PeanutButterHam]

@eMagic: unfortunately the newer releases aren't useful, but thanks for trying to help. The older ones weren't properly obfuscated, so I can reverse them and get an unobfuscated copy of the client's source code, which would shed extensive light on how most (if not all) the game functions are implemented.

I'll also need access to an iOS device that's on iOS 7 (or possibly 8, but I'm not 100%) which has been jailbroken, if that's something you can help with, I'll keep you posted. The .IPA is encrypted and it needs to be dumped from memory on an actual device that's capable of running it.

This seemed to spit out some stuff(can extract .ipa):

You must be registered to see links

How to peek into air app?

---

Extract "HabboAir", it should contain the 'native' code, I wouldn't know how to read from it though :[

 

[scottstamp851]

This seemed to spit out some stuff(can extract .ipa):

You must be registered to see links

How to peek into air app?

That's the payload file inside the app itself, which actually has all the useful poop in it. Hmm. I might see if I can repack it and get it working.

Never mind, supporting files are totally different between versions. Can't repack.

HabboTablet.swf is the stub file, it's got all the unobfuscated objects, but no code. The code is cross-compiled to native ARMv7 (v9?) instructions, that's held inside HabboAir, which is annoying encrypted. IDA Pro can handle it once it's been decrypted by an iOS device but without the .ipa packaging I don't know how to actually decompile it. I know someone who might know how, though. I'll ask him later.

Btw, you can't put the SWF through AS3 Sorcerer / SoThink, the AIR bytecode is slightly different than standard AVM bytecode. ASV supports it (kind of), though.

 

[The General]

Raspberry Pi is ARM.

 

[scottstamp851]

Raspberry Pi is ARM.

Sure is, this won't run on it though. Apple's using some proprietary instructions. Kind of annoying, but meh. You need to use an iOS device to decrypt these binaries, it's a DRM thing.

 

[PeanutButterHam]

Yo, how did Oleg just get the names, they're located in the ABC blocks but that is what gets translated to ARM right? Did I misinterpret something man

 

[The General]

Yo, how did Oleg just get the names, they're located in the ABC blocks but that is what gets translated to ARM right? Did I misinterpret something man

Binary data contained the names if I recall correctly.

 

[scottstamp851]

Yo, how did Oleg just get the names, they're located in the ABC blocks but that is what gets translated to ARM right? Did I misinterpret something man

No worries, it's easy to get confused. The SWF is a stub, it's just class and method names, and the ARM native instruction stack contains pointers to the SWF stubs. No idea why they do it that way, but we don't question Adobe. They've got enough problems as it is.

ASV can pull the ABC blocks apart in these SWFs, and read out translated stubs as AS3 code. You could probably do it manually also, not sure. I wrote some tooling that helped with it a few months ago when Oleg first sent me this stuff but I'm next to certain I've since formatted the disk it was on. v_v

The only way to get the actual AS3 code back from this is to decrypt it with an iOS device first (which requires the entire .ipa file), then run the decrypted memory dump through some reversing tools. Or do it the old-fashioned way with IDA Pro and just trace the instruction stack.

 

[jaden83]

Dissembled to pure Binary...
Found Names:
MuteAllInRoomComposer
GetEmailStatusComposer
RemoveSaddleFromPetMessageComposer
ForwardToARoomPromotedMessageComposer
CustomizePetWithFurniComposer
SetRelationshipStatusMessageComposer
GetNowPlayingMessageComposer
ExtendRentOrBuyoutStripItemMessageComposer
Game2RequestFullStatusUpdateMessageComposer
GetRentOrBuyoutOfferMessageComposer
ShoutMessageComposer
DeletePendingCallsForHelpMessageComposer
LeaveQueueMessageComposer
GetGuildCreationInfoMessageComposer
GetConcurrentUsersGoalProgressMessageComposer
Game2QuickJoinGameMessageComposer

LibraryProgressEvent ~ Don't know what this is for.
DisconnectReasonEvent
PingMessageEvent
RoomEngineToWidgetEvent
UserChangeMessageEvent
FurnitureAliasesMessageEvent
RoomSessionPropertyUpdateEvent
RoomSessionQueueEvent
RoomSessionPresentEvent
RoomSessionDimmerPresetsMessageEvent
GetGuestRoomResultEvent
FloorHeightMapMessageEvent
ProductOfferEvent

I'll keep updating when I find more...

 

[dominic]

Dissembled to pure Binary...
Found Names:
MuteAllInRoomComposer
GetEmailStatusComposer
RemoveSaddleFromPetMessageComposer
ForwardToARoomPromotedMessageComposer
CustomizePetWithFurniComposer
SetRelationshipStatusMessageComposer
GetNowPlayingMessageComposer
ExtendRentOrBuyoutStripItemMessageComposer
Game2RequestFullStatusUpdateMessageComposer
GetRentOrBuyoutOfferMessageComposer
ShoutMessageComposer
DeletePendingCallsForHelpMessageComposer
LeaveQueueMessageComposer
GetGuildCreationInfoMessageComposer
GetConcurrentUsersGoalProgressMessageComposer
Game2QuickJoinGameMessageComposer

I'll keep updating when I find more...

Release the disassembled pure binary!

 

[jaden83]

Release the disassembled pure binary!

I'll release it after removing the unnecessary poop known as shenanigans.

 

[BurakDev]

Still work on this ?

I located the start of flash data on HabboAir

but how locate the end of file ? I need apply ZLIB decompress after removing all before CWS

 

[PeanutButterHam]

Still work on this ?

I located the start of flash data on HabboAir

but how locate the end of file ? I need apply ZLIB decompress after removing all before CWS

The next 5 bytes(after "CWS") should be readable, it consist of the Version(1), and FileLengh(4). I'm not sure if you can find the end of the SWF without decompressing it first.

Edit: FileLength is the total size of the uncompressed SWF, it includes the header(8 bytes).

 

[The General]

Still work on this ?

I located the start of flash data on HabboAir

but how locate the end of file ? I need apply ZLIB decompress after removing all before CWS

Try decompressing the whole file and check again.

EDIT: probably doesn't work.

If you can send me the file I can see if I can decompress it.

 

[Gaby]

Does somebody care to explain why these original names are of such big importance? I fail to see it myself.

 

[ppntn]

Does somebody care to explain why these original names are of such big importance? I fail to see it myself.

The potential of having access to see how everything is handled? No, that's not important at all...
The original names would be easier to read instead of _-Ss

 

[Gaby]

The potential of having access to see how everything is handled? No, that's not important at all...
The original names would be easier to read instead of _-Ss

What can the community achieve when the full source would be visible? I'm just curious since most of the things said in this thread sound like another language to me.

 

[ppntn]

What can the community achieve when the full source would be visible? I'm just curious since most of the things said in this thread sound like another language to me.

We would be able to make every single packet proper functional, without having to packet log everything (for this revision), which I'd assume is a rather new revision.

 

[Gaby]

We would be able to make every single packet proper functional, without having to packet log everything (for this revision), which I'd assume is a rather new revision.

I see, thanks for the explanation. Definitely going to keep an eye on this thread then. hahaha

 

[ppntn]

I see, thanks for the explanation. Definitely going to keep an eye on this thread then. hahaha

Also, we would eventually be able to make in-game logic a lot better, since we'd have a better understanding on how it's handled. :

 

[The General]

We would be able to make every single packet proper functional, without having to packet log everything (for this revision), which I'd assume is a rather new revision.

You're talking nonsense.

Its not about the packet handling, its about a way to crack another platform and potentially use that also for retro's. Atleast thats what I'd like to see. Anything else in this is quite useless. Same server, same packets. Just a different interface.

I can already make every packet functional without packetlogging. Thats how I build almost everything in Arcturus.