For people who play Neko Atsume (a Tamagotchi-style game), saving up fish (the in-game currency) can be a real pain. But I'm not going to install a cracked version from an unknown source for unlimited fish, nor spend money on in-app purchases. I need to find another way.

This game provides a daily password system, which may have a hidden flaw. You open the menu, find the daily password, enter it, and then receive some fish. Like this:

If you have multiple devices, you will find that the password is the same on each of them, and that you obtain the same amount of fish as well. That means every device fetches the password the same way, sends the input to the server for verification, and receives the same response (if you entered the correct password).

First things first: set up an AP (access point) to intercept the traffic between the game and the server. I did this with a Raspberry Pi. Remember to turn off mobile data on your phone so that all traffic goes through Wi-Fi. Here is how the network topology changes.



Up: Original network topology
Down: Insert an interceptor into the network

Then I turned on Wireshark to capture the traffic. I set the Pi's Wi-Fi hotspot address to 192.168.2.1; the phone was assigned 192.168.2.92. I opened the app, tapped "info", entered the password, and received fish.
Some interesting packets showed up when filtering for the keyword "neko".

Data was sent to 49.212.146.33, which resolves to http://hpmobile.jp/. The full URL was http://hpmobile.jp/app/nekoatsume/neko_daily_en.php. The data returned by that page was "1,Insect,19,0,2016-04-19,". "Insect" was the password for 2016 April 19th. If you entered that password, you would be rewarded with 19 silver fish and 0 golden fish.

Moving along the timeline, here was another URL: http://hpmobile.jp/app/nekoatsume/neko_aikotoba_en.php?aiko=insect&sn=300&gn=10.

The submission sends the password you entered as the "aiko" parameter of the POST request.
And the response was:

This page returned "2,2016-04-19,19,0,". If you entered a wrong password, it would be sent to the same PHP page, and the response would be "0". Changing "sn=" or "gn=" had no effect.

What we discovered was pretty promising. The next step was to turn the Pi into a honeypot that redirects the process locally and feeds the app fake web pages.



Redirect data flow to a fake server

I installed Nginx and PHP, and created two pages called "neko_daily_en.php" and "neko_aikotoba_en.php" under "/var/www/app/nekoatsume/". The content of "neko_daily_en.php" was "1,test,65535,65535,2016-04-21,", while the content of "neko_aikotoba_en.php" was "2,2016-04-21,65535,65535,".
If you see this, the cats have been fooled!

Since our PHP page doesn't check the input, just type whatever you want.

Is that what you are looking for?

Other findings:

  1. The number of fish in "neko_daily_en.php" is not used anywhere in the process. Only the data in "neko_aikotoba_en.php" matters.
  2. The app stores the date of the last check-in and compares it with the server's date to see whether you have already checked in that day. So changing the date inside "neko_aikotoba_en.php" is enough to get around this check.
  3. The content of each PHP page should end with ",". Otherwise the app cannot recognize the number of golden fish.
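To make the two response formats above concrete, here is a parser for them. This is an added example, not code from the post or from the game; the field order (status, password, silver, gold, date for the daily page; status, date, silver, gold for the check-in page) is my reading of the captured strings, and unlike the app (finding 3) it tolerates a missing trailing comma instead of depending on it.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class DailyPassword:
    status: int
    password: str
    silver: int
    gold: int
    valid_on: date


@dataclass
class CheckInResult:
    status: int
    checked_in_on: date
    silver: int
    gold: int


def _fields(body: str, expected: int) -> List[str]:
    # Split on commas. The real pages end with a trailing comma
    # (finding 3); accept it but do not require it, and reject
    # anything that does not have exactly the expected field count.
    parts = body.strip().split(",")
    if parts and parts[-1] == "":
        parts.pop()
    if len(parts) != expected:
        raise ValueError(f"expected {expected} fields, got {len(parts)}: {body!r}")
    return parts


def parse_daily(body: str) -> DailyPassword:
    # e.g. "1,Insect,19,0,2016-04-19," (field meaning assumed from the capture)
    status, password, silver, gold, day = _fields(body, 5)
    return DailyPassword(int(status), password, int(silver), int(gold),
                         date.fromisoformat(day))


def parse_checkin(body: str) -> Optional[CheckInResult]:
    # A wrong password yields the bare "0"; report that as a rejection.
    if body.strip() == "0":
        return None
    # e.g. "2,2016-04-19,19,0,"
    status, day, silver, gold = _fields(body, 4)
    return CheckInResult(int(status), date.fromisoformat(day),
                         int(silver), int(gold))
```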