May I ask how you learned how to do this? I don't want to intrude on your secrets but I've always been curious as to how some people go about manipulating their way into what should be safe information.
No problem at all... not really any secret here.
The main point is that I'm a professional in the IT sector (mainly business intelligence and software development) with over a decade of experience.
That there gives me the ability to grab any program, and find some way of tracing the way it works (sometimes better, depends a lot on the language and design, really).
With that out of the way, I first saved the PeroPero Saimin page to the disk to get my hands on the game's swf file.
Then, I googled until I found a good enough Flash SWF decompiler, which basically tries to give you readable action script source code from a swf file.
After that, I just read the resulting code, trying to get a general idea of how the program worked.
Once I had a bare understanding of that, I looked for the part where gacha/chance was handled.
That's how I got the first part of my post (BTW, later I realized I had made a few mistakes in my assumptions, but by that time they were irrelevant).
Once I knew that the app was constantly asking the server for every scrap of data and every event processing, I opened one of my trusty packet sniffers.
I pinged Nutaku to get a general idea of what IP it was using, and then started watching over any TCP/IP packet that was moved between my machine and Nutaku.
Then, I basically played the game while watching the packets go by, until I had a good idea of how PeroPero's communication protocol worked (I can tell you, for example, that Nutaku handles the load balancing, making sure we all have access to the game no matter the consumption of bandwidth, by proxying everything through an Amazon AWS Service).
After that, it was just a matter of analyzing the HTTP packets to see what was being transmitted.
I waited until I got a Chance Time in the event spin, and started reading all the packets very closely.
The fact that the data is not encrypted at all helped immensely (now that would have been a nightmare to bypass).
Once again, just enough experience to know what to look for, and what tools to use, and patience. Lots of patience.
BTW, if anybody wants to know, the tools used were FFDec for decompiling the swf file, and Wireshark for packet sniffing. Besides that, just Sublime Text as text editor to power through pieces of code/data.
PPS ID: 853603 (YoshiEnVerde)
Osawari Invite: 40VRKO15D3C537UUC2F4F
Well, thanks @YoshiEnVerde, your analysis pretty much solves the mystery xD.
Though I'd really like to be able to analyse the code further, but the conclusions make sense to me, so I agree.
Didn't even want to use Wireshark, but I guess there's no problem in just sniffing some packages and observing traffic.
LoV ID: Danex (RIP LoV)
PPS ID: 574023 (Dropped)
Currently Playing: MWA
I am happy that the server handles all, because then people can only cheat by hacking the server, which I am certain would be noticed.
So basically no easy way to cheat.
If the coding had been done badly, our programmer friend and some cheaters could have made cheat programs by now.
Very good that is not the case.
Just to be sure...
The event ends on July 13 to be 14 or 12 to be 13?
Airi's tips say the event runs till 8:00 am of July 13, but the button says it ends on July 24:00 (maybe it sounds dumb, but I prefer to ask rather than "where the hell is my last day?")
The next 5 hours and some minutes are all that's left of the event.
8AM EST is when the maintenance window will open, and the event will be removed.
Whether the event will still be available between 00:00 EST and 8:00 EST is unknown.
This post contains material regarding an exploit and should not be used maliciously.