Fast tool bugfix

Here is a fast bugfix for the cheat tool.
Dowload the fvinternals cheat tool bugfix. Download the runtime files and overwrite the library.zip with the new library.zip.

Reported bugs:

• some animal values are static (fixed: our fault, we forgot to disable the debugging line)
• password is rejected by facebook (not fixed: actually we need some example passwords to verify this. We assume, this is a unicode problem. Workaround: Change your facebook pass to non unicode password)

Feature requests:

• Opening multiple mysteryboxes at a time (done! use --numEggs=<number>)
• Password typing every start is annoying (done! use can now optionally insert it as argument into the commandline)
• Place mysterygifts into the farm (queued)

Following line will use the commandline for password input and open 3 eggs on each login.

c:\FV\fvinternals_beta2.exe alice@facebook.com secretpassword --openEggs=mysterbox --numEggs=3

If you leave the password empty it will ask for it.

SQL Server for Farmville

Today i got an interested error message.

can't connect to server with dsn='mysql:host=10.211.50.239;port=3306;dbname=farm_1;',
error message SQLSTATE[HY000] [2003]
Can't connect to MySQL server on '10.211.50.239' (4).;
PDOMySqlClient.class.php:70

What information can we extract from it?

Farmville uses PHP Data Objects for the MySQL requests.
In line 70 of the php class, they are using the command PDO::__construct().

The MySQL server runs on:

• ip = 10.211.50.239
• port = 3306 (default)

The database in my request is called farm_1, but maybe there are others like farm_2.

I assume Farmville run multiple hosts with MySQL databases, but this is one we could extract from the error messages :)

Items in mysteryboxes

Yesterday, we published the first cheat tool of fvinternals, which has the feature of opening every mysteryegg as a mysterybox item.
Today we googled for other farmville blogs and sites, which contain information about the mysterybox contents.

We added some items and want to share the list with you, so you can select your item and the belonging mysterybox itemcode.

Here is our list of mysteryboxes and their contents. We would appreciate every help to complete the list.

Tool for getting storable animals for free

Some infos about the events of the last days.

We couldn't completely automate the unreleased items page, so we are looking for help. At the moment some trials are trying to select all images, but this task takes little time. If they can manage it in time, we will publish the manual selected unreleased items here.

We have also played with some AMF functions and implemented some "cheats". We thank here our supporter lotm, who helped us with the AMF codes. This wouldn't be possible without his work.

Since our main readers are using MS Windows, we tried to compile our code to an EXE again. But this was more difficult than developing the cheats :) After some days of library code patching we finally publish our first fvinternals cheat tool.

Which functionalities does it have:

1. Adding any storable animal to one of your storages (Dairy-, Nursery-, Horse- and Chickenstorage)
2. The binary places  mysteryeggs from your giftbox into your farm
3. Opening the mysteryeggs as a mysterybox or mysterygame (Thx for telling us this)
4. (Turning christmas lights on/off. This was fixed today, so it is historical in the binary)

App parameters:

 --getHorse=horse_item_code
 --getBaby=foal/calf_item_code
 --getCow=cow_item_code
 --getChicken=chicken_item_code
 --getPig=pig_item_code
 --openEggs=mysterybox_code
 --enableLights=1
 --disableLights=1

Run it as:

fvinternals.exe your@email.com --option

Example: (Visit fvinternals item search and search for "mystery" to get the codes)

C:\FV\fvinternals.exe your@email.com --openEggs=mysterybox100824

Download the file fvinternals.exe from our download site and download the runtime files. You have to overwrite the old library.zip with the new library.zip. Place everything on "C:\FV\" and start "cmd.exe" to execute it, read older posts, if you don't know how.

As mentioned above, creating the .exe was a big trouble. That's why it is unstable. If it doesn't work, run it multiple times. If it is still not working report the bug to us.

How are the cheats working?

• mysteryegg: Opening a mysteryegg, that is placed on the farm and change the itemname to a mysterybox itemname.
• animalstorage: you put two animals into the storage. the first one have to be valid and the second one is a generated one. 
• lights trick: you could set alternate graphics to some objects, this action was free. we just send the command to server. Nothing special, but since today, they charge FV cash for it.

Screenshot after our tests:

Getting the redbrown calf or any other calf you want

Our research on Farmville is still going on. Today we are going to tell you something about the lonely animals links and how you can change them to get another rewards.

The links in Facebook have this format:

http://apps.facebook.com/onthefarm/track.php?creative&cat=lonely_cow&subcat=pink&key=&next=lonelycow.php%3Fowner_id%3D%26lonely_cow_id%3D%26animalType%3Dcow_pink%26lonely_cow_sig%3D&ref=nf

Interesting is, that the key is not needed and if you use farmville.com to play you will get another links like:

http://www.farmville.com/lonelycow.php?owner_id=1234&animalType=cow_pink&lonely_cow_id=123456456345&lonely_cow_sig=234523452345

Since the farmville.com URL is simpler, we concentrate on this.

Lets have a look at the variables.

owner_id = this is the facebook id of the user, who found the animal
animalType = this is the animal type like cow_pinkm calf_pink , ...
lonely_cow_id = this id is unique for every lost animal
lonely_cow_sig = this is a signature of the string

Zynga is using this signature to protect user changes in the url like changing the animalType to calf_redbrown.

Interesting is, that Zynga is only saving the cow_id on the serverside. The signature is calculated by the client.
What does this mean for us? We can generate our own links, just by using the cow_id.

Back to redbrown calf, this calf cannot be born, because the redbrown cow cannot be stored in the dairybarn. But it is a valid object in the gamedata and we can now convert every lonely cow link to a redbrown calf link.

As proof of concept we implemented this and testet it with some calfs, seems like you can generate every calf from any lonely cow link, even from deer bucks or horses.

Visit http://fvinternals.funpic.de/convert.php and test it with a valid lonely animal link.

Getting images (and codes) of unreleased items

Since Zynga updated the item image links we wondered about the big size of the hashtable. By looking deeper at this hashtable and viewing some images we recognized, that there are images, you never see during the game. For example, there is an image of Craig's farm.

We filtered then all links, that are not used by the items.xml. There are many images that are still used by the game, like misson completed images.

We set a filter on buildings, animals and crops and this helped to get a viewable size of images. Interesting is, that much of them are not released.

• Pig Storage
• Dog house
• White appaloose horse
• Buckskin horse (new since Farmgame 40680)

It seems like you can also get the future itemcodes from the images. The plain image links are in the form
"assets/buildings/building_doghouse_icon.png" and the format is looking like <path>/<type><itemcode>_icon.png.

We tried to filter out the unreleased items, since there is now flag if the url is unreleased or not. You can view the images and codes by visiting http://fvinternals.funpic.de/unreleased.php. If there are some missing, we couldn't catch by our filter, please tell us. And if you want us to filter out some items, to remove already released items, so write a comment or send an e-mail.

Friendlynames of items

As we mentioned, Farmville is using a hashtable and how you can get them.

Sometimes you are looking for codes of items, that already are on your farm. For example the kelly green cow. The problem is, the code name is "cow_shamrock" and you don't know, what you have to search for. You can only filter by "cow" and look at the images. The solution for this is easy, inside the flashLocaleXml.xml are the displayed names stored. They are looking like:

<l k="cow_shamrock_friendlyName">
   <v>Kelly Green Cow</v>
</l>
<l k="calf_shamrock_friendlyName">
   <v>Kelly Green Calf</v>
</l>

We used again XSLT to get the data out of XML. You can change the XSL File like this to get the new values. If you need help with this, you may contact us, or write a comment below.

<xsl:for-each select="localization/b/l">
   <xsl:if test="contains(@k,'friendlyName')">
     ... access itemcode using 'v' and
      friendlyname using '@k'
   </xsl:if>
</xsl:for-each>

Now we have itemcodes, hashed image links and now the displayed names.
We used that info for building a full List of all hashed links.

We have also updated the search function a little bit. You can now search for displayed names and item codes.

Getting new Images without decompiling the Flashgame

Yesterday we blogged about the new images in Farmville. Today we want to show you a method of how you can get them without the hard work of decompilation. No more need for commercial decompiler.

Since the URL are in the SWF, we started looking deeper inside the binary and the SWF Format. SWF Files have a header, which is telling if the SWF file is compressed or not. In our case it was, so you cannot look into binary and see the URLs in plain text. We had former experience with SWF files, so we knew how to compress/decompress SWF files. That's the reason why we use our own code for decompressing it.

After decompressing it, you can see the URLs in plaintext, the only problem is, that there is much binary crap. So we wrote some small python code, to search for the links inside the binary.

The final program can be found on our site.
Download it from http://fvinternals.funpic.de/codes/extracthashedimages.exe
You will also need the runtimes from http://fvinternals.funpic.de/codes/runtime/
Copy all files to "C:\FV\"

Download the Farmgame.swf from Farmville, we used FarmGame.release-10-08-12.39998.swf for our tests.

c:\FV> extracthashedimages.exe FarmGame.release-10-08-12.39998.swf

and you should see a new file images.txt in your folder. Open it and you see the Hashtable in the format
old link:new hashed link

If you need the source code, feel free to e-mail us.

We used the data for generating a website, which displays the itemcodes and the belonging new image URL. Visit it on http://fvinternals.funpic.de/hashedimages.php

We also made a search formular to filter interesting values like

• Item type, e.g. show only animals
• Item code search, e.g. display only code with "horse" in text
• Show only items, that doesn't need Farmville cash
• Show only items, that are only buyable with Farmville cash

This Search site can be found at http://fvinternals.funpic.de/search.html

If you have questions, or request, you can e-mail us, just read our first post for e-mail or write a comment.

Farmville uses new image links

We received some feedback to our previous post. Farmville changed the links to the images, we didn't recognize this, because almost every image of every item loaded using the old image url.

We took the time and checked the diffrences today and we are going to explain it now.
The old images had the form of http://static-2.farmville.com/v36206/assets/animals/animal_horse_red_icon.png, you could build them using the items.xml. For explanation look at http://fvinternals.blogspot.com/2010/08/viewing-items-as-html-using-xslt.html
The new images are now using a hashed itemname in the form
http://static-0.farmville.com/prod/hashed/assets/animals/c5153828b93c6ea1259d7e0b7cd8c4a2.png.

Our first approach was to identify a rule for generating these hashes by logic. During our tests, we recognized, that every change in the items.xml lead to a non-hashed request. The idea was: "Is Farmville using a Hashtable?". So we were looking for new files which involve these hashes, but couldn't find something.

The next step was to reverse engineering the flash file of today. We couldn't find any free decompiler, so we used a shareware version of swf-kit to decompile it. Looking around we found the function for building the strings.

static public final function getAssetURL(param1:String) : String {
   if (AssetHashMap.hasOwnProperty(param1)) {
      param1 = GlobalEngine.getAssetUrl(AssetHashMap[param1]);
   } else {
      param1 = GlobalEngine.getAssetUrl(param1);
   }
   return param1;
}

We were right, FV is really using a Hashtable to map the images. The Hashmap is an object in the Displays package and has the format imageicon:hashimage and looks like this.

Display.AssetHashMap = {"assets/decorations/deco_bushgoose_icon.png":"assets/decorations/fe7cde4c1df363c2696423483e626da2.png", "assets/decorations/flags/flag_alpha_i_icon.png":"assets/decorations/flags/9cd115ac353499e998a24f25b17c8dc7.png", "assets/flowers/flower_lily_icon.png":"assets/flowers/2f2b4a9ef50f24d156e71d884fe4a336.png",
...
};

We uploaded the actual Hashmap, so you can download it from here.

The bad news are, that you have to decompile the swf on each update, to get the hashmap.

Farmville AMF Request to /flashservices/gateway.php

We had a look into the Farmville Requests. Farmville is using AMF3 to send and recieve gamedata.

To deserialize this, we used an intercept proxy called burp.
We have seen that, Farmville is sending these Request to one of the gateway services.
http://fb-tc-[1-3].farmville.com/flashservices/gateway.php.

The deserialized AMF Request looks like.

We have a target and response method, which is a Flash function. the response-filed is just for identifying the response, for testing you can keep the same value.

The data array is the request body, where Array 0 is containg some tokens which have to match. but can be keeped constant for the whole game. The Array 1 is the Request, which tells what to do. This one contains a sequence number, which you have to count up after every request. The functionname is triggerind the flashfunction with the parameters given above.

We have chosen a basic example with less data. We just call PregnantSowUtiliyService.onActivateSow(true) and this will give us the reward link, that can be shared with friends. During our tests, you can create as many Links as you want by just increasing the sequence number using the burp repeater. The function for Lostanimals is called LonelyCowService.createLonelyAnimal, but for some reason you cannot generate them.

It would be interesting to learn about how many functions Farmville is supporting and what their syntax is. If you are interested in this question ,so we can start to build a function database for Farmville.
On interests, just contact us.

Burp can only change the value inside the AMF request, but you cannot build your own AMF packages. You cannot remove or add arrays from the body. If you know any better proxy please let us know.

Viewing the Items as HTML using XSLT

The items.xml only contains the itemnames and not the displayed names insided the game. For example cow_shamrock is displayed as "Kelly Green Cow". And for some items, we wanted to know which picture is behind, or the other way round, which code is belonging to an item we have seen in Farmville.

We wrote a simple XSL File to transform and filter out the items we need and display the pictures.
A sample output from the Transformation with a filter for decorations without limits.

First of all, how can we get the pictures. We started a Network sniffer and looked into the traffic and saw much request to http://static-2.farmville.com/v36206/ so we took this address to and appended the path from the items.xml. The path could change, so looked into the traffic with tools like wireshark to get the new path for the new images.

We documented the Code,if you have Questions just write a comment and we can update the explanation. The code should be useable for everyone even if you don't now anything about XSL.

The example code below sets a filter for all "buyable" items. Later it checks IF the item is limited, if NOT it displays the data.

Download the file from here.

We used SAXON Java version to perform this XSLT transformation.
Usage:

java -cp saxon9he.jar net.sf.saxon.Transform -o output.html items.xml transform.xsl

 If you open the output.html, you should see an output like the first image in this post. 

gameSettings.xml.gz items.xml.gz and other .xml.gz files in Farmville

Looking into the communication between the Farmville game and the server, i recognized that there are some files called:

• gameSettings.xml.gz
• items.xml.gz
• flashLocaleXml.xml.gz
• crafting.xml.gz
• StorageConfig.xml.gz

 First i thought about simple gunzip packed files, but looking into the files i found out that there were used ASCII strings and no binary format.

00000000: 30 32 47 4d 65 4a 7a 74 76 57 6c 33 34 7a 69 53 02GMeJztvWl34ziS
00000010: 4b 50 72 5a 2b 53 73 34 76 75 65 38 71 5a 70 58 KPrZ+Ss4vue8qZpX
00000020: 61 56 6d 62 5a 64 63 34 50 53 65 39 5a 57 56 50 aVmbZdc4PSe9ZWVP
00000030: 4f 74 4e 6a 4f 32 75 5a 4c 7a 6f 51 43 55 6b 73 OtNjO2uZLzoQCUks
...

Looking into the characters i gave BASE64 i try and decoded it. Finally i got a binary file. But i still couldn't decompress it with gunzip. There must be something else. So i read about compressions in Flash applications and found that flash uses zlib. Hmm, but zlib also didn't the way. By playing around we found out that the first bytes are some kind of header. After removing the first bytes we could easily decompress it.

So our final decompressing algorithmus was

1. Remove magic header "02GM" from the string
2. BASE64 decode it
3. zlib decompress it

We wrote a small tool in Python, you can download it from http://www.python.org/download/.

Our Python code for decompressing the .xml.gz files, which you can download from here.

import zlib
import base64
import urllib
import sys

def entpacken( b64string ):
  decoded_data = base64.b64decode( b64string[4:] )
  return zlib.decompress( decoded_data )

def main():
  file = urllib.urlopen(sys.argv[1]).read()
  print entpacken(file)

if __name__=="__main__":
  main()

Running it as follows

python decompress.py http://static-facebook.farmville.com/v39886/items.xml.gz > items.xml

Our Python code for compressing the .xml files, which you can download from here.

import zlib
import base64
import urllib
import sys

def packen( xml ):
  zlibbed_str = zlib.compress( xml )
  return "02GM" + base64.b64encode( zlibbed_str )

def main():
  file = open(sys.argv[1], 'r').read()
  print packen(file)

if __name__=="__main__":
  main()

Running it as follows

python compress.py items.xml > items.xml.gz

Now we could look into this files and change the content :) Farmville is updating this files with future items like the ufo (see picture). So you can see the pictures and get the itemname before release.

You can get decompressed XML Files version 39886 from here, if needed.

Update: We added compiled .exe version of compress.exe and decompress.exe for the Windows user. Then you don't need the Python files anymore. Usage is the same. Open "cmd.exe" and run it as described above. Download the Runtime Files else it won't run on your computer. If other files are need, please leave a comment.

Farmville internals

Hello we started this blog, to collect and share our findings about Farmville.
We are looking for other people, who are also interested in Farmville and its internals.

Feel free to contact us at our gmail account fvinternals.