{"id":43688655,"url":"https://github.com/friedkeenan/tfm-secrets-leaker","last_synced_at":"2026-02-05T03:05:43.224Z","repository":{"id":65298186,"uuid":"589370066","full_name":"friedkeenan/tfm-secrets-leaker","owner":"friedkeenan","description":"A utility for obtaining the hardcoded secrets within the Transformice client.","archived":false,"fork":false,"pushed_at":"2024-06-24T19:52:32.000Z","size":85,"stargazers_count":12,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-06-24T21:39:18.742Z","etag":null,"topics":["atelier801","flash","transformice"],"latest_commit_sha":null,"homepage":"","language":"ActionScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/friedkeenan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-15T23:39:53.000Z","updated_at":"2024-06-24T19:50:32.000Z","dependencies_parsed_at":"2024-02-10T22:29:05.652Z","dependency_job_id":"e3db4248-04eb-41b1-8ed9-2e1c9d15ab5e","html_url":"https://github.com/friedkeenan/tfm-secrets-leaker","commit_stats":null,"previous_names":[],"tags_count":41,"template":false,"template_full_name":null,"purl":"pkg:github/friedkeenan/tfm-secrets-leaker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friedkeenan%2Ftfm-secrets-leaker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friedkeenan%2Ftfm-secrets-leaker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friedkeenan%2Ftfm-secrets-leaker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friedkeenan%2Ftfm-secrets-leaker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/friedkeenan","download_url":"https://codeload.github.com/friedkeenan/tfm-secrets-leaker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friedkeenan%2Ftfm-secrets-leaker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29108389,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T02:48:39.389Z","status":"ssl_error","status_checked_at":"2026-02-05T02:48:27.400Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["atelier801","flash","transformice"],"created_at":"2026-02-05T03:05:42.516Z","updated_at":"2026-02-05T03:05:43.214Z","avatar_url":"https://github.com/friedkeenan.png","language":"ActionScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TFM Secrets Leaker\n\nA utility for obtaining the hardcoded secrets within the Transformice client.\n\n## Building\n\nTo build, you should use the [asconfig.json](https://github.com/friedkeenan/tfm-secrets-leaker/blob/main/asconfig.json) file to compile the `TFMSecretsLeaker.swf` file. This can be done with [vscode-as3mxml](https://github.com/BowlerHatLLC/vscode-as3mxml) or [asconfigc](https://www.npmjs.com/package/asconfigc).\n\nYou will also need to place the SWC files for the following libraries under a `lib` folder at the same level as the `asconfig.json` file:\n\n- [as3commons-bytecode-1.1.1](https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/as3-commons/as3commons-bytecode-1.1.1.swc)\n- [as3commons-lang-0.3.7](https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/as3-commons/as3commons-lang-0.3.7.swc)\n- [as3commons-reflect-1.6.4](https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/as3-commons/as3commons-reflect-1.6.4.swc)\n\nIf you wish to save yourself the hassle, then there is also a pre-built SWF in the [releases](https://github.com/friedkeenan/tfm-secrets-leaker/releases) of this repo.\n\n## Usage\n\nWhen running the built SWF file, it will `trace` out the obtained secrets. These can be viewed in something like [ffdec](https://github.com/jindrapetrik/jpexs-decompiler), though a helpful `leak-secrets.py` script is also provided to get the output using the standalone debug projector, used like so:\n\n```\n./leak-secrets.py \u003cpath/to/TFMSecretsLeaker.swf\u003e\n```\n\nWhen running the SWF, a window will pop up for a short moment, seem to begin to load the game, and then exit. This is normal.\n\nUnfortunately this is not currently compatible with [Ruffle](https://github.com/ruffle-rs/ruffle/) as it does not currently implement `fscommand(\"quit\")`.\n\n## The Secrets\n\nTransformice's networking protocol utilizes several hardcoded, frequently-changing secrets that are contained within the client. Every five minutes or so, a different main SWF is served for the game, changing most of these hardcoded secrets. Therefore it is required to have a dynamic utility to get these secrets automatically, as they change far too often to just manually obtain.\n\nThese secrets include:\n\n- The server address.\n    - This is the address of the server that the client connects to. This changes and has changed, but infrequently enough that I think it could feasibly be hardcoded and manually rediscovered when it does change.\n- The server ports.\n    - The ports of the server that the client can connect to. These to my knowledge have never changed, but theoretically they could, and we are able to report them, and so we do. The client will randomly shuffle these ports and then try to connect to them in sequence, moving on to the next one if the connection is unsuccessful.\n- The game version.\n    - This is what the game displays in the bottom right corner of the login screen, showing text like `1.740`. The game version that this reports is the `740` component of that, and is sent in the handshake packet that the client sends to the server. This does not change as often as the other secrets do.\n- The connection token.\n    - This is a random set of characters which is similarly sent in the handshake packet. I believe it used by the server to identify what the expected values of the other secrets should be.\n- The auth key.\n    - After the client sends the handshake packet to the server, the server then responds with a packet containing an \"auth token\". This is an integer that is used again when the client sends the login packet. The client XOR's the auth token with the hardcoded \"auth key\", resulting in a ciphered token, which is then sent to the server in the login packet.\n- The packet key sources.\n    - Certain packets within Transformice's network protocol are encrypted, for example the login packet. The particular cipher varies per packet, but the keys used are derived from an array of integers called the \"packet key sources\". These integers are combined with a key name, e.g. \"identification\", to obtain the actual key used to encrypt a packet.\n- The client verification template.\n    - Shortly after the handshake sequence has been completed by the client and server, the server will send a packet to the client to make sure that the client is official and otherwise proper (i.e. not a bot). This packet contains a \"verification token\" (an integer) which the client will then use in its response. The client will respond with a ciphered packet using the XXTEA algorithm with the verification token converted to a string as the name for the key. The (plaintext) packet data will begin with the verification token, and then some semi-random, hardcoded fields, with the verification token thrown in again in the midst of it. This does not seem to change as often as the other secrets do, but it does change.\n\n        What this reports is a hex string representing a string of bytes of the plaintext body of this packet (in Python, something you could use `bytes.fromhex` on). In place of where the verification token should go, `aabbccdd` is used, and should be replaced with the actual packed verification token.\n\n## Other Games\n\nOther Atelier 801 games have very similar structures to Transformice, and so this utility is able to also support the following games:\n\n- Transformice\n- Dead Maze\n- Bouboum\n- Nekodancer\n- Fortoresse\n\nTransformice and Dead Maze are the only games that have client verification templates. And so for the others, no client verification template will be traced out.\n\nTo obtain the secrets to a particular game, its name should be supplied to the `game` loader parameter. For instance, here is how you would do so using the `leak-secrets.py` script:\n\n```\n./leak-secrets.py path/to/TFMSecretsLeaker.swf?game=transformice\n\n./leak-secrets.py path/to/TFMSecretsLeaker.swf?game=deadmaze\n\n./leak-secrets.py path/to/TFMSecretsLeaker.swf?game=bouboum\n\n./leak-secrets.py path/to/TFMSecretsLeaker.swf?game=nekodancer\n\n./leak-secrets.py path/to/TFMSecretsLeaker.swf?game=fortoresse\n```\n\nIf no `game` parameter is supplied, then the utility will default to leaking Transformice's secrets.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriedkeenan%2Ftfm-secrets-leaker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffriedkeenan%2Ftfm-secrets-leaker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriedkeenan%2Ftfm-secrets-leaker/lists"}