
From hki@hem1.passagen.se Tue Jun  9 22:50:11 1998
Date: Tue, 09 Jun 1998 17:23:29 +0100
From: Henrik Isaksson <hki@hem1.passagen.se>
Reply-To: icq-devel@tjsgroup.com
To: icq-devel@tjsgroup.com
Subject: [ICQdev] V4

Hi!

This is the result of a sleepless night and a Casio fx-3600... ;-)

Login packet: (from client to server)

Undecrypted       Decrypted
04 00             04 00            Version
21 F2 D9 C9       2F 51 00 00      *Unknown* Maybe used to find key?
E6 A0             E8 03            CMD_LOGIN
D8 C9 0F A3       01 00 01 00      Sequence. Seems to be 32 bit now.
92 E9 A5 A3       4B 20 AB 00      UIN
...
(haven't looked at the rest yet)

The key that this message was encrypted with was D9 C9 0E A3.
This key does not seem to be stored anywhere in the message, but it "shines"
through wherever there are zeros.
(That's why Matt thought the key was stored at 04-05 & 08-0b)

To get the key you can XOR your UIN with the encrypted UIN, 0c-0f.
Then you just XOR the key with the encrypted data to decrypt it.
I'm afraid this can't be the way the server does it (it doesn't know the UIN),
so the key must be stored in another way.

Sequence numbers seem to be 32 bit now. The client starts with
01 00 01 00, 02 00 02 00 and so on. The server starts at 01 00 00 00.

This is what an acknowledgment message sent to the server looks like:

04 00              Version
CD E4              These three are *unknown*. However, if 03 (E4)
DA 80              is XORed with 08 (B1) the result is 55. This seems
98 B1              to be true for all ack packets.
10 00 00 00        Seq
4B 20 AB 00        UIN
42 6F 54 1A        Checksum?

Seq and UIN are not encrypted in the ack packets.

I really need a better sniffer!
Please tell me where I can find one!

Regards, Henrik
-- 
__,,,^..^,,,_____________________________________________________________
               hki@hem1.passagen.se      http://www.algonet.se/~henisak  

          =====================================================
          The "unofficial, not-sponsored-by-Mirabilis-one-bit"
          ICQ Clone Development List
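As an added worked example (not part of Henrik's message), the key recovery and XOR decryption he describes, run against the login packet bytes quoted above, plus the XOR relation he notes for the ack packet. Offsets are 0-based as in his 0c-0f notation; the message names the second ack byte as offset 08, but in the listing as quoted B1 sits at offset 7, which is what the code uses.

```python
# Added example: recover the 4-byte XOR key from an ICQ v4 login packet
# (key = UIN XOR encrypted UIN at offsets 0x0c-0x0f) and decrypt with it.
# Packet bytes and UIN are the ones quoted in the message; offsets are 0-based.

LOGIN_ENC = bytes.fromhex("0400 21f2d9c9 e6a0 d8c90fa3 92e9a5a3")
UIN = 0x00AB204B          # "4B 20 AB 00" read little-endian, as in the message
ACK = bytes.fromhex("0400 cde4 da80 98b1 10000000 4b20ab00 426f541a")

def recover_key(packet: bytes, uin: int) -> bytes:
    """XOR the known UIN (little-endian) with the encrypted UIN field at 0x0c-0x0f."""
    uin_le = uin.to_bytes(4, "little")
    return bytes(a ^ b for a, b in zip(packet[0x0c:0x10], uin_le))

def xor_decrypt(packet: bytes, key: bytes) -> bytes:
    """Leave the 2-byte version untouched; XOR the rest with the key repeated so
    that offset i uses key[i % 4]. This alignment is what makes the quoted
    'Undecrypted'/'Decrypted' columns agree (the key "shines through" the zeros)."""
    out = bytearray(packet[:2])
    for i in range(2, len(packet)):
        out.append(packet[i] ^ key[i % len(key)])
    return bytes(out)

def ack_marker(packet: bytes) -> int:
    """The ack-packet relation noted in the message: E4 (offset 3) XOR B1 (offset 7)."""
    return packet[3] ^ packet[7]

if __name__ == "__main__":
    key = recover_key(LOGIN_ENC, UIN)
    print("key:   ", key.hex(" "))                          # d9 c9 0e a3
    print("plain: ", xor_decrypt(LOGIN_ENC, key).hex(" "))  # 04 00 2f 51 00 00 e8 03 01 00 01 00 4b 20 ab 00
    print("ack marker: %02x" % ack_marker(ACK))             # 55
```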
