
From mds1281@ritvax.isc.rit.edu Mon May  4 14:30:47 1998
Date: Fri, 01 May 1998 06:07:58 +0000
From: Matt Smith <mds1281@ritvax.isc.rit.edu>
Reply-To: icq-devel@tjsgroup.com
To: "icq-devel@tjsgroup.com" <icq-devel@tjsgroup.com>
Subject: [ICQdev] V4 login

Well I've had some success logging in as V4 but I haven't been able to
crack the numbers so I thought I'd post them and see if anyone can figure
'em out.

The packet I'm sending is:

04 00         Version
xx xx         see below
5E A2 9D 59   key1  xor them together get 0x03E90001 which is
5F A2 74 5A   key2 high command low SEQ
42 E4 D9 5A   UIN  real UIN = 0x00AC461C
63 34 90 23   X1
D4 7A 39 35   X2
06 F4 00 00   port
08 00         len of passwd
76 6f 72 6c 6f 6e 73 00 passwd ( please don't use :) )
98 00 00 00   version of client ?
81 15 73 9E   IP
04            placeholder
00 00 00 00   Status
03 00 00 00   X3
00 00 00 00   X4
00 00 98 00   X5 version again?

As you can see I only varied 2 bytes because I'm not sure how all this
stuff holds together.  I know if you get a working version and change
anything the whole thing falls apart.  Passwords of the same length
appear to be interchangeable but of different lengths the numbers must be
changed.
Anyway I just ran it through a loop and watched which were accepted.  Below
are the values I've tried that worked; the values in between have been
tested and failed.  Anyone have any ideas?
00 04
00 2B
00 3B
00 55
00 6C
00 75
00 95
00 98
00 B6
00 C0

We can get on the server now we just have to figure out what we're
doing. :)

-- Matt
          =====================================================
          The "unofficial, not-sponsored-by-Mirabilis-one-bit"
          ICQ Clone Development List
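The packet layout in the post above, turned into a small parser so the fields can be pulled apart and the key1 XOR key2 relation checked mechanically. This is an added example, not code from the post or from any ICQ client. It assumes every multi-byte field is little-endian (the post reads key1 XOR key2 that way to get 0x03E90001), assumes the two "xx xx" bytes go on the wire byte-reversed from the list in the post (0x0055 is sent as 55 00, per the follow-up saying the listed numbers are backwards), and replaces the password with a constructed 8-byte placeholder; the remaining bytes are the ones Matt posted.

```python
import struct
from dataclasses import dataclass

# Constructed sample packet following the layout in the post. key1, key2, UIN,
# X1..X5, port, IP and status bytes are copied from the post; the 2 varied
# bytes use 0x0055 (listed as accepted) written little-endian (assumption);
# the password is a constructed placeholder, not the value in the post.
SAMPLE_PACKET = (
    bytes.fromhex(
        "0400"          # version 4
        "5500"          # the 2 varied bytes, 0x0055 little-endian (assumption)
        "5EA29D59"      # key1
        "5FA2745A"      # key2
        "42E4D95A"      # UIN field as sent on the wire
        "63349023"      # X1
        "D47A3935"      # X2
        "06F40000"      # port
        "0800"          # password length (8, includes the trailing NUL)
    )
    + b"example\x00"   # constructed placeholder password
    + bytes.fromhex(
        "98000000"      # client version?
        "8115739E"      # IP
        "04"            # placeholder byte
        "00000000"      # status
        "03000000"      # X3
        "00000000"      # X4
        "00009800"      # X5, version again?
    )
)


@dataclass
class V4Login:
    """Fields of the V4 login packet in the order they appear on the wire."""
    version: int
    unknown2: int
    key1: int
    key2: int
    uin_raw: int
    x1: int
    x2: int
    port: int
    password: bytes
    client_version: int
    ip: bytes
    placeholder: int
    status: int
    x3: int
    x4: int
    x5: int

    @property
    def key_xor(self) -> int:
        """key1 XOR key2; the post says this yields 0x03E90001."""
        return self.key1 ^ self.key2

    @property
    def command(self) -> int:
        """High 16 bits of key_xor (the post calls this the command)."""
        return self.key_xor >> 16

    @property
    def seq(self) -> int:
        """Low 16 bits of key_xor (the post calls this SEQ)."""
        return self.key_xor & 0xFFFF


def parse_v4_login(buf: bytes) -> V4Login:
    """Parse a V4 login packet; raises ValueError on a truncated buffer."""
    off = 0

    def take(fmt: str):
        nonlocal off
        try:
            vals = struct.unpack_from(fmt, buf, off)
        except struct.error as exc:
            raise ValueError(f"packet truncated at offset {off}") from exc
        off += struct.calcsize(fmt)
        return vals

    version, unknown2 = take("<HH")
    key1, key2, uin_raw, x1, x2, port = take("<IIIIII")
    (plen,) = take("<H")
    password = buf[off:off + plen]
    if len(password) != plen:
        raise ValueError("password length exceeds packet")
    off += plen
    (client_version,) = take("<I")
    ip = bytes(take("<4B"))
    (placeholder,) = take("<B")
    status, x3, x4, x5 = take("<IIII")
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing byte(s) after X5")
    return V4Login(version, unknown2, key1, key2, uin_raw, x1, x2, port,
                   password, client_version, ip, placeholder, status, x3, x4, x5)


def key_relation_holds(pkt: V4Login) -> bool:
    """True when key1 XOR key2 matches the 0x03E90001 value from the post."""
    return pkt.key_xor == 0x03E90001


if __name__ == "__main__":
    p = parse_v4_login(SAMPLE_PACKET)
    print(f"cmd=0x{p.command:04X} seq={p.seq} uin_raw=0x{p.uin_raw:08X} "
          f"port_raw=0x{p.port:08X} relation_ok={key_relation_holds(p)}")
```

The parser deliberately keeps the UIN as the raw 32-bit value it finds on the wire: the post gives a "real UIN" of 0x00AC461C next to it, but does not say how the two are related, so no decoding is guessed here.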
From mds1281@ritvax.isc.rit.edu Mon May  4 14:31:22 1998
Date: Fri, 01 May 1998 06:17:44 +0000
From: Matt Smith <mds1281@ritvax.isc.rit.edu>
Reply-To: icq-devel@tjsgroup.com
To: "icq-devel@tjsgroup.com" <icq-devel@tjsgroup.com>
Subject: [ICQdev] [cont. of last message]

All those numbers at the end of the last post are backwards sorry about
that. :(
Also the high byte doesn't seem to affect anything, i.e. 0x0055 and 0x0155
both work as does 0x4355, but only those numbers work even with different
high bytes so we might be looking at 2 byte long codes.  And possibly a
dummy value that's there just to throw us off, or maybe it does something
we don't know about?

-- Matt
