From hki@hem1.passagen.se Tue Jun 9 22:50:11 1998
Date: Tue, 09 Jun 1998 17:23:29 +0100
From: Henrik Isaksson
Reply-To: icq-devel@tjsgroup.com
To: icq-devel@tjsgroup.com
Subject: [ICQdev] V4

Hi!

This is the result of a sleepless night and a Casio fx-3600... ;-)

Login packet: (from client to server)

  Undecrypted    Decrypted
  04 00          04 00         Version
  21 F2 D9 C9    2F 51 00 00   *Unknown* Maybe used to find key?
  E6 A0          E8 03         CMD_LOGIN
  D8 C9 0F A3    01 00 01 00   Sequence. Seems to be 32 bit now.
  92 E9 A5 A3    4B 20 AB 00   UIN
  ... (haven't looked at the rest yet)

The key that this message was encrypted with was D9 C9 0E A3. This key
does not seem to be stored anywhere in the message, but it "shines"
through wherever there are zeros. (That's why Matt thought the key was
stored at 04-05 & 08-0b)

To get the key you can XOR your UIN with the encrypted UIN, 0c-0f. Then
you just XOR the key with the encrypted data to decrypt it. I'm afraid
this can't be the way the server does it (it doesn't know the UIN), so
the key must be stored in another way.

Sequence numbers seem to be 32 bit now. The client starts with
01 00 01 00, 02 00 02 00 and so on. The server starts at 01 00 00 00.

This is what an acknowledgment message sent to the server looks like:

  04 00          Version
  CD E4          These three are *unknown*. However, if 03 (E4)
  DA 80          is XORed with 08 (B1) the result is 55. This seems
  98 B1          to be true for all ack packets.
  10 00 00 00    Seq
  4B 20 AB 00    UIN
  42 6F 54 1A    Checksum?

Seq and UIN are not encrypted in the ack packets.

I really need a better sniffer! Please tell me where I can find one!

Regards,
Henrik

--
__,,,^..^,,,_____________________________________________________________
hki@hem1.passagen.se                        http://www.algonet.se/~henisak

=====================================================
The "unofficial, not-sponsored-by-Mirabilis-one-bit" ICQ Clone Development List
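A worked version of the known-plaintext key recovery Henrik describes, added here as an illustration; it is not code from the mailing list or from any ICQ client. The bytes are the ones quoted in the mail. Two things are my assumptions, inferred from lining up the "Undecrypted" and "Decrypted" columns: the four-byte key repeats from offset 0, and the two version bytes at 00-01 are left in the clear (which is why only the bytes from 02 onward are XORed).

```python
# Added example (not from the mailing list or any ICQ client): recovering the
# per-packet XOR key from a V4 login packet and stripping it off.
# Assumptions, inferred from the byte columns in the mail above: the 4-byte key
# repeats from offset 0, and the version bytes at 0x00-0x01 are not encrypted.
import struct

# The "Undecrypted" column of the login packet, as quoted in the mail.
ENCRYPTED_LOGIN = bytes.fromhex("0400 21F2D9C9 E6A0 D8C90FA3 92E9A5A3")
# The "Decrypted" column, kept for comparison.
DECRYPTED_LOGIN = bytes.fromhex("0400 2F510000 E803 01000100 4B20AB00")
UIN = 0x00AB204B          # 4B 20 AB 00 read as a little-endian dword
CMD_LOGIN = 0x03E8        # E8 03

KEY_LEN = 4
CLEAR_PREFIX = 2          # version bytes are left unencrypted (assumption)


def recover_key(packet: bytes, uin: int) -> bytes:
    """Known-plaintext recovery: XOR the encrypted UIN at 0x0c-0x0f with the
    UIN the client knows it sent. What is left is the 4-byte key."""
    encrypted_uin = packet[0x0C:0x10]
    plain_uin = struct.pack("<I", uin)
    return bytes(e ^ p for e, p in zip(encrypted_uin, plain_uin))


def xor_packet(packet: bytes, key: bytes) -> bytes:
    """Apply the repeating XOR key from CLEAR_PREFIX onward. XOR is its own
    inverse, so the same call both decrypts and re-encrypts."""
    out = bytearray(packet)
    for i in range(CLEAR_PREFIX, len(out)):
        out[i] ^= key[i % KEY_LEN]
    return bytes(out)


def key_leak_offsets(encrypted: bytes, decrypted: bytes) -> list:
    """Offsets where the plaintext byte is zero, so the ciphertext byte there
    is the key byte itself: the "shines through" effect the mail describes."""
    return [i for i in range(CLEAR_PREFIX, len(decrypted)) if decrypted[i] == 0]


def parse_login(plain: bytes) -> dict:
    """Pull out the fields the mail has identified so far (offsets 0x00,
    0x06, 0x08 and 0x0c, all little-endian)."""
    version, = struct.unpack_from("<H", plain, 0x00)
    cmd, = struct.unpack_from("<H", plain, 0x06)
    seq, = struct.unpack_from("<I", plain, 0x08)
    uin, = struct.unpack_from("<I", plain, 0x0C)
    return {"version": version, "cmd": cmd, "seq": seq, "uin": uin}


if __name__ == "__main__":
    key = recover_key(ENCRYPTED_LOGIN, UIN)
    print("key:", key.hex(" ").upper())                 # D9 C9 0E A3
    plain = xor_packet(ENCRYPTED_LOGIN, key)
    print("plain:", plain.hex(" ").upper())
    print("fields:", parse_login(plain))
    print("key bytes visible at offsets:", key_leak_offsets(ENCRYPTED_LOGIN, plain))
```

Running it reproduces the mail's numbers: the recovered key is D9 C9 0E A3, the stripped packet matches the "Decrypted" column, and the zero plaintext bytes at offsets 04, 05, 09, 0b and 0f expose D9 C9 C9 A3 A3, the key bytes that made 04-05 and 08-0b look like a stored key. A receiver that does not know the UIN gets nothing from this trick, which is the point Henrik makes about the server.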