TO CUT THE FLORET, PART 1: Authorization on the ICQ service

[ICDA PROJECT logo]

This document does not give a full description of the ICQ OSCAR v7/8 protocol; it only acquaints the reader with its main principles. I will try to explain the work of the protocol briefly.

What do we need to know to talk about this protocol? It is known that there is a server, login.icq.com, which runs the ICQ service on port 5190 over TCP. It is also known that before the 7th version the OSCAR protocol worked over UDP, and from the 7th on it works over TCP. Let's examine the work of the protocol step by step.

Step 1. The ICQ client passes authorization on the ICQ service. I should note that authorization is a complicated procedure with several steps.

    |----------|                          |---------------|
    |          |        OSCAR 7/8         |               |
    |  CLIENT  |  LP ----------------> 5190 | login.icq.com |
    | ICQ2003a |                          |  ICQ SERVICE  |
    |----------|                          |---------------|

First, a connection to the server login.icq.com on port 5190 is made. Then the server login.icq.com sends a test FLAP packet. Here is its dump:

    2A 01 7E BF 00 04 00 00 00 01

It is also necessary to know that the ICQ service has the concept of channels. In total there are 4 (5) channels. Maybe these channels are like those in IRC? ;)

    channel 1 - serves initial purposes such as establishing the connection (authorization)
    channel 2 - serves for transfer of the basic packets and data transmission
    channel 3 - the error-processing channel
    channel 4 - the disconnection (connection close) channel
    channel 5 - the service channel, probably used by admins

Depending on which channel is specified in an ICQ packet, it is handed to the corresponding service (function) for processing. The channel is always defined as the second byte of the FLAP packet; below I will show what the packet looks like.
This packet tells the ICQ client that it is time to send the data with the UIN and the password. The first thing the client does is send the server login.icq.com a set of parameters that include the user's UIN and password, together with a set of parameters describing the client itself. Here is the dump of a login packet:

dump #1

    2A 01 11 53 00 83 00 00 00 01
    00 01 00 06 3X 3X 3X 3X 3X 3X
    00 02 00 08 XX XX XX XX XX XX XX XX
    00 03 00 33 49 43 51 20 49 6E 63 2E 20 2D 20 50 72 6F 64 75 63 74 20 6F 66 20 49 43 51 20 28 54 4D 29 2E 32 30 30 33 61 2E 35 2E 34 37 2E 31 2E 33 38 30 30 2E 38 35
    00 16 00 02 01 0A
    00 17 00 02 00 05
    00 18 00 02 00 2F
    00 19 00 02 00 01
    00 1A 00 02 0E D8
    00 14 00 04 00 00 00 55
    00 0F 00 02 65 6E
    00 0E 00 02 75 73

(3X stands for the masked UIN digits and XX for the masked password bytes.) Let's analyze this packet in detail. Remember that ICQ packets are called FLAP (the second byte is the channel of the ICQ server). A FLAP contains so-called SNAC packets, into which various TLV packets are included. The ICQ protocol consists of sending and receiving SNAC packets:

    |-----------------------------|
    |  F L A P                    |
    |  |-------------------------||
    |  |  S N A C                ||
    |  |  |----------------|     ||
    |  |  |  T L V         |     ||
    |  |  |----------------|     ||
    |  |-------------------------||
    |  ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~  |
    |  |-------------------------||
    |  |  S N A C                ||
    |  |  |----------------|     ||
    |  |  |  T L V         |     ||
    |  |  |----------------|     ||
    |  |-------------------------||
    |-----------------------------|

FLAP: 2A 01 11 53 00 83 00 00 00 01

The FLAP header lets the service distinguish ICQ data from other packets.

    2A          - Command Start: marks the beginning of an ICQ packet and distinguishes it from other packets.
    01          - the channel.
    11 53       - the so-called Sequence Number (a word); it can be a random number.
    00 83       - Data Field Length: the length of the data block that follows the header, a very important field.
    00 00 00 01 - on channel 1 the data block begins with this protocol version DWORD; the TLVs come after it.
Summarizing, we can draw a table of the FLAP header:

    -------------------
    | Command Start   |
    | byte: '\x2A'    |
    -------------------
    | Channel ID      |
    | byte            |
    -------------------
    | Sequence Number |
    | word            |
    -------------------
    |Data Field Length|
    | word            |
    -------------------
    | Data            |
    | variable        |
    -------------------

The FLAP packet has a fixed-length header, and the block that follows can be of variable length. The header length is 6 bytes. After it come standard TLVs.

TLV 01: 00 01 tells the service that the UIN data follows; before the UIN goes its size, 00 06, then the UIN itself: 39 36 33 36 33 32 ("963632").

Then come optional parameters. The version and structure of the client:

TLV 03: 00 03 00 33 49 43 51 20 49 6E 63 2E 20 2D 20 50 72 6F 64 75 63 74 20 6F 66 20 49 43 51 20 28 54 4D 29 2E 32 30 30 33 61 2E 35 2E 34 37 2E 31 2E 33 38 30 30 2E 38 35
For example: "3ICQ Inc. - Product of ICQ (TM).2003a.5.47.1.3800.85" (the leading "3" is the length byte 00 33 shown as an ASCII character).

TLV 16: 00 16 usually occupies two bytes: 01 0A.
TLV 17: 00 17 the major version of the client, for example 4 for icq2000, 5 for icq2001 and icq2003.
TLV 18: 00 18 the minor version.
TLV 19: 00 19 the lesser version of the client, in our case two bytes: 00 01.
TLV 1A: 00 1A the build version of the client, occupies two bytes: 0E D8.
TLV 14: 00 14 dunno which version; occupies 4 bytes: 00 00 00 55.
TLV 0F: 00 0F the language the client works with, two characters, usually "en".
TLV 0E: 00 0E the country the client is located in, two characters, usually "us".

Here the login packet ends. It is important to remember: a TLV type is always followed by its length.
Let's analyze in detail the SNAC packet, which, as we know, sits inside the FLAP packet:

    |-------------------------|
    |  S N A C                |
    |  |----------------|     |
    |  |  T L V         |     |
    |  |----------------|     |
    |-------------------------|

As we can see from dump #1, the SNAC consists of TLV fields with the following layout: 1) the TLV type 2) the length of the TLV content 3) the TLV content

    |-------------------------|
    | WORD TLV type           |
    | WORD TLV length         |
    | VAR  TLV data           |
    |-------------------------|

Here is the structure of the login:

    TLV(1)  STRING my UIN
    TLV(2)  STRING encrypted password
    TLV(3)  STRING client profile, for example "3ICQ Inc. - Product of ICQ (TM).2003a.5.47.1.3800.85"
    TLV(16) WORD   unknown, usually 01 0A
    TLV(17) WORD   major version, 4 for icq2000, 5 for icq2001
    TLV(18) WORD   minor version
    TLV(19) WORD   lesser version
    TLV(1A) WORD   build version
    TLV(14) DWORD  dunno version
    TLV(0F) STRING language, 2 chars, usually "en"
    TLV(0E) STRING country, 2 chars, usually "us"

Assume the client generated the login packet correctly and sent it to the server login.icq.com; what comes next? If everything is OK, login.icq.com should answer with a FLAP whose SNAC includes: the UIN, the server IP:PORT, and a COOKIE (256 bytes of random data).
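As an added example (not code from the page or from the ICDA project), here is a Python parser for the FLAP header and TLV layout described above, run over dump #1 and over the two kinds of login reply described further down the page (success: TLV 05 and 06; failure: TLV 04 and 08). The masked UIN and password bytes in dump #1, the 256 zero bytes standing in for a cookie, and the field order of the constructed success reply are assumptions.

```python
import struct

FLAP_HDR = struct.Struct(">BBHH")  # Command Start 0x2A, channel, sequence word, data length word

def parse_flap(frame: bytes):
    """Split one FLAP frame into (channel, sequence, data), checking start byte and length."""
    start, channel, seq, length = FLAP_HDR.unpack_from(frame)
    if start != 0x2A or len(frame) != FLAP_HDR.size + length:
        raise ValueError("not a well-formed FLAP frame")
    return channel, seq, frame[FLAP_HDR.size:]

def parse_tlvs(data: bytes):
    """Walk type/length/value triples by their length fields instead of scanning for byte patterns."""
    tlvs, pos = {}, 0
    while pos + 4 <= len(data):
        tlv_type, tlv_len = struct.unpack_from(">HH", data, pos)
        tlvs[tlv_type] = data[pos + 4:pos + 4 + tlv_len]
        pos += 4 + tlv_len
    return tlvs

def parse_login_request(frame: bytes):
    """Channel-1 login packet: a 4-byte version DWORD, then the TLVs listed on the page."""
    channel, seq, data = parse_flap(frame)
    tlvs = parse_tlvs(data[4:])
    return {"channel": channel, "seq": seq, "version": struct.unpack(">I", data[:4])[0],
            "uin": tlvs[0x01].decode(), "profile": tlvs[0x03].decode(),
            "major": struct.unpack(">H", tlvs[0x17])[0], "lang": tlvs[0x0F].decode()}

def classify_login_reply(frame: bytes):
    """Channel-4 reply: TLV 05 + TLV 06 mean success (BOS address, cookie); TLV 08 + TLV 04 an error."""
    _, _, data = parse_flap(frame)
    tlvs = parse_tlvs(data)
    if 0x05 in tlvs and 0x06 in tlvs:
        return ("ok", tlvs[0x05].decode(), tlvs[0x06])
    return ("error", struct.unpack(">H", tlvs[0x08])[0], tlvs[0x04].decode())

PROFILE = "ICQ Inc. - Product of ICQ (TM).2003a.5.47.1.3800.85"
# Dump #1 from the page; the masked UIN digits ("963632") and password bytes are placeholders.
LOGIN_DUMP = bytes.fromhex(
    "2A0111530083" "00000001" "00010006" "393633363332" "00020008" "0000000000000000"
    "00030033" + PROFILE.encode().hex() + "00160002010A" "001700020005" "00180002002F"
    "001900020001" "001A00020ED8" "0014000400000055" "000F0002656E" "000E00027573")
# The wrong-password reply from the page (UIN 240790152, error URL in TLV 04, code in TLV 08).
ERROR_URL = "http://www.aim.com/errors/MISMATCH_PASSWD.html?ccode=us&lang=en"
ERROR_REPLY = bytes.fromhex("2A04AEB00056" "00010009" + "240790152".encode().hex()
                            + "0004003F" + ERROR_URL.encode().hex() + "000800020005")
# Constructed success reply: 6-digit UIN (so a 06 byte appears before TLV 06), BOS address
# from dump #2, and 256 zero bytes in place of the random cookie.
OK_REPLY = (b"\x2a\x04\x00\x01\x01\x21" + b"\x00\x01\x00\x06963632"
            + b"\x00\x05\x00\x0f205.188.8.18:53" + b"\x00\x06\x01\x00" + bytes(256))
```

Because the walk honours each length field, the 06 length byte of a 6-digit UIN in TLV 01 is never mistaken for the cookie TLV.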
Let's examine the dump of this packet:

Dump #2

    2A 04 C6 B5 01 21
    00 01 00 06 3X 3X 3X 3X 3X 3X
    00 05 00 0F 32 30 35 2E 31 38 38 2E 38 2E 31 38 3A 35 33
    00 06 01 00
    35 A3 D2 E6 D5 A2 75 F1 9F 2E C0 78 8C 78 D8 AA
    10 B7 60 42 10 44 27 9A 58 E9 12 24 CD E9 4C F0
    51 06 BD 86 2E A4 86 CF 1E 9B 21 AC FE 8F EE BF
    16 B6 94 8D 50 58 35 5F CD 1E 8C C5 5B E1 ED 12
    FD 93 48 31 1D C0 B2 A9 E7 E0 00 F5 D4 9E 5C 6E
    BF BC BF 34 93 4A BD 4E 94 55 97 4B 8F 9A A9 F0
    14 1D 15 97 CB 1B 08 C3 D1 E2 1E CA 8F 5A 10 7F
    91 B7 AA 1A 8F 56 22 B2 2C AD 31 A2 73 4F A9 F9
    8E 2A 5C A5 71 AD C1 4A 6E 8A 65 CD 86 2C 6B 32
    05 DA DC 3D C0 09 37 5A 10 76 C2 55 C0 8D 7B 30
    5C 53 C9 2F A2 B0 FA 26 45 82 8D 58 D8 BF 2C 26
    BD F0 5B 13 B4 B1 D3 00 8D 90 A7 8F 18 91 AF C7
    F7 3F 46 00 30 60 53 BF DE 8C 4E 4E D4 28 D8 0D
    17 3A AB 85 B2 49 E4 19 3E D4 73 6C 82 24 7C FB
    16 94 50 88 4B 8E EE 08 62 99 1D E1 BE 23 F2 98
    15 17 D5 B4 FD 47 AF 9E 65 CD EC 31 67 20 B9 D4

Note the channel byte 04: the login server sends its answer on the disconnection channel and then closes the connection. We can see that the FLAP contains the SNAC TLVs 0001, 0005 and 0006:

    TLV 0001 - the UIN
    TLV 0005 - the server and port to which we will reconnect
    TLV 0006 - the COOKIE, the data we have to send to the server and port specified in TLV 0005 to prove to the server that we really are who we pretend to be ;)

SNAC:

    TLV 00 01 00 06 39 36 33 36 33 32 - the UIN
    TLV 00 05 00 0F 32 30 35 2E 31 38 38 2E 38 2E 31 38 3A 35 33 - IP:PORT ("205.188.8.18:53")
    TLV 00 06 01 00 followed by the 256 cookie bytes shown in dump #2 - the COOKIE (256 bytes of random data) which we need to send to the server after reconnecting to the specified server and port.

If you write a brute forcer of this packet for the ICQ service, this is enough for you to make sure the UIN and password are correct. For example, in the ICDA brute forcer this check is done with the following code:

    buffer[512]='\xEE';          /* sentinel byte marking the end of the receive buffer */
    rbuf=buffer;
    do {
        rbuf++;
        /* a lone 06 (such as the 00 06 length of a 6-digit UIN in TLV 01) is stepped over */
        if(*rbuf == '\x06'){
            if(*(rbuf+1) != '\x01'){rbuf++;}
        }
        /* 06 01 = TLV type 00 06 followed by the length 01 00 of the 256-byte cookie */
        if((*rbuf == '\x06') && ((*(rbuf+1) == '\x01'))){break;}
    }while(*rbuf != '\xEE');
    if((*rbuf == '\x06') && ((*(rbuf+1) == '\x01'))){close(proxysock); return 5;}

This code checks for the presence of TLV 06 (the cookie), taking into account that a 06 byte can also appear if we have a 6-digit UIN. Of course you can write your own function. So the structure in your program would look like this:

    TLV(1) STRING my UIN
    if all goes right
        TLV(5) STRING BOS-address:port
        TLV(6) STRING cookie
    else
        TLV(8) WORD   error code
        TLV(4) STRING URL

It is necessary to note that if the password or UIN was wrong, the server would answer with the following FLAP packet (with TLV 04, here the URL http://www.aim.com/errors/MISMATCH_PASSWD.html?ccode=us&lang=en, and TLV 08, here the error code 00 05):

    2A 04 AE B0 00 56
    00 01 00 09 32 34 30 37 39 30 31 35 32
    00 04 00 3F 68 74 74 70 3A 2F 2F 77 77 77 2E 61 69 6D 2E 63 6F 6D 2F 65 72 72 6F 72 73 2F 4D 49 53 4D 41 54 43 48 5F 50 41 53 53 57 44 2E 68 74 6D 6C 3F 63 63 6F 64 65 3D 75 73 26 6C 61 6E 67 3D 65 6E
    00 08 00 02 00 05

Now let's view the dump of the packet we will have to send after reconnection:

    2A 01 28 E0 01 08 00 00 00 01
    00 06 01 00
    EC 9F D0 FB 60 5F 7C 66 D4 24 4F 87 83 E7 98 41
    15 DF AB DA C5 AF D0 CD FD 52 45 57 99 EC 9F 6A
    96 3D C4 1A D7 E2 93 88 5F 9F 77 78 8F DD FB 19
    E0 D5 01 DA 0B 48 19 33 F6 95 B9 9E AF 01 D3 D0
    9D 46 D3 AD 4D 3C B3 0D 80 CC 2E 03 90 2C E2 77
    B9 3A C8 F1 F5 6F 84 3B 33 97 F4 04 16 9B 84 FA
    2B 21 35 FC B7 97 60 E9 77 7A 81 3A 1F 50 6A E4
    21 B6 B0 FC 07 17 09 3A 2E 9D 2E 86 BD 30 06 20
    FA 5C A9 F6 EE 55 63 26 A1 E5 CD C7 F6 91 FD 86
    7D B9 3F DF 07 34 79 52 66 F8 F4 AE FB D5 BF 7B
    CB 2E D2 FA CB 64 68 EE 19 F1 47 D5 70 40 E3 22
    65 43 20 5E 1C 27 DA 81 5B 64 10 52 67 E9 8A 47
    D5 89 92 6E C8 EF A9 0D FB 40 96 AD DD 41 2F 0E
    A2 96 B7 D0 12 CD D5 92 30 45 79 E6 DE 9A 70 5A
    40 0B 9D C3 23 D8 AB 51 4D 83 92 BA A3 0E 3C 82
    9C F3 EC 2B 7C 8A F1 F8 77 E3 C1 09 D4 8F 94 9A

As we can see, this FLAP packet includes only the SNAC with TLV 06. How will the server react to this packet? The server answers with the READY packet. Here is its dump (SNAC 1,03):

    2A 02 8F 2D 00 24
    00 01 00 03 00 00 83 C8 13 D5
    00 01 00 02 00 03 00 04 00 06 00 08 00 09 00 0A 00 0B 00 0C 00 13 00 15 00 22

This packet tells the client that the server is ready to work with it. We need to answer this SNAC 1,03 with SNAC 1,17:

    2A 02 67 E1 00 32
    00 01 00 17 00 00 00 00 00 17
    00 01 00 04 00 13 00 04 00 02 00 01 00 03 00 01 00 15 00 01 00 04 00 01 00 06 00 01 00 09 00 01 00 0A 00 01 00 0B 00 01

This packet tells the server: hey, I'm an ICQ client, not AIM ;)))) Here authorization on the server finishes. In the following documentation I will show how to send messages to other clients. I wish success to you, beginning coders =)

Payhash from AolHackerS.ru

AOLHACKERS.RU 2004
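The READY exchange above, as an added example (not the page's or ICDA's code): parse the family list in the server's SNAC 1,03 and build the client's SNAC 1,17 answer from it. The family/version pairs and request id come from the dump above; the function names, the sequence number argument and the filtering of families the server did not offer are assumptions.

```python
import struct

FLAP_HDR = struct.Struct(">BBHH")  # Command Start 0x2A, channel, sequence, data length
SNAC_HDR = struct.Struct(">HHHI")  # family, subtype, flags, request id

# The READY frame from the page: SNAC 1,03 listing the service families the server supports.
SERVER_READY = bytes.fromhex(
    "2A028F2D0024" "00010003" "0000" "83C813D5"
    "0001" "0002" "0003" "0004" "0006" "0008" "0009" "000A" "000B" "000C" "0013" "0015" "0022")

# Family versions the page's ICQ client announces in its SNAC 1,17 answer, in the dump's order.
CLIENT_FAMILY_VERSIONS = [(0x01, 4), (0x13, 4), (0x02, 1), (0x03, 1), (0x15, 1),
                          (0x04, 1), (0x06, 1), (0x09, 1), (0x0A, 1), (0x0B, 1)]

def parse_snac(frame: bytes):
    """Return (family, subtype, request id, body) from a channel-2 FLAP frame, validating both headers."""
    start, channel, _seq, length = FLAP_HDR.unpack_from(frame)
    if start != 0x2A or channel != 2 or len(frame) != FLAP_HDR.size + length:
        raise ValueError("not a well-formed channel-2 FLAP frame")
    family, subtype, _flags, req_id = SNAC_HDR.unpack_from(frame, FLAP_HDR.size)
    return family, subtype, req_id, frame[FLAP_HDR.size + SNAC_HDR.size:]

def server_families(frame: bytes):
    """SNAC 1,03: the body is a list of WORD family ids; returns them as a set."""
    family, subtype, _, body = parse_snac(frame)
    if (family, subtype) != (0x01, 0x03) or len(body) % 2:
        raise ValueError("expected SNAC 1,03 with a whole number of family words")
    return {struct.unpack_from(">H", body, i)[0] for i in range(0, len(body), 2)}

def build_versions_reply(seq: int, supported: set, req_id: int = 0x17,
                         versions=CLIENT_FAMILY_VERSIONS) -> bytes:
    """SNAC 1,17: answer with (family, version) pairs, keeping only families the server offered."""
    body = b"".join(struct.pack(">HH", fam, ver) for fam, ver in versions if fam in supported)
    snac = SNAC_HDR.pack(0x01, 0x17, 0, req_id) + body
    return FLAP_HDR.pack(0x2A, 2, seq, len(snac)) + snac
```

With the sequence number 67 E1 from the page, the builder reproduces the SNAC 1,17 dump byte for byte.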