ICQv7 (personal) protocol notes
by Massimo Melina, [email protected]
www.rejetto.com/icq
last update Nov 02, 2001

THESE ARE ONLY _PERSONAL_ NOTES
USE IT AT YOUR OWN RISK
if you want to tell me about additional info or wrong info in this file, contact me

important note:
* this doc is very badly written for several reasons i won't list here.
* i don't earn money from this, i'm a student, i'm only having some fun.
* a list of people who contributed to this doc is at bottom
* you won't understand too much in here if you don't read AIM protocol docs at www.icqv7.cjb.net

some notes:
* unk = unknown
* communication is over FLAP protocol (find info about it in AIM protocol docs)
* where specified, communication is over SNAC protocol, over FLAP (AIM proto docs too)
* password is xored with these bytes: F3,26,81,C4,39,86,DB,92,71,A3,B9,E6,53,7A,95,7C
* LE stands for little-endian
* BE stands for big-endian
* BYTE is a 8 bit integer
* WORD is a 2-byte integer (BE)
* DWORD is a 4-byte integer (BE)
* TIME_T is a DWORD, unix time format
* IPADDR is a quadruple of bytes A,B,C,D where in dotted form is A.B.C.D
* COLOR is a quadruple of bytes: R,G,B,N where N is not used (you should set it zero)
* STRING is a succession of (ascii) characters without length-leading or null-char-ending
* UIN is a 4-byte integer (LE) that codifies the uin number
* B-UIN is a BYTE-preceded STRING: the byte indicates the length of the string and the string reports a uin number
* UINLIST is a raw succession of B-UINs
* NTS is a Null Terminated String
* LNTS is a word (LE) preceded NTS: the word indicates the length of the NTS string (null char included)
* DLS is a dword (LE) preceded string
* msg-subtype is a BYTE:
CODE  FORMAT        MEANING
01    plain         msg
02    ?             chat
03    ?             file
04    url-msg       url
06    user-msg      authorization request
07    plain         authorization denied
08    empty         authorization given
0C    user-msg      user added you
0E    email-msg     emailExpress
13    contacts-msg  contacts
1A    empty         contacts-req
E?    plain         auto-msg-req (E8 away, E9 occupied, EA na, EB dnd, EC f4c)
* msg-flags is a BYTE:
00 = normal
80 = multiple
03 = special (used for auto-msg-req)
* error-code is a WORD:
00 00 no error
00 01 bad uin
00 05 bad password
00 18 rate exceeded
00 1D (probably) you're trying to reconnect too fast, wait a second and retry
* user-msg is a LNTS: nick FE first FE last FE email FE unk-char FE msg
* url-msg is a LNTS: msg FE url
* contacts-msg is a LNTS: contacts# FE uin FE nick FE uin FE nick FE...
* email-msg is a LNTS: name FE FE FE email FE unk-char FE body
* gmt offset is a signed byte, specifies negative half hours from GMT 0 (e.g. -3 = GMT+1:30)
* status code is a double word: WORD flags + WORD status
WORD flags
2000 direct connection only for contact list
1000 direct connection by request
0002 show ip? (licq uses it on invisible state)
0001 webaware
WORD status (sometimes i saw bit 3 set, or bit 9 in invisible state)
0000 online
0020 free4chat
0001 away
0004 n/a
0005 n/a
0010 occupied
0011 occupied
0013 dnd
0100 invisible
* accept-status codes
0 normally accepted (use this replying to auto-msg-req)
9 not accepted, occupied
A not accepted, dnd
4 accepted but away
E accepted but NA
C accepted to contact list (no blink in tray)
* priority codes
00 00 = file-reply
01 00 = normal
02 00 = send urgent
04 00 = send to contact list (don't blink in tray)
* direct-connection-info
IPADDR my ip address, often second NIC ip, leave 0 for no direct-connection
DWORD port where listening for connections, leave 0 for no direct-connection
BYTE 04
WORD protocol version (licq 0006, icq2000 0007, icq2001 0008)
4 BYTE unk
8 BYTE 00 00 00 50 00 00 00 03
TIME_T unk, usually a recent time
TIME_T unk, usually a recent time
TIME_T unk, usually a recent time
WORD 0
* wp-short-request-info
LNTS first
LNTS last
LNTS nick
* wp-full-request-info
wp-short-request-info
LNTS email
WORD (LE) minimum age, 0 if disabled
WORD (LE) maximum age, 0 if disabled
BYTE sex (0=disabled, other=see table)
BYTE language (0=disabled, other=see table)
LNTS city
LNTS state
WORD country (0=disabled, other=see table)
LNTS company-name
LNTS department
LNTS position
BYTE occupation field (0=disabled)
WORD past information category (0=disabled, other=see table)
LNTS desc
WORD interests-category (0=disabled, other=see table)
LNTS interests-specific (comma separated)
WORD affiliation/organization (0=disabled, other=see table)
LNTS desc
WORD homepage category
LNTS desc
BYTE only-online-users, (0=off, 1=on)
* wp-result-info
WORD length of this record (you can't rely on fields if record is shorter)
UIN his uin
LNTS nick
LNTS first
LNTS last
LNTS email
BYTE auth (0=required, 1=always)
BYTE status (00 offline, 01 online, 02 not webaware)
BYTE unknown, usually 0
BYTE sex
BYTE age
9 BYTE unk, 0
* main-home-info
LNTS nick
LNTS first
LNTS last
LNTS email
LNTS city
LNTS state
LNTS phone
LNTS fax
LNTS street
LNTS cellular (if SMS-able string contains an ending ' SMS')
LNTS zip
WORD country (LE)
BYTE gmt
BYTE unknown, usually 0
* work-info
LNTS city
LNTS state
DWORD 0
LNTS street
LNTS zip
WORD country (LE)
LNTS company-name
LNTS company-dept
LNTS company-position
WORD 0 (LE?)
LNTS company-web
* homepage-more-info
BYTE age
BYTE 0
BYTE sex
LNTS homepage
WORD birth-year (LE)
BYTE birth-month
BYTE birth-day
BYTE lang1
BYTE lang2
BYTE lang3
* work-info
LNTS city
LNTS state
LNTS unk
LNTS unk
LNTS street address
LNTS zip code
WORD unk, 2700
LNTS company name
LNTS unk
LNTS position
WORD unk, 0500
LNTS unk
* more-email-info
BYTE number (of addresses)
for number times
BYTE unknown, usually 00
LNTS address
* personal-interests-info
BYTE # of categories to follow
for # times
WORD category (6800 => Computers, 7100 => Music)
LNTS specific
* past-background-info
012F01 university
LNTS specific
00616E
* capability is a 4 DWORD number
4 capabilities are known
1) 09461349 4C7F11D1 82224445 53540000
2) 09461344 4C7F11D1 82224445 53540000
3) 97B12751 243C4334 AD22D6AB F73F1492 // sent by icq2001
4) 2E7A6475 FADF4DC8 886FEA35 95FDB6DF // sent by icq2001
* capability-info is a succession of capabilities
note: icq2000b sends 1) and 2), licq sends only 2)


***********************************
------LOGIN SESSION-----------
connection to login server

server sends (1) <- the number in parentheses is the FLAP channel (SNACs always use channel 2)
4 BYTE 00 00 00 01

client sends (1)
4 BYTE 00 00 00 01
TLV(1) STRING my uin
TLV(2) STRING encrypted password
TLV(3) STRING client profile, example "ICQ Inc. - Product of ICQ (TM).2000b.4.63.1.3279.85"
TLV(16) WORD unk, usually 01 0A
TLV(17) WORD major version, 4 for icq2000, 5 for icq2001
TLV(18) WORD minor version
TLV(19) WORD lesser version
TLV(1A) WORD build version
TLV(14) DWORD dunno version
TLV(0F) STRING language, 2 chars, usually "en"
TLV(0E) STRING country, 2 chars, usually "us"
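
Added example, not part of the original notes: it builds the channel-1 login payload described above and parses it back, to show that TLV(2) is obfuscation rather than encryption, since the XOR bytes are fixed and the same operation undoes itself. The TLV layout (WORD type, WORD length, value) is taken from the AIM docs; the function names and sample values are made up for illustration.

```python
import struct

# XOR bytes from the notes above ("password is xored with these bytes").
ROAST_KEY = bytes.fromhex("F32681C43986DB9271A3B9E6537A957C")

def roast(data: bytes) -> bytes:
    """XOR with the fixed key. Calling it twice returns the input."""
    if len(data) > len(ROAST_KEY):
        # The notes list 16 key bytes and give no rule for longer input.
        raise ValueError("input longer than the 16 listed key bytes")
    return bytes(b ^ k for b, k in zip(data, ROAST_KEY))

def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV as in the AIM docs: WORD type, WORD length (both BE), value."""
    return struct.pack(">HH", tlv_type, len(value)) + value

def build_login(uin: str, password: str, profile: str) -> bytes:
    """Channel-1 payload of the client's login packet (FLAP header omitted)."""
    return (b"\x00\x00\x00\x01"
            + tlv(0x01, uin.encode("ascii"))
            + tlv(0x02, roast(password.encode("ascii")))
            + tlv(0x03, profile.encode("ascii"))
            + tlv(0x0F, b"en")
            + tlv(0x0E, b"us"))

def parse_login(payload: bytes) -> dict:
    """Split the payload into {type: value}, rejecting inconsistent lengths."""
    if payload[:4] != b"\x00\x00\x00\x01":
        raise ValueError("missing 00 00 00 01 prefix")
    tlvs, pos = {}, 4
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from(">HH", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("TLV length runs past end of packet")
        tlvs[tlv_type] = payload[pos:pos + length]
        pos += length
    return tlvs

def unroast_tlv2(payload: bytes) -> str:
    """What anyone who sees the login packet can read out of TLV(2)."""
    return roast(parse_login(payload)[0x02]).decode("ascii")

if __name__ == "__main__":
    # Constructed sample values, not a real account.
    pkt = build_login("12345678", "secret",
                      "ICQ Inc. - Product of ICQ (TM).2000b.4.63.1.3279.85")
    print(parse_login(pkt)[0x02].hex())
    print(unroast_tlv2(pkt))
```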

server sends (4)
TLV(1) STRING my uin
if all goes right
TLV(5) STRING BOS-address:port
TLV(6) STRING cookie
else
TLV(8) error-code
TLV(4) STRING url // not always present
TLV(C) WORD unknown

close connection

-----SERVICE SESSION---------
connection to service server specified in TLV(5)

server sends (1)
4 BYTE 00 00 00 01

client sends (1)
4 BYTE 00 00 00 01
TLV(6) STRING cookie

------SNAC COMMANDS------------

server sends // Server is ready
SNAC 1,03
24 BYTE 00 01 00 02 00 03 00 04 00 06 00 08 00 09 00 0A 00 0B 00 0C 00 13 00 15

client sends // hey, i'm an icq client, not aim
SNAC 1,17
32 BYTE 00 01 00 03 00 13 00 02 00 02 00 01 00 03 00 01 00 15 00 01
00 04 00 01 00 06 00 01 00 09 00 01 00 0A 00 01 00 0B 00 01

server sends // got it, ack to 1,17
SNAC 1,18
48 BYTE 00 01 00 03 00 02 00 01 00 03 00 01 00 04 00 01 00 06 00 01 00 08 00 01
00 09 00 01 00 0A 00 01 00 0B 00 01 00 0C 00 01 00 13 00 02 00 15 00 01

client sends // request rate
SNAC 1,06
empty

server sends // response to 1,06
SNAC 1,07
181 BYTE unknown
WORD # of known messages (N)
N DWORD known messages, a known message is a pair of words: FAMILY/SUBTYPE
17 DWORD unknown, they seem to be message IDs too

client sends // ack to 1,07
SNAC 1,08
10 BYTE 00 01 00 02 00 03 00 04 00 05

client sends // Requests personal information.
SNAC 1,0E
empty

client sends // Request rights information for location service
SNAC 2,02
empty

client sends // Request rights information for buddy list
SNAC 3,02
empty

client sends // Requests rights for ICBM (Instant Message) operations.
SNAC 4,04
empty

client sends // Requests BOS rights
SNAC 9,02
empty

server sends // response to 1,0E
SNAC 1,0F
if bit15 set in flag
8 BYTE 00 06 00 01 00 02 00 03
BUIN my uin
WORD warning level
WORD user class?
TLV(1) WORD class2, usually 00 00 or 00 50
TLV(C) direct-connection-info, usually 0s
TLV(A) IPADDR my ip address
TLV(4) WORD idle time, usually 00 00
TLV(6) DWORD status code
TLV(F) DWORD unknown, it seems to be an incrementing value
TLV(2) TIME_T member since
TLV(3) TIME_T online since

server sends // response to 2,02
SNAC 2,03
TLV(1) 04 00
TLV(2) 00 10
TLV(3) 00 0A

server sends // response to 3,02
SNAC 3,03
TLV(1) 02 58
TLV(2) 02 EE
TLV(3) 02 00

server sends // response to 4,04
SNAC 4,05
16 BYTE unknown, 00 02 00 00 00 03 02 00 03 E7 03 E7 00 00 03 E8

server sends // response to 9,02
SNAC 9,03
TLV(2) 00 A0
TLV(1) 00 A0

client sends // Add ICBM parameter
SNAC 4,02
16 BYTE 00 00 00 00 00 03 1F 40 03 E7 03 E7 00 00 00 00

client sends // set user info
SNAC 2,04
TLV(5) capability-info

client sends // add to contact list
SNAC 3,04
UIN-LIST

client sends // remove from contact list
SNAC 3,05
UIN-LIST

client sends // add to visible list
SNAC 9,05
UIN-LIST

client sends // remove from visible list
SNAC 9,06
UIN-LIST

client sends // add to invisible list
SNAC 9,07
UIN-LIST

client sends // remove from invisible list
SNAC 9,08
UIN-LIST

client sends // add to a sort of visible list
SNAC 9,0A
UIN-LIST

client sends // remove from a sort of visible list
SNAC 9,0B
UIN-LIST

client sends // set status code
SNAC 1,1E
TLV(6) status-code
TLV(8) error-code
TLV(C) direct-connection-info
TLV(11) variable length, sent changing user info
here are some cases (they seem to be groups of 5 bytes)
15 BYTE: 01 0A 19 0B 3B 01 2E 19 0B 3B 01 5E 19 0B 3B
5 BYTE: 01 18 E5 CC 3B
TLV(12) WORD unknown, sent changing user info, usually 0

client sends // unknown (usually after set status code)
SNAC 1,11
DWORD 00 00 00 00

client sends // client ready
SNAC 1,02
64 BYTE unknown, usually 00 01 00 03 01 10 02 8A 00 02 00 01 01 01 02 8A 00 03 00 01
01 10 02 8A 00 15 00 01 01 10 02 8A 00 04 00 01 01 10 02 8A
00 06 00 01 01 10 02 8A 00 09 00 01 01 10 02 8A 00 0A 00 01
01 10 02 8A

client sends // many purposes
SNAC 15,02
TLV(1)
WORD (LE) bytes remaining, useless
UIN my uin
WORD type
WORD req-id
type=3C00 // ask for offlines messages
nothing
type=3E00 // ack to offline messages
nothing
type=D007
WORD subtype
subtype=9808 xml-stype in an LNTS
LNTS '<key>' name of required data '</key>'
subtype=1F05 // simple query info
UIN user to request info
subtype=6905 // simple query info extended (used by icq2001)
DWORD unk, 36 01 04 00
UIN user to request info
subtype=B204 // query info about user
UIN user to request info
subtype=D004 // query my info
UIN my uin
subtype=1505 // wp-short-request
wp-short-request-info
subtype=3305 // wp-full-request
wp-full-request-info
subtype=EA03 // modify user info (main/home)
main-home-info
subtype=FD03 // modify user info (homepage/more)
homepage-more-info
subtype=0604 // modify user info (about)
LNTS about
subtype=F303 // modify user info (work)
work-info
subtype=2E04 // change password
LNTS new password
subtype=C404 // remove user (warning!)
UIN uin to remove
LNTS password
subtype=2404 // set permissions?
BYTE authorization, 00 = required, 01 = not required
BYTE webaware, 00 = off, 01 = on
2 BYTE unknown, 01 00
subtype=D70A // unknown (icq2001)

server sends // Message of the day
SNAC 1,13
if bit15 set in flag
8 BYTE 00 06 00 01 00 02 00 03
WORD unknown, usually 0004
TLV(B) STRING message of the day, usually 'http://www.aol.com'

server sends // many purposes
SNAC 15,03 flag:000x
TLV(1) used for a lot of things
WORD (LE) bytes remaining, useless
UIN my uin
WORD message-type
WORD req-id
message-type = 4100 // offline message
UIN his uin
WORD year (LE)
BYTE month (1=jan)
BYTE day
BYTE hour (GMT time)
BYTE minutes
BYTE msg-subtype
BYTE msg-flags
LNTS msg
WORD 0000, present only in single messages
message-type = 4200 // end of offline messages
BYTE unknown, usually 0
message-type = D007
2 BYTE unknown, usually 98 08
WORD length of the following NTS
NTS "<key>"field-type"</key>"
field-type = DataFilesIP
6 BYTE unk, usually 2A 02 44 25 00 31
message-type = DA07
3 BYTE subtype
subtype=A2080A // where to get ads stuff
LNTS ip address (a web server), usually '<value>205.188.250.25</value>' that is cb.icq.com
subtype=A40132 or AE0132 // empty whitepages result
empty
subtype=A4010A // wp-full-request result
wp-result-info
subtype=AE010A // wp-full-request result (the last)
wp-result-info
DWORD lasting results (LE)
subtype=90010A // wp-short-request result
wp-result-info
subtype=9A010A // wp-short-request result (the last)
wp-result-info
DWORD lasting results (LE)
subtype=C8000A // query result
main-home-info
WORD unknown
subtype=D2000A // query result
work-info
subtype=E6000A // query result
LNTS about
subtype=F0000A // query result
personal-interests-info
subtype=FA000A // query result
past-background-info
subtype=FA0014 // query result: user does not exist
empty
subtype=EB000A // query result
more-email-info
subtype=DC000A // query result
homepage-more-info
WORD unknown
subtype=0E010A // query: additional info
WORD unknown, 0000
subtype=64000A // ack to modify info (main/home)
empty
subtype=78000A // ack to modify info (homepage/more)
empty
subtype=82000A // ack to modify info (about)
empty
subtype=6E000A // ack to modify info (work)
empty
subtype=B4000A // ack to remove user
empty
subtype=AA000A // ack to change password
empty
subtype=A0000A // ack to 2404
empty
subtype=1D030A // ack to D70A
empty
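
Added example, not part of the original notes: a bounds-checked decoder for the offline message (message-type 4100) carried in the TLV(1) value above, using the UIN, WORD (LE) and LNTS definitions from the top of this doc and the FE-separated user-msg layout. Every length field comes from the network, so each read is checked against the remaining buffer; the class and function names and the sample bytes are constructed for illustration.

```python
import struct

class Reader:
    """Cursor over a byte string that refuses to read past its end."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"field needs {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self.take(1)[0]

    def word_le(self) -> int:
        return struct.unpack("<H", self.take(2))[0]

    def uin(self) -> int:  # UIN: 4-byte integer (LE)
        return struct.unpack("<I", self.take(4))[0]

    def lnts(self) -> bytes:
        # LNTS: WORD (LE) length, null char included in that length.
        raw = self.take(self.word_le())
        if not raw or raw[-1] != 0:
            raise ValueError("LNTS without terminating null")
        return raw[:-1]

USER_MSG_FIELDS = ("nick", "first", "last", "email", "unk", "msg")

def parse_offline_message(tlv1: bytes) -> dict:
    """Decode the TLV(1) value of SNAC 15,03 when message-type is 4100."""
    r = Reader(tlv1)
    r.word_le()                       # "bytes remaining"; not trusted
    out = {"to": r.uin()}
    if r.take(2) != b"\x41\x00":
        raise ValueError("not an offline message (type 4100)")
    out["req_id"] = r.take(2).hex()
    out["from"] = r.uin()
    # year (LE), month, day, hour (GMT), minutes
    out["sent"] = (r.word_le(), r.byte(), r.byte(), r.byte(), r.byte())
    out["subtype"], out["flags"] = r.byte(), r.byte()
    msg = r.lnts()
    if out["subtype"] in (0x06, 0x0C):            # user-msg formats
        parts = msg.split(b"\xfe", len(USER_MSG_FIELDS) - 1)
        if len(parts) != len(USER_MSG_FIELDS):
            raise ValueError("user-msg with missing FE-separated fields")
        out["fields"] = {k: v.decode("ascii", "replace")
                         for k, v in zip(USER_MSG_FIELDS, parts)}
    else:
        out["text"] = msg.decode("ascii", "replace")
    return out

def sample_offline_message() -> bytes:
    """Constructed sample: authorization request (subtype 06), made-up UINs."""
    text = b"\xfe".join([b"alice", b"Alice", b"Example",
                         b"alice@example.invalid", b"1", b"please add me"]) + b"\x00"
    body = (struct.pack("<I", 11111111) + b"\x41\x00" + b"\x02\x00"
            + struct.pack("<IHBBBB", 22222222, 2001, 11, 2, 9, 30)
            + b"\x06\x00" + struct.pack("<H", len(text)) + text + b"\x00\x00")
    return struct.pack("<H", len(body)) + body
```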

server sends // ONcoming user
SNAC 3,0B
B-UIN
WORD 0
WORD # of following TLVs
TLV(1) 00 50
TLV(C) direct-connection-info
TLV(A) IPADDR
TLV(4) WORD 0
TLV(6) status
TLV(D) capability-info
TLV(F) DWORD it seems a time in seconds
TLV(2) TIME_T member since
TLV(3) TIME_T online since

server sends // OFFgoing user
SNAC 3,0C
B-UIN
4 BYTE 00 00 00 01
TLV(1) 00 00

server sends // incoming message
SNAC 4,07
8 BYTE ??B, a sort of ID (it seems to be based on timestamp)
WORD msg-format
B-UIN sender's uin
WORD warning level? garbage of OSCAR protocol
WORD 5 or 6, maybe it counts the following TLVs before the format-dependent data
TLV(1) WORD 00 50
TLV(4) WORD 0 (not present in file-req and auto-msg-req)
TLV(6) sender's status
TLV(F) DWORD it seems a time in seconds
TLV(2) TIME_T member since
TLV(3) TIME_T online since
if msg-format = 1 // message
TLV(2)
7 BYTE 05 01 00 01 01 01 01
WORD msg length + 4
4 BYTE 0
STRING message
if msg-format = 4 // url or contacts or auth-req or userAddedYou
TLV(5)
UIN sender's uin
BYTE msg-subtype
BYTE msg-flags
LNTS msg
if text-msg
COLOR foreground
COLOR background
if msg-format = 2 // advanced message
TLV(5)
WORD ??A, 00 02 for file-ack, else 00 00
8 BYTE same as ??B
16 BYTE capability1
if ??A=0000
TLV(A) 00 02 on file-reply, 00 01 else
TLV(5) WORD, listening port (BE) (present on FT)
TLV(3) IPADDR, internal ip (present on FT and file-reply)
TLV(F) empty
TLV(2711)
WORD 1B 00
BYTE ??E (08 in auto-msg-req, else 07)
19 BYTE unk, 0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3 BYTE unk, 03 00 00
if auto-msg-req
BYTE 00
BYTE unk, 00 or 04 (00 in auto-msg-req)
WORD ??D, seems to be a downcounter starting from FFFF
2 BYTE 0E 00
WORD same as ??D
12 BYTE 0
BYTE msg-subtype
BYTE msg-flags
WORD unk, 00 00 or 01 00 or 02 00 (0000 in file-reply, auto-msg-req)
WORD priority
LNTS msg
if file-req
4 BYTE 9F CD D3 11
LNTS filename
DWORD filesize (LE)
4 BYTE 00 FD 81 01
if file-reply
WORD ??C
2 BYTE 0
LNTS ''
DWORD unk
WORD same as ??C but inverted endian
2 BYTE 0
if auto-msg-req
empty
if text-msg
COLOR foreground
COLOR background
TLV(4) IPADDR, external ip (BE) (present on file-req, file-ok)

server sends // server ack to type-2 messages
SNAC 4,0C
10 BYTE equal to the first 10 BYTE of the message
BUIN equal to the message's uin

client sends // send message
SNAC 4,06
8 BYTE ??B, a sort of ID (it seems to be based on timestamp, ACKs should use same ID)
WORD message-format
B-UIN recipient
msg-format=1 // simple message
TLV(2)
7 BYTE 05 01 00 01 01 01 01
WORD msg length + 4
4 BYTE 0
STRING msg
TLV(6)
empty
msg-format=2 // advanced message (only for ICQv7+ clients)
TLV(5)
WORD ??A (00 01 on abort request, else 00 00)
8 BYTE same as ??B
16 BYTE capability1
if ??A = 00 00
TLV(A) 00 01 (maybe 00 02 for file-ack)
TLV(B) 00 01 (present on abort requests)
TLV(5) WORD, listening port (BE) (present on file-req)
TLV(3) IPADDR, internal ip (present on file-req)
TLV(F) empty
TLV(2711)
26 BYTE ??E, 1B 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00
BYTE unk, 00 or 04 (00 on auto-msg-req)
WORD ??D, seems to be a downcounter starting from FFFF
WORD 0E 00 (it could be a LE counter of following bytes: 0E = 2+12)
WORD same as ??D
12 BYTE 0
BYTE msg-subtype
BYTE msg-flags
WORD unk, 00 00 or 01 00 or 02 00 (0000 in file-reply, 0100 in auto-msg-req)
WORD priority
LNTS msg
if subtype=FT
WORD unk, can be 0
WORD ??C, can be 0
LNTS filename (empty on file-reply)
DWORD filesize (LE) (zero on file-reply)
WORD unk, can be 0
WORD same or similar to ??C
if subtype=chat
BYTE 01
10 BYTE 0
if subtype=msg
COLOR foreground
COLOR background
if subtype=auto-msg-req
empty
TLV(3) empty // ack request?
msg-format=4 // url or contacts or auth-reply or multi-send
TLV(5)
UIN my uin
BYTE msg-subtype
BYTE msg-flags
LNTS msg
if contacts-req
2 BYTE 39 00, it seems to be the number of the following bytes
18 BYTE unk, 2A 0E 7D 46 76 76 D4 11 BC E6 00 04 AC 96 1E A6 02 00
DTS Request For Contacts
15 BYTE 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00
2 BYTE 11 00, it seems to be the number of the following bytes
2 BYTE 0
DTS request message
TLV(6) empty // ack request?

client or server sends // ack to type-2 message (answer to auto-msg-req too)
SNAC 4,0B flags:0000
10 BYTE equal to the first 10 BYTE of the message
BUIN equal to the message's uin
2 BYTE 00 03
47 BYTE from offset 40 (??E) to 86 of TLV(5)
BYTE accept-status
3 BYTE 0
LNTS message
if not auto-msg
4 BYTE 0
if msg
4 BYTE FF FF FF FF
if file-deny
11 BYTE unk, 01 00 00 xx xx 00 00 xx xx 00 00

server sends // warning: you're sending too fast
SNAC 1,0A flags:0000
WORD unk, usually 1, 2 or 3
24 BYTE 00 01 00 00 00 50 00 00 09 C4 00 00 07 D0 00 00 05 DC 00 00 03 20 00 00
WORD unk, maybe indicates the available buffer in the server and it's always under 2000dec
under 5DC (1500dec), the first word is 3
over it's 2
9 BYTE 00 00 17 70 00 00 00 00 01

client sends // add to ignore list (it seems to have no effects)
SNAC 3,05
UIN-LIST

server sends (4)
TLV(9) WORD disconnect reason
00 01 = another client is logging in with this uin
TLV(B) STRING comment?
for reason 00 01, "http://www.aim.aol.com/errors/USER_LOGGED_OFF_NEW_LOGIN.html"

server sends
SNAC 4,01 flags:0000
WORD error-code
000E invalid packet?

server sends
SNAC 17,03 flags:0000
TLV(4) STRING message of the day, usually "http://www.aol.com"
TLV(8) error-code
TLV(C) 00 01

client sends // add to visible list
SNAC 13,08 flags:0000
BYTE 00
BUIN an uin
8 BYTE 00 00 2B 63 00 02 00 00 // maybe last dword is my status

client sends // remove from visible list
SNAC 13,0A flags:0000
BYTE 00
BUIN an uin
8 BYTE 00 00 22 64 00 02 00 00

server sends // ack to 13,0A
SNAC 13,0E flags:8000
10 BYTE unknown, 00 06 00 01 00 02 00 02 00 00

----A (hopefully) CORRECT LOGIN SEQUENCE
login packet (uin/password)
get the cookie and reconnect
send cookie
SNAC 1/3
SNAC 1/17
SNAC 1/6
SNAC 1/E
SNAC 2/2
SNAC 3/2
SNAC 4/4
SNAC 9/2
the server replies 1/7 to the 1/6, and then it goes:
SNAC 1/8
SNAC 4/2
SNAC 2/4
SNAC 3/4 with the contact list
if status = invisible SNAC 9/5 with visible list
SNAC 1/1E with status
SNAC 1/11
if status <> invisible SNAC 9/7 with invisible list
SNAC 1/2
SNAC 15/2, to require offline messages


---RECEIVE A FILE TRANSFER REQUEST VIA SERVER
server:
SNAC 4,07 (file-req)
client:
SNAC 4,06 (file-ok)
or
SNAC 4,0B (file-denied)
server:
SNAC 4,07 (file-ack, with ??A=0002)

after file-req a SNAC 4,07 (file-abort) could happen

---NEW UIN REGISTRATION
server sends (1)
4 BYTE 00 00 00 01

client sends (1)
4 BYTE 00 00 00 01

client sends
SNAC 17,04
3 BYTE 00 01 00
BYTE unk, 3B or 38
4 BYTE 0
4 BYTE 28 00 03 00
4 BYTE 0
4 BYTE 0
4 BYTE ??A, unk, 03 46 00 00 or B4 25 00 00
4 BYTE same as ??A
4 BYTE 0
4 BYTE 0
4 BYTE 0
4 BYTE 0
LNTS chosen password
4 BYTE same as ??A
4 BYTE 00 00 CF 01

server sends
SNAC 17,05
17 BYTE 00 01 00 32 30 00 00 00 00 00 2D 00 03 00 00 00 06
BYTE unk, 0F or 72
2 BYTE 3E 62
2 BYTE unk, E3 53 or CD B5
2 BYTE 7E FF
4 BYTE unk, 14 18 03 46 or 17 08 B4 25
18 BYTE 0
UIN new uin number
2 BYTE unk, 03 46 or B4 25
2 BYTE 00 00

---PEOPLE WHO CONTRIBUTED TO THIS DOC (i decide the order, that is, random)
Jeff Hughes <[email protected]>
Filippov Joe <[email protected]>
Robin Fisher <[email protected]>
Daniel Wirtz <[email protected]>
Alex Efros <[email protected]>