From mds1281@ritvax.isc.rit.edu Mon May  4 14:16:17 1998
Date: Fri, 24 Apr 1998 17:21:11 +0000
From: Matt Smith <mds1281@ritvax.isc.rit.edu>
Reply-To: icq-devel@tjsgroup.com
To: icq-devel@tjsgroup.com
Subject: Re: [ICQdev] the ICQ API..

> 
> What about sharing your findings about the v4 protocol?
> 
No problem, here goes.  I haven't figured everything out yet, but if you
have access to some snooping log files this should help.  This is only
for the login packet. All numbers are hex.
The first two bytes are the version of course, 0x0004.
Bytes 0c-0f are the encrypted UIN, which must be XORed with the key to
retrieve the actual value.

How to get the key:
The key is stored in 08-0b and 04-05.
05 should be equal to 09.  Now the key is like this (Intel order, so the
first byte is low order).  Numbers represent position in the packet.
04 09 XX 0b
XX is a bit tricky: if 04 = 08 + 1 then XX = 0a - 1, and if 04 = 08 - 1
then XX = 0a + 1.

The password is still plaintext and starts at 1c with a 2 byte length
including the null, followed by the null terminated password.
This is followed by 98 00 00 00, which is probably the version. Then the
IP, followed by 04 00 01 00 03 00 00 00 00. After this comes the 4 byte
status, I think, then 00 98 00 ends it up, which looks like another version
thing.

There are still a bunch of fields that I don't know what they are.  It's
possible they're other keys or more encrypted data.  I think the command
(bytes 02 03) is encrypted also, since it's always different even on
different login packets.
Currently most of my effort is going to improving Micq, so hopefully this
is enough for someone else to start to work out the protocol.  It's
possible that the same key is used throughout, but that would be bad for
security of course; so is transmitting a plaintext key :)

-- Matt
          =====================================================
          The "unoffical, not-sponsored-by-Mirabilis-one-bit"
          ICQ Clone Development List
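As an added example (not code from the mail, from Micq, or from the list), the following Python decoder implements the login-packet layout Matt describes: the key rebuilt from bytes 04, 09, XX and 0b, the UIN recovered by XOR from 0c-0f, and the plaintext password read from 1c onward. The packet bytes are constructed to match that layout; the command, unknown fields, IP and status are arbitrary fill, and the sanity checks (05 == 09, the 04 versus 08 rule) are the ones the mail states.

```python
import struct


def derive_key(pkt: bytes) -> bytes:
    """Rebuild the 4-byte XOR key from bytes 04, 09, XX, 0b (Intel order: first byte low)."""
    if pkt[0x05] != pkt[0x09]:
        raise ValueError("byte 05 should equal byte 09; not a v4 login packet?")
    b04, b08, b09, b0a, b0b = pkt[0x04], pkt[0x08], pkt[0x09], pkt[0x0A], pkt[0x0B]
    if b04 == (b08 + 1) & 0xFF:          # 04 = 08 + 1  ->  XX = 0a - 1
        xx = (b0a - 1) & 0xFF
    elif b04 == (b08 - 1) & 0xFF:        # 04 = 08 - 1  ->  XX = 0a + 1
        xx = (b0a + 1) & 0xFF
    else:
        raise ValueError("byte 04 is neither 08+1 nor 08-1; the described rule does not apply")
    return bytes([b04, b09, xx, b0b])


def parse_login(pkt: bytes) -> dict:
    """Recover version, key, UIN and the plaintext password from a v4 login packet."""
    (version,) = struct.unpack_from("<H", pkt, 0x00)
    if version != 0x0004:
        raise ValueError(f"unexpected version {version:#06x}")
    key = derive_key(pkt)
    # Bytes 0c-0f hold the UIN XORed with the key; undo it and read little-endian.
    (uin,) = struct.unpack("<I", bytes(c ^ k for c, k in zip(pkt[0x0C:0x10], key)))
    (pw_len,) = struct.unpack_from("<H", pkt, 0x1C)   # length includes the NUL
    pw_raw = pkt[0x1E:0x1E + pw_len]
    if len(pw_raw) != pw_len or not pw_raw.endswith(b"\0"):
        raise ValueError("password field truncated or not NUL-terminated")
    return {"version": version, "key": key.hex(), "uin": uin,
            "password": pw_raw[:-1].decode("latin-1")}


# Constructed sample per the mail (not a capture): UIN 12345678, password "hunter2"; command, IP, status are fill.
SAMPLE = bytes.fromhex(
    "0400"                      # 00-01 version 0x0004
    "a37d"                      # 02-03 command (fill)
    "379a"                      # 04-05 key material; 05 == 09
    "0000"                      # 06-07 unknown
    "369a512c"                  # 08-0b key material; 04 == 08+1, so XX = 0a-1 = 0x50
    "79fbec2c"                  # 0c-0f UIN XOR key 37 9a 50 2c
    "000000000000000000000000"  # 10-1b unknown
    "0800"                      # 1c-1d password length including NUL
    "6875 6e74 6572 3200"       # 1e-25 "hunter2\0"
    "98000000"                  # probable version marker
    "c0a8010a"                  # IP (fill)
    "040001000300000000"        # fixed bytes from the mail
    "00000000"                  # 4-byte status (fill)
    "009800"                    # trailer
)
```

Running `parse_login(SAMPLE)` yields the UIN and password in the clear, which is the point Matt makes: the UIN is only obfuscated with a key carried in the same packet, and the password is not protected at all.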