4 * This contains all the functions needed to actually login.
13 static int aim_encode_password(const char *password, unsigned char *encoded);
15 faim_export int aim_sendflapver(aim_session_t *sess, aim_conn_t *conn)
19 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x01, 4)))
22 aimbs_put32(&fr->data, 0x00000001);
24 aim_tx_enqueue(sess, fr);
30 * This is a bit confusing.
32 * Normal SNAC login goes like this:
34 * - server sends flap version
35 * - client sends flap version
36 * - client sends screen name (17/6)
37 * - server sends hash key (17/7)
38 * - client sends auth request (17/2 -- aim_send_login)
41 * XOR login (for ICQ) goes like this:
43 * - server sends flap version
44 * - client sends auth request which contains flap version (aim_send_login)
47 * For the client API, we make them implement the most complicated version,
48 * and for the simpler version, we fake it and make it look like the more
49 * complicated process.
51 * This is done by giving the client a faked key, just so we can convince
52 * them to call aim_send_login right away, which will detect the session
53 * flag that says this is XOR login and ignore the key, sending an ICQ
54 * login request instead of the normal SNAC one.
56 * As soon as AOL makes ICQ log in the same way as AIM, this is /gone/.
58 * XXX This may cause problems if the client relies on callbacks only
59 * being called from the context of aim_rxdispatch()...
62 static int goddamnicq(aim_session_t *sess, aim_conn_t *conn, const char *sn)
65 aim_rxcallback_t userfunc;
67 sess->flags &= ~AIM_SESS_FLAGS_SNACLOGIN;
68 sess->flags |= AIM_SESS_FLAGS_XORLOGIN;
72 if ((userfunc = aim_callhandler(sess, conn, 0x0017, 0x0007)))
73 userfunc(sess, &fr, "");
79 * In AIM 3.5 protocol, the first stage of login is to request login from the
80 * Authorizer, passing it the screen name for verification. If the name is
81 * invalid, a 0017/0003 is spit back, with the standard error contents. If
82 * valid, a 0017/0007 comes back, which is the signal to send it the main
83 * login command (0017/0002).
85 * XXX make ICQ logins work again.
87 faim_export int aim_request_login(aim_session_t *sess, aim_conn_t *conn, const char *sn)
91 aim_tlvlist_t *tl = NULL;
93 if (!sess || !conn || !sn)
96 if ((sn[0] >= '0') || (sn[0] <= '9'))
97 return goddamnicq(sess, conn, sn);
99 sess->flags |= AIM_SESS_FLAGS_SNACLOGIN;
101 aim_sendflapver(sess, conn);
103 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 10+2+2+strlen(sn))))
106 snacid = aim_cachesnac(sess, 0x0017, 0x0006, 0x0000, NULL, 0);
107 aim_putsnac(&fr->data, 0x0017, 0x0006, 0x0000, snacid);
109 aim_addtlvtochain_raw(&tl, 0x0001, strlen(sn), sn);
110 aim_writetlvchain(&fr->data, &tl);
111 aim_freetlvchain(&tl);
113 aim_tx_enqueue(sess, fr);
119 * Part two of the ICQ hack. Note the ignoring of the key and clientinfo.
121 static int goddamnicq2(aim_session_t *sess, aim_conn_t *conn, const char *sn, const char *password)
123 static const char clientstr[] = {"ICQ Inc. - Product of ICQ (TM) 2000b.4.65.1.3281.85"};
124 static const char lang[] = {"en"};
125 static const char country[] = {"us"};
127 aim_tlvlist_t *tl = NULL;
128 char *password_encoded;
130 if (!(password_encoded = (char *) malloc(strlen(password))))
133 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x01, 1152))) {
134 free(password_encoded);
138 aim_encode_password(password, password_encoded);
140 aimbs_put32(&fr->data, 0x00000001);
141 aim_addtlvtochain_raw(&tl, 0x0001, strlen(sn), sn);
142 aim_addtlvtochain_raw(&tl, 0x0002, strlen(password), password_encoded);
143 aim_addtlvtochain_raw(&tl, 0x0003, strlen(clientstr), clientstr);
144 aim_addtlvtochain16(&tl, 0x0016, 0x010a);
145 aim_addtlvtochain16(&tl, 0x0017, 0x0004);
146 aim_addtlvtochain16(&tl, 0x0018, 0x0041);
147 aim_addtlvtochain16(&tl, 0x0019, 0x0001);
148 aim_addtlvtochain16(&tl, 0x001a, 0x0cd1);
149 aim_addtlvtochain32(&tl, 0x0014, 0x00000055);
150 aim_addtlvtochain_raw(&tl, 0x000f, strlen(lang), lang);
151 aim_addtlvtochain_raw(&tl, 0x000e, strlen(country), country);
153 aim_writetlvchain(&fr->data, &tl);
155 free(password_encoded);
156 aim_freetlvchain(&tl);
158 aim_tx_enqueue(sess, fr);
164 * send_login(int socket, char *sn, char *password)
166 * This is the initial login request packet.
168 * NOTE!! If you want/need to make use of the aim_sendmemblock() function,
169 * then the client information you send here must exactly match the
170 * executable that you're pulling the data from.
173 * clientstring = "AOL Instant Messenger (SM), version 4.3.2188/WIN32"
179 * unknown = 0x00000086
184 * Latest WinAIM that libfaim can emulate without server-side buddylists:
185 * clientstring = "AOL Instant Messenger (SM), version 4.1.2010/WIN32"
191 * unknown= 0x0000004b
194 * clientstring = "AOL Instant Messenger (SM), version 3.5.1670/WIN32"
200 * unknown =0x0000002a
203 * clientstring = "AOL Instant Messenger (TM) version 1.1.19 for Java built 03/24/98, freeMem 215871 totalMem 1048567, i686, Linus, #2 SMP Sun Feb 11 03:41:17 UTC 2001 2.4.1-ac9, IBM Corporation, 1.1.8, 45.3, Tue Mar 27 12:09:17 PST 2001"
207 * minor2 = (not sent)
209 * unknown= (not sent)
211 * AIM for Linux 1.1.112:
212 * clientstring = "AOL Instant Messenger (SM)"
218 * unknown= 0x0000008b
222 faim_export int aim_send_login(aim_session_t *sess, aim_conn_t *conn, const char *sn, const char *password, struct client_info_s *clientinfo, const char *key)
225 aim_tlvlist_t *tl = NULL;
229 if (!clientinfo || !sn || !password)
232 if (sess->flags & AIM_SESS_FLAGS_XORLOGIN)
233 return goddamnicq2(sess, conn, sn, password);
235 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 1152)))
238 if (sess->flags & AIM_SESS_FLAGS_XORLOGIN) {
239 fr->hdr.flap.type = 0x01;
241 /* Use very specific version numbers to further indicate hack */
242 clientinfo->major2 = 0x010a;
243 clientinfo->major = 0x0004;
244 clientinfo->minor = 0x003c;
245 clientinfo->minor2 = 0x0001;
246 clientinfo->build = 0x0cce;
247 clientinfo->unknown = 0x00000055;
250 snacid = aim_cachesnac(sess, 0x0017, 0x0002, 0x0000, NULL, 0);
251 aim_putsnac(&fr->data, 0x0017, 0x0002, 0x0000, snacid);
253 aim_addtlvtochain_raw(&tl, 0x0001, strlen(sn), sn);
255 aim_encode_password_md5(password, key, digest);
256 aim_addtlvtochain_raw(&tl, 0x0025, 16, digest);
258 aim_addtlvtochain_raw(&tl, 0x0003, strlen(clientinfo->clientstring), clientinfo->clientstring);
259 aim_addtlvtochain16(&tl, 0x0016, (fu16_t)clientinfo->major2);
260 aim_addtlvtochain16(&tl, 0x0017, (fu16_t)clientinfo->major);
261 aim_addtlvtochain16(&tl, 0x0018, (fu16_t)clientinfo->minor);
262 aim_addtlvtochain16(&tl, 0x0019, (fu16_t)clientinfo->minor2);
263 aim_addtlvtochain16(&tl, 0x001a, (fu16_t)clientinfo->build);
264 aim_addtlvtochain_raw(&tl, 0x000e, strlen(clientinfo->country), clientinfo->country);
265 aim_addtlvtochain_raw(&tl, 0x000f, strlen(clientinfo->lang), clientinfo->lang);
266 aim_addtlvtochain16(&tl, 0x0009, 0x0015);
268 aim_writetlvchain(&fr->data, &tl);
270 aim_freetlvchain(&tl);
272 aim_tx_enqueue(sess, fr);
277 faim_export int aim_encode_password_md5(const char *password, const char *key, fu8_t *digest)
282 md5_append(&state, (const md5_byte_t *)key, strlen(key));
283 md5_append(&state, (const md5_byte_t *)password, strlen(password));
284 md5_append(&state, (const md5_byte_t *)AIM_MD5_STRING, strlen(AIM_MD5_STRING));
285 md5_finish(&state, (md5_byte_t *)digest);
291 * aim_encode_password - Encode a password using old XOR method
292 * @password: incoming password
293 * @encoded: buffer to put encoded password
295 * This takes a const pointer to a (null terminated) string
296 * containing the unencoded password. It also gets passed
297 * an already allocated buffer to store the encoded password.
298 * This buffer should be the exact length of the password without
299 * the null. The encoded password buffer /is not %NULL terminated/.
301 * The encoding_table seems to be a fixed set of values. We'll
302 * hope it doesn't change over time!
304 * This is only used for the XOR method, not the better MD5 method.
307 static int aim_encode_password(const char *password, fu8_t *encoded)
309 fu8_t encoding_table[] = {
310 #if 0 /* old v1 table */
311 0xf3, 0xb3, 0x6c, 0x99,
312 0x95, 0x3f, 0xac, 0xb6,
313 0xc5, 0xfa, 0x6b, 0x63,
314 0x69, 0x6c, 0xc3, 0x9f
315 #else /* v2.1 table, also works for ICQ */
316 0xf3, 0x26, 0x81, 0xc4,
317 0x39, 0x86, 0xdb, 0x92,
318 0x71, 0xa3, 0xb9, 0xe6,
319 0x53, 0x7a, 0x95, 0x7c
324 for (i = 0; i < strlen(password); i++)
325 encoded[i] = (password[i] ^ encoding_table[i]);
331 * Generate an authorization response.
333 * You probably don't want this unless you're writing an AIM server. Which
334 * I hope you're not doing. Because it's far more difficult than it looks.
337 faim_export int aim_sendauthresp(aim_session_t *sess, aim_conn_t *conn, const char *sn, int errorcode, const char *errorurl, const char *bosip, const char *cookie, const char *email, int regstatus)
339 aim_tlvlist_t *tlvlist = NULL;
342 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x04, 1152)))
346 aim_addtlvtochain_raw(&tlvlist, 0x0001, strlen(sn), sn);
348 aim_addtlvtochain_raw(&tlvlist, 0x0001, strlen(sess->sn), sess->sn);
351 aim_addtlvtochain16(&tlvlist, 0x0008, errorcode);
352 aim_addtlvtochain_raw(&tlvlist, 0x0004, strlen(errorurl), errorurl);
354 aim_addtlvtochain_raw(&tlvlist, 0x0005, strlen(bosip), bosip);
355 aim_addtlvtochain_raw(&tlvlist, 0x0006, AIM_COOKIELEN, cookie);
356 aim_addtlvtochain_raw(&tlvlist, 0x0011, strlen(email), email);
357 aim_addtlvtochain16(&tlvlist, 0x0013, (fu16_t)regstatus);
360 aim_writetlvchain(&fr->data, &tlvlist);
361 aim_freetlvchain(&tlvlist);
363 aim_tx_enqueue(sess, fr);
369 * Generate a random cookie. (Non-client use only)
371 faim_export int aim_gencookie(fu8_t *buf)
377 for (i = 0; i < AIM_COOKIELEN; i++)
378 buf[i] = 1+(int) (256.0*rand()/(RAND_MAX+0.0));
384 * Send Server Ready. (Non-client)
386 * XXX If anyone cares, this should be made to use the conn-stored group
390 faim_export int aim_sendserverready(aim_session_t *sess, aim_conn_t *conn)
395 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 10+0x22)))
398 snacid = aim_cachesnac(sess, 0x0001, 0x0003, 0x0000, NULL, 0);
400 aim_putsnac(&fr->data, 0x0001, 0x0003, 0x0000, snacid);
401 aimbs_put16(&fr->data, 0x0001);
402 aimbs_put16(&fr->data, 0x0002);
403 aimbs_put16(&fr->data, 0x0003);
404 aimbs_put16(&fr->data, 0x0004);
405 aimbs_put16(&fr->data, 0x0006);
406 aimbs_put16(&fr->data, 0x0008);
407 aimbs_put16(&fr->data, 0x0009);
408 aimbs_put16(&fr->data, 0x000a);
409 aimbs_put16(&fr->data, 0x000b);
410 aimbs_put16(&fr->data, 0x000c);
411 aimbs_put16(&fr->data, 0x0013);
412 aimbs_put16(&fr->data, 0x0015);
414 aim_tx_enqueue(sess, fr);
420 * Send service redirect. (Non-Client)
422 faim_export int aim_sendredirect(aim_session_t *sess, aim_conn_t *conn, fu16_t servid, const char *ip, const char *cookie)
424 aim_tlvlist_t *tlvlist = NULL;
428 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 1152)))
431 snacid = aim_cachesnac(sess, 0x0001, 0x0005, 0x0000, NULL, 0);
432 aim_putsnac(&fr->data, 0x0001, 0x0005, 0x0000, snacid);
434 aim_addtlvtochain16(&tlvlist, 0x000d, servid);
435 aim_addtlvtochain_raw(&tlvlist, 0x0005, strlen(ip), ip);
436 aim_addtlvtochain_raw(&tlvlist, 0x0006, AIM_COOKIELEN, cookie);
438 aim_writetlvchain(&fr->data, &tlvlist);
439 aim_freetlvchain(&tlvlist);
441 aim_tx_enqueue(sess, fr);
447 * See comments in conn.c about how the group associations are supposed
448 * to work, and how they really work.
450 * This info probably doesn't even need to make it to the client.
453 static int hostonline(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
455 aim_rxcallback_t userfunc;
460 if (!(families = malloc(aim_bstream_empty(bs))))
463 for (famcount = 0; aim_bstream_empty(bs); famcount++) {
464 families[famcount] = aimbs_get16(bs);
465 aim_conn_addgroup(rx->conn, families[famcount]);
468 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
469 ret = userfunc(sess, rx, famcount, families);
476 static int redirect(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
481 aim_rxcallback_t userfunc;
482 aim_tlvlist_t *tlvlist;
483 char *chathack = NULL;
487 tlvlist = aim_readtlvchain(bs);
489 if (!aim_gettlv(tlvlist, 0x000d, 1) ||
490 !aim_gettlv(tlvlist, 0x0005, 1) ||
491 !aim_gettlv(tlvlist, 0x0006, 1)) {
492 aim_freetlvchain(&tlvlist);
496 serviceid = aim_gettlv16(tlvlist, 0x000d, 1);
497 ip = aim_gettlv_str(tlvlist, 0x0005, 1);
498 cookie = aim_gettlv_str(tlvlist, 0x0006, 1);
503 if ((serviceid == AIM_CONN_TYPE_CHAT) && sess->pendingjoin) {
504 chathack = sess->pendingjoin;
505 chathackex = sess->pendingjoinexchange;
506 sess->pendingjoin = NULL;
507 sess->pendingjoinexchange = 0;
510 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
511 ret = userfunc(sess, rx, serviceid, ip, cookie, chathack, chathackex);
517 aim_freetlvchain(&tlvlist);
523 * The Rate Limiting System, An Abridged Guide to Nonsense.
525 * OSCAR defines several 'rate classes'. Each class has seperate
526 * rate limiting properties (limit level, alert level, disconnect
527 * level, etc), and a set of SNAC family/type pairs associated with
528 * it. The rate classes, their limiting properties, and the definitions
529 * of which SNACs are belong to which class, are defined in the
530 * Rate Response packet at login to each host.
532 * Logically, all rate offenses within one class count against further
533 * offenses for other SNACs in the same class (ie, sending messages
534 * too fast will limit the number of user info requests you can send,
535 * since those two SNACs are in the same rate class).
537 * Since the rate classes are defined dynamically at login, the values
538 * below may change. But they seem to be fairly constant.
540 * Currently, BOS defines five rate classes, with the commonly used
541 * members as follows...
544 * - Everything thats not in any of the other classes
547 * - Buddy list add/remove
548 * - Permit list add/remove
549 * - Deny list add/remove
552 * - User information requests
556 * - A few unknowns: 2/9, 2/b, and f/2
560 * - Outgoing chat ICBMs
562 * The only other thing of note is that class 5 (chat) has slightly looser
563 * limiting properties than class 3 (normal messages). But thats just a
564 * small bit of trivia for you.
566 * The last thing that needs to be learned about the rate limiting
567 * system is how the actual numbers relate to the passing of time. This
568 * seems to be a big mystery.
573 static int rateresp(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
575 aim_rxcallback_t userfunc;
577 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
578 return userfunc(sess, rx);
583 static int ratechange(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
585 aim_rxcallback_t userfunc;
586 fu16_t code, rateclass;
587 fu32_t currentavg, maxavg, windowsize, clear, alert, limit, disconnect;
589 code = aimbs_get16(bs);
590 rateclass = aimbs_get16(bs);
592 windowsize = aimbs_get32(bs);
593 clear = aimbs_get32(bs);
594 alert = aimbs_get32(bs);
595 limit = aimbs_get32(bs);
596 disconnect = aimbs_get32(bs);
597 currentavg = aimbs_get32(bs);
598 maxavg = aimbs_get32(bs);
600 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
601 return userfunc(sess, rx, code, rateclass, windowsize, clear, alert, limit, disconnect, currentavg, maxavg);
607 static int selfinfo(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
609 aim_rxcallback_t userfunc;
611 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
612 return userfunc(sess, rx);
617 static int evilnotify(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
619 aim_rxcallback_t userfunc;
621 struct aim_userinfo_s userinfo;
623 memset(&userinfo, 0, sizeof(struct aim_userinfo_s));
625 newevil = aimbs_get16(bs);
627 if (aim_bstream_empty(bs))
628 aim_extractuserinfo(sess, bs, &userinfo);
630 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
631 return userfunc(sess, rx, newevil, &userinfo);
637 * How Migrations work.
639 * The server sends a Server Pause message, which the client should respond to
640 * with a Server Pause Ack, which contains the families it needs on this
641 * connection. The server will send a Migration Notice with an IP address, and
642 * then disconnect. Next the client should open the connection and send the
643 * cookie. Repeat the normal login process and pretend this never happened.
645 * The Server Pause contains no data.
648 static int serverpause(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
650 aim_rxcallback_t userfunc;
652 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
653 return userfunc(sess, rx);
659 * It is rather important that aim_sendpauseack() gets called for the exact
660 * same connection that the Server Pause callback was called for, since
661 * libfaim extracts the data for the SNAC from the connection structure.
663 * Of course, if you don't do that, more bad things happen than just what
667 faim_export int aim_sendpauseack(aim_session_t *sess, aim_conn_t *conn)
671 aim_conn_inside_t *ins = (aim_conn_inside_t *)conn->inside;
672 struct snacgroup *sg;
674 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 1024)))
677 snacid = aim_cachesnac(sess, 0x0001, 0x000c, 0x0000, NULL, 0);
678 aim_putsnac(&fr->data, 0x0001, 0x000c, 0x0000, snacid);
681 * This list should have all the groups that the original
682 * Host Online / Server Ready said this host supports. And
683 * we want them all back after the migration.
685 for (sg = ins->groups; sg; sg = sg->next)
686 aimbs_put16(&fr->data, sg->group);
688 aim_tx_enqueue(sess, fr);
694 * This is the final SNAC sent on the original connection during a migration.
695 * It contains the IP and cookie used to connect to the new server, and
696 * optionally a list of the SNAC groups being migrated.
699 static int migrate(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
701 aim_rxcallback_t userfunc;
703 fu16_t groupcount, i;
709 * Apparently there's some fun stuff that can happen right here. The
710 * migration can actually be quite selective about what groups it
711 * moves to the new server. When not all the groups for a connection
712 * are migrated, or they are all migrated but some groups are moved
713 * to a different server than others, it is called a bifurcated
716 * Let's play dumb and not support that.
719 groupcount = aimbs_get16(bs);
720 for (i = 0; i < groupcount; i++) {
723 group = aimbs_get16(bs);
725 faimdprintf(sess, 0, "bifurcated migration unsupported -- group 0x%04x\n", group);
728 tl = aim_readtlvchain(bs);
730 if (aim_gettlv(tl, 0x0005, 1))
731 ip = aim_gettlv_str(tl, 0x0005, 1);
733 cktlv = aim_gettlv(tl, 0x0006, 1);
735 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
736 ret = userfunc(sess, rx, ip, cktlv ? cktlv->value : NULL);
738 aim_freetlvchain(&tl);
744 static int motd(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
746 aim_rxcallback_t userfunc;
749 aim_tlvlist_t *tlvlist;
756 * 1 Mandatory upgrade
759 * 4 Nothing's wrong ("top o the world" -- normal)
762 id = aimbs_get16(bs);
767 tlvlist = aim_readtlvchain(bs);
769 msg = aim_gettlv_str(tlvlist, 0x000b, 1);
771 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
772 ret = userfunc(sess, rx, id, msg);
776 aim_freetlvchain(&tlvlist);
781 static int hostversions(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
783 aim_rxcallback_t userfunc;
787 vercount = aim_bstream_empty(bs)/4;
788 versions = aimbs_getraw(bs, aim_bstream_empty(bs));
790 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
791 return userfunc(sess, rx, vercount, versions);
799 * Starting this past week (26 Mar 2001, say), AOL has started sending
800 * this nice little extra SNAC. AFAIK, it has never been used until now.
802 * The request contains eight bytes. The first four are an offset, the
803 * second four are a length.
805 * The offset is an offset into aim.exe when it is mapped during execution
806 * on Win32. So far, AOL has only been requesting bytes in static regions
807 * of memory. (I won't put it past them to start requesting data in
808 * less static regions -- regions that are initialized at run time, but still
809 * before the client recieves this request.)
811 * When the client recieves the request, it adds it to the current ds
812 * (0x00400000) and dereferences it, copying the data into a buffer which
813 * it then runs directly through the MD5 hasher. The 16 byte output of
814 * the hash is then sent back to the server.
816 * If the client does not send any data back, or the data does not match
817 * the data that the specific client should have, the client will get the
818 * following message from "AOL Instant Messenger":
819 * "You have been disconnected from the AOL Instant Message Service (SM)
820 * for accessing the AOL network using unauthorized software. You can
821 * download a FREE, fully featured, and authorized client, here
822 * http://www.aol.com/aim/download2.html"
823 * The connection is then closed, recieving disconnect code 1, URL
824 * http://www.aim.aol.com/errors/USER_LOGGED_OFF_NEW_LOGIN.html.
826 * Note, however, that numerous inconsistencies can cause the above error,
827 * not just sending back a bad hash. Do not immediatly suspect this code
828 * if you get disconnected. AOL and the open/free software community have
829 * played this game for a couple years now, generating the above message
830 * on numerous ocassions.
832 * Anyway, neener. We win again.
835 static int memrequest(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
837 aim_rxcallback_t userfunc;
842 offset = aimbs_get32(bs);
843 len = aimbs_get32(bs);
844 list = aim_readtlvchain(bs);
846 modname = aim_gettlv_str(list, 0x0001, 1);
848 faimdprintf(sess, 1, "data at 0x%08lx (%d bytes) of requested\n", offset, len, modname ? modname : "aim.exe");
850 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
851 return userfunc(sess, rx, offset, len, modname);
854 aim_freetlvchain(&list);
860 static void dumpbox(aim_session_t *sess, unsigned char *buf, int len)
864 if (!sess || !buf || !len)
867 faimdprintf(sess, 1, "\nDump of %d bytes at %p:", len, buf);
869 for (i = 0; i < len; i++) {
871 faimdprintf(sess, 1, "\n\t");
873 faimdprintf(sess, 1, "0x%2x ", buf[i]);
876 faimdprintf(sess, 1, "\n\n");
882 faim_export int aim_sendmemblock(aim_session_t *sess, aim_conn_t *conn, fu32_t offset, fu32_t len, const fu8_t *buf, fu8_t flag)
890 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 10+2+16)))
893 snacid = aim_cachesnac(sess, 0x0001, 0x0020, 0x0000, NULL, 0);
895 aim_putsnac(&fr->data, 0x0001, 0x0020, 0x0000, snacid);
896 aimbs_put16(&fr->data, 0x0010); /* md5 is always 16 bytes */
898 if ((flag == AIM_SENDMEMBLOCK_FLAG_ISHASH) && buf && (len == 0x10)) { /* we're getting a hash */
900 aimbs_putraw(&fr->data, buf, 0x10);
902 } else if (buf && (len > 0)) { /* use input buffer */
904 md5_byte_t digest[0x10];
907 md5_append(&state, (const md5_byte_t *)buf, len);
908 md5_finish(&state, digest);
910 aimbs_putraw(&fr->data, (fu8_t *)digest, 0x10);
912 } else if (len == 0) { /* no length, just hash NULL (buf is optional) */
915 md5_byte_t digest[0x10];
918 * These MD5 routines are stupid in that you have to have
919 * at least one append. So thats why this doesn't look
923 md5_append(&state, (const md5_byte_t *)&nil, 0);
924 md5_finish(&state, digest);
926 aimbs_putraw(&fr->data, (fu8_t *)digest, 0x10);
931 * This data is correct for AIM 3.5.1670.
933 * Using these blocks is as close to "legal" as you can get
934 * without using an AIM binary.
937 if ((offset == 0x03ffffff) && (len == 0x03ffffff)) {
939 #if 1 /* with "AnrbnrAqhfzcd" */
940 aimbs_put32(&fr->data, 0x44a95d26);
941 aimbs_put32(&fr->data, 0xd2490423);
942 aimbs_put32(&fr->data, 0x93b8821f);
943 aimbs_put32(&fr->data, 0x51c54b01);
944 #else /* no filename */
945 aimbs_put32(&fr->data, 0x1df8cbae);
946 aimbs_put32(&fr->data, 0x5523b839);
947 aimbs_put32(&fr->data, 0xa0e10db3);
948 aimbs_put32(&fr->data, 0xa46d3b39);
951 } else if ((offset == 0x00001000) && (len == 0x00000000)) {
953 aimbs_put32(&fr->data, 0xd41d8cd9);
954 aimbs_put32(&fr->data, 0x8f00b204);
955 aimbs_put32(&fr->data, 0xe9800998);
956 aimbs_put32(&fr->data, 0xecf8427e);
959 faimdprintf(sess, 0, "sendmemblock: WARNING: unknown hash request\n");
963 aim_tx_enqueue(sess, fr);
968 static int snachandler(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
971 if (snac->subtype == 0x0003)
972 return hostonline(sess, mod, rx, snac, bs);
973 else if (snac->subtype == 0x0005)
974 return redirect(sess, mod, rx, snac, bs);
975 else if (snac->subtype == 0x0007)
976 return rateresp(sess, mod, rx, snac, bs);
977 else if (snac->subtype == 0x000a)
978 return ratechange(sess, mod, rx, snac, bs);
979 else if (snac->subtype == 0x000b)
980 return serverpause(sess, mod, rx, snac, bs);
981 else if (snac->subtype == 0x000f)
982 return selfinfo(sess, mod, rx, snac, bs);
983 else if (snac->subtype == 0x0010)
984 return evilnotify(sess, mod, rx, snac, bs);
985 else if (snac->subtype == 0x0012)
986 return migrate(sess, mod, rx, snac, bs);
987 else if (snac->subtype == 0x0013)
988 return motd(sess, mod, rx, snac, bs);
989 else if (snac->subtype == 0x0018)
990 return hostversions(sess, mod, rx, snac, bs);
991 else if (snac->subtype == 0x001f)
992 return memrequest(sess, mod, rx, snac, bs);
997 faim_internal int general_modfirst(aim_session_t *sess, aim_module_t *mod)
1000 mod->family = 0x0001;
1001 mod->version = 0x0000;
1003 strncpy(mod->name, "general", sizeof(mod->name));
1004 mod->snachandler = snachandler;