4 * This contains all the functions needed to actually login.
13 static int aim_encode_password(const char *password, unsigned char *encoded);
15 faim_export int aim_sendflapver(aim_session_t *sess, aim_conn_t *conn)
19 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x01, 4)))
22 aimbs_put32(&fr->data, 0x00000001);
24 aim_tx_enqueue(sess, fr);
30 * This is a bit confusing.
32 * Normal SNAC login goes like this:
34 * - server sends flap version
35 * - client sends flap version
36 * - client sends screen name (17/6)
37 * - server sends hash key (17/7)
38 * - client sends auth request (17/2 -- aim_send_login)
41 * XOR login (for ICQ) goes like this:
43 * - server sends flap version
44 * - client sends auth request which contains flap version (aim_send_login)
47 * For the client API, we make them implement the most complicated version,
48 * and for the simpler version, we fake it and make it look like the more
49 * complicated process.
51 * This is done by giving the client a faked key, just so we can convince
52 * them to call aim_send_login right away, which will detect the session
53 * flag that says this is XOR login and ignore the key, sending an ICQ
54 * login request instead of the normal SNAC one.
56 * As soon as AOL makes ICQ log in the same way as AIM, this is /gone/.
58 * XXX This may cause problems if the client relies on callbacks only
59 * being called from the context of aim_rxdispatch()...
62 static int goddamnicq(aim_session_t *sess, aim_conn_t *conn, const char *sn)
65 aim_rxcallback_t userfunc;
67 sess->flags &= ~AIM_SESS_FLAGS_SNACLOGIN;
68 sess->flags |= AIM_SESS_FLAGS_XORLOGIN;
72 if ((userfunc = aim_callhandler(sess, conn, 0x0017, 0x0007)))
73 userfunc(sess, &fr, "");
79 * In AIM 3.5 protocol, the first stage of login is to request login from the
80 * Authorizer, passing it the screen name for verification. If the name is
81 * invalid, a 0017/0003 is spit back, with the standard error contents. If
82 * valid, a 0017/0007 comes back, which is the signal to send it the main
83 * login command (0017/0002).
86 faim_export int aim_request_login(aim_session_t *sess, aim_conn_t *conn, const char *sn)
90 aim_tlvlist_t *tl = NULL;
92 if (!sess || !conn || !sn)
95 if ((sn[0] >= '0') && (sn[0] <= '9'))
96 return goddamnicq(sess, conn, sn);
98 sess->flags |= AIM_SESS_FLAGS_SNACLOGIN;
100 aim_sendflapver(sess, conn);
102 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 10+2+2+strlen(sn))))
105 snacid = aim_cachesnac(sess, 0x0017, 0x0006, 0x0000, NULL, 0);
106 aim_putsnac(&fr->data, 0x0017, 0x0006, 0x0000, snacid);
108 aim_addtlvtochain_raw(&tl, 0x0001, strlen(sn), sn);
109 aim_writetlvchain(&fr->data, &tl);
110 aim_freetlvchain(&tl);
112 aim_tx_enqueue(sess, fr);
118 * Part two of the ICQ hack. Note the ignoring of the key and clientinfo.
120 static int goddamnicq2(aim_session_t *sess, aim_conn_t *conn, const char *sn, const char *password)
122 static const char clientstr[] = {"ICQ Inc. - Product of ICQ (TM) 2000b.4.65.1.3281.85"};
123 static const char lang[] = {"en"};
124 static const char country[] = {"us"};
126 aim_tlvlist_t *tl = NULL;
127 char *password_encoded;
129 if (!(password_encoded = (char *) malloc(strlen(password))))
132 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x01, 1152))) {
133 free(password_encoded);
137 aim_encode_password(password, password_encoded);
139 aimbs_put32(&fr->data, 0x00000001);
140 aim_addtlvtochain_raw(&tl, 0x0001, strlen(sn), sn);
141 aim_addtlvtochain_raw(&tl, 0x0002, strlen(password), password_encoded);
142 aim_addtlvtochain_raw(&tl, 0x0003, strlen(clientstr), clientstr);
143 aim_addtlvtochain16(&tl, 0x0016, 0x010a);
144 aim_addtlvtochain16(&tl, 0x0017, 0x0004);
145 aim_addtlvtochain16(&tl, 0x0018, 0x0041);
146 aim_addtlvtochain16(&tl, 0x0019, 0x0001);
147 aim_addtlvtochain16(&tl, 0x001a, 0x0cd1);
148 aim_addtlvtochain32(&tl, 0x0014, 0x00000055);
149 aim_addtlvtochain_raw(&tl, 0x000f, strlen(lang), lang);
150 aim_addtlvtochain_raw(&tl, 0x000e, strlen(country), country);
152 aim_writetlvchain(&fr->data, &tl);
154 free(password_encoded);
155 aim_freetlvchain(&tl);
157 aim_tx_enqueue(sess, fr);
163 * send_login(int socket, char *sn, char *password)
165 * This is the initial login request packet.
167 * NOTE!! If you want/need to make use of the aim_sendmemblock() function,
168 * then the client information you send here must exactly match the
169 * executable that you're pulling the data from.
172 * clientstring = "AOL Instant Messenger (SM), version 4.3.2188/WIN32"
178 * unknown = 0x00000086
183 * Latest WinAIM that libfaim can emulate without server-side buddylists:
184 * clientstring = "AOL Instant Messenger (SM), version 4.1.2010/WIN32"
190 * unknown= 0x0000004b
193 * clientstring = "AOL Instant Messenger (SM), version 3.5.1670/WIN32"
199 * unknown =0x0000002a
202 * clientstring = "AOL Instant Messenger (TM) version 1.1.19 for Java built 03/24/98, freeMem 215871 totalMem 1048567, i686, Linus, #2 SMP Sun Feb 11 03:41:17 UTC 2001 2.4.1-ac9, IBM Corporation, 1.1.8, 45.3, Tue Mar 27 12:09:17 PST 2001"
206 * minor2 = (not sent)
208 * unknown= (not sent)
210 * AIM for Linux 1.1.112:
211 * clientstring = "AOL Instant Messenger (SM)"
217 * unknown= 0x0000008b
221 faim_export int aim_send_login(aim_session_t *sess, aim_conn_t *conn, const char *sn, const char *password, struct client_info_s *clientinfo, const char *key)
224 aim_tlvlist_t *tl = NULL;
228 if (!clientinfo || !sn || !password)
231 if (sess->flags & AIM_SESS_FLAGS_XORLOGIN)
232 return goddamnicq2(sess, conn, sn, password);
234 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 1152)))
237 if (sess->flags & AIM_SESS_FLAGS_XORLOGIN) {
238 fr->hdr.flap.type = 0x01;
240 /* Use very specific version numbers to further indicate hack */
241 clientinfo->major2 = 0x010a;
242 clientinfo->major = 0x0004;
243 clientinfo->minor = 0x003c;
244 clientinfo->minor2 = 0x0001;
245 clientinfo->build = 0x0cce;
246 clientinfo->unknown = 0x00000055;
249 snacid = aim_cachesnac(sess, 0x0017, 0x0002, 0x0000, NULL, 0);
250 aim_putsnac(&fr->data, 0x0017, 0x0002, 0x0000, snacid);
252 aim_addtlvtochain_raw(&tl, 0x0001, strlen(sn), sn);
254 aim_encode_password_md5(password, key, digest);
255 aim_addtlvtochain_raw(&tl, 0x0025, 16, digest);
257 aim_addtlvtochain_raw(&tl, 0x0003, strlen(clientinfo->clientstring), clientinfo->clientstring);
258 aim_addtlvtochain16(&tl, 0x0016, (fu16_t)clientinfo->major2);
259 aim_addtlvtochain16(&tl, 0x0017, (fu16_t)clientinfo->major);
260 aim_addtlvtochain16(&tl, 0x0018, (fu16_t)clientinfo->minor);
261 aim_addtlvtochain16(&tl, 0x0019, (fu16_t)clientinfo->minor2);
262 aim_addtlvtochain16(&tl, 0x001a, (fu16_t)clientinfo->build);
263 aim_addtlvtochain_raw(&tl, 0x000e, strlen(clientinfo->country), clientinfo->country);
264 aim_addtlvtochain_raw(&tl, 0x000f, strlen(clientinfo->lang), clientinfo->lang);
265 aim_addtlvtochain16(&tl, 0x0009, 0x0015);
267 aim_writetlvchain(&fr->data, &tl);
269 aim_freetlvchain(&tl);
271 aim_tx_enqueue(sess, fr);
276 faim_export int aim_encode_password_md5(const char *password, const char *key, fu8_t *digest)
281 md5_append(&state, (const md5_byte_t *)key, strlen(key));
282 md5_append(&state, (const md5_byte_t *)password, strlen(password));
283 md5_append(&state, (const md5_byte_t *)AIM_MD5_STRING, strlen(AIM_MD5_STRING));
284 md5_finish(&state, (md5_byte_t *)digest);
290 * aim_encode_password - Encode a password using old XOR method
291 * @password: incoming password
292 * @encoded: buffer to put encoded password
294 * This takes a const pointer to a (null terminated) string
295 * containing the unencoded password. It also gets passed
296 * an already allocated buffer to store the encoded password.
297 * This buffer should be the exact length of the password without
298 * the null. The encoded password buffer /is not %NULL terminated/.
300 * The encoding_table seems to be a fixed set of values. We'll
301 * hope it doesn't change over time!
303 * This is only used for the XOR method, not the better MD5 method.
306 static int aim_encode_password(const char *password, fu8_t *encoded)
308 fu8_t encoding_table[] = {
309 #if 0 /* old v1 table */
310 0xf3, 0xb3, 0x6c, 0x99,
311 0x95, 0x3f, 0xac, 0xb6,
312 0xc5, 0xfa, 0x6b, 0x63,
313 0x69, 0x6c, 0xc3, 0x9f
314 #else /* v2.1 table, also works for ICQ */
315 0xf3, 0x26, 0x81, 0xc4,
316 0x39, 0x86, 0xdb, 0x92,
317 0x71, 0xa3, 0xb9, 0xe6,
318 0x53, 0x7a, 0x95, 0x7c
323 for (i = 0; i < strlen(password); i++)
324 encoded[i] = (password[i] ^ encoding_table[i]);
330 * Generate an authorization response.
332 * You probably don't want this unless you're writing an AIM server. Which
333 * I hope you're not doing. Because it's far more difficult than it looks.
336 faim_export int aim_sendauthresp(aim_session_t *sess, aim_conn_t *conn, const char *sn, int errorcode, const char *errorurl, const char *bosip, const char *cookie, const char *email, int regstatus)
338 aim_tlvlist_t *tlvlist = NULL;
341 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x04, 1152)))
345 aim_addtlvtochain_raw(&tlvlist, 0x0001, strlen(sn), sn);
347 aim_addtlvtochain_raw(&tlvlist, 0x0001, strlen(sess->sn), sess->sn);
350 aim_addtlvtochain16(&tlvlist, 0x0008, errorcode);
351 aim_addtlvtochain_raw(&tlvlist, 0x0004, strlen(errorurl), errorurl);
353 aim_addtlvtochain_raw(&tlvlist, 0x0005, strlen(bosip), bosip);
354 aim_addtlvtochain_raw(&tlvlist, 0x0006, AIM_COOKIELEN, cookie);
355 aim_addtlvtochain_raw(&tlvlist, 0x0011, strlen(email), email);
356 aim_addtlvtochain16(&tlvlist, 0x0013, (fu16_t)regstatus);
359 aim_writetlvchain(&fr->data, &tlvlist);
360 aim_freetlvchain(&tlvlist);
362 aim_tx_enqueue(sess, fr);
368 * Generate a random cookie. (Non-client use only)
370 faim_export int aim_gencookie(fu8_t *buf)
376 for (i = 0; i < AIM_COOKIELEN; i++)
377 buf[i] = 1+(int) (256.0*rand()/(RAND_MAX+0.0));
383 * Send Server Ready. (Non-client)
385 * XXX If anyone cares, this should be made to use the conn-stored group
389 faim_export int aim_sendserverready(aim_session_t *sess, aim_conn_t *conn)
394 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 10+0x22)))
397 snacid = aim_cachesnac(sess, 0x0001, 0x0003, 0x0000, NULL, 0);
399 aim_putsnac(&fr->data, 0x0001, 0x0003, 0x0000, snacid);
400 aimbs_put16(&fr->data, 0x0001);
401 aimbs_put16(&fr->data, 0x0002);
402 aimbs_put16(&fr->data, 0x0003);
403 aimbs_put16(&fr->data, 0x0004);
404 aimbs_put16(&fr->data, 0x0006);
405 aimbs_put16(&fr->data, 0x0008);
406 aimbs_put16(&fr->data, 0x0009);
407 aimbs_put16(&fr->data, 0x000a);
408 aimbs_put16(&fr->data, 0x000b);
409 aimbs_put16(&fr->data, 0x000c);
410 aimbs_put16(&fr->data, 0x0013);
411 aimbs_put16(&fr->data, 0x0015);
413 aim_tx_enqueue(sess, fr);
419 * Send service redirect. (Non-Client)
421 faim_export int aim_sendredirect(aim_session_t *sess, aim_conn_t *conn, fu16_t servid, const char *ip, const char *cookie)
423 aim_tlvlist_t *tlvlist = NULL;
427 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 1152)))
430 snacid = aim_cachesnac(sess, 0x0001, 0x0005, 0x0000, NULL, 0);
431 aim_putsnac(&fr->data, 0x0001, 0x0005, 0x0000, snacid);
433 aim_addtlvtochain16(&tlvlist, 0x000d, servid);
434 aim_addtlvtochain_raw(&tlvlist, 0x0005, strlen(ip), ip);
435 aim_addtlvtochain_raw(&tlvlist, 0x0006, AIM_COOKIELEN, cookie);
437 aim_writetlvchain(&fr->data, &tlvlist);
438 aim_freetlvchain(&tlvlist);
440 aim_tx_enqueue(sess, fr);
446 * See comments in conn.c about how the group associations are supposed
447 * to work, and how they really work.
449 * This info probably doesn't even need to make it to the client.
452 static int hostonline(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
454 aim_rxcallback_t userfunc;
459 if (!(families = malloc(aim_bstream_empty(bs))))
462 for (famcount = 0; aim_bstream_empty(bs); famcount++) {
463 families[famcount] = aimbs_get16(bs);
464 aim_conn_addgroup(rx->conn, families[famcount]);
467 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
468 ret = userfunc(sess, rx, famcount, families);
475 static int redirect(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
480 aim_rxcallback_t userfunc;
481 aim_tlvlist_t *tlvlist;
482 char *chathack = NULL;
486 tlvlist = aim_readtlvchain(bs);
488 if (!aim_gettlv(tlvlist, 0x000d, 1) ||
489 !aim_gettlv(tlvlist, 0x0005, 1) ||
490 !aim_gettlv(tlvlist, 0x0006, 1)) {
491 aim_freetlvchain(&tlvlist);
495 serviceid = aim_gettlv16(tlvlist, 0x000d, 1);
496 ip = aim_gettlv_str(tlvlist, 0x0005, 1);
497 cookie = aim_gettlv_str(tlvlist, 0x0006, 1);
502 if ((serviceid == AIM_CONN_TYPE_CHAT) && sess->pendingjoin) {
503 chathack = sess->pendingjoin;
504 chathackex = sess->pendingjoinexchange;
505 sess->pendingjoin = NULL;
506 sess->pendingjoinexchange = 0;
509 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
510 ret = userfunc(sess, rx, serviceid, ip, cookie, chathack, chathackex);
516 aim_freetlvchain(&tlvlist);
522 * The Rate Limiting System, An Abridged Guide to Nonsense.
524 * OSCAR defines several 'rate classes'. Each class has seperate
525 * rate limiting properties (limit level, alert level, disconnect
526 * level, etc), and a set of SNAC family/type pairs associated with
527 * it. The rate classes, their limiting properties, and the definitions
528 * of which SNACs are belong to which class, are defined in the
529 * Rate Response packet at login to each host.
531 * Logically, all rate offenses within one class count against further
532 * offenses for other SNACs in the same class (ie, sending messages
533 * too fast will limit the number of user info requests you can send,
534 * since those two SNACs are in the same rate class).
536 * Since the rate classes are defined dynamically at login, the values
537 * below may change. But they seem to be fairly constant.
539 * Currently, BOS defines five rate classes, with the commonly used
540 * members as follows...
543 * - Everything thats not in any of the other classes
546 * - Buddy list add/remove
547 * - Permit list add/remove
548 * - Deny list add/remove
551 * - User information requests
555 * - A few unknowns: 2/9, 2/b, and f/2
559 * - Outgoing chat ICBMs
561 * The only other thing of note is that class 5 (chat) has slightly looser
562 * limiting properties than class 3 (normal messages). But thats just a
563 * small bit of trivia for you.
565 * The last thing that needs to be learned about the rate limiting
566 * system is how the actual numbers relate to the passing of time. This
567 * seems to be a big mystery.
572 static int rateresp(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
574 aim_rxcallback_t userfunc;
576 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
577 return userfunc(sess, rx);
582 static int ratechange(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
584 aim_rxcallback_t userfunc;
585 fu16_t code, rateclass;
586 fu32_t currentavg, maxavg, windowsize, clear, alert, limit, disconnect;
588 code = aimbs_get16(bs);
589 rateclass = aimbs_get16(bs);
591 windowsize = aimbs_get32(bs);
592 clear = aimbs_get32(bs);
593 alert = aimbs_get32(bs);
594 limit = aimbs_get32(bs);
595 disconnect = aimbs_get32(bs);
596 currentavg = aimbs_get32(bs);
597 maxavg = aimbs_get32(bs);
599 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
600 return userfunc(sess, rx, code, rateclass, windowsize, clear, alert, limit, disconnect, currentavg, maxavg);
606 static int selfinfo(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
608 aim_rxcallback_t userfunc;
610 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
611 return userfunc(sess, rx);
616 static int evilnotify(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
618 aim_rxcallback_t userfunc;
620 struct aim_userinfo_s userinfo;
622 memset(&userinfo, 0, sizeof(struct aim_userinfo_s));
624 newevil = aimbs_get16(bs);
626 if (aim_bstream_empty(bs))
627 aim_extractuserinfo(sess, bs, &userinfo);
629 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
630 return userfunc(sess, rx, newevil, &userinfo);
636 * How Migrations work.
638 * The server sends a Server Pause message, which the client should respond to
639 * with a Server Pause Ack, which contains the families it needs on this
640 * connection. The server will send a Migration Notice with an IP address, and
641 * then disconnect. Next the client should open the connection and send the
642 * cookie. Repeat the normal login process and pretend this never happened.
644 * The Server Pause contains no data.
647 static int serverpause(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
649 aim_rxcallback_t userfunc;
651 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
652 return userfunc(sess, rx);
658 * It is rather important that aim_sendpauseack() gets called for the exact
659 * same connection that the Server Pause callback was called for, since
660 * libfaim extracts the data for the SNAC from the connection structure.
662 * Of course, if you don't do that, more bad things happen than just what
666 faim_export int aim_sendpauseack(aim_session_t *sess, aim_conn_t *conn)
670 aim_conn_inside_t *ins = (aim_conn_inside_t *)conn->inside;
671 struct snacgroup *sg;
673 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 1024)))
676 snacid = aim_cachesnac(sess, 0x0001, 0x000c, 0x0000, NULL, 0);
677 aim_putsnac(&fr->data, 0x0001, 0x000c, 0x0000, snacid);
680 * This list should have all the groups that the original
681 * Host Online / Server Ready said this host supports. And
682 * we want them all back after the migration.
684 for (sg = ins->groups; sg; sg = sg->next)
685 aimbs_put16(&fr->data, sg->group);
687 aim_tx_enqueue(sess, fr);
693 * This is the final SNAC sent on the original connection during a migration.
694 * It contains the IP and cookie used to connect to the new server, and
695 * optionally a list of the SNAC groups being migrated.
698 static int migrate(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
700 aim_rxcallback_t userfunc;
702 fu16_t groupcount, i;
708 * Apparently there's some fun stuff that can happen right here. The
709 * migration can actually be quite selective about what groups it
710 * moves to the new server. When not all the groups for a connection
711 * are migrated, or they are all migrated but some groups are moved
712 * to a different server than others, it is called a bifurcated
715 * Let's play dumb and not support that.
718 groupcount = aimbs_get16(bs);
719 for (i = 0; i < groupcount; i++) {
722 group = aimbs_get16(bs);
724 faimdprintf(sess, 0, "bifurcated migration unsupported -- group 0x%04x\n", group);
727 tl = aim_readtlvchain(bs);
729 if (aim_gettlv(tl, 0x0005, 1))
730 ip = aim_gettlv_str(tl, 0x0005, 1);
732 cktlv = aim_gettlv(tl, 0x0006, 1);
734 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
735 ret = userfunc(sess, rx, ip, cktlv ? cktlv->value : NULL);
737 aim_freetlvchain(&tl);
743 static int motd(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
745 aim_rxcallback_t userfunc;
748 aim_tlvlist_t *tlvlist;
755 * 1 Mandatory upgrade
758 * 4 Nothing's wrong ("top o the world" -- normal)
759 * 5 Lets-break-something.
762 id = aimbs_get16(bs);
767 tlvlist = aim_readtlvchain(bs);
769 msg = aim_gettlv_str(tlvlist, 0x000b, 1);
771 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
772 ret = userfunc(sess, rx, id, msg);
776 aim_freetlvchain(&tlvlist);
781 static int hostversions(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
783 aim_rxcallback_t userfunc;
787 vercount = aim_bstream_empty(bs)/4;
788 versions = aimbs_getraw(bs, aim_bstream_empty(bs));
790 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
791 return userfunc(sess, rx, vercount, versions);
799 * Starting this past week (26 Mar 2001, say), AOL has started sending
800 * this nice little extra SNAC. AFAIK, it has never been used until now.
802 * The request contains eight bytes. The first four are an offset, the
803 * second four are a length.
805 * The offset is an offset into aim.exe when it is mapped during execution
806 * on Win32. So far, AOL has only been requesting bytes in static regions
807 * of memory. (I won't put it past them to start requesting data in
808 * less static regions -- regions that are initialized at run time, but still
809 * before the client recieves this request.)
811 * When the client recieves the request, it adds it to the current ds
812 * (0x00400000) and dereferences it, copying the data into a buffer which
813 * it then runs directly through the MD5 hasher. The 16 byte output of
814 * the hash is then sent back to the server.
816 * If the client does not send any data back, or the data does not match
817 * the data that the specific client should have, the client will get the
818 * following message from "AOL Instant Messenger":
819 * "You have been disconnected from the AOL Instant Message Service (SM)
820 * for accessing the AOL network using unauthorized software. You can
821 * download a FREE, fully featured, and authorized client, here
822 * http://www.aol.com/aim/download2.html"
823 * The connection is then closed, recieving disconnect code 1, URL
824 * http://www.aim.aol.com/errors/USER_LOGGED_OFF_NEW_LOGIN.html.
826 * Note, however, that numerous inconsistencies can cause the above error,
827 * not just sending back a bad hash. Do not immediatly suspect this code
828 * if you get disconnected. AOL and the open/free software community have
829 * played this game for a couple years now, generating the above message
830 * on numerous ocassions.
832 * Anyway, neener. We win again.
835 static int memrequest(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
837 aim_rxcallback_t userfunc;
842 offset = aimbs_get32(bs);
843 len = aimbs_get32(bs);
844 list = aim_readtlvchain(bs);
846 modname = aim_gettlv_str(list, 0x0001, 1);
848 faimdprintf(sess, 1, "data at 0x%08lx (%d bytes) of requested\n", offset, len, modname ? modname : "aim.exe");
850 if ((userfunc = aim_callhandler(sess, rx->conn, snac->family, snac->subtype)))
851 return userfunc(sess, rx, offset, len, modname);
854 aim_freetlvchain(&list);
860 static void dumpbox(aim_session_t *sess, unsigned char *buf, int len)
864 if (!sess || !buf || !len)
867 faimdprintf(sess, 1, "\nDump of %d bytes at %p:", len, buf);
869 for (i = 0; i < len; i++) {
871 faimdprintf(sess, 1, "\n\t");
873 faimdprintf(sess, 1, "0x%2x ", buf[i]);
876 faimdprintf(sess, 1, "\n\n");
882 faim_export int aim_sendmemblock(aim_session_t *sess, aim_conn_t *conn, fu32_t offset, fu32_t len, const fu8_t *buf, fu8_t flag)
890 if (!(fr = aim_tx_new(sess, conn, AIM_FRAMETYPE_FLAP, 0x02, 10+2+16)))
893 snacid = aim_cachesnac(sess, 0x0001, 0x0020, 0x0000, NULL, 0);
895 aim_putsnac(&fr->data, 0x0001, 0x0020, 0x0000, snacid);
896 aimbs_put16(&fr->data, 0x0010); /* md5 is always 16 bytes */
898 if ((flag == AIM_SENDMEMBLOCK_FLAG_ISHASH) && buf && (len == 0x10)) { /* we're getting a hash */
900 aimbs_putraw(&fr->data, buf, 0x10);
902 } else if (buf && (len > 0)) { /* use input buffer */
904 md5_byte_t digest[0x10];
907 md5_append(&state, (const md5_byte_t *)buf, len);
908 md5_finish(&state, digest);
910 aimbs_putraw(&fr->data, (fu8_t *)digest, 0x10);
912 } else if (len == 0) { /* no length, just hash NULL (buf is optional) */
915 md5_byte_t digest[0x10];
918 * These MD5 routines are stupid in that you have to have
919 * at least one append. So thats why this doesn't look
923 md5_append(&state, (const md5_byte_t *)&nil, 0);
924 md5_finish(&state, digest);
926 aimbs_putraw(&fr->data, (fu8_t *)digest, 0x10);
931 * This data is correct for AIM 3.5.1670.
933 * Using these blocks is as close to "legal" as you can get
934 * without using an AIM binary.
937 if ((offset == 0x03ffffff) && (len == 0x03ffffff)) {
939 #if 1 /* with "AnrbnrAqhfzcd" */
940 aimbs_put32(&fr->data, 0x44a95d26);
941 aimbs_put32(&fr->data, 0xd2490423);
942 aimbs_put32(&fr->data, 0x93b8821f);
943 aimbs_put32(&fr->data, 0x51c54b01);
944 #else /* no filename */
945 aimbs_put32(&fr->data, 0x1df8cbae);
946 aimbs_put32(&fr->data, 0x5523b839);
947 aimbs_put32(&fr->data, 0xa0e10db3);
948 aimbs_put32(&fr->data, 0xa46d3b39);
951 } else if ((offset == 0x00001000) && (len == 0x00000000)) {
953 aimbs_put32(&fr->data, 0xd41d8cd9);
954 aimbs_put32(&fr->data, 0x8f00b204);
955 aimbs_put32(&fr->data, 0xe9800998);
956 aimbs_put32(&fr->data, 0xecf8427e);
959 faimdprintf(sess, 0, "sendmemblock: WARNING: unknown hash request\n");
963 aim_tx_enqueue(sess, fr);
968 static int snachandler(aim_session_t *sess, aim_module_t *mod, aim_frame_t *rx, aim_modsnac_t *snac, aim_bstream_t *bs)
971 if (snac->subtype == 0x0003)
972 return hostonline(sess, mod, rx, snac, bs);
973 else if (snac->subtype == 0x0005)
974 return redirect(sess, mod, rx, snac, bs);
975 else if (snac->subtype == 0x0007)
976 return rateresp(sess, mod, rx, snac, bs);
977 else if (snac->subtype == 0x000a)
978 return ratechange(sess, mod, rx, snac, bs);
979 else if (snac->subtype == 0x000b)
980 return serverpause(sess, mod, rx, snac, bs);
981 else if (snac->subtype == 0x000f)
982 return selfinfo(sess, mod, rx, snac, bs);
983 else if (snac->subtype == 0x0010)
984 return evilnotify(sess, mod, rx, snac, bs);
985 else if (snac->subtype == 0x0012)
986 return migrate(sess, mod, rx, snac, bs);
987 else if (snac->subtype == 0x0013)
988 return motd(sess, mod, rx, snac, bs);
989 else if (snac->subtype == 0x0018)
990 return hostversions(sess, mod, rx, snac, bs);
991 else if (snac->subtype == 0x001f)
992 return memrequest(sess, mod, rx, snac, bs);
997 faim_internal int general_modfirst(aim_session_t *sess, aim_module_t *mod)
1000 mod->family = 0x0001;
1001 mod->version = 0x0000;
1003 strncpy(mod->name, "general", sizeof(mod->name));
1004 mod->snachandler = snachandler;
andersk / libfaim.git / blob