[icq-devel] Another dirty but working way to implement protocol extensions

E Filippov joe at idisys.iae.nsk.su
Wed Mar 27 14:33:34 CET 2002

I made several little experiments with sending strange-msg

Discovered, that:

- "normal" strange-msg packets easily reach the recipient

- appending TLVs with illegal types makes strange-msgs to
  be ignored by the server; such strange-msgs never reach
  the recipient client (I tried types 0xCAFE, 0xBABE,
  0xABAC, 0x00FE, 0x00FF);
- using empty ack-request tlvs as data containers is not
  possible, too (i tried 00 03 00 00 "ack request?", 00 06
  00 00 "ack request?", using them in the following way:
  e.g. 00 03 00 04 0a 0b 0c 0d) (they are removed from the
  strange-msgs by the server, and strange-msgs are
  delivered in this reduced form).

- also, i tried to use the empty 0f 00 00 00 tlv of the
  "msg-data-2" structure as data container; this made the
  server eat my strange-msg packets.
I finally appended the custom data after the null
terminator byte of the LNTS, and inserted it into the "LNTS
msg" field of the "msg-data-2" structure.  One is able to
append any byte sequence there.

This way, any custom data reaches the recipient client.
(Length of this is restricted: it can have any length <=
6999 bytes).  ICQ2000b build 3286 silently ignores such
packets.  I didn't test other official clients. &RQ clone
silently ignores such packets, too.

Implementation details attached.

-------------- next part --------------
  //user_data is an example custom data to transmit
  //to the recipient, so that it will be ignored by 
  //the official clients

  //user_data can have any length <= 6999 bytes

  byte[] user_data = new byte[] {
    (byte) 0x01, (byte) 0x23,   (byte) 0x45, (byte) 0x67, 
    (byte) 0x89, (byte) 0xab,   (byte) 0xcd, (byte) 0xef
  long msg_id = 7 | ((((long) 0xffff) & this.nextMsgId++) << 16);
  SNAC p = new SNAC(0x0004, 0x0006, 0, 0, msg_id);

  byte[] cookie = this.msgCookie = new byte[8];
  fillMsgCookie(cookie); //fills 6 random bytes + 2 bytes of 0x00
  p.addWord(2); //msg channel aka msgfmt
  p.addStringPrependedWithByteLength(dstLoginId); //recipient uin //for example, 08 01 02 03 04 05 06 07 08 (if dstLoginId=="12345678")

  p.addWord(0x74 + user_data.length);
  //msg-data-2 start
  p.addWord(0); //??A


  p.addByteArray(new byte[] {
    //16 BYTE    capability1
    (byte) 0x09, (byte) 0x46, (byte) 0x13, (byte) 0x49,
    (byte) 0x4C, (byte) 0x7F, (byte) 0x11, (byte) 0xD1, 
    (byte) 0x82, (byte) 0x22, (byte) 0x44, (byte) 0x45, 
    (byte) 0x53, (byte) 0x54, (byte) 0x00, (byte) 0x00, 
    (byte) 0x00, (byte) 0x0A, (byte) 0x00, (byte) 0x02, 
    (byte) 0x00, (byte) 0x01, 
    (byte) 0x00, (byte) 0x0F, (byte) 0x00, (byte) 0x00, 

    (byte) 0x27, (byte) 0x11, 
    (byte) 0x00, (byte) (0x4C + user_data.length),
    (byte) 0x1B, (byte) 0x00, 
    (byte) 0x07, (byte) 0x00,
    //18 bytes of unk
    (byte) 0x10, (byte) 0xCF, (byte) 0x40, 
    (byte) 0xD1, (byte) 0x4F, (byte) 0xE9, 
    (byte) 0xD3, (byte) 0x11, (byte) 0xBC, 
    (byte) 0xD2, (byte) 0x00, (byte) 0x04, 
    (byte) 0xAC, (byte) 0x96, (byte) 0xDD,
    (byte) 0x96, (byte) 0x00, (byte) 0x00, 
    (byte) 0x03, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
    (byte) 0x00, 
    (byte) 0xFC, (byte) 0xFF,

    (byte) 0x12, (byte) 0x00, 
    (byte) 0xFC, (byte) 0xFF, 
    (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
    (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
    (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
    (byte) 0x01, 
    (byte) 0x00, 
    (byte) 0x00, (byte) 0x00,
    (byte) 0x00, (byte) 0x00, 
    //LNTS message_text
    (byte) (0x01 + user_data.length), (byte) 0x00,  //was 01 00
    (byte) 0x00

  p.addByteArray(new byte[] {
    (byte) 0x10, (byte) 0x18, (byte) 0x06, (byte) 0x70, 
    (byte) 0x54, (byte) 0x71, 
    (byte) 0xD3, (byte) 0x11, (byte) 0x8D, (byte) 0xD2,
    (byte) 0x00, (byte) 0x10, (byte) 0x4B, (byte) 0x06, 
    (byte) 0x46, (byte) 0x2E, (byte) 0x00, (byte) 0x00, 
    (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00
  //packet created

More information about the icq-devel mailing list