[prog] Update on that reengineering problem

Meredydd meredydd at everybuddy.com
Tue May 27 10:57:11 EST 2003


Durr. Knew I was forgetting something. Full captures of two sessions with the 
genuine client are at http://archives.wincoll.ac.uk/~c/MSN_chat2.libpcap (and 
MSN_chat3.libpcap), in pcap format. These are full sessions, so the actual 
IRC connections are right at the end of the file. There are two connections; 
make sure you get the right one!

The lines you're looking for are the ones which start with
"AUTH GateKeeperPassport" and contain "GKSSP". It encodes null zeros, 
newlines, carriage-returns, commas, and spaces as \0, \n, \r, \c, and \b 
respectively, but transmits all other characters as-is. You can spot which 
bits are constant string and where the challenge is by comparing the two 
captures. This could be useful if I've missed something, say, and am hashing 
the wrong characters. That said, I'm pretty sure I know where this code is, 
and the eight-byte length (exactly the same as in challenge #1, for the 
dispatch server) is somewhat reassuring.

The predigested version - extracted eight-byte challenges and the ensuing 
16-byte responses:

MSN_chat2:

#1: 11 93 b7 b5 6d a2 d7 3a
-->	1a db 94 96 a6 1a bf 82 1e 79 44 b0 38 c3 29 9d

#2: 34 e7 54 af 3e 59 02 f8
-->	b5 5c 5c 7a 9f 32 6f 0c 9d 34 cd 78 7a 3c b0 c7 af

MSN_chat3:

#1: 9a 8f 35 35 9e 28 78 4e
-->	4f 16 79 e6 7f e7 56 10 2a 0b 55 6c b6 3d 35 b4

#2: de 45 c1 e2 8e 26 75 db
-->	a5 9e e4 1a bf 2d cd c7 13 09 8b ad 24 53 74 02

The OCX itself is available at http://archives.wincoll.ac.uk/~c/MsnChat45.ocx

STOP PRESS - extra info: while trawling the stuff for this email, I realised 
(dur again) that a different version string was being sent. It appears that 
"IRC6" and "IRC7" use different challenge hashes, but that the chat server no 
longer accepts IRC6, which is why the old hashes still work for the dispatch 
server but not chat. As IRC6 used the same challenge algorithm for both, it 
is exceedingly likely that IRC7 uses the same for both. The values I give 
here are snapshots from the IRC7 sessions I have captured.

Meredydd

On Tuesday 27 May 2003 00:47, Elizabeth Barham wrote:
> Please pass along challenge/response examples so we may look at it.
>
> Elizabeth
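
Added example, not part of the original message or of any MSN Chat code: a decoder for the five escapes the post lists, plus a byte-wise comparison of two decoded payloads to locate the part that varies between captures. The payload framing is constructed for illustration and is not the real GKSSP layout; the two challenges are the #1 values quoted in the post, and any escape the post does not list is rejected rather than guessed.

```python
ESCAPES = {b"0": 0x00, b"n": 0x0A, b"r": 0x0D, b"c": 0x2C, b"b": 0x20}

def unescape(data: bytes) -> bytes:
    """Undo the \\0 \\n \\r \\c \\b encoding; other bytes pass through."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0x5C:  # not a backslash: literal byte
            out.append(data[i])
            i += 1
            continue
        code = data[i + 1:i + 2]
        if code not in ESCAPES:
            # Only five escapes are listed; reject others rather than guess.
            raise ValueError(f"unknown or truncated escape at offset {i}")
        out.append(ESCAPES[code])
        i += 2
    return bytes(out)

def escape(data: bytes) -> bytes:
    """Inverse mapping, used here only to build the constructed samples."""
    rev = {v: b"\\" + k for k, v in ESCAPES.items()}
    return b"".join(rev.get(b, bytes([b])) for b in data)

def varying_ranges(a: bytes, b: bytes) -> list:
    """Half-open (start, end) ranges where two equal-length payloads differ."""
    if len(a) != len(b):
        raise ValueError("payloads differ in length; align them first")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def locate_challenge(wire_a: bytes, wire_b: bytes) -> list:
    return varying_ranges(unescape(wire_a), unescape(wire_b))

# Constructed framing (NOT the real GKSSP layout) exercising all five escapes.
PREFIX = b"GKSSP\x00 constructed,framing\r\n"
CH_A = bytes.fromhex("11 93 b7 b5 6d a2 d7 3a")  # MSN_chat2 #1 from the post
CH_B = bytes.fromhex("9a 8f 35 35 9e 28 78 4e")  # MSN_chat3 #1 from the post
WIRE_A, WIRE_B = escape(PREFIX + CH_A), escape(PREFIX + CH_B)

if __name__ == "__main__":
    print(locate_challenge(WIRE_A, WIRE_B))
```

If two challenges happen to share a byte at the same offset, the varying range splits in two, so comparing more than two captures gives a cleaner boundary.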


