[prog] Update on that reengineering problem

Meredydd meredydd at everybuddy.com
Tue May 27 21:57:49 EST 2003 

On Tuesday 27 May 2003 19:38, Elizabeth Barham wrote:
> Have you tried using the SHA1 hash function instead of MD5?
Hah, no. Neat idea, but that string doesn't appear in the executable either. I 
suppose that could be it, but I'm guessing not, because Microsoft have 
previously shown something of a fetish for MD5 (they use it in the Passport 
auth, in Messenger auth, and the known (IRC6) version of MSN chat).

> In your next message, you gave (my comments in brackets; please
> correct):
Yep, those bracketed comments were correct. Sorry for confusing you :^)

> I'm not clear on what #1 and #2 are, or are they two different
> servers?
Yes. #1 is the challenge/response pair which occurred when talking to the 
dispatch server. #2 is the challenge/response pair which occurred when 
connecting to the server on which the actual chat room was hosted.

> Are either of these the constant string you wrote about? I'd
> like to duplicate the md5 hash'd response of MSN_chat2 just to get a
> feel for it.
Uhm, the response code I know doesn't work if you send your version as IRC7 :(

I have another capture, of an attempt to connect using the old hash for both 
challenges (http://archives.wincoll.ac.uk/~c/MSN_chat4.libpcap):

#1 (old algorithm, identifying version as IRC6):
3c d6 64 5b b8 c2 47 79
-->	da 2c fc b8 3b 91 d1 d7 7d f6 63 57 4d 4d 49 a5

#2 fails.

As an illustration of the algorithm, I have a little C program which will 
perform the hash we know at http://archives.wincoll.ac.uk/~c/hashit.tgz 
(includes Aladdin's MD5 implementation). Do you read C?

By the way, I've found what appears to be a working implementation of MSN chat 
- an mIRC script called "Vincula Neo". I'm having a little bit of trouble 
figuring out how it works, and it may be that it offloads the verification 
hash to innards of the OCX, but it's be worth a look. First hit on Google, so 
I shaln't bother uploading a copy...

> Also, I had difficulty parsing the libpcap file with tcpdump:
>
> # tcpdump -F MSN_chat3.libpcap
> tcpdump: illegal char 'Ô'
>
> Should I use another method?
Eep! Um, that Shouldn't Happen(tm). Ethereal opens it fine - have you tried 
that?

> Also, retrieving MSN_chat2.libpcap results in an ERROR 403: Forbidden
> from here.
Oops. Try now?

Meredydd

More information about the Programming mailing list