[Techtalk] Update on that reengineering problem
meredydd at everybuddy.com
Mon May 26 22:27:56 EST 2003
OK, I think I know where I stand now. So here it is.
I am attempting to reverse engineer Microsoft's MSN Chat protocol. This is
proving relatively easy in terms of the protocol itself (it's a bastardised
version of IRC, using for authentication the standard Passport cookie
scheme), but I'm having problems with the client-verification procedures used
to check that the client is the genuine Microsoft OCX, not some *gasp*
non-Windows user. This is a challenge-response sequence required before you
can actually do any talking. Sequence of events goes something like this:
- Client connects to server, sends a version string
- Client sends a constant string to initiate client verification
- Server sends an eight-byte challenge wrapped in a constant string
- Client sends a challenge response
- Server sends "OK" notification, traffic continues
There are in fact two types of server connection. You first connect to a
dispatch server, for which some kind soul has already reversed the response
algorithm, which gives you the IP on which any particular chat room (channel)
is hosted. You then make *another* connection, to the server you've been told
about, and go through the verification routine again. Unfortunately, the
algorithm, which was reverse engineered by the same person/group who did the
first one, has been changed. And I haven't a clue what to.
So. The algorithm I need to replicate takes an eight-byte challenge and
returns a sixteen-byte response. From past experience, it is likely to make
heavy use of MD5 hashing. It may or may not be related to the known algorithm
(as was, in fact, it was identical):
- Append challenge to constant string
- Take hash of the above, append that to another constant string
- Send hash of the above as response
I've tried a grep - not an occurrence of "md5" (in either case) in the OCX.
I've also tried disassembly (an OCX is just an EXE with no main() as far as I
understand), but can't seem to make head or tail of it. From looking at it in
a hex editor, several string constants have had strange things done to them
(spaced out every other char with null zeros etc), and the combination of the
above leads me to suspect that it's been armoured against disassembly.
Unfortunately, I don't know enough about this sort of thing to verify it, and
I can't find any more useful information on the web :-( Oh, and yes, there
is no software apart from that OCX which talks to MSN Chat. No Mac version
(there goes the nice UNIX debugging environment). And internet chat isn't
covered by the DoJ settlement, because it's not a protocol used between
standard MS clients and standard Win2k+ servers.
So - any bright ideas? What should I do next?
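The known algorithm described in the post (challenge appended to a constant, hashed, the digest appended to a second constant, hashed again) is easy to model, and modelling it makes the design weakness plain. The following is an added example, not code from the post or from Microsoft; the two constants are constructed placeholders, since the real OCX strings are not on the page, and `known_response`, `server_verify` and `new_challenge` are names chosen here for illustration.

```python
import hashlib
import hmac
import os

# Constructed placeholders standing in for the two fixed strings the post
# mentions; the real values are unknown here and are not needed to show the
# structure of the scheme.
CONST_1 = b"PLACEHOLDER-CONSTANT-1"
CONST_2 = b"PLACEHOLDER-CONSTANT-2"


def known_response(challenge: bytes,
                   const_1: bytes = CONST_1,
                   const_2: bytes = CONST_2) -> bytes:
    """Two-stage construction from the post:
    response = MD5(const_2 || MD5(const_1 || challenge)).
    An eight-byte challenge in, a sixteen-byte (MD5 digest) response out."""
    if len(challenge) != 8:
        raise ValueError("challenge must be exactly eight bytes")
    inner = hashlib.md5(const_1 + challenge).digest()   # 16 bytes
    return hashlib.md5(const_2 + inner).digest()        # 16 bytes


def new_challenge() -> bytes:
    """Server side: a fresh random eight-byte challenge per connection, so a
    captured response cannot be replayed against a later challenge."""
    return os.urandom(8)


def server_verify(challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant
    time. Note what is actually being checked: possession of CONST_1 and
    CONST_2, which every copy of the client ships with. This proves the peer
    knows the embedded constants, not that it is a particular binary or user."""
    expected = known_response(challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    c = new_challenge()
    r = known_response(c)
    print(c.hex(), "->", r.hex(), "verified:", server_verify(c, r))
```

The point for anyone designing such a check: the only secret material is a pair of constants embedded in a widely distributed client, so the scheme cannot distinguish the genuine client from anything else that holds the same constants. A keyed MAC with a per-user or per-session key negotiated through the real authentication step (here, the Passport cookie) would tie the response to an identity rather than to a binary.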