URL: http://omega.uta.edu/~tom/ICQ/
Mirabilis was founded in July 1996 by four young Israeli avid computer users who established a new Internet company. Yair Goldfinger, Arik Vardi, Sefi Vigiser, and Amnon Amir created the company in order to introduce a new communication tool for the Internet. They found that the Internet provides a connection to all its users, but an interconnection among those users was still missing. They developed the missing technology to allow Internet users to find and locate each other more easily, and to provide them with a simple and easy-to-use tool to create peer-to-peer communication channels. They were the pioneers in this new industry.
In November 1996, only four months after Mirabilis was founded, the first version of the ICQ product was introduced to the Internet. Later it was said that ICQ has "taken the Internet by storm". For example, Alexander Woodby from Tucows wrote, "ICQ is one program that's definitely taking the net by storm. Started by a small group of people, it's proven itself as perhaps the leading interpersonal chat program today." Soon after its release, the ICQ program started spreading very quickly by "word-of-mouse".
In June 1998, America Online acquired all of Mirabilis' assets and ICQ Inc., the successor of Mirabilis Ltd., was created. The ICQ program and its use have been free of charge from the very beginning and still are.

A more detailed introduction to "What is ICQ?" can be found at the Mirabilis web site: http://www.mirabilis.com/products/whatisicq.html
It explains the current version, ICQ99b, whereas my graphics and descriptions are based on the earlier version, ICQ98a.
Fig. 3.1: ICQ Contact List
Fig. 3.2: Online Status
Fig. 3.3: ICQ Features
The list of ICQ Features (Fig. 3.3) appears when a person's name in the contact list is clicked on. Double-clicking a user chooses the default action (send a message). All messages exchanged with each person are stored individually and can be reviewed using View Messages History. Info shows the information about that person that they chose to make public. Other features include sending a file or URL, and requesting a chat session.
The Contact List Wizard (Fig. 3.4) helps you find the people you want to communicate with. You can find ICQ users by different pieces of information, like e-mail address, first and/or last name, or nickname. However, the easiest and fastest way to find a specific ICQ user is by their unique ICQ number (UIN -- Unique Internet Number, according to Mirabilis).
Fig. 3.4: Search for ICQ Users
To search for a new user, choose Add/Find Users from the ICQ menu (Fig. 3.5). The ICQ menu also allows users to set and change their ICQ preferences, and if more than one ICQ user uses the same computer, the current ICQ user can be switched with Add/Change Current User.
The System Menu (Fig. 3.6) enables the user to switch between basic and advanced features for ICQ, and to send a message to non-ICQ-users to introduce them to ICQ.
Fig. 3.5: ICQ Menu
Fig. 3.6: System Menu
First of all, the ICQ Protocol is proprietary to its developer Mirabilis, now ICQ Inc. Any information that is publicly available on the ICQ Protocol has been reverse-engineered by a loose collaboration of people on the Internet with a common interest. Thus, none of the information found or provided in this document is guaranteed to be correct or accurate. However, I am sure the people trying to figure out the ICQ Protocol gave their best effort in doing so, and I would like to thank them for their efforts and for making their work public.
Fig. 4.2 shows a sample screen shot from SocketSpy (demo version) while the ICQ client was disconnected from the ICQ server. The SocketSpy demo version has some restrictions, one being the limitation of the packet dump to 20 bytes.
Now we try to decode (or "decrypt") the packet dump using the scheme for ICQ version V5 (see Fig. 4.3) as it is described in the V5-Encryption page. The first two bytes specify the version number (0x0005), thus we are using the V5 scheme. After 4 zero bytes, the next four bytes are the UIN of the user's ICQ client. After reversing the byte order (the fields are little-endian on the wire) and converting the hex number (0x004E6CAA = 56789020 dec.), it turns out that the UIN is really the one of my ICQ client (56789020). However, I was not able to verify the command (0xC2EE) for disconnecting from ICQ.
Length   | Content (if fixed) | Designation | Description
---------|--------------------|-------------|------------------------------------------
2 bytes  | 05 00              | VERSION     | Protocol version
4 bytes  | 00 00 00 00        | ZERO        | Just zeros, purpose unknown
4 bytes  | AA 6C 4E 00        | UIN         | Your (the client's) UIN
4 bytes  | 77 72 55 FC        | SESSION_ID  | Used to prevent 'spoofing'. See below.
2 bytes  | EE C2              | COMMAND     |
2 bytes  | A4 01              | SEQ_NUM1    | Starts at a random number
2 bytes  | E8 C6              | SEQ_NUM2    | Starts at 1
4 bytes  | xx xx xx xx        | CHECKCODE   |
variable | xx ...             | PARAMETERS  | Parameters for the command being sent
Naturally, figuring out the protocol specifications by spying on the packets sent through the WinSocket is not trivial and requires much work and effort. Magnus Ihse, who started researching ICQ protocol V2 early on and published one of the first documents about the ICQ Protocol, formed a mailing list called ICQ-devel due to the huge number of responses and questions he received. Through constant effort over the years, the participants of the ICQ-devel list reverse-engineered most of the ICQ protocol versions and implemented ICQ clients on different platforms and in different programming languages.
The UDP packet sent from the client to the server has the following general layout:

Length    Content (if fixed)   Name         Description
------    ------------------   ----         -----------
2 bytes   02 00                VERSION      Identifies the packet as an ICQ packet
2 bytes   xx xx                COMMAND      Code for service the server should provide
2 bytes   xx xx                SEQ_NUM      Sequence number
4 bytes   xx xx xx xx          UIN          The sender's UIN
variable                       PARAMETERS   0 or more parameters (depending on COMMAND)
The UDP packet sent from the server to the client has the following general layout:

Length    Content (if fixed)   Name         Description
------    ------------------   ----         -----------
2 bytes   02 00                VERSION      Identifies the packet as an ICQ packet
2 bytes   xx xx                COMMAND      Code for service the server should provide
2 bytes   xx xx                SEQ_NUM      Sequence number
variable                       PARAMETERS   0 or more parameters (depending on COMMAND)
More detailed information about version 2 can be found here.
(Original source: http://www.algonet.se/~henisak/icq/icq091.txt)
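As an added example (not the page's own code and not any ICQ client's), here is a parser for the V2 client and server headers from the two tables above and for the V5 client header from the SocketSpy table in section 4. It dispatches on the version word and refuses truncated datagrams instead of reading field values from bytes that are not there. The V5 sample is built from the bytes the page lists (the 20-byte dump cut off before CHECKCODE, so that field is a constructed stand-in); the V2 sample is constructed.

```python
import struct

# Header layouts exactly as this page's tables give them; every multi-byte
# field is little-endian on the wire (AA 6C 4E 00 is UIN 0x004E6CAA).
V2_CLIENT = [("VERSION", "H"), ("COMMAND", "H"), ("SEQ_NUM", "H"), ("UIN", "I")]
V2_SERVER = [("VERSION", "H"), ("COMMAND", "H"), ("SEQ_NUM", "H")]
V5_CLIENT = [("VERSION", "H"), ("ZERO", "I"), ("UIN", "I"), ("SESSION_ID", "I"),
             ("COMMAND", "H"), ("SEQ_NUM1", "H"), ("SEQ_NUM2", "H"), ("CHECKCODE", "I")]


def parse_header(packet, direction="client"):
    """Return (fields, parameters) for an ICQ UDP datagram.

    The version word selects the layout.  V2 client and server headers differ
    (the server omits the UIN), so the caller states the direction.  Anything the
    known layouts cannot account for raises ValueError instead of returning
    fields read from missing bytes, which is how a robust client should fail."""
    if len(packet) < 2:
        raise ValueError("datagram shorter than the VERSION field")
    version = struct.unpack_from("<H", packet, 0)[0]
    if version == 2:
        layout = V2_CLIENT if direction == "client" else V2_SERVER
    elif version == 5 and direction == "client":
        layout = V5_CLIENT          # the page gives no V5 server layout
    else:
        raise ValueError("unsupported: V%d, direction %s" % (version, direction))
    fmt = "<" + "".join(code for _, code in layout)
    size = struct.calcsize(fmt)
    if len(packet) < size:
        raise ValueError("V%d header needs %d bytes, got %d" % (version, size, len(packet)))
    fields = dict(zip((name for name, _ in layout), struct.unpack_from(fmt, packet, 0)))
    return fields, packet[size:]


# The V5 header bytes from the SocketSpy dump table above.  The dump stopped at
# 20 bytes, so the CHECKCODE 00 00 00 00 here is a constructed stand-in.
V5_SAMPLE = bytes.fromhex("0500 00000000 AA6C4E00 777255FC EEC2 A401 E8C6 00000000")

# A constructed V2 client datagram: command 0x03E8, SEQ_NUM 1, the same UIN,
# followed by five parameter bytes.
V2_SAMPLE = struct.pack("<HHHI", 2, 0x03E8, 1, 0x004E6CAA) + b"hello"

if __name__ == "__main__":
    fields, params = parse_header(V5_SAMPLE)
    print("V5: UIN=0x%08X COMMAND=0x%04X SESSION_ID=0x%08X"
          % (fields["UIN"], fields["COMMAND"], fields["SESSION_ID"]))
    fields, params = parse_header(V2_SAMPLE)
    print("V2: COMMAND=0x%04X UIN=0x%08X params=%r" % (fields["COMMAND"], fields["UIN"], params))
```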
Version 3 header is as follows:
2 Bytes - This is the Version of the protocol = 03 00 (Major, Minor)
2 Bytes - This is the Function code. The ones I know are listed below.
2 Bytes - First Sequence Code \ These are usually the same
2 Bytes - Second Sequence Code /
4 Bytes - This is the user ID of the client user
4 Bytes - These four bytes are ICQ's weak attempt at security. To get them do the following:
          check1 = ( data[8] << 24 ) | ( data[4] << 16 ) | ( data[2] << 8 ) | ( data[6] );
          offs1  = Random % length;      // random offset into the packet
          offs2  = Random % 256;         // random offset into the 256-byte magic data table
          check2 = ( offs1 << 24 ) | ( (~data[offs1] & 0xFF) << 16 ) | ( offs2 << 8 ) | ( ~magic[offs2] & 0xFF );   // ~ is the bitwise NOT of the byte read at each offset
          check  = check1 ^ check2;      // XOR the two checks
The V3 Protocol is explained in more depth here.
2 Bytes - Version Number (not encrypted) = 04 00 (Major, Minor)
2 Bytes - Random number (not encrypted)
***** Everything from this point to the 1/4 mark is encrypted *****
2 Bytes - Always 00 00 before encryption. Since the key is XORed in to encrypt, whatever bytes appear here on the wire are the first 2 bytes of the encryption key.
2 Bytes - Command Code
2 Bytes - First Sequence Code
2 Bytes - Second Sequence Code
4 Bytes - User ID Number
4 Bytes - This is a checksum. It is calculated the same way as above.
- The packet is encrypted by XORing 1/4 of the packet with a key.
- The key is calculated by multiplying the length by 0x66756B65 and adding the check value.
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       4       |       0       |            RANDOM             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               Everything below this point is encrypted
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ZEROS             |            COMMAND            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           SEQUENCE            |        SECOND SEQUENCE        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              UIN                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             CHECK                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The V4 Protocol is explained in more detail here.
Encryption of V3/V4 is explained here.
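To make the V3 check computation and the V4 XOR step above concrete, here is an added example (not the page's code and not ICQ's) that implements the check pseudocode, derives the V4 key from the length and the check, XORs the header, and then reads the leaked key bytes back out of the ZEROS field as the V4 description points out. Assumptions, labelled in the code: the magic table is a constructed placeholder (the page does not reproduce it), offs1/offs2 are passed in instead of drawn at random, CHECK is computed with its own field zeroed, and the extent of the XORed region and its key schedule are a simplified model of "1/4 of the packet".

```python
import struct

FUKE = 0x66756B65          # the multiplier the page gives for the V4 key

# The 256-byte "magic data" table that check2 indexes is not reproduced on this
# page; this is a constructed placeholder so the code runs, not ICQ's real table.
MAGIC = bytes((i * 73 + 19) & 0xFF for i in range(256))


def v3_check(data, offs1, offs2):
    """The check value as the page's pseudocode describes it.  The real client
    draws offs1 (< len(data)) and offs2 (< 256) at random; they are parameters
    here so that the result is reproducible."""
    check1 = (data[8] << 24) | (data[4] << 16) | (data[2] << 8) | data[6]
    check2 = ((offs1 & 0xFF) << 24) | ((~data[offs1] & 0xFF) << 16) \
             | ((offs2 & 0xFF) << 8) | (~MAGIC[offs2] & 0xFF)
    return (check1 ^ check2) & 0xFFFFFFFF


def v4_key(length, check):
    """key = length * 0x66756B65 + check, reduced to 32 bits."""
    return (length * FUKE + check) & 0xFFFFFFFF


def v4_xor(packet, key):
    """XOR every byte after the 4 unencrypted ones (VERSION, RANDOM) with the key
    repeated every 4 bytes.  Simplified model of the page's description: the
    exact extent of the encrypted region and the key schedule are assumptions.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray(packet)
    key_bytes = struct.pack("<I", key)
    for i in range(4, len(out)):
        out[i] ^= key_bytes[(i - 4) % 4]
    return bytes(out)


def build_v4(command, seq1, seq2, uin, rnd, offs1, offs2, params=b""):
    """Assemble the plaintext header from the diagram above, compute CHECK with
    the CHECK field still zero (an assumption), then apply the XOR.  Returns the
    wire bytes and the check value."""
    head = struct.pack("<HHHHHHI", 4, rnd, 0, command, seq1, seq2, uin)
    check = v3_check(head + bytes(4) + params, offs1, offs2)
    plain = head + struct.pack("<I", check) + params
    return v4_xor(plain, v4_key(len(plain), check)), check


def leaked_key_low16(wire):
    """The ZEROS field (bytes 4-5) is 00 00 before the XOR, so on the wire it is
    just the first two key bytes: the known-plaintext leak the page describes."""
    return struct.unpack_from("<H", wire, 4)[0]
```

Because the key is a deterministic function of the packet length and a check value that the packet itself carries, the XOR layer adds no secret; the leaked low half of the key is the visible symptom.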
An example of a V5 header is shown in Fig. 4.3. Version 5 is used in the newest release of ICQ 99b.
The best explanation for encryption in V5 can be found here.
The information provided by any ICQ user during registration is also stored on the ICQ server. If someone requests the public information about a certain user, a request command in a UDP packet is sent to the server, which then sends back the information about the inquired ICQ user. All UDP packets must be acknowledged, otherwise retransmission will occur after 10 seconds.
"The ICQ protocol is ridiculously simplistic and is riddled with security holes. So is the ICQ software. So ICQ users can be spoofed, have their machine crashed, or have evil haxxors run arbitrary code on their boxes. Geez, these poor users might as well run Internet Explorer!"

This statement was referring to the earlier versions of the ICQ Protocol. In versions V4 and V5, encryption and other security features were added to the protocol.
The ICQ Protocol is not very well designed or engineered, but it has undergone some major improvements over time.
[2] Ihse, Magnus; The ICQ Protocol Site; <http://www.student.nada.kth.se/~d95-mih/icq/>
[3] Isaksson, Henrik; The ICQ hacking page; <http://www.algonet.se/~henisak/icq/>
[4] Meistern; Meistern's ICQ Hacking Page; <http://www.globalserve.net/~jphowe/icq/>
[5] Kalinin, Eugene; ICQ Protocol Definition; <http://www.mml.nsi.ru/~ekalinin/MSPvsICQ/Protocol.htm>
[6] Cox, Alan; ICQ so-called protocol; <http://www.insecure.org/sploits/icq.spoof.overflow.seq.html>
[7] CNET.com, Editors' Choice; CNET Compares 6 Top Instant-Messaging Programs; <http://home.cnet.com/category/topic/0,10000,0-3781-7-278365,00.html>
[8] WinTECH Software; SocktSpy... Application Description; <http://www.win-tech.com/html/socktspy.htm>
THE INFORMATION AVAILABLE ON THIS PAGE IS PROVIDED ON AN "AS IS" BASIS. THE AUTHOR MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THOSE OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THIS DOCUMENT AND THE INFORMATION PRESENT HEREIN. THE AUTHOR DOES NOT WARRANT, GUARANTEE OR MAKE ANY REPRESENTATIONS REGARDING THE USE OR THE RESULTS OF THE USE OF THESE DOCUMENTS OR THE INFORMATION PRESENT HEREIN. THE ENTIRE RISK OF USING THE INFORMATION PRESENT IN THIS DOCUMENT IS ASSUMED BY THE USER. IN NO EVENT WILL THE AUTHOR BE LIABLE TO ANY PARTY (i) FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE), OR ANY OTHER DAMAGES ARISING IN ANY WAY OUT OF THE AVAILABILITY, USE, RELIANCE ON, OR INABILITY TO USE THIS DOCUMENT OR THE INFORMATION PRESENT HEREIN, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE; OR (ii) FOR ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN, OR DESTRUCTIVE PROPERTIES OF ANY INFORMATION.

The author of this page is in no way affiliated with Mirabilis or ICQ Inc.
Copyright © 1999 by Tom Ueltschi