The verification request contains eight bytes. The first four are an offset,
the second four are a length.
The offset is an offset into aim.exe when it is mapped during execution
on Win32. So far, AOL has only been requesting bytes in static regions
of memory.
When the client receives the request, it adds the offset to the current ds
(0x00400000) and dereferences the result, copying the data into a buffer which
it then runs directly through the MD5 hasher. The 16-byte output of
the hash is then sent back to the server.
If the client does not send any data back, or the data does not match
the data that the specific client should have, the client will get the
following message from "AOL Instant Messenger":
"You have been disconnected from the AOL Instant Message
Service (SM) for accessing the AOL network using unauthorized software.
You can download a FREE, fully featured, and authorized client, here
http://www.aol.com/aim/download2.html"
The connection is then closed, and the client receives disconnect code 1 with the URL
http://www.aim.aol.com/errors/USER_LOGGED_OFF_NEW_LOGIN.html.
00 01       | word  | SNAC family
00 1F       | word  | SNAC subtype
00 00       | word  | SNAC flags
xx xx xx xx | dword | SNAC request-id

xx xx xx xx | dword | Requested data offset
xx xx xx xx | dword | Requested data length
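The request handling described above, as an added example (not code from the original page or from AOL's client): it parses the 18-byte request and computes the 16-byte MD5 reply over a constructed stand-in for the mapped aim.exe image. Big-endian field order, the function names and the sample bytes are assumptions.

```python
import hashlib
import struct

IMAGE_BASE = 0x00400000   # base the page says the offset is added to
REQUEST_FMT = ">HHHIII"   # assumption: big-endian words/dwords
REQUEST_LEN = struct.calcsize(REQUEST_FMT)  # 10-byte SNAC header + 8 bytes


def parse_request(packet: bytes) -> dict:
    """Split the request into the fields laid out in the table above."""
    if len(packet) != REQUEST_LEN:
        raise ValueError(f"expected {REQUEST_LEN} bytes, got {len(packet)}")
    family, subtype, flags, request_id, offset, length = struct.unpack(
        REQUEST_FMT, packet)
    if (family, subtype) != (0x0001, 0x001F):
        raise ValueError("not a verification request")
    return {"flags": flags, "request_id": request_id, "offset": offset,
            "length": length, "address": IMAGE_BASE + offset}


def answer_request(packet: bytes, image: bytes) -> bytes:
    """Return the 16-byte MD5 of image[offset:offset+length].

    `image` stands in for aim.exe as mapped at IMAGE_BASE, so index 0 of
    the buffer corresponds to address 0x00400000.
    """
    req = parse_request(packet)
    end = req["offset"] + req["length"]
    if end > len(image):
        # Refuse to read outside the buffer instead of hashing other memory.
        raise ValueError("requested range lies outside the mapped image")
    return hashlib.md5(image[req["offset"]:end]).digest()


# Constructed sample data, not real aim.exe contents or captured traffic.
SAMPLE_IMAGE = bytes(range(256)) * 16
SAMPLE_REQUEST = bytes.fromhex("0001 001f 0000 00000001 00000100 00000010")

if __name__ == "__main__":
    fields = parse_request(SAMPLE_REQUEST)
    print(f"hash {fields['length']} bytes at {fields['address']:#010x}")
    print(answer_request(SAMPLE_REQUEST, SAMPLE_IMAGE).hex())
```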