· 6 years ago · May 18, 2019, 04:12 PM
1The AOL Protocol
2
3When you hear the phrase "The AOL Protocol", I bet most of you immediately think of FDO, right?
4Although FDO is a part of the AOL protocol, it in no way encompasses the big picture. When I use
5the term "The AOL protocol", I refer to how the AOL client and server interact with each other,
6how data is prepared, how it is sent, and how it can be manipulated.
7
8There currently exists no formal documentation of the AOL protocol, or at least one that is
9publicly available. For this reason, I have taken it upon myself to strip the bits of
10information from my feeble mind and write a document with at least basic information about
11the AOL protocol. The information included in this document is what I have learned, from
12exploration, help from others, and just stumbling upon it. I in no way guarantee the accuracy
13of the information contained herein. That said, here is what I know.
14
15Table of Contents
16
171) Establishing a connection
18 A. Servers
19 B. The handshake
20 C. Sending the screenname and password
21 D. Completing the login
222) The packet
23 A. The first byte
24 B. The second and third bytes(CRC)
25 C. The fourth byte
26 D. The fifth byte
27 E. The sixth and seventh bytes
28 F. The eighth byte
29 G. The ninth and tenth bytes
303) Logging AOL's Data Packets
314) Forming Data Packets
325) Pings
336) About FDO Decompression
347) Putting it all together
358) Using Common Sense
36
37
38
39
401) Establishing a connection
41
42A. Servers - America Online Servers generally run on port 5190. The server that the clients
43connect to is randomly chosen via the DNS Round Robin 'AmericaOnline.aol.com'. There are
44literally hundreds of America Online servers linked together. It makes you wonder how they
45avoid the common IRC occurrence of "Net Splits". To connect to an AOL server, all one has to
46do is connect to 'AmericaOnline.aol.com' on port 5190. I'm sure all of you can do this, you
47can even test it in Telnet. AOL servers that people generally connect to are called "berps".
48An example AOL server is 'berp-cr01.dial.aol.com'.
49
50B. The handshake - Upon connecting to America Online, the client first sends an identification
51packet that includes the version of the AOL client being used. On success, the server will
52send back go ahead packet(SD) and the client will then send Screenname/Password. On failure,
53the AOL server will send an XS and the client will disconnect. AOL uses this in order to
54disable older clients from connecting and force people to upgrade. If the server gives no
55response, the packet wasn't formed correctly.
56
57Client: 5A413800347F7FA3036B0100F5000000050F00002152CBCA070A1000080400000000035F0000010004
58000300080000000000000000000000020D
59
60Server: 5AB71100037F7F240D5A88E9000B107F20534454D1F68B00000D
61
62C. Sending the screenname and password - After the server accepts the initial handshake, the
63screennname and password are sent. If the screenname and password match, the server then sends
64the Master Tool disabling information, and also sends the Welcome Window FDO. If the screenname
65and password do not match, the server will ask for the password once more, if it fails twice,
66the server sends the XS and the client is disconnected.
67
68Client: 5A243F00431010A044640015000100010A0400000001010B040000000103010A686F6C797461626C6
69520011D00011D00010A0400000002030108736174616E363636011D000002000D
70
71D. After receiving the Welcome Window FDO, the client sends the 'ya' token. This causes AOL
72to tell you if you have mail, assign you an IP address, and, if you have configured it, show
73your buddy list. Once you are assigned an IP address you are completely logged in and can
74now send other commands to the AOL service.
75
76Client: 5A4EBA00031018A40D5AC6910008111CA079610701010D5A5C340022121CA0746C00170001000A0F0400
777BB5E80A10041DA6DDF20A4504000000070002000D5A6F4A000D131CA053430150001000002000D
78
79Server: 5A419B00351D132079610304AC992E10020102010100040498A3CE86070101050203C00A153135332D34
80362D31362E6970742E616F6C2E636F6D0D5A7E91001E1E132076A007BB5E81DA6DDF20000000000696D66617274702
81E627574000D
82
832) The packet - Ah, the illusive AOL packet. The structure of these packets have remained a
84mystery throughout America Online's life. I will now make an attempt at breaking down these
85packets.
86
87Here's a basic idea of what a packet may look like:
88
89Z (CRC) (CRC) [NULL] (LENGTH BYTE) (HB 6TH) (HB 7TH) [SPACE] (TOKEN) (TOKEN)
90
91ThatÆs the first ten bytes in any AOL packet. The only bytes that don't change constantly are
92the first, Z(5A in Hex), and the fourth, A null(00 in hex). Anything after the first ten bytes
93is compressed FDO or data strings. Here is a breakdown of the ten bytes in greater detail.
94
95A. The first byte for all AOL versions is Z or 5A in Hex. This is probably the least
96troublesome byte because it never changes and you can't forget to add it as easily as you can
97the fourth.
98
99B. The second and third bytes are 'Hi' and 'Lo' bytes produced from the CRC16 Algorithm.
100CRC stands for "Cyclic Redundancy Check". The CRC is often used in compression to make sure
101no data was corrupted. If the CRC header does not match the data in a zip file, the file is
102assumed corrupted. The same goes for AOL packets. If the CRC does not match the packet, the
103AOL server ignores it. The CRC is taken from the packet with the first 5 bytes(the header)
104removed. The number produced by the algorithm is then used to produce a 'Hi' and a 'Lo'
105byte that is placed in the 2nd and 3rd spots in the header. The CRC only applies to
106versions of AOL clients 3.0 and below. The newer AOL clients simply send '**' as the 2nd
107and 3rd byte. you can get along with using newer AOL packets without a CRC, but you'll
108end up sending more data. If you can use the CRC it will actually be easier to just use
109it with the older, smaller packets.
110
111Here is the CRC function and 'Hi' and 'Lo' byte subs for C++ and Visual Basic programmers.
112These are public functions, I did not write them:
113
114
115C++:
116
117Function AOLCrc (strng$, lenstr)
118
119unsigned short
120CRC16(byte * buffer, int length)
121{
122 unsigned short crc = 0;
123 unsigned short ch;
124 int i, j;
125
126 for (i = 0; i < length; i ++) {
127 ch = (unsigned short) buffer;
128 for (j = 0; j < 8; j ++) {
129 if ((crc ^ ch) & 1)
130 crc = (crc >> 1) ^ 0xa001;
131 Else
132 crc >>= 1;
133 ch >>= 1;
134 }
135 }
136
137 return (crc);
138}
139
140Visual Basic:
141
142Function AOLCRC(strng$, lenstr)
143Dim crc As Long
144Dim ch As Long
145Dim i As Long
146Dim j As Long
147
148For i = 0 To lenstr - 1
149ch = Asc(Mid(strng$, i + 1, 1))
150For j = 0 To 7
151If ((crc Xor ch) And 1) Then
152crc = (Int((crc / 2)) Xor 40961)
153Else
154crc = Int(crc / 2)
155End If
156ch = Int(ch / 2)
157Next j
158Next i
159AOLCRC = crc
160End Function
161
162Function gethibyte(mybyte As Variant) As Variant
163gethibyte = Int(mybyte / 256)
164End Function
165
166Function getlobyte(mybyte As Variant) As Variant
167getlobyte = Int((mybyte - (gethibyte(mybyte) * 256)))
168End Function
169
170
171The use of these functions will be explained more later on.
172
173C. The 4th byte for all AOL versions is a null(00 in Hex). This byte never changes, but it
174is required, just try to remember to include it.
175
176D. The 5th byte is the length byte, The length byte is roughly the length of the packet with
177the first 5 bytes(The Header) removed. I say roughly because another thing can effect the
178length byte besides actual physical length. The byte directly before any string in the packet
179(screennames, chat, form data, etc..) is also a length byte. This byte represents the length
180of the string immediately following it, and is not counted in the 5th byte representation of
181the length. I have written a Visual Basic sub that will calculate the 5th byte in any given
182packet:
183
184Function give5th(pack As String, inputz as integer)
185'You need the EnHex function for this, you will find it later on in this document.
186Dim give5th1 As Integer
187inputz = inputz + 4
188give5th1 = Len(DeHex(pack)) - inputz
189give5th = EnHex(Chr(give5th1))
190End Function
191
192This function was written by me. Its use is simple. Just include the hexed entire packet
193(even header) and the # of inputs your form has to calculate the 5th byte to be places in
194your packet.
195
196Example: give5th("5AD69400411010A044640015000100010A0400000001010B04000000010301" & screenname$
197& "20011D00011D00010A04000000020301" & password$ & "011D000002000D", 2)
198
199E. The 6th and 7th bytes - These 2 bytes are almost as mind boggling as the 2nd and 3rd. If
200you watch AOL packets go by, you'll see what I mean. The 6th and 7th seem to change wildly,
201with no way to tell what the next will be. These packets are different for every new packet
202sent, but actually go in a loop. If you look at the login packets I use, you'll see the 6th
203byte(in hex) is 10(Int 16), and the seventh is 18(Int 24). Before every packet sent, I simply
204increase each by 1. Although the actual client seems to do something a little different,
205adding 1 works. You can't add 1 forever, of course. You'll notice after a while the AOL
206server will stop responding. The solution to this is resetting the 6th and 7th bytes to their
207 original values, 10(Int 10) and 18(Int 24). I'm sure most of you don't want to explore this
208 yourself, so the 6th and 7th reset at Int 127 and Int 135. I'm a little confused on what to
209call these bytes. I call them "counter bytes", but I've often heard them referred to as
210'heartbeats'. It seems to me the 9 char "ping-like" packets should be called heartbeats
211(Who knows? maybe they are). Regardless of terminology, this works.
212
213F. The 8th byte is simply a space.
214
215G. Finally, the 9th and 10th bytes(in ASCII) represent the token. for those of you who know
216FDO, you know that token kind of tells the server what to expect. If you aren't sure what
217you're looking at, just look for these tokens and cross check them with the AOL-Files token
218list to see what kind of packet it is.
219
220
221
2223) Logging AOL's Data Packets
223
224Logging the packets AOL uses is a very important skill when dealing with the AOL protocol.
225Without it, you will get nowhere. When you form a packet to send to the AOL server, you don't
226build it from the ground up(At least I don't). To build it from scratch would require you to
227write it in FDO, compress the FDO, and add the header. Although it is possible to do it that
228way, it is much easier to use logged packets and just change them where needed. Getting AOL
229packets is actually pretty simple. First, you create a program that listens on port 5190 for
230incoming connections. You then choose a version of AOL to spy on. This document revolves
231around 2.5 packets, so I suggest using AOL 2.5(available at http://clients.aol-files.com).
232You have to set up the AOL client to connect to your computer locally, rather than to
233'AmericaOnline.aol.com'. To do this open the 'tcp.ccl' file in the 'ccl' directory and change
234the 'AmericaOnline.aol.com' to 'localhost'. Save and close the file. you then connect your
235AOL client. If you did it correctly, you should see an incoming connection in your program.
236Now, your program make it so that when a client connects your program connects to
237'AmericaOnline.aol.com' on port 5190. Set up your program so that when Data is received,
238depending on the ID of the socket, it will direct the data to the client or server socket.
239If data is sent from the client, send it to the server, if it is sent from the server, sent
240it to the client. The idea behind this is to become a type of "data link" between the server
241and client. We can now begin to intercept data.
242
243Intercepting the data is nothing more than creating a textbox and displaying incoming data from
244the client or server. Its a good idea to mark it 'client' or 'server' to get a better idea of
245what you're looking at. The only trick to doing this is editing out the null characters.
246When a null character is put in any textbox or other viewing object, it represents to Windows
247the end of a line, so any text after it is unreadable. By editing out the null characters in
248a string, you allow yourself to see the entire packet. Here is a Visual Basic function I wrote
249to edit out null characters:
250
251Function stripnulls(thedata as String)
252Dim torem as Integer
253torem = 1
254Do Until crap = 0
255torem = InStr(1, thedata, Chr$(0))
256If torem > 0 Then Mid(thedata, torem, 1) = "Ê"
257Loop
258End Function
259
260When displaying a packet in ASCII, its is pretty much ruined for sending back to the server,
261even if you try putting the nulls back in. So most editing for packets is done in Hex. Here
262are some Visual Basic functions to Hex and DeHex strings and integers:
263
264Public Function EnHex(Data As String) As String
265 Dim iCount As Double
266 Dim sTemp As String
267
268
269 For iCount = 1 To Len(Data)
270 sTemp = Hex$(Asc(Mid$(Data, iCount, 1)))
271 If Len(sTemp) < 2 Then sTemp = "0" & sTemp
272 EnHex = EnHex & sTemp
273 Next iCount
274End Function
275
276Public Function DeHex(Data As String) As String
277 Dim iCount As Double
278
279
280 For iCount = 1 To Len(Data) Step 2
281 DeHex = DeHex & Chr$(Val("&H" & Mid$(Data, iCount, 2)))
282 Next iCount
283End Function
284
285Public Function Int2Hex(Data As String) As String
286 Dim sTemp As String
287 sTemp = Hex(Data)
288 If Len(sTemp) < 2 Then sTemp = "0" & sTemp
289 Int2Hex = Int2Hex & sTemp
290
291End Function
292
293Public Function Hex2Int(Data As String) As String
294 Dim iCount As Double
295 For iCount = 1 To Len(Data) Step 2
296 Hex2Int = Hex2Int & CInt(Val("&H" & Mid$(Data, iCount, 2)))
297 Next iCount
298End Function
299
300When you grab a 'logged' packet, grab the Hex. The use of these packets in packet forming
301will be explained better later on. If you don't want to do the work described above, use AOL
302Data Edit.
303
3044) Forming Data Packets
305
306Now I will attempt to explain how to form a packet and send it in Visual Basic using the
307functions provided above.
308
309The first step is to grab a logged packet. Here is a logged IM packet::
310
3115A21EF00401422A06953002500010001070400000003010A040000000103010A676F64736D6973663174011D000
31210A04000000020301026869011D00011D00011D000002000D
313
314I IMed the screenname 'godsmisf1t' with the message 'hi'.
315
316Now that you have a logged packet, you have to decide what strings you need to change. You
317know that the string 'godsmisf1t' and the string 'hi' should be changed to send an IM with a
318different message to a different person. The Hex for 'godsmisf1t' is '676F64736D6973666974'.
319So you look for that in the Hexed packet, you also look for the Hex for 'hi' which is '6869'.
320
3215A21EF00401422A06953002500010001070400000003010A040000000103010A676F64736D6973663174011D0001
3220A04000000020301026869011D00011D00011D000002000D
323
324Now that we've identified the data to be changed, just edit them out. Set variables for
325Screenname and IM and place them in the spots you deleted. Also remember that the byte
326directly before a string is a length byte, so you'll want to edit that out too.
327
328"5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname$ &
329"011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D"
330
331The screenname and IM Hexed strings become the variables Screenname$ and IM$, and the bytes
332directly before those strings are removed as well(0A, and 02). When you set the screenname
333variable, you set it to the Hexed Length of the screenname, and the screenname in Hex. Here
334is an example:
335
336screenname$ = Int2Hex(Len("godsmisf1t")) & EnHex("godsmisf1t")
337IM$ = Int2Hex(Len("hello")) & EnHex("hello")
338
339 Now you just hex the packet and send it back and it will work, right? Wrong. Many other
340things have to change now that you've changed data in the packet. First, we need to change
341the 5th byte(the length byte) so that it can properly send with varying message and screenname
342lengths. Here is how you grab the 5th byte using the give5th function I wrote:
343
344fifth$ = give5th("5A21EF00401422A06953002500010001070400000003010A04000000010301" &
345screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D", 2)
346
347The give5th function calculates the length byte from the packet and the number of inputs.
348An IM form has 2 inputs, so I put 2. The Hexed length byte is stored in the variable 'fifth$'
349for later use.
350
351Now we have to make sure we have the correct 6th and 7th byte. After I finished logging in,
352the 6th byte's Integer value was 16, and the 7th's Integer value was 24. When you finish
353logging in(more help later), set public variables to the 6th and 7th byte so you can increase
354them when you need to. Like I said above, just add 1 every time and remember to reset when
355the values equal 127 and 135. For now, lets say your 6th byte variable is named 'sixth' and
356you 7th is named 'seventh'. Here is how you would increment them:
357
358sixth = CInt(sixth) + 1
359seventh = CInt(seventh) + 1
360
361Remember, these variables are integers.
362
363This is how you add them and the fifth byte to your packet.
364
365Our current packet is "5A21EF00401422A06953002500010001070400000003010A04000000010301" &
366screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D" The current
3675th byte is(hexed) '40', the sixth is '14', and the seventh is '22'. These were from the
368logged packet and need to be changed, so we just replace them with our variables:
369
370packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) &
371"A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301"
372& IM$ & "011D00011D00011D000002000D")
373
374We just replaced the 5th and 6th and 7th byte with Hexed variables, and stored the new packet
375in the variable 'packet$'. Now that we have everything ready, we just have to change the CRC
376bytes. Here is how you use the functions above to do so:
377
378crc1 = AOLCRC(packet$, Len(packet$) - 1)
379thehi$ = Chr(gethibyte(crc1))
380thelo$ = Chr(getlobyte(crc1))
381
382packet$ = "5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) &
383Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ &
384"011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D"
385
386Now the packet is completely ready to be sent. So you just DeHex it, and send it to the server.
387
388whatyousend$ = DeHex(packet$)
389
390Just send whatyousend$ to the server and if you did everything correctly, it should send the IM.
391
392To tie this all together, here is a Send IM function you can use:
393
394Function SendIM(screenname as String, IM as String)
395screenname1$ = Int2Hex(Len(screenname)) & EnHex(screenname)
396IM1$ = Int2Hex(Len(IM)) & EnHex(IM)
397If sixth = "127" Then
398sixth = "15" 'Backtrack 1 because we are going to add 1 soon
399seventh = "23" 'THIS IS THE CODE TO RESET THE BYTES
400End If
401sixth = CInt(sixth) + 1
402seventh = CInt(seventh) + 1
403fifth$ = give5th("5A21EF00401422A06953002500010001070400000003010A04000000010301" &
404screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D", 2)
405packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) &
406"A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301"
407& IM$ & "011D00011D00011D000002000D")
408crc1 = AOLCRC(packet$, Len(packet$) - 1)
409thehi$ = Chr(gethibyte(crc1))
410thelo$ = Chr(getlobyte(crc1))
411packet$ = "5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) &
412Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ &
413"011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D"
414whatyousend$ = DeHex(packet$)
415Form1.Winsock1.SendData whatyousend$ 'This assumes you're main form is named Form1 and you
416are using Microsoft's Winsock Control.
417End Function
418
419Now you should have a pretty good idea of how packets work.
420
421
422
4235) Pings
424
425After successfully establishing a connection to AOL, you will notice AOL sends little packets
426to you that look like this:
427Server: 5A647D00032313260D
428
429These packets serve much the same function as a 'ping'. It checks to see if the connection
430is still alive. If you do not respond to these pings, you will receive no data from the AOL
431server. Luckily, responding is simple. All you do is take the 6th and 7th character from the
432ping packet, flip them around, and send back a client ping packet. This is what a client ping
433reply would look like:
434
435Client: 5A0AE900031323A40D
436
437The server's ping packet's 6th character was 23 Hexed. The 7th was 13 Hexed. The client's
438ping reply packet's 6th was 13 Hexed, the 7th was 23 Hexed. So the client just basically flips
439them over and sends back a ping reply packet. Here is the code to reply to pings:
440
441In your Winsock Data Arrival event, put this:
442
443'Assuming sData is the incoming server data:
444If Len(sData) = 9 Then
445ping6$ = Mid(sData, 6, 1)
446ping7$ = Mid(sData, 7, 1)
447packet$ = DeHex("0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D")
448crc1 = AOLCRC(packet$, Len(packet$) - 1)
449thehi$ = Chr(gethibyte(crc1))
450thelo$ = Chr(getlobyte(crc1))
451tosend$= DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "0003" & EnHex(ping7$) & EnHex(ping6$)
452& "A40D")
453Winsock1.SendData tosend$
454End If
455
456The client is the one that usually sends these pings, the server is usually the one responding
457to them. Until a ping is responded to or sent, the AOL server will stop sending the client
458 data. So if you were to create a full fledged AOL client, you would have to make a timer
459that would constantly send ping packets to the AOL server.
460
461Note - When sending ping replies or ping packets you don't need to increment the 6th or 7th
462or find a 5th byte.
463
4646) About FDO Compression
465
466The packets that we've been dealing with don't look much like FDO, but they are. They are
467compressed FDO. Just by studying packets you can kind of see how the FDO is compressed in that
468small area, you can even write a sub. Although I do not use FDO Compression in my personal
469projects, here is a way you can do it:
470
471Locate the file 'ada32.dll'. This is the resource library AOL puts all their FDO Compression
472functions in. If you know how to Declare Functions from DLL files, here are the functions
473that are in the 'ada32.dll' file:
474
475AdaAssembleAtomStream
476AdaDisassembleAtomStream
477AdaDoAtomCallbacks
478AdaAssembleArgument
479AdaAssembleAtomStream
480AdaAssembleFragment
481AdaDisassembleArgument
482AdaDisassembleAtom
483AdaDisassembleAtomState
484AdaDisassembleAtomStream
485AdaDisassembleAtomStreamState
486AdaDoAtomCallbacks
487AdaEnumAllAtoms
488AdaFreeState
489AdaGetAtomByName
490AdaGetAtomName
491AdaGetErrorText
492AdaGetVersion
493AdaInitialize
494AdaIsValidProtocol
495AdaLookupAtomEnum
496AdaNormalizeAtomStream
497AdaTerminate
498
499Here are the functions that are in the æada.dllÆ file:
500
501?ADAASSEMBLEATOMSTREAM@@ZAJAFVZSTRING@@AEVZBUFFER@@I@Z
502?ADADISASSEMBLEATOMSTREAM@@ZAHAFVZBUFFER@@AEVZSTRING@@I@Z
503?ADADOATOMCALLBACKS@@ZAHP7AHKGGPFEG@ZKAFVZBUFFER@@I@Z
504___EXPORTEDSTUB
505_ADAASSEMBLEARGUMENT
506_ADAASSEMBLEATOMSTREAM
507_ADAASSEMBLEFRAGMENT
508_ADADISASSEMBLEARGUMENT
509_ADADISASSEMBLEATOM
510_ADADISASSEMBLEATOMSTATE
511_ADADISASSEMBLEATOMSTREAM
512_ADADISASSEMBLEATOMSTREAMSTATE
513_ADADOATOMCALLBACKS
514_ADAENUMALLATOMS
515_ADAFREESTATE
516_ADAGETATOMBYNAME
517_ADAGETATOMNAME
518_ADAGETERRORTEXT
519_ADAINITIALIZE
520_ADAISVALIDPROTOCOL
521_ADALOOKUPATOMENUM
522_ADANORMALIZEATOMSTREAM
523_ADATERMINATE
524ADA
525Atomic Disassembler/Assembler
526WEP
527
528
529Like I said, I do not use FDO Compression, so I haven't written any functions concerning it.
530
531
532
5337) Putting it all together
534
535Ok, you've probably been reading this doc for a while now. Good for you, you took the time
536to learn something. For those of you who scrolled up to here just to get the code for an AOL
537client, shame on you.
538
539Here is the result of the topics discussed in this document, a Visual Basic AOL client capable
540of sending IMs. This client uses the functions found earlier in this document.
541
5421) Start a new project
5432) Add the Microsoft Winsock Control to your project
5443) Create a control on the form
5454) Create 2 command buttons(Connect, Send IM)
5465) Create 5 text boxes(Status, Screenname, Password, IMName, IMMsg)
547
548In the General (Declarations) put this:
549
550Dim sixth as String
551Dim seventh as String
552Dim packet as String
553
554In the connect button, put this:
555
556Call Winsock1.Connect("AmericaOnline.aol.com", 5190) 'This opens a connection to the AOL server
557
558In you 'Connect' event of your Winsock control, put this:
559
560status.Text = status.Text & "Connected" & vbCrLf
561packet$ = DeHex("5A413800347F7FA3036B0100F5000000050F00002152CBCA070A1000080400000000035F0
562000010004000300080000000000000000000000020D")
563Winsock1.SendData packet$ ' This sends the version packet, NO CHANGES HAVE TO BE MADE
564
565In your 'DataArrival' event of your Winsock control, put this:
566
567Winsock1.GetData sData, vbString 'Puts the incoming data in 'sData'
568
569If Len(sData) = 9 Then
570ping6$ = Mid(sData, 6, 1)
571ping7$ = Mid(sData, 7, 1)
572packet$ = DeHex("0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D")
573crc1 = AOLCRC(packet$, Len(packet$) - 1)
574thehi$ = Chr(gethibyte(crc1))
575thelo$ = Chr(getlobyte(crc1))
576tosend$= DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "0003" & EnHex(ping7$) & EnHex(ping6$)
577& "A40D")
578Winsock1.SendData tosend$
579End If
580
581Dim crap as Integer
582crap = 1
583Do Until crap = 0
584crap = InStr(1, sData, Chr$(0))
585If crap > 0 Then Mid(sData, crap, 1) = "Ê"
586Loop
587status.Text = status.Text & "Server: " & sData & vbCrLf & vbCrLf
588
589If InStr(1, sData, "Invalid password") Then
590status.Text = status.Text & "Invalid Password" & vbCrLf
591Call Winsock1.Close
592End If
593If InStr(1, sData, "Invalid account") Then
594status.Text = status.Text & "Invalid account" & vbCrLf
595Call Winsock1.Close
596End If
597
598If InStr(1, sData, "SD") Then
599screenname1$ = Int2Hex(Len(screenname.Text) + 1) & EnHex(screenname.Text)
600password1$ = Int2Hex(Len(password.Text)) & EnHex(password.Text)
601fifth$ = give5th("5AD69400411010A044640015000100010A0400000001010B04000000010301" &
602screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D", 2)
603packet$ = DeHex("00" & fifth$ & "1010A044640015000100010A0400000001010B04000000010301" &
604screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D")
605crc1 = AOLCRC(packet$, Len(packet$) - 1)
606thehi$ = Chr(gethibyte(crc1))
607thelo$ = Chr(getlobyte(crc1))
608packet$ = DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ &
609"1010A044640015000100010A0400000001010B04000000010301" & screenname1$ &
610"20011D00011D00010A04000000020301" & password1$ & "011D000002000D")
611Winsock1.SendData packet$ 'Sends the screenname/password. If you donÆt understand this
612refer above to 'Forming Packets'
613packet$ = DeHex("5A3A0A00031018A40D") 'This is a logged ping packet
614Winsock1.SendData packet$
615End If
616
617If InStr(1, sData, "Master Tool") Then
618packet$ = DeHex("5A3A0A00031018A40D5AC6910008111CA079610701010D5A5C340022121CA0746C001
61970001000A0F04007BB5E80A10041DA6DDF20A4504000000070002000D5A6F4A000D131CA0534300150001000002000D")
620Winsock1.SendData packet$ 'This sends the ya login packet, NO CHANGES HAVE BEEN MADE
621sixth=Hex2Int("13")
622seventh=Hex2Int("21") 'This is where you set your sixth and seventh at first.
623End If
624
625In your send IM command button put this:
626
627screenname1$ = Int2Hex(Len(IMName.Text)) & EnHex(IMName.Text)
628IM1$ = Int2Hex(Len(IMMsg.Text)) & EnHex(IMMsg.Text)
629If sixth = "127" Then
630sixth = "15" 'Backtrack 1 because we are going to add 1 soon
631seventh = "23" 'THIS IS THE CODE TO RESET THE BYTES
632End If
633sixth = CInt(sixth) + 1
634seventh = CInt(seventh) + 1
635fifth$ = give5th("5A606700001522A06953002500010001070400000003010A04000000010301" &
636screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D", 2)
637packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) &
638"A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301"
639& IM1$ & "011D00011D00011D000002000D")
640crc1 = AOLCRC(packet$, Len(packet$) - 1)
641thehi$ = Chr(gethibyte(crc1))
642thelo$ = Chr(getlobyte(crc1))
643packet$ = DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) &
644Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname1$ &
645"011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D")
646Winsock1.SendData packet$
647IMMsg.Text=""
648
649In the Winsock control's 'SendComplete' event, put this:
650
651Dim crap as Integer
652crap = 1
653Do Until crap = 0
654crap = InStr(1, packet$, Chr$(0))
655If crap > 0 Then Mid(packet$, crap, 1) = "Ê"
656Loop
657status.Text = status.Text & "Client: " & packet$ & vbCrLf & vbCrLf
658
659In the status textbox's 'Change' event, put this:
660
661status.SelStart = Len(status.Text) 'Auto Scrolls
662If Len(status.Text) >= 32000 Then status.Text = Right$(status.Text, Len(status.Text) / 2)
663'Keeps the length from getting too large
664
665Make sure your status.Text is set MultiLine to True and has scrollbars. If you did it
666correctly, you should now have a working AOL client that has a status box and can send IMs.
667Welcome to Winsock AOL.
668
669
670
6718) Common Sense
672
673Ok, most of you have probably stopped reading by now. But I need to make a point.
674
675The only reason that the information above is not already widely available is because of the
676fear of abuse. Putting this information in immature hands is dangerous. Some people believe
677that if it gets out, the walls of the America Online service will come crashing down as things
678like faster mail bombers, spammers, IM bombers, and cloners begin to immerge. It may very
679well be impossible to enter a chat room without being so lagged by scrolling, IMs, and emails
680that you cannot even stay connected. I don't personally believe that though. Due to the
681complexity of these packets, it is far harder to use even copied source of this than to use
682copied source of the infamous "AOL Progs" that eventually died out. If you are learning
683from this document, I implore you to use common sense in your use of this information.
684
685This document would not be possible if it werenÆt from the help I received from my friends.
686Thanks to phrea, nec, jay, ceramic, and anyone else who I forgot.
687
688Thank you for listening,
689Gods Misfit
690binary0100@yahoo.com
691http://aol.necrocosm.com