THIS FILE IS PART OF A GOOGLE SUMMER OF CODE 2007 SUBMISSION BY JEFF CONNELLY

*****************************
* Update 20070401 - Please see http://xyzzy.freeshell.org/gsoc/ instead
* for the latest information - this document is no longer updated. Thanks.
******************************

myspaceim notes 20070320jc

Note that these are very rough notes. YMMV. Please see the application for
further information. These notes are made available only for your information.
I wouldn't write real documentation like this.

==installation==

http://www.myspace.com/myspaceim
MySpaceIM_seutp.exe

Install wireshark-setup-0.99.5.exe.

MySpaceIM setup:
get http://im.myspace.com/nsis/currentversion.txt
get http://imupdate.myspace.com/nsis/MSIMClientSetup.1.0.673.0-static.exe

==run==

run myspaceim
on startup: get http://im.myspace.com/nsis/currentversion.txt
login to my account myspace@xyzzy.cjb.net
asks to pick username, enter shellreef
check if it is available; it is, then I logout
log back in
check if 'jeff' is available
"the username could not be submitted. please login and try again."
don't know why. try to reconnect again.
"your account info is not available. our bad. please try again later!"
reconnect.
"Your account info is temporarily unavailable. Our bad. Try in a few!"
whatever. I stop and save the capture to login-and-check-username.pcap

==hosts==

now let's look at the protocol.
connects to 204.16.33.99, port 1863
wireshark thinks it's MSNMS, but wikipedia says it just uses the same port #
dns lookup of im.myspace.akadns.net, several responses, pick one (akadns is part of akamai)

==login==

save several tries to login-[1234].txt.

telnet im.myspace.akadns.net 1863

the server immediately sends: (note: not byte-for-byte copy, ? is 'not' sign)

\lc\1\nc\XUsvRmBXjKK+/0WXWIvnwEbMRaxHo0oDmdS1GTcH0i+bnCB25ssRRyu1q5pk47UJ8EpsLg8
JDPARfKGnv/ZLUQ==\id\1\final\\persistr\\cmd\257\dsn\101\uid\0\lid\20\rid\1059432
6\body\AdUnitRefreshInterval=10?AlertPollInterval=180?ChatRoomUserIDs=78744676;1
42663391;142910130;123521495;138528147;140271072;163733130?CurClientVersion=595?
EnableIMBrowse=False?MaxAddAllFriends=100?MaxContacts=1000?MinClientVersion=529?
MySpaceNowTimer=720?PersistenceDataTimeout=900?UseWebChallenge=1?WebTicketGoHome
=False\final\

What's that +/ and =? Looks like base64. Let's decode it.

>>> base64.decodestring("XUsvRmBXjKK+/0WXWIVNwEbMRaxHo0oDmds1gtCH0i+bnCB25ssRRyu
1q5pk47UJ8EpsLg8JDPARfKGnv/ZLUQ==")
']k/f`w\X8C\Xa2\xbe\xfeE\x97X\x8b\xe7Y\xe0f\xac\x05\xe1;C\X9D04\XB5\x198\x07\xd2
/\x9b\x9c v\xe6\xcb\x12G+\xb5\xab\x9ad\xe3\xb5\t\xf0Jl.\x0f\t\x0c\xf0\x11|\xa1\x
a7\xbf\xfuKQ'
>>>

[note: I've intentionally replaced the keys above, to hide my password in case
MySpaceIM's algorithm is just a plaintext equivalent; so what Python says is the
decoded bytes does not exactly match the base64. Please don't hack me.]

Looks like some sort of 64-byte random seed.

Message format seems to be \name\value\name\value...

So here, we can see the following parameters:

lc: 1
nc: (64 random bytes)
id: 1
final: (empty)
persistr: (empty)
cmd: 257
dsn: 101
uid: 0
lid: 20
rid: 10594326
body: lots of parameters, in X=Y style, separated by ^\ control character (28 dec, 0x1c hex)

The server will wait here for a reply for quite a while. I hit enter.

\error\\err\1\fatal\\errmsg\There was an error parsing an incoming request.\fina
l\

What's that mean?

error: (empty)
err: 1
fatal: (empty)
errmsg: There was an error parsing an incoming request
final: (empty)

Possibly the presence of a certain tag indicates something, i.e., fatal.
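Added example (not part of the original notes and not MySpaceIM's own code): a small Python parser for the \name\value...\final\ framing and the 0x1c-separated body described above. The function names and the sample stream are constructed for illustration; in the sample "^" stands for the 0x1c byte, and the last message is cut off the way several captures in these notes are.

```python
FS = "\x1c"        # separator inside a body (decimal 28, shown as \034 in captures)
END = "\\final\\"  # each message in these notes ends with an empty 'final' field


def split_messages(stream):
    """Split one TCP payload into complete messages plus an unfinished tail."""
    parts = stream.split(END)
    tail = parts.pop()  # whatever follows the last terminator, "" if nothing
    return [p + END for p in parts], tail


def parse_body(body):
    """Return the X=Y items as a list of pairs; keys such as GroupID can repeat."""
    if not body:
        return []
    return [tuple(item.partition("=")[::2]) for item in body.split(FS)]


def parse_message(raw):
    """Parse one complete message into its type, its fields and its body items."""
    if not (raw.startswith("\\") and raw.endswith(END)):
        raise ValueError("incomplete message: %r" % raw[:40])
    tokens = raw[1:].split("\\")  # the trailing "" is the empty value of 'final'
    if len(tokens) % 2:
        raise ValueError("field name without a value")
    fields = dict(zip(tokens[0::2], tokens[1::2]))
    return {"type": tokens[0], "fields": fields,
            "body": parse_body(fields.get("body", ""))}


# Constructed sample modelled on the captures in these notes ("^" stands for 0x1c,
# line breaks are removed): two requests in one segment, one reply with repeated
# GroupID keys, and one reply cut off in the middle of its body.
SAMPLE = r"""
\persist\1\sesskey\267577152\cmd\1\dsn\4\uid\3656574\lid\5\rid\49\body\UserID=3656574\final\
\persist\1\sesskey\267577152\cmd\1\dsn\1\uid\3656574\lid\4\rid\50\body\\final\
\persistr\\cmd\257\dsn\2\uid\3656574\lid\6\rid\83\body\GroupID=25760886^GroupName=IM Friends^GroupID=25760887^GroupName=MySpaceIM Rooms\final\
\persistr\\cmd\257\dsn\4\uid\3656574\lid\5\rid\49\body\UserID=3656574^DisplayName=Jeff^UserNa
""".replace("\n", "").replace("^", FS)

if __name__ == "__main__":
    messages, tail = split_messages(SAMPLE)
    for raw in messages:
        msg = parse_message(raw)
        print(msg["type"], "cmd", msg["fields"].get("cmd"), "rid", msg["fields"]["rid"], msg["body"])
    print("unfinished tail:", repr(tail))
```

The body is returned as a list of pairs rather than a dict because keys repeat inside one body, and a tail without \final\ is held back instead of being parsed as if it were complete.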
==send username==

Split for easy reading:

\login2\196610
\username\myspace@xyzzy.cjb.net
\response\jmXdxAkjJTohOZuCSbMEEFyNGAR5ZpDKAdtaYwDWru4Srv/Tk3n4N2GD8VI6r6M17OPAr80wZjPB6rJ7zbN1DTpO6u2/49B1rlo=
\clientver\673
\reconn\0
\status\100
\id\1
\final\

response decoded as base64 is 74 bytes, is probably a challenge/response scheme
for the password.

reply:

\persistr\
\cmd\257 (= login ok)
\dsn\101
\uid\0
\lid\20
\rid\16252675
\body\AdUnitRefreshInterval=10\034AlertPollInterval=180\034ChatRoomUserIDs=78744676;142663391;142910130;123521495;138528147;140271072;163733130\034CurClientVersion=595\034EnableIMBrowse=F

client TCP acks, then server sends:

\lc\2
\sesskey\263958216
\proof\3656574
\userid\3656574
\profileid\3656574
\uniquenick\3656574
\id\1
\final\

\persistr\
\cmd\257
\dsn\101
\uid\0
\lid\20
\rid\16252680
\body\AdUnitRefreshInterval=10\034AlertPollInterval=180\034ChatRoomUserIDs=78744676;14

TCP ack, then server sends:

\persist\1
\sesskey\263958216
\cmd\1
\dsn\4
\uid\3656574
\lid\5
\rid\29
\body\UserID=3656574
\final\

\persist\1
\sesskey\263958216
\cmd\1
\dsn\1
\uid\3656574
\lid\4
\rid\30
\body\
\final\

==after login==

next, from server:

\persistr\
\cmd\257 ( = login info?)
\dsn\1
\uid\3656574
\lid\4
\rid\30
\body\UserID=3656574\034Sound=True\034PrivacyMode=0\034ShowOnlyToList=False\034OfflineMessageMode=1\034Headline=\034AvatarUrl=\034Alert=1\034ShowAvatar=False\034IMName=\034LastLogin=12818920

Gives information on client.

client TCP acks, server sends more:
(to split into readable, on vi: /\\, enter, /, enter, i, enter, escape, repeat)

\persistr\
\cmd\257 ( = login info?)
\dsn\4
\uid\3656574
\lid\5
\rid\29
\body\UserID=3656574\034ImageURL=http:/1/1myspace-513.vo.llnwd.net/100928/131/151/1928941513_m.jpg\034DisplayName=Jeff\034UserName=3656574\034BandName=\034SongName=\034TotalFriends=69
\final\

there again the "body" comes up. it's like URL-encoded, but separated by \034
(0x1c hex) instead of & or ;.

Look at each parameter.
UserID: nothing unusual, this is just the uid.
ImageURL: unusual; http:/1/1myspace-513.vo.llnwd.net, what is that? What is the /1/?
 1myspace-513.vo.llnwd.net does not resolve.
 myspace-512.vo.llnwd.net = 68.142.73.40
 opening just shows a blank page in firefox (didn't try protocol analysis)
 google llnwd shows lots of myspace references
 llnwd = limelight networks, "high performance content delivery for digital media"

moving on:

FROM CLIENT
I tried to set my username to 'jeff':

\persist\1
\sesskey\263958216
\cmd\1
\dsn\5
\uid\3656574
\lid\7
\rid\33
\body\UserName=jeff
\final\

sesskey = session key. same throughout.
cmd = command
uid = user id
lid = ??? id
rid = ??? id

there's more:

FROM SERVER
here, I tried to use the name 'jeff', but it was taken.

\persistr\
\cmd\257
\dsn\5
\uid\3656574
\lid\7
\rid\33
\body\UserID=149935864\034ImageURL=http:/1/1a816.ac-images.myspacecdn.com/1images01/116/1m_cf372e544a0a386ebe3b78924d37c947.jpg\034DisplayName=Jeff\034UserName=jeff\034BandName=\034SongName=

gives me my band and song name (what i'm currently playing?), display name,
and some kind of image url.

persist and persistr? what?

go on:
means name is taken?

FROM CLIENT - response to check username
\persist\1\sesskey\263958216\cmd\1\dsn\1\uid\3656574\lid\17\rid\35\body\UserID=149935864\final\

sesskey same. rid was really high before, now it's low. 29, 30, 33...

more info.
FROM SERVER
\persistr\\cmd\257\dsn\1\uid\3656574\lid\17\rid\35\body\UserID=0\034Sound=True\034PrivacyMode=0\034ShowOnlyToList=False\034OfflineMessageMode=0\034Headline=\034AvatarUrl=\034Alert=0\034ShowAvatar=True\034IMName=\034ClientVersion=0\034Allow

FROM CLIENT
I tried username shellreef here:
\persist\1\sesskey\263958216\cmd\1\dsn\5\uid\3656574\lid\7\rid\37\body\UserName=shellreef\final\

FROM SERVER - response to check username - this one succeeded
\persistr\\cmd\257\dsn\5\uid\3656574\lid\7\rid\37\body\UserName=shellreef\final\

FROM CLIENT
\persist\1\sesskey\263958216\cmd\2\dsn\9\uid\3656574\lid\14\rid\39\body\UserName=shellreef\final\

looks real similar to what from client just a bit ago, but differences:

cmd  1   2
dsn  5   9
lid  7   14
rid  37  39

FROM SERVER
\persistr\\cmd\258\dsn\9\uid\3656574\lid\14\rid\39\body\UserName=shellreef\034Code=0\final\

UserName=shellreef, Code=0 - accepted?

FROM CLIENT
\persist\1\sesskey\263958216\cmd\1\dsn\4\uid\3656574\lid\5\rid\41\body\UserID=3656574\final\\persist\1\sesskey\263958216\cmd\1\dsn\1\uid\3656574\lid\4\rid\42\body\\final\

FROM SERVER
\persistr\\cmd\257\dsn\4\uid\3656574\lid\5\rid\41\body\UserID=3656574\034ImageURL=http:/1/1myspace-513.vo.llnwd.net/100928/131/151/1928941513_m.jpg\034DisplayName=Jeff\034UserName=shellreef\034BandName=\034SongName=\034TotalFriends=69\fina

more junk. total friends.

FROM SERVER
\persistr\\cmd\257\dsn\1\uid\3656574\lid\4\rid\42\body\UserID=3656574\034Sound=True\034PrivacyMode=0\034ShowOnlyToList=False\034OfflineMessageMode=1\034Headline=\034AvatarUrl=\034Alert=1\034ShowAvatar=False\034IMName=\034LastLogin=12818920

last login, imname

FROM CLIENT - logout
\logout\
\sesskey\263958216
\final\

"logout" with no value, session key, and hypothesis: messages end in an empty 'final'.
****** SECOND LOGIN SESSION *****

FROM SERVER
\lc\1\nc\YuhUG2NCAEazR031ICizIFi/SFU9H4aEWP7XVgaPobCAvUQNwEXLQc3OPvalwXj97VWp/KoLpsgcqHztb4Uy0w==\id\1\final\
\persistr\\cmd\257\dsn\101\uid\0\lid\20\rid\16339203\body\AdUnitRefreshInterval=10\034AlertPollInterval=180\034ChatRoomUserIDs=78744676;142663391;142910130;123521495;138528147;140271072;163733130\034CurClientVersion=595\034EnableIMBrowse=F

FROM CLIENT
\login2\196610\username\myspace@xyzzy.cjb.net\response\vx2zVA1XwByoKucIS0OsXAZCI6siIhrL/680qwa55/98Wx2vTQxL1QwE4t/mKcStAp65gVDnJ2jCz+QHw4+BiJiYZKA3mI4wThM=\clientver\673\reconn\0\status\100\id\1\final\

FROM SERVER
\lc\2\sesskey\267577152\proof\shellreef\userid\3656574\profileid\3656574\uniquenick\shellreef\id\1\final\
\persistr\\cmd\257\dsn\101\uid\0\lid\20\rid\16339206\body\AdUnitRefreshInterval=10\034AlertPollInterval=180\034ChatRoomUserIDs=78744676;142663391;142910130;123521495;138528147;140271072;163733130\034CurClientVersion=595\034EnableIMBrowse=F

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\0\uid\3656574\lid\1\rid\46\body\\final\\addbuddy\\sesskey\267577152\newprofileid\6221\reason\\final\\blocklist\\sesskey\267577152\idlist\b-|6221|a+|6221\final\

FROM SERVER
\bm\4\f\6221\msg\\final\

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\4\uid\3656574\lid\5\rid\49\body\UserID=3656574\final\\persist\1\sesskey\267577152\cmd\1\dsn\1\uid\3656574\lid\4\rid\50\body\\final\

FROM SERVER - ":-)" is Tom's "headline" text (or whatever that is, displayed by his name)
\bm\100
\f\6221
\msg\|s|1|ss|:-)|ls||ip|0|p|0 (buddy info)
\final\
\persistr\\cmd\257\dsn\0\uid\3656574\lid\1\rid\46\body\\final\

FROM CLIENT
\blocklist\\sesskey\267577152\idlist\b-|6221|a+|6221\final\

FROM SERVER
\persistr\\cmd\257\dsn\4\uid\3656574\lid\5\rid\49\body\UserID=3656574\034ImageURL=http:/1/1myspace-513.vo.llnwd.net/100928/131/151/1928941513_m.jpg\034DisplayName=Jeff\034UserName=shellreef\034BandName=\034SongName=\034TotalFriends=69\fina

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\2\uid\3656574\lid\6\rid\54\body\\final\\persist\1\sesskey\267577152\cmd\1\dsn\7\uid\3656574\lid\18\rid\55\body\\final\\blocklist\\sesskey\267577152\idlist\w0|c0|a-|*|b-|*\final\\status\1\sesskey\26757

(after a while)
\blocklist\\sesskey\267577152\idlist\w0|c0|a-|*|b-|*\final\

FROM SERVER
\persistr\\cmd\1025\dsn\7\uid\3656574\lid\18\rid\55\body\\302\200=\034ErrorMessage=Request time elapsed configured has passed.\final\

FROM CLIENT - I opened a message window to 'testuser' (this is actually a real user, not me)
\persist\1\sesskey\267577152\cmd\1\dsn\5\uid\3656574\lid\7\rid\57\body\UserName=testuser\final\

FROM SERVER - info about testuser
\persistr\\cmd\257\dsn\5\uid\3656574\lid\7\rid\57\body\UserID=15187323\034ImageURL=http:/1/1x.myspace.com/1images/1no_pic.gif\034DisplayName=testuserguy\034UserName=testuser\034BandName=\034SongName=\final\

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\1\uid\3656574\lid\17\rid\59\body\UserID=15187323\final\

FROM SERVER
\persistr\\cmd\257\dsn\1\uid\3656574\lid\17\rid\59\body\UserID=0\034Sound=True\034PrivacyMode=0\034ShowOnlyToList=False\034OfflineMessageMode=0\034Headline=\034AvatarUrl=\034Alert=0\034ShowAvatar=True\034IMName=\034ClientVersion=0\034Allow

FROM CLIENT
\addbuddy\\sesskey\267577152\newprofileid\15187323\reason\\final\\blocklist\\sesskey\267577152\idlist\b-|15187323|a+|15187323\final\\bm\122\sesskey\267577152\t\15187323\cv\673\msg\cmdtype=1&reqid=15704865745422254&contenttype=1&\final\

FROM SERVER
\bm\4\f\15187323\msg\\final\
\bm\100\f\15187323\msg\|s|0|ss|Offline\final\

FROM CLIENT - I started typing
\bm\121\sesskey\267577152\t\15187323\cv\673\msg\%typing%\final\
\persist\1\sesskey\267577152\cmd\1\dsn\2\uid\3656574\lid\6\rid\61\body\\final\

I sent "hello world". Some strange markup! That'll have to be decoded too.
\bm\1\sesskey\267577152\t\15187323\cv\673\msg\

hello world\final\

 = paragraph
 = font tag
 f = font face
 h = height? (size)
 = color tag
 v = color
 = ???
 v = color - is # the nesting level?

FROM CLIENT
\persist\1\sesskey\267577152\cmd\2\dsn\2\uid\3656574\lid\16\rid\63\body\GroupName=IM Friends\034Position=1\034GroupFlag=131073\final\\persist\1\sesskey\267577152\cmd\2\dsn\2\uid\3656574\lid\16\rid\64\body\GroupName=MySpaceIM Rooms\034Posit

FROM SERVER
\persistr\\cmd\258\dsn\2\uid\3656574\lid\16\rid\63\body\GroupName=IM Friends\034Position=1\034GroupFlag=131073\final\

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\4\uid\3656574\lid\3\rid\68\body\UserID=6221\final\\persist\1\sesskey\267577152\cmd\1\dsn\4\uid\3656574\lid\3\rid\69\body\UserID=15187323\final\

FROM SERVER - what is cmd=258? group info?
\persistr\\cmd\258\dsn\2\uid\3656574\lid\16\rid\64\body\GroupName=MySpaceIM Rooms\034Position=2\034GroupFlag=196612\final\\persistr\\cmd\258\dsn\2\uid\3656574\lid\16\rid\65\body\GroupName=Recent Contacts\034Position=3\034GroupFlag=196610\f

cmd=257 = user info on tom
this is tom, he is listening to The Only Song - Sherwood. I can see him on my list.
\persistr\\cmd\257\dsn\4\uid\3656574\lid\3\rid\68\body\UserID=6221\034ImageURL=http:/1/1myspace-502.vo.llnwd.net/100000/120/152/12502_m.jpg\034DisplayName=Tom\034UserName=tom\034BandName=Sherwood\034SongName=The Only Song\034TotalFriends=1

cmd=257 = user info on testuser
\persistr\\cmd\257\dsn\4\uid\3656574\lid\3\rid\69\body\UserID=15187323\034ImageURL=http:/1/1x.myspace.com/1images/1no_pic.gif\034DisplayName=testuserguy\034UserName=testuser\034BandName=\034SongName=\034TotalFriends=41\final\

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\2\uid\3656574\lid\6\rid\74\body\\final\
\persist\1\sesskey\267577152\cmd\1\dsn\0\uid\3656574\lid\2\rid\76\body\ContactID=6221\final\\persist\1\sesskey\267577152\cmd\1\dsn\0\uid\3656574\lid\2\rid\77\body\ContactID=15187323\final\

after web traffic
\persistr\\cmd\1025\dsn\2\uid\3656574\lid\6\rid\54\body\ErrorMessage=Request timeout\final\

FROM CLIENT - I tried to send a message to nonexistent user
\persist\1\sesskey\267577152\cmd\1\dsn\5\uid\3656574\lid\7\rid\79\body\UserName=testuser2222222222\final\

webchlg???
\webchlg\\sesskey\267577152\n\0\final\

FROM SERVER - challenging
\persistr\\cmd\257\dsn\17\uid\3656574\lid\26\rid\20015794\body\Challenge=2437569020\034ChallengeData=CTtWmfBzuq4rxoe5GJhk0bfNp7tGQljzsIKaTBOARc21898xR26Y4qs9MBohcn+FlnD/1+T9KL/1Ftuo9vd3elbw==\034Challenge=2437569023\034ChallengeData=3PZg0J

on home.myspace.com, client does:
GET /Modules/IM/Pages/UrlRedirector.aspx?challenge=8408570-3656574-267577152&response=5CiUQCLEkz1ryhNZpv/IPxdmXS1tNnZaDk/kGx4cQxM&target=searchfriends&targetid=3656574 HTTP/1.1\r\n

on collect.myspace.com, client does:
GET /index.cfm?fuseaction=im.friendslist&setonlinenow=1&setrsi=1&MyToken=6451502b-0ba5-4805-91b3-b5925d8f1747 HTTP/1.1\r\n

FROM SERVER - response to message to nonexistent user
\persistr\\cmd\257\dsn\5\uid\3656574\lid\7\rid\79\body\UserName=testuser2222222222\final\

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\7\uid\3656574\lid\18\rid\82\body\\final\
\persist\1\sesskey\267577152\cmd\1\dsn\2\uid\3656574\lid\6\rid\83\body\\final\

FROM SERVER
\persistr\\cmd\257\dsn\7\uid\3656574\lid\18\rid\82\body\EventInvitation=On\034Mail=On\final\
\persistr\\cmd\257\dsn\2\uid\3656574\lid\6\rid\83\body\GroupID=25760886\034GroupName=IM Friends\034Position=1\034GroupFlag=131073\034GroupID=25760887\034GroupName=MySpaceIM Rooms\034Position=2\034GroupFlag=196612\034GroupID=25760888\034Gro

FROM CLIENT
\persist\1\sesskey\267577152\cmd\1\dsn\0\uid\3656574\lid\2\rid\86\body\ContactID=6221\final\\persist\1\sesskey\267577152\cmd\1\dsn\0\uid\3656574\lid\2\rid\87\body\ContactID=15187323\final\

FROM SERVER
\persistr\\cmd\257\dsn\0\uid\3656574\lid\2\rid\86\body\ContactID=6221\034ContactID=6221\034Headline=:-)\034Position=1\034GroupName=IM Friends\034Visibility=1\034AvatarUrl=\034ShowAvatar=False\034LastLogin=128182824000000000\034IMName=\034N
\persistr\\cmd\257\dsn\0\uid\3656574\lid\2\rid\87\body\ContactID=15187323\034ContactID=15187323\034Headline=\034Position=0\034GroupName=Recent Contacts\034Visibility=1\034AvatarUrl=\034ShowAvatar=True\034IMName=\034NickName=\034NameSelect=

afterwards:
\persistr\\cmd\1025\dsn\2\uid\3656574\lid\6\rid\74\body\ErrorMessage=Request timeout\final\
\persistr\\cmd\1025\dsn\0\uid\3656574\lid\2\rid\76\body\ContactID=6221\034ErrorMessage=Request timeout\final\
\persistr\\cmd\1025\dsn\0\uid\3656574\lid\2\rid\77\body\ContactID=15187323\034ErrorMessage=Request timeout\final\

END