Yahoo's Online Game Protocol - by Jeff Connelly
~/mnt/ad4s2d/jeff/yog/yog.txt

YOG Servers:     yog*.games.snv.yahoo.com:11999   YAHOO!, main channel
DL Servers:      dl*.yahoo.com:80                 localization dictionaries
VIP Servers:     vc*.vip.sce.yahoo.com:5001       sends sound & msie info
Search Servers:  search*.games.yahoo.com:80       HTML code surrounding applet

A request on 216.131.39.136:80:

  GET /tools/dhtml.dll?cid=232118;sid=75900;euid=202532445;session=217630374;;bx=0;qdt=-34724;qht=8;qck=0;event=i; HTTP/1.1

This occurred upon loading the applet. The server reply had no content, so this has to be used for logging in, for logging purposes, or such.

After the client is loaded, it connects to yog*.games.snv.yahoo.com:11999. The server replies with "YAHOO!", the magic number. Client sends "Y" and receives eight bytes:

  o \0\005 11101              from server

  client's reply when sending:

  6F 00 05 31 31 31 30 31
  00 00 00 00 00 00 00 00
  *6F 00 05 31 31 31 30 31*   o \0\5 11101

  01 01 01 01 01 01 01 01 3C E9 8E 20 B2 48 0B 10
  15 FB 74 83 79 4B DF 32 16 3B 24 82 38 DA 01 D2
  1C FB AE 39 59 E2 B6 00 14 E1 F6 F8 1A C0 13 68
  0F F6 D5 DF 3F 54 BC 7E 22 F7 10 FE 2C 56 55 8E
  2F 1C F0 FB 23 7C 22 8A 0E 73 4C 9A 40 92 E9 6A
  52 BF A1 D7 62 01 DD 56 DA AF B8 76 34 AE BD 86
  44 87 EB 71 7D E1 45 18 CC D9 5E B0 E2 58 3B A0
  44 44 44 44 44 44 44 44 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 44 44 44 45 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 44 44 44 46 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 44 44 44 47 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 44 44 44 FF 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 44 44 FF FF 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 44 FF FF FF 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 FF FF FF FF 63 E4 E9 B5 FD 15 9C F5
  44 44 44 44 FF FF FF FF 63 E4 E9 B5 FD 15 9C F5
  44 44 44 FF FF FF FF FF C2 17 70 DE 4C B6 F5 EE
  FF FF FF FF FF FF FF FF C2 17 70 DE 4C B6 F5 EE

Those are just some bytes that I received. I suspect it's mangled in some way. Previously, there was no or minimal mangling.
It appears that now, everything the client sends is "encrypted" using this key. Here's the procedure again:

  - Client connects to server
  - < "YAHOO!"              server received connection, client can talk now
  - > "Y"                   client requests random key
  - < .. .. .. .. .. ..     6-byte key used to encrypt further transmissions
  - > o <00 06> 11101       encrypted open room request

So, in telnet you can't go so far as to send an open room request without cracking the client-side encryption. I suspect Yahoo did this intentionally to thwart attempts to reverse-engineer the YOG (or is it YAcs?) protocol via packet sniffing alone. You must also RE the client now that Yahoo has encryption.

More about the encryption:

When yogs.pl sends all zeros, the client exposes what it truly is sending: an open room request, room 11101. So I suspect the server sends a key which the client uses to encrypt its further transmissions. Not plain XOR. Position-dependent. Answers lie in the source. Specifically, _cls92.java.

_cls92.jad, om routine:

    void om(int i) throws IOException
    {
        if(c == b)
        {
            d -= b;
            c = b = 0;
        }
        if(b + i > 8192) // 8192 = 0x2000
        {
            System.arraycopy(a, b, a, 0, c - b);
            d -= b;
            c -= b;
            b = 0;
        }
        int j = b + i;
        if(j > 8192)
            throw new IOException("CPInputStream Buffer full size=" + i + " p1" + b + " pend=" + d);
        int k;
        for(; c < j; c += k)
        {
            k = e.read(a, c, 8192 - c);
            if(k == -1)
                throw new IOException("Illegal cp protocol");
            if(f != null)
                f.Us(a, c, c + k); // optional filter applied to the range of a[] just read
        }
    }

    public void qm() throws IOException
    {
        om("YAHOO!".length()); // om(6)
        // Just ensuring a[] contains "YAHOO!"
        for(int i = 0; i < "YAHOO!".length(); i++)
            if(a[b + i] != "YAHOO!".charAt(i))
                throw new IOException("Illegal connection proxy header");
        b += "YAHOO!".length();
        d = b;
    }

Update 10/15/01: This file is from when YOG's servers were much different.
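As an added example (not the author's yogs.pl and not Yahoo's code), here is the known-plaintext test behind the "plain XOR with a 6-byte key" hypothesis, using the 8-byte open room request as the plaintext that is known on both sides of the cipher. DEMO_KEY and both ciphertexts are constructed, since the real key never appears in the dump; the point is that if the scheme really were a repeating XOR, a single sniffed open room request would hand over the whole key, which is why such a scheme protects nothing.

```python
# Known-plaintext check of the "6-byte key, plain XOR" hypothesis, using the open
# room request from these notes as the plaintext. DEMO_KEY and the two ciphertexts
# produced below are constructed for the demo; the real captures are in the dump.
KNOWN_PLAIN = b"o\x00\x0511101"                 # 6F 00 05 31 31 31 30 31, 8 bytes
DEMO_KEY = bytes.fromhex("5A A5 3C C3 0F F0")    # constructed 6-byte key

def xor_stream(plain, cipher):
    """Byte-wise plain XOR cipher: the key byte that must have been used at each position."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    return bytes(p ^ c for p, c in zip(plain, cipher))

def repeating_key(plain, cipher, period=6):
    """Return the period-byte key if the pair fits a repeating XOR, else None.

    Positions i and i+period must yield the same key byte. With an 8-byte message
    and a 6-byte key that checks slots 0/6 and 1/7, which is all one open room
    request gives you; a longer known message checks more slots.
    """
    stream = xor_stream(plain, cipher)
    key, seen = bytearray(period), [False] * period
    for i, k in enumerate(stream):
        j = i % period
        if seen[j] and key[j] != k:
            return None     # same key slot, different byte: not a plain repeating XOR
        key[j], seen[j] = k, True
    return bytes(key)       # slots never reached (message shorter than period) stay 0

def xor_plain(data, key=DEMO_KEY):
    """Constructed stand-in: repeating-key XOR, the weak scheme the check detects."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_positional(data, key=DEMO_KEY):
    """Constructed stand-in for a position-dependent scheme: key byte also depends on i."""
    return bytes(b ^ ((key[i % len(key)] + i) & 0xFF) for i, b in enumerate(data))

if __name__ == "__main__":
    print("plain XOR  ->", repeating_key(KNOWN_PLAIN, xor_plain(KNOWN_PLAIN)).hex())
    print("positional ->", repeating_key(KNOWN_PLAIN, xor_positional(KNOWN_PLAIN)))
```

Feeding the check a real capture means pairing a known open room request with the bytes the client actually put on the wire for it; a None result is consistent with the author's "not plain XOR, position-dependent" note.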
* = number

Command Format

  1 byte    Command byte
  2 bytes   Data length
  x bytes   Data

Known commands, in the order in which they are generally sent:
/ > = from client to server (recv), < = from server to client /

  Command    Sent_By   Data_Meaning
  'YAHOO!'   server    no data, no length -- sent upon client connection

These commands from _cls170.java:

  00  server  ACTION_CONNECT(s)              d.Ah(s)
  01  server  ACTION_SEND_DATA(flag, k)      b.Sb(a), d.Bh(flag, k=readint, b)
  02  server  ACTION_DISCONNECT(l)           d.Ch(l)
  06  server  UPDATE_CLIENT_PEER(s1, i1)     d.Fh(s1, i1)
  08  server  UPDATE_CLIENT_PEER_CLOSED()    d.Gh()
  04  server  UPDATE_CLIENT_DATA(b.fr(1))    d.Dh(b)
  05  server  UPDATE_ACTION_FAILED(j1)       d.Eh(j1)
  07  server  UPDATE_CONNECT_FAILED()        d.Hh(s2)
  03  server  falls through to unknown command

These commands from old packet dumps:

  29 ')'  server  sometimes sent before YAHOO!, followed by 0x14. close.
  6F 'o'  client  ASCII Room ID (rooms.txt)
  64 'd'  server  Reply to 'o' command
  64 'd'  client  Authentication
  42 'B'  server  unknown
  66 'f'  server  ASCII Room ID (rooms.txt)
  63 'c'  server
  06 \6   client
  58 'X'  client  (none), closing connection. server closes immediately
  6B 'k'  client  unknown, doesn't disconnect
  7A 'z'  client  unknown, doesn't disconnect
  59 'Y'  client  request random 6-byte encryption key

Other commands may cause the server to immediately disconnect the client.

(Server) Init String
  "YAHOO!"
Sent upon client connection to the server. The client checks to see if this is received; if not, something is wrong.

(Client) Request Encryption Key
  59 'Y'
This single byte is sent after YAHOO! by the client to request an encryption key. Future client commands are encrypted using this.

(Client) Open Room
  6F 00 05 'o'
Opens a specified room, see rooms.txt for known values.
Example: 6F 00 05 31 31 31 30 31 -> opens room 11101, chess Camel Club

The server would then reply with data similar to these:

  6F 00 05 31 31 31 30 31 00 00 0B 7C
  6F 00 05 31 31 31 30 31 00 00 14 73
                                ** **

The last two bytes are what vary; I believe they are session IDs or such.
(Server) Re: Open Room
  42 00 05 'B'
Replied to an open room request.

(Server) Re: Open Room
These requests were all received when entering Chess, Camel Club.

  d  .  .  .  |  .  .  .  .  G  A  M  E  S  .  .  p  .  .  0
  64 00 00 0B 7C 00 0D 00 05 47 41 4D 45 53 00 01 70 00 01 30
  64 00 00 14 73 00 0D 00 05 47 41 4D 45 53 00 01 70 00 01 30
  64 00 00 18 F5 00 0D 00 05 47 41 4D 45 53 00 01 79 00 01 30
           ** **

Startup protocol requires that the first UTF section equals "GAMES". The next two strings have to equal _cls77.m and aa.e(), respectively. "p" Replied to an open room request.

When there was an error later:

  64 00 00 0B 7C 00 69 01 00 66
  d  .  .  .  |  .  i  .  .  f
                          \ \ Length of message to display

Followed by: "Your request to blah blah.."

I suspect this is how Yahoo's servers display message boxes in applets.

(Client) User Info

  64 00 00 0B 7C 00 7E 00 00 09
  d  .  .  .  |  .  ~  .  .  .
           ** ** -- --
           "key" varies varies

Followed by:

  id=&face=.Ov=1&n=bjgiult2oc02r&l=h40b1030j60c4i/o&p=m1i2q7fb110001&r=61&1g=us&intl=us&np=1<00 1B>Mozilla/4.5 [en] (Windows 98; U)<00 02>us

Which, broken down, is:

  id=
  face=.0v
  n=bjgiult2oc02r
  l=h40b1030j60c4i/o
  p=m1i2q7fb110001
  r=61
  1g=us
  intl=us
  np=1<00 1B>Mozilla/4.5 [en] (Windows 98; U)<00 02>us

Here's another capture:

  id=realbadatgames
  face=9.0v=1
  n=bjgiult2oc02r
  l=h40b1030j60c4i/o
  p=m1i2q7fb110001
  r=61
  1g=us
  intl=us
  np=1<00 1B>Mozilla/4.5 [en] (Windows 98; U)<00 02>us

n, l, p, r: seemingly garbled information. Observations:
  - No uppercase letters
  - Lowercase letters and numbers, plus a slash

Perhaps this is generated by the Yahoo games applet to foil attempts to access YOG not through their applet. TODO: Decompile applet.

Immediately after this a user authentication error was returned. I hypothesise n, l, p, and r are encrypted password information.

  d  .  .  .  s  .  .  .  .  .  r  e  a  l  b  a  d  a  t  g  a  m  e  s
  64 00 00 14 73 00 11 00 00 0E 72 65 61 6C 62 61 64 61 74 67 61 6D 65 73
  64 00 00 18 F5 00 11 00 00 0E ...
           ** **              Length|User login name

  64 00 00 14 73 00 21 65 00 0E
  d  .  .  ** ** .  !  e  .  .
Sent here is the user list. See sample.txt for dissection.

  64 00 00 14 73 00 05 73 2B 00 00 00
  d  .  .  ** ** .  .  s  +  .  .  .
  Last packet of user list^

  64 00 00 14 73 00 0B 6C 00 07 76 68 69 76 65 31 30 2B
  d  .  .  ** ** .  .  l  .  .  v  h  i  v  e  1  0  +

  64 00 00 14 73 00 02 64 2B
  d  .  .  ** ** .  .  d  +

These packets are for individual users, their table config perhaps.

Sent by client, when sending text:

  65 00 00 14 73 00 08 43 00 05 68 65 6C 6C 6F
  d  .  .  ** ** .  .  C  .  .  h  e  l  l  o
                          length, text

Sent by server when someone says something:

  64 00 00 14 73 00 18 63 ** **

(Server) c Command

  63 00 00 0B 7C 00
  c  .  .  ** ** .
  63 00 00 14 73 00
           ** **

Disconnect? Ready to disconnect?

(Client) \6 Command

  06 FC 2E DF 00 1B 6C CB 90 92 52 8E 50 04 00 00 D2 42 00 00
  .  .  .  .  .  .  l  .  .  .  R  .  P  .  .  .  .  B  .  .

Unknown. Last thing sent by client before disconnecting.

(Client) Exiting
  58 X
When the client sends this, the server immediately closes the connection.
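A parser for the framing described under Command Format and seen in the 'd', 'e' and 'o' dumps above, added here as an example (my code, not the author's tools or anything from the Yahoo applet). Treating the 4 bytes after 'd'/'e' as the session id, the first data byte of those packets as a sub-command, and the 2-byte string prefixes as Java UTF lengths is my reading of the dumps; the three sample packets are copied from the notes.

```python
import struct

# Packet shapes as I read them off the byte dumps in these notes (an interpretation
# of the captures, not a documented Yahoo format):
#   short form: cmd(1) | len(2, big-endian) | data                 e.g. 'o' open room
#   long form : cmd(1) | session(4) | len(2) | subcmd(1) | data     e.g. 'd', 'e'
# Strings inside data are Java-style UTF: len(2, big-endian) | bytes.
SESSION_CMDS = {0x64, 0x65}   # 'd' and 'e' packets carry the 4-byte session id

def read_utf(buf, off):
    """Decode one length-prefixed string at buf[off:]; return (text, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated UTF length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("UTF string of %d bytes runs past end of data" % n)
    return buf[off:off + n].decode("latin-1"), off + n

def utf_fields(data):
    """Read back-to-back UTF strings, e.g. the GAMES / p / 0 startup reply."""
    out, off = [], 0
    while off < len(data):
        s, off = read_utf(data, off)
        out.append(s)
    return out

def parse_packet(raw):
    """Split one packet into (cmd, session, data, trailer); trailer is whatever follows
    the declared length. In the dumps the server's 'o' reply carries 4 such bytes that
    match the session id of the later 'd' packets (00 00 0B 7C)."""
    if len(raw) < 3:
        raise ValueError("packet shorter than command + length")
    if raw[0] in SESSION_CMDS:
        if len(raw) < 7:
            raise ValueError("session packet shorter than its 7-byte header")
        session, length = struct.unpack_from(">IH", raw, 1)
        start = 7
    else:
        session, start = None, 3
        (length,) = struct.unpack_from(">H", raw, 1)
    if start + length > len(raw):
        raise ValueError("length field %d exceeds bytes present" % length)
    return chr(raw[0]), session, raw[start:start + length], raw[start + length:]

# Captures copied from the dumps above.
OPEN_ROOM_REPLY = bytes.fromhex("6F 00 05 31 31 31 30 31 00 00 0B 7C")
STARTUP_REPLY = bytes.fromhex("64 00 00 0B 7C 00 0D 00 05 47 41 4D 45 53 00 01 70 00 01 30")
CHAT_HELLO = bytes.fromhex("65 00 00 14 73 00 08 43 00 05 68 65 6C 6C 6F")  # subcmd 'C'
```

Running parse_packet over the three captures gives the 'o' reply's 4-byte trailer, the GAMES/p/0 strings under session 0x0B7C, and "hello" after the 'C' sub-command under session 0x1473; a packet cut short by even one byte is rejected by the length check rather than silently decoded.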