Yahoo Messenger Protocol
a.k.a
How to make your own Yahoo
Messenger In VB
For all people who have been waiting to make their own yahoo messenger
and could not find any material on the YMSG protocol,well it's time to stop
looking and start making !!!!.The basic purpose of writing this document is
that people should know what's actually happening when they use the yahoo
messenger.There is hardly any if not any documentation available on the
internet concerning the YMSG ptotocol ,this made it more difficult and at the
same time more exciting and challenging for me to reverse engineer the yahoo
messenger protocol.
The first step involved in any messenger application
is logging into the messenger server and then retrieving the friends list.The
yahoo messenger is slightly different from other messengers.The yahoo messenger
connects to the yahoo HTTP server(port 80) to retrieve the friends list!!!!.All
conversation takes place through the messenger server(port 5050).Let us first
look at logging into the yahoo server to retrieve the friends list.
We
connect to the yahoo server msg.edit.yahoo.com on port 80.
In
order to get the friends list from the server we send the following data to
it
GET /config/ncclogin?.src=bl&login=ymusertest
&passwd=ympasstest&n= 1 HTTP/1.0
Accept:*/*
Accept:
text/htm
where ymusertest is the username and ympasstest is the password. .If
this data is sent using a Visual Basic application it would look some
thing like this
'Begin VB code
strlogin = "GET /config/ncclogin?.src=bl&login=ymusertest&passwd=ympasstest&n=1 HTTP/1.0" & vbCrLf
strlogin = strlogin & "Accept: */*" & vbCrLf
strlogin = strlogin & "Accept: text/html" & vbCrLf & vbCrLf
WnsckMn.SendData strlogin
'End VB code
On successfully sending the login data we get the following
response from the server
HTTP/1.0 200 OK
Date: Thu, 05 Jul 2001 08:57:11
GMT
Content-Type: text/html
Expires: Thu, 05 Jul 2001 08:57:11
GMT
Cache-Control: private
Pragma:
no-cache
Set-Cookie:Y=v=1&n=25udo5k8tkvjb&l=l4dao_3k34/o&p=m2f17464130004&r=5s&lg=us&intl=us;
expires=Thu, 15 Apr 2010 20:00:00 GMT; path=/; domain=.yahoo.com
Via: 1.0
hydcache (NetCache NetApp/5.0.1R2)
OK
BEGIN BUDDYLIST
Chat
Friends:ambixxxx,ami_xxxx,d_cexxxx,deepxxxx,dixxxx,indian_guyxxxx,k_v_pxxxx,kaxxxxdaram,kavithaxxxx1,malaxxxx,pujaxxxx,sudxxxx,sunxxxxma,swaxxxxadhu,vkxxxx68
END
BUDDYLIST
BEGIN
IGNORELIST
agxxxx,loving_xxxx,shravaxxxxula,varmxxxx1
END
IGNORELIST
BEGIN IDENTITIES
venkxxxxde
END
IDENTITIES
Mail=1
Login= vexxxxe
LOGING ONTO THE SERVER
Now we shall start using the yahoo messenger protocol to log into the
yahoo messenger and then send and receive messages.
We will connect to the yahoo messenger server cs.yahoo.com on
port 5050
The first and the most difficult part for me was to log on to this
server.Unlike other yahoo protocols like the YCHT protocol,the YMSG protocol
uses encryption to encrypt the user password while sending it out to the
messenger server.The encrypted string looks something like this
1$_2S43d5f$1LfmOGuxGxDpSWvd6nzGb0
For a mainly MS windows user like me it was a bit difficult to recognize
the type of encryption used.But after a lot of searching and breaking my head i
finally realised that this was a UNIX MD5 CRYPT .This kind of password
encryption is used in many unix mahines.Again i searched for some sort of code
in either c++ or VB for this unix_md5_crypt .Finally i managed to make a dll in
c which would perform this encryption.You can download the dll along with a
.bas module made in vb from here venky.zip .
Now let us start logging into the yahoo messenger server .We send the
following data to the messenger server
YMSG� C
�ZUªUbS`ú0À€userÀ€6À€$1$_2S43d5f$1LfmOGuxGxYCSWvd6nzGb0À€1À€userÀ€
This is the data sent when viewed through a port monitor
0010: 00 7F B1 63 40 00 80 06 00 4C C0 A8 00 08 D8 88 ...c@....L......
0020: AF 90 04 E5 13 BA 21 09 4C 9F B5 59 53 05 50 18 ......!.L..YS.P.
0030: 44 5C 3D D1 00 00 59 4D 53 47 08 00 00 00 00 43 D\....YMSG.....C
0040: 00 01 5A 55 AA 55 6E 56 41 BB 30 C0 80 73 75 6E ..ZU.UnVA.0..sun
0050: 64 61 6D 61 6D 61 C0 80 36 C0 80 24 31 24 5F 32 xxxxxx..6..$1$_2
0060: 53 34 33 64 35 66 24 31 4C 55 68 40 47 75 78 47 S43d5f$1xxxOGuxG
0070: 78 59 43 53 57 76 64 36 6E 7A 47 62 30 C0 80 31 xYCSWvd6nzGb0..1
0080: C0 80 73 75 6E 60 61 63 61 78 63 C0 80 ..sunxxxxxx..
Let us look at what exactly is being sent
- YMSG- is the yahoo standard header for all messenger
command/messages
- This is followed by 1 byte of data - 08.
- This is followed by 4 bytes of data - 00 00
00 00
- Next is the length of the message information-essentially H31 +
2*length of the userid
- The next 2 bytes of data are 00 and 01 respectively
- Next is a 4 byte are standard for all messages/commands being sent to
the messenger server.The 4 bytes are 5A 55 AA 55
- The next 4 bytes is what i call the initial 4 bytes bluff identifier.
These 4 bytes identify a particular user and it changes every time you
log in. Initially you could send any four bytes including 00 00 00 00 and
you would still be able to log in .
- This is followed by one byte of data signifying that the data being
sent is for logging into the server .This byte has an ASCII equivalent of
"0"
- This is followed by 2 bytes of data which is the standard argument
separator.- C0 80
- This is followed by the yahoo user id and the standard argument
separator.
- Followed by one byte which is standard for the login procedure and
which has an ASCII equivalent as "6" and the standard argument separator.
- Next is the md5crypt encrypted password followed by the standard
argument separator.
- Followed by one byte which is standard for the login procedure "1"
and the standard argument separator.
- And finally this is followed by again the yahoo user id and the
standard argument separator.
'Begin VB code
dat3 = "0" & Chr(&HC0) & Chr(&H80) & "ymusertest" & Chr(&HC0) & Chr(&H80) & "6" & Chr(&HC0) & Chr(&H80) & dat1 & Chr(&HC0) & Chr(&H80) & "1" & Chr(&HC0) & Chr(&H80) & "ymusertest" & Chr(&HC0) & Chr(&H80)
dat2 = "YMSG" & Chr(8) & Chr(0) & Chr(0) & Chr(0) & Chr(0) & Chr(Len(dat3)) & Chr(0) & Chr(1) & Chr(&H5A) & Chr(&H55) & Chr(&HAA) & Chr(&H55) & Chr(&H62) & Chr(&H53) & Chr(&H60) & Chr(&HFA) & dat3
Wnsckyhoo.SendData dat2
'End VB code
The response of the server looks like this
YMSG ��
jLS˜0À€sundaxxxxÀ€1À€sundaxxxxÀ€
This is the data received when viewed through a port
monitor
0010: 00 59 A2 FA 40 00 2D 06 61 DB D8 88 AF 90 C0 A8 .Y..@.-.a.......
0020: 00 08 13 BA 04 E5 B5 59 53 05 21 09 4C F6 50 18 .......YS.!.L.P.
0030: 83 2C 62 F1 00 00 59 4D 53 47 00 00 00 00 00 1D .,b...YMSG......
0040: 00 01 00 00 00 00 79 52 7E 23 30 C0 80 73 75 6E ......jLS˜0..sun
0050: 64 61 6D 65 62 61 C0 80 31 C0 80 73 75 6E 64 61 daxxxx..1..sunda
0060: 62 65 6D 61 C0 80 00 xxxx...
The most important part of this response is the 4 byte identifier which
the server sends us the - " jLS˜ " All further communication
with the server will involve using this 4 byte identifier.This is also a
user identifier for the current messenger session.
SENDING A MESSAGE
Here is a typical example of a message being sent
YMSG� ?
�ZUªUjLS˜1À€sundaxxxxÀ€5À€venkyxxxxxÀ€14À€hi
there
This is the data sent when viewed through a port monitor
0010:00 67 42 01 40 00 80 06 62 33 C0 A8 00 08 CC 47 .gB.@...b3.....G
0020:C9 64 0C D7 13 BA A4 2F 4A C7 2F 18 A2 3A 50 18 .d...../J./..:P.
0030:43 EA 76 11 00 00 59 4D 53 47 08 00 00 00 00 2B C.v...YMSG.....+
0040:00 06 5A 55 AA 55 6A 4C 53 23 31 C0 80 73 75 6E ..ZU.UjLS˜1..sun
0050:64 61 60 69 6D 61 C0 80 35 C0 80 76 65 6E 6B 79 daxxxx..5..venky
0060:50 64 78 64 65 C0 80 31 34 C0 80 68 69 20 74 68 xxxxx..14..hi th
0070:65 72 65 C0 80 ere..
Let us look at what is being sent
- YMSG- is the yahoo standard header for all messenger
command/messages
- This is followed by 1 byte of data - 08.
- This is followed by 4 bytes of data - 00 00
00 00
- The next byte is the length of the message information ,in this
case-HEX(16 + length(senderid)+length(receiverid) + len(message) )
- The next 2 bytes of data are 00 and 06 respectively
- Next is a 4 byte are standard for all messages/commands being sent to
the messenger server.The 4 bytes are 5A 55 AA 55
- The next 4 bytes are the user identifier for the current
session.
- This is followed by one byte of data signifying that the data is a
Private Message(PM) being sent to a user.This byte has an ASCII
equivalent of "1"
- This is followed by 2 bytes of data which is the standard argument
separator.- C0 80
- This is followed by the yahoo user id and the standard argument
separator.
- Followed by one byte which is standard for while sending a
message which has an ASCII equivalent of "5" and the standard argument
separator.
- This is followed by the id of the user to whom the message is being
sent and the standard argument separator.
- Followed by again one byte which is standard for while sending a
message which has an ASCII equivalent of "14" and the standard argument
separator.
- And finally followed by the message being sent followed by the
standard argument separator.
The VB code to achieve this looks some what like this
'Begin VB code
ren = "1" & Chr(&HC0) & Chr(&H80) & Text2.Text & Chr(&HC0) & Chr(&H80) & "5" & Chr(&HC0) & Chr(&H80) & Text1.Text & Chr(&HC0) & Chr(&H80) & "14" & Chr(&HC0) & Chr(&H80) & rtb2.Text & Chr(&HC0) & Chr(&H80)
mess ="YMSG" & Chr(8) & Chr(0) & Chr(0) & Chr(0) & Chr(0) & Chr(len(ren)) & Chr(0) & Chr(6) & Chr(&H5A) & Chr(&H55) & Chr(&HAA) & Chr(&H55) & Text3.Text & ren
Wnsckyhoo.Senddata mess
'End VB code
RECEIVING A
MESSAGE
YMSG ? ��
jLS˜5À€sundamamaÀ€4À€venky_dudeÀ€14À€hi
there
0010: 00 67 B6 8D 40 00 2E 06 3E D0 CC 47 CA 3B C0 A8 .g..@...>..G.;..
0020: 00 08 13 BA 08 DD C5 7E 1E 48 2E F3 76 6F 50 18 .........H..voP.
0030: FF FF E6 F8 00 00 59 4D 53 47 00 00 00 00 00 2B ......YMSG.....+
0040: 00 06 00 00 00 01 6A 4C 53 23 35 C0 80 76 65 6E ......jLS˜5..ven
0050: 6B 79 5F 64 75 64 65 C0 80 34 C0 80 73 75 6E 64 ky_dude..4..sund
0060: 61 6D 61 6D 61 C0 80 31 34 C0 80 68 69 20 74 68 amama..14..hi th
0070: 65 72 65 C0 80 ere..
Let us look at what has been received
- YMSG- is the yahoo standard header for all messenger
command/messages
- This is followed by 5 bytes of data - 00 00
00 00 00
- The next byte is the length of the message information ,in this
case-HEX(16 + length(senderid)+length(receiverid) + len(message) )
- The next 2 bytes of data are 00 and 06 respectively
- Next is a 4 byte of data signify that the message/command is to be
received .The 4 bytes are 00 00 00 01
- The next 4 bytes are the user identifier for the current
session.
- This is followed by one byte of data signifying that the data is a
Private Message(PM) which is to be received .This byte has
an ASCII equivalent of "5"
- This is followed by 2 bytes of data which is the standard argument
separator.- C0 80
- This is followed by the yahoo user id of the user who has sent
the message and the standard argument separator.
- Followed by one byte which is standard when receiving a PM
message which has an ASCII equivalent of "4" and the standard argument
separator.
- This is followed by the user id receiving the message and
the standard argument separator.
- Followed by again one byte which is standard when receiving a
message which has an ASCII equivalent of "14" and the standard argument
separator.
- And finally followed by the message being sent followed by the
standard argument separator.
USER COMES ONLINE
YMSG A�
jLS˜0À€venky_dudeÀ€7À€venkyxxxxÀ€10À€0À€11À€7D5798FDÀ€17À€0À€13À€1À€
0010: 00 7D 62 7A 40 00 2E 06 93 A4 CC 47 C9 64 C0 A8 .}bz@......G.d..
0020: 00 08 13 BA 0C D7 2F 18 A2 BF A4 2F 4B 06 50 18 ....../..../K.P.
0030: FF FF 8E 06 00 00 59 4D 53 47 00 00 00 00 00 41 ......YMSG.....A
0040: 00 01 00 00 00 01 6A 4C 53 98 30 C0 80 73 75 6E ......jLS˜0..sun
0050: 64 61 6D 61 6D 61 C0 80 37 C0 80 76 65 6E 6B 79 damama..7..venky
0060: 5F 64 75 64 65 C0 80 31 30 C0 80 30 C0 80 31 31 _dude..10..0..11
0070: C0 80 36 33 35 38 35 34 39 39 C0 80 31 37 C0 80 ..63585499..17..
0080: 30 C0 80 31 33 C0 80 31 C0 80 00 0..13..1...
The important part of this data received are the 3 bytes of data
37 C0 80 .These 3 bytes signify that the user status has changed .Basically i
split this up into 2 states
- User is online (the status maybe set to busy or be right back etc)
-
User is offline
The 3 bytes at the end of the message convey that data if the 3 bytes
are 31 C0 80 , then the user is online.
USER GOES
OFFLINE
YMSG 1�
jLS˜7À€venkyxxxxxÀ€10À€0À€11À€7D5798FDÀ€17À€0À€13À€0À€
0010: 00 6E 2D 52 40 00 2E 06 C8 DB CC 47 C9 64 C0 A8 .n-R@......G.d..
0020: 00 08 13 BA 0C D7 2F 18 A2 79 A4 2F 4B 06 50 18 ....../..y./K.P.
0030: FF FF B4 B1 00 00 59 4D 53 47 00 00 00 00 00 32 ......YMSG.....2
0040: 00 02 00 00 00 01 6A 4C 53 98 37 C0 80 76 65 6E ......jLS˜7..ven
0050: 6B 79 5F 64 75 64 65 C0 80 31 30 C0 80 30 C0 80 ky_dude..10..0..
0060: 31 31 C0 80 36 33 35 38 35 34 39 39 C0 80 31 37 11..63585499..17
0070: C0 80 30 C0 80 31 33 C0 80 30 C0 80 ..0..13..0..
Again in this case the last 3 bytes being 30 C0 80 signify that the user has gone offline.
Download a yahoo messenger clone from here yahclone.zip
Questions/Comments/Suggestions send
them to venky@venkydude.com .Visit my
homepage for some cool VB & C++
codes.Can also conatact me on Yahoo Messenger-id venky_dude & MSN Messenger
id- venky_dude@hotmail.com