--- /dev/null
+/* packet-icq.c
+ * Routines for ICQ packet disassembly
+ *
+ * $Id: packet-icq.c,v 1.1 1999/10/24 00:55:49 guy Exp $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Johan Feyaerts
+ * Copyright 1999 Johan Feyaerts
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/*
+ * This file: by Kojak <kojak@bigwig.net>
+ *
+ * Decoding code ripped, reference to the original author at the
+ * appropriate place with the code itself.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_STDDEF_H
+#include <stddef.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <ctype.h>
+#include <glib.h>
+#include "packet.h"
+#include "resolv.h"
+
+int proto_icq = -1;
+int hf_icq_uin =-1;
+int hf_icq_cmd =-1;
+int hf_icq_sessionid =-1;
+int hf_icq_checkcode =-1;
+int hf_icq_decode = -1;
+
+/* Offsets of fields in the ICQ headers */
+/* Can be 0x0002 or 0x0005 */
+#define ICQ_VERSION 0x00
+/* Is either one (server) or four (client) bytes long */
+/* Client header offsets */
+#define ICQ5_UNKNOWN 0x02
+#define ICQ5_CL_UIN 0x06
+#define ICQ5_CL_SESSIONID 0x0a
+#define ICQ5_CL_CMD 0x0e
+#define ICQ5_CL_SEQNUM1 0x10
+#define ICQ5_CL_SEQNUM2 0x12
+#define ICQ5_CL_CHECKCODE 0x14
+#define ICQ5_CL_PARAM 0x18
+#define ICQ5_CL_HDRSIZE 0x18
+
+/* Server header offsets */
+#define ICQ5_SRV_SESSIONID 0x03
+#define ICQ5_SRV_CMD 0x07
+#define ICQ5_SRV_SEQNUM1 0x09
+#define ICQ5_SRV_SEQNUM2 0x0b
+#define ICQ5_SRV_UIN 0x0d
+#define ICQ5_SRV_CHECKCODE 0x11
+#define ICQ5_SRV_PARAM 0x15
+#define ICQ5_SRV_HDRSIZE 0x15
+
+typedef struct _cmdcode {
+ char* descr;
+ int code;
+} cmdcode;
+
+cmdcode serverCmdCode[] = {
+ { "SRV_ACK", 10 },
+ { "SRV_GO_AWAY", 40 },
+ { "SRV_NEW_UIN", 70 },
+ { "SRV_LOGIN_REPLY", 90 },
+ { "SRV_BAD_PASS", 100 },
+ { "SRV_USER_ONLINE", 110 },
+ { "SRV_USER_OFFLINE", 120 },
+ { "SRV_QUERY", 130 },
+ { "SRV_USER_FOUND", 140 },
+ { "SRV_END_OF_SEARCH", 160 },
+ { "SRV_NEW_USER", 180 },
+ { "SRV_UPDATE_EXT", 200 },
+ { "SRV_RECV_MESSAGE", 220 },
+ { "SRV_X2", 230 },
+ { "SRV_NOT_CONNECTED", 240 },
+ { "SRV_TRY_AGAIN", 250 },
+ { "SRV_SYS_DELIVERED_MESS", 260 },
+ { "SRV_INFO_REPLY", 280 },
+ { "SRV_EXT_INFO_REPLY", 290 },
+ { "SRV_STATUS_UPDATE", 420 },
+ { "SRV_SYSTEM_MESSAGE", 450 },
+ { "SRV_UPDATE_SUCCESS", 480 },
+ { "SRV_UPDATE_FAIL", 490 },
+ { "SRV_AUTH_UPDATE", 500 },
+ { "SRV_MULTI_PACKET", 530 },
+ { "SRV_X1", 540 },
+ { "SRV_RAND_USER", 590 },
+ { "SRV_META_USER", 990 },
+ { NULL, 0 }
+};
+
+cmdcode clientCmdCode[] = {
+ { "CMD_ACK", 10 },
+ { "CMD_SEND_MESSAGE", 270 },
+ { "CMD_LOGIN", 1000 },
+ { "CMD_REG_NEW_USER", 1020 },
+ { "CMD_CONTACT_LIST", 1030 },
+ { "CMD_SEARCH_UIN", 1050 },
+ { "CMD_SEARCH_USER", 1060 },
+ { "CMD_KEEP_ALIVE", 1070 },
+ { "CMD_SEND_TEXT_CODE", 1080 },
+ { "CMD_ACK_MESSAGES", 1090 },
+ { "CMD_LOGIN_1", 1100 },
+ { "CMD_MSG_TO_NEW_USER", 1110 },
+ { "CMD_INFO_REQ", 1120 },
+ { "CMD_EXT_INFO_REQ", 1130 },
+ { "CMD_CHANGE_PW", 1180 },
+ { "CMD_NEW_USER_INFO", 1190 },
+ { "CMD_UPDATE_EXT_INFO", 1200 },
+ { "CMD_QUERY_SERVERS", 1210 },
+ { "CMD_QUERY_ADDONS", 1220 },
+ { "CMD_STATUS_CHANGE", 1240 },
+ { "CMD_NEW_USER_1", 1260 },
+ { "CMD_UPDATE_INFO", 1290 },
+ { "CMD_AUTH_UPDATE", 1300 },
+ { "CMD_KEEP_ALIVE2", 1310 },
+ { "CMD_LOGIN_2", 1320 },
+ { "CMD_ADD_TO_LIST", 1340 },
+ { "CMD_RAND_SET", 1380 },
+ { "CMD_RAND_SEARCH", 1390 },
+ { "CMD_META_USER", 1610 },
+ { "CMD_INVIS_LIST", 1700 },
+ { "CMD_VIS_LIST", 1710 },
+ { "CMD_UPDATE_LIST", 1720 },
+ { NULL, 0 }
+};
+
+typedef struct {
+ u_int32_t random;
+} cl_cmd_ack;
+
+typedef struct _cl_cmd_send_msg {
+#define MSG_TEXT 0x0100
+#define MSG_URL 0x0400
+#define MSG_AUTH_REQ 0x0600
+#define MSG_AUTH 0x0800
+#define MSG_USER_ADDED 0x0c00
+#define MSG_CONTACTS 0x1300
+ u_int32_t receiverUIN;
+ u_int16_t msgType;
+ u_int16_t msgLen;
+ /*
+ * Followed by char[msgLen]
+ */
+} cl_cmd_send_msg;
+
+/*
+ * All ICQv5 decryption code thanx to Sebastien Dault (daus01@gel.usherb.ca)
+ */
+const u_char
+table_v5 [] = {
+ 0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x60, 0x57, 0x5B, 0x3D,
+ 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F, 0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39,
+ 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x31, 0x64, 0x35, 0x5A, 0x4A, 0x42,
+ 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48,
+ 0x33, 0x31, 0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48, 0x33, 0x51, 0x54,
+ 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A, 0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36,
+ 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x35, 0x5A,
+ 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35,
+ 0x5A, 0x4A, 0x62, 0x66, 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58, 0x3B,
+ 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64,
+ 0x55, 0x6A, 0x32, 0x3E, 0x44, 0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C,
+ 0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x3E,
+ 0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A, 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58,
+ 0x3B, 0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67, 0x53, 0x41, 0x25, 0x41,
+ 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D, 0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F,
+ 0x47, 0x43, 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35, 0x5A, 0x00, 0x00 };
+
+static char*
+findcmd(cmdcode* c, int num)
+{
+ static char buf[16];
+ cmdcode* p = c;
+ while (p->code != 0) {
+ if (p->code == num) {
+ return p->descr;
+ }
+ p++;
+ }
+ snprintf(buf, sizeof(buf), "(%x)", num);
+ return buf;
+}
+
+void
+proto_tree_add_hexdump(proto_tree* t,
+ u_int32_t offset,
+ const u_char *data,
+ int size)
+{
+ int i;
+ char buf[96];
+ int n;
+ int done = 0, line = 0;
+ int added = 0;
+
+ if (size==0)
+ return;
+
+ line = size / 16;
+
+ for (i=0;i<line;i++) {
+ added = 0;
+ done = 0;
+ for (n = i * 16; n < (i+1)*16; n++) {
+ added = sprintf(buf+done, "%02x", data[n]);
+ if ((n%8)==7)
+ added += sprintf(buf + done + added, " ");
+ else
+ added += sprintf(buf + done + added, " ");
+ done += added;
+ }
+ for (n = i * 16; n < (i+1)*16; n++) {
+ if (isprint(data[n]))
+ added = sprintf(buf + done, "%c", data[n]);
+ else
+ added = sprintf(buf + done, ".");
+ done += added;
+ }
+ proto_tree_add_text(t,
+ offset + i*16,
+ 16,
+ buf);
+ }
+ if ((size%16)!=0) {
+ done = 0;
+ for (n = line * 16 ; n < size ; n++) {
+ added = sprintf(buf+done, "%02x", data[n]);
+ if ((n%8)==7)
+ added += sprintf(buf + done + added, " ");
+ else
+ added += sprintf(buf + done + added, " ");
+ done += added;
+ }
+ for (n = size ; (n%16)!=0;n++) {
+ added = 0;
+ if ((n%8)==7)
+ added += sprintf(buf + done + added, " ");
+ else
+ added += sprintf(buf + done + added, " ");
+ done += added;
+ }
+ for (n = line * 16; n < (line+1)*16; n++) {
+ added = 0;
+ if (n<size) {
+ if (isprint(data[n]))
+ added = sprintf(buf + done, "%c", data[n]);
+ else
+ added = sprintf(buf + done, ".");
+ } else {
+ added = sprintf(buf + done, " ");
+ }
+ done += added;
+ }
+ proto_tree_add_text(t,
+ offset + line*16,
+ size % 16,
+ buf);
+ }
+}
+
+static u_int32_t
+get_v5key(const u_char* pd, int len)
+{
+ u_int32_t a1, a2, a3, a4, a5;
+ u_int32_t code, check, key;
+
+ code = pletohl(&pd[ICQ5_CL_CHECKCODE]);
+
+ a1 = code & 0x0001f000;
+ a2 = code & 0x07c007c0;
+ a3 = code & 0x003e0001;
+ a4 = code & 0xf8000000;
+ a5 = code & 0x0000083e;
+
+ a1 = a1 >> 0x0c;
+ a2 = a2 >> 0x01;
+ a3 = a3 << 0x0a;
+ a4 = a4 >> 0x10;
+ a5 = a5 << 0x0f;
+
+ check = a5 + a1 + a2 + a3 + a4;
+ key = len * 0x68656C6C;
+ key += check;
+ return key;
+}
+
+static void
+decrypt_v5(u_char *bfr, u_int32_t size,u_int32_t key)
+{
+ u_int32_t i;
+ u_int32_t k;
+ for (i=0x0a; i < size+3; i+=4 ) {
+ k = key+table_v5[i&0xff];
+ if ( i != 0x16 ) {
+ bfr[i] ^= (u_char)(k & 0xff);
+ bfr[i+1] ^= (u_char)((k & 0xff00)>>8);
+ }
+ if ( i != 0x12 ) {
+ bfr[i+2] ^= (u_char)((k & 0xff0000)>>16);
+ bfr[i+3] ^= (u_char)((k & 0xff000000)>>24);
+ }
+ }
+}
+
+static void
+dissect_icqv2(const u_char *pd,
+ int offset,
+ frame_data *fd,
+ proto_tree *tree)
+{
+ /* Not really implemented yet */
+ if (check_col(fd, COL_PROTOCOL)) {
+ col_add_str(fd, COL_PROTOCOL, "ICQv2 (UDP)");
+ }
+ if (check_col(fd, COL_INFO)) {
+ col_add_str(fd, COL_INFO, "ICQ Version 2 protocol");
+ }
+}
+
+/*
+ * Dissect all the v5 client traffic. This is encrypted, so be careful.
+ */
+static void
+dissect_icqv5Client(const u_char *pd,
+ int offset,
+ frame_data *fd,
+ proto_tree *tree)
+{
+ proto_tree *icq_tree = NULL;
+ proto_tree *icq_decode_tree = NULL;
+ proto_item *ti = NULL;
+
+ u_int16_t version = -1, cmd = -1;
+ u_int16_t seqnum1 = 0 , seqnum2 = 0;
+ u_int32_t uin = -1, sessionid = -1;
+ u_int32_t key = -1;
+ u_int16_t pktsize = -1; /* The size of the ICQ content */
+ u_char decr_pd[1600]; /* Decrypted content, size should be dynamic */
+
+ pktsize = fd->pkt_len - offset;
+ /* First copy the memory, we don't want to overwrite the old content */
+ memcpy(decr_pd, &pd[offset], pktsize);
+ if (fd->pkt_len > fd->cap_len) {
+ pktsize -= (fd->pkt_len - fd->cap_len);
+ }
+ if (pktsize>0x14) {
+ key = get_v5key(decr_pd, pktsize);
+ decrypt_v5(decr_pd, pktsize, key);
+
+ /* This information only makes sense in the decrypted version */
+ uin = pletohl(&decr_pd[ICQ5_CL_UIN]);
+ cmd = pletohs(&decr_pd[ICQ5_CL_CMD]);
+ sessionid = pletohl(&decr_pd[ICQ5_CL_SESSIONID]);
+ version = pletohs(&decr_pd[ICQ_VERSION]);
+ seqnum1 = pletohs(&decr_pd[ICQ5_CL_SEQNUM1]);
+ seqnum2 = pletohs(&decr_pd[ICQ5_CL_SEQNUM2]);
+ }
+
+ if (tree) {
+ ti = proto_tree_add_item_format(tree,
+ proto_icq,
+ offset,
+ pktsize, NULL,
+ "ICQv5 Client: len %d", pktsize);
+ icq_tree = proto_item_add_subtree(ti, ETT_CL_ICQ);
+ proto_tree_add_item_format(icq_tree,
+ hf_icq_cmd,
+ offset+ICQ5_CL_CMD,
+ 2,
+ cmd,
+ "Command: %d (%s)", cmd, findcmd(clientCmdCode, cmd));
+ proto_tree_add_item_format(icq_tree,
+ hf_icq_sessionid,
+ offset+ICQ5_CL_SESSIONID,
+ 4,
+ sessionid,
+ "Session ID: 0x%08x",
+ sessionid);
+ proto_tree_add_item_format(icq_tree,
+ hf_icq_checkcode,
+ offset+ICQ5_CL_CHECKCODE,
+ 4,
+ key,
+ "Key: 0x%08x",
+ key);
+ proto_tree_add_item_format(icq_tree,
+ hf_icq_uin,
+ offset+ICQ5_CL_UIN,
+ 4,
+ uin,
+ "UIN: %ld (0x%08X)",
+ uin, uin);
+ proto_tree_add_text(icq_tree,
+ offset + ICQ5_CL_SEQNUM1,
+ 2,
+ "Seqnum1: 0x%04x", seqnum1);
+ proto_tree_add_text(icq_tree,
+ offset + ICQ5_CL_SEQNUM1,
+ 2,
+ "Seqnum2: 0x%04x", seqnum2);
+ ti = proto_tree_add_text(icq_tree,
+ offset,
+ pktsize,
+ "Decoded packet");
+ icq_decode_tree = proto_item_add_subtree(ti,
+ ETT_CL_ICQ_DECODE);
+ proto_tree_add_hexdump(icq_decode_tree, offset, decr_pd, pktsize);
+ }
+}
+
+static void
+dissect_icqv5Server(const u_char *pd,
+ int offset,
+ frame_data *fd,
+ proto_tree *tree)
+{
+ /* Server traffic is easy, not encrypted */
+ proto_tree *icq_tree = NULL;
+ proto_tree *icq_decode_tree = NULL;
+ proto_item *ti = NULL;
+
+ u_int16_t version, cmd;
+ u_int32_t uin, sessionid;
+ u_int32_t pktsize;
+
+ uin = pletohl(&pd[offset + ICQ5_SRV_UIN]);
+ cmd = pletohs(&pd[offset + ICQ5_SRV_CMD]);
+ sessionid = pletohl(&pd[offset + ICQ5_SRV_SESSIONID]);
+ version = pletohs(&pd[offset + ICQ_VERSION]);
+ pktsize = fd->pkt_len - offset;
+
+ if (tree) {
+ ti = proto_tree_add_item_format(tree,
+ proto_icq,
+ offset,
+ pktsize,
+ NULL,
+ "ICQv5 Server: len %d", pktsize);
+
+ icq_tree = proto_item_add_subtree(ti, ETT_SRV_ICQ);
+ proto_tree_add_item_format(icq_tree,
+ hf_icq_cmd,
+ offset + ICQ5_SRV_CMD,
+ 2,
+ cmd,
+ "Command: %d (%s)",
+ cmd, findcmd(serverCmdCode, cmd));
+ proto_tree_add_item_format(icq_tree,
+ hf_icq_uin,
+ offset+ICQ5_SRV_UIN,
+ 4,
+ uin,
+ "UIN: %ld",
+ uin);
+ proto_tree_add_item_format(icq_tree,
+ hf_icq_sessionid,
+ offset+ICQ5_SRV_SESSIONID,
+ 4,
+ sessionid,
+ "Session ID: 0x%08x",
+ sessionid);
+ ti = proto_tree_add_text(icq_tree,
+ offset,
+ pktsize,
+ "Decoded packet");
+ icq_decode_tree = proto_item_add_subtree(ti,
+ ETT_CL_ICQ_DECODE);
+ proto_tree_add_hexdump(icq_decode_tree, offset, pd+offset, pktsize);
+ }
+}
+
+void dissect_icqv5(const u_char *pd,
+ int offset,
+ frame_data *fd,
+ proto_tree *tree)
+{
+ u_int32_t unknown = pletohl(&pd[offset + ICQ5_UNKNOWN]);
+
+ if (check_col(fd, COL_PROTOCOL))
+ col_add_str(fd, COL_PROTOCOL, "ICQv5 (UDP)");
+ if (check_col(fd, COL_INFO))
+ col_add_str(fd, COL_INFO, "ICQv5 packet");
+ if (unknown == 0x0L) {
+ dissect_icqv5Client(pd, offset, fd, tree);
+ } else {
+ dissect_icqv5Server(pd, offset, fd, tree);
+ }
+}
+
+void dissect_icq(const u_char *pd,
+ int offset,
+ frame_data *fd,
+ proto_tree *tree)
+{
+ int version = 0;
+
+ version = pletohs(&pd[offset + ICQ_VERSION]);
+ switch (version) {
+ case 0x0005:
+ dissect_icqv5(pd, offset, fd, tree);
+ break;
+ case 0x0002:
+ dissect_icqv2(pd, offset, fd, tree);
+ break;
+ default:
+ fprintf(stderr, "ICQ: Unknown version\n");
+ break;
+ }
+}
+
+/* registration with the filtering engine */
+void
+proto_register_icq(void)
+{
+ static hf_register_info hf[] = {
+ { &hf_icq_uin,
+ {"UIN", "icq.uin", FT_UINT32, BASE_DEC, NULL, 0x0, ""}},
+ { &hf_icq_sessionid,
+ {"SessionID", "icq.sessionid", FT_UINT32, BASE_HEX, NULL, 0x0, ""}},
+ { &hf_icq_cmd,
+ {"Command", "icq.cmd", FT_UINT16, BASE_DEC, NULL, 0x0, ""}},
+ { &hf_icq_checkcode,
+ {"Checkcode", "icq.checkcode", FT_UINT32, BASE_HEX, NULL, 0x0, ""}},
+ { &hf_icq_decode,
+ {"Decode", "icq.decode", FT_STRING, BASE_NONE, NULL, 0x0, ""}}
+ };
+
+ proto_icq = proto_register_protocol ("ICQ Protocol", "icq");
+
+ proto_register_field_array(proto_icq, hf, array_length(hf));
+}
git.samba.org / metze / wireshark / wip.git / commitdiff