1w=/2!89 The AOL Protocol When you hear the phrase "The AOL Protocol", I bet most of you immediately think of FDO, right? Although FDO is a part of the AOL protocol, it in no way encompasses the big picture. When I use the term "The AOL protocol", I refer to how the AOL client and server interact with each other, how data is prepared, how it is sent, and how it can be manipulated. There currently exists no formal documentation of the AOL protocol, or at least one that is publicly available. For this reason, I have taken it upon myself to strip the bits of information from my feeble mind and write a document with at least basic information about the AOL protocol. The information included in this document is what I have learned, from exploration, help from others, and just stumbling upon it. I in no way guarantee the accuracy of the information contained herein. That said, here is what I know. Table of Contents 1) Establishing a connection A. Servers B. The handshake C. Sending the screenname and password D. Completing the login 2) The packet A. The first byte B. The second and third bytes(CRC) C. The fourth byte D. The fifth byte E. The sixth and seventh bytes F. The eighth byte G. The ninth and tenth bytes 3) Logging AOL's Data Packets 4) Forming Data Packets 5) Pings 6) About FDO Decompression 7) Putting it all together 8) Using Common Sense 1) Establishing a connection A. Servers - America Online Servers generally run on port 5190. The server that the clients connect to is randomly chosen via the DNS Round Robin 'AmericaOnline.aol.com'. There are literally hundreds of America Online servers linked together. It makes you wonder how they avoid the common IRC occurrence of "Net Splits". To connect to an AOL server, all one has to do is connect to 'AmericaOnline.aol.com' on port 5190. I'm sure all of you can do this, you can even test it in Telnet. AOL servers that people generally connect to are called "berps". An example AOL server is 'berp-cr01.dial.aol.com'. B. The handshake - Upon connecting to America Online, the client first sends an identification packet that includes the version of the AOL client being used. On success, the server will send back go ahead packet(SD) and the client will then send Screenname/Password. On failure, the AOL server will send an XS and the client will disconnect. AOL uses this in order to disable older clients from connecting and force people to upgrade. If the server gives no response, the packet wasn't formed correctly. Client: 5A413800347F7FA3036B0100F5000000050F00002152CBCA070A1000080400000000035F0000010004000300080000000000000000000000020D Client: ZA84k!R_ Server: 5AB71100037F7F240D5A88E9000B107F20534454D1F68B00000D Server: Z-$Z SDT C. Sending the screenname and password - After the server accepts the initial handshake, the screennname and password are sent. If the screenname and password match, the server then sends the Master Tool disabling information, and also sends the Welcome Window FDO. If the screenname and password do not match, the server will ask for the password once more, if it fails twice, the server sends the XS and the client is disconnected. Client: 5A243F00431010A044640015000100010A0400000001010B040000000103010A686F6C797461626C6520011D00011D00010A0400000002030108736174616E363636011D000002000D Client: Z$?CDdholytable satan666 D. After receiving the Welcome Window FDO, the client sends the 'ya' token. This causes AOL to tell you if you have mail, assign you an IP address, and, if you have configured it, show your buddy list. Once you are assigned an IP address you are completely logged in and can now send other commands to the AOL service. Client: 5A4EBA00031018A40D5AC6910008111CA079610701010D5A5C340022121CA0746C00170001000A0F04007BB5E80A10041DA6DDF20A4504000000070002000D5A6F4A000D131CA053430150001000002000D Client: ZNZƑ-yaZ\4" tl{EZoJSC Server: 5A419B00351D132079610304AC992E10020102010100040498A3CE86070101050203C00A153135332D34362D31362E6970742E616F6C2E636F6D0D5A7E91001E1E132076A007BB5E81DA6DDF20000000000696D66617274702E627574000D Server: ZA5 ya.Ά153-46-16.ipt.aol.comZ~-- tj{imfartp.but 2) The packet - Ah, the illusive AOL packet. The structure of these packets have remained a mystery throughout America Online's life. I will now make an attempt at breaking down these packets. Here's a basic idea of what a packet may look like: Z (CRC) (CRC) [NULL] (LENGTH BYTE) (HB 6TH) (HB 7TH) [SPACE] (TOKEN) (TOKEN) Thats the first ten bytes in any AOL packet. The only bytes that don't change constantly are the first, Z(5A in Hex), and the fourth, A null(00 in hex). Anything after the first ten bytes is compressed FDO or data strings. Here is a breakdown of the ten bytes in greater detail. A. The first byte for all AOL versions is Z or 5A in Hex. This is probably the least troublesome byte because it never changes and you can't forget to add it as easily as you can the fourth. B. The second and third bytes are 'Hi' and 'Lo' bytes produced from the CRC16 Algorithm. CRC stands for "Cyclic Redundancy Check". The CRC is often used in compression to make sure no data was corrupted. If the CRC header does not match the data in a zip file, the file is assumed corrupted. The same goes for AOL packets. If the CRC does not match the packet, the AOL server ignores it. The CRC is taken from the packet with the first 5 bytes(the header) removed. The number produced by the algorithm is then used to produce a 'Hi' and a 'Lo' byte that is placed in the 2nd and 3rd spots in the header. The CRC only applies to versions of AOL clients 3.0 and below. The newer AOL clients simply send '**' as the 2nd and 3rd byte. you can get along with using newer AOL packets without a CRC, but you'll end up sending more data. If you can use the CRC it will actually be easier to just use it with the older, smaller packets. Here is the CRC function and 'Hi' and 'Lo' byte subs for C++ and Visual Basic programmers. These are public functions, I did not write them: C++: Function AOLCrc (strng$, lenstr) unsigned short CRC16(byte * buffer, int length) { unsigned short crc = 0; unsigned short ch; int i, j; for (i = 0; i < length; i ++) { ch = (unsigned short) buffer; for (j = 0; j < 8; j ++) { if ((crc ^ ch) & 1) crc = (crc >> 1) ^ 0xa001; Else crc >>= 1; ch >>= 1; } } return (crc); } Visual Basic: Function AOLCRC(strng$, lenstr) Dim crc As Long Dim ch As Long Dim i As Long Dim j As Long For i = 0 To lenstr - 1 ch = Asc(Mid(strng$, i + 1, 1)) For j = 0 To 7 If ((crc Xor ch) And 1) Then crc = (Int((crc / 2)) Xor 40961) Else crc = Int(crc / 2) End If ch = Int(ch / 2) Next j Next i AOLCRC = crc End Function Function gethibyte(mybyte As Variant) As Variant gethibyte = Int(mybyte / 256) End Function Function getlobyte(mybyte As Variant) As Variant getlobyte = Int((mybyte - (gethibyte(mybyte) * 256))) End Function The use of these functions will be explained more later on. C. The 4th byte for all AOL versions is a null(00 in Hex). This byte never changes, but it is required, just try to remember to include it. D. The 5th byte is the length byte, The length byte is roughly the length of the packet with the first 5 bytes(The Header) removed. I say roughly because another thing can effect the length byte besides actual physical length. The byte directly before any string in the packet(screennames, chat, form data, etc..) is also a length byte. This byte represents the length of the string immediately following it, and is not counted in the 5th byte representation of the length. I have written a Visual Basic sub that will calculate the 5th byte in any given packet: Function give5th(pack As String, inputz as integer) 'You need the EnHex function for this, you will find it later on in this document. Dim give5th1 As Integer inputz = inputz + 4 give5th1 = Len(DeHex(pack)) - inputz give5th = EnHex(Chr(give5th1)) End Function This function was written by me. Its use is simple. Just include the hexed entire packet(even header) and the # of inputs your form has to calculate the 5th byte to be places in your packet. Example: give5th("5AD69400411010A044640015000100010A0400000001010B04000000010301" & screenname$ & "20011D00011D00010A04000000020301" & password$ & "011D000002000D", 2) E. The 6th and 7th bytes - These 2 bytes are almost as mind boggling as the 2nd and 3rd. If you watch AOL packets go by, you'll see what I mean. The 6th and 7th seem to change wildly, with no way to tell what the next will be. These packets are different for every new packet sent, but actually go in a loop. If you look at the login packets I use, you'll see the 6th byte(in hex) is 10(Int 16), and the seventh is 18(Int 24). Before every packet sent, I simply increase each by 1. Although the actual client seems to do something a little different, adding 1 works. You can't add 1 forever, of course. You'll notice after a while the AOL server will stop responding. The solution to this is resetting the 6th and 7th bytes to their original values, 10(Int 10) and 18(Int 24). I'm sure most of you don't want to explore this yourself, so the 6th and 7th reset at Int 127 and Int 135. I'm a little confused on what to call these bytes. I call them "counter bytes", but I've often heard them referred to as 'heartbeats'. It seems to me the 9 char "ping-like" packets should be called heartbeats(Who knows? maybe they are). Regardless of terminology, this works. F. The 8th byte is simply a space. G. Finally, the 9th and 10th bytes(in ASCII) represent the token. for those of you who know FDO, you know that token kind of tells the server what to expect. If you aren't sure what you're looking at, just look for these tokens and cross check them with the AOL-Files token list to see what kind of packet it is. 3) Logging AOL's Data Packets Logging the packets AOL uses is a very important skill when dealing with the AOL protocol. Without it, you will get nowhere. When you form a packet to send to the AOL server, you don't build it from the ground up(At least I don't). To build it from scratch would require you to write it in FDO, compress the FDO, and add the header. Although it is possible to do it that way, it is much easier to use logged packets and just change them where needed. Getting AOL packets is actually pretty simple. First, you create a program that listens on port 5190 for incoming connections. You then choose a version of AOL to spy on. This document revolves around 2.5 packets, so I suggest using AOL 2.5(available at http://clients.aol-files.com). You have to set up the AOL client to connect to your computer locally, rather than to 'AmericaOnline.aol.com'. To do this open the 'tcp.ccl' file in the 'ccl' directory and change the 'AmericaOnline.aol.com' to 'localhost'. Save and close the file. you then connect your AOL client. If you did it correctly, you should see an incoming connection in your program. Now, your program make it so that when a client connects your program connects to 'AmericaOnline.aol.com' on port 5190. Set up your program so that when Data is received, depending on the ID of the socket, it will direct the data to the client or server socket. If data is sent from the client, send it to the server, if it is sent from the server, sent it to the client. The idea behind this is to become a type of "data link" between the server and client. We can now begin to intercept data. Intercepting the data is nothing more than creating a textbox and displaying incoming data from the client or server. Its a good idea to mark it 'client' or 'server' to get a better idea of what you're looking at. The only trick to doing this is editing out the null characters. When a null character is put in any textbox or other viewing object, it represents to Windows the end of a line, so any text after it is unreadable. By editing out the null characters in a string, you allow yourself to see the entire packet. Here is a Visual Basic function I wrote to edit out null characters: Function stripnulls(thedata as String) Dim torem as Integer torem = 1 Do Until crap = 0 torem = InStr(1, thedata, Chr$(0)) If torem > 0 Then Mid(thedata, torem, 1) = "" Loop End Function When displaying a packet in ASCII, its is pretty much ruined for sending back to the server, even if you try putting the nulls back in. So most editing for packets is done in Hex. Here are some Visual Basic functions to Hex and DeHex strings and integers: Public Function EnHex(Data As String) As String Dim iCount As Double Dim sTemp As String For iCount = 1 To Len(Data) sTemp = Hex$(Asc(Mid$(Data, iCount, 1))) If Len(sTemp) < 2 Then sTemp = "0" & sTemp EnHex = EnHex & sTemp Next iCount End Function Public Function DeHex(Data As String) As String Dim iCount As Double For iCount = 1 To Len(Data) Step 2 DeHex = DeHex & Chr$(Val("&H" & Mid$(Data, iCount, 2))) Next iCount End Function Public Function Int2Hex(Data As String) As String Dim sTemp As String sTemp = Hex(Data) If Len(sTemp) < 2 Then sTemp = "0" & sTemp Int2Hex = Int2Hex & sTemp End Function Public Function Hex2Int(Data As String) As String Dim iCount As Double For iCount = 1 To Len(Data) Step 2 Hex2Int = Hex2Int & CInt(Val("&H" & Mid$(Data, iCount, 2))) Next iCount End Function When you grab a 'logged' packet, grab the Hex. The use of these packets in packet forming will be explained better later on. If you don't want to do the work described above, use AOL Data Edit. 4) Forming Data Packets Now I will attempt to explain how to form a packet and send it in Visual Basic using the functions provided above. The first step is to grab a logged packet. Here is a logged IM packet:: 5A21EF00401422A06953002500010001070400000003010A040000000103010A676F64736D6973663174011D00010A04000000020301026869011D00011D00011D000002000D Z!@"iS%godsmisf1thi I IMed the screenname 'godsmisf1t' with the message 'hi'. Now that you have a logged packet, you have to decide what strings you need to change. You know that the string 'godsmisf1t' and the string 'hi' should be changed to send an IM with a different message to a different person. The Hex for 'godsmisf1t' is '676F64736D6973666974'. So you look for that in the Hexed packet, you also look for the Hex for 'hi' which is '6869'. 5A21EF00401422A06953002500010001070400000003010A040000000103010A676F64736D6973663174011D00010A04000000020301026869011D00011D00011D000002000D Now that we've identified the data to be changed, just edit them out. Set variables for Screenname and IM and place them in the spots you deleted. Also remember that the byte directly before a string is a length byte, so you'll want to edit that out too. "5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D" The screenname and IM Hexed strings become the variables Screenname$ and IM$, and the bytes directly before those strings are removed as well(0A, and 02). When you set the screenname variable, you set it to the Hexed Length of the screenname, and the screenname in Hex. Here is an example: screenname$ = Int2Hex(Len("godsmisf1t")) & EnHex("godsmisf1t") IM$ = Int2Hex(Len("hello")) & EnHex("hello") Now you just hex the packet and send it back and it will work, right? Wrong. Many other things have to change now that you've changed data in the packet. First, we need to change the 5th byte(the length byte) so that it can properly send with varying message and screenname lengths. Here is how you grab the 5th byte using the give5th function I wrote: fifth$ = give5th("5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D", 2) The give5th function calculates the length byte from the packet and the number of inputs. An IM form has 2 inputs, so I put 2. The Hexed length byte is stored in the variable 'fifth$' for later use. Now we have to make sure we have the correct 6th and 7th byte. After I finished logging in, the 6th byte's Integer value was 16, and the 7th's Integer value was 24. When you finish logging in(more help later), set public variables to the 6th and 7th byte so you can increase them when you need to. Like I said above, just add 1 every time and remember to reset when the values equal 127 and 135. For now, lets say your 6th byte variable is named 'sixth' and you 7th is named 'seventh'. Here is how you would increment them: sixth = CInt(sixth) + 1 seventh = CInt(seventh) + 1 Remember, these variables are integers. This is how you add them and the fifth byte to your packet. Our current packet is "5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D" The current 5th byte is(hexed) '40', the sixth is '14', and the seventh is '22'. These were from the logged packet and need to be changed, so we just replace them with our variables: packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D") We just replaced the 5th and 6th and 7th byte with Hexed variables, and stored the new packet in the variable 'packet$'. Now that we have everything ready, we just have to change the CRC bytes. Here is how you use the functions above to do so: crc1 = AOLCRC(packet$, Len(packet$) - 1) thehi$ = Chr(gethibyte(crc1)) thelo$ = Chr(getlobyte(crc1)) packet$ = "5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D" Now the packet is completely ready to be sent. So you just DeHex it, and send it to the server. whatyousend$ = DeHex(packet$) Just send whatyousend$ to the server and if you did everything correctly, it should send the IM. To tie this all together, here is a Send IM function you can use: Function SendIM(screenname as String, IM as String) screenname1$ = Int2Hex(Len(screenname)) & EnHex(screenname) IM1$ = Int2Hex(Len(IM)) & EnHex(IM) If sixth = "127" Then sixth = "15" 'Backtrack 1 because we are going to add 1 soon seventh = "23" 'THIS IS THE CODE TO RESET THE BYTES End If sixth = CInt(sixth) + 1 seventh = CInt(seventh) + 1 fifth$ = give5th("5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D", 2) packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D") crc1 = AOLCRC(packet$, Len(packet$) - 1) thehi$ = Chr(gethibyte(crc1)) thelo$ = Chr(getlobyte(crc1)) packet$ = "5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D" whatyousend$ = DeHex(packet$) Form1.Winsock1.SendData whatyousend$ 'This assumes you're main form is named Form1 and you are using Microsoft's Winsock Control. End Function Now you should have a pretty good idea of how packets work. 5) Pings After successfully establishing a connection to AOL, you will notice AOL sends little packets to you that look like this: Server: 5A647D00032313260D Server: Zd}#& These packets serve much the same function as a 'ping'. It checks to see if the connection is still alive. If you do not respond to these pings, you will receive no data from the AOL server. Luckily, responding is simple. All you do is take the 6th and 7th character from the ping packet, flip them around, and send back a client ping packet. This is what a client ping reply would look like: Client: 5A0AE900031323A40D Client: Z # The server's ping packet's 6th character was 23 Hexed. The 7th was 13 Hexed. The client's ping reply packet's 6th was 13 Hexed, the 7th was 23 Hexed. So the client just basically flips them over and sends back a ping reply packet. Here is the code to reply to pings: In your Winsock Data Arrival event, put this: 'Assuming sData is the incoming server data: If Len(sData) = 9 Then ping6$ = Mid(sData, 6, 1) ping7$ = Mid(sData, 7, 1) packet$ = DeHex("0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D") crc1 = AOLCRC(packet$, Len(packet$) - 1) thehi$ = Chr(gethibyte(crc1)) thelo$ = Chr(getlobyte(crc1)) tosend$= DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D") Winsock1.SendData tosend$ End If The client is the one that usually sends these pings, the server is usually the one responding to them. Until a ping is responded to or sent, the AOL server will stop sending the client data. So if you were to create a full fledged AOL client, you would have to make a timer that would constantly send ping packets to the AOL server. Note - When sending ping replies or ping packets you don't need to increment the 6th or 7th or find a 5th byte. 6) About FDO Compression The packets that we've been dealing with don't look much like FDO, but they are. They are compressed FDO. Just by studying packets you can kind of see how the FDO is compressed in that small area, you can even write a sub. Although I do not use FDO Compression in my personal projects, here is a way you can do it: Locate the file 'ada32.dll'. This is the resource library AOL puts all their FDO Compression functions in. If you know how to Declare Functions from DLL files, here are the functions that are in the 'ada32.dll' file: AdaAssembleAtomStream AdaDisassembleAtomStream AdaDoAtomCallbacks AdaAssembleArgument AdaAssembleAtomStream AdaAssembleFragment AdaDisassembleArgument AdaDisassembleAtom AdaDisassembleAtomState AdaDisassembleAtomStream AdaDisassembleAtomStreamState AdaDoAtomCallbacks AdaEnumAllAtoms AdaFreeState AdaGetAtomByName AdaGetAtomName AdaGetErrorText AdaGetVersion AdaInitialize AdaIsValidProtocol AdaLookupAtomEnum AdaNormalizeAtomStream AdaTerminate Here are the functions that are in the ada.dll file: ?ADAASSEMBLEATOMSTREAM@@ZAJAFVZSTRING@@AEVZBUFFER@@I@Z ?ADADISASSEMBLEATOMSTREAM@@ZAHAFVZBUFFER@@AEVZSTRING@@I@Z ?ADADOATOMCALLBACKS@@ZAHP7AHKGGPFEG@ZKAFVZBUFFER@@I@Z ___EXPORTEDSTUB _ADAASSEMBLEARGUMENT _ADAASSEMBLEATOMSTREAM _ADAASSEMBLEFRAGMENT _ADADISASSEMBLEARGUMENT _ADADISASSEMBLEATOM _ADADISASSEMBLEATOMSTATE _ADADISASSEMBLEATOMSTREAM _ADADISASSEMBLEATOMSTREAMSTATE _ADADOATOMCALLBACKS _ADAENUMALLATOMS _ADAFREESTATE _ADAGETATOMBYNAME _ADAGETATOMNAME _ADAGETERRORTEXT _ADAINITIALIZE _ADAISVALIDPROTOCOL _ADALOOKUPATOMENUM _ADANORMALIZEATOMSTREAM _ADATERMINATE ADA Atomic Disassembler/Assembler WEP Like I said, I do not use FDO Compression, so I haven't written any functions concerning it. 7) Putting it all together Ok, you've probably been reading this doc for a while now. Good for you, you took the time to learn something. For those of you who scrolled up to here just to get the code for an AOL client, shame on you. Here is the result of the topics discussed in this document, a Visual Basic AOL client capable of sending IMs. This client uses the functions found earlier in this document. 1) Start a new project 2) Add the Microsoft Winsock Control to your project 3) Create a control on the form 4) Create 2 command buttons(Connect, Send IM) 5) Create 5 text boxes(Status, Screenname, Password, IMName, IMMsg) In the General (Declarations) put this: Dim sixth as String Dim seventh as String Dim packet as String In the connect button, put this: Call Winsock1.Connect("AmericaOnline.aol.com", 5190) 'This opens a connection to the AOL server In you 'Connect' event of your Winsock control, put this: status.Text = status.Text & "Connected" & vbCrLf packet$ = DeHex("5A413800347F7FA3036B0100F5000000050F00002152CBCA070A1000080400000000035F0000010004000300080000000000000000000000020D") Winsock1.SendData packet$ ' This sends the version packet, NO CHANGES HAVE TO BE MADE In your 'DataArrival' event of your Winsock control, put this: Winsock1.GetData sData, vbString 'Puts the incoming data in 'sData' If Len(sData) = 9 Then ping6$ = Mid(sData, 6, 1) ping7$ = Mid(sData, 7, 1) packet$ = DeHex("0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D") crc1 = AOLCRC(packet$, Len(packet$) - 1) thehi$ = Chr(gethibyte(crc1)) thelo$ = Chr(getlobyte(crc1)) tosend$= DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D") Winsock1.SendData tosend$ End If Dim crap as Integer crap = 1 Do Until crap = 0 crap = InStr(1, sData, Chr$(0)) If crap > 0 Then Mid(sData, crap, 1) = "" Loop status.Text = status.Text & "Server: " & sData & vbCrLf & vbCrLf If InStr(1, sData, "Invalid password") Then status.Text = status.Text & "Invalid Password" & vbCrLf Call Winsock1.Close End If If InStr(1, sData, "Invalid account") Then status.Text = status.Text & "Invalid account" & vbCrLf Call Winsock1.Close End If If InStr(1, sData, "SD") Then screenname1$ = Int2Hex(Len(screenname.Text) + 1) & EnHex(screenname.Text) password1$ = Int2Hex(Len(password.Text)) & EnHex(password.Text) fifth$ = give5th("5AD69400411010A044640015000100010A0400000001010B04000000010301" & screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D", 2) packet$ = DeHex("00" & fifth$ & "1010A044640015000100010A0400000001010B04000000010301" & screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D") crc1 = AOLCRC(packet$, Len(packet$) - 1) thehi$ = Chr(gethibyte(crc1)) thelo$ = Chr(getlobyte(crc1)) packet$ = DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & "1010A044640015000100010A0400000001010B04000000010301" & screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D") Winsock1.SendData packet$ 'Sends the screenname/password. If you dont understand this refer above to 'Forming Packets' packet$ = DeHex("5A3A0A00031018A40D") 'This is a logged ping packet Winsock1.SendData packet$ End If If InStr(1, sData, "Master Tool") Then packet$ = DeHex("5A3A0A00031018A40D5AC6910008111CA079610701010D5A5C340022121CA0746C00170001000A0F04007BB5E80A10041DA6DDF20A4504000000070002000D5A6F4A000D131CA0534300150001000002000D") Winsock1.SendData packet$ 'This sends the ya login packet, NO CHANGES HAVE BEEN MADE sixth=Hex2Int("13") seventh=Hex2Int("21") 'This is where you set your sixth and seventh at first. End If In your send IM command button put this: screenname1$ = Int2Hex(Len(IMName.Text)) & EnHex(IMName.Text) IM1$ = Int2Hex(Len(IMMsg.Text)) & EnHex(IMMsg.Text) If sixth = "127" Then sixth = "15" 'Backtrack 1 because we are going to add 1 soon seventh = "23" 'THIS IS THE CODE TO RESET THE BYTES End If sixth = CInt(sixth) + 1 seventh = CInt(seventh) + 1 fifth$ = give5th("5A606700001522A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D", 2) packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D") crc1 = AOLCRC(packet$, Len(packet$) - 1) thehi$ = Chr(gethibyte(crc1)) thelo$ = Chr(getlobyte(crc1)) packet$ = DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D") Winsock1.SendData packet$ IMMsg.Text="" In the Winsock control's 'SendComplete' event, put this: Dim crap as Integer crap = 1 Do Until crap = 0 crap = InStr(1, packet$, Chr$(0)) If crap > 0 Then Mid(packet$, crap, 1) = "" Loop status.Text = status.Text & "Client: " & packet$ & vbCrLf & vbCrLf In the status textbox's 'Change' event, put this: status.SelStart = Len(status.Text) 'Auto Scrolls If Len(status.Text) >= 32000 Then status.Text = Right$(status.Text, Len(status.Text) / 2) 'Keeps the length from getting too large Make sure your status.Text is set MultiLine to True and has scrollbars. If you did it correctly, you should now have a working AOL client that has a status box and can send IMs. Welcome to Winsock AOL. 8) Common Sense Ok, most of you have probably stopped reading by now. But I need to make a point. The only reason that the information above is not already widely available is because of the fear of abuse. Putting this information in immature hands is dangerous. Some people believe that if it gets out, the walls of the America Online service will come crashing down as things like faster mail bombers, spammers, IM bombers, and cloners begin to immerge. It may very well be impossible to enter a chat room without being so lagged by scrolling, IMs, and emails that you cannot even stay connected. I don't personally believe that though. Due to the complexity of these packets, it is far harder to use even copied source of this than to use copied source of the infamous "AOL Progs" that eventually died out. If you are learning from this document, I implore you to use common sense in your use of this information. This document would not be possible if it werent from the help I received from my friends. Thanks to phrea, nec, jay, ceramic, and anyone else who I forgot. Thank you for listening, Gods Misfit binary0100@yahoo.com http://aol.necrocosm.com ws*n j f} b[^ZVRN wsokgc_[WSOK w s okgc>_F[WSOK  w!s!o"kH1g2c3_6[-;WA;S[;O_;K _;<w<s<o<kCgCcD_D[DWDSEOEK EEwEsIoJk KgNc}Q_Q[RWwTS}XOTZK TZZw ]s]o\^k'`gQ`cS`_g`[`W`S/aO?bK ?bbwkslolkmgLpcp_Xq[qWArSCrOErK ErwwiWTT*,KY  Ym'I_<> ! _ a { } ]_Rh:<<>DFik|(F]{#24Mn~ Rq9;;  9 !!!!!~""'='?'|(|(~(((((..F1H1p1111111 22333D3^3w3y3{3334!424@4B4s444444 5555N5g5555555 6:6b666667777777"8$8n8p885979r9t9::{;};<<==:>:><>|>>>@@@@AACCCCCCD=D?DEEEkFmFdGfGGGGGHHII>I@IIIIIJJ[JJJJ KK+KHKKLLM"M N*NNNNNNNNO O OOOOOKQMQkQQQRRRRR S%S%S@SSSSSRTmTuTwTUU;V=V?VAV\V^VWW{X{X}XXXXXXYY/YHYbYYYYYYYYYZZZ,ZDZRZTZZZZ[8[I[_[w[[[[[[\%\%\7\F\Y\j\|\\\\\\\]]] ]h]j]l]n]]]]^^`^__+_b_____%`'`<`S`i`k``````-a/aaaaAbCbbbbbbbc\cccc,dGdGdOdQdfdpdddddeeHeeeeefff!f@f@fffwg$hNhmhh`iij:jBjDjlj%k{kkkkkkllTllllmm4mRmmnno.o p;pJpLpppppppp qqVqXqqqqCrErssss*s,s,sssvvw^w`wzwwwww =/2!9(8w9wTimes New Roman