New YMSG Discovery: SERVICE_PASSTHROUGH2 (0x16)


#1

As I was still testing the WIP Escargot YMSG frontend, I noticed that when authentication was successful, the client would send this packet pictured here:

The curious cat I was decided to extact the key-value pairs and examine the data within.

First, here’s the structure:

Key 1: <YahooId>
Key 25: Unknown (“C=0[0x01]F=1,P=0,C=0,H=0,W=0,B=0,O=0,G=0[0x01]M=0,P=0,C=0,S=0,L=3,D=1,N=0,G=0,F=0,T=0”)
Key 146: Base64 string #1
Key 145: Base64 string #2
Key 147: Base64 string #3

Not knowing how key 25 was created, I had instead decoded the Base64 strings to see what was up, and oh boy, was something up.

Key 146 is actually the operating system the client is running on (e.g.: “V2luZG93cyAyMDAwLCBTZXJ2aWNlIFBhY2sgNA==” decodes to “Windows 2000, Service Pack 4”).
Key 145 is actually the processor type (e.g.: “SW50ZWwgUGVudGl1bSBQcm8gb3IgUGVudGl1bQ==” decodes to “Intel Pentium Pro or Pentium”).
Finally, key 147 is actually the time zone of the user (e.g.: “RWFzdGVybiBTdGFuZGFyZCBUaW1l” decodes to “Eastern Standard Time,” my time zone).

I’d only see this kind of data used in collecting PC data. A similar kind of PC data collection is used in MSNP (CVR), and it’s interesting to see that Yahoo! had done the same thing.

In short, this packet service isn’t a passthrough. It’s data collection. :slight_smile:


#2

Service 22/x16 is a settings packet not pass though. You’re thinking of either server 75 or 77. Key 25 is a collection of settings, I forget what they represent but changing certain things in messenger and the absence or presence of files can change the values.


#3

I know that this YMSG packet is not a passthrough (in fact, I conclude the thread by saying it’s NOT a passthrough). It was the name given by several sources (e.g., Wireshark, jYMSG docs, basically everyone in the Yahoo! Messenger scene). I just went with the name just because. :stuck_out_tongue: