
# The ICQ Security Tutorial / Written by R a v e N (blacksun.box.sk) <===================================================================> 13/7/2000, version 1.

0x90 0x34 0xF6 0xBB 0x40 0x2E 0x83 0x7F

**Note**

Now to get the other important item - your CryptIV value! This will appear in the .dat file after the text:

99BCryptIV

which is just before the word 'password'. The CryptIV value is used in generating the decryption key.

Search the .dat file for "99BCryptIV", and then once you have found it, skip past the null terminator and character 'h'. In other words - ignore the first 2 characters after the word "99BCryptIV". The next 4 characters are your CryptIV value. They will probably look like strange ASCII characters. Here is an example of what you could find:

99BCryptIV h]~t

In the case above, the CryptIV value would be:

]~t

Now we need to work out the ASCII values of each character, like so:

] ~ t = = = = 93 223 152 116

For all you newbies, the ASCII value of something is its numerical value. Every single character on the keyboard has a special number associated with it called the ASCII value.

Now the fun bit! Once you have your 4 character long CryptIV value converted to ASCII, we need to perform this calculation with it:

( 1st + 2nd * 256 + 3rd * 65536 + 4th * 16777216 ) = CryptIV

The 1st, 2nd, 3rd, and 4th terms represent the ASCII value of each character of the 99BCryptIV. So, for our example, we would do:

(93 + 223 * 256 + 152 * 65536 + 116 * 16777216) = 1956175709

The final step is to convert the result into hex. Yes, I'm afraid it has to be done. The easiest way is to go into a programming language and make it convert it. For example, to convert the result above using Visual Basic, the code would be:

```vb
MsgBox Hex(1956175709)
```

That simple! The code above will make it display a message box showing the hex value. In Delphi that code would be:

```pascal
ShowMessage(IntToHex(1956175709, 1));
```

After converting to hex, you should get the value:

7498DF5D

This can be properly represented as 0x7498DF5D or 7498DF5Dh depending on how you're inclined.

Ok, lastly - your UIN. Surprisingly, this is the easiest piece of information to get!! Your UIN is your ICQ number. My UIN was:

16831675

Now we have all the information we need:

```
UIN                : 16831675
CryptIV            : 7498DF5D
Encrypted password : AF 79 90 34 F6 BB 40 2E 83 7F
```

Now we need to use the above information to generate a decryption key (or an XOR key). This is quite complicated, and it would not be feasible for us to do it manually here - but you can use the program I compiled quickly for this volume. It should be along with this file, and it's called "ICQ99b.exe".

Actually, all we need to generate the decryption key is the UIN and the CryptIV - but we will need the encrypted password soon. Go into the program and enter the UIN and the CryptIV and click "Generate Key". Keep a note of the key it generates for you.

**Note**

Although the XOR key generating process is too complex to do here manually, I have included the source to it with this volume. It is called "XorKeyGn.pas" and it is written in Pascal. The compiled program "ICQ99b.exe" is merely a port of this source code into Delphi to make it easier for newbies to generate the XOR key. The XorKeyGn.pas source was written entirely by CovertD - who is a very talented coder and deserves all the credit for this decryption. He has helped me to understand this decryption and create this tutorial for you.

**Note**

Ok! Once you have the decryption key - the real decryption can begin. The decryption will require you to be familiar with XOR - if you are not familiar with this...I have included the Visual Basic and Delphi source code to decrypt it.
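As an added example (not part of the original tutorial or its accompanying programs), the CryptIV lookup and conversion described above can be done in one pass over the file's bytes in Python. The function names and the sample buffer are constructed for illustration; only the marker text, the two skipped bytes and the four example values come from the tutorial.

```python
import struct

MARKER = b"99BCryptIV"  # text the tutorial says precedes the value
SKIP = 2                # null terminator + 'h', per the tutorial


def find_cryptiv(data: bytes) -> list:
    """Return every CryptIV in a .dat buffer as an unsigned 32-bit integer."""
    values = []
    pos = data.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER) + SKIP
        raw = data[start:start + 4]
        if len(raw) == 4:  # skip a marker that is cut off at the end of the buffer
            # Little-endian: the first byte is the least significant one.
            values.append(struct.unpack("<I", raw)[0])
        pos = data.find(MARKER, pos + 1)
    return values


def tutorial_formula(raw: bytes) -> int:
    """The tutorial's arithmetic: 1st + 2nd*256 + 3rd*65536 + 4th*16777216."""
    return raw[0] + raw[1] * 256 + raw[2] * 65536 + raw[3] * 16777216


def as_hex(value: int) -> str:
    """Eight upper-case hex digits, the form the tutorial ends up with."""
    return f"{value:08X}"


# Constructed sample, not a real ICQ .dat file: the tutorial's four example
# values (93, 223, 152, 116) placed after the marker, followed by a second,
# truncated marker to exercise the length check.
SAMPLE_RAW = bytes([93, 223, 152, 116])
SAMPLE_DAT = (b"\x00\x01junk" + MARKER + b"\x00h" + SAMPLE_RAW
              + b"\x00password\x00" + MARKER + b"\x00h]")

if __name__ == "__main__":
    for value in find_cryptiv(SAMPLE_DAT):
        print(value, as_hex(value))
```

Reading the four bytes as a little-endian 32-bit integer gives the same number as the tutorial's formula, which is why the hex result is simply the four bytes in reverse order.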
The hands-on approach:

What we now need to do is XOR the encrypted password character-by-character with the decryption key (or XOR key as it should be known). Using the above example, my program generated the decryption key as:

A7 79 F8 55-95 D0 26 4F-F2 7F 2C

**Note**

Remember this is in hex too, so it really means: 0xA7 0x79 0xF8 0x55 etc.

**Note**

Ok, now the odd bit...remove the first two hex values of both the XOR key and the encrypted password. Why this is needed is explained a bit later. So, for my example we would end up with:

```
ENCRYPTED PASS = 90 34 F6 BB 40 2E 83 7F
XOR KEY        = F8 55-95 D0 26 4F-F2 7F 2C
```

So looking back at the encrypted password, we will actually be XOR'ing:

```
0x90 xor 0xF8
0x34 xor 0x55
0xF6 xor 0x95
0xBB xor 0xD0
etc.
```

and just to do a quick example XOR:

```
[ 0x90 xor 0xF8 ]

0x90 = 144
0xF8 = 248

010010000
011111000
---------------
001101000 = 104
```

XOR all of the encrypted password like this and write all of the results down (so for our example, the first result would be 104). Now convert the results to their ASCII symbols, so 104 would become:

h

The easier approach:

Ok, if all the talk of XOR scares you, here is the easier way. Below is the code for both Visual Basic and Delphi to perform the XOR calculations above. The Visual Basic code to do this (using the example) would be:

```vb
Dim Key, Encrypted As Variant
Dim Decrypted As String
Dim x As Integer

'If you are doing this for your own password and not the example,
'remember to replace the values with your own.
Key = Array(&HF8, &H55, &H95, &HD0, &H26, &H4F, &HF2, &H7F, &H2C)
Encrypted = Array(&H90, &H34, &HF6, &HBB, &H40, &H2E, &H83, &H7F)

'Begin XOR'ing the encrypted text with the key, and converting them to ascii chars.
For x = 0 To 7
    Decrypted = Decrypted & " " & Chr(Key(x) Xor Encrypted(x))
Next

'Show a message with the decryption text.
MsgBox Decrypted
```

Write down all of the results that are stated in the message box. Here is the Delphi code:

```pascal
Var
  Decrypted : String;
  x : Integer;
Const
  //If you are doing this for your own password and not the example,
  //remember to replace the values with your own.
  Key : Array[0..8] of Integer = ($F8, $55, $95, $D0, $26, $4F, $F2, $7F, $2C);
  Encrypted : Array[0..7] of Integer = ($90, $34, $F6, $BB, $40, $2E, $83, $7F);
begin
  //Begin XOR'ing the encrypted text with the key, and converting them to ascii chars.
  For x := 0 To 7 do
  begin
    Decrypted := Decrypted + ' ' + Chr(Key[x] Xor Encrypted[x]);
  end;
  //Show a message with the decryption text.
  ShowMessage(Decrypted);
end;
```

The conclusion:

Now let's look at what you have ended up with (whether you used the manual approach or the code above). You should have something in the format of this:

< The password! > < maybe 1 more useless character >

And yes, the password should have decrypted as 'hackfaq'.

If you were wondering what the 3 useless characters actually mean, then here it is:

The first character is a length word and is a hex value (therefore you shouldn't really convert it to its ASCII value) - the hex value should be equal to the length of the decrypted password. To cut a long story short, the first character holds the length of the password.

The second character is rubbish - I believe? or it might be part of the length...who knows.

The last useless character is simply a null terminator - i.e. zip, nothing, 0

I am really really sorry if I lost anyone during this topic! It is probably the most complex topic we have covered, and is quite difficult to explain - although