The AOL Protocol



When you hear the phrase "The AOL Protocol", I bet most of you immediately think of FDO, right? Although FDO is a part of the AOL protocol, it in no way encompasses the big picture. When I use the term "The AOL protocol", I refer to how the AOL client and server interact with each other, how data is prepared, how it is sent, and how it can be manipulated.



There currently exists no formal documentation of the AOL protocol, or at least one that is publicly available. For this reason, I have taken it upon myself to strip the bits of information from my feeble mind and write a document with at least basic information about the AOL protocol. The information included in this document is what I have learned, from exploration, help from others, and just stumbling upon it. I in no way guarantee the accuracy of the information contained herein. That said, here is what I know.







Table of Contents



1) Establishing a connection

A. Servers

B. The handshake

C. Sending the screenname and password

D. Completing the login

2) The packet

A. The first byte

B. The second and third bytes(CRC)

C. The fourth byte

D. The fifth byte

E. The sixth and seventh bytes

F. The eighth byte

G. The ninth and tenth bytes

3) Logging AOL's Data Packets

4) Forming Data Packets

5) Pings

6) About FDO Decompression

7) Putting it all together

8) Using Common Sense









1) Establishing a connection



A. Servers - America Online Servers generally run on port 5190. The server that the clients connect to is randomly chosen via the DNS Round Robin 'AmericaOnline.aol.com'. There are literally hundreds of America Online servers linked together. It makes you wonder how they avoid the common IRC occurrence of "Net Splits". To connect to an AOL server, all one has to do is connect to 'AmericaOnline.aol.com' on port 5190. I'm sure all of you can do this, you can even test it in Telnet. AOL servers that people generally connect to are called "berps". An example AOL server is 'berp-cr01.dial.aol.com'.



B. The handshake - Upon connecting to America Online, the client first sends an identification packet that includes the version of the AOL client being used. On success, the server will send back go ahead packet(SD) and the client will then send Screenname/Password. On failure, the AOL server will send an XS and the client will disconnect. AOL uses this in order to disable older clients from connecting and force people to upgrade. If the server gives no response, the packet wasn't formed correctly.



Client: 5A413800347F7FA3036B0100F5000000050F00002152CBCA070A1000080400000000035F0000010004000300080000000000000000000000020D

Client: ZA8Å4ãã kÅõÅÅÅ ÅÅ!RËÊ Å ÅÅÅÅ _ÅÅÅ Å ÅÅÅÅÅÅÅÅÅÅÅÅ



Server: 5AB71100037F7F240D5A88E9000B107F20534454D1F68B00000D

Server: Z-Å ãã$ZéÅ ã SDTÑöÅÅ



C. Sending the screenname and password - After the server accepts the initial handshake, the screennname and password are sent. If the screenname and password match, the server then sends the Master Tool disabling information, and also sends the Welcome Window FDO. If the screenname and password do not match, the server will ask for the password once more, if it fails twice, the server sends the XS and the client is disconnected.



Client: 5A243F00431010A044640015000100010A0400000001010B040000000103010A686F6C797461626C6520011D00011D00010A0400000002030108736174616E363636011D000002000D

Client: Z$?ÅC DdÅ ÅÅ ÅÅÅ ÅÅÅ holytable Å Å ÅÅÅ satan666 ÅÅ Å



D. After receiving the Welcome Window FDO, the client sends the 'ya' token. This causes AOL to tell you if you have mail, assign you an IP address, and, if you have configured it, show your buddy list. Once you are assigned an IP address you are completely logged in and can now send other commands to the AOL service.



Client: 5A4EBA00031018A40D5AC6910008111CA079610701010D5A5C340022121CA0746C00170001000A0F04007BB5E80A10041DA6DDF20A4504000000070002000D5A6F4A000D131CA053430150001000002000D

Client: ZNÅ ZÆ'Å- yaZ\4Å" tlÅ ÅÅ Å{è |ÝòE ÅÅÅÅ ÅZoJÅ SCÅ ÅÅÅ Å



Server: 5A419B00351D132079610304AC992E10020102010100040498A3CE86070101050203C00A153135332D34362D31362E6970742E616F6C2E636F6D0D5A7E91001E1E132076A007BB5E81DA6DDF20000000000696D66617274702E627574000D

Server: ZAÅ5 ya . Å Î À 153-46-16.ipt.aol.comZ~'Å-- tjÅ{è |ÝòÅÅÅÅÅimfartp.butÅ







2) The packet - Ah, the illusive AOL packet. The structure of these packets have remained a mystery throughout America Online's life. I will now make an attempt at breaking down these packets.



Here's a basic idea of what a packet may look like:



Z (CRC) (CRC) [NULL] (LENGTH BYTE) (HB 6TH) (HB 7TH) [SPACE] (TOKEN) (TOKEN)



That's the first ten bytes in any AOL packet. The only bytes that don't change constantly are the first, Z(5A in Hex), and the fourth, A null(00 in hex). Anything after the first ten bytes is compressed FDO or data strings. Here is a breakdown of the ten bytes in greater detail.



A. The first byte for all AOL versions is Z or 5A in Hex. This is probably the least troublesome byte because it never changes and you can't forget to add it as easily as you can the fourth.



B. The second and third bytes are 'Hi' and 'Lo' bytes produced from the CRC16 Algorithm. CRC stands for "Cyclic Redundancy Check". The CRC is often used in compression to make sure no data was corrupted. If the CRC header does not match the data in a zip file, the file is assumed corrupted. The same goes for AOL packets. If the CRC does not match the packet, the AOL server ignores it. The CRC is taken from the packet with the first 5 bytes(the header) removed. The number produced by the algorithm is then used to produce a 'Hi' and a 'Lo' byte that is placed in the 2nd and 3rd spots in the header. The CRC only applies to versions of AOL clients 3.0 and below. The newer AOL clients simply send '**' as the 2nd and 3rd byte. you can get along with using newer AOL packets without a CRC, but you'll end up sending more data. If you can use the CRC it will actually be easier to just use it with the older, smaller packets.



Here is the CRC function and 'Hi' and 'Lo' byte subs for C++ and Visual Basic programmers. These are public functions, I did not write them:



C++:



Function AOLCrc (strng$, lenstr)



unsigned short

CRC16(byte * buffer, int length)

{

unsigned short crc = 0;

unsigned short ch;

int i, j;

for (i = 0; i < length; i ++) {

ch = (unsigned short) buffer;

for (j = 0; j < 8; j ++) {

if ((crc ^ ch) & 1)

crc = (crc >> 1) ^ 0xa001;

Else

crc >>= 1;

ch >>= 1;

}

}

return (crc);

}



Visual Basic:



Function AOLCRC(strng$, lenstr)

Dim crc As Long

Dim ch As Long

Dim i As Long

Dim j As Long



For i = 0 To lenstr - 1

ch = Asc(Mid(strng$, i + 1, 1))

For j = 0 To 7

If ((crc Xor ch) And 1) Then

crc = (Int((crc / 2)) Xor 40961)

Else

crc = Int(crc / 2)

End If

ch = Int(ch / 2)

Next j

Next i

AOLCRC = crc

End Function



Function gethibyte(mybyte As Variant) As Variant

gethibyte = Int(mybyte / 256)

End Function



Function getlobyte(mybyte As Variant) As Variant

getlobyte = Int((mybyte - (gethibyte(mybyte) * 256)))

End Function





The use of these functions will be explained more later on.



C. The 4th byte for all AOL versions is a null(00 in Hex). This byte never changes, but it is required, just try to remember to include it.



D. The 5th byte is the length byte, The length byte is roughly the length of the packet with the first 5 bytes(The Header) removed. I say roughly because another thing can effect the length byte besides actual physical length. The byte directly before any string in the packet(screennames, chat, form data, etc..) is also a length byte. This byte represents the length of the string immediately following it, and is not counted in the 5th byte representation of the length. I have written a Visual Basic sub that will calculate the 5th byte in any given packet:



Function give5th(pack As String, inputz as integer)

'You need the EnHex function for this, you will find it later on in this document.

Dim give5th1 As Integer

inputz = inputz + 4

give5th1 = Len(DeHex(pack)) - inputz

give5th = EnHex(Chr(give5th1))

End Function



This function was written by me. Its use is simple. Just include the hexed entire packet(even header) and the # of inputs your form has to calculate the 5th byte to be places in your packet.



Example: give5th("5AD69400411010A044640015000100010A0400000001010B04000000010301" & screenname$ & "20011D00011D00010A04000000020301" & password$ & "011D000002000D", 2)



E. The 6th and 7th bytes - These 2 bytes are almost as mind boggling as the 2nd and 3rd. If you watch AOL packets go by, you'll see what I mean. The 6th and 7th seem to change wildly, with no way to tell what the next will be. These packets are different for every new packet sent, but actually go in a loop. If you look at the login packets I use, you'll see the 6th byte(in hex) is 10(Int 16), and the seventh is 18(Int 24). Before every packet sent, I simply increase each by 1. Although the actual client seems to do something a little different, adding 1 works. You can't add 1 forever, of course. You'll notice after a while the AOL server will stop responding. The solution to this is resetting the 6th and 7th bytes to their original values, 10(Int 10) and 18(Int 24). I'm sure most of you don't want to explore this yourself, so the 6th and 7th reset at Int 127 and Int 135. I'm a little confused on what to call these bytes. I call them "counter bytes", but I've often heard them referred to as 'heartbeats'. It seems to me the 9 char "ping-like" packets should be called heartbeats(Who knows? maybe they are). Regardless of terminology, this works.

F. The 8th byte is simply a space.



G. Finally, the 9th and 10th bytes(in ASCII) represent the token. for those of you who know FDO, you know that token kind of tells the server what to expect. If you aren't sure what you're looking at, just look for these tokens and cross check them with the AOL-Files token list to see what kind of packet it is.







3) Logging AOL's Data Packets



Logging the packets AOL uses is a very important skill when dealing with the AOL protocol. Without it, you will get nowhere. When you form a packet to send to the AOL server, you don't build it from the ground up(At least I don't). To build it from scratch would require you to write it in FDO, compress the FDO, and add the header. Although it is possible to do it that way, it is much easier to use logged packets and just change them where needed. Getting AOL packets is actually pretty simple. First, you create a program that listens on port 5190 for incoming connections. You then choose a version of AOL to spy on. This document revolves around 2.5 packets, so I suggest using AOL 2.5(available at http://clients.aol-files.com). You have to set up the AOL client to connect to your computer locally, rather than to 'AmericaOnline.aol.com'. To do this open the 'tcp.ccl' file in the 'ccl' directory and change the 'AmericaOnline.aol.com' to 'localhost'. Save and close the file. you then connect your AOL client. If you did it correctly, you should see an incoming connection in your program. Now, your program make it so that when a client connects your program connects to 'AmericaOnline.aol.com' on port 5190. Set up your program so that when Data is received, depending on the ID of the socket, it will direct the data to the client or server socket. If data is sent from the client, send it to the server, if it is sent from the server, sent it to the client. The idea behind this is to become a type of "data link" between the server and client. We can now begin to intercept data.



Intercepting the data is nothing more than creating a textbox and displaying incoming data from the client or server. Its a good idea to mark it 'client' or 'server' to get a better idea of what you're looking at. The only trick to doing this is editing out the null characters. When a null character is put in any textbox or other viewing object, it represents to Windows the end of a line, so any text after it is unreadable. By editing out the null characters in a string, you allow yourself to see the entire packet. Here is a Visual Basic function I wrote to edit out null characters:



Function stripnulls(thedata as String)

Dim torem as Integer

torem = 1

Do Until crap = 0

torem = InStr(1, thedata, Chr$(0))

If torem > 0 Then Mid(thedata, torem, 1) = "Å"

Loop

End Function



When displaying a packet in ASCII, its is pretty much ruined for sending back to the server, even if you try putting the nulls back in. So most editing for packets is done in Hex. Here are some Visual Basic functions to Hex and DeHex strings and integers:



Public Function EnHex(Data As String) As String

Dim iCount As Double

Dim sTemp As String





For iCount = 1 To Len(Data)

sTemp = Hex$(Asc(Mid$(Data, iCount, 1)))

If Len(sTemp) < 2 Then sTemp = "0" & sTemp

EnHex = EnHex & sTemp

Next iCount

End Function



Public Function DeHex(Data As String) As String

Dim iCount As Double





For iCount = 1 To Len(Data) Step 2

DeHex = DeHex & Chr$(Val("&H" & Mid$(Data, iCount, 2)))

Next iCount

End Function



Public Function Int2Hex(Data As String) As String

Dim sTemp As String

sTemp = Hex(Data)

If Len(sTemp) < 2 Then sTemp = "0" & sTemp

Int2Hex = Int2Hex & sTemp

End Function



Public Function Hex2Int(Data As String) As String

Dim iCount As Double

For iCount = 1 To Len(Data) Step 2

Hex2Int = Hex2Int & CInt(Val("&H" & Mid$(Data, iCount, 2)))

Next iCount

End Function



When you grab a 'logged' packet, grab the Hex. The use of these packets in packet forming will be explained better later on. If you don't want to do the work described above, use AOL Data Edit.







4) Forming Data Packets



Now I will attempt to explain how to form a packet and send it in Visual Basic using the functions provided above.



The first step is to grab a logged packet. Here is a logged IM packet::



5A21EF00401422A06953002500010001070400000003010A040000000103010A676F64736D6973663174011D00010A04000000020301026869011D00011D00011D000002000D

Z!ïÅ@ "iSÅ%ÅÅ ÅÅÅ ÅÅÅ godsmisf1t Å ÅÅÅ hi Å Å ÅÅ Å



I IMed the screenname 'godsmisf1t' with the message 'hi'.



Now that you have a logged packet, you have to decide what strings you need to change. You know that the string 'godsmisf1t' and the string 'hi' should be changed to send an IM with a different message to a different person. The Hex for 'godsmisf1t' is '676F64736D6973666974'. So you look for that in the Hexed packet, you also look for the Hex for 'hi' which is '6869'.



5A21EF00401422A06953002500010001070400000003010A040000000103010A676F64736D6973663174011D00010A04000000020301026869011D00011D00011D000002000D



Now that we've identified the data to be changed, just edit them out. Set variables for Screenname and IM and place them in the spots you deleted. Also remember that the byte directly before a string is a length byte, so you'll want to edit that out too.



"5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D"



The screenname and IM Hexed strings become the variables Screenname$ and IM$, and the bytes directly before those strings are removed as well(0A, and 02). When you set the screenname variable, you set it to the Hexed Length of the screenname, and the screenname in Hex. Here is an example:



screenname$ = Int2Hex(Len("godsmisf1t")) & EnHex("godsmisf1t")

IM$ = Int2Hex(Len("hello")) & EnHex("hello")



Now you just hex the packet and send it back and it will work, right? Wrong. Many other things have to change now that you've changed data in the packet. First, we need to change the 5th byte(the length byte) so that it can properly send with varying message and screenname lengths. Here is how you grab the 5th byte using the give5th function I wrote:



fifth$ = give5th("5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D", 2)



The give5th function calculates the length byte from the packet and the number of inputs. An IM form has 2 inputs, so I put 2. The Hexed length byte is stored in the variable 'fifth$' for later use.



Now we have to make sure we have the correct 6th and 7th byte. After I finished logging in, the 6th byte's Integer value was 16, and the 7th's Integer value was 24. When you finish logging in(more help later), set public variables to the 6th and 7th byte so you can increase them when you need to. Like I said above, just add 1 every time and remember to reset when the values equal 127 and 135. For now, lets say your 6th byte variable is named 'sixth' and you 7th is named 'seventh'. Here is how you would increment them:



sixth = CInt(sixth) + 1

seventh = CInt(seventh) + 1



Remember, these variables are integers.



This is how you add them and the fifth byte to your packet.



Our current packet is "5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D" The current 5th byte is(hexed) '40', the sixth is '14', and the seventh is '22'. These were from the logged packet and need to be changed, so we just replace them with our variables:



packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D")



We just replaced the 5th and 6th and 7th byte with Hexed variables, and stored the new packet in the variable 'packet$'. Now that we have everything ready, we just have to change the CRC bytes. Here is how you use the functions above to do so:



crc1 = AOLCRC(packet$, Len(packet$) - 1)

thehi$ = Chr(gethibyte(crc1))

thelo$ = Chr(getlobyte(crc1))



packet$ = "5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D"



Now the packet is completely ready to be sent. So you just DeHex it, and send it to the server.



whatyousend$ = DeHex(packet$)



Just send whatyousend$ to the server and if you did everything correctly, it should send the IM.



To tie this all together, here is a Send IM function you can use:



Function SendIM(screenname as String, IM as String)

screenname1$ = Int2Hex(Len(screenname)) & EnHex(screenname)

IM1$ = Int2Hex(Len(IM)) & EnHex(IM)

If sixth = "127" Then

sixth = "15" 'Backtrack 1 because we are going to add 1 soon

seventh = "23" 'THIS IS THE CODE TO RESET THE BYTES

End If

sixth = CInt(sixth) + 1

seventh = CInt(seventh) + 1

fifth$ = give5th("5A21EF00401422A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D", 2)

packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D")

crc1 = AOLCRC(packet$, Len(packet$) - 1)

thehi$ = Chr(gethibyte(crc1))

thelo$ = Chr(getlobyte(crc1))

packet$ = "5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname$ & "011D00010A04000000020301" & IM$ & "011D00011D00011D000002000D"

whatyousend$ = DeHex(packet$)

Form1.Winsock1.SendData whatyousend$ 'This assumes you're main form is named Form1 and you are using Microsoft's Winsock Control.

End Function



Now you should have a pretty good idea of how packets work.







5) Pings



After successfully establishing a connection to AOL, you will notice AOL sends little packets to you that look like this:

Server: 5A647D00032313260D

Server: Zd}Å # &



These packets serve much the same function as a 'ping'. It checks to see if the connection is still alive. If you do not respond to these pings, you will receive no data from the AOL server. Luckily, responding is simple. All you do is take the 6th and 7th character from the ping packet, flip them around, and send back a client ping packet. This is what a client ping reply would look like:



Client: 5A0AE900031323A40D

Client: Z éÅ #



The server's ping packet's 6th character was 23 Hexed. The 7th was 13 Hexed. The client's ping reply packet's 6th was 13 Hexed, the 7th was 23 Hexed. So the client just basically flips them over and sends back a ping reply packet. Here is the code to reply to pings:



In your Winsock Data Arrival event, put this:



'Assuming sData is the incoming server data:

If Len(sData) = 9 Then

ping6$ = Mid(sData, 6, 1)

ping7$ = Mid(sData, 7, 1)

packet$ = DeHex("0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D")

crc1 = AOLCRC(packet$, Len(packet$) - 1)

thehi$ = Chr(gethibyte(crc1))

thelo$ = Chr(getlobyte(crc1))

tosend$= DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D")

Winsock1.SendData tosend$

End If



The client is the one that usually sends these pings, the server is usually the one responding to them. Until a ping is responded to or sent, the AOL server will stop sending the client data. So if you were to create a full fledged AOL client, you would have to make a timer that would constantly send ping packets to the AOL server.



Note - When sending ping replies or ping packets you don't need to increment the 6th or 7th or find a 5th byte.







6) About FDO Compression



The packets that we've been dealing with don't look much like FDO, but they are. They are compressed FDO. Just by studying packets you can kind of see how the FDO is compressed in that small area, you can even write a sub. Although I do not use FDO Compression in my personal projects, here is a way you can do it:



Locate the file 'ada32.dll'. This is the resource library AOL puts all their FDO Compression functions in. If you know how to Declare Functions from DLL files, here are the functions that are in the 'ada32.dll' file:



AdaAssembleAtomStream

AdaDisassembleAtomStream

AdaDoAtomCallbacks

AdaAssembleArgument

AdaAssembleAtomStream

AdaAssembleFragment

AdaDisassembleArgument

AdaDisassembleAtom

AdaDisassembleAtomState

AdaDisassembleAtomStream

AdaDisassembleAtomStreamState

AdaDoAtomCallbacks

AdaEnumAllAtoms

AdaFreeState

AdaGetAtomByName

AdaGetAtomName

AdaGetErrorText

AdaGetVersion

AdaInitialize

AdaIsValidProtocol

AdaLookupAtomEnum

AdaNormalizeAtomStream

AdaTerminate



Here are the functions that are in the 'ada.dll' file:



?ADAASSEMBLEATOMSTREAM@@ZAJAFVZSTRING@@AEVZBUFFER@@I@Z

?ADADISASSEMBLEATOMSTREAM@@ZAHAFVZBUFFER@@AEVZSTRING@@I@Z

?ADADOATOMCALLBACKS@@ZAHP7AHKGGPFEG@ZKAFVZBUFFER@@I@Z

___EXPORTEDSTUB

_ADAASSEMBLEARGUMENT

_ADAASSEMBLEATOMSTREAM

_ADAASSEMBLEFRAGMENT

_ADADISASSEMBLEARGUMENT

_ADADISASSEMBLEATOM

_ADADISASSEMBLEATOMSTATE

_ADADISASSEMBLEATOMSTREAM

_ADADISASSEMBLEATOMSTREAMSTATE

_ADADOATOMCALLBACKS

_ADAENUMALLATOMS

_ADAFREESTATE

_ADAGETATOMBYNAME

_ADAGETATOMNAME

_ADAGETERRORTEXT

_ADAINITIALIZE

_ADAISVALIDPROTOCOL

_ADALOOKUPATOMENUM

_ADANORMALIZEATOMSTREAM

_ADATERMINATE

ADA

Atomic Disassembler/Assembler

WEP





Like I said, I do not use FDO Compression, so I haven't written any functions concerning it.







7) Putting it all together



Ok, you've probably been reading this doc for a while now. Good for you, you took the time to learn something. For those of you who scrolled up to here just to get the code for an AOL client, shame on you.



Here is the result of the topics discussed in this document, a Visual Basic AOL client capable of sending IMs. This client uses the functions found earlier in this document.



1) Start a new project

2) Add the Microsoft Winsock Control to your project

3) Create a control on the form

4) Create 2 command buttons(Connect, Send IM)

5) Create 5 text boxes(Status, Screenname, Password, IMName, IMMsg)



In the General (Declarations) put this:



Dim sixth as String

Dim seventh as String

Dim packet as String



In the connect button, put this:



Call Winsock1.Connect("AmericaOnline.aol.com", 5190) 'This opens a connection to the AOL server



In you 'Connect' event of your Winsock control, put this:



status.Text = status.Text & "Connected" & vbCrLf

packet$ = DeHex("5A413800347F7FA3036B0100F5000000050F00002152CBCA070A1000080400000000035F0000010004000300080000000000000000000000020D")

Winsock1.SendData packet$ ' This sends the version packet, NO CHANGES HAVE TO BE MADE



In your 'DataArrival' event of your Winsock control, put this:



Winsock1.GetData sData, vbString 'Puts the incoming data in 'sData'



If Len(sData) = 9 Then

ping6$ = Mid(sData, 6, 1)

ping7$ = Mid(sData, 7, 1)

packet$ = DeHex("0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D")

crc1 = AOLCRC(packet$, Len(packet$) - 1)

thehi$ = Chr(gethibyte(crc1))

thelo$ = Chr(getlobyte(crc1))

tosend$= DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "0003" & EnHex(ping7$) & EnHex(ping6$) & "A40D")

Winsock1.SendData tosend$

End If



Dim crap as Integer

crap = 1

Do Until crap = 0

crap = InStr(1, sData, Chr$(0))

If crap > 0 Then Mid(sData, crap, 1) = "Å"

Loop

status.Text = status.Text & "Server: " & sData & vbCrLf & vbCrLf



If InStr(1, sData, "Invalid password") Then

status.Text = status.Text & "Invalid Password" & vbCrLf

Call Winsock1.Close

End If

If InStr(1, sData, "Invalid account") Then

status.Text = status.Text & "Invalid account" & vbCrLf

Call Winsock1.Close

End If



If InStr(1, sData, "SD") Then

screenname1$ = Int2Hex(Len(screenname.Text) + 1) & EnHex(screenname.Text)

password1$ = Int2Hex(Len(password.Text)) & EnHex(password.Text)

fifth$ = give5th("5AD69400411010A044640015000100010A0400000001010B04000000010301" & screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D", 2)

packet$ = DeHex("00" & fifth$ & "1010A044640015000100010A0400000001010B04000000010301" & screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D")

crc1 = AOLCRC(packet$, Len(packet$) - 1)

thehi$ = Chr(gethibyte(crc1))

thelo$ = Chr(getlobyte(crc1))

packet$ = DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & "1010A044640015000100010A0400000001010B04000000010301" & screenname1$ & "20011D00011D00010A04000000020301" & password1$ & "011D000002000D")

Winsock1.SendData packet$ 'Sends the screenname/password. If you don't understand this refer above to 'Forming Packets'

packet$ = DeHex("5A3A0A00031018A40D") 'This is a logged ping packet

Winsock1.SendData packet$

End If



If InStr(1, sData, "Master Tool") Then

packet$ = DeHex("5A3A0A00031018A40D5AC6910008111CA079610701010D5A5C340022121CA0746C00170001000A0F04007BB5E80A10041DA6DDF20A4504000000070002000D5A6F4A000D131CA0534300150001000002000D")

Winsock1.SendData packet$ 'This sends the ya login packet, NO CHANGES HAVE BEEN MADE

sixth=Hex2Int("13")

seventh=Hex2Int("21") 'This is where you set your sixth and seventh at first.

End If



In your send IM command button put this:



screenname1$ = Int2Hex(Len(IMName.Text)) & EnHex(IMName.Text)

IM1$ = Int2Hex(Len(IMMsg.Text)) & EnHex(IMMsg.Text)

If sixth = "127" Then

sixth = "15" 'Backtrack 1 because we are going to add 1 soon

seventh = "23" 'THIS IS THE CODE TO RESET THE BYTES

End If

sixth = CInt(sixth) + 1

seventh = CInt(seventh) + 1

fifth$ = give5th("5A606700001522A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D", 2)

packet$ = DeHex("00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D")

crc1 = AOLCRC(packet$, Len(packet$) - 1)

thehi$ = Chr(gethibyte(crc1))

thelo$ = Chr(getlobyte(crc1))

packet$ = DeHex("5A" & EnHex(thehi$) & EnHex(thelo$) & "00" & fifth$ & Int2Hex(sixth) & Int2Hex(seventh) & "A06953002500010001070400000003010A04000000010301" & screenname1$ & "011D00010A04000000020301" & IM1$ & "011D00011D00011D000002000D")

Winsock1.SendData packet$

IMMsg.Text=""



In the Winsock control's 'SendComplete' event, put this:



Dim crap as Integer

crap = 1

Do Until crap = 0

crap = InStr(1, packet$, Chr$(0))

If crap > 0 Then Mid(packet$, crap, 1) = "Å"

Loop

status.Text = status.Text & "Client: " & packet$ & vbCrLf & vbCrLf



In the status textbox's 'Change' event, put this:



status.SelStart = Len(status.Text) 'Auto Scrolls

If Len(status.Text) >= 32000 Then status.Text = Right$(status.Text, Len(status.Text) / 2) 'Keeps the length from getting too large



Make sure your status.Text is set MultiLine to True and has scrollbars. If you did it correctly, you should now have a working AOL client that has a status box and can send IMs. Welcome to Winsock AOL.







8) Common Sense



Ok, most of you have probably stopped reading by now. But I need to make a point.



The only reason that the information above is not already widely available is because of the fear of abuse. Putting this information in immature hands is dangerous. Some people believe that if it gets out, the walls of the America Online service will come crashing down as things like faster mail bombers, spammers, IM bombers, and cloners begin to immerge. It may very well be impossible to enter a chat room without being so lagged by scrolling, IMs, and emails that you cannot even stay connected. I don't personally believe that though. Due to the complexity of these packets, it is far harder to use even copied source of this than to use copied source of the infamous "AOL Progs" that eventually died out. If you are learning from this document, I implore you to use common sense in your use of this information.



This document would not be possible if it weren't from the help I received from my friends.

Thanks to phrea, nec, jay, ceramic, and anyone else who I forgot.



Thank you for listening,

Gods Misfit

binary0100@yahoo.com

http://aol.necrocosm.com