AIM 6.8

Login information

I'm not sure what version it started at, but AIM 6.8 uses SSL for all of the main connections - buddy list, IMs, chats (I haven't looked at direct connections or file sharing).

This version still does not hash passwords at login. It does do a little XOR routine, but if someone is able to sniff your SSL connection a XOR isn't going to stop them. For future reference, here are the numeric values of the character string it is XORed against (e.g. 65 = A, 97 = a):

118 145 197 231 208 217 149 221 158 47 234 216 107 33 194 188


There is a URL transmitted during the login sequence which uses a special encoding. It looks like Base26 at first glance, but it's actually a modified hex/XOR sequence. Let's look at an example. The encoded screen name is:

DBPAHNGAEICGPBGOGEFKGEIIEMNM

Here is how the character set is mapped to normal hex:

ABCDEFGHIJKLMNOP
0123456789ABCDEF

Here are the numeric values of the character string it is XORed against (e.g. 65 = A, 97 = a):
66 132 8 16 33 66 133 11 23 46 93 186 116 232 208 161

this results in the encoded string revealing the screenname:
stupidtest9284

The login server uses oscar wrapped in HTML/XML. It is slightly different than the earlier 6.x versions, but very similar.


Saved password information

To come. (probably similar or the same as the 6.x early versions)


Stability

This version seems to be more stable in chats than the earlier versions, but I need more testing to confirm that.


Documents