This is G o o g l e's cache of http://172.192.128.78/markus/Voice%20PacKets.txt. G o o g l e's cache is
the snapshot that we took of the page as we crawled the web. The
page may have changed since that time. Click here for the current page without highlighting. To link
to or bookmark this page, use the following url:
http://www.google.com/search?q=cache:nK7L-dp_WLMJ:172.192.128.78/markus/Voice%2520PacKets.txt++%22ycht+protocol%22&hl=en&ie=UTF-8
Google is not affiliated with the authors
of this page nor responsible for its
content. |
These
search terms have been highlighted: |
ycht |
protocol | | |
This Explanation leaves alot out but thats on purpose. Theres more than enough for you to have a chance to get it working on your own .
Thank You Cordata51 for showing me the sig= encryption procedure
Thank You Josh Shivers for the help way back with the rest (even though your a big fat liar sometimes!)
Ok For the 2 Packets below the server is vc.yahoo.com , port 5001.
This is the first you send to initiate the voice login.
The Username : tit_fuck
The Room :ChatterBox:3
RMSPACE: 21748078 ( the chat rooms room space # given to you when you loginto the chatroom thru YMSG or YCHT protocol)
VCAUTH: Hhlo.ARs02flONm1VE9KZYcmLb.jTju40- ( voice authorization encrpyt code assigned to you when you loginto the room thru YMSG or YCHT protocol
there's also 2 len chrs in there and notice before the "d" chr it its chr(1)
you send:
Packet #1
0x0000 00 9F 00 00 81 C9 00 30-00 00 00 00 00 00 00 00 ....0........
0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0030 00 00 00 00 80 CC 00 6B-00 00 00 00 43 41 21 59 .....k....CA!Y
0x0040 00 01 00 00 00 00 00 01-64 02 00 02 65 02 00 05 ........d...e...
0x0050 02 08 74 69 74 5F 66 75-63 6B 03 19 63 68 2F 43 ..tit_fuck..ch/C
0x0060 68 61 74 74 65 72 42 6F-78 3A 33 3A 3A 32 31 37 hatterBox:3::217
0x0070 34 38 30 37 38 07 22 48-68 6C 6F 2E 41 52 73 30 48078."Hhlo.ARs0
0x0080 32 66 6C 4F 4E 6D 31 56-45 39 4B 5A 59 63 6D 4C 2flONm1VE9KZYcmL
0x0090 62 2E 6A 54 6A 75 34 30-2D 06 00 05 02 00 19 b.jTju40-......
Yahoo Returns:
Packet #2
0x0000 00 80 00 00 81 C8 00 44-00 00 00 00 00 00 00 00 ....D........
0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0040 00 00 00 00 00 00 00 00-80 CC 00 38 00 00 00 00 .........8....
0x0050 43 41 21 59 00 0A 00 00-00 00 00 00 08 04 42 DA CA!Y..........B
0x0060 46 28 03 19 63 68 2F 43-68 61 74 74 65 72 42 6F F(..ch/ChatterBo
0x0070 78 3A 33 3A 3A 32 31 37-34 38 30 37 38 35 34 39 x:3::21748078549
Whats important in this return packet? the 4 chrs "BF(" , they are the hex representation of the ip you will use for the next packets for voicelogin into ChatterBox:3 (in this case its 66.218.70.40 which is v9.vc.scd.yahoo.com))
Ok close that socket and open up a new one....port 5001, server is 66.218.70.40
Yea this 1st packet look alomst exactly the same, or is it?
YOU SEND:
Packet #1
0x0000 00 9F 00 00 81 C9 00 30-00 00 00 00 00 00 00 00 ....0........
0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0030 00 00 00 00 80 CC 00 6B-00 00 00 00 43 41 21 59 .....k....CA!Y
0x0040 00 01 00 00 00 00 00 01-64 02 00 02 65 02 00 05 ........d...e...
0x0050 02 08 74 69 74 5F 66 75-63 6B 03 19 63 68 2F 43 ..tit_fuck..ch/C
0x0060 68 61 74 74 65 72 42 6F-78 3A 33 3A 3A 32 31 37 hatterBox:3::217
0x0070 34 38 30 37 38 07 22 48-68 6C 6F 2E 41 52 73 30 48078."Hhlo.ARs0
0x0080 32 66 6C 4F 4E 6D 31 56-45 39 4B 5A 59 63 6D 4C 2flONm1VE9KZYcmL
0x0090 62 2E 6A 54 6A 75 34 30-2D 06 00 05 02 00 19 b.jTju40-......
This next packet is full of necessary goodies you need to complete this voice login, and alot of it is different every time you login voice.
The 4 chrs before the "CA!Y" are your VoiceID or as I call it , VID. (0A B7 61 29)
this serves the same purpose in voice as the YMSGKEY or SessionID does in the YMSG protocol except its your identity string in voice instead of chat.
Near the end of the packet , you'll find , 44 04 thru 47 04.... 04 is a len.
and one of these 4 chr long hex strings (and theres 4 of them) tells you the offset into Yacscom.dll and another tells you the length of Yacscom.dll to read and MD5hash encrypt you'll need to do that for the SIG= key later in the login.
YAHOO RETURNS:
Packet #2
0x0000 01 50 00 00 81 C8 00 44-00 00 00 00 00 00 00 00 .P...D........
0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0040 00 00 00 00 00 00 00 00-80 CC 01 08 0A B7 61 29 ...........a)
0x0050 43 41 21 59 00 04 00 00-00 00 00 01 08 04 42 DA CA!Y..........B
0x0060 46 28 1E 04 00 00 00 22-1F 04 00 00 1F 40 20 04 F(.....".....@ .
0x0070 00 00 00 01 21 04 00 00-00 20 22 04 00 00 21 58 ....!.... "...!X
0x0080 20 04 00 00 00 01 23 04-00 00 1F 40 24 04 00 00 .....#....@$...
0x0090 00 10 25 04 00 00 FD E8-28 04 FF FF D8 F0 29 04 ..%...(.).
0x00A0 FF FF F4 48 2A 04 00 00-27 10 2B 04 00 0F 42 40 H*...'.+...B@
0x00B0 2C 04 00 09 27 C0 2D 04-00 03 D0 90 2E 04 00 0B ,...'-...А....
0x00C0 71 B0 2F 04 00 00 75 30-30 04 00 00 27 10 31 04 q/...u00...'.1.
0x00D0 FF FF 8A D0 32 04 FF FF-F4 48 33 04 00 00 09 C4 2.H3....
0x00E0 42 04 00 00 01 F4 3B 04-00 00 23 28 34 04 00 0F B....;...#(4...
0x00F0 42 40 35 04 01 31 2D 00-36 04 00 03 D0 90 37 04 B@5..1-.6...А7.
0x0100 FF FF F4 48 38 04 FF FF-FE 0C 39 04 00 00 00 00 H8..9.....
0x0110 3A 04 FF FF FE 70 3C 02-00 02 3D 02 00 01 3E 04 :.p<...=...>.
0x0120 00 00 00 FA 3F 04 00 00-4E 20 40 02 03 E8 41 02 ...?...N @..A.
0x0130 D1 20 43 02 13 88 44 04-00 01 25 10 45 04 00 00 C..D...%.E...
0x0140 10 00 46 04 00 01 FC C1-47 04 00 00 7B 6C 39 32 ..F...G...{l92
Hey this next packet tells ya your ready to send the next packet I call The "EXE" PAcket. This Packet below is actually caused by you sending on port 5000 in UDP proto this packet, 80 A2 00 01 00 00-00 00 0A B7 61 29 which is .......a) , right after you receive the above packet, " 80 A2 00 01 00 00-00 00 0A B7 61 29 .......a)" notice the VoiceID.
(sniff the port 5000 udp packets on a voice login to see how thats done , all ya need is the voiceID key. I'm Not going to include that here, its not hard.)
Yahoo Returns:
Packet #3
0x0000 00 64 00 00 81 C8 00 44-00 00 00 00 00 00 00 00 .d...D........
0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0040 00 00 00 00 00 00 00 00-80 CC 00 1C 00 00 00 00 ..............
0x0050 43 41 21 59 00 07 00 00-00 00 00 00 0B 06 73 65 CA!Y..........se
0x0060 72 76 65 72 rver
next below notice where the voiceID is (0A B7 61 29)
the chr before exe= is a len chr.
the second chr of the packet , F8, is the len of the entire packet
sig=edef8c144f61f861765d29b0 .. this fucker is a bitch and it has to be right for you to get voice data first 8... edef8c14 the md5hash of the section of yacscom.dll the earlier packet told you to read and encrypt
the last 16 ya really can just copy from Ymessenger's login sig and you be ok but if u need to knw the middle 8 are a md5 hash of ypager piece dictated by the earlier packet as well
if you get the first 8 wrong you'll still get in but you'll get no actual compressed audio data and will not have the ability to send audio data either.
the rest of the crap in the packet , like the username ya need, ok, but the rest u canb just copy from your ymessengers voice login packet (get a sniffer once again)
YOU SEND:
Packet #4
0x0000 00 F8 00 00 81 C9 00 30-0A B7 61 29 00 00 00 00 ....0.a)....
0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0030 00 00 00 00 80 CC 00 C4-00 00 00 00 43 41 21 59 .........CA!Y
0x0040 00 07 00 00 00 00 00 00-0B AE 65 78 65 3D 59 50 .........exe=YP
0x0050 61 67 65 72 26 73 69 67-3D 65 64 65 66 38 63 31 ager&sig=edef8c1
0x0060 34 34 66 36 31 66 38 36-31 37 36 35 64 32 39 62 44f61f861765d29b
0x0070 30 26 61 70 70 3D 6D 63-28 35 2C 20 35 2C 20 30 0&app=mc(5, 5, 0
0x0080 2C 20 31 32 34 36 29 26-75 3D 74 69 74 5F 66 75 , 1246)&u=tit_fu
0x0090 63 6B 26 69 61 3D 75 73-26 6C 69 62 3D 79 61 63 ck&ia=us&lib=yac
0x00A0 73 63 6F 6D 28 34 33 29-26 69 6E 3D 34 2C 31 2C scom(43)&in=4,1,
0x00B0 31 30 34 2C 35 2E 31 30-2C 4C 6F 67 69 74 65 63 104,5.10,Logitec
0x00C0 68 20 4D 69 63 72 6F 70-68 6F 6E 65 20 28 57 65 h Microphone (We
0x00D0 62 29 26 6F 75 74 3D 33-2C 31 2C 31 30 34 2C 35 b)&out=3,1,104,5
0x00E0 2E 31 30 2C 53 42 20 4C-69 76 65 21 20 57 61 76 .10,SB Live! Wav
0x00F0 65 20 44 65 76 69 63 65- e Device
the packet below is the return of the roomlist.
Here it is your in! the roomlist of voice users in ChatterBox:3 and also their VoiceId's for example, .Y..gary_baker91 which is in the hex , (0A AF C0 59 01 0C 67 61 72 79 5F 62-61 6B 65 72 39 31)
01 0C are the delimiter(separator) between voiceid and username 0C is the username length
0A AF C0 59 is the voiceID for this guy ...it shows up in the port 5000 udp audio data (when he keys up) your now receiving on the UDP port u connected earlier in this process. Thats how you identify whos talking the voiceID in the udp data. example of the udp data...
".3.. ... <-this is the beginning of a audio packet on port 5000
. is the voiceID. Its that asshole, llvllegz talking again!
Yahoo Returns:
Packet #5
0x0000 01 F0 00 00 81 C8 00 44-00 00 00 00 00 00 00 00 ....D........
0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0040 00 00 00 00 00 00 00 00-95 CA 01 A8 0A AF C0 59 ..........Y
0x0050 01 0C 67 61 72 79 5F 62-61 6B 65 72 39 31 00 00 ..gary_baker91..
0x0060 0A B6 DE C9 01 08 6C 6C-76 6C 6C 65 67 7A 00 00 ...llvllegz..
0x0070 0A B4 0A 99 01 09 6B 65-69 74 68 36 34 30 32 00 ....keith6402.
0x0080 0A B6 28 E9 01 0D 6A 75-73 74 34 75 5F 38 34 32 .(..just4u_842
0x0090 30 30 30 00 0A B6 00 D9-01 08 4B 61 59 4C 61 20 000.....KaYLa
0x00A0 32 35 00 00 8A B6 00 D9-01 08 6B 61 79 6C 61 20 25.....kayla
0x00B0 32 35 00 00 0A B4 3D 29-01 16 6F 30 6F 5F 6A 6F 25...=)..o0o_jo
0x00C0 68 6E 73 5F 70 72 69 6E-63 65 73 73 5F 6F 30 6F hns_princess_o0o
0x00D0 00 00 00 00 0A B6 1C 49-01 0A 56 49 52 55 53 2D ......I..VIRUS-
0x00E0 4B 49 4E 47 00 00 00 00-8A B6 1C 49 01 0A 76 69 KING.....I..vi
0x00F0 72 75 73 2D 6B 69 6E 67-00 00 00 00 0A AF BC 39 rus-king.....9
0x0100 01 0C 76 69 76 65 6B 5F-67 61 72 67 31 33 00 00 ..vivek_garg13..
0x0110 0A B1 00 79 01 09 44 65-20 4D 61 73 74 65 72 00 ..y..De Master.
0x0120 8A B1 00 79 01 09 64 65-20 6D 61 73 74 65 72 00 .y..de master.
0x0130 0A B7 42 49 01 0A 73 70-6F 72 74 73 31 32 32 34 .BI..sports1224
0x0140 00 00 00 00 0A B5 19 D9-01 10 72 79 61 6E 5F 73 ........ryan_s
0x0150 74 72 61 74 68 66 69 65-6C 64 00 00 0A B5 7F 79 trathfield...y
0x0160 01 0D 6F 7A 7A 79 73 5F-70 72 6F 70 68 65 74 00 ..ozzys_prophet.
0x0170 0A B7 42 F9 01 06 5F 5F-48 49 47 48 00 00 00 00 .B..__HIGH....
0x0180 8A B7 42 F9 01 06 5F 5F-68 69 67 68 00 00 00 00 B..__high....
0x0190 0A B7 5B D9 01 1C 67 5F-69 5F 6F 5F 72 5F 67 5F .[..g_i_o_r_g_
0x01A0 6F 5F 73 5F 6D 6F 72 6F-5F 6D 5F 6F 5F 75 5F 63 o_s_moro_m_o_u_c
0x01B0 6F 6D 00 00 0A B7 24 39-01 08 72 65 68 6E 5F 6D om...$9..rehn_m
0x01C0 33 34 00 00 0A B7 41 59-01 13 74 68 65 5F 63 68 34...AY..the_ch
0x01D0 6F 73 65 6E 5F 6F 6E 65-5F 31 30 34 33 00 00 00 osen_one_1043...
0x01E0 0A B7 61 29 01 08 74 69-74 5F 66 75 63 6B 00 00 .a)..tit_fuck..
The End.
~MArKus~