Table of Contents
Mirabilis was founded in July 1996 by four young Israeli avid-computer users who established a new Internet company. Yair Goldfinger, Arik Vardi, Sefi Vigiser, and Amnon Amir, created the company in order to introduce a new communication tool for the Internet. They found that the Internet provides a connection to all its users, but an interconnection among those users is still missing. They developed the missing technology to allow Internet users to find and locate each other more easily, and provide them with a simple and easy to use tool to create peer-to-peer communication channels. They were the pioneers in this new industry.
In June 1998, America Online acquired all Mirabilis’ assets and ICQ Inc., the successor of Mirabilis Ltd., was created. The ICQ program and its use has been free of charge from the very beginning and still is free.
A more detailed introduction to “What is ICQ?” can be found at the Mirabilis web site: http://www.mirabilis.com/products/whatisicq.html It explains the currently latest version ICQ99b, whereas my graphics and descriptions are based on the earlier version ICQ98a.
The list of ICQ Features (Fig. 3.3) appears when a person’s name from the contact list is clicked on. By double-clicking a user, the default action (send a message) is chosen. All messages sent to every person are stored individually and can be reviewed using the View Messages History. The Info shows you information about that person which they chose to make public. Other features include sending a file or URL, and requesting a chat session.
To search for a new user choose Add/Find Users from the ICQ menu (Fig. 3.5). The ICQ menu also allows users to set and change their ICQ preferences, and if more than one ICQ user use the same computer they can switch the current ICQ user with Add/Change Current User.
3.3 File Transfer
First of all, the ICQ Protocol is proprietary by its developer Mirabilis, or now ICQ Inc. Any information that is publicly available on the ICQ Protocol has been reverse-engineered by a random group of people on the Internet with lose collaboration and common interest. Thus, none of the information found or provided in this document is guaranteed to be correct or accurate. However, I am sure the people trying to figure out the ICQ Protocol gave their best effort in doing so and I would like to thank them for their efforts and for making their work public.
Fig. 4.2 shows a sample screen shot from SocketSpy (demo version) while the ICQ client was disconnected from the ICQ server. The SocketSpy demo version has some restrictions, one being the limitation of the packet dump to 20 bytes.
Now we try to decode (or “decrypt”) the packet dump using the scheme for ICQ version V5 (See Fig. 4.3) as it is described in the V5-Encryption page. The first two bytes specify the version number (), thus we are using the V5 scheme. After 4 zero-bytes, the next four bytes are for the UIN number of the user’s ICQ client. When switching the byte order (due to little endian/big endian) and converting the Hex-number ( = 56789020 dec.) it turns out that the UIN is really the one of my ICQ client (56789020). However, I was not able to verify the command () for disconnecting from ICQ.
Naturally, to figure out the protocol specifications from spying on the packets send through the WinSocket is not trivial and requires much work and effort. Magnus Ihse, who started researching the ICQ protocol V2 early on and published one of the first documents about the ICQ Protocol, formed a mailing list called ICQ-devel due to the huge amount of responses and questions he received. Through constant effort over the years, the participants of the ICQ-devel list reverse-engineered mostly all of the ICQ protocol versions and implemented ICQ Clients on different platforms and in different programming languages.
4.2.1 Protocol V1
4.2.2 Protocol V2
The UDP packet sent from the client to the server has the following general layout:
More detailed information about the version 2 can be found here. (Original source: http://www.algonet.se/~henisak/icq/icq091.txt )
Version 3 header is as follows:
4.2.4 Protocol V4
The V4 Protocol is explained in more detail here. Encryption of V3/V4 is explained here.
An example of a V5 header is shown in Fig. 4.3. Version 5 is used in the newest release of ICQ 99b.
4.3 Client-Server Communication
The information provided from any ICQ user during registration is also stored on the ICQ-Server. If someone requests the public information about a certain user, a request command in a UDP packet is sent to the server which then sends back the information about the inquired ICQ user. All UDP packets must be acknowledged, otherwise retransmission will occur after 10 seconds.
4.5 Security Aspects of the Protocol
The ICQ Protocol is not very well designed or engineered, but it has undergone some major improvements over time.
Bibliography / Web Resources
 Ihse, Magnus; The ICQ Protocol Site; <http://www.student.nada.kth.se/~d95-mih/icq/>
 Meistern; Meistern’s ICQ Hacking Page; <http://www.globalserve.net/~jphowe/icq/>
 Cox, Alan; ICQ so-called protocol; <http://www.insecure.org/sploits/icq.spoof.overflow.seq.html>
 WinTECH Software; SocktSpy… Application Description; <http://www.win-tech.com/html/socktspy.htm>
Copyright © 1999 by Tom Ueltschi