Yahoo Messenger Protocol
a.k.a
How to make your own Yahoo Messenger
In VB
For all people who have been waiting to
make their own Yahoo Messenger and could not find any material on the
YMSG protocol: well, it's time to stop looking and start making! The
basic purpose of writing this document is that people should know what's
actually happening when they use the Yahoo Messenger. There is hardly
any documentation available on the internet concerning the
YMSG protocol; this made it more difficult and at the same time more
exciting and challenging for me to reverse engineer the Yahoo Messenger
protocol.
The first step involved in any messenger
application is logging into the messenger server and then retrieving
the friends list. The Yahoo Messenger is slightly different from other
messengers: it connects to the Yahoo HTTP server (port
80) to retrieve the friends list. All conversation takes place through
the messenger server (port 5050). Let us first look at logging into the
Yahoo server to retrieve the friends list.
We connect to the Yahoo server msg.edit.yahoo.com
on port 80.
In order to get the friends list from
the server we send the following data to it:
GET /config/ncclogin?.src=bl&login=ymusertest&passwd=ympasstest&n=1 HTTP/1.0
Accept: */*
Accept: text/html
where ymusertest is the username and ympasstest
is the password. Note that both are sent as plain text in the URL of an
unencrypted HTTP request. If this data is sent using a Visual Basic application
it would look something like this:
'Begin VB code
'Build the HTTP request; the empty line (second vbCrLf) ends the headers
strlogin = "GET /config/ncclogin?.src=bl&login=ymusertest&passwd=ympasstest&n=1 HTTP/1.0" & vbCrLf
strlogin = strlogin & "Accept: */*" & vbCrLf
strlogin = strlogin & "Accept: text/html" & vbCrLf & vbCrLf
WnsckMn.SendData strlogin
'End VB code
On successfully sending the login data
we get the following response from the server
HTTP/1.0 200 OK
Date: Thu, 05 Jul 2001 08:57:11 GMT
Content-Type: text/html
Expires: Thu, 05 Jul 2001 08:57:11 GMT
Cache-Control: private
Pragma: no-cache
Set-Cookie: Y=v=1&n=25udo5k8tkvjb&l=l4dao_3k34/o&p=m2f17464130004&r=5s&lg=us&intl=us; expires=Thu, 15 Apr 2010 20:00:00 GMT; path=/; domain=.yahoo.com
Via: 1.0 hydcache (NetCache NetApp/5.0.1R2)
OK
BEGIN BUDDYLIST
Chat Friends:ambixxxx,ami_xxxx,d_cexxxx,deepxxxx,dixxxx,indian_guyxxxx,k_v_pxxxx,kaxxxxdaram,kavithaxxxx1,malaxxxx,pujaxxxx,sudxxxx,sunxxxxma,swaxxxxadhu,vkxxxx68
END BUDDYLIST
BEGIN IGNORELIST
agxxxx,loving_xxxx,shravaxxxxula,varmxxxx1
END IGNORELIST
BEGIN IDENTITIES
venkxxxxde
END IDENTITIES
Mail=1
Login= vexxxxe
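An added example, not part of the original article: a Python parser for the reply format shown above. The function name and the sample reply with made-up ids are constructed for illustration, and a blank line is assumed between the HTTP headers and the body.

```python
SECTIONS = ("BUDDYLIST", "IGNORELIST", "IDENTITIES")

def parse_login_response(raw):
    """Parse the HTTP reply shown above into groups, ignore list and identities."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    out = {"status": head.split("\n")[0], "ok": False, "fields": {},
           "BUDDYLIST": {}, "IGNORELIST": [], "IDENTITIES": []}
    section = None
    for line in body.split("\n"):
        line = line.strip()
        if not line:
            continue
        word, _, name = line.partition(" ")
        if word == "BEGIN" and name in SECTIONS:
            section = name
        elif word == "END" and name == section:
            section = None
        elif section == "BUDDYLIST":
            # "Group name:id1,id2,..." with one line per buddy group
            group, _, members = line.partition(":")
            out["BUDDYLIST"].setdefault(group, []).extend(
                m for m in members.split(",") if m)
        elif section:
            out[section].extend(n for n in line.split(",") if n)
        elif line == "OK":
            out["ok"] = True
        elif "=" in line:
            key, _, value = line.partition("=")
            out["fields"][key.strip()] = value.strip()
    if section:
        raise ValueError(f"BEGIN {section} without matching END")
    return out

# Constructed sample reply (made-up ids), following the layout of the capture above.
SAMPLE = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "OK\nBEGIN BUDDYLIST\nChat Friends:alice_test,bob_test\nWork:carol_test\n"
    "END BUDDYLIST\nBEGIN IGNORELIST\nmallory_test\nEND IGNORELIST\n"
    "BEGIN IDENTITIES\nme_test\nEND IDENTITIES\nMail=1\nLogin= me_test\n"
)

if __name__ == "__main__":
    print(parse_login_response(SAMPLE))
```

A reply cut off inside a BEGIN block raises ValueError instead of returning a partial list.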
LOGGING ON TO THE SERVER
Now we shall start using the Yahoo Messenger
protocol to log into the Yahoo Messenger and then send and receive messages.
We will connect to the Yahoo Messenger
server cs.yahoo.com on port 5050.
The first and the most difficult part
for me was to log on to this server. Unlike other Yahoo protocols like
the YCHT protocol, the YMSG protocol uses encryption to encrypt the user
password while sending it out to the messenger server. The encrypted
string looks something like this:
1$_2S43d5f$1LfmOGuxGxDpSWvd6nzGb0
For a mainly MS Windows user like me it
was a bit difficult to recognize the type of encryption used. But after
a lot of searching and breaking my head I finally realised that this
was a UNIX MD5 crypt. This scheme, a salted one-way hash of the form
$1$salt$hash, is used to store passwords on many
Unix machines. Again I searched for some sort of code in either C++ or
VB for this unix_md5_crypt. Finally I managed to make a DLL in C which
would perform this encryption. You can download the DLL along with a
.bas module made in VB from here: venky.zip.
Now let us start logging into the Yahoo
Messenger server. We send the following data to the messenger server:
YMSG C ZUªUbS`ú0À€userÀ€6À€$1$_2S43d5f$1LfmOGuxGxYCSWvd6nzGb0À€1À€userÀ€
This is the data sent when viewed through
a port monitor
0010: 00 7F B1 63 40 00 80 06 00 4C C0 A8 00 08 D8 88 ...c@....L......
0020: AF 90 04 E5 13 BA 21 09 4C 9F B5 59 53 05 50 18 ......!.L..YS.P.
0030: 44 5C 3D D1 00 00 59 4D 53 47 08 00 00 00 00 43 D\....YMSG.....C
0040: 00 01 5A 55 AA 55 6E 56 41 BB 30 C0 80 73 75 6E ..ZU.UnVA.0..sun
0050: 64 61 6D 61 6D 61 C0 80 36 C0 80 24 31 24 5F 32 xxxxxx..6..$1$_2
0060: 53 34 33 64 35 66 24 31 4C 55 68 40 47 75 78 47 S43d5f$1xxxOGuxG
0070: 78 59 43 53 57 76 64 36 6E 7A 47 62 30 C0 80 31 xYCSWvd6nzGb0..1
0080: C0 80 73 75 6E 60 61 63 61 78 63 C0 80 ..sunxxxxxx..
Let us look at what exactly is being sent:
YMSG - the Yahoo standard header for
all messenger commands/messages.
This is followed by 1 byte of data - 08.
This is followed by 4 bytes of data - 00 00 00 00.
Next is the length of the message information - essentially hex 31 + 2 * length
of the user id.
The next 2 bytes of data are 00 and 01 respectively.
The next 4 bytes are standard for all messages/commands being sent to
the messenger server. The 4 bytes are 5A 55 AA 55.
The next 4 bytes are what I call the initial 4-byte bluff identifier.
These 4 bytes identify a particular user and change every time you
log in. Initially you could send any four bytes, including 00 00 00 00,
and you would still be able to log in.
This is followed by one byte of data signifying that the data being
sent is for logging into the server. This byte has an ASCII equivalent
of "0".
This is followed by 2 bytes of data which are the standard argument separator -
C0 80.
This is followed by the Yahoo user id and the standard argument separator.
Followed by one byte which is standard for the login procedure and which
has an ASCII equivalent of "6", and the standard argument separator.
Next is the md5crypt-encrypted password followed by the standard argument
separator.
Followed by one byte which is standard for the login procedure, "1",
and the standard argument separator.
And finally this is followed again by the Yahoo user id and the standard
argument separator.
'Begin VB code
'dat1 holds the md5crypt-encrypted password
dat3 = "0" & Chr(&HC0) _
    & Chr(&H80) & "ymusertest" & Chr(&HC0) _
    & Chr(&H80) & "6" & Chr(&HC0) & Chr(&H80) _
    & dat1 & Chr(&HC0) & Chr(&H80) & "1" _
    & Chr(&HC0) & Chr(&H80) & "ymusertest" _
    & Chr(&HC0) & Chr(&H80)
'Header, length byte, 00 01, 5A 55 AA 55, 4 identifier bytes, then the arguments
dat2 = "YMSG" & Chr(8) & Chr(0) & Chr(0) & _
    Chr(0) & Chr(0) & Chr(Len(dat3)) & Chr(0) & Chr(1) & _
    Chr(&H5A) & Chr(&H55) & Chr(&HAA) & Chr(&H55) _
    & Chr(&H62) & Chr(&H53) & Chr(&H60) & Chr(&HFA) _
    & dat3
Wnsckyhoo.SendData dat2
'End VB code
The response of the server looks like this:
YMSG jLS˜0À€sundaxxxxÀ€1À€sundaxxxxÀ€
This is the data received when viewed
through a port monitor
0010: 00 59 A2 FA 40 00 2D 06 61 DB D8 88 AF 90 C0 A8 .Y..@.-.a.......
0020: 00 08 13 BA 04 E5 B5 59 53 05 21 09 4C F6 50 18 .......YS.!.L.P.
0030: 83 2C 62 F1 00 00 59 4D 53 47 00 00 00 00 00 1D .,b...YMSG......
0040: 00 01 00 00 00 00 79 52 7E 23 30 C0 80 73 75 6E ......jLS˜0..sun
0050: 64 61 6D 65 62 61 C0 80 31 C0 80 73 75 6E 64 61 daxxxx..1..sunda
0060: 62 65 6D 61 C0 80 00 xxxx...
The most important part of this response is the 4-byte identifier which
the server sends us - "jLS˜". All further communication
with the server will involve using this 4-byte identifier. This is also
a user identifier for the current messenger session.
SENDING A MESSAGE
Here is a typical example of a message
being sent
YMSG ? ZUªUjLS˜1À€sundaxxxxÀ€5À€venkyxxxxxÀ€14À€hi there
This is the data sent when viewed through
a port monitor
0010: 00 67 42 01 40 00 80 06 62 33 C0 A8 00 08 CC 47 .gB.@...b3.....G
0020: C9 64 0C D7 13 BA A4 2F 4A C7 2F 18 A2 3A 50 18 .d...../J./..:P.
0030: 43 EA 76 11 00 00 59 4D 53 47 08 00 00 00 00 2B C.v...YMSG.....+
0040: 00 06 5A 55 AA 55 6A 4C 53 23 31 C0 80 73 75 6E ..ZU.UjLS˜1..sun
0050: 64 61 60 69 6D 61 C0 80 35 C0 80 76 65 6E 6B 79 daxxxx..5..venky
0060: 50 64 78 64 65 C0 80 31 34 C0 80 68 69 20 74 68 xxxxx..14..hi th
0070: 65 72 65 C0 80 ere..
Let us look at what is being sent:
YMSG - the Yahoo standard header for all messenger commands/messages.
This is followed by 1 byte of data - 08.
This is followed by 4 bytes of data - 00 00 00 00.
The next byte is the length of the message information, in this case HEX(16
+ length(senderid) + length(receiverid) + len(message)).
The next 2 bytes of data are 00 and 06 respectively.
The next 4 bytes are standard for all messages/commands being sent to
the messenger server. The 4 bytes are 5A 55 AA 55.
The next 4 bytes are the user identifier for the current session.
This is followed by one byte of data signifying that the data is a Private
Message (PM) being sent to a user. This byte has an ASCII equivalent of
"1".
This is followed by 2 bytes of data which are the standard argument separator -
C0 80.
This is followed by the Yahoo user id and the standard argument separator.
Followed by one byte which is standard when sending a message and which
has an ASCII equivalent of "5", and the standard argument separator.
This is followed by the id of the user to whom the message is being
sent and the standard argument separator.
Followed again by a marker which is standard when sending a message,
the ASCII characters "14", and the standard argument
separator.
And finally followed by the message being sent, followed by the standard
argument separator.
The VB code to achieve this looks somewhat like this:
'Begin VB code
'Text2 = sender id, Text1 = receiver id, rtb2 = message text,
'Text3 = the 4 byte session identifier received at login
ren = "1" & Chr(&HC0) & Chr(&H80) & Text2.Text _
    & Chr(&HC0) & Chr(&H80) & "5" & Chr(&HC0) _
    & Chr(&H80) & Text1.Text & Chr(&HC0) & Chr(&H80) _
    & "14" & Chr(&HC0) & Chr(&H80) & rtb2.Text _
    & Chr(&HC0) & Chr(&H80)
'Chr() only accepts 0 to 255, so Len(ren) must fit in one byte
mess = "YMSG" & Chr(8) & Chr(0) & Chr(0) & _
    Chr(0) & Chr(0) & Chr(Len(ren)) & Chr(0) & Chr(6) & _
    Chr(&H5A) & Chr(&H55) & Chr(&HAA) & Chr(&H55) _
    & Text3.Text & ren
Wnsckyhoo.SendData mess
'End VB code
RECEIVING A MESSAGE
YMSG ? jLS˜5À€sundamamaÀ€4À€venky_dudeÀ€14À€hi there
0010: 00 67 B6 8D 40 00 2E 06 3E D0 CC 47 CA 3B C0 A8 .g..@...>..G.;..
0020: 00 08 13 BA 08 DD C5 7E 1E 48 2E F3 76 6F 50 18 .........H..voP.
0030: FF FF E6 F8 00 00 59 4D 53 47 00 00 00 00 00 2B ......YMSG.....+
0040: 00 06 00 00 00 01 6A 4C 53 23 35 C0 80 76 65 6E ......jLS˜5..ven
0050: 6B 79 5F 64 75 64 65 C0 80 34 C0 80 73 75 6E 64 ky_dude..4..sund
0060: 61 6D 61 6D 61 C0 80 31 34 C0 80 68 69 20 74 68 amama..14..hi th
0070: 65 72 65 C0 80 ere..
Let us look at what has been received:
YMSG - the Yahoo standard header for all messenger commands/messages.
This is followed by 5 bytes of data - 00 00 00 00 00.
The next byte is the length of the message information, in this case HEX(16
+ length(senderid) + length(receiverid) + len(message)).
The next 2 bytes of data are 00 and 06 respectively.
The next 4 bytes signify that the message/command is to be received.
The 4 bytes are 00 00 00 01.
The next 4 bytes are the user identifier for the current session.
This is followed by one byte of data signifying that the data is a Private
Message (PM) which is to be received. This byte has an ASCII equivalent
of "5".
This is followed by 2 bytes of data which are the standard argument separator -
C0 80.
This is followed by the Yahoo user id of the user who has sent the message
and the standard argument separator.
Followed by one byte which is standard when receiving a PM and which
has an ASCII equivalent of "4", and the standard argument separator.
This is followed by the user id receiving the message and the standard
argument separator.
Followed again by a marker which is standard when receiving a message,
the ASCII characters "14", and the standard argument
separator.
And finally followed by the message being sent, followed by the standard
argument separator.
USER COMES ONLINE
YMSG A jLS˜0À€venky_dudeÀ€7À€venkyxxxxÀ€10À€0À€11À€7D5798FDÀ€17À€0À€13À€1À€
0010: 00 7D 62 7A 40 00 2E 06 93 A4 CC 47 C9 64 C0 A8 .}bz@......G.d..
0020: 00 08 13 BA 0C D7 2F 18 A2 BF A4 2F 4B 06 50 18 ....../..../K.P.
0030: FF FF 8E 06 00 00 59 4D 53 47 00 00 00 00 00 41 ......YMSG.....A
0040: 00 01 00 00 00 01 6A 4C 53 98 30 C0 80 73 75 6E ......jLS˜0..sun
0050: 64 61 6D 61 6D 61 C0 80 37 C0 80 76 65 6E 6B 79 damama..7..venky
0060: 5F 64 75 64 65 C0 80 31 30 C0 80 30 C0 80 31 31 _dude..10..0..11
0070: C0 80 36 33 35 38 35 34 39 39 C0 80 31 37 C0 80 ..63585499..17..
0080: 30 C0 80 31 33 C0 80 31 C0 80 00 0..13..1...
The important part of the data received
is the 3 bytes 37 C0 80. These 3 bytes signify that the user
status has changed. Basically I split this up into 2 states:
User is online (the status may be set to
busy, be right back, etc.)
User is offline
The 3 bytes at the end of the message convey that data: if the 3 bytes
are 31 C0 80, then the user is online.
USER GOES OFFLINE
YMSG 1 jLS˜7À€venkyxxxxxÀ€10À€0À€11À€7D5798FDÀ€17À€0À€13À€0À€
0010: 00 6E 2D 52 40 00 2E 06 C8 DB CC 47 C9 64 C0 A8 .n-R@......G.d..
0020: 00 08 13 BA 0C D7 2F 18 A2 79 A4 2F 4B 06 50 18 ....../..y./K.P.
0030: FF FF B4 B1 00 00 59 4D 53 47 00 00 00 00 00 32 ......YMSG.....2
0040: 00 02 00 00 00 01 6A 4C 53 98 37 C0 80 76 65 6E ......jLS˜7..ven
0050: 6B 79 5F 64 75 64 65 C0 80 31 30 C0 80 30 C0 80 ky_dude..10..0..
0060: 31 31 C0 80 36 33 35 38 35 34 39 39 C0 80 31 37 11..63585499..17
0070: C0 80 30 C0 80 31 33 C0 80 30 C0 80 ..0..13..0..
Again in this case the last 3 bytes being
30 C0 80 signify that the user has gone offline.
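An added example, not from the original article or the VB clone: a Python parser for the frame layout walked through in the login, message and status sections above, of the kind a defender can run over captured port 5050 traffic. Reading the arguments as alternating key/value pairs is an assumption drawn from the dumps; the helper names, ids and session bytes are constructed.

```python
import struct

SEP = b"\xc0\x80"               # the page's "standard argument separator"
CLIENT = b"\x5a\x55\xaa\x55"    # 4 bytes on every frame sent to the server
SERVER = b"\x00\x00\x00\x01"    # 4 bytes on the received frames shown above
HEADER_LEN = 20                 # "YMSG" + 1 + 4 + 1 + 2 + 4 + 4 bytes

def build_ymsg(kind, marker, session, *args, trailer=b""):
    """Assemble a frame the way the VB snippets do (hypothetical helper)."""
    payload = b"".join(a.encode("latin-1") + SEP for a in args) + trailer
    first = b"\x08" if marker == CLIENT else b"\x00"
    # bytes([n]) raises ValueError above 255: the page's length field is one byte.
    return (b"YMSG" + first + b"\x00" * 4 + bytes([len(payload)])
            + struct.pack(">H", kind) + marker + session + payload)

def parse_ymsg(frame):
    """Split one frame into the header fields and arguments listed above."""
    if len(frame) < HEADER_LEN or frame[:4] != b"YMSG":
        raise ValueError("not a YMSG frame")
    _first, _zeros, length, kind, marker, session = struct.unpack(
        ">B4sBH4s4s", frame[4:HEADER_LEN])
    payload = frame[HEADER_LEN:]
    if length != len(payload):
        raise ValueError(f"length byte is {length}, payload is {len(payload)}")
    # Arguments end with SEP; the piece after the last SEP (empty or 00) is dropped.
    args = [p.decode("latin-1") for p in payload.split(SEP)[:-1]]
    return {"kind": kind, "from_client": marker == CLIENT,
            "session": session, "args": args}

def presence(frame):
    """Return (buddy, online) for a status frame, None for any other frame."""
    args = parse_ymsg(frame)["args"]
    keys = args[0::2]           # assumption: arguments alternate key, value
    if len(args) % 2 or "7" not in keys:
        return None
    return args[2 * keys.index("7") + 1], args[-1] == "1"

# Constructed sample frames: made-up ids and session bytes, not captured traffic.
SESSION = b"\x11\x22\x33\x44"
STATUS = ("10", "0", "11", "0A0B0C0D", "17", "0", "13")
PM = build_ymsg(6, CLIENT, SESSION, "1", "alice_test", "5", "bob_test",
                "14", "hi there")
ONLINE = build_ymsg(1, SERVER, SESSION, "0", "alice_test", "7", "bob_test",
                    *STATUS, "1", trailer=b"\x00")
OFFLINE = build_ymsg(2, SERVER, SESSION, "7", "bob_test", *STATUS, "0")

if __name__ == "__main__":
    for f in (PM, ONLINE, OFFLINE):
        print(parse_ymsg(f)["args"], presence(f))
```

A frame whose length byte disagrees with the bytes actually present raises ValueError, which catches truncated captures.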
Download a Yahoo Messenger clone from here: yahclone.zip
Questions/comments/suggestions: send them to venky@venkydude.com. Visit
my homepage for some cool VB & C++ code. You can also contact me on
Yahoo Messenger (id venky_dude) and MSN Messenger (id venky_dude@hotmail.com).