MSN mobile clients for Android
Trying to get information on mobile clients in order to modify one, if possible.
APK files can be decrypted using http://www.javadecompilers.com/apk
Regarding Android, we have 4 clients: (The best candidate for a revival being com.play.wlm
because it may be possible to code a xmpp server on top of Escargot.)
cn.msn.messenger
Uses something named MCCP. It seems to be working like MSNP but commands and arguments are different. REG, RAT, RAP, ...
public static String DP_IP = "http://221.130.179.150:9940";
public static final String DP_URL = "http://mobdp.msn.cn:9940";
public static final String DP_URL2 = "http://apollo.msn.com.cn:9940";
Login request (port 9940):
POST / HTTP/1.1
Content-Type: application/octet-stream
Content-Length: 64
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; XT1052 Build/KOT49H)
Host: mobdp.msn.cn:9940
Connection: Keep-Alive
Accept-Encoding: gzip
RQGW 0 email@msn.com 3.1 PICA 2001 7.1.0.12 TCP
RP 0
All valid commands are visible in cn\msn\messenger\network\Protocol.java
.
com.pica.msn
Uses a proxy XMPP.
public static String REGISTER_SERVER = "reg1.msn.pica.com:8082";
public static String dispServer = "disp1.msn.pica.com";
public static String dispServerPort = "22246";
Login call to the dispatch server (port 22246):
POST /dispatch.xml HTTP/1.1
Content-Type: text/xml
User-Agent: UNTRUSTED/1.0
Content-Length: 96
Host: mobilemsndp.msn.cn:22246
Connection: Keep-Alive
Accept-Encoding: gzip
imid=email@msn.com&version=6.800.1018.en&type=s&source=msn&oem=sina&imsi=208015438493420
All the code for the possible responses is in com\pica\msn\Parser.java
.
com.play.wlm
Uses XMPP official Messenger server.
static final String WLM_SERVICE = "messenger.live.com";
public static final int XMPP_PORT = 5222;
miyowa.android.microsoft.wlm
Uses a proprietary protocol made by Miyowa.
These 2 apps seems to have the same internals (at least for their last versions)... They connect to http://api.prod.capptain.com/xmpp-disco?deviceid=fd5b91106755dad0e8084fcfc52e9234&packageName=(com.play.wlm|miyowa.android.microsoft.wlm)&hashedSignature=ba03a5568574d966a1caafcba5a90445ccd05101
and expect a JSON response:
{"domain":"messenger.hotmail.com","hostname":"messenger.hotmail.com","port":"5222","serviceDomain":"messenger.hotmail.com","appid":"1"}
Then, they both connect to the XMPP server set in the JSON.
im.mercury.android
Uses the MSNP server or the HTTP gateway. Once decompiled, strings are obfuscated by a tx.aqt
function which uses PbeWithMd5AndDes encryption (password "Code", iterations 10, salt "\xa9\x9b\xc8\x32\x56\x35\xe3\x03").
Exemple: "messenger.hotmail.com" => tx.aqt("WAHQSaDkj8ZAR1R/bfuZ/yTmrJAIVoXL")
Note: the length of encrypted messenger.hotmail.com
is the same as length of m1.escargot.log1p.xyz
(cPlC/mQldzxZ0xkMDWBIK8yGm5Ceir6s
) so substitution may be possible. Encrypted strings are visible without decompilation in classes.dex
. Question: can we hex edit this file and still be able to install the APK?