[MrSquid]

This took about 8 hours total to figure out.
It's still a bit dodgy but I am now officially using MSNP8 on my self-coded MSN Messenger client. :D
E-mail me if you have troubles. :)

-MrSquid (s4033714@student.uq.edu.au)

NOTE: This currently only works for @hotmail.com addresses!


Notification server will send you the data:

USR 6 TWN S lc=1033,id=507,tw=20,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1050844794,kpp=1,kv=4,ver=2.1.0173.1,tpf=1f8199062fef2d77ccc6eeef44f09cf2

Convert all commans in the last parameter of this data (from lc=1033 onwards - inclusive of lc=1033) into & symbols.

Also convert the

ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom into a real URL

. This will be of the form:

ru=http://messenger.msn.com

Then you must use an SSL client (I choose to use Java hence I used 'miniSSL' as my free SSL client) to connect to loginnet.passport.com
* edit UnderDOC: For vb.net or C# you can use the Mentalis Security Library *


Once you are connected you must send a standard HTTP request for the page:
/login.srf? with the converted data from above concatenated to the end of it.

This should be something like this (will vary each time):

GET /login.srf?lc=1033&id=507&tw=20&fs=1&ru=http://messenger.msn.com&ct=1050844794&kpp=1&kv=4&ver=2.1.0173.1&tpf=1f8199062fef2d77ccc6eeef44f09cf2 HTTP/1.0

(NOTE: the above line should end in two newlines like: \r\n\r\n)


The server will then send some crud back that is basically useless other than for
the 'Set-Cookie' commands it will send out.
(there should be two(2) of them!!!)

You must then record the values of the lines that contain the 'Set-Cookie:' command
at the beginning of the line.


Now connect once again to loginnet.passport.com and this time send the data:

GET /ppsecure/post.srf?lc=1033&id=507&tw=20&cbid=507&da=passport.com&login=example@hotmail.com&domain=hotmail.com&passwd=mypassword&sec=&mspp_shared=&padding= HTTP/1.0

Cookie: 1stCookieValue
Cookie: 2ndCookieValue

***Replace 'example@hotmail.com' with your e-mail and 'mypassword' with your password!
NOTE: the 'GET' line and the 'Cookie' lines are each ended with '\r\n' except
for the very lasy (2nd) 'Cookie' line which ends in two newlines: '\r\n\r\n'


The server will now reply with another bunch of HTTP and HTML data.
Ignore the HTTP data, it just has some cookies that are of no real use.
In the HTML data there is a section saying:

URL=http://messenger.msn.com/download/passportdone.asp?&id=10&t=blahblahblah$$&p=blahblahblah$$

You need to record the data 't=blahblahblah$$&p=blahblahblah$$'
NOTE: 'blahblahblah' will be (in all cases) a string of numbers, letters and symbols.
This is the login code that you must now send to the MSN Notification Server
that sent you the 'USR 6 TWN S blahblahblah' data before.

Now send to the MSN Notification Server the data as follows:

USR 7 TWN S t=blahblahblah$$&p=blahblahblah$$

(ending with a newline: \r\n)

This should then allow you to proceed with your MSNP8 based session on the
MSN Notification Server.

[kaos]

this should be on the front page or something

:w00t: :w00t:

[underdoc]

I havent verified if it works ok... does it kaos?

[kaos]

havnt had the time to test it yet

i want 2 get it to login using non hotmail addys, i'll post something here if i do it before someone else

[MrSquid]

Your wish is my command :P

Figured out the non-hotmail.com e-mail addresses...

First, just to clarify what a successful authentication with an @hotmail.com address I am going to paste
some example data of what it should look like below.

NOTE: e-mail address = example@hotmail.com password = mypassword

NOTE: >>> RECEIVE: <<< SEND: [do not send these, send/receive the data after this line(s)]


--->MSNP8 Notification Server Session:
<<< VER 4 MSNP8 CVR0

>>> VER 4 MSNP8 CVR0
<<< CVR 5 0x0409 winnt 5.1 i386 MSNMSGR 5.0.0540 MSMSGS imbot_ben@hotmail.com

>>> CVR 5 5.0.0540 5.0.0540 5.0.0540 http://download.micr...438/setupdl.exe http://messenger.microsoft.com
<<< USR 6 TWN I imbot_ben@hotmail.com

>>> USR 6 TWN S lc=1033,id=507,tw=20,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1050915732,kpp=1,kv=4,ver=2.1.0173.1,tpf=15a35d4460da3f1a27cb169ed78bcf26


--->SSL Connection: SSL Client Connecting To: loginnet.passport.com:443

<<< SEND:
GET /login.srf?lc=1033&id=507&tw=20&fs=1&ru=http://messenger.msn.com&ct=1050915732&kpp=1&kv=4&ver=2.1.0173.1&tpf=15a35d4460da3f1a27cb169ed78bcf26 HTTP/1.0



>>> RECEIVE:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 21 Apr 2003 09:02:23 GMT
PPServer: H: LAWPPLOGN3A041
Content-Type: text/html
Expires: Mon, 21 Apr 2003 13:02:24 GMT
Cache-Control: private
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: BrowserTest=Success?; expires=Tue, 22-Apr-2003 09:02:24 GMT;domain=.passport.com;path=/;HTTPOnly= ;version=1
Set-Cookie: MSPPost=0; domain=.passport.com;path=/;version=1
Connection: Keep-Alive
Content-Length: 1480




<html><head><script language="javascript">var submitted = false;function GetCookie(sName){var aCookie = document.cookie.split("; ");for(var i = 0; i < aCookie.length; i++){var aCrumb = aCookie.split("=");if (sName == aCrumb[0]) return unescape(aCrumb[1]);} return null;}function DoSubmit(){var CookieVal = GetCookie("MSPPost");if("1" == CookieVal){document.cookie = "MSPPost=0;;path=/;domain=.passport.com";history.go(-1);}else if (!submitted){submitted = true;document.cookie = "MSPPost=1;;path=/;domain=.passport.com";document.hiddenform.submit();}}</script></head><body><form name=hiddenform action="https://login.passport.net/uilogin.srf?id=507" method=POST target="_top"><input type=hidden name="mspprawqs" value="bGM9MTAzMyZpZD01MDcmdHc9MjAmZnM9MSZydT1odHRwOi8vbWVzc2VuZ2VyLm1zbi5jb20mY3Q9MTA1MDkxNTczMiZrcHA9MSZrdj00JnZlcj0yLjEuMDE3My4xJnRwZj0xNWEzNWQ0NDYwZGEzZjFhMjdjYjE2OWVkNzhiY2YyNg=="><BR><input type=hidden name="mspppostint" value="cHJlPSZ1aWNvZGU9MQ=="><BR><noscript><img src="https://www.passportimages.com/1033/PassportLogoTrans.gif" height="34" width="153" border="0" align="left" alt="Microsoft Passport"><br><br><br>Please click the button below to continue. This manual step is neccessary because your browser has scripting disabled<br><br><input type="submit" tabindex="1" value="Continue" id="submit1" name="submit1" class="PPRSbmtBtn"></noscript></form><script language="javascript">var timeoutID = setTimeout('DoSubmit()', 1000);</script></body></html>



--->SSL Connection: SSL Client Connecting To: loginnet.passport.com:443

<<< SEND:
GET /ppsecure/post.srf?lc=1033&id=507&tw=20&cbid=507&da=passport.com&login=example@hotmail.com&domain=hotmail.com&passwd=mypassword&sec=&mspp_shared=&padding= HTTP/1.0
Cookie: BrowserTest=Success?; expires=Tue, 22-Apr-2003 09:02:24 GMT;domain=.passport.com;path=/;HTTPOnly= ;version=1
Cookie: MSPPost=0; domain=.passport.com;path=/;version=1



>>> RECEIVE:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 21 Apr 2003 09:02:26 GMT
PPServer: H: LAWPPLOGN4A044
Content-Type: text/html
Expires: Mon, 21 Apr 2003 09:01:26 GMT
Cache-Control: no-cache
cachecontrol: no-store
Pragma: no-cache
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: MSPSec1= ; expires=Thu, 30-Oct-1980 16:00:00 GMT;domain=.passport.com;path=/;HTTPOnly= ;version=1
Set-Cookie: MSPSec=5oNKQZYwDA12fhgquzwP72dsrC3KL6N2AZ4lK5y0kKcbX5C65brGZiXdMP1ng6uRHQ; HTTPOnly; domain=.passport.com;path=/;secure=
Set-Cookie: MSPAuth=5sOU9y1QHD9yrFiXckEUl*loCpVJ72whXhBaTVkLaNfqWPX1XqNkMdYP0c!qJjZwlBfkIPCAYV1ik9d0Hvo6n57g$$; HTTPOnly; domain=.passport.com;path=/
Set-Cookie: MSPProf=5qhk4yw2PHXEy4BnDLVgWUapS6UaLKFx7mR*V5s7tUtrqX6dy2TRfqBDB2Ocks6lPKAsgbyvNbgYKigTln2FFlxsHsldK!!6!*NosOgICb4!bjLRDzxQ0UN4hSYHLwIN88WntMUJqKWbs$; HTTPOnly; domain=.passport.com;path=/
Set-Cookie: MSPVis=507;domain=.passport.com;path=/
Set-Cookie: MSPPre=example@hotmail.com; HTTPOnly; domain=.passport.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT
Set-Cookie: MSPShared= ; HTTPOnly; domain=.passport.com;path=/;Expires=Thu, 30-Oct-1980 16:00:00 GMT
Set-Cookie: MSPSoftVis=; domain=.passport.com;path=/;version=1
Connection: Keep-Alive
Content-Length: 505



<HEAD><meta HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1"><META HTTP-EQUIV="REFRESH" CONTENT="0; URL=http://messenger.msn.com/download/passportdone.asp?did=1&t=4t7Jsm!5RDBzZ2uWQAOGqpoOinrpbdva1XOn6R5LXnq2KTTrhpZyviSqsI9kpmwOx10Ot3IPDmnNE9PdibfGYkQA$$&p=4poBJFh0nCpTmLraNDJ1Pn3rX*W!fj08qFRPHJy!zR2*cnm5M!f1ITH2Oo*iUC*W70TVxnZDgPV*Gs32zzpOqWDiM3pqxHE!rovYKmsZlXjy!Cz1I89uzSN75yTDdpkOIX27VAB!S2BIahoYt8TA0IEqu9iurLYs5bS8GHebwl5ys$"><script>function OnBack(){}</script></HEAD>


--->Continue MSNP8 Notification Server Session:
<<< USR 7 TWN S t=4t7Jsm!5RDBzZ2uWQAOGqpoOinrpbdva1XOn6R5LXnq2KTTrhpZyviSqsI9kpmwOx10Ot3IPDmnNE9PdibfGYkQA$$&p=4poBJFh0nCpTmLraNDJ1Pn3rX*W!fj08qFRPHJy!zR2*cnm5M!f1ITH2Oo*iUC*W70TVxnZDgPV*Gs32zzpOqWDiM3pqxHE!rovYKmsZlXjy!Cz1I89uzSN75yTDdpkOIX27VAB!S2BIahoYt8TA0IEqu9iurLYs5bS8GHebwl5ys$

>>> USR 7 OK example@hotmail.com MrSquid 1 0

--->Authentication Complete: Continue MSNP8 Session




**********************************************************
Now here is what must be changed to use non-hotmail.com addresses:
**********************************************************


***Note: the 1st SSL connection to loginnet.passport.com is always the same for all e-mail addresses!

***For blah@hotmail.com addresses (as above):
2nd SSL connection:
(e-mail = example@hotmail.com)
(password = mypassword)
Connect To: loginnet.passport.com
Use the following in the GET XXX HTTP/1.0 where:
XXX = /ppsecure/post.srf?lc=1033&id=507&tw=20&cbid=507&da=passport.com&login=example@hotmail.com&domain=hotmail.com&passwd=mypassword&sec=&mspp_shared=&padding=



***For blah@msn.com addresses:
2nd SSL connection:
(e-mail = example@msn.com)
(password = mypassword)
Connect To: msnialogin.passport.com
Use the following in the GET XXX HTTP/1.0 where:
XXX =
/ppsecure/post.srf?lc=1033&id=507&tw=20&cbid=507&da=passport.com&login=example@msn.com&domain=msn.com&passwd=mypassword&sec=&mspp_shared=&padding=



***For blah@blah.blah addresses (this encompasses ANY addresses that do NOT fit the other standard e-mail address types):
2nd SSL connection:
(e-mail = example@blah.biz)
(password = mypassword)
Connect To: login.passport.com [NOT: loginnet.passport.com]
Use the following in the GET XXX HTTP/1.0 where:
XXX =
/ppsecure/post.srf?lc=1033&id=507&tw=20&cbid=507&da=passport.com&login=example@blah.biz&domain=passport.com&passwd=mypassword&sec=&mspp_shared=&padding=



***For blah@webtv.net addresses (used for MSN TV or something??? - I live in Australia so we don't get anything fancy like that :P):
2nd SSL connection:
(e-mail = example@webtv.net)
(password = mypassword)
Connect to: login.passport.com
Use the following in the GET XXX HTTP/1.0 where:
XXX =
/ppsecure/post.srf?lc=1033&id=507&tw=20&cbid=507&da=passport.com&login=example@webtv.net&domain=webtv.net&passwd=mypassword&sec=&mspp_shared=&padding=



***NOTE: If you connect to the wrong server/send the wrong GET XXX HTTP/1.0 command (eg. you use the msnialogin.passport.com server for a blah@hotmail.com address then the server will actually send you a HTTP redirect to the correct server/URL you should be connecting to. :)
IMHO it is easier just to code it correctly from the beginning rather than rely upon the redirects. (just my opinion!)


- MrSquid (s4033714@student.uq.edu.au)

[underdoc]

Ill build a proof of concept on this tomorrow :)

[Doggie]

hmm good stuff if it works mr squid :)

[ZoRoNaX]

This method is nice yes, but as you said it doesn't work for accounts other than @hotmail.com.
I figured out the way MSN 5 does it and I'll post it here ASAP.

With this method you won't receive any junk data, and it will work for other accounts too (because it's the official way). :w00t:

ZoRoNaX

This post has been edited by ZoRoNaX: 12 May 2003 - 10:40 AM

[Daniel]

http://pscode.com/vb...=45051&lngWId=1