The verification request contains eight bytes. The first four are an offset, the second four are a length.

The offset is an offset into aim.exe when it is mapped during execution on Win32. So far, AOL has only been requesting bytes in static regions of memory.

When the client receives the request, it adds the offset to the current ds base (0x00400000) and dereferences the result, copying the data into a buffer which it then runs directly through the MD5 hasher. The 16-byte output of the hash is then sent back to the server.

If the client does not send any data back, or the data does not match the data that the specific client should have, the client will get the following message from "AOL Instant Messenger":

"You have been disconnected from the AOL Instant Message Service (SM) for accessing the AOL network using unauthorized software. You can download a FREE, fully featured, and authorized client, here"

The connection is then closed, receiving disconnect code 1, URL

 00 01   word   SNAC family
 00 1F   word   SNAC subtype
 00 00   word   SNAC flags
 xx xx xx xx   dword   SNAC request-id
 xx xx xx xx   dword   Requested data offset
 xx xx xx xx   dword   Requested data length

Example SNAC dump with flap header:
  2A 02 E5 65 00 12 00 01 00 1F 00 00 82 E8 D1 D1 *..e............
  03 FF FF FF 03 FF FF FF                         ........
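
As an added example (not part of the original documentation), the Python below parses the dump above and computes the 16-byte MD5 reply over a constructed stand-in image, refusing any range that falls outside it. Assumptions: every field is big-endian as the dump suggests, `IMAGE`, `parse_request` and `hash_region` are hypothetical names, and the bounds check is this example's own choice, not documented client behaviour.

```python
import hashlib
import struct

# Frame bytes copied from the example dump on this page (FLAP header + SNAC).
DUMP = bytes.fromhex(
    "2A 02 E5 65 00 12 00 01 00 1F 00 00 82 E8 D1 D1 "
    "03 FF FF FF 03 FF FF FF"
)

# Constructed stand-in for the mapped executable image (not real aim.exe data).
IMAGE = bytes(range(256)) * 16


def parse_request(frame):
    """Parse a FLAP frame carrying SNAC(01,1F); return (request_id, offset, length)."""
    if len(frame) < 6:
        raise ValueError("short FLAP header")
    # FLAP header: 0x2A marker, channel, sequence number, payload size.
    marker, channel, _seq, size = struct.unpack(">BBHH", frame[:6])
    if marker != 0x2A or channel != 0x02:
        raise ValueError("not a FLAP data frame")
    body = frame[6:6 + size]
    if size != 18 or len(body) != size:
        raise ValueError("unexpected payload size for SNAC(01,1F)")
    # SNAC header (family, subtype, flags, request-id) then offset and length.
    family, subtype, _flags, req_id, offset, length = struct.unpack(">HHHIII", body)
    if (family, subtype) != (0x0001, 0x001F):
        raise ValueError("not a verification request")
    return req_id, offset, length


def hash_region(image, offset, length):
    """MD5 of image[offset:offset+length], or None if the range leaves the image."""
    # Subtracting first keeps the comparison correct even for huge lengths.
    if length > len(image) or offset > len(image) - length:
        return None
    return hashlib.md5(image[offset:offset + length]).digest()


if __name__ == "__main__":
    req_id, offset, length = parse_request(DUMP)
    print(f"request-id={req_id:#010x} offset={offset:#010x} length={length:#010x}")
    digest = hash_region(IMAGE, offset, length)
    print("reply:", digest.hex() if digest else "range outside image, no hash")
```
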
