Daniel's Stuff

I write code

Category: HTTPMail

DeltaSync decompression progress

After quite some time I finally have some code that seems to decompress the message data returned from Windows Live via the DeltaSync protocol.

The code is AWFUL, but the results are looking pretty good.

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtTQ0w9MA==

X-Message-Status: n:0

X-SID-PRA: Daniel Parnell <me@danielparnell.com>

X-Message-Info: JGTYoYF78jHVrAq/T4xfKLLpTvwPwE0t6g/vyq6tyzbqln5iNnXwcSMg41wQCSulCxd5N8UB57Lq6un/ug7i0YsGX30yo+pm

Received: from randymail-a4.g.dreamhost.com ([208.97.132.207]) by bay0-mc8-f11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);

Thu, 29 Jan 2009 16:06:38 -0800

Received: from 192-168-1-101.tpgi.com.au (60-241-72-192.static.tpgi.com.au [60.241.72.192])

(using TLSv1 with cipher AES128-SHA (128/128 bits))

(No client certificate requested)

by randymail-a4.g.dreamhost.com (Postfix) with ESMTP id 97A67194DD3

for <danielparnell@live.com>; Thu, 29 Jan 2009 16:06:26 -0800 (PST)

Message-Id: <8EEE4310-25CC-47BE-8FCB-330EBCD75A21@danielparnell.com>

From: Daniel Parnell <me@danielparnell.com>

To: danielparnell@live.com

Content-Type: multipart/mixed; boundary=Apple-Mail-33--583770588

Mime-Version: 1.0 (Apple Message framework v930.3)

Subject: more test messages

Date: Fri, 30 Jan 2009 11:06:23 +1100

X-Mailer: Apple Mail (2.930.3)

Return-Path: me@danielparnell.com

X-OriginalArrivalTime: 30 Jan 2009 00:06:38.0411 (UTC) FILETIME=[9F1AB1B0:01C9826E]

--Apple-Mail-33--583770588

Content-Type: text/plain;

charset=US-ASCII;

format=flowed

Content-Transfer-Encoding: 7bit

this is another test message

--Apple-Mail-33--583770588

Content-Disposition: attachment;

filename="AGL Energy Advisor.zip"

Content-Type: application/zip;

x-unix-mode=0644;

name="AGL Energy Advisor.zip"

Content-Transfer-Encoding: base64


And so on.  Once I’ve got things cleaned up a bit more I hope to post what I’ve been able to come up with.

A little further with the decompression routine

I’ve gotten just a little bit further with the decompression code 🙂



X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtTQ0w9MA==

X-Message-Status: n:0

X-SID-PRA: Daniel Parnell <me@danielparnell.com>

X-Message-Info: JGTYoYF78jHVrAq/T4xfKLLpTvwPwE0t6g/vyq6tyzbqln5iNnXwcSMg41wQCSulCxd5N8UB57Lq6un/ug7i0YsGX30yo+pm

Received: from randymail-a4.g.dreamhost.com ([208.97.132.207]) by bay0-mc8-f11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);

Thu, 29 Jan 2009 16:06:38 -0800

Received: from 192-168-1-101.tpgi.com.au (60-241-72-192.static.tpgi.com.au [60.241.72.192])

(using TLSv1 with cipher AES128-SHA (128/128 bits))

(No client certificate requested)

by randymail-a4.g.dreamhost.com (Postfix) with ESMTP id 97A67194DD3

for <danielparnell@live.com>; Thu, 29 Jan 2009 16:06:26 -0800 (PST)

Message-Id: <8EEE4310-25CC-47BE-8FCB-330EBCD75A21@danielparnell.com>

From: Daniel Parnell <me@danielparnell.com>

To: danielparnell@live.com

Content-Type: multipart/mixed; boundary=Apple-Mail-33--583770588

Mime-Version: 1.0 (Apple Message framework v930.3)

Subject: more test messages

Date: Fri, 30 Jan 2009 11:06:23 +1100

X-Mailer: Apple Mail (2.930.3)

Return-Path: me@danielparnell.com

X-OriginalArrivalTime: 30 Jan 2009 00:06:38.0411 (UTC) FILETIME=[9F1AB1B0:01C9826E]


The headers of the email message are coming through now, and I’m starting to get the message body.

More Windows Live decompression progress

I’ve not had much time recently to work on the decompression routines as family and work need to take priority over side projects…  Last night I picked the code up again and had a bit more of a look.  I found a couple of mistakes in the code I’d written and am now getting a bit further in the decompression 🙂

The expected results as before:

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtTQ0w9MA==

X-Message-Status: n:0

X-SID-PRA: Daniel Parnell <me@danielparnell.com>

X-Message-Info: JGTYoYF78jHVrAq/T4xfKLLpTvwPwE0t6g/vyq6tyzbqln5iNnXwcSMg41wQCSulCxd5N8UB57Lq6un/ug7i0YsGX30yo+pm

Received: from randymail-a4.g.dreamhost.com ([208.97.132.207]) by bay0-mc8-f11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);

Thu, 29 Jan 2009 16:06:38 -0800

Received: from 192-168-1-101.tpgi.com.au (60-241-72-192.static.tpgi.com.au [60.241.72.192])

(using TLSv1 with cipher AES128-SHA (128/128 bits))

(No client certificate requested)

by randymail-a4.g.dreamhost.com (Postfix) with ESMTP id 97A67194DD3

for <danielparnell@live.com>; Thu, 29 Jan 2009 16:06:26 -0800 (PST)

Message-Id: <8EEE4310-25CC-47BE-8FCB-330EBCD75A21@danielparnell.com>

From: Daniel Parnell <me@danielparnell.com>

To: danielparnell@live.com

Content-Type: multipart/mixed; boundary=Apple-Mail-33--583770588

Mime-Version: 1.0 (Apple Message framework v930.3)

Subject: more test messages

Date: Fri, 30 Jan 2009 11:06:23 +1100

X-Mailer: Apple Mail (2.930.3)

Return-Path: me@danielparnell.com

X-OriginalArrivalTime: 30 Jan 2009 00:06:38.0411 (UTC) FILETIME=[9F1AB1B0:01C9826E]

What I’m getting now:

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtTQ0w9MA==

X-Message-Status: n:0

X-SID-PRA: Daniel Parnell <me@danielparnell.com>

X-Message-Info: JGTYoYF78jHVrAq/T4xfKLLpTvwPwE0t6g/vyq6tyzbqln5iNnXwcSMg41wQCSulCxd5N8UB57Lq6un/ug7i0YsGX30yo+pm

Received: from randymail-a4.g.dreamhost.com ([208.97.132.207]) by bay0-mc8-f11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);

Thu, 29 Jan 2009 16:06:38 -0800

Received: from 192-168-1-101.tpgi.com.au (60-241-72-192.static.tpgi.com.au [60.241.72.192])

(using TLSv1 with cipher AES128-SHA (128/128 bits))

(No client certificate requested)

by 


Hopefully I’ll get some more time to work on the code soon 🙂

Windows Live compression update

I had a bit of time yesterday to spend working on the Windows Live compression reverse engineering.  I successfully decompressed around 20 bytes.  The previous record was 2 bytes 😉  There are two parts to the compression.  First is the compressed data and the second is pointers back into decompressed data.  The compressed data is working quite well, but the pointers to repeated blocks that have already been decompressed are off a little, so I see some correct data and some rubbish.  Hopefully I’ll get some more time in the next couple of days to work on it some more.
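
The two-part scheme described above (literal data plus pointers back into output already produced) is the general LZ77-style design. As an added illustration, not the author's code and not the DeltaSync wire format, this Python decoder shows how a constant error in pointer distances gives partly correct output, along with the bounds checks such a decoder needs. The `lit`/`ref` token tuples, `distance_bias`, `max_output` and the sample data are all assumptions made for the example.

```python
# Illustrative LZ77-style decoder. The token format is constructed for this
# example; it is NOT the DeltaSync wire format.

def decode(tokens, distance_bias=0, max_output=1 << 20):
    """Expand ("lit", bytes) and ("ref", distance, length) tokens.

    distance counts back from the end of the output produced so far.
    distance_bias (hypothetical knob) misreads every pointer by a constant,
    reproducing a decoder whose pointers are "off a little".
    """
    out = bytearray()
    for tok in tokens:
        if tok[0] == "lit":
            out += tok[1]
        elif tok[0] == "ref":
            distance, length = tok[1] + distance_bias, tok[2]
            # A pointer must land inside bytes that already exist; without
            # this check a native decoder reads outside its window.
            if not 0 < distance <= len(out):
                raise ValueError(f"distance {distance} outside {len(out)}-byte window")
            if length <= 0 or len(out) + length > max_output:
                raise ValueError(f"bad copy length {length}")
            start = len(out) - distance
            # Byte-wise copy: if length > distance the source overlaps the
            # bytes being written, which is how short runs get repeated.
            for i in range(length):
                out.append(out[start + i])
        else:
            raise ValueError(f"unknown token {tok[0]!r}")
        if len(out) > max_output:
            raise ValueError("output limit exceeded")
    return bytes(out)

# Constructed sample: two header lines sharing the prefix "X-Message-".
SAMPLE = [
    ("lit", b"X-Message-Delivery: 1\n"),   # 22 bytes of literal data
    ("ref", 22, 10),                        # copy "X-Message-" from the start
    ("lit", b"Status: n:0\n"),
]

if __name__ == "__main__":
    print(decode(SAMPLE))                    # correct pointers
    print(decode(SAMPLE, distance_bias=-1))  # every pointer one byte short
    print(decode([("lit", b"ab"), ("ref", 2, 6)]))  # overlapping copy
```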

OS X 10.5.6

As many people are aware, Apple released Mac OS X 10.5.6 yesterday.  Unfortunately this broke the HttpMail plugin 🙁  After a little bit of poking around I found and fixed the problem.  The result is a new release of the plugin, 1.53.

Head on over to my downloads site at http://www.automagic-software.com/

Now, for a status report on Windows Live Mail reverse engineering.  I am still making progress.  I’m not getting as much time to work on it as I would like these days due to having two small children 😉  If anybody wants to donate a copy of the Hex-Rays decompiler then I imagine things would progress much faster 😉

Windows Live Mail

Just a quick note to let everybody know that I’m making good progress reverse engineering the Windows Live Mail protocol.  With the help of a couple of other people I’ve managed to determine the nature of the compression used on the message data.  We’ve successfully managed to build the decompression table and I’m now working through the routine to do the actual decompression.  IDA Pro is an amazing piece of software and I highly recommend it if you ever need to do any reverse engineering of compiled programs.