aimpass - AOL IM 4.x Password Decoder

NOTE: This doesn't work with AIM 5.0 - sorry

And: I do not "GET PASSWORDS" for anybody. Don't even ask.

The AOL Instant Messenger program (under Windows, at least) can save the user passwords to obviate the need for the user typing that password every time. It's saved in the registry in an obscured form, and we have decoded the obscuring algorithm and embodied it in perl code.

Quick Links

Encoded Password Locations
Password Obscuring Algorithmn
Command Line Usage
Download
Bugs & TODO List
Revision History

Encoded Password Locations

AOL Instant Messenger saves user passwords in a trivially obscured form, but the location for that save depends on the platform.

Under Win32, it's in the registry. Under the key:

HKEY_CURRENT_USER\
        Software\
        America Online\
        AOL Instant Messenger (TM)\
        CurrentVersion\
        Users\

is a subkey for the user name (say, billgates), and under that is a string value Login\Password.

The Linux client stores the encoded password under each user's home directory in a file ~unixuser/.aim/aimusername/profile, and in this file is a line password=encodedpassword.

Both use the same algorithm save for the Windows practice of prepending two 0xFF hex bytes to the string: they don't seem to participate in the encoding.

Password Decoding Algorithm

The password found in the registry (see the next section) is mostly ASCII, but there seem to always be to 0xFF hex bytes at the start: they don't seem to actually participate in the decoding and serve only as a placeholder. The rest of the characters are always in the 16-character alphabet ABCDEFGHIJKLMNOP. The first step is always to translate these into the "usual" hex characters, so

ABCDEFGHIJKLMNOP - encoding alphabet
0123456789ABCDEF - represents...

Now we're left with pairs of hex bytes that represent individual characters in the user's password, and it's an error if the input string contains anything other than the encoding alphabet A..P.

Next, each byte is XOR'd with a fixed pattern to yield the "true" output character, and the 16-byte hash sequence is:

0x42, 0x84, 0x08, 0x10, 0x21, 0x42, 0x85, 0x0B,
0x17, 0x2E, 0x5D, 0xBA, 0x74, 0xE8, 0xD0, 0xA1

We don't know what the limit is on AOL IM passwords is, but in our implementation we recycle the hash sequence if the input runs past 16 characters. Whether this is valid or not is unknown.

Command Line Usage

aimpass will encode or decode as many AIM passwords as you like.

$ aimpass --encode=hello
ENCODE {hello} -> {CKOBGEHMEO}

$ aimpass --decode=CKOBGEHMEO
DECODE {CKOBGEHMEO} -> {hello}

Under WinNT/Win2000, we use the excellent ActiveState perl (www.activestate.com), and by putting the aimpass.p in your normal search path (say, C:\BIN), it can be run just like a native NT command.

Download

The aimpass software is written in perl and comes in two parts, but for easy distribution on the web we've combined them as mentioned above. It's built from aimpass (the main driver) and aimpass.pm (the actual password decoder), and they can easily be separated should you care to use the modules separately.

aiminfo.p - Perl program

Note that aimpass is not an end user or script-kiddie tool: if you don't know how to use perl, this tool is probably not for you. In particular, I don't provide help-me-recover-"my"-password support - sorry.

Elcom Software has a commercial Advanced IM Password Recovery product that may help you with this.

Bugs & TODO List

We don't know what the limit on AIM passwords is: we should find out.
This was tested with AIM 4.8.2790 on Windows. It does NOT work with AIM 5.0. We may get to updating it, but it's not really on the to-do list right now. Those who know the algorithm are encouraged to contact me.

Revision History

v1.0 (2002/03/01) - Initial Release

Navigate: More Tools