New Gadu-Gadu protocol revealed

New DNS resolver for libgadu is already done. This effects in stability (especially, under Windows: #6263) and some code cleanup (win32 related code is no longer needed).

Also, now our libgadu fork have just one-lineĀ difference against upstream (#343). At least, it will be one line after upgrading to 1.12.0, because now we have some patches plucked from upstream trunk.

The biggest progress was made at reverse engineering of new Gadu-Gadu protocol. Newest official Gadu-Gadu client (11.0) doesn’t allow to make unencrypted connections, so protocol analyzing seemed to be impossible. Fortunately, I have managed to bypass this restriction and now everything goes as plaintext.

The next step was creating GG protocol dissector plugin for wireshark – it requires some effort, but it makes following work much easier. At this point, only most important packets are dissected.

Two steps listed above enabled me to make the third one: making some findings about new GG10.5/11 protocol. I will publish them later at libgadu protocol description site – it’s polish only, but my dissector plugin will also contain these information.

Now I’m in the middle of providing proxy support, but it requires deep changes in libgadu library, so I have to discuss it with libgadu team.

2 thoughts on “New Gadu-Gadu protocol revealed

  1. Could you reveal what encryption is used by new gg clients and how did you manage to bypass it? I readed protocol description ( but I see no info about encryption at all, I assume that you haven’t got time to update it. Are there any new flags available in gg_login80.hash_type field or just those two old easy crackable fields? Is sending password to server is still required during registration a new account?

    • It’s just a TLS connection – internal communication is identical to unencrypted version. As you pointed out, documentation isn’t updated yet, but all information about it is already integrated in libgadu source tree ( – please take a look at it.

      Hash function is just the same as previously, but sent with new, gg_login105 packet. I don’t know anything about new registration method.

Leave a Reply to Lukas Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.