Quantcast
Channel: SGriffin's MAPI Internals
Viewing all articles
Browse latest Browse all 84

Parsing the POP3 UIDL History

December 4, 2012, 6:54 am
$
0
0

In my previous post, we discussed how to locate Outlook’s POP3 UIDL history. Now that we have the blob, let’s look at how to parse it:

POPBlob Structure:

  • Version (2 bytes): Must be PBLOB_VERSION_NUM (3)
  • Count (2 bytes): Count of resource tags
  • Resource tags (variable): 0 or more null terminated UTF-8 strings encoding the resource tags. The number of null terminated strings must match Count.

Resource Tags:

A resource tag encodes a UID with some metadata. The format of a resource tag string is represented as follows:

Mcyyyymmddhhmmssuuuuuuuuuuuuuuuuuu...

where

  • M (1 char): '+', '-', or '&', indicating a successful get, delete, or get-and-delete
  • c (1 char): ' ', 'h', or 'b', indicating content of none, header, body
  • yyyy (4 chars: Four digit year of download
  • mm (2 chars): Two digit month of download
  • dd (2 chars): Two digit day of download
  • hh (2 chars): Two digit hour of download
  • mm (2 chars): Two digit minute of download
  • ss (2 chars): Two digit second of download
  • uuuu... (variable): Encoded uid (Unique Identifier) of a message

The encoded uid of the message has been escaped so only alphanumeric characters and the character '$' are present. Non-alphanumeric characters in the original UID are represented as '$'+ 2 digit hex encoding. For instance, the character '-' is encoded in the UID as $2d

For example, this blob:

030017002B623230313230393036313331313338304243353335444224326445413633243264313145312432644137354324326430303231354144374242373400 
2B623230313230393036313331313337313433444242434224326445413636243264313145312432644135463224326430303232363443313534424100 
2B623230313230393036313331313339323445383833333324326445413334243264313145312432644133414324326430303231354144374631353600 
2B623230313230393036313331313336333446324533383124326445423236243264313145312432644244353924326430303231354144383043324300 
2B623230313230393036313331313339333733443545363924326445413236243264313145312432644231363024326430303231354144393946303000 
...

Can be interpreted as follows: 
0300 Version: PBLOB_VERSION_NUM 
1700 Count: Count of restags (0x17 = 23) 
2B623230313230393036313331313338304243353335444224326445413633243264313145312432644137354324326430303231354144374242373400 Tag 1 
2B623230313230393036313331313337313433444242434224326445413636243264313145312432644135463224326430303232363443313534424100 Tag 2 
2B623230313230393036313331313339323445383833333324326445413334243264313145312432644133414324326430303231354144374631353600 Tag 3 
2B623230313230393036313331313336333446324533383124326445423236243264313145312432644244353924326430303231354144383043324300 Tag 4 
2B623230313230393036313331313339333733443545363924326445413236243264313145312432644231363024326430303231354144393946303000 Tag 5 
...

And we can parse one of the resource tags as follows: 
2B623230313230393036313331313338304243353335444224326445413633243264313145312432644137354324326430303231354144374242373400 = 
"+b201209061311380BC535DB$2dEA63$2d11E1$2dA75C$2d00215AD7BB74" 
+ = Successful get 
b = Content is body 
2012 = Year 
09 = Month 
06 = Day 
13 = Hour 
11 = Minute 
38 = Second 
0BC535DB$2dEA63$2d11E1$2dA75C$2d00215AD7BB74 = UID

This UID can then be interpreted as: 
0BC535DB + $2d + EA63 + $2d + 11E1 + $2d + A75C + $2d + 00215AD7BB74 = 
0BC535DB + '-' + EA63 + '-' + 11E1 + '-' + A75C + '-' + 00215AD7BB74 = 
0BC535DB-EA63-11E1-A75C-00215AD7BB74


So the first UID encoded in this blob is "0BC535DB-EA63-11E1-A75C-00215AD7BB74", and the body was successfully retrieved on 9/6/2012 at 13:11:38.

Search
Viewing all articles
Browse latest Browse all 84

Trending Articles

Scuffham Amps - S-GEAR 2.6.0 VST, AAX, STANDALONE x86 x64 (R2R NO iLok2, +NO...

November 19, 2017, 7:24 am

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

VHSE First (1st) Allotment 2025 - vhscap.kerala.gov.in

May 24, 2025, 11:58 pm

UNIVERSE LEAGUE – UNIVERSE LEAGUE – WAR (We Are Ready) – EP [iTunes Plus M4A]

January 26, 2025, 11:12 am

City Hunter Teledrama – Episode 18 – 07th May 2016

May 6, 2016, 2:05 pm

Comment on Proposed Criteria for Identifying Predatory Conferences by Luke...

July 4, 2016, 3:53 am

Bureau of Internal Revenue: Regional Offices (Directory)

January 9, 2014, 11:06 pm

Kendrick Lamar – Not Like Us (2024) [24Bit-88.2kHz] [PMEDIA] ⭐️

May 14, 2024, 7:14 pm

Inception 2010 Hindi Dual Audio 650MB BRRip 720p ESubs HEVC

December 27, 2016, 4:23 pm

East Hull MD admits sexual assaults after another victim comes forward

January 14, 2013, 12:20 am

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

February 16, 2017, 4:24 pm

R. v. Sargeant, 2023 ONSC 6406 (CanLII)

November 13, 2023, 9:00 pm

Rajasthan Board 10th Result 2016 Roll No wise & Name Wise

August 20, 2016, 5:13 pm

Who’s been sentenced at Northampton Magistrates’ Court

March 30, 2019, 10:00 pm

मतलबी दोस्त स्टेट्स | Matlabi Dost Status in Hindi – Selfish Friends Status

February 13, 2020, 3:12 am

Family cries out as traditional ruler allegedly abducts brother, extorts N2.5m

September 15, 2024, 1:15 am

Long-Running Conflict In Springfield (MA) Gangland Sphere Has Manzi Family &...

December 26, 2017, 3:59 pm

Wondershare Filmora X v10.1.20.16 x64

February 8, 2021, 5:34 am

Man arrested after fracas in flat

January 16, 2017, 10:10 pm

Man charged in ongoing Sexual Assault Investigation Derek Nyilas, 46, Faces...

May 27, 2019, 8:00 am
Search