regarding skype ;-?


mcensamuel
August 9th, 2005, 12:31
hi,

I have a question regarding Skype.

Anybody know the answer to the following question!!

Why is the protocol still not public?? (nobody reversed it) ;-?
Or is it too difficult to reverse?
Or is there any copyright problem with that?

Anybody know the answer? I am very much interested in knowing about the protocol?? ... ;-)

thanks
mcen

sgdt
August 9th, 2005, 13:21
Are you concerned with the Protocol or the Compression? (they are very different things). If you are concerned with the Protocol, I would look into calls into Winsock. If you are concerned with the Compression, fire up VTune and IDA (VTune to point you to the interesting pieces, and then IDA to see where they fit in). Of particular importance will be any tables used for transformation and the Huffman encoder/decoder. If you just want something quick, you could probably shim their code directly.

If you don't have VTune, find Winsock send / receive routines, place a memory breakpoint on where else the data is being referenced, and you will have the Huffman encoder/decoder.

Two notes: The PC version is written in Delphi, so I would give a look at it with the trial version of "PE Explorer". It'll point out the classes in a more friendly manner than Olly will. Second, if you have IDA, I would look at the Windows CE version of Skype, it might be less convoluted.

mcensamuel
August 10th, 2005, 02:21
I'd like to know the protocol stuff!!
Is VTune an Intel product??

More than getting the details about Skype..
I'd like to know the answer to the following questions...

Why is the protocol still not public?? (nobody reversed it) ;-?
Or is it too difficult to reverse?
Or is there any copyright problem with that?

sgdt
August 10th, 2005, 11:02
The protocol would be trivial to reverse, most protocols are. But what is the goal? To talk to Skype or to create a product like Skype? If the goal is to talk to Skype, then your goal probably isn't to create another front end (after all, Skype is free and works quite well). If your goal is to create a program like Skype, you don't need to reverse the protocol at all. What is your goal?

Why is the protocol still not public? Because the manufacturers of Skype have not released it. I don't even think anyone has ever asked them?

Is it too difficult to reverse? No, it's a protocol. The compression might be hard, but I doubt it.

Is there any copyright problem? Well, why yes, there is. Everything from the EULA you clicked thru when installing Skype to the embedded strings in the program leave zero doubt that they would like to keep their stuff private.

Please note that the Protocol is just how it communicates. I really believe you're more interested in the Compression. They are DIFFERENT THINGS.

The only reason I can think of to want their protocol would be to create a SPAM bot that would act like an automated client. Please tell me you're not doing that...

mcensamuel
August 10th, 2005, 20:00
I can assure you that... I don't have any criminal mind as you think!!
I'd like to learn how they are getting this quality sound!!

Some time back I looked at the Yahoo voice stuff... I was able to collect some data on that... but I didn't get any details about this.

Anyway, thanks for your reply!!

sgdt
August 25th, 2005, 12:10
Skype Opens APIs To External Software, Including Games

http://www.gamasutra.com/php-bin/news_?story=6320

0xebfe
September 7th, 2005, 16:56
Actually, it seems even the Snort community hasn't been able to come up with a signature for it.. I looked at the traffic as it loads.. seems very random or encrypted..

I am guessing the clients share some secret. The client sends a random challenge to the peers list it has (bootstrap or dynamically learnt).. the peer sends a response that's checked by the client.. then they start communicating encrypted.. Or perhaps the first handshake is a Diffie-Hellman shared secret setup..

Interesting.. anybody know of generic network protocol reversing papers/articles (not specific to Skype)?
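The "seems very random or encrypted" judgement in the post above is something a detection engineer can make measurable before trying to write a signature: compute the byte entropy of captured payloads and look for the point in a stream where a plaintext handshake gives way to high-entropy data. The following is an added example, not code from this thread; the samples are constructed (a text-style login header and a SHA-256 chain standing in for ciphertext), and the 6.5 bits/byte threshold and 256-byte block size are heuristic choices, not a standard.

```python
"""Byte-entropy triage for captured payloads: does the traffic look encrypted?

Added example, not code from the thread. All samples below are constructed.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(payload: bytes, threshold: float = 6.5, min_len: int = 128) -> str:
    """Label a payload 'structured', 'high-entropy', or 'too-short'.

    The threshold is a heuristic (assumption, not a standard): plaintext protocol
    headers and text rarely exceed ~5 bits/byte, while ciphertext and compressed
    data approach 8.0. Below min_len the estimate is biased low and too noisy to trust.
    """
    if len(payload) < min_len:
        return "too-short"
    return "high-entropy" if shannon_entropy(payload) >= threshold else "structured"


def entropy_profile(stream: bytes, block: int = 256) -> list:
    """Entropy of each non-overlapping block of a reassembled stream, as (offset, bits) pairs.

    A plaintext handshake followed by ciphertext shows up as a low block followed by
    high ones; the change point is located only to block granularity.
    """
    return [(off, shannon_entropy(stream[off:off + block]))
            for off in range(0, len(stream) - block + 1, block)]


def first_high_entropy_offset(stream: bytes, block: int = 256, threshold: float = 6.5):
    """Offset of the first block at or above threshold, or None if the whole stream is low."""
    for off, bits in entropy_profile(stream, block):
        if bits >= threshold:
            return off
    return None


# Constructed samples (not captured Skype traffic): a text-style login header and a
# SHA-256 chain standing in for ciphertext, since hash output is indistinguishable
# from random bytes for this purpose.
STRUCTURED_SAMPLE = (b"HELLO/1 user=alice nonce=00000001\n" * 8)[:256]
CIPHERTEXT_SAMPLE = b"".join(hashlib.sha256(b"constructed-block-%d" % i).digest()
                             for i in range(32))          # 1024 bytes
SAMPLE_STREAM = STRUCTURED_SAMPLE + CIPHERTEXT_SAMPLE     # plaintext header, then ciphertext

if __name__ == "__main__":
    print("header  :", classify_payload(STRUCTURED_SAMPLE))
    print("cipher  :", classify_payload(CIPHERTEXT_SAMPLE))
    for off, bits in entropy_profile(SAMPLE_STREAM):
        print(f"offset {off:5d}: {bits:.2f} bits/byte")
    print("switches to high entropy at offset", first_high_entropy_offset(SAMPLE_STREAM))
```

The block-level profile is the useful part for the handshake hypothesis in the post: if a client really does send a challenge and then switch to encrypted traffic, the first low-entropy block is the only region a content signature could ever match, and the estimate only becomes trustworthy with a few hundred bytes per block, which is why short packets are reported as "too-short" rather than guessed at.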

dyngnosis
September 13th, 2005, 21:41
There has been some work done on reverse engineering the Skype protocol.

Two university students have put together a white paper:

http://arxiv.org/pdf/cs.NI/0412017&ei=vosnQ9_NAZ_0-AGC7JiSBg

The difficulty in reversing much of the protocol is the encryption that happens early on.

IDA took 30min to disassemble the Skype.exe binary and blows up when launched if attached to the IDA debugger. Attaching IDA to the already running process will get you further but it still pukes. I would be interested in hearing your results attaching Olly. I have also had some success with SoftICE.

If you're interested in knowing more about the protocol and architecture of the Skype network then start at the white paper... if you are interested in reverse engineering we should chat.

dyngnosis
September 13th, 2005, 21:50
0xebfe: There has been some excellent work done in the Protocol Informatics Project at baselinesecurity... it is using bioinformatics and some cool algorithms to compare packet dumps.. he presented at DefCon 13 this year and has his slides up.. along with code, a white paper, background research, and a crapload more:

DefCon Presentation: http://insidiae.org/PI/PI-Defcon.pdf
White Paper: http://insidiae.org/PI/pi.pdf
Code: http://insidiae.org/PI/PI-v0.01.tgz

As a sample the author took 100 ICMP dumps and reproduced the protocol structure matching the RFC almost exactly...
http://insidiae.org/PI/PI-v0.01.tgz

0xebfe
September 14th, 2005, 13:29
Hey dyngnosis, yes I saw those two efforts.. The PI one is pretty interesting, if the protocol is indeed based on some structure, and not compressed/encoded. To a certain extent, that's pretty much what we do visually as well (look for static bytes, and check if they mean anything about the rest of the dynamic blocks). Have you tried the code on Skype?

The univ paper was a good start. It's more of a network traffic analysis though, not reversing. Besides, the clients seem to be able to login via the supernodes too, so quite a bit has changed since that paper was released.

How do I reach you outside this forum?

dyngnosis
September 14th, 2005, 15:52
0xebfe,

I have not yet tried PI with Skype traffic... without finding out more about the encryption schema I don't think it has a hope of getting very far... there *Are* however some interesting things about the initial login sequence.

I would like to get a copy of the old version of Skype that only hit a single login server... then BinDiff that against the current release... the changed code should certainly contain calls to the encryption functions.

In addition there are some calls to crypt32.dll ProtectData() and UnProtectData() that warrant some investigation... however debugging a running version of Skype is still a problem that I am working on. I've yet to attach Olly... after that perhaps remote debugging is the next step(?).

I think I've seen you around at the OpenRCE site... I'll contact you

Jer

0xebfe
September 14th, 2005, 18:29
Interesting, we think quite alike

http://www.oldversion.com/program.php?n=skype

I tried some of what you mention. Let's chat off line.

mcensamuel
September 15th, 2005, 02:29
Actually I started Skype through IDA Pro very easily...
there was some exception... but that is not a problem...

I got the address of the first socket call... and then... I didn't try much (;

Anyway I hope Skype is a big challenge for the reversers!!!
A challenge by a big reverser to all other reversers!!
He chooses very good anti* reversing techniques...
Attaching to SoftICE is not a problem I guess... they are checking for \\.SICE and some others... that can be changed in SoftICE...
Even I don't know much... had spent some time on that...

dyngnosis
September 15th, 2005, 15:36
0xebfe, I sent you a message on the OpenRCE forums... hopefully it goes through but one never knows. Try my name at gmail if you never get the one on OpenRCE.

It sounds like mcensamuel has some interesting experience in dealing with anti-rev techniques... we will have to keep that in mind!

mcensamuel, if you have any suggested reading on defeating anti-rev techniques I'd love to hear from you as well.

One thing I am very interested in is the development of a well documented and structured approach when it comes to a Skype-like project.

dyngnosis
September 29th, 2005, 14:31
I've recently found this:

http://gcasiez.perso.wanadoo.fr/skypeandsoftice.html

It is a bit of information on patching Skype to run with a debugger (SoftICE).

sweet.