Saturday, 8 December 2012

Status update

I am still looking for some financial support for this project. Now, i do some slow research on dev.epycs.ru. Everyone who skilled enough can join.

Friday, 4 May 2012

Microsoft changes skype supernodes architecture to support wiretapping

Two months ago, Skype replaces user-hosted P2P supernodes with Linux grsec boxes hosted by Microsoft, but for what?

I found some brilliant and valuable comment about this:
I think wiretapping is one of the big reasons for the rearchitecture. Skype officially claimed they could not comply with wiretapping requests because of the P2P network as late as 2008 (http://news.cnet.com/8301-13578_3-9963028-38.html), and Microsoft was already working on wiretapping VoIP in 2009 (http://blog.tmcnet.com/blog/tom-keating/microsoft-patents-voip-and-skype-wiretapping.asp).
via Hacker News

Answer is: WIRETAPPING

So, think twice.

P.S. M$ talking, that "supernodes don't transit voice traffic" - this is bullshit. They do. In case, where you both behind NAT or in case of authority curiosity.

P.S2. Especially, for Kostya Kortchinsky at post.
Relay nodes take care of those if you can't communicate directly with the other end. There is a mutual exclusivity in that a node can't be a relay and a supernode at the same time.
Can he prove it? No. But, I can. This code, which I wrote in past, will allow for your traffic to flow via supernode(and also relay node): skyrel.c skypush.c

How to deal with AES keys? Not big problem, if you have Skype RSA CA(certificate of authority) private key, which skype/microsoft obviously have.

So, forget about security and anonymity in microsoft-skype.

Thursday, 26 April 2012

Skype User IP-address Disclosure

Hello,

Some anonymous user made a comment with a link to an interesting text. I tested this stuff and it really works.


Skype user IP-address disclosure

1. Download this patched version of Skype 5.5:
http://skype-open-source.blogspot.com/2012/03/skype55-deobfuscated-version-released.html

2. Turn on debug-log file creation via adding a few registry keys.
https://github.com/skypeopensource/skypeopensource/wiki/skype-3.x-4.x-5.x-enable-logging

3. Make "add a Skype contact" action, but do not send add request, just click on the user to view his vcard.

4. Have a look at the log file to find the desired skypename.
The record will be like this for real user ip: -r195.100.213.25:31101
And like this for user internal network card ip: -l172.10.5.17

21:16:45.818 | T#3668 PresenceManager: | noticing skypetestuser1 0x3e54a539a91a19fc-s-s65.55.223.23:40013-r195.100.213.25:31101-l172 .10.5.17:22960 23d23109 82f328ff

5. Catch that skype user via whois service.
http://nic.ru/whois/?query=195.100.213.25

The mentioned steps will help you to get the following information about a skype user: City, Country, Internet provider and internal user ip-address.
Now, you can troll him about CIA and Mossad, he-he.


Orginal link:
Skype user IP-address disclosure
http://pastebin.com/rBu4jDm8

Saturday, 24 March 2012

skype55 deobfuscated version released

Hello, everyone!

We got deobfuscated skype v5.5!!!

I can't belive in this. But its fucking true. Great thanks and congratulations going to Vilko.

Some words from Vilko about his skype5 research:

Skype version 5.5 is a hybrid of GUI on delphi and embedded dll with skype "kernel". This kernel is fully independent structure in binary code - code block, data block, imports. And it was built with use of VC compiler(exists VC lib signatures).

This kernel has not contain any reference to external code/data in delphi part. And only entry point block xrefs on kernel from delphi GUI. It can be saved as independent binary code with dll-header, and that kernel will work, i tested this.


You can download it here:
(DMCA takedown arrived, so check download link in comments)

Skype-open-source project still alive!

P.S. We open jabber conference for all who interested in skype reversing. Feel free to join on: skypeopensource@conference.jabber.ru

Saturday, 1 October 2011

Status update

So, for now, anyone can test Epycs and try to send messages to a skype user.

However, this code is based on emulating skype v1.4 protocol session handshake. But this version is not supported anymore. It cannot login to a network, even if binary is patched to represent 4.x version.

Current protocol capabilities may be shown like this:
skype14 -> skype14
skype14 -> skype3x
skype14 -> skype4x
skype14    skype5x
So there's no reason to work on a skype14.exe binary anymore. But it has received many patches for debugging reasons (analyzing connection and handshake flow) previously.

For now I have to patch skype v4.1 and 3.8 extensively, before they will be ready for future work. And then we can continue analyzing and writing a new (updated) protocol for session handshake to send messages to any skype version, including skype v5.x binary.

It will allow sending messages:
skype38    skype14 (no need for this anymore)
skype38 -> skype3x
skype38 -> skype4x
skype38 -> skype5x
The bad thing is that (in skype38 and skype41) in many parts of code the debug info was removed and also code addresses and places changed a lot. I can not simply find an old part of code from skype14 in the new skype38 binary. So, almost all the hard work needs to be done again.

The old protocol can be still usable(for 3.x, 4x versions), but debugging and testing it will be very hard because skype14.exe is not working in skype network anymore (cannot login).

I don't have much time to work on it now. But i will be slowly working on skype41.exe to patch it and log all needed info for reconstructing skype41-> skype5x protocol for send message session.

That's all, for now.

Wednesday, 3 August 2011

DMCA counter-notice confirmed

I got confirmation from Blogger about my counter-notice.

---
The Blogger Team blogger-support@google.com to me
show details 9:02 PM (1 hour ago)
Hello,

Thanks for reaching out to us.

In accordance with the DMCA, we have completed processing your
infringement complaint and the content in question no longer appears on
the following URL(s):

http://skype-open-source.blogspot.com/2011/07/great-skype-testing-day.html

Please let us know if we can assist you further.
---

So, i restore links in my post.

DMCA takedown number three

And again. LOL.
Skype Inc or some anonymous, haters gona hate?

---
from support@blogger.com
to skypeopensource@gmail.com
cc blogger-dmca-notification@google.com
date Wed, Aug 3, 2011 at 9:01 PM
subject Blogger DMCA takedown notification
mailed-by blogger.bounces.google.com
signed-by blogger.com
Important mainly because of the people in the conversation.
hide details 9:01 PM (57 minutes ago)
Blogger has been notified, according to the terms of the Digital Millennium Copyright Act (DMCA), that certain content in your blog is alleged to infringe upon the copyrights of others. As a result, we have reset the post(s) to "draft" status. (If we did not do so, we would be subject to a claim of copyright infringement, regardless of its merits. The URL(s) of the allegedly infringing post(s) may be found at the end of this message.) This means your post - and any images, links or other content - is not gone. You may edit the post to remove the offending content and republish, at which point the post in question will be visible to your readers again.
A bit of background: the DMCA is a United States copyright law that provides guidelines for online service provider liability in case of copyright infringement. If you believe you have the rights to post the content at issue here, you can file a counter-claim. For more information on our DMCA policy, including how to file a counter-claim, please see http://www.google.com/dmca.html.
The notice that we received, with any personally identifying information removed, will be posted online by a service called Chilling Effects at http://www.chillingeffects.org. We do this in accordance with the Digital Millennium Copyright Act (DMCA). You can search for the DMCA notice associated with the removal of your content by going to the Chilling Effects search page at http://www.chillingeffects.org/search.cgi, and entering in the URL of the blog post that was removed. If it is brought to our attention that you have republished the post without removing the content/link in question, then we will delete your post and count it as a violation on your account. Repeated violations to our Terms of Service may result in further remedial action taken against your Blogger account including deleting your blog and/or terminating your account. If you have legal questions about this notification, you should retain your own legal counsel.
Sincerely,
The Blogger Team
Affected URLs:
http://skype-open-source.blogspot.com/2011/07/great-skype-testing-day.html
---

I think its just anonymous abuse of this form:
http://www.google.com/support/bin/request.py?contact_type=lr_dmca&product=blogger
There is not need any confirmation for takedown any blog or post.

I filled counter-notice against it twise.
Will see how it will end.

UPD. I got counter-notice confirm. So, i guess i can restore links.

Wednesday, 27 July 2011

DMCA takedown again

Here is a letter on my email.

---
Blogger DMCA takedown notification

Blogger has been notified, according to the terms of the Digital Millennium Copyright Act (DMCA), that certain content in your blog is alleged to infringe upon the copyrights of others. As a result, we have reset the post(s) to "draft" status. (If we did not do so, we would be subject to a claim of copyright infringement, regardless of its merits. The URL(s) of the allegedly infringing post(s) may be found at the end of this message.) This means your post - and any images, links or other content - is not gone. You may edit the post to remove the offending content and republish, at which point the post in question will be visible to your readers again.

A bit of background: the DMCA is a United States copyright law that provides guidelines for online service provider liability in case of copyright infringement. If you believe you have the rights to post the content at issue here, you can file a counter-claim. For more information on our DMCA policy, including how to file a counter-claim, please see http://www.google.com/dmca.html.

The notice that we received, with any personally identifying information removed, will be posted online by a service called Chilling Effects at http://www.chillingeffects.org. We do this in accordance with the Digital Millennium Copyright Act (DMCA). You can search for the DMCA notice associated with the removal of your content by going to the Chilling Effects search page at http://www.chillingeffects.org/search.cgi, and entering in the URL of the blog post that was removed. If it is brought to our attention that you have republished the post without removing the content/link in question, then we will delete your post and count it as a violation on your account. Repeated violations to our Terms of Service may result in further remedial action taken against your Blogger account including deleting your blog and/or terminating your account. If you have legal questions about this notification, you should retain your own legal counsel.

Sincerely,
The Blogger Team

Affected URLs:
http://skype-open-source.blogspot.com/2011/07/great-skype-testing-day.html
---

It contains links *on my own code*, wtf?
I think in this case no reason for takedown at all.
Where was no patched binaries or something. Just my code.

Hmm.

P.S. Here available first DMCA takedown notice:
https://www.chillingeffects.org/dmca512c/notice.cgi?NoticeID=89716
Interesting discussion about this post on reddit.