Wednesday, 16 July 2014

How skype network works

When you run skype binary, following network actions is made:

Step 1. Login stage.

Skype binary checks if saved profile exists, and try to find private/public keys and skype issued certificate in it (also called credentials).

If its first run (i.e. no profile in %APPDATA%/skype/ found), skype do generation of private/public RSA keypair 1024 bits (128 bytes or 0x80 in hex) long.

Then, its make connection to skype 'login' servers. And send skypename, MD5(password) bytes, and you public key. If authorization OK, skype will issue personal certificate for you skypename and public key. This is 0x104 bytes array signed by skype network public key, also known as CA (certification of authority) in PKI (Public Key Infrastructure). Getting we skype signed certificate means that you now successfully "login" in skype network.

By the way, certificate will be issued on 30 days only. So, after that 30 days, you MUST login again (i.e. get new skype signed certificate).

Skype User Certificate Example:

Thursday, 5 June 2014

New toys for playing

Hello everyone!

Here is a new tool for playing with skype profile data. The project skydumpcred3 allows you to dump skype credentials (something like SSL certificates) from your skype 5.x clients and check it to see your RSA 1024-bit public and private keys in it.

Also I added the cert_decrypt project which can be useful to decrypt large 0x188 bytes of AES encoding blocks from skype debug.log file.

You can download both (and compile from sources, if you want) here:


Monday, 17 June 2013

Wiki re-open


Project public wiki on available again.
Pass: skype/skype

UPD. Ok, i decide to open my private wiki also.

So, check it out:
Pass: skype/skype


Saturday, 8 December 2012

Status update

I am still looking for some financial support for this project. Now, i do some slow research on Everyone who skilled enough can join.

Friday, 4 May 2012

Microsoft changes skype supernodes architecture to support wiretapping

Two months ago, Skype replaces user-hosted P2P supernodes with Linux grsec boxes hosted by Microsoft, but for what?

I found some brilliant and valuable comment about this:
I think wiretapping is one of the big reasons for the rearchitecture. Skype officially claimed they could not comply with wiretapping requests because of the P2P network as late as 2008 (, and Microsoft was already working on wiretapping VoIP in 2009 (
via Hacker News


So, think twice.

P.S. M$ talking, that "supernodes don't transit voice traffic" - this is bullshit. They do. In case, where you both behind NAT or in case of authority curiosity.

P.S2. Especially, for Kostya Kortchinsky at post.
Relay nodes take care of those if you can't communicate directly with the other end. There is a mutual exclusivity in that a node can't be a relay and a supernode at the same time.
Can he prove it? No. But, I can. This code, which I wrote in past, will allow for your traffic to flow via supernode(and also relay node): skyrel.c skypush.c

How to deal with AES keys? Not big problem, if you have Skype RSA CA(certificate of authority) private key, which skype/microsoft obviously have.

So, forget about security and anonymity in microsoft-skype.

Thursday, 26 April 2012

Skype User IP-address Disclosure


Some anonymous user made a comment with a link to an interesting text. I tested this stuff and it really works.

Skype user IP-address disclosure

1. Download this patched version of Skype 5.5:

2. Turn on debug-log file creation via adding a few registry keys.

3. Make "add a Skype contact" action, but do not send add request, just click on the user to view his vcard.

4. Have a look at the log file to find the desired skypename.
The record will be like this for real user ip: -r195.100.213.25:31101
And like this for user internal network card ip: -l172.10.5.17

21:16:45.818 | T#3668 PresenceManager: | noticing skypetestuser1 0x3e54a539a91a19fc-s-s65.55.223.23:40013-r195.100.213.25:31101-l172 .10.5.17:22960 23d23109 82f328ff

5. Catch that skype user via whois service.

The mentioned steps will help you to get the following information about a skype user: City, Country, Internet provider and internal user ip-address.
Now, you can troll him about CIA and Mossad, he-he.

Orginal link:
Skype user IP-address disclosure

Saturday, 24 March 2012

skype55 deobfuscated version released

Hello, everyone!

We got deobfuscated skype v5.5!!!

I can't belive in this. But its fucking true. Great thanks and congratulations going to Vilko.

Some words from Vilko about his skype5 research:

Skype version 5.5 is a hybrid of GUI on delphi and embedded dll with skype "kernel". This kernel is fully independent structure in binary code - code block, data block, imports. And it was built with use of VC compiler(exists VC lib signatures).

This kernel has not contain any reference to external code/data in delphi part. And only entry point block xrefs on kernel from delphi GUI. It can be saved as independent binary code with dll-header, and that kernel will work, i tested this.

You can download it here:
(DMCA takedown arrived, so check download link in comments)

Skype-open-source project still alive!

P.S. We open jabber conference for all who interested in skype reversing. Feel free to join on:

Saturday, 1 October 2011

Status update

So, for now, anyone can test Epycs and try to send messages to a skype user.

However, this code is based on emulating skype v1.4 protocol session handshake. But this version is not supported anymore. It cannot login to a network, even if binary is patched to represent 4.x version.

Current protocol capabilities may be shown like this:
skype14 -> skype14
skype14 -> skype3x
skype14 -> skype4x
skype14    skype5x
So there's no reason to work on a skype14.exe binary anymore. But it has received many patches for debugging reasons (analyzing connection and handshake flow) previously.

For now I have to patch skype v4.1 and 3.8 extensively, before they will be ready for future work. And then we can continue analyzing and writing a new (updated) protocol for session handshake to send messages to any skype version, including skype v5.x binary.

It will allow sending messages:
skype38    skype14 (no need for this anymore)
skype38 -> skype3x
skype38 -> skype4x
skype38 -> skype5x
The bad thing is that (in skype38 and skype41) in many parts of code the debug info was removed and also code addresses and places changed a lot. I can not simply find an old part of code from skype14 in the new skype38 binary. So, almost all the hard work needs to be done again.

The old protocol can be still usable(for 3.x, 4x versions), but debugging and testing it will be very hard because skype14.exe is not working in skype network anymore (cannot login).

I don't have much time to work on it now. But i will be slowly working on skype41.exe to patch it and log all needed info for reconstructing skype41-> skype5x protocol for send message session.

That's all, for now.

Wednesday, 3 August 2011

DMCA counter-notice confirmed

I got confirmation from Blogger about my counter-notice.

The Blogger Team to me
show details 9:02 PM (1 hour ago)

Thanks for reaching out to us.

In accordance with the DMCA, we have completed processing your
infringement complaint and the content in question no longer appears on
the following URL(s):

Please let us know if we can assist you further.

So, i restore links in my post.