Thursday, 2 June 2011

Skype under rc4 layer - arithmetic encoding

Here is the most complex arithmetic encoding of Skype.

unpack-4142.c :

P.S. I wonder why this post was mentioned, but anyway:

--- skype & microsoft & DMCA was here ---

Check it on The Pirate Bay and GitHub.

P.S.2. A pastebin link to "unpack-4142.c" can be found in the comments.


  1. WOW!!! impressive analysis..

  2. Especially when most of the work is by HexRays ;-)

  3. HexRays;-p

  4. Hexrays, hopefully, was good for 4.x analysis.

    Take a look at the messy "arithmetic.c" and you will get an idea of all the related troubles.

  5. So what happens in this code? Can you explain?

  6. В десятке нах!

  7. Data after RC4 deobfuscation, marked with a 0x41 or 0x42 byte (tag), is decoded into key (index) - value pairs. I.e. something readable and in ASCII.

  8. As this was reversed by you, can you explain to us what is happening in the functions unpack_42_list_76B1B0 and unpack_41_0_715D70, and why?

    And why is all the code about a year old? Is it REALLY your code or ....?

  9. Beautiful Russian ladies

    European and American women are too arrogant for you? Are you looking for a sweet lady that will be caring and understanding?
    Then you came to the right place- here you can find a Russian lady that will love you with all her heart.


  10. john.f.doe@somewhere.online 3 June 2011 02:01

    Fima, who are all these people in the logs: shamanyst, xot_iam, cyberozz?
    And where did Sean go? He promised to show this same crap in Berlin and then disappeared. Or are you standing in for him now?

  11. When will someone knock together a plugin for Pidgin/libpurple?

  12. Where can I download HexRays? :)

  13. The reversing of these functions is dreary crap; I don't know whether you did it, Efim, or it was some other schoolkid

    Let's start at least
    with the function
    which in the original is called Deserialize
    and is a member of the class AtributeConteiner
    void AtributeConteiner::Deserialize


    unpack_42_ctx_init_76ACD0 - this is the constructor of the class atributeconteiner_decoder_t::atributeconteiner_decoder_t()

    unpack_42_76AEC0 is the class member atributeconteiner_decoder_t::deserialize()

    unpack_42_ctx_end_714D90 is the destructor of the class atributeconteiner_decoder_t::~atributeconteiner_decoder_t()

    I can also tell you that

    #include <string.h>

    typedef unsigned int u32;
    /* dword(ctx, off): the 32-bit word at byte offset off from ctx (ctx is a 32-bit address) */
    #define dword(ctx, off) (*(u32 *)((unsigned char *)(ctx) + (off)))

    u32 unpack_42_ctx_init_76ACD0(u32 max_depth, u32 ctx, u32 packed_blob, u32 packed_bytes)
    {
        memset((void *)ctx, 0xCC, 333 * 4);
        dword(ctx, 0x1F2) = max_depth;
        dword(ctx, 0x1FA) = packed_bytes;
        dword(ctx, 0x1F6) = packed_blob;

        dword(ctx, 0x312) = ctx + 0x212;
        dword(ctx, 0x316) = 0;
        dword(ctx, 0x31A) = 32;
        /* ^^^^^^ this is something like a std::vector */

        dword(ctx, 0x51E) = ctx + 0x31E;
        dword(ctx, 0x522) = 0;
        dword(ctx, 0x526) = 0x200;
        /* ^^^^^^^ this is something like a std::vector */

        /* I don't want to reveal the vector types to you */

        return ctx;
    }
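To show how a reverser turns a recovered constructor like the one in the comment above into a typed, checkable layout, here is an added C example (written for this page; it is neither the commenter's code nor Skype's). It re-implements the field writes on a host-side copy of the 333-dword context, models the two dword triples at 0x312 and 0x51E as (begin, count, capacity) headers, and checks that each header's capacity multiplied by an assumed element size exactly spans the gap from its inline storage to the header. The names ctx_init, vec32_hdr, layout_is_consistent, demo_init_field and demo_vec_storage_offset, the pseudo-address 0x10000000 and the element sizes 8 and 1 are assumptions of this example, not facts from the page.

```c
#include <stdint.h>
#include <string.h>

/* Context size from the memset in the constructor: 333 dwords. */
#define CTX_WORDS 333u
#define CTX_BYTES (CTX_WORDS * 4u)

/* Byte offsets inside ctx as recovered in the comment above (taken as given). */
enum {
    OFF_MAX_DEPTH   = 0x1F2,
    OFF_PACKED_BLOB = 0x1F6,
    OFF_PACKED_LEN  = 0x1FA,
    OFF_VEC1_STORE  = 0x212,                      /* inline storage of vector 1 */
    OFF_VEC1_BEGIN  = 0x312, OFF_VEC1_COUNT = 0x316, OFF_VEC1_CAP = 0x31A,
    OFF_VEC2_STORE  = 0x31E,                      /* inline storage of vector 2 */
    OFF_VEC2_BEGIN  = 0x51E, OFF_VEC2_COUNT = 0x522, OFF_VEC2_CAP = 0x526
};

/* Assumed element sizes: chosen so that capacity * size spans exactly the gap
   between each inline storage area and its header (an inference, not from the page). */
#define VEC1_ELEM_SIZE 8u
#define VEC2_ELEM_SIZE 1u

/* Unaligned 32-bit store/load on a host-side byte copy; stands in for dword(ctx, off). */
static void put32(uint8_t *ctx, uint32_t off, uint32_t v) { memcpy(ctx + off, &v, 4); }
static uint32_t get32(const uint8_t *ctx, uint32_t off) { uint32_t v; memcpy(&v, ctx + off, 4); return v; }

/* The three dwords written together in each block read like a vector header. */
typedef struct { uint32_t begin, count, capacity; } vec32_hdr;

static vec32_hdr read_vec(const uint8_t *ctx, uint32_t off_begin)
{
    vec32_hdr h;
    h.begin    = get32(ctx, off_begin);
    h.count    = get32(ctx, off_begin + 4);
    h.capacity = get32(ctx, off_begin + 8);
    return h;
}

/* Host-side re-implementation of the constructor's writes. ctx_va is the 32-bit
   address the context would have in the target process; ctx is our copy of its bytes. */
uint32_t ctx_init(uint8_t *ctx, uint32_t ctx_va, uint32_t max_depth,
                  uint32_t packed_blob, uint32_t packed_bytes)
{
    memset(ctx, 0xCC, CTX_BYTES);          /* 0xCC fill marks never-written fields */
    put32(ctx, OFF_MAX_DEPTH,   max_depth);
    put32(ctx, OFF_PACKED_LEN,  packed_bytes);
    put32(ctx, OFF_PACKED_BLOB, packed_blob);

    put32(ctx, OFF_VEC1_BEGIN, ctx_va + OFF_VEC1_STORE);   /* begin -> inline buffer */
    put32(ctx, OFF_VEC1_COUNT, 0);
    put32(ctx, OFF_VEC1_CAP,   32);

    put32(ctx, OFF_VEC2_BEGIN, ctx_va + OFF_VEC2_STORE);
    put32(ctx, OFF_VEC2_COUNT, 0);
    put32(ctx, OFF_VEC2_CAP,   0x200);
    return ctx_va;
}

/* Layout checks a reverser would want before trusting the vector interpretation:
   each header's capacity * element size must exactly fill the gap up to the header,
   and the last field must still lie inside the memset'd region. */
int layout_is_consistent(void)
{
    return (OFF_VEC1_STORE + 32u    * VEC1_ELEM_SIZE == OFF_VEC1_BEGIN)
        && (OFF_VEC2_STORE + 0x200u * VEC2_ELEM_SIZE == OFF_VEC2_BEGIN)
        && (OFF_VEC2_CAP + 4u <= CTX_BYTES);
}

/* Helpers for checking: run the constructor on a scratch context with constructed
   arguments and report one field, or one vector's storage offset relative to ctx. */
#define DEMO_CTX_VA 0x10000000u   /* constructed pseudo-address for the context */

uint32_t demo_init_field(uint32_t off)
{
    static uint8_t buf[CTX_BYTES];
    ctx_init(buf, DEMO_CTX_VA, 4, 0x20000000u, 123);
    return get32(buf, off);
}

uint32_t demo_vec_storage_offset(uint32_t off_begin)
{
    static uint8_t buf[CTX_BYTES];
    ctx_init(buf, DEMO_CTX_VA, 4, 0x20000000u, 123);
    return read_vec(buf, off_begin).begin - DEMO_CTX_VA;
}
```

The point of layout_is_consistent is that the gap arithmetic (0x312 - 0x212 = 0x100 = 32 * 8 and 0x51E - 0x31E = 0x200 = 0x200 * 1) is what makes the "begin, count, capacity with inline storage" reading plausible; if the numbers had not lined up, the three dwords would need another interpretation. Keeping the pseudo-address separate from the host buffer avoids the pointer-width mismatch you would otherwise get compiling 32-bit offsets on a 64-bit host.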

  14. And by the way, this is not arithmetic coding
    but the packing of ordinary primitives, in the style of the ASN.1 standard

  15. Efim, be honest. Tell the community which part is yours and which part is Sean O'Neil's work.
    Just reading your irresolute bleating in your efforts to explain the code leaves big doubts

  16. Sean copyrighted his code, as you can see.

  17. > Sean copyrighted his code, as you can see.

    These files were never public
    how did you get hold of them?
    Sean said that this work had been stolen from him

  18. I will not comment on this.
    Let me keep it behind the scenes.

    Yes, many of you may doubt how legitimate it was to get Sean's (VEST corporation) code and the Skype de-obfuscated binaries.

    Let's imagine that some unknown 'good guy' sent it to me by email. Or you may think that I found it on some forum on a Chinese server. Or you may think that I hacked him. In theory it's possible, but it's too tricky and there is not enough motivation.

    You may not trust me, and claim that the whole archive and all the code are owned by VEST. It's your choice. But, as I know, Sean always copyrights his code. So, be sure that all the other code is mine. This is easy to prove if you try a lexical or stylistic comparison of it.

  19. The question is not where they are from. The question is whether anyone will be able to make an open-source Skype protocol specification and implementation based on these files (possibly from illegal sources) or not?

  20. You misunderstood me
    I meant that if you have this couple of files from Sean, maybe you have the rest too?
    Then maybe you will post them as well?

  21. Why do you answer Russian posts in English?

  22. yep,

    pretty accurate, but can be improved..

  23. Do you not feel it unethical to be using a pirated version of Hex-Rays' software?

  24. Any mirrors of this article? Without the censored cut-outs, of course.. ;)

  25. It was not an article. Just a code paste of the unpack-4142.c file. Check this.

  26. John Pitacus 17 June 2011 14:41

    Grats for this work.
    I just don't understand why only now people were able to reverse Skype. Is there something that makes this job harder?

  27. @JohnPitacus

    Oh yes. Check the Vanilla Skype presentation.