As you may have tried, sending does not work as expected.
It will not work at all on any 5.x Skype, and will not work for 3.x/4.x without a new 'login' certificate (they call it 'credentials'). The cert is issued by the Skype login server each time you enter your password, or once in around 30 days if you tick the 'remember password' checkbox.
The first (and main) problem for now is skype14, which has stopped connecting to network supernodes. Because, as I think, 5.x Skype stopped supporting its too-old protocol.
If you try to connect with skydump (it only needs ip:port) to a 3.x or 4.x Skype, it will work, but with 5.x this will fail.
There are two methods to get credentials (the certificate) for 'login' into the network.
The easy method was to log in manually via skype14 and dump the certificate from the log file (with the help of get_creds.pl), which was specially patched for this. Now it does not work anymore, because skype14 can't connect to 5.x supernodes.
The second method is to use Sean's 'skype_login.c' code, which has some messy things with headers. But keep in mind that Skype Inc. may already have changed something in this process since 2009.
I have no clean 5.x binary, so that is also a bad thing and a big problem.
I think, for now, the better way will be to patch 4.x to dump credentials into the log file. I will try to do it in the near future.
But if you dump credentials somehow, then you may try to send a Skype message to 3.x or 4.x without problem, and be sure that the code 'works'. You can also use the old certificate (check 'a_cred.txt'), but you will only get 'credentials expired' in your peer's client logs.
So, keep in touch.
Have you tried reverse engineering the Linux version of Skype? I don't know what version of the protocol it uses, but it still works. Maybe it has fewer anti-debugging and obfuscation things. I think it was not built by the same team that works on the main version of Skype.
Also Nokia's phone N900 has built-in Skype. This phone uses Linux (built for an ARM CPU) and Skype in it is integrated as an Empathy (Linux IM for the Gnome desktop) plugin. If you reverse engineer this version then maybe it would be easy to rebuild it to get a generic Empathy plugin that can be used on a PC. Many people who want Skype to be open source also want to see it as a plugin for popular IMs like Pidgin or Empathy sooner or later, so maybe reversing the existing plugin would bring that moment faster. If you want I can send you the Skype binary from the N900 firmware for reverse engineering.
I think Skype for mobile phones behaves differently from the desktop version. It won't act as a supernode and things like that, so it probably connects in a different way and is pretty limited.
The desktop Linux version might work though.
No, I don't think the mobile version can act as a supernode. But as I understand this post, neither can the 4.x version of Skype now. I think providing supernodes is not the primary objective when creating an open source client. And I think it would be a good feature to be able to disable supernode behaviour to save your traffic.
Other than supernodes, the N900 version can do everything else without limitations (chat, group chat, audio/video, group audio).
Man. Skype layers kill you.
You may also wish to consider reversing the Skype for Asterisk binaries: http://downloads.digium.com/pub/telephony/skypeforasterisk/
All the interesting stuff is inside the file res_skypeforasterisk.so - it contains two embedded binaries which it extracts to a temporary directory; one is from Skype, named 'skyhost', and the other is a helper program named 'skywatcher'. You can find these embedded files by searching for ELF headers inside the main file.
The skyhost binary is the one to reverse. It's the same as what's on embedded Skype devices such as the N900 mentioned above, but is x86 instead of ARM. It's protected and encrypted, of course, but a cursory examination of the binary indicates that it shouldn't be too difficult to break past that. I've made a start on it and can send you the .idb if you're interested.
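Searching a file for embedded ELF headers, as the comment above suggests, is easy to automate. The following is an added example, not code from the commenter or from the skypeopensource project: it scans a byte buffer for candidate ELF headers and reads the class, endianness and e_machine fields, so an x86 skyhost (EM_386 = 3) can be told from an ARM one (EM_ARM = 40) and from a random occurrence of the four magic bytes. The container buffer is constructed inline and is not a real res_skypeforasterisk.so. An embedded ELF's length is not in its header, so the end of each carved file still has to be derived from its section or program headers (not shown here).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One embedded-ELF candidate found inside a larger file. */
typedef struct {
    size_t offset;        /* where 0x7f 'E' 'L' 'F' starts */
    int is64;             /* EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64 */
    int little_endian;    /* EI_DATA:  1 = LSB, 2 = MSB */
    uint16_t machine;     /* e_machine: 3 = EM_386, 40 = EM_ARM, 62 = EM_X86_64 */
} elf_hit;

/* Scan buf for ELF headers. A bare magic match is not enough: the class and
 * data bytes after it must be valid, which filters random occurrences of the
 * four magic bytes in packed or encrypted data. Returns the number of hits
 * written to out[] (at most max_out). */
size_t find_embedded_elf(const unsigned char *buf, size_t len,
                         elf_hit *out, size_t max_out)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    size_t n = 0;
    /* e_machine is at header bytes 18..19, so a hit needs 20 bytes. */
    for (size_t i = 0; i + 20 <= len && n < max_out; i++) {
        if (memcmp(buf + i, magic, 4) != 0)
            continue;
        unsigned char cls = buf[i + 4], data = buf[i + 5];
        if ((cls != 1 && cls != 2) || (data != 1 && data != 2))
            continue;
        const unsigned char *m = buf + i + 18;
        out[n].offset = i;
        out[n].is64 = (cls == 2);
        out[n].little_endian = (data == 1);
        out[n].machine = (data == 1) ? (uint16_t)(m[0] | (m[1] << 8))
                                     : (uint16_t)((m[0] << 8) | m[1]);
        n++;
    }
    return n;
}

/* Constructed sample container (not a real res_skypeforasterisk.so): filler,
 * a fake ELF32 x86 header at 16, a fake ELF32 ARM header at 100, and at 200
 * a decoy magic with an invalid class byte that a plain grep for "\x7fELF"
 * would also report. Returns the container length. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    static const unsigned char x86_hdr[20] = {
        0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* e_ident */
        2, 0,                                                     /* e_type = ET_EXEC */
        3, 0 };                                                   /* e_machine = EM_386 */
    static const unsigned char arm_hdr[20] = {
        0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        2, 0,
        40, 0 };                                                  /* e_machine = EM_ARM */
    static const unsigned char decoy[6] = { 0x7f, 'E', 'L', 'F', 9, 1 };
    const size_t len = 256;
    if (cap < len) return 0;
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(i * 37 + 11);   /* filler that never forms the magic */
    memcpy(buf + 16, x86_hdr, sizeof x86_hdr);
    memcpy(buf + 100, arm_hdr, sizeof arm_hdr);
    memcpy(buf + 200, decoy, sizeof decoy);
    return len;
}

int main(void)
{
    unsigned char buf[256];
    elf_hit hits[8];
    size_t len = build_sample(buf, sizeof buf);
    size_t n = find_embedded_elf(buf, len, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("ELF%s %s-endian e_machine=%u at offset %zu\n",
               hits[i].is64 ? "64" : "32", hits[i].little_endian ? "little" : "big",
               hits[i].machine, hits[i].offset);
    return 0;
}
```

To use it on a real file, read the whole .so into memory and call find_embedded_elf on that buffer; each reported offset is a candidate start for carving, and the class/machine fields tell you which of the extracted programs you are looking at before you open it in a disassembler.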
So, you have spent 5 years of your life on that development and it's not even close to the end yet. I feel sad and sorry for you. People! Why don't you use your brains for developing something open, where people are ready to share ideas? If you did, we could have had our own absolutely open and totally legal protocol and source code. Something like what Jabber+SIP/Jabber/WebRTC and many other projects are trying to achieve. I suggest you reexamine your principles and the meaning of your life and how you are going to live it. Do you want to be known after your death as "a guy who illegally hacked Skype" or "the guy who invented an unbeatable open standard which is much better than any other existing one"?..
Jeez...
@Anton: Who are you to judge what people do with the time on their hands? Go troll somewhere else.
[Phoronix] Skype To Take Action Against Reverse-Engineering
"So, you have spent 5 years of your life on that development .."
Actually, a bit more than three years.
It was an exciting challenge. And it still is.
Imagine: no one can break it, but you can.
Yes, "just for fun".
Keep it up; everybody loves the idea of reverse engineering proprietary protocols. It would be fantastic if you got to the point of completely hacking Skype. I hope you get a lot of help from fellow minds!
Best wishes from Berlin
Surely hundreds of people are racking their brains over this same thing. And now most of their knowledge and work has been devalued. Let's hope the developers don't change everything in the near future, otherwise it will be sad.
Why do something you are bad at?
You haven't even mastered IDA; you could have at least run FLIRT for a laugh,
instead of writing stupid speculation in comments inside memcpy functions.
Better do something more useful, if you are capable of anything at all,
because three years on reversing such a trifle as Skype
is just laughable.
I love how you misspelled because.
Stupid Russian trolls
I wonder why Russian comments have so much trolling. It seems that all Russian trolls have suddenly jumped here. Hopefully we will soon see plugins for 3rd party clients. Well done!
ReplyDeleteрашинс троль как вы выразились уже давно имеют реверс скайпа в нормальном виде, пока школота пиарится,и троллит
ReplyDelete>Hopefully we will soon see plugins for 3rd party clients.
ReplyDeleteда вы можете надеяться на все что угодно
но никаких плагинов никто делать не будет
спецификации как и нормального реверса протокола у вас нет
а насчет качества реверса
я уже отписал в другом топике
"Skype under rc4 layer - arithmetic encoding"
You can also have a look at the J2ME version of Skype for mobile phones. I can confirm that it's just a stripped-down version of the protocol, not the real one, but for basic instant messaging it should be enough.
But who wants to look through obfuscated, ugly Java code?
You can also have a look at Skype for Windows Mobile; it seems that there are some quotes from Monkey Island 2 in it ;-)
Skype-SP.001:
--------------------
Heaven preserve me! You look like something that's died! Then perhaps you should switch to decaffeinated. can't rest 'til' you've been exterminated! Too bad they're all fabricated. Throughout the Caribbean, my great deeds are celebrated! Oh, that is so cliché En Garde! Touché You would have, but you were always running away. I have never seen such clumsy swordplay! I could, if you would use some breath spray. You can't match my witty repartee! Is that your face? I thought it was your backside. Coming face to face with me must leave you petrified! When I'm done with you, you'll be a boneless filet. I'll skewer you like a sow at a buffet! If you don't count all the ones you've dated. You're the ugliest monster ever created! With your breath, I'm sure they all suffocated. Every enemy I have met, I've annihilated!
--------------------
A good method of getting an unprotected binary of skyhost from skypeforasterisk:
1. run skyhost in gdb
2. in gdb: catch syscall
3. in gdb: run
(this will break on a call to sys_getpid, which is after the binary has unprotected itself but before it has run anything substantial; it is still in initialization)
4. [optionally, for later info] in gdb: info registers / info backtrace
5. in gdb: generate-core-file
6. load this core file into IDA Pro and it'll create an impressively complete disassembly of the binary
Hope this helps!
> Imagine, no one can break it, but you can.
Hm, but the protocol was broken before and published as the 'Silver Needle in the Skype' research paper, no?
I mean, it would be great to have an open source client, since my current OS won't run Skype very easily and I sometimes need it for work.
Still, in the grand scheme of things, I agree with Anton. We don't need enhancements of Skype or Facebook; we need properly designed free and distributed infrastructures to replace the proprietary centralized crap. VoIP and video on Jabber are available but still have some notable deficiencies, such as Pidgin VoIP still not working on Windows or a lack of automated/usable fallback mechanisms to work with NAT and to tunnel firewalls. This is what needs work.
I can't tell my boss that Skype is crap if I can't offer something that is at least functionally equivalent.
XMPP-based social networks need even more work and are barely known at all..
Even if, through some miracle, a new and better version of open source Skype appeared overnight, it would need to be compatible with Skype.
Sure, you can convince people to switch, provided you offer something better and it's open source, but it still has to work with Skype, the program that almost everyone else is using. You can't tell people to switch to your new program that won't work with Skype, as they won't be able to communicate with the people they know on Skype.
Anyway, it seems you've become pretty popular, Efim. Phoronix wrote about this; that's how I found out. Phoronix also got a letter from Skype themselves, so I'd expect some pressure.
There have been many attempts at this but no one really took it all the way. They were probably bought off or scared or something.
I wanted to do this reverse engineering myself but didn't manage to find the time.
I hope you succeed and won't give up.
Good luck
"Hm, but the protocol was broken before and published as 'Silver needle in the Skype' research paper, no?"
Yes. But not too deep; no session layer, for example. And take a close look at this paper.
There are no usable details or sources.
Useless. Time waste. Fail.
Not a time waste.
Skype can't change its protocol without breaking compatibility with most of their user base.
Even if it did change, I don't believe it would be a total rewrite; single elements could still be of use.
Listen, the code is of course awful... a pity so much is tied to Windows. >_< It will still be a pain if someone wants to write a Jabber transport.
Yep, it is.
Skype (or should I say MS) is going to miss a golden opportunity here. Forget Tech, think Suit. Skype does not make a dime on the client, any of them. They give it away for free to get you on the network. That is a cost center to them. Traffic and gateway services are where they make money.
If they were smart they would provide an API that could be used to build clients and gateways. The FOSS community would jump on the challenge just so they could have a Linux client that works. Then Skype could concentrate on their profit centers.
Start up a paypal page and I'll donate!
I agree, set up a PayPal button so that people can support our right to reverse engineer.
The DMCA might not be great, but it does give us the right to reverse engineer for interoperability.
There are laws to protect reverse engineering. Skype should talk to Microsoft about this. There is a grey area when you reverse engineer security encryption under the DMCA, iirc, but reverse engineering itself is still protected.
As you appear to be from Russia, MS can screw themselves. And if they still attack you, they will be the next Sony.
FUCK THEM.
Hehe, nice work man. For the idiots who are saying waste of time: just think how many people play games and waste time in other ways. In fact a man is very poor if he has no time left to waste.
I hope you'll continue with the work, because an open source client for the Skype protocol is something necessary for the open source world.
It is true that we should create open technologies that work better than the proprietary ones, but these technologies will never be used if there isn't interoperability with existing solutions that already have a large user base.
@Anton: you could just as well ask: what is the purpose of collecting stamps? It's only a waste of the time of someone's life, do something which makes more sense! I think hobbies are not always "sane", especially not at first glance. But the happiness of solving a problem etc. can make it worth it. Also there are situations where only later we can see that something was a good idea, like with Linux: Linus started that as a hobby and never even dreamed that it would be used by as many people as now; it was a "totally geek hobby without future" as far as I can see ...
>> Mitchell said...
>> Start up a paypal page and I'll donate!
FYI: PayPal accounts in Russia are limited to sending TO some PayPal accounts only, and cannot receive money.
Hi there. Nice project you are running! I am sure that the people who call it a waste of time don't have a life of their own. I hope you succeed!
Hi,
I tried to test the SkyLogin code and added the appropriate crypto functions, but I didn't succeed. The connection is closed after sending login1 and login2. Can someone confirm that it is still working (of course with a different login server than the now defunct one in the sample; I used the IP of the server from your dump)? Maybe I have an error in the SHA/MD5 functions I added?
I also noticed that there are many hardcoded bytes in the login sequence and that they differ from your dump in skype_comm.txt.
Also, there seems to be a buffer overflow in SHA_update in sha.c which blows away the stack.
I guess you have to add
if (bytes>=i) SHA->pos = 0;
at the end of the for loop to prevent adding the offset to every chunk, which causes the overflow.
Unfortunately I can't derive anything useful from your sources. As long as we can't get the login credentials without the use of the original Skype client, there can't be any useful open source implementation, right?
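The overflow dose describes, an offset that should only apply to the first partial block being applied to every block, is the classic chunked-update bug. The following is an added example (mine, not sha.c or skype_login.c): a toy block-buffered update with the same buffering shape as a SHA update(), once in the assumed buggy shape and once corrected, with a bounds-checked copy that counts the bytes that would have gone past the buffer instead of smashing the stack. The block mix is a stand-in, not SHA-1, and the 200-byte input is constructed. The invariant worth keeping in any such code is the one the fixed version is checked against: absorbing the same bytes in one call or in several must give the same state.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLK 64   /* SHA-1 / MD5 block size */

/* Toy context with the shape of a SHA update(): partial-block buffer, byte
 * position into it, running state. The block mix is a stand-in, not SHA-1. */
typedef struct {
    uint32_t state[5];
    unsigned char buf[BLK];
    size_t pos;               /* bytes waiting in buf */
} toy_ctx;

void toy_init(toy_ctx *c) { memset(c, 0, sizeof *c); }

static void toy_block(toy_ctx *c, const unsigned char *blk)
{
    for (int i = 0; i < BLK; i++)
        c->state[i % 5] = ((c->state[i % 5] << 5) | (c->state[i % 5] >> 27)) ^ blk[i] ^ (uint32_t)i;
}

/* Bounds-checked stand-in for memcpy(c->buf + off, src, n): copies what fits
 * and returns how many bytes would have landed past buf[] (onto the stack). */
static size_t guarded_copy(toy_ctx *c, size_t off, const unsigned char *src, size_t n)
{
    size_t fit = off < BLK ? BLK - off : 0;
    if (fit > n) fit = n;
    memcpy(c->buf + off, src, fit);
    return n - fit;
}

/* Assumed reconstruction of the reported bug shape (not sha.c itself): the
 * pending offset pos is applied to every full block, so once pos > 0 every
 * block after the first spills past buf[]. Returns the spilled byte count. */
size_t toy_update_buggy(toy_ctx *c, const unsigned char *data, size_t bytes)
{
    size_t i, spilled = 0;
    for (i = 0; i + BLK <= bytes; i += BLK) {
        spilled += guarded_copy(c, c->pos, data + i, BLK);   /* pos never reset */
        toy_block(c, c->buf);
    }
    spilled += guarded_copy(c, c->pos, data + i, bytes - i);
    c->pos += bytes - i;
    return spilled;
}

/* Correct update: top up the pending partial block, reset pos to 0 once it is
 * flushed, then take whole blocks from the input at offset 0. Never spills. */
size_t toy_update(toy_ctx *c, const unsigned char *data, size_t bytes)
{
    size_t i = 0, spilled = 0;
    if (c->pos) {
        size_t take = BLK - c->pos;
        if (take > bytes) take = bytes;
        spilled += guarded_copy(c, c->pos, data, take);
        c->pos += take;
        i = take;
        if (c->pos < BLK) return spilled;   /* still partial, nothing to flush */
        toy_block(c, c->buf);
        c->pos = 0;                          /* the reset the bug report asks for */
    }
    for (; i + BLK <= bytes; i += BLK) {
        spilled += guarded_copy(c, 0, data + i, BLK);
        toy_block(c, c->buf);
    }
    spilled += guarded_copy(c, 0, data + i, bytes - i);
    c->pos = bytes - i;
    return spilled;
}

int toy_equal(const toy_ctx *a, const toy_ctx *b)
{
    return a->pos == b->pos && !memcmp(a->state, b->state, sizeof a->state) && !memcmp(a->buf, b->buf, a->pos);
}

/* Constructed 200-byte input: three full blocks plus an 8-byte tail. */
static void sample_msg(unsigned char *msg) { for (size_t i = 0; i < 200; i++) msg[i] = (unsigned char)(i * 7 + 3); }

/* Fixed update: 200 bytes in one call or as 10 + 190 must agree and never spill. */
int demo_split_matches_oneshot(void)
{
    unsigned char msg[200]; toy_ctx a, b;
    sample_msg(msg); toy_init(&a); toy_init(&b);
    size_t s = toy_update(&a, msg, 200);
    s += toy_update(&b, msg, 10);
    s += toy_update(&b, msg + 10, 190);
    return s == 0 && toy_equal(&a, &b);
}

/* Buggy update: 10 bytes pending, then two full blocks copied at offset 10. */
size_t demo_buggy_spill(void)
{
    unsigned char msg[200]; toy_ctx c;
    sample_msg(msg); toy_init(&c);
    toy_update_buggy(&c, msg, 10);
    return toy_update_buggy(&c, msg + 10, 128);
}
```

With a real SHA_update the spilled bytes land on the stack, which is exactly the "blows away the stack" symptom reported; with the guarded copy they are merely counted, so the same input that corrupts the real function reports 20 stray bytes here. The split-versus-one-shot comparison is the cheapest regression test for any fix to this code.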
@dose
"Can someone confirm that it is still working"
No, I guess it's not. And I hope it's not.
Otherwise spammers could easily abuse it, right after publishing.
We should take a timeout for Skype.
To fix anything related to this.
I don't want to set spammers in action,
just after working and tested send-message code appears.
So, my thought is about getting a timeout for
implementing anti-spam restrictions in clients.
And so that Skype does not blame me for releasing a spamming tool.
I will continue at the beginning of July.
So, if spamming increases, I will say:
"hey, you had time to fix it!"
@dose
Some hints for you.
You need to know OllyDbg and have previous IDA experience.
From the Vanilla Skype PDF, we know that the keys are stored in the usual way in the Microsoft standard security container. So, find the WinAPI code for it. And try to catch debugger breaks around it.
Better do it for the 3.8/4.1 versions, which actually work for now (I hope).
I also figured out that 4.1 missed the auto-update fix, so remove (NOP out) the auto-update function before anything else.
Yes, they should ban those hardcoded values in this skype_login.c; they are not idiots.
But as long as 3.8/4.1 are still working, we may get it from there again.
So, yes, it's mostly a reverse engineering task rather than a programming problem.
Thanks for your reply,
take care,
be clever!
@skypeopensource
Regarding the whole spamming problem:
A spammer can also automate a local installation of the Skype client for spamming; remote controlling the application isn't that hard.
A spammer can also use SkypeKit.
I would agree that you possibly shouldn't release code that shows how to register on the Skype network, because spammers need lots of dummy accounts.
However, I cannot see the problem with just using the login code, as the user already has a valid account then.
Could it be that the 4.1.0.130 beta version you supplied (and which skype_login.c is based on) is banned?
I tried logging in to the network with the executable you published and logon didn't work.
However, it worked fine with an official 4.2.0.166.
As 4.1.0.130 is a beta, it isn't such a problem for users if it gets banned, as it may not be so widely used in production.
However, a ban of the 3.8 version would be disastrous, as it is the last version that is not such bloatware.
This all sounds very complicated. As far as I understand Vanilla Skype, Skype saves the encrypted credentials somewhere in shared.xml.
Now to get the credentials, I have to CryptUnprotectData the protected storage (results in 24 bytes of data for me), use this on some data in shared.xml (don't even know what all this is in there) to get the login MD5 hash, which is used to decrypt the RSA private key using the "FastTrack cipher". If I already know username+password, I guess I could calculate the MD5 hash myself and skip over to the RSA key decryption.
Well, it seems to be too complicated for me. I'm curious whether you can make something usable out of all the information you got, but from what I have seen, even implementing basic instant messaging (that's all that I would need) seems to be a challenging task.
Good luck with it!
I personally would prefer if they opened up the protocol implementation they are using for their mobile J2ME-based version. I guess this one would be easier to implement. I had a look at the decompiled J2ME version, but reading obfuscated Java code is horrible.
PS: http://www.youtube.com/watch?v=9xW-BYayh7w
This looks very promising, but unfortunately there are still no sources or information available :(
Stupid me, the credentials are in config.xml, of course, not in shared.xml.
@dose
"Could it be that the 4.1.0.130 beta version you supplied (and which skype_login.c is based on) is banned?"
Yes. And, I think, very easily.
"Skype saves the encrypted credentials somewhere in shared.xml
Now to get credentials, I have to CryptUnprotectData the protected storage"
Why decrypt it from the physical disk?
Just catch the clean bytes, right after login/registration, in the running binary's memory.
Hint:
The pubkey should start with the bytes 0x80 0x01.
Or maybe 0x01 0x80.
@skypeopensource
>Why decrypt it from the physical disk?
Because it's easier for the user and it's a universal method that doesn't need modification of the Skype executable.
I wrote a dumper that dumps credentials directly from disk; I hope you like it:
http://files.mail.ru/45NRZC
You may add it to your git repository to make every researcher's life easier for testing your code snippets.
PS: There seems to be a bug in the original skype_login.c:
#define reverse_bytes(x,i,j,n) for(i=0;(i)<(n);(i)++) ...
should be (i)<(n/2); otherwise it is swapping the bytes and changing them back again, so that the function doesn't have any effect :)
For those annoyed by the update check of the Skype 4.1 executable, I only say 653DB7 ;-)
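The loop-bound bug dose reports is worth seeing in isolation, because a byte-order swap that silently does nothing looks like a protocol-level failure (wrong key bytes on the wire, login rejected) rather than a local bug. The following is an added example and not the reverse_bytes macro from skype_login.c, whose body is elided above: the same swap loop with the two bounds side by side, a self-check that tells a working reverse from a no-op, and a 32-bit load that makes the effect visible on the kind of big-endian number material the login code handles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Loop bound n: every pair (x[i], x[n-1-i]) is swapped once on the way up
 * and again on the way back, so the buffer ends exactly as it started. This
 * is the bug class reported for the reverse_bytes macro; the macro body
 * itself is not reproduced here. */
void reverse_bytes_full(unsigned char *x, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char t = x[i];
        x[i] = x[n - 1 - i];
        x[n - 1 - i] = t;
    }
}

/* Loop bound n/2: each pair is swapped exactly once (odd n leaves the
 * middle byte alone). */
void reverse_bytes_half(unsigned char *x, size_t n)
{
    for (size_t i = 0; i < n / 2; i++) {
        unsigned char t = x[i];
        x[i] = x[n - 1 - i];
        x[n - 1 - i] = t;
    }
}

/* Self-check for any in-place reverse: run it on a 9-byte pattern and report
 * 1 for a true reversal, -1 for "input came back unchanged" (the no-op bug),
 * 0 for anything else. */
int check_reverse(void (*fn)(unsigned char *, size_t))
{
    unsigned char in[9], out[9], want[9];
    for (size_t i = 0; i < 9; i++) {
        in[i] = (unsigned char)(0x10 + i);
        want[i] = (unsigned char)(0x18 - i);
    }
    memcpy(out, in, 9);
    fn(out, 9);
    if (memcmp(out, want, 9) == 0) return 1;
    if (memcmp(out, in, 9) == 0) return -1;
    return 0;
}

uint32_t load_be32(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Why it matters here: big-number material moves between big-endian wire
 * bytes and a bignum library's word order. Reverse the bytes 01 02 03 04 with
 * the given routine and read them back big-endian: a working reverse yields
 * 0x04030201, the no-op leaves 0x01020304. */
uint32_t be32_after_reverse(void (*fn)(unsigned char *, size_t))
{
    unsigned char b[4] = { 0x01, 0x02, 0x03, 0x04 };
    fn(b, 4);
    return load_be32(b);
}

int main(void)
{
    printf("full-length loop: check=%d value=0x%08x\n",
           check_reverse(reverse_bytes_full), (unsigned)be32_after_reverse(reverse_bytes_full));
    printf("half-length loop: check=%d value=0x%08x\n",
           check_reverse(reverse_bytes_half), (unsigned)be32_after_reverse(reverse_bytes_half));
    return 0;
}
```

A check like check_reverse costs nothing and catches this class of bug at build time; it is the sort of thing to keep next to every endianness helper in a protocol implementation, since the symptom otherwise only shows up as the remote side rejecting the data.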
@dose
OMG!
Thanks dose, you are great!
I don't know about GitHub; I think it could be DMCA'd in a short time. But, for sure, I will add your research to some strong hosting, where we can host all of these files.
Guys,
I tried getting the stuff to work on Linux. Compiled skype_login after a few tweaks -- Sean O'Neil's old method, not the new Windows-specific one dose wrote. Doesn't work; it always gets 0 bytes from the server. (To find a server, I strace'd Skype for Linux to see where it connects on port 33033 when logging in.)
Since Linux doesn't have the Windows registry, I wonder where Skype for Linux stores the credentials. I mean, the credentials themselves are in config.xml, but where's the encryption key? Could be in shared.xml; there's a lot of encrypted stuff there.
@xman:
Just had a look at the Skype Linux version.
It seems that it doesn't have its MD5 hash encrypted, so just skip Stage 1 & 2 in my decrypter.
It also doesn't have a CRC at the end.
The rest is similar to the already known encryption scheme. You will get an updated Linux version of my dumper tomorrow :)
Regarding Sean O'Neil's login method: yeah, it doesn't work anymore :(
Do you guys have a git repo or something? It would be much easier to collaborate on GitHub or something similar. And because with git everybody has a copy of the whole history, we won't lose it if the project on GitHub gets closed down.
@dose: Thanks a lot, great! I'll look into compiling Efim's code for Linux this weekend.
How to compile this code?
Great post, got to know a lot from you.
@dose
Hello,
I checked your files. It looks like you only extract and save the public key. But for the code to work, the private key is also needed.
I bet it is in the bytes after FastTrackCipher decoding.
Also, the files on GitHub are still alive, so I think I will use it as the developers' box.
Regards.
@dose
Check this file:
http://pastebin.com/FfrAZavN
It's the input for the _get_cred.pl perl script.
The last 18 lines starting with "00 00 00 01"
in the "after Fasttrack decode" block are for sure the 'credentials' certificate ($data_cred).
The 0x80 bytes before this should be the private key, as I thought. But I'm not sure; this needs to be checked.
@dose
I checked the bytes after FastTrackCipher against a possible RSA secret key, but with no success.
So, for now, I think there is no secret key there, but the initial numbers n and p, with length 0x40 each, from which we can easily get the private key with some math (the calc_d function in my miramax VC project) and the Miracl lib.
Doh, they banned 4.1beta from the login/register servers.
@dose
I got the secret key from the FastTrackCipher decode output; check this:
http://pastebin.com/ASiz6tDu
It will also be useful to look at the
restore_user_keypair() function in process_cmd.c.
This function calculates the public/secret key based on these p and q numbers.
See you.
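Rebuilding an RSA keypair from p and q, which is what the comments above say restore_user_keypair() and the Miracl-based calc_d do, is a few lines of modular arithmetic. Below is an added example, mine and not code from process_cmd.c or the miramax project: it uses toy 30-bit primes in 64-bit integers so it runs without a bignum library (real Skype keys are the 0x40-byte numbers mentioned above), and assumes e = 65537 since the page does not state Skype's public exponent. It derives n, d and the CRT parameters from p and q and checks the result by round-tripping a message through the public and private operations, including the CRT form that is the practical reason for wanting p and q rather than just d.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* gcc/clang; keeps 64-bit modmul exact */

/* Toy RSA key: 30-bit primes so everything fits in uint64_t without a
 * bignum library. Real keys need Miracl/GMP-sized integers; the algebra
 * is identical. */
typedef struct {
    uint64_t p, q, n, e, d;
    uint64_t dp, dq, qinv;   /* CRT parameters: d mod (p-1), d mod (q-1), q^-1 mod p */
} toy_rsa;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((u128)a * b % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Extended Euclid: *out = a^-1 mod m. Returns 0 if gcd(a, m) != 1. */
static int invmod(uint64_t a, uint64_t m, uint64_t *out)
{
    __int128 old_r = a, r = m, old_s = 1, s = 0;
    while (r != 0) {
        __int128 q = old_r / r, t;
        t = old_r - q * r; old_r = r; r = t;
        t = old_s - q * s; old_s = s; s = t;
    }
    if (old_r != 1) return 0;
    if (old_s < 0) old_s += m;
    *out = (uint64_t)old_s;
    return 1;
}

/* Rebuild the whole keypair from the two primes and the public exponent:
 * n = p*q, d = e^-1 mod (p-1)(q-1), plus the CRT values a fast private
 * operation needs. Returns 0 on bad input (p == q, or e not coprime to phi). */
int rsa_restore(uint64_t p, uint64_t q, uint64_t e, toy_rsa *k)
{
    if (p < 3 || q < 3 || p == q) return 0;
    uint64_t phi = (p - 1) * (q - 1), d;
    if (!invmod(e, phi, &d)) return 0;
    k->p = p; k->q = q; k->n = p * q; k->e = e; k->d = d;
    k->dp = d % (p - 1);
    k->dq = d % (q - 1);
    return invmod(q, p, &k->qinv);
}

uint64_t rsa_public(const toy_rsa *k, uint64_t m)  { return powmod(m, k->e, k->n); }
uint64_t rsa_private(const toy_rsa *k, uint64_t c) { return powmod(c, k->d, k->n); }

/* Same result as rsa_private, computed mod p and mod q and recombined
 * (Garner); this is what having p and q buys over having only d. */
uint64_t rsa_private_crt(const toy_rsa *k, uint64_t c)
{
    uint64_t m1 = powmod(c % k->p, k->dp, k->p);
    uint64_t m2 = powmod(c % k->q, k->dq, k->q);
    uint64_t h = mulmod((m1 + k->p - m2 % k->p) % k->p, k->qinv, k->p);
    return m2 + h * k->q;   /* < p*q, so no overflow */
}

/* Check that the restored key is consistent: e*d == 1 mod phi and a
 * message survives public -> private (both plain and CRT). */
int rsa_selftest(const toy_rsa *k, uint64_t msg)
{
    uint64_t phi = (k->p - 1) * (k->q - 1);
    if (mulmod(k->e, k->d, phi) != 1) return 0;
    uint64_t c = rsa_public(k, msg);
    return rsa_private(k, c) == msg && rsa_private_crt(k, c) == msg;
}

int main(void)
{
    toy_rsa k;
    /* constructed toy primes; real Skype keys are 0x40-byte numbers */
    if (!rsa_restore(1000000007ULL, 998244353ULL, 65537ULL, &k)) return 1;
    printf("n=%llu d=%llu selftest=%d\n", (unsigned long long)k.n,
           (unsigned long long)k.d, rsa_selftest(&k, 123456789ULL));
    return 0;
}
```

The self-test is the check to run on whatever 0x40-byte numbers come out of the FastTrack decode: if e*d mod (p-1)(q-1) is 1 and a round trip works, the two values really are the prime factors, and the public key derived from them should match the 0x80 0x01-prefixed pubkey mentioned earlier in the thread.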
hi guys
I downloaded the stuff from the link below
http://thepiratebay.org/torrent/6442887/Skype_protocol_reverse_engineered__source_available_for_download
and did as indicated, but skype14 is not working when it tries to login. I have Win 7 and already installed Skype 5. Can anyone guide me or mail me at syedwaseemhaiderk@gmail.com? I will be grateful to you.
Hello guys
I am a new user to all this stuff. Can anyone guide me through the process step by step and tell me what the use of this stuff is? Can you people upload the whole step-by-step procedure for this? I will be very grateful to you. And please also mention the use of this stuff.