Skypes Flux Capacitor: UDP

Ralf Schlatterbeck

I recently wrote about the broken network obfuscation code (aka Flux Capacitor) of Skype published by Sean O’Neil. At the time I wasn’t able to decrypt UDP packets. Now I’ve looked a little more closely into the Vanilla Skype documentation — which also includes some code to decrypt Skype credentials on harddisk. This code contains a CRC implementation called CRC32. I had wrongly asumed that CRC32 of Skype would be the same as the crc32 implementation of pkzip, Ethernet, png, the POSIX cksum command etc. which is listed as “crc32″ in the CRC article on Wikipedia and which is standardized in e.g. IEEE 802.3.
The crc32 from the standards above inverts all the bits of the seed before using it (it uses an XOR mask of 0xFFFFFFFF) and does this again before returning the result of the CRC computation to the caller. But it uses the same polynomial as skype. So we can use an existing standard CRC implementation (e.g from the zlib library) as follows for computing the skype CRC:

def skype_crc (s, seed = 0xFFFFFFFF) :
    return (crc32 (s, seed ^ 0xFFFFFFFF)) ^ 0xFFFFFFFF

With this crc implementation I’m now able to also decrypt UDP (see updated code) packets. I’ve shown this some days ago at my talk @linuxwochenende, for slides see my events page.

Comments

Marius wrote on 2011-01-10 09:42:

This looks interesting but I guess there's still no news on the compression algorithm as nothing more was revealed at 27C3, right ?

Ralf Schlatterbeck wrote on 2011-01-10 09:57:

Right, I was at the 27C3 and Sean didn't present. Seems he has disappeared.

Marius wrote on 2011-01-13 15:08:
Well thanks for this post. It's the first confirmation I've had that the code he published does indeed work.

I just hope you don't disappear too :). Any plans on continuing this kind of work ? I'm tempted to have some fun with the binary too but I don't have the time and skills for now. An open source version of Skype would be really cool though.

Ralf Schlatterbeck wrote on 2011-01-13 15:40:

At least I have no intention to disappear :-) I plan to look into this more closely but time is scarce currently. An open source version would indeed be really cool. So if you continue on your exploration and find out something new I'd be glad for further information. You probably know about the Vanilla Skype and Silver Needle in the Skype slides (from blackhat and Defcon 2006, respectively), these are linked in the Wikipedia article on skype and provided the missing information for me to write code that decrypts Skype using Seans release. There's more in there, so it should be possible to find out certain messages skype sends just by looking at that documentation and the packets captured. I still hope someone else releases code for the compression algorithm, though...

Marius wrote on 2011-01-23 03:33:
I'm not doing to good on time either but one way or another I'll try to see what I can do about this.

Yes, I know about those , read about it on the wiki. But at the time being I had no experience to look into it. I'm only a high level programmer , c and c++ but recently I've been doing some reverse engineering too and it's fun. Kind of interesting though how people take a wack at reverse engineering sky and then only go half way. Keep in touch.