Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: Teamspeak 3
Posted: 08 Jun 2010 04:49

Joined: 01 Jun 2010 05:58
Posts: 18
Someone already got his hands on it?
I took a quick look and was expecting something similar to the ts2 protocol, but it looks like they even crypt the udp packets.

After a short check to blacklist.teamspeak.com the real connection to the server starts:

Packet 1 (me -> server) seems to be always the same one
Code:
00000000  d7 c1 32 95 35 84 20 27  00 00 00 00 02 9d 74 8b ..2.5. ' ......t.
00000010  45 aa 7b ef b9 9e fe ad  08 19 ba cf 41 e0 16 a2 E.{..... ....A...
00000020  2b 4b fa 92 95 cf 11 33  fd d5 a7 02 25 49 90 95 +K.....3 ....%I..
00000030  23 3e 00 97 2b 1c 71 b2  4e c0 61 f1 d7 6f c5 7e #>..+.q. N.a..o.~
00000040  f6 48 52 bf 82 6e 93 7e  43 de 6d 76 3a 15 ca 98 .HR..n.~ C.mv:...
00000050  30 fd 69 cb d4 0a 89 f3  5e b8 83 67 0e f7 83 1e 0.i..... ^..g....
00000060  14 1a 71 80 72 78 b8 c2  01 2e be d0 70 ed 49 b0 ..q.rx.. ....p.I.
00000070  ea c7 2e d4 0c a8 74 71  31 24 eb d8 86 46 0b 07 ......tq 1$...F..
00000080  56 38 9e 1f e9 fc e1 1a  b3 a7 6d f0 ff bd 58 1c V8...... ..m...X.
00000090  fb 32 4d a8 e6 08 0f e7  b3 ab c0 a5 9c d7 0b    .2M..... .......


Packet 2 (server -> me)
Code:
    00000000  66 28 6b ef 55 f1 14 54  00 00 02 97 76 8b 54 ad f(k.U..T ....v.T.
    00000010  79 e3 af 87 eb aa 1a 19  ba cf 41 e0 16 a2 2b 4b y....... ..A...+K
    00000020  fa 92 95 cf 11 33 fd d5  a7 02 25 49 90 95 23 33 .....3.. ..%I..#3
    00000030  08 86 2d 40 7c af 64 d2  49 e9 fc 56 f0 63 be 43 ..-@|.d. I..V.c.C
    00000040  52 b0 9c 12 de 2d 6d 80  30 7c 35 4e c5 96 21 cb R....-m. 0|5N..!.
    00000050  44 fa fc 1e b0 f2 2c 8f  b7 5e 0e c9 80 27 01 63 D.....,. .^...'.c
    00000060  0b bc 03 26 d7 fb 51 07  a5 85 2d f7 79 9d f8 e9 ...&..Q. ..-.y...
    00000070  3f fc 1e b6 41 7b 37 04  94 a9 ba 18 0a 06 20 6c ?...A{7. ...... l
    00000080  82 1a 90 f0 df 3f 8f 99  5f d8 fc cd 15 4b 92 2d .....?.. _....K.-
    00000090  6a ba 91 24 30 f3 95 84  ed 9b b4 99 0d 01 81 84 j..$0... ........
    000000A0  c7 48 95 41 83 50 9e 83  85 86 10 69 a6 3f f1 7e .H.A.P.. ...i.?.~
    000000B0  1e 1c d0 ea

This one changes a lot every time you connect.

Here's the same packet just a couple of seconds later.
Packet 2 (server -> me)
Code:
    00000000  fe a1 3c 31 6c ad 07 c9  00 00 02 97 76 8b 54 ad ..<1l... ....v.T.
    00000010  79 e3 af 87 eb aa 1a 19  ba cf 41 e0 16 a2 33 0e y....... ..A...3.
    00000020  f3 d9 d4 dc 05 4a 88 e1  a8 3c 39 7f 90 95 23 33 .....J.. .<9...#3
    00000030  08 86 2d 40 3e 85 4d 85  4b e0 da 3d cc 0c da 7e ..-@>.M. K..=...~
    00000040  52 99 d6 12 c3 62 6f 88  32 7a 69 3e cd a4 12 ce R....bo. 2zi>....
    00000050  62 fe de 1e 96 d0 0e a9  9f 75 21 ea a1 0c 04 16 b....... .u!.....
    00000060  59 98 73 42 d4 9c 3a 1d  df 8d 4a d7 6e af cc f7 Y.sB..:. ..J.n...
    00000070  2f cd 0c 86 73 5f 21 36  9f a5 9c 38 37 3d 56 01 /...s_!6 ...87=V.
    00000080  86 07 8b fc d4 27 ae b0  52 e1 c8 b5 18 3d bd 31 .....'.. R....=.1
    00000090  6f fd c7 2d 32 cb 94 9b  d7 a6 81 a7 7f 7d 89 a1 o..-2... .....}..
    000000A0  f0 73 8e 5f d5 5b ea 92  8a a6 0c 3f ac 43 d3 57 .s._.[.. ...?.C.W
    000000B0  25 04 f2


Seems to be challenging, does someone have an idea what kind of crypting this could be?


 
 
 Post subject: Re: Teamspeak 3
Posted: 08 Jun 2010 09:54

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
maybe I could take a look in the next days


 
 Post subject: Re: Teamspeak 3
Posted: 08 Jun 2010 13:18

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the encryption used is part of the libtomcrypt library.
the following is the function that does the job included in a quick tester using the packet you supplied:
Code:
/*
  by Luigi Auriemma
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

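#include <tomcrypt.h>

/*
  encrypts or decrypts a packet in place using AES-128 in EAX mode
  packet layout: 8 bytes tag, 5 bytes header (authenticated only), data
  key: 16 bytes AES key followed by 16 bytes nonce, NULL for the default one
  returns data_len, or -1 on error or when the tag doesn't match
*/
int ts3_crypt(unsigned char *key /*includes nonce*/, unsigned char *data, int data_len, int encrypt) {
    static int  aes_idx = -1;
    static const unsigned char default_key[]   = "c:\\windows\\system\\firewall32.cpl";
    unsigned long   tag = 8;
    int     err,
            stat = 0;

    if(data_len < 13) return(data_len);     // too short, left untouched
    if(!key) key = (unsigned char *)default_key;

    if(aes_idx < 0) {
        aes_idx = register_cipher(&aes_desc);   // index of AES in the cipher table
        if(aes_idx < 0) return(-1);
    }

    #define ts3_crypt_args \
        aes_idx, \
        key, 16,                    /* key */ \
        key + 16, 16,               /* nonce */ \
        data + 8, 5,                /* header */ \
        data + 13, data_len - 13,   /* input */ \
        data + 13,                  /* output */ \
        data                        /* tag */

    if(encrypt) {
        err = eax_encrypt_authenticate_memory(ts3_crypt_args, &tag);
    } else {
        err = eax_decrypt_verify_memory(ts3_crypt_args, tag, &stat);
        // CRYPT_OK is returned even if the tag is wrong, stat tells the result
        if((err == CRYPT_OK) && !stat) return(-1);
    }
    if(err != CRYPT_OK) return(-1);
    return(data_len);
}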

int main(void) {
    int             len;
    unsigned char   data[] =
        "\xd7\xc1\x32\x95\x35\x84\x20\x27\x00\x00\x00\x00\x02\x9d\x74\x8b"
        "\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2"
        "\x2b\x4b\xfa\x92\x95\xcf\x11\x33\xfd\xd5\xa7\x02\x25\x49\x90\x95"
        "\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e"
        "\xf6\x48\x52\xbf\x82\x6e\x93\x7e\x43\xde\x6d\x76\x3a\x15\xca\x98"
        "\x30\xfd\x69\xcb\xd4\x0a\x89\xf3\x5e\xb8\x83\x67\x0e\xf7\x83\x1e"
        "\x14\x1a\x71\x80\x72\x78\xb8\xc2\x01\x2e\xbe\xd0\x70\xed\x49\xb0"
        "\xea\xc7\x2e\xd4\x0c\xa8\x74\x71\x31\x24\xeb\xd8\x86\x46\x0b\x07"
        "\x56\x38\x9e\x1f\xe9\xfc\xe1\x1a\xb3\xa7\x6d\xf0\xff\xbd\x58\x1c"
        "\xfb\x32\x4d\xa8\xe6\x08\x0f\xe7\xb3\xab\xc0\xa5\x9c\xd7\x0b";

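    // decrypt
    len = ts3_crypt(NULL, data, sizeof(data)-1, 0);
    if(len < 0) {   // ts3_crypt returns -1 on error, don't use it as index
        printf("\nError: decryption failed\n");
        return(1);
    }

    data[len] = 0;
    printf("%s\n", data + 13);

    // re-encrypt
    len = ts3_crypt(NULL, data, sizeof(data)-1, 1);
    if(len < 0) return(1);

    return(0);
}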

NOTE that the research is not finished because the key for the subsequent packets differs and some of its bytes (of the new one) change for each packet.
I will finish the research and will release it officially on my website another day because now I was interested only in a quick test and nothing else.


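Added example (not part of the original posts, not code from either poster): EAX encrypts with a counter-mode keystream, so two packets protected with the same key and nonce have identical ciphertext bytes wherever their plaintext is identical at the same offset. The C program below measures this on the first 48 bytes of the two packet 2 captures from the first post; that packet 2 uses the fixed key and nonce from ts3_crypt is an assumption the thread does not confirm, and `same_runs` and `run_t` are names made up for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* First 48 bytes of the two "Packet 2" captures quoted in the first post. */
static const unsigned char cap_a[48] = {
    0x66,0x28,0x6b,0xef,0x55,0xf1,0x14,0x54, 0x00,0x00,0x02,0x97,0x76,0x8b,0x54,0xad,
    0x79,0xe3,0xaf,0x87,0xeb,0xaa,0x1a,0x19, 0xba,0xcf,0x41,0xe0,0x16,0xa2,0x2b,0x4b,
    0xfa,0x92,0x95,0xcf,0x11,0x33,0xfd,0xd5, 0xa7,0x02,0x25,0x49,0x90,0x95,0x23,0x33 };
static const unsigned char cap_b[48] = {
    0xfe,0xa1,0x3c,0x31,0x6c,0xad,0x07,0xc9, 0x00,0x00,0x02,0x97,0x76,0x8b,0x54,0xad,
    0x79,0xe3,0xaf,0x87,0xeb,0xaa,0x1a,0x19, 0xba,0xcf,0x41,0xe0,0x16,0xa2,0x33,0x0e,
    0xf3,0xd9,0xd4,0xdc,0x05,0x4a,0x88,0xe1, 0xa8,0x3c,0x39,0x7f,0x90,0x95,0x23,0x33 };

typedef struct { size_t start, len; } run_t;   /* hypothetical helper type */

/* Collects runs of identical bytes at identical offsets in a and b.
   Returns the number of runs stored in out (at most max_runs) and
   adds up all matching bytes in *equal. */
size_t same_runs(const unsigned char *a, const unsigned char *b, size_t n,
                 run_t *out, size_t max_runs, size_t *equal) {
    size_t i = 0, runs = 0;
    *equal = 0;
    while (i < n) {
        size_t start = i;
        while (i < n && a[i] == b[i]) i++;
        if (i > start) {
            *equal += i - start;
            if (runs < max_runs) {
                out[runs].start = start;
                out[runs].len   = i - start;
                runs++;
            }
        } else {
            i++;    /* bytes differ, move on */
        }
    }
    return runs;
}

int main(void) {
    run_t  runs[16];
    size_t equal, i, n = same_runs(cap_a, cap_b, sizeof(cap_a), runs, 16, &equal);
    for (i = 0; i < n; i++)
        printf("identical: offset 0x%02x, %u bytes\n",
               (unsigned)runs[i].start, (unsigned)runs[i].len);
    printf("%u of %u bytes identical\n", (unsigned)equal, (unsigned)sizeof(cap_a));
    return 0;
}
```

The first 8 bytes, where ts3_crypt expects the tag, differ completely between the two captures, while 22 bytes starting at offset 8 are identical.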
 
 Post subject: Re: Teamspeak 3
Posted: 09 Jun 2010 03:00

Joined: 01 Jun 2010 05:58
Posts: 18
I got a little compiling problem with your source.
Got the *.h of libtomcrypt 1.00
Compiler runs fine, just the linker got some probs.
Do I need the "right" version to compile it? Maybe you could provide yours?

Code:
D:\Programme\Microsoft Visual Studio\VC98\Bin>cl tom.cpp
Optimierender Microsoft (R) 32-Bit C/C++-Compiler, Version 12.00.8168, fuer x86
Copyright (C) Microsoft Corp 1984-1998. Alle Rechte vorbehalten.

tom.cpp
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

/out:tom.exe
tom.obj
tom.obj : error LNK2001: Nichtaufgeloestes externes Symbol _eax_decrypt_verify_memory
tom.obj : error LNK2001: Nichtaufgeloestes externes Symbol _eax_encrypt_authenticate_memory
tom.obj : error LNK2001: Nichtaufgeloestes externes Symbol _register_cipher
tom.obj : error LNK2001: Nichtaufgeloestes externes Symbol _aes_desc
tom.exe : fatal error LNK1120: 4 unaufgeloeste externe Verweise

D:\Programme\Microsoft Visual Studio\VC98\Bin>


 
 Post subject: Re: Teamspeak 3
Posted: 14 Jun 2010 15:39

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
obviously you need to compile libtomcrypt first and then link it

