Viber Communication Security - Bad Request

More documents

Recommendations

Info

Experiments Chapter 3 3.2.3 Manual Reverse Engineering A lot of developers have warned us that protocol reverse engineering cannot be easily done automatically and a lot has to be done by hand. Using basic tools we will try to make sense of all the hex. Basic Structure We start by looking at the different kinds of messages and the headers we are sending towards the serevers. Starting with a truncated list of the first 32 bytes of the udp payload. 4b990100010077cab33159228d1200a0.. 4b99020077cab33159228d12060ccc02.. 4b99030077cab33159228d12 4b99020077cab33159228d12060ccc02.. 4b990600004976a50e34010000 4b9909004976a50e3401000000 4b990600015250a50e34010000 4b9909005250a50e3401000000 4b99030077cab33159228d12 4b99030077cab33159228d12 4b99060000327aa50e34010000 4b990900327aa50e3401000000 4b990600013b54a50e34010000 4b9909003b54a50e3401000000 4b990a0081c8000ceb6e70fbd28754e5.. 4b1980673cad3d353a86eb6e70fbe190.. 4b9906000174b2a60e34010000 4b99090074b2a60e3401000000 4b1980673cae3d353e46eb6e70fbe620.. 4b1980673caf3d354206eb6e70fbe141.. 4b99060000eed8a60e34010000 4b990900eed8a60e3401000000 4b1980673cb03d3545c6eb6e70fbe620.. 4b1980673cb13d354986eb6e70fbe5a9.. 4b1980673cb53d355886eb6e70fbe224.. 4b990a0080c90001eb6e70fb81cb0001.. 4b990a0081c900071d5a94a399ad3e5a.. 4b99050077cab33159228d12 This piece has been immensely truncated but already we can differentiate between two packet types: long voice packets starting with 0x4b19 and shorter signaling messages starting with 0x4b99. 20
Experiments Chapter 3 Signaling Messages The stream of signaling messages all start with a seemingly random stream identifier (in this case 0x4b99) which in all calls is 0x0080 higher than the actual voice data stream. The next two bytes indicate some sort of message type. Table 1 displays the values of the two bytes and their occurrences during a long call. Note that these messages are for the most part just sent from client to server (except for the 0x0200 messages), the messages from the server to the client have different starting bytes. Value Occurences 0100 1 0200 2 0300 142 0500 1 0600 182 0900 182 0a00 20 Table 1: Message type indicators and their occurrences. Using these numbers and their position in the stream, we can infer the meaning of the values. The 0x0100 value for example only occurs once at the begin of the stream and 0x0500 at the end, so we can assume that these message mark the beginning and the end of the call sent out by the client. The 0x0300 messages are the only messages that are sent directly to the Internet Protocol (ip)-address of the other party. They occur a lot more but do not change over time: mappelman:captures michiel > cat udp-payload.txt | grep "^4b9903" | uniq -c 142 4b99030077cab33159228d12 This message also includes a special value which is also referenced in the beginning and end messages (0x77cab33159228d12) so this looks like a simple keep alive message sent from client to client. The special value changes each call but we haven’t found a source for it. This value is also included in another type of message which is the only message that originates from the server with the same first two bytes and has a message type value of 0x0200. Table 2 gives an overview of these messages. The message value 0x0200 contains the aforementioned special value and the ip of the other client (twice actually, separated by the values 200 and 63) and some other yet unknown information as can been seen in Table 3. Values 0x0600 and 0x0900 are messages which follow a specific routine. First a messages with a 0x0600 value is sent out, then immediatly after that a message with a 0x0900 value and after some time a reply is received on the incoming stream. In Table 4 one such message exchange is displayed. A possible explanation might be the measurement of jitter in the network. The client sends two measurement in rapid succession, the server receives these messages and after a couple of those message pairs it can see how well the path to the client performs. After that it returns the packet back to the client which is then able to calculate the Round Trip Time (rtt) and jitter towards the server. 21
Page 1 and 2: Viber Communication Security Michie
Page 3 and 4: Introduction Chapter 1 1 Introducti
Page 5 and 6: Introduction Chapter 1 • How does
Page 7 and 8: Preliminary Research Chapter 2 2.1.
Page 9 and 10: Preliminary Research Chapter 2 mess
Page 15 and 16: Experiments Chapter 3 Android On An
Page 17 and 18: Experiments Chapter 3 (a) Android D
Page 19 and 20: Experiments Chapter 3 3.2 Reverse E
Page 21: Experiments Chapter 3 mappelman@ath
Page 25 and 26: Experiments Chapter 3 Time Source i
Page 27 and 28: Experiments Chapter 3 3.3 Applicati
Page 29 and 30: Experiments Chapter 3 1 public Stri
Page 31 and 32: Experiments Chapter 3 It does nothi
Page 33 and 34: Experiments Chapter 3 1 private Con
Page 35 and 36: Experiments Chapter 3 3.4 Other Wea
Page 37 and 38: Conclusion Chapter 4 4 Conclusion 4
Page 39 and 40: Acronyms Appendix A A Acronyms aes
Page 41 and 42: Appendix B [16] A. Greene, “Skype

Viber Communication Security - Bad Request

Create successful ePaper yourself

Delete template?

Save as template?