Reversing TeamSpeak 3 server

Atom

New Member
Aug 28, 2017
Decided to take a look into the TS3 Server Windows binary (3.0.13.8) just to fuzz around and maybe create a scripting API to automate some tasks that are not possible with ServerQuery (not sure if such a thing already exists).

Started reversing some data structures and managed to get the server information such as name, description, maxClients, etc. through the base pointer [ts3server + 0x005FCD5C] + 0x14 (I believe this is the virtual server?).

Now, at least for me, getting the clients is proving to be a bit more difficult. Doing a pointer scan on the nickname isn't helping because it returns a lot of results (the minimum level at which I got results was level 9) and the results seemed kinda 'random'. By this I mean the clients didn't seem to belong to an array of clients (at any level), so surely I'm doing something wrong, right? I was wondering if you guys could give me any help/hints.
 

tagKnife

Well-Known Member
Oct 2, 2015
Hi, I reversed the TS3 server a while ago, 3.0.18.6 I think. Client pointers are weird; they are done in containers, and multiple of them. In my old SDK, it looks like I have a class.

C:
// Forward declarations so the pointer members below compile.
// Offsets in the comments assume 4-byte pointers (32-bit build).
class Client;
class ClientContainer;
class ClientContainer2;
class ClientContainer3;

class ClientContainerPtr // This class is a mess, expect invalid pointers
{
public:
    ClientContainer* clientContainer; //0x0000
    ClientContainer2* clientContainer2; //0x0004
    ClientContainer3* clientContainer3; //0x0008
    char pad_0x000C[0x48]; //0x000C
};

class ClientContainer
{
public:
    char pad_0x0000[0x8]; //0x0000
    ClientContainerPtr* clientContainerPtr; //0x0008
    char pad_0x000C[0xC]; //0x000C
    Client* client; //0x0018
    char pad_0x001C[0x90]; //0x001C
};

class ClientContainer2
{
public:
    char pad_0x0000[0x4]; //0x0000
    ClientContainerPtr* clientContainerPtr; //0x0004
    ClientContainer* clientContainer; //0x0008
    char pad_0x000C[0xC]; //0x000C
    Client* client; //0x0018
    char pad_0x001C[0x28]; //0x001C
};//Size=0x0044

class ClientContainer3
{
public:
    ClientContainerPtr* clientContainerPtr; //0x0000
    ClientContainer* clientContainer; //0x0004
    ClientContainerPtr* clientContainerPtr2; //0x0008 (renamed: duplicate member name)
    char pad_0x000C[0xC]; //0x000C
    Client* client; //0x0018
    char pad_0x001C[0x28]; //0x001C
};

This makes using pointer scanning for other clients really hard, as they can go pretty deep. Virtual servers, channels, and groups are done in the same way.

Basically I think it's done like this.
Client1 is the first client on the list and has a container etc. etc.,
Client2 connects and a pointer from client1 is to client2,
Client3 connects and a pointer from client1 and client2 is to client3,
Client4 connects and a pointer from client2 and client3 is to client4,
Client2 disconnects and all the pointers are reordered and it hurts my head.

Here is my old ReClass progress: https://mega.nz/#!jcUnUZoJ!9HP8RkU6pnssXvGVe0eqvJIQz7Fp7beic2ucW8jF8Zg
 

Atom

Hey thanks for the information.
I got to a similar outcome; however, I think the client can be in any of the first 3 addresses, like so:
C:
// Forward declarations for types whose layout is not shown here
class Variables;
class ClientData;

class Client
{
public:
   char pad_0x0000[0x4]; //0x0000
   Variables* VariableNames; //0x0004
   ClientData* clientData; //0x0008
};

class ClientNode
{
public:
   ClientNode* NextNode1; //0x0000
   ClientNode* NextNode2; //0x0004
   ClientNode* NextNode3; //0x0008
   char pad_0x000C[0x8]; //0x000C
   __int32 Index; //0x0014 this is probably wrong
   Client* client; //0x0018
};

class ClientList
{
public:
   ClientNode* ClientNode1; //0x0000
   ClientNode* ClientNode2; //0x0004
   ClientNode* ClientNode3; //0x0008
};
I have no idea what kind of data structure they are using to store the clients, because they just end up looping rather than just null-pointing the end/leaf nodes. So to loop over all clients you would need to keep a list of the visited nodes/addresses until you've visited every single one.
I guess I'll move on to reversing some functions, thanks for your input.
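
The visited-node walk described in the last post, as an added example that is not code from either poster or from TeamSpeak. The `ClientNode` here is a simplified stand-in (three links plus a client pointer, padding and real offsets omitted), `collectClients`, `demoCount` and `maxNodes` are hypothetical names, and the sample graph is constructed; it assumes the nodes are already readable in the current address space.

```cpp
#include <cstddef>
#include <unordered_set>
#include <vector>

struct Client { int id; };   // stand-in; the real Client layout is in the post above

struct ClientNode {          // simplified: three links and the client pointer only
    ClientNode* next1;
    ClientNode* next2;
    ClientNode* next3;
    Client*     client;
};

// Walk every node reachable from `start`, following all three links.
// The visited set stops the walk when links loop back instead of ending in null.
// `maxNodes` (assumed bound) caps the walk if a bad pointer leads into unrelated memory.
std::vector<Client*> collectClients(ClientNode* start, std::size_t maxNodes = 4096) {
    std::vector<Client*> clients;
    std::unordered_set<const ClientNode*> visitedNodes;
    std::unordered_set<const Client*> seenClients;
    std::vector<ClientNode*> pending{start};

    while (!pending.empty() && visitedNodes.size() < maxNodes) {
        ClientNode* node = pending.back();
        pending.pop_back();
        if (node == nullptr || !visitedNodes.insert(node).second)
            continue;                          // null link or node already visited
        if (node->client != nullptr && seenClients.insert(node->client).second)
            clients.push_back(node->client);   // report each client once
        pending.push_back(node->next1);
        pending.push_back(node->next2);
        pending.push_back(node->next3);
    }
    return clients;
}

// Constructed sample: a header node without a client and three client nodes
// whose "leaf" links point back at the header instead of being null.
std::size_t demoCount() {
    static Client a{1}, b{2}, c{3};
    static ClientNode head{}, n1{}, n2{}, n3{};
    head = {&n2, &n1, &n3, nullptr};
    n2   = {&n1, &head, &n3, &b};
    n1   = {&head, &n2, &head, &a};
    n3   = {&head, &n2, &head, &c};
    return collectClients(&head).size();
}
```

Deduplicating on the `Client*` as well as on the node address matters when several nodes reference the same client, which both layouts in this thread allow.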
 