TeamSpeak 3 Protocol

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Alright, so I am emotionally feeling awful. I let go of my ex-girlfriend of 4 years completely yesterday. I just wasn't finding the peace and strength in seeing her that I was hoping for. We were hanging out as "friends", but hearing of her happiness with her new boyfriend and how she actually thought about trying to find a partner for me before thinking that we could maybe "try again" was heart shattering. I feel very psychopathic currently, randomly I get shaky along with urges to fucking destroy things, but I am trying to keep my feelings at bay. I try to smile and pretend life gets better.. anyways, the method.

Fuck the video, here is a text tutorial:
Navigate to "HKey_Local_Machine\Software\Microsoft\Windows NT\Current Version" within regedit.exe (Registry Editor).
Modify your Product ID value to something totally random.

Start a TeamSpeak 3 instance using "Run" like this: "C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe -nosingleinstance"

Connect to the target server using a new User Identity.

Repeat the steps exactly and you should be able to make a complaint against a user in each instance from the same IP address with no problem.
 
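A defender-side counterpart to the trick above, added here as an example that is not from this thread: it scans server connection log lines (constructed samples in the pipe-delimited layout of the client log quoted later in the thread; the "client connected" message wording and the uid values are assumed placeholders) and flags any source IP that presents three or more distinct identities inside a five-minute window, which is exactly the footprint the multi-identity, same-IP approach leaves. The window and threshold are assumptions to tune per server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the pipe-delimited layout of the client log line
# posted in this thread. The message wording and uid values are assumed placeholders.
SAMPLE_LOG = """\
2015-10-18 19:32:34.199570|INFO    |VirtualServer |  1|client connected 'Alice'(uid:cnstr_uid_A) from 203.0.113.10:51234
2015-10-18 19:32:41.003210|INFO    |VirtualServer |  1|client connected 'Alice2'(uid:cnstr_uid_B) from 203.0.113.10:51240
2015-10-18 19:32:50.000000|INFO    |VirtualServer |  1|client disconnected 'Bob'(uid:cnstr_uid_C) reason 'leaving'
2015-10-18 19:32:55.774420|INFO    |VirtualServer |  1|client connected 'Bob'(uid:cnstr_uid_C) from 198.51.100.7:40001
2015-10-18 19:33:02.118000|INFO    |VirtualServer |  1|client connected 'Alice3'(uid:cnstr_uid_D) from 203.0.113.10:51251
2015-10-18 19:33:09.500000|INFO    |VirtualServer |  1|client connected 'Alice'(uid:cnstr_uid_A) from 203.0.113.10:51260
2015-10-18 19:45:00.000000|INFO    |VirtualServer |  1|client connected 'Alice4'(uid:cnstr_uid_E) from 203.0.113.10:51270
"""

# timestamp | level | component | server id | message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\|"
    r"[^|]*\|[^|]*\|[^|]*\|client connected '(?P<name>[^']*)'"
    r"\(uid:(?P<uid>[^)]+)\) from (?P<ip>[\d.]+):\d+$"
)

def parse_connects(log_text):
    """Return [(timestamp, ip, uid)] for 'client connected' lines; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("ip"), m.group("uid")))
    return events

def find_identity_churn(events, window=timedelta(minutes=5), threshold=3):
    """Return {ip: set(uids)} for IPs showing >= threshold distinct uids in any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, uid in sorted(events):
        by_ip[ip].append((ts, uid))
    flagged = {}
    for ip, conns in by_ip.items():
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:  # slide the window forward
                start += 1
            distinct = {uid for _, uid in conns[start:end + 1]}  # reconnects of one uid count once
            if len(distinct) >= threshold:
                flagged[ip] = flagged.get(ip, set()) | distinct
    return flagged
```

The same-uid reconnect at 19:33:09 and the late 19:45:00 connect are included to show that a normal reconnect is not double-counted and that connects outside the window do not accumulate.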

Hexboy

Member
Jul 16, 2015
28
37
48
Sorry to hear that mate!

I keep getting a "Maximum number of connections with the same identity exceeded."
Maybe they have patched?
 

Asphyxia

Hexboy said:
Sorry to hear that mate!

I keep getting a "Maximum number of connections with the same identity exceeded."
Maybe they have patched?
No, they have not patched it.

Asphyxia said:
Connect to the target server using a new User Identity.

I guess I was not very clear about that part. You must actually connect with different user identities. I will elaborate on this step as others may become confused also.

1. Settings ---> Identities (or Ctrl+I)
2. Click on the 'Add' button
3. Create 5 different identities, for use in this example.

That is pretty straightforward, I think. All you have to do is make sure you select a different identity while connecting in each client. I hope you understand now?

If I find the motivation, I will make a video later today haha.
 

Hexboy

Ok got it, working fine, thanks for that.
I have it working programmatically kinda.

Do you know if the connection process has been reversed at all? I'm guessing so as there are bots.
 

Asphyxia

Hexboy said:
Ok got it, working fine, thanks for that.
I have it working programmatically kinda.

Do you know if the connection process has been reversed at all? I'm guessing so as there are bots.
No, those bots use the query which is totally different.
 

Asphyxia

Hexboy said:
ah right, the next step would be to reverse it which is probably beyond me to be honest.
That is exactly the part where I had a fucking heyday, trust me man --- it is really fucking fun. Me and Supervisor worked on trying for about 4 days straight. We must become more experienced with ASM and reverse engineering. :eek:
That.. or find some assistance on the subject lol.
Me and Supervisor compiled our own assortment of mmbbq files, I think I named it R4P3bbq or yumbbq. All that it was is basically a compilation of the latest stable/updated mmbbq that is alive (which is dying sadly, it is an amazing reverse engineering tool.. it pretty much makes the process itself work backwards, inside out.. which is a bit different than many other reverse engineering tools). I should Github that shit, I think I will soon. It's a tool to aid you in attempting to reverse engineer the TeamSpeak 3 protocol. We got stuck on hooking addresses or whatever *starts reading an ASM book*. :rolleyes:

I will make that video in a few minutes, I promise.
 

Hexboy

Asphyxia said:
That is exactly the part where I had a fucking heyday, trust me man --- it is really fucking fun. Me and Supervisor worked on trying for about 4 days straight. We must become more experienced with ASM and reverse engineering. :eek:
That.. or find some assistance on the subject lol.
Me and Supervisor compiled our own assortment of mmbbq files, I think I named it R4P3bbq or yumbbq. All that it was is basically a compilation of the latest stable/updated mmbbq that is alive (which is dying sadly, it is an amazing reverse engineering tool.. it pretty much makes the process itself work backwards, inside out.. which is a bit different than many other reverse engineering tools). I should Github that shit, I think I will soon. It's a tool to aid you in attempting to reverse engineer the TeamSpeak 3 protocol. We got stuck on hooking addresses or whatever *starts reading an ASM book*. :rolleyes:

I will make that video in a few minutes, I promise.

Yeah I have used it, it's not so much the ASM that is beyond me, it's the potential encryption.
I have no doubt that it has been done previously, but doubt it's public.
 

Asphyxia

This kind of walks you through it, if you can find your way I will give you free cookies!! http://www.blizzhackers.cc/viewtopic.php?p=4597974

The issue me and Supervisor ran into was likely not extremely daunting, but due to our inexperience in reverse engineering protocols it was not an easy adventure, and we had no luck completely working it out. We did get some packet information, though not a lot. We ended up giving up, lol. I am interested in trying again if you want to work on it together.

 

Hexboy

Yeah sounds good, seems rather straightforward.
Did you get to the point of writing something in c# to view the encrypted packets?
I think that would be step one, so you can at least get the entry point and then see the diff from the decrypted and the encrypted.

https://mega.co.nz/#!wthgTZBB!oqEh0mrXn3EQea1_f4wryEMUFDQZqxg9UnFmB4zF0x0

This changes the reg value to a random value, then launches TS. It might only work with 64-bit, as the install is in a different location; I'll change it once we get the other stuff working.
 

Asphyxia

Hexboy said:
Yeah sounds good, seems rather straightforward.
Did you get to the point of writing something in c# to view the encrypted packets?
I think that would be step one, so you can at least get the entry point and then see the diff from the decrypted and the encrypted.
While we probably could have gotten that working with C#, we had only gotten all packets being sent decrypted. Which is a great starting place, but it was through the command-line interface using mmBBQ. I am going to get some rest here, but when I get on tomorrow I will gladly begin looking into it again. We can collab on the project and document our work in this thread --- that will help others also. We had a slight issue, the address we were trying to hook was having some silly access violation (for received packets), which I know too little about to comment on. If I am remembering correctly, we either had a wrong address or were trying to access protected memory information. :confused:
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,029
896
216
Here's a little candy for you guys:
http://pastebin.com/LW7xxv0A
It's my TS3 packet logger library. It's written very ugly in C, but it does the job.
You need to compile this with GCC since it's for Linux ONLY.
You can inject it with LD_PRELOAD.
It was written for version 3.0.17, so the offsets might have changed.
That looks at the same time awesome and messy x)
 

TheFeldi

Member
Aug 28, 2015
15
2
35
2015-10-18 19:32:34.199570|DEBUG |PulseAudio | | connected to pulse audio server
it was on linux i think
 

TheFeldi

https://github.com/Youx/soliloque-server/wiki/teamspeak-protocol
I found something with just googlin'
Code:
-- Both hooks are mmBBQ codecave scripts; the addresses are for one specific client build.
local function decrypt_hook(context)
    -- Value in argument slot 0 at the hook point, used here to pick out one specific caller
    local ret = context.arg32(0, "uint32_t")
    if ret == 0x00903894 then
        -- Slot 2 is a char* buffer and slot 3 its length: dump that buffer
        printf("RECV_CRYPT: %s", str(context.arg32(2, "char*"), context.arg32(3, "int")))
    end
end
-- Run the hook when the function at 0x903640 returns
codecave.inject(nil, 0x903640, decrypt_hook, codecave.INTERCEPT_RETURN)

local function encrypt_hook(context)
    local ret = context.arg32(0, "uint32_t")
    if ret == 0x0090F81B then
        printf("SEND_CRYPT: %s", str(context.arg32(2, "char*"), context.arg32(3, "int")))
    end
end
-- Same address, but run the hook before the function body executes
codecave.inject(nil, 0x903640, encrypt_hook, codecave.INTERCEPT_PRE)
SOURCE: https://www.cyberguerrilla.org/a/2013/?p=10491
 