Skypelog.c Decoding Source

1. /**********************************************************
2.  SkypeLog: Display a Skype log as text.
3.  Copyright 2008 Neal Krawetz, Hacker Factor
4.  Created for the DoD Cyber Crime Center (DC3) Forensic Challenge 2008.
5.  Challenge name: 302_SKYPE_Communications_Logs_Challenge2008
6.  
7.  =========================================================
8.  Licensing and distribution:
9.  This code is provided as open source but is NOT licensed under the GPL
10.  or other common open source licenses.  This code may not be re-licensed
11.  without the explicit, written permission of Neal Krawetz.
12.  
13.  This software is provided AS-IS with no warranty expressed or implied.
14.  It may not be accurate and many not be suitable for any specific need.
15.  In locations where a warranty is required, this code may not be used.
16.  The copyright holder is not liable for any costs associated with using
17.  this software.
18.  
19.  This code, or portions of it, may be incorporated into other projects as
20.  long as the code is not re-licensed and the following acknowledgement is
21.  included along with any licensing files, copyright statements, and
22.  source code:
23.     This software includes code from skypelog by Neal Krawetz,
24.     Hacker Factor Solutions, Copyright 2008, All Rights Reserved.
25.  
26.  =========================================================
27.  To compile:  gcc skypelog.c -o skypelog
28.  
29.  =========================================================
30.  About the log file format:
31.  
32.  Skype logs are in ".dbb" files.  These are binary files.
33.  
34.  There are some files out there that try to decode the file format,
35.  but they are wrong.
36.  Example:
37.    http://dl.free.fr/gHps09KVK/SkypeLogFileAnalysis.pdf
38.    http://dmytry.pandromeda.com/texts/skype_chatlogs_friday_13.html
39.  These documents try to identify 2-byte tags and the content that follows.
40.  However, the "tags" in the documents are actually coincidental.
41.  
42.  The actual format appears to be a data dump.
43.  There are informative portions, but also some random garbage.
44.  (The garbage may have meaning, but I haven't found it yet.)
45.  How to parse:
46.    1st 16 bytes:
47.     '1331' -- denotes start of a record
48.     record size (4 bytes)
49.     session (4 bytes)
50.     unk (4 bytes)
51.  Then...
52.  For all of the bytes in the record (record size):
53.  All content begins with a 0x03.
54.      Read the data until you hit one of these bytes.
55.        This does NOT need to be on the even byte offset!
56.      - If the byte is a 0x03, then it is followed by a number.
57.        Numbers are in a 7-bit format.  The MSB identifies whether it is
58.        the last byte in the number sequence.
59.        - If the MSB is set (Byte & 0x80), then it is not the last byte
60.          in the number.
61.        - If the MSB is not set, then it is the last byte in the number.
62.        The Number identifies the TYPE of the data field.
63.      All data sections end with 0x00, 0x01, 0x02, or 0x03.
64.      - If it is 0x03, then it denotes a new dataset immediately after
65.        the last data set.  Process this next set of data.
66.      - If it is 0x00, then the next bytes are junk.  Read until you hit
67.        another 0x03.
68.  
69.  The files themselves are separated by record size.
70.  For example, if the record is 256 bytes or smaller, then it is stored in
71.  a 256 byte block and separated into a filename that contains "256" in
72.  the name.
73.    call256.dbb
74.    callmember256.dbb
75.    chat256.dbb
76.    chatmsg256.dbb   <-- the actual chat log
77.    ...
78.  If the record is larger than 256 but smaller than 512 bytes, then it
79.  goes into chat512.dbb, chatmsg512.dbb, etc.
80.  This means, a single conversation is likely split across multiple files.
81.  
82.  To put together the whole conversation, you need all of the parts.
83.  An easy way to assemble them:
84.    ./skypelog chatmsg256.dbb chatmsg512.dbb charmsg1024.dbb | sort
85.  or
86.    ./skypelog chatmsg*.dbb | sort
87.  
88.  This exacts data from each of the files, then uses sort to put them in
89.  the proper order (grouped by session and then date).
90.  
91.  To just see the time, sender, and message:
92.    skypelog chatmsg*.dbb | sort | awk -F\| '{print $2 "|" $3 "|" $4}'
93.  
94.  Each conversation includes a session ID.  For example:
95.     #useralice/$userbob;12345678abcdef10
96.  The first name is the caller.
97.  The second name is the recipient of the call.
98.  The 16 hex digits is a unique ID.  This ID appears to change with each
99.  new connection.
100.  The Session is also listed in the chat log (e.g., chat256.dbb or
101.  chat512.dbb).
102.  
103.  Let's assume you only have one of the chat files.  How much of the
104.  conversation are you missing?
105.  Each of the chat lines (chatmsg*.dbb) contains a Log ID.  (Denoted
106.  by this program with "LogId:".)  The maximum ID is stored in the basic
107.  chat file (e.g., chat256.dbb or chat512.dbb).  Each line in chatmsg*.dbb
108.  should have a Log ID that increments by one.  Thus, you can count the
109.  number of missing lines.
110.  
111.  HOWEVER:  Watch the timestamps!  Each time they reconnect, the Log ID
112.  seems to restart.  Thus: Sort by date THEN by Log.  And then watch for
113.  missing sequences in the Log ID.
114.    skypelog chatmsg*.dbb | \
115.    awk -F\| '{print $2"|"$5"|"$3"|"$4"|"$6"|"$7 }' | \
116.    sort
117.  (Best way to use the Log ID: if two lines happen in the same second,
118.  then use the Log ID to find which one came a fraction faster.)
119.  
120.  Finally: This parsing was found by reverse-engineering existing logfiles.
121.  There are plenty of bytes that are skipped (use -vvv to see them) and
122.  they may have important meanings.  Even the blocking at 0x03 may not be
123.  accurate.  (There may be a better way to identify data segments.)
124.  
125.  To see the unknown stuff, use -vvv:
126.    [num] = identified number for type of data
127.    *byte* = byte skipped because the type of data is unknown.
128.    {bytes} = bytes skipped because it is outside of an identified data set.
129.  **********************************************************/
130.  
131. #include <stdlib.h>
132.  
133. /* support files > 2G */
134. #if 0
135. # define __USE_LARGEFILE64
136. # define __USE_FILE_OFFSET64
137.  typedef struct stat64 mystat;
138. #else
139. # define O_LARGEFILE 0
140. # define fstat64(x,y) fstat(x,y)
141. # define mmap64(a,b,c,d,e,f) mmap(a,b,c,d,e,f)
142.  typedef struct stat mystat;
143. #endif
144.  
145. #include <stdio.h>
146. #include <unistd.h>
147. #include <stdint.h>
148. #include <string.h>
149. #include <ctype.h>
150. #include <time.h>
151. #include <sys/mman.h>  /* for mmap */
152. #include <sys/types.h>
153. #include <sys/stat.h>
154. #include <fcntl.h>
155.  
156. typedef uint8_t byte;
157. typedef uint64_t offset;
158.  
159. /****************************************************************/
160. /****************************************************************/
161. /****************************************************************/
162.  
163. int FileIn=0;
164. byte *Memory=NULL;
165. offset MemorySize=0;
166. offset Index=0; /* index into memory */
167.  
168. int Verbose=0;
169. char Divider='|';
170. int BlankFlag=0;
171.  
172. /****************************************************************/
173. /****************************************************************/
174. /****************************************************************/
175.  
176. /*********************************************
177.  SkypeCloseFile(): Close the memory map.
178.  This sets the globals.
179.  *********************************************/
180. void    SkypeCloseFile  ()
181. {
182.   if (Memory) { munmap(Memory,MemorySize); }
183.   MemorySize=0;
184.   if (FileIn) { close(FileIn); }
185. } /* SkypeCloseFile() */
186.  
187. /*********************************************
188.  SkypeOpenFile(): Memory map a file.
189.  This sets the globals.
190.  *********************************************/
191. void    SkypeOpenFile   (char *Filename)
192. {
193.   mystat Stat;
194.  
195.   /* block re-opens */
196.   SkypeCloseFile();
197.  
198.   /* Open file */
199.   FileIn = open(Filename,O_RDONLY|O_LARGEFILE);
200.   if (FileIn == -1)
201.     {
202.     fprintf(stderr,"ERROR: Unable to open file (%s)\n",Filename);
203.     exit(-1);
204.     }
205.  
206.   if (fstat64(FileIn,&Stat) == -1)
207.     {
208.     fprintf(stderr,"ERROR: Unable to stat file (%s)\n",Filename);
209.     close(FileIn);
210.     exit(-1);
211.     }
212.  
213.   MemorySize=Stat.st_size;
214.   if (MemorySize > 0)
215.     {
216.     Memory=mmap64(0,MemorySize,PROT_READ,MAP_PRIVATE,FileIn,0);
217.     if (Memory == MAP_FAILED)
218.       {
219.       fprintf(stderr,"ERROR: Unable to mmap file (%s)\n",Filename);
220.       close(FileIn);
221.       exit(-1);
222.       }
223.     }
224. } /* SkypeOpenFile() */
225.  
226. /*********************************************
227.  SkypeFindRecord(): Find the next record start.
228.  Skype records begin with "l33l".
229.  Returns 1st byte AFTER the record tag.
230.  Returns (offset)(-1) on EOF.
231.  This modifies Index.
232.  *********************************************/
233. offset  SkypeFindRecord ()
234. {
235.   if (memcmp(Memory+Index,"l33l",4) == 0) { Index+=4; return(Index); }
236.   for( ; Index+4 < MemorySize; Index++)
237.     {
238.     if (memcmp(Memory+Index,"l33l",4) == 0)
239.       {
240.       Index+=4;
241.       return(Index);
242.       }
243.     }
244.   return(-1);
245. } /* SkypeFindRecord() */
246.  
247. /*********************************************
248.  ReadNumber(): Read a number stored in the
249.  Skype data format.  Assume number starts
250.  at Memory[Index].
251.  The format:
252.    If the byte is < 0x80, then it is the number.
253.    If the byte is > 0x80, then num & 0x7f are
254.    seven bits to the number.
255.  Returns the number and increments Index.
256.  *********************************************/
257. uint64_t    ReadNumber  ()
258. {
259.   int Shift=0;
260.   uint64_t Num=0;
261.   while((Index < MemorySize) && (Memory[Index] & 0x80))
262.     {
263.     Num = Num | ((Memory[Index] & 0x7f) << Shift);
264.     Shift += 7;
265.     Index++;
266.     }
267.   if (Index < MemorySize)
268.     {
269.     Num = Num | ((Memory[Index] & 0x7f) << Shift);
270.     Index++;
271.     }
272.   return(Num);
273. } /* ReadNumber() */
274.  
275. /*********************************************
276.  Bytes2Val(): Read/combine bytes and return a number.
277.  *********************************************/
278. uint64_t    Bytes2Val   (int Len)
279. {
280.   uint64_t Val=0;
281.   int Shift=0;
282.  
283.   if (Index+Len >= MemorySize)
284.     {
285.     fprintf(stderr,"ERROR: Fractional Skype record.\n");
286.     return(0);
287.     }
288.  
289.   Len--;
290.   Shift=0;
291.   while(Len >= 0)
292.     {
293.     Val |= (Memory[Index] << Shift);
294.     Shift+=8;
295.     Len--;
296.     Index++;
297.     }
298.   return(Val);
299. } /* Bytes2Val() */
300.  
301. /***************************************************************/
302. /***************************************************************/
303. /***************************************************************/
304.  
305. /*********************************************
306.  Usage():
307.  *********************************************/
308. void    Usage   (char *Name)
309. {
310.   if (strchr(Name,'/'))
311.     {
312.     Name = strrchr(Name,'/');
313.     Name++;
314.     }
315.   printf("Usage: [options] %s\n",Name);
316.   printf("  -b  :: insert a blank line between records\n");
317.   printf("  -Fc :: set the field divider (default: -F'|')\n");
318.   printf("  -v  :: verbose (-vv = more verbose)\n");
319. } /* Usage() */
320.  
321. /*********************************************
322.  main():
323.  *********************************************/
324. int main    (int argc, char *argv[])
325. {
326.   int c;
327.   long RecordNum=0;
328.   long RecordLen=0;
329.   offset RecordEnd=0;
330.   time_t Time;
331.   struct tm *TimeS;
332.   uint64_t SequenceNum;
333.   uint64_t Number;
334.   int First=0;
335.   int PrintString=0;
336.   char *Label;
337.  
338.   while((c = getopt(argc,argv,"bF:v")) != -1)
339.     {
340.     switch(c)
341.       {
342.       case 'b': BlankFlag=1; break;
343.       case 'F':
344.     Divider=optarg[0];
345.     if (!strcmp(optarg,"\\n")) Divider='\n';
346.     break;
347.       case 'v': Verbose++; break;
348.       default:
349.     Usage(argv[0]);
350.     exit(-1);
351.       }
352.     }
353.  
354.   /* Process each file */
355.   for( ; optind < argc; optind++)
356.     {
357.     SkypeOpenFile(argv[optind]);
358.     Index=0;
359.     while( (Index < MemorySize) && (SkypeFindRecord() != (offset)(-1)) )
360.       {
361.       RecordNum++;
362.       if (Verbose) printf("# Record %ld in %s\n",RecordNum,argv[optind]);
363.       RecordLen = Bytes2Val(4);
364.       RecordEnd = Index + RecordLen;
365.       if (Verbose)
366.     {
367.     printf("# Record length: %ld bytes (0x%08lx)\n",
368.         (long)RecordLen,(long)RecordLen);
369.     }
370.  
371.       if (Index+RecordLen > MemorySize)
372.     {
373.     fprintf(stderr,"WARNING: Fractional record being processed.\n");
374.     /* Permit it to go on! */
375.     RecordLen = MemorySize - Index;
376.     }
377.  
378.       SequenceNum = Bytes2Val(4);
379.       if (Verbose)
380.     {
381.     printf("# Sequence: %08lx\n",(unsigned long)SequenceNum);
382.     }
383.  
384.       /* Process the record */
385.       First = 0; /* no output yet (first entry not seen) */
386.       Time=0;
387.       while(Index < RecordEnd)
388.         {
389.     /* Skip until we hit 0x03 */
390.     while ((Index < RecordEnd) && (Memory[Index] != 0x03))
391.        {
392.        if (Verbose > 2) printf(" {%02x}",Memory[Index]);
393.        Index++;
394.        }
395.  
396.     /* Check if we found the start */
397.     while ((Index < RecordEnd) && (Memory[Index] == 0x03))
398.         {
399.         Number=0;
400.         /* Skip multiple 0x03 */
401.         while (Memory[Index] == 0x03) Index++;
402.         Number = ReadNumber();
403.  
404.         PrintString=1;
405.         Label=NULL;
406.         switch(Number)
407.           {
408.           case 15: Label="VoicemailFile"; break;
409.           case 16: Label="Call"; break;
410.           case 20: Label="Summary"; break;
411.           case 36: Label="Language"; break;
412.           case 40: Label="Country"; break;
413.           case 48: Label="City"; break;
414.           case 51: Label="File"; break;
415.           case 55: Label="Peek"; break;
416.           case 64: Label="Email"; break;
417.           case 68: Label="URL"; break;
418.           case 72: Label="Description"; break;
419.           case 116: Label="Country"; break;
420.           case 184: Label="Phone"; break;
421.           case 296: Label="Type"; break;
422.           case 404: Label="User"; break; /* voicemail */
423.           case 408: Label="User"; break; /* voicemail */
424.           case 440: Label="Session"; break;
425.           case 456: Label="Members"; break; /* username */
426.           case 460: Label="Members"; break;
427.           case 468: Label="User"; break;
428.           case 472: Label="Name"; break;
429.           case 480: Label="Session"; break;
430.           case 488: Label="Sender"; break; /* username */
431.           case 492: Label="Sender"; break; /* screenname */
432.           case 500: Label="Recipient"; break;
433.           case 508: Label="Message"; break;
434.           case 584: Label="Session"; break;
435.           case 588: Label="Member"; break;
436.           case 828: Label="User"; break;
437.           case 840: Label="User"; break;
438.           case 868: Label="Number"; break;
439.           case 920: Label="Screenname"; break;
440.           case 924: Label="Fullname"; break;
441.           case 3160: Label="LogBy"; break; /* username */
442.           default:
443.             PrintString=0;
444.             /* Chatmsg lines have TWO big integers that
445.                look like timestamps.  The first is really
446.                a timestamp.  The second is the log ID number. */
447.             if (!Time && (Number > 1000000000))
448.               {
449.               if (First) { printf(" %c ",Divider); }
450.               Time = Number;
451.               TimeS = gmtime(&Time);
452.               printf("%04d-%02d-%02d %02d:%02d:%02d",
453.                 TimeS->tm_year+1900, TimeS->tm_mon+1,
454.                 TimeS->tm_mday, TimeS->tm_hour,
455.                 TimeS->tm_min, TimeS->tm_sec);
456.               First=1;
457.               }
458.             else if (Time && (Number > 1000000000))
459.               {
460.               if (First) { printf(" %c ",Divider); }
461.               printf("LogId: %ld",(long)Number);
462.               }
463.             break;
464.           } /* switch */
465.  
466.         /* Print the string */
467.         if (PrintString && First) { printf(" %c ",Divider); }
468.         if (Verbose > 1) printf(" [%ld] ",(long)Number);
469.         if (PrintString && Label) { printf("%s: ",Label); }
470.         while((Index < RecordEnd) && (Memory[Index] > 0x03))
471.           {
472.           if (PrintString && isprint(Memory[Index]))
473.             {
474.             fputc(Memory[Index],stdout);
475.             First=1;
476.             }
477.           else
478.             {
479.             if (Verbose > 2) { printf(" *%02x*",Memory[Index]); }
480.             }
481.           Index++;
482.           }
483.         }
484.       } /* while reading record */
485.     if (First || Verbose) { printf("\n"); }
486.     if (BlankFlag && (First || Verbose)) { printf("\n"); }
487.     } /* while records exist */
488.     SkypeCloseFile(argv[optind]);
489.     } /* for each file */
490.   return(0);
491. } /* main() */
492.  
493. //Credits: http://www.hackerfactor.com/src/skypelog.c
494. //BaSs_HaXoR