Skype Chatsync logs Structure

1. //http://www.hackerfactor.com/blog/index.php?/archives/231-Skype-Logs.html
2. #10 kmn on 2010-10-06 06:47 (Reply)
3.  
4. After my previous post, i was able to get the hang of the \chatsync\(hex).dat files structure. However it will take some time to relate all the extracted variables, handles and id's. I should mention also, that it became obvious chatsync is not an "easy" and 100% effective method of acquiring chat-history, because SOME data IS actually encoded/encrypted, opposed to the plain simple structure of DBB files.
5.  
6. What I know so far ...
7.  
8. #HEADER - 32 bytes
9. 5 bytes: 0x73; 0x43; 0x64; 0x72; 0x07 in ASCII terms "sCdB(bell)"
10. 4 bytes: unsigned int, unix timestamp
11. 4 or more bytes: unsigned int; total data size after header (filesize - 32)
12. N bytes padding
13.  
14. # Structure Level-1
15. Chatsync files contain 6 major ("big") blocks of data enumerated #1 - #6. Each of them has a standard header:
16.  
17. Block header - 16 bytes
18. 4 bytes: unsigned int; block data size (in bytes)
19. 4 bytes: unknown id
20. 4 bytes: unsigned int; block number/descriptor (1,2,3,4,5 or 6)
21. 4 bytes padding
22. Block contents (size specified in header)
23.  
24. # Structure Level-2
25. Each major block, according to it's descriptor (1-6) has different internal data structure!
26.  
27. Block_types#1,#2,#3 and #4
28. These blocks share common internal structure so i'll give the common description. The structure is what i've came to call collection of "variable clusters"(records). That is sequence of DBB variables in separate sub-blocks. Each "variable cluster" has the structure
29.  
30. byte 0x41 "A"
31. byte N
32. --
33. --
34. DBB variables
35. --
36. --
37. ( end of record )
38.  
39. NOTE:
40. In addition to 0x00, 0x03, 0x04, there are two distinct data types i've found
41. 0x01 - data is fixed size, with tructure: 0x01 - 7bit code - 8 bytes of data
42. 0x06 - which is also a mystery but has the structure:
43. var 1) 0x06 - 7 bit code - 0
44. var 2) 0x06 - 7 bit code - !=0 - 7 bit format number
45.  
46. Each "variable cluster"(record) ends with eithter:
47. - end of block (last record)
48. - variable type 0x05, followed by a number (meaning unknown to me)
49. - a zero value for N (empty record)
50.  
51. Example:
52. 65 - start of record
53. 8 - max vars 0 (?)
54. 5 - 0x05 end of record
55. 0 - a number
56. ---------------------
57. 65 - start of record
58. 6 - max vars
59. 3 - 0x03; string
60. 0 - code 0
61. 116 +
62. 101 +
63. 115 +
64. 116 +
65. 0 = end of string "test#0"
66. 0 - 0x00; int
67. 1 - code 1
68. 0 - value 0
69. 0 - 0x00; int
70. 3 - code 3
71. 235 +
72. 239 +
73. 230 +
74. 153 +
75. 4 = intValue = 1127856107
76. 5 - 0x05 end of record
77. 1 - a number
78. ---------------------
79. 65 - start of record
80. 0 - empty record !
81. ---------------------
82. 65 - start of record
83. 2 - max var 2
84. 5 - 0x05 end of record
85. 0 - a number
86. ....
87.  
88. Block_type#5...
89. ... is just a collection of 16byte records, containng four 4-byte integer values, which represent message id (as insert into main.dbb or DBB), message handles (relating to block #6) and a field i have no clue about.
90. Data is aligned, so reading sequence of 32bit integers is straight-forward.
91.  
92. Block_type#6
93. Now here's where the fun starts. The "0x02/0x03/0x02", "0x03/0x03/0x01" header thing is just a game of chance. What is really stored is this:
94. A hybrid data structure, containing both aligned (header) and "variable cluster" parts. Here's the common structure:
95. HEADER - 20 bytes
96. 4byte - integer; handle1
97. 4byte - integer; handle2
98. 4byte - integer; handle3
99. 4byte - integer; handle4
100. - as to the meaning of these handles... they relate to the id's and handles specified in the other blocks, but i have yet to figure them out.
101. 4bytes - unsigned int; total size of the following records
102. - if size is 2 bytes, this means following is "65 0" - empty record
103. DATA
104. Same rules apply as the structure of #3,#4,#5 blocks. The only difference is that the "end of block" is not end of the major block, but of the data block (started with HEADER).
105.  
106. The blocks containing actual chat messages contain a variable cluster containing a BLOB variable (0x04 data type).
107. The size of this binary field is variable and the actual messages is contained INSIDE as a variable of type TEXT (0x03). That's why many have thought there's a 0x03 based "header" to look for.
108. I've found that these BLOBs contain IP addresses, ports, server information as well as the message itself. The offset at which standart DBB parsing might be attempted is 130 bytes, but this does not hold true in every case ! Also in case of group chats, the BLOBs do not contain the messages in plain text, there is no 0x03/0x02 etc. "header", hence small scale pattern attemps are bound for failure in general.