Spoofing Client version?

dotface

Member
Sep 12, 2015
Hi,

I was wondering if it would be possible to spoof the client version?

You know, some servers can require you to have a specific/latest client version...

I tried to find where the client version is stored (with CheatEngine/hex-editing (lol)) without success...

I just found some values of the stable build/beta build in the Settings.db.

Did anyone else try this already? Is it even possible to fake it?
 

Supervisor

Administrator
Apr 27, 2015
When the client connects to the server, it sends a few "welcome messages". In there is a specially crafted string with the client version. I'm pretty sure you can fake it. I'll look into it when I come home.
 

fyfywka

TeamSpeak Developer
Contributor
Sep 10, 2015
90% you cannot change the version; you have to look at ts3client_win*.exe.
 

fyfywka

TeamSpeak Developer
Contributor
Sep 10, 2015
alpha channel
141.101.112.28 - alpha server (Direct IP access not allowed)


Supervisor

Administrator
Apr 27, 2015
I can't find a 3.0.19 -

/edit: what about that alpha channel? How do you get in there?
 

L.

Well-Known Member
Sep 1, 2015
So I did a fast sniff with Wireshark and didn't see anything that is super special.
Maybe if I get a bit more time I will check it with Olly.
Regards
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
The version is checked with a simple string plus an encrypted one. So it's not easy to do it client-side. (Well, you can easily spoof it with an existing one, that is.)
 

dotface

Member
Sep 12, 2015
The version is checked with a simple string plus an encrypted one. So it's not easy to do it client-side. (Well, you can easily spoof it with an existing one, that is.)
And how would we do this?

Like, I want to use client version 16 on a server that requires 18.1?
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
Hook the encryption function and modify the strings sent on the fly. (You may also just patch the binary, but the way these are stored has changed, if I'm not mistaken.)
 

Supervisor

Administrator
Apr 27, 2015
Alright, with a lot of help from @maxmuen I can tell you this:
There is a "versionSign" the TeamSpeak client sends to the server. Examples:
Code:
  Version = "3.0.16 [Build: 1407159763]";
  Platform = "Windows";
  VersionSign = "Y1DuQGXo/8/rYznEGyeQHgpvZMuiCH4FYm4QVyAgLYyMpNpc/LM7XetVWhDQxGsNejkN/2olI7GVJkt4X+ooDg==";

  Version = "3.0.18.1 [Build: 1444491275]";
  Platform = "Windows";
  VersionSign = "xqfa3CUd2GFiTqjJWYzcu9ZbxVVLng8qIMKlVxMqWdiM8JrTRiXBAaTBDd8Xc+flVe+rGSIOZTkXRsz1rqjiAA==";

You can find the versionSign within the TeamSpeak 3 client. It is possible to fake another client version, but only one that was released already. Since this versionSign is encrypted pretty heavily, it seems not to be possible to create a new one for, say, "3.1.0".
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
Here's some material on how the client stores this info:
Code:
strlen("fp")
memcpy(0xXXXXXXX, "fp", 2)
strlen("]")

strlen("ddlichjfbnichlplgbnb")
memcpy(0xXXXXXXX, "ddlichjfbnichlplgbnb", 20)
strlen("1407159763")
memcpy(0xXXXXXXX, "1407159763", 10)

strlen("ccnhffnhefnlcgpghh")
memcpy(0xXXXXXXX, "ccnhffnhefnlcgpghh", 18)
strlen(" [Build: ")
memcpy(0xXXXXXXX, " [Build: ", 9)

strlen("dbkcchimbnib")
memcpy(0xXXXXXXX, "dbkcchimbnib", 12)
strlen("3.0.16")
memcpy(0xXXXXXXX, "3.0.16", 6)

memcpy(0xXXXXXXX, "3.0.16", 6)
memcpy(0xXXXXXXX, " [Build: ", 9)
memcpy(0xXXXXXXX, "3.0.16 [Build: ", 15)
memcpy(0xXXXXXXX, "1407159763", 10)
memcpy(0xXXXXXXX, "3.0.16 [Build: 1407159763", 25)
memcpy(0xXXXXXXX, "3.0.16 [Build: 1407159763]", 26)
strlen("8776GitHAgkFPfOLxEh5x+Luuh4NrYPEJUdsUzNKndcAuWMYjwQTZkmeZOeG/swdn/p2Cg2pRfZfsIFSOAUWCQ==")
memcpy(0xXXXXXXX, "8776GitHAgkFPfOLxEh5x+Luuh4NrYPEJUdsUzNKndcAuWMYjwQTZkmeZOeG/swdn/p2Cg2pRfZfsIFSOAUWCQ==", 88)
memcpy(0xXXXXXXX, "8776GitHAgkFPfOLxEh5x+Luuh4NrYPEJUdsUzNKndcAuWMYjwQTZkmeZOeG/swdn/p2Cg2pRfZfsIFSOAUWCQ==", 88)

strlen("eoofhjnhfe")
memcpy(0xXXXXXXX, "eoofhjnhfe", 10)
strlen("Linux")
memcpy(0xXXXXXXX, "Linux", 5)
memcpy(0xXXXXXXX, "Linux", 5)
Additionally, one may be able to 'break' the cipher used for the sign string by reversing the server binary.
 
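An added illustration, not part of ehthe's post and not the client's own code: every obfuscated string in that trace is exactly twice as long as the plaintext next to it and uses only the letters a to p, which fits one hex nibble per letter (a=0 ... p=15) XORed against a fixed per-position keystream. The script below recovers that keystream from the page's own pairs by known plaintext and decodes the strings with it; the nibble mapping and the XOR model are assumptions inferred from those pairs, not something the thread states.

```python
# Added example: known-plaintext recovery of a string-obfuscation keystream.
# Assumed model (inferred from the trace, not stated on the page): each letter
# a..p is one hex nibble (a=0 ... p=15), two letters per byte, high nibble
# first, and byte i of the plaintext is XORed with a fixed key[i].
ALPHABET = "abcdefghijklmnop"

# Obfuscated/plaintext pairs copied from the strlen/memcpy trace above.
PAIRS = [
    ("fp", "]"),
    ("ddlichjfbnichlplgbnb", "1407159763"),
    ("ccnhffnhefnlcgpghh", " [Build: "),
    ("dbkcchimbnib", "3.0.16"),
    ("eoofhjnhfe", "Linux"),
]

def letters_to_bytes(obf: str) -> bytes:
    """Turn an a..p letter string into raw bytes, two letters per byte."""
    if len(obf) % 2 or any(c not in ALPHABET for c in obf):
        raise ValueError(f"not an a-p nibble string: {obf!r}")
    nibbles = [ALPHABET.index(c) for c in obf]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def recover_keystream(pairs) -> bytes:
    """key[i] = obfuscated_byte[i] ^ plaintext[i]; every pair must agree."""
    key = {}
    for obf, plain in pairs:
        raw = letters_to_bytes(obf)
        if len(raw) != len(plain):
            raise ValueError(f"length mismatch for {plain!r}")
        for i, (o, p) in enumerate(zip(raw, plain.encode("ascii"))):
            if key.setdefault(i, o ^ p) != o ^ p:
                raise ValueError(f"keystream conflict at byte {i}")
    if sorted(key) != list(range(len(key))):
        raise ValueError("keystream has gaps; need longer known plaintexts")
    return bytes(key[i] for i in range(len(key)))

def decode(obf: str, key: bytes) -> str:
    """Decode an obfuscated string with a recovered keystream."""
    raw = letters_to_bytes(obf)
    if len(raw) > len(key):
        raise ValueError("string is longer than the recovered keystream")
    return bytes(o ^ k for o, k in zip(raw, key)).decode("ascii")

if __name__ == "__main__":
    key = recover_keystream(PAIRS)
    print("keystream:", key.hex())
    for obf, _ in PAIRS:
        print(f"{obf:22} -> {decode(obf, key)!r}")
```

A fixed per-position keystream falls to a handful of known plaintexts like these, which is why this kind of obfuscation keeps strings out of a plain strings dump but not away from anyone reading the binary.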

9dc

Member
Sep 21, 2015
Is it possible to change the string that says which device I am online from? Like Windows, Linux, FreeBSD?
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
Well, of course it is possible. But it's not that easy after all x)
 

dedmen

TeamSpeak Developer
Contributor
Mar 28, 2016
How funny ^^ I just googled whether anyone had already tried that and found our forum :cool:
I was working on that version_sign the whole day yesterday. The sign is made up of two parts, each 32 bytes... The first one is a hash of the versionString, which is pushed into a sha512 hash together with the computed hash of the versionString and the versionString itself. That is then processed somehow with the second 32 bytes (I guess it's an xor key encrypted with a static key in the server binary) and after some xoring (I think, at least) the first 32 bytes come out again and are compared with the sign from the beginning. And if those match... you are accepted. I got everything for the first 32 bytes already... Just need to figure out that second xoring-like part... I already found a function in there which references a static encryption key, so I think I'm close.
 

Derp

Retired Staff
Contributor
Apr 30, 2015
How funny ^^ I just googled whether anyone had already tried that and found our forum :cool:
I was working on that version_sign the whole day yesterday. The sign is made up of two parts, each 32 bytes... The first one is a hash of the versionString, which is pushed into a sha512 hash together with the computed hash of the versionString and the versionString itself. That is then processed somehow with the second 32 bytes (I guess it's an xor key encrypted with a static key in the server binary) and after some xoring (I think, at least) the first 32 bytes come out again and are compared with the sign from the beginning. And if those match... you are accepted. I got everything for the first 32 bytes already... Just need to figure out that second xoring-like part... I already found a function in there which references a static encryption key, so I think I'm close.
You're very close! Good job :)

BTW: Not to let you down, but very little can be done knowing the cryptography behind the version sign (I'm sure you now have a better idea of what it can be ;) )
 