Russian hacker-zine analysis of Skype anti-reverse-engineering measures

Russian hacker magazine Xakep Online has posted an interesting analysis of all the measures Skype goes to to avoid reverse-engineering of their protocol and code. If you can’t read the original Russian you can get the gist (as I did) from the Google translation. A few highlighted techniques:

  • Binary file is fully encrypted and dycrypted as it’s dynamically loaded into memory.
  • Eliminated almost all static function calls, and critical procedures are called via a dynamically-obtained pointer determined via obfuscated code. That makes figuring out what’s going on in a debugger difficult.
  • Recognizes the Windows kernel-mode debugger SoftICE and refuses to run when it sees it.
  • Measure how long it takes to execute certain sections of code to try to detect whether it’s being run in emulation. (I’m not sure how this would work, given the range of CPUs it has to run on…)
  • Do a checksum of the resulting decrypted code.

The article also goes into all the ways Skype routes around firewalls by looking for open ports, and suggests that along with encrypted traffic and peer-to-peer distribution it’s the perfect tool to deliver a worm, trojan or virus payload under the radar of virus checkers and firewalls… if only you can find a way to get the target client to run your code. Essentially you’re left with just one level of protection, namely Skype itself. I’m not convinced this is any more problematic than the Swiss-cheese that is Windows security already, but it’s something to think about as we go forward.

(Thanks to Sergey for the link and summary of the Russian!)