
SkypeKit cured of greed


Attention!
Do not use this SkypeKit!
After the events described in habrahabr.ru/post/142805, Skype began banning ALL accounts that log in from the same IP address as this SkypeKit.



There is a wonderful thing called SkypeKit. In a nutshell, it is a full-featured Skype client without a GUI; you are expected to write the wrapper (the user interface) yourself.
In theory, SkypeKit could serve as the basis for:

and much more, were it not for the terms of use.
First, for Skype to allow you to distribute your product at all, you have to pay over $9000 to have it certified. Second, the certificate can be revoked at any time if Skype decides that you are violating the terms of use.

But thanks to the healing power of reverse engineering, this ailment has been cured.



Preamble



Details of how SkypeKit is distributed can be found at habrahabr.ru/post/124321.

Each runtime is compiled individually and tied to your registered organization. It is assigned a unique version number and a key, and from then on it is possible to log in through that runtime only with a key issued specifically for it. During development a Developer key is issued, which can authorize only accounts belonging to your organization.

Keys come in two types:
Developer: only the accounts of the developers in your group can log in (valid for 60 days).
Distribution: anyone can log in.

The API is accessed over a TCP socket on localhost. Over this socket the wrapper opens an SSL tunnel to the runtime, encrypted using the issued key.


Therefore, even with a sniffer on localhost, you cannot see what the wrapper and the runtime are saying to each other.
Skype requires that the finished application be obfuscated and distributed in binary form, so that nobody can pull the key out of it and use the runtime separately.

The runtime can only decrypt an SSL connection established with a key issued to its own organization. A runtime and a key from different organizations are useless on their own.

What has value, therefore, is the pair: key plus runtime.

If at some point Skype decides that you are no longer worthy of using SkypeKit (for example, because you have committed the terrible crime of publishing the source code of your program), the key can be revoked unilaterally and you will no longer be able to log in to the Skype network through your program.

Miraculous healing



As usual, all programs from Skype are protected against reverse engineering: the code is obfuscated and traps are planted to frustrate disassembly. SkypeKit is no exception.

But one day, like the miracle of the Holy Fire in Jerusalem, the obfuscation of the runtime disappeared.

Comparing two deobfuscated runtimes of the same version, compiled for different owners, showed that they differ only slightly: each file contains the build timestamp and the password of the RSA key that encrypts the local connection to the runtime.
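The differential comparison described above, reduced to a small tool, as an added example that is not code from the original post. The idea generalizes to any product compiled separately per customer: bytes that differ between two copies of the same version are the per-customer material, and widening each differing run to the surrounding printable string recovers the whole embedded field. The two "runtime images" below are constructed toy inputs with a made-up layout, not real SkypeKit binaries.

```python
"""Differential analysis of two per-customer builds of the same binary.

Added example, not code from the original post. The images, their layout
and the field names are constructed for illustration only.
"""
from typing import List, Tuple

Region = Tuple[int, bytes, bytes]  # (offset, bytes in image A, bytes in image B)


def diff_regions(a: bytes, b: bytes, merge_gap: int = 4) -> List[Region]:
    """Return contiguous byte ranges where a and b differ.

    Runs of differing bytes separated by at most merge_gap equal bytes are
    merged into one region, so a string that differs in only some characters
    is still reported as one field. A length difference is reported as a final
    region covering the tail of the longer image.
    """
    regions: List[Region] = []
    common = min(len(a), len(b))
    start = None
    last_diff = 0
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
            elif i - last_diff - 1 > merge_gap:
                regions.append((start, a[start:last_diff + 1], b[start:last_diff + 1]))
                start = i
            last_diff = i
    if start is not None:
        regions.append((start, a[start:last_diff + 1], b[start:last_diff + 1]))
    if len(a) != len(b):
        regions.append((common, a[common:], b[common:]))
    return regions


def printable_run(image: bytes, start: int, end: int) -> Tuple[int, bytes]:
    """Widen [start, end) to the surrounding run of printable ASCII bytes."""
    def printable(c: int) -> bool:
        return 0x20 <= c < 0x7F
    while start > 0 and printable(image[start - 1]):
        start -= 1
    while end < len(image) and printable(image[end]):
        end += 1
    return start, image[start:end]


def customer_fields(a: bytes, b: bytes) -> List[Tuple[int, str, str]]:
    """Map each differing region to the whole printable field containing it."""
    fields = []
    for offset, run_a, run_b in diff_regions(a, b):
        field_start, field_a = printable_run(a, offset, offset + len(run_a))
        _, field_b = printable_run(b, offset, offset + len(run_b))
        fields.append((field_start, field_a.decode("ascii", "replace"),
                       field_b.decode("ascii", "replace")))
    return fields


def make_image(timestamp: str, rsa_password: str) -> bytes:
    """Construct a toy 'runtime image': identical code around two per-customer strings."""
    code = bytes(range(256)) * 2  # stand-in for machine code shared by every build
    return (b"RUNTIME\x00" + code
            + b"build=" + timestamp.encode() + b"\x00" * 8
            + b"rsa_pass=" + rsa_password.encode() + b"\x00" * 8
            + code)


# Constructed inputs: the same version built for two different organizations.
IMAGE_A = make_image("2011-09-01T12:00:00", "Org-A-Secr3t")
IMAGE_B = make_image("2011-09-03T08:30:00", "Org-B-hUnTeR")

if __name__ == "__main__":
    for offset, field_a, field_b in customer_fields(IMAGE_A, IMAGE_B):
        print(f"0x{offset:06x}: {field_a!r} -> {field_b!r}")
```

Run against two real builds you would read the files with `open(path, "rb").read()` in place of the constructed images; the two lines printed here are the build timestamp and the key password, i.e. exactly the fields the post says differ.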

It turned out that the issued key is used only to set up the local SSL tunnel through which the wrapper reaches the runtime API; all that reaches the authorization server is a version string containing the key's fingerprint:

[image: the Technical call info window, showing the version string]

In the Windows client this window can be opened during a voice call via Call => Technical call info.

From this fingerprint the authorization server determines which key is in use and, on that basis alone, decides whether the client may be authorized.
It was established experimentally that one can put the fingerprint of one key into this string while connecting to the runtime with a different key. The authorization server answers according to the key whose fingerprint is carried in the version string; it never checks that the client actually holds that key.
For example, using the Developer key for the local SSL tunnel but sending the fingerprint of a Distribution key in the version string, it was possible to authenticate with an account that does not belong to the organization.

It further turned out that if the version string is replaced with one from a regular desktop client, there is no check at all.

This is a clear illustration of the failure of the security through obscurity model.
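The authorization weakness just described, reduced to a toy model, as an added example that is not code from the original post or from Skype. The weak server decides from the fingerprint the client merely claims (and waves through anything that looks like a desktop client); the hardened variant issues a nonce and requires a proof computed with the claimed key, so a client holding only the Developer key cannot pass itself off as a Distribution key holder. The key material, the `fp=` version-string format, the account names and the use of HMAC as a stand-in for a signature are all assumptions; the real SkypeKit wire format is not public and is not reproduced here.

```python
"""Toy model of trusting a client-asserted key fingerprint, and a fix.

Added example, not code from the original post or from Skype. Keys,
version-string format and accounts are made up for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed toy keys. A Developer key may log in only its own organisation's
# accounts; a Distribution key may log in anyone (accounts=None).
KEYS: Dict[str, Dict] = {
    "developer":    {"secret": b"org-A-developer-key",    "accounts": {"alice@orgA", "bob@orgA"}},
    "distribution": {"secret": b"org-A-distribution-key", "accounts": None},
}


def fingerprint(secret: bytes) -> str:
    """Short key identifier, playing the role of the fingerprint in the version string."""
    return hashlib.sha256(secret).hexdigest()[:16]


FP_TO_KEY = {fingerprint(k["secret"]): name for name, k in KEYS.items()}


def parse_fingerprint(version: str) -> Optional[str]:
    """Assumed format 'SkypeKit/3.7 fp=<hex>'; a desktop-style string carries no fp."""
    for part in version.split():
        if part.startswith("fp="):
            return part[3:]
    return None


def policy_allows(key_name: str, account: str) -> bool:
    allowed: Optional[Set[str]] = KEYS[key_name]["accounts"]
    return allowed is None or account in allowed


# --- Weak server: the fingerprint is nothing more than a client assertion ----
def weak_authorize(version: str, account: str) -> bool:
    """Decides from the fingerprint the client claims; never checks key possession."""
    fp = parse_fingerprint(version)
    if fp is None:
        return True  # desktop-style version string: no key check at all
    key_name = FP_TO_KEY.get(fp)
    return key_name is not None and policy_allows(key_name, account)


# --- Hardened server: the client must prove it holds the key it claims -------
def proof(secret: bytes, nonce: bytes, account: str, version: str) -> bytes:
    """Client side: MAC over the server's nonce and the login parameters."""
    return hmac.new(secret, nonce + account.encode() + version.encode(), hashlib.sha256).digest()


class ChallengeServer:
    def __init__(self) -> None:
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def authorize(self, version: str, account: str, nonce: bytes, client_proof: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or replayed nonce
        self._outstanding.discard(nonce)
        fp = parse_fingerprint(version)
        key_name = FP_TO_KEY.get(fp) if fp else None
        if key_name is None:
            return False  # no recognised key, and no anonymous desktop path
        expected = proof(KEYS[key_name]["secret"], nonce, account, version)
        if not hmac.compare_digest(expected, client_proof):
            return False  # fingerprint claimed, but the client does not hold that key
        return policy_allows(key_name, account)


def attempt(server: ChallengeServer, held_secret: bytes, claimed_fp: str, account: str) -> bool:
    """One login against the hardened server using whatever key the client really holds."""
    version = f"SkypeKit/3.7 fp={claimed_fp}"
    nonce = server.challenge()
    return server.authorize(version, account, nonce, proof(held_secret, nonce, account, version))
```

The substitution from the post is `weak_authorize(f"SkypeKit/3.7 fp={fingerprint(dist_key)}", "outsider")` with only the Developer key in hand: it succeeds, as does a desktop-style string with no fingerprint at all. Against `ChallengeServer` the same attempt fails, because the proof was computed with a key other than the one claimed; the server also consumes each nonce, so a captured proof cannot be replayed.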

FAQ



1. What changes were made? How does it differ from the original runtime?


Nothing else.

2. What certificate is this, and why was it not removed?

The certificate is needed to set up the local SSL tunnel; it is kept for compatibility with the SDK.
It was extracted from Trillian and placed into the latest version. That certificate has no expiry, which makes it the simplest choice. Even if it is revoked, nothing beyond localhost checks it, so revocation will not block the runtime.

3. Is it legal? Is it safe?

Neither legal nor safe.

There is no certainty that the fingerprint in the version string is the only check. There is a risk of losing an account when logging in through such a runtime, so while testing it is better not to use your permanent Skype account.
This is still a proprietary Skype binary, just no longer obfuscated. We cannot guarantee that it contains no undocumented functionality, so I advise treating this program as a potential trojan.

As for legality: this is one hundred percent warez, with all the consequences that entails.

4. How can Skype support be added to your program legally?

Distributing the runtime itself, the certificate and the SDK is forbidden.

You may distribute your own code for working with SkypeKit. Where the runtime and the certificate come from is then the user's business: nobody forbids a user from buying a runtime for $5 and issuing themselves 60-day Developer certificates for personal use.

For example, the popular program Audacity tells you during installation that, for mp3 support, you must obtain the LAME library yourself. This approach is entirely legal.

5. Which platforms is the runtime available for?

For now the cured runtime exists for Windows and x86 Linux.

There is a chance that the miraculous healing will also befall the Mac and ARM Linux versions.

6. How does this differ from an ordinary Skype client running in the background?



7. Tomorrow Skype will tweak the protocol slightly and all this work goes to waste!

SkypeKit is intended mainly for integration into devices,
for example TVs, consoles and landline phones.
These devices have already been licensed and sold, and changing the protocol would break all of them. The likelihood that Skype will do so in the foreseeable future is therefore extremely small.

8. Now everyone will write bots and start spamming!

Spamming was already possible through the Desktop API.
By default, the privacy settings block messages and calls from contacts who have not been authorized. So, as before, the only thing you can spam is authorization requests with accompanying text.

9. Where can I download it?

I don't know for certain, but there is a magnet link of some sort:

magnet:?xt=urn:btih:3da068082f6ec70be379d4046e4c77bc4578f751&dn=SkypeKit_sdk%2Bruntimes_370_412.zip&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp%3A%2F%2Ftracker.ccc.de%3A80


Summary



Of course, this is not a complete solution; there is still an unknown proprietary Skype binary inside.

If you want to contribute to a truly noble cause, creating an open implementation of the Skype protocol, you can donate at skype-open-source.blogspot.com/p/donate.html

Developers are encouraged to join in.
The SDK is for:


Any questions that arise can be asked in the Jabber conference room skypeopensource@conference.jabber.ru

Source: https://habr.com/ru/post/141966/

