Tuesday, January 23, 2007

TcpXtract - 3gp

This is the third part of my tcpxtract series; I have previously written two posts about it. I never thought I would write this much about tcpxtract (the tool is kinda buggy), but it is really useful, especially when you need to extract certain types of files out of captured traffic.

Last week I was told about the 3gp media file format by mypapit. 3gp is the 3GPP (3rd Generation Partnership Project) multimedia container format used by 3G mobile phones for video. Most mobile handphones nowadays ship with 3GPP and 3GPP2 content capture and playback capabilities, so most of the pr0n video clips are distributed in 3gp format from the server to the client end (mobile phone users). I don't really know much about it as I'm still using an old handphone.

Thanks to mypapit again, as he pointed me to where to get 3gp files so that I had a chance to look at the header of the file and write a tcpxtract sig for it. I logged the network traffic with tcpdump while downloading the 3gp file. If you are administering many servers, you would not want to dig out 3gp files on every server, as that is a lot of work; it is better to detect and identify them at the network level so that you can eliminate them easily.

One good resource that I found for writing file signatures is -

http://filext.com/detaillist.php?extdetail=3gp&Search=Search


However, the header given there is far too common in packet payloads; I don't think 00 00 00 at offset 0 makes a good signature. I needed to dig more to write a more accurate signature for 3gp. I downloaded a file and renamed it to pr0n.3gp.

shell>file pr0n.3gp
pr0n.3gp: ISO Media, MPEG v4 system, 3GPP (H.263/AMR)

Then I examined its data in hex|ascii format and identified the fixed string ftyp3gp4; it comes right after 00 00 00 and a fourth, variable byte. (The first four bytes are the big-endian size of the ftyp box, so for any ftyp box shorter than 256 bytes the first three are zero and only the fourth varies.) Before writing the sig, I tested it with ngrep -

shell>ngrep -i -I 3gp.pcap -t 'ftyp3gp4'
input: 3gp.pcap
match: ftyp3gp4
.....

shell>ngrep -I 3gp.pcap -xX '0x6674797033677034'
input: 3gp.pcap
match: 0x6674797033677034
.....

Now it should be pretty accurate; the byte at offset 3 was the only one that varied across the 3gp file variants I examined. One caveat: 3gp4 is just one of the 3GPP brands (3gp5, 3gp6 and later revisions also appear as the major brand, and 3GPP2 files use 3g2a), so a file with a different major brand will not hit this signature and needs its own entry. Thus I added the sig to tcpxtract.conf as below -

3gp(1000000, \x00\x00\x00\?\x66\x74\x79\x70\x33\x67\x70\x34);

I got a syntax error when I added this signature; it appears that the file type (extension) name cannot start with a digit, only letters (pretty odd and buggy). Thus I had to change it to tgp instead of 3gp.

tgp(1000000, \x00\x00\x00\?\x66\x74\x79\x70\x33\x67\x70\x34);

Then I executed -

shell>mkdir 3gp-extract

shell>tcpxtract -f 3gp.pcap -o 3gp-extract

Examined the file that was extracted -

shell>file 3gp-extract/00000000.tgp
3gp-extract/00000000.tgp: ISO Media, MPEG v4 system, 3GPP (H.263/AMR)
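As an added example (not code from the original post), here is a small Python checker for the signature above. It scans a byte buffer, such as a reassembled TCP payload, for ISO base media ftyp boxes, reports the major and compatible brands, tells you whether the post's \x00\x00\x00\?ftyp3gp4 signature would fire on that payload, and renders a tcpxtract.conf entry for any major brand. The HTTP response and the 3gp5 file head are constructed sample data; the function and constant names are my own.

```python
"""Check what a candidate 3gp tcpxtract signature really matches.
Added example; all sample payloads are constructed below."""
import re
import struct

# Brands used by 3GPP (3gpN) and 3GPP2 (3g2N) files; the post's signature
# only covers the single major brand '3gp4'.
THREE_GPP_BRAND = re.compile(rb"3gp[0-9a-z]|3g2[0-9a-z]")

# An ftyp box starts with its big-endian 32-bit size.  Real ftyp boxes are
# far shorter than 256 bytes, so the first three size bytes are zero and
# only the fourth varies: that is the byte the post wildcards with '\?'.
FTYP_RE = re.compile(rb"\x00\x00\x00.ftyp", re.DOTALL)

# The exact signature from the post, as a regex over raw payload bytes.
POST_SIG = re.compile(rb"\x00\x00\x00.ftyp3gp4", re.DOTALL)


def find_ftyp_boxes(buf):
    """Return (offset, major_brand, minor_version, compatible_brands) for
    every well-formed ftyp box found in buf."""
    boxes = []
    for m in FTYP_RE.finditer(buf):
        off = m.start()
        size = struct.unpack(">I", buf[off:off + 4])[0]
        if size < 16 or size % 4 or off + size > len(buf):
            continue  # truncated or bogus box, skip it
        major = buf[off + 8:off + 12]
        minor = struct.unpack(">I", buf[off + 12:off + 16])[0]
        compat = [buf[i:i + 4] for i in range(off + 16, off + size, 4)]
        boxes.append((off, major, minor, compat))
    return boxes


def is_3gpp(major, compat):
    """True when the major brand or any compatible brand is a 3GPP/3GPP2 brand."""
    return any(THREE_GPP_BRAND.fullmatch(b) for b in [major] + list(compat))


def matches_post_signature(buf):
    """Would the post's tcpxtract signature fire on this payload?"""
    return POST_SIG.search(buf) is not None


def tcpxtract_sig(name, major, maxsize=1000000):
    """Render a header-only tcpxtract.conf entry for a given major brand, in
    the escaped form the post uses.  Pass a name that starts with a letter
    (e.g. 'tgp'); the post found that names starting with a digit are
    rejected by the config parser."""
    hdr = r"\x00\x00\x00\?" + "".join("\\x%02x" % b for b in b"ftyp" + major)
    return "%s(%d, %s);" % (name, maxsize, hdr)


def ftyp_box(major, minor, compat):
    """Build a syntactically valid ftyp box (constructed test data)."""
    body = b"ftyp" + major + struct.pack(">I", minor) + b"".join(compat)
    return struct.pack(">I", 4 + len(body)) + body


# Constructed payloads: an HTTP response carrying a 3gp4 file, and the head
# of a file whose major brand is 3gp5 (also 3GPP, but missed by the post's sig).
SAMPLE_3GP4 = (b"HTTP/1.1 200 OK\r\nContent-Type: video/3gpp\r\n\r\n"
               + ftyp_box(b"3gp4", 0, [b"3gp4", b"isom"]) + b"\x00" * 16)
SAMPLE_3GP5 = ftyp_box(b"3gp5", 0x200, [b"3gp5", b"isom", b"mp41"])

if __name__ == "__main__":
    for label, buf in (("3gp4 sample", SAMPLE_3GP4), ("3gp5 sample", SAMPLE_3GP5)):
        for off, major, minor, compat in find_ftyp_boxes(buf):
            print("%s: ftyp at offset %d, major %s, compatible %s, 3GPP=%s, post sig hits=%s"
                  % (label, off, major.decode(), b",".join(compat).decode(),
                     is_3gpp(major, compat), matches_post_signature(buf)))
    print(tcpxtract_sig("tgp", b"3gp4"))
    print(tcpxtract_sig("tgp", b"3gp5"))
```

Running it shows the 3gp4 payload hitting the post's signature and the 3gp5 head being a 3GPP file that the signature misses; the last two lines print the tcpxtract.conf entries you would add for each brand.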

Now that I have the signature right, let's move on. Sorry guys, no phone pr0n for you next time!

Cheers (:P)

6 comments:

Anonymous said...

Well, smartass.
3gp is a container format, so I don't think your magic will catch any other file than yours :P
http://en.wikipedia.org/wiki/3gp

C.S.Lee said...

Anonymous,

Unfortunately, the magic works.


kate said...

Well, fortunately this is a nice post. The magic/trick that you just did is perfect.