TeamViewer is one of the best-known remote control programs. When you access a remote computer, TeamViewer can record the whole session into a TVS (TeamViewer Session) file. You can play the file back later or share it with others, but other people must install TeamViewer to play a TVS file. To make sharing easier, TeamViewer has supported converting TVS files to AVI format on Windows since version 7.
Because TVS is a proprietary format, only TeamViewer can play and convert it, and we could not find any published specification of the TVS format. If you are interested in what’s in a TVS file, I will take you on a tour of one.
First, let’s open a TVS file in a hex editor. At first glance, a TVS file consists of three parts: header, body, and tail.
The header of a TVS file is a multi-line ASCII string. The first line is the magic number “TVS”. The following lines are tab-separated key-value pairs. Keys include Version, TVVersion, Date, TVServer, ClientID, ServerID, LocalParticipantID, GUID, StreamTypes, ScreenFeatures, and MetadataPosition. The value of the last key, MetadataPosition, is an offset from the beginning of the file that points to the tail of the TVS file.
The tail of a TVS file looks like Base64-encoded data. However, if we Base64-decode it, the result doesn’t look like any meaningful data.
Between the header and the tail there is a big block of random-looking data, delimited by “BEGIN” at the start and “END” at the end. If we look closer into the body, we find several “KEY” markers, each followed by two 4-byte little-endian integers. We can verify that the first integer is the size of the data that follows “KEY” and the two integers, up to the next “KEY”. Then, what the hell is the second integer? After some guessing, we find that the data in each KEY block is zlib-compressed. If we decompress the KEY data with zlib, the size of the decompressed data is exactly the value of the second integer.
The decompressed KEY data looks very meaningful, but working out the meaning of each byte does not look like an easy task. We leave that to our readers to explore.
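The layout described above can be walked with a short parser. This is an added example, not TeamViewer's code: it assumes that the first KEY follows “BEGIN” directly, that MetadataPosition is a decimal offset, and that the tail starts right after “END”. The `MAX_BLOCK` limit, the helper names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

MAX_BLOCK = 16 * 1024 * 1024  # assumed cap on a block's declared decompressed size

def parse_tvs(buf):
    """Return (header dict, decompressed KEY blocks, raw tail bytes)."""
    if not buf.startswith(b"TVS"):
        raise ValueError("missing TVS magic")
    begin = buf.find(b"BEGIN")
    if begin < 0:
        raise ValueError("no BEGIN marker")
    header = {}
    for line in buf[:begin].decode("ascii").splitlines()[1:]:
        if "\t" in line:  # tab-separated key-value pair
            key, header[key] = line.split("\t", 1)
    pos, blocks = begin + len(b"BEGIN"), []
    while buf[pos:pos + 3] == b"KEY":
        start = pos + 11  # "KEY" + two 4-byte little-endian integers
        if start > len(buf):
            raise ValueError("truncated KEY header")
        csize, usize = struct.unpack_from("<II", buf, pos + 3)
        if usize > MAX_BLOCK or start + csize > len(buf):
            raise ValueError("KEY sizes exceed file or limit")
        d = zlib.decompressobj()
        # Bound the output so a forged size field cannot inflate memory use.
        data = d.decompress(buf[start:start + csize], usize + 1)
        if len(data) != usize or not d.eof:
            raise ValueError("decompressed size does not match second integer")
        blocks.append(data)
        pos = start + csize
    if buf[pos:pos + 3] != b"END":
        raise ValueError("body does not end with END")
    return header, blocks, buf[int(header["MetadataPosition"]):]

def build_sample():
    """Constructed sample that follows the layout above; not a real recording."""
    body = b"BEGIN"
    for chunk in (b"frame-one" * 20, b"frame-two" * 20):
        comp = zlib.compress(chunk)
        body += b"KEY" + struct.pack("<II", len(comp), len(chunk)) + comp
    body += b"END"
    head = b"TVS\nVersion\t1\nMetadataPosition\t%08d\n"  # constructed values
    offset = len(head % 0) + len(body)  # fixed-width field keeps the length stable
    return (head % offset) + body + b"Y29uc3RydWN0ZWQ="

if __name__ == "__main__":
    hdr, blocks, tail = parse_tvs(build_sample())
    print(hdr, [len(b) for b in blocks], tail)
```

Walking the body by the first integer, instead of searching for the next “KEY”, avoids false matches on the three bytes `KEY` occurring inside compressed data.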