| Attention Visitor: |
You may have to register or log in before you can post:
|
|
|||||||
|
|
|
Thread Tools | Display Modes |
Audio/video stream recording forums
|
| Attention Visitor: |
You may have to register or log in before you can post:
|
|
|||||||
|
|
|
|
Thread Tools | Display Modes |
|
#1
10-04-2013, 01:03 AM
|
|||
|
|||
 dumping Ilive.toHey guys,
Do you know how to dump ilive.to streamings? It used to be possible to dump the streams getting a token from http://www.ilive.to/server.php but not anymore. Although it's still possible to get a token the server closes the connection. Code:
rtmpdump -r rtmp://live.iguide.to/edge -y vsoui5hx1do3qon -W http://player.ilive.to/secure_player_ilive_z.swf --token "UYDk93k#09sdafjJDHJKAD873" --live --debug -p "http://www.ilive.to/view/49959/watch-live-SIC_Noticias-streaming-channel-for-free" 
|
|
#4
10-04-2013, 04:03 AM
|
|||
|
|||
Re: dumping Ilive.toThanks @KSV
Is the token from the server.php response modified in the swf file?
|
|
#5
10-04-2013, 07:18 AM
|
|||
|
|||
Re: dumping Ilive.toI answer myself. The token is obfuscated inside the swf.
I take the opportunity to ask you guys, how did you find the token? deobfuscating the swf? Or somehow you've found a method to reverse the process: Recieve SecureToken()--->DecodeTEA()--->SendSecureResponse() Thanks
|
|
#6
10-04-2013, 10:23 AM
|
|||
|
|||
Re: dumping Ilive.toI mostly just signed up to say thanks! The token from server.php still worked a few days ago; now it doesn’t seem to be as easy anymore.
In another thread, oelk said that you can find the token either by manipulating the code to output the calculated token, by using a debugger, or by using a “decryption” function in one’s own code. Now I would like to be able to extract these tokens myself, but while I’m a software dev, I’m not versed in ActionScript/Flash programming. Are there any how-to guides, preferably for Linux, that describe the process? I’ve seen people in other threads ask the same question, but the search doesn’t seem to produce anything of the sort.
|
|
#7
10-04-2013, 11:12 AM
|
|||
|
|||
Re: dumping Ilive.toI've been thinking on it and I guess the most simple, feasible way would be to dissamble the swf put a "print" and assemble again.
For example in ilive.to's swf file we can see in assembly code: Code:
43 getproperty info //nameIndex = 249 46 getproperty secureToken //nameIndex = 1823 49 getlex undefined //nameIndex = 255 52 ifeq L4 56 getlocal0 57 getproperty private::_connection //nameIndex = 239 60 pushstring "secureTokenResponse" //stringIndex = 2382 63 pushnull 64 getlex com.wowza.encryptionAS3::TEA //nameIndex = 1068 67 getscopeobject 1 69 getslot 1 71 getproperty info //nameIndex = 249 74 getproperty secureToken //nameIndex = 1823 77 getlex _a_-_--- //nameIndex = 3047 80 pushint -1820302793 // 0x-6c7f9dc9 82 callproperty _a_--_-- (1) //nameIndex = 2444 86 coerce_s 87 callproperty decrypt (2) //nameIndex = 1782 91 callpropvoid call (3) //nameIndex = 195 Making a wild guess as I'm dont know match about actionscript translates to something like: Code:
_connection.call("secureTokenResponse", null, TEA.decrypt(evt.info.secureToken, _a_-_---(-1820302793)));
@Telofy I also work in linux and unfortunately there isn't much, you can try JPEXS Decompiler though. The best I've found it's Adobe swf investigator http://labs.adobe.com/technologies/swfinvestigator/ Last edited by gorilla.maguila : 10-04-2013 at 12:26 PM.
|
|
#8
10-04-2013, 11:40 AM
|
|||
|
|||
Re: dumping Ilive.toHmmhmm, JPEXS is what I used, and it gives me:
Code:
if(evt.info.secureToken != undefined)
{
this._connection.call("secureTokenResponse",null,TEA.decrypt(evt.info.secureToken,_a_-_---._a_--_--(-1820302793)));
}
Code:
package
{
import flash.display.Sprite;
import flash.utils.ByteArray;
import flash.utils.Endian;
public class _a_-_--- extends Sprite
{
{
var _loc1_:* = true;
var _loc2_:* = false;
}
public function _a_-_---() {
var _loc1_:* = false;
var _loc2_:* = true;
super();
}
private static var _a_--_-:Class = _a_-_-__;
private static var _a_--_:Class = _a_-_;
private static var _a_-__:Class = _a_---;
private static var _a_-____:Array = new Array();
private static var _a_----:Array = new Array();
private static var _a_-___-:Boolean = false;
private static var _a_--:int;
private static function _a_-_--() : void {
var _loc7_:* = false;
var _loc8_:* = true;
var _loc1_:ByteArray = new _a_--_-() as ByteArray;
var _loc2_:ByteArray = new _a_--_() as ByteArray;
var _loc3_:ByteArray = new _a_-__() as ByteArray;
_loc3_.endian = Endian.LITTLE_ENDIAN;
_a_-- = _loc3_.readInt();
var _loc4_:int = _loc2_.readByte();
var _loc5_:* = 0;
while(_loc5_ < _loc4_)
{
_a_-__-_(_loc2_);
_loc5_++;
}
_loc4_ = _loc1_.readInt();
var _loc6_:* = 0;
while(_loc6_ < _loc4_)
{
_a_--__(_loc1_,_a_----[_loc6_ % _a_----.length]);
_loc6_++;
}
_a_-___- = true;
}
private static function _a_--__(param1:ByteArray, param2:ByteArray) : void {
var _loc6_:* = false;
var _loc7_:* = true;
var _loc3_:int = param1.readInt();
var _loc4_:ByteArray = new ByteArray();
param1.readBytes(_loc4_,0,_loc3_);
var _loc5_:_a_-_-_ = new _a_-_-_(param2);
_loc5_._a_---_(_loc4_);
_loc4_.position = 0;
_a_-____.push(_loc4_.readUTFBytes(_loc4_.length));
}
private static function _a_-__-_(param1:ByteArray) : void {
var _loc3_:* = false;
var _loc4_:* = true;
var _loc2_:ByteArray = new ByteArray();
param1.readBytes(_loc2_,0,16);
_loc2_.position = 0;
_a_----.push(_loc2_);
}
public static function _a_--_--(param1:int) : String {
var _loc2_:* = false;
var _loc3_:* = true;
if(!_a_-___-)
{
_a_-_--();
}
return _a_-____[param1 ^ _a_--];
}
}
}
There were several “severe” errors during the decompilation, so I doubt the result plus print command could be recompiled again. Disassembling it seems like a good idea.
|
|
#9
10-04-2013, 05:01 PM
|
|||
|
|||
Re: dumping Ilive.toThe decompiled “_a_-_---.as” from JPEXS doesn't make much sense at least for me. I've been playing with the deobfuscated functions/classes from JPEXS in a flex compiler and the result is that:
(Following the flow of) Code:
if(evt.info.secureToken != undefined)
{
this._connection.call("secureTokenResponse",null,TEA.decrypt(evt.info.secureToken,_a_-_---._a_--_--(-1820302793)));
}
Code:
public static function _a_--_--(param1:int) : String {
var _loc2_:* = false;
var _loc3_:* = true;
if(!_a_-___-)
{
_a_-_--();
}
return _a_-____[param1 ^ _a_--];
}
Code:
private static function _a_-_--() : void {
var _loc7_:* = false;
var _loc8_:* = true;
var _loc1_:ByteArray = new _a_--_-() as ByteArray;
var _loc2_:ByteArray = new _a_--_() as ByteArray;
var _loc3_:ByteArray = new _a_-__() as ByteArray;
_loc3_.endian = Endian.LITTLE_ENDIAN;
_a_-- = _loc3_.readInt();
var _loc4_:int = _loc2_.readByte();
var _loc5_:* = 0;
while(_loc5_ < _loc4_)
{
_a_-__-_(_loc2_);
_loc5_++;
}
_loc4_ = _loc1_.readInt();
var _loc6_:* = 0;
while(_loc6_ < _loc4_)
{
_a_--__(_loc1_,_a_----[_loc6_ % _a_----.length]);
_loc6_++;
}
_a_-___- = true;
}
Code:
_a_-- = _loc3_.readInt(); Next thing I'll try it's dissamble-->assemble with https://github.com/CyberShadow/RABCDAsm. Ideas Welcome.
|
|
#10
10-04-2013, 05:54 PM
|
|||
|
|||
Re: dumping Ilive.toWell even though, my idea is going down a different path than you folks, I somewhat have found a way to get a fresh copy of the token on-the-fly.
I was looking at svnpenn's Hulu.sh script which takes a Hulu video url into Firefox, memory dumps it, then searches said dump for parameters. I noticed you can do the exact same thing with ilive and the token is in the dump, but I currently am having issues with the regex to spit out the token to place in rtmpdump. It appears the token is always before the words "Connection succeeded" so I should just need a regex that says "give me the alphanumeric with some symbols string right before Connecton succeeded". I using gawk, sed, curl, wget, etc having my script already getting the tcURL, swfurl, & playpath. I know this isn't the greatest in the world way of doing it, but I know it's possible at least.
|
|
|
| Tags: ilive, securetoken |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
