Audio/video stream recording forums (http://stream-recorder.com/forum/index.php)
-   rtmpdump (http://stream-recorder.com/forum/forumdisplay.php?f=54)

dumping Ilive.to

(http://stream-recorder.com/forum/showthread.php?t=16652)

gorilla.maguila 10-04-2013 12:03 AM

dumping Ilive.to


 
Hey guys,

Do you know how to dump ilive.to streams?

It used to be possible to dump the streams by getting a token from http://www.ilive.to/server.php but not anymore. Although it's still possible to get a token, the server closes the connection.

Code:

rtmpdump -r rtmp://live.iguide.to/edge -y vsoui5hx1do3qon -W http://player.ilive.to/secure_player_ilive_z.swf --token "UYDk93k#09sdafjJDHJKAD873" --live --debug -p "http://www.ilive.to/view/49959/watch-live-SIC_Noticias-streaming-channel-for-free"

KSV 10-04-2013 02:58 AM

Re: dumping Ilive.to


 
try with
Code:

-T "I8772LDKksadhGHGagf#"

hasomaso 10-04-2013 02:59 AM

Re: dumping Ilive.to


 
test that

Code:

--token "I8772LDKksadhGHGagf#"

gorilla.maguila 10-04-2013 03:03 AM

Re: dumping Ilive.to


 
Thanks @KSV

Is the token from the server.php response modified in the swf file?

gorilla.maguila 10-04-2013 06:18 AM

Re: dumping Ilive.to


 
I answer myself. The token is obfuscated inside the swf.

I take the opportunity to ask you guys, how did you find the token? Deobfuscating the swf? Or somehow you've found a method to reverse the process:

Receive SecureToken()--->DecodeTEA()--->SendSecureResponse()

Thanks

Telofy 10-04-2013 09:23 AM

Re: dumping Ilive.to


 
I mostly just signed up to say thanks! The token from server.php still worked a few days ago; now it doesn’t seem to be as easy anymore.

In another thread, oelk said that you can find the token either by manipulating the code to output the calculated token, by using a debugger, or by using a “decryption” function in one’s own code.

Now I would like to be able to extract these tokens myself, but while I’m a software dev, I’m not versed in ActionScript/Flash programming. Are there any how-to guides, preferably for Linux, that describe the process? I’ve seen people in other threads ask the same question, but the search doesn’t seem to produce anything of the sort.

gorilla.maguila 10-04-2013 10:12 AM

Re: dumping Ilive.to


 
I've been thinking on it and I guess the most simple, feasible way would be to disassemble the swf, put in a "print" and assemble again.

For example in ilive.to's swf file we can see in assembly code:

Code:

43  getproperty           info //nameIndex = 249
46  getproperty           secureToken //nameIndex = 1823
49  getlex                undefined //nameIndex = 255
52  ifeq                  L4

56  getlocal0
57  getproperty           private::_connection //nameIndex = 239
60  pushstring            "secureTokenResponse"  //stringIndex = 2382
63  pushnull
64  getlex                com.wowza.encryptionAS3::TEA //nameIndex = 1068
67  getscopeobject        1
69  getslot               1
71  getproperty           info //nameIndex = 249
74  getproperty           secureToken //nameIndex = 1823
77  getlex                _a_-_--- //nameIndex = 3047
80  pushint               -1820302793        // 0x-6c7f9dc9
82  callproperty          _a_--_-- (1) //nameIndex = 2444
86  coerce_s
87  callproperty          decrypt (2) //nameIndex = 1782
91  callpropvoid          call (3) //nameIndex = 195


Making a wild guess, as I don't know much about ActionScript, it translates to something like:

Code:

_connection.call("secureTokenResponse", null, TEA.decrypt(evt.info.secureToken, _a_-_---(-1820302793)));

Where _a_-_---() is an obfuscated function. And maybe we can put something like trace(_a_-_---(-1820302793)) in assembly to show the computed token. (I think this method would also apply for coolsport)


@Telofy
I also work in Linux and unfortunately there isn't much; you can try JPEXS Decompiler though. The best I've found is Adobe SWF Investigator http://labs.adobe.com/technologies/swfinvestigator/

Telofy 10-04-2013 10:40 AM

Re: dumping Ilive.to


 
Hmmhmm, JPEXS is what I used, and it gives me:

Code:

if(evt.info.secureToken != undefined)
{
      this._connection.call("secureTokenResponse",null,TEA.decrypt(evt.info.secureToken,_a_-_---._a_--_--(-1820302793)));
}

The whole file “_a_-_---.as” looks like this:

Code:

package
{
  import flash.display.Sprite;
  import flash.utils.ByteArray;
  import flash.utils.Endian;


  public class _a_-_--- extends Sprite
  {
      {
        var _loc1_:* = true;
        var _loc2_:* = false;
      }

      public function _a_-_---() {
        var _loc1_:* = false;
        var _loc2_:* = true;
        super();
      }

      private static var _a_--_-:Class = _a_-_-__;

      private static var _a_--_:Class = _a_-_;

      private static var _a_-__:Class = _a_---;

      private static var _a_-____:Array = new Array();

      private static var _a_----:Array = new Array();

      private static var _a_-___-:Boolean = false;

      private static var _a_--:int;

      private static function _a_-_--() : void {
        var _loc7_:* = false;
        var _loc8_:* = true;
        var _loc1_:ByteArray = new _a_--_-() as ByteArray;
        var _loc2_:ByteArray = new _a_--_() as ByteArray;
        var _loc3_:ByteArray = new _a_-__() as ByteArray;
        _loc3_.endian = Endian.LITTLE_ENDIAN;
        _a_-- = _loc3_.readInt();
        var _loc4_:int = _loc2_.readByte();
        var _loc5_:* = 0;
        while(_loc5_ < _loc4_)
        {
            _a_-__-_(_loc2_);
            _loc5_++;
        }
        _loc4_ = _loc1_.readInt();
        var _loc6_:* = 0;
        while(_loc6_ < _loc4_)
        {
            _a_--__(_loc1_,_a_----[_loc6_ % _a_----.length]);
            _loc6_++;
        }
        _a_-___- = true;
      }

      private static function _a_--__(param1:ByteArray, param2:ByteArray) : void {
        var _loc6_:* = false;
        var _loc7_:* = true;
        var _loc3_:int = param1.readInt();
        var _loc4_:ByteArray = new ByteArray();
        param1.readBytes(_loc4_,0,_loc3_);
        var _loc5_:_a_-_-_ = new _a_-_-_(param2);
        _loc5_._a_---_(_loc4_);
        _loc4_.position = 0;
        _a_-____.push(_loc4_.readUTFBytes(_loc4_.length));
      }

      private static function _a_-__-_(param1:ByteArray) : void {
        var _loc3_:* = false;
        var _loc4_:* = true;
        var _loc2_:ByteArray = new ByteArray();
        param1.readBytes(_loc2_,0,16);
        _loc2_.position = 0;
        _a_----.push(_loc2_);
      }

      public static function _a_--_--(param1:int) : String {
        var _loc2_:* = false;
        var _loc3_:* = true;
        if(!_a_-___-)
        {
            _a_-_--();
        }
        return _a_-____[param1 ^ _a_--];
      }
  }

}

Welp. But if the OS is a problem, I can boot up a VM.

There were several “severe” errors during the decompilation, so I doubt the result plus print command could be recompiled again. Disassembling it seems like a good idea.
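
Added example, not part of any post in this thread and not the site's or Wowza's code: a minimal Python model of the secureToken / secureTokenResponse exchange seen in the decompiled call above, showing that the server's check proves only knowledge of a constant shipped inside every copy of the player. Textbook 32-round TEA, the key packing, the hex encoding and all function names are assumptions for illustration, not the real wire format.

```python
import hmac
import struct

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32

def _key_words(secret: str):
    # Assumption: key = secret bytes, zero-padded/truncated to 16, big-endian words.
    return struct.unpack(">4I", secret.encode().ljust(16, b"\0")[:16])

def _encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def _decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def _apply(block_fn, data: bytes, secret: str) -> bytes:
    k = _key_words(secret)
    blocks = (struct.unpack(">2I", data[i:i + 8]) for i in range(0, len(data), 8))
    return b"".join(struct.pack(">2I", *block_fn(v0, v1, k)) for v0, v1 in blocks)

def server_challenge(nonce: bytes, secret: str) -> str:
    """Server: encrypt a fresh nonce (multiple of 8 bytes) into info.secureToken."""
    return _apply(_encrypt_block, nonce, secret).hex()

def client_response(secure_token: str, secret_in_client: str) -> bytes:
    """Client: TEA.decrypt(secureToken, key); result goes to secureTokenResponse."""
    return _apply(_decrypt_block, bytes.fromhex(secure_token), secret_in_client)

def server_accepts(nonce: bytes, response: bytes) -> bool:
    """Server: constant-time comparison of the response with the nonce it issued."""
    return hmac.compare_digest(nonce, response)

if __name__ == "__main__":
    secret = "example-secret"                    # constructed, not a real token
    nonce = bytes.fromhex("0011223344556677")    # constructed challenge
    token = server_challenge(nonce, secret)
    # Any program holding the same constant passes; nothing ties it to the player.
    print("same constant:", server_accepts(nonce, client_response(token, secret)))
    print("wrong key    :", server_accepts(nonce, client_response(token, "wrong-secret")))
```

Because the key is a constant in the client, rotating it (as the thread observes the site doing) only holds until the new player file is read; a check that identifies the viewer has to rest on a per-session value issued and verified server-side.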

gorilla.maguila 10-04-2013 04:01 PM

Re: dumping Ilive.to


 
The decompiled “_a_-_---.as” from JPEXS doesn't make much sense at least for me. I've been playing with the deobfuscated functions/classes from JPEXS in a flex compiler and the result is that:

(Following the flow of)

Code:

if(evt.info.secureToken != undefined)
{
      this._connection.call("secureTokenResponse",null,TEA.decrypt(evt.info.secureToken,_a_-_---._a_--_--(-1820302793)));
}

After function:

Code:

public static function _a_--_--(param1:int) : String {
        var _loc2_:* = false;
        var _loc3_:* = true;
        if(!_a_-___-)
        {
            _a_-_--();
        }
        return _a_-____[param1 ^ _a_--];
      }

receives the integer -1820302793 and then calls:

Code:

private static function _a_-_--() : void {
        var _loc7_:* = false;
        var _loc8_:* = true;
        var _loc1_:ByteArray = new _a_--_-() as ByteArray;
        var _loc2_:ByteArray = new _a_--_() as ByteArray;
        var _loc3_:ByteArray = new _a_-__() as ByteArray;
        _loc3_.endian = Endian.LITTLE_ENDIAN;
        _a_-- = _loc3_.readInt();
        var _loc4_:int = _loc2_.readByte();
        var _loc5_:* = 0;
        while(_loc5_ < _loc4_)
        {
            _a_-__-_(_loc2_);
            _loc5_++;
        }
        _loc4_ = _loc1_.readInt();
        var _loc6_:* = 0;
        while(_loc6_ < _loc4_)
        {
            _a_--__(_loc1_,_a_----[_loc6_ % _a_----.length]);
            _loc6_++;
        }
        _a_-___- = true;
      }

the execution fails miserably at:

Code:

_a_-- = _loc3_.readInt();

As var _loc3_ is empty. Maybe JPEXS doesn't decompile the file in a proper way or maybe I'm missing something...

Next thing I'll try is disassemble-->assemble with https://github.com/CyberShadow/RABCDAsm.

Ideas Welcome.

RedPenguin 10-04-2013 04:54 PM

Re: dumping Ilive.to


 
Well, even though my idea is going down a different path than you folks, I have somewhat found a way to get a fresh copy of the token on-the-fly.

I was looking at svnpenn's Hulu.sh script which takes a Hulu video url into Firefox, memory dumps it, then searches said dump for parameters.

I noticed you can do the exact same thing with ilive and the token is in the dump, but I currently am having issues with the regex to spit out the token to place in rtmpdump.

It appears the token is always before the words "Connection succeeded" so I should just need a regex that says "give me the alphanumeric with some symbols string right before Connection succeeded".

I'm using gawk, sed, curl, wget, etc., having my script already getting the tcURL, swfurl, & playpath.

I know this isn't the greatest in the world way of doing it, but I know it's possible at least.

