Audio/video stream recording forums (http://stream-recorder.com/forum/index.php)
-   rtmpdump (http://stream-recorder.com/forum/forumdisplay.php?f=54)
-   -  

Recording reallifecam.com

(http://stream-recorder.com/forum/showthread.php?t=22383)

xanathar 09-14-2016 10:52 AM

Recording reallifecam.com


 
Hello,

I would like to know if some people here are still able to record reallifecam streams using rtmpdump.

I used to to do it for years but I'm really struggling now with the latest version of flowplayer.

I can get the urls and parameters required, however I have some issues finding the secure token.

They used to have 2 different secure token (one for free cams and one for premiums). Both were easy to find when decompiling the old swf player.

Now things are getting more difficult. According to what I have found, I think they read an encrypted binary file. (The algorithm seem easy though)

The swf can be found here:
"http://reallifecam.com/static/flowplayer/flowplayer.swf-20160913"

It would be great if anyone interested in reversing this kind of stuff could have a look.

Are there any other options/tools to find the secure tokens ? I guess the token is somewhere in memory. Are there any tools for browsing/searching the browser/flash plugin memory ?

We can discuss in private if you want. Reversing is fun and I'm here to learn and share.

Thanks

ihryjfbd 09-14-2016 03:37 PM

Re: Recording reallifecam.com


 
urlsnooper2

GET /static/flowplayer/flowplayer.swf-20160913 HTTP/1.1
Host: reallifecam.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://reallifecam.com/en/view/06_1
Cookie: guest_tkt="e9d8d961022a9570a3bde6ee5e45f9c41f1d93f 0c230805c225309b459f774b0401dbc4ab6401e794dde2bbc1 3fa94baf7d2678556dbf416f77fe4018d5535b757d9c2a6MTZ lOGJkYQ%3D%3D!guest\054issued-d5f9e293-1473888934!userid_type:b64str";
lang=en
Connection: keep-alive

xanathar 09-15-2016 06:13 AM

Re: Recording reallifecam.com


 
Quote:

Originally Posted by ihryjfbd (Post 87542)
urlsnooper2

GET /static/flowplayer/flowplayer.swf-20160913 HTTP/1.1
Host: reallifecam.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://reallifecam.com/en/view/06_1
Cookie: guest_tkt="e9d8d961022a9570a3bde6ee5e45f9c41f1d93f 0c230805c225309b459f774b0401dbc4ab6401e794dde2bbc1 3fa94baf7d2678556dbf416f77fe4018d5535b757d9c2a6MTZ lOGJkYQ%3D%3D!guest\054issued-d5f9e293-1473888934!userid_type:b64str";
lang=en
Connection: keep-alive

Thanks, but I have all of this. (and even more). What I know is that the secure tokens (the -T parameter in rtmpdump) were:
#Loi8iJu for free cams
and
VTd3uh@SgFpf for premium.

I'm trying to find the new ones.

xanathar 09-16-2016 06:24 AM

Re: Recording reallifecam.com


 
Here's a summary of my findings.

The swf is encrypted but all the parts can easily be dumped from memory using a tool like SWF Memory Dumper.

(The algorithm is simple. Before using a memory dumper, I managed to decrypt the swf using a simple python script). It's quicker with a tool though.

Using JPEXS flash decompiler we can find a few references to the 'secureToken' but nothing in clear text. Reversing the functions could take ages. Static analysis can be really difficult.

I looked at a different option. On windows 10, I dumped the chrome process (The one with flash running. You can find the process id with swf memory dumper for example) using the task manager option. (Right click on process -> Create Dump File).

With winhex I found in the dump a reference to the string 'securetoken' (ignore the case) and next to it a key that really look like what we need. Unfortunately it did not work with rtmpdump. Also it seems that the securetoken is dynamic and keep changing.



Any help/idea is welcome.

Tools:
http://www.forceprojectx.com/service.../memory_dumper
https://www.x-ways.net/winhex/
https://www.free-decompiler.com/flash/

Reference:
http://blog.codestage.ru/2012/03/07/packed/

j_cool 09-17-2016 05:32 AM

Re: Recording reallifecam.com


 
I got this with urlsnooper:


rtmps://edge14.reallifecam.com/liveedge?uid=b5b4459&stamp=1474111782&token=eb65d6 7e240e947cc1c923610e205605

rtmps://edge27.reallifecam.com/liveedge?uid=afa61ea&stamp=1474111848&token=a01f6a 373539dfa9104be0a777db174b


any good ?


Cheers,

Johnny.

xanathar 09-17-2016 06:24 AM

Re: Recording reallifecam.com


 
Thanks, but it's not what I am looking for. The secureToken is 'embedded' in the swf file. You can't get it with a 'sniffer' like this. AFAIK the only way is to either decompile the swf (which can be difficult when the code is encrypted/obfuscated/complex) or scan the memory (using an hex editor for example).

Anyway here's a little trick. You don't need urlsnooper to get those urls :)

Just try this:
http://reallifecam.com/resources/gue.../playlist/03_1

Simply replace 03_1 by the camera you want.

If you are a member and logged, replace 'guest' by 'member' in the url I gave you so you can get any camera stream.

Thanks for looking at it though.

j_cool 09-17-2016 06:49 AM

Re: Recording reallifecam.com


 
I am intersted in this research.

I cannot get rtmp parameters on some peep-show websites unless
logged in as a member.
Here it looks like the same, the difference is that you have to pay $$$
to be a member. No $$$, no research.
I could not find T in memory dump on other peep-show sites, was it because I was not paying for private shows?

Am I right here? Here I see rtmps, not seen before on peep-show website.

Thank you for feedback, it was good so far, and was good post.

xanathar 09-17-2016 07:44 AM

Re: Recording reallifecam.com


 
Quote:

Originally Posted by j_cool (Post 87600)
I am intersted in this research.

I cannot get rtmp parameters on some peep-show websites unless
logged in as a member.
Here it looks like the same, the difference is that you have to pay $$$
to be a member. No $$$, no research.
I could not find T in memory dump on other peep-show sites, was it because I was not paying for private shows?

Am I right here? Here I see rtmps, not seen before on peep-show website.

Thank you for feedback, it was good so far, and was good post.

Well, I have never done any research on 'peep-show' websites so I'm not sure. Each website can use a different way to protect their streams, so there's no universal solution to grab them. I know though (as I said before) that for reallifecam they had different tokens for guests and members. In an older version of their player the secureToken was in clear text in the swf. A simple decompilation was enough to find it. Things have changed a few months ago when they updated to a recent version of flowplayer.

I'm glad that you are interested in that research. I hope more skilled people will join us.

ihryjfbd 09-17-2016 10:48 PM

Re: Recording reallifecam.com


 
So encrypting each new packet with a new key?
something like ssl?

xanathar 09-18-2016 04:05 AM

Re: Recording reallifecam.com


 
Quote:

Originally Posted by ihryjfbd (Post 87612)
So encrypting each new packet with a new key?
something like ssl?

I don't know exactly. I tried to dump the process a few times and had a different 'key' next to 'secureToken' (As seen in the screenshot).
I'm not even 100% sure that this string is the secureToken.
That's why I posted here, hopefully more experienced people will look at it too.


All times are GMT -6. The time now is 05:34 PM.