Audio/video stream recording forums

Attention Visitor:
You may have to register or log in before you can post:
  • Click the register link to sign up.
  • Registered members please fill in the form below and click the "Log in" button.
To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Audio/video stream recording forums > Streaming media recording forum > rtmpdump
Register FAQ Members List Calendar Mark Forums Read

Reply Post New Thread
 
Thread Tools Display Modes
  #1  
Old 09-14-2016, 11:52 AM
xanathar xanathar is offline
Junior Member
 
Join Date: Aug 2016
Posts: 16
xanathar is on a distinguished road
Question

Recording reallifecam.com


Hello,

I would like to know if some people here are still able to record reallifecam streams using rtmpdump.

I used to to do it for years but I'm really struggling now with the latest version of flowplayer.

I can get the urls and parameters required, however I have some issues finding the secure token.

They used to have 2 different secure token (one for free cams and one for premiums). Both were easy to find when decompiling the old swf player.

Now things are getting more difficult. According to what I have found, I think they read an encrypted binary file. (The algorithm seem easy though)

The swf can be found here:
"http://reallifecam.com/static/flowplayer/flowplayer.swf-20160913"

It would be great if anyone interested in reversing this kind of stuff could have a look.

Are there any other options/tools to find the secure tokens ? I guess the token is somewhere in memory. Are there any tools for browsing/searching the browser/flash plugin memory ?

We can discuss in private if you want. Reversing is fun and I'm here to learn and share.

Thanks
Reply With Quote
  #2  
Old 09-14-2016, 04:37 PM
ihryjfbd ihryjfbd is offline
Senior Member
 
Join Date: Oct 2015
Posts: 212
ihryjfbd is on a distinguished road
Default

Re: Recording reallifecam.com


urlsnooper2

GET /static/flowplayer/flowplayer.swf-20160913 HTTP/1.1
Host: reallifecam.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://reallifecam.com/en/view/06_1
Cookie: guest_tkt="e9d8d961022a9570a3bde6ee5e45f9c41f1d93f 0c230805c225309b459f774b0401dbc4ab6401e794dde2bbc1 3fa94baf7d2678556dbf416f77fe4018d5535b757d9c2a6MTZ lOGJkYQ%3D%3D!guest\054issued-d5f9e293-1473888934!userid_type:b64str";
lang=en
Connection: keep-alive
Reply With Quote
  #3  
Old 09-15-2016, 07:13 AM
xanathar xanathar is offline
Junior Member
 
Join Date: Aug 2016
Posts: 16
xanathar is on a distinguished road
Default

Re: Recording reallifecam.com


Quote:
Originally Posted by ihryjfbd View Post
urlsnooper2

GET /static/flowplayer/flowplayer.swf-20160913 HTTP/1.1
Host: reallifecam.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://reallifecam.com/en/view/06_1
Cookie: guest_tkt="e9d8d961022a9570a3bde6ee5e45f9c41f1d93f 0c230805c225309b459f774b0401dbc4ab6401e794dde2bbc1 3fa94baf7d2678556dbf416f77fe4018d5535b757d9c2a6MTZ lOGJkYQ%3D%3D!guest\054issued-d5f9e293-1473888934!userid_type:b64str";
lang=en
Connection: keep-alive
Thanks, but I have all of this. (and even more). What I know is that the secure tokens (the -T parameter in rtmpdump) were:
#Loi8iJu for free cams
and
VTd3uh@SgFpf for premium.

I'm trying to find the new ones.
Reply With Quote
  #4  
Old 09-16-2016, 07:24 AM
xanathar xanathar is offline
Junior Member
 
Join Date: Aug 2016
Posts: 16
xanathar is on a distinguished road
Default

Re: Recording reallifecam.com


Here's a summary of my findings.

The swf is encrypted but all the parts can easily be dumped from memory using a tool like SWF Memory Dumper.

(The algorithm is simple. Before using a memory dumper, I managed to decrypt the swf using a simple python script). It's quicker with a tool though.

Using JPEXS flash decompiler we can find a few references to the 'secureToken' but nothing in clear text. Reversing the functions could take ages. Static analysis can be really difficult.

I looked at a different option. On windows 10, I dumped the chrome process (The one with flash running. You can find the process id with swf memory dumper for example) using the task manager option. (Right click on process -> Create Dump File).

With winhex I found in the dump a reference to the string 'securetoken' (ignore the case) and next to it a key that really look like what we need. Unfortunately it did not work with rtmpdump. Also it seems that the securetoken is dynamic and keep changing.



Any help/idea is welcome.

Tools:
http://www.forceprojectx.com/service.../memory_dumper
https://www.x-ways.net/winhex/
https://www.free-decompiler.com/flash/

Reference:
http://blog.codestage.ru/2012/03/07/packed/
Reply With Quote
  #5  
Old 09-17-2016, 06:32 AM
j_cool j_cool is offline
Senior Member
 
Join Date: Feb 2016
Posts: 515
j_cool is on a distinguished road
Default

Re: Recording reallifecam.com


I got this with urlsnooper:


rtmps://edge14.reallifecam.com/liveedge?uid=b5b4459&stamp=1474111782&token=eb65d6 7e240e947cc1c923610e205605

rtmps://edge27.reallifecam.com/liveedge?uid=afa61ea&stamp=1474111848&token=a01f6a 373539dfa9104be0a777db174b


any good ?


Cheers,

Johnny.
Reply With Quote
  #6  
Old 09-17-2016, 07:24 AM
xanathar xanathar is offline
Junior Member
 
Join Date: Aug 2016
Posts: 16
xanathar is on a distinguished road
Default

Re: Recording reallifecam.com


Thanks, but it's not what I am looking for. The secureToken is 'embedded' in the swf file. You can't get it with a 'sniffer' like this. AFAIK the only way is to either decompile the swf (which can be difficult when the code is encrypted/obfuscated/complex) or scan the memory (using an hex editor for example).

Anyway here's a little trick. You don't need urlsnooper to get those urls

Just try this:
http://reallifecam.com/resources/gue.../playlist/03_1

Simply replace 03_1 by the camera you want.

If you are a member and logged, replace 'guest' by 'member' in the url I gave you so you can get any camera stream.

Thanks for looking at it though.
Reply With Quote
  #7  
Old 09-17-2016, 07:49 AM
j_cool j_cool is offline
Senior Member
 
Join Date: Feb 2016
Posts: 515
j_cool is on a distinguished road
Default

Re: Recording reallifecam.com


I am intersted in this research.

I cannot get rtmp parameters on some peep-show websites unless
logged in as a member.
Here it looks like the same, the difference is that you have to pay $$$
to be a member. No $$$, no research.
I could not find T in memory dump on other peep-show sites, was it because I was not paying for private shows?

Am I right here? Here I see rtmps, not seen before on peep-show website.

Thank you for feedback, it was good so far, and was good post.
Reply With Quote
  #8  
Old 09-17-2016, 08:44 AM
xanathar xanathar is offline
Junior Member
 
Join Date: Aug 2016
Posts: 16
xanathar is on a distinguished road
Default

Re: Recording reallifecam.com


Quote:
Originally Posted by j_cool View Post
I am intersted in this research.

I cannot get rtmp parameters on some peep-show websites unless
logged in as a member.
Here it looks like the same, the difference is that you have to pay $$$
to be a member. No $$$, no research.
I could not find T in memory dump on other peep-show sites, was it because I was not paying for private shows?

Am I right here? Here I see rtmps, not seen before on peep-show website.

Thank you for feedback, it was good so far, and was good post.
Well, I have never done any research on 'peep-show' websites so I'm not sure. Each website can use a different way to protect their streams, so there's no universal solution to grab them. I know though (as I said before) that for reallifecam they had different tokens for guests and members. In an older version of their player the secureToken was in clear text in the swf. A simple decompilation was enough to find it. Things have changed a few months ago when they updated to a recent version of flowplayer.

I'm glad that you are interested in that research. I hope more skilled people will join us.
Reply With Quote
  #9  
Old 09-17-2016, 11:48 PM
ihryjfbd ihryjfbd is offline
Senior Member
 
Join Date: Oct 2015
Posts: 212
ihryjfbd is on a distinguished road
Default

Re: Recording reallifecam.com


So encrypting each new packet with a new key?
something like ssl?
Reply With Quote
  #10  
Old 09-18-2016, 05:05 AM
xanathar xanathar is offline
Junior Member
 
Join Date: Aug 2016
Posts: 16
xanathar is on a distinguished road
Default

Re: Recording reallifecam.com


Quote:
Originally Posted by ihryjfbd View Post
So encrypting each new packet with a new key?
something like ssl?
I don't know exactly. I tried to dump the process a few times and had a different 'key' next to 'secureToken' (As seen in the screenshot).
I'm not even 100% sure that this string is the secureToken.
That's why I posted here, hopefully more experienced people will look at it too.
Reply With Quote
Reply Post New Thread
Tags: , , , ,



Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -6. The time now is 09:32 PM.


Powered by All-streaming-media.com; 2006-2011
vB forum hacked with Zoints add-ons