#16
10-05-2013, 11:44 AM
gorilla.maguila

Re: dumping Ilive.to


So here goes another method:

Disassembly / Assembly Method:

First modify your mms.cfg like this, as we want to see the output of the trace() method.

Code:
#Hardware video decoding
#EnableLinuxHWVideoDecode=1
ProtectedMode=0
ErrorReportingEnable=1
TraceOutputFileEnable=1
MaxWarnings=50
AS3Trace=1

Then grab a Flash Player with debug enabled. In my case, the Projector content debugger for Linux from http://www.adobe.com/support/flashplayer/downloads.html. (The Linux version is only 32 bits, so if you are running a 64-bit distro make sure you download the required lib32 libs, like lib32-alsa-plugins lib32-curl lib32-gtk2 lib32-libxt lib32-nss)


Now we are going to disassemble the swf file, insert a print and assemble it again. I'm going to use https://github.com/CyberShadow/RABCDAsm.

In this case we want to see the output of the function _a_-_---._a_--_--(-1820302793)

The trace is going to be inserted in the PlayerSetup class so we only have to open the swf file to trigger our trace.

Now we disassemble:

Code:
$ abcexport secure_player_ilive_z.swf
$ rabcdasm secure_player_ilive_z-1.abc

Now we are going to modify the Player.class.asasm to insert our trace method in assembly code:


Code:
findpropstrict      QName(PackageNamespace(""), "trace")
getlex              QName(PackageNamespace("", "#0"), "_a_-_---")
pushint             -1820302793
callproperty        QName(PackageNamespace("", "#1"), "_a_--_--"), 1
coerce_s
callpropvoid        QName(PackageNamespace(""), "trace"), 1

which equals trace(_a_-_---._a_--_--(-1820302793));

We want to trigger this trace as soon as the swf is opened, so we insert it in Player.class.asasm like this:

Code:
class
 refid "com.longtailvideo.jwplayer.player:Player"
 instance QName(PackageNamespace("com.longtailvideo.jwplayer.player"), "Player")
  extends QName(PackageNamespace("flash.display"), "Sprite")
  implements Multiname("IPlayer", [PackageNamespace("com.longtailvideo.jwplayer.player")])
  implements Multiname("IGlobalEventDispatcher", [PackageNamespace("com.longtailvideo.jwplayer.events")])
  flag SEALED
  flag PROTECTEDNS
  protectedns ProtectedNamespace("com.longtailvideo.jwplayer.player:Player")
  iinit
   refid "com.longtailvideo.jwplayer.player:Player/instance/init"
   flag NEED_ACTIVATION
   body
    maxstack 4
    localcount 3
    initscopedepth 10
    maxscopedepth 15
    code
     getlocal0
     pushscope

     newactivation
     newfunction         "com.longtailvideo.jwplayer.player:Player/instance/init/inline_method"
     pop
     findpropstrict      QName(PackageNamespace(""), "trace")
     getlex              QName(PackageNamespace("", "#0"), "_a_-_---")
     pushint             -1820302793
     callproperty        QName(PackageNamespace("", "#1"), "_a_--_--"), 1
     coerce_s
     callpropvoid        QName(PackageNamespace(""), "trace"), 1

     jump                L9

......

Now we assemble again:

Code:
$ rabcasm secure_player_ilive_z-1/secure_player_ilive_z-1.main.asasm
$ abcreplace secure_player_ilive_z.swf 1 secure_player_ilive_z-1/secure_player_ilive_z-1.main.abc

Now we launch our flash debugger and open our modified swf file and we see:


Code:
I8772LDKksadhGHGagf#
Error: Error #2067: The ExternalInterface is not available in this container. ExternalInterface requires Internet Explorer ActiveX, Firefox, Mozilla 1.7.5 and greater, or other browsers that support NPRuntime.
	at Error$/throwError()
	at flash.external::ExternalInterface$/addCallback()
	at com.longtailvideo.jwplayer.controller::Controller/preRollAdLoad()
	at com.longtailvideo.jwplayer.controller::Controller/setupPlayer()
	at com.longtailvideo.jwplayer.player::Player/setupPlayer()

That's all folks
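Added example (not part of the original post, and not RABCDAsm's code): the `-1` suffix on the exported .abc file and the `1` passed to abcreplace in the post above are the zero-based position of an ABC block inside the SWF. This Python sketch walks the SWF tag stream and lists those blocks; the sample file built by `build_sample` is constructed here, with filler payloads rather than real bytecode.

```python
import struct
import zlib

ABC_TAG_CODES = (72, 82)  # SWF tags carrying AVM2 bytecode: 72 (older headerless form), 82 (DoABC)

def swf_body(data):
    """Return the SWF with its body decompressed (8-byte header kept)."""
    if data[:3] == b"FWS":
        return data
    if data[:3] == b"CWS":                      # zlib stream after the 8-byte header
        return data[:8] + zlib.decompress(data[8:])
    raise ValueError("unsupported SWF signature %r" % data[:3])  # ZWS/LZMA not handled

def list_abc_blocks(data):
    """Return [(abc_index, tag_code, payload_offset, payload_length), ...]."""
    body = swf_body(data)
    nbits = body[8] >> 3                        # RECT: 5-bit field width + 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4      # skip RECT, frame rate, frame count
    blocks = []
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                      # long tag: real length is a u32
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag %d runs past end of file" % code)
        if code in ABC_TAG_CODES:
            blocks.append((len(blocks), code, pos, length))
        if code == 0:                           # End tag
            break
        pos += length
    return blocks

def _tag(code, payload):
    if len(payload) < 0x3F:                     # short form: length fits in 6 bits
        return struct.pack("<H", code << 6 | len(payload)) + payload
    return struct.pack("<HI", code << 6 | 0x3F, len(payload)) + payload

def build_sample(compressed=False):
    """Constructed minimal SWF with two DoABC tags (payloads are filler, not real ABC)."""
    rest = b"\x00" + struct.pack("<HH", 24 << 8, 1)   # empty RECT, 24 fps, 1 frame
    rest += _tag(82, b"\x01\x00\x00\x00frame1\x00" + b"A" * 70)
    rest += _tag(82, b"\x01\x00\x00\x00main\x00" + b"B" * 10) + _tag(0, b"")
    head = (b"CWS" if compressed else b"FWS") + b"\x0a" + struct.pack("<I", 8 + len(rest))
    return head + (zlib.compress(rest) if compressed else rest)

if __name__ == "__main__":
    print(list_abc_blocks(build_sample(compressed=True)))
```

Comparing this listing for an original SWF and a copy of it shows which ABC block differs in offset or length, which is one way to spot that a player file has been reassembled.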