Recording reallifecam.com

[xanathar]

Hello,

I would like to know if some people here are still able to record reallifecam streams using rtmpdump.

I used to to do it for years but I'm really struggling now with the latest version of flowplayer.

I can get the urls and parameters required, however I have some issues finding the secure token.

They used to have 2 different secure token (one for free cams and one for premiums). Both were easy to find when decompiling the old swf player.

Now things are getting more difficult. According to what I have found, I think they read an encrypted binary file. (The algorithm seem easy though)

The swf can be found here:
"http://reallifecam.com/static/flowplayer/flowplayer.swf-20160913"

It would be great if anyone interested in reversing this kind of stuff could have a look.

Are there any other options/tools to find the secure tokens ? I guess the token is somewhere in memory. Are there any tools for browsing/searching the browser/flash plugin memory ?

We can discuss in private if you want. Reversing is fun and I'm here to learn and share.

Thanks

[ihryjfbd]

urlsnooper2

GET /static/flowplayer/flowplayer.swf-20160913 HTTP/1.1
Host: reallifecam.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://reallifecam.com/en/view/06_1
Cookie: guest_tkt="e9d8d961022a9570a3bde6ee5e45f9c41f1d93f 0c230805c225309b459f774b0401dbc4ab6401e794dde2bbc1 3fa94baf7d2678556dbf416f77fe4018d5535b757d9c2a6MTZ lOGJkYQ%3D%3D!guest\054issued-d5f9e293-1473888934!userid_type:b64str";
lang=en
Connection: keep-alive

[xanathar]

Quote:

Originally Posted by ihryjfbd

urlsnooper2

GET /static/flowplayer/flowplayer.swf-20160913 HTTP/1.1
Host: reallifecam.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://reallifecam.com/en/view/06_1
Cookie: guest_tkt="e9d8d961022a9570a3bde6ee5e45f9c41f1d93f 0c230805c225309b459f774b0401dbc4ab6401e794dde2bbc1 3fa94baf7d2678556dbf416f77fe4018d5535b757d9c2a6MTZ lOGJkYQ%3D%3D!guest\054issued-d5f9e293-1473888934!userid_type:b64str";
lang=en
Connection: keep-alive

Thanks, but I have all of this. (and even more). What I know is that the secure tokens (the -T parameter in rtmpdump) were:
#Loi8iJu for free cams
and
VTd3uh@SgFpf for premium.

I'm trying to find the new ones.

[xanathar]

Here's a summary of my findings.

The swf is encrypted but all the parts can easily be dumped from memory using a tool like SWF Memory Dumper.

(The algorithm is simple. Before using a memory dumper, I managed to decrypt the swf using a simple python script). It's quicker with a tool though.

Using JPEXS flash decompiler we can find a few references to the 'secureToken' but nothing in clear text. Reversing the functions could take ages. Static analysis can be really difficult.

I looked at a different option. On windows 10, I dumped the chrome process (The one with flash running. You can find the process id with swf memory dumper for example) using the task manager option. (Right click on process -> Create Dump File).

With winhex I found in the dump a reference to the string 'securetoken' (ignore the case) and next to it a key that really look like what we need. Unfortunately it did not work with rtmpdump. Also it seems that the securetoken is dynamic and keep changing.



Any help/idea is welcome.

Tools:
http://www.forceprojectx.com/service.../memory_dumper
https://www.x-ways.net/winhex/
https://www.free-decompiler.com/flash/

Reference:
http://blog.codestage.ru/2012/03/07/packed/

[j_cool]

I got this with urlsnooper:


rtmps://edge14.reallifecam.com/liveedge?uid=b5b4459&stamp=1474111782&token=eb65d6 7e240e947cc1c923610e205605

rtmps://edge27.reallifecam.com/liveedge?uid=afa61ea&stamp=1474111848&token=a01f6a 373539dfa9104be0a777db174b


any good ?


Cheers,

Johnny.

[xanathar]

Thanks, but it's not what I am looking for. The secureToken is 'embedded' in the swf file. You can't get it with a 'sniffer' like this. AFAIK the only way is to either decompile the swf (which can be difficult when the code is encrypted/obfuscated/complex) or scan the memory (using an hex editor for example).

Anyway here's a little trick. You don't need urlsnooper to get those urls

Just try this:
http://reallifecam.com/resources/gue.../playlist/03_1

Simply replace 03_1 by the camera you want.

If you are a member and logged, replace 'guest' by 'member' in the url I gave you so you can get any camera stream.

Thanks for looking at it though.

[j_cool]

I am intersted in this research.

I cannot get rtmp parameters on some peep-show websites unless
logged in as a member.
Here it looks like the same, the difference is that you have to pay $$$
to be a member. No $$$, no research.
I could not find T in memory dump on other peep-show sites, was it because I was not paying for private shows?

Am I right here? Here I see rtmps, not seen before on peep-show website.

Thank you for feedback, it was good so far, and was good post.

[xanathar]

Quote:

Originally Posted by j_cool

I am intersted in this research.

I cannot get rtmp parameters on some peep-show websites unless
logged in as a member.
Here it looks like the same, the difference is that you have to pay $$$
to be a member. No $$$, no research.
I could not find T in memory dump on other peep-show sites, was it because I was not paying for private shows?

Am I right here? Here I see rtmps, not seen before on peep-show website.

Thank you for feedback, it was good so far, and was good post.

Well, I have never done any research on 'peep-show' websites so I'm not sure. Each website can use a different way to protect their streams, so there's no universal solution to grab them. I know though (as I said before) that for reallifecam they had different tokens for guests and members. In an older version of their player the secureToken was in clear text in the swf. A simple decompilation was enough to find it. Things have changed a few months ago when they updated to a recent version of flowplayer.

I'm glad that you are interested in that research. I hope more skilled people will join us.

[ihryjfbd]

So encrypting each new packet with a new key?
something like ssl?

[xanathar]

Quote:

Originally Posted by ihryjfbd

So encrypting each new packet with a new key?
something like ssl?

I don't know exactly. I tried to dump the process a few times and had a different 'key' next to 'secureToken' (As seen in the screenshot).
I'm not even 100% sure that this string is the secureToken.
That's why I posted here, hopefully more experienced people will look at it too.