INeedAttention.com

Rants on business, science, technology, society, politics, police, and justice, plus life hacks and tricks, since 2003.

INeedAttention.com header image 2

Streaming Content Restriction Techniques in Flash Players

February 4th, 2006 · 9 Comments

Years ago, MP3.com was one of the only sites to allow bands to create profiles and upload their music for global distribution. Today, a number of other clones have appeared, including Soundclick.com, Purevolume.com, and Myspace Bands. In the days of MP3.com, MP3 was veritably the lowest common denominator for music distribution. To protect artists, MP3.com would offer the option to “stream only”. This method became quickly defeated, however, when clever users discovered that there was a simple hack to download and save the entire song.

When MP3.com first launched, it was actually possible to right click download links, paste them back into the browser, and begin traversing folders, downloading as much music as desired. MP3.com quickly got wise to this and put basic HTTP protection on their file indexes (i.e. set up their site to provide a 403 error instead of a list of all uploaded files for an artist).

Another thing offered by MP3.com was the capability to allow listeners to stream a song without allowing them to download it. In this primitive era of the web, to create a “stream only” play system, MP3.com would allow users to download a play list file with the “pls” extension from the browser, which would contain information on the music’s source. The audio player would open the play list and load the song and subsequently stream the song as it played. When playing the song, however, a user could check the play list entry to determine the actual source of the MP3. In essence, MP3.com was publicly distributing only a pointer to the file, but not the actual file. However, if a user checked the play list entry and then pointed their browser to the source file being played, they would be able to download the file in its entirety.

Today, MP3.com no longer offers the services it did five years ago. That site changed ownership long ago, and when they did, bands changed to the other newer services to distribute their art. These services offered far better publicity, a more streamlined look, and what appeared to be a stronger system for DRM. All three of the sites still around today that were mentioned earlier use Flash players for their streaming. In this way, they likely figure, users will not be able to perpetrate the “view info” attack that was possible with play list files. However, as will be explained here, the new flash players may prevent people from simply right clicking and knowing the file source, but they certainly do not stop users from downloading the files in their entirety.

To start, we will need a copy of Ethereal, or any other kind of packet sniffer. If you don’t know what packet sniffing is, this is a great opportunity to learn! When information is transmitted over the internet, it is broken up into packets. Many computers can share the same physical connection, using a direct cable connection or a hub. In this way, one computer can send a packet when no other computer is, and also, if a packet is lost, it can be easily retransmitted. Ethereal allows you to analyze the traffic on your network connection, so that you can see each packet as it goes from computer to computer. Over wireless, this also can allow you to see network connections for anyone else connected as well.

The Purevolume flash player

Now, let’s say I am checking out this band called The Truth Is. Because the truth is, I was checking out The Truth Is as I wrote this. Click on “The author” to stream the song which will be used as an example here. Note that the download button is grayed and inactive. The flash player embedded in the page allows a seamless user experience, and in fact it seems that downloading is disabled. In order to actually play the sound, the flash player is actually downloading the MP3 and playing it inside the browser. So, while the listener can’t download the file, in a way, they already have. Because the flash player requests the MP3 file in the same way a web browser requests any other file, the address can still be determined. Once the file’s address is known, the address can be entered back into the browser and the file can be downloaded.

To obtain the address, start up Ethereal, and click “Capture” and “Interfaces”. Then, select the interface which you are using to connect to the internet and select “Prepare”. At this screen, make sure that “Capture packets in promiscuous mode” is not checked. This option instructs your network card to listen only for packets that are addressed to it, as opposed to listening to all traffic on the network (i.e. that of other computers sharing the same connection). Some network cards actually don’t support promiscuous mode anyway, to prevent illicit uses. Click “Start” to begin the packet capture.

The Ethereal prep screen, prior to packet capture

There will likely be many packets arriving every second, at least. Switch back to the web browser window, and refresh the page. Then click “The author” again to being the streaming playback. Now switch back to Ethereal, and click the “Stop” button. Ethereal now lists every packet received during the capture period. Click the “Protocol” column to sort by the communication type, in this case, we are looking for HTTP. For someone that has no experience packet sniffing, this may seem completely alien. But, buried in there, is the request by the flash player for the MP3 file:

GET /streams3/ZEqOj24mbE7gn4CzPkQYZa4PN9nxuW1uVtqQuuwU1vVtYA HTTP/1.1

The MP3 file is requested, and we follow the TCP stream in Ethereal

Believe it or not, this is the address of the MP3 file for the song that was just streaming. Right click on the packet that resembles this, and select “Follow TCP Stream”. From here, copy and paste the address from that line, not including the GET or the HTTP 1.1 at the end. Note also, below this line in the TCP stream is the host name. Take note of the server that was used to serve you the file. By putting the “/streams/…” portion of the address with the host name, you get something that looks approximately like this:

s8.purevolume.com/streams3/ZEqOj24mbE7gn4CzPkQYZa4PN9nxuW1uVtqQuuwU1vVtYA

By copying and pasting this address into the browser, the file can then be downloaded. The name may be wrong, but the content is correct. Rename the file something appropriate, such as “The Truth Is – The Author.mp3”. This song can now be played just like any other MP3 file.

The procedure for Soundclick artists is roughly the same, except that Soundclick actually does not use machine readable file names, so it should be obvious when the MP3 file is requested. Use the same procedure after selecting that packet, right clicking, and choosing “Follow TCP Stream” as for Purevolume requests.

Myspace’s flash player is a bit tougher to crack. I was actually unable to figure it out in a few minutes, but that doesn’t mean it’s impossible. When it comes to downloading protected music, the general rule of thumb is that if it can be played it can be copied. After playing with Myspace for a bit, it’s my guess that there is either some type of challenge/response going on with the flash player, or that the server is looking at some other characteristic of the request (i.e. which MIME types are acceptable to the browser).

If anyone is able to crack it, let me know!

UPDATE September 18, 2006: When using this method, use a low numbered server like “s2.purevolume.com” and make sure your stream is “streams3” not “streams4”, as Purevolume seems to have updated its systems.

Tags: Computers · pwn3d! (Hacks and Tricks) · Technology

9 responses so far ↓

  • 1 levee // Dec 30, 2006 at 5:24 am

    I’m just tried to download a stream with this method as you wrote in this post, but it was not succesful…

    myspace.com/classiccase – into a nightmare file:

    streams4/2QaPVOIMykejNOjiu4PNbEzhDpvX7lrKYcLh/89147762065f5b26d2721eef8059a8edf4fad0ad

    I got this stream, but its a broken link, and the s8 server didn’t answer. Please, help me 🙂

  • 2 pat o. // Mar 31, 2007 at 5:15 am

    I’m getting

    “Unauthorized Song Play Attempt. Error: Error 410”

    They must have updated something — any ideas?

  • 3 Steve // Jun 1, 2007 at 11:08 pm

    not even getting an HTTP thing.. ur idea is wrong.

  • 4 peteru // Jun 2, 2007 at 8:08 am

    Steve, yea the whole thing was made up. I faked all the screenshots! Don’t you think after over a year Purevolume might have patched its system? Clearly not I suppose. But here’s to you Steve! The reason you’re not seeing anything is because you’re using Ethereal wrong, fool.

  • 5 Rob // Jun 2, 2007 at 8:30 am

    Is there an updated resource for this methodology with regards to soundclick? I know they have something like 3 levels of password security. I haven’t found anything around it yet. Any ideas?

  • 6 H // Jul 26, 2007 at 5:35 pm

    I’m also getting:
    “Unauthorized Song Play Attempt. Error: Error 410″

    any help would be great

  • 7 marcos // Dec 17, 2007 at 10:06 pm

    i cant download ethereal, i’m getting an error that says that download is corrupted, or a virus, and i download it from their own website!
    help please 🙂

    [Editor: Yikes!]

  • 8 marcos // Dec 17, 2007 at 10:34 pm

    i could install it.. but getting “Unauthorized Song Play Attempt. Error: Error 410″.. that’s because i have /streams4/? , how do i get /streams3/? 😛

  • 9 Matt // Feb 7, 2008 at 11:00 pm

    Ok so same error for me, obviously the server recognizes that the browser isn’t using the flash player. So, the question is….how do you ‘trick’ it into thinking it’s getting the request from the flash player?

Leave a Comment