Free Files from Flash

by DieselDragon  (Hyperspeed666@gmail.com)

Introduction

Anyone who uses the Internet nowadays will have noticed the increasing trend of Adobe Flash applications being used for playing embedded audio and video on web pages.

Notable websites for this include YouTube (Video) and the infamous MySpace (audio/video).  Often, these Flash players are used in an attempt to play files without revealing the location of the host file to prevent users from downloading the actual files to their computers - an example of which can be found at www.dragonforce.com.

However, one thing that many webmasters have overlooked is that the use of Flash media players does not guarantee that the file(s) in question will stay "safe."

After all, it's a simple fact that anything on the Internet that can be viewed by the user can be downloaded.  And it's a fact that has few exceptions.

In this article, I'll show you how to download one of my videos from YouTube, but instead of teaching you the technique for the one specific site, I'll be showing you the general principle behind the hack which should work for most sites that use embedded Flash players.

Obviously the standard disclaimers apply here, and you're the only one responsible for anything that you use this technique for.  Please don't steal copyrighted works.  The author of those works still has to put food on the table as much as you or I do.

How It All Works

When an embedded Flash player (henceforth referred to as EFP) loads on a web page, there are a few processes that take place:

  1. An <object> tag causes an HTTP request to the server for the EFP.
  2. The EFP is downloaded to temporary storage and executed using the relevant plugin.
  3. The EFP fires off an HTTP or other request for the media file.  (This request might return an XML Shareable Playlist Format (XSPF) file in the case of audio players.  More on that later.)
  4. The media file is downloaded or streamed to the EFP via temp storage or RAM.
  5. Once a decent buffer amount of data is downloaded, the EFP will start playing.

In this tutorial, we'll be tracing the EFP's HTTP requests to find out where the desired media file is located.

The Theory Applied

In this article, we'll be downloading the video at www.youtube.com/watch?v=T8feb8zXj54 (case sensitive).

Fire up your favorite packet scanner (I use Ethereal) and set it to trace everything to catch any EFPs that use unusual protocols (FTP, Telnet, etc.) to download files.  Then point your browser to the URL of the page that holds the media that you are interested in.  Once the song/movie has started playing, stop your packet scanner and have a peek at the log.

It'll look something like this:

(The following log is typed from memory as I discovered this on a friend's PC a while ago, so apologies for the lack of packet info.)

127.0.0.1 > 208.65.153.253 - GET http://www.youtube.com/watch?v=T8feb8zXj54
208.65.153.253 > 127.0.0.1 \
208.65.153.253 > 127.0.0.1  - [The usual GET requests and packets of HTML, images, scripts and other gumpf...]
208.65.153.253 > 127.0.0.1 /
127.0.0.1 > 208.65.153.253 - GET http://www.youtube.com/get_video?video_id=T8feb8zXj54&l=203&t=OEgsToPDskJ47_l7h9B3isGzSjA9NZmb 
                             [The L and T parameters are session specific.  Sending just the video_id parameter gives a blank page.]
208.65.153.253 > 127.0.0.1 \
208.65.153.253 > 127.0.0.1  - [Several packets of audio/video data...]
208.65.153.253 > 127.0.0.1 /

As you can see, there is an easily spotted URL to the video.

The URL itself may vary from that shown but the theory remains the same: trace packets, find the URL, download the file.

In this case, the video sent down from the YouTube server comes in FLV (Flash video) format, but sometimes renaming the file with a WMV (or whatever) extension might work.

Alternatively, there are probably several FLV file players for download knocking about the Internet.  If anyone is interested in hacking the FLV format, the original file in this case was a 320x240 Windows Media Video format with MP3 audio at 30 fps (I think) if that helps.

Quick Note on XSPF files

As mentioned above, some audio EFPs may request an XSPF file instead of an MP3 file.  This is actually a bonus as XSPF files are text/XML-based audio playlists and can contain references and URLs to many audio files across the Internet.

Hacking the audio player on www.dragonforce.com using the above method will demonstrate better what I'm talking about.

Check out www.xspf.org for full info and specifications on the format.  As a side-bar to this, try entering [(Your favorite band) .mp3 filetype:xspf] into Google and see what comes up!

The Final Word

I hope that this tutorial has helped you all learn a little about how Flash players and the HTTP standard in general work.  If you like to download music, please consider using this method (and buy the CD for copyright/royalty purposes of course!) as opposed to Apples iTunes.  After all, I'd rather pay my favorite bands much more than a measly three cents for each track of theirs that I buy!

Have a lot of phun... >:-)

>> Dieseldragon <<

Shouts to Bal-Sagoth (for being the greatest band ever known to metal!) and Dragonforce (for providing an excellent example for this article)!

F-yous to Apple iTunes for ripping artists off much worse than bedroom pirates and "those hackers" ever did!
Return to $2600 Index