Jump to content

Pandora Internals


redredraider

Recommended Posts

Hello everyone I'm new to the forum and have some questions that maybe someone here can help me with.

How to retrieve the audio URL that the pandora client is using. 

Not long ago you could query the pandora server and get an xml file which contained the information that the pandora client displayed along with the audio url of the song.  Well they got wind of this and modified it slightly.  The audio url is now in this form

hxxp: audio-inap10-sjl10. pandora. com/access/?version=4&lid=13984893&token=jwwQndF%2Fa5rxLOy%2Bnc2R2hAuOwLUgo5icI

O3qjj5FbEkoqonR5DOIb%2FbyhHN5%2FPpyQhNEJDsGtOQGg%2B1z9bxseiKTPP2QXOBy38e5sbTpCkRBG27rwz%2F8a7cJ2YU4dwj1ydLfP5gt

D1Xteo%2BYRJprOhjQEGJytj2uh5k%2FLVLflTfxkqvxl21nuM9XiCGjuvcGCqCpon9u%2FMhhfpLb8ebfebb1b2b9b955c28500edf921b14f3a665d09d43a156

Well when the flash player connects for this song it uses this url 

hxxp: audio-inap10-sjl10. pandora. com/access/?version=4&lid=13984893&token=jwwQndF%2Fa5rxLOy%2Bnc2R2hAuOwLUgo5icIO3qjj5FbEkoqon

R5DOIb%2FbyhHN5%2FPpyQhNEJDsGtOQGg%2B1z9bxseiKTPP2QXOBy38e5sbTpCkRBG27rwz%2F8a7cJ2YU4dwj1ydLfP5gtD1Xteo%2BYRJprOhjQE

GJytj2uh5k%2FLVLflTfxkqvxl21nuM9XiCGjuvcGCqCpon9u%2FMhhfpL4FORCQDIvOpO882O

note the differences in the end of the url

b8ebfebb1b2b9b955c28500edf921b14f3a665d09d43a156  for the encrypted url

4FORCQDIvOpO882O                                                            for the decrypted url

So the flash player is decrypting the last 48 bytes of the url to get the true location of the song. 

Here's the problem!

I have decompiled the flash program and discovered the app is using blowfish to decode the last 48 bytes of the url.  I cannot however replicate

this decryption.  I am not a actionscript guru so I could use some help figuring out why the code isn't working.  If you know anything about blowfish the key arrays are plaintext in the decompiled code but I can find where a password is used for the encryption/decryption. I also have a working implementation of blowfish in flash that I've been playing with.  If anyone is interested and is not a representative of Pandora I will send you what Ive got so far.  Figuring this out would pretty much give us unlimited downloads of whatever songs we want.  Time shifting at hyperspeed.

email travis. taylor@ttu. edu

Link to post
Share on other sites
  • 4 weeks later...

I hate to break it to you, but they're using a password on the blowfish encryption... I've run it through every BF decrypter i can try... see if the password isn't plain as day in there, or if not, where they're getting it from?

Link to post
Share on other sites
  • 3 weeks later...

No need to reverse engineer it, just work around it. The trick is to grab the URL before the flash application does. I've hooked the flash URL events with a wrapper application to intercept and block the Flash app until my own http download starts, and it works pretty well. The only problem is ofcourse the track is downloaded twice.

Link to post
Share on other sites
  • 3 weeks later...

Why not just feed the first downloaded copy back to the pandora app like it was the server it originally requested the file from? You're already intercepting and putting it on hold, why not just turn around and inject data saying you're the server.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...