Pandora Internals


Hello everyone, I'm new to the forum and have some questions that maybe someone here can help me with.

How to retrieve the audio URL that the Pandora client is using.

Not long ago you could query the Pandora server and get an XML file which contained the information that the Pandora client displayed along with the audio URL of the song. Well, they got wind of this and modified it slightly. The audio URL is now in this form:

hxxp: audio-inap10-sjl10. pandora. com/access/?version=4&lid=13984893&token=jwwQndF%2Fa5rxLOy%2Bnc2R2hAuOwLUgo5icI



Well, when the Flash player connects for this song, it uses this URL:

hxxp: audio-inap10-sjl10. pandora. com/access/?version=4&lid=13984893&token=jwwQndF%2Fa5rxLOy%2Bnc2R2hAuOwLUgo5icIO3qjj5FbEkoqon



Note the differences at the end of the URL:

b8ebfebb1b2b9b955c28500edf921b14f3a665d09d43a156 for the encrypted URL

4FORCQDIvOpO882O for the decrypted URL

So the flash player is decrypting the last 48 bytes of the url to get the true location of the song. 

Here's the problem!

I have decompiled the Flash program and discovered the app is using Blowfish to decode the last 48 bytes of the URL. I cannot, however, replicate this decryption. I am not an ActionScript guru, so I could use some help figuring out why the code isn't working. If you know anything about Blowfish, the key arrays are plaintext in the decompiled code but I can find where a password is used for the encryption/decryption. I also have a working implementation of Blowfish in Flash that I've been playing with. If anyone is interested and is not a representative of Pandora, I will send you what I've got so far. Figuring this out would pretty much give us unlimited downloads of whatever songs we want. Time shifting at hyperspeed.

email travis. taylor@ttu. edu

  • 4 weeks later...
  • 3 weeks later...

No need to reverse engineer it, just work around it. The trick is to grab the URL before the Flash application does. I've hooked the Flash URL events with a wrapper application to intercept and block the Flash app until my own HTTP download starts, and it works pretty well. The only problem is, of course, the track is downloaded twice.


  • 3 weeks later...

Why not just feed the first downloaded copy back to the pandora app like it was the server it originally requested the file from? You're already intercepting and putting it on hold, why not just turn around and inject data saying you're the server.
