Hacking flash : Moogaloop.SWF

By Israel Torres

Disclaimer:
For informational purposes only

Harder bodies faster…
* Background info:
* Surfing digg (as usual) and found video link to collegehumor.com called “harder bodies faster” ;)
* Watched video and wanted to add to my  personal offline flv collection.
* They don’t offer download link :(

Keepvid.com
* Second-best alternative to native site “save as” link is keepvid.com
* Copy and paste url
* Click download
* The file is downloaded to your system
* … except that collegehumor.com isn’t an option on keepvid.com (at this time)

Logically speaking…	
* At this point We could:
*  see if Youtube.com has the file (which keepvid does support).
* See if another popular video site offers this same video.
* But that would only solve a temporary problem without learning anything…

Google.com	
* Google, google, google!
* Sometimes google doesn’t have all the answers :(
* What was found were pointers on youtube, similar keepvid sites, mysterious third party tools (that required Admin installation/execution) >_>

Time to burn in R&D?	
* More research found concepts to sniff your network to see where file is really coming from, etc.
* This wouldn’t work for my home machines since I don’t use flash on my systems (paranoia!)

Typical R&D…
* View-source hunting found nothing immediately useful…
* http://www.collegehumor.com/moogaloop/moogaloop.swf?clip_id=1789284&autostart=true
* Tried Base URL…
* http://www.collegehumor.com/moogaloop/
* … returns 404

R&D…
* Tried direct file link...
* http://www.collegehumor.com/moogaloop/moogaloop.swf
* Got prompted to download moogaloop.swf
* (this is the video player itself and not the video…)

R&D like a monkey…
* Tossed moogaloop.swf into notepad… 
* Gobblygook
* Ultraedit32 (hex editor)
* Hexed gobblygook
* Big guns: SWF Decompiler
* :) :) :) :)

Making sense of it all…
* Actionscript is easy to read!
* Quickly found URL references
* Especially this one:
* Static var CONFIG_PATH_BASE =
* “/moogaloop/video:”
* Hrm, very similar to presentation link: 
* /video:1789284

Pwn3d!
* Naturally the next step was to look at the url in its entirety:
* http://www.collegehumor.com/moogaloop/video:1789284
* "This XML file does not appear to have any style information associated with it. The document tree is shown below."
* MuHAhahahaha!

Easy street…
* So this points to an explicitly related xml file that contains a lot of info about the file for the player…
* Including the location of the flv file!
* <file>
* http://1.content.collegehumor.com/d1/ch6/e/1/collegehumor.9e35614eb25fb056ec67816113350e0c.flv
* </file>

Key = Cookie Cut + ID;
* Pasted flv url in browser
* Prompted with flv file download
* Loaded on free windows flv player
* … added to flv collection!

Domo arigator mr. roboto
* Now that I’ve found how to do it It’d be much funner to automate it…
* Cheesy DOS batch file:
* wget --output-document=temp.txt http://www.collegehumor.com/moogaloop/video:1789284
* type temp.txt | find /i ".flv“
* … which outputs …
* <file>http://1.content.collegehumor.com/d1/ch6/e/1/collegehumor.9e35614eb25fb056
* ec67816113350e0c.flv</file>

Domo domo…
* Why CLI?
* Easily called for scripting:
* FOR /F %I IN (CHFILES.TXT) DO @PoC_CH_moogaloop.exe %I
* Will download all the IDs stored in CHFILES.TXT without user interaction!

Domo domo…
* Wanted a standalone app that didn’t require installation or external tools such as wget…
* Wrote Win32 (XP/Vista) CLI PoC tool:
* PoC_CH_moogaloop.exe
* PoC_CH_moogaloop.exe 1789284
* Displays flv home, and downloads file in seconds…

Giving back…
* Contacted keepvid.com with this process and thanked them for the inspiration to write this up and requested they add this site to their “any site” drop-down as well as a standalone app for non-browser use (giving all info herein).

Additional info…
* visit talks.israeltorres.org for posted talks.
* visit tools.israeltorres.org for posted tools.
* contact: israel@israeltorres.org

Additional info…
* http://www.keepvid.com
* http://applian.com/flvplayer?src=KeepvidPlay
* http://digg.com/videos/music/Harder_Bodies_Faster_Stronger
* http://www.collegehumor.com/video:1789284
* http://www.collegehumor.com/moogaloop/video:1789284
* wget --output-document=temp.txt http://www.collegehumor.com/moogaloop/video:1789284
* type temp.txt | find /i ".flv"
* <file>http://1.content.collegehumor.com/d1/ch6/e/1/collegehumor.9e35614eb25fb056ec67816113350e0c.flv</file>
* 1E81855B7C37DE8859DA0B1CD8C38EC4  PoC_CH_moogaloop.exe

The end.

* Questions?
* Answers?
* Thanks!