2011-01-12, 20:39
So Hulu has rolled out a new system. (I just noticed a new Hulu job posting yesterday for a senior security administrator, by the way.)
I have been working on updates for the new security on grabbing the smil files. They are now signing requests with code in sec_as3.swf.
I have it mostly figured out but I can't get a look at the signing code in sec_as3.swf
video_id = content id of video
v = sec_as3.swf version
ts = ? (seems to be a constant)
np = ? (seems to always be 1)
vp = ? (seems to always be 1)
device_id = computerGUID
pp = distroPlatform
dp_id = partner
bcs = signature generated by generateSignatureToCSEL in sec_as3.swf. It uses a sorted list of parameters to generate this signature.
So I have tried to steward the plug-in and keep it functional but I am at a wall here.
My only option I know to move forward right now is to attempt to guess the signing method because if I decompress the sec_as3.swf with flasm then I can see some keys in the clear in a hex editor. I also can get many function names so I know the standards used. I am pretty sure they use http://code.google.com/p/as3crypto/ for their crypto so that limits the possible algorithms. Attempting to load any of the ActionScript from sec_as3.swf crashes everything I have tried so far. I tried various trials for commercial Flash decompilers too.
Any input or help is greatly appreciated.
Update: Just did some testing and the smil encryption is still the same. So really the only thing missing is the generateSignatureToCSEL way to make signatures (which I think means generate signature to content selection).
Update 2: Success!! After some guidance I was able to replicate the signing. I just have to implement the changes in the Hulu addon now and we should be set.