Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Soundclick - Circumventing "Pay-Per-Song" Function
Date: March 12, 2007 02:11AM

I found this probably about 3 years ago, but since then they've redone their services to use a Flash player to curtail song theft. However, I sat there with my packet sniffer for a few minutes, and quickly found a new way to pull this one off. For those of you not familiar with Soundclick, it's a service where artists can upload their beats, songs, instrumentals, and other forms of music via MP3 for free. It's also pretty popular for pirating music without a Peer to Peer client. Artists have the option, however, to set their songs so that viewers need to pay a fee to download them, or license them for their own use.
Soundclick implemented the Flash player, and the need to be logged in to download MP3s, not too long ago in an effort to discourage song ripping. Sure you can just run some Audio capture program, and record the output, but it usually reduces the quality by a certain percentage. With this method you'll be able to capture the actual MP3 file with full quality (though it depends what bit-rate they chose to upload the file with) intact.

http://SERVER.soundclick.com/jarry/getsongfile.cfm?songid=SONG ID&id=67037448-E&q=hi

Server Values:
streamer
streamer2

Song ID:
This can be found by simply checking the properties of the song name on its page. The ID remains the same for downloading, and both the high, and low bit-rate streams.

Open up the URL in a media player, and allow it a few moments (this can take a while) to execute. If you receive an error immediately, then all you need to do is switch the servers to the other one, and try again. The songs are stored on either of the servers, but not both. Once the song plays through, or has reached a sufficient download rate, just simply select the "Save Media As...", or similar option in your media player, and there you have it.

http://www.awesomeandrew.net/index2.php?content=fd/soundclick


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Soundclick - Circumventing "Pay-Per-Song" Function
Posted by: trev
Date: March 12, 2007 07:31AM

The ID is actually changing, probably IP or session dependent (I get "authorization is missing" message with yours) but LiveHTTPHeaders extension in Firefox shows the download URL and it works.

Edit: You can also see the address in the cache - simply go to about:cache



Edited 1 time(s). Last edit at 03/12/2007 07:48AM by trev.

Re: Soundclick - Circumventing "Pay-Per-Song" Function
Date: March 12, 2007 08:56AM

Hmm. Well I sent the same link to someone else to ask if they heard the bad music I had chosen, and they did, though I did have 2 different IDs at one point. It's still a problem they're technically going to need to fix somehow. The old way to do it was simply stream the file as "Hi", and then check the properties to see where the MP3 originated.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/



Edited 1 time(s). Last edit at 03/12/2007 09:05AM by Awesome AnDrEw.

Re: Soundclick - Circumventing "Pay-Per-Song" Function
Posted by: trev
Date: March 12, 2007 09:04AM

They don't depend on session or browser either, so maybe these IDs simply expire.



Edited 1 time(s). Last edit at 03/12/2007 09:04AM by trev.

Re: Soundclick - Circumventing "Pay-Per-Song" Function
Posted by: SW
Date: March 12, 2007 09:13AM

Is there any good music there? Not easier to download illegally than to record the whole song? :p

Re: Soundclick - Circumventing "Pay-Per-Song" Function
Date: March 12, 2007 11:35PM

From time to time I find good Hardcore and Gabber tracks and mixes I like. You could record the audio output through any Wav editor, but usually the bit-rate is lowered, and it's a pain in the ass to record long mixes.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Soundclick - Circumventing "Pay-Per-Song" Function
Posted by: jungsonn
Date: March 15, 2007 08:30AM

Nice idea, but actually this is not illegal, it's really legal because they stream it to you despite this hack, free (legal) music my friends.
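
Added example, not part of the thread and not Soundclick's code: the replies above note that the `id` value in the stream URL does not depend on session or browser and may simply expire. One way a server can bind such a value to a single song, session, quality and expiry time, so that a copied URL is refused elsewhere; the secret, lifetime, token layout and function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment server secret
TTL = 120                         # assumption: token lifetime in seconds


def _mac(song_id, session_id, quality, expires):
    # Every field the server later checks is covered by the MAC.
    msg = f"{song_id}|{session_id}|{quality}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(song_id, session_id, quality, now=None):
    """Return 'expires.mac' valid for one song, one session, one quality."""
    expires = int(time.time() if now is None else now) + TTL
    return f"{expires}.{_mac(song_id, session_id, quality, expires)}"


def authorize(token, song_id, session_id, quality, now=None):
    """Server-side check before any bytes are served; returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False, "malformed"
    expected = _mac(song_id, session_id, quality, expires)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values.
    tok = issue_token("1234", "session-A", "hi", now=1000)
    print(authorize(tok, "1234", "session-A", "hi", now=1010))
    print(authorize(tok, "1234", "session-B", "hi", now=1010))
    print(authorize(tok, "1234", "session-A", "hi", now=2000))
```

The session identifier has to come from the server's own session state (for example the login cookie), not from a URL parameter the client controls.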
