Topic: Userscripts.org discussion / internal server error when trying to upload an iso8859-1 encoded file

@MCH: You're going to have to convert all your international characters into named character entities. For example, Ö become Ö.

That's the price to pay for iso-8859-1 and all other non UTF-8 encodings.

Topic: Script development / A Scary Thought

Yes, by misusing unsafeWindow.

Topic: Ideas and script requests / SurfTheChannel

Success! All the components are now working:

1. The userscript has an internal "database" of decryption keys, arranged by skinID.
2. If an unknown skinID is encountered, the keyserver is contacted using AJAX (well, AJAJ).
3. The keyserver retrieves and decompiles the new skin, generates a new userscript, uploads it to userscripts.org, and responds with the results. ("Please update your script, here's a link.")
4. On most TV and Movie pages, the script can build a "pretty" download link using the show, title, season, episode, and part. An external redirector service is used to mask the real filename, which is usually ugly.
5. Failures are reported at the top of the current web page.

Topic: Ideas and script requests / SurfTheChannel

Status report: I have built a PHP web app that will fetch and decompile new playerIDs and build new userscripts. It can respond to XHRs. Still need to get it working on the production server (though it works on my local machine), as well as update the userscript itself to use the new service.

Topic: Ideas and script requests / SurfTheChannel

I know the basics of it: Open a socket, write a POST with the appropriate login data, read the response down to the Cookie: header, keep that. Open a second socket, and write a POST with the userscript, but this time pass in the Cookie: header I received. Read the response headers just enough to make sure it worked.

The language doesn't particularly matter.

Topic: Ideas and script requests / SurfTheChannel

The hard way, huh? *sigh* I suppose I could do that, too. (I was hoping for an API.)

I'm most comfortable with PHP, but I need to learn Python. That could be fun!

Topic: Ideas and script requests / SurfTheChannel

I like the way you think, Aquilax. :-)

However, I don't know how to programmatically post a script to userscripts.org -- is there an API I don't know about? The rest I know how to do, and I have the resources to do it.

Topic: Ideas and script requests / SurfTheChannel

It's probably already cached. For it to show up in LiveHTTPHeaders you'd need to clear the cache.

I *highly* recommend using FireBug instead, and clicking on its Net tab, then the Flash filter.

Topic: Ideas and script requests / SurfTheChannel

Sorry about that, PegasusX -- that was just some semi-pseudocode I wrote. (It's almost functional Javascript.)

Actually, what you need to decompile are the playerX.swf files. (I've done player1 through player15 -- I don't know how far up it goes.) Inside, you'll find that split and join stuff. I don't have a decompiled file on hand, though.

Topic: Ideas and script requests / SurfTheChannel

Aquilax: Yeah, that's why it's only at version 0.5. :-P I'll work up something with a decent user interface.

By the way, got any ideas on how to make the script more generalized? I suppose I could set up a server that automatically decompiles and caches player keys upon request... :-)

Edit: New version is up. Haven't tested it on unknown player IDs yet, but it should put a link in the sidebar that points to the userscript page, along with an error message.

Edit 2: If anyone else wants to use the Flare swf decompiler to grab the keys for IDs greater than 16, be my guest. :-)

Topic: Ideas and script requests / SurfTheChannel

Aquilax: I downloaded and decompiled their SWF. There are three "pass" keys. Here's the algorithm:

d = input_str;
d = atob(d);
d = d.split(pass1).join('');
d = d.split(pass2).join('');
d = d.split(pass3).join('');
d = atob(d);

and then d is the download URL.

Edit 1: I've created a script, and it works... but only on that video. I think they might be generating the .swf files per-request?

Edit 2: It's the playerXX.swf. My script only works for player10, not player14. They have different keys, and I think that the uidpass variables are used to choose between them.

Edit 3: I can't find where uidpass and uidpass2 are being read.

Edit 4: Nope, the player number is determined in flashvars, specifically, the value of xmlnum in the config key.

Edit 5: My script knows the keys for 10, 14, and 15. Here's the current version: http://lab.brainonfire.net/drop/surfthechannel-...

Edit 6: I've filled out the key database to include players 1-15. Uploaded here: http://userscripts.org/scripts/show/28065

Topic: Ideas and script requests / SurfTheChannel

Aquilax, I think they're using some kind of proprietary (probably crappy) encryption. Something homebrewed. I notice that there are three important variables in the flash_vars: input_str, uidpass, and uidpass2. All three are generated per-request.

I think that uidpass and uidpass2 are used to decode input_str, and the result is passed to getlink.surfthechannel.com for a final decoding and redirect to the terminal resource. That resource link looks something like this: http://player0002.tudou.com/flv/003/453/129/345...

Some parts of the base64-decoded string are invariant across requests, meaning the cipher they are using is quite weak. Most likely they are generated a string using the uidpass(2) strings and XORing it against the input_str, probably in binary form.

As it stands, however, it's easier for me to use Firebug's Net tab to catch the FLV link than to bother breaking their crappy decryption.