Comments on: Hitchhiker’s Guide to Reverse Engineering

By: Zen

Zen — Thu, 23 Oct 2008 17:02:18 +0000

I tried to sum up all efforts around rtmp in this post.

By: Compn

Compn — Tue, 04 Jul 2006 18:26:05 +0000

you can find Braden’s libpcap program at

http://home.twmi.rr.com/compn/rtmp.cpp

if anyone wants to look at it and find the problem :)

By: Braden

Braden — Fri, 05 May 2006 01:05:22 +0000

I’ve recently been playing around with RTMP streamed mp3s, and saving them into a file using a little libpcap program I wrote. However, I am having the same issue where they are slightly garbled, and it’s really irritating me. My only guess is that the Flash Plugin is making some modification to the mp3 data before playing it… and trying to reverse engineer the plugin (tried OS X) has so far been a headache. Unfortunately, my gdb skills are quite a bit better than my IDA-Pro skills. Has anyone figured out how to fix the “garbling” effect?
I got my hands on the mpg123 source code and have been playing around quite a bit… comparing my recorded copy of a streamed mp3 with another mp3 not streamed but in the same format (no ID3 tag, encoded with same bitrate, frame size, etc). I’ve found that about every 4 frames there is an extra 6-15 bytes at the end of the frame that is not part of the mp3 data, but looking thoroughly at the mpg123 source shows that these bytes aren’t even being included in the frame data, so they shouldn’t account for the garbling (plus 6-15 bytes every 4 frames is really probably too small to have a noticeable effect). I’m puzzled. I emailed the Red5-dev mailing list seeking advice but they refused to answer :-\.
If anyone has had more luck with this, I’d be interested to hear. It’s become a bit of an obsession. :)

By: Timo Lindfors

Timo Lindfors — Mon, 10 Apr 2006 00:54:26 +0000

You can dump the data portion of a TCP stream easily with tcpick, http://tcpick.sourceforge.net/
Works either using libpcap dumps or from live network.

By: luke

luke — Mon, 19 Sep 2005 21:03:26 +0000

Hi Guys,

We are working on a open source implmentation of RTMP over at osflash.
Come check it out for more info http://www.osflash.org/red5

– luke

By: kees

kees — Wed, 27 Apr 2005 18:33:13 +0000

More rtmp fun. This one actually produces an MP3 stream (though is seems lightly garbled).

http://www.myspace.com/ninofficial

By: Patrick Mineault

Patrick Mineault — Sun, 27 Mar 2005 01:49:33 +0000

I know that quite a few people would be interested in getting the specs to RTMP. The server is prohibitively expensive; I know that some people have offered themselves in writing a server for it if the protocol would be specified.

The messages themselves probably are encoded in AMF, which does have a SOAP-like structure. Here is a trace of of a typical AMF message:

00FB 00 00 00 01 00 10 61 6D 66 5F 73 65 72 76 65 72 ……amf_server
010B 5F 64 65 62 75 67 01 00 00 00 60 03 00 0A 63 6F _debug….`…co
011B 6C 64 66 75 73 69 6F 6E 01 01 00 0A 61 6D 66 68 ldfusion….amfh
012B 65 61 64 65 72 73 01 00 00 03 61 6D 66 01 00 00 eaders….amf…
013B 0B 68 74 74 70 68 65 61 64 65 72 73 01 00 00 09 .httpheaders….
014B 72 65 63 6F 72 64 73 65 74 01 01 00 05 65 72 72 recordset….err
015B 6F 72 01 01 00 05 74 72 61 63 65 01 01 00 07 6D or….trace….m
016B 5F 64 65 62 75 67 01 01 00 00 09 00 01 00 15 4D _debug………M
017B 75 6C 74 69 70 6C 65 43 61 6C 6C 73 2E 6D 65 74 ultipleCalls.met
018B 68 6F 64 31 00 02 2F 31 00 00 00 0E 0A 00 00 00 hod1../1……..
019B 01 00 00 00 00 00 00 00 00 00 ……….

It’s 2 bytes version, 2 bytes number of headers, then headers, then bodies. If that looks somewhat like your trace then this would make it relatively easy. AMFPHP runs on AMF. You can downlaod the latest beta of AMFPHP here:

http://www.5etdemi.com/uploads/amfphpbeta.zip

Look at everything under the io folder, that should make things clear.