As I noted in my last post, I recently ran the Shamrock Shuffle 8K. The official pictures for most of the races in the US are taken by Marathonfoto. You can go to their website after the race, put in your bib number and get a preview of the photos, which can then be ordered from them. In previous years, I was happy with just taking the thumbnail of the picture and sharing it with my friends. Looks like the Marathonfoto folks decided to “beef” up their security this year and put an annoying “Proof” across the picture. When you log into the site, it shows a list of all the pictures they took of you. The list looks like this:
Clicking on any of the thumbnails brings up a popup that looks like this:
Here’s what I did to get rid of the “Proof” text:
- Checked the page source of the popup and figured out that it was a Flash application. Clever way of obfuscating the link to the source image.
- Knowing that the Flash application would use generic HTTP connections in the background, I fired up “Wireshark”, a traffic capture and analysis tool, and clicked on the thumbnail again to bring up the popup.
- An analysis of the traffic showed that the Flash app was calling out to a particular URL to get the image. Here’s a screenshot of the analysis by Wireshark.
- Fire up a browser window and directly access the image with the URL from the traffic capture to get it without the “Proof” text :). The original image looks like this.
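The weakness in the steps above is that the “Proof” overlay lived in the Flash client while the server returned the clean file to any direct request. As an added example (not part of the original post and not Marathonfoto's code), here is a minimal server-side check in which previews are only ever watermarked renditions and the clean file requires a recorded purchase. The `image_type` values and parameter names are those quoted in the comments on this page; the function names, the purchase store and the sample identifiers are assumptions.

```python
import logging

log = logging.getLogger("image_server")

# Constructed sample data: (customer number, negative number) pairs that were paid for.
PAID_ORDERS = {("CUST-0001", "NEG-0001")}

# Preview renditions. The watermark is composited on the server for both,
# so no response to an anonymous request ever contains clean pixels.
PREVIEW_TYPES = {"P": "thumbnail+watermark", "PhotoProof": "full+watermark"}


def preview(image_type, cust_number, negs_number, client_ip):
    """Return (status, rendition) for a preview request from any visitor."""
    if image_type not in PREVIEW_TYPES:
        # Unknown values are rejected and logged, never mapped to a default file.
        log.warning("rejected image_type=%r cust=%s negs=%s ip=%s",
                    image_type, cust_number, negs_number, client_ip)
        return 400, None
    return 200, PREVIEW_TYPES[image_type]


def download_clean(session_customer, cust_number, negs_number, client_ip):
    """Return (status, rendition) for the unwatermarked file (hypothetical endpoint)."""
    # Identity comes from the authenticated session, not from URL parameters alone.
    if session_customer != cust_number:
        log.warning("customer mismatch session=%s url=%s ip=%s",
                    session_customer, cust_number, client_ip)
        return 403, None
    # The clean rendition is released only for a recorded purchase.
    if (cust_number, negs_number) not in PAID_ORDERS:
        log.warning("unpaid clean request cust=%s negs=%s ip=%s",
                    cust_number, negs_number, client_ip)
        return 403, None
    return 200, "full+clean"


if __name__ == "__main__":
    ip = "203.0.113.5"  # constructed documentation address
    print(preview("P", "CUST-0001", "NEG-0001", ip))
    print(preview("SomethingElse", "CUST-0001", "NEG-0001", ip))
    print(download_clean("CUST-0001", "CUST-0001", "NEG-0002", ip))
    print(download_clean("CUST-0001", "CUST-0001", "NEG-0001", ip))
```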
Dude! This is good – when you initially mentioned it, I was trying to understand what reverse engineering you did; eventually, after this blog post, I realised….
We need internal firewall for our DC 2.0
Kool maaaan….. Just make a disclaimer before the Shamrock Shuffle tries to sue you……
Nice work
Hi,
I’ve just run the London Marathon and would love to be able to view my photos without having proof stamped all over me like I’m a prototype or something!
I ran Wireshark for one of the images and this is what I got:
Request URI: /view_watermark.cfm?CustomerNumber=K57N34&NegsNumber=47077536&Orientation=P
I can’t figure out what I should be doing in order to view the ‘non-proofed image’. Can you help?
Many Thanks
Good that you got it working. But I managed to rip the SWF (Flash) file and look at the source code. The Proof image on your picture is what I saw. Don’t know if they changed the way they do it, but the proof I’m seeing now has a different proof. Even when I put in the URL I get a JPG with the proof and no Flash. image_type=P will give me the small thumbnail, and image_type=PhotoProof will give me the full version but with the proof. Although I used the domain ‘gradimages’ and the proof is yellow; if I use the domain ‘marathonfoto’ it’s red. Do you have any insight on this?
Kongol – Looks like Marathonfoto beefed up their security again and in addition to changing the parameters, also put in source domain referrals. Looks like the door is closed :(..
After a long search for a way to access a photo online before the site can put the annoyingly legal “proof” on it, I came across your site and found it was most likely my only hope. I ran Wireshark and the following is the code that popped up~
GET /ver2/ViewImage.aspx?OrderNo=26333182&Roll=00001&Frame=0506 HTTP/1.1
Host: partypics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://partypics.com/ver2/EventImages.aspx?Page=6
Cookie: PartyPics_CartID=856dfe86-3535-478f-9ad3-2cd2ced21692; ASP.NET_SessionId=c5qplm45iqocrc553i4snmzl
I’m not quite sure how to manipulate the url, or if I even can, considering it seems all of the url is necessary to identify which photo to access. Is there anything I can do? Thanks for your time =)
Selin – which site are you trying to grab the pictures from?
partypics.com
Any luck determining the location of the pics (minus the “PROOF”) with the newer security in place?
Sorry John.. I was not able to. Looks like I was able to convince the folks at marathonfoto to fix their security :).
Vinay… Once you have the information from WireShark, what format do you enter it in your browser?
I tried the following:
http://www.servername.com/image_server.cfm?(followed by all my individual parameters; image_type, cust_number, negs_number)
I’ve tried lots of combinations. I also tried someone’s suggestion above using image_type=PhotoProof, but that only shows the large image with the watermark.
Do you know of any other image types I might try?
Basically, I just need to know how to execute the ‘GET’ statement using a web browser. Thanks.
This workaround isn’t working as of today. Does anybody know the image_type to change from PhotoProof to ???
I think they changed their security system a while ago. Haven’t been successful in figuring it out yet :).. But you will know when I do :).
Has anyone figured out how they are preventing ‘View Source’? I want to take a look at their image_server.cfm but they lock those pages up tighter than a drum.
The security has definitely been beefed up. I just ran the Marine Corps Marathon and I’m trying to get some photos from the marathon photo website without paying $15 per photo (way too expensive). I decompiled the Flash piece and it seems as though the “proof” text is not being added there. It’s being added in the image_server.cfm script. I used wget to download the cfm, but it’s encrypted. If anyone has a way to successfully decrypt a cfm file (I’m having trouble finding anything) we may be able to get the URL of the full res photos. I tried changing the image_type variable to something other than PhotoProof and I got a warning that my customer # and IP were logged. I’ll be using someone else’s # & IP from now on 🙂 Has anyone been able to get full res photos recently?
I wonder if there is some development on this?
Any development here?