A case of reverse engineering

As I noted in my last post, I recently ran the Shamrock Shuffle 8K. The official pictures for most of the races in the US are taken by Marathonfoto. You can go to their website after the race, put in your bib number, and get a preview of the photos, which can then be ordered from them. In previous years, I was happy with just taking the thumbnail of the picture and sharing it with my friends. Looks like the Marathonfoto folks decided to “beef” up their security this year and put an annoying “Proof” across the picture. When you log into the site, it shows a list of all the pictures they took of you. The list looks like this:

Clicking on any of the thumbnails brings up a popup that looks like this:

Here’s what I did to get rid of the “Proof” text:

  • Checked the page source of the popup and figured that it was a Flash application. Clever way of obfuscating the link to the source image.
  • Knowing that the Flash application would use generic HTTP connections in the background, I fired up “Wireshark”, a traffic capture and analyzer tool, and clicked on the thumbnail again to fire up the popup.
  • An analysis of the traffic showed that the Flash app was calling out to a particular URL to get the image. Here’s a screenshot of the analysis by Wireshark.

  • Fired up a browser window and directly accessed the image with the URL from the traffic capture to get it without the “Proof” text :). The original image looks like this.