Comments: Apple puts the lid on free-for-all iTunes artwork, again

Dammit, like THE DAY AFTER I started to look at the free-for-all. But...

I looked at your example for "The Go Team!". I followed the TCP/IP stream with Wireshark (Ethereal). It looks like there are a couple of new developments.

Firstly, it looks like the algorithm for generating the X-Apple-Validation key has changed. I've been simulating the exact same request as iTunes and I now come up with a different value than Apple does.

Secondly, it looks like there are additional HTTP requests in the chain before iTunes gets artwork. It looks like there is a session initialization just before the album artwork request. During this session, it looks like the server will send the unencrypted URL. There appears to be a very short timeout to the session. If I send the EXACT same request, I get the URL to the encrypted image.

These seem to be the two biggest deals in getting the unencrypted artwork, currently. In the meantime, I'm going to see if I can apply the "onefish/twofish" algorithms to the encrypted artwork.

Good luck, Marv!

Posted by WALDO at September 29, 2007 12:24 PM

Bugger.

Back to breaking the encryption then...
I can manage to retrieve the exact same encrypted file using a PHP script as iTunes retrieves. We just need to figure out what Apple is using as the encryption key.

As has been said before, the encrypted files are always the same no matter what account is being used.

So the encryption key is constant or related to the file itself, e.g. its MD5 hash (or a combination of both).

Posted by Infirmus at October 18, 2007 11:26 PM

Drop me a line, I'll sort you out with a gift cert for the UK store...

Posted by k at December 27, 2007 8:16 AM