Monday, August 7, 2017

De-obfuscate videos from pluralsight

I recently subscribed to pluralsight and needed to access the videos out of their walled app. A quick look at lsof when pluralsight is running shows that it's accessing a cached video in my ~/Library.
A quick look at the psv file using the file command fails. Using hexdump doesn't reveal any magic strings. Time to look for other clues. Next step was to sign in onto their website and play videos using the browser and at the same time take a tcpdump..

Comparing the first few bytes from the website and from the PSV reveals something interesting

Aha, it looks like we have a simple XOR obfuscation with a key 0x65. Can we write  a simple de-obfuscation script?

You bet!

Now I can play my learning videos on my TV w/out hooking up my laptop.


  1. Hey,

    your code dosn't work at all. I've made necessary changes.

    However, because the logic is itself wrong, this does not work.

    Please help if you have some solution about decoding videos from PluralSight, it would be really helpful.


  2. import os
    from os.path import join, basename, normpath

    # Script taken from:

    source_dir = r"D:\RK\Videos\Source"
    target_dir = r"D:\RK\Videos\PluralSight"

    def deobs_pluralsight(fpath, target_dir):
    fname = os.path.basename(fpath)
    target_fname = fname.replace('psv', 'mp4')
    target_file_path = os.path.join(target_dir, target_fname)

    with open(target_file_path, "wb") as ofh:
    for byte in bytearray(open(fpath, "rb").read()):
    #ofh.write(chr(byte ^ 101))
    ofh.write(bytes(byte ^ 101))

    def deobfuscate(dirname,fname):
    if fname:
    #for fname in fnames:
    fpath = os.path.join(dirname, fname)
    print ("Printing fPath: %s", fpath)
    deobs_pluralsight(fpath, target_dir)

    #if not os.path.isdir(target_dir):
    # mkpath(target_dir)

    for root, dirs, files in os.walk(source_dir):
    for fname in files:
    deobfuscate (root, fname)