Help reverse-engineer Vimeo's anti-downloading measures

JWZ wrote his own Vimeo downloader (and uses other Vimeo downloaders like Miro), but it's stopped working, because Vimeo's got new countermeasures.

I really rely on Vimeo downloaders for my own watching, since Vimeo's network buffering is so terribly broken and performs so poorly in bad network connections. Any time I really want to watch a video on Vimeo — especially if it's more than a few minutes long — I download it and watch it with VLC.

JWZ is looking for help reverse-engineering the measures Vimeo uses to stop video downloading. If you've got the time and inclination to help him, that would be great (it would also really help me write about and link to more Vimeo files here!).

On a private video, when you hit "Play" in either the Flash player or the HTML5 player, it loads "http://av.vimeo.com/Nx5/Nx3/Nx9.mp4?aksessionid=HEX&token=CTIME_HEX2" which returns the full MP4. Those URLs go 403 after some small number of minutes, and it loads a URL with different hex each time you hit play (though the decimal numbers stay the same), so presumably the ctime is a part of the hash.

The fact that this works in the HTML5 player means that they are computing those URLs from Javascript somehow, rather than with a secret key that is baked into their Flash player, so that's promising. But I don't have a lot of experience reverse-engineering gigantic Javascript apps.

Since it will be the first thing you find when googling, let me point out that the old moogaloop URLs like "http://vimeo.com/moogaloop/load/clip:ID" are 404. You used to be able to use those to get a signature, then construct a download URL like: "http://vimeo.com/moogaloop/play/clip:ID/SIG/EXP/?q=hd", but no more.


Vimeo download escalation