[johnsoft]

I read through the Spotify article, and if I understood it correctly, you don't need to run QEMU+PANDA to get at the unencrypted stream. That was just the method the author chose to analyze the running code. He tracked every memory read and write made by the CPU, and looked for byte distributions that looked like encrypted data, and found the decryption function at address 00719b84. He then located that code inside the Spotify binary, at 0x0042e2ed.

Once you know that, you don't need to repeat the initial analysis every time. You can just set up a hook to record all the data that flows through that function after it's decrypted.

[joelanders]

Yes, that's my understanding as well; my other comment was sloppy. I'm unsure what was meant by "hook," though. Is that something you set up with the target process running under a debugger? That much privilege wouldn't be available to apps in an app store, right?

[johnsoft]

I meant "hook" in the most vague, hand-wavy sense of the word… anything from attaching a debugger at runtime, to modifying the binary so it automatically saves every song on your desktop. Obviously if you did something like the latter, no extra privilege would be needed.