
Hello OP! Can you give a short not so technical description of this attack please?


Not the OP here, but briefly, the technique uses a little statistical cleverness and the ability to examine a running program to help identify which part of the Spotify program produces the unencrypted bytes of the track it is playing. It then taps into that part of the program, and copies these bytes to a file. That file then contains playable audio. (This data must be unencrypted in order to meaningfully feed the digital-to-analog converter of the playback computer.)


- Runs it in a virtual machine/emulator (QEMU).

- Records (with PANDA) every instruction run and every piece of data read or written by that virtual machine for half a minute while it's playing audio. (!)

- Analyses that recording and uses some very clever statistics to identify functions that read chunks of data that looks encrypted, and write chunks of data that looks compressed (yes, you can tell the difference, compression is imperfect).

- Out pops one likely candidate, which sure enough is the decrypter.
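
The encrypted-versus-compressed distinction in the steps above, as an added example that is not code from the paper, from PANDA, or from anyone in this thread. It scores buffers with two byte-histogram statistics (Shannon entropy and a chi-square test against the uniform distribution) and then picks, from a constructed trace of three hypothetical functions, the one whose input looks encrypted and whose output looks compressed. Everything in it is constructed: a seeded PRNG stream stands in for ciphertext, a buffer of mostly zero bytes stands in for decoded audio, Huffman-only deflate of that buffer stands in for the codec bitstream, and the thresholds and function names are assumptions of the example.

```python
"""Score buffers the way the trace analysis does: which function reads
random-looking bytes and writes compressed-looking bytes?

Added example for the thread above; not code from the paper or from PANDA.
All buffers are constructed below so the script runs offline."""
import math
import random
import zlib
from collections import Counter


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (max 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against the uniform distribution.
    255 degrees of freedom: uniform random bytes score about 255 +/- 23,
    so a value in the thousands is not uniform, however high its entropy."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """'encrypted', 'compressed' or 'plain'. Thresholds are this example's
    assumptions: entropy near 8 plus a histogram consistent with uniform means
    ciphertext; entropy still high but a histogram that fails the uniformity
    test is the fingerprint of an entropy coder (Huffman codes have integer
    bit lengths, so the coded bits are never perfectly uniform)."""
    h, x2 = byte_entropy(data), chi_square(data)
    if h > 7.9 and x2 < 400:
        return "encrypted"
    if h > 7.0:
        return "compressed"
    return "plain"


def find_decrypter(trace):
    """trace: iterable of (function_name, bytes_read, bytes_written).
    Returns the names of functions whose input looks encrypted and whose
    output looks compressed, i.e. the candidate decrypters."""
    return [name for name, rd, wr in trace
            if classify(rd) == "encrypted" and classify(wr) == "compressed"]


# --- constructed sample data (stand-ins, not captured from Spotify) ---------
rng = random.Random(1)
# "plaintext": low entropy, 70% zero bytes, like quiet PCM or sparse data
plain = bytes(0 if rng.random() < 0.7 else rng.randrange(1, 256)
              for _ in range(100_000))
# "compressed": the plaintext entropy-coded. Huffman-only deflate keeps the
# example free of LZ77 match distances, whose extra bits are stored raw and
# would dilute the histogram bias (shorter windows then need stronger tests).
comp = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_HUFFMAN_ONLY)
compressed = comp.compress(plain) + comp.flush()
# "ciphertext": a seeded PRNG stream stands in for cipher output, which is
# indistinguishable from uniform random bytes to these statistics
ciphertext = bytes(rng.getrandbits(8) for _ in range(32_768))

# hypothetical functions recovered from a trace, with the bytes each touched
TRACE = [
    ("copy_ciphertext", ciphertext, ciphertext),  # memcpy-like: random in, random out
    ("decrypt_block", ciphertext, compressed),    # the one we are looking for
    ("decode_frame", compressed, plain),          # codec: compressed in, PCM-like out
]

if __name__ == "__main__":
    for name, rd, wr in TRACE:
        print(f"{name:16s} reads {classify(rd):10s} writes {classify(wr)}")
    print("candidate decrypter(s):", find_decrypter(TRACE))
```

Run as-is and `decrypt_block` is the only candidate reported. The histogram test is the crudest form of the idea: with a 40 KB buffer the integer code lengths of a Huffman coder leave an obvious bias, but real audio codecs and LZ77 match distances (stored as raw bits) leave much less, so shorter windows need stronger statistics than this one.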


Small correction: the magic of record-replay is that you don't have to record every piece of data read/written, only the non-deterministic events (interrupts, accesses to devices, and a couple of instructions like `rdtsc`). This lets the overhead during recording stay low, while still getting all the benefits of a full execution trace. This is why we're able to store the Spotify trace [1] in only 263.1 MB.

[1] http://www.rrshare.org/detail/28/





