Develop Bugs

New OEM -> EXT rebuilder!

Hi,
This is completely new EXT rebuilder made by myself. It’s again (just like all of my stuff I made xD) made in .NET so you need .NET framework on your PC (Vista and 7 already have it integrated). It works just as previous OEM -> EXT rebuild, but with few enhancements .
First, it can rebuild both whole OEM or just single package (it could do probably the old one too).
Second, it works by WILDCARD, so you want convert eg only packages starting with PACKAGE_ so you do: extRebuild.exe /wildcard=“PACKAGE_*“ (btw, the PACKAGE_* is default)
Also, there is another nifty thing. You can specify, what to do with other packages (usually these are OEMDrivers etc), which do not apply to the wildcard. There are several options as another flag:
• /ext - (the default one) – the all matching packages are moved into EXT folder after finished reEXTing and the others are left in OEM
• /keep – both OEM and EXT will stay in the same directory, but the OEM pkgs won’t be converted to EXT
• /move – moves the non-apply-wildcard folders to directory REALOEM
• /move=“somedir“ – the same as ^, but you specify which folder to move the OEM to
• /dele – delete the non-matching packages
• /nodelete - doesn't delete empty OEM packages (like X0, X1, L0, L1 etc)
Well, for classic use, just drop your OEM folder or single package on the extRebuild.exe and it will rebuild that all new EXT is moved to EXT folder and remaining OEM stays on its place .
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
That’s probably all you need to know.
Thanks for watching and start using . (Mine extRebuild ofc .) Your OndraSter

great tool

Very nice tool working perfect, thanks!

Very nice tool works perfectly

nice work ontraster even if it is in .net

Good work, maybe this tool, rebuild my OEM from WM STD

OK, new version comming in few mins to first post...
Highlits:
- [FIX] Now fixed that if you have packages with similar name like ExtNewPhoneSetting and PhoneSetting, it doesn't crash (weird it was happening only to me, not to twopumpchump)
- [FIX] Using more "Safe Move" and "Safe Delete" which doesn't crash when deleting/moving is blocked
- [FIX] Some more internal fixings
- [ADD] Now it also deletes empty OEM like X1, X2, L0, L1 etc (checks for count of modules+files except dsm and if == 0 => deletes whole package in OEM), can be disabled by /nodelete flag

Nice Work here

Doesn't work for me, i dumped a rom and theres lots of files in "OEMAPPS" folder, and i want to make packages for them, and i only get only get one massive package. I want to get individual packages, like adobe, zip, camera, ect. This is a 6.1 rom dump.

no you can't, the tool cannot generate what doesn't exist like missing packages dsm's.

Oh ok thnxs

OndraSter said:
Hi,
This is completely new EXT rebuilder made by myself. It’s again (just like all of my stuff I made xD) made in .NET so you need .NET framework on your PC (Vista and 7 already have it integrated). It works just as previous OEM -> EXT rebuild, but with few enhancements .
First, it can rebuild both whole OEM or just single package (it could do probably the old one too).
Second, it works by WILDCARD, so you want convert eg only packages starting with PACKAGE_ so you do: extRebuild.exe /wildcard=“PACKAGE_*“ (btw, the PACKAGE_* is default)
Also, there is another nifty thing. You can specify, what to do with other packages (usually these are OEMDrivers etc), which do not apply to the wildcard. There are several options as another flag:
• /ext - (the default one) – the all matching packages are moved into EXT folder after finished reEXTing and the others are left in OEM
• /keep – both OEM and EXT will stay in the same directory, but the OEM pkgs won’t be converted to EXT
• /move – moves the non-apply-wildcard folders to directory REALOEM
• /move=“somedir“ – the same as ^, but you specify which folder to move the OEM to
• /dele – delete the non-matching packages
• /nodelete - doesn't delete empty OEM packages (like X0, X1, L0, L1 etc)
Well, for classic use, just drop your OEM folder or single package on the extRebuild.exe and it will rebuild that all new EXT is moved to EXT folder and remaining OEM stays on its place .
That’s probably all you need to know.
Thanks for watching and start using . (Mine extRebuild ofc .) Your OndraSter
Click to expand...
Click to collapse
Hi there,
- Nice work. It worked like a charm for me on XP machine.
- Just a suggestion : I think the OEM path does not handle the space in between the folder names.
- E.g. : Usually I have all my stuff in "C:\My Folder". So if I set OEM path as "C:\My Folder\..." then the exe throws a .NET exception and forces to close.
- However, If I set the OEM path as "C:\Folder" then exe runs fine and all the EXTs are generated properly.
Is it possible to handle this space issue easily (I know this might sound little too much, but still thought of sharing)?

chota_shivaji said:
Hi there,
- Nice work. It worked like a charm for me on XP machine.
- Just a suggestion : I think the OEM path does not handle the space in between the folder names.
- E.g. : Usually I have all my stuff in "C:\My Folder". So if I set OEM path as "C:\My Folder\..." then the exe throws a .NET exception and forces to close.
- However, If I set the OEM path as "C:\Folder" then exe runs fine and all the EXTs are generated properly.
Is it possible to handle this space issue easily (I know this might sound little too much, but still thought of sharing)?
Click to expand...
Click to collapse
Apologies for below post. I forgot to add the path in "" when it has a space in it. This is Windows.

Superb!!!!!
It is great.....

Tried ver 1.1...
The /nodelete flag doing the reverse work.
It is deleting all the folders from OEM except the ones converted to EXT...
instead I expected it to retain all the non-wildcard packages+empty packages in the OEM folder and move wildcard ones to EXT folder.

Hi Bro
Thanks for this
Cheers

c_shekhar said:
Tried ver 1.1...
The /nodelete flag doing the reverse work.
It is deleting all the folders from OEM except the ones converted to EXT...
instead I expected it to retain all the non-wildcard packages+empty packages in the OEM folder and move wildcard ones to EXT folder.
Click to expand...
Click to collapse
Oh it is bug in documentation in think, in default, it keeps OEM in OEM and then EXT moves to EXT so no need to use that flag

OndraSter said:
Oh it is bug in documentation in think, in default, it keeps OEM in OEM and then EXT moves to EXT so no need to use that flag
Click to expand...
Click to collapse
I think you could not get me correctly.
in default it does following:-
1. delete empty packages
2. keep the non-wildcard packages in OEM
3. move wildcard packages to ext folder
right?
I dont want to delete empty packages and thats why I am using the flag /nodelete. I am using following command:-
Code:
extrebuild.exe %1 /nodelete
and it is deleting all the non-wildcard packages from OEM.

Ohh, bug in app, I'll fix it when I get some time (if there was no IE7 problems with rendering, I would do it now). Thank to MS for that

of EXT to OEM
OndraSter said:
Ohh, bug in app, I'll fix it when I get some time (if there was no IE7 problems with rendering, I would do it now). Thank to MS for that
Click to expand...
Click to collapse
and can EXT OEM package thanks.

WP7 Root Tools - Announcement: Coming to MANGO and to other devices: SAMSUNG, HTC, LG

Hi hackers!
IMPORTANT ANNOUNCEMENT!
WP7 Root Tools will soon be available for Mango!
More info HERE
With this tool you get root-access to parts of your WP7 device. The first release only contains a registry-editor. The file-explorer and certificate stores will follow.
This tool is in alpha stage. That means that it is not feature complete and it is not yet properly tested. This tool also provides you with high privileges with which you can alter low level settings and data on this device. All this may result in unexpected and undesired behaviour, which may ultimately damage your device. Use this tool with care and use it at your own risk. The developer of this tool cannot be hold responsible for any kind of damages, caused directly or indirectly by using this tool.
The current version of this tool can only be used on Samsung devices. A small part of the code uses Samsung-specific functionality. The performance of the tool may sometimes be slow. This is the result of the way access to the system is elevated. The goal is to make this tool device-independent and to elevate access more directly in the future, but that requires more research.
To install this you need a developer-unlocked Windows Phone 7 device. For questions about unlocking your device, please refer to the appropriate threads.
If you have bug-reports or feature-requests, please give a full description.
If you like this, hit the "Thanks" and/or "Donate to me" button.
Ciao,
Heathcliff74
Update 2011/04/06:
1. Some people requested a possibility for donations. I opened a paypal-account and the "Donate to me" should work. Thanks!
2. I get an overwhelming amount of comments and pm's. I can't answer them all right now. I will try to answer them a bit later. Sorry.
Thanks for all the support guys!
Update 2011/04/13: RELEASE "WP Root Tools 0.2 alpha"
Consider this an "interim build". Most changes are under the hood. I did a lot of refactoring for performance improvements and paving the way for the file-explorer. This version does not include the file-explorer just yet. That will be the next release. Fixes in the new 0.2 alpha version:
- Compatible with light theme.
- Navigate out of the app with back-button.
- Due to refactoring and better use of the exploit I gained a lot of performance. It is very fast compared to the previous version. Should also reduce battery drain significantly.
Update 2011/04/14: RELEASE "WP Root Tools 0.3 alpha"
Mightyhog found a regression bug in the 0.2 version. HKLM\Software\Microsoft\ was not listed properly. It is fixed in the 0.3 alpha version.
Update 2011/04/18: Info about known limitations
Yesterday I added some info here which, after more research, did not seem to be entirely correct. I misinterpreted some of the file-flags I was seeing. So here's some more detailed info about the know limitations of the current Registry Editor and the File Explorer which is coming soon. It seems that having TCB privileges still has some limitations on accessing the filesystem and the registry.
Some registry values can be changed but they are reset back to their default value after the device is restarted. One example of such value is:
HKLM\System\CurrentControlSet\Control\Power\Timeouts\BattUserIdle DWord 300
Possible explanations:
- The value is stored in a ROM registry hive. The change is made in RAM and after the device is restarted and RAM is cleared, the value is read from ROM.
- In the boot sequence of the device some xml-files which contain settings, are provisioned and overwrite changes made to the registry.
- A certain service or startup-program simply overwrites settings on system-startup.
I'm working on the File Explorer now. While testing I found out that eventhough I have TCB privileges some access is still restricted, because system-files are mapped directly in ROM. There are 2 file-flags that have impact on this:
- 0x0040 = FILE_ATTRIBUTE_INROM - This file is an OS file stored in ROM. Most files in the \Windows folder have this attribute. These files cannot be moved, modified, renamed or removed. Only a firmware update can change these files.
- 0x2000 = FILE_ATTRIBUTE_ROMMODULE - The exe- and dll-files in the \Windows folder also have this flag set. These ROM files are mapped directly into executable read-only address-space, rather than being first copied to RAM. They cannot even be accessed as a file. They can only be executed. And therefore these files also can't be copied to another location, ie. we don't even have read-access on these files. However, I may have found a way to access these files anyway. This needs a bit more research, but I hope that I can at least copy the files to a location where they can be accessed.
Everything else seems to be possible. Creating files in the \Windows folder is no problem. I hope to be able to release a version with a File Explorer soon. I guess it will be in about two weeks or something. Bear with me.
Update 2011/04/19: No luck on reading the ROM modules
I did more testing. I wanted to have at least read-access to the exe- and dll-files in the \Windows folder. As it is not possible to call CreateFile() on those files, I tried LoadLibrary(). That works. With CreateToolhelp32Snapshot(), Module32First() and Module32Next() I can enumerate the modules and find the one I loaded. I also get a baseaddress and size of the module. The problem is that I can't access that memory. I tried direct-access and I tried using ReadProcessMemory(). ReadProcessMemory() returns "Incorrect parameter" as soon as I try to access the ROM memory. Also using VirtualProctect() to unlock the memory gives me "Incorrect parameter" all the time. So it seems we won't have read-access to the exe- and dll-files in the \Windows folder for now. I will now concentrate on other functionality for the File Browser. I will try to get access to the ROM modules later on.
Update 2011/06/14: RELEASE "WP Root Tools 0.4 alpha"
It has taken me a long time, here's a new release, finally. Actually this release is not very useful yet, because the file-explorer is read-only so far. The "Cut / Copy / Paste / Delete / Rename" will follow soon. The browsing part has been extremely difficult. The main problem was the performance. Opening a folder could take up to 4 minutes. Ouch! Through a combination of multi-threading techniques, caching and combining multiple exploits I finally got this to a stable solution where browsing can be done in quite an acceptable way. The write actions don't have these performance issues, because it is not a real problem when copying a file will take a few seconds more or less. I already started on implementing this. This release also has a few minor fixes to the Registry editor, but no new functionality. I also did a lot of testing on the certificate stores. I got full read / write access to all the stores, but none of that is implemented in the WP7 Root Tools yet. That will be next.
Update 2011/06/24: RELEASE "WP Root Tools 0.5 alpha"
In this version I implemented the basic file-operations and a certificate installer.
You might wonder why I created a certificate installer, because it is already possible to add certificates. When you email a certificate to yourself and tap that attachment, WP7 will install it. But if you install like this, the certificate will always be installed in the "Root" certificate store. With my certificate installer you can also install in "CA", "My" and "Code Integrity" stores. This may be very useful for hacking attempts. You can install a certificate by browsing to the ".cer" file and tap it. The possibilities for getting a certificate file on your phone will follow below. If you start installing certificates on your phone you should consider making backups in advance. I once experienced Zune going totally bezerk after installing certs. Zune took 100% and lost connection with the phone all the time. Everything was back to normal when I deleted the certs. In this version there is no view on the certificate stores available yet. In a future version you will be able to view the contents of all the certificate store and also uninstall certificates from there.
I specifically mentioned that this version has basic file-operations, because not everything is implemented. This is what you can do:
- Cut / Copy / Paste / Delete / Rename single files
- Delete empty folders
- Create new folders
This is what you can't do (will be possible in later versions):
- Cut / Copy / Paste multiple files or entire folders
- Delete folders with content
- Rename folders
Last, but not least: I fixed some performance issues. Mainly memory-leaks in native code and in COM interop. I'm not sure if I got all leaks now, because it's not easy to do native C++ without debugger and profiler. But improvement is clearly noticeable.
This version does not have a connection with the PC. So it is not possible to use WP7 Root Tools to transfer files between the phone and the PC. You can however, use other tools to get files onto your phone and then use WP7 Root Tools to move the files to the desired location. WP7 Root Tools has write access on every folder of your phone.
How to transfer files to your phone:
Mail the file to yourself. Use your phone to go to your mailbox (not webmail). The attachment will be downloaded in the background. Then use WP7 Root Tools to navigate to \Application Data\Volatile\EmailAttachments\Attachments(number). You have to look which attachment is the one you want. The filename may be changed. The extension is the same.
Install Davux' webserver on your phone. Configure a password in that webserver. The IP of the phone is visible in the webserver app. Browse to the phone like this: http://192.168.1.2/IsolatedStorage using the IP of the phone. Upload a file to the phone. Open WP7 Root Tools 0.5 alpha. Navigate to this folder: \Applications\Data\9BFACECD-C655-4E5B-B024-1E6C2A7456AC\Data\IsolatedStore\. There's your file. You can copy it to another location if you want.
Use the Zune storage hack, described here and here. If you copied the files to your phone in this way, they will be located at \My Documents\Zune\Content in one of the subfolders. Again, the files here are renamed. You have to find the file you want and then rename it.
Have fun!
Some screenshots:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

so what you are saying is you have been able to get read/write access to the file system on the focus? or is that something you just "hope" to add later?
EDIT: I'm sorry if that came off rude, I don't mean it to be I'm just excited about the idea of file system access!

very nice tool, needed a good registry editor for the samsung focus and this is perfect. thanks!

ur f-n awesome bro!

brilliant heathcliff

Very nice - works really well with the Focus.
Do you have any timeline for the file browser part? I'd love to see functionality that can copy files on and off the system folders.
Thanks for the tool!

EXCELLENT WORK Heathcliff, finally a way to write to the parts of the registry that we wasnt able to before. NOW we are getting somewhere with the Focus!!

Nice! Looks pretty neat!

Live tiles on Samsung Focus work now!
This is exactly what I was looking for to accomplish the live tile fix on my Samsung Focus detailed on wmpoweruser.
how-to-fix-live-tiles-which-are-not-updating-without-a-hard-reset-only-developer-unlocked-devices
Thanks, dude!
TOM.

voluptuary said:
so what you are saying is you have been able to get read/write access to the file system on the focus? or is that something you just "hope" to add later?
EDIT: I'm sorry if that came off rude, I don't mean it to be I'm just excited about the idea of file system access!
Click to expand...
Click to collapse
Yes I have 'full' access to the filesystem. The are 2 exceptions I found so far, using my hack:
1. I don't have access to files that are in use by the system. So, driver-files that are currently used cannot be accessed. Not even read-access. Possible work-around: I want to try to make a kind of copy-on-boot. I've already seen locations in the registry, where I can possibly add a startup-item that copies a file to a temporary location, when the file is not in use yet. But I have not tried that yet.
2. I can't overwrite or modify files that have the systemfile-flag. But I can copy the files, as long as they are not in use. Possible work-around: I have not tried all possibilities for changing file-flags. I might be able to do that.
I do have access through the entire file-system, including the \Windows folder and to the IsolatedStorage-folders of other apps. So that should give you a full file-explorer. Working on that now.
sorcy said:
Very nice - works really well with the Focus.
Do you have any timeline for the file browser part? I'd love to see functionality that can copy files on and off the system folders.
Thanks for the tool!
Click to expand...
Click to collapse
Well, there is not really a time-line yet. I wanted to finish the first release of this tool for a long time now. But I got some serious family issues. My grandpa died and my mother got a stroke and needed brain-surgery. Surgery went ok, but she needs rehabilitation right now. You can understand that I spent a lot of time with family over last weeks. I'm not sure how things will go. Situation with my mother looks promising. I visit her every other day now and it is a long ride. So that makes planning for this tool a bit difficult. But a lot of code that I made now is reusable for the other parts of WP7 Root Tools. So that should be a lot easier. I guess it won't take too long before I can add the file-explorer and certificate-stores. Just bear with me.

Hi Heathcliff74,
I hope everything goes well for your Family. The tool is one of kind, it's the first time that I see full Registry access on my Omnia 7. It looks very promising and I cannot wait for the File Explorer part. I hope you can add more features for both the registry and file explorer. Can you export the registry? Or that is not possible yet. Also, I would love to see a favorite’s option so we can add locations of the registry as favorites. We are very grateful to you for an excellent tool. Thanks.

Big thanks for the first alpha release ! Later this day I will do some tests and reply...

GIPAQ said:
Hi Heathcliff74,
I hope everything goes well for your Family. The tool is one of kind, it's the first time that I see full Registry access on my Omnia 7. It looks very promising and I cannot wait for the File Explorer part. I hope you can add more features for both the registry and file explorer. Can you export the registry? Or that is not possible yet. Also, I would love to see a favorite’s option so we can add locations of the registry as favorites. We are very grateful to you for an excellent tool. Thanks.
Click to expand...
Click to collapse
Thanks for the compliment. Importing and exporting registry keys is a feature that is not present yet, but it can be implemented for sure. Also a favorites option can be done. I'll put that on my ToDo-list.

Very good app. Hope to see quickly the file explorer feature !!!!
Take care of your family which is the most important .
Good luck!!!!

This is huge, I confirm it works on restricted Registry keys.
You are the best

martani said:
This is huge, I confirm it works on restricted Registry keys.
You are the best
Click to expand...
Click to collapse
Thanks! Now you can update your blog, right?

Heathcliff74 said:
Thanks! Now you can update your blog, right?
Click to expand...
Click to collapse
speaking of I did post a story about this hopefully later today it should be up

domineus said:
speaking of I did post a story about this hopefully later today it should be up
Click to expand...
Click to collapse
Can you tell me where you posted that? I'd like to read that. Tnx.

Heathcliff74 said:
Can you tell me where you posted that? I'd like to read that. Tnx.
Click to expand...
Click to collapse
wmpoweruser.com
waiting for acceptance

domineus said:
wmpoweruser.com
waiting for acceptance
Click to expand...
Click to collapse
Cool
Sent from my OMNIA7 using XDA Windows Phone 7 App

[Release]XapSpyAnalysis - a graphical tool for runtime analysis

Hi XDA developers!
Today I present you my first open source software called XapSpyAnalysis. You can download a compiled version and the sourcecode at xapspyanalysis.codeplex.com. It is an extension to Behrang Fouladis excellent XapSpy tool.
First, you need to use XapSpy. You need to start XapSpy and select a XAP package you want to analyse. It will be unpacked, stripped from its licence information, patched, signed and repacked. The next step is to launch the Emulator. This is automatically done from XapSpy. After it is booted, the application will get deployed to the emulator. After this is completed, XapSpy will inform you, that you can run the Monitor from inside XapSpy. This is where XDEMonitor kicks in. It will log all method calls and its variables it can get from the emulator log window. When you are finished, you can stop the recording and save the file to your harddisk.
This file can be loaded into XapSpyAnalysis. It will parse the file and display its raw content in the first tab. You can now switch between different views. You can display a table that contains all method calls with their variables, the DLL file from where the method call originates and its time. The next tab lists all method names and their number of calls. The next tab lists statistic values like how many method calls were registered and how many of them were unique method calls.
The final tab displays a graphical analyis of the method calls. The x axis displays the point of time, when the method was called. The y axis displays the number of method that was called. This is an unfortunate restriction from the used graphic framework. You can find a legend on the right side of the diagram. It maps the numbers to method names. But you can also point your mouse cursor on any of the data points in the diagram. A tooltip will be availabe that shows you the corresponding method name.
Now some screenshots:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
This screenshot shows an application, that crashes three times. You can see this from the data points starting with method 0 (InitializeComponent) and method 22 (Application_UnhandledException).
This screenshot shows an application that is properly executed and closed. It starts with method 0 (InitializeComponent) and calls a camera chooser (which is why method 0 is again called). This is a good example to see how Windows Phone 7 Multitasking and tombstoning works, because you can see when the methods Application_Deactivated and Application_Activated are used.
I hope this tool might be useful for some of you, especially when you want to understand how an application works. The apps can be even obfuscated. You will than only see method names like A, B, C etc. You can even check what other applications do, when they crash and that without having the source code.
If you have any ideas or find some bugs (and there will be bugs ) you can write me here on XDA or at Codeplex bugtracker. Already existing bugs and limitations can be found in the codeplex documentation.
Cheers,
Markus

rudelm said:
Hi XDA developers!
Today I present you my first open source software called XapSpyAnalysis. You can download a compiled version and the sourcecode at xapspyanalysis.codeplex.com. It is an extension to Behrang Fouladis excellent XapSpy tool.
First, you need to use XapSpy. You need to start XapSpy and select a XAP package you want to analyse. It will be unpacked, stripped from its licence information, patched, signed and repacked. The next step is to launch the Emulator. This is automatically done from XapSpy. After it is booted, the application will get deployed to the emulator. After this is completed, XapSpy will inform you, that you can run the Monitor from inside XapSpy. This is where XDEMonitor kicks in. It will log all method calls and its variables it can get from the emulator log window. When you are finished, you can stop the recording and save the file to your harddisk.
This file can be loaded into XapSpyAnalysis. It will parse the file and display its raw content in the first tab. You can now switch between different views. You can display a table that contains all method calls with their variables, the DLL file from where the method call originates and its time. The next tab lists all method names and their number of calls. The next tab lists statistic values like how many method calls were registered and how many of them were unique method calls.
The final tab displays a graphical analyis of the method calls. The x axis displays the point of time, when the method was called. The y axis displays the number of method that was called. This is an unfortunate restriction from the used graphic framework. You can find a legend on the right side of the diagram. It maps the numbers to method names. But you can also point your mouse cursor on any of the data points in the diagram. A tooltip will be availabe that shows you the corresponding method name.
Now some screenshots:
This screenshot shows an application, that crashes three times. You can see this from the data points starting with method 0 (InitializeComponent) and method 22 (Application_UnhandledException).
This screenshot shows an application that is properly executed and closed. It starts with method 0 (InitializeComponent) and calls a camera chooser (which is why method 0 is again called). This is a good example to see how Windows Phone 7 Multitasking and tombstoning works, because you can see when the methods Application_Deactivated and Application_Activated are used.
I hope this tool might be useful for some of you, especially when you want to understand how an application works. The apps can be even obfuscated. You will than only see method names like A, B, C etc. You can even check what other applications do, when they crash and that without having the source code.
If you have any ideas or find some bugs (and there will be bugs ) you can write me here on XDA or at Codeplex bugtracker. Already existing bugs and limitations can be found in the codeplex documentation.
Cheers,
Markus
Click to expand...
Click to collapse
Fascinating! I'll have to check this out against my xaps

I tried to follow the instructions but they were a bit confusing. The program crashes every time I select a XAP

@snickler: I am looking forward to your feedback
@MJCS: Ok, where do you get stuck? I still need to write a better documentation I guess
You downloaded Behrangs XapSpy and replaced the XDEmonitor files with the files from my version? Do you use the WP7 or WP7.5 SDK? There is an important difference regarding the naming of the emulator. In WP7 it is called Windows Phone 7 Emulator, while in WP7.5 it is just Windows Phone Emulator.

I am using 7.5
**
Ahhh I just noticed the 7.1 binaries. Now it works. Thank you!!!

Glad to hear I am really looking forward to your feedback!

[HACK] Using complete Windows API in Windows Store app (c++)

As we know, MS prohibits using most of standard Win32 API in Windows Store applications. Obviously there are lots of ways to overcome this limit and to call any API you like, if you are not going to publish your app on Windows Store. And here is one of them.
Idea is really simple and rather old (lots of viruses use it): search for kernel32.dll base in memory, then parse its exports for LoadLibraryA and GetProcAddress, call them - and get profit.
Writing here so this post can be indexed by google.
Partial code:
Code:
void DoThings()
{
char *Tmp=(char*)GetTickCount64;
Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);
while(Tmp)
{
__try
{
if(Tmp[0]=='M' && Tmp[1]=='Z')
break;
} __except(EXCEPTION_EXECUTE_HANDLER)
{
}
Tmp-=0x1000;
}
if(Tmp==0)
return;
LoadLibraryA=(t_LLA*)PeGetProcAddressA(Tmp,"LoadLibraryA");
GetProcAddressA=(t_GPA*)PeGetProcAddressA(Tmp,"GetProcAddress");
CreateProcessA=(t_CPA*)PeGetProcAddressA(Tmp,"CreateProcessA");
HMODULE hUser=LoadLibraryA("user32.dll");
MessageBoxA=(t_MBA*)GetProcAddressA(hUser,"MessageBoxA");
MessageBoxA(0,"A native MessageBox!","Test",MB_OK);
STARTUPINFO si;
memset(&si,0,sizeof(si));
si.cb=sizeof(si);
PROCESS_INFORMATION pi;
CreateProcessA("c:\\Windows\\system32\\cmd.exe",0,0,0,FALSE,0,0,0,&si,&pi);
}
Complete project is attached. It contains sources and compiled appx files for side-loading.
Code compiles fine for x86/x64 and ARM, tested on x86/x64. Can someone test it on ARM? Ability to sideload metro apps is required.
The application should output a MessageBox, then execute cmd.exe.
A note: Windows Store application runs in a sandbox and as a limited account, so most of API returns "access denied". You can check this in a launched CMD - it displays "access denied" even on a "dir" command because normally "modern ui" apps don't have even read access to c:\.
To overcome this - add "all application packages" full control to the directories/objects you like (for example to c:\).

Works perfectly on my Windows 8 x64 Tablet :good:... its not ARM based though ...

Can i use this to run a non-store app?
Here is the catch, I have managed to get the installed (not the installation) file from a kind member here on XDA. But when I paste the folder in:
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_1.0.927.0_x64__8wekyb3d8bbwe
The app isnt seen on the metro UI?
Any way to start a scanner of some sorts so that I can see the app in Metro.../?
THanx a ton!
Plz feel free to laugh a little at my noobish question...im stil learning..

Works perfectly on my surface RT!
but type dir in CMD returns "access denied".

There are no code signature checks from the command prompt that you launch.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Code:
#include <iostream>
void main()
{
std::cout << "Hello RT World!\n";
}
Compiled as an exe with info in http://stackoverflow.com/questions/...op-programs-be-built-using-visual-studio-2012

Open properties of your disk c:, go to the security tab and add "ALL APPLICATION PACKAGES" == full control. In this cage "dir" command would work, and your apps would be able to access whole filesystem.

Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?

Simplestas said:
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?
Click to expand...
Click to collapse
Unless the dll is loading with a restricted security policy (such as through a Metro app) it is checked, yes.

Excellent work on the 'App1' technique of starting a cmd prompt from a modern app, and the fact it can run other unsigned cmd line apps.
Note that the cmd prompt still runs in the modern app container and probably has lots of restrictions
And also it only runs when the modern app is running and effectively freezes when the modern app goes into the background and suspends
Don't seem to be able to run win32 gui apps from the cmd prompt it starts -- they start but immediately terminate, presumably because the full win32 stuff cant initialise in a modern app container.
But can tum gui win32 api's, like the create dialog one, from the App1 modern app
Luckily we can also test, investigate and debug this on an intel Windows 8 system (dual monitor is best) when trying to work out what is going on, and then test on ARM after that.

@Simplestas: LoadLibrary is also blocked, I'm afraid. One fo the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.
@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.

GoodDayToDie said:
@Simplestas: LoadLibrary is also blocked, I'm afraid. One fo the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.
@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.
Click to expand...
Click to collapse
Great seeing you again!
Anyways, I determined from some work with the VS Remote Debugger that the integrity checks are enforced in ZwCreateUserProcess. But, I bet LoadLibrary has its integrity checks in user-mode, since it normally doesn't access any functions using a call-gate to the kernel on Windows 7, which would mean we can modify it to allow us to load unsigned DLL's.
However, with this vulnerability, I had a different. What about allowing a native application to open, such as Notepad, and before it reaches the entrypoint, remotely injecting a different application to be ran (this would involve some sort of custom LoadLibrary + CreateRemoteThread pair of functions)? With the VS Debugger, you can already attach to any native process in user-mode and modify running code, data, and even the context (e.g. registers and similar data).

That suggestion is possible, and for trivial operations (i.e. replacing some strings in a program, or causing it to take one branch instead of another) people have already done so. Doing a wholesale replacement would be tricky, but should be possible (perhaps aided with WinDBG scripts or similar).

GoodDayToDie said:
Doing a wholesale replacement would be tricky
Click to expand...
Click to collapse
Not so tricky, I've already made a prototype on desktop Win8. Just make an ARM DLL that implements a PE loader using only 2 WinAPI functions - LoadLibrary (used only to get kernel32 handle) and GetProcAddress. Inject that DLL code and data sections via debugger, fixup relocs (you can minimize their amount in your "loader DLL" by not using global variables, placing all code into one file, not using CRT at all, and so on, ARM makes it easy to create position-independent code), and call your injected code via debugger passing it the address of LoadLibrary and GetProcAddress as parameters. Your code than would do what you wish - load and execute an unsigned DLL that you specify.
With this trick you can load EXE files too, as all ARM EXEs contain relocs by default.
But this way is too inconvenient to the end-user, so should be avoided. I really think that MS left enough holes for us to "unlock" unsigned apps on retail WinRT devices.
I'm already thinking on buying an Asus tablet with 3G (instead of waiting for a better device that I wish), so after NY holidays I'll join your game

Ah, that's a much more clever approach than actually trying to load the full program using the debugger itself... if it works. LoadLibrary triggers the same signature check that CreateProcess does (or rather, the system calls that they do will perform that check; if it was user-mode we could bypass it with the debugger). Your method may work, but since the desktop doesn't have the signature check anyhow, prototyping it there doesn't actually mean it will work on RT. Try it out and let us know how it goes, and if it works, posting your source would be awesome!

GoodDayToDie said:
Ah, that's a much more clever approach than actually trying to load the full program using the debugger itself... if it works. LoadLibrary triggers the same signature check that CreateProcess does (or rather, the system calls that they do will perform that check; if it was user-mode we could bypass it with the debugger). Your method may work, but since the desktop doesn't have the signature check anyhow, prototyping it there doesn't actually mean it will work on RT. Try it out and let us know how it goes, and if it works, posting your source would be awesome!
Click to expand...
Click to collapse
He doesn't mean making a prototype and importing from kernel32.dll. He means manually mapping the PE file, then using either CreateRemoteThread or modifying the context of a thread already launched to run it once it's in the memory address of another process. It's basically DLL injection with our own implementation of LoadLibrary. It would work because LoadLibrary doesn't use any system calls except to map memory (and mapping memory doesn't have integrity checks of any sort, and it shouldn't be design -- e.g. VirtualAlloc).
A bigger problem I thought of is automating this. I took a quick peek with Wireshark at my remote debugging session and saw HTTP with what appeared to be a proprietary protocol. In order to automate this from another computer (or any mobile device for that matter), we would need to reverse engineer the protocol. Or, an alternative would be to hook into Visual Studio once the debugging session is launched (maybe just a nice VS plugin would work?).

mamaich said:
Code:
void DoThings()
{
char *Tmp=(char*)GetTickCount64;
Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);
while(Tmp)
{
__try
{
if(Tmp[0]=='M' && Tmp[1]=='Z')
break;
} __except(EXCEPTION_EXECUTE_HANDLER)
{
}
Tmp-=0x1000;
}
if(Tmp==0)
return;
Click to expand...
Click to collapse
I was looking through the provided sample -- wouldn't our own GetModuleHandleA implementation be a better way of doing this? I'm just thinking should the alignment be changed in kernel32.dll it may be better to have something like this:
Code:
522 if (!name)
523 {
524 ret = NtCurrentTeb()->Peb->ImageBaseAddress;
525 }
526 else if (flags & GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS)
527 {
528 void *dummy;
529 if (!(ret = RtlPcToFileHeader( (void *)name, &dummy ))) status = STATUS_DLL_NOT_FOUND;
530 }
Source: http://source.winehq.org/source/dlls/kernel32/module.c#L504
Grabbing the Peb (NtCurrentTeb()->Peb) would involve pulling from the FS register at offset 0x30. Implementing this on ARM could be trickier, as I'm not sure of the inline assembly or availability of intrinsics (not to mention, it would be stored somewhere else than the FS register).
Now, for the PC, it appears __readfsdword is available as an intrinsic, so this *should* work on x86 installations of Windows 8.

mamaich said:
Not so tricky, I've already made a prototype on desktop Win8. Just make an ARM DLL that implements a PE loader using only 2 WinAPI functions - LoadLibrary (used only to get kernel32 handle) and GetProcAddress. Inject that DLL code and data sections via debu
Click to expand...
Click to collapse
I think this approach (of injecting own loader as far as understand) has such problem(even if implemented & automated)
Loaded exe can have own dependant dlls(any complicated-usefull proj has) that it cant load because of signing checks (and even more problems if it uses dynamic loading of own dlls and getprocaddress)
Or do i miss somth in your idea?

Will I be able to read/write to a parallel port using this method? Do the limited store apps have sufficient permissions to do that? Writing to a parallel port requires calling
Code:
hndleLPT = CreateFile("LPT1",(GENERIC_READ | GENERIC_WRITE), 0, 0, OPEN_EXISTING, 0, 0);
. Will this succeed?
Will I be able to successfully load this: http://www.highrez.co.uk/Downloads/InpOut32/default.htm ?
---------- Post added at 03:01 PM ---------- Previous post was at 02:11 PM ----------
This looks like an improved method to get the base address:
http://tedwvc.wordpress.com/2013/07/19/finding-the-kernel32-dll-module-handle-in-a-windows-store-app-using-approved-apis/

You should be able to do that using CreateFile2, which is permitted in Store apps already (no need to use the rest of the Win32 API). As for the permissions, I don't know, but it will probably work.
I mean, assuming your computer *has* an LPT port. I haven't seen one of those in a while...

how about the other way round? can a desktop app have access to the full windows 8 api (including those reserved for win store apps only)?

WP7 FTP+HTTP Client public library - need testers

Hi Friends.
I did some attempts to make working WP7 FTP(+HTTP) library. It may allow to endpoint applications to list, upload and download ANY files (include binaries etc.) from FTP or HTTP servers.
The simpliest way is to use web service. I have got working one, but based on closed code hacked, then it is possible for my internal use only, not for public presentation. Second problem is web services unstability.
Second way is native code, allowed by RootProject or custom ROM. First I tried MFC Internet+FTP classes. But WinInet functions are disabled or not present in WP7 core (or I do not know only, how to allowe them).
Then I have got public multiplatform source FTPClient library, based on native sockets management, and did (very small) changes in it to be usable at unlocked WP7. Library is working now. But, only simple native test application is finished and I have no free time now.
If you somebody want to participate, write here or send me PM. I will send FTP account to site, containing full source code and FTP test subsite too.
It is needed:
1. To repair SIZE command. On some servers library gets code 550 SIZE is not allowed in ASCII mode (library changes mode in download time only).
2. To make better, WM/WP consistent interface.
3. To make managed wrapper (we will do it to w.i.n.c.o's wNativeCom library and as Phone Commander plugin, but WP7DllImport wrapper is needed too).
4. To make automatical tests or to test all functions manually.
5. To refactorize all project by used code opensource licence.

Martin7Pro said:
Second way is native code, allowed by RootProject or custom ROM. First I tried MFC Internet+FTP classes. But WinInet functions are disabled or not present in WP7 core (or I do not know only, how to allowe them).
Click to expand...
Click to collapse
WININET is working and internally used by MS apps.

ultrashot said:
WININET is working and internally used by MS apps.
Click to expand...
Click to collapse
Thanks for info. I thought that it must be used. But, when I use WinInet CE6 API, I have got error "This function is not supported on this system". What I must do to use InternetConnect() etc? Thanks, M.

Martin7Pro said:
Thanks for info. I thinked it must be used. But, when I use WinInet CE6 API, I have got error "This function is not supported on this system". What I must do to use InternetConnect() etc? Thanks, M.
Click to expand...
Click to collapse
I don't know what you use and from where do you get this error - it mustn't happen if you use APIs directly.

ultrashot said:
I don't know what you use and from where do you get this error - it mustn't happen if you use APIs directly
Click to expand...
Click to collapse
Code:
HINTERNET hInternetConnect;
HINTERNET hOpen = InternetOpen (L"FTP",
INTERNET_OPEN_TYPE_PRECONFIG,
NULL, NULL, 0); /// This function works OK.
if ( !hOpen )
{
AfxMessageBox(L"Failed to open WinInet");
}
else
{
hInternetConnect =
InternetConnect(hOpen,
m_URL,
INTERNET_DEFAULT_FTP_PORT,
m_Username,
m_Password,
INTERNET_SERVICE_FTP,
INTERNET_FLAG_PASSIVE,
0); /// This function returns error.
if( hInternetConnect ){
AfxMessageBox(L"Internet Connect succeded");
/*
if(FtpGetFile(hInternetConnect, m_Filename_Remote, m_Filename_Local, 0, 0, FTP_TRANSFER_TYPE_BINARY, 0))
{
}
else{
AfxMessageBox(L"Get File Failed");
return false;
}
*/
InternetCloseHandle(hInternetConnect);
}
else
{
CString csError = ErrorString(GetLastError());
TRACE(csError);
AfxMessageBox(csError);
return false;
}
InternetCloseHandle(hOpen);
}
returns:
This function is not supported on this system. Error code : 78
And another, bigger problem:
When I uncomment FtpGetFile part, application is compiled and deployed OK. But after starting it does nothing, it does not want to start totally. I do not understand, how can the unused portion of the code affect the behavior of the application starts.
Socket library does not do anything similar.

Microsoft!!!
http://support.microsoft.com/kb/2735592
But patch is developed for ARM >=5 only and licensed to PB customers.

Finished - test binaries
Hi friends. There are binaries for testing. Predefined values download nice picture from our Czech glamour atelier to your "Storage card" device directory, but you can try much other servers, directories and accounts. All directory contents may be downloaded to your :Storage card" directory, no selecting is possible in example. I mean there will problems after firewalls etc., post your feedback. WinInet really does not work on WP7 for FTP servers, there is used little changed class from D. J. Bernstein and codeproject. If anybody know, how to export STL templates from dll, help me. Use "Exit" button for appclosing instead WP7 usual "Esc".
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Edit: There is actual version (without licencing conflict probably).
Managed wrapper will be added later (by wNativeCom probably). XAP istallable example for non-developers in deeper future.
Code is totally thread unsafe, after validation I will use http://forum.xda-developers.com/showthread.php?t=2208647 for it.

You can try unfinished Silverlight version:
http://wp7ftp.howto.cz/XDA/FTPClientExample.xap ... will be updated. EDIT: Xap 1.1 version is available from April 5th.
http://wp7ftp.howto.cz/XDA/FtpClientLibrary.dll ... this native library is needed in your device "\Windows\" directory (download and transport it to place). EDIT: If it not works on any device, try to delete \Windows\FtpClientLibrary.dll and install xap 1.1 version only.
Preliminary results:
1. Native FTP library works well.
2. Managed/Native callbacks synchronisation works well. (Thanks to MS idiots I must code all desktop like functionality again). There is a most important part for mechanism studying.
3. Silwerlight for WP7 is the most stupid and bugged Microsoft feature.
Simple app description:
Type Host, User, Pass and Remote (dir) values. You can stay predefined for testing. Tap to "Connect". You can see result in scrollable block on the bottom. If unsuccess, check your internet connection and typed strings, try again. If success, tap to second empty line under "Remote" (thanks to normal multiselectbox WP7 absention). Check wanted file names and tap do bottom cross (is it normal in ListPicker to have two crosses???). Tap to "Download". It is all. You can tap to "Disc.", change remote path or server values and tap to "Connect" again. First empty line under "Remote" contains remote directories list, but I am too busy to finish any logical directory tracing with bugged and unlogical Silverlight Toolkit features.
Known bug: Edit: Solved in 1.1 version. If deadlock occures still (unavailable FTP response), app restart (or phone reboot) helps you. Do you know anybody, if SL TextBox has limited capacity and how to bind string list to ListPicker?
Attention: "Connect" again after successfull previous connect and without disconnect = possible memory leaking!
Note: It is FTP. Must wait for all directives any seconds. If unsuccess, try the same again. This is normal FTP beahiour by mobile connection.
If anybody want, libraries are opensource and you can download them from the same FTP, which is used as predefined example values, or equal http http://wp7ftp.howto.cz/XDA/. You all have full FTP access, do not change anything important, upload relevant patches only! Managed part (Visual Studio 2010 for WP) is usable along by FTPClientUIDebugManagedWrappers.sln solution. I want to add FTP as plugin to Phone Commander only, I mean two-pane UI is the best solution of the FTP client. But, standalone FTP client can be usable too, when somebody Silverlight experienced will repair listControls behaviour there (all n/m callbacks are prepared, UI finishing is necessary only). Download only is finished in native library, upload will repaired in next versions.

Version 1.3
Uploaded FTPClient v 1.3 (the newest version is allways on http://wp7ftp.howto.cz/XDA/FTPClientExample.xap) solves ListPicker issues. Instead Remote Directories ListPicker is used totally wrong, but functioning global strings listbox, I am too busy to solve SL toolkit bugs now.
Known bug: Native library losts connection sometime and does not inform main application about it. You will see empty directories list from non-empty directories in this case. Application (or sometime device) reset helps you.
Known restriction: Server must be typed by name alias, not by IP address. I do not know why still, it will probably repaired in future versions.

Version 1.4
V 1.4:
Repaired file unselect after directory changing.
Showed "./././.." instead ".." as "Up" directory for better tapping.
Response TextBox content is rounded to 1000 characters. Is it a known TextBox bug to show any first characters only?