Replacing Facebook Messenger resources - Xposed Framework Development

I am trying to change the emojies inside of Facebook Messenger by the ones from EmojiOne.
In the first place, I decompiled through dex2jar the messenger APK and did quite a bit of search but no luck, it is obfuscated and pretty hard to read.
So my second guess was to replace each emoji in the resources. To do that, I used aapt to get one and try it:
HTML:
> aapt dump resources msg.apk | grep 1f60f
resource 0x7f020eca com.facebook.orca:drawable/messenger_emoji_1f60f_32: t=0x03 d=0x000017b3 (s=0x0008 r=0x00)
resource 0x7f020ecb com.facebook.orca:drawable/messenger_emoji_1f60f_64: t=0x03 d=0x000017b2 (s=0x0008 r=0x00)
resource 0x7f0c2086 com.facebook.orca:string/emoji_1f60f: t=0x03 d=0x00003439 (s=0x0008 r=0x00)
I tried this :
HTML:
public void handleInitPackageResources(XC_InitPackageResources.InitPackageResourcesParam resparam) throws Throwable {
if (!resparam.packageName.equals("com.facebook.orca"))
return;
XModuleResources modRes = XModuleResources.createInstance(MODULE_PATH, resparam.res);
resparam.res.setReplacement("com.facebook.orca", "drawable", "messenger_emoji_1f60f_32", modRes.fwd(R.drawable.emojione_emoji_1f60f_32));
resparam.res.setReplacement("com.facebook.orca", "drawable", "messenger_emoji_1f60f_64", modRes.fwd(R.drawable.emojione_emoji_1f60f_64));
}
and quite a few other things, but nothing seems to work. My drawable is working since I tried it in an Activity.
Even though I can get this working, would this be a proper solution to my original problem ?
Will I need to replace EACH emoji one by one in the two sizes ?
Thanks in advance

Bump please, no one?

Up for this thanks

This doesn't solve your problem, but I recently decompiled a proguarded apk too, and couldn't find the right resources easily. I found a method too do so though.
First, install xinstaller, then under misc enable debugging apps (allows debugging any app).
Next, connect your phone, make sure adb is on and connected, open Facebook and go to a conversation. Send some emoji too.
In Android studio, go into Android device monitor (ddms), tools -> Android -> Android device monitor. MAKE SURE YOU SET DDMS UP first
Now, find the button in the toolbar that says something like ui automator dump . This will take a layout dump of your displayed screen and give you a screenshot that you can use to click on various layout objects. You will be able to select the emoji and see what resource id is associated with it.
Or at least, it will give you a method to start looking for the resource id's. Combined with a tool like grep for windows, checking out public.xml for the ID's (they're in hex, but if you want to search in code for the ID, convert it to decimal). And you can pretty much find where the code and resource ID's are now !

Related

[APP][DISCONTINUED] TF3D manila mode9 editor

6Fg8 proudly presents:
m9editor
development discontinued
​
m9editor is your little helper when it comes to editing manila files. It lets you edit nearly all aspects of a mode9 file. Additionally it will assist you with graphics, allowing import, export and CFC compression. And It includes a directory viewer with information specific to manila files.
requirements:
m9editor is written in .net, so .netCF3.5 (currently SP1) must be installed (usually its already there). It has been developed and tested using Windows XP x64, but should run on any Windows platform.
usage:
see the manual contained in the download package (PDF)
making of / credits:
thanks to: D-MAN666, sztupy, nixx-X1, Chainfire, pcarvalho, showaco, guap, 12aon, xboxmod, NisseDILLIGAF, smotrs, for contributing knowledge, ideas, testing. Thank you guys (& gals of course) !
version history:
2009-03-10 - v3.3.0.1
BUGFIX: crashed when using selections
2009-03-09 - v3.3.0.0
- LuaConv is now included in the m9editor download package
- CHG: all sourcecode related functions use ".lua" as default extension
- NEW: compile and import function for lua script sourcefiles:
for mode9 files (embedded scripts):
m9editor remembers the filename of the source on a per-node basis and lets you subsequently edit the recently used file from the particular node. You may also attach/detach such a link manually. If a link is established, you may edit the sourcefile (check if you set the "SourceCodeViewer" option in m9editor.cfg) and recompile/import in a single step. When saving the mode9 file the links are saved too (mode9file.ann) and reloaded on next open.
for standalone scripts:
m9editor checks if a correspondig xxxxxxxx_manila.lua exists in the script directory. If yes, you are offered edit and compile options.
- NEW: editor context menu: view source for embedded scripts
- NEW: search previous button
- FIX: editing characterreference threw exception
- NEW: dirviewer context menu for mode9 files: compare with: compare two mode9 files without loading it first
- NEW: dirviewer context menu for all files: hex compare with: compare two files with hexview.
Only available if AptDiff is installed. Edit m9editor.cfg and insert the following line (use the path on your system):
AptDiffPath=c:\Program Files (x86)\Brother Technology\AptDiff 1.5\aptdiff.exe
If AptDiff is installed and configured in m9editor.cfg, text compares are done with AptDiff instead of ExamDiff
WARNING:
during directory analyze, if a lua script is found, m9editor checks for existence of <filename>.luac.lua. If its found it will be renamed to <filename>.lua. In directory viewer the line will be shown blue colored to indicate the presence of a sourcecode file.
during mode9 file load, if a embedded script is found, m9editor checks for existence of <filename>_<bytepos>.luac.lua. If its found it will be renamed to <filename>_<bytepos>.lua. In mode9 editor you will notice the link to the script sourcecode. Dont forget to save the mode9 file to make the link permanent (otherwise if you modify the structure, links might be lost due to changing byteposition).
WARNING2:
The pdf attached doesnt reflect the latest changes to m9editor, update follows.
2009-02-22 - v3.2.0.1
- fixed definitions for weather.mode9 and landscape.mode9 which rendered them unusable after modifying
2009-02-22
I removed the QtcConv and LuaConv tools because they lack of syntactical checks and the same functionality is available in m9editor.
EDIT: added the old LuaConv again, seems to work not that bad i thought it would
2009-02-21 - v3.2.0.0
- font changes for various fields to avoid overlapping
- if "manila files dir" is changed in settings, directoryview will be reloaded
- new: directory viewer context menu option for mode9 files: "extract embedded scripts", writes them to script directory
- changed interpretation of UV property (16.16 instead of INT32)
- picture view: new "save as PNG" and "save as QTC" buttons will save your graphic to a selectable directory
2009-02-19 - v3.1.0.1
bugfix for "save tree to file" function
2009-02-19 - v3.1.0.0
time for a new version
- m9editor now remembers last window/splitter positions and restores them on start and returning from minimize
- HOT compare feature: if a mode9 file is loaded, rightclick on the toplevel node to compare with another mode9 file, or save the treeview as a textfile. Compares are done with a freeware tool named "ExamDiff" from PrestoSoft.
2009-02-18 - v3.0.5.0
new context menu functions in directory viewer: delete, copy to
2009-02-17 - v3.0.4.0
content of XML, HTML displayed in lower right panel
evaluation of XML locales in directory viewer
manual is complete, and now a part of the package
2009-02-16 - v3.0.3.1
annotations now work for new tags as well, and will be copied between instances (+corrected a few flaws during display)
new: search within decompiled lua scripts
new: copy annotations between instances of m9editor
2009-02-11 - v3.0.2.0
bugfix: empty value crash
minor improvements
2009-02-10 - v3.0.1.0
some little improvements:
- sourcecode of embedded scripts and .luac files is shown whenever possible
- zoom percentage display for graphics display
2009-02-09 - v3.0.0.0
I've made a lot of changes to improve m9editor. The most important are:
- integration with sztupy's luadec (thanks and credits to sztupy for great decompiler and permission to use, and of course once again to D-MAN666 for providing knowledge)
- import of compiled lua scripts (ANSI or Unicode, autodetected)
- UI reworked: editor, directory viewer, image viewer combined in one window
planned for next releases of m9editor:
- copy files to/from PDA if connected via ActiveSync
- smart-select referenced graphic files in a mode9 file
- selfcheck for consistent mode9 writing
- analysis of lua script "require"'s for valid manila names
download stats:
v.3.2.0.1: 1554 views (wow! impressed!)
Guess I'll have to try that, seems great !
Your editor seems (as you describe it) only able to change values, but not the structure of the mode9 file, do you intend to change that ?
I have an ongoing project of mode9/xml converter in C, if I can be of some help, don't hesitate to ask
Hi Ximoon,
guess you belong to the "intended audience"
At the moment only changing values is allowed, correct. The main reason for this is that i'm unable to interpret and understand the complete structure, and to make sure that writing of m9 files produces valid files. If there's more info on that i could build it into the editor of course.
What i could imagine is a more generic approach, e.g. allow insertion/deletion of tags based on hex-values. I'll give that a thought.
Do you have any detailed info about the tag-structure? It can be seen in the tagfile but as hexvalues. Ive been able to interpret some of them, but the meaning of many others is unknown to me. So m9editor filters most of them for better reading.
Anyway, there's more to come with m9editor. I already built routines to disassemble lua scripts which run fine, but as its output is only relevant to p-code its pretty useless at this time. Also planned is a tool to allow image replacement. That could go to a point where we have a complete workbench for TF3D, including preview and the like. But thats far beyound my current scope.
Nice anyway !
I have no more information than you do, all I got is from the manilla thread where you posted earlier
But in the end, names of the tags doesn't really matter.
For LUA, I found some decompiler on the web, so I guess a tool to convert lua-unicode to lua-ascii and reverse could work to use those tools.
I guess I'll go on with my editor and see what I could do in the end, for two different approches could be constructive !
Must have been ChunkSpy, right? I found many more but mostly outdated and not working for Lua 5.1.
The Lua routines i've already written allow converting unicode to ascii, and save the scripts in ascii respectively. I'll have to recode them in .net as the first quick approach has been VB
Nice start, man
I was waiting for so long since somebody starts public Manila DevKit since i posted specs i reversed
Drop me a PM if you have any questions
Can't wait to use those lua tools
yeah, right D-MAN, most of that thing is based on your findings, my respect m8.
I'll PM you later, gotta go shopping now for newyears eve
6Fg8 said:
yeah, right D-MAN, most of that thing is based on your findings, my respect m8.
I'll PM you later, gotta go shopping now for newyears eve
Click to expand...
Click to collapse
Yah, sure, after NY eve when my hangover is over
oh oh, nice tool thank you
new version has been released, details here
got ean error if i want to open a file..
System.UnauthorizedAccessException: Der Zugriff auf den Pfad C:\Dokumente und Einstellungen\Administrator\Desktop\HTC\tf3d\2c684cd8_manila wurde verweigert.
bei System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
bei System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
bei System.IO.FileStream..ctor(String path, FileMode mode)
bei m9editor.m9efunctions.readm9(String fname, Boolean writedebug)
bei m9editor.m9editor.fileopen_Click(Object sender, EventArgs e)
bei System.Windows.Forms.Control.OnClick(EventArgs e)
bei System.Windows.Forms.Button.OnClick(EventArgs e)
bei System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
bei System.Windows.Forms.Control.WndProc(Message& m)
bei System.Windows.Forms.ButtonBase.WndProc(Message& m)
bei System.Windows.Forms.Button.WndProc(Message& m)
bei System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
bei System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
Click to expand...
Click to collapse
edit: i was write protected.....
schreda said:
got ean error if i want to open a file..
System.UnauthorizedAccessException: Der Zugriff auf den Pfad C:\Dokumente und Einstellungen\Administrator\Desktop\HTC\tf3d\2c684 cd8_manila wurde verweigert.
Click to expand...
Click to collapse
sorry, i dont have that file on my touch HD, cannot test. Are you sure its a mode9 file? Can you upload it here?
schreda said:
edit: i was write protected.....
Click to expand...
Click to collapse
that explains something
hmm.. i'm trying to port the analog clock from the Diamond to the HD.. i must change the Resolution i think but i got a bad result if i change the size var... ( i took the original file from the Hd to compare it
schreda said:
hmm.. i'm trying to port the analog clock from the Diamond to the HD.. i must change the Resolution i think but i got a bad result if i change the size var... ( i took the original file from the Hd to compare it
Click to expand...
Click to collapse
great idea, i'd appreciate to see a analog clock on the HD
new version has been released, details here
wow! finally someone is doing it
thanks and keep up the good work!!!
what i show in screenshot, is it portion of unparsed data?
can one edit them? i tried and failed cause i dont know what to change...
i'm missing: RectF, X, Y, Width, Height
pcarvalho said:
wow! finally someone is doing it
thanks and keep up the good work!!!
what i show in screenshot, is it portion of unparsed data?
can one edit them? i tried and failed cause i dont know what to change...
i'm missing: RectF, X, Y, Width, Height
Click to expand...
Click to collapse
its the value of the tag above, "Viewport". Currently i dont know how to parse that, as its binary and i dont understand the meaning. Could be 8 x Int16, or 4x Int32, or a mixture of that, and even then i wouldnt understand what these values mean. Obviously parameters for Viewport.
Yes, you can edit that, simply overwrite the hexvalues and press enter, it will be written.
Can you shed light into the purpose of these values? I'll be glad to parse them right.
BTW there is a baaad bug in v1.0.2.0 when writing m9, i'm currently correcting that.
6Fg8 said:
its the value of the tag above, "Viewport". Currently i dont know how to parse that, as its binary and i dont understand the meaning. Could be 8 x Int16, or 4x Int32, or a mixture of that, and even then i wouldnt understand what these values mean. Obviously parameters for Viewport.
Yes, you can edit that, simply overwrite the hexvalues and press enter, it will be written.
Can you shed light into the purpose of these values? I'll be glad to parse them right.
BTW there is a baaad bug in v1.0.2.0 when writing m9, i'm currently correcting that.
Click to expand...
Click to collapse
take your time my friend
those ones for Viewport i only know that they are:
<Property Name="Viewport" Type="RectF" X="0" Y="0" Width="31457280" Height="35127296" Animated="False"/>
cause i used D-MAN666's mode9parser, talk with him cause he might help, i hope

[App] RGUber v1.21a, RGUOrder v1.4

Purpose:
This purpose of this VBScript is to process and organize data in RGU/REG files to remove duplicates, identify faulty entries, and move entries to ascending alphabetical order (the same way it is displayed in a registry editor).
Requirements:
Windows Scripting Host (included in most versions of windows)
rgucomp.exe and cereg400.dll located somewhere in your path (same folder as the script probably won't work if the script is run from another folder)
.reg and .rgu files are expected to be UTF-16LE with BOM
Usage:
Drag a .rgu, .reg, or .hv onto RGUber.vbs OR run "wscript.exe RGUber.vbs example.rgu"
Details:
When an rgu|reg file is specified, RGUber will:
1) create backup of input file
2) rename input file to boot.rgu
3) use rgucomp to convert it to *.hv
4) use rgucomp to convert new .hv to original rgu path\name
5) Reorder all keys in ascending alphabetical order and all values for each key in ascending alphabetical order with default value first
When an hv file is specified, RGUber will:
1) use rgucomp to convert it to *.rgu
2) Reorder all keys in ascending alphabetical order and all values for each key in ascending alphabetical order with default value first
Options
Open RGUber.vbs in your favorite text editor. All options are set at the beginning with (hopefully) meaningful descriptions.
Code:
'//Path to rgucomp (leave this as default if rgucomp.exe is located in your system path)
Const RGUCOMP = "rgucomp.exe"
'//Path to notepad, only needed if %OPENAFTER% is true
Const NOTEPAD = "notepad.exe"
'//The following options can be set to True/False or 0/1
'//Organize registry entries in ascending alphabetical order
Const REORDER = True
'//Open in %NOTEPAD% after conversion is done
Const OPENAFTER = False
'//Save any errors from rgu -> hv conversion
Const LOGERRORS = True
'//Save a backup copy of %INPUTRGU% as "%INPUTRGU%_Backup.rgu"
Const BACKUPRGU = True
Other info
If target file already exists, RGUber will ask if you want to overwrite.
Text files (the MS way) typically contain CRLF for next line. Output from rgucomp.exe contains many CRCRLF. RGUber removes the extra CR.
I have very few comments in the code. If requested, I will upload another copy with as many detailed comments as I can manage.
I tried to code this as efficiently as VBScript can possibly be. I kept getting errors when trying to run 'rgucomp.exe -b -nologo' so instead of running it directly, RGUber creates a bat file, executes it, then deletes it.
On my AMD Phenom 9600 with Vista64 and 3 SATA in Raid5, RGUber completes rgu->hv->rgu of 2084 lines in <3s
RGUber always saves output from rgu->hv conversion but deletes the file if there were no errors.
RGUber crashes on files with no reg entries (e.g. empty app.reg in an EXT package that does not add any registry entries)
Changelog:
v1.21a
Values are now sorted in alphabetical order for each key
v1.2
Replaced Organize function with one from RGUOrder
Lost ability to reorder values for each key (To be readded in next version)
v1.1
Fixed a bug with removing hashdata from output (RGUber would mix data from two keys under one)
Changed sorting algorith with a much faster one
v1.02
Added option to remove RegistryUpdate key from rgucomp output
Fixed a typo where RGUber was not removing the system attribute from input rgu files
v1.01
Fixed typo where RGUber was waiting for backup file instead of log file
Change 'Done' msgbox to one that shows beginning time and ending time
v1.0
Initial Release
RGUOrder v1.4
This script will only reorder the contents of an rgu without processing with RGUComp, thereby keeping comments and delete key entries. RGUComp/cereg400.dll are not needed to use this app.
Changelog:
v1.4
Fixed a bug where if the original rgu did not end with a new line then the last entry after being sorted would be lost.
Fixed two bugs where only the first 25 tabs and first 25 spaces would be removed before sorting (This did not affect data integrity or performance, but the checksum would be different each time you run the output back through RGUOrder until all the original tabs/spaces were removed)
Added code to prevent multiple entries of the same key from being reordered
Fixed other miscellaneous bugs/oddities introduced with v1.3
v1.3
Added code to add a delete key for each subkey of a deleted key so that when reordered, the key deletion isn't broken
v1.2
Fixed a bug where the last key processed was being concatenated to another with no CRLF producing an invalid rgu file
I'm not sure if this relates to your app but I have a small question:
If a dumped a rom (raw, not kitchen type) and removed several apps/programs but did not clean the registry (very tedious), will this help me clean it up (remove dead paths, etc)?
And if so, how will it know just by dragging the .hv file? I mean how will your app know if a registry entry does not have the app/program included in the rom anymore?
Please forgive me if my question does not relate to your app
There is no way for my app to know, it isnt that smart
It would take an extensive app/database to know which keys are related to which apps.
Thanks for this post
updated to v1.1
v1.02 had a bug in the code which removed hash data from output which made it mix data from the key before it with the key after it
If I ever get around to updating again, I will use hvedit instead of rgucomp
I get an error.
Script: D:\RGUber.vbs
Line: 136
Char: 2
Error: File not found
Code: 800A0035
Source: Microsoft VBScript runtime error
Any reason why?
I attach the file i want to sort alphabetically.
I have no idea
It worked for me with no problem (file attached)
Please tell me the location of RGUber.vbs and of 51329f91-0017-4364-bcff-e032c5d45b01.rgu
Great application bro!!
Only limitation is that I have to put reg400.dll and rgucomp in C:\windows
c_shekhar said:
Great application bro!!
Only limitation is that I have to put reg400.dll and rgucomp in C:\windows
Click to expand...
Click to collapse
yeah, I tried to get around that but I didn't find anything feasible with vbscript :-/
Actually, they don't have to go in C:\windows
I reinstall windows regularly so I keep as many apps portable as I can. I have a bin folder on another partition that I add to the system path variable after a new install for stuff like this.
selyb said:
yeah, I tried to get around that but I didn't find anything feasible with vbscript :-/
Actually, they don't have to go in C:\windows
I reinstall windows regularly so I keep as many apps portable as I can. I have a bin folder on another partition that I add to the system path variable after a new install for stuff like this.
Click to expand...
Click to collapse
can you elaborate this a bit more. Because I too would like a similar arranfements...
My C:\ partition has Vista64
My F:\ partition has all my documents, downloads, music, movies, etc and a folder F:\bin\
F:\bin contains >100 downloaded command line programs and vbs scripts that I have written including
RGUber.vbs
lame.exe
rgucomp.exe
cereg400.dll
FixVTS.exe
faad.exe
nuerecmod.exe
Tag.exe
find Advanced System Properties (I can't remember how, it's different for XP/Vista/7) go to the Advanced tab and hit the Environment Variables button
Under system variables, scroll down to 'Path', double click it. This defines your 'system path'. It contains a list of folders separated by semicolon ";". At the end, add a semicolon and the path to the folder you want to add (e.g. ;F:\bin) after that, hit ok. XP may need to reboot to reflect the change but I'm not sure. Vista and 7 are affected immediately.
With this setup, you can open a command prompt in any folder on your computer and type "RGUber.vbs xyz.rgu" and it would work as if all the files are in that folder.
Thanks a lot bro!!!
I am grateful...
I'd really like to use this, but unfortunately I get this error regardless of the app.reg I drag onto the script:
Script: C:\RGUber\RGUber.vbs
Line: 232
Char: 3
Error: The system cannot find the path specified.
Code: 80070003
Source: (null)
Thanks if you can advise.
Quetzecotyl said:
I'd really like to use this, but unfortunately I get this error regardless of the app.reg I drag onto the script:
Script: C:\RGUber\RGUber.vbs
Line: 232
Char: 3
Error: The system cannot find the path specified.
Code: 80070003
Source: (null)
Thanks if you can advise.
Click to expand...
Click to collapse
Hmmm... this line asks the system for what is in the %temp% variable and attempts to change the working directory to the result.
Open RGUber.vbs in notepad and go to line 232
Modify
Code:
WSH.CurrentDirectory = WSH.Environment("SYSTEM")("temp")
to
Code:
WSH.CurrentDirectory = "C:\RGUber\"
then try again
Works great after your fix, selyb. Thank you for this useful app and your many helpful contributions to the Kaiser forums.
Quetzecotyl said:
Works great after your fix, selyb. Thank you for this useful app and your many helpful contributions to the Kaiser forums.
Click to expand...
Click to collapse
Yeah, I may relocate from Kaiser forums to Rhodium. I have an AT&T Tilt 2 in the mail to me ATM
Grats on getting a Rhodium. Found a question after using it for a while. This is just one example of such behavior, but why does:
Code:
[HKEY_CURRENT_USER\Software\HTC\TaskManager\ExclusiveList\System]
"CMBandSwitching.exe"=dword:0
get turned into:
Code:
"CMBandSwitching.exe"=dword:0
How do I make it regard CURRENT_USER keys?
Quetzecotyl said:
Grats on getting a Rhodium. Found a question after using it for a while. This is just one example of such behavior, but why does:
Code:
[HKEY_CURRENT_USER\Software\HTC\TaskManager\ExclusiveList\System]
"CMBandSwitching.exe"=dword:0
get turned into:
Code:
"CMBandSwitching.exe"=dword:0
How do I make it regard CURRENT_USER keys?
Click to expand...
Click to collapse
I had this problem with an earlier version. If you are using v1.1 then please attach the original rgu/reg. I have tried and I can't seem to reproduce it since I fixed it already.
Please, replace rgucomp with hvedit . I really need your help because rgucomp doesn't work for me . Thanks in advance .
tomcug said:
Please, replace rgucomp with hvedit . I really need your help because rgucomp doesn't work for me . Thanks in advance .
Click to expand...
Click to collapse
why doesn't rgucomp work? I would be surprised to learn that hvedit will work when rgucomp won't.

Running Homebrew Native Executables - Status: DONE!!

[2012/06/03] IMPORTANT UPDATE HERE
Hi hackers,
This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.
The goal is to run native homebrew executables on WP7
This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.
The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.
First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity
After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:
Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Entended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)
So I used OpenSSL to create such an certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.
I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.
I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).
I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.
So why is this not working?
Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On fist boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:
Code:
Microsoft Mobile Device Privileged PCA - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group
I should find a way to add a policy with my certificate in it. Any ideas?
Ciao,
Heathcliff74
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
Flow WP7 said:
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
Click to expand...
Click to collapse
That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the rom as complete binaries, instead of rom-modules. To begin with, I have to select one that does not need much privileges to run and try to sign that one and then run it.
I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let know how that went.
Thanks!
Decompiled taskhost.exe, so it gets more easy for us to see if its able to make taskhost to start another exe for us. Lots of code tho (C code).
taskhost.c (276 KB) in attachments.
edit: Oh, WOW, this really shows how to call those anonymous methods without call signature "Hello" (signature: "??z_Hello_?mze")
Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
a7 = sub_178E7(v10);
if ( a7 >= 0 )
{
a7 = sub_180A5(v7, v7 + 64);
if ( a7 >= 0 )
{
a7 = ThemeInitialize(v7 + 136);
if ( a7 >= 0 )
{
v11 = sub_1862B(v13, v7);
EnableHostAutoDehydration(v11 == 3);
v16 = 0;
a7 = InitializeEmClientEx(&a2, 0, &v16);
if ( a7 >= 0 )
{
a7 = RegisterPausedHostCallback(sub_19D0D, 0);
if ( a7 >= 0 )
{
a7 = RegisterResumingHostCallback(sub_19D31, 0);
if ( a7 >= 0 )
{
if ( v11 != 3
|| (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
&& (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
{
a7 = RegisterExitHostCallback(sub_19D55, 0);
if ( a7 >= 0 )
a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
}
}
}
}
}
}
}
}
UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
int v4; // [sp+0h] [bp-38h]@1
char Dst; // [sp+4h] [bp-34h]@1
int v6; // [sp+8h] [bp-30h]@1
int v7; // [sp+Ch] [bp-2Ch]@1
int v8; // [sp+18h] [bp-20h]@1
int v9; // [sp+28h] [bp-10h]@1
v4 = 0;
memset(&Dst, 0, 0x34u);
v8 = a3;
v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
v7 = (int)L"FMMain";
v9 = 2;
RunApplication(&v4);
return dword_12034;
}
C++ converted
Code:
UIXApplicationInfo app;
app { ... }
RunApplication(&app);
struct UIXApplicationInfo
{
int UNK_v4 = 0;
char Dst = {0};
char* uixFile;
char* uixEntryPoint;
int UNK_v8;
int UNK_v9 = 2;
}
Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).
___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App -->
<characteristic type="AppInstall">
<nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
athompson said:
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Click to expand...
Click to collapse
Hello "co-founder of native code on WP7"
I'm fully aware of the possibility of native code through COM. I use it for example in the WP7 Root Tools. But I just wanted to take it a step further. Running native executables give a lot more freedom. Not being bound to the watchdog, getting higher privileges and running in the background for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped making native code possible on WP7.
Ciao,
Heathcliff74
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
fiinix said:
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Click to expand...
Click to collapse
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Heathcliff74 said:
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Click to expand...
Click to collapse
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
fiinix said:
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
Click to expand...
Click to collapse
I really hate to break it for you. But the [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that, do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack-frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack-frame has not been allocated yet.
Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit
Ciao,
Heathcliff74
Currently installing "Windows Embeded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or what error it was).
Maybe ARMv7 is'nt even backwards compatibility with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (hope) generate a valid exe.
Thats it..
edit:
*Research
"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."
Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___
"As I said in the past, the ARMv6 CTR was kept backwards compatible with
> > > earlier versions of the ARM architecture (and ARM tried to keep it like
> > > this as much as possible). With ARMv7, you have multiple levels of cache
> > > and different types (e.g. ASID-tagged VIVT I-cache). There is no way you
> > > could encode the useful information while keeping the same (and only)
> > > register, hence the the need for a new register."
Source: http://www.spinics.net/lists/arm-kernel/msg58813.html
As i see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4
ARMv7 >> ARMv6 compatibility, not more.
_
Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!
__
[ExeX.exe] (the one that i recompiled to a state: "this has to work")(ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame
EXPORT start
start
var_20= -0x20
oldR4= -0x1C
oldR5= -0x18
oldR6= -0x14
oldR7= -0x10
oldR11= -0xC
oldSP= -8
oldLR= -4
MOV R12, SP
STMFD SP!, {R4-R7,R11,R12,LR}
ADD R11, SP, #0x1C
SUB SP, SP, #4
MOV R4, R3
MOV R5, R2
MOV R6, R1
MOV R7, R0
.
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
fiinix said:
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
Click to expand...
Click to collapse
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
athompson said:
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
Click to expand...
Click to collapse
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
fiinix said:
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
Click to expand...
Click to collapse
First use Andim's WP7 Rom Tools to extract the rommodules. Remember to always dump a folder, not a single file.
Then use Denomitor's version of Recmod and follow the instructions in the post. That works most of the time.
Going forward
Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"
/QRarch7 is the ARMv7.
edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb
, feels soo good:
main.exe is there.
IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.
Code:
; Input MD5 : B50E8D8395DE7CA2419464DC3CE0BC74
; File Name : C:\Users\Steven\Desktop\burn\main.exe
; Format : Portable executable for ARMI (PE)
; Imagebase : 10000
; Section 1. (virtual address 00001000)
; Virtual size : 00000018 ( 24.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; Processor : ARM
; Target assembler: Generic assembler for ARM
; Byte sex : Little endian
; Segment type: Pure code
AREA .text, CODE, READWRITE, ALIGN=4
; ORG 0x11000
CODE32
EXPORT start
start
var_4= -4
SUB SP, SP, #4
MOV R3, #1
STR R3, [SP,#4+var_4]
LDR R0, [SP,#4+var_4]
ADD SP, SP, #4
BX LR
; End of function start
Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
return 1;
}
PE Explorer (main.exe):
Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI
**** so CLOSE!
Successful copied "main.exe" and "ExeX.exe" to "\Windows", where i have the right to launch them remotely.
Method:
WP7Process p = device.LaunchEXE(@"main.exe", "");
main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.
WP7Process p = device.LaunchEXE(@"ExeX.exe", "");
ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.
There IS different things going on! Something is missing, but what
edit:
Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
Ill see if i can add it to startup list , if it boot from there.
edit 2:
Nope gonna hijack "fieldtestapp.exe" with my app because policy says:
Risky-mode.Activate();
Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);
"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"
<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
</Authorize>
</Rule>
<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
</Authorize>
</Rule>
edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.
edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.
edit 5:
There exists two types of talking to the LoadVerifier (the: This program is blocked by group policy.):
Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)
How we cant do (SHA1) (Nope, ain't gonna happen):
> We certainly dont have Microsofts certificate so this way is a nodo, haha lol, no do way.
(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574
edit 6:
Yep, loads of edits, just for you.
Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE
How code (yes i know its super un-optimized, fast put together):
Code:
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Elements().ToArray()[0].Elements()
.Where(x => x.Name.LocalName == "Rule")
.Where(x => x.Attributes("ResourceIri").Count() > 0)
.Where(x =>
{
var r = x.Attribute("ResourceIri").Value;
return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
})
.Select(x =>
{
var v = x.Attribute("ResourceIri").Value;
var l = v.LastIndexOf('/');
return v.Substring(l + 1);
})
.Distinct()
.OrderBy(x => x)
.ToArray();
edit 7:
yeah, lol i say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
Wow, this truly was a big step today
Done hacking today.
"After a day, there comes another day"
@fiinix,
You did a lot of testing. Good job, man.
A few comments:
0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.
The two ways of policies, exe-path and cert-hash, is result of difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call loadlibrary() and createprocess() on them. Since they are only executable sections, they don't have a signature, like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?) Other than that, there are a few signing certs that Microsoft has. Signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.
Using ARMv7 isn't going to add much I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.
I did some testing with certificates myself yesterday. Up until Zune totally went bezerk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.
According to policy on my omnia (webserver dumped) there seems to exist two typed of HDD, one ROM hard coded and one that points to internal sd card. It seems that all exe and dll on the sd are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side i compile with both, to have more chance getting it work.
Zune, hmm, did not seem to like you, maybe Microsoft DDOS'ed you lol
"Sent from my fingers on my phone", don't expect way too long text
XxXPachaXxX said:
Excuse my ignorance...I'm a noob...This hack may also work on LG devices?
Click to expand...
Click to collapse
At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploit to get deeper in the system and getting a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us
Ciao,
Heathcliff74

[Q] Change source of image from .cs file

Hi. How would you go about to change the source of an image from the .cs file? I've tried this:
xaml.cs:
Code:
BitmapImage yesImage = new BitmapImage(new Uri("/Test;component/Images/yes.png"));
img.Source = yesImage;
The xaml file has a control <image Name="img" /> residing in it.
Would binding in some kind of way solve this?
Sorry for the basic question, but I've searched and wasn't able to find anything that covers this.
Hi,
You're doing it in the right way. I assume you know you're using a URI referencing an image in an external assembly (i.e. a referenced dll separate from the project your .cs file is in)? (in your case called 'Test').
Is the image definitely in an external assembly?
Is that assembly definitely called 'Test'?
Is the image you are trying to load marked as Build Action 'Content' in Visual Studio?
Here's some code that loads an image from an external DLL called Shared:
MyImage.Source = new BitmapImage(new Uri("/Shared;component/Icons/Tick.png", UriKind.Relative));
Here's some similar code that loads it from the same assembly as the .cs file:
MyImage.Source = new BitmapImage(new Uri("/Icons/Tick.png", UriKind.Relative));
Hope that helps,
Ian
That worked! I changed the images (that are local to the project) "Build Action" to "content" and added the UriKind.Relative to the URI and also removed the /Test;component/ from the address.
What i find odd though is that the images (that I added to a folder called Images in the project) had the Build Action set to Resource as default and when i added the source via the property box of Visual Studio to the image control in the XAML it inserted the "/Test;component/Images/yes.png" for me and the images were visible. When changing the Build Action to Content they were gone again.
Anyway, it works now. Thanks
Glad it helped

[Dexplore] Obfuscated code finder | Develop portable Xposed module for obfuscated apps

Library: Dexplore
[Develop Portable Xposed Module] - [For Any Obfuscated Apps]
About: Dexplore is a dex analyzing library for finding obfuscated classes and methods at runtime. There is also a command line tool for static analysis and app de-compilation.
Highlight: Now you can develop portable Xposed module for any obfuscated apps (eg: snapchat, youtube, whatsapp, facebook etc). You don't have to worry about updating the module every time they release new versions, Dexplore will take care of obfuscated classes based on your provided query.
Example: Disable 'msg seen' in messenger
A more detailed explanation and examples can be found at: Github Wiki
The library is available at maven central repository: Dexplore
Java:
repositories {
mavenCentral()
}
dependencies {
implementation 'io.github.neonorbit:dexplore:1.4.5'
}
Command Line tool: Download
Java:
java -jar Dexplore-1.4.5.jar --help
Changelogs:
Release v1.4.5:
- [LIB] Add support for in-memory dex
- [LIB] Add various helper methods
- [LIB] Fix bugs in annotation filter
- [CLI] Update decompiler library
- [CLI] New option: advanced search query
- [LIB+CLI] New condition: set package names
- [LIB+CLI] New condition: set number literals
- [LIB+CLI] New condition: set source filenames
- [LIB+CLI] New condition: set class simple names
Release v1.4.4:
- [LIB] Fix class loading issues
- [LIB] Fix de-serialization failure
- [LIB] Add constructor helper methods
Release v1.4.3:
- [LIB] Fix de-serialization failure
Release v1.4.2:
- [LIB] Minor improvements
- [CLI] Improvement: rewrite from scratch
- [CLI] New command: search [redesigned]
- [CLI] New command: decode [decompiler]
Release v1.4.0:
- [LIB] Make API thread-safe
- [LIB] Add support for batch operation
- [LIB] Add support for parallel execution
- [LIB] Add Filter conditions for annotaion
- [CLI] Fix @file expansion in arguments
Release v1.3.0:
- [LIB] Several enhancements
- [CLI] New option: specify classes (-c)
- [CLI] New option: generate source files (-s)
- [CLI] Improvement: show results in real-time
Release v1.2.0:
- [LIB] Add documentation
- [LIB] Improve search accuracy
- [LIB] Fix several known bugs
- [LIB] Improve performance
Release v1.0.1:
- [LIB] Support multiple preferred dexes
- [CLI] New option: print full details (-d)
Click to expand...
Click to collapse
Source Code: Github
API Overview: Javadoc
Implementation: Github Wiki
If you need any help with implementation, comment here.
For bugs and feature request, create an issue on the github repo.
Used by: ChatHeadEnabler
[reserved]
Xposed Implementation Sample:
- Find all the necessary classes/methods using Dexplore at runtime and save them to Preferences.
- Do your necessary hooking with Xposed.
- Next time simply load them from Preferences.
[Implement dexplore queries to re-fetch automatically whenever version code changes]
Example: Block 'msg seen status' in facebook messenger (check Github Wiki for documentation):
Java:
public class XposedModule implements IXposedHookLoadPackage {
@Override public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {
if (!lpparam.packageName.equals("com.facebook.orca")) return;
// Create a class filter to find our target class
ClassFilter classFilter = new ClassFilter.Builder()
.setReferenceTypes(ReferenceTypes.builder().addString().build())
.setReferenceFilter(pool ->
pool.contains("Montage thread ")
).build();
// Create a method filter to find our target method from the class
MethodFilter methodFilter = new MethodFilter.Builder()
.setReferenceTypes(ReferenceTypes.builder().addString().build())
.setReferenceFilter(pool ->
pool.contains("has_seen")
).setParamSize(3)
.setModifiers(Modifier.PUBLIC)
.build();
// Load the base apk into Dexplore
Dexplore dexplore = DexFactory.load(lpparam.appInfo.sourceDir);
// Search method
MethodData result = dexplore.findMethod(DexFilter.MATCH_ALL, classFilter, methodFilter);
// Xposed hook: this will block Seen Status from being sent
XposedBridge.hookMethod(result.loadMethod(lpparam.classLoader), XC_MethodReplacement.returnConstant(null)));
}
Hello, After reading github wiki, I could successfully track class name changes dynamically. But when I read back the result from preference and try to deserialize by library method, it throws an IllegalArgumerntException.
ranej700 said:
Hello, After reading github wiki, I could successfully track class name changes dynamically. But when I read back the result from preference and try to deserialize by library method, it throws an IllegalArgumerntException.
Click to expand...
Click to collapse
How exactly did you try to de-serialize it? Could you provide the class name that you are trying to de-serialize?
NeonOrbit said:
How exactly did you try to de-serialize it? Could you provide the class name that you are trying to de-serialize?
Click to expand...
Click to collapse
I followed this Xposed Sample .
Deserialized with:
Java:
ClassData.deserialize(saved_result)
Class name was 3mt I think.
ranej700 said:
Class name was 3mt I think.
Click to expand...
Click to collapse
Got it, I'll release a new version soon.
Update: v1.4.3
Changelog:
- Fix de-serialization failure
NeonOrbit said:
Update: v1.4.3
Changelog:
- Fix de-serialization failure
Click to expand...
Click to collapse
That was quick, thanks.
One more request, I managed to find classes with simple search, but there are some classes that doesn't have anything specific to search with. I read advanced search section, but it's confusing for me. Can I message you personally? I need help with advanced search.
ranej700 said:
Can I message you personally? I need help with advanced search.
Click to expand...
Click to collapse
Sure, anytime.
Update: v1.4.4
Changelog:
- Fix class loading issues
- Fix de-serialization failure
- Add constructor helper methods
This library will be able to load dex files if they are extracted from apk and placed in a separate folder in /data/data/com.example.apk/files?
Blue cat said:
This library will be able to load dex files if they are extracted from apk and placed in a separate folder in /data/data/com.example.apk/files?
Click to expand...
Click to collapse
It supports apk, dex, odex, oat, zip files.
If your app can access the file, so should the library. Doesn't matter where it's placed.
Is it possible to search using string id? 0x7F1201EA or 2131886570
Blue cat said:
Is it possible to search using string id? 0x7F1201EA or 2131886570
Click to expand...
Click to collapse
It would be useless, since resource Ids are not static.
NeonOrbit said:
Example: Block 'msg seen status' in facebook messenger (check Github Wiki for documentation):
Java:
public class XposedModule implements IXposedHookLoadPackage {
@Override public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {
if (!lpparam.packageName.equals("com.facebook.orca")) return;
// Create a class filter to find our target class
ClassFilter classFilter = new ClassFilter.Builder()
.setReferenceTypes(ReferenceTypes.builder().addString().build())
.setReferenceFilter(pool ->
pool.contains("Montage thread ")
).build();
// Create a method filter to find our target method from the class
MethodFilter methodFilter = new MethodFilter.Builder()
.setReferenceTypes(ReferenceTypes.builder().addString().build())
.setReferenceFilter(pool ->
pool.contains("has_seen")
).setParamSize(3)
.setModifiers(Modifier.PUBLIC)
.build();
// Load the base apk into Dexplore
Dexplore dexplore = DexFactory.load(lpparam.appInfo.sourceDir);
// Search method
MethodData result = dexplore.findMethod(DexFilter.MATCH_ALL, classFilter, methodFilter);
// Xposed hook: this will block Seen Status from being sent
XposedBridge.hookMethod(result.loadMethod(lpparam.classLoader), XC_MethodReplacement.returnConstant(null)));
}
Click to expand...
Click to collapse
I've been looking for a module to do exactly this, do you implement this into anything or is it just a code example currently? I don't know enough about module development to "make it work" myself. I thought about trying to add the code into Weiju2 but I think that is only Lua coding for now. Which of course I don't know
Galaxy-Geek#1 said:
I've been looking for a module to do exactly this, do you implement this into anything or is it just a code example currently? I don't know enough about module development to "make it work" myself. I thought about trying to add the code into Weiju2 but I think that is only Lua coding for now. Which of course I don't know
Click to expand...
Click to collapse
It's just a code example, it works partially. To implement it fully, someone will have to analyze the source code properly.
Absolute legend!
Do you mind adding support for caching ? For example some class that takes Context and app version as an argument and automatically caches the method for you, or it determines whether it should be searched again when the version changes.
I'm back with Messenger Pro development by the way !
Mino260806 said:
Do you mind adding support for caching ? For example some class that takes Context and app version as an argument and automatically caches the method for you, or it determines whether it should be searched again when the version changes.
Click to expand...
Click to collapse
I'm not sure whether it's a good idea for a library to accept Context as argument and perform low level operations like writting to Preferences.
However, it has 'serialize()' and 'deserialize()' methods, you can easily write a helper method to save result + app version in Preferences. Take a look at this Xposed Samples.
Mino260806 said:
I'm back with Messenger Pro development by the way !
Click to expand...
Click to collapse
Good luck :.)

Categories

Resources