Sunteți pe pagina 1din 14

How to: crack windows mobile apps.

Cerinta> unlocked wp phone .. nu vb despre asta aici. Aplicatiile pt windows phone vin in formatul XAP si se pot instala prin Marketplace direct pe telefon sau prin descarcare Download and install manually si instalare apoi cu Tom xap installer sau xap deployer Formatul .xap este de fapt o arhiva zip, ce se poate deschide cu winrar/zip De mentionat ca mai nou fisierele de pe www.windowsphone.com vin acum criptate. Pt a obtine varianta decriptata se instaleaza aplicatia dorita in telefon si cu program manager de aici http://forum.xdadevelopers.com/attachment.php?attachmentid=1489928&d=1353191485 din el se alege a treia optiune de jos, cu XAP

Optiunea va crea fisierul XAP decriptat. Acesta se gaseste pe telefon aici


Applications/data/12345678-87BF-4D87-A529-0DFF41EFD592/isolatedstore/data/xap/

De aici cu file explorer eu l-am dus in \My Documents, l-am redenumit in .doc si cu aplicatia Office i-am dat Share pe skydrive, de aici putand fi descarcat pe pc si redenumit direct in .zip Am ales ca tinta programul Turbo camera, care face poze in lant si apoi din ele gif. Ce ne intereseaza din arhiva zip: clar, turbocamera.dll Il deschidem cu ida pro 5.5, ( http://
http://thepiratebay.sx/torrent/5235650/IDA_Pro_Advanced_v5.5.0.925t_and_Hex-Rays_v1.1.0.090909 www.4shared.com/zip/vFtlV0qe/IDApro55dapro55.html )

alegem New, de duem la categoria .NET si alegem .NET Dynamic Library, ok, alegem fisierul nostru. Aici daca ne uitam un pic in IDA View-A sau cautam dupa Text: Trial mode Gasim asa

Avem instructiunea ble.s care ne trimite la mesajul cu Trial

Noi nu dorim sa ajungem acolo, asa ca gasim e inseamna ble.s, aici http://en.wikipedia.org/wiki/List_of_CIL_instructions 0x31 ble.s <int8 (target)> Branch to target if less than or equal to, short fo

Instructiunea opusa, ca sa nu ajungem la trial este: 0x30 bgt.s <int8 (target)> Branch to target if greater than, short form.

A alternativa putem pune NOP x00 nop Do nothing pt a fi 100% ca nu se va sari de instructiunea ble.s sau bgt.s. Dam click pe ble.s, trecem in Hex view-a avem asa

Cautam cu un hex editor hex string 31 12 72 58 03 00 70 *pt siguranta ;) Inlocuim 31 12 cu 00 00 nop.

Am scapat de un mesaj, daca suntem sarguinciosi mai ne uitam in program si mai gasim la offset 25e4 asta

Aici se poate ajunge din 3 instructiuni 1. Bne.un.s (instructiunea opusa e: 0x34 bge.un.s <int8 (target)>)

2,3. Brfalse => trebuie schimbate in brtrue 0x39 devine 0x3A Alternativa e sa punem nop peste toate aceste 3 instructiuni Mai gasim la offset @278c un bne.un.s care ne duce la trial, facem nop si peste el. La @2b4f gasim asa

Brfalse trebuie trecut in brtrue Ultima si e gata @FFA0

Brtrue in brfalse. Ca o mica paranteza aici se mai poate face o fenta daca nu gasim salturi conditionale avem ldc.i4.3 asta zice ca putem face gif din 3 cadre Corespunzator instructiunii gasim in hex 19 . in locul ei daca ne uitam in tabela de instructiuni putem pune in locul ei maxim: 0x1E ldc.i4.8 = Push 8

onto the stack as int32. Deci 19 devine 1E si atunci pot face un gif in maxim 8 cadre..altceva!!! Acestea fiind spuse restul e simplu: se fac inlocuirile in .dll, se pune .dll in arhiva zip, se redenumeste .zip in .xap, se pune xap pe net, skydrive, se pune in telefon. Spor*

Hai ca e loc si de una mai simpla Night_Stand_Clock_v2.3.0.0.xap (8.2 MB) http://www.multiupload.nl/3EBSYR9AHI se urmeaza procedura de obtinere a fisierului xap decriptat * se poate lua dll direct din \applications\install\19c26c3-etc etc\NightStandClock.dll. gasim in el asa:

2 functii care returneaza 2 stringuri

System.String get_FlurryFullApiKey() si System.String get_FlurryTrialApiKey() Ideea e ca trialapikey sa returneze aceeasi cheie ca fullapikey Daca dam click pe ldstr "4TNNDWG2RP8K3VQJZXHX" in hexa ii corespunde 72 B9 0B 00 70 iar lui ldstr "ZG5KXFCWST72M2VJXB83" - 72 E3 0B 00 70, hex ce va fi inlocuit de 72 B9 0B 00 70, ca sa returneze cheia de la full.

Save, enjoy.
Neajiji did this.sugestii, reclamatii nuimipasa@mail.com Pacpac! Main article: Common Intermediate Language This is a list of the instructions in the instruction set of the Common Intermediate Language bytecode.Opcode Instruction Description Type of instruction 0x58 add Add two values, returning a new value.

0xD6 0xD7 0x5F

add.ovf Add signed integer values with overflow check. add.ovf.un and Add unsigned integer values with overflow check.

Bitwise AND of two integral values, returns an integral value. arglist Return argument list handle for the current method. Branch to target if equal. Branch to target if equal, short form. Branch to target if greater than or equal to. Branch to target if greater than or equal to, short form. Branch to target if greater than or equal to (unsigned or unordered). Branch to target if greater than or equal to (unsigned or unordered), short form

0xFE 0x00 0x3B 0x2E 0x3C 0x2F 0x41 0x34

beq <int32 (target)> beq.s <int8 (target)> bge <int32 (target)> bge.s <int8 (target)> bge.un <int32 (target)> bge.un.s <int8 (target)>

0x3D 0x30 0x42 0x35 0x3E 0x31 0x43 0x36 0x3F 0x32 0x44 0x37 0x40 0x33 0x8C 0x38 0x2B 0x01 0x39 0x2C

bgt <int32 (target)> bgt.s <int8 (target)> bgt.un <int32 (target)> bgt.un.s <int8 (target)> ble <int32 (target)> ble.s <int8 (target)> ble.un <int32 (target)> ble.un.s <int8 (target)>

Branch to target if greater than. Branch to target if greater than, short form. Branch to target if greater than (unsigned or unordered). Branch to target if greater than (unsigned or unordered), short form. Branch to target if less than or equal to. Branch to target if less than or equal to, short form. Branch to target if less than or equal to (unsigned or unordered). Branch to target if less than or equal to (unsigned or unordered), short form

blt <int32 (target)> Branch to target if less than. blt.s <int8 (target)>Branch to target if less than, short form. blt.un <int32 (target)> blt.un.s <int8 (target)> bne.un <int32 (target)> bne.un.s <int8 (target)> box <typeTok> Branch to target if less than (unsigned or unordered). Branch to target if less than (unsigned or unordered), short form. Branch to target if unequal or unordered. Branch to target if unequal or unordered, short form.

Convert a boxable value to its boxed form

br <int32 (target)> Branch to target. br.s <int8 (target)> Branch to target, short form. break Inform a debugger that a breakpoint has been reached. Branch to target if value is zero (false). Branch to target if value is zero (false), short form.

brfalse <int32 (target)> brfalse.s <int8 (target)>

0x3A 0x2D

brinst <int32 (target)> brinst.s <int8 (target)>

Branch to target if value is a non-null object reference (alias for brtrue). Branch to target if value is a non-null object reference, short form (alias for brtrue.s).

0x39 0x2C 0x3A 0x2D 0x39 0x2C 0x28 0x29 0x6F 0x74

brnull <int32 (target)> brnull.s <int8 (target)> brtrue <int32 (target)> brtrue.s <int8 (target)> brzero <int32 (target)> brzero.s <int8 (target)> call <method>

Branch to target if value is null (alias for brfalse). Branch to target if value is null (alias for brfalse.s), short form. Branch to target if value is non-zero (true). Branch to target if value is non-zero (true), short form. Branch to target if value is zero (alias for brfalse). Branch to target if value is zero (alias for brfalse.s), short form.

Call method described by method.

calli <callsitedescr> Call method indicated on the stack with arguments described by callsitedescr. callvirt <method> Call a method associated with an object. castclass <class> ceq cgt cgt.un Cast obj to class. Push 1 (of type int32) if value1 equals value2, else push 0. Push 1 (of type int32) if value1 > value2, else push 0. Push 1 (of type int32) if value1 > value2, unsigned or unordered, else push 0.

0xFE 0x01 0xFE 0x02 0xFE 0x03 0xC3

ckfinite Throw ArithmeticException if value is not a finite number. clt clt.un Push 1 (of type int32) if value1 < value2, else push 0. Push 1 (of type int32) if value1 < value2, unsigned or unordered, else push 0. Call a virtual method on a type constrained to be type T Prefix to

0xFE 0x04 0xFE 0x05 0xFE 0x16 instruction 0xD3 0x67 0x68 0x69 0x6A 0xD4 conv.i conv.i1 conv.i2 conv.i4 conv.i8

constrained. <thisType>

Convert to native int, pushing native int on stack. Convert to int8, pushing int32 on stack. Convert to int16, pushing int32 on stack. Convert to int32, pushing int32 on stack. Convert to int64, pushing int64 on stack. Convert to a native int (on the stack as native int) and throw an exception on overflow. Convert unsigned to a native int (on the stack as native int) and throw an exception on

conv.ovf.i

0x8A conv.ovf.i.un overflow. 0xB3 0x82 conv.ovf.i1 conv.ovf.i1.un

Convert to an int8 (on the stack as int32) and throw an exception on overflow. Convert unsigned to an int8 (on the stack as int32) and throw an exception on overflow.

0xB5

conv.ovf.i2

Convert to an int16 (on the stack as int32) and throw an exception on overflow.

0x83

conv.ovf.i2.un

Convert unsigned to an int16 (on the stack as int32) and throw an exception on overflow.

0xB7 0x84

conv.ovf.i4 conv.ovf.i4.un

Convert to an int32 (on the stack as int32) and throw an exception on overflow. Convert unsigned to an int32 (on the stack as int32) and throw an exception on overflow.

0xB9 0x85

conv.ovf.i8 conv.ovf.i8.un

Convert to an int64 (on the stack as int64) and throw an exception on overflow. Convert unsigned to an int64 (on the stack as int64) and throw an exception on overflow. Convert to a native unsigned int (on the stack as native int) and throw an exception on

0xD5 conv.ovf.u overflow. 0x8B conv.ovf.u.un on overflow. 0xB4 conv.ovf.u1

Convert unsigned to a native unsigned int (on the stack as native int) and throw an exception

Convert to an unsigned int8 (on the stack as int32) and throw an exception on overflow.

0x86 conv.ovf.u1.un overflow. 0xB6 conv.ovf.u2

Convert unsigned to an unsigned int8 (on the stack as int32) and throw an exception on

Convert to an unsigned int16 (on the stack as int32) and throw an exception on overflow.

0x87 conv.ovf.u2.un overflow. 0xB8 conv.ovf.u4

Convert unsigned to an unsigned int16 (on the stack as int32) and throw an exception on

Convert to an unsigned int32 (on the stack as int32) and throw an exception on overflow.

0x88 conv.ovf.u4.un overflow. 0xBA conv.ovf.u8

Convert unsigned to an unsigned int32 (on the stack as int32) and throw an exception on

Convert to an unsigned int64 (on the stack as int64) and throw an exception on overflow.

0x89 conv.ovf.u8.un overflow. 0x76 0x6B 0x6C 0xE0 0xD2 0xD1 0x6D 0x6E

Convert unsigned to an unsigned int64 (on the stack as int64) and throw an exception on

conv.r.un Convert unsigned integer to floating-point, pushing F on stack. conv.r4 Convert to float32, pushing F on stack. conv.r8 Convert to float64, pushing F on stack. conv.u Convert to native unsigned int, pushing native int on stack.

conv.u1 Convert to unsigned int8, pushing int32 on stack. conv.u2 Convert to unsigned int16, pushing int32 on stack. conv.u4 Convert to unsigned int32, pushing int32 on stack. conv.u8 Convert to unsigned int64, pushing int64 on stack. cpblk Copy data from memory to memory.

0xFE 0x17

0x70 0x5B 0x5C 0x25 0xDC

cpobj <typeTok> div div.un dup

Copy a value type from src to dest.

Divide two values to return a quotient or floating-point result. Divide two values, unsigned, returning a quotient. Duplicate the value on the top of the stack.

endfault End fault clause of an exception block. endfilter End an exception handling filter clause. End finally clause of an exception block.

0xFE 0X11 0xDC 0x4C

endfinally

idind.u8 Indirect load value of type unsigned int64 as int64 on the stack (alias for ldind.i8). initblk Set all bytes in a block of memory to a given byte value.

0xFE 0x18 0xFE 0x15 0x75 0x27

initobj <typeTok> Initialize the value at address dest. Test if obj is an instance of class, returning null or an instance of that class or interface. Exit current method and jump to the specified method. Load argument numbered num onto the stack.

isinst <class> jmp <method>

0xFE 0x09 0x02 0x03 0x04 0x05 0x0E ldarg.0 ldarg.1 ldarg.2 ldarg.3

ldarg <uint16 (num)>

Load argument 0 onto the stack. Load argument 1 onto the stack. Load argument 2 onto the stack. Load argument 3 onto the stack. Load argument numbered num onto the stack, short form. Fetch the address of argument argNum.

ldarg.s <uint8 (num)>

0xFE 0x0A 0x0F 0x20 0x16 0x17 0x18 0x19 0x1A 0x1B 0x1C 0x1D 0x1E 0x15

ldarga <uint16 (argNum)>

ldarga.s <uint8 (argNum)> ldc.i4 <int32 (num)> ldc.i4.0 ldc.i4.1 ldc.i4.2 ldc.i4.3 ldc.i4.4 ldc.i4.5 ldc.i4.6 ldc.i4.7 ldc.i4.8

Fetch the address of argument argNum, short form. Push num of type int32 onto the stack as int32.

Push 0 onto the stack as int32. Push 1 onto the stack as int32. Push 2 onto the stack as int32. Push 3 onto the stack as int32. Push 4 onto the stack as int32. Push 5 onto the stack as int32. Push 6 onto the stack as int32. Push 7 onto the stack as int32. Push 8 onto the stack as int32.

ldc.i4.m1 Push -1 onto the stack as int32.

0x15 0x1F 0x21 0x22 0x23 0xA3 0x97 0x90 0x92 0x94 0x96 0x98 0x99

ldc.i4.M1 Push -1 of type int32 onto the stack as int32 (alias for ldc.i4.m1). ldc.i4.s <int8 (num)> ldc.i8 <int64 (num)> ldc.r4 <float32 (num)> ldc.r8 <float64 (num)> Push num onto the stack as int32, short form. Push num of type int64 onto the stack as int64. Push num of type float32 onto the stack as F. Push num of type float64 onto the stack as F.

ldelem <typeTok> Load the element at index onto the top of the stack. ldelem.i Load the element with type native int at index onto the top of the stack as a native int. ldelem.i1 Load the element with type int8 at index onto the top of the stack as an int32. ldelem.i2 Load the element with type int16 at index onto the top of the stack as an int32. ldelem.i4 Load the element with type int32 at index onto the top of the stack as an int32. ldelem.i8 Load the element with type int64 at index onto the top of the stack as an int64. ldelem.r4 Load the element with type float32 at index onto the top of the stack as an F ldelem.r8 Load the element with type float64 at index onto the top of the stack as an F.

0x9A ldelem.ref Load the element at index onto the top of the stack as an O. The type of the O is the same as the element type of the array pushed on the CIL stack. 0x91 0x93 0x95 ldelem.u1 ldelem.u2 ldelem.u4 Load the element with type unsigned int8 at index onto the top of the stack as an int32. Load the element with type unsigned int16 at index onto the top of the stack as an int32. Load the element with type unsigned int32 at index onto the top of the stack as an int32. Load the element with type unsigned int64 at index onto the top of the stack as an int64 (alias

0x96 ldelem.u8 for ldelem.i8). 0x8F 0x7B 0x7C ldelema <class> ldfld <field> ldflda <field>

Load the address of element at index onto the top of the stack. Push the value of field of object (or value type) obj, onto the stack. Push the address of field of object obj on the stack. Push a pointer to a method referenced by method, on the stack.

0xFE 0x06 0x4D 0x46 0x48 0x4A 0x4C 0x4E 0x4F 0x50 ldind.i

ldftn <method>

Indirect load value of type native int as native int on the stack

ldind.i1 Indirect load value of type int8 as int32 on the stack. ldind.i2 Indirect load value of type int16 as int32 on the stack. ldind.i4 Indirect load value of type int32 as int32 on the stack. ldind.i8 Indirect load value of type int64 as int64 on the stack. ldind.r4 Indirect load value of type float32 as F on the stack. ldind.r8 Indirect load value of type float64 as F on the stack. ldind.ref Indirect load value of type object ref as O on the stack.

0x47 0x49 0x4B 0x8E

ldind.u1 Indirect load value of type unsigned int8 as int32 on the stack ldind.u2 Indirect load value of type unsigned int16 as int32 on the stack ldind.u4 Indirect load value of type unsigned int32 as int32 on the stack ldlen Push the length (of type native unsigned int) of array on the stack. ldloc <uint16 (indx)> Load local variable of index indx onto stack.

0xFE 0x0C 0x06 0x07 0x08 0x09 0x11 ldloc.0 ldloc.1 ldloc.2 ldloc.3

Load local variable 0 onto stack. Load local variable 1 onto stack. Load local variable 2 onto stack. Load local variable 3 onto stack. Load local variable of index indx onto stack, short form. Load address of local variable with index indx.

ldloc.s <uint8 (indx)>

0xFE 0x0D 0x12 0x14 0x71 0x7E 0x7F 0x72 0xD0

ldloca <uint16 (indx)>

ldloca.s <uint8 (indx)> ldnull

Load address of local variable with index indx, short form.

Push a null reference on the stack. Copy the value stored at address src to the stack. Push the value of field on the stack. Push the address of the static field, field, on the stack. Push a string object for the literal string. Convert metadata token to its runtime representation.

ldobj <typeTok> ldsfld <field> ldsflda <field> ldstr <string> ldtoken <token>

0xFE 0x07 0xDD 0xDE

ldvirtftn <method> Push address of virtual method method on the stack. Exit a protected region of code. Exit a protected region of code, short form.

leave <int32 (target)> leave.s <int8 (target)>

0xFE 0x0F 0xC6 0x5A 0xD8 0xD9 0x65 0x8D 0x73

localloc Allocate space from the local memory pool.

mkrefany <class> Push a typed reference to ptr of type class onto the stack. mul Multiply values.

mul.ovf Multiply signed integer values. Signed result shall fit in same size mul.ovf.un neg Multiply unsigned integer values. Unsigned result shall fit in same size

Negate value. Create a new array with elements of type etype. Allocate an uninitialized object or value type and call ctor.

newarr <etype> newobj <ctor>

0xFE 0x19 no. { typecheck, rangecheck, nullcheck } The specified fault check(s) normally performed as part of the execution of the subsequent instruction can/shall be skipped. Prefix to instruction

0x00 0x66 0x60 0x26

nop not or pop

Do nothing. Bitwise complement. Bitwise OR of two integer values, returns an integer. Pop value from the stack.

0xFE 0x1E readonly. Specify that the subsequent array address operation performs no type check at runtime, and that it returns a controlled-mutability managed pointer Prefix to instruction 0xFE 0x1D 0xC2 0x5D 0x5E 0x2A refanytype Push the type token stored in a typed reference.

refanyval <type> rem

Push the address stored in a typed reference.

Remainder when dividing one value by another.

rem.un Remainder when dividing one unsigned value by another. ret Return from method, possibly with a value. rethrow Rethrow the current exception. Shift an integer left (shifting in zeros), return an integer. Shift an integer right (shift in sign), return an integer. Shift an integer right (shift in zero), return an integer. sizeof <typeTok> Push the size, in bytes, of a type as an unsigned int32. Store value to the argument numbered num.

0xFE 0x1A 0x62 0x63 0x64 shl shr shr.un

0xFE 0x1C 0xFE 0x0B 0x10 0xA4 0x9B 0x9C 0x9D 0x9E 0x9F 0xA0 0xA1 0xA2 0x7D 0xDF 0x52 0x53

starg <uint16 (num)>

starg.s <uint8 (num)>

Store value to the argument numbered num, short form.

stelem <typeTok> Replace array element at index with the value on the stack stelem.i Replace array element at index with the i value on the stack. stelem.i1 Replace array element at index with the int8 value on the stack. stelem.i2 Replace array element at index with the int16 value on the stack. stelem.i4 Replace array element at index with the int32 value on the stack. stelem.i8 Replace array element at index with the int64 value on the stack. stelem.r4 Replace array element at index with the float32 value on the stack. stelem.r8 Replace array element at index with the float64 value on the stack. stelem.ref stfld <field> stind.i Replace array element at index with the ref value on the stack. Replace the value of field of the object obj with value.

Store value of type native int into memory at address

stind.i1 Store value of type int8 into memory at address stind.i2 Store value of type int16 into memory at address

0x54 0x55 0x56 0x57 0x51

stind.i4 Store value of type int32 into memory at address stind.i8 Store value of type int64 into memory at address stind.r4 Store value of type float32 into memory at address stind.r8 Store value of type float64 into memory at address stind.ref Store value of type object ref (type O) into memory at address stloc <uint16 (indx)> Pop a value from stack into local variable indx.

0xFE 0x0E 0x0A 0x0B 0x0C 0x0D 0x13 0x81 0x80 0x59 0xDA 0xDB stloc.0 stloc.1 stloc.2 stloc.3

Pop a value from stack into local variable 0. Pop a value from stack into local variable 1. Pop a value from stack into local variable 2. Pop a value from stack into local variable 3. Pop a value from stack into local variable indx, short form.

stloc.s <uint8 (indx)> stobj <typeTok> stsfld <field> sub

Store a value of type typeTok at an address. Replace the value of field with val.

Subtract value2 from value1, returning a new value.

sub.ovf Subtract native int from a native int. Signed result shall fit in same size sub.ovf.un Subtract native unsigned int from a native unsigned int. Unsigned result shall fit in same size.

0x45

switch <uint32, int32,int32 (t1..tN)> tail.

Jump to one of n values. Prefix to instruction

0xFE 0x14 0x7A throw

Subsequent call terminates current method

Throw an exception. unaligned. (alignment) Subsequent pointer instruction might be unaligned. Prefix to

0xFE 0x12 instruction 0x79 0xA5

unbox <valuetype> Extract a value-type from obj, its boxed representation. unbox.any <typeTok> Extract a value-type from obj, its boxed representation Prefix to instruction

0xFE 0x13 0x61 xor

volatile. Subsequent pointer reference is volatile. Bitwise XOR of integer values, returns an integer.