
[Q] Hacking Windows RT to Run Desktop Apps?

OP revxx14

7th January 2013, 12:04 PM   |  #221  
Recognized Developer
Flag Denver
Quote:
Originally Posted by samco08

cool !
Do you think that Microsoft can patch your exploit ?
You think we should stop Surface Update until you provide us a tool or something like that ?
I dont know if you foresee to do that
@+

They could, but since we can reinstall the OS from the recovery partition and there'll always be a copy of the unpatched recovery partition around we can revert any patches they throw out.

They could also ban MS accounts for doing this, though I don't expect them to do that.
7th January 2013, 01:03 PM   |  #222  
Recognized Developer
Hmm, seems that there is already a working and very easy method that allows running unsigned apps on RT:
http://younsi.blogspot.ru/2012/10/no...dows-8-rt.html
Just create UMCIAuditMode=1 in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CI" and reboot.

Can someone confirm that it works? As far as I see - this really should work, as this sets in ci.dll the g_CiOptions|=0x40, that later sets g_CiDeveloperMode=6, which should allow unsigned apps in the dir specified in the "HKLM\System\CurrentControlSet\Control\CI\TRSData" "TestPath" key (see this post: http://forum.xda-developers.com/show...5&postcount=10).

So all greetings for finding a working and easy "desktop-unlocking" method should go to Thomas Younsi.

Edited:
As far as I see - this effectively turns on the "CI Audit" mode, that does not block unsigned apps from running, but just logs them. So adding a path to the "TestPath" should not be necessary.
And yes, this can be blocked by MS in later updates. But I really don't think that they would do that soon (or ever).
Last edited by mamaich; 7th January 2013 at 01:15 PM.
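As an added, defender-side check (not code from this thread or from any of its posters), the following PowerShell reads the two registry locations named in the post above and reports whether either value is present. The key paths and value names (UMCIAuditMode under Control\CI, TestPath under Control\CI\TRSData) are the ones quoted in the post; whether ci.dll on a given build actually honours them is exactly what the thread is trying to establish, so the script only reports what is set and makes no claim about enforcement. It is read-only and needs nothing beyond the registry provider.

```powershell
# Added example, not from the thread: enumerate the Code Integrity registry
# values discussed above and flag any that are present. Read-only.
# Assumption: on a stock install neither value exists, so any hit is worth
# a look (or a ticket) from whoever owns the device.

$ciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'
$trsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\TRSData'

function Get-RegValueOrNull {
    # Return a named value from a key, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    if ($props.PSObject.Properties.Name -contains $Name) { return $props.$Name }
    return $null
}

function Get-CiAuditSettings {
    # Collect the two values the post says ci.dll consults.
    [pscustomobject]@{
        UMCIAuditMode = Get-RegValueOrNull -Path $ciKey  -Name 'UMCIAuditMode'
        TestPath      = Get-RegValueOrNull -Path $trsKey -Name 'TestPath'
    }
}

function Test-CiTampering {
    # Turn the collected settings into human-readable findings.
    param([pscustomobject]$Settings)
    $findings = @()
    if ($Settings.UMCIAuditMode -eq 1) {
        $findings += 'UMCIAuditMode=1 is set under Control\CI (the UMCI audit-mode toggle from the post)'
    }
    if ($Settings.TestPath) {
        $findings += "TRSData\TestPath is set to '$($Settings.TestPath)'"
    }
    return $findings
}

$settings = Get-CiAuditSettings
$findings = @(Test-CiTampering -Settings $settings)
if ($findings.Count -eq 0) {
    Write-Output 'No CI audit-mode values present under Control\CI.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated PowerShell prompt so the CI key is readable; on a machine where someone has tried the registry trick, the UMCIAuditMode finding is the one to act on, and the TestPath finding tells you which directory they intended to exempt.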
7th January 2013, 01:18 PM   |  #223  
Member
@mamaich:
I can confirm that it doesn't work. That would have been a nice way to do it though, very easy and scriptable.
7th January 2013, 01:24 PM   |  #224  
Recognized Developer
But strange - I've decompiled ci.dll from a device dump and see that it checks those registry keys. But this is THUMB, so I may have overlooked something.
7th January 2013, 01:25 PM   |  #225  
Recognized Developer
Flag Denver
Nesting VNC windows is fun.

(Also, yes, I misspelled the name on my tablet.)
The main issue I had with recompiling, other than the libs, was the SxS manifests. I couldn't get them to work, so I just disabled them. Also, TightVNC has /machine:x86 set statically a few times in their configs, though that was easy enough to fix.
Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.
Attached Files:
TightVNC_ARM.zip (949.4 KB)
putty_arm.zip (296.3 KB)
Last edited by netham45; 7th January 2013 at 01:43 PM.
7th January 2013, 02:06 PM   |  #226  
Senior Member
I can't confirm it, none of your apps work,

"windows cannot verify the digital signature ..."
7th January 2013, 02:07 PM   |  #227  
Recognized Developer
Flag Denver
Quote:
Originally Posted by rheza02

I can't confirm it, none of your apps work,

"windows cannot verify the digital signature ..."

Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.

Edit: Unless you were responding to mamaich, in which case ignore me.
7th January 2013, 02:15 PM   |  #228  
Member
Flag wuhan
Quote:
Originally Posted by netham45

Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.

Edit: Unless you were responding to mamaich, in which case ignore me.

1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.


3) When I run armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}

Can you please share your source code? I'm not familiar with ARM assembly.
7th January 2013, 02:17 PM   |  #229  
Senior Recognized Developer
Quote:
Originally Posted by Dewinter

1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.


3) When I run armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}

Can you please share your source code? I'm not familiar with ARM assembly.

You need to indent all opcodes.
7th January 2013, 02:18 PM   |  #230  
Member
Flag Oxford
Quote:
Originally Posted by netham45

Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.

What problems did you have with winspool? Only issue I had (couldn't find it at runtime) was resolved by putting a copy of it named winspool.dll in PuTTY's working directory.
Last edited by peterdn; 7th January 2013 at 02:24 PM.