Running Homebrew Native Executables - Status: DONE!!

By Heathcliff74, Inactive Recognized Developer on 6th June 2011, 08:16 PM
14th June 2011, 12:50 PM |#21  
fiinix, Retired Recognized Developer
Starting today's hacking, shall we?

Going through some research I've found pretty fast.
MSDN > Security Loader

"
LVMOD uses the following criteria to determine whether to run an application:

* Any module loaded from read-only memory (ROM) can run.
* Any module that is digitally signed with a certificate from the device certificate store can run. For more information about digital signing with a certificate, see Signing Binaries.
* Any module that does not meet these criteria cannot run.
"

Microsoft's new retarded function:
MSDN > LoaderVerifierAuthorize
MSDN > LoaderVerifierAuthenticateFile

guidAuthClass: MSDN > LV_AUTHENTICATIONGUID_

Code:
HRESULT LoaderVerifierAuthorize(
    __in HANDLE                  hslauthnFile,
    __out LV_AUTHORIZATION*      pslauthz
);

HRESULT LoaderVerifierAuthenticateFile(
    __in const GUID*        guidAuthClass,
    __in_opt HANDLE         hFile,
    __in LPCWSTR            szFilePath,
    __in_opt LPCWSTR        szHashHint,
    __in HANDLE             hReserved,
    __out LPHANDLE          phslauthnFile
);
How it calls our exe to check it:

Code:
BOOL success = LoaderVerifierAuthenticateFile(
    LV_AUTHENTICATIONGUID_PORTABLEEXECUTABLE,
    fopen("\\Windows\\ExeX.exe"), // file handle IO
    "\\Windows\\ExeX.exe",
    LoaderVerifierGetHash( ... ), // unknown if called OR NULL
    NULL,
    &OUT_authInfo);


BOOL success2 = LoaderVerifierAuthorize(
    OUT_authInfo, //from the function above; chained call.
    &OUT_auth
);
If second call "LoaderVerifierAuthorize" fails (return value = 0):

INT code = GetLastError();
Code:
LV_E_BLOCKED
The file is blocked by security policy.
LV_E_NO_SIGNATURE
The file is not digitally signed by trusted authorities.
LV_E_TAMPERED
The module has been tampered with.
LV_E_CERTIFICATE_EXPIRED
The signing certificate or one of the certificates in the trust chain is expired.
LV_E_CERTIFICATE_NOT_TRUSTED
The signing certificate or one of the certificates in the trust chain is not trusted.
LV_E_CERTIFICATE_USAGE_VIOLATION
The signing certificate or one of the certificates in the trust chain violated its usage constraint.
LV_E_RESTRICTED_TO_LAUNCH
The security policy restricted the file to launches from only one specific chamber.
14th June 2011, 01:20 PM |#22  
Heathcliff74, OP, Inactive Recognized Developer
Heeyy,

Very nice info. Have you tried to call these functions? Are you allowed to call them from your Silverlight app in LPC? We really got to disassemble these functions!

Heathcliff74
14th June 2011, 01:27 PM |#23  
fiinix, Retired Recognized Developer
Quote:
Originally Posted by Heathcliff74

Heeyy,

Very nice info. Have you tried to call these functions? Are you allowed to call them from your Silverlight app in LPC? We really got to disassemble these functions!

Heathcliff74

Nope, haven't called them, but I can certainly say they are access denied, since these functions really need to be protected.

Currently searching for "un-protected" exes (like this new one: TestShow.exe)
It HAS a compass Int32 value displayed, but that's an exe so we need to disassemble that one.
14th June 2011, 01:37 PM |#24  
Heathcliff74, OP, Inactive Recognized Developer
Quote:
Originally Posted by fiinix

Nope, haven't called them, but I can certainly say they are access denied, since these functions really need to be protected.

Currently searching for "un-protected" exes (like this new one: TestShow.exe)
It HAS a compass Int32 value displayed, but that's an exe so we need to disassemble that one.

Are we talking about the same thing?

I meant, have you tried to call the functions LoaderVerifierAuthorize() and LoaderVerifierAuthenticateFile() with your homebrew exe?? And did you get an error code that specifies why it is not allowed? Or does it possibly return 0x800704ec again, meaning that we cannot verify the executables from our LPC at all? I should try these functions with my own cert added to the "Code Integrity" store. See if that makes any difference.
14th June 2011, 01:52 PM |#25  
fiinix, Retired Recognized Developer
Quote:
Originally Posted by Heathcliff74

Are we talking about the same thing?

I meant, have you tried to call the functions LoaderVerifierAuthorize() and LoaderVerifierAuthenticateFile() with your homebrew exe?? And did you get an error code that specifies why it is not allowed? Or does it possibly return 0x800704ec again, meaning that we cannot verify the executables from our LPC at all? I should try these functions with my own cert added to the "Code Integrity" store. See if that makes any difference.

Yes, we are talking about the same thing.

... I can't run the exe yet (damn you MS). Closing up it feels like.
Trying to move certificates in registry seeing if the cert must be placed at a certain spot (like "Code Integrity" that I'm querying right now if Samsung's certs are placed there).
Anyways, I'm working on it

edit:

Queried "Code integrity":
Code:
<wap-provisioningdoc>
    <characteristic type="Registry">
        <characteristic type="HKLM\Comm\Security\SystemCertificates\Code Integrity\Certificates">
            <characteristic type="DF23D303099CEA31D0972CE7BE50888CE813BC98">
                <parm name="Blob" value="[certificate blob omitted]" datatype="binary"/>
            </characteristic>
            <characteristic type="5D7B0B2BFB11333939314503BA1814E5F1E12797">
                <parm name="Blob" value="[certificate blob omitted]" datatype="binary"/>
            </characteristic>
            <characteristic type="069DBCCA9590D1B5ED7C73DE65795348E58D4AE3">
                <parm name="Blob" value="[certificate blob omitted]" datatype="binary"/>
            </characteristic>
            <characteristic type="91B318116F8897D2860733FDF757B93345373574">
                <parm name="Blob" value="[certificate blob omitted]" datatype="binary"/>
            </characteristic>
            <characteristic type="1C8229F5C8D6E256BDCB427CC5521EC2F8FF011A">
                <parm name="Blob" value="[certificate blob omitted]" datatype="binary"/>
            </characteristic>
            <characteristic type="88BCAEC267EF8B366C6E6215AC4028E7A1BE2DEB">
                <parm name="Blob" value="[certificate blob omitted]" datatype="binary"/>
            </characteristic>
            <characteristic type="CED778D7BB4CB41D26C40328CC9C0397926B4EEA">
                <parm name="Blob" value="[certificate blob omitted]" datatype="binary"/>
            </characteristic>
        </characteristic>
    </characteristic>
</wap-provisioningdoc>
Ehh? What is this one doing there "MyTokenSigning0" (your certificate, and how did it get there?) haha.


Certificates in "CI" (Base64 decoded):
(0): unk, not readable text (maker, name, etc) edit: lol it was my certificate: XDAA_0, how did it come here?
(1) Yours lol.
(2) Microsoft1.0,U%Microsoft Windows Mobile Applications1503U,VeriSign Mobile Root Authority for Microsoft
(3) microsoft1-0+U$Microsoft Root Certificate Authority0 Washington10URedmond10U
Microsoft Corporation1(0&UMicrosoft Mobile Device VSD PCA0�"0
(4) Microsoft Corporation110/U(Microsoft Mobile Device Unprivileged PCA0�"0 microsoft1-0+U$Microsoft Root Certificate Authority0
(5) HA! here it is: Microsoft Corporation1(0&UMicrosoft Mobile Device TCB PCA0�"0
(6) Microsoft Corporation1/0-U&Microsoft Mobile Device Privileged PCA0�"0
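The by-hand check in the post above (dump the "Code Integrity" store, base64-decode each blob, read the names) can be automated as a comparison against a known-good baseline, which is how a device owner or vendor would notice a signing certificate that was added later. This is an added example, not code from the thread; the thumbprints, blob contents and baseline are constructed, and nothing is assumed about the blob layout beyond it containing readable name strings.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Registry key taken from the dump in the post above.
STORE_KEY = r"HKLM\Comm\Security\SystemCertificates\Code Integrity\Certificates"
THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")   # entry name: SHA-1 thumbprint in hex
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")  # readable runs inside a binary blob


def parse_store_dump(xml_text):
    """Return {entry_name: blob_bytes or None} for each certificate in the dump."""
    root = ET.fromstring(xml_text)
    entries = {}
    for key in root.iter("characteristic"):
        if key.get("type") != STORE_KEY:
            continue
        for cert in key.findall("characteristic"):
            parm = cert.find("parm[@name='Blob']")
            try:
                blob = base64.b64decode(parm.get("value", ""), validate=True)
            except (AttributeError, binascii.Error):
                blob = None  # Blob parameter missing or not valid base64
            entries[cert.get("type", "").upper()] = blob
    return entries


def audit_store(xml_text, baseline):
    """Compare the dumped store against a set of known-good thumbprints."""
    entries = parse_store_dump(xml_text)
    report = {"unexpected": {}, "missing": sorted(baseline - set(entries)),
              "malformed": []}
    for name, blob in sorted(entries.items()):
        if not THUMBPRINT_RE.match(name) or blob is None:
            report["malformed"].append(name)
        if name not in baseline:
            # Readable strings give the reviewer a hint about issuer/subject.
            hints = [m.decode("ascii") for m in PRINTABLE_RE.findall(blob or b"")]
            report["unexpected"][name] = hints
    return report


def make_blob(text):
    """Constructed stand-in for a certificate blob: binary bytes around a name."""
    return base64.b64encode(b"\x30\x82\x01\x0a" + text.encode() + b"\x00\x01").decode()


# Constructed sample dump: one baseline entry plus one entry added later.
SAMPLE_DUMP = f"""<wap-provisioningdoc>
  <characteristic type="Registry">
    <characteristic type="{STORE_KEY}">
      <characteristic type="{'A' * 40}">
        <parm name="Blob" value="{make_blob('Example Device Root CA')}" datatype="binary"/>
      </characteristic>
      <characteristic type="{'C' * 40}">
        <parm name="Blob" value="{make_blob('Example Test Signing')}" datatype="binary"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# Constructed baseline, e.g. recorded from a factory image.
BASELINE = {"A" * 40, "B" * 40}

if __name__ == "__main__":
    for section, value in audit_store(SAMPLE_DUMP, BASELINE).items():
        print(section, value)
```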
14th June 2011, 02:04 PM |#26  
Heathcliff74, OP, Inactive Recognized Developer
Quote:
Originally Posted by fiinix

Yes, we are talking about the same thing.

...

Ehh? What is this one doing there "MyTokenSigning0" (your certificate, and how did it get there?) haha.

I'll PM you.
14th June 2011, 04:43 PM |#27  
CopyCounsler, Member
The juice to get loose is protected by a private message?! LOL

This is the most interesting and thought provoking thread I've read in some time. Keep up the great work everyone and I'm so glad fiinix dropped in to help heathcliff out here.

I'd say they are 2 of the 5 best wm7 users on here. We need to open up a thanks thread just for these few people who are pioneering the homebrew scene.

Thank you.
14th June 2011, 10:06 PM |#28  
fiinix, Retired Recognized Developer
Quote:
Originally Posted by blindpet

I agree with CopyCounsler, I check this thread multiple times a day.

My only current concern is posting the code you guys are trying to execute and that MS might do something to counteract it. If I were you I'd stick to code posting via PM so your hard work isn't in vain!

Good luck!

That was ~ of what I have been thinking, if we now succeed hacking it, running exe.
What if "code posting via PM" is a Microsoft guy, right? Then he gets the source (obfuscated, but still traceable).
What if someone here on xda leaks the xap, then it's all over. sigh...

Now, everybody wants that awesome code, right, but if he is a "noob" (sry, don't take it against yourself if you are one, nobody wants to be a noob), I'll directly in mind, point that person as "dangerous leak" because it could be a Microsoft guy only hunting for the source code. Then again, it would be unfair if only "older" members could get it. Then once again, what if there was an "older" Microsoft member guy. sigh....

Then I'll just stay with nodo (because then they can't patch it lololol).
Or I'll release it after Mango if we get this working.
14th June 2011, 10:22 PM |#29  
Heathcliff74, OP, Inactive Recognized Developer
Quote:
Originally Posted by blindpet

I agree with CopyCounsler, I check this thread multiple times a day.

My only current concern is posting the code you guys are trying to execute and that MS might do something to counteract it. If I were you I'd stick to code posting via PM so your hard work isn't in vain!

Good luck!

LOL! You wouldn't believe how many PMs I got from people asking for source code (related to this thread, WP7 Root Tools, NoDo unlocking etc). If I would print it out I could paper my wall with it. Anyway, I got a real shitload of exploits at the moment. Most of them are not very useful. Others are extremely useful or have the potential to be very useful. I open up these threads to attract people that can explore the possibilities. And if I'm confident enough that someone can really contribute to the homebrew/exploit thing, I'll share that over PM. And the most important stuff is being discussed in PM already. But until now that has only been a handful of people that I'm confident I can share this stuff with. So don't worry. I'll keep the important stuff away from the Microsofties.
15th June 2011, 03:41 PM |#30  
fiinix, Retired Recognized Developer
Dump-time!
edit: Added ".c" source code file in attachment.

So, I had this de-compiled "PolicyLoader.exe" (\Windows), and now when I opened it in Notepad once again I detected this (call arguments help aka ".exe /?")

Oh, Microsofties, you did not see this one coming, did you.
Modify policy rights.

System: S-1-5-112-0-0X00
My idea:
LEAST_PRIVILEGE_CHAMBER_GROUP_NAME: S-1-5-112-0-0X80
Modify to:
LEAST_PRIVILEGE_CHAMBER_GROUP_NAME S-1-5-112-0-0X00

=> <Macro Id="SYSTEM_CHAMBER_GROUP_NAME" Description="TCB Chamber Group" Value="S-1-5-112-0-0X00" />

RAW:
info: sub_15339 is "printf"

Code:
  sub_15339(1, &dword_1103C);
  sub_1539C(1, (int)L"%s:", (unsigned int)L"PolicyLoader.exe");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  Tool for reading and writing CE Policy and Account databases.");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"Syntax:");
  sub_15339(1, &dword_1103C);
  sub_1539C(1, (int)L"  %s <flags> @<response file name> <XML policy file names...>", (unsigned int)L"PolicyLoader.exe");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  Flags begin with '/' or '-'. Specify the '@' character followed by a file");
  sub_15339(1, L"  name to read additional parameters from the specified response file. Any");
  sub_15339(1, L"  parameter that does not begin with '/', '-', or '@' is treated as the name of");
  sub_15339(1, L"  an XML policy file that should be loaded.");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  Values for flags are specified as -flag=value or -flag:value. Quotes may be");
  sub_15339(1, L"  used if the value contains spaces, e.g. -flag=\"value with spaces\".");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"Sequence of operation:");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  - Load any XML policy files specified.");
  sub_15339(1, L"  - Merge the XML files.");
  sub_15339(1, L"  - Optionally write a merged XML policy file. (Enabled by default.)");
  sub_15339(1, L"  - Optionally add the loaded data to the Policy and Account databases.");
  sub_15339(1, L"    (Enabled by default.)");
  sub_15339(1, L"  - Optionally load all data from the Policy and Account databases and dump");
  sub_15339(1, L"    the data to an XML policy file. (Disabled by default.)");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"Flags:");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -verbosity=Verbosity (abbreviation: -v)");
  sub_1539C(1, (int)L"   Specifies the detail of logging. Valid values are between %u and %u. Set -v=%u", 1);
  sub_1539C(1, (int)L"   to only display errors, -v=%u to display errors and warnings, -v=%u to include", 2);
  sub_1539C(1, (int)L"   informational status messages, -v=%u for verbose status, and -v=%u for", 4);
  sub_1539C(1, (int)L"   additional debug output. Default is -v=%u.", 3);
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -output=Devices (abbreviation: -o)");
  sub_1539C(1, (int)L"   Specifies the output device(s) for logging. Valid values are between %u and", 1);
  sub_1539C(1, (int)L"   %u. Set -o=%u to log to the standard output stream, -o=%u to log to the debug", 3);
  sub_1539C(1, (int)L"   stream, and -o=%u to log to both. Default is -o=%u.", 3);
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -merged=FileName (abbreviation: -mer)");
  sub_15339(1, L"   Specifies the name of the Merged policy XML file to be written. Default is");
  sub_1539C(1, (int)L"   \"%s\".", (unsigned int)L"PolicyMerged.xml");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -nowritemerged (abbreviation: -nme)");
  sub_15339(1, L"   Specifies that the Merged policy XML file should not be written. Default is");
  sub_15339(1, L"   to write the Merged policy XML file.");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -expandmacros (abbreviation: -exp)");
  sub_15339(1, L"   Specifies that macro references should be expanded when writing the Merged");
  sub_15339(1, L"   policy XML file. Default is to not expand macros. Note that if macros are to");
  sub_15339(1, L"   be expanded, all referenced macros must be defined in one of the loaded XML");
  sub_15339(1, L"   policy files.");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -canonicalize (abbreviation: -can)");
  sub_15339(1, L"   Specifies that all identifiers should be canonicalized when writing the");
  sub_15339(1, L"   Merged policy XML file. Default is to not canonicalize. Note that if");
  sub_15339(1, L"   canonicalization is enabled, macros will always be expanded.");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -adb=FileName");
  sub_15339(1, L"   Specifies the name to display for the Account database file in diagnostic");
  sub_1539C(
    1,
    (int)L"   messages. Default is \"%s\". (Note that regardless of the file ",
    (unsigned int)L"cesecurity.vol");
  sub_15339(1, L"   name given here, the device's built-in Account database will be used.)");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -pdb=FileName");
  sub_15339(1, L"   Specifies the name to display for the Policy database file in diagnostic");
  sub_1539C(1, (int)L"   messages. Default is \"%s\". (Note that regardless of the file ", (unsigned int)L"policy.vol");
  sub_15339(1, L"   name given here, the device's built-in Policy database will be used.)");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -mdb=FileName");
  sub_1539C(
    1,
    (int)L"   Specifies the name of the Metadata XML file. Default is \"%s\".",
    (unsigned int)L"PolicyMeta.xml");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -nowritedb (abbreviation: -ndb)");
  sub_15339(1, L"   Specifies that the loaded data should not be added to the Account database,");
  sub_15339(1, L"   Policy database, and Metadata XML file. Default is to add the data.");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -dbdump=FileName (abbreviation: -dmp)");
  sub_15339(1, L"   Specifies the name of the XML policy file to which all data should be");
  sub_1539C(1, (int)L"   dumped. Default is \"%s\".", (unsigned int)L"PolicyDump.xml");
  sub_15339(1, &dword_1103C);
  sub_15339(1, L"  -writedump (abbreviation: -wdmp)");
  sub_15339(1, L"   Specifies that all data from the Account database, Policy database, and");
  sub_15339(1, L"   Metadata XML file should be loaded, merged, and dumped to an XML policy");
  sub_15339(1, L"   file. Default is to not dump the data.");
  sub_15339(1, &dword_1103C);
  return sub_15BEE();
__

Humanized:
I cannot guarantee that the "int" values are "printf" corrected.
Code:
  PolicyLoader.exe

  Tool for reading and writing CE Policy and Account databases.

Syntax:

    PolicyLoader.exe <flags> @<response file name> <XML policy file names...>

  Flags begin with '/' or '-'. Specify the '@' character followed by a file
  name to read additional parameters from the specified response file. Any
  parameter that does not begin with '/', '-', or '@' is treated as the name of
  an XML policy file that should be loaded.

  Values for flags are specified as -flag=value or -flag:value. Quotes may be used if the value contains spaces, e.g. -flag="value with spaces".

Sequence of operation:

  - Load any XML policy files specified.
  - Merge the XML files.
  - Optionally write a merged XML policy file. (Enabled by default.)
  - Optionally add the loaded data to the Policy and Account databases.(Enabled by default.)
  - Optionally load all data from the Policy and Account databases and dump the data to an XML policy file. (Disabled by default.)

Flags:

  -verbosity=Verbosity (abbreviation: -v)
     Specifies the detail of logging. Valid values are between 1 and 4. Set -v=1 to only display errors, -v=2 to display errors and warnings, -v=2 to include informational status messages, -v=4 for verbose status, and -v=4 for additional debug output. Default is -v=3.

  -output=Devices (abbreviation: -o)
     Specifies the output device(s) for logging. Valid values are between 1 and 3. 
     Set -o=1 to log to the standard output stream, -o=3 to log to the debug stream, and -o=2 to log to both. Default is -o=3.

  -merged=FileName (abbreviation: -mer)
   Specifies the name of the Merged policy XML file to be written. Default is PolicyMerged.xml

  -nowritemerged (abbreviation: -nme)
   Specifies that the Merged policy XML file should not be written. Default is to write the Merged policy XML file.

  -expandmacros (abbreviation: -exp)
   Specifies that macro references should be expanded when writing the Merged policy XML file. Default is to not expand macros. Note that if macros are to be expanded, all referenced macros must be defined in one of the loaded XML policy files.

  -canonicalize (abbreviation: -can)
   Specifies that all identifiers should be canonicalized when writing the Merged policy XML file. Default is to not canonicalize. Note that if canonicalization is enabled, macros will always be expanded.

  -adb=FileName
   Specifies the name to display for the Account database file in diagnostic messages. Default is "cesecurity.vol". (Note that regardless of the file name given here, the device's built-in Account database will be used.)

  -pdb=FileName
   Specifies the name to display for the Policy database file in diagnostic messages. Default is "policy.vol". (Note that regardless of the file name given here, the device's built-in Policy database will be used.)

  -mdb=FileName
   Specifies the name of the Metadata XML file. Default is "PolicyMeta.xml".

  -nowritedb (abbreviation: -ndb)
   Specifies that the loaded data should not be added to the Account database, Policy database, and Metadata XML file. Default is to add the data.

  -dbdump=FileName (abbreviation: -dmp)
   Specifies the name of the XML policy file to which all data should be dumped. Default is "PolicyDump.xml".

  -writedump (abbreviation: -wdmp)
   Specifies that all data from the Account database, Policy database, and Metadata XML file should be loaded, merged, and dumped to an XML policy file. Default is to not dump the data.

  return sub_15BEE();
We can't modify it unless we are system, so using leaked ROOT DLLs is still blocked from accessing the file. That's where PolicyLoader.exe etc. comes in.
Code:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/FILESYS/PRIMARY/WINDOWS/SECURITY/POLICYDB.VOL" SpeakerAccountId="S-1-5-112-0-0-1" Description="Protect the policy DB from everyone but the system">
    <Stop>
        <Match AccountId="S-1-5-112-0-0XFF" />
    </Stop>
</Rule>
Attached Files: PolicyLoader.zip (15.0 KB)
15th June 2011, 04:04 PM |#31  
Heathcliff74, OP, Inactive Recognized Developer
Hmm.. Two things:

1. It doesn't seem that there are any policies about the PolicyLoader.exe itself. That would probably mean that it is subject to standard rights and that we should be able to run it with our exploit, which uses elevated rights.

2. Be very careful with the change you proposed: LEAST_PRIVILEGE_CHAMBER_GROUP_NAME S-1-5-112-0-0X00. This can also be used for "Blahblahblah is allowed by LEAST_PRIVILEGE_CHAMBER_GROUP_NAME". But since you still run under S-1-5-112-0-0X80, you lock yourself out of the system!!! You suddenly don't have access to anything that is normally accessible to LPC!

So I think this could be a very good find, but try to use it in a different way than you proposed. Read the opening post again plz. This might be the missing link for us.

Ciao,
Heathcliff74
Tags
executable, homebrew, mango, native, wp7