The encrypted XAPs use AESCTR, PlayReady. The first 32 bytes are a header, the last two dwords are a length, the first half (big-endian) is the 'payload' (actual app (+ more?)) and the second half is always -8 bytes. Then comes the 'mal'-formed XML containing PlayReady definitions etc., including base64-encoded key IDs etc.

I'd like to see someone on custom ROM P7 Wireshark their network while using a MITM attack (SSL obviously) using an SSL cert accepted as root CA in the phone to see if we can dump any plaintext DRM keys per app; maybe a solid method can be made. For now, not sure. I've been working on it. Key lengths are 16 bytes. I can brute 12 bytes in one month but 16 would take a lot longer. You could also install a custom ROM with wdmc on the phone and copy the entire folders off, restructured a little though, unpacked. Hope this helps someone else.

All based on PlayReady DRM bs. Smooth Streaming in IIS can support PR too for instance (WRMHEADER aka PlayReady headers):

smoothstreaming-playready-key-id: GUIDSTRIPPED
smoothstreaming-playready-license-url: http://websitestripped/pr.aspx
smoothstreaming-playready-content-key: BASE64EncodedKEY
smoothstreaming-playready-checksum: BASE64EncodedChecksum
smoothstreaming-playready-algorithm: AESCTR
smoothstreaming-playready-key-id: This is the key ID for this asset.
smoothstreaming-playready-license-url: This is the license URL that is used by the player to authenticate the player and retrieve the decryption key needed for playback.
smoothstreaming-playready-content-key: This is the actual content encryption key (128-bit key) Base64 encoded.
smoothstreaming-playready-checksum: This is a special checksum of the key ID that is needed to authenticate the player.
smoothstreaming-playready-algorithm: This is the encryption algorithm. The most common value is AESCTR.
Ref: [How-to-secure-smooth-streaming-using-PlayReady-DRM-(Silverlight)]
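
An added example, not part of the original post: a Python lint for the metadata fields listed above, which reports a key ID that is not a GUID, a content key that is not 16 bytes or is sitting in clear in the metadata, an algorithm other than AESCTR, and a license URL that is not HTTPS. The function names are hypothetical, the sample values and host name are constructed, and the HTTPS requirement is this checker's own policy, not something the post states.

```python
import base64
import uuid
from urllib.parse import urlparse

PREFIX = "smoothstreaming-playready-"

# Constructed sample metadata (not real keys or hosts); the license URL is
# deliberately wrapped onto its own line to exercise the continuation case.
SAMPLE = (
    "smoothstreaming-playready-key-id: 01234567-89ab-cdef-0123-456789abcdef\n"
    "smoothstreaming-playready-license-url:\n"
    "http://license.example.invalid/pr.aspx\n"
    "smoothstreaming-playready-content-key: "
    + base64.b64encode(bytes(range(16))).decode() + "\n"
    "smoothstreaming-playready-algorithm: AESCTR\n"
)

def parse_metadata(text):
    """Parse 'name: value' lines; a value may be wrapped onto the next line."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(PREFIX) and ":" in line:
            name, value = line[len(PREFIX):].split(":", 1)
            last = name.strip()
            fields[last] = value.strip()
        elif line and last is not None and fields[last] == "":
            fields[last] = line  # wrapped value belongs to the previous name
    return fields

def audit(fields):
    """Return a list of findings for one asset's PlayReady metadata."""
    findings = []
    try:
        uuid.UUID(fields.get("key-id", ""))
    except ValueError:
        findings.append("key-id is not a GUID")
    try:
        key = base64.b64decode(fields.get("content-key", ""), validate=True)
        if len(key) != 16:  # the field is described as a 128-bit key
            findings.append("content-key is %d bytes, expected 16" % len(key))
        else:
            findings.append("content-key is stored in clear in the metadata")
    except ValueError:
        findings.append("content-key is not valid Base64")
    if fields.get("algorithm") != "AESCTR":
        findings.append("unexpected algorithm: %r" % fields.get("algorithm"))
    if urlparse(fields.get("license-url", "")).scheme != "https":
        findings.append("license-url is not HTTPS")
    return findings
```

Running `audit(parse_metadata(SAMPLE))` on the constructed sample reports the clear-text content key and the plain-HTTP license URL.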