I am currently inspecting the decrypted version of WP8Diag.xap from GoodDayToDie, big thanks!!
So far, inside WP8Diag.dll we have the WP8Diag._7_ETC namespace and the RegistryOperationsCheck class with the useful ButtonWrite_Click method.
Code:
// Decompiled button handler: writes either a DWORD or a string registry value
// through the native CRPCComponent, depending on the IsDword checkbox.
private void ButtonWrite_Click(object sender, RoutedEventArgs e)
{
    if (string.IsNullOrWhiteSpace(this.ValueTextBox.get_Text()))
    {
        return;
    }
    bool? isChecked = this.IsDwordCheckBox.get_IsChecked();
    if (isChecked.GetValueOrDefault() && isChecked.get_HasValue())
    {
        try
        {
            // Initialised so the ref argument is definitely assigned (decompiler output omitted this).
            uint num = 0u;
            // DWORD path: the value text is parsed as uint; num receives the result flag (1 == success).
            CRPCComponent.Registry_SetDWORD(this.hKey, this.PathTextBox.get_Text(), this.KeyTextBox.get_Text(), uint.Parse(this.ValueTextBox.get_Text()), ref num);
            this.ValueTextBox.set_Text((num == 1u) ? "OK!" : "Failed!");
            return;
        }
        catch (Exception ex)
        {
            this.ValueTextBox.set_Text(ex.get_Message().ToString());
            return;
        }
    }
    try
    {
        uint num2 = 0u;
        // String path: the value text is written verbatim; num2 receives the result flag (1 == success).
        CRPCComponent.Registry_SetString(this.hKey, this.PathTextBox.get_Text(), this.KeyTextBox.get_Text(), this.ValueTextBox.get_Text(), ref num2);
        this.ValueTextBox.set_Text((num2 == 1u) ? "OK!" : "Failed!");
    }
    catch (Exception ex2)
    {
        this.ValueTextBox.set_Text(ex2.get_Message().ToString());
    }
}
It seems CRPCComponent.Registry_SetDWORD() and CRPCComponent.Registry_SetString() are doing the good stuff.
WMAppManifest.xml has tons of esoteric capabilities:
Code:
<Capabilities>
    <Capability Name="ID_CAP_APPOINTMENTS" />
    <Capability Name="ID_CAP_CONTACTS" />
    <Capability Name="ID_CAP_IDENTITY_DEVICE" />
    <Capability Name="ID_CAP_IDENTITY_USER" />
    <Capability Name="ID_CAP_LOCATION" />
    <Capability Name="ID_CAP_MAP" />
    <Capability Name="ID_CAP_MEDIALIB_AUDIO" />
    <Capability Name="ID_CAP_MEDIALIB_PLAYBACK" />
    <Capability Name="ID_CAP_MICROPHONE" />
    <Capability Name="ID_CAP_NETWORKING" />
    <Capability Name="ID_CAP_NETWORKING_ADMIN" />
    <Capability Name="ID_CAP_CSP_FOUNDATION" />
    <Capability Name="ID_CAP_CSP_OEM" />
    <Capability Name="ID_CAP_CSP_W4_APPLICATION" />
    <Capability Name="ID_CAP_PHONEDIALER" />
    <Capability Name="ID_CAP_PUSH_NOTIFICATION" />
    <Capability Name="ID_CAP_SENSORS" />
    <Capability Name="ID_CAP_WEBBROWSERCOMPONENT" />
    <Capability Name="ID_CAP_CELL_API_COMMON" />
    <Capability Name="ID_CAP_CELL_API_UICC" />
    <Capability Name="ID_CAP_CELL_API_UICC_LOWLEVEL" />
    <Capability Name="ID_CAP_CELL_API_LOCATION" />
    <Capability Name="ID_CAP_CELL_API_OEM_PASSTHROUGH" />
    <Capability Name="ID_CAP_CELL_WNF" />
    <Capability Name="ID_CAP_INTEROPSERVICES" />
    <Capability Name="ID_CAP_ISV_CAMERA" />
    <Capability Name="ID_CAP_MEDIALIB_PHOTO_FULL" />
    <Capability Name="ID_CAP_OEMPUBLICDIRECTORY" />
    <Capability Name="ID_CAP_DEVICE_MANAGEMENT_SECURITY_POLICIES" />
    <Capability Name="ID_CAP_DEVICE_MANAGEMENT_ADMIN" />
</Capabilities>
It also declares the CRPCComponent as an InProcessServer:
Code:
<InProcessServer>
    <Path>RPCComponent.dll</Path>
    <ActivatableClass ActivatableClassId="RPCComponent.CRPCComponent" ThreadingModel="both" />
</InProcessServer>
RPCComponent.dll is compiled for ARM.
Let's have a look at its import table:
There we have our beloved RegSetValueExW. As this application got installed with really privileged capabilities, I suppose the final call to RegSetValueExW works.
I have just tried to deploy the decrypted xap with the Microsoft SDK to my Lumia 920, but it doesn't work. It fails with error 0x81030120, I think because of the privileged capabilities the manifest declares.
I hope someone could install this xap from the store with any spoofing technique, cheating the download and installation of the marketplace app.
Maybe the installation done by the marketplace app doesn't check for privileged capabilities inside the manifest.
Keep up the good work guys!!
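As an added example (not code from the post, from WP8Diag or from GoodDayToDie): a small Python auditor that parses a WMAppManifest.xml the way a reviewer would before sideloading anything, reports every capability outside a reviewer-chosen baseline, and lists native InProcessServer entries like the RPCComponent one above. The baseline set, the sample manifest and the function names are constructed for illustration; the baseline is not Microsoft's official classification of which capabilities are restricted.

```python
"""Audit a Windows Phone 8 WMAppManifest.xml for capabilities outside a
reviewer-defined baseline and for native in-process servers.

Added example, not code from WP8Diag or its author. BASELINE_CAPABILITIES
and SAMPLE_MANIFEST are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: capabilities this reviewer treats as ordinary
# Store-developer capabilities. Anything not listed here is reported.
BASELINE_CAPABILITIES = frozenset({
    "ID_CAP_APPOINTMENTS", "ID_CAP_CONTACTS", "ID_CAP_IDENTITY_DEVICE",
    "ID_CAP_IDENTITY_USER", "ID_CAP_LOCATION", "ID_CAP_MAP",
    "ID_CAP_MEDIALIB_AUDIO", "ID_CAP_MEDIALIB_PLAYBACK", "ID_CAP_MICROPHONE",
    "ID_CAP_NETWORKING", "ID_CAP_PHONEDIALER", "ID_CAP_PUSH_NOTIFICATION",
    "ID_CAP_SENSORS", "ID_CAP_WEBBROWSERCOMPONENT", "ID_CAP_ISV_CAMERA",
})

# Constructed sample manifest, trimmed, mirroring the structure quoted in the post.
SAMPLE_MANIFEST = """
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App xmlns="" Title="SampleDiag" Author="constructed">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_INTEROPSERVICES" />
      <Capability Name="ID_CAP_DEVICE_MANAGEMENT_ADMIN" />
    </Capabilities>
    <ActivatableClasses>
      <InProcessServer>
        <Path>RPCComponent.dll</Path>
        <ActivatableClass ActivatableClassId="RPCComponent.CRPCComponent" ThreadingModel="both" />
      </InProcessServer>
    </ActivatableClasses>
  </App>
</Deployment>
"""


def _local(tag):
    """Strip any XML namespace prefix so matching works whether or not
    the element inherited the Deployment namespace."""
    return tag.rsplit("}", 1)[-1]


def parse_manifest(xml_text):
    """Return the declared capabilities and in-process servers of a manifest."""
    root = ET.fromstring(xml_text)
    capabilities = [
        el.get("Name") for el in root.iter()
        if _local(el.tag) == "Capability" and el.get("Name")
    ]
    servers = []
    for el in root.iter():
        if _local(el.tag) != "InProcessServer":
            continue
        path = next((c.text.strip() for c in el
                     if _local(c.tag) == "Path" and c.text), None)
        classes = [c.get("ActivatableClassId") for c in el
                   if _local(c.tag) == "ActivatableClass"]
        servers.append({"path": path, "classes": classes})
    return {"capabilities": capabilities, "inprocess_servers": servers}


def audit_manifest(xml_text, baseline=BASELINE_CAPABILITIES):
    """Produce review findings: non-baseline capabilities and native servers."""
    info = parse_manifest(xml_text)
    findings = []
    for cap in info["capabilities"]:
        if cap not in baseline:
            findings.append(f"non-baseline capability: {cap}")
    for srv in info["inprocess_servers"]:
        classes = ", ".join(c for c in srv["classes"] if c)
        findings.append(f"native in-process server: {srv['path']} ({classes})")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

Point the script at a real manifest extracted from a xap and every line it prints is something to explain before the package goes near a device; an empty report means only baseline capabilities and no native component.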