What am I reading?
This is a security whitepaper and roadmap on existing vulnerabilities in the Windows Phone 7 Marketplace and the Windows Phone 7 anti-piracy mechanisms. In this post we'll show that Microsoft's dereliction has opened the door to app piracy on Windows Phone 7 and expose each such failure to protect XAPs in detail. By the end of this whitepaper, each reader will be able to work on an individual task related to enabling WP7 app piracy, should they choose to do so.
But why enable WP7 app piracy?
Elementary my dear Watson,
Cory Doctorow says it best when he explains that 97% of content creators benefit from piracy. The real problem isn't that a consumer will avoid buying a record or an app, but rather the sheer obscurity of apps that will prevent consumers from ever hearing about them. Microsoft has rigged the game so that all non-Microsoft and non-Partner apps (e.g. Facebook, Twitter, Netflix, et al.) remain obscure by using its oppressive Featured Apps section. With Microsoft's own Xbox Live paid games being aggressively showcased in the Featured Apps section, how can paid apps that are not Microsoft-affiliated even compete? This is an attempt to liberate 97% of WP7 apps from the obscurity pressed upon them by Microsoft.
It is reasonable to assume that for whatever reasons this whitepaper will soon be deleted from XDA-developers and links to external assets taken down.
Make sure to mirror this whitepaper or it will be lost forever.
1. Downloading all the Windows Phone 7 Marketplace apps locally
The first step to enabling WP7 app piracy is enabling anyone to download all Marketplace apps in their disabled state. The following C# code snippet, when invoked from a Visual Studio 2010 Console Application using "new XapDownloader().Download()", will download all the Windows Phone 7 Marketplace XAPs to a local folder on your machine within a few hours.
1.1. Warning
It's reasonable to assume that Microsoft will be logging all incoming HTTP connections to their XAP servers. Make sure to use proxies when executing this code snippet.
1.2. Required Action: Download the Marketplace and seed a torrent
We need a volunteer to download the entire disabled Marketplace (approximately 5GB), seed it as a torrent and post the relevant information in this thread. Using this torrent, others will be able to pick up the work of unlocking the entire Marketplace. It is recommended that this individual be properly protected from any attempt to trace their real-life identity. It is also likely that Microsoft will soon block this code snippet, but by tracing Zune with Fiddler it is possible to find the new Zune Catalog URLs.
2. Circumventing the 10 side-loaded apps limit
Even with all Marketplace apps downloaded and enabled (see Part 3 for enabling the downloaded XAPs) we hit a wall. The enabled XAPs cannot be downloaded from the Marketplace, so they must be side-loaded onto WP7 devices. However, Windows Phone 7 enforces a hard limit of 10 side-loaded apps for each unlocked device.
When a WP7 device is unlocked using the DeviceReg.exe tool from the WP7 Developer SDK, it receives the following response over HTTP:
<ResponseOfRegisteredDeviceStatus xmlns="Microsoft.WindowsMobile.Service.Marketplace" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><ResponseCode>0x00000000</ResponseCode><ResponseMessage i:nil="true"/><Entity xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities"><a:daysLeft>123</a:daysLeft><a:AppsAllowed>10</a:AppsAllowed></Entity></ResponseOfRegisteredDeviceStatus>
It is possible to change the <a:AppsAllowed>10</a:AppsAllowed> section to allow any number of apps, as is demonstrated in this blog post:
2.1. Required Action: Create a tool that unlocks a WP7 device and enables 100,000 sideloaded apps
You might be able to base your work on previous work in this field, but you should be ready to start from scratch. It is clearly possible to enable a WP7 device to load more than 10 apps with this technique.
3. Enabling the disabled Marketplace apps
It's tricky to enable a disabled WP7 Marketplace XAP, but it can be done. Let's explore this by attempting to side-load the NASA "I Am a Martian" WP7 app. You can download the XAP (remember to use a proxy) from this URL.
3.1. Deploying disabled marketplace XAPs
Attempting to load any disabled XAP using XapDeploy.exe from the WP7 developer SDK fails in XapDeploy.exe:
A XAP is an ordinary ZIP archive, so using the following technique it is possible to explore XAPs in Windows 7 as ZIP libraries. When viewing the NASA XAP as a ZIP, delete the WMAppPRHeader.xml:
After deleting WMAppPRHeader.xml, the XAP successfully deploys to the WP7 emulator and to WP7 devices:
3.2. Activating disabled Marketplace XAPs by replacing the entry assembly
After successful deployment of a disabled Marketplace XAP, attempting to activate the XAP will still fail:
However, replacing the release entry assembly in the XAP with a debug entry assembly makes it possible to activate the XAP. Since the NASA "I Am A Martian" app is open source, we can obtain the debug assembly from http://beamartian.codeplex.com. Copy the "beamartian1.2\beamartian\NASA.BeAMartian\Bin\Debug\NASA.BeAMartian.dll" assembly into our modified XAP, deploy it again, and the app runs flawlessly.
For those who haven't noticed: we have taken a completely disabled Marketplace XAP, deployed it, activated it, and everything works.
3.3. Published XAPs contain GeoTrust signed entry assemblies
The core difference between our open-source build of "NASA.BeAMartian.dll" and the Marketplace version of the same DLL is a 6KB security signature appended at the end of the Marketplace-published DLL:
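The three observations in 3.1 to 3.3 (a XAP is a ZIP, Marketplace XAPs carry a WMAppPRHeader.xml, and the published entry assembly ends in a several-kilobyte signature) can be checked without touching a phone. The following Python script is an added example, not code from the original post or from the NASA project. It opens a XAP as a ZIP, reports whether WMAppPRHeader.xml is present, reads the entry assembly name from the Silverlight AppManifest.xaml (its EntryPointAssembly attribute), and then looks for an appended signature in that DLL. It assumes the appended blob is stored the standard PE way, as a Certificate Table entry (data directory index 4, the Authenticode location); the post itself does not identify the format, so that is an assumption. The sample XAP and the minimal PE image it contains are constructed in the script so it runs offline.

```python
"""Inspect a WP7 XAP offline: PR header present? which DLL is the entry assembly?
does that DLL carry an appended (PE Certificate Table) signature? Added example."""
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

PR_HEADER = "WMAppPRHeader.xml"      # present in Marketplace-published XAPs
SL_MANIFEST = "AppManifest.xaml"     # Silverlight manifest naming the entry assembly


def find_certificate_table(pe: bytes):
    """Return (file_offset, size) of the PE Certificate Table
    (IMAGE_DIRECTORY_ENTRY_SECURITY) or None if the image has no appended
    signature. Raises ValueError for anything that is not a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs < 5:
        return None
    # Entry 4 is the security directory; unlike the others its "VirtualAddress"
    # is a raw file offset, which is why the blob sits at the end of the file.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if size == 0:
        return None
    if off + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return off, size


def inspect_xap(xap_bytes: bytes) -> dict:
    """Summarise the Marketplace-relevant parts of a XAP (a XAP is a plain ZIP)."""
    report = {"has_pr_header": False, "entry_assembly": None, "signature": None}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        names = set(z.namelist())
        report["has_pr_header"] = PR_HEADER in names
        if SL_MANIFEST in names:
            root = ET.fromstring(z.read(SL_MANIFEST))
            asm = root.get("EntryPointAssembly")       # un-prefixed attribute
            if asm:
                report["entry_assembly"] = asm + ".dll"
        dll = report["entry_assembly"]
        if dll and dll in names:
            report["signature"] = find_certificate_table(z.read(dll))
    return report


def build_pe32(signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not a real assembly): DOS stub, PE signature,
    COFF header, 224-byte optional header with 16 data directories, then the
    optional appended certificate-table blob. Used only to exercise the inspector."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    header_len = len(dos) + 4 + len(coff) + 96 + 16 * 8
    dirs = [(0, 0)] * 16
    if signature:
        dirs[4] = (header_len, len(signature))       # security dir -> appended blob
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + signature


def build_sample_xap(include_pr_header: bool, signed: bool) -> bytes:
    """Constructed sample XAP mimicking the layout of a Marketplace-published app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(SL_MANIFEST,
                   '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
                   'EntryPointAssembly="NASA.BeAMartian" EntryPointType="NASA.BeAMartian.App" '
                   'RuntimeVersion="3.0.40624.0"/>')
        z.writestr("WMAppManifest.xml", "<Deployment/>")        # placeholder content
        if include_pr_header:
            z.writestr(PR_HEADER, "<WMAppPRHeader/>")           # placeholder content
        blob = b"\0" * 6144 if signed else b""                  # 6KB, as seen on the page
        z.writestr("NASA.BeAMartian.dll", build_pe32(blob))
    return buf.getvalue()


if __name__ == "__main__":
    print("marketplace-style:", inspect_xap(build_sample_xap(True, True)))
    print("debug rebuild:    ", inspect_xap(build_sample_xap(False, False)))
```

Run against a real XAP with inspect_xap(open("app.xap", "rb").read()); a Marketplace XAP should report has_pr_header True and a non-empty signature tuple, while a locally built debug XAP should report neither. If the real DLL reports no certificate table but still differs at the end of the file, the Authenticode assumption above is wrong and the trailing bytes are some other format.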
3.4. Research Required: Removing Marketplace XAPs security signatures
I'm out of my depth here, we need a cypherpunk or anyone who knows what's what with this security signature. It looks like the whole assembly is changed by this signing process but I'm hopeful the security signing can be reversed. Once the security signature is removed it will be possible to deploy and activate all WP7 marketplace XAPs.
3.5. Replacing the marketplace published entry assembly with a facade debug assembly
It is theoretically possible to replace the entry assembly in published Marketplace XAPs with a very light debug shim layered on top of it. By inheriting from the "App" class of the original entry assembly and making that inheriting class the entry type, in a new debug entry assembly, it should be possible to deploy and activate Marketplace XAPs.
3.6. Research Required: What is the correct way to inherit from the App class?
Unfortunately, I have not been able to get the technique listed under 3.5 to work for the majority of Marketplace-locked XAPs. Each app seems to require its own inheritance logic and MSIL changes to work. In the event we cannot remove the security signatures from Marketplace entry assemblies, we need a tool that will automatically take an entry assembly and create a facade debug assembly for it.
4. Summary
We have downloaded a XAP from the Marketplace, deployed it and enabled it. WP7 app piracy is technically feasible. We need people to follow up on this roadmap: create a torrent of the Marketplace XAPs, create a tool that enables XAPs by removing WMAppPRHeader.xml and replacing the entry assembly, and create a tool that unlocks devices to support thousands of side-loaded apps. I leave these technical challenges in your capable hands.
Thank you for your time,
V@l
Original Source :
http://forum.xda-developers.com/showthread.php?t=890198.