[Q] Lost signature file - Android Software Development

Hi
I made an app a while ago (8 months ago); now I've made an update, but I can't release it. It says I need the same certificate file.
Is there any way to retrieve it using the old application's APK?

XabdullahX said:
Hi
I made an app a while ago (8 months ago); now I've made an update, but I can't release it. It says I need the same certificate file.
Is there any way to retrieve it using the old application's APK?
No! This uses a public/private key system so if you lose your private key, you're screwed.

Been there, done that (on TWO apps). You are indeed TOAST. I feel your pain

Ouch. Thanks, guys.
Now my question is: can I create a keystore identical to the other one to fake it inside Market?
I see jarsigner is telling me this about the original app:
X.509, CN=Abdullah Gheith, O=Abdullah Gheith, L=Denmark, C=45
[certificate is valid from 22-05-10 01:22 to 14-05-40 01:22]
Wouldn't it be possible to fake this information inside the new keystore somehow, maybe change the date and stuff? I know the password used for the original keystore.
While waiting for your reply I am trying it ^^. Updating here when I find something out.
EDIT: Okay, never mind. I am the only one naive enough to think that this will work, even though the file I newly created showed me this certificate:
X.509, CN=Abdullah Gheith, O=Abdullah Gheith, L=Denmark, C=45
[certificate is valid from 22-05-10 01:22 to 14-05-40 01:22]

You know, app signing was added for some reason, not because someone was bored ;-) If you were able to properly sign an app without the private key, then the whole signing thing would not make any sense.
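What the experiment above runs into, as an added example that is not part of any post in this thread: a new keystore can copy every field jarsigner printed, but it holds a different key pair, so the certificate bytes and every signature differ. The subject values, the payload and the `acceptsUpdate` rule are constructed here; the rule is a simplified model of the same-certificate requirement, not Android's code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSigningCert generates a fresh key pair and a self-signed certificate with
// the given subject and validity, which is what creating a new keystore does.
func newSigningCert(subject pkix.Name, from, to time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, NotBefore: from, NotAfter: to}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// sign returns an ECDSA signature over the SHA-256 digest of payload.
func sign(key *ecdsa.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifies reports whether sig over payload checks out under cert's public key.
func verifies(cert *x509.Certificate, payload, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// acceptsUpdate is a simplified model (an assumption of this example): the
// update must be validly signed AND carry the installed app's certificate bytes.
func acceptsUpdate(installed, offered *x509.Certificate, payload, sig []byte) bool {
	return verifies(offered, payload, sig) && bytes.Equal(installed.Raw, offered.Raw)
}

// CloneResult records what a look-alike keystore does and does not reproduce.
type CloneResult struct {
	SameSubject, SameValidity, SameFingerprint bool
	CloneSigVerifiesUnderOriginal              bool
	CloneUpdateAccepted, OriginalUpdateAccepted bool
}

func compareClone() CloneResult {
	// Constructed subject; the validity window mirrors the shape of the one in the thread.
	subject := pkix.Name{CommonName: "Example Dev", Organization: []string{"Example Dev"},
		Locality: []string{"Denmark"}, Country: []string{"DK"}}
	from := time.Date(2010, 5, 22, 1, 22, 0, 0, time.UTC)
	to := time.Date(2040, 5, 14, 1, 22, 0, 0, time.UTC)

	orig, origKey := newSigningCert(subject, from, to)    // the lost keystore
	clone, cloneKey := newSigningCert(subject, from, to)  // the look-alike
	update := []byte("constructed bytes standing in for the updated APK")

	return CloneResult{
		SameSubject:                   orig.Subject.String() == clone.Subject.String(),
		SameValidity:                  orig.NotBefore.Equal(clone.NotBefore) && orig.NotAfter.Equal(clone.NotAfter),
		SameFingerprint:               sha256.Sum256(orig.Raw) == sha256.Sum256(clone.Raw),
		CloneSigVerifiesUnderOriginal: verifies(orig, update, sign(cloneKey, update)),
		CloneUpdateAccepted:           acceptsUpdate(orig, clone, update, sign(cloneKey, update)),
		OriginalUpdateAccepted:        acceptsUpdate(orig, orig, update, sign(origKey, update)),
	}
}

func main() {
	fmt.Printf("%+v\n", compareClone())
}
```

The printed subject and dates match, which is all jarsigner's summary line shows; the fingerprint and the signature check are where the two keystores part ways.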

Brut.all said:
You know, app signing was added for some reason, not because someone was bored ;-) If you were able to properly sign an app without the private key, then the whole signing thing would not make any sense.
Yea, sadly

<rant on>
I'm not sure why they don't make uploading the key file part of the publishing process; they're damn picky enough about having the right number and size of images.
Store the damn key on your servers Google!!!! That 20% or 30% you're taking from us developers could buy you some frikkn' server space
Oh hell, just thought of this...they'll start storing the key...and charge you $50 to get it back! LOL
</rant on>

Rootstonian said:
I'm not sure why they don't make uploading the key file part of the publishing process; they're damn picky enough about having the right number and size of images.
Store the damn key on your servers Google!!!! That 20% or 30% you're taking from us developers could buy you some frikkn' server space
You're joking, aren't you?

Related

Beginning to hate "The Market"

OP deleted on account I am knot vary smert.
That's nice. Do you want some French Cries with that Whaa Burger?
Sent from my SCH-I500 using XDA App
Nice. You know, my mom always told me that if you don't have anything good to say, then just don't say anything.
Good advice in my opinion.
You've lost your keys or have problems accessing them - it's your problem, not Google's. This is called security - it's a feature, not a bug.
And you can't delete an app for quite obvious reasons: in the IT world you should try to not delete anything ever. Want a more practical reason? If you deleted your app and released a new one with the same package name, but signed with different keys, then people who had already downloaded your first app wouldn't be able to install the new one.
Yeah, I guess y'all are right. OP deleted because apparently 15 years of work in IT and 2 degrees makes me stupid for losing a file. Thank god no one else has ever lost a file
Yeah... the android market system is pretty well thought out. But can you imagine if they lost the key to angry birds, or to some corporate app?
Lakers16 said:
Yeah... the android market system is pretty well thought out. But can you imagine if they lost the key to angry birds, or to some corporate app?
This is the reason why there are all of these "Keep backup(s) of your private key." warnings
You know, there may be much, much, much worse consequences of losing private keys. Many devices or technologies are designed to restrict access to themselves using keys of their manufacturers. Let's imagine Apple loses the keys they use for app signing: there would be no more apps for any existing device - for millions of them! Same for other technologies: one hard disk failure and thousands or millions of devices around the world become totally useless.
Private keys are one of the most important and most secured things in many companies.
Rootstonian said:
OP deleted on account I am knot vary smert.
Don't forget childish. 8-D
carnegie0107 said:
Don't forget childish. 8-D
Always Never plan on getting old, even though the "50" mark is around the corner! LOL
It wasn't too painful to re-create the app. Now I have my keystore files saved on computer, external drive and burned to CD. Live and Learn I guess
Well, I never did find the keystores to my first 2 apps. Thankfully the user interface is really just there for pulling from my hosted databases. I can update the databases outside of Market updates.
Sorry about "whining" about this, but when I first created these apps, I had NO idea how important that keystore file was. I wish the Eclipse Export popped up a 30 point font dialog box with:
"WARNING! DO NOT LOSE THIS FILE OR YOU WILL NEVER BE ABLE TO UPDATE YOUR APPLICATION!"
I actually thought the keystore was somehow integrated into the apk (which it might be, I don't know, but you still need the keystore file).
I've gone the extra steps and copied my current keystore files to my hosted site AND e-mailed them to myself. That makes 5 copies! LOL

angry birds update

yay
Sent from my PC36100 using XDA App
jmollabi said:
yay
Sent from my PC36100 using XDA App
^thanks a bunch!
I'm pretty sure it's for the superbowl commercial thing.
Sent from my PC36100 using XDA App
Watch it, the permissions have changed; it wants to read your SMS and MMS, in and out.
Now that makes absolutely no sense at all. WTF would Angry Birds want to read your SMS and MMS messages? REMOVING!
This is from Android Central
Update: You might well have noticed that the app now says it needs/has permission to access your SMS messages. The developer, Rovio Mobile, tells us on Twitter that it "Must be a mistake in some permission file. Will get it sorted on Monday."
To be on the safe side, probably won't download until Monday when he fixes it. Is there a changelog to see what all changed?
androidcentral.com/angry-birds-update-brings-30-new-levels
Looks like new levels. And some easter eggs with unlock codes coming in a Super Bowl commercial.
Yeah, let's see here... The permissions say it is reading/sending SMS's, and for a company's flagship $1M+ product to have such a bug in it, I think someone would be called in to fix it on the weekend. After all, it'd take only a few minutes to edit the XML file which declares permissions, sign the APK, then send it to the Market.
I reckon the Superbowl "easteregg" is going to be using SMS's without users' knowledge/consent, and that's why they're waiting until Monday.
drmacinyasha said:
Yeah, let's see here... The permissions say it is reading/sending SMS's, and for a company's flagship $1M+ product to have such a bug in it, I think someone would be called in to fix it on the weekend. After all, it'd take only a few minutes to edit the XML file which declares permissions, sign the APK, then send it to the Market.
I reckon the Superbowl "easteregg" is going to be using SMS's without users' knowledge/consent, and that's why they're waiting until Monday.
Editing the XML to not say that is one thing, but what if the app was actually reading/sending SMS? It would take time to remove that bit of code. I would rather check to see what it is doing than rely on what it says it is or isn't doing.
Oh, come on people! This is XDA after all.
You unpack the APK, edit the XML yourself, repackage and sign. Then you beat all the new levels over the weekend and make fun of the people who are waiting until Monday.
I saw a $22 angry birds t-shirt at the mall today. Cute but maybe $10 at max.
posted via the xda app with my Evo
Solution: Don't DL Angry Birds. At least not on YOUR phone!!! In any event, it's too addictive anyway. I had to force myself to uninstall it!!!!
iconoclastnet said:
Oh, come on people! This is XDA after all.
You unpack the APK, edit the XML yourself, repackage and sign. Then you beat all the new levels over the weekend and make fun of the people who are waiting until Monday.
You do realize that when a program APK is compiled, that program's access is determined according to what it does and what it uses, and is not manually listed by the devs in an XML file.
The fact that the XML file says it means that the APK does in fact use or do some actions that involve SMS.
I can make a simple APK that stores numbers in a DB for the user at their execution, and when compiled the XMLs will be automatically updated by Eclipse to display the type of permissions it requires along with the actions and access it has to your system.
You can edit the XML like you said, but it doesn't remove that bit of code that interacts with the SMS operations.
lovethyEVO said:
You do realize that when a program APK is compiled, that program's access is determined according to what it does and what it uses, and is not manually listed by the devs in an XML file.
You do realize that you're completely wrong.
http://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
bkrodgers said:
You do realize that you're completely wrong.
http://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
So you're telling me that you have personally compiled a program APK in Eclipse and you had to manually specify what permissions and access it needs in the Android manifest? Your Eclipse somehow does not automatically update the manifest as your code changes?
If you can edit what's in there manually, what's stopping you from falsifying permissions? I call false.
rovio.com/index.php?mact=Blogs%2Ccntnt01%2Cshowentry%2C0&cntnt01entryid=57&cntnt01returnid=58
I guess it's not a bug.
"SMS payment coming to Android devices
We are bringing Angry Birds players on Android the option of purchasing the Mighty Eagle and other cool new content in the future using our brand new payment system, Bad Piggy Bank!
Bad Piggy Bank purchases will be paid through operator billing. No credit card is required, you simply select the content you want to purchase in the game, and select the Bad Piggy Bank icon. You confirm your purchase, the payment is made via SMS, and you will be charged in your phone bill.
The Android version of Angry Birds asks for SMS permission because this mobile payment capability has been added in version 1.5.1.
Angry Birds does not use the SMS functionality of the device for any other purpose than Bad Piggy Bank payments.
If the Bad Piggy Bank is not available for your operator, no purchases can be made, and you cannot be charged for anything.
Right now, the system will be available only in Finland for Elisa customers, with more countries and carriers following later. We are working globally with operators on bringing Bad Piggy Bank to all of our users worldwide - ask your mobile carrier or operator for more details!"
aimbdd said:
If you can edit what's in there manually, what's stopping you from falsifying permissions? I call false.
The point is that just because you can edit the manifest to stop the permissions after the program has been compiled, the bit of code that needed those permissions still exists in the program.
If the developer really wanted their code to run, they would/could find a loophole/exploit to have their code run regardless of whether the program is allowed the permissions.
It's just like rooting our devices. It was possible through the exploit of a flaw in the system.
If Rovio (for whatever reason) was really intent on interfacing with the SMS functions, they would have tried to circumvent the simple permissions in the manifest.
I'm not saying Rovio is trying to be malicious with their code, but once the program is compiled, editing XMLs doesn't really change the actual code, just parameters of the program such as strings, values, etc.
Who uses sms anyway?

Test

This is a test
Untouchab1e said:
YubiNotes is an open source secure notes app for Android that supports using either a password or the YubiKey NEO to encrypt/decrypt notes. Encryption/Decryption is based on a simple lock system that stores and wipes necessary keys for decryption.
YubiNotes is the perfect companion for anyone with a YubiKey NEO or the desire to keep their secrets to themselves.
Notes are encrypted using AES/CBC with PKCS5 Padding. The encryption and decryption process is based on 4 security keys. The first two are generated the first time the app is started and subsequently stored for safe keeping. The second two are the result of the hashed password or Yubikey input string.
As long as the device is locked only the unique device id keys are stored on the device. The other two keys are wiped when the note store is locked. A one-way hash of the password is also stored on the device when password mode is used.
Would love to get some feedback, so feel free to give the app a spin and shout out your thoughts and ideas!
Download: Play Store
Wow, no feedback yet for this excellent app!!
So, here's mine - excellent app and the perfect companion to Lastpass, as Yubinotes lets me use the yubikey OTP to safely store secure information as well as long passwords for non-yubikey enabled apps such as Roboform, which I have for now as a backup to Lastpass (just migrated). Exactly what I needed, since the Yubikey does not let me use both OTP and Static passwords in Android (without reconfiguring the key, which is not practical). Well done!
Thanks for the nice feedback! The Yubikey is still a bit of a niche product, but personally, I find Yubinotes a useful companion.
Untouchab1e said:
Thanks for the nice feedback! The Yubikey is still a bit of a niche product, but personally, I find Yubinotes a useful companion.
Unt, thanks for fixing the inability to edit a note. I am finding that when I select text, the only thing I can do is paste. No other options, such as copy, select all, etc show up.
Bug?
smalis said:
Unt, thanks for fixing the inability to edit a note. I am finding that when I select text, the only thing I can do is paste. No other options, such as copy, select all, etc show up.
Bug?
I really need to sit down and give the whole app an overhaul. But I'll def look into that specific issue asap. Thanks for the heads up.
Untouchab1e said:
I really need to sit down and give the whole app an overhaul. But I'll def look into that specific issue asap. Thanks for the heads up.
Much appreciated. The app, barebones as it is, does what it is supposed to do and works quite well for me - except that as I use it to store passwords, I need the ability to copy the password so that I can paste it into a form.
Thanks again!
smalis said:
Much appreciated. The app, barebones as it is, does what it is supposed to do and works quite well for me - except that as I use it to store passwords, I need the ability to copy the password so that I can paste it into a form.
Thanks again!
Cool to hear that you find it useful! I'm actually attending an advanced Android training this week, so maybe I'll just sit down some day this week and work out some much needed improvements.

WP8: change marketplaces (glitch found) ?

Possible hack or glitch, that is why I am posting here.
According to a few sites, a glitch has been discovered: by setting a proxy, you can make your non-Nokia phone able to install apps from Nokia's apps.
Sites for info...
http://www.microsofttranslator.com/...n&a=http://www.wpdang.com/archives/98835.html
http://www.wpdang.com/archives/98835.html
http://www.wpcentral.com/glitch-spotted-windows-phone-store-lumia-apps
Does anyone have clear directions on this so everyone knows how to do it?
Also, I am hoping this would allow us to get to the point of a Marketplace Changer like we used to have for WP7 devices.. I personally would like some HTC apps on my Nokia...and a LG app too.
Figured this would be a great place to start a discussion on this.
The basic "hack" is dead simple, actually. In a way, this is easier than the old Marketplace Switching apps; those worked by changing some configuration files on the phone; this works by editing the communication between the phone and the Marketplace servers *as if* those files had been changed.
It's probably worth the time to write up a small utility to do this yourself, rather than relying on a third party proxy (never a good plan if you don't have to do it). It might even be possible to make the proxy run as an app on the phone itself (it would need to be sideloaded, since there's no way MS would permit such a thing, and you'd probably still need to be on WiFi, but it might be possible).
DavidinCT said:
Possible hack or glitch, that is why I am posting here.
According to a few sites, a glitch has been discovered: by setting a proxy, you can make your non-Nokia phone able to install apps from Nokia's apps.
Sites for info...
http://www.microsofttranslator.com/...n&a=http://www.wpdang.com/archives/98835.html
http://www.wpdang.com/archives/98835.html
http://www.wpcentral.com/glitch-spotted-windows-phone-store-lumia-apps
Does anyone have clear directions on this so everyone knows how to do it?
Also, I am hoping this would allow us to get to the point of a Marketplace Changer like we used to have for WP7 devices.. I personally would like some HTC apps on my Nokia...and a LG app too.
Figured this would be a great place to start a discussion on this.
Guys, I've tried this on my Huawei W1 but it says cannot connect. I've also tried changing the region but nothing happens. Has anyone tried this already and successfully installed those Nokia exclusive apps?
Thank you,
jakelq said:
Guys, I've tried this on my Huawei W1 but it says cannot connect. I've also tried changing the region but nothing happens. Has anyone tried this already and successfully installed those Nokia exclusive apps?
Thank you,
It is time based. I mean, sometimes it happens, sometimes it doesn't. Keep trying is all I can say.
GH0ST DR0NE said:
It is time based. I mean, sometimes it happens, sometimes it doesn't. Keep trying is all I can say.
Yup, I tried this at home and it worked.
It runs smooth with the Huawei W1 and I don't experience any missed swipes.
Why wasn't it released for 512 MB RAM?
Thanks.
GoodDayToDie said:
The basic "hack" is dead simple, actually. In a way, this is easier than the old Marketplace Switching apps; those worked by changing some configuration files on the phone; this works by editing the communication between the phone and the Marketplace servers *as if* those files had been changed.
It's probably worth the time to write up a small utility to do this yourself, rather than relying on a third party proxy (never a good plan if you don't have to do it). It might even be possible to make the proxy run as an app on the phone itself (it would need to be sideloaded, since there's no way MS would permit such a thing, and you'd probably still need to be on WiFi, but it might be possible).
I would gladly test (I am dev unlocked) anything you can come up with here.
Anything that could help progress towards a hack on WP8, even if it's a marketplace changer of some type
aclegg2011 said:
Man, we really need to find a way to dev unlock our phones. :/
Sent from my RM-917_nam_usa_100 using XDA Windows Phone 7 App
The same process (dreamspark EDU account, etc) that worked for WP7 works on WP8 but, the limits of 3 apps are still there... So I can sideload 3 apps..
DavidinCT said:
The same process (dreamspark EDU account, etc) that worked for WP7 works on WP8 but, the limits of 3 apps are still there... So I can sideload 3 apps..
I have an edu account activated since December 2011. On my Omnia W (WP 7.5) I only had the possibility to sideload 3 apps, but now on my Lumia 820 I DON'T have this limit of 3 apps.
gipfelgoas said:
I have an edu account activated since December 2011. On my Omnia W (WP 7.5) I only had the possibility to sideload 3 apps, but now on my Lumia 820 I don't have this limit of 3 apps.
I have a Lumia 928, and I dev unlocked it (got one of those free EDU accounts that was going around, I log in 2 times a year). I put on 3 apps and it gives me an error if I try to add more.
I would like to add more, but no biggie because there are no 3rd party tools or hacks for WP8....YET.
DavidinCT said:
I have a Lumia 928, and I dev unlocked it (got one of those free EDU accounts that was going around, I log in 2 times a year). I put on 3 apps and it gives me an error if I try to add more.
I would like to add more, but no biggie because there are no 3rd party tools or hacks for WP8....YET.
I don't mind, but it seems that my account has a bug..?!?
GoodDayToDie said:
The basic "hack" is dead simple, actually. In a way, this is easier than the old Marketplace Switching apps; those worked by changing some configuration files on the phone; this works by editing the communication between the phone and the Marketplace servers *as if* those files had been changed.
It's probably worth the time to write up a small utility to do this yourself, rather than relying on a third party proxy (never a good plan if you don't have to do it). It might even be possible to make the proxy run as an app on the phone itself (it would need to be sideloaded, since there's no way MS would permit such a thing, and you'd probably still need to be on WiFi, but it might be possible).
Here is a question on this. Is there a list of "proxies" for different carriers/OEMS ? I could not find anything besides this one. Do you know how I can access HTC, Samsung, LG, etc list ?
How does one access the marketplace of another OEM than Nokia ? (I have a Nokia so that is not an issue for me)
It's just a matter of changing the ID string for the phone when it's talking to the Marketplace servers. I'll look into writing a tool to do it.
GoodDayToDie said:
It's just a matter of changing the ID string for the phone when it's talking to the Marketplace servers. I'll look into writing a tool to do it.
Awesome, I look forward to something! Thanks!
GoodDayToDie said:
It's just a matter of changing the ID string for the phone when it's talking to the Marketplace servers. I'll look into writing a tool to do it.
Hi, GoodDayToDie
Try Fiddler2 to modify the requests sent by the phone when talking to the Marketplace servers.
I have done some research and it's interesting.....
@Mattemoller90: Yes, but I can't promise that the app will install correctly afterward. Apps identify, in their manifests, the resolutions they support. If the app requires resolution that the phone doesn't have, the phone will most likely simply refuse to install it.
@GoodDayToDie
How can I cheat the Marketplace with Fiddler2 (to change the resolution)? I want to try.
You are the best
Eh, I'm not going to write a full tutorial right now. Short version is install Fiddler, set it to proxy external connections (will need to be let through your firewall), set your phone to use your PC's IP address and Fiddler's listening port as the proxy, set Fiddler to intercept requests, and then open the Marketplace. You'll see an HTTP GET request from the phone to Microsoft's servers, and the URL will contain a bunch of details about your phone (manufacturer, model, version info, region, etc.) including resolution. Replace the resolution string with the one you want to pretend to have, then have Fiddler "Run to completion".
Note: You'll probably have to do this multiple times. It's OK to not do it for things like partial searches, but you'll of course need to do it for the final search query. It can be scripted, but that's outside the scope of what I'm going to tell you to do here. Look at how @xdevilium does it in his app: http://forum.xda-developers.com/showthread.php?t=2362165
Can Fiddler be used for other things? Like seeing where server updates are coming from, and how our phones interact with developer registration?
Sent from my RM-917_nam_usa_100 using XDA Windows Phone 7 App
In theory, yes it can (or any other HTTP/HTTPS proxy; there are several of them available). However, the functions you describe use HTTPS. To intercept SSL traffic, the proxy needs to forge certificates for the sites you connect to (unless it somehow got ahold of the site's private key). To have your phone trust the forged certificates, the proxy (including Fiddler, if you choose to enable it) can sign the forged certificates using its own private key; if the corresponding public key is trusted by the phone (which can be done just by sending the public key to the phone using email or bluetooth or something, and installing it) then the forged signatures will be trusted.
However, that's only true for the general case. For specific OS functionality, Microsoft (and all the other big mobile vendors) use a technique called "certificate pinning" where the SSL certificate must either exactly match a known certificate, or must be signed by an exact match. In this case, it doesn't work to install your proxy's certificate and have it be trusted; a feature using cert pinning doesn't even check the OS's trust store. Therefore, we can't intercept those specific communications.
It's frustrating.
I've never scripted Fiddler, I just re-wrote the requests by hand. It's easy enough; there aren't very many. I could tell you how to do it in a couple other proxy programs.
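The difference between trust-store validation and pinning described above, as an added example that is not from any poster in this thread: a leaf signed by a user-installed proxy CA passes normal chain validation but fails a pin check that accepts only an exact match or a certificate signed by the pinned one. The host name, CA names and helper functions are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "store.example.test" // constructed host name

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mint signs tmpl with the parent's key and returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// trustStoreAccepts is ordinary chain validation: any root in the pool will do.
func trustStoreAccepts(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinAccepts never consults the trust store: the leaf must be byte-identical to
// a pinned certificate or carry a valid signature from one.
func pinAccepts(leaf *x509.Certificate, pinned []*x509.Certificate) bool {
	for _, p := range pinned {
		if bytes.Equal(leaf.Raw, p.Raw) || leaf.CheckSignatureFrom(p) == nil {
			return true
		}
	}
	return false
}

// PinResult holds both checks for the genuine and the proxy-issued leaf.
type PinResult struct {
	GenuineTrusted, GenuinePinned, ForgedTrusted, ForgedPinned bool
}

func runScenario() PinResult {
	vendorKey, proxyKey := newKey(), newKey()
	vt := caTemplate("Constructed Vendor Root")
	vendorCA := mint(vt, vt, vendorKey.Public(), vendorKey)
	pt := caTemplate("Constructed Proxy Root")
	proxyCA := mint(pt, pt, proxyKey.Public(), proxyKey)

	genuine := mint(leafTemplate(2), vendorCA, newKey().Public(), vendorKey)
	forged := mint(leafTemplate(3), proxyCA, newKey().Public(), proxyKey)

	// Device trust store after the user has installed the proxy's root.
	roots := x509.NewCertPool()
	roots.AddCert(vendorCA)
	roots.AddCert(proxyCA)
	pins := []*x509.Certificate{vendorCA} // what the pinning client ships with

	return PinResult{
		GenuineTrusted: trustStoreAccepts(genuine, roots),
		GenuinePinned:  pinAccepts(genuine, pins),
		ForgedTrusted:  trustStoreAccepts(forged, roots),
		ForgedPinned:   pinAccepts(forged, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```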
GoodDayToDie said:
I could tell you how to do it in a couple other proxy programs.
I Really Appreciate That

Microsoft offering free unlocks, 2 app sideload limit

Microsoft just announced today that Windows Phone developers can now unlock their devices for free, with a 2-app sideload limit. Those needing higher limits can grab an account for cheap during the summer ($19 USD).
Just use your Microsoft account with the Windows Phone Developer Registration tool and you should be off and running.
Beginning today we are simplifying the developer phone registration process. Now, any developer can unlock and register 1 phone to load up to 2 apps. Registered developers with Dev Center accounts continue to have the option to unlock up to 3 phones and upload up to 10 apps on each.
WithinRafael said:
Microsoft just announced today that Windows Phone developers can now unlock their devices for free, with a 2-app sideload limit. Those needing higher limits can grab an account for cheap during the summer ($19 USD).
Just use your Microsoft account with the Windows Phone Developer Registration tool and you should be off and running.
That's awesome news! That gets rid of the need for Chevron mods for all those WP7 people and that makes it easy to test WP8 apps.
thals1992 said:
That's awesome news! That gets rid of the need for Chevron mods for all those WP7 people and that makes it easy to test WP8 apps.
This is great news!
This whole thing got me thinking, there might be some way to "abuse" the XAP installer that processes the XAP, since the XAP is downloaded straight from the browser.
Hopefully there are some vulnerabilities in the installer.
IzaacJ said:
This whole thing got me thinking, there might be some way to "abuse" the XAP installer that processes the XAP, since the XAP is downloaded straight from the browser.
Hopefully there are some vulnerabilities in the installer.
I think you're on to something here....
Not sure what you mean by "the XAP is downloaded straight from the browser" - Store apps are downloaded over HTTP (HTTPS actually, with cert pinning to boot) but the only apps I've seen actually install if they were downloaded from a web browser (or via email attachment, or sent using Bluetooth) are company / LOB apps, not store apps or unsigned (homebrew/development) apps.
That said, the XAPs do get processed by the installer (and rejected) anyhow. It's possible there's a vulnerability in that check process; is that what you're thinking of? If so, I don't believe it has anything to do with the news in this thread in particular (although it *might* help to have dev-unlock enabled) but it's a worthwhile path of exploration anyhow. The XAP installer is one of the relatively few parts of the system that has fairly high permissions but is easily attackable. Of course, that means MS will have reviewed and fuzz tested the hell out of it, but we can hope...
GoodDayToDie said:
Not sure what you mean by "the XAP is downloaded straight from the browser" - Store apps are downloaded over HTTP (HTTPS actually, with cert pinning to boot) but the only apps I've seen actually install if they were downloaded from a web browser (or via email attachment, or sent using Bluetooth) are company / LOB apps, not store apps or unsigned (homebrew/development) apps.
That said, the XAPs do get processed by the installer (and rejected) anyhow. It's possible there's a vulnerability in that check process; is that what you're thinking of? If so, I don't believe it has anything to do with the news in this thread in particular (although it *might* help to have dev-unlock enabled) but it's a worthwhile path of exploration anyhow. The XAP installer is one of the relatively few parts of the system that has fairly high permissions but is easily attackable. Of course, that means MS will have reviewed and fuzz tested the hell out of it, but we can hope...
The XAPs developed in App Studio are downloaded in the browser on the phone, not from the store, which could prove to be a vulnerability, but there might be cert pinning since App Studio apps require you to install a certificate first. Hopefully someone with more knowledge, like you, could look at it. Just prep a simple app in App Studio and go through the process and see what you'll be able to find.
Maybe Fiddler might help to determine if any cert pinning is done?
Ah sorry, I wasn't looking at App Studio. I will investigate... but unless they're giving us access to the signing key, or raw access to the XAP, it probably won't work for anything *too* exciting. Still, if it's a way to install signed apps that we write ourselves (to any meaningful degree), there's hope...
GoodDayToDie said:
Ah sorry, I wasn't looking at App Studio. I will investigate... but unless they're giving us access to the signing key, or raw access to the XAP, it probably won't work for anything *too* exciting. Still, if it's a way to install signed apps that we write ourselves (to any meaningful degree), there's hope...
If I've understood it correctly, there is possibility to do changes to the XAP.
Note this tool is browser driven - no Windows 8 machine required - if you're not going to modify the source code that is. There are plans on the way for more goodies, so keep posted.
- Source
Cool. Looks like I need to send a request to get into the beta. I should do that... see what I get back. If the XAPs aren't signed, they probably won't be useful for breaking anything but the interaction with the browser might be interesting. If they are signed...
GoodDayToDie said:
Cool. Looks like I need to send a request to get into the beta. I should do that... see what I get back. If the XAPs aren't signed, they probably won't be useful for breaking anything but the interaction with the browser might be interesting. If they are signed...
I didn't have to sign up for the beta, think I could use it right away since I'm a registered dev. Just signed in with my dev account and tried it out right away.
IzaacJ said:
I didn't have to sign up for the beta, think I could use it right away since I'm a registered dev. Just signed in with my dev account and tried it out right away.
Awwman! I sent the request more than 24 hours ago and I still haven't received any emails. Also I'm a registered DreamSpark dev, but that expired in March.
@IzaacJ: Thanks for the tip, I'll try that then.
EDIT: Nope! Still demanding an "invitation code".
How the Windows Phone App Studio deploys
thals1992 said:
Awwman! I sent the request more than 24 hours ago and I still haven't received any emails. Also I'm a registered DreamSpark dev, but that expired in March.
Finally got mine a few hours ago. Haven't got very deep in it yet, but the templates are convenient.
---------- Post added at 10:49 PM ---------- Previous post was at 10:35 PM ----------
IzaacJ said:
The XAPs developed in App Studio are downloaded in the browser on the phone, not from the store, which could prove to be a vulnerability, but there might be cert pinning since App Studio apps require you to install a certificate first. Hopefully someone with more knowledge, like you, could look at it. Just prep a simple app in App Studio and go through the process and see what you'll be able to find.
Maybe Fiddler might help to determine if any cert pinning is done?
Here's the output of an almost empty app.
First things first
Remember you have to install the Certificate we sent you via Email.
links to dowappdiagnostics.blob.com/aet/AET.aetx
Code:
<wap-provisioningdoc>
  <characteristic type="EnterpriseAppManagement">
    <characteristic type="5342258">
      <parm datatype="string" name="EnrollmentToken" value="[enrollment token removed]"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
Link to app
http://bit.ly/19fnUyO
It also offers the source code:
http://apps.windowsstore.com/DashBo...4ab6a18?version=59091.elpplk&resource=sources
The file is named WPAppStudio.xap
THIS JUST ADDS MICROSOFT CORPORATION AS A COMPANY ACCOUNT AND DEPLOYS AN XAP BASED ON IT.
So, this isn't really good news. Back to looking at a company account exploit?
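Added example, not part of the original posts and not Microsoft's code: a small Python audit that lists every setting a `wap-provisioningdoc` such as the AET.aetx above would apply and flags anything other than the single `EnrollmentToken`, which is the check to run before installing a provisioning file received by e-mail or download. The allowlist is inferred only from the document quoted in the post; the sample token, `ExampleOtherArea` and `ExampleParm` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Allowlist taken from the document quoted in the post: a single EnrollmentToken
# parm nested under EnterpriseAppManagement/<enterprise id>.
EXPECTED_AREA = "EnterpriseAppManagement"
EXPECTED_PARMS = {"EnrollmentToken"}

def walk(node, path=()):
    """Yield (path, parm name, datatype) for every setting below node."""
    for child in node:
        if child.tag == "characteristic":
            yield from walk(child, path + (child.get("type", ""),))
        else:  # <parm>, or an element this audit does not know
            yield path, child.get("name", "<%s>" % child.tag), child.get("datatype", "")

def audit_provisioning(xml_text):
    """Return findings; an empty list means only the expected token is set."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "wap-provisioningdoc":
        return ["root element is %r, not wap-provisioningdoc" % root.tag]
    findings, seen_token = [], False
    for path, name, datatype in walk(root):
        expected = (len(path) == 2 and path[0] == EXPECTED_AREA
                    and name in EXPECTED_PARMS and datatype == "string")
        if expected:
            seen_token = True
        else:
            findings.append("unexpected setting %s at %s" % (name, "/".join(path) or "(top level)"))
    if not seen_token:
        findings.append("no EnrollmentToken found")
    return findings

# Constructed sample with the shape of the AET.aetx in the post (token is a placeholder).
ORIGINAL_SHAPE = """<wap-provisioningdoc>
<characteristic type="EnterpriseAppManagement"><characteristic type="5342258">
<parm datatype="string" name="EnrollmentToken" value="CONSTRUCTED-PLACEHOLDER"/>
</characteristic></characteristic></wap-provisioningdoc>"""

# Constructed sample: same document plus a hypothetical extra area and parm.
WITH_EXTRA = ORIGINAL_SHAPE.replace("</wap-provisioningdoc>",
    '<characteristic type="ExampleOtherArea"><parm datatype="integer" '
    'name="ExampleParm" value="1"/></characteristic></wap-provisioningdoc>')

if __name__ == "__main__":
    for label, doc in (("original shape", ORIGINAL_SHAPE), ("with extra", WITH_EXTRA)):
        print(label, "->", audit_provisioning(doc) or "only the enrollment token is set")
```

The audit is deny-by-default: any characteristic or parm it does not recognise is reported rather than ignored, and documents carrying a DTD are refused before parsing.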
thals1992 said:
Finally got mine a few hours ago. Haven't got very deep in it yet, but the templates are convenient.
---------- Post added at 10:49 PM ---------- Previous post was at 10:35 PM ----------
Here's the output of an almost empty app.
links to dowappdiagnostics.blob.com/aet/AET.aetx
Code:
<wap-provisioningdoc>
  <characteristic type="EnterpriseAppManagement">
    <characteristic type="5342258">
      <parm datatype="string" name="EnrollmentToken" value="[enrollment token removed]"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
Link to app
http://bit.ly/19fnUyO
It also offers the source code:
http://apps.windowsstore.com/DashBo...4ab6a18?version=59091.elpplk&resource=sources
The file is named WPAppStudio.xap
THIS JUST ADDS MICROSOFT CORPORATION AS A COMPANY ACCOUNT AND DEPLOYS AN XAP BASED ON IT.
So, this isn't really good news. Back to looking at a company account exploit?
It might be possible to find an exploit in the XAP installer that installs the XAPs from the browser, and use that to install an app with higher privileges, and accessing the filesystem and/or the registry with full access?
Actually, that's pretty good. Company apps have lower restrictions, and are easier to install. Also, that's a provxml document... we should see if we can modify it and get it to do anything else interesting for us!
@GoodDayToDie, I was thinking the same thing of the provxml document. That would be EPIC if we could modify it to change registry...
@GoodDayToDie, @snickler I'm gonna try to use Fiddler to redirect that request to my own server with an edited file and see what happens. Going to start with setting the MaxUnsignedApp value. Wish me luck.
IzaacJ said:
@GoodDayToDie, @snickler I'm gonna try to use Fiddler to redirect that request to my own server with an edited file and see what happens. Going to start with setting the MaxUnsignedApp value. Wish me luck.
Ohhh please tell me how this works out! I wanted to do the same thing, but I have to wait for MS to get back with my invitation code.
Best of luck!
@snickler No matter how I do, it ends up showing the AET.aetx as a text file. Doesn't matter if it's the original one or the edited one.
Original one is available at: http://www.izz0.eu/AET.aetx
Edited one is available at: http://www.izz0.eu/AET2.aetx
Feel free to try on your own.
@GoodDayToDie, have you got any ideas? You're like a walking knowledge base ;D
