A quick lesson in reverse engineering with WP7

  • First of all, you can’t play with this unless your phone is completely unlocked. Since the new version of the wp marketplace, all xap files are completely encrypted. So you can’t download them, and unzip them as before…
  • Second of all: this is only a very basic post on this matter, but it’s a good start for more 🙂

Well, let us start with a random no-name application.
You’ll need a .net decompiler as well! Just google one 🙂
I’ll use ilspy because it’s fast and portable 🙂

Here you can read some things about how wp7 trials CAN work, using the istrial() method.
This function is added to make sure the xap you’ve downloaded is the trial version.
Developers are given the choice on the marketplace to upload two different versions of any application: a trial version and a “full/paid” version.

Next, you’ll need the wp7 app (or parts from it) on your computer.
As mentioned earlier, Microsoft now encrypts the entire xap file (which I don’t blame them for). So we’ll have to install the app on the phone and copy the necessary files from our phone to a desktop computer 🙂

You can do this using a file manager. I used the “root webserver” application to download some dll’s from my phone to my computer.
Just fire up a browser, or even a WMDC/USB connection, browse to \Applications\Install\*applicationid*\Install\, and take a look around. This is the place where your applications are actually stored.

So, when you’ve got your dll-files, open them in your decompiler!

Next, the real “hacking” begins. Take your time to examine the source code, and find a way to exploit it 😛
If you can write an application, you can read one as well 😉 (reading is not always easier than writing 😉 )

You’re looking for a boolean value, or a method you can bypass, or something you don’t like that you want to disable (or want to enable!).

In our example we find the method istrial(), which pretty much says it all…
You’ll notice the code is a bit obfuscated, again to make it a bit harder for you, with things like hash sums, dynamic memory allocation, … I’ll blog about this subject later 😉

If we let this function always return “true”, we’re done already.

Now comes the biggest challenge: making it actually work. The “easy” method described above definitely won’t work in all cases. Most of the time there are more functions and checks you’ll need to bypass.

Maybe in another part of the dll there’s a piece of code checking the date. You can adjust that specific call, always returning a day in 2017.
Or even funnier, maybe there is a config file with a boolean “istrial”, and you can change it to “false”, and you’re done as well.
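To show what these two patterns look like from the developer’s side, here is an added example (my own code, not from the original post or any particular app): a trial gate that caches its verdict in a settings file, next to one that asks the platform every time and never persists the answer. It assumes the real WP7 SDK types Microsoft.Phone.Marketplace.LicenseInformation and System.IO.IsolatedStorage.IsolatedStorageSettings; the TrialGate class and the "istrial" settings key are names I made up for the illustration.

```csharp
// Added example, not code from the original post. Assumes the WP7 SDK
// (Microsoft.Phone.Marketplace.LicenseInformation, IsolatedStorageSettings).
using System;
using System.IO.IsolatedStorage;
using System.Windows;
using Microsoft.Phone.Marketplace;

public static class TrialGate   // hypothetical class name
{
    // Weak pattern: the marketplace answer is cached on first run.
    // Once a "false" has been written under this key (by anyone with file
    // access to the phone), the app never asks the marketplace again.
    private const string TrialKey = "istrial";   // constructed settings key

    public static bool IsTrialCached()
    {
        IsolatedStorageSettings settings = IsolatedStorageSettings.ApplicationSettings;
        if (!settings.Contains(TrialKey))
        {
            settings[TrialKey] = new LicenseInformation().IsTrial();
            settings.Save();
        }
        return (bool)settings[TrialKey];
    }

    // Better pattern: ask the platform every time the decision matters and
    // never persist the verdict. The decision still lives in one boolean
    // inside the assembly, which is exactly what the post looks for, so
    // this raises the bar only slightly; it just removes the config-file shortcut.
    public static bool IsTrialLive()
    {
        return new LicenseInformation().IsTrial();
    }

    // Gate a premium feature on the live check. Returns whether it ran.
    public static bool TryRunPremium(Action premiumFeature)
    {
        if (IsTrialLive())
        {
            MessageBox.Show("This feature is only available in the full version.");
            return false;
        }
        premiumFeature();
        return true;
    }
}
```

The lesson for a developer reading the post is that both variants trust the phone: the cached one can be defeated by editing a file, the live one by the dll patch described above, so a trial boolean is a convenience for honest users rather than a protection.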

Be creative!

To wrap up: you decompile the dll completely, open the result in visual studio, change the stupid line to always return the boolean value “true”, compile the new dll and put that back onto your phone!

This post only describes a very basic technique in .net for wp7, but at least it gives you an idea how to start exploring the wonderful world of reverse engineering, and you can go WAY deeper. Start googling software instrumentation (extremely cool technique), disassemblers (bypass loops in x86 assembly code), debuggers, hex editors and you’ll probably never stop reading.

Maybe I’ll write something about reverse engineering pc apps as well 🙂
