great app can i also download appx from tokenextractor? when i download from "dig appx" it says me access denied
no "Here is your url. Copy-paste it in your favourite browser and download will start. URL is temporary and available only for short time window." it means that i have to paste the url in the brower. and it says me "fck u. i'll never let you download my apps. With love, MS team" I made something wrong but i don't know what
You must ensure windows store client has started downloading. It it has - you can copy-paste URL and download will start.
re Yea dude, im talking about content that you unlock by buying, I mean it's not an update, it's a bare DLC
WARBIRD was broken I'm happy to inform you - I have finally broken WARBIRD spp query system. Not all now, but at least encryption/decryption of NtSetSystemInformation(134,...) Updated version of WSServiceCrk 1.4.0 can sideload apps not signed by MS on ANY edition of win8/2012. Some words about what WARBIRD is. In earlier versions of windows SPP policy values were queried by user mode processes directly through special API. ntdll!NtQueryLicenseValue slc!SLGetWindowsInformation These calls are relatively easy to intercept and fake. In win8/2012 MS created another path - through obfuscrated queries. 1) User mode process prepare encrypted query and pass it to NtSetSystemInformation(134,...) Construction and encryption of data blocks is done in heavy template-expanded functions. Its hard to analyze them. MS also made encryption algorithms in those functions randomly generated. Notepad, Calc, WSService have different cryptors. Query block also contain additional encoded information about transforms and constants used in query data encryption and same thing to be used for encrypting response (they are different !). 2) Flow goes to kernel function. Its also very huge - even bigger than in user mode. It decrypts quiry, executes command encoded in the query, constructs and encrypts response and returns it to the caller. One of known commands - Query Policy Value. I noticed a few more commands. Currently I have only guesses what they do. They are somehow related to licensing of metro apps. When you see "X" on app tile because of bad license - its not just registry magic. Protection system goes to kernel directly ! 3) Caller decrypts response and acts according to the returned data. The thing I discovered is only beginning. It goes to software protection platform. If we dig deeper many interesting things will be revealed. May be about windows activation. WSService has lots of SPPSVC derived code. WSServiceCrk source now contain complete and working universal decryptor/encryptor for warbird queries. I ask you to test sideloading on non-enterprise win8's Try to sideload pyro.appx from release/sideloading/sample
Nice, some people just have too much free time. Is "warbird" the internal name for that encryption scheme and how do you know or do you just call it like that? EDIT: Ok, this answers my question: Being able to spoof NtSetSystemInformation license responses to all user-mode processes should be a nice way to circumvent Windows activation since the only restrictions with a non-activated copy are the restrictions in Explorer, systemsettings.exe etc. and those use exactly that query mechanism iirc. Right?
Warbird name comes from PDB files of notepad, calc .. etc. I'm not sure if its'all called warbird but this name talks for itself Not sure if just spoofing policy values will remove all side effects of having unactivated windows - but some of them - definitely. What I discovered - kernel have local cache of policy values in its RAM. On boot it reads them from ProductOptions key. Then local cache is used to serve queries. Sppsvc talks with kernel through \Device\SPDevice. I looked what is sent there. Huge language. Many commands and data arguments, all encrypted. May be warbird-like scheme, have'nt dug there. I know sppsvc can change PolicyValue cache in kernel RAM through these queries. Kernel also saves changed values to ProductPolicy registry key. I guess similar scheme is used to maintain licensing state of APPx packages. I'll try to discover. I'm very interested WHERE "X" or not "X" state is stored. May be then i'll write tool for enabling all installed metro appx with or without license. Only WSService know about licenses - kernel doesnt. Kernel do what WSService commands. Just need to understand what is set to NtSetSystemInformation in other queries than "Query Policy Value"
v1.4.1 1.4.1 Some code refactorings : Warbird error handling rewritten with exceptions. Tons of ifs gone. Code is easily readable. Hooking/unhooking API in wsservice_crk uses defines. Repeating code fragments gone. Verbose DbgLogging : hexdumping of NtSetSystemInformation(134) and stringdumping of BCryptHashData. Now its possible to analyze wsservice calls with comfort in sysinternals DebugView. Added warbird query format description and sample captures.
Visual Studio kost, this is great work! I tested the pyro appx and it works great. But I want to test the Visual Studio and for some reason I cannot get the dev license. I get this message: With this code below: Code: at Microsoft.Expression.HostUtility.Platform.AppContainerProcessDomainFactory.CreateDesignerProcess(String applicationPath, String clientPort, Uri hostUri, IDictionary environmentVariables, Int32& processId, Object& processData) at Microsoft.Expression.DesignHost.Isolation.Primitives.ProcessDomainFactory.ProcessIsolationDomain..ctor(ProcessDomainFactory factory, IIsolationBoundary boundary, AppDomainSetup appDomainInfo, FrameworkName targetFramework, String identifier, String baseDirectory) at Microsoft.Expression.DesignHost.Isolation.Primitives.ProcessDomainFactory.CreateIsolationDomain(IIsolationBoundary boundary) at Microsoft.Expression.HostUtility.Platform.AppContainerProcessDomainFactory.CreateIsolationDomain(IIsolationBoundary boundary) at Microsoft.Expression.DesignHost.Isolation.Primitives.IsolationBoundary.Initialize() at Microsoft.Expression.DesignHost.Isolation.Primitives.IsolationBoundary.CreateInstance[T](Type type) at Microsoft.Expression.DesignHost.Isolation.IsolatedExportProvider.Initialize() at Microsoft.VisualStudio.ExpressionHost.Services.VSIsolationService.CreateExportProvider(IIsolationTarget isolationTarget, ICatalogFactory catalogFactory, IExportFilter filter) at Microsoft.Expression.DesignHost.Isolation.IsolationService.CreateLease(IIsolationTarget isolationTarget) at Microsoft.Expression.DesignHost.IsolatedDesignerService.CreateLease(IIsolationTarget isolationTarget, CancellationToken cancelToken, DesignerServiceEntry& entry) at Microsoft.Expression.DesignHost.IsolatedDesignerService.IsolatedDesignerView.CreateDesignerViewInfo(CancellationToken cancelToken) at Microsoft.Expression.DesignHost.Isolation.IsolatedTaskScheduler.InvokeWithCulture[T](CultureInfo culture, Func`2 func, CancellationToken cancelToken) at Microsoft.Expression.DesignHost.Isolation.IsolatedTaskScheduler.<>c__DisplayClassa`1.<StartTask>b__6() at System.Threading.Tasks.Task`1.InnerInvoke() at System.Threading.Tasks.Task.Execute() In DebugView I have this lines: Code: [7108] SHIMVIEW: ShimInfo(Complete) [5344] [WsServiceCrk] wsservice.dll appeared [5344] [WsServiceCrk] starting hooking API [5344] [WsServiceCrk] hookedDsRoleGetPrimaryDomainInformation [5344] [WsServiceCrk] hookedBCryptHashData [5344] [WsServiceCrk] hookedBCryptVerifySignature I see this message when I open the MainPage.xaml on a new project in design view. I am still able to write in code view, and compile, but I cannot deploy or debug from VS menu. Using cmd shell, I can use msdeploy and create appx package and then add it to start menu. The app will work, but this ruin my experience as a noob. Do you have any suggestions for this? Even if you can't help with this program, thanks you!
Visual studo is hardcoded for using devlicense functionality. I guess there's no way to make it use other ways of deploying apps.
first of all great work kost!!!! congrats buddy! just one question......i could just convert trials to full versions (not all, but most of the apps), is there a way to get full version apps that are buy only (no trial) ?
v1.4.2 1.4.2 Further wsservice code optimization. Fixed important bug in warbird code. Bug could result in invalid encryption/decryption. Warbird code : added support for comfortable artificial calling of NtSetSystemInformation(134). More precise info about warbird PolicyValueQuery chunk format. Fixed anchoring of some buttons in TokenExtractor. TokenExtractor : added text search capability.
Here kernel winstore protection system saves package state and some other info about packages : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FastCache\Packages\Table HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FastCache\FeatureLicenses\Table HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FastCache\ProductLicenses\Table HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FastCache\PackageOrigins\Table HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FastCache\Data\Volatile Kernel blocks user processes from writing there. Kernel know nothing about xml licenses but know about package origins (developer,sideloading,microsoft), licensing state (enabled/X), code signing requirements (if enabled - kernel check for tampering with app files using signature catalog file) Wsservice tells kernel this info and kernel updates its cache and registry values above. Communication goes through warbird system.
Kost, I tried this tool against Wordfeud, however it doesn't work. Tokensmanager sees it as a full app, however I can clearly see that it still shows ads. So what's next?
Wordfeud is listed as a free app in Windows Store, there is nothing to crack. You can only crack paid apps through this crack.