Windows 8 jailbreak in detail


[preparation knowledge]

When jailbreaking is mentioned, most people think of iOS; rooting Android belongs to the same class. A jailbreak generally consists of two steps:

1. Find a vulnerability and escalate control of the device to root.

2. Defeat the digital-signature check on installed applications, so that applications from outside the official store can be installed.

Windows 8 has just been released and is the first Windows with an app store. A user who has installed Win8 already holds administrator rights, so the jailbreak here is only the second step.

[Principle]

Under Win8 there are only two normal ways to install an application for the new Metro interface:

1. Register a Microsoft account and download the app from the official Windows Store.

2. Install Visual Studio 2012 and deploy the app from it, which is meant only for local debugging.

Beyond these there are actually two other routes. The first is to register a Microsoft developer account, after which uncertified applications can be installed. Some "jailbreak" tools released a while ago, Win8 Optimization Master for example, work this way: they upgrade the Store account to a developer account.

But this route has a fatal drawback: it is unrealistic for every user to register as a developer. Developer accounts are currently easy to obtain and free, but one day Microsoft may follow Apple and charge 100 dollars a year, and it can close this door whenever it likes.

So at this stage only one route is left:

Microsoft provides a feature in Windows 8 Enterprise called "sideloading" that lets users install applications freely. It requires the following two conditions:

1. Enable "Allow all trusted apps to install" in the registry or Group Policy. (The registry location is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx; set the AllowAllTrustedApps value there to 1.)

2. Join the computer to a domain. That domain must hold an activation key for the sideloading feature (the key can also be installed locally).

The first condition is trivial, so the rest of this article deals with the second one; read on.
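The two conditions above can be verified (and the first one set) from PowerShell. The script below is an added example, not code from the original article or from any tool it mentions; the function names are its own, and it uses only cmdlets built into Windows 8.

```powershell
# Added example (not code from the original article): check, and optionally set, the two
# sideloading prerequisites on a Windows 8 machine. Uses only built-in cmdlets; run the
# Enable- function from an elevated prompt. Function names are this example's own.

$AppxPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Test-SideloadingPrerequisites {
    $result = [ordered]@{}

    # Condition 1: AllowAllTrustedApps (DWORD) = 1 under the Appx policy key.
    $value = $null
    if (Test-Path $AppxPolicyKey) {
        $value = (Get-ItemProperty -Path $AppxPolicyKey -Name AllowAllTrustedApps `
                  -ErrorAction SilentlyContinue).AllowAllTrustedApps
    }
    $result.AllowAllTrustedApps = ($value -eq 1)

    # Condition 2: domain membership. This is the check the Store-service hook described
    # in the article spoofs; a genuinely joined machine reports PartOfDomain = True.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain
    $result.Domain       = $cs.Domain

    # Sideloading through domain join is an Enterprise feature; other editions need a
    # sideloading product key instead.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $result.Edition      = $os.Caption
    $result.IsEnterprise = ($os.Caption -match 'Enterprise')

    $result.Ready = $result.AllowAllTrustedApps -and $result.DomainJoined -and $result.IsEnterprise
    return [pscustomobject]$result
}

function Enable-AllowAllTrustedApps {
    # Same effect as the Group Policy setting "Allow all trusted apps to install".
    if (-not (Test-Path $AppxPolicyKey)) { New-Item -Path $AppxPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $AppxPolicyKey -Name AllowAllTrustedApps -Value 1 -Type DWord
}

Test-SideloadingPrerequisites | Format-List
```

If Ready comes back False with only DomainJoined failing, you are in exactly the situation the rest of the article addresses.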

[Cracking process]

kost's method is to hook the Windows Store service (WSService) so that it believes the computer has joined a valid domain, which achieves the jailbreak. He provides a wsservice_crk.dll file that runs in the background as a service registered in the LocalServiceAndNoImpersonation svchost group.
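Because the crack lives as a DLL inside a svchost service group, the same fact that makes it work is what lets an administrator spot it. The script below is an added example, not code from the original article or from kost's tool: it enumerates the services in the LocalServiceAndNoImpersonation group, resolves each one's ServiceDll and flags any DLL that does not carry a valid Microsoft Authenticode signature. The service name that wsservice_crk.dll registers under is not stated on this page, so the script does not search by name.

```powershell
# Added example (not code from the original article or from kost's tool): list every
# service hosted in the LocalServiceAndNoImpersonation svchost group together with the
# DLL it loads, and flag DLLs that do not carry a valid Microsoft Authenticode signature.
# The service name wsservice_crk.dll registers under is not known to this script, so it
# flags by signature rather than by name. Run as administrator for full registry access.

function Get-SvchostGroupDll {
    param([string]$Group = 'LocalServiceAndNoImpersonation')

    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members  = (Get-ItemProperty -Path $groupKey -Name $Group -ErrorAction Stop).$Group

    foreach ($svc in $members) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }   # not installed on this machine, or no ServiceDll set

        $path   = [Environment]::ExpandEnvironmentVariables($dll)
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $msSigned = ($status -eq 'Valid') -and ($signer -like '*Microsoft*')

        [pscustomobject]@{
            Service    = $svc
            ServiceDll = $path
            Status     = $status
            Signer     = $signer
            Suspicious = -not $msSigned
        }
    }
}

# Anything flagged here deserves a look. On PowerShell 3.0, in-box DLLs that are
# catalog-signed rather than embedded-signed also show as NotSigned, so compare the
# output against a clean Windows 8 machine before treating a hit as the crack service.
Get-SvchostGroupDll | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

The same approach generalises to any svchost group: pass a different group name to Get-SvchostGroupDll.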

With that in place applications can be installed, but where do the packages come from? Someone has to download an app first, repackage ("crack") it, and then publish it. iOS users know this routine well.

To publish a package yourself you need four tools: makeappx, signtool, makecert and pvk2pfx (all four ship with the Windows 8 SDK). Their usage is described below.

First download and install the app from the Store (annoyingly, you do have to install it yourself). All apps are installed under C:\Program Files\WindowsApps. Note: you must first enable showing hidden files, then take ownership of the directory and grant yourself permission before you can open it.

Copy the entire directory of the application you want to repackage (directory names are the package full names; if you are not sure which one is which, look at the application name inside, for example in its AppxManifest.xml). Then delete the hidden microsoft.system.package.metadata subdirectory.

Step one: you need a root certificate. Use the tools makecert and pvk2pfx:

makecert -r -pe -n "CN=microsoft" -a sha256 -cy end -sky exchange -b <certificate start date> -e <certificate expiration date> -sv <filename>.pvk <filename>.cer

In "CN=microsoft", microsoft is the certificate subject (the issuer too, since the certificate is self-signed); you can choose any name, but it must match the Publisher you will put into the manifest later. The two file names must be identical and are also your choice. After you press Enter a dialog asks for the private-key password: set it, confirm it, then enter it once more. Choose one you can remember, it is needed below. When it finishes you have a .pvk and a .cer file.

pvk2pfx -pvk <filename>.pvk -spc <filename>.cer -pfx <filename>.pfx -pi <pvk password just entered>

The resulting .pfx file is the root certificate you want, private key included. Guard it: anything signed with it will be trusted by every machine that trusts the .cer.

Step two: package the program directory.

Before packaging, edit AppxManifest.xml in the program folder: change the Publisher attribute of the Identity element to "CN=<the subject you gave the certificate>" (it must match exactly, otherwise signing fails), save, then open cmd in the directory where MakeAppx lives:

MakeAppx.exe pack /d <source folder full path> /p <generated Package path and file name >

The generated package file name must end in .appx.

Since an appx package must be digitally signed before it can be installed, sign the package with the root certificate you just created:

signtool sign /v /a /fd SHA256 /p <pfx password> /f <Certificate Path and File Name> <Package Path and File Name>

Step three: once the package is signed, open PowerShell as administrator and run:

Add-AppxPackage <package path and file name>

Add-AppxPackage only accepts a signature that chains to a trusted root, so if it fails with error 0x800B0109 import the .cer into the local machine's Trusted Root (or Trusted People) store first. When the progress bar finishes, open your Start screen: congratulations, the installation is complete!
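The three steps above, driven from PowerShell rather than typed one tool at a time. This is an added example and not the article's or kost's tool. It assumes makecert, pvk2pfx, makeappx and signtool from the Windows 8 SDK are on PATH, that -Source is an app directory already copied out of WindowsApps with its microsoft.system.package.metadata folder removed, and that the sideloading conditions are already satisfied. The -eku code-signing purpose added to makecert follows Microsoft's own package-signing recipe; the sample directory name, function names and default password are this example's own.

```powershell
# Added example (not the article's or kost's tool): the three steps above as a single
# PowerShell script. Assumes makecert, pvk2pfx, makeappx and signtool from the Windows 8 SDK
# are on PATH, that -Source is the app directory already copied out of WindowsApps with its
# microsoft.system.package.metadata folder removed, and that the sideloading conditions
# (policy value, domain join or the hook service) are already in place. Run elevated.
param(
    [Parameter(Mandatory = $true)][string]$Source,   # e.g. C:\work\Contoso.App_1.0.0.0_x64__abc123 (hypothetical)
    [Parameter(Mandatory = $true)][string]$OutDir,   # receives the certificate files and the .appx
    [string]$Subject     = 'CN=microsoft',           # certificate subject, must equal Identity/@Publisher
    [string]$PvkPassword = 'changeme'                # password for the .pvk/.pfx; assumption
)
$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Native tools do not throw; turn a non-zero exit code into a terminating error.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function New-SideloadCert {
    # Step 1: self-signed certificate (.pvk + .cer), then a .pfx bundling the private key.
    param([string]$Subject, [string]$Dir, [string]$Name, [string]$Password)
    $pvk = Join-Path $Dir "$Name.pvk"; $cer = Join-Path $Dir "$Name.cer"; $pfx = Join-Path $Dir "$Name.pfx"
    $start = (Get-Date).ToString('MM/dd/yyyy')
    $end   = (Get-Date).AddYears(5).ToString('MM/dd/yyyy')
    # makecert asks for the private-key password in a dialog; there is no switch for it.
    # -eku adds the code-signing purpose that Microsoft's package-signing docs use.
    Invoke-Tool makecert @('-r','-pe','-n',$Subject,'-a','sha256','-cy','end','-sky','exchange',
                           '-eku','1.3.6.1.5.5.7.3.3','-b',$start,'-e',$end,'-sv',$pvk,$cer)
    Invoke-Tool pvk2pfx @('-pvk',$pvk,'-spc',$cer,'-pfx',$pfx,'-pi',$Password)
    return @{ Cer = $cer; Pfx = $pfx }
}

function Set-AppxPublisher {
    # Step 2a: Identity/@Publisher must match the signing certificate's subject exactly,
    # otherwise signtool rejects the package.
    param([string]$Source, [string]$Subject)
    $manifestPath = (Resolve-Path (Join-Path $Source 'AppxManifest.xml')).Path
    [xml]$manifest = Get-Content -Path $manifestPath
    $manifest.Package.Identity.Publisher = $Subject
    $manifest.Save($manifestPath)
}

function New-SignedAppx {
    # Step 2b: pack the directory (/o overwrites an existing file) and sign with a SHA256 file digest.
    param([string]$Source, [string]$Appx, [string]$Pfx, [string]$Password)
    Invoke-Tool makeappx @('pack','/d',$Source,'/p',$Appx,'/o')
    Invoke-Tool signtool @('sign','/v','/fd','SHA256','/f',$Pfx,'/p',$Password,$Appx)
}

function Install-SideloadedAppx {
    # Step 3: Add-AppxPackage only accepts a signature that chains to a trusted root
    # (otherwise it fails with 0x800B0109), so the self-signed .cer goes into the
    # machine's Trusted Root store first. That makes this key trusted for anything
    # on this machine, so keep the .pfx private.
    param([string]$Appx, [string]$Cer)
    Import-Certificate -FilePath $Cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Add-AppxPackage -Path $Appx
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cert = New-SideloadCert -Subject $Subject -Dir $OutDir -Name 'sideload' -Password $PvkPassword
Set-AppxPublisher -Source $Source -Subject $Subject
$appx = Join-Path $OutDir ((Split-Path $Source -Leaf) + '.appx')
New-SignedAppx -Source $Source -Appx $appx -Pfx $cert.Pfx -Password $PvkPassword
Install-SideloadedAppx -Appx $appx -Cer $cert.Cer
Get-AppxPackage | Where-Object { $_.Publisher -eq $Subject } | Select-Object Name, Version, PackageFullName
```

Save it as, say, Repack-Appx.ps1 and run it from an elevated PowerShell with -Source and -OutDir; the final Get-AppxPackage line confirms the package is registered under your publisher. Keep the .pfx out of the package directory, otherwise it ends up inside the .appx you publish.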

[What can I do after jailbreaking]

1. Install paid apps. The Windows Store currently has very little software, and even fewer good paid apps. Cracking them is outside the scope of this article; I will write up the principle and process when I have time. kost provides a TokensExtractor tool for cracking paid apps, and a cracked package can be passed on to others, although so far nobody seems to have published any online.

2. Offline installation packages. The Windows Store is painfully slow to reach from China, and in some places you even have to change your DNS just to open it, so offline installation is definitely the first choice for Chinese users.

3. Install applications you or others developed that have not passed Microsoft's certification (to hell with the evil review process!).

[Finally, the tool I wrote]

The general public likes one-click tools, so to be helpful I have packed the above process into a few small buttons. To stop everyone from getting lazy, installing apps still goes through the commands above (don't throw rotten eggs):

Note: only 64-bit Windows 8 Enterprise is supported; 32-bit will be added later. The options let you set the name of the background crack service and your own certificate details; a certificate file is bundled in the certificate directory. You must right-click it and run as administrator.

[A few more words, looking to the future]

Copyright © Windows knowledge All Rights Reserved