Tuesday, December 25, 2012

How to hack games from the Windows 8 store

Hi folks,

In this article I’ll share the results of ad-hoc security vulnerabilities research I’ve done on windows 8 apps deployment. Specifically, we’ll discuss fundamental design flaws that allow to Reverse Engineer Win8 apps, modification of installed apps and the negative implications on Intellectual Property rights protection, Licensing models and overall PC security. Finally we’ll discuss some creative ideas on how to mitigate these security issues. 

Meet the mother-load: C:\Program Files\Applications

All Windows 8 applications in the developer preview are installed under the clandestine C:\Program Files\Applications location. I will hazard a guess and say that once the Windows App Store goes online it will install all apps under that folder. Currently the folder is an invisible one and cannot be accessed from Windows Explorer user interface on a new Win8 developer preview install.

Here’s an example of some of the 29 apps Win8 apps installed on the Win8 developer preview:
Print screen of Windows 8 apps start screen

And here’s the hidden folder backing it up:
C:\Program Files\applications folder

Gaining Access to C:\Program Files\Applications

In essence you’ll need to navigate to that folder, hit “Security Tab” and set yourself up as the owner. Let me walk you through that process step-by-step.
1. Type in “C:\Program Files\Applications” in the Windows Explorer address bar and hit enter.
Typing in C:\Program Files\applications to the address bar
2. Observe in shock and dismay the system dialogue saying you don’t own a folder on your own machine. Hit “Continue”.
You don't have permission to access this folder dialogue
3. After hitting “Continue”, you’ll be confronted by the following dialogue:
you have been denied permission to access this folder dialogue
Do not hit “close”, instead click the “security tab” link.
4. In the following system dialogue click “advanced”.
Security tab for C:\Program Files\Applications 
5. Click the “change” link in the owner security field.
Advanced Security tab for C:\Program Files\Applications
6. Add in your live ID or windows 8 user name to the “select user or group” system dialogue.
Select user or group for C:\Program Files\Applications owner

7. Click “OK”, Click “OK”, Click “Ok”.
j owner of C:\Program Files\Applications

8. Type in “C:\Program Files\Applications” in the Windows Explorer address bar and hit enter. You now have access to the Applications folder.
C:\Program Files\Applications in Windows Explorer

What type of apps ship with Windows 8?

Looking at this folder it’s fairly easy to determine what type of apps ship with Windows 8 developer preview.
Windows 8 developer preview apps: 29 total, 5 C# XAML, 22 HTML, 2 C++

What’s in C:\Program Files\Applications?

For HTML apps the folder contains all of their source code and it can modified.
For C# apps the folder contains the XAML source code and a compiled reverse-engineerable and modifiable version of the C# code.
For C++ directX apps the folder contains compiled binaries.  Honestly, C++ isn’t my specialty so I’ll avoid discussing it at any great length.

Reverse Engineering HTML & Javscript & CSS Win8 apps

There’s a fundamental design flaw in the concept of HTML apps. HTML, Javascript and CSS are all interpreted languages, and not compiled languages. Meaning you have to ship the source code for your app instead of shipping compiled binaries. That puts the Intellectual Property of anyone choosing to write any HTML & JS & CSS only app for any platform under risk.

For example, here’s the HTML source code for the Tweet@rama Win8 app code:
Tweet@rama app folder with page source code in notepad

And here’s the tweet@rama Javascript code that does the actual posting to Twitter:
Tweet@rama app folder with page javascript source code in notepad

Modifying HTML & Javscript & CSS Win8 apps

Part of the problem with interpreted languages is that they don’t compile until the very instance they are executed. Which allows evil-doers to edit the code prior to execution.

For example, here’s a print screen of the tweet@rama default app;
Tweet@rama default visuals pre-modification
Let’s modify the HTML, Javascript and CSS for this application: (for the sake of brevity we’ll only walkthrough a simple HTML change)
Tweet@rama default.html with "Tweet@rama" title

Tweet@rama default.html with "Tweet@rama, Justin Angel Edition" title

By modifying the HTML & CSS & Javascript source code we can change the visual design to something a bit more visually pleasing:
 Tweet@rama Justinified visuals post-modification
Notice that we’ve changed both the design and behaviour of the app by modifying the source code. The new design has a different title, and the new behaviour is using the picture of the logged in user as the background. We have the power to completely change both the visual design and the executing source code of HTML & CSS & JS win8 apps.

New breed of viruses?

Any unauthorized malware that gains access to C:\Program Files\Applications could potentially modify source code to execute in malicious ways. Since this is the direction Win8 apps are taking writing this type of viruses is likely to become a growth industry.
For example we could look at the tweet@rama app once again. The most valuable asset that app has is our twitter oauth credentials. A virus would be able to modify the tweet@rama source code so once it executes it retrieves those credentials and sends those to a malicious remote endpoint. The following code interjected into the Javascript code of tweet@rama would do just that:
source code to get Tweet@rama's oatu credentials sent to a remote server

New breed of cracks?

Any unauthorized executable that gains access to C:\Program Files\Applications could potentially modify source code to workaround Windows Store app purchasing and licensing logic. The whole concept of Trials and feature purchases are based on Javascript, C# or C++ code invoking Windows 8 RuntimeTime APIs for the Windows Store. Any change to that code could potentially change the purchasing and licensing logic for that app.
For example, In BUILD conference Microsoft’s Arik Cohen demonstrated (35:25) the following code that performs a Javascript check for isTrial.
It would be a trivial endavour to manually edit this Javascript file and remove the “licenseInformation.isTrial” check. And by doing so removing Trial restrictions from this sample Win8 app. 
If this set of problems are not mitigated, app piracy through app modification for Windows Store apps will likely become quite prevalent.

Reverse Engineering C# + XAML Win8 apps

C# code is shipped in compiled EXE & DLL binaries. XAML is shipped as plain text source code. That makes both forms of code extremely susceptible to reverse engineering.
C# memories app folder

For example, we could open up the “Memories” (C# WinRT XAML app) MainPage.xaml in KaXaml and see the XAML source code:

Memories MainPage.xaml source code

Using JetBrains dotPeek it would be possible to see the C# source code for the Memories app:

dotPeek reverse engineering MainViewModel for Memories app

Modifying C# + XAML Win8 apps

The XAML for Win8 apps is stored in plain-text and can be edited from any text editing tool. The .net binaries are unsigned and thus can be edit using the MSIL Weaving tool Reflexil.

For example, here’s the “Memories” C# XAML app shipping with Windows 8 developer preview:
default visuals for memories app pre-modification

Editing the XAML is fairly trivial since it’s stored as a plain text file:
Default XAML for AlbumsView memories XAML
Modified AlbumsView.xaml file

Editing C# can be done using Reflector’s Reflxil MSIL Editor:
Editing Memories MSIL with Reflxil
Editing hardcoded text in C#

With some light modifications to the XAML and C# code we can change the display and behaviour of the app:
Memories app with XAML and C# modifications

Reverse Engineering C++ Win8 apps

I’ll confess to not being a strong C++ developer (gasp!) so I’ll keep this brief by showing C++ apps are also susceptible to reverse engineering. It appears that Microsoft’s Store app is written in C++. The most important asset that app would have are the endpoints for the Microsoft store. Opening the C:\Windows\System32\WinStore\WinStoreUI.dll in notepad and searching for “https” addresses reveals the following URL:

WinStoreUI.dll opened up in Notepad with a URL highlighted

Following the http://go.microsoft.com/fwlink/?LinkId=195322&clcid=0x409 URL leads to a currently inactive URL ofhttps://services.apps.microsoft.com/browse. I would hazard a guess that this is the URL currently being used to test the Windows App Store.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.