
How to hack games from the Windows 8 store


Hi folks,

In this article I’ll share the results of some ad-hoc security vulnerability research I’ve done on Windows 8 app deployment. Specifically, we’ll discuss fundamental design flaws that allow Win8 apps to be reverse engineered and installed apps to be modified, and the negative implications for intellectual property protection, licensing models and overall PC security. Finally we’ll discuss some creative ideas on how to mitigate these security issues.

Meet the mother lode: C:\Program Files\Applications

All Windows 8 applications in the developer preview are installed under the clandestine C:\Program Files\Applications location. I will hazard a guess and say that once the Windows App Store goes online it will install all apps under that folder. Currently the folder is hidden and cannot be accessed from the Windows Explorer user interface on a fresh Win8 developer preview install.

Here’s an example of some of the 29 Win8 apps installed on the Win8 developer preview:
Print screen of Windows 8 apps start screen

And here’s the hidden folder backing it up:
C:\Program Files\applications folder

Gaining Access to C:\Program Files\Applications

In essence you’ll need to navigate to that folder, hit “Security Tab” and set yourself up as the owner. Let me walk you through that process step-by-step.
1. Type in “C:\Program Files\Applications” in the Windows Explorer address bar and hit enter.
Typing in C:\Program Files\applications to the address bar
2. Observe in shock and dismay the system dialogue saying you don’t own a folder on your own machine. Hit “Continue”.
You don't have permission to access this folder dialogue
3. After hitting “Continue”, you’ll be confronted by the following dialogue:
you have been denied permission to access this folder dialogue
Do not hit “close”, instead click the “security tab” link.
4. In the following system dialogue click “advanced”.
Security tab for C:\Program Files\Applications 
5. Click the “change” link in the owner security field.
Advanced Security tab for C:\Program Files\Applications
6. Add your Live ID or Windows 8 user name in the “select user or group” system dialogue.
Select user or group for C:\Program Files\Applications owner

7. Click “OK”, Click “OK”, Click “Ok”.
Your user account shown as owner of C:\Program Files\Applications

8. Type in “C:\Program Files\Applications” in the Windows Explorer address bar and hit enter. You now have access to the Applications folder.
C:\Program Files\Applications in Windows Explorer
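The walkthrough above changes the owner of the app install folder by hand. The script below is an added example (not part of the original post) that audits the same thing from an elevated PowerShell prompt: it reports who currently owns the folder and which principals hold write-capable rights on it, so a changed owner or an unexpected Allow entry stands out. The folder path is the one named in the post; the expected owner of `NT SERVICE\TrustedInstaller` is an assumption about an untouched install and should be adjusted to what your build actually shows.

```powershell
# Added example, not from the original post. Run from an elevated prompt:
# reading the security descriptor of this folder fails for a plain user.
param(
    [string]$Path = 'C:\Program Files\Applications',
    # Assumed default owner on an untouched install; verify on your own build.
    [string]$ExpectedOwner = 'NT SERVICE\TrustedInstaller'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Folder not found: $Path"
    return
}

$acl = Get-Acl -LiteralPath $Path
$owner = $acl.Owner

if ($owner -ne $ExpectedOwner) {
    Write-Warning "Owner of '$Path' is '$owner' (expected '$ExpectedOwner'); ownership may have been taken."
} else {
    Write-Output "Owner of '$Path' is '$owner' as expected."
}

# Rights that let a principal change app files in place.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

Write-Output "Allow entries with write-capable rights on '$Path':"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Save it as, say, `Audit-AppFolderAcl.ps1` and run it with no arguments to check the default location, or pass `-Path` to point it at a single app folder. Any interactive user account listed as owner, or appearing in the Allow table with Modify or FullControl, means the protection the post describes has already been removed on that machine.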

What type of apps ship with Windows 8?

Looking at this folder it’s fairly easy to determine what type of apps ship with Windows 8 developer preview.
Windows 8 developer preview apps: 29 total, 5 C# XAML, 22 HTML, 2 C++

What’s in C:\Program Files\Applications?

For HTML apps the folder contains all of their source code, and it can be modified.
For C# apps the folder contains the XAML source code and a compiled version of the C# code that can be reverse engineered and modified.
For C++ DirectX apps the folder contains compiled binaries. Honestly, C++ isn’t my specialty so I’ll avoid discussing it at any great length.

Reverse Engineering HTML & JavaScript & CSS Win8 apps

There’s a fundamental design flaw in the concept of HTML apps. HTML, JavaScript and CSS are all interpreted languages, not compiled languages, meaning you have to ship the source code for your app instead of shipping compiled binaries. That puts the intellectual property of anyone choosing to write an HTML & JS & CSS only app for any platform at risk.

For example, here’s the HTML source code for the Tweet@rama Win8 app code:
Tweet@rama app folder with page source code in notepad

And here’s the Tweet@rama JavaScript code that does the actual posting to Twitter:
Tweet@rama app folder with page javascript source code in notepad

Modifying HTML & JavaScript & CSS Win8 apps

Part of the problem with interpreted languages is that they aren’t compiled until the very instant they are executed, which allows evil-doers to edit the code prior to execution.

For example, here’s a print screen of the default Tweet@rama app:
Tweet@rama default visuals pre-modification
Let’s modify the HTML, JavaScript and CSS for this application (for the sake of brevity we’ll only walk through a simple HTML change):
Tweet@rama default.html with "Tweet@rama" title

Tweet@rama default.html with "Tweet@rama, Justin Angel Edition" title

By modifying the HTML & CSS & JavaScript source code we can change the visual design to something a bit more visually pleasing:
Tweet@rama Justinified visuals post-modification
Notice that we’ve changed both the design and the behaviour of the app by modifying the source code. The new design has a different title, and the new behaviour uses the picture of the logged-in user as the background. We have the power to completely change both the visual design and the executing source code of HTML & CSS & JS Win8 apps.

New breed of viruses?

Any unauthorized malware that gains access to C:\Program Files\Applications could potentially modify source code so that it executes in malicious ways. Since this is the direction Win8 apps are taking, writing this type of virus is likely to become a growth industry.
For example, we could look at the Tweet@rama app once again. The most valuable asset that app has is our Twitter OAuth credentials. A virus would be able to modify the Tweet@rama source code so that once it executes it retrieves those credentials and sends them to a malicious remote endpoint. The following code injected into the JavaScript of Tweet@rama would do just that:
Source code to get Tweet@rama's OAuth credentials sent to a remote server
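Both the manual edits in the previous section and the hypothetical virus here have the same footprint: files under the app folder change after installation. The script below is an added example (not part of the original post) of the check a defender would want against that: it builds a SHA-256 baseline of every file under an app folder and later re-verifies it, reporting files that were modified, added or removed. The app folder path is a placeholder to be replaced with a real folder name from C:\Program Files\Applications, the baseline file location is my own choice, and it assumes an elevated prompt because the folder is access-restricted.

```powershell
# Added example, not from the original post. Usage:
#   .\Check-AppIntegrity.ps1 -Mode Baseline -AppPath 'C:\Program Files\Applications\<AppFolder>'
#   .\Check-AppIntegrity.ps1 -Mode Verify   -AppPath 'C:\Program Files\Applications\<AppFolder>'
param(
    [Parameter(Mandatory=$true)][ValidateSet('Baseline','Verify')][string]$Mode,
    # Placeholder: substitute the real app folder name.
    [string]$AppPath = 'C:\Program Files\Applications\<AppFolder>',
    [string]$BaselineFile = "$env:USERPROFILE\app-baseline.csv"
)

# Returns a hashtable of relative path -> SHA-256 hex digest for every file under $Root.
function Get-FolderHashes {
    param([string]$Root)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $result = @{}
    $rootLen = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try {
            $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Dispose()
        }
        $result[$_.FullName.Substring($rootLen)] = $hash
    }
    return $result
}

if (-not (Test-Path -LiteralPath $AppPath)) {
    Write-Warning "App folder not found: $AppPath"
    return
}

$current = Get-FolderHashes -Root $AppPath

if ($Mode -eq 'Baseline') {
    # Record the known-good state right after installation.
    $current.GetEnumerator() |
        Sort-Object Key |
        ForEach-Object { [pscustomobject]@{ Path = $_.Key; Hash = $_.Value } } |
        Export-Csv -Path $BaselineFile -NoTypeInformation
    Write-Output "Baseline of $($current.Count) files written to $BaselineFile"
    return
}

# Verify mode: compare the live folder against the recorded baseline.
$baseline = @{}
Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Hash }

$findings = @()
foreach ($path in $baseline.Keys) {
    if (-not $current.ContainsKey($path))         { $findings += "REMOVED  $path" }
    elseif ($current[$path] -ne $baseline[$path]) { $findings += "MODIFIED $path" }
}
foreach ($path in $current.Keys) {
    if (-not $baseline.ContainsKey($path))        { $findings += "ADDED    $path" }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: all $($current.Count) files under '$AppPath' match the baseline."
} else {
    Write-Warning "$($findings.Count) integrity finding(s) under '$AppPath'"
    $findings | Sort-Object | Write-Output
}
```

The baseline only has value if it is taken before anyone else could write to the folder and stored somewhere the app folder's own ACL does not cover, since an attacker who can edit default.js can just as easily edit a baseline kept next to it. A modified JavaScript or XAML file shows up as MODIFIED, and an injected script or DLL as ADDED; a legitimate app update will naturally show the same, so the baseline has to be re-taken after each trusted install.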

New breed of cracks?

Any unauthorized executable that gains access to C:\Program Files\Applications could potentially modify source code to work around Windows Store app purchasing and licensing logic. The whole concept of trials and feature purchases is based on JavaScript, C# or C++ code invoking Windows 8 Runtime APIs for the Windows Store. Any change to that code could potentially change the purchasing and licensing logic for that app.
For example, at the BUILD conference Microsoft’s Arik Cohen demonstrated (35:25) the following code that performs a JavaScript check for isTrial.
Screenshot of the JavaScript isTrial check from the BUILD session
It would be a trivial endeavour to manually edit this JavaScript file and remove the “licenseInformation.isTrial” check, and by doing so remove the trial restrictions from this sample Win8 app.
If this set of problems is not mitigated, app piracy through app modification will likely become quite prevalent for Windows Store apps.


Reverse Engineering C# + XAML Win8 apps

C# code is shipped in compiled EXE & DLL binaries. XAML is shipped as plain text source code. That makes both forms of code extremely susceptible to reverse engineering.
C# memories app folder

For example, we could open up the “Memories” (C# WinRT XAML app) MainPage.xaml in KaXaml and see the XAML source code:

Memories MainPage.xaml source code



Using JetBrains dotPeek it would be possible to see the C# source code for the Memories app:

dotPeek reverse engineering MainViewModel for Memories app


Modifying C# + XAML Win8 apps

The XAML for Win8 apps is stored in plain text and can be edited with any text editing tool. The .NET binaries are unsigned and thus can be edited using the MSIL weaving tool Reflexil.

For example, here’s the “Memories” C# XAML app shipping with Windows 8 developer preview:
default visuals for memories app pre-modification

Editing the XAML is fairly trivial since it’s stored as a plain text file:
Default XAML for AlbumsView memories XAML
Modified AlbumsView.xaml file

Editing C# can be done using Reflector’s Reflexil MSIL editor:
Editing Memories MSIL with Reflexil
Editing hardcoded text in C#

With some light modifications to the XAML and C# code we can change the display and behaviour of the app:
Memories app with XAML and C# modifications


Reverse Engineering C++ Win8 apps

I’ll confess to not being a strong C++ developer (gasp!) so I’ll keep this brief by showing that C++ apps are also susceptible to reverse engineering. It appears that Microsoft’s Store app is written in C++. The most important asset that app would have is the set of endpoints for the Microsoft Store. Opening C:\Windows\System32\WinStore\WinStoreUI.dll in Notepad and searching for “https” addresses reveals the following URL:

WinStoreUI.dll opened up in Notepad with a URL highlighted

Following the http://go.microsoft.com/fwlink/?LinkId=195322&clcid=0x409 URL leads to a currently inactive URL of https://services.apps.microsoft.com/browse. I would hazard a guess that this is the URL currently being used to test the Windows App Store.
