Hacking Windows 8 Games - JustinAngel


7/29/2019 Hacking Windows 8 Games - JustinAngel


#1: Compromising in-app purchases by modifying IsoStore

The Win8 game Soulcraft is a top game on Android and is subjectively one of the best examples of its genre on Windows 8. It's a basic RPG where you play an archangel battling the forces of evil in stylish 3D. You've got a character, it's got equipment, and you pay with gold to buy better equipment. The gold has to be purchased for real money using the platform's in-app purchase. For example, on Android here are the prices for gold:

I've spent $20+ on game gold for Soulcraft THD on my Google Nexus 7 so far. So I asked myself how that game's gold data gets stored on Windows 8, and whether or not we can change it.

Quick refresher from the previous article: all Windows 8 apps are stored on your local HD at:

C:\Program Files\WindowsApps

So for example all the assemblies for Soulcraft on Windows 8 will be stored at:

C:\Program Files\WindowsApps\MobileBitsGmbH.SoulCraft_0.8.5.3_neutral__n3knxnwpdbgdc

Also, all IsoStore files are stored at:

C:\Users\\AppData\Local\Packages\

So on my machine Soulcraft's IsoStore is at:

C:\Users\Justin\AppData\Local\Packages\MobileBitsGmbH.SoulCraft_n3knxnwpdbgdc\LocalState


When opening up these files in Notepad we can see that some of them are encrypted while others are not.

So now the question becomes: can we decrypt the AccountData.xml file, edit the amount of gold our character has and simply run the game? Well, as it turns out, the answer is yes. Normally encrypted files are bad news if you're trying to tamper with apps. But we should remember this is all running on the local machine. We have the algorithm used for encryption, we have the hash key and we have the encrypted data. Once we have all of those it's pretty simple to decrypt anything.

Using dotPeek/ILSpy/JustDecompile it's possible to reverse engineer most of the Soulcraft source code and find out how AccountData.xml gets stored and how to change it. Let's assume we've done that and we know which classes and assemblies are used to decrypt, edit and encrypt this XML file. We'll start off by creating a new Win8 app and referencing the appropriate DLLs from the Soulcraft game.


Next, since these assemblies read files from IsoStore, we'll copy the encrypted game files to our own App2 IsoStore.

Now we've staged a new app with the proper assemblies and populated its IsoStore with Soulcraft's data. The next step is to reverse engineer the assemblies and figure out the correct calling order for methods. For example, this code would load up AccountData.xml, edit the amount of gold and save it again.

using System.IO;                 // Path
using System.Linq;               // First()
using Windows.UI.Xaml;           // RoutedEventArgs
using Windows.UI.Xaml.Controls;  // Page
using Delta.Utilities.Helpers;   // DirectoryHelper, referenced from the Soulcraft assemblies
using Delta.Utilities.Xml;       // XmlNode, referenced from the Soulcraft assemblies

public sealed partial class MainPage : Page
{
    public MainPage()
    {
        this.InitializeComponent();
        this.Loaded += MainPage_Loaded;
    }

    private async void MainPage_Loaded(object sender, RoutedEventArgs e)
    {
        // The game's own helper classes resolve the IsoStore path and handle
        // decrypting the file on load and re-encrypting it on save.
        var filePath = Path.Combine(DirectoryHelper.GetBaseDirectory(), "AccountData.xml");
        var accountDataXml = XmlNode.LoadFile(filePath);

        // Overwrite the Gold attribute on the first child node and write the file back.
        accountDataXml.Children.First().AddAttribute("Gold", "1000000");
        accountDataXml.Save(filePath);
    }
}

Here's the before and after of the XML file:


Copying the file back to Soulcraft's IsoStore and starting Soulcraft, we can see a first-level character with 1,000,000 gold.

At this point some of you must be thinking "so what? It's fake game money." True, but this fake in-game money would be worth over a thousand dollars on Android and iOS. Without a secure storage location for game state, we can't be surprised that 3rd party cracking will arise to let consumers avoid in-app purchases.

#2: Cracking trial apps to paid versions for free

One of the top revenue streams for Windows 8 developers is shipping paid apps. At the same time, consumers tend to be loss averse and are afraid to lose money on apps. The solution to that is trial apps: paid apps can offer a free version with limited functionality or on a time-limited basis. That works fine unless consumers attempt to manipulate this tentative status quo by cracking trial apps. To emphasize the impact of this problem we can look at the Windows Phone ecosystem, where 45% of paid apps offer trials.


Let's have a look at Meteor Madness. It's a cool arcade asteroid shooter game. Meteor Madness costs $1.50 USD and offers a free trial with limited functionality. It also happens to be open source, so you can go check that out too.

When downloading the app as a trial we can see that it offers the option to buy the game and locks some game options. Note the "Buy now" rock at the bottom left and the locked Arcade game rock on the top right.


In the previous section we've seen there's a fundamental problem when storing game data on Windows 8. Storing encrypted data locally, alongside the algorithm and the algorithm's key/hash, is a recipe for security incidents. One of the problems with allowing offline execution of trial apps is that it mandates the trial flag be stored locally. And as we've seen, if it's stored locally, we can find it, read it and modify it.

Specifically, the license for Windows 8 apps is stored in the following file:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WSLicense\tokens.dat

When we open this file up in Notepad we can find the license for Meteor Madness and where it says it's a trial purchase.

Also, in the same file we can see there are other apps installed, such as free apps, paid apps and preinstalled apps. Here, for example, is the Full installation of Bing.

An educational WinForms app named WSService_crk loads this file into memory, shows the license XMLs and modifies it as a FullPreinstalled license. There's a lot going on here other than simply reading and modifying files: WSService_crk has to decrypt the file, re-encrypt it and then store it. All of that is documented with WSService_crk, as it's distributed with full source code.

Opening up WSService_crk on my machine shows the following list of installed apps.

WSService_crk can then show the current license and even modify it from a Trial to a Full Preinstalled license.


Running Meteor Madness now, we can see that it no longer has any trial functionality limitations.


#3: Removing in-app ads from games by editing XAML files

Another way developers monetize their apps is through in-app advertising. Developers often take the path of least resistance, and it's quite easy to add ads to your app. If apps are popular and the view counts are racking up it could become quite profitable. As a result consumers don't have to pay for some great titles and successful developers can get paid. That all works pretty well unless opportunistic consumers choose to keep the free app but disable ads. To emphasize the importance of mobile app ads, let's mention that some 3rd party estimates put the field at over 10B in overall yearly revenue.

One app that is now (surprisingly) advertising supported on Windows 8 is Microsoft's Minesweeper.

As we've seen previously, the executable of any Windows 8 app can be located easily. Minesweeper is installed locally at:

C:\Program Files\WindowsApps\Microsoft.MicrosoftMinesweeper_1.1.0.0_x86__8wekyb3d8bbwe

In that folder we can find the file MainPageAd.xaml under the \Common\AdsModule\View folder, alongside the other in-app ads used by Minesweeper.


We can make this ad disappear by simply adding the Visibility="Collapsed" attribute to the aforementioned root user control.

After we've made this small change, when we run the Minesweeper app we won't be able to see the ad anymore.

By simply editing XAML files we can hide in-app ads in Windows 8 apps.

#4: Reducing the cost of in-game items by editing game data files


Most games out there are composed of two distinct pieces: a game engine and the game data files used by the engine. For more on this dichotomy you can read the great article "Battle for Wesnoth" from the Creative Commons book The Architecture of Open Source Applications. Let's look at a real world example in the form of the Windows 8 game Ultraviolet Dawn. The game is my all-time favourite iPad game and is a cool 2D space shooter. Like other games, players start off with a certain amount of in-game currency and can buy items to improve their spaceship.

If we go back to the dichotomy we've heard about earlier, we can see how it applies to Ultraviolet Dawn. There's a game engine that knows about store items, and there's going to be a list somewhere of what they are. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game's data files. As we've previously seen, executables for Windows 8 apps can be located and modified. Specifically, Ultraviolet Dawn can be found here:

C:\Program Files\WindowsApps\8DF9EE77.UltravioletDawn_1.0.0.37_x86__dd4ev9dvfndxm

We can open up the res_store_items.txt file and edit the price of in-game items. In our example we'll edit all the weapons to be free.


When we run Ultraviolet Dawn again we can see the price of items in the store is now 0.

We've just shown that, using the simplest of tools, we can edit game files to compromise the experience of Windows 8 games.

#5: Compromising in-app purchase items by injecting scripts into the IE10 process


Even though we've already shown that in-app purchases are compromisable, I'd like for us to see an example of that with Windows 8 HTML & JS apps. Up until now we've seen examples of C# and C++ apps, so let's see that with WinJS apps. Let's have a look at the massively popular and successful WinJS Windows 8 game Cut the Rope. The game follows a freemium model where the first few levels are free and additional levels cost $4.99 to unlock.

As we know by now, executables for Windows 8 games can be found on the local disk. Specifically, Cut the Rope's executables can be found at:

C:\Program Files\WindowsApps\ZeptoLabUKLimited.CutTheRope_1.1.0.9_neutral__sq9zxnwrk84pj

If we open up the default.js file in the js folder we can see the following code, which obviously governs the in-app purchasing logic. We can see there are IS_PAID_FULL_VERSION and SIMULATE_PURCHASES variables set to false. One wonders what happens if we change those values to true.


We don't really have to understand the specifics, but we can see there's an if-else condition that determines in-app purchases. We can't directly change JavaScript files, as that'll corrupt the JavaScript package and Windows 8 will refuse to open the app. So instead of changing the files on the local disk, we can inject JS scripts at runtime into the IE10 process.

Visual Studio 2012 has a built-in debugging mechanism for any installed Windows 8 app. Even if that weren't there we could still easily inject scripts into IE10, but since it is there we can use that familiar tool. Let's use VS2012 to "Debug Installed App Package". (Here are the JavaScript docs, C# docs and C++ docs for those unfamiliar with the feature.)

Next we'll choose to debug Cut The Rope. Make sure to check the "Stop at first statement" checkbox, since we'll use it to navigate to default.js.


After we click Start we can see we're debugging the Cut the Rope app. This is the important bit: we've now got the full force of VS2012 JavaScript runtime debugging in a Win8 store app. This first breakpoint will always be in the same file at the same row: the first row of the base.js file from the WinJS framework.

Using a smart combination of Step Over and the Solution Explorer we can set the following breakpoint just after the variables we've previously seen are set.


Stepping over this declaration we can then see the following values in our Locals window.

And now, using the Immediate Window, we can execute any JavaScript we'd like. For the purpose of this demo we'll set SIMULATE_PURCHASES=true. We could have saved some time by setting IS_PAID_FULL_VERSION=true, but I'd like for us to see this runtime behaviour.

Now when we click the purchase button we can see the Windows 8 in-app purchase simulator. We'll tell it that the purchase was successful.


And now we can see all game levels are unlocked.

We've just shown how to inject arbitrary JavaScript into a Win8 store-bought WinJS IE10 app, and we've affected the in-app purchase item inventory.

Summary: What have we seen?


We were able to show that the majority of ways game and app developers would make money aren't secure by default on Windows 8. We've shown this for C# & XAML apps (Minesweeper), for C# + Direct3D apps (Soulcraft), for C++ & Direct3D apps (Ultraviolet Dawn), for HTML & WinJS apps (Cut the Rope) and for any app using Trial (Meteor Madness).

Let's repeat what we've seen so far, what the root cause of the issue is and what could be done at the framework level to mitigate it:

1. In-app purchase item storage: In-app purchase is fast becoming the #1 revenue stream for game developers. We've seen we can trick a game's local storage into acknowledging consumable items that haven't been purchased. The real problem here is that Windows 8 apps don't have any truly secure location that's inaccessible to the user and can be secured in offline scenarios. One possible improvement here would be for Microsoft to offer such storage for all apps: let developers have secure encrypted isolated storage by default. Another possibility would be to turn on code obfuscation and minification by default in order to avoid the reverse engineering needed for this exploit.

2. Trial apps: Trial apps will likely be adopted by around 50% of Windows 8 games. We've seen how the trial licenses are stored in the tokens.dat file and how easy it is to edit it. The real problem here is that trial apps are downloaded to the client machine with the full unlocked logic embedded in them. One way to fix this issue would be to have developers build two app packages (one limited-functionality trial package and one full-functionality package) and have those secured by the Win8 store purchasing system.

3. In-app ads: Mobile advertising in apps is a major industry and a source of revenue for developers. We've shown how by simply editing the XAML files on disk we can turn off ads in games. It shouldn't be possible to tamper with XAML/HTML files and then have them loaded into memory. One improvement Microsoft can undertake here is better on-disk tampering checks.

4. Game data files and in-game items: We've shown game data files can be edited and they'll then be loaded into apps. It shouldn't be possible to modify any game file and then have it loaded into memory. Microsoft could follow the aforementioned recommendation from item #3 to help mitigate this issue.

5. Injecting arbitrary JavaScript affecting in-app purchase: We've seen we can inject any JavaScript code to run inside the IE10 process for a Win8 WinJS store app. That shouldn't be possible. One possible improvement would be for the IE10 team to lock down the IE10 process to signed scripts only when not on a development machine.
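Items 3 and 4 above ask for on-disk tampering checks; as an added example (not code from this article or from any of the games it covers), here is how an app can extend the code-integrity protection that already covers its DLLs to its data and XAML files: a build step signs a manifest of file hashes with a private key that never ships, and the app verifies that signature with a public key compiled into its signed assembly before loading any data file. It uses the desktop .NET System.Security.Cryptography APIs, and the manifest format, class names and the idea of a separate build-time signing step are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Build-time side (assumed tooling): hash every shipped data file into a manifest and sign it
// with a private key that stays on the build machine and never ships inside the app package.
public static class DataFileSigner
{
    // Manifest format (constructed for this example): one "relativePath<TAB>sha256hex" line per file.
    public static byte[] BuildManifest(IDictionary<string, byte[]> files)
    {
        var sb = new StringBuilder();
        using (var sha = SHA256.Create())
            foreach (var kv in files)
                sb.Append(kv.Key).Append('\t').Append(Hex(sha.ComputeHash(kv.Value))).Append('\n');
        return Encoding.UTF8.GetBytes(sb.ToString());
    }
    public static byte[] Sign(byte[] manifest, RSA privateKey) =>
        privateKey.SignData(manifest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    public static string Hex(byte[] bytes) => BitConverter.ToString(bytes).Replace("-", "");
}

// Runtime side: the public key is a constant inside the app assembly, which Windows 8 code
// integrity already refuses to run if modified, so the key can't simply be swapped on disk.
public sealed class VerifiedDataLoader
{
    private readonly Dictionary<string, string> _expected = new Dictionary<string, string>();
    public VerifiedDataLoader(byte[] manifest, byte[] signature, RSA publicKey)
    {
        // A manifest that fails verification is rejected as a whole; nothing in it is trusted.
        if (!publicKey.VerifyData(manifest, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("data manifest signature invalid");
        foreach (var line in Encoding.UTF8.GetString(manifest).Split('\n'))
        {
            if (line.Length == 0) continue;
            var parts = line.Split('\t');
            if (parts.Length != 2) throw new InvalidDataException("malformed manifest line");
            _expected[parts[0]] = parts[1];
        }
    }
    // Hands back file contents only if the file is listed and its hash matches the signed manifest,
    // so an edited res_store_items.txt (prices set to 0) or MainPageAd.xaml (ad collapsed) is refused.
    public byte[] Load(string relativePath, byte[] contents)
    {
        string expectedHash;
        if (!_expected.TryGetValue(relativePath, out expectedHash))
            throw new FileNotFoundException("file not listed in signed manifest", relativePath);
        string actualHash;
        using (var sha = SHA256.Create()) actualHash = DataFileSigner.Hex(sha.ComputeHash(contents));
        if (!string.Equals(actualHash, expectedHash, StringComparison.OrdinalIgnoreCase))
            throw new InvalidDataException("tampered data file: " + relativePath);
        return contents;
    }
}
```

At build time call DataFileSigner.BuildManifest and Sign once and ship the manifest and signature next to the data files; at runtime construct VerifiedDataLoader with the embedded public key and route every data-file read through Load. This covers static files only: mutable state such as the gold balance in #1 cannot be signed on the client and needs a server-side record of purchases.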

We've seen a myriad of issues and offered potential fixes to them all. Any mildly competent developer can productize these security attack vectors into shipping products. If Microsoft doesn't take it upon itself to fix these security attack vectors it's not because it couldn't, it's because it chooses not to.

What haven't we been able to do?

What has been fixed since the early Win8 betas is that editing DLLs or HTML/JS files on the disk is no longer possible. When that's attempted the code integrity system kicks in, verifies file hashes and prevents app execution. One is left to wonder how secure those AppxBlockMap.xml hashes really are and whether they can be reverse engineered to be generated on the client side.

Heartfelt disclaimers


1. Games: The games appearing in this article are awesome and you should buy them and give them money. I've been a generous benefactor of each game and so should you! Go download them and give them money. In order of appearance in the article: Soulcraft, Meteor Madness, Minesweeper, Ultraviolet Dawn and Cut The Rope.

2. Game developers: The game developers for the aforementioned games are professionals. For the most part you can't work around a broken platform. There's nothing obvious about any of these issues.

3. Article format: This is an educational article written in the hope that both developers and Microsoft can benefit from an open exchange of knowledge.

4. My employer: I have an employer and they had nothing to do with this article. Both researching and authoring this article were undertaken in my leisure time.

Feedback: Questions? Rebuttals? Thoughtful discussion? Sound off in the comments below.

Remember to read the previous article, Reverse Engineering and Modifying Windows 8 Apps, if anything is unclear, as it outlines many of the techniques used here.

-- Justin Angel