Reverse engineering and modifying windows 8 apps

Reverse Engineering and Modifying Windows 8 apps

AngelJustin

Hi folks,

In this article I’ll share the results of ad-hoc security vulnerabilities research I’ve done onwindows 8 apps deployment. Specifically, we’ll discuss fundamental design flaws thatallow to Reverse Engineer Win8 apps, modification of installed apps and the negativeimplications on Intellectual Property rights protection, Licensing models and overall PCsecurity. Finally we’ll discuss some creative ideas on how to mitigate these securityissues.

Meet the mother-load: C:\Program Files\Applications

All Windows 8 applications in the developer preview are installed under the clandestineC:\Program Files\Applications location. I will hazard a guess and say that once theWindows App Store goes online it will install all apps under that folder. Currently thefolder is an invisible one and cannot be accessed from Windows Explorer user interfaceon a new Win8 developer preview install.

Here’s an example of some of the 29 apps Win8 apps installed on the Win8 developerpreview:

Reverse Engineering and Modifying Windows 8 apps http://justinangel.net/ReverseEngineerWin8Apps

1 of 32 21-Dec-12 12:36 PM

And here’s the hidden folder backing it up:


2 of 32 21-Dec-12 12:36 PM

Gaining Access to C:\Program Files\Applications

In essence you’ll need to navigate to that folder, hit “Security Tab” and set yourself up asthe owner. Let me walk you through that process step-by-step.

1. Type in “C:\Program Files\Applications” in the Windows Explorer address bar and hitenter.

2. Observe in shock and dismay the system dialogue saying you don’t own a folder onyour own machine. Hit “Continue”.


3 of 32 21-Dec-12 12:36 PM

3. After hitting “Continue”, you’ll be confronted by the following dialogue:

Do not hit “close”, instead click the “security tab” link.

4. In the following system dialogue click “advanced”.


4 of 32 21-Dec-12 12:36 PM

5. Click the “change” link in the owner security field.

6. Add in your live ID or windows 8 user name to the “select user or group” systemdialogue.


5 of 32 21-Dec-12 12:36 PM

7. Click “OK”, Click “OK”, Click “Ok”.


6 of 32 21-Dec-12 12:36 PM

8. Type in “C:\Program Files\Applications” in the Windows Explorer address bar and hitenter. You now have access to the Applications folder.

What type of apps ship with Windows 8?

Looking at this folder it’s fairly easy to determine what type of apps ship with Windows 8developer preview.


7 of 32 21-Dec-12 12:36 PM

What’s in C:\Program Files\Applications?

For HTML apps the folder contains all of their source code and it can modified.

For C# apps the folder contains the XAML source code and a compiled reverse-engineerable and modifiable version of the C# code.

For C++ directX apps the folder contains compiled binaries. Honestly, C++ isn’t myspecialty so I’ll avoid discussing it at any great length.

Reverse Engineering HTML & Javscript & CSS Win8apps

There’s a fundamental design flaw in the concept of HTML apps. HTML, Javascript andCSS are all interpreted languages, and not compiled languages. Meaning you have toship the source code for your app instead of shipping compiled binaries. That puts the


8 of 32 21-Dec-12 12:36 PM

Intellectual Property of anyone choosing to write any HTML & JS & CSS only app for anyplatform under risk.

For example, here’s the HTML source code for the Tweet@rama Win8 app code:

And here’s the tweet@rama Javascript code that does the actual posting to Twitter:


9 of 32 21-Dec-12 12:36 PM

Modifying HTML & Javscript & CSS Win8 apps

Part of the problem with interpreted languages is that they don’t compile until the veryinstance they are executed. Which allows evil-doers to edit the code prior to execution.

For example, here’s a print screen of the tweet@rama default app;


10 of 32 21-Dec-12 12:36 PM

Let’s modify the HTML, Javascript and CSS for this application: (for the sake of brevitywe’ll only walkthrough a simple HTML change)


11 of 32 21-Dec-12 12:36 PM

By modifying the HTML & CSS & Javascript source code we can change the visualdesign to something a bit more visually pleasing:

Notice that we’ve changed both the design and behaviour of the app by modifying thesource code. The new design has a different title, and the new behaviour is using the


12 of 32 21-Dec-12 12:36 PM

picture of the logged in user as the background. We have the power to completelychange both the visual design and the executing source code of HTML & CSS & JSwin8 apps.

New breed of viruses?

Any unauthorized malware that gains access to C:\Program Files\Applications couldpotentially modify source code to execute in malicious ways. Since this is the directionWin8 apps are taking writing this type of viruses is likely to become a growth industry.

For example we could look at the tweet@rama app once again. The most valuable assetthat app has is our twitter oauth credentials. A virus would be able to modify thetweet@rama source code so once it executes it retrieves those credentials and sendsthose to a malicious remote endpoint. The following code interjected into the Javascriptcode of tweet@rama would do just that:

New breed of cracks?

Any unauthorized executable that gains access to C:\Program Files\Applications couldpotentially modify source code to workaround Windows Store app purchasing andlicensing logic. The whole concept of Trials and feature purchases are based onJavascript, C# or C++ code invoking Windows 8 RuntimeTime APIs for the WindowsStore. Any change to that code could potentially change the purchasing and licensinglogic for that app.

For example, In BUILD conference Microsoft’s Arik Cohen demonstrated(http://channel9.msdn.com/Events/BUILD/BUILD2011/APP-123T) (35:25) the followingcode that performs a Javascript check for isTrial.


13 of 32 21-Dec-12 12:36 PM

It would be a trivial endavour to manually edit this Javascript file and remove the“licenseInformation.isTrial” check. And by doing so removing Trial restrictions from thissample Win8 app.If this set of problems are not mitigated, app piracy through app modification forWindows Store apps will likely become quite prevalent.

Reverse Engineering C# + XAML Win8 apps

C# code is shipped in compiled EXE & DLL binaries. XAML is shipped as plain textsource code. That makes both forms of code extremely susceptible to reverseengineering.

For example, we could open up the “Memories” (C# WinRT XAML app) MainPage.xaml


14 of 32 21-Dec-12 12:36 PM

in KaXaml (http://kaxaml.com/) and see the XAML source code:

Using JetBrains dotPeek (http://www.jetbrains.com/decompiler/) it would be possible tosee the C# source code for the Memories app:


15 of 32 21-Dec-12 12:36 PM

Modifying C# + XAML Win8 apps

The XAML for Win8 apps is stored in plain-text and can be edited from any text editingtool. The .net binaries are unsigned and thus can be edit using the MSIL Weaving toolReflexil (http://reflexil.net/).

For example, here’s the “Memories” C# XAML app shipping with Windows 8 developerpreview:


16 of 32 21-Dec-12 12:36 PM

Editing the XAML is fairly trivial since it’s stored as a plain text file:


17 of 32 21-Dec-12 12:36 PM

Editing C# can be done using Reflector’s Reflxil MSIL Editor:


18 of 32 21-Dec-12 12:36 PM

With some light modifications to the XAML and C# code we can change the display andbehaviour of the app:


19 of 32 21-Dec-12 12:36 PM

Reverse Engineering C++ Win8 apps

I’ll confess to not being a strong C++ developer (gasp!) so I’ll keep this brief by showingC++ apps are also susceptible to reverse engineering. It appears that Microsoft’s Storeapp is written in C++. The most important asset that app would have are the endpointsfor the Microsoft store. Opening the C:\Windows\System32\WinStore\WinStoreUI.dll in


20 of 32 21-Dec-12 12:36 PM

notepad and searching for “https” addresses reveals the following URL:

Following the http://go.microsoft.com/fwlink/?LinkId=195322&clcid=0x409(http://go.microsoft.com/fwlink/?LinkId=195322&clcid=0x409) URL leads to a currentlyinactive URL of https://services.apps.microsoft.com/browse(https://services.apps.microsoft.com/browse). I would hazard a guess that this is theURL currently being used to test the Windows App Store.

What have we conclusively proven during this blogpost?

Keeping in mind that Windows 8 is only an alpha developer release, we’ve seen a


21 of 32 21-Dec-12 12:36 PM

couple of disturbing things:

It is possible to reverse engineer and modify HTML, JavaScript and CSS codeshipped in Win8 apps.

1.

It is possible to reverse engineer and modify C#/VB.Net source code shipping withWin8 apps.

2.

It is possible to reverse engineer and modify XAML source code shipping withWin8 apps.

3.

It is possible to (at some limited level?) reverse engineer C++ Win8 apps.4.

Can Microsoft completely solve this problem?

No. In my opinion, apps shipping as part of all app stores will always be vulnerable atsome limited level to reverse engineering and modification.

Can Microsoft mitigate this problem?

Yes, Microsoft can make apps significantly more temper-proof and pile a lot of hardshipson those seeking to reverse engineer and modify Win8 apps. Assuming malicious codeand people can’t access C:\Program Files\Applications seems naïve at best.


22 of 32 21-Dec-12 12:36 PM

Here are few suggestions for what some of those potential aforementioned hardshipsmight be:

Obfuscate C#/VB.Net projects by default: .net projects default to shipping withunobfuscated source code. If Microsoft is serious about introducing a WindowsApp store obfuscation has to be turned on by default for all .net project, not just anice-to-have addon like it is right now. The VS2011 team should investigate andintegrate an obfuscation solution directly into the product and turn it on for all new.net projects. This would make it harder to reverse engineer .net apps.

1.

Minify HTML, Javascript and CSS projects by default : With the joys of desktopdeployment web developers will likely forsake Javascript, HTML and CSSminification. Again, a good path forward here is to make sure all HTML, Jacascriptand CSS code is minified by default. This step would make it harder to reverseengineer HTML apps.

2.

Strongly sign all .net assemblies by default: Strong-signing has been part of the.net framework for 10 years now. Turn it on by default with a unique developerlicense certificate for all Win8 .net apps. Make sure Win8 AppContainers only runsigned apps, don’t even have a hidden registry key to enable unsigned apps (likeWP7 does (http://twitpic.com/6josnn)). That would make it harder to modify .netapps.

3.

Checksum HTML, Javascript and CSS project before st artup : Even if it’sunpreventable that modifying Win8 HTML apps would take place, run a checksumon all files before loading the app into memory. That would make it harder tomodify Win8 HTML apps. It sounds like AppBlockMap.xml is supposed to dosomething similar, but it doesn’t seem to work.

4.

Don’t store App’s executing files as plain-old file s on the user’s hard-drive: Itshouldn’t be possible to even see the files shipping with an app by default usingjust Windows Explorer. A lossless compressed folder with DRM protection wouldbe a good step forward here. This should make it harder to reverse engineer Win8apps.

5.

tl;dr: If Microsoft doesn’t undertake the aforementioned steps or comparable ones it’snot because it can’t, it’s because it doesn’t want to. If Microsoft chooses to ignore thisproblem for the remaining one year (?) development lifecycle for Windows 8 then it’s notbecause it couldn’t solve these problems.

Visual Studio 2011 App Deployment

Apps deployed by Visual Studio 2011 do not get deployed to C:\ProgramFiles\Applications but rather get deployed to C:\Users\<UserName>\AppxLayouts.


23 of 32 21-Dec-12 12:36 PM

The alternate location for Visual Studio app deployment and all other app deploymentare controlled by the registry folder HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel.

Feedback

Have questions about the methodologies used in this article?Have more interesting workarounds you’ve tried and like to share?Have interesting suggestions for the Microsoft folks on how to help mitigate thisproblem?

Sound off in the comments!

-- Justin Angel

(Disclaimer: this article represents research I undertook on my own and is unsanctionedby any organizations or corporations I might be related with.)

Published on 9/20/2011 12:00:00 AM by Justin Angel ©2012.This work is licensed under a Creative Commons Attribution 3.0 Unported License


24 of 32 21-Dec-12 12:36 PM

(http://creativecommons.org/licenses/by/3.0/).

Comments

Jeremy Says:

Very nice article Justin, thanks for sharing. I started to look at theproportion of HTML vs XAML vs Native apps and I appreciate yourdiagram. I'm looking forward seeing what Microsoft will do to mitigatethose issues.

pedro Says:

You seem to forget a little detail.. Final apps will be signed.

Justin Angel Says:

Signed apps would be one of the small obstacles I've mentioned.However, I'm not sure what signing apps would mean for HTMLapps. How exactly does one sign HTML files?

Also, more importantly, Signing attempts to protect againstModification. It does nothing to solve the Reverse Engineeringissue.

pedro Says:

I'm guessing that app packages will be encripted and signed.And the reverse engineering is a non issue. How do youprotect current apps from being reverse engineered? Evenobfuscating .NET apps doesn't really protect you, it only makesit harder.If signing the apps is enough to prevent tempered code to beexecuted, I'm OK with that.

DrPizza Says:

Can you explain to me which of these is a Windows 8 issue?Consider that the .NET decompilers are for, uh, all .NETprograms, not just Windows 8 ones, and that Web browsers letyou look at both HTML and JavaScript directly.


25 of 32 21-Dec-12 12:36 PM

How does one sign HTML files? You stick a signature in a fileand put it alongside the rest. You know, the same way that yousign .inf files in driver packages.

Justin Angel Says:

Windows 8 made the choice to consume interpretedlanguages as offline application development languages. Iam calling out that it there are some issues with that plangoing forward in regards to the aforementioned concerns.

How does one sign HTML files? It is possible to sign &encrypt anything. HTTPS for example is an encrypted andsigned HTTP transport layer.

Addressing the core point of your argument: I believe thatMicrosoft has people smarter than myself that couldprovide more realistic solutions to the issues I've raised.IMO This is a set of problems that have potential solutions.

Luke Says:

On the default user you enter more pc settings (frommetro) and open user.There is an option to switch to Microsoft account.This option is not available by default on the build-inadministrator account.Is it possible to enable this on the build-inadministrator?I can use most of the metro apps on the build-inadministrator account when/if I changethis regkey FilterAdministratorToken from 0 to 1

Sarkie Says:

When looking for string data in .exes.

Use Stringshttp://technet.microsoft.com/en-us/sysinternals/bb897439

Aside:Why is this whole site in Silverlight?

Alberto Says:


26 of 32 21-Dec-12 12:36 PM

Whats the problem the site beeing in silverlight?-.-

Michael Crump Says:

Excellent blog post Justin! I have also heard that final apps will besigned. But right now you have exposed several flaws that Microsoftneeds to be aware of.

Jeremy Brayton Says:

Signing happens at the project level, not individual files. I want tospeculate that the dev preview was simply rushed and the DRMprotection we're about to see in the Mango store is going to hit AppXtoo. Having to what amounts to unzipping an app before every run isgoing to increase at least that initial load time but you could use atemporary secure location to cache this kind of stuff. They might'vethought this would be sufficient but you proved how easy it was tounlock that jail cell.

Regarding checksums against HTML content, I would say just do achecksum against the *entire project* as one motion. It's essentially thesame thing but we're really interested in the sum, not so much individualfiles but doing them individually would be a way for us to tell which filehas been tampered with so I'm a little on the fence about my ownsuggestion.

I think if we start to get to the beta and RC stages and no significantchanges are made in this area that all of us should worry. I'm glad theycan address it now and I'm glad you figured this out to make sure theydo. There's still plenty of time to plug these holes but we definitely needto keep a fire up their ass to make sure our apps aren't cracked in onefell swoop. If I'm relying on your app store and one point of failure is allthat is needed to expose EVERY app, you might want to rethink yourdesign a bit and I hope they at least give us the option to run extralicensing mechanisms on top if we so choose. If they don't plug theseholes AND get heavy handed there, I could never recommenddeveloping for their app store.

Fallon Massey Says:

Does that mean that C++ is the best language to program in?

Because with C++, you'll need a disassembler, and that still won't netyou the correct code.


27 of 32 21-Dec-12 12:36 PM

Philippe Da Silva Says:

With every new OS comes new security threats especially when you'readding something new that hasn't been tested accross mainstreamaudience.

While I don't care much about seeing people modifying apps I purchasesince it opens the way to application "mods" that us, consumers, willdecide to use or not, I'm way more worried about the Win8 Apps being areal system security threat for viruses and other malware that could acton my behalf in my machine.This should definitivelly be the top security priority of Microsoft from mypoint of view.

I personally see Win8 Apps as Rich Clients for distributed & cloudcontent or processing. I can't think of any application that would makeuse of the Metro UI and paradigm that don't fall into such userrequirements.For all other user requirements, we'll stick to our old yet very familiarExplorer environment ;)

All in all, I'm really glad to see Microsoft finally taking a step backward,looking at the market and sharing with us what they see as the future ofour computer/software usage ;)

Ian Griffiths Says:

Session PLAT-905C went into quite a lot of detail on applicationpackaging. The signing mechanism covers everything in the package,and is independent of file type. You could even put binary files with aformat of your own devising in there and it'd still be able to check theirvalidity. Logically speaking, it's pretty similar to how Silverlight supportsit - you sign the container rather than individual files. In Silverlight, youcan apply a digital signature to the ZIP file, and that'll cover everythingin there, no matter what the format of the individual files. The fact thatthe streams happen to be extracted out into files in a folder in Win8 isno obstacle to this - it just requires a scheme for how the wholedirectory should be handled - as long as Win8 knows that (say) the appxmanifest contains a list of signatures for everything (including itself),then it can check everything. IIRC, that's pretty much how ClickOnceworked - it was able to check validity even when each of the resourcesin the app was downloaded separately. So this is not new.

Nor is reverse engineering. C++, Xaml, and JavaScript are precisely aseasy to reverse engineer in Win8 as they were before.


28 of 32 21-Dec-12 12:36 PM

piers7 Says:

As an aside, in the keynote Sinofsky claimed the Apps app was writtenin Javascript/HTML, whereas you seem to suggest C++...

dsurendra Says:

Cool....

ZUyq5def Says:

Maliscious won't have access to the \program files\applications directory(among other things, such as signing). The steps that Justin goesthrough to access the directory require explicit user action - they can'tbe done programmatically (unless the app already has privileges - inwhich case it doesn't really make sense for the app to go messing wother apps, because it can already do whatever the maliscious userwants).

Justin Angel Says:

Yep, the Program Files\Applications folder is protected the sameway modern-day Program Files directory and Windows directoryare protected.

However many viruses, spyware and malware (if not the majority ofthose) currently use those locations to hide, store and modify theirexecutables.

Theoretically, you're right to say there's a hurdle here. Practically,you'll have to ignore the entire history of modern-day malware toclaim it'll matter in the long run.

rtruth Says:

HTML and javascript are plaintext on the web, I don't see thatpreventing developers from writing code.

Second of all, it doesnt matter if the code is plain text, .net, orassembled c code, you can always see the code. Even in c code, youjust disassemble the binary and its right there in front of you. You can dothe same things you are doing now with html.

Also,even if the apps are signed, its only trivial to patch the check by the


29 of 32 21-Dec-12 12:36 PM

OS. On an open system like a PC, its impossible to stop this.

Its just the reality of software development. If you make good software,it will be pirated. And those that pirate will never buy your stuff in thefirst place anyways.

Zach Heise Says:

Hi Justin, I was curious about this in the Customer Preview releasedyesterday, so I found your blog entry by searching for "windows 8programs file tree location" and got here. It looks as if in this version,c:\program files\applications no longer exists. Where could all of thesenewly-available "store-bought" (free) apps be living now that they'redownloaded?

I hate all this handholding Metro does. I have a feeling I'm going to beignoring it 90% of the time unless I want a news reader on a bus ridehome with a tablet. For actual work, it's useless.

Zach Heise Says:

Nevermind, found it! CMD, plus dir /a:h in the program files folder,found that it's now stored under c:\program files\windowsapps. Youprobably already knew that though!

Vamshi Says:

Wow thats a great find ! ,now i can at least some code of my favouriteapps ;)

niks Says:

y i m nt able to use these apps ???i hv devloper preview...

Alex Says:

Excellent article! I'm looking forward to your next article concerningapps.

Christian Says:

Anybody who argues that people write html+js for the web even though


30 of 32 21-Dec-12 12:36 PM

anyone can see it is an idiot. Almost all the code that ACTUALLYMATTERS is server side. On Windows 8 all the important code will beright there for people to steal. Think before you post next time.

Kapil Says:

Now folder name is WindowsApps.......

Rufus Pearce Says:

I have the RTM version of Windows 8 Pro, and the folder 'ProgramFiles/Applications' does not exist. It has been moved somewhere else.Any idea where these apps can now be found?

Brandon Says:

How can one change the default install path for apps? I really don't wantall these apps eating up my small SSD drive!

Alex Says:

Seeing that you can change certain thing in the folder, is there any wayto launch desktop applications, while preserving image subway tile, onlyshifting toward openness. Exe or link?

JuanK Says:

This is not a microsoft problem, is allsoftware engineering problem.Decompile managed code is more dificult than just edit a javascript, butstill being an easy task. Decompile or extract/modify logic from nativebinaries is more dificult , but not impossible.

Kept in moder times. Times when you assume that compile aan app willsecure your code is far far away in the past.

If somebody wants to get the algoritms or logic in your aasemblies ,even native assemblies, just need to hire a young 19 years old guy withpassion for technology to reconstruct the algorithm based onopcodes/assembly, this is not trivial but not impossible, just the kid withfree time could do it.

If you want to modify any application behavior, just need to known whatplatform is and make the changes.


31 of 32 21-Dec-12 12:36 PM

How you think 'hackers' crack Adobe products one release after other,just few days or hour before program availability? one or two guys withfree time knowing assembly, change the opcodes or object linkg foranother and .... pufff ... the program think you have an original copy.

Current world is not easy. You want to protect your algorithms or logic?--> get patents for those you really need to protect.

Even thinks like connection string to db connections are in risk, youcould encript a connection string to avoid direct code/config filesattacks, but in some time, even for little bit of time, the string will bedecrypted in memory and then a young guy with lot of free time couldget the string after hours of patience and retries.

Legal terms, agreements etc are the final protections.

Sure, you need to protect your application in any way, obfusctate code,use in memory secure strings for sensitive data, encription in anycomplexity levels etc, thats necesary because for more protections youuse, less 'young ' people with lots of free time will success breaking yoursecure barriers.

JuanK Says:

btw, take a llook at this important notes: http://stackoverflow.com/questions/12754265/is-there-any-prevention-methods-for-removing-istrial-and-trivially-cracking-wi

Scott Says:

LOL..once again you're breaking into jail with this one ;)

Oh man.. that just makes me sad to see the above and how simple itwas to hax0r it (not that I knew, but now we do know).

Thessaly Says:

How can I gain access to your article "reverse engineering for Win8games"?


32 of 32 21-Dec-12 12:36 PM

Reverse engineering and modifying windows 8 apps

Technology

Transcript of Reverse engineering and modifying windows 8 apps