This is Google's cache of http://justinangel.net/HackingWindows8Games. It is a snapshot of the page as it appeared in Dec 2012.

Hacking Windows 8 Games

Justin Angel
Hi folks, this article is a follow-up to my previous 2012 article on Reverse Engineering and Modifying Windows 8 apps. In this article we'll see how to use innate Windows 8 security attack vectors in a way that could compromise the Windows 8 games revenue stream. We'll review real-world examples for all Win8 programming languages and frameworks.

But first, why Games?

In the previous article we've seen security loopholes affecting all Windows 8 apps. However, in this article we'll focus on how these techniques can be used to compromise game security. The reason we'll be focusing on games is that they account for [share illegible in source] of developer revenue on every mobile developer platform. Let me repeat that: games account for the majority of developer revenue. For example, we can see from official Microsoft statistics that 64% of app purchases on Windows Phone 7 are for games.

The majority of mobile apps make their money from a combination of in-app ads, in-app purchases or paid app downloads. Google I/O 2012 had this great slide illustrating all the ways a mobile app developer can get paid:

In this article we'll show how insecure each of those payment streams is on Windows 8, with real-world examples from game development. It's important to mention that the methods shown in this article can be applied to every app and not just games.

(1) Compromising in-app purchases & modifying IsoStore

The Win8 game Soulcraft is a top game on Android and is subjectively one of the best examples of its genre on Windows 8. It's a basic RPG where you play an archangel battling the forces of evil in stylish 3D. You've got a character, it's got equipment and you pay with gold to buy better equipment. The gold has to be purchased for real money using the platform's in-app purchase. For example, on Android here are the prices for gold:

I've spent [amount illegible in source] on game gold for Soulcraft THD on my Google Nexus 7 so far. So I asked myself how that game's gold data gets stored on Windows 8, and whether or not we can change it. Quick refresher from the previous article: all Windows 8 apps are stored on your local HD at C:\Program Files\WindowsApps. So for example all the assemblies for Soulcraft on Windows 8 will be stored at C:\Program Files\WindowsApps\MobileBitsGmbH.SoulCraft_0.8.5.3_neutral__n3knxnwpdbgdc

Also, all IsoStore files are stored at C:\Users\<username>\AppData\Local\Packages\. So on my machine Soulcraft's IsoStore is at C:\Users\Justin\AppData\Local\Packages\MobileBitsGmbH.SoulCraft_n3knxnwpdbgdc\LocalState

When opening up these files in Notepad we can see that some of these files are encrypted while others are not.

So now the question becomes: can we decrypt the AccountData.xml file, edit the amount of gold our character has and simply run the game? Well, as it turns out the answer is “Yes”. Normally encrypted files are bad news if you're trying to tamper with apps. But we should remember this is all running on the local machine. We have the algorithm used for encryption, we have the hash key and we have the encrypted data. Once we have all of those it's pretty simple to decrypt anything.

Using dotPeek/ILSpy/JustDecompile it's possible to reverse engineer most of the Soulcraft source code and find out how the AccountData.xml gets stored and how to change it. Let's assume we've done that and we know which classes and assemblies are used to decrypt, edit and encrypt this XML file. We'll start off by creating a new Win8 app and referencing the appropriate DLLs from the Soulcraft game.

Next, since these assemblies read files from IsoStore, we'll copy the encrypted game files to our own App2 IsoStore.

Now we've staged a new app with the proper assemblies and populated IsoStore with Soulcraft's data. The next step is to reverse engineer the assemblies and figure out the correct calling order for methods. For example, this code would load up AccountData.xml, edit the amount of gold and save it again. Here's the before and after of the XML file:

Copying the file back to Soulcraft's IsoStore and starting Soulcraft, we can see a first level character with 1,000,000 gold.

At this point some of you must be thinking “so what? it's fake game money”. True, but this fake in-game money would be worth over a thousand dollars on Android and iOS. Without a secure storage location for game state, we can't be surprised that 3rd party cracking will arise to let consumers avoid in-app purchases.
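The missing piece described above is game state the client cannot forge. One way to approximate that today is to have the server sign the account state and verify it on upload, so the key never lives in the app package. The following is an added example, not code from the article or from Soulcraft; the server key, the JSON layout and the `seq` rollback counter are assumptions for the demo:

```python
import hashlib
import hmac
import json

# Hypothetical server-held key. It is never shipped inside the app package,
# which is what distinguishes this from the local-key scheme in the article.
SERVER_KEY = b"example-server-secret-do-not-ship"


def canonical(state: dict) -> bytes:
    """Stable serialization so the same state always yields the same tag."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Server side: produce the blob the client stores in its IsoStore."""
    tag = hmac.new(key, canonical(state), hashlib.sha256).hexdigest()
    return json.dumps({"state": state, "tag": tag})


def verify_state(blob: str, last_seq: int, key: bytes = SERVER_KEY):
    """Server side: accept a client-uploaded blob only if the tag matches and
    its sequence number is newer than the last one seen (rejects rollbacks)."""
    doc = json.loads(blob)
    state, tag = doc["state"], doc["tag"]
    expected = hmac.new(key, canonical(state), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad signature"
    if state["seq"] <= last_seq:
        return None, "stale state (rollback)"
    return state, "ok"


def demo():
    # Constructed sample: a level-1 character with 1500 gold.
    blob = sign_state({"seq": 7, "level": 1, "gold": 1500})
    _, why = verify_state(blob, last_seq=6)
    # Tampered copy: gold edited in the stored file, as with AccountData.xml.
    doc = json.loads(blob)
    doc["state"]["gold"] = 1_000_000
    _, why_bad = verify_state(json.dumps(doc), last_seq=6)
    # Rollback: an older, validly signed save is replayed after gold was spent.
    _, why_old = verify_state(blob, last_seq=7)
    return why, why_bad, why_old
```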

(2) Cracking trial apps to paid versions for free

One of the top revenue streams for Windows 8 developers is shipping paid apps. At the same time consumers tend to be loss averse and are afraid to “lose” money on apps. The solution to that is Trial apps. Paid apps can offer a free version with limited functionality or on a time limited basis. That works fine unless consumers attempt to manipulate this tentative status quo by cracking trial apps. To emphasize the impact of this problem we can look at the Windows Phone ecosystem, where 45% of paid apps offer trials.

Let's have a look at Meteor Madness. It's a cool arcade asteroid shooter game. Meteor Madness costs [price illegible in source] USD and offers a free trial with limited functionality. It also happens to be open source so you can go check that out too.

When downloading the app as a trial we can see that it offers the option to buy the game and locks some game options. Note the “Buy now” rock at the bottom left and the locked “Arcade” game rock on the top right.

In the previous section we've seen there's a fundamental problem when storing game data on Windows 8. Storing encrypted data locally, alongside the algorithm and the algorithm key/hash, is a recipe for security incidents. One of the problems with allowing offline execution of trial apps is that it mandates the “trial flag” to be stored locally. And as we've seen, if it's stored locally, we can find it, read it and modify it. Specifically, the License for Windows 8 apps is stored in the following file: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WSLicense\tokens.dat. When we open this file up in Notepad we can find the license for Meteor Madness and where it says it's a trial purchase.

Also, in the same file we can see there are other apps installed, such as free apps, paid apps and preinstalled apps. Here for example is the “Full” installation of Bing.

An educational WinForms app named WSService_crk loads this file into memory, shows the License XMLs and modifies it as a “Full Preinstalled” license. There's a lot going on here other than simply reading and modifying files. WSService_crk has to decrypt the file, re-encrypt it and then store it. All of that is documented with WSService_crk as it's distributed with full source code.

Opening up WSService_crk on my machine shows the following list of installed apps.

WSService_crk can then show the current license and even modify it from a Trial to a Full Preinstalled License.

When running Meteor Madness now we can see that it no longer has any trial app functionality limitations.

(3) Removing in-app ads from games & editing XAML files

Another way developers monetize their apps is through in-app advertising. Developers often take the path of least resistance and it's quite easy to add ads to your app. If apps are popular and the view counts are racking up it could become quite profitable. As a result consumers don't have to pay for some great titles and successful developers can get paid. That all works pretty well unless opportunistic consumers choose to keep the free app but disable ads. To emphasize the importance of mobile app ads, let's mention that some 3rd party estimates put the field at over [figure illegible in source] in overall yearly revenue.

One app that is now (surprisingly) advertising supported on Windows 8 is Microsoft's Minesweeper.

As we've seen previously, the executable of every Windows 8 app can be located easily. Minesweeper is installed locally at C:\Program Files\WindowsApps\Microsoft.MicrosoftMinesweeper_1.1.0.0_x86__8wekyb3d8bbwe. In that folder we can find the file MainPageAd.xaml under the \Common\AdsModule\View folder, alongside other in-app ads used by Minesweeper.

We can make this ad disappear by simply adding the Visibility=Collapsed property to the aforementioned root user control.

After we've made this small change, when we run the Minesweeper app we won't be able to see the ad anymore.

By simply editing XAML files we can hide away in-app ads in Windows 8 apps.

(4) Reducing the cost of in-game items & editing game data files

Most games out there are composed of two distinctive pieces: a game engine and the game data files used by the engine. For more on this dichotomy you can read the great article Battle for Wesnoth from the creative commons book The Architecture of Open Source Applications. Let's look at a real world example in the form of the Windows 8 game Ultraviolet Dawn. The game is my all time favourite iPad game and is a cool 2D space shooter. Like other games, players start off with a certain amount of in-game currency and can buy items to improve their spaceship.

If we go back to the dichotomy we've heard about earlier, we can see how it applies to Ultraviolet Dawn. There's a game engine that knows about “store items” and there's going to be a list somewhere of what they are. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game's data files. As we've previously seen, executables for Windows 8 apps can be located and modified. Specifically, Ultraviolet Dawn can be found here: C:\Program Files\WindowsApps\<publisher>.UltravioletDawn_<version>_x86__<publisher id> (the folder name is garbled in the source). We can open up the “res store items.txt” file and edit the price of in-game items. In our example we'll edit all the weapons to be free.

When we run Ultraviolet Dawn again we can see the price of items in the store is now 0.

We've just shown that using the simplest tools we can edit game files to compromise the experience of Windows 8 games.
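A simple on-disk tamper check of the kind the summary later asks for, covering XAML and data files rather than only DLLs and JS, as an added example that is not code from the article or from any of the games. The package layout and file contents are constructed for the demo; only the file names mirror the ones discussed above:

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256.
    In a real deployment this would be produced at packaging time and signed."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> list:
    """Return [(relpath, 'modified'|'missing'|'added')] sorted by path."""
    current = build_manifest(root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != digest:
            findings.append((rel, "modified"))
    findings += [(rel, "added") for rel in current if rel not in manifest]
    return sorted(findings)


def demo() -> list:
    """Constructed package: an ad XAML page and a store-items data file."""
    with tempfile.TemporaryDirectory() as root:
        view = os.path.join(root, "Common", "AdsModule", "View")
        os.makedirs(view)
        xaml = os.path.join(view, "MainPageAd.xaml")
        items = os.path.join(root, "res store items.txt")
        with open(xaml, "w") as f:
            f.write('<UserControl x:Name="AdRoot">\n</UserControl>\n')
        with open(items, "w") as f:
            f.write("laser_cannon=500\nshield=750\n")
        manifest = build_manifest(root)  # taken at install time
        # Simulated on-disk edits of the kind described in sections 3 and 4.
        with open(xaml, "w") as f:
            f.write('<UserControl x:Name="AdRoot" Visibility="Collapsed">\n'
                    '</UserControl>\n')
        with open(items, "w") as f:
            f.write("laser_cannon=0\nshield=0\n")
        return verify_manifest(root, manifest)
```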

(5) Compromising in-app purchase items & injecting scripts into the IE10 process

Even though we've already shown that in-app purchases are compromisable, I'd like for us to see an example of that with Windows 8 HTML & JS apps. Up until now we've seen examples of C# and C++ apps, so let's see that with WinJS apps. Let's have a look at the massively popular and successful WinJS Windows 8 game Cut the Rope. The game follows a freemium model where the first few levels are free and additional levels cost [price illegible in source] to unlock.

As we know by now, executables for Windows 8 games can be found on the local disk. Specifically, Cut the Rope executables can be found at C:\Program Files\WindowsApps\ZeptoLabUKLimited.CutTheRope_<version>_neutral__<publisher id> (the version and publisher id are garbled in the source). If we open up the default.js file in the js folder we can see the following code that obviously governs the in-app purchasing logic. We can see there are IS_PAID_FULL_VERSION and SIMULATE_PURCHASES variables set to false. One wonders what happens if we change those values to true.

We don't really have to understand the specifics, but we can see there's an if/else condition that determines in-app purchases. We can't directly change Javascript files as that'll corrupt the Javascript package and Windows 8 will refuse to open the app. So instead of changing the files on the local disk, we can inject JS scripts at runtime into the IE10 process.

Visual Studio 2012 has a built-in debugging mechanism for any installed Windows 8 app. Even if that wasn't there we could still easily inject scripts into IE10, but since it is there we can use that familiar tool. Let's use VS2012 to “Debug Installed App Package”. (Here are the Javascript docs, C# docs and C++ docs for those unfamiliar with the feature.)

Next we'll choose to Debug Cut the Rope. Make sure to check the “Stop at first Statement” checkbox since we'll use it to navigate to default.js.

After we click start we can see we're debugging the Cut the Rope app. This is the important bit: we've now got the full force of VS2012 Javascript runtime debugging in a Win8 store app. This first breakpoint will always be the same file at the same row: the first row of the base.js file from the WinJS framework.

Using a smart combination of “Step over” and the Solution Explorer we can set the following breakpoint after the declaration of the variables we've previously seen.

Stepping over this declaration we can then see the following values in our Locals window.

And now using the Immediate Window we can execute any javascript we'd like. For the purpose of this demo we'll set SIMULATE_PURCHASES=true. We could have saved some time by setting IS_PAID_FULL_VERSION=true, but I'd like for us to see this runtime behaviour.

Now when we click the purchase button we can see the Windows 8 in-app purchase simulator. We'll tell it that the purchase was successful.

And now we can see all game levels are unlocked.

We've just shown how to inject arbitrary javascript into a store-bought Win8 WinJS IE10 app, and we've affected the in-app purchase items inventory.

Summary: What have we seen?

We were able to show that the majority of ways games and apps developers make money aren't secure by default on Windows 8. We've shown this for C# & XAML apps (Minesweeper), we've shown this for C# + Direct3D apps (Soulcraft), we've shown this for C++ & Direct3D apps (Ultraviolet Dawn), we've shown this for HTML & WinJS apps (Cut the Rope) and we've shown this for any app using Trial (Meteor Madness).

Let's repeat what we've seen so far, what the root cause of the issue is and what could be done at the framework level to mitigate it:

In-app purchase items storage: In-app purchase is fast becoming the #1 revenue stream for game developers. We've seen we can trick games' local storage into acknowledging consumable items that haven't been purchased. The real problem here is that Windows 8 apps don't have any truly secure location that's inaccessible to the user and can be secured in offline scenarios. One possible improvement here would be for Microsoft to offer such storage for all apps: let developers have a secure encrypted isolated storage by default. Another possibility would be to turn on code obfuscation and minification by default in order to avoid the reverse engineering needed for this exploit.

Trial apps: Trial apps will likely be adopted by around [share illegible in source] of Windows 8 games. We've seen how the Trial licenses are stored in the tokens.dat file and how easy it is to edit it. The real problem here is that Trial apps are downloaded to the client machine with the full unlocked logic embedded in them. One way to fix this issue would be to have developers build two app packages (one limited functionality trial package and one full functionality package) and have those secured by the Win8 store purchasing system.

In-app ads: Mobile advertising in apps is a major industry and a source of revenue for developers. We've shown how by simply editing the XAML files on disk we can turn off ads in games. It shouldn't be possible to tamper with XAML/HTML files and then have them loaded into memory. One improvement Microsoft can undertake here is to have better on-disk tampering checks.

Game data files and in-game items: We've shown game data files can be edited and they'll then be loaded into apps. It shouldn't be possible to modify any game file and then have it loaded into memory. Microsoft could follow the aforementioned recommendation from item #3 to help mitigate this issue.

Injecting arbitrary Javascript affecting in-app purchase: We've seen we can inject any javascript code to run inside the IE10 process for a Win8 WinJS store app. That shouldn't be possible. One possible improvement would be for the IE10 team to lock down the IE10 process to signed scripts only when not on a development machine.

We've seen a myriad of issues and offered potential fixes to them all. Any mildly competent developer can productize these security attack vectors into shipping products. If Microsoft doesn't take it upon itself to fix these security attack vectors, it's not because it couldn't; it's because it chooses not to.

What haven't we been able to do?

What has been fixed since early Win8 betas is that editing DLLs or HTML/JS files on the disk is no longer possible. When that's attempted the code integrity system kicks in, verifies file hashes and prevents app execution. One is left to wonder how secure those AppxBlockMap.xml hashes really are and whether they can be reverse engineered to be generated on the client side.

Heartfelt disclaimers

Games: The games appearing in this article are awesome and you should buy them and give them money. I've been a generous benefactor of each game and so should you; go download them and give them money. In order of appearance in the article: Soulcraft, Meteor Madness, Minesweeper, Ultraviolet Dawn and Cut The Rope.

Game developers: The game developers for the aforementioned games are professionals. For the most part you can't work around a broken platform. There's nothing “obvious” about any of these issues.

Article format: This is an educational article written in the hope that both developers and Microsoft can benefit from an open exchange of knowledge.

My employer: I have an employer and they had nothing to do with this article. Both the research and the authoring of this article were undertaken in my leisure time.

Feedback

Questions? Rebuttals? Thoughtful discussion? Sound off in the comments below. Remember to read the previous article “Reverse Engineering and Modifying Windows 8 apps” if anything is unclear, as it outlines many of the techniques used here.

-- Justin Angel. Published on 12/10/2012 12:00:00 AM by Justin Angel ©2012. This work is licensed under a Creative Commons Attribution 3.0 Unported License.
