This is Google's cache of It is a snapshot of the page as it appeared on 11 Dec 2012 03:17:37 GMT.

The current page could have changed in the meantime. Learn more Tip: To quickly find your search term on this page, press Ctrl+F or ⌘-F (Mac) and use the find bar. Text-only version

Hacking Windows 8 Games

HI folks, This article is a follow-up to my previous 2011 article on Reverse Engineering and Modifying Windows 8 apps. In this article we’ll see how to use innate Windows 8 security attack vectors in such a way that could compromise Windows 8 games revenue stream. We’ll review real-world examples for all Win8 programming languages and frameworks.

But first, why Games?
In the previous article we’ve seen security loopholes affecting all Windows 8 apps. However in this article we’ll focus on how to use these techniques to compromise games security. The reason we’ll be focusing on games is that they account for 51%+ of developer revenue on

For example we can see from official Microsoft statistics that 64% of app purchases on Windows Phone 7 are for games. games account for the majority of developer revenue. #1: Compromising in-app purchases by modifying IsoStore The Win8 game Soulcraft is a top game on Android and is subjectively one of best examples of its genre on Windows 8.every mobile developer platform. its got equipment and you pay with gold with gold to buy better equipment. It’s a basic RPG where you play an archangel battling the forces of evil in stylish 3D. Let me repeat that. It’s important to mention the methods shown in this article can be applied to every app and not just games. Google IO 2012 had this great slide illustrating all the ways a mobile app developer can get paid: In this article we’ll show how insecure each of those payment streams are on Windows 8 with real-world examples from game development. The majority of mobile apps make their money from a combination of in-app ads. You’ve got a character. The gold has to be purchased for real money using the platform’s in-app . in-app purchases or paid app downloads.

For example on Android here are the prices for gold: I’ve spent 20$+ on game gold for Soulcraft THD on my Google Nexus 7 so far.8. all IsoStore files are stored at: C:\Users\<username>\AppData\Local\Packages\ So on my machine Soulcraft’s IsoStore is at: C:\Users\Justin\AppData\Local\Packages\MobileBits GmbH.SoulCraft_n3knxnwpdbgdc\LocalState .SoulCraft_0.purchase. and whether or not we can change it. 5.3_neutral__n3knxnwpdbgdc Also. Quick refresher from the previous article all Windows 8 apps are stored on your local HD at: C:\Program Files\WindowsApps So for example all the assemblies for Soulcraft on Windows 8 will be stored at: C:\Program Files\WindowsApps\MobileBitsGmbH. So I asked myself how does that game’s gold data gets stored on Windows 8.

Using dotPeek/ILSpy/JustDecompile it’s possible to reverse engineer most of the Soulcraft source code and find out how the AccountData. But we should remember this is all running on the local machine. edit the amount of gold our character has and simply run the game? Well.xml gets stored and how to change it. Normally encrypted files are bad news if you’re trying to tamper with apps. as it turns out the answer is “Yes”. We have the algorithm used for encryption. Let’s assume we’ve done that and we know which classes and assemblies are used to decrypt. edit and encrypt this XML file.When opening up these files in Notepad we can see some of these files are encrypted while others are not. we have the hash key and we have the encrypted data.xml file. We’ll start off by create a new Win8 app and reference the appropriate DLLs from the Soulcraft game. can we decrypt the AccountData. . So now the question becomes. Once we have all of those it’s pretty simple to decrypt anything.

Now we’ve staged a new app with the proper assemblies and populated IsoStore with Soulcraft’s Data.000. For example this code would load up AccountData. edit the amount of gold and save it again. Here’s the before and after of the XML file: Copying the file back to Soulcraft’s IsoStore and starting Soulcraft we can see a first level character with 1.xml. .000 gold. Without a secure storage location for game state. we can’t be surprised that 3rd party cracking will arise to make consumers avoid in-app purchases. True.Next. since these assemblies read files from IsoStore we’ll copy the encrypted game files to our own App2 IsoStore. but this fake in-game money would be worth over a thousand dollar on Android and iOS. At this point some of you must be thinking “so what? it’s fake game money”. The next step is to reverse engineer the assemblies and figure out the correct calling order for methods.

Note the “Buy now” rock at the bottom left and the locked “Arcade” game rock on the top right. It also happens to be open source so you can go check that out too. At the same time consumers tend to be loss averse and are afraid to “lose” money on apps. .5$USD and offers a free trial with limited functionality. Meteor madness costs 1. The solution to that are Trial apps.#2: Cracking trial apps to paid versions for free One of the top revenue streams for Windows 8 developers is by shipping paid apps. When downloading the app as a trial we can see that it offers the options to buy the game and locks some game options. Let’s have a look at Meteor Madness. It’s a cool arcade asteroid shooter game. To emphasize the impact of this problem we can look at the Windows Phone ecosystem where 45% of paid apps offer trials. That works fine unless consumers attempt to manipulate this tentative status-quo by cracking trial apps. Paid apps can offer a free version with limited functionality or on a time limited basis.

One of the problems with allowing offline execution of trial apps is that it mandates the “trial flag” to be stored locally. read it and modify it. we can find it. if it’s stored locally. Specifically the License for Windows 8 apps is stored in the following file: C:\Windows\ServiceProfiles\LocalService\AppData\L ocal\Microsoft\WSLicense\tokens. And as we’ve seen.dat When we open this file up in Notepad we can find the license for Meteor Madness and where it says it’s a trial purchase.In the previous section we’ve seen there’s a fundamental problem when storing game data on Windows 8. Such as free apps. There’s a lot . Storing encrypted data locally. alongside with the algorithm and the algorithm key/hash is a recipe for security incidents. Here for example if the “Full” installation of Bing. shows the License XMLs and modifies it as a “Full Preinstalled” license. paid apps and preinstalled apps. in the same file we can see there are other apps installed. An educational WinForms app named WSService_crk loads this file into memory. Also.

going on here other then simply reading and modifying files. When running Meteor Madness now we can see that it no longer has any trial app functionality limitations. WSService_crk has to decrypt the file. When opening up WSService_crk on my machine shows the following list of installs apps. #3: Removing in-app ads from games by editing XAML files Another way developers monetize their apps is through in-app advertising. If apps are popular and the viewcounts are racking . All of that is documented with WSService_crk as it’s distributed with full source code. Developers often take the path of least resistance and it’s quite easy to add ads to your app. re-encrypt it and then store it. WSService_crk can then show the current license and even modify it from a Trial to a Full Preinstalled License.

That all works pretty well unless opportunistic consumers choose to keep the free app but disable ads.0_x86__8wekyb3d8bbwe In that folder we can find the file MainPageAd. Alongside with other in-app ads used by Minesweeper. As we’ve seen previously the executable of all Windows 8 apps can be located easily.xaml under the \Common\AdsModule\View folder.MicrosoftMinesweepe r_1.0. One app that is now (surprisingly) advertising supported on Windows 8 is Microsoft’s Minesweeper.1. As a result consumers don’t have to pay for some great titles and successful developers can get paid. To emphasize the importance of mobile app ads let’s mention that some 3rd party estimates put the field at over 10B in overall yearly revenue.up it could become quite profitable. . Minesweeper is installed locally at: C:\Program Files\WindowsApps\Microsoft.

For more on this dichotomy you can read this great article Battle for Wesnoth from the creative commons book The Architecture of Open Source Applications. when we run the Minesweeper app we won’t be able to see the ad anymore. Like other games players start-off with a certain amount of in-game currency and can buy items to . #4: Reducing the cost of in-game items by editing game data files Most games out there are composed of two distinctive pieces: a game engine and game data files used by the engine. By simply editing XAML files we can hide away in-apps ads from Windows 8 ads. The game is my all time favourite iPad game and is a cool 2D space shooter. After we’ve made this small change.We can make this ad disappear by simply adding the Visibility=”Collapsed” property to the aforementioned root user control. Let’s look at a real world example in the form of the windows 8 game Ultraviolet Dawn.

txt” file and edit the price of in-game items.0. Specifically. In our example we’ll edit all the weapons to be free. There’s a game engine that knows about “store items” and there’s going to be a list somewhere of what they are. 0.improve their spaceship. We’ve just shown that using the simplest tools we can . As we’ve previously seen executables for windows 8 apps can be located and modified. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game’s data files. Ultraviolet’s Dawn can be found here: C:\Program Files\WindowsApps\8DF9EE77.UltravioletDawn_1. When we run Ultraviolet Dawn again we can see the price of items in the store is now 0. If we go back to the dichotomy we’ve heard about earlier then we can see how it applies to Ultraviolet Dawn.37_x86__dd4ev9dvfndxm We can open up the “res_store_items.

We can see there are IS_PAID_FULL_VERSION and SIMULATE_PURCHASES .edit game files to compromise the experience of Windows 8 games. Let’s have a look at the massively popular and successful WInJS Windows 8 game Cut the Rope.9_neutral__sq9zxnwrk84pj If we open up the default. The game follows a freemium model where the first few levels are free and additional levels cost 4. #5: Compromising In-app purchase items by injecting scripts into the IE10 process Even though we’ve already shown that in-app purchases are comprisable I’d like for us to see an example of that with Windows 8 HTML & JS apps. As we know by now executables for Windows 8 games can be found on the local disk.CutTheRop e_1.js file in the js folder we can see the following code that obviously governs the in-app purchasing logic.0. Specifically Cut the Rope executeables can be found at: C:\Program Files\WindowsApps\ZeptoLabUKLimited. Up until now we’ve seen examples of C# and C++ apps.1.99$ to unlock. so let’s see that with WinJS apps.

We don’t really have to understand the specifics but we can see there’s an if-else condition that determines inapp purchases.js. One wonder what happens if we change those values to true. Make sure to check the “Stop at first Statement” checkbox since we’ll use it to navigate to default. but since it is there we can use that familiar tool. C# docs and C++ docs to those unfamiliar with the feature) Next we’ll choose to Debug Cut The Rope. (Here are the Jacascript docs.variables set to false. We can’t directly change Javascript files as that’ll corrupt the Javascript package and Windows 8 will refuse to open the app. . we can inject JS scripts at runtime into IE10 process. So instead of changing the files on the local disk. Let’s use VS2012 to “Debug Installed App Package”. Visual Studio 2012 has a built-in debugging mechanism for any installed Windows 8 app. Even if that wasn’t there we could still easily inject scripts to IE10.

This first breakpoint will always be the same file at the same row: the first row of the base. This is the important bit. but I’d like for us to see this runtime behaviour. For the purpose of this demo we’ll set SIMULATE_PURCHASES=true. Using a smart combination of “Step over” and using the Solution Explorer we can set the following breakpoint after setting the variables we’ve previously seen.After we click start we can see we’re debugging the Cut the Rope app. . And now using the Immediate Window we can execute any javascript we’d like. Stepping over this deceleration we can then see the following values in our Locals window. We could have saved some time by setting IS_PAID_FULL_VERSION=true. we’ve now got the full force of VS2012 Javascript runtime debugging in a Win8 store app.js file from the WinJS framework.

. We’ll tell it that the purchase was successful. We’ve just shown how to inject arbitrary javascript into a Win8 store bought WinJS IE10 app and we’ve affected inapp purchase items inventory. we’ve shown this for HTML & WinJS apps (Cut the Rope) and we’ve shown this for any app using Trial (Meteor Madness). We’ve shown this for C# & XAML apps (Minesweeper). And now we can see all game levels are unlocked.Now when we click the purchase button we can see Windows 8 in-app purchase simulator. Summary: What have we seen? We were able to show that the majority of ways games and apps developers would make money aren’t secure by default on Windows 8. we’ve shown this for C++ & Direct3D apps (Ultraviolet Dawn). we’ve shown this for C# + Direct3D apps (Soulcraft).

In-apps ads: Mobile advertising in apps is a major industry and a source of revenue for developers. Also. Trial apps: Trial apps will likely be adopted by around 50% of Windows 8 games. One way to fix this issue would be to have developers build two app packages (one limited functionality trial package and one full functionality package) and have those secured by the Win8 store purchasing system.dat file and how easy it is to edit it. Let developers have a secure encrypted isolated storage by default. We’ve shown how by simply editing the XAML files on disk we can turn off ads in games. It shouldn’t be possible to tamper with XAML/HTML files and then . One possible improvement here would be for Microsoft to offer such storage for all apps. what the root cause of the issue is and what could be done at the framework level to mitigate this issue: In-app purchase items Storage: In-app purchase is fast becoming the #1 revenue stream for game developers.Let’s repeat what we’ve seen so far. The real problem here is that Trial apps are downloaded to the client machine with the full unlocked logic embedded in them. another possibility would be to turn on code obfuscation and minification by default in order to avoid the reverse engineering needed for this exploit. The real problem here is that Windows 8 apps don’t have any truly secure location that’s inaccessible to the user and can be secured in offline scenarios. We’ve seen we can trick games local storage to acknowledge consumable items that haven’t been purchased. We’ve seen how the Trial licenses are stored in the Tokens.

One improvement Microsoft can undertake here is have better on-disk tampering checks. Microsoft could follow tothe aforementioned recommendation from item #3 to help mitigate this issue. When that’s attempted the code integrity system kicks-in verifies file hashes and prevents app execution. One is left to wonder about how secure those AppxBlockMap. What haven’t we been able to do? What has been fixed since early Win8 betas is editing DLLs or HTML/JS files on the disk is no longer possible.have them loaded to memory. It shouldn’t be possible to modify any game file and then have it loaded to memory.xml hashes really are and if they can be reversed engineer to . Any mildly competent developer can productize these security attack vectors into shipping products. We’ve seen a myriad of issues and offered potential fixes to them all. it’s because it chooses not to. If Microsoft doesn’t take it upon itself to fix these security attack vectors it’s not because it couldn’t. That shouldn’t be possible. Game data files and in-game items: We’ve shown game data files can be edited and they’ll then be loaded into apps. One possible improvement would be for the IE10 team to lock down the IE10 process for signed scripts only when not on a development machine. Injecting arbitrary Javascript affecting in-app purchase: We’ve seen we can inject any javascript code to run inside the IE10 process for a Win8 WinJS store app.

Remember to read the previous article “Reverse Engineering and Modifying Windows 8 apps” if anything is unclear as it outlines many of the techniques used here. generated on the client side. For the most part you can’t work around a broken platform. I’ve been a generous benefactor of each game and so should you! go download them and give them money. Article format: This is an educational article written in the hope both developers and Microsoft can benefit from an open exchange of knowledge. Heartfelt disclaimers Games: The games appearing in this article are awesome and you should buy them and give them money. Ultraviolet Dawn and Cut The Rope. Both research and authoring this article was undertaken at my leisure time. Feedback Questions? Rebuttals? Thoughtful discussion? Sound off in the comments below. My employer: I have an employer and they had nothing to do with this article. In order of appearance in article: Soulcraft. . Game developers: The game developers for the aforementioned games are professionals. There’s nothing “obvious” about any of these issues. Meteor Madness.

0 Unported . This work is licensed under a Creative Commons Attribution 3. Comments Search: http://justinangel.Justin Angel Published on 12/10/2012 12:00:00 AM by Justin Angel ©2012.

Sign up to vote on this title
UsefulNot useful