You are on page 1of 19

This is Google's cache of http://justinangel.net/HackingWindows8Games. It is a snapshot of the page as it appeared on 11 Dec 2012 03:17:37 GMT.

The current page could have changed in the meantime. Learn more Tip: To quickly find your search term on this page, press Ctrl+F or ⌘-F (Mac) and use the find bar. Text-only version

Hacking Windows 8 Games

JustinAngel
HI folks, This article is a follow-up to my previous 2011 article on Reverse Engineering and Modifying Windows 8 apps. In this article we’ll see how to use innate Windows 8 security attack vectors in such a way that could compromise Windows 8 games revenue stream. We’ll review real-world examples for all Win8 programming languages and frameworks.

But first, why Games?
In the previous article we’ve seen security loopholes affecting all Windows 8 apps. However in this article we’ll focus on how to use these techniques to compromise games security. The reason we’ll be focusing on games is that they account for 51%+ of developer revenue on

For example we can see from official Microsoft statistics that 64% of app purchases on Windows Phone 7 are for games. The majority of mobile apps make their money from a combination of in-app ads. games account for the majority of developer revenue. its got equipment and you pay with gold with gold to buy better equipment. Let me repeat that. You’ve got a character.every mobile developer platform. It’s important to mention the methods shown in this article can be applied to every app and not just games. in-app purchases or paid app downloads. The gold has to be purchased for real money using the platform’s in-app . #1: Compromising in-app purchases by modifying IsoStore The Win8 game Soulcraft is a top game on Android and is subjectively one of best examples of its genre on Windows 8. Google IO 2012 had this great slide illustrating all the ways a mobile app developer can get paid: In this article we’ll show how insecure each of those payment streams are on Windows 8 with real-world examples from game development. It’s a basic RPG where you play an archangel battling the forces of evil in stylish 3D.

SoulCraft_n3knxnwpdbgdc\LocalState .3_neutral__n3knxnwpdbgdc Also. So I asked myself how does that game’s gold data gets stored on Windows 8.purchase. For example on Android here are the prices for gold: I’ve spent 20$+ on game gold for Soulcraft THD on my Google Nexus 7 so far. and whether or not we can change it. Quick refresher from the previous article all Windows 8 apps are stored on your local HD at: C:\Program Files\WindowsApps So for example all the assemblies for Soulcraft on Windows 8 will be stored at: C:\Program Files\WindowsApps\MobileBitsGmbH. 5.SoulCraft_0.8. all IsoStore files are stored at: C:\Users\<username>\AppData\Local\Packages\ So on my machine Soulcraft’s IsoStore is at: C:\Users\Justin\AppData\Local\Packages\MobileBits GmbH.

We have the algorithm used for encryption. But we should remember this is all running on the local machine. edit the amount of gold our character has and simply run the game? Well. . we have the hash key and we have the encrypted data.xml gets stored and how to change it. edit and encrypt this XML file. So now the question becomes.xml file. We’ll start off by create a new Win8 app and reference the appropriate DLLs from the Soulcraft game. Using dotPeek/ILSpy/JustDecompile it’s possible to reverse engineer most of the Soulcraft source code and find out how the AccountData. Normally encrypted files are bad news if you’re trying to tamper with apps. Once we have all of those it’s pretty simple to decrypt anything. Let’s assume we’ve done that and we know which classes and assemblies are used to decrypt. can we decrypt the AccountData. as it turns out the answer is “Yes”.When opening up these files in Notepad we can see some of these files are encrypted while others are not.

Without a secure storage location for game state. but this fake in-game money would be worth over a thousand dollar on Android and iOS.000. we can’t be surprised that 3rd party cracking will arise to make consumers avoid in-app purchases. .Next. Here’s the before and after of the XML file: Copying the file back to Soulcraft’s IsoStore and starting Soulcraft we can see a first level character with 1.xml. The next step is to reverse engineer the assemblies and figure out the correct calling order for methods. True.000 gold. For example this code would load up AccountData. At this point some of you must be thinking “so what? it’s fake game money”. since these assemblies read files from IsoStore we’ll copy the encrypted game files to our own App2 IsoStore. edit the amount of gold and save it again. Now we’ve staged a new app with the proper assemblies and populated IsoStore with Soulcraft’s Data.

Let’s have a look at Meteor Madness. It’s a cool arcade asteroid shooter game. Meteor madness costs 1.5$USD and offers a free trial with limited functionality. That works fine unless consumers attempt to manipulate this tentative status-quo by cracking trial apps. When downloading the app as a trial we can see that it offers the options to buy the game and locks some game options. Note the “Buy now” rock at the bottom left and the locked “Arcade” game rock on the top right. It also happens to be open source so you can go check that out too. To emphasize the impact of this problem we can look at the Windows Phone ecosystem where 45% of paid apps offer trials. Paid apps can offer a free version with limited functionality or on a time limited basis. . At the same time consumers tend to be loss averse and are afraid to “lose” money on apps.#2: Cracking trial apps to paid versions for free One of the top revenue streams for Windows 8 developers is by shipping paid apps. The solution to that are Trial apps.

In the previous section we’ve seen there’s a fundamental problem when storing game data on Windows 8. read it and modify it. There’s a lot . And as we’ve seen. alongside with the algorithm and the algorithm key/hash is a recipe for security incidents. paid apps and preinstalled apps. An educational WinForms app named WSService_crk loads this file into memory. Also. we can find it. shows the License XMLs and modifies it as a “Full Preinstalled” license. Storing encrypted data locally. Such as free apps.dat When we open this file up in Notepad we can find the license for Meteor Madness and where it says it’s a trial purchase. if it’s stored locally. Here for example if the “Full” installation of Bing. in the same file we can see there are other apps installed. One of the problems with allowing offline execution of trial apps is that it mandates the “trial flag” to be stored locally. Specifically the License for Windows 8 apps is stored in the following file: C:\Windows\ServiceProfiles\LocalService\AppData\L ocal\Microsoft\WSLicense\tokens.

When running Meteor Madness now we can see that it no longer has any trial app functionality limitations. When opening up WSService_crk on my machine shows the following list of installs apps. WSService_crk can then show the current license and even modify it from a Trial to a Full Preinstalled License. #3: Removing in-app ads from games by editing XAML files Another way developers monetize their apps is through in-app advertising. re-encrypt it and then store it. All of that is documented with WSService_crk as it’s distributed with full source code.going on here other then simply reading and modifying files. If apps are popular and the viewcounts are racking . WSService_crk has to decrypt the file. Developers often take the path of least resistance and it’s quite easy to add ads to your app.

That all works pretty well unless opportunistic consumers choose to keep the free app but disable ads.up it could become quite profitable.xaml under the \Common\AdsModule\View folder.1. . As we’ve seen previously the executable of all Windows 8 apps can be located easily. As a result consumers don’t have to pay for some great titles and successful developers can get paid. One app that is now (surprisingly) advertising supported on Windows 8 is Microsoft’s Minesweeper. Alongside with other in-app ads used by Minesweeper.MicrosoftMinesweepe r_1.0.0_x86__8wekyb3d8bbwe In that folder we can find the file MainPageAd. Minesweeper is installed locally at: C:\Program Files\WindowsApps\Microsoft. To emphasize the importance of mobile app ads let’s mention that some 3rd party estimates put the field at over 10B in overall yearly revenue.

Let’s look at a real world example in the form of the windows 8 game Ultraviolet Dawn. Like other games players start-off with a certain amount of in-game currency and can buy items to . For more on this dichotomy you can read this great article Battle for Wesnoth from the creative commons book The Architecture of Open Source Applications. By simply editing XAML files we can hide away in-apps ads from Windows 8 ads. when we run the Minesweeper app we won’t be able to see the ad anymore.We can make this ad disappear by simply adding the Visibility=”Collapsed” property to the aforementioned root user control. #4: Reducing the cost of in-game items by editing game data files Most games out there are composed of two distinctive pieces: a game engine and game data files used by the engine. After we’ve made this small change. The game is my all time favourite iPad game and is a cool 2D space shooter.

In our example we’ll edit all the weapons to be free.txt” file and edit the price of in-game items.37_x86__dd4ev9dvfndxm We can open up the “res_store_items.improve their spaceship. Ultraviolet’s Dawn can be found here: C:\Program Files\WindowsApps\8DF9EE77. 0. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game’s data files. There’s a game engine that knows about “store items” and there’s going to be a list somewhere of what they are.UltravioletDawn_1. If we go back to the dichotomy we’ve heard about earlier then we can see how it applies to Ultraviolet Dawn.0. We’ve just shown that using the simplest tools we can . When we run Ultraviolet Dawn again we can see the price of items in the store is now 0. Specifically. As we’ve previously seen executables for windows 8 apps can be located and modified.

The game follows a freemium model where the first few levels are free and additional levels cost 4.edit game files to compromise the experience of Windows 8 games. so let’s see that with WinJS apps. Let’s have a look at the massively popular and successful WInJS Windows 8 game Cut the Rope. We can see there are IS_PAID_FULL_VERSION and SIMULATE_PURCHASES . Specifically Cut the Rope executeables can be found at: C:\Program Files\WindowsApps\ZeptoLabUKLimited.9_neutral__sq9zxnwrk84pj If we open up the default.1. #5: Compromising In-app purchase items by injecting scripts into the IE10 process Even though we’ve already shown that in-app purchases are comprisable I’d like for us to see an example of that with Windows 8 HTML & JS apps. As we know by now executables for Windows 8 games can be found on the local disk.99$ to unlock. Up until now we’ve seen examples of C# and C++ apps.CutTheRop e_1.0.js file in the js folder we can see the following code that obviously governs the in-app purchasing logic.

One wonder what happens if we change those values to true. (Here are the Jacascript docs. Even if that wasn’t there we could still easily inject scripts to IE10. So instead of changing the files on the local disk. C# docs and C++ docs to those unfamiliar with the feature) Next we’ll choose to Debug Cut The Rope. Let’s use VS2012 to “Debug Installed App Package”. . Make sure to check the “Stop at first Statement” checkbox since we’ll use it to navigate to default. we can inject JS scripts at runtime into IE10 process. We don’t really have to understand the specifics but we can see there’s an if-else condition that determines inapp purchases. Visual Studio 2012 has a built-in debugging mechanism for any installed Windows 8 app.variables set to false. but since it is there we can use that familiar tool. We can’t directly change Javascript files as that’ll corrupt the Javascript package and Windows 8 will refuse to open the app.js.

Using a smart combination of “Step over” and using the Solution Explorer we can set the following breakpoint after setting the variables we’ve previously seen. we’ve now got the full force of VS2012 Javascript runtime debugging in a Win8 store app. Stepping over this deceleration we can then see the following values in our Locals window.After we click start we can see we’re debugging the Cut the Rope app. but I’d like for us to see this runtime behaviour. And now using the Immediate Window we can execute any javascript we’d like.js file from the WinJS framework. For the purpose of this demo we’ll set SIMULATE_PURCHASES=true. We could have saved some time by setting IS_PAID_FULL_VERSION=true. This first breakpoint will always be the same file at the same row: the first row of the base. This is the important bit. .

We’ve just shown how to inject arbitrary javascript into a Win8 store bought WinJS IE10 app and we’ve affected inapp purchase items inventory. We’ll tell it that the purchase was successful. . we’ve shown this for C# + Direct3D apps (Soulcraft).Now when we click the purchase button we can see Windows 8 in-app purchase simulator. we’ve shown this for HTML & WinJS apps (Cut the Rope) and we’ve shown this for any app using Trial (Meteor Madness). We’ve shown this for C# & XAML apps (Minesweeper). And now we can see all game levels are unlocked. Summary: What have we seen? We were able to show that the majority of ways games and apps developers would make money aren’t secure by default on Windows 8. we’ve shown this for C++ & Direct3D apps (Ultraviolet Dawn).

We’ve seen how the Trial licenses are stored in the Tokens. what the root cause of the issue is and what could be done at the framework level to mitigate this issue: In-app purchase items Storage: In-app purchase is fast becoming the #1 revenue stream for game developers. We’ve shown how by simply editing the XAML files on disk we can turn off ads in games. One possible improvement here would be for Microsoft to offer such storage for all apps. Trial apps: Trial apps will likely be adopted by around 50% of Windows 8 games. The real problem here is that Trial apps are downloaded to the client machine with the full unlocked logic embedded in them. Let developers have a secure encrypted isolated storage by default.dat file and how easy it is to edit it. The real problem here is that Windows 8 apps don’t have any truly secure location that’s inaccessible to the user and can be secured in offline scenarios. It shouldn’t be possible to tamper with XAML/HTML files and then . In-apps ads: Mobile advertising in apps is a major industry and a source of revenue for developers. We’ve seen we can trick games local storage to acknowledge consumable items that haven’t been purchased.Let’s repeat what we’ve seen so far. One way to fix this issue would be to have developers build two app packages (one limited functionality trial package and one full functionality package) and have those secured by the Win8 store purchasing system. Also. another possibility would be to turn on code obfuscation and minification by default in order to avoid the reverse engineering needed for this exploit.

Microsoft could follow tothe aforementioned recommendation from item #3 to help mitigate this issue. Game data files and in-game items: We’ve shown game data files can be edited and they’ll then be loaded into apps. One is left to wonder about how secure those AppxBlockMap.xml hashes really are and if they can be reversed engineer to . Any mildly competent developer can productize these security attack vectors into shipping products. it’s because it chooses not to. Injecting arbitrary Javascript affecting in-app purchase: We’ve seen we can inject any javascript code to run inside the IE10 process for a Win8 WinJS store app. One possible improvement would be for the IE10 team to lock down the IE10 process for signed scripts only when not on a development machine. When that’s attempted the code integrity system kicks-in verifies file hashes and prevents app execution. It shouldn’t be possible to modify any game file and then have it loaded to memory.have them loaded to memory. That shouldn’t be possible. What haven’t we been able to do? What has been fixed since early Win8 betas is editing DLLs or HTML/JS files on the disk is no longer possible. One improvement Microsoft can undertake here is have better on-disk tampering checks. If Microsoft doesn’t take it upon itself to fix these security attack vectors it’s not because it couldn’t. We’ve seen a myriad of issues and offered potential fixes to them all.

Feedback Questions? Rebuttals? Thoughtful discussion? Sound off in the comments below. My employer: I have an employer and they had nothing to do with this article. Article format: This is an educational article written in the hope both developers and Microsoft can benefit from an open exchange of knowledge.be generated on the client side. Ultraviolet Dawn and Cut The Rope. Meteor Madness. . In order of appearance in article: Soulcraft. Remember to read the previous article “Reverse Engineering and Modifying Windows 8 apps” if anything is unclear as it outlines many of the techniques used here. Minesweeper. Heartfelt disclaimers Games: The games appearing in this article are awesome and you should buy them and give them money. There’s nothing “obvious” about any of these issues. Game developers: The game developers for the aforementioned games are professionals. Both research and authoring this article was undertaken at my leisure time. For the most part you can’t work around a broken platform. I’ve been a generous benefactor of each game and so should you! go download them and give them money.

Comments Search: http://justinangel.0 Unported License.-.Justin Angel Published on 12/10/2012 12:00:00 AM by Justin Angel ©2012.net/Feed . This work is licensed under a Creative Commons Attribution 3.