C:\Program Files\WindowsApps
So, for example, all the assemblies for Soulcraft on Windows 8 will be stored at:
C:\Program Files\WindowsApps\MobileBitsGmbH.SoulCraft_0.8.5.3_neutral__n3knxnwpdbgdc
Also, all IsoStore files are stored at:
C:\Users\<username>\AppData\Local\Packages\
So on my machine Soulcraft’s IsoStore is at:
C:\Users\Justin\AppData\Local\Packages\MobileBitsGmbH.SoulCraft_n3knxnwpdbgdc\LocalState
When opening up these files in Notepad we can see that some of these files are encrypted while others are not. So now the question becomes: can we decrypt the AccountData.xml file, edit the amount of gold our character has and simply run the game? Well, as it turns out, the answer is “Yes”. Normally encrypted files are bad news if you’re trying to tamper with apps. But we should remember this is all running on the local machine. We have the algorithm used for encryption, we have the hash key and we have the encrypted data. Once we have all of those it’s pretty simple to decrypt anything.
Using dotPeek/ILSpy/JustDecompile it’s possible to reverse engineer most of the Soulcraft source code and find out how the AccountData.xml gets stored and how to change it. Let’s assume we’ve done that and we know which classes and assemblies are used to decrypt, edit and encrypt this XML file. We’ll start off by creating a new Win8 app and referencing the appropriate DLLs from the Soulcraft game.
Next, since these assemblies read files from IsoStore, we’ll copy the encrypted game files to our own App2 IsoStore. Now we’ve staged a new app with the proper assemblies and populated IsoStore with Soulcraft’s data. The next step is to reverse engineer the assemblies and figure out the correct calling order for methods. For example, this code would load up AccountData.xml, edit the amount of gold and save it again. Here’s the before and after of the XML file:
Copying the file back to Soulcraft’s IsoStore and starting Soulcraft, we can see a first level character with 1,000,000 gold. At this point some of you must be thinking “so what? it’s fake game money”. True, but this fake in-game money would be worth over a thousand dollars on Android and iOS. Without a secure storage location for game state, we can’t be surprised that 3rd party cracking will arise to make consumers avoid in-app purchases.
#2: Cracking trial apps to paid versions for free
One of the top revenue streams for Windows 8 developers is shipping paid apps. At the same time consumers tend to be loss averse and are afraid to “lose” money on apps. The solution to that is trial apps: paid apps can offer a free version with limited functionality or on a time-limited basis. That works fine unless consumers attempt to manipulate this tentative status quo by cracking trial apps. To emphasize the impact of this problem we can look at the Windows Phone ecosystem, where 45% of paid apps offer trials.
Let’s have a look at Meteor Madness. It’s a cool arcade asteroid shooter game. Meteor Madness costs $1.5 USD and offers a free trial with limited functionality. It also happens to be open source so you can go check that out too. When downloading the app as a trial we can see that it offers the option to buy the game and locks some game options. Note the “Buy now” rock at the bottom left and the locked “Arcade” game rock on the top right.
In the previous section we’ve seen there’s a fundamental problem when storing game data on Windows 8. Storing encrypted data locally, alongside the algorithm and the algorithm key/hash, is a recipe for security incidents. One of the problems with allowing offline execution of trial apps is that it mandates the “trial flag” to be stored locally. And as we’ve seen, if it’s stored locally, we can find it, read it and modify it. Specifically, the license for Windows 8 apps is stored in the following file:
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WSLicense\tokens.dat
When we open this file up in Notepad we can find the license for Meteor Madness and where it says it’s a trial purchase. Also, in the same file we can see there are other apps installed, such as free apps, paid apps and preinstalled apps. Here, for example, is the “Full” installation of Bing. An educational WinForms app named WSService_crk loads this file into memory, shows the license XMLs and modifies it as a “Full Preinstalled” license. There’s a lot going on here other than simply reading and modifying files: WSService_crk has to decrypt the file, re-encrypt it and then store it. All of that is documented with WSService_crk as it’s distributed with full source code. Opening up WSService_crk on my machine shows the following list of installed apps. WSService_crk can then show the current license and even modify it from a Trial to a Full Preinstalled license. When running Meteor Madness now we can see that it no longer has any trial app functionality limitations.
#3: Removing in-app ads from games by editing XAML files
Another way developers monetize their apps is through in-app advertising. Developers often take the path of least resistance, and it’s quite easy to add ads to your app. If apps are popular and the view counts are racking up it could become quite profitable. As a result consumers don’t have to pay for some great titles and successful developers can get paid. That all works pretty well unless opportunistic consumers choose to keep the free app but disable ads. To emphasize the importance of mobile app ads, some 3rd party estimates put the field at over 10B in overall yearly revenue. One app that is now (surprisingly) advertising supported on Windows 8 is Microsoft’s Minesweeper. As we’ve seen previously, the executables of all Windows 8 apps can be located easily. Minesweeper is installed locally at:
C:\Program Files\WindowsApps\Microsoft.MicrosoftMinesweeper_1.1.0.0_x86__8wekyb3d8bbwe
In that folder we can find the file MainPageAd.xaml under the \Common\AdsModule\View folder, alongside other in-app ads used by Minesweeper.
We can make this ad disappear by simply adding the Visibility="Collapsed" property to the aforementioned root user control. After we’ve made this small change, when we run the Minesweeper app we won’t be able to see the ad anymore. By simply editing XAML files we can hide in-app ads in Windows 8 apps.
#4: Reducing the cost of in-game items by editing game data files
Most games out there are composed of two distinct pieces: a game engine and game data files used by the engine. For more on this dichotomy you can read the great article Battle for Wesnoth from the Creative Commons book The Architecture of Open Source Applications. Let’s look at a real world example in the form of the Windows 8 game Ultraviolet Dawn. The game, my all-time favourite iPad game, is a cool 2D space shooter. Like in other games, players start off with a certain amount of in-game currency and can buy items to improve their spaceship. If we go back to the dichotomy we’ve heard about earlier we can see how it applies to Ultraviolet Dawn: there’s a game engine that knows about “store items” and there’s going to be a list somewhere of what they are. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game’s data files. As we’ve previously seen, executables for Windows 8 apps can be located and modified. Specifically, Ultraviolet Dawn can be found here:
C:\Program Files\WindowsApps\8DF9EE77.UltravioletDawn_1.0.0.37_x86__dd4ev9dvfndxm
We can open up the “res_store_items.txt” file and edit the price of in-game items. In our example we’ll edit all the weapons to be free. When we run Ultraviolet Dawn again we can see the price of items in the store is now 0.
We’ve just shown that using the simplest tools we can edit game files to compromise the experience of Windows 8 games.
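Both edits above (the collapsed ad control in #3 and the zeroed prices in #4) leave the package’s files different from what the developer shipped, which is exactly what a release-time manifest can surface. The Python below is an added example written for this page, not code from the article or from Minesweeper or Ultraviolet Dawn; the file contents, the comma-separated price format and the manifest report are all constructed. It builds a SHA-256 manifest of the shipped resources, diffs it against what an install reports, and has the engine validate the data file at load time instead of trusting it.

```python
import hashlib
from typing import Dict, List

# Constructed package contents (path -> bytes). The paths echo the files named in
# the article; the contents are invented for this example and are not the real
# Minesweeper or Ultraviolet Dawn formats.
SHIPPED: Dict[str, bytes] = {
    "Common/AdsModule/View/MainPageAd.xaml":
        b'<UserControl x:Class="Ads.MainPageAd"><AdControl /></UserControl>',
    "res_store_items.txt": b"laser_cannon,500\nshield,250\nmissile_pod,900\n",
}

# Constructed copy of the same install after the two edits described above:
# the ad control collapsed and every weapon priced at zero.
TAMPERED: Dict[str, bytes] = {
    "Common/AdsModule/View/MainPageAd.xaml":
        b'<UserControl x:Class="Ads.MainPageAd" Visibility="Collapsed"><AdControl /></UserControl>',
    "res_store_items.txt": b"laser_cannon,0\nshield,0\nmissile_pod,0\n",
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every resource, keyed by path. Built once at release time and
    kept on the server; a copy inside the package could be edited like anything else."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_manifest(expected: Dict[str, str], reported: Dict[str, str]) -> List[str]:
    """Compare the release manifest with the one an installed app reports and
    return every modified, missing or unexpected path, sorted by path."""
    findings: List[str] = []
    for path in sorted(set(expected) | set(reported)):
        if path not in reported:
            findings.append(f"missing: {path}")
        elif path not in expected:
            findings.append(f"unexpected: {path}")
        elif expected[path] != reported[path]:
            findings.append(f"modified: {path}")
    return findings


def parse_store_prices(data: bytes) -> Dict[str, int]:
    """Second line of defence inside the engine: validate the data file at load
    time rather than trusting it. A zero or negative price is rejected outright."""
    prices: Dict[str, int] = {}
    for lineno, line in enumerate(data.decode("utf-8").splitlines(), 1):
        name, _, price_text = line.partition(",")
        if not name or not price_text.strip().isdigit():
            raise ValueError(f"res_store_items.txt line {lineno}: malformed entry {line!r}")
        price = int(price_text)
        if price <= 0:
            raise ValueError(f"res_store_items.txt line {lineno}: implausible price {price} for {name}")
        prices[name] = price
    return prices


def audit_install(installed: Dict[str, bytes]) -> List[str]:
    """Everything worth logging for one install: manifest differences plus any
    data file that fails validation."""
    findings = diff_manifest(build_manifest(SHIPPED), build_manifest(installed))
    try:
        parse_store_prices(installed["res_store_items.txt"])
    except (KeyError, ValueError) as exc:
        findings.append(f"invalid data: {exc}")
    return findings


if __name__ == "__main__":
    print("clean install:", audit_install(SHIPPED))
    for finding in audit_install(TAMPERED):
        print("tampered install:", finding)
```

The design point is where the expected hashes live: a manifest inside the package could be rewritten together with the files it covers, so the comparison has to run against a copy the player never touches, typically on the server when the app reports in. That makes it tamper evidence that can gate online features or raise an alert; a purely offline game still has to treat its own data files as untrusted input, which is what the price validation does.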
#5: Compromising in-app purchase items by injecting scripts into the IE10 process
Even though we’ve already shown that in-app purchases are compromisable, I’d like for us to see an example of that with Windows 8 HTML & JS apps. Up until now we’ve seen examples of C# and C++ apps, so let’s see that with WinJS apps. Let’s have a look at the massively popular and successful WinJS Windows 8 game Cut the Rope. The game follows a freemium model where the first few levels are free and additional levels cost $4.99 to unlock. As we know by now, executables for Windows 8 games can be found on the local disk. Specifically, Cut the Rope executables can be found at:
C:\Program Files\WindowsApps\ZeptoLabUKLimited.CutTheRope_1.1.0.9_neutral__sq9zxnwrk84pj
If we open up the default.js file in the js folder we can see the following code that obviously governs the in-app purchasing logic. We can see there are IS_PAID_FULL_VERSION and SIMULATE_PURCHASES variables set to false. One wonders what happens if we change those values to true. We don’t really have to understand the specifics, but we can see there’s an if-else condition that determines in-app purchases. We can’t directly change JavaScript files as that’ll corrupt the JavaScript package and Windows 8 will refuse to open the app. So instead of changing the files on the local disk, we can inject JS scripts at runtime into the IE10 process. Visual Studio 2012 has a built-in debugging mechanism for any installed Windows 8 app. Even if that wasn’t there we could still easily inject scripts into IE10, but since it is there we can use that familiar tool. Let’s use VS2012 to “Debug Installed App Package” Cut The Rope. Make sure to check the “Stop at first Statement” checkbox since we’ll use it to navigate to default.js.
After we click start we can see we’re debugging the Cut the Rope app. This is the important bit: we’ve now got the full force of VS2012 JavaScript runtime debugging in a Win8 store app. This first breakpoint will always be the same file at the same row: the first row of the base.js file from the WinJS framework. Using a smart combination of “Step over” and the Solution Explorer we can set the following breakpoint after setting the variables we’ve previously seen. Stepping over this declaration we can then see the following values in our Locals window. And now using the Immediate Window we can execute any JavaScript we’d like. For the purpose of this demo we’ll set SIMULATE_PURCHASES=true. We could have saved some time by setting IS_PAID_FULL_VERSION=true, but I’d like for us to see this runtime behaviour.
Now when we click the purchase button we can see the Windows 8 in-app purchase simulator. We’ll tell it that the purchase was successful. And now we can see all game levels are unlocked. We’ve just shown how to inject arbitrary JavaScript into a Win8 store-bought WinJS IE10 app and we’ve affected the in-app purchase item inventory.
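The re-encryptable account file in #1, the locally stored trial flag in #2 and the IS_PAID_FULL_VERSION / SIMULATE_PURCHASES booleans here share one root cause: the decision is made from data that lives on the player’s machine. The Python below is an added illustration written for this page, not code from the article or from Soulcraft, Meteor Madness or Cut the Rope; the server key, the purchase ledger and the user names are constructed. It puts the local-boolean gate next to two server-side alternatives: an account snapshot the server signs with a key that never ships in the package, and an entitlement check that consults the server’s own purchase ledger rather than anything the client reports.

```python
import hashlib
import hmac
import json
from typing import Dict, Set

# Constructed server-side secret and records. Neither is ever shipped inside the
# app package, which is the whole difference from the Soulcraft layout above.
SERVER_KEY = b"constructed-server-only-key"
PURCHASE_LEDGER: Dict[str, Set[str]] = {}   # user -> products the store reported as paid


def issue_state(user: str, gold: int, key: bytes = SERVER_KEY) -> bytes:
    """Server hands the client an opaque, signed snapshot of its account state.
    The client may cache it in its IsoStore, but cannot re-sign an edited copy."""
    payload = json.dumps({"user": user, "gold": gold}, sort_keys=True,
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def load_state(blob: bytes, key: bytes = SERVER_KEY) -> dict:
    """Server-side acceptance of a snapshot the client sends back. Any edit to
    the payload (the gold field, say) no longer matches the tag."""
    payload, sep, tag = blob.rpartition(b".")
    if not sep:
        raise ValueError("malformed state blob")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("state signature mismatch: snapshot was modified")
    return json.loads(payload)


def client_side_gate(is_paid_full_version: bool, simulate_purchases: bool) -> bool:
    """The pattern the default.js excerpt shows: a local boolean decides.
    Whoever can flip the variable at runtime gets the content."""
    return is_paid_full_version or simulate_purchases


def record_purchase(user: str, product: str) -> None:
    """Called only after the store's purchase receipt has been validated on the
    server (receipt validation itself is outside this example)."""
    PURCHASE_LEDGER.setdefault(user, set()).add(product)


def server_side_gate(user: str, product: str = "full_version") -> bool:
    """Entitlement comes from the server's own ledger; flags, cached state or
    license files on the player's machine are never consulted."""
    return product in PURCHASE_LEDGER.get(user, set())


def demo() -> dict:
    """Run the contrast on constructed data and return the outcomes."""
    genuine = issue_state("justin", 120)
    # The article's edit (gold set to 1,000,000), applied to the cached copy.
    edited = genuine.replace(b'"gold":120', b'"gold":1000000')
    try:
        load_state(edited)
        edited_accepted = True
    except ValueError:
        edited_accepted = False
    return {
        "genuine_gold": load_state(genuine)["gold"],
        "edited_accepted": edited_accepted,
        "local_flag_unlocks": client_side_gate(False, True),
        "server_unlocks_without_purchase": server_side_gate("justin"),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC only helps because verification happens where the key is: if the same check ran inside the app with the key embedded in an assembly, the key would be recoverable exactly as the article describes for Soulcraft, and the signature could be regenerated locally. The same logic applies to the trial flag in tokens.dat: an offline-capable trial is a decision made on the client, so anything the developer cares about beyond offline convenience needs a server-side check of the purchase record.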