Reverse engineering and modifying windows 8 apps

Reverse Engineering and Modifying Windows 8 apps
Angel
Justin
Hi folks,
In this article I’ll share the results of ad-hoc security vulnerabilities research I’ve done on
windows 8 apps deployment. Specifically, we’ll discuss fundamental design flaws that
allow to Reverse Engineer Win8 apps, modification of installed apps and the negative
implications on Intellectual Property rights protection, Licensing models and overall PC
security. Finally we’ll discuss some creative ideas on how to mitigate these security
issues.
Meet the mother-load: C:Program FilesApplications
All Windows 8 applications in the developer preview are installed under the clandestine
C:Program FilesApplications location. I will hazard a guess and say that once the
Windows App Store goes online it will install all apps under that folder. Currently the
folder is an invisible one and cannot be accessed from Windows Explorer user interface
on a new Win8 developer preview install.
Here’s an example of some of the 29 apps Win8 apps installed on the Win8 developer
preview:
Reverse Engineering and Modifying Windows 8 apps http://justinangel.net/ReverseEngineerWin8Apps
1 of 32 21-Dec-12 12:36 PM

And here’s the hidden folder backing it up:
2 of 32 21-Dec-12 12:36 PM

Gaining Access to C:Program FilesApplications
In essence you’ll need to navigate to that folder, hit “Security Tab” and set yourself up as
the owner. Let me walk you through that process step-by-step.
1. Type in “C:Program FilesApplications” in the Windows Explorer address bar and hit
enter.
2. Observe in shock and dismay the system dialogue saying you don’t own a folder on
your own machine. Hit “Continue”.
3 of 32 21-Dec-12 12:36 PM

3. After hitting “Continue”, you’ll be confronted by the following dialogue:
Do not hit “close”, instead click the “security tab” link.
4. In the following system dialogue click “advanced”.
4 of 32 21-Dec-12 12:36 PM

5. Click the “change” link in the owner security field.
6. Add in your live ID or windows 8 user name to the “select user or group” system
dialogue.
5 of 32 21-Dec-12 12:36 PM

7. Click “OK”, Click “OK”, Click “Ok”.
6 of 32 21-Dec-12 12:36 PM

8. Type in “C:Program FilesApplications” in the Windows Explorer address bar and hit
enter. You now have access to the Applications folder.
What type of apps ship with Windows 8?
Looking at this folder it’s fairly easy to determine what type of apps ship with Windows 8
developer preview.
7 of 32 21-Dec-12 12:36 PM

What’s in C:Program FilesApplications?
For HTML apps the folder contains all of their source code and it can modified.
For C# apps the folder contains the XAML source code and a compiled reverse-
engineerable and modifiable version of the C# code.
For C++ directX apps the folder contains compiled binaries. Honestly, C++ isn’t my
specialty so I’ll avoid discussing it at any great length.
Reverse Engineering HTML & Javscript & CSS Win8
apps
There’s a fundamental design flaw in the concept of HTML apps. HTML, Javascript and
CSS are all interpreted languages, and not compiled languages. Meaning you have to
ship the source code for your app instead of shipping compiled binaries. That puts the
8 of 32 21-Dec-12 12:36 PM

Intellectual Property of anyone choosing to write any HTML & JS & CSS only app for any
platform under risk.
For example, here’s the HTML source code for the Tweet@rama Win8 app code:
And here’s the tweet@rama Javascript code that does the actual posting to Twitter:
9 of 32 21-Dec-12 12:36 PM

Modifying HTML & Javscript & CSS Win8 apps
Part of the problem with interpreted languages is that they don’t compile until the very
instance they are executed. Which allows evil-doers to edit the code prior to execution.
For example, here’s a print screen of the tweet@rama default app;
10 of 32 21-Dec-12 12:36 PM

Let’s modify the HTML, Javascript and CSS for this application: (for the sake of brevity
we’ll only walkthrough a simple HTML change)
11 of 32 21-Dec-12 12:36 PM

By modifying the HTML & CSS & Javascript source code we can change the visual
design to something a bit more visually pleasing:
Notice that we’ve changed both the design and behaviour of the app by modifying the
source code. The new design has a different title, and the new behaviour is using the
12 of 32 21-Dec-12 12:36 PM

picture of the logged in user as the background. We have the power to completely
change both the visual design and the executing source code of HTML & CSS & JS
win8 apps.
New breed of viruses?
Any unauthorized malware that gains access to C:Program FilesApplications could
potentially modify source code to execute in malicious ways. Since this is the direction
Win8 apps are taking writing this type of viruses is likely to become a growth industry.
For example we could look at the tweet@rama app once again. The most valuable asset
that app has is our twitter oauth credentials. A virus would be able to modify the
tweet@rama source code so once it executes it retrieves those credentials and sends
those to a malicious remote endpoint. The following code interjected into the Javascript
code of tweet@rama would do just that:
New breed of cracks?
Any unauthorized executable that gains access to C:Program FilesApplications could
potentially modify source code to workaround Windows Store app purchasing and
licensing logic. The whole concept of Trials and feature purchases are based on
Javascript, C# or C++ code invoking Windows 8 RuntimeTime APIs for the Windows
Store. Any change to that code could potentially change the purchasing and licensing
logic for that app.
For example, In BUILD conference Microsoft’s Arik Cohen demonstrated
(http://channel9.msdn.com/Events/BUILD/BUILD2011/APP-123T) (35:25) the following
code that performs a Javascript check for isTrial.
13 of 32 21-Dec-12 12:36 PM

It would be a trivial endavour to manually edit this Javascript file and remove the
“licenseInformation.isTrial” check. And by doing so removing Trial restrictions from this
sample Win8 app.
If this set of problems are not mitigated, app piracy through app modification for
Windows Store apps will likely become quite prevalent.
Reverse Engineering C# + XAML Win8 apps
C# code is shipped in compiled EXE & DLL binaries. XAML is shipped as plain text
source code. That makes both forms of code extremely susceptible to reverse
engineering.
For example, we could open up the “Memories” (C# WinRT XAML app) MainPage.xaml
14 of 32 21-Dec-12 12:36 PM

in KaXaml (http://kaxaml.com/) and see the XAML source code:
Using JetBrains dotPeek (http://www.jetbrains.com/decompiler/) it would be possible to
see the C# source code for the Memories app:
15 of 32 21-Dec-12 12:36 PM

Modifying C# + XAML Win8 apps
The XAML for Win8 apps is stored in plain-text and can be edited from any text editing
tool. The .net binaries are unsigned and thus can be edit using the MSIL Weaving tool
Reflexil (http://reflexil.net/).
For example, here’s the “Memories” C# XAML app shipping with Windows 8 developer
preview:
16 of 32 21-Dec-12 12:36 PM

Editing the XAML is fairly trivial since it’s stored as a plain text file:
17 of 32 21-Dec-12 12:36 PM

Editing C# can be done using Reflector’s Reflxil MSIL Editor:
18 of 32 21-Dec-12 12:36 PM

With some light modifications to the XAML and C# code we can change the display and
behaviour of the app:
19 of 32 21-Dec-12 12:36 PM

Reverse Engineering C++ Win8 apps
I’ll confess to not being a strong C++ developer (gasp!) so I’ll keep this brief by showing
C++ apps are also susceptible to reverse engineering. It appears that Microsoft’s Store
app is written in C++. The most important asset that app would have are the endpoints
for the Microsoft store. Opening the C:WindowsSystem32WinStoreWinStoreUI.dll in
20 of 32 21-Dec-12 12:36 PM

notepad and searching for “https” addresses reveals the following URL:
Following the http://go.microsoft.com/fwlink/?LinkId=195322&clcid=0x409
(http://go.microsoft.com/fwlink/?LinkId=195322&clcid=0x409) URL leads to a currently
inactive URL of https://services.apps.microsoft.com/browse
(https://services.apps.microsoft.com/browse). I would hazard a guess that this is the
URL currently being used to test the Windows App Store.
What have we conclusively proven during this blog
post?
Keeping in mind that Windows 8 is only an alpha developer release, we’ve seen a
21 of 32 21-Dec-12 12:36 PM

couple of disturbing things:
It is possible to reverse engineer and modify HTML, JavaScript and CSS code
shipped in Win8 apps.
1.
It is possible to reverse engineer and modify C#/VB.Net source code shipping with
Win8 apps.
2.
It is possible to reverse engineer and modify XAML source code shipping with
Win8 apps.
3.
It is possible to (at some limited level?) reverse engineer C++ Win8 apps.4.
Can Microsoft completely solve this problem?
No. In my opinion, apps shipping as part of all app stores will always be vulnerable at
some limited level to reverse engineering and modification.
Can Microsoft mitigate this problem?
Yes, Microsoft can make apps significantly more temper-proof and pile a lot of hardships
on those seeking to reverse engineer and modify Win8 apps. Assuming malicious code
and people can’t access C:Program FilesApplications seems naïve at best.
22 of 32 21-Dec-12 12:36 PM

Here are few suggestions for what some of those potential aforementioned hardships
might be:
Obfuscate C#/VB.Net projects by default: .net projects default to shipping with
unobfuscated source code. If Microsoft is serious about introducing a Windows
App store obfuscation has to be turned on by default for all .net project, not just a
nice-to-have addon like it is right now. The VS2011 team should investigate and
integrate an obfuscation solution directly into the product and turn it on for all new
.net projects. This would make it harder to reverse engineer .net apps.
1.
Minify HTML, Javascript and CSS projects by default: With the joys of desktop
deployment web developers will likely forsake Javascript, HTML and CSS
minification. Again, a good path forward here is to make sure all HTML, Jacascript
and CSS code is minified by default. This step would make it harder to reverse
engineer HTML apps.
2.
Strongly sign all .net assemblies by default: Strong-signing has been part of the
.net framework for 10 years now. Turn it on by default with a unique developer
license certificate for all Win8 .net apps. Make sure Win8 AppContainers only run
signed apps, don’t even have a hidden registry key to enable unsigned apps (like
WP7 does (http://twitpic.com/6josnn)). That would make it harder to modify .net
apps.
3.
Checksum HTML, Javascript and CSS project before startup: Even if it’s
unpreventable that modifying Win8 HTML apps would take place, run a checksum
on all files before loading the app into memory. That would make it harder to
modify Win8 HTML apps. It sounds like AppBlockMap.xml is supposed to do
something similar, but it doesn’t seem to work.
4.
Don’t store App’s executing files as plain-old files on the user’s hard-drive: It
shouldn’t be possible to even see the files shipping with an app by default using
just Windows Explorer. A lossless compressed folder with DRM protection would
be a good step forward here. This should make it harder to reverse engineer Win8
apps.
5.
tl;dr: If Microsoft doesn’t undertake the aforementioned steps or comparable ones it’s
not because it can’t, it’s because it doesn’t want to. If Microsoft chooses to ignore this
problem for the remaining one year (?) development lifecycle for Windows 8 then it’s not
because it couldn’t solve these problems.
Visual Studio 2011 App Deployment
Apps deployed by Visual Studio 2011 do not get deployed to C:Program
FilesApplications but rather get deployed to C:Users<UserName>AppxLayouts.
23 of 32 21-Dec-12 12:36 PM

The alternate location for Visual Studio app deployment and all other app deployment
are controlled by the registry folder HKEY_CURRENT_USERSoftwareClassesLocal
SettingsSoftwareMicrosoftWindowsCurrentVersionAppModel.
Feedback
Have questions about the methodologies used in this article?
Have more interesting workarounds you’ve tried and like to share?
Have interesting suggestions for the Microsoft folks on how to help mitigate this
problem?
Sound off in the comments!
-- Justin Angel
(Disclaimer: this article represents research I undertook on my own and is unsanctioned
by any organizations or corporations I might be related with.)
Published on 9/20/2011 12:00:00 AM by Justin Angel ©2012.
This work is licensed under a Creative Commons Attribution 3.0 Unported License
24 of 32 21-Dec-12 12:36 PM

(http://creativecommons.org/licenses/by/3.0/).
Comments
Jeremy Says:
Very nice article Justin, thanks for sharing. I started to look at the
proportion of HTML vs XAML vs Native apps and I appreciate your
diagram. I'm looking forward seeing what Microsoft will do to mitigate
those issues.
pedro Says:
You seem to forget a little detail.. Final apps will be signed.
Justin Angel Says:
Signed apps would be one of the small obstacles I've mentioned.
However, I'm not sure what signing apps would mean for HTML
apps. How exactly does one sign HTML files?
Also, more importantly, Signing attempts to protect against
Modification. It does nothing to solve the Reverse Engineering
issue.
pedro Says:
I'm guessing that app packages will be encripted and signed.
And the reverse engineering is a non issue. How do you
protect current apps from being reverse engineered? Even
obfuscating .NET apps doesn't really protect you, it only makes
it harder.
If signing the apps is enough to prevent tempered code to be
executed, I'm OK with that.
DrPizza Says:
Can you explain to me which of these is a Windows 8 issue?
Consider that the .NET decompilers are for, uh, all .NET
programs, not just Windows 8 ones, and that Web browsers let
you look at both HTML and JavaScript directly.
25 of 32 21-Dec-12 12:36 PM

How does one sign HTML files? You stick a signature in a file
and put it alongside the rest. You know, the same way that you
sign .inf files in driver packages.
Justin Angel Says:
Windows 8 made the choice to consume interpreted
languages as offline application development languages. I
am calling out that it there are some issues with that plan
going forward in regards to the aforementioned concerns.
How does one sign HTML files? It is possible to sign &
encrypt anything. HTTPS for example is an encrypted and
signed HTTP transport layer.
Addressing the core point of your argument: I believe that
Microsoft has people smarter than myself that could
provide more realistic solutions to the issues I've raised.
IMO This is a set of problems that have potential solutions.
Luke Says:
On the default user you enter more pc settings (from
metro) and open user.
There is an option to switch to Microsoft account.
This option is not available by default on the build-in
administrator account.
Is it possible to enable this on the build-in
administrator?
I can use most of the metro apps on the build-in
administrator account when/if I change
this regkey FilterAdministratorToken from 0 to 1
Sarkie Says:
When looking for string data in .exes.
Use Strings
http://technet.microsoft.com/en-us/sysinternals/bb897439
Aside:
Why is this whole site in Silverlight?
Alberto Says:
26 of 32 21-Dec-12 12:36 PM

Whats the problem the site beeing in silverlight?
-.-
Michael Crump Says:
Excellent blog post Justin! I have also heard that final apps will be
signed. But right now you have exposed several flaws that Microsoft
needs to be aware of.
Jeremy Brayton Says:
Signing happens at the project level, not individual files. I want to
speculate that the dev preview was simply rushed and the DRM
protection we're about to see in the Mango store is going to hit AppX
too. Having to what amounts to unzipping an app before every run is
going to increase at least that initial load time but you could use a
temporary secure location to cache this kind of stuff. They might've
thought this would be sufficient but you proved how easy it was to
unlock that jail cell.
Regarding checksums against HTML content, I would say just do a
checksum against the *entire project* as one motion. It's essentially the
same thing but we're really interested in the sum, not so much individual
files but doing them individually would be a way for us to tell which file
has been tampered with so I'm a little on the fence about my own
suggestion.
I think if we start to get to the beta and RC stages and no significant
changes are made in this area that all of us should worry. I'm glad they
can address it now and I'm glad you figured this out to make sure they
do. There's still plenty of time to plug these holes but we definitely need
to keep a fire up their ass to make sure our apps aren't cracked in one
fell swoop. If I'm relying on your app store and one point of failure is all
that is needed to expose EVERY app, you might want to rethink your
design a bit and I hope they at least give us the option to run extra
licensing mechanisms on top if we so choose. If they don't plug these
holes AND get heavy handed there, I could never recommend
developing for their app store.
Fallon Massey Says:
Does that mean that C++ is the best language to program in?
Because with C++, you'll need a disassembler, and that still won't net
you the correct code.
27 of 32 21-Dec-12 12:36 PM

Philippe Da Silva Says:
With every new OS comes new security threats especially when you're
adding something new that hasn't been tested accross mainstream
audience.
While I don't care much about seeing people modifying apps I purchase
since it opens the way to application "mods" that us, consumers, will
decide to use or not, I'm way more worried about the Win8 Apps being a
real system security threat for viruses and other malware that could act
on my behalf in my machine.
This should definitivelly be the top security priority of Microsoft from my
point of view.
I personally see Win8 Apps as Rich Clients for distributed & cloud
content or processing. I can't think of any application that would make
use of the Metro UI and paradigm that don't fall into such user
requirements.
For all other user requirements, we'll stick to our old yet very familiar
Explorer environment ;)
All in all, I'm really glad to see Microsoft finally taking a step backward,
looking at the market and sharing with us what they see as the future of
our computer/software usage ;)
Ian Griffiths Says:
Session PLAT-905C went into quite a lot of detail on application
packaging. The signing mechanism covers everything in the package,
and is independent of file type. You could even put binary files with a
format of your own devising in there and it'd still be able to check their
validity. Logically speaking, it's pretty similar to how Silverlight supports
it - you sign the container rather than individual files. In Silverlight, you
can apply a digital signature to the ZIP file, and that'll cover everything
in there, no matter what the format of the individual files. The fact that
the streams happen to be extracted out into files in a folder in Win8 is
no obstacle to this - it just requires a scheme for how the whole
directory should be handled - as long as Win8 knows that (say) the appx
manifest contains a list of signatures for everything (including itself),
then it can check everything. IIRC, that's pretty much how ClickOnce
worked - it was able to check validity even when each of the resources
in the app was downloaded separately. So this is not new.
Nor is reverse engineering. C++, Xaml, and JavaScript are precisely as
easy to reverse engineer in Win8 as they were before.
28 of 32 21-Dec-12 12:36 PM

piers7 Says:
As an aside, in the keynote Sinofsky claimed the Apps app was written
in Javascript/HTML, whereas you seem to suggest C++...
dsurendra Says:
Cool....
ZUyq5def Says:
Maliscious won't have access to the program filesapplications directory
(among other things, such as signing). The steps that Justin goes
through to access the directory require explicit user action - they can't
be done programmatically (unless the app already has privileges - in
which case it doesn't really make sense for the app to go messing w
other apps, because it can already do whatever the maliscious user
wants).
Justin Angel Says:
Yep, the Program FilesApplications folder is protected the same
way modern-day Program Files directory and Windows directory
are protected.
However many viruses, spyware and malware (if not the majority of
those) currently use those locations to hide, store and modify their
executables.
Theoretically, you're right to say there's a hurdle here. Practically,
you'll have to ignore the entire history of modern-day malware to
claim it'll matter in the long run.
rtruth Says:
HTML and javascript are plaintext on the web, I don't see that
preventing developers from writing code.
Second of all, it doesnt matter if the code is plain text, .net, or
assembled c code, you can always see the code. Even in c code, you
just disassemble the binary and its right there in front of you. You can do
the same things you are doing now with html.
Also,even if the apps are signed, its only trivial to patch the check by the
29 of 32 21-Dec-12 12:36 PM

OS. On an open system like a PC, its impossible to stop this.
Its just the reality of software development. If you make good software,
it will be pirated. And those that pirate will never buy your stuff in the
first place anyways.
Zach Heise Says:
Hi Justin, I was curious about this in the Customer Preview released
yesterday, so I found your blog entry by searching for "windows 8
programs file tree location" and got here. It looks as if in this version,
c:program filesapplications no longer exists. Where could all of these
newly-available "store-bought" (free) apps be living now that they're
downloaded?
I hate all this handholding Metro does. I have a feeling I'm going to be
ignoring it 90% of the time unless I want a news reader on a bus ride
home with a tablet. For actual work, it's useless.
Zach Heise Says:
Nevermind, found it! CMD, plus dir /a:h in the program files folder,
found that it's now stored under c:program fileswindowsapps. You
probably already knew that though!
Vamshi Says:
Wow thats a great find ! ,now i can at least some code of my favourite
apps ;)
niks Says:
y i m nt able to use these apps ???
i hv devloper preview...
Alex Says:
Excellent article! I'm looking forward to your next article concerning
apps.
Christian Says:
Anybody who argues that people write html+js for the web even though
30 of 32 21-Dec-12 12:36 PM

anyone can see it is an idiot. Almost all the code that ACTUALLY
MATTERS is server side. On Windows 8 all the important code will be
right there for people to steal. Think before you post next time.
Kapil Says:
Now folder name is WindowsApps.......
Rufus Pearce Says:
I have the RTM version of Windows 8 Pro, and the folder 'Program
Files/Applications' does not exist. It has been moved somewhere else.
Any idea where these apps can now be found?
Brandon Says:
How can one change the default install path for apps? I really don't want
all these apps eating up my small SSD drive!
Alex Says:
Seeing that you can change certain thing in the folder, is there any way
to launch desktop applications, while preserving image subway tile, only
shifting toward openness. Exe or link?
JuanK Says:
This is not a microsoft problem, is allsoftware engineering problem.
Decompile managed code is more dificult than just edit a javascript, but
still being an easy task. Decompile or extract/modify logic from native
binaries is more dificult , but not impossible.
Kept in moder times. Times when you assume that compile aan app will
secure your code is far far away in the past.
If somebody wants to get the algoritms or logic in your aasemblies ,
even native assemblies, just need to hire a young 19 years old guy with
passion for technology to reconstruct the algorithm based on
opcodes/assembly, this is not trivial but not impossible, just the kid with
free time could do it.
If you want to modify any application behavior, just need to known what
platform is and make the changes.
31 of 32 21-Dec-12 12:36 PM

How you think 'hackers' crack Adobe products one release after other,
just few days or hour before program availability? one or two guys with
free time knowing assembly, change the opcodes or object linkg for
another and .... pufff ... the program think you have an original copy.
Current world is not easy. You want to protect your algorithms or logic?
--> get patents for those you really need to protect.
Even thinks like connection string to db connections are in risk, you
could encript a connection string to avoid direct code/config files
attacks, but in some time, even for little bit of time, the string will be
decrypted in memory and then a young guy with lot of free time could
get the string after hours of patience and retries.
Legal terms, agreements etc are the final protections.
Sure, you need to protect your application in any way, obfusctate code,
use in memory secure strings for sensitive data, encription in any
complexity levels etc, thats necesary because for more protections you
use, less 'young ' people with lots of free time will success breaking your
secure barriers.
JuanK Says:
btw, take a llook at this important notes: http://stackoverflow.com
/questions/12754265/is-there-any-prevention-methods-for-removing-
istrial-and-trivially-cracking-wi
Scott Says:
LOL..once again you're breaking into jail with this one ;)
Oh man.. that just makes me sad to see the above and how simple it
was to hax0r it (not that I knew, but now we do know).
Thessaly Says:
How can I gain access to your article "reverse engineering for Win8
games"?
32 of 32 21-Dec-12 12:36 PM

Reverse engineering and modifying windows 8 apps

More Related Content

What's hot (20)

Similar to Reverse engineering and modifying windows 8 apps (20)

Recently uploaded (20)

Reverse engineering and modifying windows 8 apps