作者 主题: 小羊的编程笔记  (阅读 10625 次)

副标题:

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
小羊的编程笔记
« 于: 2010-07-08, 周四 21:40:35 »
Just a note topic on the solutions of some of the problems I encountered, whether in job or at home.
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
小羊的编程笔记
« 回帖 #1 于: 2010-07-08, 周四 21:40:43 »
Question: In IE, How do you write external <script> tag into iframe using javascript, and make it work?

Problem: When you write into iframe (either by contentWindow.document.write or by innerHTML), <script> tags losts their src attribute.

Solution: Before writing into iframe, do a scan to extract all the external script first, then write them *before* real contents.

Tested on: IE7, IE8
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
小羊的编程笔记
« 回帖 #2 于: 2010-07-08, 周四 21:40:54 »
Question: How to mass rename files in Power Shell?

Problem: Power Shell Rename-Item command doesn't work with mass rename like dos prompt version.
In fact you get this error:
引用
Rename-Item : Cannot process argument because the value of argument "path" is invalid. Change the value of the "path" argument and run the operation again.
+ ren <<<<  *-utf8.txt *.*
    + CategoryInfo          : InvalidArgument: (:) [Rename-Item], PSArgumentException
    + FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.RenameItemCommand

Solution: Chain up commands and use .Net method. To rename *-utf8.txt to *-big5.txt, type:
dir *-utf8.txt | rename-item -NewName {$_.name.replace("-utf8","-big5")}

Tested on: Windows 7
« 上次编辑: 2010-07-08, 周四 21:42:07 由 Sheepy »
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
Re: 小羊的编程笔记
« 回帖 #3 于: 2010-08-14, 周六 17:39:22 »
Question: You got data from MySQL 4.X which have a latin field containing character in some other character set.  Now you need it in correct charset.

When a text/varchar field already contains data in another character set, it can be converted by casting to binary (strip away original, wrong encoding info) and then casting back with the specified encoding:

e.g. given a latin1 field "data" which contains GBK data (or Big5, Shift_JIS, whatever), you can:

select cast(cast(data as binary) as char character set gbk)

And the result can then be used to update or populate another table with utf-8 fields or a field with the correct character set / collation set.


However, the cast will stop conversion as soon as it meet a character that it cannot parse, so there is a potential lost of data here, as happened on this very forum.  To prevent this, the raw data need to be converted with some other methods, such as using libiconv.
« 上次编辑: 2010-08-14, 周六 17:45:58 由 Sheepy »
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
Re: 小羊的编程笔记
« 回帖 #4 于: 2010-08-14, 周六 17:44:36 »
Question: "statememt may not be safe to log in statement format"
Question: OFF.000001, OFF.000002, OFF.XXXXXX is taking up lots of space.  Really, really lots.

You may see this after you upgraded database to MySQL 5.1 or upper.
You may have searched and found that this is related with binary log.

So, either you disable the binary log, or you fixes the queries.

To disable binary log, make sure config file my.ini does not mention anything about binary log.
Setting log_bin=Off won't work - at least in our case it is regarded as basename meaning you will see OFF.000001, OFF.000002, etc.

Just comment out them.

#log_gin=XXX
#binlog_format=XXX

And if you are still seeing binary logs and warnings, check that you have removed the default configuration file my.ini from mysql's root, assuming you are putting your config file in another path.
« 上次编辑: 2010-08-14, 周六 17:46:44 由 Sheepy »
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
Re: 小羊的编程笔记
« 回帖 #5 于: 2010-08-24, 周二 11:06:46 »
Question: When compiling C++, you get error C2275 Illegal use of this type as an expression

Answer: Declarations must be made at start of function, not between statements.
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
Re: 小羊的编程笔记
« 回帖 #6 于: 2011-04-08, 周五 15:22:39 »
代码: [选择]
/**
 Given a search term string, return a regular expression string to test data.
 Supports search by regx (if the search string starts with /), random order terms, "search phase", -exclude term/phase, and OR terms.
*/
function(s){
  if(!s.length||s[0]=='/')return s.replace(/(^\/|\/$)/g,'');
  s = s.replace(/([\\.+?|()[\]{}])/g,'\\$1').replace(/\*/g,'\\S*')
       .match(/(-?"[^"]+"|[^\s]+)/g).map(function(n){
    return n.replace(/(^(-)?"|"$)/g,'$2').trim()
  }).concat(['','']);
  s = s.map(function(n,i){
    if(s[i+1]=='OR'){
      s[i+2]=$.makeArray(n).concat(s[i+2]);
      return ''
    }else
      return n=='OR'?'':n
  });
  return '^'+s.map(function(n){
    if(!n.length) return n;
    if($.isArray(n)) n='('+n.join('|')+')';
    return(n[0]=='-'?'(?!.*?'+n.substring(1):('(?=.*?'+n))+')'
  }).join('')+'.*$'
}
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 猫儿

  • 我希望你能跟我立下契约,成为我的pc,喵☆kire~
  • Diver
  • ******
  • 帖子数: 3759
  • 苹果币: 1
Re: 小羊的编程笔记
« 回帖 #7 于: 2011-04-21, 周四 17:09:34 »
为什么页面里还有滚动页面··
十年弹指一挥间

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
Re: 小羊的编程笔记
« 回帖 #8 于: 2011-04-21, 周四 17:15:26 »
为什么页面里还有滚动页面··

[code]
...
[/code]
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译

离线 Sheepy

  • 纯良的白色生物
  • 风纪委
  • *
  • 帖子数: 14117
  • 苹果币: 2
Re: 小羊的编程笔记
« 回帖 #9 于: 2012-12-12, 周三 10:16:46 »
Win8 apps 破解
剧透 -   :
Hacking Windows 8 Games
Justin Angel

HI folks,

This article is a follow-up to my previous 2011 article on Reverse Engineering and Modifying Windows 8 apps. In this article we’ll see how to use innate Windows 8 security attack vectors in such a way that could compromise Windows 8 games revenue stream. We’ll review real-world examples for all Win8 programming languages and frameworks.

 
But first, why Games?

In the previous article we’ve seen security loopholes affecting all Windows 8 apps. However in this article we’ll focus on how to use these techniques to compromise games security. The reason we’ll be focusing on games is that they account for 51%+ of developer revenue on every mobile developer platform. Let me repeat that, games account for the majority of developer revenue. For example we can see from official Microsoft statistics that 64% of app purchases on Windows Phone 7 are for games.

Diagram showing 64% of windows phone 7 paid app purchases come from games

The majority of mobile apps make their money from a combination of in-app ads, in-app purchases or paid app downloads. Google IO 2012 had this great slide illustrating all the ways a mobile app developer can get paid:

 Slide showing Monetization Options: Free, Premium, Trial and Freemium

In this article we’ll show how insecure each of those payment streams are on Windows 8 with real-world examples from game development. It’s important to mention the methods shown in this article can be applied to every app and not just games.

 
#1: Compromising in-app purchases by modifying IsoStore

The Win8 game Soulcraft is a top game on Android and is subjectively one of best examples of its genre on Windows 8. It’s a basic RPG where you play an archangel battling the forces of evil in stylish 3D. You’ve got a character, its got equipment and you pay with gold with gold to buy better equipment. The gold has to be purchased for real money using the platform’s in-app purchase. For example on Android here are the prices for gold:

Gold purchasing screen in Soulcraft

I’ve spent 20$+ on game gold for Soulcraft THD on my Google Nexus 7 so far. So I asked myself how does that game’s gold data gets stored on Windows 8, and whether or not we can change it.

Quick refresher from the previous article all Windows 8 apps are stored on your local HD at:

    C:\Program Files\WindowsApps

So for example all the assemblies for Soulcraft on Windows 8 will be stored at:

    C:\Program Files\WindowsApps\MobileBitsGmbH.SoulCraft_0.8.5.3_neutral__n3knxnwpdbgdc

List of files in Soulcraft WIn8 app

 

Also, all IsoStore files are stored at:

    C:\Users\<username>\AppData\Local\Packages\

So on my machine Soulcraft’s IsoStore is at:

    C:\Users\Justin\AppData\Local\Packages\MobileBitsGmbH.SoulCraft_n3knxnwpdbgdc\LocalState

Files in Soulcraft's Win8 IsoStore

 

When opening up these files in Notepad we can see some of these files are encrypted while others are not.

Print screen showing side-by-side of encrypted file and unecrypted file

 

So now the question becomes, can we decrypt the AccountData.xml file, edit the amount of gold our character has and simply run the game? Well, as it turns out the answer is “Yes”. Normally encrypted files are bad news if you’re trying to tamper with apps. But we should remember this is all running on the local machine. We have the algorithm used for encryption, we have the hash key and we have the encrypted data. Once we have all of those it’s pretty simple to decrypt anything.

SmartArt showing: Encryption Algorithm + Hash/Key + Encrypted Data = Unecrypted data

 

Using dotPeek/ILSpy/JustDecompile it’s possible to reverse engineer most of the Soulcraft source code and find out how the AccountData.xml gets stored and how to change it. Let’s assume we’ve done that and we know which classes and assemblies are used to decrypt, edit and encrypt this XML file. We’ll start off by create a new Win8 app and reference the appropriate DLLs from the Soulcraft game.

4 Soulcraft assemblies referenced in new App2 app

 

Next, since these assemblies read files from IsoStore we’ll copy the encrypted game files to our own App2 IsoStore.

Diagram showing we need to copy files, edit them and copy them back

 

Now we’ve staged a new app with the proper assemblies and populated IsoStore with Soulcraft’s Data. The next step is to reverse engineer the assemblies and figure out the correct calling order for methods. For example this code would load up AccountData.xml, edit the amount of gold and save it again.

    using Delta.Utilities.Helpers;
    using Delta.Utilities.Xml;

    public sealed partial class MainPage : Page
    {
        public MainPage()
        {
            this.InitializeComponent();
            this.Loaded += MainPage_Loaded;
        }

        private async void MainPage_Loaded(object sender, RoutedEventArgs e)
        {
            var filePath = Path.Combine(DirectoryHelper.GetBaseDirectory(), "AccountData.xml");
            var accountDataXml = XmlNode.LoadFile(filePath);
            accountDataXml.Children.First().AddAttribute("Gold", "1000000");
            accountDataXml.Save(filePath);
        }
    }

Here’s the before and after of the XML file:

XML file with Gold changing from 10 to 1,000,000

 

Copying the file back to Soulcraft’s IsoStore and starting Soulcraft we can see a first level character with 1,000,000 gold.

Soulcraft start screen with a 1,000,000 gold

 

At this point some of you must be thinking “so what? it’s fake game money”. True, but this fake in-game money would be worth over a thousand dollar on Android and iOS. Without a secure storage location for game state, we can’t be surprised that 3rd party cracking will arise to make consumers avoid in-app purchases.

 
#2: Cracking trial apps to paid versions for free

One of the top revenue streams for Windows 8 developers is by shipping paid apps. At the same time consumers tend to be loss averse and are afraid to “lose” money on apps. The solution to that are Trial apps. Paid apps can offer a free version with limited functionality or on a time limited basis. That works fine unless consumers attempt to manipulate this tentative status-quo by cracking trial apps. To emphasize the impact of this problem we can look at the Windows Phone ecosystem where 45% of paid apps offer trials.

Pie chart showing 45% of paid apps have trials on Windows Phone 7

 

Let’s have a look at Meteor Madness. It’s a cool arcade asteroid shooter game. Meteor madness costs 1.5$USD and offers a free trial with limited functionality. It also happens to be open source so you can go check that out too.

WIndows 8 Store Meteor Madness page

 

When downloading the app as a trial we can see that it offers the options to buy the game and locks some game options. Note the “Buy now” rock at the bottom left and the locked “Arcade” game rock on the top right.

Meteor Madness Trial mode print screen

 

In the previous section we’ve seen there’s a fundamental problem when storing game data on Windows 8. Storing encrypted data locally, alongside with the algorithm and the algorithm key/hash is a recipe for security incidents. One of the problems with allowing offline execution of trial apps is that it mandates the “trial flag” to be stored locally. And as we’ve seen, if it’s stored locally, we can find it, read it and modify it.

Specifically the License for Windows 8 apps is stored in the following file:

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WSLicense\tokens.dat

When we open this file up in Notepad we can find the license for Meteor Madness and where it says it’s a trial purchase.

Tokens.dat file showing MeteorMadness license as trial

 

Also, in the same file we can see there are other apps installed. Such as free apps, paid apps and preinstalled apps. Here for example if the “Full” installation of Bing.

Tokens.dat file showing Bing license as Full

 

An educational WinForms app named WSService_crk loads this file into memory, shows the License XMLs and modifies it as a “Full Preinstalled” license. There’s a lot going on here other then simply reading and modifying files. WSService_crk has to  decrypt the file, re-encrypt it and then store it. All of that is documented with WSService_crk as it’s distributed with full source code.

 

When opening up WSService_crk on my machine shows the following list of installs apps.

WSService_crk lists all Licenses in Tokens.dat

 

WSService_crk can then show the current license and even modify it from a Trial to a Full Preinstalled License.

Changing MeteorMadness license XML from Trial to Full

 

When running Meteor Madness now we can see that it no longer has any trial app functionality limitations.

Meteor Madness print screen with no trial limitations

 
#3: Removing in-app ads from games by editing XAML files

Another way developers monetize their apps is through in-app advertising. Developers often take the path of least resistance and it’s quite easy to add ads to your app. If apps are popular and the viewcounts are racking up it could become quite profitable. As a result consumers don’t have to pay for some great titles and successful developers can get paid. That all works pretty well unless opportunistic consumers choose to keep the free app but disable ads. To emphasize the importance of mobile app ads let’s mention that some 3rd party estimates put the field at over 10B in overall yearly revenue.

Bar chart showing 19B$ in total mobile monetization

 

One app that is now (surprisingly) advertising supported on Windows 8 is Microsoft’s Minesweeper.

Minesweeper app with built-in ads

 

As we’ve seen previously the executable of all Windows 8 apps can be located easily. Minesweeper is installed locally at:

    C:\Program Files\WindowsApps\Microsoft.MicrosoftMinesweeper_1.1.0.0_x86__8wekyb3d8bbwe

In that folder we can find the file MainPageAd.xaml under the \Common\AdsModule\View folder. Alongside with other in-app ads used by Minesweeper.

MainPageAd.xaml print screen

 

We can make this ad disappear by simply adding the Visibility=”Collapsed” property to the aforementioned root user control.

Adding Visiblity=Collapsed on ArkUserControl

 

After we’ve made this small change, when we run the Minesweeper app we won’t be able to see the ad anymore.

Minesweeper with no ads

 

By simply editing XAML files we can hide away in-apps ads from Windows 8 ads.

 
#4: Reducing the cost of in-game items by editing game data files

Most games out there are composed of two distinctive pieces: a game engine and game data files used by the engine. For more on this dichotomy you can read this great article Battle for Wesnoth from the creative commons book The Architecture of Open Source Applications.  Let’s look at a real world example in the form of the windows 8 game Ultraviolet Dawn. The game is my all time favourite iPad  game and is a cool 2D space shooter. Like other games players start-off with a certain amount of in-game currency and can buy items to improve their spaceship.

Ultraviolat Dawn game store with items costing in-game currency

 

If we go back to the dichotomy we’ve heard about earlier then we can see how it applies to Ultraviolet Dawn. There’s a game engine that knows about “store items” and there’s going to be a list somewhere of what they are. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game’s data files. As we’ve previously seen executables for windows 8 apps can be located and modified. Specifically, Ultraviolet’s Dawn can be found here:

    C:\Program Files\WindowsApps\8DF9EE77.UltravioletDawn_1.0.0.37_x86__dd4ev9dvfndxm

We can open up the “res_store_items.txt” file and edit the price of in-game items. In our example we’ll edit all the weapons to be free.

Changing res_store_items.txt to reduce items prices

 

When we run Ultraviolet Dawn again we can see the price of items in the store is now 0.

Ultraviolat Dawn game store with all free items

 

We’ve just shown that using the simplest tools we can edit game files to compromise the experience of Windows 8 games.

 
#5: Compromising In-app purchase items by injecting scripts into the IE10 process

Even though we’ve already shown that in-app purchases are comprisable I’d like for us to see an example of that with Windows 8 HTML & JS apps. Up until now we’ve seen examples of C# and C++ apps, so let’s see that with WinJS apps. Let’s have a look at the massively popular and successful WInJS Windows 8 game Cut the Rope. The game follows a freemium model where the first few levels are free and additional levels cost 4.99$ to unlock.

Cut The Rope purchase screen asking to confirm 4.99$ purchase

 

As we know by now executables for Windows 8 games can be found on the local disk. Specifically Cut the Rope executeables can be found at:

    C:\Program Files\WindowsApps\ZeptoLabUKLimited.CutTheRope_1.1.0.9_neutral__sq9zxnwrk84pj

If we open up the default.js file in the js folder we can see the following code that obviously governs the in-app purchasing logic. We can see there are IS_PAID_FULL_VERSION and SIMULATE_PURCHASES variables set to false.  One wonder what happens if we change those values to true.

Javascript file with IS_PAID_FULL_VERSION and SIMULATE_PURCHASES variables set to false

 

We don’t really have to understand the specifics but we can see there’s an if-else condition that determines in-app purchases. We can’t directly change Javascript files as that’ll corrupt the Javascript package and Windows 8 will refuse to open the app. So instead of changing the files on the local disk, we can inject JS scripts at runtime into IE10 process.

 

Visual Studio 2012 has a built-in debugging mechanism for any installed Windows 8 app. Even if that wasn’t there we could still easily inject scripts to IE10, but since it is there we can use that familiar tool. Let’s use VS2012 to “Debug Installed App Package”. (Here are the Jacascript docs, C# docs and C++ docs to those unfamiliar with the feature)

Starting VS2012 Debug Installed App Package

 

Next we’ll choose to Debug Cut The Rope. Make sure to check the “Stop at first Statement” checkbox since we’ll use it to navigate to default.js.

The Debug Installed App Package screen with Cut The Rope selected and Stop at First Statement checked

 

After we click start we can see we’re debugging the Cut the Rope app. This is the important bit, we’ve now got the full force of VS2012 Javascript runtime debugging in a Win8 store app. This first breakpoint will always be the same file at the same row: the first row of the base.js file from the WinJS framework.

The base.js file loaded into the VS2012 Javascript debugger with a breakpoint

 

Using a smart combination of “Step over” and using the Solution Explorer we can set the following breakpoint after setting the variables we’ve previously seen.

Breakpoint on IS_PAID_FULL_VERSION

 

Stepping over this deceleration we can then see the following values in our Locals window.

Breakpoint after setting variables IS_PAID_FULL_VERSION and SIMULATE_PURCHASES to false

 

And now using the Immediate Window we can execute any javascript we’d like. For the purpose of this demo we’ll set SIMULATE_PURCHASES=true. We could have saved some time by setting IS_PAID_FULL_VERSION=true, but I’d like for us to see this runtime behaviour.

The immediate window javascript changing the value of SIMULATE_PURCHASES to true

 

Now when we click the purchase button we can see Windows 8 in-app purchase simulator. We’ll tell it that the purchase was successful.

Cut The Rope purchase screen using the Win8 Store in-app purchase simulator

 

And now we can see all game levels are unlocked.

Purchased levels on Cut The Rope

 

We’ve just shown how to inject arbitrary javascript into a Win8 store bought WinJS IE10 app and we’ve affected in-app purchase items inventory.

 
Summary: What have we seen?

Grumpy cat meme answering "Are Windows 8 Games & apps secure?" with "NO"

 

We were able to show that the majority of ways games and apps developers would make money aren’t secure by default on Windows 8. We’ve shown this for C# & XAML apps (Minesweeper), we’ve shown this for C# + Direct3D apps (Soulcraft), we’ve shown this for C++ & Direct3D apps (Ultraviolet Dawn), we’ve shown this for HTML & WinJS apps (Cut the Rope) and we’ve shown this for any app using Trial (Meteor Madness).

Let’s repeat what we’ve seen so far, what the root cause of the issue is and what could be done at the framework level to mitigate this issue:

    In-app purchase items Storage: In-app purchase is fast becoming the #1 revenue stream for game developers. We’ve seen we can trick games local storage to acknowledge consumable items that haven’t been purchased. The real problem here is that Windows 8 apps don’t have any truly secure location that’s inaccessible to the user and can be secured in offline scenarios. One possible improvement here would be for Microsoft to offer such storage for all apps. Let developers have a secure encrypted isolated storage by default. Also, another possibility would be to turn on code obfuscation and minification by default in order to avoid the reverse engineering needed for this exploit.
    Trial apps: Trial apps will likely be adopted by around 50% of Windows 8 games. We’ve seen how the Trial licenses are stored in the Tokens.dat file and how easy it is to edit it. The real problem here is that Trial apps are downloaded to the client machine with the full unlocked logic embedded in them. One way to fix this issue would be to have developers build two app packages (one limited functionality trial package and one full functionality package) and have those secured by the Win8 store purchasing system.
    In-apps ads: Mobile advertising in apps is a major industry and a source of revenue for developers. We’ve shown how by simply editing the XAML files on disk we can turn off ads in games. It shouldn’t be possible to tamper with XAML/HTML files and then have them loaded to memory. One improvement Microsoft can undertake here is have better on-disk tampering checks.
    Game data files and in-game items: We’ve shown game data files can be edited and they’ll then be loaded into apps. It shouldn’t be possible to modify any game file and then have it loaded to memory. Microsoft could follow tothe aforementioned recommendation from item #3 to help mitigate this issue.
    Injecting arbitrary Javascript affecting in-app purchase: We’ve seen we can inject any javascript code to run inside the IE10 process for a Win8 WinJS store app. That shouldn’t be possible. One possible improvement  would be for the IE10 team to lock down the IE10 process for signed scripts only when not on a development machine. 

We’ve seen a myriad of issues and offered potential fixes to them all. Any mildly competent developer can productize these security attack vectors into shipping products. If Microsoft doesn’t take it upon itself to fix these security attack vectors it’s not because it couldn’t, it’s because it chooses not to.

 
What haven’t we been able to do?

What has been fixed since early Win8 betas is editing DLLs or HTML/JS files on the disk is no longer possible. When that’s attempted the code integrity system kicks-in verifies file hashes and prevents app execution. One is left to wonder about how secure those AppxBlockMap.xml hashes really are and if they can be reversed engineer to be generated on the client side.

 
Heartfelt disclaimers

"Please don't sue me" t-shirt

    Games: The games appearing in this article are awesome and you should buy them and give them money. I’ve been a generous benefactor of each game and so should you! go download them and give them money. In order of appearance in article: Soulcraft, Meteor Madness, Minesweeper, Ultraviolet Dawn and Cut The Rope.
    Game developers: The game developers for the aforementioned games are professionals. For the most part you can’t work around a broken platform. There’s nothing “obvious” about any of these issues.
    Article format: This is an educational article written in the hope both developers and Microsoft can benefit from an open exchange of knowledge.
    My employer: I have an employer and they had nothing to do with this article. Both research and authoring this article was undertaken at my leisure time.

 
Feedback

Questions? Rebuttals? Thoughtful discussion? Sound off in the comments below.
Remember to read the previous article “Reverse Engineering and Modifying Windows 8 apps” if anything is unclear as it outlines many of the techniques used here.

-- Justin Angel
Published on 12/10/2012 12:00:00 AM by Justin Angel ©2012.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
(10:23:05 PM) 欧剃: 咩的笑话一般不仅冷,而且是黑漆漆的阴冷?
(10:23:11 PM) 布布: 这只是,对别人来说是掉SAN值的腹黑,对咩来说仅仅是笑话而已
(10:23:45 PM) ***Sheepy 耸肩, 一笑置之
(10:24:17 PM) ***布布 死了
  D&D 4e 殁土英豪 头两章试译