Tutorial How to Hack UWP & Bypass Windows Store App Protection


timb3r
Jul 15, 2018


Game: Bubble Witch 3 Saga
Developer: King
Buy (It's free): Microsoft Store

That's right kids: it's time. Time to bypass your first Anti-cheat and prove your skills as a novice game hacker.

What you were expecting EAC or BE?

"You are not ready for that......not even close".

So I'm going to do something a bit different here than I usually do. There are going to be two editions of this tutorial:
  1. The first one will be spoiler free.
  2. The second one will be a more complete guide (including solutions).
Those of you craving a challenge can simply stick to the first one; however, if you get stuck you can look at the solutions and see how close you were. Anyway, let's dig in!

Introduction:

So a bit of an information dump on Windows Store Apps to begin with. By default on Windows 10 the apps from the store live in this directory:

C:\Program Files\WindowsApps
hidden-file.PNG

"Don't forget to show hidden files."

However attempting to access this directory will result in this happening:

access-denied.png

"Go ahead and click continue Mr Administrator"

You'll be fairly surprised to see this happen:

access-denied-2.png

"What!? No one denies me access to my own machine!"

So let's begin with a fairly simple permissions bypass. Your user account will have access to the game (obviously, it needs to run it); however, Microsoft decided that you really didn't need to be poking around inside their super secret apps directory. So let's do that now:

perms-1.png

"Right click on the Apps folder and click advanced."

Now you should be greeted by this page:

perms-2.png

"As you can see your user account doesn't have the read permissions....permission".

perms-3.png

"Enter your username and click OK."


Make sure you check this box before hitting OK on the main screen (important):

replace-owner.PNG


This will give our user account full access to all files, folders and sub directories.

If you did it correctly you should see this window popup:

perms-4.png

"Windows will now overwrite TrustedInstaller with your user account".

Now we should have full access to the directory:

pwnt.PNG

"If you get an admin warning just click okay and it'll open."

In case you're worried you've broken something: don't. If you check the permissions again you'll see only the owner of the DACL has changed. All the system permissions are still intact, and the game and store will continue to run normally.


still-works.png
"Look at that magnificent casual mess".

Congratulations, you've just performed your first small bypass (and it was easy). Now we can actually do something a bit more challenging.

timb3r

What's the deal with UWP?

So you may be wondering what the difference between a UWP app and a regular application is. Well, here's a pretty good explanation from Wikipedia:
Universal Windows Platform (UWP) is an API created by Microsoft and first introduced in Windows 10. The purpose of this platform is to help develop universal apps that run on Windows 10, Windows 10 Mobile, Xbox One and HoloLens without the need to be re-written for each. It supports Windows app development using C++, C#, VB.NET, and XAML. The API is implemented in C++, and supported in C++, VB.NET, C#, F# and JavaScript. Designed as an extension to the Windows Runtime platform first introduced in Windows Server 2012 and Windows 8, UWP allows developers to create apps that will potentially run on multiple types of devices.
This means a few things:
  1. We cannot assume what language the game is programmed in.
  2. Different UWP games will require different approaches.
So let's do a bit more digging and find out some more information about Bubble Witch. Grab DIE if you don't have it already and drop the main game executable into it:

die.png

"A 32 bit executable written in Visual C++ right at home."

If it had been written in something like C# we'd need to change our approach somewhat however it looks like we can use the normal tools here. Since it's a regular PE file we can also dump the imports and see what's going on inside (attached to post).

Here's a few interesting things:
  • They're using libcurl to (probably) communicate with their server.
  • They're also using DirectX 11 presumably to render to the screen (ImGUI ?).
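Since the post's import dump itself is only attached to the thread, here is an added example (mine, not timb3r's and not from the game) of the same triage done from raw bytes: a small PE import walker written with only the Python standard library. It answers the two questions asked of DIE and the dump above, whether the image is 32-bit and which DLLs (libcurl, d3d11) it pulls in. Because the real game binary cannot be shipped with this example, `build_sample_pe` constructs a toy PE32 image containing nothing but an import table; the DLL and function names in it are constructed sample data, and `SECTION_RVA`/`SECTION_RAW` are arbitrary choices for that toy image.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # where the toy image maps its only section (assumption)

def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return (is_32bit, machine, {dll: [imported name or 'ordinal#N', ...]})."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    is_32 = struct.unpack_from("<H", data, opt)[0] == PE32_MAGIC
    nrva = struct.unpack_from("<I", data, opt + (92 if is_32 else 108))[0]
    dd = opt + (96 if is_32 else 112)            # start of the data directories
    sections = []
    for i in range(nsec):
        _, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    imports = {}
    if nrva < 2:
        return is_32, machine, imports
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]   # directory entry 1 = import table
    if imp_rva == 0:
        return is_32, machine, imports
    thunk_fmt, thunk_size, ord_flag = ("<I", 4, 1 << 31) if is_32 else ("<Q", 8, 1 << 63)
    desc = _rva_to_offset(imp_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                        # null descriptor terminates the table
            break
        funcs = []
        thunk = _rva_to_offset(oft or ft, sections)   # prefer the lookup table, fall back to the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                # skip the 2-byte hint in front of the name
                funcs.append(_cstr(data, _rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
            thunk += thunk_size
        imports[_cstr(data, _rva_to_offset(name_rva, sections)).lower()] = funcs
        desc += 20
    return is_32, machine, imports

def triage(data):
    """The questions the post asks of DIE and the import dump, answered from the bytes."""
    is_32, machine, imports = parse_imports(data)
    return {"arch": "32-bit" if is_32 else "64-bit", "machine": machine,
            "uses_libcurl": any(d.startswith("libcurl") for d in imports),
            "uses_d3d11": "d3d11.dll" in imports, "imports": imports}

def build_sample_pe(dll_imports):
    """Constructed toy PE32 with nothing but an import table (no code); test input only."""
    sec = bytearray()
    def put(blob, align=4):
        while len(sec) % align:
            sec.append(0)
        off = len(sec); sec.extend(blob)
        return SECTION_RVA + off
    descs = []
    for dll, funcs in dll_imports.items():
        name_rva = put(dll.encode() + b"\0", 2)
        hints = [put(b"\0\0" + f.encode() + b"\0", 2) for f in funcs]   # hint/name entries
        ilt = b"".join(struct.pack("<I", r) for r in hints) + bytes(4)
        descs.append(struct.pack("<IIIII", put(ilt), 0, 0, name_rva, put(ilt)))   # OFT, IAT
    table = b"".join(descs) + bytes(20)
    imp_rva, imp_size = put(table), len(table)
    raw_size = (len(sec) + 0x1FF) & ~0x1FF
    sec.extend(bytes(raw_size - len(sec)))
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, imp_rva, imp_size)      # import directory entry
    hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SECTION_RVA, raw_size, SECTION_RAW,
                      0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdr
    return headers + bytes(SECTION_RAW - len(headers)) + bytes(sec)

# Constructed sample mirroring what the post found: libcurl plus DirectX 11.
SAMPLE = build_sample_pe({"libcurl.dll": ["curl_easy_init", "curl_easy_perform"],
                          "d3d11.dll": ["D3D11CreateDevice"]})

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed `triage` the bytes of any real PE (`open(path, "rb").read()`) and it walks the genuine import table the same way; the toy builder exists only so the block runs without the game binary. A PE32+ (64-bit) image is handled too, which is the point of checking the optional-header magic before trusting any offsets.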
Before we begin:

This is the part that separates the brave and bold from the weak and timid. If you're going to be playing around with Anti-Cheat you must accept the fact that getting banned is a very real, very likely possibility especially when starting out. No matter how careful you are it's possible to overlook something and get yourself banned or HWID'd. If you aren't willing to risk it then your game hacking journey basically ends here.

That being said there's a few basic things you can do to avoid getting stomped too drastically:
  1. Use a virtual machine.
  2. Use alt accounts.
  3. Write your own damn code.
  4. Know your limitations.
No. 4 is a big one. If you have a few months' experience and you try to take on BattlEye or EAC with some 'bypass' you pasted from UC, then don't come crying to me when you've been perma-banned and HWID'd on your main account.

To quote our savior Rake:
Game hacking is not for lazy, stupid or immature people.
Play with fire get burnt: accept it.

So what are we up against here?

Well part of reversing is slowly revealing the bigger picture by trying a methodical structured approach then when that doesn't work by trying every stupid idea that pops into your head. For example what happens if we just try to launch the game process from the directory?

doesntwork.png

"Obviously it @Doesn'tWork ".

So obviously when we said before that it was a "normal" PE file our assumptions were incorrect. As it's a UWP app we can only assume there's some type of special loader / initialization routine that needs to be called to correctly set up the program to run. If you check the dump file you'll see a bunch of calls to mapping functions and whatnot, so that assumption is a pretty safe bet.

We COULD try bypassing all this but why bother? Just run the game normally and see if you can attach a debugger. If you attach too early into the program's execution this interesting thing happens:

whut.PNG

"int 29h seems legit."

However if you WAIT, fucking WAIT, you impatient bastard, you'll get this:

wait-goddamn-it.PNG


Game running normally, debugger attached, time to move on.
 

timb3r
The Actual Anti-Cheat Part:

Here's the part where the hand holding stops and you're going to be left on your own (spooky).

Here's the main game screen:

main-screen.PNG


And here's the main game-play screen:

gameplay.PNG


Your mission objectives are as follows:

Main Screen:

Determine if these values are server-sided and then:
  1. Keep your hearts value at 5 (max).
  2. Modify your gold value.
  3. (Optional) Locate the countdown timer and modify that as well.
Gameplay Screen:
  1. Lock the value of current balls (so you have unlimited turns).
  2. Locate and modify the score value.
  3. Locate the owl value (top right) and modify it at will. If you have the correct address you'll essentially be able to "skip" the current level.
Hints:

Since I'm feeling generous here's the first clue:

correct.PNG


This is the function that controls how many balls you have remaining; everything else is a red herring. It won't be as simple as nopping out these instructions and just doing a MOV EAX, 1E. Also, since the game is a UWP app it does perform integrity checks on certain parts of the program's memory (so have fun with that).
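To make that last hint concrete, here is an added example (mine, not from the post or the game) of how a memory integrity check of the kind mentioned above typically works: a baseline of hashes is taken over fixed-size chunks of a protected code region, and a later re-check reports every chunk whose bytes no longer match, which is exactly what catches a one-byte NOP patch. The byte region, the chunk size and the patch offset are all constructed for the demonstration.

```python
import hashlib

CHUNK = 16   # bytes per hashed chunk; a real check would likely use pages or whole functions (assumption)

def baseline(region, chunk=CHUNK):
    """Hash each chunk of a code region; a protected program would do this once at startup."""
    return [hashlib.sha256(region[i:i + chunk]).digest() for i in range(0, len(region), chunk)]

def verify(region, expected, chunk=CHUNK):
    """Re-hash the region and return the indices of chunks that differ from the baseline."""
    current = baseline(region, chunk)
    if len(current) != len(expected):            # region grew or shrank: treat every chunk as suspect
        return list(range(max(len(current), len(expected))))
    return [i for i, (now, then) in enumerate(zip(current, expected)) if now != then]

# Constructed stand-in for a protected code region: 64 bytes of NOP filler with a
# single recognisable instruction byte (0x48, 'dec eax') at offset 20. Not bytes from the game.
REGION = bytes(b"\x90" * 20 + b"\x48" + b"\x90" * 43)

def demo():
    """Show an untouched region passing and a one-byte patch being localised to its chunk."""
    expected = baseline(REGION)
    untouched = verify(REGION, expected)          # [] : nothing changed
    patched = bytearray(REGION)
    patched[20] = 0x90                            # the one-byte NOP patch the hint says will not be enough
    return untouched, verify(bytes(patched), expected)   # ([], [1]) : chunk 1 covers bytes 16..31

if __name__ == "__main__":
    print(demo())
```

The chunk index tells the checker roughly where the modification happened, so even a single flipped byte stands out; the only other knob a real implementation adds is how often and from where the re-check runs.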

This concludes the spoiler free version of this tutorial. Do not post any solutions here; post them in the spoiler thread.

Also, this is primarily targeted towards beginners, so if you're the type of person who likes to swoop in and flex over people because they know less than you, just fuck right off: GuidedHacking is not that type of place.
 