Daily Archives: October 13, 2012

Decompiling Windows 8 Apps

So you’ve got Windows 8 installed and all these cool new apps that you can download, but you want to learn more about how Microsoft writes its JavaScript apps, or maybe you want to understand how secure your app code is? Well, here is a quick guide to gaining access to an app’s directory and having a nose through all that interesting information.

For the sake of this post I will decompile Microsoft’s own Live apps, which are written in both JavaScript and some .NET. The first thing we need to do is find out where these apps actually reside on our system. An easy way to do this is to open up Task Manager and find an app that runs inside of Metro. These are normally shown as “Suspended” when you’re in desktop, so that makes them easier to find.

As you can see in my list of apps, I have the Mail app running. If I select the Mail app, then right-click and choose “Open File Location”, I find that I am blocked by permissions.

OK, so that seems right: Microsoft don’t want me looking at all their code, so I will have to do a little more to gain access. Of course, I know I should have access, as I need to run the apps, so at the very least I should have read access.

If we look at the “Details” tab in Task Manager, you will notice that the Mail app is nowhere to be seen. This is in part due to the way Windows 8 runs JavaScript apps, but also in part due to how the app has been built. JavaScript apps running in Windows 8 require a container in order to execute. Basically, such an app needs access to IE in order to perform rendering etc. Therefore Microsoft have created an exe called “WWAHost.exe” which hosts these kinds of apps.

That said, we are not even 100% sure that the Mail and People apps etc. run in the container. Therefore it’s back to our old friend Process Monitor in order to see what’s going on when we run the apps. After a quick capture I can see that when running the Mail app there is a lot of activity in the process LiveComm.exe.

If I look at the process information for one of these entries I can find the location of where this process is actually running.

OK, that looks promising. Taking the location of the exe and popping it into Explorer, I can now browse directly to the folder and see its contents. As expected, this looks like the app’s execution directory, and we can see all the files for each of the common “Live” apps.

Now all you need to do is go browsing through the JS files to learn how to develop your apps the same way Microsoft has, or dig out Reflector for the .NET stuff.

You should be able to use this approach for most types of apps. Obviously C++ apps will probably be the most secure when it comes to decompilation. Also note, you cannot change any of the files, as all assets etc. are digitally signed and will be checked when you try and run them in Windows 8.
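To see how much of your own app ships in readable form, here is an added example (not code from the original post) that inventories an install directory along the post's JavaScript / .NET / C++ split. The category names, extension list and `sample_pe` test helper are assumptions made for illustration; managed assemblies are recognised by a non-empty CLR header entry (index 14) in the PE data directory.

```python
import struct
from pathlib import Path

SOURCE_EXT = {".js", ".html", ".htm", ".css", ".xaml", ".json", ".xml"}
CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: set only for .NET images

def pe_kind(data: bytes) -> str:
    """Return 'managed', 'native' or 'not-pe' for the raw bytes of a file."""
    try:
        if data[:2] != b"MZ":
            return "not-pe"
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return "not-pe"
        (magic,) = struct.unpack_from("<H", data, pe_off + 24)
        if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
            return "not-pe"
        dirs = pe_off + 24 + (96 if magic == 0x10B else 112)
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= CLR_DIR:
            return "native"
        rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
    except struct.error:                                   # truncated header
        return "not-pe"
    return "managed" if rva and size else "native"

def classify(path: Path) -> str:
    ext = path.suffix.lower()
    if ext in SOURCE_EXT:
        return "plain-source"          # readable as shipped
    return pe_kind(path.read_bytes()) if ext in (".exe", ".dll") else "other"

def audit(root: str) -> dict:  # category -> relative paths under root
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            report.setdefault(classify(p), []).append(str(p.relative_to(root)))
    return report

def sample_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 headers for testing; not a runnable binary."""
    buf = bytearray(0x200)
    buf[0:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)                # e_lfanew
    struct.pack_into("<H", buf, 0x80 + 24, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, 0x80 + 24 + 92, 16)        # NumberOfRvaAndSizes
    if managed:                                            # fake CLR header entry
        struct.pack_into("<II", buf, 0x80 + 24 + 96 + 8 * CLR_DIR, 0x2008, 0x48)
    return bytes(buf)
```

Run `audit()` against the folder located with the steps above: everything under `plain-source` or `managed` should be treated as readable by anyone with the app installed.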

Happy hacking