Two days ago I upgraded to Windows8 (Thank you Microsoft for your MSDNAA Platform!)
And to my suprise I actually like it a lot, especially the ease of installing applications through the Windows 8 Store. However what I didn’t like was that most free apps feature ads now, it’s pretty much: “Buy the app or get annoyed by ads!”
For this article I will be using the Windows8 version of the twitter-client named “metrotwit” – sorry to the folks at Pixel Tucker for using your app to illustrate this ‘issue’! But metrotwit is a great, beautiful and slick looking client and I can only recommend using it!
[Edit: I do admit that my original intention was to see if I could remove ads, but this article is not supposed to just show how to remove ads, it's more like a call for attention that the new system is not secure at all by illustrating the ease of modifying (almost) any app!]
So I did a little searching to see if I could locate the app and modify it, those were my steps how I removed the ads:
Step 1: Searching the Registry
Bingo! – There is the location of all Windows8 Apps!
Step 2: Taking ownership of the app-folder
Unfortunately I am not able to edit stuff in the app-folder right away, so I took ownership of the folder:
Step 3: Locating the files to modify
Within the folder of the metrotwit app there were quite a few files and folders, one that caught my attention was a folder called “views”. Inside the views-folder were a bunch of XAML-files, including one called “MainPage.xaml”.
Step 4: Editing the file
I opened MainPage.xaml and search for the term “Upgrade to Pro”, this was the label right below the ad. After that I located the visibility-property for the ad-container I just changed the binding to the variable “VerifiedProUser” – which I was not! (see screenshot below) – the ads were gone! Other ways to removed the ads that have proven to work:
- Set the width&height of the ad-container to 0px 0px
- change the dom-location of the container so the element is blocked by other elements
But there are certain restrictions when editing those files, that I found out about:
The filesize has to stay the same, since there is a checksum of each file listed in the ‘AppxBlockMap.xml’ that is checked every time the application is launched. I was not able to regenerate the checksum, it uses the SHA256 algorithm but apparently with a salt to it, which was too much of a hassle for me to figure outUPDATE: I was messing around with some apps a little more today and just found out that you can remove just anything from the ‘AppxBlockMap.xml’ or delete this xml-file entirely => If no ‘AppxBlockMap.xml’ is present, no files will be checked for their checksum, which means that you can now freely add or remove code from any files without worrying about the filesize: Well done Microsoft!
- If the XAML-Object contains an ‘x:Name‘ it cannot be commented out, this will cause the app to throw an error and not launch
The final step was saving the file and starting the application, and there you go: The ads were not visible any more!
I have tested this with several apps and with every app it was a fairly easy goal to accomplish.
What can developers do to prevent this? I’d say the question is: What should microsoft do to prevent this?
However, as a developer I would consider adding certain methods that check the visibility and location of an ad every couple seconds – I have not yet looked into modifying app-logic but I’d imagine this is not as easy as modifying a simple XAML-view.
Or developers can use C++ as this would require a disassambler to get to the source and even then it would be hard to modify stuff…or at least a lot harder than with XAML files.
Thoughts on this are welcome!
Update #2: Obviously there is a tool available that let’s you upgrade trial-versions of app to full-versions for free with on click of a button. I have not tested that tool yet nor would I encourage anyone to use it. But there is no doubt that many users will do so as it gains popularity(can you blame them?). But Microsoft should act quickly.
Update #3: As I got some feedback from people saying “it’s not nice to rip off developers [ect...]” – I do agree! But the point here goes way beyond that: If I am able to modify an app within 15 minutes – then a virus will be able to do the same. Imagine a virus adding some lines of code to the application logic and the next time I use the application all my data(that is accessible by the application) could be sent to an evil server – just to give one brief example.