Hacking and Modding Windows Universal Apps and Games (UWP)

Cheatengine modifying Forza Motorsport 6: Apex

There are a lot of misconceptions about Windows 10 UWP Apps.
Most people think that you can’t do anything to them, in terms of modding or hacking.

Well, this is not true at all.

In fact, you can do a whole heck of a lot with them and have fun in all sorts of ways. Including to mod the shit out of them.

Windows 10s UWP Apps are built upon Win32, which we all know and love (and/or hate to the core…)
Windows 8s UWP Apps are a slightly different story but who ever used that shit, right?

Here I’ll give you a quick rundown on how you can hack and mod the shit out of them.
We first begin with just reading and modifying things in memory, go over DLL-Injections and

Misconception #1: Cheating

To kick things off, let’s begin with something real easy… Cheatengine, which can also be used for way more than what its name implies.

Note: I don’t support cheating in (multiplayer) Games, but it’s here to prove a point. 

A lot of people seem to think that there at least won’t be much cheating in Games when they are UWP exclusive, at least a single strong point for them, you might think.

But nope, Cheatengine just works perfectly fine. The inbuilt debugger from Cheatengine just plain works, too!
Here is a screenshot of Cheatengine modifying a text string in Forza Motorsport 6: Apex

Cheatengine modifying Forza Motorsport 6: Apex

I’ve also tried and casually played with x64dbg, but didn’t play around all too seriously, but I also expect it to work just fine for more serious usage (outside of cheating).

Misconception #2: Programs like FRAPS cannot and will never Work.

This is also everything else but true.
It is correct that FRAPS itself does not work, however, the latest FRAPS release was from February 2013.
Let that sink in for a minute.

But now, let us first look at how Programs like FRAPS, other in-game overlays, recording or benchmarking software even work.

Those programs, basically, work by hooking DirectX’s “End-Scene” call, which, as you might guess, is called at the end of every frame rendering.
Of course, this is slightly different when recording OpenGL or Vulkan or whatever but the general idea is the same.

How do they hook this function? They basically just inject a DLL and then hook the specific method.

So we’re talking about DLL-Injection and Function-Hooking, which also just works perfectly fine in UWP-Apps.  with most, if not all, injection and hooking techniques.

But, and there is always a but, you have to look out for two things.

First:
The Window, in which the UWP app renders its content, is not owned by the Apps executable.
Instead “ApplicationFrameHost” does, and this is where FRAPS falls short since FRAPS directly targets the window, rather than the process itself.
Note: Because of this, you cannot create new windows, like message boxes for example, when injected in a UWP-App

Second:
The DLL you want to inject has to have “Read, Execute” as well as the “Read” permissions set for the “ALL APPLICATION PACKAGES”-Group

Properties

You can set this via the properties tab of the DLL-file but the name may differ depending on your system language.
You could also just use the following little code snippet which I’ve taken from StackOverflow (so don’t mind the “goto”s) to set the permissions programmatically.

Afterward, inject your DLL with your preferred injector/method, and your DLLs code will magically function.

Since UWP-Apps use the Win32 API under the hood, you can expect KernelBase.dll, Kernel32.dll, ntdll.dll, and user32.dll to be loaded in them. You will also find d2d1.dll and either d3d11.dll or d3d12.dll (used in a handful of apps) loaded in all UWP apps, including the new UWP calculator app.

For function hooking, as you might now expect, it works the same way it does for Win32 Programs.
A Handy little library which I’ve used for this is MinHook

So recording and benchmarking software and in-game overlays could work just fine.
An example of a perfectly fine working recording software would be Dxtory which was updated back in September 2015 to support UWP-Apps!

Misconception #3: You cannot create Mods

Well… Again you very well can create mods!
With Cheatengine, debuggers like x64dbg, and DLL-injection and function hooking working, there is nothing to stop anyone from modding the shit out of any UWP-App.

But let us begin with why this misconception exists in the first place.

Without taking control over the (hidden) “C:\Program Files\WindowsApps\” directory, or wherever you might have it, you cannot access the files of UWP-Apps. But you can just take control of this, and any subdirectories and its files without any problems.

You could also always just open up a shell as NT-Authority and access them that way.

If you just wanted to mod a simple config file or something you should be fine.
However, some Apps, not all of them, check if their files were tampered with. But that’s easily circumvented.

All you have to do is Hook the “CreateFileW“-Method in “KernelBase.dll“, monitor the file access and then reroute those access requests to load your modified version from some directory you can access just fine.

Unfortunately though, this method doesn’t appear to work for sound files or files that are streamed. If anyone has a fix for this, I’d love to know…

Here’s an example that does exactly what just described, using the previously mentioned MinHook library

A few more things

You can’t just launch a UWP-App like a regular Win32 Program using CreateProcess.
Luckily for us, M$ has provided us with  the IApplicationActivationManager interface which lets developers launch UWP apps from regular Win32 programs.

If we want to do something to an App before it is launched, we can suspend it before that

Important note: Call

// Initialize COM objects, only need to do this once per thread
DWORD hresult = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
if (!SUCCEEDED(hresult)) return hresult;

Before you launch an App or do anything call this afterward:

CoUninitialize();

5 thoughts on “Hacking and Modding Windows Universal Apps and Games (UWP)”

    1. This is true, however, most (all?) UWP Games use DX12, in which case, it doesn’t really matter.
      For non-gaming apps it irrelevant anyways.

      I don’t think it’s that big of a deal.

      Besides, I didn’t say anything about fullscreen, right? 😉

  1. hello, how do i use reshade in uwp cracked games like recore?
    The program injects fine but can’t display the reshade ui to apply the shaders (shift+f2)

  2. Hello, I honestly don’t know anything about UWP. It would be helpful if you or anyone could help me in replacing a file in the Minecraft windows 10 UWP app folder. I have been trying to change a file in there for a few months now, but cant seem to figure it out. I never get permission not change anything in there, I’ve tried messing with permissions to make me the owner, doesn’t work, Deleting the folder and replace it with a copy app doesn’t open. I don’t know if its possible to even change a file in there. Help will be appreciated.

Leave a Reply to Peter Repukat Cancel reply

Your email address will not be published. Required fields are marked *