Microsoft Cache: How you can get it working

If you’ve been following Microsoft news closely, you might have heard about an upcoming Microsoft Garage application called “Cache”. “Cache” is a cross-platform, cross-device tool for keeping track of links, maintaining a shared clipboard and so on. This makes it effectively a successor to a number of previously separate projects that have been aborted over the years, such as the Windows Reading List, and the OneClip project that was killed before it launched.

Yesterday,  Paul Thurrott posted a download link that allowed you to download a private beta:

Unfortunately for many, it would reject your sign-in if you did not meet one of the following conditions:

  • You were explicitly whitelisted on a private preview invite service
  • You logged in using a microsoft.com email address

Some enterprising souls obviously got it working, and there’s been many different ways of doing so. Indeed, within the BuildFeed team, we had three people implement their own hacks three different ways to get it to play ball. Here’s mine:
Microsoft Cache v1.5.41.1000 (Private Preview Patch)

Firstly, make sure there’s no copy of Microsoft Cache running in the background – by default, it will keep itself running in the system tray.

Then, simply open up the Cache application folder and replace the existing Microsoft.Cache.Common.dll with this new, patched version.

After doing this, run the application, log in and you’ll find yourself able to use the application regardless of whether you meet the aforementioned conditions.

In-depth

It’s interesting to note that the Cache application isn’t a UWP application, despite how hard Microsoft is pushing that to developers. Instead, it’s a plain old .NET 4 with WPF application. It also sends out a lot of telemetry at this stage – like every couple of minutes just sitting there idle, it was sending out telemetry. I guess that’s mostly down to it being a private preview intended to collect data from a pre-selected audience for debugging purposes. It’s also not a particularly privacy-minded application in concept – everything is shared with the cloud, including everything you copy to the clipboard. It can exclude applications from that clipboard-slurping, but by default, it only covers a few common password managers.

Working around the flaw, as I said, can be done a number of ways. Essentially, it boils down to this key method (shown here in very approximate and simplified pseudocode) in Microsoft.Cache.Common.dll:

There are obviously many ways to subvert this. Some used a man-in-the-middle attack to alter the HTTPS response that CheckUserStatus requests so that it passed that check. Ahmed (@AirportsFan) and Tej (@tej_pp) both disclosed to me that they went this route. This is probably the quickest and least invasive route, since it doesn’t rely on modifying binaries.

Lukas (@tfwboredom) went the patching route. He got out IDA and a hex editor and flipped a conditional within the IsMicrosoft property so that the check will always return true as long as the user has signed in.

I also went the patching route, but used .NET Reflector with Reflexil to alter the entire function to essentially just be the following:

.NET Reflector is obviously a paid product these days, and probably not even the best .NET disassembler on the market anymore, but you can still go that route easily enough with just ildasm.exe (in the .NET/Windows SDK) and ilasm.exe (shipped with .NET Framework itself).