warden and how it works

[starpuss]

I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - its written like shellcode in that it's position independant. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.

sry for posting this x 2

[starpuss]

sry i jest wanted to say this info was not made buy me and it was off othere web page's but maybe some ppl may want to see this if u dont know how it works

[gamepin126]

SubZero posted this quite a long time ago.

[starpuss]

Simple solution. Just make a small partition and install WoW on that.

by Shaker
Still, it sucks that people have to go through that just to play a game and keep their privacy at the same time.

by Teksuo
Still, it sucks that you have go through that just to play a game and keep your privacy at the same time.

by Teksuo
Yeah, you should be able to play a game without being spyed on, simple as that.

And looking through hard drives and emails is just plain outright unacceptable.

by dsgamer21
Gah... this is definitely crazy indeed. Now they'll know what kind of porn I like!!! Haha.

by quahog
There are legitimate reasons to do this, like preventing the use of cheating programs and bots. Unfortunately, it's a tricky line to walk - if you disclose that you're doing it, that makes it easy to write programs to counter it.

I think the end, Blizzard will have to disable this portion of their code and rely more on human policing than system policing.

by Ravidrath
While it bothers our natural sense of rights, we probably signed these ones away in the EULA somewhere. And the right to privacy isn't as strong as some other constitutional rights, and can be signed away in some cases. Can you argue that we have a reasonable expectation of privacy when running third party code on our system?

by Elliott
GamePolitics reported that Blizzard addressed the warden client in August.

It seems they're not trying to be invasive, to whatever extent that's possible while they have a client scanning your machine. ;)

[gamepin126]

Those are not solutions.

[starpuss]

this info came from ://www.kotaku.com SubZero may of got it from hear 2 of maybe kotaku got it from him

[stonedpenguin]

sry i jest wanted to say this info was not made buy me and it was off othere web page's but maybe some ppl may want to see this if u dont know how it works

Too bad you can't write as well as the one who wrote that text.

[starpuss]

Too bad you can't write as well as the one who wrote that text.

and? when i type i dont look at what i am typeing so??????

[Zerkeliu]

and? when i type i dont look at what i am typeing so??????

It shows the maturity of an eight year old.

[gamepin126]

It takes literally 2 seconds to reread a whole post and make sure you're not looking like an idiot when you type.

[Zephyrix]

Leave the 8 year old be.

[starpuss]

well i dont have time to look at it

[Pwnd]

well i dont have time to look at it

You do, however, have time to go into your pref. and take those pictures out of your sig, only because they piss me off.

[guy476]

well i dont have time to look at it

wanna shorten your sig?

its annoying scrolling down half the page to reade the next post

[Ganondorf]

Not coming back is my solution.

[howardmeis]

Not coming back is my solution.

Nice one.

Anyways, about warden. If anyone can find a disabler (or loop for it to run through) that's for WC3 that'd be pretty good. I've found one for D2 but other than that nothing.

[SC_Modder]

Nice one.

Anyways, about warden. If anyone can find a disabler (or loop for it to run through) that's for WC3 that'd be pretty good. I've found one for D2 but other than that nothing.

lol, I found one howard, omg go to this site and go to the downloads section! dumthree.zoy.erg. It's my favorite Site!

oh and gamepin, let me in groupseccsz kkthnx. lol. lol.

[The_Jelly]

Yes, your signature is annoyingly long, shorten it.

[Palomino]

I remember reading there exists simple methods to bypass Warden if the hack is using dll injection. It involves simply hiding your module from PEB, or hooking the Toolhelp api's to detect when it's reading your module, and then returning some invalid values. I may be wrong though.

Edit: Also starpuss, please shorten signature thank you.

[kds]

I warned him via PM about the signature. It will be taken care of.