Looking inside your screenshots

[JSmith86]

Hey guys, stumbled here from an external site, just a very casual wow player.

How are you guys coming along in being able to actually extract the embedded codes from non-trivial screen shots? I have some familiarity with this subject matter, and whoever said it was jpeg artifactting is just off their rocker, but being able to extract this data without having source originals to compare against is extremely complicated to say the least. I mean, you have the trivial cases where you're looking at solid color mappings and then you can just delta luminesence extract the patterns, but the fact they're *ONLY* in the shittier jpeg compressed versions makes me wonder even more, it even further complicates any extraction, because from the looks of it, the watermarking is applied, then the entire image compressed, instead of the image compressed and the watermark interleaved on top, so you're talking even more data blending to make it almost unrecoverable in a lot of cases.

I can't provide actual proof for the above statements, but I don't think it's possible to reliably recover the information wholly from jpegs at the 1-3 compression level without any ecc in the watermarks, when that's images of actual scenery, not single color mappings, unless they also have a 6 set of camera information somewhere in the screenshots that hasn't been found yet. If you guys are making any progress towards this, I would love to help, but it doesn't seem like that's really being achieved at any meaningful level.

[Sendatsu]

Hey guys, stumbled here from an external site, just a very casual wow player.

How are you guys coming along in being able to actually extract the embedded codes from non-trivial screen shots? I have some familiarity with this subject matter, and whoever said it was jpeg artifactting is just off their rocker, but being able to extract this data without having source originals to compare against is extremely complicated to say the least. I mean, you have the trivial cases where you're looking at solid color mappings and then you can just delta luminesence extract the patterns, but the fact they're *ONLY* in the shittier jpeg compressed versions makes me wonder even more, it even further complicates any extraction, because from the looks of it, the watermarking is applied, then the entire image compressed, instead of the image compressed and the watermark interleaved on top, so you're talking even more data blending to make it almost unrecoverable in a lot of cases.

I can't provide actual proof for the above statements, but I don't think it's possible to reliably recover the information wholly from jpegs at the 1-3 compression level without any ecc in the watermarks, when that's images of actual scenery, not single color mappings, unless they also have a 6 set of camera information somewhere in the screenshots that hasn't been found yet. If you guys are making any progress towards this, I would love to help, but it doesn't seem like that's really being achieved at any meaningful level.

Hello JSmith86

Thank you for your input. It may have taken me a while but I think I eventually managed to convince everyone that this indeed isn't a case of jpg artifacts, but watermarks. A few people are currently experimenting with extracting the pattern from normal (colorful) screenshots and I hope we will soon have some progress on this.

Additionally, I would like to think that a company like Blizzard would not get into so much trouble to secretly watermark our screenshots since 2007, if they did not know of a way to successfully ready these watermarks every time. It is only a matter of time before someone figures out an algorithm based on the Digimarc patents or the rest of the available publications on the subject.

[Laria]

Hi

Just got interested in this topic and thought to contribute some bits I hooked up a local server + 3.3.5a for more "mobility" (ex so I can play with debuggers without getting banned). For debugging I use ollydbg 201 beta2.

That for now I managed to find the code that generates the actual watermark + bypassed it to lossless tga The watermark is being "painted" in a set of loops: in ollydbg from 0x4AA7EC to 0x4AADA0 (for wow 3.3.5a). And the function containing those loops is at 0x4AA760. The complete watermark thingy again is at 0x4A93B0
So my guess at 0x4AA760 the watermark picture (the pattern) is actually being rendered. And guessing at 0x4A93B0 is the "top" function for all the watermark rendering matter.

A tga sample converted to jpg: https://i.imgur.com/vJxtW.jpg
The code in 3.3.5a wow.exe that generates the watermark: https://i.imgur.com/WfO8I.jpg
To save the watermark into tga, look at this screenshot and use the instructions: i.imgur.com/2IvK5.jpg

Now I am looking what actually is being "stored" inside there

Sorry that I am using the 3.3.5a client, but on that server (arcemu) I can do like anything, flying outside the world (to get just a plain background color) etc. If someone want's the 3.3.5a exe I am using for reverse engineering issues, pm me I will send you a link to it, if allowed so by the community

[Sendatsu]

Hi

Just got interested in this topic and thought to contribute some bits I hooked up a local server + 3.3.5a for more "mobility" (ex so I can play with debuggers without getting banned). For debugging I use ollydbg 201 beta2.

That for now I managed to find the code that generates the actual watermark + bypassed it to lossless tga The watermark is being "painted" in a set of loops: in ollydbg from 0x4AA7EC to 0x4AADA0 (for wow 3.3.5a). And the function containing those loops is at 0x4AA760. The complete watermark thingy again is at 0x4A93B0
So my guess at 0x4AA760 the watermark picture (the pattern) is actually being rendered. And guessing at 0x4A93B0 is the "top" function for all the watermark rendering matter.

A tga sample converted to jpg: https://i.imgur.com/vJxtW.jpg
The code in 3.3.5a wow.exe that generates the watermark: https://i.imgur.com/WfO8I.jpg
To save the watermark into tga, look at this screenshot and use the instructions: i.imgur.com/2IvK5.jpg

Now I am looking what actually is being "stored" inside there

Sorry that I am using the 3.3.5a client, but on that server (arcemu) I can do like anything, flying outside the world (to get just a plain background color) etc. If someone want's the 3.3.5a exe I am using for reverse engineering issues, pm me I will send you a link to it, if allowed so by the community

Hello Laria

Thank you for looking into this! It looks like you've already found some useful points of reference.

You have probably seen a few of these Assembly posts, but I'll just list them here FYI:

http://www.ownedcore.com/forums/worl...ml#post2489452 (Looking inside your screenshots)

http://www.ownedcore.com/forums/worl...ml#post2491447

http://www.ownedcore.com/forums/worl...ml#post2491687

http://www.ownedcore.com/forums/worl...ml#post2492494

http://www.ownedcore.com/forums/worl...ml#post2492511

And one about cleaning up the pattern you are capturing:

http://www.ownedcore.com/forums/worl...ml#post2491783

Please tell us if you find anything on how the watermark is stored/painted over the screenshot; maybe it will help with the reversing. Thanks

[BuloZB]

this is very good informations post thx! rep


i have some questiosn

Does the watermark actually produce information about personal data of acc?

[woenvlgo]

I find this thread hilarious.

[stoneharry]

this is very good informations post thx! rep


i have some questiosn

Does the watermark actually produce information about personal data of acc?

Grunt account name, realm IP, time/date. You can decide if this information is personal. Using the new battlenet 2 protocol the username comes out as a number which is available from the armoury (etc). When this system was first implemented, it used your real account name.

[Sendatsu]

Grunt account name, realm IP, time/date. You can decide if this information is personal. Using the new battlenet 2 protocol the username comes out as a number which is available from the armoury (etc). When this system was first implemented, it used your real account name.

Thank you for answering that one stoneharry. Do you know of a way to retrieve the account name/number of a character from the armory at the moment?

[stoneharry]

Thank you for answering that one stoneharry. Do you know of a way to retrieve the account name/number of a character from the armory at the moment?

MoP ingame Lua API vs. Community Platform API - WowAce Forums

[Sendatsu]

MoP ingame Lua API vs. Community Platform API - WowAce Forums

That is an interesting link, thanks for sharing. It's good to know that there are many of us out there who still care about privacy.

Fun fact: apparently Blizzard "won" the BigBrother2012 award in the "Consumer Protection" category :P If only they knew back in August what we found out one month later :P

https://www.bigbrotherawards.de/2012/.cons

[Skuddle]

http://www.onlinebarcodescan.com/
(Better quality)

To all that say otherwise.

Please upload the barcode that was linked in my post. Prove me otherwise that information cannot link.

Thanks.

I will take my business other places.

Heres a link for the lazies

https://i.imgur.com/QtYP7.jpg
https://i.imgur.com/VRrz7.png

Now you all can go die in a fire and figure it out yourself, over thinking monkies.

As for you _Mike,

You are? Who?

As Sendatsu showed the PDF format can contain fragments and glyphs for larger sets of instructions.

As for a military barcode its using the Aztec style of PDF formatting. I can upload a blurred screenie all day and it means nothing to you. I can tell you what I do in the military because once again. It means nothing to you. I can use the software for whatever the hell I want because data is logged on PICM cards when I work on missile stuff. Other than that its a tough book and an internet connection. Stop with your secret squirrel bullshit seeing as you have no idea what your talking about. Everything I linked is relevant and is point you in the right direction.

What I am assuming is that Blizzard was trying to use Screenshots as a sort of support ticket/help tool at one point. The reason being is that back when we would mess with Warden modules it would hook into the debug system and screenshot system. In WoTLK it stopped using those addresses and never touched them again. Putting the two together using basic logic would suggest

-that they used it as a form of monitoring, maybe to catch the slew of retards using bots and posting screenies on the internet to monitor it.
-were using it to find/gather a list of 'account' names from a 'private' server the screenshot came from and compare?
-were using it to gather information on a targets computer during the 'submitting system data' by stuffing information into the dfil and wfil files that they never used.
-were using it as a form of debug tool to authenticate. Hence the upload a screenshot in your account management when you submit a ticket. The files become unreadable after you upload them. Viewing the attachment link creates a .dat file from the cdn server. Maybe they have software reading the valdility of the file you uploaded. Hell even ClamAV has this ability to ready watermarkings.

[Insert big brother theory here].



http://www.freepatentsonline.com/7152161.html


And go.

World of Warcraft uses this Patent



Enjoy reading the legal, it refrences a sub patent of 7152161 for snowy effect to mask it in channels.

Reading over the entire patent will show you how to dissolve it.

Now, I must go back to doing more important things. Because obviously I troll.

[Laria]

Beforehand: This information goes for wow client 3.3.5a.
I have done some more reversing work now and got some more information out of it. Just want to let you know of it. Maybe some things may already known or not, sorry if so. I was more into work instead of reading all single lines of this thread, forgive me please And sorry for bad English and explaining I am very tired of today as it's late .

Just wrote an app in c which decodes that watermark data. Btw: Yep, there is no encryption stage for the watermark, so the data is directly encoded / written from wow's memory. In other words, you can find the same information in wow's memory when taking a screenshot... However, I do not 100% know what exactly (kind of data) is stored there.

Here is an example:

Code:

00000000  41 44 4D 49 4E 10 00 00 00 00 00 98 88 48 4E 17  ADMIN......˜ˆHN.
00000010  D0 06 5E F0 68 75 00 00 00 00 00 00 00 00 00 00  **.^ðhu..........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  00 00 00 00 00 00 00 62 00 D7 4A 8C FB 21 09 82  .......b.×JŒû!.‚
00000080  8C 57 29 C2 84 0C 31 32 37 30 30 30 30 30 30 D4  ŒW)„.127000000Ô
00000090  4A BE 3E 09 58 C7 DF 78 F2 07 30 30 31 30 38 31  J**>.XÇßxò.001081
000000A0  32 39 FF 3F 0F 32 99 95 FA 09 A2 1C 91 9E D4 EF  29ÿ?.2™•ú.¢.‘žÔï
000000B0  41 44 4D 49 4E 00 00 00 00 00 00 98 88 48 4E 17  ADMIN......˜ˆHN.
000000C0  D0 06 5E F0 68 75 00 00 00 00 00 00 00 00 00 00  **.^ðhu..........
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000120  00 00 00 00 00 00 00 62 00 D7 4A 8C FB 21 09 82  .......b.×JŒû!.‚
00000130  8C 57 29 C2 84 0C 31 32 37 30 30 30 30 30 30 D4  ŒW)„.127000000Ô
00000140  4A BE 3E 09 58 C7 DF 78 F2 07 30 30 31 30 38 31  J**>.XÇßxò.001081
00000150  32 39 FF 3F 0F 32 99 95 FA 09 A2 1C 91 9E D4 EF  29ÿ?.2™•ú.¢.‘žÔï
00000160  41 44 4D 49 4E 00 00 00 00 00 00 98 88 48 4E 17  ADMIN......˜ˆHN.
00000170  D0 06 5E F0 68 75 00 00 00 00 00 00 00 00 00 00  **.^ðhu..........
00000180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001D0  00 00 00 00 00 00 00 62 00 D7 4A 8C FB 21 09 82  .......b.×JŒû!.‚
000001E0  8C 57 29 C2 84 0C 31 32 37 30 30 30 30 30 30 D4  ŒW)„.127000000Ô
000001F0  4A BE 3E 09 58 C7 DF 78 F2 07 30 30 31 30 38 31  J**>.XÇßxò.001081
00000200  32 39 FF 3F 0F 32 99 95 FA 09 A2 1E 91 9E D4 EF  29ÿ?.2™•ú.¢.‘žÔï

Yep, the same data block also repeats for 3 times. Note: There may only a difference when doing "dirty" work on the bitmap, while editing, cropping stretching or when the picture is just bad etc. So independent from that, it is bit-equal in wow's memory anyway .

Ok the first info "ADMIN" is my test server login name, "127000000" and "00108129" (Idk why they used to split this string ) is my test server address (127.0.0.1) and the port 8129.

If you look at this image https://i.imgur.com/RD0uh.jpg , the above decoded example is extracted from the white block. The other 10 ones (In blue) are just the same as the white block. I think they are repeated for redundancy and robustness. Conclusion: together with the redundancy inside a single block, you have literally 3 * 11 = 33 times the same data distributed inside one screenshot!!!

Ok here is the decoder thingy:

Code:

// wow bitpattern tool 
// Reads a 32-bit bitmap into a binary raw data file.
// written from scratch, sorry for readability

//bitmap >MUST be 32-Bit per pixel, windows bitmap!


#include <Windows.h>
#include <stdio.h>


FILE* open_bitmap(char *filename);
int getfilesize(FILE *thefile);

struct rgb
{
	BYTE r;
	BYTE g;
	BYTE b;
	BYTE a;
};

rgb *colordata;

BYTE *bitmap;

BYTE *bits = new BYTE[500000]();

int main(int argc, void* argv[])
{
	tagBITMAPFILEHEADER  bm_file_header;
	tagBITMAPINFOHEADER  bm_info_header;
	
	FILE *bitmapF = open_bitmap("V:\\Games\\World of Warcraft\\Screenshots\\example_0001.bmp"); //enter your bitmap here <<
	fread((void*)&bm_file_header,1,sizeof(tagBITMAPFILEHEADER),bitmapF);
	fread((void*)&bm_info_header,1,sizeof(tagBITMAPINFOHEADER),bitmapF);

	int bwi = bm_info_header.biWidth;   // ((bm_info_header.biWidth % 4));
	int bhi = bm_info_header.biHeight;

	int csize = abs(bwi * bhi);

	colordata = (rgb*)calloc(1,csize * 4);
	fread((void*)colordata,csize * 4,1,bitmapF);
	fclose(bitmapF);

	SetCursorPos(0,0);
	
	

	//note: bitmaps are read upside-down
	//note: bits gets scanned "mirrored" on the x axis, i.e right to left. 
	
	int thrsh = 255; //threshold value (below = 0) (higher/eqal = 1)
	int pos=0;
	for(int c=(bhi-1);c>=0;c--)
	{

		for(int i=(bwi-1);i>=0;i--)
		{
			if(colordata[i+(c*45)].r >= thrsh)
			{
				bits[pos] = 1;
				printf("#"); 
			}
			else
			{
				bits[pos] = 0;
				printf(" "); 
			}
			pos++;
		}
		printf("\n");
	}

	int byte_count = csize / 8;
	BYTE *data_array = new BYTE[byte_count]();

	BYTE data=0;

	for(int pos_byte=0;pos_byte<byte_count;pos_byte++)
	{
		for(int pos_bit=0;pos_bit<8;pos_bit++)
		{
			if(bits[(pos_byte * 8)+pos_bit]==1)
			{
				data_array[pos_byte] = data_array[pos_byte] | (1 << pos_bit);
			}
		}
	}



	FILE *data_out = fopen("V:\\raw_data.out","wb"); //<< and your raw output data file here <<
	fwrite(data_array,1,byte_count,data_out);
	fclose(data_out);
	return 0;
}

FILE* open_bitmap(char *filename)
{
	FILE *mybmp = fopen((const char*)filename,"rb");
	return mybmp;
}

int getfilesize(FILE *thefile)
{
	fseek(thefile,0,SEEK_END);
	int size = ftell(thefile);
	fseek(thefile,0,SEEK_SET);
	return size;
}

Just view the output file with a hex viewer (like HxD or so).

Also a side-note: I am using photoshop for the crop, scaling and color conversion process. I will post a tutorial / info for that tomorrow.

If you want a finished bitmap I made for the above example for testing, get it here: mediafire.com/view/?7wdtud3j7i1ve13 (use the download button in top-left corner there to get the BMP) Sorry I could not load the bmp to imgur as it converts it to jpg

Laria

[eldavo1]

Makes sense - that would be why the numbers were stored backwards (they are read backwards). I'll look into changing my program to get it from the hex It should read from any screenshot that hasn't been compressed besides original comprssion

[Optical1985]

What happened with the thread here? Any more news or progress?

[rafowner]

well that sure is inersting