Looking inside your screenshots

[reQuorter]

This is totally insane. We should hire/donate some great programmers or someone to reverse engineering this thingy.

[Sendatsu]

Considering Bruce Davis stop working at activision in 1991... THIS MUST MEAN HE HAS A TIME MACHINE! TO PREDICT WOW and thus slip in sleeper agents into blizzard.

Nice try to mislead but... No Dice.

You are the one trying to mislead I'm afraid...

The "convenient" comment meant that there is a direct connection between Activision Blizzard and Digimarc, a company which specializes in watermarking. They could have used a different company, but Digimarc's patents seem quite appropriate for what Blizzard is trying to accomplish.

[Sendatsu]

Until we hear from an Assembly programmer, I am trying to reverse engineer this pattern visually.

Reference: http://i.imgur.com/I4hnr.jpg

Red: static, Blue: dynamic

It has become obvious to me that the dynamic parts indeed contain a timestamp of hours and minutes (HH:MM), but not seconds.

If you capture two screenshots within the same minute you will see that they have exactly the same patterns.

If you capture them after the minute changes, the entire dynamic part is different, which means that the blue part I've marked in the image contains HH:MM.

Please note, this is based on the server clock! Not your local clock/time.

Now... let's work on the red part

[l0l1dk]

Oh and btw heres a screenshot with the watermarking removal tool

http://s15.postimage.org/akeszx94r/W...912_230610.jpg

Still there... Damn they must have MULTIPLE secret watermarks.

Also maybe you guys should actually test what you use to back up your wild claims.

You either didn't use it or you used it incorrectly. Here's part of a screenshot of before using it (see it?) and after using it (and its gone). It works.

[Sendatsu]

You either didn't use it or you used it incorrectly. Here's part of a screenshot of before using it (see it?) and after using it (and its gone). It works.

l0l1dk that's a really interesting screenshot: http://i.imgur.com/v3vv0.jpg

I thought that this pattern was the old pattern used before Patch 4.2, but apparently you still have it.

What's your screen resolution?

[l0l1dk]

l0l1dk that's a really interesting screenshot: http://i.imgur.com/v3vv0.jpg

I thought that this pattern was the old pattern used before Patch 4.2, but apparently you still have it.

What's your screen resolution?

It's 1920 by 1080. I took that screenshot right before posting. That's a small piece of the full screenshot though. I also increased the contrast on it with Photoshop.

[Sendatsu]

Agh then I made a mistake. There is only one pattern, nothing changed last year. I'll correct my posts. Thank you.

[Sendatsu]

After going over all the info a few times I have come up with a couple basic conclusions the first being that there are a few people in this thread running around like chickens with there heads cut off yelling the sky is falling secondly that no one actually knows the purpose of these water marks other than there might be water marks thirdly that there is no way blizzard is using water marks to track people who glitch as a fail safe because there too ****ing easy to get around and the solution just does not make sense. I mean they could ALT print screen or use fraps or use all manner of work around. and if changing your screen shot resolution changes if the alleged water marks shows up than that is not the actual water mark.

simple solution don't go look for zebras when you hear hoof beats. if you paranoid about blizzard hunting you down and setting you on fire then watching you burn you should probably not take screenshots of yourself pissing in blizzards coffee so to speak or just go with a ui hidden video. For the rest of us I would not recommend downloading any "Magic fixes" from anyone on these forums I mean this is a website where no offense but total offense you can buy stolen wow accounts , People look for the shortest route to easy street and so on. So I will leave you with this when in company with snakes make boots, and if you don't know how try not to get bitten.

Thank you for sharing your thoughts.

I do not know if Blizzard is using any other methods of watermarking; I just know what I see. What I see is a white image with a hidden repeating (watermark) pattern which changes based on the minute the realm's clock is set at. A repeating pattern which stays the same if you printscreen within the same minute, even if you move your camera and take different shots. A repeating pattern which is aimlessly repeating itself, not to save us disk space by compressing the image, but in order to be able to prevail among our graphics and have at least one full piece of it survive even if we modify the image.

If you want the why's and the when's, ask Blizzard why they did it and when they started doing it; I'm not their lawyer nor their business/technical consultant.

If you want the how's, take a look at the Assembly code post in the previous pages (http://www.ownedcore.com/forums/worl...#post2489452):

ScrnScreenshot(s_captureScreen, s_pWatermarkData, s_uWatermarkDataBytes, s_screenshotFolder, s_screenshotNameOverride, s_depthNameOverride)

This function saves your screenshot. This function also puts a watermark on top of your screenshot.

This thread post has nothing to do with aliens, government conspiracies or murlocs. It's about the fact that Blizzard has been using watermarking technologies to tag the screenshots we create, using their in-game mechanism, with our information -- because they can.

[Sendatsu]

yes but you cannot prove the artifacts that you see are indeed the water mark as of this point

Please stop calling them artifacts, as if these very specific repeating patterns "happened" to occur "randomly". It is a watermark; it is the very definition of a watermark.

I am trying to reverse engineer it from the outside using trial and error at the moment. The dynamic part seems to be affected by the hour:minute combination so it looks like a date/timestamp or something that is affected by the current minute. I do not yet know for sure exactly what is contained in the static part. Feel free to experiment and help out.

[_Mike]

I am trying to reverse engineer it from the outside using trial and error at the moment. The dynamic part seems to be affected by the hour:minute combination so it looks like a date/timestamp or something that is affected by the current minute. I do not yet know for sure exactly what is contained in the static part. Feel free to experiment and help out.

Use cheat engine (or any other memory viewer) and look at "wow.exe+DC9240" (windows 32 bit client). The data is 88 bytes long and the first 64 are reserved for account name. (wow account, not battle.net account). Then there's a 4 byte timestamp (server time, 1 minute precision) and 20 bytes of something else.

[_Mike]

I made a quick cheat engine script to get "clean" screenshots of the watermarks. It clears the framebuffer just before the watermark is added so only the watermark itself is saved. It also forces watermarks to be added to lossless tga images. I didn't bother checking if the addresses are watched by warden (unlikely, but not impossible) so use at your own risk or use a trial account.

How to use:
In cheat engine click "Memory View"
From the Tools menu select Auto Assemble
Paste the script
Press execute
take a screenshot in wow

Remember to set the screenshot format to TGA. Paste
/console screenshotFormat tga
in the chat.

Code:

alloc(newmem,2048)
alloc(memset, 100)
label(returnhere)
label(originalcode)
label(exit)

memset:
push edi
push ecx
push eax
pushfd
cld
mov edi, eax // pixel buffer
imul ecx, edx // ecx = height, edx = width
mov eax, FF0000FF // light blue color, full alpha
rep stosd
popfd
pop eax
pop ecx
pop edi
ret

newmem:
call memset

originalcode:
call wow.exe+7B6780

exit:
jmp returnhere

wow.exe+18DCD2:
jmp newmem
returnhere:

wow.exe+18DCAC: // TGA patch
nop
nop

wow.exe+18DCB5: // jpeg quality patch
nop
nop

Example image https://dl.dropbox.com/u/12654979/Wo...012_114416.tga
The fact that all 11 rectangles are pixel-perfect identical, and the tga format itself, should prove that it's not compression artifacts.

The data encoding seems to be in column-major order with 4x5 pixel "bits". A dark bit is 0 and light is 1. There also seems to be some kind of CRC/ECC.

[eldavo1]

Yep, get the artifacts when I take a screenshot as well.

[allesist]

Thank you _Mike for your research!

I made a small program which is able to differ between the dark and the light pixels. All pixels with a blue-level higher of 240 (RGB) will be threaten as 0. The remaining pixels will be threten as 1. This seems to be the most accurate value to differ them. Here is your picture converted: http://img89.imageshack.us/img89/883/outputk.png (use photoshop or gimp in zoom view - not irfanview).

Now i will try to translate the binary result into printable text. Lets see if it works.

[Ziggeh]

I have little doubt that it's an actual watermark. However, if the only name it reveals is the account name (which can be linked to you only by Blizzard, and I really doubt they'd put character names or account email into the watermark), I wouldn't be too fussed about it. It is very unlikely that Blizzard has a squad of cyberspies who stalk forums like this one.










Or do they?
*CUE DRAMATIC MUSIC*

[_Mike]

Thank you _Mike for your research!

I made a small program which is able to differ between the dark and the light pixels. All pixels with a blue-level higher of 240 (RGB) will be threaten as 0. The remaining pixels will be threten as 1. This seems to be the most accurate value to differ them. Here is your picture converted: http://img89.imageshack.us/img89/883/outputk.png (use photoshop or gimp in zoom view - not irfanview).

Now i will try to translate the binary result into printable text. Lets see if it works.

Nice filtering. A bit easier to see than the blue on blue It's not per-pixel though. Each bit is 4x5 pixels, and column-major ordering starting at top left. That image starts with 1000...

I have little doubt that it's an actual watermark. However, if the only name it reveals is the account name (which can be linked to you only by Blizzard, and I really doubt they'd put character names or account email into the watermark), I wouldn't be too fussed about it. It is very unlikely that Blizzard has a squad of cyberspies who stalk forums like this one.




Or do they?
*CUE DRAMATIC MUSIC*

Yes the account name is the only personal data in there. And yes it seems strange that they'd try to track players this way. It might possibly be used to track internal leaks of screenshots of unreleased content. But even that is a bit far fetched.

Btw, bonus +rep to whomever first posts my account name I've verified that it's in there.