Looking inside your screenshots

[ukilliheal]

Hello ukilliheal

Thanks for offering! We are currently trying to find a way to identify the embedded watermark inside normal screenshots. We are experimenting with luminance and other factors to differentiate between actual pixels and altered ones. Take a look at the currently available source codes, screenshots, papers and patents mentioned in this thread and perhaps you will be able to figure out a way to extract this without any loss.

We also have a few open questions like whether this watermark has been inserted using a steganography algorithm like F5 (see above) or perhaps some other multiple-pass method.

Whatever you can come up with will help

I will see what i can do!

[Myuu]

Well I never thought I would read a story about this website in a Norwegian newspaper:
«World of Warcraft»-bildene dine inneholder hemmelig informasjon - PressFire.no

This is extremely interesting and somewhat scary.

[Skuddle]

Curious,

Where are you getting that it has information in regards that is has server information and other sorts like that. I get that your getting a fractal time stamp as well as a random number generation, but I have yet to see any sort of code decipher.

Let me key you in on a few things.

You guys are reading the barcodes wrong. TOP DOWN is not the way they are handled. They are compressed fragments of AZTEC style coding.

Bits Field Polynomial Used for
4 GF(16) x4+x+1 Mode message
6 GF(64) x6+x+1 1–2 layers
8 GF(256) x8+x5+x3+x2+1 3–8 layers
10 GF(1024) x10+x3+1 9–22 layers
12 GF(4096) x12+x6+x5+x3+1 23–32 layers

Turn them side ways, push them together. Interested in what the codes read. Nothing but gibberish system data and property flags.

SET readTOS "1"
SET readEULA "1"
SET readScanning "-1"
SET readContest "-1"
SET locale "enUS"
SET showToolsUI "1"
SET accounttype "MP"
SET readTerminationWithoutNotice "-1"
SET installType "Retail"
SET enterWorld "1"
SET hwDetect "0"
SET videoOptionsVersion "5"
SET graphicsQuality "5"
SET mouseSpeed "1"
SET Gamma "0.900000"
SET ChatMusicVolume "0.29999998211861"
SET ChatSoundVolume "0.39999997615814"
SET ChatAmbienceVolume "0.29999998211861"
SET VoiceActivationSensitivity "0.39999997615814"
SET Sound_MusicVolume "1"
SET Sound_AmbienceVolume "1"
SET farclip "1000"
SET groundEffectDensity "64"
SET groundEffectDist "160"
SET projectedTextures "1"
SET weatherDensity "3"
SET gameTip "124"
SET DesktopGamma "1"
SET uiScale "0.64"
SET Sound_NumChannels "64"
SET Sound_MasterVolume "0.20000000298023"
SET Sound_ZoneMusicNoDelay "1"
SET preferredFullscreenMode "1"
SET Sound_OutputDriverName "System Default"
SET watchFrameWidth "1"
SET shadowTextureSize "2048"
SET Sound_EnableHardware "1"
SET maxFPSBk "100"
SET rippleDetail "1"
SET reflectionMode "0"
SET Sound_OutputQuality "2"
SET Sound_EnableSoftwareHRTF "1"
SET Sound_EnableReverb "1"
SET Sound_SFXVolume "1"
SET Sound_EnableErrorSpeech "0"
SET accountName "xxxx"
SET accountList "xxxxx"
SET g_accountUsesToken "1"
SET gxWindow "1"
SET installLocale "enUS"
SET gxApi "GLL"
SET gxMaximize "0"
SET showNewbieTips "0"
SET minimapTrackedInfo "MINIMAP_TRACKING_REPAIR"
SET questLogCollapseFilter "-1"
SET terrainLodDist "500"
SET componentTextureLevel "0"
SET screenshotQuality "10"
SET textureFilteringMode "0"
SET expandUpgradePanel "0"
SET wmoLodDist "500"
SET worldBaseMip "1"
SET useUiScale "1"
SET lastCharacterIndex "1"

It is the same pattern generator used for the debug. It is also fragmented in HQ, just appended inside the file as EXIF data.

[Thundathigh]

Where are you getting that it has information in regards that is has server information and other sorts like that. I get that your getting a fractal time stamp as well as a random number generation, but I have yet to see any sort of code decipher.

.
Did you look at page 2? =P

Code:

__text:00B3C980                   ; =============== S U B R O U T I N E =======================================
__text:00B3C980
__text:00B3C980                   ; Attributes: bp-based frame
__text:00B3C980
__text:00B3C980                   ; ScrnScreenshot(void (*)(int), unsigned char *, unsigned int, char  const*, char  const*, char  const*)
__text:00B3C980                   __Z14ScrnScreenshotPFviEPhjPKcS3_S3_ proc near
__text:00B3C980                                                           ; CODE XREF: Script_Screenshot(lua_State *)+37
__text:00B3C980                                                           ; sub_76C3C0+36
__text:00B3C980
__text:00B3C980                   arg_0           = dword ptr  8
__text:00B3C980                   arg_4           = dword ptr  0Ch
__text:00B3C980                   arg_8           = dword ptr  10h
__text:00B3C980                   arg_C           = dword ptr  14h
__text:00B3C980                   arg_10          = dword ptr  18h
__text:00B3C980                   arg_14          = dword ptr  1Ch
__text:00B3C980
__text:00B3C980 55                                push    ebp
__text:00B3C981 89 E5                             mov     ebp, esp
__text:00B3C983 8B 45 08                          mov     eax, [ebp+arg_0]
__text:00B3C986 A3 C4 7F 98 01                    mov     ds:__ZL15s_captureScreen, eax ; s_captureScreen
__text:00B3C98B 8B 45 0C                          mov     eax, [ebp+arg_4]
__text:00B3C98E A3 C8 7F 98 01                    mov     ds:__ZL16s_pWatermarkData, eax ; s_pWatermarkData
__text:00B3C993 8B 45 10                          mov     eax, [ebp+arg_8]
__text:00B3C996 A3 CC 7F 98 01                    mov     ds:__ZL21s_uWatermarkDataBytes, eax ; s_uWatermarkDataBytes
__text:00B3C99B 8B 45 14                          mov     eax, [ebp+arg_C]
__text:00B3C99E A3 D0 7F 98 01                    mov     ds:__ZL18s_screenshotFolder, eax ; s_screenshotFolder
__text:00B3C9A3 8B 45 18                          mov     eax, [ebp+arg_10]
__text:00B3C9A6 A3 D4 7F 98 01                    mov     ds:__ZL24s_screenshotNameOverride, eax ; s_screenshotNameOverride
__text:00B3C9AB 8B 45 1C                          mov     eax, [ebp+arg_14]
__text:00B3C9AE A3 D8 7F 98 01                    mov     ds:__ZL19s_depthNameOverride, eax ; s_depthNameOverride
__text:00B3C9B3 C9                                leave
__text:00B3C9B4 C3                                retn
__text:00B3C9B4                   __Z14ScrnScreenshotPFviEPhjPKcS3_S3_ endp
__text:00B3C9B4
__text:00B3C9B4                   ; ---------------------------------------------------------------------------

source: osX build 15662

The watermark contains your account name, a timestamp and some other data that I haven't bothered looking at.

[Sendatsu]

Curious,

Where are you getting that it has information in regards that is has server information and other sorts like that.

Please refer to the three disassemblies contained in this thread, also summed up in: http://www.ownedcore.com/forums/worl...ml#post2493603 (Looking inside your screenshots)

I get that your getting a fractal time stamp as well as a random number generation, but I have yet to see any sort of code decipher.

The account name may be a randomly generated number now, but it was once an alphabetic username which we used as our username to login. It may not be as important as it used to be but the fact still remains that it has been embedded, unencrypted, into all of our screenshots and that it can be extracted (although we are still working on a way for full color images).

Let me key you in on a few things.

You guys are reading the barcodes wrong. TOP DOWN is not the way they are handled. They are compressed fragments of AZTEC style coding.

Turn them side ways, push them together. Interested in what the codes read. Nothing but gibberish system data and property flags.

It is the same pattern generator used for the debug.

I read the watermark per column, left to right, top to bottom, split the input into bytes, reversed each one (http://www.ownedcore.com/forums/worl...ml#post2492716) and I successfully found the account name (http://www.ownedcore.com/forums/worl...ml#post2493377).

I don't believe we have tried AZTEC style encoding yet. Did you write a source code which does all these transformations and finally produces the output you pasted? If so, please post it so that we can check the validity of this hypothesis. (Tutorial here, if someone has the time: http://wiki.verkata.com/en/wiki/Aztec_code)

It is also fragmented in HQ, just appended inside the file as EXIF data.

Even though I checked for IPTC info, I didn't think of checking for data hidden as EXIF. I will have a look, thanks.

[Skuddle]

Sadly the analysis tools I am using is from my job. Missile programmer.

Here is an example barcode.




I apologize about the blur, i chose to take a close up in order to protect a decrypt of my barcode.
We use them in the military, its an expanded view of the aztec style. Its just unfolded. Notice the 3 bars at the bottom. its the check pyramid that is in the middle folded outwards.

I do not deny there is stuff there, but the assumption here is probably that it was going to be used for some sort of trouble shooting or help.




I would like to also piggy back a little on my expertise. I stated I was a missile programmer. I understand barcodes and missiles do not go hand in hand, however I work alot with RFID's and NFC/d's and we play with Mini[qr] all day long because of the RFID pogs we use.

The military uses an unfolded Aztec I believe its known as PDF417 encoding, in which its an unfolded line by line read side ways. (I know that PDF417 is used by others. But it reads like PDF417 however is layed out in check digits of Aztec that is unfolded on the far right)

Each row has a series of check digits for the inner data.


*************
Further fun.

I decided to try and use our test set to decode it. It doesn't like fragmented trash. Using a cleaner from a screenshot I got the same thing that was presented on page 16.

I have access to a little bit more expensive fun software than most people. I ran it through the database and it came up with something...interesting.



The software blends multiple iterations and variations until it finds a product match for the encoded barcode. Notice there are no check pyramids. The software works by generating multiple chunk cube and offsets

x4. x8 and x2x4x6 as mentioned on my table above. It will place 2-3 check pyramids (alignment tools for the non techies) and on focus pyramid in the middle to attempt to find a common barcode in a database. We use it when were attempting to identify munitions from forieng counties by counter balancing the munition items and manufacturer based on ISO data on the barcodes. Doing a search for this resulted in non other than:

http://us.battle.net/?help=URI(user)...cter)(account2)

Matched



and they line up.

[Sendatsu]

[...]

Ok, I'm trying to wrap my head around this, I'm no barcode expert but I'll do my best, so correct me if I'm wrong.

You're saying that the pattern repeats so many times because it has to fold onto itself in order to form an AZTEC barcode which would then be translated into:

Code:

http://us.battle.net/?help=URI(user)(name)(account)(realm)(character)(account2)

?

matching a battle.net registered product barcode? Does the watermark actually produce all this information (account id, username, character name, account2) or are those just placeholders?


PS: I used bcTester - FREEWARE : Barcodes aus Bilddateien lesen und testen and checked the code you provided (imgur: the simple image sharer) so I know it says what you claimed, I just can't reproduce your transformation at the moment.


EDIT:

Ok, if this stuff is real, this post just got WAY too much interesting...


"This determination can be memorialized by a PDF417 2D barcode added to the alpha channel." (US8194986, p44) http://www.google.com/patents/US8194986

"PDF417 is a stacked linear barcode symbol format used in a variety of applications, primarily transport, identification cards, and inventory management. PDF stands for Portable Data File. The 417 signifies that each pattern in the code consists of 4 bars and spaces, and that each pattern is 17 units long."

Also from the same patent:

"PDF417 is exemplary only. Other barcodes-such as 1D, Aztec, Datamatrix, High Capacity Color Barcode, Maxicode, QR Code, Semacode, and ShotCode-or other machine-readable data symbologies-such as OCR fonts and data glyphs[--can naturally be used. Glyphs can be used both to convey arbitrary data, and also to form halftone image depictions."

[eldavo1]

Interesting development, however I am wondering why the way we read it (top down) still resulted in a plain text of our account name...

[Sendatsu]

Interesting development, however I am wondering why the way we read it (top down) still resulted in a plain text of our account name...

Maybe it's part of some check digits? I can't be sure at the moment.


TODO List:

1) Capture a high quality screenshot (JPG/10 or perhaps TGA) and look for fake EXIF data which are actually pattern pieces (hex editing/reading skills required).

2) Check the lower quality screenshots (JPG/9 - JPG/1) for the pattern information hidden in the alpha channel (image editing/reading skills required).

3) Try to understand what Skuddle said somehow and figure out if the watermark is PDF417 or Aztec based (algorithm/cryptography skills required).

4) If any of the above is true, prepare for this thread post/page being deleted by some government agency :P


Also, can someone with a disassembler check if when JPG is set to quality 10 it executes a different version of the screenshot function? Perhaps when there is no compression, the pattern can easily hide itself among the actual data, instead of bothering with alpha channels. It would also prove 1). Use _Mike's post to start: http://www.ownedcore.com/forums/worl...ml#post2491687 (Looking inside your screenshots)

[Thundathigh]

2) Check the lower quality screenshots (JPG/9 - JPG/1) for the pattern information hidden in the alpha channel (image editing/reading skills required).

I already checked the alpha channels (of pure white, pure black, and a normal SS), and there is nothing in the alpha channels (though it would be so much easier if there was). Every single alpha value is set to 255, but perhaps they are different in SS quality 10 and above.

BTW really interesting stuff Skuddle, you seem like a much better expert on this stuff than any of us =P

[_Mike]

Crap that Skuddle said

GFTO out of the thread and stop trolling please.

Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just ignore him.

[W00T3RS]

idk wtf i'm reading... code this, pdf that, aztecs and incas or some crap. but this is better than most books i've read. wish i could help!

[eldavo1]

GFTO out of the thread and stop trolling please.

Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just report him for trolling and move on.

Thinking about it, you are correct. No way you can fit all that information (the URL) into 88 bytes and somehow get the account name decoded when doing a simple binary conversion

[Thundathigh]

GFTO out of the thread and stop trolling please.

Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just ignore him.

Haha he's elite and got there by leeching rep? I've got to change my strategy!
Thanks for clearing it up though _Mike

[Smitten]

GFTO out of the thread and stop trolling please.

Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just ignore him.

My thoughts exactly. Someone in the military, working on munitions would not:

a) post any of their own barcodes of any sort, blurred or not.

b) risk using any military equipment on game screenshots. I'm sure the shit they do is logged.

c) even be allowed to talk about their job and what they do and how it's done.