Warden information

[Leeroy Jenkins]

-----)(Please leave the copyright text intact)(-----
This post is copyright by the user posting it and MMOwned.com - World of Warcraft Exploits,Hacks, Bots and Guides, where it was posted. You may not copy or reproduce this information on any other site without written permission from both the poster and MMOwned.com

recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the ' warden client' - its written like shellcode in that it's position independant. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the ' world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.

thats all i could find out bout warden

bye now

[Tokolosi]

O_o

I doubt you wrote that.
But +rep anyway. Good info.

[Razmataz]

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

May I understand why this website hasn't yet been reported or closed down if thats the case?

[Leeroy Jenkins]

If wared is spyware then why cant we sue them?

[Demonkunga]

That is old information. You didn't write all that out. But yes, it is very old information. I can't tell if that is true info or not though. I don't believe it does some of those things to be honest.

[Rohi]

its 8.5 million not 4.5 O.o

[Nugma]

its 8.5 million not 4.5 O.o

I doubt all 8.5 million accounts worldwide are online at the same time.

[DJ Zodiac]

I doubt all 8.5 million accounts worldwide are online at the same time.

I agree with ya nugma

[devilish_hunter]

May I understand why this website hasn't yet been reported or closed down if thats the case?

Because you are 100% correct in your skepticism. Warden does not do all of what he claims.

It DOES however do ALOT of it.

If you ever wish to see exactly what Warden DOES do for yourself, and stop trusting the paranoid crazies, run The Governor yourself. As always, use at your own risk on a trial account, blah blah blah you know the drill.

The official website is here:
http://www.rootkit.com/newsread_print.php?newsid=371

[rmores]

I've posted this in the glider forums but looks like they're never serious about this.

I know little about law, even less about american law, but here goes.

I'll quote an example that could fit in the matter:
In my country, night clubs have been charging an entrance fee, converted into consumables, to justify it's use. They want to guarantee that you will spend at least XX money in their club, so you have to pay that much to enter, and will have the right to consume that for *free* . I see two problems in this: they can charge any price they want, which they do, to make you need to consume more than just that. Monopoly. And here's the point in all this which is:
They are obstructing my freedom to go and return(Again, I really don't know how this is called, or if this exists in american law. ). This means i have the right to be in there, as it is a public place, and accept or deny their services based on my concerns only. Now how does that apply to WOW?

I chose to play the game, so I went to http://www.website.com and bought it. When I installed it, there was no warden. I bought this in 2004, no warden at all. I read the EULA and other disclaimers in the game and agreed to all that. They changed it many times since. Upon each change i just hit the 'I accept' button, not really aware of the changes, which i should have(!!), but no software has the right to hide piece of it's code into invisible scans on my computer, disrespecting my privacy and of others that might use my computer without any specific warning that would indicate to me that scan is going to be performed. Hence it is invasion of my privacy. I agreed to this, but i have the right to no longer agree, without being subject to penalties or faults that may or may not be described in any contract, hence the nature of the agreement in question. By declining this absurd agreement from Blizzard, I am now restricted from the game's enviroment. How is that legal? Are they going to refund me the initial game purchase AND the time left on my subscriptions? Are they going to review their malicious code, regardless of it's purpose and intent?

I know all the efforts they have put in making the game enviroment as fair as possible to everyone, but that's justifying the end with the middle(Machiavel). Bottom line is, you can't break freedom rights to guarantee them for everyone.

[sneakysam]

May I understand why this website hasn't yet been reported or closed down if thats the case?

Blizz has there hands full as of now. They are suing wowglider, ( if blizz wins they will have the right to mmoglider) + this site is just a forumn we have the right to talk about stuff, (at least thats what i think)

[shik]

If wared is spyware then why cant we sue them?

because, when you hit "I Accept" you're saying they're allowed to.

[Ub3r St4r]

what file did you disassemble?
... are you the real leeroy?

[Cypher]

This is written by Greg Hoglund of Rootkit.com if I remember correctly (and I'm not going to check because I have a pretty good memory). Please give credit where credit's due.

Also, this information is extremely outdated, and posting such old information here as new does more harm than good.

[Leeroy Jenkins]

Sorry had no idea it was old