Guild Wars 2 used client-side spyware to aid its latest purge of potential cheaters

I'm here to talk with you about patch cadence.
ArenaNet has just gone on a purge of potential cheaters in Guild Wars 2.

“Yesterday we suspended 1,583 accounts for a period of 6 months,” Gaile Gray wrote on the forums. “1516 accounts were suspended because we detected that the accounts were running Guild Wars 2 at the same time as one or more of the following programs over a significant number of hours during a multi-week period earlier this year. We targeted programs that allow players to cheat and gain unfair gameplay advantages, even if those programs have other, more benign uses.” Those programs included CheatEngine, Nabster, GW2MHRexe, UNF, and MMOMINION.

The upset in the community, of course, is that the banned players didn’t necessarily use the programs in conjunction with the game. So not only does ArenaNet acknowledge that the programs it banned for have innocent uses, but it also admits that it doesn’t actually know whether the banned players used them in GW2.

Of course, to know even that much, ArenaNet apparently stealth-installed de facto spyware as part of its early March update. A Redditor named fwosar, who happens to be skilled at software reverse engineering, dug into the files to figure out how ArenaNet did it.

“The majority of the spy component can be found at address 0x6FBC10. This function implements two major spy mechanisms: It will first enumerate all loaded DLLs within the Guild Wars 2 process using the EnumProcessModules Windows API. It will then obtain the file name associated with the module using the GetModuleFileNameEx function. For each file name resolved this way, it will then go ahead, open the file, read its content and then hash the file’s content using the MD5 cryptographic hash algorithm (function 0x6F4E90). […] After they created MD5 hashes of all the DLL files loaded within the Guild Wars 2 process, they […] obtain a list of all currently running processes using the EnumProcesses Windows API. They will then deobfuscate two strings that they use together with LoadLibrary and GetProcAddress to obtain the address of the QueryFullProcessImageName function from the Windows kernel32.dll library. […] They will then go through all processes and get their file names. Those file names are then fed into the very same hash function as before at 0x6F4E90, which will open the respective files, read all their content, create an MD5 hash of it and return said hash, which is then, again, stored in a list for later use. […]

“This is exactly why competent anti-cheat developers would never go down this route. There are plenty of more effective, more precise and way less intrusive methods to detect cheating in your game. You don’t have to massively degrade game performance for everyone (reading a shit tonne of files on your system and hashing them isn’t the most lightweight thing to do, and if you had stutters or high disk activity during that time, you now know why) and create a metric tonne of problematic and privacy-invasive data to catch botters in your games, Arena. I would have expected way better from you.”

“Arena decided it was okay to just snoop around in the processes I was running and decided it found something it didn’t like,” he concludes. “I am not a lawyer, but this kind of spying behaviour surely seems like it would be illegal here in Europe and I am not even sure if it is documented in their EULA/privacy policy.”

The detection code was reportedly removed from the client on March 27th.
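To make the distinction the community is complaining about concrete, here is an added Python example (not ArenaNet's code, nor from fwosar's post) that replays the reported rule over constructed telemetry: the blocklist hash, the hour threshold, the file paths and the "loaded inside the game process" criterion are all assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a flagged tool's executable bytes; the blocklist key is
# the MD5 of file content, mirroring what the client computed. Placeholder value,
# not the real hash of any program the article names.
TOOL_BYTES = b"constructed stand-in for a cheat tool's executable bytes"
BLOCKLIST = {hashlib.md5(TOOL_BYTES).hexdigest(): "cheat tool (placeholder)"}
THRESHOLD_HOURS = 5.0  # assumed; the article only says "a significant number of hours"

@dataclass
class Snapshot:
    """One telemetry sample, assumed to hold for `hours` (constructed)."""
    hours: float
    game_modules: dict[str, bytes]  # DLLs in the game process (EnumProcessModules path)
    processes: dict[str, bytes]     # image path -> bytes of every process (EnumProcesses path)

def content_hashes(files: dict[str, bytes]) -> set[str]:
    """MD5 of each file's content, as the client did; file names play no part."""
    return {hashlib.md5(data).hexdigest() for data in files.values()}

def flagged_hours(samples: list[Snapshot], require_injection: bool) -> float:
    """Sum the hours in which a blocklisted hash was present.
    require_injection=False: hit if the tool merely ran alongside the game
    (the criterion the article reports). True: hit only if its code was loaded
    inside the game process, a narrower signal the same telemetry already holds."""
    total = 0.0
    for s in samples:
        seen = content_hashes(s.game_modules)
        if not require_injection:
            seen |= content_hashes(s.processes)
        if seen & set(BLOCKLIST):
            total += s.hours
    return total

def would_suspend(samples: list[Snapshot], require_injection: bool = False) -> bool:
    return flagged_hours(samples, require_injection) >= THRESHOLD_HOURS

GAME = {"C:/GW2/Gw2-64.exe": b"game binary (constructed)"}
CLEAN_DLLS = {"C:/Windows/System32/kernel32.dll": b"kernel32 (constructed)"}
# Player 1: the tool's code is loaded inside the game process (an actual injection).
INJECTED = [Snapshot(2.0, {**CLEAN_DLLS, "tool.dll": TOOL_BYTES},
                     {**GAME, "C:/Tools/tool.exe": TOOL_BYTES}) for _ in range(4)]
# Player 2: the same tool runs as a separate process and never touches the game.
COEXISTING = [Snapshot(2.0, CLEAN_DLLS, {**GAME, "C:/Tools/tool.exe": TOOL_BYTES})
              for _ in range(4)]

if __name__ == "__main__":
    for name, s in (("injected", INJECTED), ("coexisting", COEXISTING)):
        print(name, "co-running rule:", would_suspend(s), "injection rule:", would_suspend(s, True))
```

Both players accumulate the same eight flagged hours under the co-running rule, so the hash snapshot alone cannot say whether the tool was ever used against the game; only the module list inside the game process separates the two cases.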

Source: Official site, Reddit. With thanks to Mike, Kieran, Marian, Ammalis, and everyone else who sent this in!