Guild Wars 2 used client-side spyware to aid its latest purge of potential cheaters

ArenaNet’s just gone on a purge of potential cheaters in Guild Wars 2.

“Yesterday we suspended 1,583 accounts for a period of 6 months,” Gaile Gray wrote on the forums. “1516 accounts were suspended because we detected that the accounts were running Guild Wars 2 at the same time as one or more of the following programs over a significant number of hours during a multi-week period earlier this year. We targeted programs that allow players to cheat and gain unfair gameplay advantages, even if those programs have other, more benign uses.” Those programs included CheatEngine, Nabster, GW2MHRexe, UNF, and MMOMINION.

The upset in the community, of course, is that the banned players didn’t necessarily use the programs in conjunction with the game. So not only does ArenaNet acknowledge that the programs it banned for have innocent uses, but it also admits that it doesn’t actually know whether the banned players used them in GW2.

Of course, to know even what it does know, ArenaNet apparently stealth-installed de facto spyware as part of its early March update. A Redditor named fwosar, who happens to be skilled at software reverse engineering, dug into the files to figure out how ArenaNet did it.

“The majority of the spy component can be found at address 0x6FBC10. This function implements two major spy mechanisms: It will first enumerate all loaded DLLs within the Guild Wars 2 process using the EnumProcessModules Windows API. It will then obtain the file name associated with the module using the GetModuleFileNameEx function. For each file name resolved this way, it will then go ahead, open the file, read its content and then hash the file’s content using the MD5 cryptographic hash algorithm (function 0x6F4E90). […] After they created MD5 hashes of all the DLL files loaded within the Guild Wars 2 process, they […] obtain a list of all currently running processes using the EnumProcesses Windows API. They will then deobfuscate two strings that they use together with LoadLibrary and GetProcAddress to obtain the address of the QueryFullProcessImageName function from the Windows kernel32.dll library. […] They will then go through all processes and get their file names. Those file names are then fed into the very same hash function as before at 0x6F4E90, which will open the respective files, read all their content, create an MD5 hash of it and return said hash, which is then, again, stored in a list for later use. […]

“This is exactly why competent anti-cheat developers would never go down this route. There are plenty of more effective, more precise and way less intrusive methods to detect cheating in your game. You don’t have to massively degrade game performance for everyone (reading a shit tonne of files on your system and hashing them isn’t the most lightweight thing to do and if you had stutters or high disk activity during that time, you now know why) and create a metric tonne of problematic and privacy invasive data to catch botters in your games, Arena. I would have expected way better from you.”

“Arena decided it was okay to just snoop around in the processes I was running and decided it found something it didn’t like,” he concludes. “I am not a lawyer, but this kind of spying behaviour surely seems like it would be illegal here in Europe and I am not even sure if it is documented in their EULA/privacy policy.”

The detection code was reportedly removed from the client on March 27th.

Source: Official site, Reddit. With thanks to Mike, Kieran, Marian, Ammalis, and everyone else who sent this in!
Reader
Cynthia Pancake

If I am understanding this correctly, Arenanet suspended my account for “modifying or tinkering the game” but there is no proof of this; I had an old outdated tool that’s used for flash games and wasn’t even hooked onto guild wars 2. With a heavy hand, Anet blanket banned 1500 accounts with several innocent players in the mix, having no idea whether or not these players used anything on their game. By means of their incompetence, Anet has added a controversial spying method to detect cheat engine, but no measures of detecting what it’s being used on, or anti-cheat measures (such as closing client because cheat engine is open). The implementation of these bans came with “necessity” for Anet, but whatever rampant hacked clients anet believes are causing damage to the fairness of the game could be cross analyzed with the accounts’ changes in items, currencies, and other statuses. Drastic changes in my account have not occurred. Nor has the polarized style of my game mode choice: PvP, and I doubt this perceived hacking crisis extends to this game mode . If figureheads at this company want their words of care to be taken seriously, they should have added a cohesive, multi-step, personal investigation which knows the outcomes of cheating, has detection of cheating, and exists beyond a simple Boolean argument.

Reader
Bruno Brito

I’m tired of all this, so i’ll just leave this here for those who insist in NOT READING.

Oranisagu, 30 points, 1 day ago (edited):
not the source, you basically never have the source of any program you use on your computer. the source gets compiled into a binary which is distributed and can be run (source is just text, can’t be run in itself except for some fringe cases or script languages).

when you install a program you usually get a binary. a hash function (like the used MD5) creates a short sequence over any content (in this case the programs binary) that is reasonably unique (with MD5 it’s fairly clear, but not completely. doesn’t matter in most cases though).

you could compare a hash function to simple stuff like a digit sum. 2048 = 2+0+4+8 = 14 = 1+4 = 5. out of 4 characters you get one and if one digit was off, you’d get a different number, but as soon as 2 digits are off, you might get the same result again. MD5 works similarly but a lot more complicated and reliable. nowadays devs usually use SHA-1 or something similar for this effect because MD5 is in theory a bit unreliable but it’s still ok for simple things like this.

the MD5 sum of those programs can be easily backtraced to the name of the program you use. so anything you run, ANet knows about, no matter its relevance to GW2.

Salting a hash is a method of altering these very identifiable hashes to a point someone had to go through a lot of trouble to identify them. ANet didn’t do that, they used unsalted hashes. technically MD5 doesn’t offer salts, but just adding “ANet hohoho” to the data of a binary before they hash it would have a sufficiently similar effect.

what ANet did, was check what all the programs running alongside GW2 are, locate their binary and create an MD5 sum over their content. then they just sent the whole bunch back to their servers using a very unreliable encryption (RC4).

so what are people angry about (even those not banned like me):

MD5 can be salted by simply altering the input stream, they chose not to – in terms of privacy, that’s what you expect of a junior dev with little expertise

they chose an unsecure encryption algorithm instead of using the 2048 bit RSA public key they already have available (due to signing) and making the data a lot more secure

they transmitted completely unnecessary private data that doesn’t affect them. like if you’re running outlook or thunderbird, which browser you use and so on can all be quickly identified using these unsalted hashes they sent to themselves.

hope this clears some stuff up. they didn’t do anything unlawful, but they most certainly completely broke our trust by spying on us and sending the resulting data in such an amateurish manner over the internet. it also became clear that their detection methods were extremely flawed and false positives are nearly guaranteed (not too common, but still).
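An added illustration (not code from the article, from fwosar’s write-up or from the Reddit comment) of why the unsalted per-file MD5 the client reportedly computed maps straight back to program names, and how the prefix (“salt”) the comment proposes changes that. The file contents, paths, public catalog and server salt are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for the image files of processes running beside the
# game client. Real binaries would be megabytes; the bytes here are made up.
SAMPLE_IMAGES = {
    r"C:\Program Files\MailClient\mail.exe": b"MZ\x90\x00mail-client-build-1",
    r"C:\Program Files\Browser\browser.exe": b"MZ\x90\x00browser-build-7",
    r"C:\Tools\memory-editor.exe": b"MZ\x90\x00memory-editor-build-3",
}

# What a third party can assemble from freely downloadable installers:
# program name -> file bytes, from which a hash catalog is built (constructed).
KNOWN_PROGRAMS = {
    "mail client": b"MZ\x90\x00mail-client-build-1",
    "web browser": b"MZ\x90\x00browser-build-7",
    "memory editor": b"MZ\x90\x00memory-editor-build-3",
}

# Hypothetical server-side secret; anything outsiders do not know will do.
SERVER_SALT = b"per-deployment-secret"


def md5_of(data: bytes, salt: bytes = b"") -> str:
    """MD5 over salt + data. An empty salt gives the unsalted per-file hash
    the write-up describes; a non-empty salt is the prefix the comment suggests."""
    return hashlib.md5(salt + data).hexdigest()


def collect_hashes(images: dict, salt: bytes = b"") -> dict:
    """Client side: hash the full content of every enumerated image file,
    keyed by path, as the reverse-engineered function reportedly did."""
    return {path: md5_of(content, salt) for path, content in images.items()}


def reverse_with_catalog(report: dict, catalog: dict) -> dict:
    """Observer side: look each reported hash up in a public catalog.
    None means the catalog could not name that program."""
    return {path: catalog.get(h) for path, h in report.items()}


def match_targets(report: dict, target_hashes: set) -> list:
    """Server side: which reported paths match the targeted-program list?"""
    return sorted(path for path, h in report.items() if h in target_hashes)


def demo():
    """Returns (names leaked by the unsalted report, names recovered from the
    salted report, targeted hits the salted report still produces)."""
    public_catalog = {md5_of(b): name for name, b in KNOWN_PROGRAMS.items()}
    unsalted = collect_hashes(SAMPLE_IMAGES)
    leaked = reverse_with_catalog(unsalted, public_catalog)  # every hash resolves
    salted = collect_hashes(SAMPLE_IMAGES, SERVER_SALT)
    hidden = reverse_with_catalog(salted, public_catalog)    # nothing resolves
    # The server knows the salt, so it hashes its own target list the same
    # way and still matches the one program it actually cares about.
    targets = {md5_of(KNOWN_PROGRAMS["memory editor"], SERVER_SALT)}
    return leaked, hidden, match_targets(salted, targets)


if __name__ == "__main__":
    for label, result in zip(("leaked", "hidden", "hits"), demo()):
        print(label, result)
```

The salt only defeats lookups by parties that do not hold it, such as anyone reading the RC4-protected report in transit; the server that chose the salt can still name every program, so it narrows who learns what you run, not how much is collected.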

Reader
Kickstarter Donor
Estranged

ohhhhhhhhhh

Reader
Cosmic Cleric

“Arena decided it was okay to just snoop around in the processes I was running and decided it found something it didn’t like,”

Is there any Windows-based program that won’t do this? WoW’s anti-cheat software does this (examines OS at runtime).

I’m all for companies not spying on me, but this guy is full of outraged-based b.s. What is described as “spyware” is not in this case.

Reader
Jeremy Barnes

You’re off the mark and I highly recommend the writeup on how Warden does things differently. You’re also glossing over the way in which it was handled.

Reader
Cosmic Cleric

It has been some time since I paid attention to how Warden works, true, but I’m sure Warden examines the O/S. At least it used to, and I can’t imagine it being effective at what it was doing if it doesn’t now.

Reader
7BitBrian

People need to know what they are talking about with this, and the reddit poster does not. This is common in gaming. It’s in the Terms of Use you agree to and in just about every game ever. WoW uses something exactly like this, and has for years. So does Rift, so does SWTOR, so does FF14.

This isn’t new and it also isn’t used how the reddit poster claimed. Hashing isn’t encrypting anything and the gateways are one way, to the server. This also has limited to no effect on performance. Honestly, if you know anything about how this stuff works in the business, this whole reddit post reads like bad fan fiction.

Reader
Cosmic Cleric

this also has limited to no effect on performance

While I definitely agree with you overall, there can be a real performance hit for file i/o on slower drives/systems. But then, that should be covered in the “minimum specs” when purchasing the game.

Reader
Jeremy Barnes

sutor, ne ultra crepidam. (Cobbler, stick to your last.)

Reader
Bruno Brito

Warden is completely different from what this is.

YOU’RE the one who doesn’t know what’s being talked about.

Reader
Dave

Warden is different, but no personal information or privacy was being violated. They grabbed a list of running DLLs on the system. Just running libraries. Nothing about that is private or personal.

I still don’t like it being done without me knowing, however, unless Personally Identifiable Information (PII) is taken/compromised, then it’s not considered private data.

Even then, most anti-cheat tools hook into the OS Kernel anyway, giving those tools potential access to your System’s hardware. That’s far scarier and more intrusive than what ANET did with this.

Reader
Jeremy Barnes

I wasn’t actively playing GW2 and didn’t have it installed, but I’ll certainly never go back. Whatever perceived “Good” doesn’t excuse installing software that spies on what I’m doing on my PC.

Reader
Cosmic Cleric

Whatever perceived “Good” doesn’t excuse installing software that spies on what I’m doing on my PC.

We lost that battle when mobile became a thing. All MMOs have anti-cheating code that does the same, WoW included.

Reader
Jeremy Barnes

There’s a good writeup on how WoW’s Warden is different. This also ignores the way in which GW2 handled this.

Reader
Cosmic Cleric

It’s not that different, truly, just that Warden scans more locally then sends results up to the server, while ANet’s generates hashes that it sends to the server to scan/process (the parts that this article discusses).

The finer points are just minutia for this discussion, no need to keep bringing that up over and over again.

Reader
Jeremy Barnes

You felt the need to keep bringing it up “over and over”. I responded in kind.

Reader
Cosmic Cleric

Er, you posted first, then I replied with ‘over and over’, not the other way around.

Anyway, doesn’t matter. At the end of all things, both Blizzard and Anet snoop around in your PC to see if you are cheating (amongst other things). They just do the processing a little different, not enough to make a difference ethically.

Reader
Kickstarter Donor
Estranged

Wow, this comment section took off…

Interesting how many people are willing to give up freedom to punish “cheaters” and degrade their computer performance through clandestine and unethical behavior.

So, the age old question…

How much freedom/privacy are you willing to give up for the illusion of safety/crime prevention/cheater punishment?

Reader
Cosmic Cleric

How much freedom/privacy are you willing to give up for the illusion of safety/crime prevention/cheater punishment?

As a VERY pro-consumer, anti-corporation, type of guy, I have no problem with my online games checking for cheaters, as long as they stay within that mandate, and don’t profit from it directly.

Based on the article quote, there’s no money to be had by Anet from selling hashes of running dlls. Honestly, this time, it’s ok what they are doing, really.

Reader
Kickstarter Donor
Estranged

No, it’s the premise. Also, the amateurish way in which this was handled could lead to a security issue.

Reader
Cosmic Cleric

What premise? Spied on without permission? You gave it, via the EULA (and for the record, I HATE EULAs, and think they are illegal, but as of right now, in our societies, they are legal/valid). So both you and I (assuming you play/played GW2) agreed to it. Same as we agree to when playing most other online games.

As far as amateurish, it’s not really; the poster was being hyperbolic somewhat (but not completely). Scanning for DLLs and creating hash files is not a bad thing to do. Is it the absolute bestestest way to do it? Probably not, but is it the worst way? Not at all.

There’s so much emotion on this subject, wish everybody could dial it back some (general speaking, not to your reply specifically). It clouds the issue and any possibility of having a constructive conversation about it.

Reader
Bruno Brito

None whatsoever. Not after friends of mine had issues with law enforcement bullshit and I learned I won’t trust a cop with a ten-foot pole away from me.

Reader
velimirius

Well done, only those that are having issues with this are ones that cheat in gw2 or other games they have along. It’s not like Anet will say “Hey, we are going to spy on you from now on to see if you use: list of programs, and if you do we ban ya”; everyone would clean programs and wait till it’s over.

Just like someone had an issue below: “i got banned, dont know why, just had this one program and i had this program as well bla bla bla” lol you dunno but had programs, jeez…

Bottom line, you deserve it if you got banned, enjoy.

Reader
Bryan Turner

I didn’t get banned, I was innocent so I had nothing to fear, I’m livid they didn’t tell me they were putting Spyware on my machine. I’m more than aware Google and Facebook collect info on me to sell to advertisers, however they are open about it and they provide their services free of charge; I paid for GW2 and have spent hundreds possibly thousand plus dollars in Gems over 4 years so I demand being informed this is happening. On a side note I have no doubt they use this shit to figure out how to market the Gem Store by looking at our browsing habits as well, I sure as hell wouldn’t put it past them at this point. At least Blizzard told us up front about Warden.

Reader
Dave

While I don’t like what they have done, there are a few things to consider here:

* They were only scanning DLL files while playing GW2. No personal or private information was taken. They already know who you are and where you live from payment information

* If you don’t like this, you shouldn’t play ANY game with an anti-cheat system. Many anti-cheat systems of today are hooked into the OS Kernel, potentially giving the anti-cheat system some level of access to your hardware

* While everyone has a right to privacy in their own home, a server owned by someone else is NOT your private property or space – you are responsible for your own privacy in those locations.

* Additionally, anything NOT containing Personally Identifiable Information (PII) is not protected by any privacy laws/regulations.

* Finally, some PII (like IP Address) is already known by whoever you connect to simply because networking doesn’t work without it.

Reader
Cosmic Cleric

Liked what you posted, but this item is incorrect, in the context of a company “spying” on you …

* While everyone has a right to privacy in their own home, a server owned by someone else is NOT your private property or space – you are responsible for your own privacy in those locations.

Scanning a client (not server) PC requires permission. In California, that’s the law from back in the 90’s.

Reader
Bruno Brito

I call this argument: “Bullshit”.

Reader
ultorius

The spyware was doing more than just COMMUNICATE ANY INFORMATION BETWEEN HARDWARE YOU USE WITH THE GAME. It was also communicating other information unrelated to the game. And this is where I draw the line.
Uninstalling and deleting the account, as I did with Facebook and as I did with TERA because of their security issues.
PS I don’t cheat and I didn’t get banned, so there are actually people who don’t like their practice and are not just salty busted cheaters.

Reader
Kickstarter Donor
Estranged

Yeah, Facebook is off all my devices and GW2 is uninstalled.

+1

Reader
Cosmic Cleric

and GW2 is uninstalled.

They’re trying to protect you from in-game cheaters.

Reader
Bruno Brito

And from my evil software and hacking enthusiasm, and those filthy j-games that I want to translate.

Reader
Cosmic Cleric

They’re trying to protect you from in-game cheaters.

And from my evil software and hacking enthusiasm, and those filthy j-games that I want to translate.

Ok, let’s turn this around then. How would YOU want Anet (or other gaming company) to protect you from cheaters, technically?

Reader
Kickstarter Donor
Estranged

Cosmic, I don’t need protection in such a fashion. It’s sloppy.

Reader
Cosmic Cleric

Cosmic, I don’t need protection in such a fashion. It’s sloppy.

While I did laugh at your reply (well played, sir, well played), honestly, we all (myself included) bitch and moan about cheaters all the f’ing time, so I can believe you, or my lying eyes (to quote Groucho Marx).

Reader
Kevin Smith

I have seen so many posts on different sites about people bitching and whining about them not telling them they were going to do it. Well duh, you don’t tell cheaters that you are going to install something to spot them before you do it. Is it ethical to spy on your customers? No, not really, but to be honest if it removes even one person that is cheating then do it. They should do this install randomly and uninstall it after the bans. If you have a valid reason to use most of the programs, which there are a few, you could prove that is what you are using them for and most likely get it reversed by opening a ticket. The people that cry the most are usually the ones who were cheating to begin with.

Also if you think anything you do online isn’t watched and recorded by someone you are ignorant to begin with. Even Microsoft with Windows 10 spies on you. Hell, almost every company that does anything online spies on you.

Reader
Bruno Brito

Since there’s a lot of killers in this world, i may as well shoot someone too!

Reader
Cosmic Cleric

Since there’s a lot of killers in this world, i may as well shoot someone too!

Life is not an on/off switch, binary, it’s a volume control, analog, varied.

Spying to catch cheaters is probably one of the few times it’s ok to spy. Shades of gray, etc. etc.

Reader
hardy83

Got banned and didn’t know why. Opened a ticket, then Googled, realized they did some mass ban and I laughed. Figured after playing so many MMOs I would’ve been accidentally banned eventually, but thought, no biggie, I didn’t cheat or anything so they’ll unban it.
Got a reply to my ticket saying I used something called UNF, which after Googling I still don’t really know what it is and I’ve never downloaded it, and said tough luck, you’re banned.
Was it GW2Hook? That’s all I had installed. AutoHotkey? I downloaded it cause I thought about buying a music instrument but never installed it because, while I know light coding, I’m also super lazy and don’t care to do that stuff. lol

I… am conflicted. On one hand, I’m mad cause I didn’t cheat and now lost this long time investment of a game I really enjoyed. One of the last few MMOs I actually liked playing. On the other hand I laughed because, being cynical, I knew monetary or any kind of loyalty meant nothing to companies, even ANet, and that after looking into it, the software they used to detect “cheaters” was sketchy and questionable as heck, and deciding to invade people’s privacy in this manner is a typical terrible execution for something like this from a company.
Companies will commit murder and the company heads will truly believe they did nothing wrong.

Even if I get unbanned, the damage was done. My faith in the company is lost. I doubt I’ll spend any money on it and my interest in the story just went out of the window. Why care about a game if a company is going to half-a** it so poorly that they ban legit players.

Made me wish I actually cheated. If I was gonna get permabanned (it’s not permanent it’s like 4k+ hours) like this with little hope of being unbanned, I wish I actually cheated to make it feel justified.

lol Oh MMOs… What’s the point anymore. :P

Reader
Randall Keirns

Exactly the same situation for me except I loaded nothing else into my system. Their response is that I used UNF which is completely false. I can’t believe I was suspended. I’ve played since GW1 beta, and have a top account. What you say I totally agree. Why return, this is like a relationship gone bad and your significant other is banging your best friend all the while calling you the cheater. Again why return. Others need to see this and question any further investment into anything that is Anet.