# Looking inside your screenshots

## Sendatsu

*Updated 12/09 (the watermarking apparently started in 2007):*

*DISCLAIMER: This thread post contains detailed information on how to view a hidden watermark which has been verified to exist embedded in JPG screenshots produced by the WoW client. The watermark itself includes, encoded in unencrypted bytes, the user's account name (\World of Warcraft\WTF\Account\), an HH:MM timestamp and the IP address of the server. If you do not care about Blizzard secretly watermarking your screenshots without any specific prior notification in the ToS or EULA, then this post probably isn't for you. Thank you for your attention.*

Dear everyone

This post may have been moved to WoW General, but it still remains an exploit - *one which is used against us...*

1) Go somewhere where there aren't any (or a lot) of textures. I used the druid blink bug to go to the north end of the world but you should *go below Dalaran in Crystalsong Forest*, as bluesius suggested, because you will get a better screenshot if you stick your face in the pure white trees.

2) Type:

*/console SET screenshotQuality "9"*

Make sure you use 9, not 10.

3) *Take a few screenshots of the clear, no textures, white area by zooming into a tree and hitting ALT Z, so that your entire screen is white.*



4) Open this image in an image editing program like *IrfanView* (it's freeware), click CTRL+E, select the *Sharpening filter*, use the highest possible sharpening value (99) and click OK. Now do this two more times, again: CTRL+E, Sharpen 99, OK.

5) You are now looking at your character's *WoW watermark* / custom bar-code / qr code look-a-like / call it what you will:



Apparently, each user has a different set of these repeatable patterns, which contain *account and realm information*, and it looks like *if they are scanned by software that recognizes them*, they can *reveal* our character's account name/id, the time of the screenshot and *the full information of the realm, including its IP address* (think "private servers").

Note that if your screen resolution is too high, the pattern will look something like this: 

 (larger footprint)

The pattern, which consists of approximately 88 bytes of data, *repeats itself many times* depending on the resolution of your screen. See below for a colored representation: the account id and realm information are depicted in red and the current time (seconds not included) is depicted in blue:




*IMPORTANT NOTE: IF YOU CAN'T BOTHER READING ANYTHING ELSE, READ THIS:*

The secret watermark which is being intentionally embedded inside WoW generated screenshots below top quality, *DOES NOT CONTAIN the account password, the IP address of the user or any personal information like name/surname etc*. It *does contain the account ID, a timestamp and the IP address of the current realm*. It can be used by malicious hackers to link alt. characters to accounts and target specific spam or scam attacks, and it can be used by Blizzard to track down private WoW servers.

Based on Blizzard's ToS (Legal - Blizzard Entertainment), Blizzard is allowed to *communicate information* about our hard drive, CPU, operating systems, IP addresses, running tasks, account name and current time and date. It *never mentions anything though about embedding some of these data into every screenshot we capture using the WoW printscreen tool*. The users [mistakenly] *assume* that Blizzard will use a *safe channel via battle.net*, *not our public screenshots* that we share with the world, *unaware of their secret contents*. This unencrypted watermarking mechanism *fails to protect our privacy*, not from Blizzard employees (they already know everything about our computer systems), but from malicious hackers looking for something or someone to take advantage of.

If they only wanted it for screenshot-authenticity reasons, as some argued, they could have just watermarked a unique version of their logo or perhaps an encrypted key. But we found account and realm information which means that its aim is *to secretly track the users, in addition to the known tracking methods that we agree to in the ToS*.

_Mike, schlumpf and Master674 have managed to disassemble the watermark data and help us verify which pieces of information are contained inside. Do note that this covert watermarking has been confirmed, by multiple sources, to have started immediately or soon after *Patch 2.1.0 in 2007* (before the Activision deal), which introduced JPG screenshots for the first time (Search - WoW), so you may want to *delete/remove from the public domain all your JPG screenshots captured by WoW.* Sorry Activision haters, looks like this one was on Blizzard  :Smile: 

The contained information can be easily recovered and decrypted by malicious hackers (if we did it, so can they). For example, *someone could use this to identify which account holds which characters and perhaps stalk and annoy its user, or help perpetrators choose their phishing victims with a more targeted approach.* They could unleash Web spider bots scanning for WoW screenshots, decode their hidden watermark data and quickly create a comprehensive database of which account has which alts in it, that they can then sell to anyone interested. Perhaps someone is already using this since the watermark has been around for *five* years already.

Bear in mind that when this started, back in 2007, *we were still using our account name to login* so, before the battle.net conversion in 2009, the watermarks actually had _really_ sensitive information... Between *May 22, 2007* and *November 11, 2009*, any malicious hacker who knew about this could have used a screenshot of a lucrative character to find their *actual username & active realm* and then either try to scam them out of their password, or just brute-force it.

It looks like when Blizzard decided to add JPG screenshots into the WoW client, they also teamed up with *Digimarc* (Digimarc - Digital Transformation with Digital Watermarks) to provide us this _wonderful_ service of *secretly tagging our in-game screenshots* with our account and realm information. Although it has not yet been verified, it is possible that Blizzard is using an automated monitoring service which downloads image files from various Internet sites and checks them for the presence of their embedded digital watermark data, kindly provided by Digimarc: US7653210B2 - Method for monitoring internet dissemination of image, video, and/or audio files - Google Patents

I must repeat, once more, that these patterns are *not* "random artifacts", because random artifacts don't produce account IDs: Looking inside your screenshots - Page 6 (Looking inside your screenshots)

Thanks to _Mike, we also verified that there is no pattern included in high quality screenshots like TGA and JPG/10. So, in order to avoid any further watermarking, type: */console SET screenshotQuality "10"* which will set the quality of your screenshots to the maximum and create screenshots that *do not* include the watermark.

l0l1dk has developed a tool to disable the addition of watermarks in the lower quality screenshots but *use it at your own risk/responsibility* because it could corrupt the WoW client, which could then require a clean re-installation of the game (_it's also against the ToS_). *It is much simpler to just set the JPG quality to max.*

Finally, a lot of people are asking how we managed to *decode* the watermark pattern. Well it took a lot of teamwork, which you can find in the next pages here, and we came up with two source codes which successfully read the pattern data:

Java: http://www.ownedcore.com/forums/worl...ml#post2492716

C#: http://www.ownedcore.com/forums/worl...ml#post2493450

Try it yourselves. Read the rest of the thread for more information. If you have any comments, ideas or suggestions please share. Politeness is appreciated.

----------
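The repeating, unencrypted pattern described in the opening post, shown on constructed data as an added example that is not part of the original post and is not one of the thread's decoders. The tile layout, payload string, image size and all function names are assumptions made for illustration; the real watermark's encoding is not reproduced here.

```python
# Added example on constructed data. The tile layout below is invented for
# illustration and is NOT the real watermark encoding.
PAYLOAD = b"acct=EXAMPLEUSER;time=12:34;realm=192.0.2.10".ljust(88, b"\x00")  # constructed
TILE_W, TILE_H = 32, 24     # 31 x 23 payload cells hold the 88 * 8 = 704 bits
BACKGROUND, DELTA = 250, 2  # near-white pixel value and a faint watermark amplitude


def build_tile(payload):
    """Lay payload bits out row by row; row 0 and column 0 hold one sync pixel."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    tile = [[0] * TILE_W for _ in range(TILE_H)]
    tile[0][0] = 1
    cells = [(y, x) for y in range(1, TILE_H) for x in range(1, TILE_W)]
    for (y, x), bit in zip(cells, bits):
        tile[y][x] = bit
    return tile


def make_screenshot(width=128, height=72):
    """Flat grayscale image with the tile repeated at low amplitude (constructed)."""
    tile = build_tile(PAYLOAD)
    return [[BACKGROUND - DELTA * tile[y % TILE_H][x % TILE_W] for x in range(width)]
            for y in range(height)]


def residual(img):
    """Mark each pixel that differs from the dominant (background) value.

    This plays the role of the repeated sharpening step: a 2-level difference
    that the eye misses becomes a clear 0/1 mask.
    """
    counts = {}
    for row in img:
        for value in row:
            counts[value] = counts.get(value, 0) + 1
    background = max(counts, key=counts.get)
    return [[1 if value != background else 0 for value in row] for row in img]


def period(mask, axis):
    """Smallest shift along axis (0 = x, 1 = y) that maps the mask onto itself."""
    if not any(map(any, mask)):
        return None  # nothing deviates from the background: no pattern present
    height, width = len(mask), len(mask[0])
    for shift in range(1, (width if axis == 0 else height) // 2 + 1):
        if axis == 0:
            same = all(mask[y][x] == mask[y][x + shift]
                       for y in range(height) for x in range(width - shift))
        else:
            same = all(mask[y][x] == mask[y + shift][x]
                       for y in range(height - shift) for x in range(width))
        if same:
            return shift
    return None


def audit_screenshot(img):
    """Report whether a flat region carries a repeating pattern and what it exposes."""
    mask = residual(img)
    px, py = period(mask, 0), period(mask, 1)
    if px is None or py is None:
        return {"watermark": False}
    # Assumes the first tile starts at the top-left pixel, as in the constructed sample.
    tile = [row[:px] for row in mask[:py]]
    bits = [tile[y][x] for y in range(1, py) for x in range(1, px)]
    data = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))
    return {
        "watermark": True,
        "tile": (px, py),
        "repeats": (len(mask[0]) // px) * (len(mask) // py),
        "payload": data[:len(PAYLOAD)],
    }


if __name__ == "__main__":
    print(audit_screenshot(make_screenshot()))
    print(audit_screenshot([[BACKGROUND] * 128 for _ in range(72)]))
```

The exact-match test in `period` only works on clean synthetic pixels; a real lossy JPEG would need a mismatch tolerance.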


## ev0

upload your images on an external image hosting site: imgur.com


No one responded because they couldn't see them

----------


## Sendatsu

> upload your images on an external image hosting site: imgur.com
> 
> 
> No one responded because they couldn't see them


Thank you.

**UPDATED**

----------


## 403Forbidden

For quite a while I suspected this kind of tracking was possible. Thank you for researching & proving it to be true! 
+cookies your way

Edit: To people who do not understand the importance, this shows how Blizzard has possible ways of tracking screenshots to the related accounts even with name/character model / etc censored out. It also provides knowledgeable people with more ways to censor the image to prevent the above from happening.

----------


## Sendatsu

> For quite a while I suspected this kind of tracking was possible. Thank you for researching & proving it to be true! 
> +cookies your way
> 
> Edit: To people who do not understand the importance, this shows how Blizzard has possible ways of tracking screenshots to the related accounts even with name/character model / etc censored out. It also provides knowledgeable people with more ways to censor the image to prevent the above from happening.


Thank you! If you actually want to censor your screenshot, apart from the character name and chat, you also have to blur out the shape of the pattern in the last image (https://i.imgur.com/3FDgG.jpg). It's like a capital T merged with an inverted capital T (dots added for centering), so it basically looks like an *Ξ* with a smaller middle line for small resolutions and a larger middle line for large resolutions:

```
___
..|..
--!--
```

It's always in the middle of your screen, and always the same pattern per character. That is why my screenshots are so low-res, I couldn't afford them being recognized.

----------


## AraiXplorer

For me it looks like JPG compression artifacts, remember that JPG is a highly destructive algorithm.
Try entering this :




> /console SET screenshotFormat "tga"
> /console SET screenshotQuality "12"


Redo your method and we'll see.

----------


## allesist

Maybe this is just a watermark to prove it's from WoW itself and not a manipulated image (even the pattern changes).
But I will try to reproduce this and then I will try to decode it somehow.

// Edit

Got those patterns too. But I think - like others in this thread told already - this is just because of the JPEG compression. Can't see any difference on two different accounts on the same place.

----------


## Sendatsu

> For me it looks like JPG compression artifacts, remember that JPG is a highly destructive algorithm.
> Try entering this :
> 
> 
> 
> Redo your method and we'll see.


Thank you for the suggestion. I just experimented with all the qualities of JPG and the patterns disappear *only* at quality 10 (there is no higher quality than 10). Qualities 1-9 include these patterns. The lossless TGA format has no patterns in any of the qualities.

If this indeed was JPG artifacts I would expect them to spread throughout the image. If an image format expert can give some insight on this it would be great.

For now I am switching to JPG quality 10 until I know more. Thanks for the tip.

----------


## AraiXplorer

Long story short : JPG is bad, go PNG people.

@Frito : Tinfoil hats off to you  :Big Grin:

----------


## Sendatsu

> Since the human eye is much more sensitive to luminance than chrominance, you can afford to discard much more information about an image’s chrominance, especially the higher frequencies.


We agree that JPG removes a lot of information from the image to make it smaller, but from all over the image, not always just the middle *Ξ* section.




> The number used to calculate the quantization constants is stored in the JPEG image file’s header, making decoding of the coefficients possible.


The file header is not visible in the image, so it's not that.




> Since the output file contains Huffman codes, the original encoding information (like the Huffman tree or the data table generated from the Huffman tree) must also be stored in the output file in order for decompression to be possible. (...) One drawback is that the actual output file is larger than it needs to be. This is because information about the compressed data’s frequencies must also be stored in order to make data decompression possible.


Ok so let's say that what I'm looking at is the storage of a Huffman tree embedded into the graphics. How can two different images (https://i.imgur.com/nClSc.jpg & https://i.imgur.com/0PWKW.jpg) have the same hidden pattern inside? They are different images so a different Huffman tree must have been created for each. I merged the top part of the first image with the bottom part of the second and I found the same pattern repeated 5 times in 3 different rows (2-1-2).

Any suggestions? Politeness is appreciated  :Smile:

----------


## pac7

Interesting find, rep+
Blizz has a lot of cash to develop such complex algorithms to track you.

I always knew they were monitoring me.

----------


## Sendatsu

> But here you go I took the "Secret Barcode" and I went ahead and converted every color in the pattern to a more noticeable one.
> Feel free to decode my account information and I'll be waiting on my ban from blizzard.
> http://img12.imageshack.us/img12/8409/secretsa.png


The screenshot you just posted is from a high resolution monitor. Can you confirm?

----------


## Sendatsu

You see, I was going through my old screenshots and I found one from early 2011 where I print-screened a buggy field that was all light brown:

https://i.imgur.com/QFugi.jpg

I then sharpened the image and found this pattern:

https://i.imgur.com/auofc.jpg

This pattern is completely different from the current pattern that I found on my screenshots from yesterday and today (https://i.imgur.com/3FDgG.jpg). 

*Update: this happens when the screen resolution is too high because the pattern tries to make sure it will be visible enough so that at least one complete piece of it survives after any image modifications.*

You asked me why I sharpen the image. Well if you zoom into my sharpened image above, you will see this:

*===> https://i.imgur.com/Qc5ME.jpg <===*

Does this remind you of something? Maybe this:

https://i.imgur.com/Okxgz.jpg

QR codes are basically visual representations of binary digits which, when translated into ASCII, form text. So, these patterns that I found in the images are not just random artifacts or removal of colors that the human eye can't see: *they are actually machine readable data*.

You are claiming that this extra padding has been added by the JPG compression algorithm Blizzard is using to assist with the decompression of the screenshots, and I respect that. I just don't see the reason why this extra "padding" has to be added in such a visible place in all images regardless of their compression needs. I captured a black screen with JPG quality 9 and it created a larger file than a JPG quality 10, because JPGs 1-9 also contain this extra padding inside, whereas 10s don't.

This could just be a method Blizzard is using to decrease the size of really colorful files, thinking that adding this padding (which _might_ only contain decompression information) is worth it, because who ever captures monochrome screens, right? :P

I was a bit worried to discover a machine readable data pattern (custom bar-code, as I called it :P) hidden within every screenshot I shot since 2010.
1) I still don't understand why the new pattern is comprised of the same 3 elements repeating again and again (wasn't one time enough?).
2) I also don't understand why two different images produced the same patterns (if it were just decompression information, shouldn't it be different?).
3) And finally, if Blizzard indeed came up with their own proprietary JPG compression algorithm that uses padded pattern-data to assist with the decompression, how will all the image software applications of the world know how to understand this custom system if Blizzard never advertised it? Because I have never before seen so much intentional "*noise*" (ehem) inside a jpg file I sharpened.

Anyhow, I don't know how you translate these codes into binary digits and text but I would be really interested to ask a Blizzard developer what information is stored inside.  :Smile:

----------


## Sendatsu

> Seriously, if it was some kind of tracking system, they'd use EXIF fields which JPGs can contain. Screenshots don't look malformed, and such, the data you're viewing has been generated using the input as an image, and anything not visible on the screenshot; isn't on the screenshot. Simple as.


I couldn't find any patterns by sharpening your image which either means a) you used JPG quality 10 or b) it was too colorful for a human to notice.

If they used EXIF/IPTC comments, anyone would be able to read their extra data in plain text format. By embedding the data inside the screenshot (by padding it among its bytes while at the same time keeping it as invisible as possible), they manage to create a mechanism where only their programmers are able to extract the hidden information contained inside (like steganography does). Still, this is "security by obscurity". If a hacker is dedicated enough, they can easily reverse-engineer it and figure out what it says.

Screenshots don't look malformed when you are viewing a lot of colors, but when it's monochrome it can be easily spotted. By using sharpening techniques you can "single out" the hidden data and can easily see that they create a standardized pattern that resembles a machine readable code.

Just because you can't see IR light, doesn't mean your remote control magically changes the channels of your TV every time you press a button. The hidden data are there; I just wonder what they hold.

----------


## McYawgi

For those of you who want to check it out... You don't have to take several screenshots and merge together. Just fly up to the world ceiling and take a screenshot just below the horizon.

Also, if you turn down the screenshot quality in-game you can see the effect without using any other image editing software. (Just remember to set it back to 10 after.)



> /console set screenshotQuality 1

----------


## Winsane

> sooooooooo blizzard goes through literally MILLLIONS OF SCREENSHOTS to find out ZOMG little tiny fell down a well and is exploiting it. pretty much this theory is so dumb that it should be moved out of the exploit section to infowars right now lol.


What? Why would they be going through millions of screenshots? Are you retarded?

This could be a way for them to be able to know from what character/account the screenshot was taken, it wouldn't be that hard to implement..

I do agree that it does seem a bit far fetched, but with teams like RAoV posting insane exploits (dupes, server crashes) it wouldn't surprise me if they did something like this.

Even if the marks have nothing to do with tracking characters, i would love to know why they are there.

----------


## Sendatsu

> sooooooooo blizzard goes through literally MILLLIONS OF SCREENSHOTS to find out ZOMG little tiny fell down a well and is exploiting it. pretty much this theory is so dumb that it should be moved out of the exploit section to infowars right now lol. also this seems fitting


*Actually, this remains to be seen.* But still, most people are stupid enough to brag about exploiting bugs in public, well known, forums using screenshots to prove it. I'll name one such forum: it starts with owned. And don't tell me that you do it because you love the game (http://www.ownedcore.com/forums/gene...75301-why.html). If you indeed cared for it, you wouldn't be reporting the bugs in here for everyone to see and exploit, but straight to Blizzard's private bugtraq.

As I mentioned above, it's a bit fishy that Blizzard covers/embeds HALF the screenshot with padded data that we don't know what they store. The pattern repeats itself 5 times, as if it's trying to prevail among your graphics, making sure the person at the other end - who knows about its existence - gets the message. Notice that the middle, where your character usually stands, is empty. The sides, the bottom and the top, where your bars usually are, are also empty. I am truly amazed that no one has ever noticed this before now (or have they?).

Feel free to laugh and make fun of what you don't understand. But don't dismiss it until you make sure it's really nothing.

----------


## Sendatsu

> Idea: Can anyone go to Crystalsong Forest, close to Dalaran, and grab a few screens from there? They have some trees there that have an overwhelming white color, if you disable the display of your character (console), you could theoretically get a totally white image. It would be cool to see the patterns on that image.


That was a smart idea bluesius, I didn't remember those trees. With JPG 10 there's nothing, as expected. With JPG 9 though, well here you go:

https://i.imgur.com/ZK5l1.jpg

Edit: Woah I can now see the full actual code!! We can use this as basis! Go for the trees if you are going to try to decode this!

https://i.imgur.com/IKMrX.jpg

----------


## nishila

Screenshot by Lightshot would you just drop this already ?

Theory is Theory

----------


## Sendatsu

> Screenshot by Lightshot would you just drop this already ?


Please type:

*/console SET screenshotFormat "jpg"
/console SET screenshotQuality "9"*

BEFORE you take the screenshots.

If quality is at 10, the patterns don't appear.

----------


## _Mike

```
__text:00B3C980                   ; =============== S U B R O U T I N E =======================================
__text:00B3C980
__text:00B3C980                   ; Attributes: bp-based frame
__text:00B3C980
__text:00B3C980                   ; ScrnScreenshot(void (*)(int), unsigned char *, unsigned int, char  const*, char  const*, char  const*)
__text:00B3C980                   __Z14ScrnScreenshotPFviEPhjPKcS3_S3_ proc near
__text:00B3C980                                                           ; CODE XREF: Script_Screenshot(lua_State *)+37
__text:00B3C980                                                           ; sub_76C3C0+36
__text:00B3C980
__text:00B3C980                   arg_0           = dword ptr  8
__text:00B3C980                   arg_4           = dword ptr  0Ch
__text:00B3C980                   arg_8           = dword ptr  10h
__text:00B3C980                   arg_C           = dword ptr  14h
__text:00B3C980                   arg_10          = dword ptr  18h
__text:00B3C980                   arg_14          = dword ptr  1Ch
__text:00B3C980
__text:00B3C980 55                                push    ebp
__text:00B3C981 89 E5                             mov     ebp, esp
__text:00B3C983 8B 45 08                          mov     eax, [ebp+arg_0]
__text:00B3C986 A3 C4 7F 98 01                    mov     ds:__ZL15s_captureScreen, eax ; s_captureScreen
__text:00B3C98B 8B 45 0C                          mov     eax, [ebp+arg_4]
__text:00B3C98E A3 C8 7F 98 01                    mov     ds:__ZL16s_pWatermarkData, eax ; s_pWatermarkData
__text:00B3C993 8B 45 10                          mov     eax, [ebp+arg_8]
__text:00B3C996 A3 CC 7F 98 01                    mov     ds:__ZL21s_uWatermarkDataBytes, eax ; s_uWatermarkDataBytes
__text:00B3C99B 8B 45 14                          mov     eax, [ebp+arg_C]
__text:00B3C99E A3 D0 7F 98 01                    mov     ds:__ZL18s_screenshotFolder, eax ; s_screenshotFolder
__text:00B3C9A3 8B 45 18                          mov     eax, [ebp+arg_10]
__text:00B3C9A6 A3 D4 7F 98 01                    mov     ds:__ZL24s_screenshotNameOverride, eax ; s_screenshotNameOverride
__text:00B3C9AB 8B 45 1C                          mov     eax, [ebp+arg_14]
__text:00B3C9AE A3 D8 7F 98 01                    mov     ds:__ZL19s_depthNameOverride, eax ; s_depthNameOverride
__text:00B3C9B3 C9                                leave
__text:00B3C9B4 C3                                retn
__text:00B3C9B4                   __Z14ScrnScreenshotPFviEPhjPKcS3_S3_ endp
__text:00B3C9B4
__text:00B3C9B4                   ; ---------------------------------------------------------------------------
```

source: osX build 15662

The watermark contains your account name, a timestamp and some other data that I haven't bothered looking at.

----------


## Sendatsu

> The watermark contains your account name, a timestamp and some other data that I haven't bothered looking at.


Nice find! It is possible that the information is encoded based on the image dimensions, but I have no way of confirming this (only the theory on QR codes).

For those of us who don't "speak" Assembly, can you explain what we are looking at please? What is contained in s_pWatermarkData?

----------


## drm420

> ```
> __text:00B3C980                   ; =============== S U B R O U T I N E =======================================
> __text:00B3C980
> __text:00B3C980                   ; Attributes: bp-based frame
> __text:00B3C980
> __text:00B3C980                   ; ScrnScreenshot(void (*)(int), unsigned char *, unsigned int, char  const*, char  const*, char  const*)
> __text:00B3C980                   __Z14ScrnScreenshotPFviEPhjPKcS3_S3_ proc near
> __text:00B3C980                                                           ; CODE XREF: Script_Screenshot(lua_State *)+37
> __text:00B3C980                                                           ; sub_76C3C0+36
> ...
> ```


Nowhere in any of what you posted is there a time stamp or a character name, nor is there any proof of where you got that from. I'm calling trolling. If you want to prove this 100%, let us put up our own screenshot to test you.

----------


## _Mike

> Nowhere in any of what you posted is there a time stamp or a character name, nor is there any proof of where you got that from. I'm calling trolling. If you want to prove this 100%, let us put up our own screenshot to test you.


I gave you the client build number and the offsets. Look it up yourself.

----------


## _Mike

It's a disassembly listing from IDA Pro of the beta mac binary (because it has function names which the windows version doesn't).
58D9F0 is the address of the same function in the current live windows 32 bit exe.
Put a breakpoint on it and look at what the 2nd argument contains when you press print screen.
58DA60 is the function which takes the actual screenshot, and BB6990 is where the watermark data is encoded.
I'm working on a decoder but the functions are a bitch to reverse  :Frown: 

And I'm sorry for the harsh tone earlier. I had 2 tabs open and I mistook this for the mem editing section so I assumed people would know how to verify it themselves.

----------


## Sendatsu

As far as I understand up until now, based on the new data I acquired thanks to the white tree idea of bluesius, the repeating pattern has some static parts and some dynamic parts.

1) The static parts remained the same on ALL characters who took the screenshot while being in the same account_id+location+guild+realm and having the same screen resolution (I don't know which of these factors are stored so I mentioned them all).

2) The dynamic parts keep changing every time you take a new screenshot regardless of the character, so it probably has something to do with current time/date.

If we change the screen resolution, the entire representation changes but the new screenshots still follow the above two rules.

In order to see this visually, I singled out the unique element which comprises the pattern (by repeating itself 5 times on my resolution) and I used red for the static parts and blue for the dynamic parts:

https://i.imgur.com/I4hnr.jpg

_(red dots intentionally blurred out for obvious reasons)_

Thanks to _Mike's disassembly (thanks Mike!), we now know that these extra data are not added for decompression reasons but as an extra watermark on top of the image.

Can someone please analyze the Assembly code further and find what is stored in s_pWatermarkData and in s_uWatermarkDataBytes?

----------


## Sendatsu

Until you are finished with the programming part, I had a look at Blizzard's Terms of Use.

The first part that I assume almost everyone knows is that we don't own anything, even though we pay for it every month:




> No Ownership Rights in Account.
> NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, YOU ACKNOWLEDGE AND AGREE THAT YOU SHALL HAVE *NO OWNERSHIP* OR OTHER PROPERTY INTEREST IN ANY ACCOUNT STORED OR HOSTED ON A BLIZZARD SYSTEM, INCLUDING WITHOUT LIMITATION ANY BNET ACCOUNT OR WORLD OF WARCRAFT ACCOUNT, AND YOU FURTHER ACKNOWLEDGE AND AGREE THAT ALL RIGHTS IN AND TO SUCH ACCOUNTS ARE AND SHALL FOREVER BE OWNED BY AND INURE TO THE BENEFIT OF BLIZZARD.


The second part that not all may know is that, when the game is running, apart from checking our RAM and CPU processes for possible "unauthorized tasks", they also:




> B. WHEN THE GAME IS RUNNING, BLIZZARD MAY OBTAIN CERTAIN IDENTIFICATION INFORMATION ABOUT YOUR COMPUTER, INCLUDING WITHOUT LIMITATION YOUR *HARD DRIVES*, *CENTRAL PROCESSING UNIT*, *IP ADDRESS(ES)* AND *OPERATING SYSTEM(S)*, FOR PURPOSES OF IMPROVING THE GAME AND/OR THE SERVICE, AND TO POLICE AND ENFORCE THE PROVISIONS OF ANY BLIZZARD AGREEMENT.


Yes, Blizzard may obtain information about your hard drives, your CPU, your IP address (obviously) and your operating system, to police and enforce provisions. And apart from that, they can also:




> IN THE EVENT THAT THE GAME DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, BLIZZARD MAY (a) *COMMUNICATE* INFORMATION BACK TO BLIZZARD, INCLUDING WITHOUT LIMITATION THE *ACCOUNT NAME*, *DETAILS* ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE *TIME AND DATE* THE UNAUTHORIZED THIRD PARTY PROGRAM WAS DETECTED;


So, basically, every time a new patch comes along and we rush through the ToS screens to quickly check out the new content, Blizzard asks us, in full-caps rage, to allow them to communicate our *account name*, details about the running task(s) and the *time and date* of the detections.

With the above in mind, it starts to become clearer why this information is included in each screenshot, and that we should be thankful they omitted also adding it on top of the full quality images like JPG10 or TGA (possibly to avoid deteriorating the quality).

As certain laws point out though, like the newly voted Cookie law (which may apply mainly for websites but has already set a general standard), we must be specifically informed for every piece of information we are sharing with them.

I understand from the ToS that they are scanning my hard disk and I have to agree with it, hoping that they won't access my personal files. But it was never explained that every time we share a screenshot, we also share our account name with it and possibly our IP address. If hackers find a way to read these data, it could endanger the security of our account and/or system. As I said a few posts back, *security by obscurity never works, and you have been uncovered*.

----------


## Sendatsu

Introductory post updated with all the information we know up until now.

----------


## Etherea

Clearly JPEG artifacts as pointed out by Frito and Arai. Anyone who continues to think this is a conspiracy is a complete moron. Given the nature of JPEG compression it wouldn't even be possible to code in high-detail QR codes, and if they were really doing this it would appear in lossless format as well.

----------


## ReignDrop

So I skipped pages 2 and 3 to say this. Is there seriously an argument that Blizz might be tracking us through our print screens when we readily allow them all of our information via our internet connection to their servers? Any and everything that exists on a screenshot, hidden or not, they already have access to on their servers. 

What would be the point of finding you through a screen shot when they have people who already go through their server information to gather much more accurate and relevant information?

----------


## Sendatsu

> So I skipped pages 2 and 3 to say this. Is there seriously an argument that Blizz might be tracking us through our print screens when we readily allow them all of our information via our internet connection to their servers? Any and everything that exists on a screenshot, hidden or not, they already have access to on their servers.
> 
> What would be the point of finding you through a screen shot when they have people who already go through their server information to gather much more accurate and relevant information?


You are saying this under the *impression* that Blizzard's employees are omnipresent and omniscient. The ticket waiting time on my realm is currently *6 days*, the GMs are already working at full speed while at the same time trying to be polite and keep up with all their work at a basic wage, and Blizzard is losing customers faster than a bag of sand with a hole at the bottom.

When you screenshot something and share it with the world it's usually something you feel like sharing, something *different*: a new transmo, an achievement, a bug, a cheat, a hack. They are not doing this to track your latest hairdo but to make sure that, even if you erase your character's name and chat, they will still be able to track the origin of the event you are showing off and THEN check their logs to see what happened and how they can fix it.

It's not paranoia, it's business thinking.

----------


## Sendatsu

> This is my last post in this thread. It's beyond stupid and I'm not gonna be a part of it.


Hey Frito, I thought you said you wouldn't be a part of this any more :P

So, you never told me, your screenshot (http://img12.imageshack.us/img12/8409/secretsa.png) was from a high resolution screen right?




> But remember guys! Only if you use the super low quality jpg format that has artifacts and is a lossy format. If you use the nice quality lossless formats they don't wanna track you anymore.


No, as I said many times, use the maximum quality minus one, so instead of 10, go for 9. All JPG qualities between 1-9 contain the watermark. I don't know why it is not included in 10, maybe they wanted us to actually have a high quality option, given that a) it would be really obvious if a high quality shot had so much noise scattered in the middle of the screen and b) the default setting is 3 anyhow, not everyone knows how to change it using console commands and if they do, they are also probably smart enough to use FRAPS to capture their screens (which would skip the watermark function anyway).

It's funny how you won't follow the simple instructions I've written in the first post to see your own watermark. Well it was funny, now it's getting annoying  :Smile:

----------


## Sendatsu

> It's already been proven (on page one) that the "watermark" is in fact JPEG artifacts. The fact that you still deny this despite the evidence demonstrates your lack of knowledge and stubbornness. This thread is going nowhere.


Which I disproved in post #21 (http://www.ownedcore.com/forums/worl...ml#post2489037).

*We are way past that.*

_Mike disassembled the client code and found that *a watermark is indeed added intentionally on top of the screenshots.* (http://www.ownedcore.com/forums/worl...ml#post2489452)

We are now waiting for someone to look inside *s_pWatermarkData* and *s_uWatermarkDataBytes* to see what's in there.

----------


## Ssateneth

> Which I disproved in post #21 (http://www.ownedcore.com/forums/worl...ml#post2489037).
> 
> *We are way past that.*
> 
> _Mike disassembled the client code and found that *a watermark is indeed added intentionally on top of the screenshots.* (http://www.ownedcore.com/forums/worl...ml#post2489452)
> 
> We are now waiting for someone to look inside *s_pWatermarkData* and *s_uWatermarkDataBytes* to see what's in there.


I +repped you for DENYING Etherea SO HARD. It was well-deserved.

----------


## Sendatsu

> Many techniques have been proposed, such as in [1-6]. However, most of them are fragile in the sense that the hidden data cannot be recovered when compression or other small alteration is applied to the marked image


You just read the first two sentences and that's it? Did you even see the abstract?




> We then propose a novel robust lossless data hiding technique, which does not generate salt-pepper noise. This technique has been successfully applied to many commonly used images


Any MSc student can apply a way to successfully hide/embed a watermark in an image, they even teach it in unis: http://www.csee.wvu.edu/~xinl/course...ata_hiding.ppt

Another interesting read for you, encrypted text messages in color images: http://www.ijcaonline.org/volume4/nu...pxc3871071.pdf

----------


## Sendatsu

Ehem.




> *Bruce Davis* (https://en.wikipedia.org/wiki/Bruce_...me_industry%29) is an American businessman, currently CEO and chairman of *Digimarc*. Formerly the head of both Imagic and *Activision*, he is known for his role in the development of the video game industry.





> *Digimarc* (https://en.wikipedia.org/wiki/Digimarc) is a *digital watermarking technology provider* enabling the invisible embedding of information into many forms of content, including printed material, audio, video, *imagery*, and certain objects. Digimarc technology provides solutions for media identification and management, *counterfeit and piracy deterrence*, and digital commerce.


Convenient.

----------


## Sendatsu

Ok, are you ready?

*US7653210: The general "seek and id" system patent: http://www.google.co.uk/patents/US7653210*

*US8045748: The watermarking patent: http://www.google.co.uk/patents/US8045748*

*US8027508: Another one of the watermarking patents: http://www.google.co.uk/patents/US8027508*

*US6104812: An old patent that looks like the predecessor of the one WoW is using: http://www.google.co.uk/patents/US6104812*

*US7502759: Same concept as above: http://www.google.co.uk/patents/US7502759*

----------


## l0l1dk

I wrote a tool that will disable the watermarking by patching WoW. It's posted here (Screenshot Watermark Disabler) in the bots and programs section.

----------


## Sendatsu

> I wrote a tool that will disable the watermarking by patching WoW. It's posted here (Screenshot Watermark Disabler) in the bots and programs section.


Thank you l0l1dk, I'll have a look at the C++ code now but did you ever figure out what's in the watermark?

----------


## l0l1dk

> Thank you l0l1dk, I'll have a look at the C++ code now but did you ever figure out what's in the watermark?


I never really looked at what all's in it. _Mike said that it contains your account name and a timestamp.

----------


## Sendatsu

> I never really looked at what all's in it. _Mike said that it contains your account name and a timestamp.


What are the chances of your PatchBytes[] corrupting the WoW client?  :Smile:

----------


## l0l1dk

> What are the chances of your PatchBytes[] corrupting the WoW client?


The program checks that the bytes at the address are valid (either the patched bytes or the original bytes) before patching, so unless I did something wrong, it shouldn't ever happen.

----------


## Winsane

This is now getting very interesting, how hard would it be to figure out a way to decrypt the watermarks?

----------


## Sendatsu

> This is now getting very interesting, how hard would it be to figure out a way to decrypt the watermarks?


_Mike has already mentioned a few tips in http://www.ownedcore.com/forums/worl...ml#post2489487 :




> Source: osX build 15662
> 58D9F0 is the address of the same function in the current live windows 32 bit exe.
> 58DA60 is the function which takes the actual screenshot, and BB6990 is where the watermark data is encoded.


If someone is an expert in Assembly, they can peek into the memory and see what's in *s_pWatermarkData*.

----------


## Saronite

Sendatsu, I'm gonna have to come out of my lurkerhole and give it to you: for me this is the single best speculating topic ever made.
Opening of yoggybox comes close, but we all knew it wasn't able to open, but the read was fun.
I really like how you have put your teeth into this, neglecting all negativity about it, and continue your voyage into solving this.
After reading your topic I have to admit, there really is something about those "barcodes" and it really got me started thinking about what use it has for Blizzard.
It should already be clear that it's not for detecting bots or whatever because they have other resources for that, but what is it?
That one enlarged picture clearly shows a pattern that could be decoded somehow by Blizzard.
I don't see a single reason to put something like that right in front of our eyes, invisible but it's there for Blizzard to use, but what for?
I give you rep for this and I am already excited about what tomorrow will bring to this topic.

----------


## reQuorter

This is totally insane. We should hire/donate to some great programmers or someone to reverse engineer this thingy.

----------


## Sendatsu

> Considering Bruce Davis stopped working at Activision in 1991... THIS MUST MEAN HE HAS A TIME MACHINE! TO PREDICT WOW and thus slip in sleeper agents into Blizzard.
> 
> Nice try to mislead but... No Dice.


You are the one trying to mislead I'm afraid...

The "convenient" comment meant that there is a *direct connection* between Activision Blizzard and Digimarc, a company which *specializes in watermarking*. They could have used a different company, but Digimarc's patents seem *quite appropriate* for what Blizzard is trying to accomplish.

----------


## Sendatsu

Until we hear from an Assembly programmer, I am trying to reverse engineer this pattern visually.

Reference: https://i.imgur.com/I4hnr.jpg

_Red: static, Blue: dynamic_

It has become obvious to me that the dynamic parts indeed contain a timestamp of hours and minutes (HH:MM), *but not seconds*.

If you capture two screenshots within the same minute you will see that they have *exactly the same patterns*.

If you capture them after the minute changes, the entire dynamic part is different, which means that the blue part I've marked in the image contains HH:MM.

Please note, this is based on the server clock! Not your local clock/time.

Now... let's work on the red part  :Smile:

----------


## l0l1dk

> Oh and btw heres a screenshot with the watermarking removal tool
> 
> http://s15.postimage.org/akeszx94r/W...912_230610.jpg
> 
> Still there... Damn they must have MULTIPLE secret watermarks.
> 
> Also maybe you guys should actually test what you use to back up your wild claims.


You either didn't use it or you used it incorrectly. Here's part of a screenshot of before using it (see it?) and after using it (and it's gone). It works.

----------


## Sendatsu

> You either didn't use it or you used it incorrectly. Here's part of a screenshot of before using it (see it?) and after using it (and it's gone). It works.


l0l1dk that's a really interesting screenshot: https://i.imgur.com/v3vv0.jpg

I thought that this pattern was the old pattern used before Patch 4.2, but apparently you still have it.

What's your screen resolution?

----------


## l0l1dk

> l0l1dk that's a really interesting screenshot: https://i.imgur.com/v3vv0.jpg
> 
> I thought that this pattern was the old pattern used before Patch 4.2, but apparently you still have it.
> 
> What's your screen resolution?


It's 1920 by 1080. I took that screenshot right before posting. That's a small piece of the full screenshot though. I also increased the contrast on it with Photoshop.

----------


## Sendatsu

Agh then I made a mistake. There is only one pattern, nothing changed last year. I'll correct my posts. Thank you.

----------


## Sendatsu

> After going over all the info a few times I have come up with a couple of basic conclusions: the first being that there are a few people in this thread running around like chickens with their heads cut off yelling the sky is falling; secondly, that no one actually knows the purpose of these watermarks other than there might be watermarks; thirdly, that there is no way Blizzard is using watermarks to track people who glitch as a fail-safe, because they're too ****ing easy to get around and the solution just does not make sense. I mean they could ALT print screen or use FRAPS or use all manner of workarounds. And if changing your screenshot resolution changes whether the alleged watermarks show up, then that is not the actual watermark.
> 
> Simple solution: don't go looking for zebras when you hear hoof beats. If you're paranoid about Blizzard hunting you down and setting you on fire then watching you burn, you should probably not take screenshots of yourself pissing in Blizzard's coffee, so to speak, or just go with a UI-hidden video. For the rest of us, I would not recommend downloading any "Magic fixes" from anyone on these forums. I mean this is a website where, no offense but total offense, you can buy stolen WoW accounts, people look for the shortest route to easy street and so on. So I will leave you with this: when in company with snakes make boots, and if you don't know how, try not to get bitten.


Thank you for sharing your thoughts.

I do not know if Blizzard is using any other methods of watermarking; I just know what I see. What I see is a white image with a hidden repeating (watermark) pattern which changes based on the minute the realm's clock is set at. A repeating pattern which stays the same if you printscreen within the same minute, even if you move your camera and take different shots. A repeating pattern which is aimlessly repeating itself, not to save us disk space by compressing the image, but in order to be able to prevail among our graphics and have at least one full piece of it survive even if we modify the image.

If you want the *why*'s and the *when*'s, ask Blizzard why they did it and when they started doing it; I'm not their lawyer nor their business/technical consultant.

If you want the *how*'s, take a look at the Assembly code post in the previous pages (http://www.ownedcore.com/forums/worl...#post2489452):




> *ScrnScreenshot*(s_captureScreen, *s_pWatermarkData*, s_uWatermarkDataBytes, s_screenshotFolder, s_screenshotNameOverride, s_depthNameOverride)


This function *saves* your screenshot. This function also puts a *watermark* on top of your screenshot.

This thread post has nothing to do with aliens, government conspiracies or murlocs. It's about the *fact* that Blizzard has been using watermarking technologies to tag the screenshots we create, using their in-game mechanism, with our information -- because they can.

----------


## Sendatsu

> yes but you cannot prove the artifacts that you see are indeed the water mark as of this point


Please stop calling them artifacts, as if these *very specific repeating patterns* "happened" to occur "randomly". It is a watermark; *it is the very definition of a watermark.*

I am trying to reverse engineer it from the outside using trial and error at the moment. The dynamic part seems to be affected by the hour:minute combination so it looks like a date/timestamp or something that is affected by the current minute. I do not yet know for sure exactly what is contained in the static part. Feel free to experiment and help out.

----------


## _Mike

> I am trying to reverse engineer it from the outside using trial and error at the moment. The dynamic part seems to be affected by the hour:minute combination so it looks like a date/timestamp or something that is affected by the current minute. I do not yet know for sure exactly what is contained in the static part. Feel free to experiment and help out.


Use cheat engine (or any other memory viewer) and look at "wow.exe+DC9240" (windows 32 bit client). The data is 88 bytes long and the first 64 are reserved for account name. (wow account, not battle.net account). Then there's a 4 byte timestamp (server time, 1 minute precision) and 20 bytes of something else.

----------


## _Mike

I made a quick cheat engine script to get "clean" screenshots of the watermarks. It clears the framebuffer just before the watermark is added so only the watermark itself is saved. It also forces watermarks to be added to lossless tga images. I didn't bother checking if the addresses are watched by warden (unlikely, but not impossible) so use at your own risk or use a trial account.

How to use:
In cheat engine click "Memory View"
From the Tools menu select Auto Assemble
Paste the script
Press execute
take a screenshot in wow

Remember to set the screenshot format to TGA. Paste
/console screenshotFormat tga
in the chat.



```
alloc(newmem,2048)
alloc(memset, 100)
label(returnhere)
label(originalcode)
label(exit)

memset:
push edi
push ecx
push eax
pushfd
cld
mov edi, eax // pixel buffer
imul ecx, edx // ecx = height, edx = width
mov eax, FF0000FF // light blue color, full alpha
rep stosd
popfd
pop eax
pop ecx
pop edi
ret

newmem:
call memset

originalcode:
call wow.exe+7B6780

exit:
jmp returnhere

wow.exe+18DCD2:
jmp newmem
returnhere:

wow.exe+18DCAC: // TGA patch
nop
nop

wow.exe+18DCB5: // jpeg quality patch
nop
nop
```

Example image https://dl.dropbox.com/u/12654979/Wo...012_114416.tga
The fact that all 11 rectangles are pixel-perfect identical, and the tga format itself, should prove that it's not compression artifacts.

The data encoding seems to be in column-major order with 4x5 pixel "bits". A dark bit is 0 and light is 1. There also seems to be some kind of CRC/ECC.

----------


## eldavo1

Yep, get the artifacts when I take a screenshot as well.

----------


## allesist

Thank you _Mike for your research!

I made a small program which is able to differentiate between the dark and the light pixels. All pixels with a blue level higher than 240 (RGB) will be treated as 0. The remaining pixels will be treated as 1. This seems to be the most accurate value to differentiate them. Here is your picture converted: http://img89.imageshack.us/img89/883/outputk.png (use Photoshop or GIMP in zoom view - not IrfanView).

Now I will try to translate the binary result into printable text. Let's see if it works.

----------


## Ziggeh

I have little doubt that it's an actual watermark. However, if the only name it reveals is the account name (which can be linked to you only by Blizzard, and I really doubt they'd put character names or account email into the watermark), I wouldn't be too fussed about it. It is very unlikely that Blizzard has a squad of cyberspies who stalk forums like this one.










Or do they?
*CUE DRAMATIC MUSIC*

----------


## _Mike

> Thank you _Mike for your research!
> 
> I made a small program which is able to differentiate between the dark and the light pixels. All pixels with a blue level higher than 240 (RGB) will be treated as 0. The remaining pixels will be treated as 1. This seems to be the most accurate value to differentiate them. Here is your picture converted: http://img89.imageshack.us/img89/883/outputk.png (use Photoshop or GIMP in zoom view - not IrfanView).
> 
> Now I will try to translate the binary result into printable text. Let's see if it works.


Nice filtering. A bit easier to see than the blue on blue  :Smile:  It's not per-pixel though. Each bit is 4x5 pixels, and column-major ordering starting at top left. That image starts with 1000...




> I have little doubt that it's an actual watermark. However, if the only name it reveals is the account name (which can be linked to you only by Blizzard, and I really doubt they'd put character names or account email into the watermark), I wouldn't be too fussed about it. It is very unlikely that Blizzard has a squad of cyberspies who stalk forums like this one.
> 
> 
> 
> 
> Or do they?
> *CUE DRAMATIC MUSIC*


Yes the account name is the only personal data in there. And yes it seems strange that they'd try to track players this way. It might possibly be used to track internal leaks of screenshots of unreleased content. But even that is a bit far fetched.

Btw, bonus +rep to whomever first posts my account name  :Smile:  I've verified that it's in there.

----------


## eldavo1

> Btw, bonus +rep to whomever first posts my account name  I've verified that it's in there.


First two letters? Working on something...

----------


## Desconocido

Account name, realm, time and IP stored in digital watermark. When did Blizzard add that stamp to screenshots?

----------


## Desconocido

> Btw, bonus +rep to whomever first posts my account name  I've verified that it's in there.


Been working on that, waiting while IDA is burning my laptop :P

----------


## Sendatsu

> Account name, realm, time and IP stored in digital watermark. When did Blizzard add that stamp to screenshots?


Around 2010 based on my screenshots, but I could be wrong because I just messed with the sharpening trick, not actual coding.

I am now trying to find your username Mike, let's see who gets it first :P

----------


## _Mike

> First two letters? Working on something...


10???????#? it's a trial account so no "real" (alphabetic) name.
It's standard 8-bit ASCII encoding with a tiny twist.

----------
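
Added example, not code from any poster in this thread: a Python sketch of the read-out described above (4x5-pixel cells, column-major from the top left, light = 1), with a majority vote inside each cell and across repeated copies of the tile. The least-significant-bit-first packing is an assumption of this example (it is what makes an ASCII "1" start with the 1000... quoted above); the grey levels, threshold, function names and sample data are constructed, and the checksum/ECC is not modelled.

```python
CELL_W, CELL_H = 4, 5      # from the thread: each bit is a 4x5 pixel cell
DARK, LIGHT = 40, 220      # constructed grey levels for the sample tiles
THRESHOLD = 128            # assumption: cut-off between dark and light


def cell_bit(pixels, col, row):
    """Majority vote over the 20 pixels of one cell: light = 1, dark = 0."""
    light = sum(
        pixels[y][x] >= THRESHOLD
        for y in range(row * CELL_H, (row + 1) * CELL_H)
        for x in range(col * CELL_W, (col + 1) * CELL_W)
    )
    return 1 if 2 * light > CELL_W * CELL_H else 0


def read_bits(pixels):
    """Read cells in column-major order, starting at the top-left cell."""
    rows, cols = len(pixels) // CELL_H, len(pixels[0]) // CELL_W
    return [cell_bit(pixels, c, r) for c in range(cols) for r in range(rows)]


def bits_to_bytes(bits):
    """Pack 8 bits per byte; the first bit read is the least significant."""
    usable = len(bits) - len(bits) % 8
    return bytes(
        sum(bit << k for k, bit in enumerate(bits[i:i + 8]))
        for i in range(0, usable, 8)
    )


def vote(copies):
    """Majority vote per bit position across repeated copies of the tile."""
    return [1 if 2 * sum(column) > len(column) else 0 for column in zip(*copies)]


def render_tile(data, rows):
    """Constructed input: draw `data` as a tile, `rows` cells per column."""
    bits = [(byte >> k) & 1 for byte in data for k in range(8)]
    cols = -(-len(bits) // rows)                 # ceiling division
    bits += [0] * (cols * rows - len(bits))      # pad the last column
    pixels = [[DARK] * (cols * CELL_W) for _ in range(rows * CELL_H)]
    for i, bit in enumerate(bits):
        col, row = divmod(i, rows)               # column-major placement
        if bit:
            for y in range(row * CELL_H, (row + 1) * CELL_H):
                pixels[y][col * CELL_W:(col + 1) * CELL_W] = [LIGHT] * CELL_W
    return pixels


def speckle(pixels):
    """Invert one pixel in four, a stand-in for lossy-compression damage."""
    return [
        [LIGHT + DARK - v if (x + y) % 4 == 0 else v for x, v in enumerate(row)]
        for y, row in enumerate(pixels)
    ]


def overlay(pixels, first_col, last_col):
    """Paint cell columns light, as if game UI were drawn over the tile."""
    covered = [row[:] for row in pixels]
    width = (last_col + 1 - first_col) * CELL_W
    for row in covered:
        row[first_col * CELL_W:(last_col + 1) * CELL_W] = [LIGHT] * width
    return covered


def demo():
    """Decode three constructed copies of one tile; return both results."""
    secret = b"TESTACCT#1"                       # constructed, not a real name
    clean = render_tile(secret, rows=16)
    copies = [speckle(clean), overlay(clean, 0, 1), speckle(clean)]
    decoded = [read_bits(tile) for tile in copies]
    damaged_only = bits_to_bytes(decoded[1])     # the covered copy on its own
    recovered = bits_to_bytes(vote(decoded))     # all three copies combined
    return damaged_only, recovered


if __name__ == "__main__":
    print(demo())
```

The covered copy alone loses its first four bytes, while the vote across copies returns the full string, which is why cropping or painting over part of a screenshot does not remove a repeated pattern.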


## allesist

Here is a pattern image: http://img521.imageshack.us/img521/7825/output2.png
It fits for the upper part of the watermark but not for the lower part. You can check this by overlapping both images (the example image of mike and this image) in gimp. Now add some transparency to the pattern image. I will try to decode it somehow  :Big Grin: .

----------


## Iaccidentallytwink

Don't know yet if this is tinfoil hat stuff for sure, but it looks like there might be some truth to this.

Good thing I never upload my screenshots. I just PrnScn and then paste it.

----------


## Ziggeh

> 10???????#? it's a trial account so no "real" (alphabetic) name.


Just on a side note, only pre-Battle.net accounts have alphabetic names. Since then it's just numbers.

----------


## Etherea

Couple of things...

First off I would like to apologize for being such an A-hole in my previous posts in this thread.

After re-reading the posts and _Mike's detailed analysis I believe there is an 88 byte watermark including your account name/numbers.

It is very sneaky of Blizzard to only add the watermark to JPEG screenshots that don't use the highest quality compression. This was probably done intentionally to make the watermark harder to discover and decipher. I'm sure the vast majority of users use default format and compression which includes the watermark.

While I believe my assertion that you could not encode a high detail QR code into a lossy JPEG image is correct, it's certainly possible to encode a smaller chunk of data. A QR code can hold up to 3000 bytes whereas this watermark contains only 88 bytes.

In short all of _Mike's analysis satisfies all the irregularities, such as confirming no watermark in lossless or quality 10, etc. This seemed so strange that without the detailed explanation and reversing of WoW process I would not believe it.

I would also further venture that the watermark may be decoded / partially decoded even in resized/resaved images of reasonable quality. Given that each bit is 4x5 square and the pattern repeats.

It would be awesome if someone could write a one-click program for decoding account names from screenshots, and I wonder how difficult it would be programmatically to detect the watermark in a typical screenshot.

----------


## KuRIoS

I gave a couple of infractions in this thread... Some people are soon banned from OC if they continue to troll and act like morons.

----------


## stoneharry

Moved to WoW General as this is not an exploit.

This is a very interesting thread. Thanks for the information. It makes you think.

----------


## Master674

```
int __cdecl ClientServices::GetClientStamp()
{
  void *v0;
  const char *v1;
  int v2;
  int result;
  char v4; // [sp+14h] [bp-24h]@4
  char v5; // [sp+15h] [bp-23h]@8
  char v6; // [sp+16h] [bp-22h]@8
  char v7; // [sp+17h] [bp-21h]@8
  int v8; // [sp+18h] [bp-20h]@8
  int v9; // [sp+1Ch] [bp-1Ch]@8
  int v10; // [sp+20h] [bp-18h]@8
  int v11; // [sp+24h] [bp-14h]@8
  int v12; // [sp+28h] [bp-10h]@8
  int v13; // [sp+2Ch] [bp-Ch]@1

  v0 = __stack_chk_guard_ptr;
  v13 = *(_DWORD *)__stack_chk_guard_ptr;
  v1 = 0;
  if ( ClientServices::s_accountName )
    v1 = &ClientServices::s_accountName;
  if ( ClientServices::m_selectRealmInfoValid )
  {
    WowTime::WowEncodeTime(&v4, LODWORD(g_clientGameTime_ptr));
    memset(ClientServices::m_ClientStamp, 0, 0x58u);
    if ( v1 )
    {
      strcpy(ClientServices::m_ClientStamp, v1);
      byte_177FAA0 = v4;
      byte_177FAA1 = v5;
      byte_177FAA2 = v6;
      byte_177FAA3 = v7;
      v8 = dword_177FA08;
      v9 = dword_177FA0C;
      v10 = dword_177FA10;
      v11 = dword_177FA14;
      v12 = dword_177FA18;
      SockAddr::Normalize(&v8);
      dword_177FAA4 = v8;
      dword_177FAA8 = v9;
      dword_177FAAC = v10;
      dword_177FAB0 = v11;
      byte_177FAB4 = 0;
      byte_177FAB5 = -1;
      byte_177FAB6 = 63;
      byte_177FAB7 = 15;
      if ( v12 == 3 && v8 )
        SMemFree(v8);
      v8 = 0;
      v9 = 0;
      v10 = 0;
      v11 = 0;
      v12 = 0;
    }
  }
  else
  {
    WowTime::WowEncodeTime(&v4, LODWORD(g_clientGameTime_ptr));
    memset(ClientServices::m_ClientStamp, 0, 0x58u);
  }
  result = (int)ClientServices::m_ClientStamp;
  if ( *(_DWORD *)v0 != v13 )
    __stack_chk_fail(v2, *(_DWORD *)v0 ^ v13);
  return result;
}
```

----------


## schlumpf

> ```
> int __cdecl ClientServices::GetClientStamp()
> ....
> ```


Rather:



```
ClientStamp* ClientServices::GetClientStamp()
{
  memset(&m_ClientStamp, 0, sizeof(ClientStamp));

  if ( m_selectRealmInfoValid && s_accountName[0] )
  {
    strcpy(m_ClientStamp.accountName, s_accountName);

    WowTime::WowEncodeTime(&m_ClientStamp.gameTime, g_clientGameTime);

    m_ClientStamp.current_realm = m_CurrentRealmAddr;
    m_ClientStamp.current_realm.Normalize();
    m_ClientStamp.current_realm.addr = 0xF3FFF00u;
  }

  return &ClientServices::m_ClientStamp;
}
```

----------
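
Added example, not code from the thread or from the client: a Python parser for the 88-byte stamp, using _Mike's 64 + 4 + 20 split and the stores visible in the two listings above. The field and function names are this example's own, the time and address bytes are left raw because their encoding is not shown on this page, and the sample values are constructed.

```python
import struct
from typing import NamedTuple, Optional

STAMP_SIZE = 0x58                        # memset(m_ClientStamp, 0, 0x58u)
LAYOUT = struct.Struct("<64s4s16sI")     # name | time | address | constant
CONSTANT = 0x0F3FFF00                    # the 0xF3FFF00u in the second listing


class ClientStamp(NamedTuple):
    account_name: str      # NUL-terminated string copied with strcpy
    encoded_time: bytes    # 4 bytes written by WowEncodeTime, kept raw
    realm_address: bytes   # 16 bytes stored after SockAddr::Normalize, kept raw
    constant_ok: bool      # True when the last dword equals CONSTANT


def parse_stamp(buf: bytes) -> Optional[ClientStamp]:
    """Split an 88-byte stamp; return None for the all-zero (empty) stamp."""
    if len(buf) != STAMP_SIZE:
        raise ValueError(f"expected {STAMP_SIZE} bytes, got {len(buf)}")
    if not any(buf):
        # Both listings leave the buffer zeroed when the realm info is not
        # valid or there is no account name.
        return None
    name, time_raw, address, constant = LAYOUT.unpack(buf)
    end = name.find(b"\x00")
    if end <= 0:
        raise ValueError("account name field is empty or not NUL-terminated")
    return ClientStamp(
        account_name=name[:end].decode("ascii", "replace"),
        encoded_time=time_raw,
        realm_address=address,
        constant_ok=(constant == CONSTANT),
    )


def build_stamp(account_name: str, encoded_time: bytes,
                realm_address: bytes) -> bytes:
    """Constructed test input laid out the way the second listing fills it."""
    name = account_name.encode("ascii")
    if not 0 < len(name) < 64:
        raise ValueError("account name must fit the 64-byte field with a NUL")
    if len(encoded_time) != 4 or len(realm_address) != 16:
        raise ValueError("time must be 4 bytes and address 16 bytes")
    return LAYOUT.pack(name, encoded_time, realm_address, CONSTANT)


if __name__ == "__main__":
    sample = build_stamp("TESTACCT#1", b"\x01\x02\x03\x04", bytes(range(16)))
    print(parse_stamp(sample))
    print(parse_stamp(bytes(STAMP_SIZE)))
```

The four byte stores 0, -1, 63, 15 in the first listing and the single 0xF3FFF00 in the second are the same little-endian dword, which is what `constant_ok` checks.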


## _Mike

> Just on a side note, only pre-Battle.net accounts have alphabetic names. Since then it's just numbers.


I see, thanks. Thought only trial accounts were like that.




> Couple of things...
> 
> First off I would like to apologize for being such an A-hole in my previous posts in this thread.
> 
> After re-reading the posts and _Mike's detailed analysis I believe there is an 88 byte watermark including your account name/numbers.
> 
> It is very sneaky of Blizzard to only add the watermark to JPEG screenshots that don't use the highest quality compression. This was probably done intentionally to make the watermark harder to discover and decipher. I'm sure the vast majority of users use default format and compression which includes the watermark.
> 
> While I believe my assertion that you could not encode a high detail QR code into a lossy JPEG image is correct, it's certainly possible to encode a smaller chunk of data. A QR code can hold up to 3000 bytes whereas this watermark contains only 88 bytes.
> ...


Technically the full watermark is 5808 bytes*, but because of the added checksum (or perhaps some kind of ECC) and the huge amount of repetitions the effective payload is only 88 bytes. A QR code has the advantage of being a single color pattern on a clear background. This is designed to both be stealthy and, as you mentioned, survive resizing and resaving. It is also quite possible that the payload is so small because they simply felt that they didn't need any more data.
As for how hard it would be to extract the watermark from a real screenshot with the world and UI being rendered, I can't say. I'm no imaging expert. I have no idea (yet) how to do it though.

*) At the resolution I used at least. I haven't tested but I believe from looking at the code that the position and size (and therefore recovery accuracy) is resolution dependent.

----------


## stoneharry

I've cleaned up the thread as best as I can. Please use the report function (found on the bottom left of a post next to +Rep) when you find a post not being constructive (also known as flaming/trolling).

----------


## MoD

@ Sendatsu: Great find, glad you kept researching despite the useless trolls that tried to pull you down.
+Rep if you care.

@ Schlumpf: Welcome back ! Very glad to see you around, damn spoon. We have to talk about something  :Big Grin: 

You know where to find me!

----------


## Jaerin

You know it wouldn't surprise me if they encoded in game location data in the screenshots as well so when someone reports a bug with a screenshot they know where it took place.

Hell your phone tags your photos with all kinds of meta data, wouldn't surprise me if this was in there.

----------


## schlumpf

> You know it wouldn't surprise me if they encoded in game location data in the screenshots as well so when someone reports a bug with a screenshot they know where it took place.
> 
> Hell your phone tags your photos with all kinds of meta data, wouldn't surprise me if this was in there.


In my post you can see exactly what the clientStamp contains.

----------


## maslt

I have no idea how I could contribute to the thread, but what you guys are doing is insanely interesting if nothing else. Keep up the good work!

----------


## Sendatsu

UPDATED#2:

*Found it!*

I'm attaching the latest version of the code which extracts the bits from the pattern image.

You will also need the pattern itself. I have isolated it in an uncompressed PNG, based on a clean screenshot from _Mike which was further enhanced by allesist, and I uploaded it here: https://i.imgur.com/dYQAd.png

Java code follows:



```
/*
    Written by Sendatsu (12/09/2012) v1.2
    http://www.ownedcore.com/forums/world-of-warcraft/
    world-of-warcraft-general/375573-looking-inside-your-screenshots.html
*/

import java.awt.image.BufferedImage;
import java.io.*;
import javax.imageio.*;

public class Readwatermark 
{
    static final int pWidth=356; // Pattern width
    static final int pHeight=240; // Pattern height
    
    static final int pxWidth=4; // Pixels width
    static final int pxHeight=5; // Pixels height    

    static final int bWidth=89; // Bits table width
    static final int bHeight=48; // Bits table height

    static final int Black=0xFF000000; // Black = 1 (yes, 1)
    static final int White=0xFFFFFFFF; // White = 0 (yes, 0)
    
    static final String filenameSrc = "pattern.png"; // Stores the filename
    
    
    public static byte[][] getPatternBits(BufferedImage image)
    {
        byte barcode[][] = new byte[bWidth][bHeight]; // Stores the bits

            for (int y=0, i=0; y<pWidth; y+=pxWidth, i++)
                for (int x=0, j=0; x<pHeight; x+=pxHeight, j++)
                    if (image.getRGB(y+1,x)==Black)
                    // We check y+1 to target correctly (see pattern)
                            barcode[i][j]=1; // Got black (1)
                    else
                            barcode[i][j]=0; // Got white (0)
        return barcode;		
    }
    
    
    public static BufferedImage readImage(File file)
    {
        try
        {
            return (ImageIO.read(file));
        }
        catch (IOException e) 
        {
            return (null);
        }   		
    }
    
    
    public static void main(String[] args)
    {
        byte barcode[][]; // Stores the bits

        File fileSrc = new File(filenameSrc); // Create file reference

        BufferedImage imageSrc=readImage(fileSrc); // Read file

        if (imageSrc==null)
            System.exit(1); // No file found
        
        barcode=getPatternBits(imageSrc); // Get bits
        
        for (int i=0; i<bWidth; i++) // Print the pattern
            for (int j=7; j<bHeight; j+=8) // 8 bits in a Byte
                for (int k=j; k>=j-7; k--)
                    System.out.print(barcode[i][k]);
    }
}
```

Notes:
a) the bits are 4x5: *1 is black and 0 is a white "space invader"* that looks like this: https://i.imgur.com/o8Kcx.png
b) the bits are stored top to bottom but *you have to reverse them per 8s* before you turn them into a byte (already in the code)

Feel free to use & extend and remember to reference source  :Wink: 



For those of you without a Java compiler, the output is this:



```
00110001001100000011011100110110001101000011001000110001001101100011100100100011001100011100100100110101010011010111111011101101100110111010010110010110111001011001011110110100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001110110001001010001011011111111000110101001100101011001100101101000110001101101101101101100100000111001010000010000011001100001100001100111100101110010100000000000000000000000000000000000000000110101110010100011100111001101000011011100010110010100111010011100011011011011110000110000000000000000000000000000000000000000000000000000000000000000011111111001111110000111100000000111111111100101011111110001111001100011110101100110001111001110111101111011101100011000100110000001101110011011000110100001100100011000100110110001110010010001100110001110010010011010101001101011111101110110110011011101001011001011011100101100101111011010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011101100010010100010110111111110001101010011001010110011001011010001100011011011011011011001000001110010100000100000110011000011000011001111001011100101000000000000000000000000000000000000000001101011100101000111001110011010000110111000101100101001110100111000110110110111100001100000000000000000000000000000000000000000000000000000000000000000111111110011111100001111000000001111111111001010111111100011110011000111101011001100011110011101111011110111011000110001001100000011011100110110001101000011001000110001001101100011100100100011001100011100100100110101010011010111111011101101100110111010010110010110111001011001011110110100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001110110001001010001011011111111000110101001100101011001100101101000110001101101101101101100100000111001010000010000011001100001100001100111100101110010100000000000000000000000000000000000000000110101110010100011100111001101000011011
10001011001010011101001110001101101101111000011000000000000000000000000000000000000000000000000000000000000000001111111100111111000011110000000011111111110010101111111000111100110001111010110011000111100111011110111101110110
```

And once again, I can't thank you all enough for your help and support with this; especially you _Mike  :Smile:

----------
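The next step after the Java program above, as an added Python example (not code from the thread): it packs the printed bit string into bytes, finds the repeat period of the tile and lists printable ASCII runs, which is where a plaintext field such as the account name shows up. The repeat-period check, the function names and the sample record (`EXAMPLE#1`, 64 bytes) are assumptions constructed for illustration.

```python
"""Pack the decoder's bit string into bytes and locate the repeating record.

Added illustration. The sample data is constructed, not taken from a screenshot.
"""
import re

COLUMNS = 89          # bWidth in the Java decoder
BITS_PER_COLUMN = 48  # bHeight in the Java decoder (6 bytes per column)


def _clean(bits: str) -> str:
    """Drop whitespace (pasted dumps are line-wrapped) and validate the rest."""
    bits = "".join(bits.split())
    if set(bits) - {"0", "1"}:
        raise ValueError("bit string may contain only 0, 1 and whitespace")
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bits


def printed_bits_to_bytes(bits: str) -> bytes:
    """Bits as printed by the Java program: each group of 8 is already reversed."""
    bits = _clean(bits)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def raw_bits_to_bytes(bits: str) -> bytes:
    """Bits in image order (top to bottom): reverse each group of 8 first (note b)."""
    bits = _clean(bits)
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))


def repeat_period(data: bytes) -> int:
    """Smallest p with data[i] == data[i - p] for all i >= p, covering two periods.

    Returns len(data) when no repetition is observed.
    """
    for p in range(1, len(data) // 2 + 1):
        if data[p:] == data[:-p]:
            return p
    return len(data)


def printable_runs(data: bytes, min_len: int = 4):
    """(offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


def analyze(printed_bits: str) -> dict:
    """Summarise one decoded tile: size, repeat period, text fields, record hex."""
    data = printed_bits_to_bytes(printed_bits)
    period = repeat_period(data)
    record = data[:period]
    return {
        "bytes": len(data),
        "period": period,
        "strings": printable_runs(record),
        "record_hex": record.rstrip(b"\0").hex(),
    }


def constructed_sample() -> str:
    """Constructed tile: a made-up 64-byte record repeated to fill 89 x 6 bytes."""
    record = b"EXAMPLE#1" + bytes([0x01, 0x02, 0x83, 0x94]) + bytes(51)
    size = COLUMNS * BITS_PER_COLUMN // 8
    tile = (record * (size // len(record) + 1))[:size]
    bits = "".join(f"{b:08b}" for b in tile)
    half = len(bits) // 2
    return bits[:half] + "\n" + bits[half:]  # wrapped, like a pasted dump


if __name__ == "__main__":
    for key, value in analyze(constructed_sample()).items():
        print(f"{key}: {value}")
```

Running the same functions on the output of your own screenshot shows which bytes are readable text before you share the image.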


## Sendatsu

So, schlumpf and Master674, if I understand correctly: 


_strcpy(m_ClientStamp.accountName, s_accountName)_ ==> they copy our *account name* which is either alphabetic (pre-bnet) or numeric (post-bnet), so we're looking for a string


_WowTime::WowEncodeTime(&m_ClientStamp.gameTime, g_clientGameTime);_ ==> they copy the *current realm time*

_WowTime::WowEncodeTime(&v4, LODWORD(g_clientGameTime_ptr));_ ==> low-order double-word (4 bytes) so the seconds are not included, and we're looking for a number


_m_ClientStamp.current_realm = m_CurrentRealmAddr;_ ==> they copy the *information of the realm*

_m_ClientStamp.current_realm.Normalize();_ ==> and then normalize it somehow

_m_ClientStamp.current_realm.addr = 0xF3FFF00u;_ ==> plus *the IP address of the realm* (right?), *does this mean they use this to track private servers?* o.o


_return &ClientServices::m_ClientStamp;_ ==> do they record anything else apart from the above?


Thanks for the listings!


PS: Any lawyer here able to tell us if it's even legal to add a secret watermark with account info in the screenshots, *without mentioning it in the ToS*, and then using it to track the actions of the users and *identify the private servers* they may use?

PS2: I know the ToS mentions that they can communicate our info back to Blizzard, but the user assumes they will use *a safe channel* via battle.net, not our screenshots that we share with the world, unaware of their secret contents.

PS3: I know that private servers are illegal to run, but it is probably also illegal to track them down using *ambiguous methods* such as this. It's like bugging everyone's phone in advance just in case they ever think of trying something against the law. Oh, wait.

----------


## Etherea

Some interesting information here.. seems this is not an uncommon practice in digital media to protect copyright.
Digital watermarking - Wikipedia, the free encyclopedia

However, this tag identifies you and not its owner (and can be used maliciously against you if decrypted - esp. by 3rd parties...)
GG Blizzard for violating our privacy once again! ... >.<

FTA:
"Like traditional watermarks, digital watermarks are only perceptible under certain conditions, i.e. after using some algorithm, and imperceptible anytime else."

"A digital watermark is called _robust_ with respect to transformations if the embedded information may be detected reliably from the marked signal, even if degraded by any number of transformations. Typical image degradations are JPEG compression, ..."

"A digital watermark is called _perceptible_ if its presence in the marked signal is noticeable."


The watermark is clearly robust since it withstands JPEG compression. Given that the watermark is perceptible under the right conditions, it should be possible to filter out the watermark in "normal" screenshots. Granted it's no simple task, but all the information is out there...

----------


## LuckLuka

Hey guys!

Internal MoP builds started coming out 4.1ish, we have seen the first instance of these watermarks in 4.2.

These watermarks have been added to track internal leaks so if someone makes a screenshot of an internal mop alpha, they'll know who did it and take charges against him/her. (Everyone who has access to alpha signed an NDA) Enjoy!

----------


## eldavo1

> Hey guys!
> 
> Internal MoP builds started coming out 4.1ish, we have seen the first instance of these watermarks in 4.2.
> 
> These watermarks have been added to track internal leaks so if someone makes a screenshot of an internal mop alpha, they'll know who did it and take charges against him/her. (Everyone who has access to alpha signed an NDA) Enjoy!


Blizzard rep?

First attempt at getting it to work, not so good, I think. Reading each column back to front (As mike said it starts with 1000 (Looking inside your screenshots)).

EXE: http://www.mediafire.com/?ty5xb1p4t22h4cv

NOTE: THIS DOESN'T WORK. LOOK ONWARDS (PAGE 7 OR 16) FOR PROPER EXEs THAT WILL DECODE PERFECT SCREENSHOTS.

Using a stripped image at 1440*730.

Result BINARY:


```
11111111111111111111111111111111111111111111111111111111111111111111111111111111111100000000000000000010001100110001000100110011000100010011000100110001000000000000001000100010000000000001001000010000000100110010000000010000000000000010000000000000001100010000001000000000000100110000111001101110000000001110111001101010001001101000100001101110100001000100001000000000011011100010100001000110110000000110011000100110110001100000100011100110001011000110101011000100101000100000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000000001110011011100000000011101110011010100010011010001000011011101000010001000010000000000110111000101000010001101100000001100110001001101100011000001000111001100010110001101010110001001010001011111110111011111110111111111110111011111110111111111110111011101110111011101111111011111111111011111111111011111110111011111110111111111111111111111111111111111111111111111111111111111111111100001111010111111111000101010111001101011001011011101001000000100100110110101101110011111101111010111110111110101000110111101111111110011000111011001100111010001000110011111000100111101100110111110000111111101110111111101111111111101110111111101111111111101110111011101110111011111110111111111110111111111110111111101110111111101111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000011011101111111011111111111111101110011101111110011111100111011110101010101100111010001110101010001000110010101010110011011101101010101000101011011001101111111001110110011011110111011111111110100001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000000001000100001100010001011001100010100101001110010010011111011000101110010001100001000001100110001111001110001101000100001010111000011100110111100010001111011100111101100100110100110000111111000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000110111001100111011001110111011011110111111001110110111001110110011101110111111101110111111111110111011111110111111111110111111101111111011101111111011111111111011101111111011111111111011101110000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110110101101110011111101111010111110111110101000110111101111111110011000111011001100111010001000110011111000100111101100110111111111101011111111100010101011100110101100101101110100100000010010000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000101101011011100111111011110101111101111101010001101111011111111100110001110110011001110100010001100111110001001111011001101111111111010111111111000101010111001101011001011011101001000000100100101110111101111110011111101110011001110110111011110111011101101110111001101111011001101111111001110110011011110111011111111110111101110111111101111111111111110111001110111111001111110011101111000011111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000101110111101111110011111101110011001110110111011110111011101101110111001101111011001101111111001110110011011110111011111111110111101110111111101111111111111110111001110111111001111110011101111101010000000100001000000100010001110001010001100000000001011111100001100110011100011001111011101111101110101110100110001111111010000100010000110001000101100110001010010100111001001001111101100000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100001010100000001000010000001000100011100010100011000000000010111111000011001100111000110011110111011111011101011101001100011111110100001000100001100010001011001100010100101001110010010011111011001100110111111101110011101111110111001111110111101111110111101100111011011100111111001110111111011100111111001110111111011100110111011100110011101100111011101101111011111100111011011100111011000000011100111011001100111011001100110011111100110111101100110111111111111011111111110011101111110111101100111101110100110001010110011011010110111001111110111101011111011111010100011011110111111111000011001101111111011100111011111101110011111101111011111101111011001110110111001111110011101111110111001111110011101111110111001101110111001100111011001110111011011110111111001110110111001110110011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000110001001111011001101111110001010110011011010101011111111110111101110101111101111101110111010101000110111101001111110001100111010111011110111111001111110111001100111011011101111011101110110110000111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000001000100010101011101110011001101110111001100110111001101110011000100010001010101010101000100010011010100110001001101110101000100100000000000000100000000000000011000100000010000000000001101110000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000000001110011011100000000011101110011010100010011010001000011011101000010001000010000000000110111000101000010001101100000001100110001001101100011000001000111001100010110001101010110001001010001000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111111011101111111111101110111101110110111001110110011011110110111001111110111101111111011111110110011011110111111111101110011101100110011101100110011001111110011011110110011011111110000111111101110111111101111111111101110111111101111111111101110111011101110111011111110111111111110111111111110111111101110111111101111111111111111111111111111111111111111111111111111111111111111000011110111111111110111011111111111011101111011101101110011101100110111101101110011111101111011111110111111101100110111101111111111011100111011001100111011001100110011111100110111101100110111111101110101111101111100110111010100000110101101001111100000100011010111011010111111001111110111001000111011011001101011101110110111
01100010011110110011011111100010101100110110101010111111111101110000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000001110101111101111100110111010100000110101101001111100000100011010111011010111111001111110111001000111011011001101011101110110111011000100111101100110111111000101011001101101010101111111111011100110011001110111011101100110011011110110111001101111111101100110101000100010001100100010001000111010101000110010001000101111111000110011001110101110111101110111111111110111011011100111111101100001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000001100110011101110111011001100110111101101110011011111111011001101010001000100011001000100010001110101010001100100010001011111110001100110011101011101111011101111111111101110110111001111111011010000100010100100001000101101111001110000101011011000001011001110011011111010111000110011111011100111101011110111101010110110011100101110011111100011001111101110011110100011011110101010011011000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000100001000101001000010001011011110011100001010110110000010110011100110111110101110001100111110111001111010111101111010101101100111001011100111111000110011111011100111101000110111101010100110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000101101011011100111111011110101111101111101010001101111011111111100110001110110011001110100010001100111110001001111011001101111111111010111111111000101010111001101011001011011101001
00000010010000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000101110111101111110011111101110011001110110111011110111011101101110111001101111011001101111111001110110011011110111011111111110111101110111111101111111111111110111001110111111001111110011101111000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100001010100000001000010000001000100011100010100011000000000010111111000011001100111000110011110111011111011101011101001100011111110100001000100001100010001011001100010100101001110010010011111011000000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111011111110111011101111111011111110111111111110111111101111111011101111111011111111111000011001101111111011100111011111101110011111101111011111101111011001110110111001111110011101111110111001111110011101111110111001101110111001100111011001110111011011110111111001110110111001110110000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111101110111111101110111011111110111111101111111111101111111011111110111011111110111111111111001100011101100110011101000100011001111
10001001111011001101111111111010111111111000101010111001001001001011011111000000000110101110110101101110011111101111010101110111110111000110011101111111000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100001001100011101100110011101000100011001111100010011110110011011111111110101111111110001010101110010010010010110111110000000001101011101101011011100111111011110101011101111101110001100111011111110101010001010110110011011111110011101100110111101110111111111101011001100111011001110111011101101110011111110110111111100111011110100010001100110010001100100010101010110010001000110011111111100000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000001010100010101101100110111111100111011001101111011101111111111010110011001110110011101110111011011100111111101101111111001110111101000100011001100100011001000101010101100100010001100111111111000001000100010010001000110001000100110011000100000010000100110000000000000001001000100011000100010000001000010000000000110011000100010000000100000010000100010001001000010001001000000001000100100001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000000010001000100100010001100010001001100110001000000100001001100000000000000010010001000110001000100000010000100000000001100110001000100000001000000100001000100010010000100010010000000010001001110010111001111110001100111110111001111010001101111010101001101110101001100111001000110011011011110011101001110110111000110110011100110111111101110011101111110111001111110111101111110111101100000011110111111111110111011111111111011101111011101101110011101100110111101101110011111101111011
11111011111110110011011110111111111101110011101100110011101100110011001111110011011110110011011111110000110010111001111110001100111110111001111010001101111010101001101110101001100111001000110011011011110011101001110110111000110110011100110111111101110011101111110111001111110111101111110111101100111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000001110101111101111100110111010100000110101101001111100000100011010111011010111111001111110111001000111011011001101011101110110111011000100111101100110111111000101011001101101010101111111111011100001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000001100110011101110111011001100110111101101110011011111111011001101010001000100011001000100010001110101010001100100010001011111110001100110011101011101111011101111111111101110110111001111111011000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000100001000101001000010001011011110011100001010110110000010110011100110111110101110001100111110111001111010111101111010101101100111001011100111111000110011111011100111101000110111101010100110110000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111110111111101111111111101111111011111110111011111110111111111111111011101110111011101110111011101111111011111110111011111111111111101111111111101110111111111110111011110111011011100111011001100001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000111101111111011111111111011111110111111101110111111101111111111111110111011101110111011101110111011111110111111101110111111111111111011111111111011101111111111101110111101110110111001110110011111011010110111001111110111101010111011111011100011001110111111111000100111101100110111111000100011001111100010001111110111011110111010111110111110011011101010000011010110100111110000010001101000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100001110110101101110011111101111010101110111110111000110011101111111110001001111011001101111110001000110011111000100011111101110111101110101111101111100110111010100000110101101001111100000100011011010001000110011001000110010001010101011001000100011001111111110001000100010101111101110011101101111111001100111111101111111011000110011001110111011101100110011011110110111001101111111101100110000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000010100010001100110010001100100010101010110010001000110011111111100010001000101011111011100111011011111110011001111111011111110110001100110011101110111011001100110111101101110011011111111011001100100110110001100001100011100110001111000110101111000100101000111000011100111111000010001111011100111101000110111100010000110111010000100010100100001000101101111001110000101011011000001011001100001111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111011111110111011101111111011111110111111111110111111101111111011101111111011111111111000000100110110001100001100011100110001111000110101111000100101000111000011100111111000010001111011100111101000110111100010000110111010000100010100100001000101101111001110000101011011000001011001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100001001100011101100110011101000100011001111100010011110110011011111111110101111111110001010101110010010010010110111110000000001101011101101011011100111111011110101011101111101110001100111011111110000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000001010100010101101100110111111100111011001101111011101111111111010110011001110110011101110111011011100111111101101111111001110111101000100011001100100011001000101010101100100010001100111111111000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000000000000000000100010001000000000001000100000000000100000001000000000000000000010001000100000000000000010000000000000001000100000000000000000000000100000000000000010000000000010000000000000001000011111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110101111111110001010101110011010110010110111010010000001001001101101011011100111111011110101111101111101010001101111011111111100110001110110011001110100010001100111110001001111011001101111100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000111101011111111100010101011100110101100101101110100100000010010011011010110111001111110111101011111011111010100011011110111111111001100011101100110011101000100011001111100010011110110011011111110111011111110111111111111111011100111011111100111111001110111101010101011001110100011101010100010001100101010101100110111011010101010001010110110011011111110011101100110111101110111111111101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001101110111111101111111111111110111001110111111001111110011101111010101010110011101000111010101000100011001010101011001101110110101010100010101101100110111111100111011001101111011101111111111010000100010000110001000101100110001010010100111001001001111101100010111001000110000100000110011000111100111000110
10001000010101110000111001101111000100011110111001111011001001101001100001111110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100010000110001000101100110001010010100111001001001111101100010111001000110000100000110011000111100111000110100010000101011100001110011011110001000111101110011110110010011010011000011111101101110011001110110011101110110111101111110011101101110011101100111011101111111011101111111111101110111111101111111111101111111011111110111011111110111111111110111011111110111111111110111011100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011011100110011101100111011101101111011111100111011011100111011001110111011111110111011111111111011101111111011111111111011111110111111101110111111101111111111101110111111101111111111101110111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111001110110011001110110011001100111111001101111011001101111111111110111111111100111011111101111011001111011101001100010101100110110101101110011111101111010111110111110101000110111101111111110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001110011101100110011101100110011001111110011011110110011011111111111101111111111001110111111011110110011110111010011000101011001101101011011100111111011110101111101111101010001101111011111111101100010011110110011011111100010101100110110101010111111111101111011101011111011111011101110101010001101111010011111100011001110101110111101111110011111101110011001110110111011110111011101101100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000100111101100110111111000101011001101101010101111111111011110111010111110111110111011101010100011011110100111111000110011101011101111011111100111111011100110011101101110111101110111011011
```

Result TEXT (converted same method as http://home.paulschou.net/tools/xlate/, only allowing alphanumerics and #):


```
7B7BwwwwUgGTFUfTVfvwvwUgGTFUfTVfvwvw yWoCnFv yWoCnFvhD lblbJ 1YQ11YQ1U9731U9731W5ubwwwwwwsswwwwwwssoguvrfoguvrfvg33sQvg33sQLLHDLLHD77337Ak#kv6p3775Qy9ss371Yss371Yvrfb7jvrfb7jQwsU97QwsU97wKWwElggwnoz#22#wwwwwwwwwwwwwwnwgognwgogfvwvw3#3vgfvwvw3#3vgCnFvk7CnFvk7wwww0WwOfFGA#22#oc3770lacJ8ssCty01sYn1sYnUgGTFUfUgGTFUf3311  13311  1njnBnFfjnjnBnFfjW5MVtuDeVnElbhpiQ1sYnQ1sYn31R31R3376Ws7s771UQSu phD lblbJ wwsss37wwsss37uvrfb7juvrfb7j33sQws33sQwsBBW5ubwwwwwwnwgnwgTVfvwvw3#3TVfvwvw3#377337Ak#kv6p3775Qy9wwwwwwwswwwwwwwsnwgogunwgogu3#3vg33s3#3vg33sk7Bwk7BKWwElggwnoz#22#sYnsYnUgGTFUfTVUgGTFUfTVR yWoR yWos371YQs371YQb7jb7j
```

Any ideas on what's wrong? How I'm reading: http://pastebin.com/GztviHW6

----------


## Sendatsu

> Hey guys!
> 
> Internal MoP builds started coming out 4.1ish, we have seen the first instance of these watermarks in 4.2.
> 
> These watermarks have been added to track internal leaks, so if someone makes a screenshot of an internal MoP alpha, they'll know who did it and take charges against him/her. (Everyone who has access to alpha signed an NDA.) Enjoy!


Dear LuckLuka

I have seen the first instance of these watermarks in *Live 4.0* (Cataclysm 2010) so you probably weren't paying enough attention (but don't worry, neither were we until recently).

The mechanism was already there in the official release, so it's only logical to leave it in for MoP alpha (and beta, and soon live) since no one had complained or discovered it for 2 whole years.

That's the past now. And no, there's nothing to "enjoy" in unknowingly sharing your account and realm id for the duration of an entire expansion...

----------


## Sendatsu

Found it...

*107642169#1*

----------


## eldavo1

Grats! What was the change you made?

----------


## Sendatsu

> Grats! What was the change you made?


I'll update the code now, basically I had it upside down and it cost me a lot of time for no reason :P

*UPDATED the source code post above.*

Use the new code/output. Basically start from the bottom right, splitting in bytes and NOTing them. Convert the first 11 bytes to ASCII to find the account id. I'll work on the rest later :P

----------


## _Mike

> Blizzard rep?
> 
> First attempt at getting it to work, not so good, I think. Reading each column back to front (As mike said it starts with 1000 (Looking inside your screenshots)).
> 
> EXE: ImageToBinary.exe
> 
> Using a stripped image at 1440*730.
> 
> Result BINARY:
> ...


Your bit pattern is off. The first 16 bits should be "10001100 00001100" which results in the ASCII characters "10".
Your method of text decoding is also slightly wrong. Or actually the method is correct, but it requires an additional "decoding" step before. And only the account name itself is actual text, the rest are binary numbers which would make no sense to try to view as text. Except maybe to look for patterns but personally I prefer hex numbers for that.
Compare 10001100 to the bit pattern of the character '1' and it should be fairly obvious what you need to do before sending it to the text decoder.

You also don't need that big of an image area for testing. You can crop to one of the 352x240 rectangles and only read the first 1408 bits or 88*2 bytes. I'm assuming the double size of the payload is because of the added ECC but I haven't looked at it in detail. After that it just repeats the same pattern over and over again. (3 times per rectangle * 11 rects for a total of 33 repetitions)

Bits should be read in this order:


```
1    49
2    50
.     .
.     .
48   96
```

Try starting out by reading and decoding those 16 bits by hand first so you're sure you understand the process before you work on a full image. There's also the ECC which I haven't bothered looking at which in the watermark seems to start directly after the 11 chars of the account name, whereas in the client memory the account name is padded with zeroes to 64 bytes length.
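
The read order and byte handling described in the post above, as an added Python example that is not part of the original post and is not any tool from this thread. It assumes the cells have already been thresholded into a 48-row grid of 0/1 values, takes the hinted extra step to be reversing the bit order within each byte (which is what turns 10001100 into '1'), and adds a majority vote across the repeated copies that is this example's own idea, not the client's ECC. The account name `10TESTACC#1` and the zero filler are constructed.

```python
"""Added example: decode a watermark bit grid in the column-wise read order.

All input is constructed here; nothing comes from a real screenshot.
"""

ROWS = 48            # bits per column, from the read-order table in the post
PAYLOAD_BITS = 1408  # one repetition of the pattern (88 * 2 bytes)
NAME_LEN = 11        # account-name bytes at the start of the payload


def read_column_major(grid):
    """Flatten a grid (ROWS rows of 0/1) top to bottom, then left to right."""
    if len(grid) != ROWS or len({len(row) for row in grid}) != 1:
        raise ValueError("expected %d rows of equal length" % ROWS)
    cols = len(grid[0])
    return [grid[r][c] for c in range(cols) for r in range(ROWS)]


def majority_vote(bits, period=PAYLOAD_BITS):
    """Combine the complete repetitions of the payload bit by bit.

    Assumption of this example (not the client's ECC): with an odd number
    of copies, a bit misread in one copy is outvoted by the others.
    """
    copies = len(bits) // period
    if copies == 0:
        raise ValueError("need at least one full %d-bit payload" % period)
    if copies % 2 == 0:
        copies -= 1  # keep the vote odd so it cannot tie
    return [
        1 if 2 * sum(bits[k * period + i] for k in range(copies)) > copies else 0
        for i in range(period)
    ]


def bits_to_bytes_lsb_first(bits):
    """Pack bits into bytes; the first bit read is the least significant."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(bit << n for n, bit in enumerate(bits[i:i + 8])))
    return bytes(out)


def decode_account(grid):
    """Return (account name text, remaining payload as hex)."""
    payload = bits_to_bytes_lsb_first(majority_vote(read_column_major(grid)))
    # Only the name is text; the bytes after it are binary fields and ECC,
    # so they are shown as hex rather than pushed through a text decoder.
    name = payload[:NAME_LEN].decode("ascii", errors="replace")
    return name, payload[NAME_LEN:].hex()


def build_sample_grid(name=b"10TESTACC#1", copies=3):
    """Constructed grid: name plus zero filler, LSB-first, repeated `copies` times.

    The zero filler stands in for the fields the thread has not decoded.
    """
    payload = name + bytes(PAYLOAD_BITS // 8 - len(name))
    bits = [(byte >> n) & 1 for byte in payload for n in range(8)] * copies
    cols = len(bits) // ROWS
    return [[bits[c * ROWS + r] for c in range(cols)] for r in range(ROWS)]


if __name__ == "__main__":
    grid = build_sample_grid()
    first16 = "".join(str(b) for b in read_column_major(grid)[:16])
    print("first 16 bits:", first16[:8], first16[8:])
    grid[0][0] ^= 1  # simulate one misread cell in the first copy
    print("account name :", decode_account(grid)[0])
```
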

----------


## _Mike

> Found it...
> 
> *107642169#1*


Good job!  :Smile:  I'll give you the promised rep a bit later. I already gave you for the OP so I can't do it again yet  :Smile:

----------


## Sendatsu

> Good job!  I'll give you the promised rep a bit later. I already gave you for the OP so I can't do it again yet


Finding it was satisfactory enough! Thanks for the confirmation  :Wink:

----------


## _Mike

> Finding it was satisfactory enough! Thanks for the confirmation


Now do a filter to extract it from a live screenshot  :Stick Out Tongue:  I have no clue on image filtering or I would try it myself  :Frown:

----------


## Sendatsu

> There's also the ECC which I haven't bothered looking at which in the watermark seems to start directly after the 11 chars of the account name, whereas in the client memory the account name is padded with zeroes to 64 bytes length.


So that's what it was :P

And it's really odd they'd use 64 bytes to represent an 11 character (max) username.. unless it's based on the maximum email address size that battle.net is using now for its usernames.

----------


## eldavo1

> Your bit pattern is off. The first 16 bits should be "10001100 00001100" which results in the ASCII characters "10".
> Your method of text decoding is also slightly wrong. Or actually the method is correct, but it requires an additional "decoding" step before. And only the account name itself is actual text, the rest are binary numbers which would make no sense to try to view as text. Except maybe to look for patterns but personally I prefer hex numbers for that.
> Compare 10001100 to the bit pattern of the character '1' and it should be fairly obvious what you need to do before sending it to the text decoder.
> 
> You also don't need that big of an image area for testing. You can crop to one of the 352x240 rectangles and only read the first 1408 bits or 88*2 bytes. I'm assuming the double size of the payload is because of the added ECC but I haven't looked at it in detail. After that it just repeats the same pattern over and over again. (3 times per rectangle * 11 rects for a total of 33 repetitions)
> 
> Bits should be read in this order:
> 
> 
> ...


Ah, derp! I actually was reading it correctly the FIRST time I coded it, but then my converter was wrong so it didn't appear properly, and I was trying to fix it by messing with the bit pattern. I was wondering why it wasn't making any sense. I'm getting this now:



```
10001100000011001110110001101100001011000100110010001100011011001001110011000100100011001001001110101100101100100111111010110111110110011010010101101001101001111110100100101101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011011101010010101101000111111110101100010011001100110110110100000110001101101110110110000010010100111001000001001100001100001100110000010011111010011100000000000000000000000000000000000000001101011000101001110011100101100111011000110100011001010011001011101100011110110101100001000000000000000000000000000000000000000000000000000000000000000011111111111111001111000000000000111111110101001101111111001111001110001100110101111000111011100111110111011011101000110000001100111011000110110000101100010011001000110001101100100111001100010010001100100100111010110010110010011111101011011111011001101001010110100110100111111010010010110100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000110111010100101011010001111111101011000100110011001101101101000001100011011011101101100000100101001110010000010011000011000011001100000100111110100111000000000000000000000000000000000000000011010110001010011100111001011001110110001101000110010100110010111011000111101101011000010000000000000000000000000000000000000000000000000000000000000000111111111111110011110000000000001111111101010011011111110011110011100011001101011110001110111001111101110110111010001100000011001110110001101100001011000100110010001100011011001001110011000100100011001001001110101100101100100111111010110111110110011010010101101001101001111110100100101101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011011101010010101101000111111110101100010011001100110110110100000110001101101110110110000010010100111001000001001100001100001100110000010011111010011100000000000000000000000000000000000000001101011000101001110011100101100111011000
11010001100101001100101110110001111011010110000100000000000000000000000000000000000000000000000000000000000000001111111111111100111100000000000011111111010100110111111100111100111000110011010111100011101110011111011101101110
```

However, how do you get 10 from 10001100 00001100? I can't seem to get that from the pattern...

EDIT: C# has byte order backwards, silly me. Got it working now! Full pattern in ASCII is



> 107642169#15MJ52mrksv107642169#15MJ52mrksv107642169#15MJ52mrksv


*You can use this http://www.mediafire.com/?2r5hu1jsjcg533c to see the watermark on processed images (isolated to be perfect with _Mike's patch, turned to black & white as allesist has done. Ignore patch option)*

I wonder why blizz has done this kind of watermarking though... it's pretty much impossible to retrieve something from a normal screenshot that will give you a proper data set. To even get it working we needed a perfect screenshot that had the watermark applied to a blank image, which isn't viable for most images. What would be the point on having such a useless watermark? Doing the sharpen trick gives you the watermark pattern, but no reliable information could come out of it.

----------
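The decoding step discussed in the two posts above (column-wise read order, then a per-byte fix-up before text decoding), as an added example that is not code from any poster in this thread. The function names are hypothetical, the 88 bits are the start of the stream eldavo1 posted, and the zero padding used to fill the 48-row grid is constructed.

```python
"""Decode the text field at the start of the posted watermark bit stream."""

ROWS = 48      # cells per column in the read-order diagram (1..48, then 49..96)
NAME_LEN = 11  # bytes of account-name text at the start of the payload

# First 88 bits (11 bytes) of the bit stream eldavo1 posted above.
POSTED_BITS = (
    "10001100" "00001100" "11101100" "01101100" "00101100" "01001100"
    "10001100" "01101100" "10011100" "11000100" "10001100"
)


def column_major(grid):
    """Read a grid of '0'/'1' cells down each column, leftmost column first."""
    rows, cols = len(grid), len(grid[0])
    return "".join(grid[r][c] for c in range(cols) for r in range(rows))


def to_grid(bits, rows=ROWS):
    """Lay a bit string out in that read order (zero-padded) to build test input."""
    cols = -(-len(bits) // rows)  # ceiling division
    padded = bits.ljust(rows * cols, "0")
    return [[padded[c * rows + r] for c in range(cols)] for r in range(rows)]


def decode_bytes(bits, lsb_first=True):
    """Group bits into bytes. The stream stores each byte least-significant
    bit first, so every 8-bit group is reversed before conversion."""
    if len(bits) % 8:
        raise ValueError("bit stream is not a whole number of bytes")
    groups = (bits[i:i + 8] for i in range(0, len(bits), 8))
    return bytes(int(g[::-1] if lsb_first else g, 2) for g in groups)


def split_payload(raw):
    """Only the first NAME_LEN bytes are text; show the remainder as hex."""
    name = raw[:NAME_LEN].decode("ascii", errors="replace")
    return name, raw[NAME_LEN:].hex()


if __name__ == "__main__":
    grid = to_grid(POSTED_BITS)    # 48 rows x 2 columns, last 8 cells are padding
    stream = column_major(grid)    # back to the order the bits were written in

    # Without the per-byte reversal the first byte is 0x8c, not a digit.
    wrong = decode_bytes(POSTED_BITS, lsb_first=False)
    print("no reversal :", wrong[:2].hex())

    name, rest = split_payload(decode_bytes(stream))
    print("account name:", name)
    print("remainder   :", rest)
```

The text field comes out with no key or secret involved, which is the point made later in the thread that the watermark data is encoded but not encrypted.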


## Winsane

> I wonder why blizz has done this kind of watermarking though... it's pretty much impossible to retrieve something from a normal screenshot that will give you a proper data set. To even get it working we needed a perfect screenshot that had the watermark applied to a blank image, which isn't viable for most images. What would be the point on having such a useless watermark? Doing the sharpen trick gives you the watermark pattern, but no reliable information could come out of it.


A software that knows exactly where the pixels are and knows the pattern etc. doesn't need to sharpen an image to find the data.

----------


## McYawgi

> Do note that this covert watermarking has been going on since, at least (!), 2010 (Patch 4+) so you may want to delete/remove from the public domain all your post-Cataclysm screenshots captured by WoW.


I've got screenshots from early WotLK (November 26th 2008.) that have these patterns in them. I haven't found anything in any BC screenshots, so it seems they started doing this with the release of WotLK.

----------


## bojax

Perhaps that's a way of recognizing/monitoring accounts which might relate to exploits. But then again, how many people which have posted exploits with screenshots at ownedcore.com have been banned ever since cataclysm started?

----------


## biervertrieb

Sendatsu are you sure the first screenshot is dated 2010 and not earlier?
I don't know anything about this and am deeply impressed with the amount of research that went into this by you guys and now you have a working method to decipher it.
This is amazing but on the other hand scary.

My thoughts on this are like someone stated earlier the only use Blizzard has with this is tracking NDA. It makes no sense in context with screenshots despite NDA tracking or busting some explorers. And I don't think explorers are a problem that Activision Blizzard is willing to put that much effort into because they hurt no one.
However like you stated there is a connection between Activision and a company that specializes in watermarks.
As we all know, Activision's intention overall is MONEY. The most obvious reason in my eyes is market research.

May I ask you to check screenshots from other online games? Diablo 3 comes to mind.


Edit: just read this




> I've got screenshots from early WotLK (November 26th 2008.) that have these patterns in them. I haven't found anything in any BC screenshots, so it seems they started doing this with the release of WotLK.


This is what I expected. 2008 Blizzard merged with Activision!!!!

----------


## _Mike

I made a little tool for those who want to play around or experiment with the watermarks. Only works for the current (16016) 32-bit windows client.

https://dl.dropbox.com/u/12654979/WatermarkTool.rar
Hopefully it'll work without you guys needing to have visual studio installed, dunno what the dependencies are. It does require .net 4.5 though, mainly because I can't figure out how to target earlier versions  :Smile: 
Excuse the semi-ugly UI, but it isn't obfuscated so you should be able to use something like reflector to rip the logic and make your own if you feel like it.
And don't complain about the sometimes messy code. The debugger is a work in progress  :Stick Out Tongue:

----------


## TOM_RUS

> I've got screenshots from early WotLK (November 26th 2008.) that have these patterns in them. I haven't found anything in any BC screenshots, so it seems they started doing this with the release of WotLK.


I can confirm for example build 3.0.2.8885 (Aug 27 2008) already has this watermarking stuff.

----------


## _Mike

> A software that knows exactly where the pixels are and knows the pattern etc. doesn't need to sharpen an image to find the data.


Correct, but the watermark pixels are blended with the real pixels so you'd still need to filter them out somehow.

----------


## schlumpf

> So, schlumpf and Master674, if I understand correctly: 
> 
> 
> _strcpy(m_ClientStamp.accountName, s_accountName)_ ==> they copy our *account name* which is either alphabetic (pre-bnet) or numeric (post-bnet), so we're looking for a string
> 
> 
> _WowTime::WowEncodeTime(&m_ClientStamp.gameTime, g_clientGameTime);_ ==> they copy the *current realm time*
> 
> _WowTime::WowEncodeTime(&v4, LODWORD(g_clientGameTime_ptr));_ ==> low-order double-word (4 bytes) so the seconds are not included, and we're looking for a number
> ...


The code shows: They copy the account name, the realm / game time, the realm IP.

This holds for official and private servers. The normalization is irrelevant, 0xF3FFF00u seems to be some end-identifier instead of the addr, which would be useless anyway.

So yes, they can track your account on a private server. They can't track anything else.

----------


## Sendatsu

Hello guys, I'll respond to all:




> The code shows: *They copy the account name, the realm / game time, the realm IP.*
> 
> *This holds for official and private servers.* The normalization is irrelevant, 0xF3FFF00u seems to be some end-identifier instead of the addr, which would be useless anyway.
> 
> So yes, they can track your account on a private server. They can't track anything else.


Thank you for re-confirming this. So we have agreed on: *account name/id, realm time (to the minute) and realm IP address*.




> I can confirm for example build 3.0.2.8885 (Aug 27 2008) already has this watermarking stuff.





> I've got screenshots from early WotLK (November 26th 2008.) that have these patterns in them. I haven't found anything in any BC screenshots, so it seems they started doing this with the release of WotLK.





> Sendatsu are you sure the first screenshot is dated 2010 and not earlier?


Thank you all for looking into this. I took another, harder, look into my old screenshots and I could indeed find it myself before 2010. I updated the introductory post to say that this covert watermarking has been confirmed, by multiple sources, to be going on since, at least (!!), 2008 (Patch 3+), which is the year Blizzard was acquired by Activision.




> Correct, but the watermark pixels are blended with the real pixels so you'd still need to filter them out somehow.


Yes indeed, you'd have to use really *smart recovery algorithms* and methods, like the ones that Digimarc has been patenting for two decades now: http://www.ownedcore.com/forums/worl...ml#post2490910 (Looking inside your screenshots)

Our "space invader" white pixel, as I called it, seems to be dating back to 1998 (!! US patent #6104812, figures 2-12) when it was still just a dot, so all this watermarking is certainly not new. The current problem with this action though, is the fact that not only we weren't informed this was going on, but since we were kept in the dark we were unwillingly endangering our account and realm id every time we shared a screenshot for the past 4 years.

This may not sound like much to some, but think that if someone (outside Digimarc) has found out about this, they could already be using it to identify which account holds which characters and perhaps stalk and annoy its user, or maybe even *help perpetrators choose their phishing victims with a more targeted approach*.




> Perhaps that's a way of recognizing/monitoring accounts which might relate to exploits. But then again, how many people which have posted exploits with screenshots at ownedcore.com have been banned ever since cataclysm started?


You see, the exploiters are just the small fishes in the big pond of Blizzard. They could indeed be using this to pinpoint bugs presented in screenshots and then fix them or perhaps ban a user for a while. But *the "big fishes" that Blizzard is interested in are a) people who release information against their NDA (because they paid them) and b) people who maintain, and profit from, private servers (because they probably make them lose money):* basically, *people they can sue*.

It is important to note that after 2008, when Activision took over, *private servers started dropping like flies* (Blizzard legal targets private servers) which eventually led to the *amazing $88 million dollars lawsuit* they won (http://www.gamasutra.com/view/news/2...rver_Owner.php). I am not saying they shouldn't have protected their intellectual property but the important factor one should consider is that: *if* they used illegal (covert) methods of tracking these private servers, by *"bugging" all WoW users* to act as their *"unaware informants"*, while at the same time endangering their privacy and security http://www.ownedcore.com/forums/worl...ml#post2496404, then *you see how this whole case could take a completely different turn...*

----------


## stoneharry

> You see, the exploiters are just the small fishes in the big pond of Activision. They could indeed be using this to pinpoint bugs presented in screenshots and then fix them or perhaps ban a user for a while. But *the "big fishes" that Activision Blizzard is interested in are a) people who release information against their NDA and b) people who maintain, and profit from, private servers:* basically, *people they can sue*.
> 
> It is important to note that after 2008, when Activision took over and apparently installed this secret watermark without mentioning it in the End user license agreement, *private servers started dropping like flies* (Blizzard legal targets private servers) which eventually led to the *amazing $88 million dollars lawsuit* they won (Gamasutra - News - Blizzard Wins $88M Judgment Against WoW Private Server Owner). I am not saying they shouldn't have protected their intellectual property but the important factor one should consider is that: *if they used illegal (covert) methods of tracking these private servers*, by *"bugging" all WoW users* to act as their *"unaware informants"*, while at the same time endangering their privacy and security in the name of profit, then *you see how this whole case can take a completely different turn...*


Be careful not to follow a slippery slope argument.

I very much doubt this is in place to create targets to prosecute - especially as they did not profit from the case you describe and because it only led to that after they ignored the C&D letters. (Did not profit as the person being prosecuted only made estimated $2 million profit so how could he pay the full $88 million - blizzard would have paid a lot in legal fees).

----------


## sn4rk

> I can confirm for example build 3.0.2.8885 (Aug 27 2008) already has this watermarking stuff.


looked through my screens and tried to find some clear readings of watermarks
so i got
WoWScrnShot_120907_014454 - it's possible to see it but not clear (date September 12 2007) Patch 2.1.3
WoWScrnShot_012308_224421 - clear watermark ( Jan 23 2008 )

----------


## potemkin

Hello, sorry for the intrusion, but some news of this has appeared and I was wondering if the author is going to release this news himself? (to slashdot/reddit or what have you?)

----------


## Sendatsu

> Hello, sorry for the intrusion, but some news of this has appeared and I was wondering if the author is going to release this news himself? (to slashdot/reddit or what have you?)


Hello potemkin.

An article is being prepared  :Smile: 

Edit#1: But posting it to slashdot for starters was a good idea, thank you! Let's see if they approve my post :P http://slashdot.org/submission/22529...warcraft-users

Edit#1.2: "Achievement unlocked! Submitted a Story That Was Posted" http://games.slashdot.org/story/12/0...warcraft-users *Hello slashdotters!*

Edit #2: Also posted this on reddit. Let's get the word out now that we know what's going on. *Hello redditors!*
WoW: http://www.reddit.com/r/wow/comments...n_through_wow/ (thanks stoneharry!)
Games: http://www.reddit.com/r/Games/commen...marking_world/
Gaming: http://www.reddit.com/r/gaming/comme...marking_world/

Thanks Erboo!

----------


## Erboo

World of Warcraft and gaming.reddit: what's new in gaming are probably better subreddits to post this in.

----------


## MadameGrip

What people might not understand is that, it doesn't matter to censor your character name when they can just decrypt it :P

----------


## Sendatsu

> What people might not understand is that, it doesn't matter to censor your character name when they can just decrypt it :P


And it's also important to note once more that the watermark information *is not encrypted*. It's written in *plain text among the graphics*. Any hacker with enough determination can figure out a way to get them out.

----------


## Sendatsu

What a useful coincidence! (World of Warcraft Developer Reddit AMA, Sept. 11 - World of Warcraft)




> "Tuesday, September 11 beginning at 5:30 p.m. PDT, we’ll be conducting a live developer “Ask Me Anything” (AMA) on /r/WoW. I’ll be on-hand to host the chat and will have Lead Systems Designer Greg Street, Lead Quest Designer Dave Kosak, Lead Encounter Designer Ion Hazzikostas, and Game Director Tom Chilton available to field your questions."


*Everyone head to World of Warcraft today and let's ask them to hear their side of the story about the watermarks.*

I have already prepared the ground here: kgkoutzis comments on Blizzard will be doing an IAMA in r/WoW tomorrow with the top MoP developers!

----------


## Erboo

Sendatsu just a heads up-- the area you posted was just a notification of when the Q & A will take place. You will have to repost your question in the appropriate thread once they actually create the Q & A thread (which should be 5:30 PDT)

----------


## Sendatsu

> Sendatsu just a heads up-- the area you posted was just a notification of when the Q & A will take place. You will have to repost your question in the appropriate thread once they actually create the Q & A thread (which should be 5:30 PDT)


Yes, we need to ask them during the live AMA. Let's see if the game designers have been informed about this.

----------


## [Pat]

By law no company can harvest PII without telling their customers and giving them an opt out, I'm going to just say that this is nothing but fear mongering and paranoia.

----------


## AussieGamer

Hey guys - I write for gaming news site Aussie-Gamer.com -- just letting you know that we've picked up this story, ran it and have contacted the PR guys at Blizzard to provide a comment.

Millions of World of Warcraft Players Accounts Compromised

Hopefully we can open some dialogue with them to see what they have to say on the matter. I mean, this is a website full of WoW exploits so who knows, but this is a pretty big issue...

Cheers!

----------


## Sendatsu

> Hey guys - I write for gaming news site Aussie-Gamer.com -- just letting you know that we've picked up this story, ran it and have contacted the PR guys at Blizzard to provide a comment.
> 
> Millions of World of Warcraft Players Accounts Compromised
> 
> Hopefully we can open some dialogue with them to see what they have to say on the matter. I mean, this is a website full of WoW exploits so who knows, but this is a pretty big issue...
> 
> Cheers!


Hello AussieGamer

Thanks for spreading the word. Regardless of where we figured this out, the fact still remains that Activision Blizzard has been secretly watermarking our screenshots without notifying us for many years now. I hope at some point we will receive an official response from a representative.

----------


## TehVoyager

> Hey guys - I write for gaming news site Aussie-Gamer.com -- just letting you know that we've picked up this story, ran it and have contacted the PR guys at Blizzard to provide a comment.
> 
> Millions of World of Warcraft Players Accounts Compromised
> 
> Hopefully we can open some dialogue with them to see what they have to say on the matter. I mean, this is a website full of WoW exploits so who knows, but this is a pretty big issue...
> 
> Cheers!


Millions of world of Warcraft player accounts compromised? um wow. Fear mongering much? Typical newsie. OMG OMG THE SKY IT IS FALLING! Considering this information has JUST been discovered, and you would STILL need to get the password for the account (not shared in the data) AND you would have to get past the Authenticator if the user has one (the only ones who don't are dumber than a box of retarded rocks, to be honest. they are basically free, if you pay the S&H... or completely free for the mobile phone) before any type of account compromise could occur.

but, to draw in viewers, you create a sensationalized title to your news article to draw in ad revenue right?

OP should request Aussie-Gamer remove that article until it can be written in a non-sensationalized manner.

----------


## AussieGamer

Hey - thanks for your concern. It's been noted. Trust me, ad revenue is not something we really give much attention to, it's a labor of love I assure you.

We of course want to get to the bottom of the story. Or we can just... not. Either way - just thought I'd give you guys the heads up since you did all the leg work discovering the exploit. Do headlines draw people in? Obviously. Is it any less true? Millions play WoW, taking screenshots is a standard, basic part of playing that game for most users. If personal data is being printed onto those screenshots, then yeah - that's a security breach that compromises those accounts.

Thus is the theory behind the headline.

The theory behind posting here is to give you guys a heads up. Delete, ban, remove - whatever. I clearly joined just to shoot a "thanks, we're on it" from a "media" point of view to you guys. If anyone wants to get in touch to divulge more info (or dumb it down for readers), please hit us up on the site.

Thanks.

----------


## Sendatsu

> Hey - thanks for your concern. It's been noted. Trust me, ad revenue is not something we really give much attention to, it's a labor of love I assure you.
> 
> We of course want to get to the bottom of the story. Or we can just... not. Either way - just thought I'd give you guys the heads up since you did all the leg work discovering the exploit. Do headlines draw people in? Obviously. Is it any less true? Millions play WoW, taking screenshots is a standard, basic part of playing that game for most users. If personal data is being printed onto those screenshots, then yeah - that's a security breach that compromises those accounts.
> 
> Thus is the theory behind the headline.
> 
> The theory behind posting here is to give you guys a heads up. Delete, ban, remove - whatever. I clearly joined just to shoot a "thanks, we're on it" from a "media" point of view to you guys. If anyone wants to get in touch to divulge more info (or dumb it down for readers), please hit us up on the site.
> 
> Thanks.


It is essential to note that the only information we have found inside the watermark is: account id, timestamp and realm IP address.

*No passwords have been disclosed, nor any user IP addresses.*

The press is free to write what they like, but if it's not the truth then they lose all credibility.

Please update your article accordingly, in order to show that *no account has been hacked because of this*, but there is still the capability of linking alt. character names to a single account, thus creating targets for spam or scam artists.

----------


## Unholyshaman

Some impressive work you guys have done here with some very interesting finds. I'm fascinated to know what intended use Blizzard has for these watermarks. I mean the sheer amount of bans that could have been handed out based on screenshots posted on forums such as this is huge. Where people thought they were "safe" by blacking out their names.

I suspect Blizzard uses this information for market research more than anything else. Purely statistical information - although how much of a reliable representation it would have I don't know, considering it would only be from Screenshots actually posted.

Then again, these days companies collect statistics on the weirdest things.

----------


## AussieGamer

Thanks - we've added an update to the article.

----------


## Demot2

> Some impressive work you guys have done here with some very interesting finds. I'm fascinated to know what intended use Blizzard has for these watermarks. I mean the sheer amount of bans that could have been handed out based on screenshots posted on forums such as this is huge. Where people thought they were "safe" by blacking out their names.
> 
> I suspect Blizzard uses this information for market research more than anything else. Purely statistical information - although how much of a reliable representation it would have I don't know, considering it would only be from Screenshots actually posted.
> 
> Then again, these days companies collect statistics on the weirdest things.


Like that guy said before, it's probably to find users breaking the NDA. ArenaNet did this in Guild Wars 1 alpha though they didn't try to hide it like Blizzard.

----------


## Discipline

I don't have Diablo, but it would interest me if similar watermarking is used there, could not find anything from screenshots on google.

----------


## ZdejPoham

> Now do a filter to extract it from a live screenshot  I have no clue on image filtering or I would try it myself


In sound signal processing you can find a faint repetitive signal hidden in noise by superimposing sample slices of the same length as the sought signal's wavelength (1/frequency), which makes the sought signal stand out from the background noise, which gets "averaged out" with each consecutive iteration of overlaying sample slices. I believe the same principle would apply here. You know where and how big the regions containing watermark data are, and there being more than one of them on the screenshot might just be so this kind of "filtering" is possible.

My 2c.

----------


## spoutnik

I really fail to see where the issue is. In fact, I don't think that there is an issue at all.

Okay, so the watermark contains, as Schlumpf said on page 7, the account name, not your email address, but the account name which is a different thing. Remember, before Battle.net 2.0 we used to have account names instead of e-mail addresses. So, now, instead of [email protected] you have something like 107642169#1 (see here (Looking inside your screenshots)).
It also stores the IP address of the realm you're actually playing on (and not your IP address) and the date and hour of the screenshot.

How on earth can you be "hacked" when the only data hackers can have is an account name like "107642169#1" ?
If you try to enter this account name while logging into the game you have this message :



And you get redirected to a page that asks you your email address and your password.
So, please. Tell me how this can be used to "hack" someone or compromise accounts.

----------


## thedruid

From what I understand the watermark gets generated when World of Warcraft trigger their own screenshot function and wow saves the screen shot?

If above is correct why the hell would you install some kind of hack to disable it? Just use the OS built in screenshot function and not World of Warcraft screen shots?
Mac user: Cmd + shift + 3.
Windows: Printscreen button then go to paint and press ctrl + v.

Problem solved?

----------


## stoneharry

> From what I understand the watermark gets generated when World of Warcraft trigger their own screenshot function and wow saves the screen shot?
> 
> If above is correct why the hell would you install some kind of hack to disable it? Just use the OS built in screenshot function and not World of Warcraft screen shots?
> Mac user: Cmd + shift + 3.
> Windows: Printscreen button then go to paint and press ctrl + v.
> 
> Problem solved?


It does solve it but it means you have to copy it from your clipboard and save it where you want it. A lot of people like to randomly prt screen during a boss encounter (or similar) as they get something cool without having to stop.  :Smile:  The tools just provides more flexibility, and you could just set quality to 10 which is a single in game command that doesn't break the ToS.

----------


## schlumpf

> It does solve it but it means you have to copy it from your clipboard and save it where you want it.


On OS X, you don't. ⌘⇧3 saves directly to the desktop by default.

----------


## powerblaze

Someone make a non-Blizzard screenshot capture app that doesn't create any watermark or use the prntscr function for now I guess. But very interesting find.

----------


## Sendatsu

Answers:




> From what I understand the watermark gets generated when World of Warcraft triggers its own screenshot function and WoW saves the screenshot?
> 
> If above is correct why the hell would you install some kind of hack to disable it? Just use the OS built in screenshot function and not World of Warcraft screen shots?
> Mac user: Cmd + shift + 3.
> Windows: Printscreen button then go to paint and press ctrl + v.
> 
> Problem solved?





> Someone make a non-Blizzard screenshot capture app that doesn't create any watermark or use the prntscr function for now I guess. But very interesting find.



There is a much simpler solution. You just set the JPG quality to 10 and WoW skips the watermark function by default.

*/console SET screenshotQuality "10"*





> I really fail to see where the issue is. In fact, I don't think that there is an issue at all.
> 
> Okay, so the watermark contains, as Schlumpf said on page 7, the account name, not your email address, but the account name which is a different thing. Remember, before Battle.net 2.0 we used to have account names instead of e-mail addresses. So, now, instead of [email protected] you have something like 107642169#1 (see here (Looking inside your screenshots)).
> It also stores the IP address of the realm you're actually playing on (and not your IP address) and the date and hour of the screenshot.
> 
> How on earth can you be "hacked" when the only data hackers can have is an account name like "107642169#1" ?
> If you try to enter this account name while logging into the game you have this message :
> 
> [image omitted, see above]
> ...



It's really interesting that you decided to use this "playing dumb" approach, by even trying to login using an account name instead of the battle.net email...

A malicious hacker could unleash Web spider bots scanning for WoW screenshots, decode their hidden watermark data and quickly create a database of which account has which alts in it, that they can then sell to anyone interested because information is power and sells for a profit.

If the malicious hackers who recently attacked Blizzard (http://us.blizzard.com/en-us/securityupdate.html Important Security Update FAQ - Battle.net Support) also managed to grab the account names (it is not clearly stated in the official report, it only says "emails"), then they could combine the two to create a really comprehensive database of battle.net ids and characters, for anyone who is interested in buying it.

----------


## Sonikk

This thread makes me very curious if it could be a similar system GW2 used during their closed beta where people allowed in had to sign an NDA. As far as i remember, they banned several accounts even though the character and/or account names were never visible.

----------


## saillaw

I’m not at all competent to discuss the technical aspects of this. TBH, when I first saw the thread I dismissed it as fear mongering nonsense. However, since the OP and others have been persistent in following through with their research, I’ve been converted and now think it is likely that indeed there are hidden watermarks in our images. So assuming that they are in fact embedding watermarks, here are my thoughts:



> PS: Any lawyer here able to tell us if it's even legal to add a secret watermark with account info in the screenshots, *without mentioning it in the ToS*, and then using it to track the actions of the users and *identify the private servers* they may use?


IMHO, under US law, I don’t see anything in what Blizzard is doing that is likely to be held to be “illegal”. Remember the three contracts that we agree to in order to be able to use the game (The World of Warcraft Terms of Use Agreement (the “TOU”), The World of Warcraft End User License Agreement (the “EULA”), and the Battle.net Terms of Use Agreement (the “BNTOU”)) all clearly state that what we are purchasing is the right to use the service and limited license therein. They go on to further clarify that *we do not* have any ownership right in any of the part of the game. 
In particular the EULA states in relevant part (emphasis added):




> *Ownership.*
> All title, ownership rights and intellectual property rights in and to the Game and all copies thereof (including without limitation any titles, computer code, themes, objects, characters, character names, stories, dialog, catch phrases, locations, concepts, artwork, character inventories, structural or landscape designs, animations, sounds, musical compositions and recordings, audio-visual effects, storylines, character likenesses, methods of operation, moral rights, and any related documentation) are owned or licensed by Blizzard. The Game is protected by the copyright laws of the United States, international treaties and conventions, and other laws. The Game may contain materials licensed by third parties, and the licensors of those materials may enforce their rights in the event of any violation of this License Agreement.


I think it is highly likely that a U.S. judge would read that laundry list to include screenshots. Meaning, that any screenshot we take, is still the property of Blizzard. As such, Blizzard could put any information it desires into their screenshots, provided such information does not share otherwise legally protected information of the user. 

The EULA also states (emphasis added):




> *WORLD OF WARCRAFT®
> END USER LICENSE AGREEMENT*
> Last Updated August 22, 2012 
> 
> *IMPORTANT! PLEASE READ CAREFULLY.*
> 
> THIS SOFTWARE IS LICENSED, NOT SOLD. BY INSTALLING, COPYING OR OTHERWISE USING THE GAME (DEFINED BELOW), YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, YOU ARE NOT PERMITTED TO INSTALL, COPY OR USE THE GAME. IF YOU REJECT THE TERMS OF THIS AGREEMENT WITHIN THIRTY (30) DAYS AFTER YOUR PURCHASE, YOU MAY CALL (800)757-7707 TO REQUEST A FULL REFUND OF THE PURCHASE PRICE. 
> 
> This software program, and any files that are delivered to you by Blizzard Entertainment, Inc. (via on-line transmission or otherwise) to "patch," update, or otherwise modify the software program, as well as any printed materials and any on-line or electronic documentation (the "Manual"), and any and all copies and derivative works of such software program and Manual (collectively, with the "Game Client" defined below, the "Game") is the copyrighted work of Blizzard Entertainment, Inc. or its licensors (collectively referred to herein as "Blizzard"). Any and all uses of the Game are governed by the terms of this End User License Agreement (the "License Agreement" or "Agreement"). The Game may only be played by obtaining from Blizzard access to the World of Warcraft massively multi-player on-line role-playing game service (the "Service"), which is subject to a separate Terms of Use agreement (the "Terms of Use") incorporated into this Agreement by this reference. The Game is distributed solely for use by authorized end users according to the terms of this License Agreement. Any use, reproduction, modification or distribution of the Game not expressly authorized by the terms of the License Agreement is expressly prohibited.


I think a screenshot is very likely to be classified as a “derivative work” and as such I think Blizzard would claim it owns the copyrights thereto. IMHO, it would likely be successful in making that claim.

With that in mind, I think there are potentially some interesting and unclear legal issues with regards to screenshots (suppose I take a screenshot that is Ansel Adams beautiful, and people want to buy it from me and I want to sell it, would I have the right? Could Blizzard stop it?), but those issues are separate from, and should not be confused with, the issue of whether or not Blizzard has the right to control what information ends up in the file dump that is created when you hit the screenshot button. The fact is that all the information that goes into the screenshots is dictated by Blizzard’s programming and this watermark information is just a small part of what their program creates. It would be very hard to argue that they are free to control all the other information (color info, etc) but not this information, since their program “makes it all”.




> By law no company can harvest PII without telling their customers and giving them an opt out, I'm going to just say that this is nothing but fear mongering and paranoia.


They give the disclosure, and the opt-outs, in the TOU, EULA, and the BNTOU. We all accepted that the first time we installed and used the game and after every patch since.




> PS2: I know the ToS mentions that they can communicate our info back to Blizzard, but the user assumes they will use *a safe channel* via battle.net, not our screenshots that we share with the world, unaware of their secret contents.


That is probably a bad assumption on the part of the user. There is nothing in the TOU, EULA, or BNTOU (“the Agreements”) that I read which would lead me to think I have an expectation of privacy in how Blizzard chooses to enforce the Agreements when it comes to non-personal information (e.g. server name, server address, server time, etc.). If they were submitting, and “broadcasting” personal information (e.g. my credit card info, address, real name, etc.), that would be a different story. But, since:




> It is essential to note that the only information we have found inside the watermark is: account id, timestamp and realm IP address.
> 
> *No passwords have been disclosed, nor any user IP addresses.*


I don’t think a judge would hold that Blizzard is under any obligation to keep account id, timestamp and realm IP address private. This is particularly true given that this information is arguably still private, it is well hidden and none of us knew about it for years. Even now we still can’t extract this information from a “normal” screenshot (i.e. if Blizzard was obligated to keep this information private, which I don’t think they are, then they have probably met their burden by using the current method).




> PS3: I know that private servers are illegal to run, but it is probably also illegal to track them down using *ambiguous methods* such as this. It's like bugging everyone's phone in advance just in case they ever think of trying something against the law. Oh, wait.


I think that’s a bad analogy. What you are essentially saying, if I understand you correctly, is that you want the right to violate the Agreements, but still use the software with complete privacy. I think you give up what little expectation of privacy you might have, when you choose to violate the Agreements.

A better analogy might be a thief who steals my camera, but thinks I should not be allowed to look at the exif data on the photos to prove it was taken with my camera, since he took the photo and it’s his artwork? Not to imply you are a thief of course. 




> It is important to note that after 2008, when Activision took over and apparently installed this secret watermark without mentioning it in the End user license agreement, *private servers started dropping like flies* (Blizzard legal targets private servers) which eventually led to the *amazing $88 million dollars lawsuit* they won (Gamasutra - News - Blizzard Wins $88M Judgment Against WoW Private Server Owner). I am not saying they shouldn't have protected their intellectual property but the important factor one should consider is that: *if they used illegal (covert) methods of tracking these private servers*, by *"bugging" all WoW users* to act as their *"unaware informants"*, while at the same time endangering their privacy and security in the name of profit, then *you see how this whole case can take a completely different turn...*


As I stated above, I don’t think they used illegal methods of tracking private servers. The code for these watermarks was assumedly in all released copies of WoW, it was not somehow stealthily injected into only the copies of suspected private server users. I also have a hard time seeing how this information can be seen to be “endangering their privacy and security in the name of profit”. Frankly, I respect the work you’ve done in this thread, but these sorts of statements needlessly undermine the credibility of your legitimate technical findings.

I’ve been a member of this forum for a long time (mainly a lurker), please don’t read any of the above to mean that I support what Blizzard is doing, or that I am against the creative activities we enjoy and discuss: I just don’t think it’s worth wasting much effort or hope on thinking that “we have Blizzard by the balls this time! What they are doing is illegal!!” I think the truth of the matter, is that they are likely fully within their rights to embed such information into screenshots. 

Thanks for making us aware of this, and I for one will certainly take it into consideration when posting public screen shots in the future.

*Disclaimer:* I am an attorney, but I am not your attorney. The thoughts expressed in this post are my own personal opinion on the issues discussed therein, and should not be viewed or interpreted as legal advice. My thoughts expressed do not represent the opinion of anyone else on the forum or the forum itself (or the owners, employees, officers, or directors thereof). My opinions should not be relied upon to make decisions regarding any course of action you may or may not have against Blizzard. If you think you have been wronged, you should consult your own personal attorney.

----------


## Heresy86

> This thread makes me very curious if it could be a similar system GW2 used during their closed beta where people allowed in had to sign an NDA. As far as i remember, they banned several accounts even though the character and/or account names were never visible.


Most likely. It's a very good way to track NDA related material.

----------


## shad8w

I find this thread hilarious. Sendatsu posted it and instantly got flamed and now after research and bringing up evidence people instantly edit their flame posts.

Sendatsu you owned them hardcore.

----------


## Zoidberg

> This thread makes me very curious if it could be a similar system GW2 used during their closed beta where people allowed in had to sign an NDA. As far as i remember, they banned several accounts even though the character and/or account names were never visible.


Well there was an overlay that filled the screen with your email address during alpha and beta... So unless someone managed to remove that overlay and still got banned for leaking NDA stuff, I don't think anyone has been banned during alpha/beta because of a similar system.

----------


## Sendatsu

Hello saillaw

I really liked your comment, I was hoping for a lawyer to participate in this thread  :Smile: 

I never said "we had them", ever. Nor did I say that we should all be breaking the law and getting away with it. I just said "hey, I discovered this and it's interesting that we didn't know about this before, even though I thought we should".

Indeed Blizzard can argue all these things you mentioned and life will go on. I just need to make one comment:




> the issue of whether or not Blizzard has the right to control what information ends up in the file dump that is created when you hit the screenshot button. The fact is that all the information that goes into the screenshots is dictated by Blizzard’s programming and this watermark information is just a small part of what their program creates. It would be very hard to argue that they are free to control all the other information (color info, etc) but not this information, since their program “makes it all”.


Activision Blizzard has every right/capability to control what is included in the screenshots, both technically and legally. It is a programming choice that this watermark is included in the final output; a choice they can just set to off, like they did for high quality images. And it is not mandated (as far as I know) by any government agency to add these watermarks, so they are free to do as they please.

Apart from that though, I'm afraid you are absolutely right, it will be really hard for anyone to make a case that will reach the court.

As far as technical aspects are concerned, at least now we know what information we have been unwillingly sharing all this time, and I hope we now know better than sharing low quality watermarked shots  :Smile:

----------


## saillaw

> I never said "we had them", ever. Nor did I say that we should all be breaking the law and getting away with it.


Yes you are right, sorry I didn't mean to imply you had said that, I was trying to paraphrase the general feel of the thread rather than you in particular. 




> I just said "hey, I discovered this and it's interesting that we didn't know about this before, even though I thought we should".


A very cool discovery, it's really amazing to me that it remained undiscovered (or unleaked) for so long. In fact that is part of why I originally thought it was BS. I thought, surely someone from Blizzard or Digimarc would have let people know they had this information by now if it is true? Or surely during one of the enforcement cases you linked it would have been presented as evidence.

The fact that they successfully were able to keep this quiet for so long is really quite impressive, IMHO.

----------


## Jaerin

> This thread makes me very curious if it could be a similar system GW2 used during their closed beta where people allowed in had to sign an NDA. As far as i remember, they banned several accounts even though the character and/or account names were never visible.


Having one of those accounts I can tell you that it was not nearly so obfuscated. The Dev client had your account name watermarked very clearly while you were playing. It looks like they used some kind of shader over the entire game.

----------


## thedruid

> a choice they can just set to off, like they did for high quality images..


Was that a choice?
Sounds like a bug for me, haven't researched this on a deep level tho.

Anyway your point is correct and +rep for finding this and informing us about this hidden watermark so we can avoid it.

----------


## Sendatsu

So, our findings have been mentioned in WoW Insider now too  :Smile:  Blizzard may be hiding information in your screenshots, but it can't hurt you

Funny fact: I feel like I'm reliving our deleted troll conversations in the comment section below that post hehe

I'm really tired already from all the reddit trolling, I'll try to take a break until the AMA session. *Let's see if we manage to get Blizzard to confirm it*  :Smile: 


Edit: Also on Kotaku! http://kotaku.com/5942274/theres-mor...ft-screenshots

Edit#2: Plus, a quite sober article over PC Gamer: http://www.pcgamer.com/2012/09/11/wo...n-screenshots/

----------


## niguz

> I made a little tool for those who want to play around or experiment with the watermarks. Only works for the current (16016) 32-bit windows client.


Crashes when starting in my sandboxie; anyone else having this problem? No error message.

Anyway; is this <quality10 speculation because you couldn't find it with sharpening or is there real evidence from the assembly that there is a function that checks for imgquality and only watermarks then q<10? Because the latter one seems not convenient and rather stupid tbh from blizz side.


EDIT: For the people wondering if opening your screenshot in irfan view or anything and then doing another screenshot of it the watermark will also be in this picture too.

----------


## stoneharry

> Crashes when starting in my sandboxie; anyone else having this problem? No error message.
> 
> Anyway; is this <quality10 speculation because you couldn't find it with sharpening or is there real evidence from the assembly that there is a function that checks for imgquality and only watermarks then q<10? Because the latter one seems not convenient and rather stupid tbh from blizz side.


Read the full thread.

To clarify, yes there has been code posted from the assembly detailing the function that handles this and showing that it is true. There are 4 related posts quoting direct code/memory addresses if I remember correctly.

----------


## Sendatsu

> Crashes when starting in my sandboxie; anyone else having this problem? No error message.
> 
> Anyway; is this <quality10 speculation because you couldn't find it with sharpening or is there real evidence from the assembly that there is a function that checks for imgquality and only watermarks then q<10? Because the latter one seems not convenient and rather stupid tbh from blizz side.


As mentioned by _Mike here: http://www.ownedcore.com/forums/worl...ml#post2491687 (Looking inside your screenshots)

His code "forces watermarks to be added to lossless TGA" and JPEG images.



```
wow.exe+18DCAC: // TGA patch
nop
nop

wow.exe+18DCB5: // jpeg quality patch
nop
nop
```

I myself took high quality screenshots and using a Hex Editor had a look inside and saw that indeed the specific watermark wasn't present.

Feel free to experiment more on this, we still don't know why they didn't include it in the high quality images.

----------


## niguz

Ok maybe I didn't find it but none of the codes showed that there is any check for img quality setting; so I suppose it's also in quality10 jpegs, you just cannot find it that easy with the method.

wow.exe+18DCB5: // jpeg quality patch 
So it nops the memory address here; this was a quality check?

For the people wondering if opening your screenshot in irfan view or anything and then doing another screenshot of it - the watermark will also be in this picture too.

----------


## allesist

On lower resolutions the pattern looks different. But i think it's possible to read it the same way.

Example 720x576 (Feralas night sky, unedited, you can see the pattern without editing the image): http://img853.imageshack.us/img853/4747/otherrr.jpg
(Try to press SHIFT+U (auto adjust colors) in irfanview on this image).

// Edit:
The hardest thing to do is to detect this watermark on "normal" random screenshots (without extracting the raw watermark pattern).
I think it would be possible to detect this pattern by extracting each pixel's RGB value in a screenshot. There has to be an algorithm for this to detect such a pattern (a specific range of differences in the RGB values which indicates them).

----------


## iFarmer

Wow. This thread really blew up. It's even linked to on the front page of r/gaming.

----------


## spoutnik

> If the malicious hackers who recently attacked Blizzard (http://us.blizzard.com/en-us/securityupdate.html Important Security Update FAQ - Battle.net Support) also managed to grab the account names (it is not clearly stated in the official report, it only says "emails"), then they could combine the two to create a really comprehensive database of battle.net ids and characters, for anyone who is interested in buying it.


Email != account name.
They managed to steal encrypted passwords, and in the slight probability that they managed to decipher those encrypted passwords, there's nothing that they can do, unless of course if you haven't changed password since the attack, then this is your fault, and your fault only for being hacked. And the authenticator provides enough security.

So... There is absolutely nothing to fear with those watermarks, you won't be hacked with this.

----------


## Sendatsu

> Email != account name.
> They managed to steal encrypted passwords, and in the slight probability that they managed to decipher those encrypted passwords, there's nothing that they can do, unless of course if you haven't changed password since the attack, then this is your fault, and your fault only for being hacked. And the authenticator provides enough security.
> 
> So... There is absolutely nothing to fear with those watermarks, you won't be hacked with this.


*Seriously, when did I ever say that someone will hack your account??* It's like the *zillionth* time I hear this today!

I said: hackers can figure out which alts belong to an account id and then perhaps use this information to carry out targeted spam or scam attacks.

If they manage to scam you into giving them your password, it's not the watermark's fault; it's yours.

I just wish people actually read what I've written instead of making things up (and spreading false rumors). How can someone even spread false rumors when everything is written down, stored and openly available right in here?

Anyway, enough rage  :Smile:

----------


## yxcvk

uhm sorry but really?


I don't mind people playing around trying to find "easy ways" to get things but this hard cheater hunt is just <3


Finding an awesome way out of the box to achieve something is fun, creative and all, but I think there is a limit not to cross. I don't like "cheaters", botters and stuff like that.


shit I love Blizzard for this action!  :Smile: 

they got my respect for that action, showing us how serious they take the hunt  :Smile:

----------


## Lunera68

I wonder if it still works if you take a screenshot with fraps,

----------


## Turgid

A response from Europe - I take your legal eagle's comments on US law with interest - here in the EU and in the UK it would be in breach of the Data Protection Act (they've actively used a method which could make personally identifiable data insecure) and under both the DPA and the recent EU law on Cookies they'd have to openly gain your permission first - have you checked images from EU servers to see if the watermarks are on those?

----------


## Sendatsu

> I wonder if it still works if you take a screenshot with fraps,


No, the watermark is not embedded in WoW's graphics. It is only added on top of the screenshots produced by the in-game mechanism.





> A response from Europe - I take your legal eagle's comments on US law with interest - here in the EU and in the UK it would be in breach of the Data Protection Act (they've actively used a method which could make personally identifiable data insecure) and under both the DPA and the recent EU law on Cookies they'd have to openly gain your permission first - have you checked images from EU servers to see if the watermarks are on those?


The watermarks appear both in US and EU servers, they have been part of the live client for many years now.

----------


## Lunera68

> No, the watermark is not embedded in WoW's graphics. It is only added on top of the screenshots produced by the in-game mechanism.
> 
> 
> 
> 
> The watermarks appear both in US and EU servers, they have been part of the live client for many years now.


That's what I thought. No need to worry then :P

----------


## Sendatsu

The Ask Me Anything chat is open!

I posted the "question" here: kgkoutzis comments on World of Warcraft Developer AMA

They don't have to answer my question in specific, as long as they answer someone's question on watermarking.

Let's see what happens  :Smile:

----------


## hp94

I would love to see if this affects Diablo 3 and other recent Blizzard games. I would test this myself but I don't have any Blizzard games any more. All I can offer is rep to someone who tries (whether it is there or not I'd still love to know).

----------


## sn4rk

> I would love to see if this affects Diablo 3 and other recent Blizzard games. I would test this myself but I don't have any Blizzard games any more. All I can offer is rep to someone who tries (whether it is there or not I'd still love to know).


Checked screens of diablo 3 and sc2 - don't see any watermarks with using sharpening method or any filter from filters gallery in photoshop cs6

----------


## Zomtorg

I have a question, I've been looking at old screenshots for a plain one and come across this one. IT IS UNEDITED IN ANY WAY but can I see the pattern before I even do anything?

UNEDITED: http://img88.imageshack.us/img88/495...3011063224.jpg

After: http://img703.imageshack.us/img703/4...3011063224.jpg

Any ideas?

----------


## Ariakan

What's going on?

----------


## Sendatsu

> I have a question, I've been looking at old screenshots for a plain one and come across this one. IT IS UNEDITED IN ANY WAY but can I see the pattern before I even do anything?
> 
> UNEDITED: http://img88.imageshack.us/img88/495...3011063224.jpg
> 
> After: http://img703.imageshack.us/img703/4...3011063224.jpg
> 
> Any ideas?


Yea that's an easy one, open it full screen on an LCD monitor and tilt the screen :P

----------


## Sendatsu

Ok so the reddit "ask me anything (that I can answer)" session has ended. They were asked the "watermark" question at least 11 times and they ignored all 11 of them.

They have been probably told by Blizzard to keep quiet about this until their legal team prepares an official statement (I suppose/hope?).

_(Unless they are just waiting for the whole thing to wear out and be forgotten/go away)._

The most interesting comment I found in the session was by Tom Chilton (lead designer), saying:




> I'll come out and say it. Activision gets an unfair reputation among our players for this, as does Bobby Kotick. We do demos for the Activision executive team about twice per year (sometimes only once). They ask intelligent questions about why we're doing what we're doing, but at no point have any mandates (or even "suggestions") about the game's design been issued.


Anyway.  :Smile:

----------


## _Mike

> Ok so the reddit "ask me anything (that I can answer)" session has ended. They were asked the "watermark" question at least 11 times and they ignored all 11 of them.


In their defense they are just game designers. They probably don't even know about this.

----------


## hp94

I'm very interested in this thread because I've been looking into cryptology for a while. If I can get some images of different Blizzard games from some Ownedcore users, I have a cryptanalysis and steganalysis workstation set up at my college that will get to the bottom of this.

----------


## eldavo1

I have been trying to get a proper watermark out of a normal screenshot (not taken with _Mike's patch) and it just comes up with gibberish... A massive problem with this kind of watermarking is that if even one bit is the wrong color (so black instead of white) then the entire character will be off, unless we use the ECC that comes with it, but I don't have any experience with that (unlike stenography). My program can extract a (broken) watermark out of images now and convert it to something like this (random parts cut out in case it turns out to be decipherable): https://i.imgur.com/EDtkJ.png

It doesn't use sharpening but uses image levels & curves so no information is lost but still no readable info  :Frown:

----------


## FattyXP

> For quite a while i suspected this kind of tracking was possible. thank you for researching & proving it to be true! 
> +cookies your way
> 
> Edit: To people who do not understand the importance, this shows how Blizzard has possible ways of tracking screenshots to the related accounts even with name/character model / etc censored out. It also provides knowledgeable people with more ways to censor the image to prevent the above from happening.


It also provides them with somewhat of a way to detect morphing hacks, and ban the accounts using them. As well as anything else that isn't in line with the ToS. Upload that screenshot of your toon with OHack enabled and your name smudged out? BANHAMMAH.

----------


## saillaw

> A response from Europe - I take your legal eagle's comments on US law with interest - here in the EU and in the UK it would be in breach of the Data Protection Act (they've actively used a method which could make personally identifiable data insecure) and under both the DPA and the recent EU law on Cookies they'd have to openly gain your permission first - have you checked images from EU servers to see if the watermarks are on those?


What is the "personally identifiable data" that they have made secure? I am not familiar with the DPA, but I wonder if any of the data that is view-able, would classify as "personally identifiable data", it doesn't identify anything about you personally. Also, would not the encryption in the images live up to the required level of protection under the law, even if it was in fact "personally identifiable data"? 

I'd be curious to see what "openly gain your permission" requires? Do not the terms of the EULA and TOS achieve that?

Finally, assuming the above two issues did not fall in Blizzard's favor, wouldn't it still not be a violation of the DPA since it was not Blizzard who has published this information, but rather the end users?

----------


## blacky74

There are few white bricks around stormforge where you can get to stare directly at bright white brick (near the entrance to the palace and a couple of other places).

Secondly, the edge detection in gimp does a VERY impressive job of showing these off (use prewitt compass at full) and then you can use the curves (under colours menu) to enhance (pull the curve to the top near the beginning):



I've cut a small section of mine up so I'm not identifiable (I hope)

----------


## Thundathigh

> Your bit pattern is off. The first 16 bits should be "10001100 00001100" which results in the ASCII characters "10".


I understand how to convert the image to the bit values, but am having trouble going from the bits to the ASCII characters. Using sites such as ASCII Code - The extended ASCII table I get that the previous binary should translate to ŒFF (Latin capital ligature OE + Form Feed), which is clearly incorrect. (The ASCII on that site shows 0011000100110000 as 10). What am I doing wrong here?

----------


## _Mike

> I understand how to convert the image to the bit values, but am having trouble going from the bits to the ASCII characters. Using sites such as ASCII Code - The extended ASCII table I get that the previous binary should translate to ŒFF (Latin capital ligature OE + Form Feed), which is clearly incorrect. (The ASCII on that site shows 0011000100110000 as 10). What am I doing wrong here?


Reverse each byte before converting to ASCII. 10001100 00001100 -> 00110001 00110000

----------


## Thundathigh

Haha I realized that right after I posted, why is it Little-Endian though?
Thanks for the help though!

----------


## Anonie

> I'm very interested in this thread because I've been looking into cryptology for a while. If I can get some images of different Blizzard games from some Ownedcore users, I have a cryptanalysis and steganalysis workstation set up at my college that will get to the bottom of this.


Read this guy's message and his following posts, and possibly pm him for some direct info. From his post, it seems that nothing is encrypted, you just gotta decode the message to begin with.

http://www.ownedcore.com/forums/worl...ml#post2489452 (Looking inside your screenshots)

----------


## hootersam

great find. +rep

----------


## streppel

German IT-News Site Golem.de just posted about this.
Great find, +rep

@Blizzard: you're bad and you should feel bad!

----------


## sn4rk

> I'm very interested in this thread because I've been looking into cryptology for a while. If I can get some images of different Blizzard games from some Ownedcore users, I have a cryptanalysis and steganalysis workstation set up at my college that will get to the bottom of this.


pmed you with a link to screens

----------


## Ehnoah

If I remember right -> It is not allowed in Germany to get Process Information, so surely they have to remove it in Germany

----------


## stoneharry

> If I remember right -> It is not allowed in Germany to get Process Information, so surely they have to remove it in Germany


I don't think anyone's going to go to great lengths to try and do anything about it when it is so unclear whether it is even infringing any laws. Blizzard haven't even given a PR response.

----------


## Sendatsu

> What is the "personally identifiable data" that they have made secure? I am not familiar with the DPA, but I wonder if any of the data that is view-able, would classify as "personally identifiable data", it doesn't identify anything about you personally. Also, would not the encryption in the images live up to the required level of protection under the law, even if it was in fact "personally identifiable data"? 
> 
> I'd be curious to see what "openly gain your permission" requires? Do not the terms of the EULA and TOS achieve that?
> 
> Finally, assuming the above two issues did not fall in Blizzard's favor, wouldn't it still not be a violation of the DPA since it was not Blizzard who has published this information, but rather the end users?


Hello saillaw

Just a few more comments on this. The information inside the watermark is *not encrypted*, it is *just encoded*. This means that as soon as someone figures out the algorithm to get them out from a normal image (we got half way there in 48 hours using a clean image) then they can extract the account id and realm id from *any available screenshot* on the Web (after 2008 apparently).

Now, combine this with an automated Web spider bot which scans for images and categorizes them based on account and realm id, and you can quickly make a database showing which screenshots belong to which character and have the users identify who is who. Note that a website (cogshanks.org) which used the capabilities of the ignore list* to help users realize which accounts holds which characters, has now been disabled "because [of] heathens", as it states - whatever that means. I am pretty sure Blizzard wants to be the only one who knows who is who in the game.

In addition to this, as soon as someone is able to successfully extract the full watermark from a normal image, they can then also *re-encode it into a clean image*  :Smile:  This way they can use the Assembly code mentioned in this thread to skip their watermark, screenshot themselves performing weird hacks or cheats and then embed the watermark of another character - which is like *framing* them for something they didn't do. Blizzard will then be checking the logs of the framed character to identify the hacks but they won't be finding anything (which will make them even more worried :P).

If Blizzard had published this information back in 2008, users who wanted to maintain their privacy (_not everyone does, unfortunately_) would know better than to publicly share their WoW generated screenshots on the Web. Now that we discovered these unencrypted data after approximately four years, we only prove that anyone could have already been using this "hack" and just keeping quiet about it. It wouldn't be hard for Blizzard to encrypt the data using a strong private key so that only they would be able to read them (and it would still also be nice if we knew :P). This whole case was *an accident waiting to happen* and I wonder for how long Blizzard expected us to continue without noticing.


* Apparently, if you ignore a character, you also ignore all the characters in his account which, if it's used correctly/widely enough, can eventually produce the full character list.

----------


## _Mike

> In addition to this, as soon as someone is able to successfully extract the full watermark from a normal image, they can then also *re-encode it into a clean image*  This way they can use the Assembly code mentioned in this thread to skip their watermark, screenshot themselves performing weird hacks or cheats and then embed the watermark of another character - which is like *framing* them for something they didn't do. Blizzard will then be checking the logs of the framed character to identify the hacks but they won't be finding anything (which will make them even more worried :P).


Just a side note; Doing this is easy and doesn't need any image editing. Just change the account name in memory and let the client do the watermarking.  :Wink:

----------


## Sendatsu

> Just a side note; Doing this is easy and doesn't need any image editing. Just change the account name in memory and let the client do the watermarking.


http://i2.kym-cdn.com/photos/images/.../Slow-Clap.gif

_(Can't re-rep you yet :P)_

----------


## DBRecycler

This system existed already on the 2.4.3 client and it's also enabled on private servers. I found out that the current time is being saved in the form of "Hours/Minutes", this confirms again that this is an active working system, not just some "JPG artefacts". Just take a SS each minute and you will see that one small part is changing each time, it's not changing in less than 1 minute though.

Surprisingly the realm name seems to be not saved (Not sure about realmlist yet), I made identical screenshots with different realm names but the saved information was exactly the same (Only the minute part changed after 20 secs as it should be).

----------


## Sendatsu

Hello DBRecycler




> This system existed already on the 2.4.3 client and it's also enabled on private servers.


Thank you for your contribution. Can you please post some reference for this? It sounds very interesting.

----------


## DBRecycler

> Hello DBRecycler
> 
> 
> 
> Thank you for your contribution. Can you please post some reference for this? It sounds very interesting.


You are welcome, I hope you understand that I can't use my real nickname here because too many eyes are watching this thread.

Well I simply started my 2.4.3 client and connected to a private TBC server, afterwards I modified the pictures with Irfanview _(Set sharpness to max, gamma to 0.01)_ and see very clearly the saved information.

*Edit:* It seems to be saving only HALF the information that it does on Cata though (Compared screenshots), the data lines are way thinner on TBC. So I guess it got improved with LK/Cata as Warden did to spy more information about the user.

Then I changed the realm name and couldn't see any changes in the pictures (Apart from minute part of the time).

I'm currently testing the realmlist but for some reason the picture is different each time a client is started! Also opening 2 WoW clients at once is creating strange results, it might be saving the process name or ID (PID) which would explain the different result.

----------


## Sendatsu

> You are welcome, I hope you understand that I can't use my real nickname here because too many eyes are watching this thread.
> 
> Well I simply started my 2.4.3 client and connected to a private TBC server, afterwards I modified the pictures with Irfanview _(Set sharpness to max, gamma to 0.01)_ and see very clearly the saved information.
> 
> Then I changed the realm name and couldn't see any changes in the pictures (Apart from minute part of the time).
> 
> I'm currently testing the realmlist but for some reason the picture is different each time a client is started! Also opening 2 WoW clients at once is creating strange results, it might be saving the process name or ID (PID) which would explain the different result.


Make sure you are using the same graphic settings for both clients because even the smallest difference in resolution or color depth can change the appearance of the entire watermark.

----------


## DBRecycler

> Make sure you are using the same graphic settings for both clients because even the smallest difference in resolution or color depth can change the appearance of the entire watermark.


I did, don't worry, I created like 100~ test pictures so far to compare the results properly with same settings / position / view angle etc. Edited my post above about the Cataclysm part.

----------


## Ermiz

Hah, ok I'm speechless. Good find.

----------


## Sendatsu

> Well I simply started my 2.4.3 client and connected to a private TBC server, afterwards I modified the pictures with Irfanview _(Set sharpness to max, gamma to 0.01)_ and see very clearly the saved information.
> 
> *Edit:* It seems to be saving only HALF the information that it does on Cata though (Compared screenshots), the data lines are way thinner on TBC. So I guess it got improved with LK/Cata as Warden did to spy more information about the user.


Fun fact: Patch 2.4.3 is the *first patch* Blizzard released *after their official acquisition* from Activision and the *last patch of the Burning Crusade* expansion.

This basically means that *we're looking at mid-2008, near the end of BC [15/07/2008]*, so it appears that BC was probably also affected by this.

----------


## filuta

This is in game since beta 2.1.0 (May 2007), when saving screenshots as jpg has been added.

----------


## Sendatsu

> This is in game since beta 2.1.0 (May 2007), when saving screenshots as jpg has been added.


Can you provide us with a screenshot please? Feel free to blur stuff out as needed  :Smile:

----------


## Ramono

I can confirm 2.4.3 also has this watermark in its screenshots

----------


## filuta

unedited 25/5/2007

----------


## Sendatsu

> unedited 25/5/2007


I can't find this specific pattern in there with image filters + naked eye I'm afraid.

Maybe it used to have a different form back then, if this indeed started as early as 2007.

Any filtering ideas? Any JPG screenshot after 22/05/2007 will do (monochromes preferred).

----------


## filuta

You can see that something is there. Second screenshot is from 15/10/2007.

----------


## Sendatsu

> unedited 25/5/2007


There appears to be something data-like inside the tooltip. I messed with the threshold and got this: https://i.imgur.com/Eic8f.jpg

These steep straight lines and shapes reminded me of when I changed the threshold in my original image and saw this: https://i.imgur.com/cnaHh.jpg

The cloud behind the transparent tooltip though is a bit tricky, it might just be its shadow.

Maybe there's something in there, maybe not. Until we figure out a way to extract watermarks from normal images we can't be sure. I'll see what else I can find. Thanks for sharing.

----------


## sn4rk

here is screen - sharpen works date September 12 2007 Patch 2.1.3

----------


## Sendatsu

> You can see that something is there. Second screenshot is from 15/10/2007.





> here is screen - sharpen works date September 12 2007 Patch 2.1.3


Yes I can see obvious patterns in both of these images with sharpen.

*So, this basically means that, the watermarking started before the Activision deal was announced on December 2, 2007.*

So, Blizzard decided this on their own, without any external pressure/order.

I guess that could have been what Tom Chilton meant when he said that Activision "_at no point have any mandates (or even "suggestions") about the game's design been issued_". :P

(It could be slightly related because the OP had asked 6 questions http://www.reddit.com/r/wow/comments...er_ama/c66v1ef, the first one being the watermark, and Tom answered the second one directly, "discretely" skipping the first)

_Updated the introductory post to show that this started in 2007!_

----------


## DeXoY

I found a pretty good solution to "check" normal screenshots, for that pattern.
go here: Free Online Image Error Level Analysis using HTML5 - 29a.ch
drag and drop your screenshot in there and play around with the sliders.
This is an example from my screenshot. I just marked the pattern with paint.

https://i.imgur.com/r7DiL.jpg
https://i.imgur.com/ojPZ5.jpg
https://i.imgur.com/j7rVr.jpg
https://i.imgur.com/oUKaY.jpg
https://i.imgur.com/vsffK.jpg


Found them again and again and again inside my screenshots. I feel kinda naked now...
I know that there is no sensible Data inside them, but I feel really naked against that company now. I knew every chat-log was saved before, but that's some kind of freaky 'cause it was secretly hidden all the time right in front of our eyes.

Edit: A big German gaming magazine wrote already about it. http://www.gamestar.de/spiele/world-...2,3004862.html
And also a big German "IT Online Newssite" http://winfuture.de/news,71963.html

----------


## Sendatsu

> I found a pretty good solution to "check" normal screenshots, for that pattern.
> go here: Free Online Image Error Level Analysis using HTML5 - 29a.ch
> drag and drop your screenshot in there and play around with the sliders.
> This is an example from my screenshot. I just marked the pattern with paint.
> 
> https://i.imgur.com/r7DiL.jpg
> https://i.imgur.com/ojPZ5.jpg
> https://i.imgur.com/j7rVr.jpg
> https://i.imgur.com/oUKaY.jpg
> ...


That's a really cool tool DeXoY! Gotta love HTML5!  :Big Grin:  Thanks for sharing!

----------


## DeXoY

No problem. That little tool allows all the non-believers to simply check their own screenshots without any knowledge.

----------


## filuta

Found a screenshot from 2.1.0 PTR with a visible pattern. original pattern

----------


## Fayntic

Can you post it so they can check the timestamp?

----------


## FattyXP

Is it possible that these "barcodes" could contain process/memory information? Such as the values of certain commonly hacked variables? Or do we definitively know everything that these codes say?
Or perhaps just something like the readout you get when you crash and then the report to blizzard window comes up, lists all of the loaded modules inside of wow (including things like OHack, anything that is injected comes up in this list AFAIK, at least the hacks I've used) Would be a really good way for them to detect people since anyone with a brain doesn't send in crash reports when they are hacking.

----------


## Sendatsu

> Is it possible that these "barcodes" could contain process/memory information? Such as the values of certain commonly hacked variables? Or do we definitively know everything that these codes say?
> Or perhaps just something like the readout you get when you crash and then the report to blizzard window comes up, lists all of the loaded modules inside of wow (including things like OHack, anything that is injected comes up in this list AFAIK, at least the hacks I've used) Would be a really good way for them to detect people since anyone with a brain doesn't send in crash reports when they are hacking.


Hello FattyXP

We now know exactly what is stored inside the watermarks so no need for guessing  :Smile:  Please see this post: http://www.ownedcore.com/forums/worl...ml#post2493603 (Looking inside your screenshots)

----------


## ukilliheal

My theory is that the current watermark could be used to figure out if a screencap submitted with a bug report has been edited, which would explain why it's taking up so much space. However that is not to say that the watermark doesn't serve some other purposes such as tracking down private servers and catching people doing stuff that Blizzard would disagree with.

----------


## Sendatsu

> My theory is that the current watermark could be used to figure out if a screencap submitted with a bug report has been edited, which would explain why it's taking up so much space. However that is not to say that the watermark doesn't serve some other purposes such as tracking down private servers and catching people doing stuff that Blizzard would disagree with.


If they only wanted it for authenticity reasons, they could have just watermarked a unique version of their logo or perhaps an encrypted key. But we found account and realm info which means that its original aim was to secretly track the users, *in addition to the known tracking methods* that we agree to in the ToS.

Bear in mind that *when this started, back in 2007, we were using our account name to login* so, before the battle.net conversion in 2009, the watermarks actually had _really_ sensitive information. Between *May 22, 2007* and *November 11, 2009*, any malicious hacker who knew about this could use a screenshot of a lucrative character to find their actual username & active realm and then either try to scam them out of their password, or just brute-force it.

----------


## FattyXP

> Hello FattyXP
> 
> We now know exactly what is stored inside the watermarks so no need for guessing  Please see this post: http://www.ownedcore.com/forums/worl...ml#post2493603 (Looking inside your screenshots)


Ahh thank you, that post was rather buried lol.

----------


## g1zm0

Can clearly see the pattern in screenshots from December 2007. Never really noticed it until now so it was well hidden. On the right of the moon.

----------


## Thundathigh

Looking at one of _Mike's earlier pictures, it seemed that the watermark was applied to SS's by adding a little more blue. But using a SS from inside of the tree in Crystalsong Forest, I made a program in Java to check the RGB value of each Pixel, and found that where the watermark was applied, it changed ALL of the RGB values (253 or 254 instead of 255).

Watermark - Imgur (All from the Crystalsong Forest picture, Shadowmoon Valley not shown.)

Since I had trouble doing the same with an almost black SS from the Nether in Shadowmoon Valley, it seems to imply that the watermark is subtracting some of the RGB value, rather than adding any one color on top. Does anyone know how the watermark is applied?

----------


## Sendatsu

> Looking at one of _Mike's earlier pictures, it seemed that the watermark was applied to SS's by adding a little more blue. But using a SS from inside of the tree in Crystalsong Forest, I made a program in Java to check the RGB value of each Pixel, and found that where the watermark was applied, it changed ALL of the RGB values (253 or 254 instead of 255).
> 
> Watermark - Imgur (All from the Crystalsong Forest picture, Shadowmoon Valley not shown.)
> 
> Since I had trouble doing the same with an almost black SS from the Nether in Shadowmoon Valley, it seems to imply that the watermark is subtracting some of the RGB value, rather than adding any one color on top. Does anyone know how the watermark is applied?


Looks like progress! Nicely done  :Smile:  I believe it may have something to do with luminance hiding, like steganography does. You may want to check out Digimarc's patents to learn more: http://www.ownedcore.com/forums/worl...ml#post2490910 (Looking inside your screenshots)


EDIT:

I'll help some more. Start with a normal un-cropped and un-blurred screenshot that you just captured from WoW. Let's say it's *1680 x 1028* so the first appearance of the pattern would start at *121 x 151*. The next *352 x 240* pixels is a full version of the pattern hidden among the graphics. Retrieve those pixels only and split them in *4x5* parts to end up with a total of *4224* items (*88* bits per row, *48* per column). Mess with the luminance, or any other thing you may think of, in order to figure out which one is a full black item and which one has a space invader inside :P Then you'll have the pattern ready for conversion into 0s and 1s  :Smile: 


EDIT#2:

I also updated my Java code to make the pattern => bits conversion faster, check it out: http://www.ownedcore.com/forums/worl...ml#post2492716

----------


## Thundathigh

> ...
> the first appearance of the pattern would start at *121 x 151*. 
> ...


That's what I'm having trouble with, where are you finding that number from?

I was trying to do x = imageWidth/2 - patternWidth, (where patternWidth is 352), but that gets me nowhere near the right amount. I realize that a SS taken with resolution like _Mike's would require me to subtract the pattern width twice, but that still doesn't get me 121 (it gets me 136). How are you coming up with those numbers?

----------


## Sendatsu

> That's what I'm having trouble with, where are you finding that number from?
> 
> I was trying to do x = imageWidth/2 - patternWidth, (where patternWidth is 352), but that gets me nowhere near the right amount. I realize that a SS taken with resolution like _Mike's would require me to subtract the pattern width twice, but that still doesn't get me 121 (it gets me 136). How are you coming up with those numbers?


If you look closely, you'll see that the same pattern repeats 4-3-4. Horizontally they have +[8,12,8] pixels in-between and vertically +[4,4] pixels. So we have:

Horizontal axis: 352+8+352+12+352+8+352=1408+28=*1436 pixels*
Vertical axis: 240+4+240+4+240=720+8=*728 pixels*

So now you have to center a 1436 x 728 watermark inside a 1680 x 1028 image.

Width: 1680 - 1436 = 244 / 2 = 122
Height: 1028 - 728 = 300 / 2 = 150

And you are right, the centering is not correct, it's -2 to the left. Interesting. I wonder if that is because of our conversion or their code.

It should have been 122+1x150+1 but now it's 120+1x150+1 and the extra 2 pixels are to the right of the watermark, so it leans a bit to the left.

----------


## Aegean

I approve of this thread  :Stick Out Tongue:  +rep

----------


## Shu1ch1

> If you look closely, you'll see that the same pattern repeats 4-3-4. Horizontally they have +[8,12,8] pixels in-between and vertically +[4,4] pixels. So we have:
> 
> Horizontal axis: 352+8+352+12+352+8+352=1408+28=*1436 pixels*
> Vertical axis: 240+4+240+4+240=720+8=*728 pixels*
> 
> So now you have to center a 1436 x 728 watermark inside a 1680 x 1028 image.
> 
> Width: 1680 - 1436 = 244 / 2 = 122
> Height: 1028 - 728 = 300 / 2 = 150
> ...


It's funny though how the shape of the watermark changes with screen resolution.

On 1920x1080 it is really well centered (959.5, 539.5 [-0.5,-0.5]), too. And looks different from your 1680x1028 version.
At 800x600 (windowed) the center is at 360,380 which is off by [-40, -20]. But at that resolution the first "line" of the pattern looks strange. (top: 100px: https://i.imgur.com/y9fOo.png) [A problem with windowed mode?]
On my netbook's native resolution (@1024x600) the watermark looks different again: just one "row" with 2 partial columns (that would combine to 1 complete column) and 2 normal columns. But I have a hard time getting a clean shot with those low graphics & fps. I should probably try to add a solid texture on top of the whole UI (with kgpanels).

----------


## Sendatsu

> It's funny though how the shape of the watermark changes with screen resolution.
> 
> On 1920x1080 it is really well centered (959.5, 539.5 [-0.5,-0.5]), too. And looks different from your 1680x1028 version.
> At 800x600 (windowed) the center is at 360,380 which is off by [-40, -20]. But at that resolution the first "line" of the pattern looks strange. (top: 100px: https://i.imgur.com/y9fOo.png) [A problem with windowed mode?]


You should have seen all the funny versions I experimented with when I switched to windowed mode (non-fullscreen) and started changing the size of the window by a little every time to see when the pattern would split into more rows :P




> On my netbook's native resolution (@1024x600) the watermark looks different again: just one "row" with 2 partial columns (that would combine to 1 complete column) and 2 normal columns. But I have a hard time getting a clean shot with those low graphics & fps. I should probably try to add a solid texture on top of the whole UI (with kgpanels).


Just use the trick I just mentioned to "simulate" the netbook resolution on a larger monitor  :Wink:

----------


## _Mike

> If you look closely, you'll see that the same pattern repeats 4-3-4. Horizontally they have +[8,12,8] pixels in-between and vertically +[4,4] pixels. So we have:
> 
> Horizontal axis: 352+8+352+12+352+8+352=1408+28=*1436 pixels*
> Vertical axis: 240+4+240+4+240=720+8=*728 pixels*
> 
> So now you have to center a 1436 x 728 watermark inside a 1680 x 1028 image.
> 
> Width: 1680 - 1436 = 244 / 2 = 122
> Height: 1028 - 728 = 300 / 2 = 150
> ...


You are getting close  :Smile: 
The rect is actually 356x240 though (the last "bit column" is empty) and x,y is 120,150.
Me and Main have been working on reversing the code. Nothing majorly exciting so far though.

----------


## Sendatsu

> You are getting close 
> The rect is actually 356x240 though (the last "bit column" is empty) and x,y is 120,150.
> Me and Main have been working on reversing the code. Nothing majorly exciting so far though.


That actually makes sense! So they leave 4px distance both on x and y.

By the way, I updated the Java code to give a more straightforward output.


*New calculations:*

Horizontal axis: 356+4+356+8+356+4+352=1424+16=1440
Vertical axis: 240+4+240+4+240=720+8=728 pixels

So now you have to center a 1440 x 728 watermark inside a 1680 x 1028 image.

Width: 1680 - 1436 = 240 / 2 = 120
Height: 1028 - 728 = 300 / 2 = 150

They probably add the extra 2px in the middle to get round division results later on, or something like that.

So, 120+1x150+1, there it is  :Smile:

----------
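The tile geometry from the posts above (4x5 cells, 88 x 48 bits, first tile at 120,150 with the 356+4 / 356+8 / 356+4 spacing) and _Mike's "reverse each byte" rule, put together as an added example that is not part of any post in this thread. It assumes a 1680x1028 capture of a pure white area, a row-by-row bit order and "dimmed cell = 1"; the image and payload are constructed in the code, and the vote over the four top-row tiles shows how the repeats absorb the single wrong bit eldavo1 describes.

```python
# Added example, not code from the thread. Geometry is taken from the posts;
# the cell-to-bit mapping and the row-major bit order are assumptions.

CELL_W, CELL_H = 4, 5              # each "item" is 4 px wide, 5 px tall
COLS, ROWS = 88, 48                # 88 bits per row, 48 rows -> 4224 bits
# First tile at 120,150, then the 356+4 / 356+8 / 356+4 spacing from the thread.
TOP_ROW_ORIGINS = [(120, 150), (480, 150), (844, 150), (1204, 150)]
WHITE = 255                        # marked pixels were reported as 253 or 254


def read_tile(lum, origin):
    """Return the 4224 cell bits of one tile, row by row (assumed order)."""
    ox, oy = origin
    if oy + ROWS * CELL_H > len(lum) or ox + COLS * CELL_W > len(lum[0]):
        raise ValueError("tile at %r does not fit in the image" % (origin,))
    bits = []
    for r in range(ROWS):
        for c in range(COLS):
            x0, y0 = ox + c * CELL_W, oy + r * CELL_H
            marked = any(lum[y][x] < WHITE
                         for y in range(y0, y0 + CELL_H)
                         for x in range(x0, x0 + CELL_W))
            bits.append(1 if marked else 0)   # assumption: marked cell = 1
    return bits


def majority(tiles):
    """Per-bit majority vote over repeated tiles; ties resolve to 0."""
    return [1 if 2 * sum(col) > len(col) else 0 for col in zip(*tiles)]


def bits_to_bytes(bits, reverse_each_byte=True):
    """Pack bits into bytes. Each byte is stored least significant bit first,
    so every group of 8 is reversed before it is read as a number."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        group = bits[i:i + 8]
        if reverse_each_byte:
            group = group[::-1]
        out.append(int("".join(map(str, group)), 2))
    return bytes(out)


def decode_screenshot(lum, origins=TOP_ROW_ORIGINS):
    """Read every tile, vote bit by bit, and return the packed bytes."""
    tiles = [read_tile(lum, o) for o in origins]
    return bits_to_bytes(majority(tiles))


# ---- constructed test input (not a real screenshot) ----
def constructed_white_image(payload, flip=None, width=1680, height=1028):
    """White luminance grid with `payload` drawn as dimmed cells in every
    top-row tile. flip=(tile_index, bit_index) simulates one damaged cell."""
    lum = [[WHITE] * width for _ in range(height)]
    bits = [(byte >> k) & 1 for byte in payload for k in range(8)]  # LSB first
    for t, (ox, oy) in enumerate(TOP_ROW_ORIGINS):
        for i, bit in enumerate(bits):
            if flip == (t, i):
                bit ^= 1
            if bit:
                r, c = divmod(i, COLS)
                lum[oy + r * CELL_H + 2][ox + c * CELL_W + 1] = 254
    return lum


SAMPLE = b"10 constructed payload, not a real watermark"

if __name__ == "__main__":
    image = constructed_white_image(SAMPLE, flip=(2, 5))
    # All four tiles voted together recover the payload despite the bad cell.
    print(decode_screenshot(image)[:len(SAMPLE)])
    # The damaged tile read on its own has a corrupted first character.
    print(bits_to_bytes(read_tile(image, TOP_ROW_ORIGINS[2]))[:2])
```

Reading with `reverse_each_byte=False` reproduces the 0x8C 0x0C result Thundathigh got from the ASCII table.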


## Thundathigh

Since everyone is confused on what each resolution looks like (me included), I changed my settings so that I could record each one, and then processed them to find the watermarks. (1360x768 native if it matters). I could not choose any option higher than 1366x768, so someone else will have to do those.

Watermark Resolutions - Imgur

The column labeled "Watermark" is the pattern that it appears in, ie the number in the top, middle, and bottom row.

Edit: Couldn't find a good way to host a .txt, just took a SS of it and threw it in imgur with the others.

----------


## Thundathigh

> The rect is actually 356x240 though (the last "bit column" is empty)


Ah, the values I have in the Horizontal row should all become 4 then (except for 1366x768 which would become 3??). That does make a lot more sense, thanks for clearing that up!



> Me and Main has been working on reversing the code. Nothing majorly exciting so far though.


Haha keep it up!

Edit: Chart changed to reflect actual watermark size.

----------


## filuta

> Can you post it so they can check the timestamp?


Black Temple PTR and new loot discussion - Page 13 - Elitist Jerks

----------


## eldavo1

> Since everyone is confused on what each resolution looks like (me included), I changed my settings so that I could record each one, and then processed them to find the watermarks. (1360x768 native if it matters). I could not choose any option higher than 1366x768, so someone else will have to do those.
> 
> Watermark Resolutions - Imgur
> 
> The column labeled "Watermark" is the pattern that it appears in, ie the number in the top, middle, and bottom row.
> 
> Edit: Couldn't find a good way to host a .txt, just took a SS of it and threw it in imgur with the others.


What's with 800*600? That looks like the odd one out to me... 

Anyway, been working on cropping the screenshots into something like that, I got near to what you found. Still can't extract that damn watermark, though

----------


## tongotan

Keep up the good work.

----------


## _Mike

> Ah, the values I have in the Horizontal row should all become 4 then (except for 1366x768 which would become 3??). That does make a lot more sense, thanks for clearing that up!


Just to clarify; It is empty in the ss I was referring to in the quote but not at all resolutions though.




> What's with 800*600? That looks like the odd one out to me...


Yes 800x600 is special.


```
rects.Add(new Rect(-384, 384, -220, 220)); // x_offset from center, width, y_offset from center, height
rects.Add(new Rect(0, 300, -285, 285));
rects.Add(new Rect(-340, 340, 0, 250));
rects.Add(new Rect(0, 340, 0, 250));
```

Update:
Watermark positioning. Not 100% perfect though. It is off by 1 pixel on the Y offset on some resolutions.


```
public struct Rect
{
	public short X;
	public short Width;
	public short Y;
	public short Height;

	public Rect(short x, short width, short y, short height)
	{
		X = x;
		Width = width;
		Y = y;
		Height = height;
	}
}

Rect[] GenerateRects(int width, int height, int numBytes) // screen width, screen height, number of bytes in watermark (88 bytes)
{
	List<Rect> ret = new List<Rect>();

	if (width != 800 || height != 600)
	{
		int tmp = ((((((numBytes << 4) + (numBytes * 2)) * 3) - 1) / (numBytes * 2 * 3) * (numBytes * 2 * 3)) + 7) >> 3;
		int numVerticalBits = (int)((height * 0.2325581395348837 + 4) * 0.2);
		int numHorizontalBits = (int)Math.Floor((8 * tmp) / (float)(int)numVerticalBits) + 1;
		if (numHorizontalBits > width)
			return null;
		short rheight = (short)(5 * (int)numVerticalBits);
		short rwidth = (short)(4 * (int)numHorizontalBits);

		if (8 * numHorizontalBits > (width - 16))
		{
			ret.Add(new Rect((short)Math.Floor(rwidth * -0.5), rwidth, (short)Math.Floor(rheight * -1.55), rheight));
			ret.Add(new Rect((short)Math.Floor(rwidth * -0.5), rwidth, (short)Math.Floor(rheight * -0.5), rheight));
			ret.Add(new Rect((short)Math.Floor(rwidth * -0.5), rwidth, (short)Math.Floor(rheight * 0.55000001), rheight));
		}
		else
		{
			int totalx = rwidth >> 1;
			ret.Add(new Rect((short)-(rwidth >> 1), rwidth, (short)-(rheight >> 1), rheight));
			short v10 = (short)(rwidth >> 1);
			short v13;
			if ((rwidth >> 1) + (rwidth + 4) < (width >> 1))
			{
				do
				{
					if (ret.Count > 30)
						break;
					v13 = (short)(v10 + 4);
					v10 = (short)(rwidth + v13);
					ret.Add(new Rect(v13, rwidth, (short)Math.Floor(rheight * -0.5), rheight));
					ret.Add(new Rect((short)-v10, rwidth, (short)Math.Floor(rheight * -0.5), rheight));
				} while (v10 + rwidth + 4 < (width >> 1));
			}
			int v15 = rwidth + 4;
			int v16 = 0;
			if ((rwidth + 4) < (width >> 1))
			{
				double v17 = 1.5;
				do
				{
					if (ret.Count > 28)
						break;
					int v18 = v16 + 4;
					v16 = rwidth + v18;
					totalx = rwidth + v15 + 4;
					ret.Add(new Rect((short)v18, rwidth, (short)(-4 - ((int)Math.Floor(rheight * v17))), rheight));
					ret.Add(new Rect((short)v18, rwidth, (short)(4 - (int)Math.Floor(rheight * -0.5)), rheight));
					ret.Add(new Rect((short)-(rwidth + v18), rwidth, (short)(-4 - ((int)Math.Floor(rheight * v17))), rheight));
					ret.Add(new Rect((short)-(rwidth + v18), rwidth, (short)(4 - (int)Math.Floor(rheight * -0.5)), rheight));
					v15 = totalx;
				} while (totalx < (width >> 1));
			}
		}
	}
	else
	{
		ret.Add(new Rect(-384, 384, -220, 220));
		ret.Add(new Rect(0, 300, -285, 285));
		ret.Add(new Rect(-340, 340, 0, 250));
		ret.Add(new Rect(0, 340, 0, 250));
	}


	return ret.ToArray();
}
```

----------


## eldavo1

> Just to clarify; It is empty in the ss I was referring to in the quote but not at all resolutions though.
> 
> 
> Yes 800x600 is special.
> 
> 
> ```
> rects.Add(new Rect(-384, 384, -220, 220)); // x_offset from center, width, y_offset from center, height
> rects.Add(new Rect(0, 300, -285, 285));
> ...
> ```


I'm guessing that's part of the code you are reversing. That would make decoding images a lot easier than guesstimating what to do. If you ever get it finished, I could whip something together easily to get the watermarks out of screenies.

----------


## Thundathigh

Wow that really makes things easier, thanks for looking up everything!



> Watermark positioning. Not 100% perfect though. It is off by 1 pixel on the Y offset on some resolutions.


If that's the code that the program uses, how could it be off by a pixel? Either way really awesome dude



> I'm guessing thats part of the code you are reversing.


I don't think that anyone needs to reverse any more code, the large section of code that _Mike posted generates a list of Rect's that contain the x and y position, as well as the width and height of the watermarks that will be added to the SS. You should be able to move onto decoding the watermarks from actual SS's.

That said... did you figure out what the watermark actually is _Mike? (Change of opacity or of RGB values?)

----------


## eldavo1

> If that's the code that the program uses, how could it be off by a pixel? Either way really awesome dude


He reverse engineered it, meaning that he got the assembly and tried to make the same code, but obviously not exact




> That said... did you figure out what the watermark actually is _Mike? (Change of opacity or of RGB values?)


Waiting on this, the code he posted is to get the watermark only and remove everything else

EDIT: _Mike, your code results in weird values... what am I doing wrong here: https://i.imgur.com/3ZYnU.png Why is it returning negative values for x & y? Does it for any image here: http://imgur.com/a/NvGET

----------


## _Mike

> Why is it returning negative values for x & y?


Offset from center of image.

----------


## Thundathigh

Tested multiple SS (pure white, pure black, normal) using


```
int color = image.getRGB(i, j);
int alpha = (color >> 24) & 0xff;
```

alpha (or opacity) is always set to 255, so no need to check in the code.

----------


## eldavo1

> Offset from center of image.


Sweet. Cropped the 1024*768 to this: https://i.imgur.com/XHLRX.png

----------


## Luckdogg2211

yup thats it

----------


## Thundathigh

Pure black screens have no changes in them at all, no opacity or RGB changes... so just keep it in mind if you're writing anything to use an actual SS that the watermark is removing some of the RGB values.

----------


## Sendatsu

> Sweet. Cropped the 1024*768 to this: https://i.imgur.com/XHLRX.png


I think you missed some parts from the left? Can you check please? Otherwise well done, keep up! (I'll rep everyone as soon as it lets me :) )

----------


## Sendatsu

> Pure black screens have no changes in them at all, no opacity or RGB changes... so just keep it in mind if you're writing anything to use an actual SS that the watermark is removing some of the RGB values.


I still believe it has something to do with *luminance*. They even mention it in their patents: Patent US7822969 - Watermark systems and methods - Google Patents

Based on some code I found on the Web, you can use:

Y = 0.2126*R + 0.7152*G + 0.0722*B

if Y < 128 then black else white

Can someone try this? Thank you :)

----------


## eldavo1

> I think you missed some parts from the left? Can you check please? Otherwise well done, keep up! (I'll rep everyone as soon as it lets me )


Exact copy & paste of what mike gave me. I'll try fine tuning it after I finish my work...




> I still believe it has something to do with *luminance*. They even mention it in their patents: Patent US7822969 - Watermark systems and methods - Google Patents
> 
> Based on some code I found on the Web, you can use:
> 
> Y = 0.2126*R + 0.7152*G + 0.0722*B
> 
> if Y < 128 then black else white
> 
> Can someone try this? Thank you


Already tried, that's what my patch does after it crops it and tries to isolate it into a black & white pattern. It seems to leave some parts out when converting the colors from sharpened to pure.



```
// walk the rectangle in 4x5-pixel cells (one watermark bit per cell)
for (Int32 xx = rectangle.X; xx < rectangle.X + rectangle.Width; xx += 4)
{
    for (Int32 yy = rectangle.Y; yy < rectangle.Y + rectangle.Height; yy += 5)
    {
        Int32 avgR = 0, avgG = 0, avgB = 0;
        Int32 imagePixelCount = 0;

        // sum the red, green and blue of every pixel in the cell
        // while making sure you don't go outside the image bounds
        for (Int32 x = xx; (x < xx + 4 && x < image.Width); x++)
        {
            for (Int32 y = yy; (y < yy + 5 && y < image.Height); y++)
            {
                Color pixel = image.GetPixel(x, y);

                avgR += pixel.R;
                avgG += pixel.G;
                avgB += pixel.B;

                imagePixelCount++;
            }
        }

        // cell lies completely outside the image: nothing to average
        if (imagePixelCount == 0)
            continue;

        avgR = avgR / imagePixelCount;
        avgG = avgG / imagePixelCount;
        avgB = avgB / imagePixelCount;

        // luminance of the averaged cell color
        float Y = 0.2126f * avgR + 0.7152f * avgG + 0.0722f * avgB;

        if (Y > 128)
        {
            avgR = 255;
            avgG = 255;
            avgB = 255;
        }
        else
        {
            avgR = 0;
            avgG = 0;
            avgB = 0;
        }

        // set each pixel of the cell to that color; the limits are the rectangle's
        // right and bottom edges (X + Width, Y + Height), not its bare width and height,
        // otherwise cells are skipped whenever the rectangle does not start at 0,0
        for (Int32 x = xx; x < xx + 4 && x < image.Width && x < rectangle.X + rectangle.Width; x++)
            for (Int32 y = yy; y < yy + 5 && y < image.Height && y < rectangle.Y + rectangle.Height; y++)
                image.SetPixel(x, y, Color.FromArgb(avgR, avgG, avgB));
    }
}
```

Here is a normal vs. patched comparison: https://i.imgur.com/1sFQl.jpg

----------


## Winsane

So is the goal right now to create a program that can automatically get all the info out of any screenshot? I'm *very* impressed.

----------


## eldavo1

> So is the goal right now to create a program that can automatically get all the info out of any screenshot? I'm *very* impressed.


Hopefully. I doubt you can extract enough information out of normal screenshots anyway, but currently we can do it with perfect screenshots, trying to get it with screenshots on a blank terrain then on normal screenshots.

What I've done quickly: You can change quality of luminosity and cropping. Has a patch preview now (although aspect ratio is broken), I removed the image manipulation besides luminescence and cropping because it didn't work very well. My GUI skills aren't the greatest either, sorry.

EXE: ImageToBinary.exe

Image of it: https://i.imgur.com/ilAtt.png

----------


## stvs

This looks like a false alarm to me, probably caused by IrfanView integer rounding funkiness.

The posted all-white image [uploaded at https://i.imgur.com/HyGGl.jpg] that's supposed to contain the stego really is all white. Undoubtedly the poster has detected some silly rounding artifact from IrfanView, which doesn't use the greatest jpeg libraries. The rest of the comments are just a goose chase extracting meaning from rounding noise.

Here's a few simple tests.

Compare every single pixel's RGB value to 0xff in Matlab:

```
>> A = imread('~/Downloads/HyGGl.jpg');
>> size(A)
ans = 225 400 3
>> A(1,1,1)
ans = 255
>> all(A(:) == 255)
ans = 1
```

Or just try to equalize it in Adobe Photoshop and get the error message "Could not complete the Equalize command because the image has only one brightness value."

That's enough, but let's take the opportunity to play with stegdetect (looks for a few common strategies) and look at the jpeg headers.

There's no there there.

```
$ sudo port install jhead stegdetect

$ stegdetect HyGGl.jpg
HyGGl.jpg : negative

$ jhead -v HyGGl.jpg
Jpeg section marker 0xdb size 67
Jpeg section marker 0xdb size 67
JPEG image is 400w * 225h, 3 color components, 8 bits per sample
Jpeg section marker 0xc4 size 21
Jpeg section marker 0xc4 size 20
Jpeg section marker 0xc4 size 20
Jpeg section marker 0xc4 size 20
File name : HyGGl.jpg
File size : 846 bytes
File date : 2012:09:13 09:46:50
Resolution : 400 x 225
```

----------


## Trixiap

Yes... everyone here is goose and Adobe Photoshop use same library as IrfanView... Code in client for include watermark in screenshot is bug from IrfanView, we know... Open your screen and use Sharpening filter in any photoediting soft you will see. I think that white "screenshot" is not screenshot from game, just white image to show what you need achieve to be able extract watermark

BTW you can get "clear" screenshot if you take your view distance to min and fly high up then take screenshot without UI and 1st person view

----------


## 5tvs

The imgur.com images and the OP's original images are different.

I retract my comments above based on the imgur.com file—when you look at the poster's original files, not the imgur.com files, you clearly see the watermarks by simple sharpening.

Furthermore, stegdetect gets a hit with the F5 algorithm:

```
$ stegdetect -t F scr2sm.jpg
scr2sm.jpg : f5[0.312094](**)
```

stegbreak doesn't go after F5, but I'd look to F5 crackers first to extract the information. Anyone done this yet?

----------


## Sendatsu

> What I've done quickly: You can change quality of luminosity and cropping. Has a patch preview now (although aspect ratio is broken), I removed the image manipulation besides luminescence and cropping because it didn't work very well. My GUI skills aren't the greatest either, sorry.
> 
> EXE: ImageToBinary.exe
> 
> Image of it: https://i.imgur.com/ilAtt.png



I really like how this is moving along!





> I think that white "screenshot" is not screenshot from game, just white image to show what you need achieve to be able extract watermark





> The imgur.com images and the OP's original images are different.
> 
> I retract my comments above based on the imgur.com file—when you look at the poster's original files, not the imgur.com files, you clearly see the watermarks by simple sharpening.



Yes, the white screenshot was purely white, not to be taken literally. In order to avoid any further confusion I replaced it with one that contains a watermark inside: https://i.imgur.com/c9h2w.jpg





> Furthermore, stegdetect gets a hit with the F5 algorithm:
> 
> $ stegdetect -t F scr2sm.jpg
> scr2sm.jpg : f5[0.312094](**)
> 
> stegbreak doesn't go after F5, but I'd look to F5 crackers first to extract the information. Anyone done this yet?



That's an interesting find. I had used "StegSpy2.1" and it only gave me a false positive on one image and nothing on the rest.

If this is indeed true, someone needs to have a look at it. http://cs.marlboro.edu/term/spring06...reaking_f5.pdf

----------


## Thundathigh

> I found a pretty good solution to "check" normal screenshots, for that pattern.
> go here: Free Online Image Error Level Analysis using HTML5 - 29a.ch
> drag and drop your screenshot in there and play around with the sliders.
> This is an example from my screenshot. I just marked the pattern with paint.


This was posted 4 pages back... come on guys catch up! =P



> ...
> My GUI skills aren't the greatest either, sorry.
> 
> Image of it: https://i.imgur.com/ilAtt.png


Haha if you think that that GUI is bad, probably shouldn't be showing mine anytime soon xD

----------


## ukilliheal

Is there any way I can help with this? I know a little bit of java ( ytuscheduler - The only desktop app that can schedule a Youtube upload - Google Project Hosting ) and a little unix scripting ( autocrack - Automatic WEP cracking - Google Project Hosting )

----------


## Sendatsu

> Is there any way I can help with this? I know a little bit of java ( ytuscheduler - The only desktop app that can schedule a Youtube upload - Google Project Hosting ) and a little unix scripting ( autocrack - Automatic WEP cracking - Google Project Hosting )


Hello ukilliheal

Thanks for offering! We are currently trying to find a way to identify the embedded watermark inside normal screenshots. We are experimenting with luminance and other factors to differentiate between actual pixels and altered ones. Take a look at the currently available source codes, screenshots, papers and patents mentioned in this thread and perhaps you will be able to figure out a way to extract this without any loss.

We also have a few open questions like whether this watermark has been inserted using a steganography algorithm like F5 (see above) or perhaps some other multiple-pass method.

Whatever you can come up with will help :)

----------


## ukilliheal

> Hello ukilliheal
> 
> Thanks for offering! We are currently trying to find a way to identify the embedded watermark inside normal screenshots. We are experimenting with luminance and other factors to differentiate between actual pixels and altered ones. Take a look at the currently available source codes, screenshots, papers and patents mentioned in this thread and perhaps you will be able to figure out a way to extract this without any loss.
> 
> We also have a few open questions like whether this watermark has been inserted using a steganography algorithm like F5 (see above) or perhaps some other multiple-pass method.
> 
> Whatever you can come up with will help


I will see what I can do!

----------


## Myuu

Well I never thought I would read a story about this website in a Norwegian newspaper:
«World of Warcraft»-bildene dine inneholder hemmelig informasjon - PressFire.no

This is extremely interesting and somewhat scary.

----------


## Skuddle

Curious,

Where are you getting that it has information in regards that it has server information and other sorts like that. I get that you're getting a fractal time stamp as well as a random number generation, but I have yet to see any sort of code decipher.

Let me key you in on a few things.

You guys are reading the barcodes wrong. TOP DOWN is not the way they are handled. They are compressed fragments of AZTEC style coding.




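> | Bits | Field | Polynomial | Used for |
> |------|-------|------------|----------|
> | 4 | GF(16) | x^4+x+1 | Mode message |
> | 6 | GF(64) | x^6+x+1 | 1–2 layers |
> | 8 | GF(256) | x^8+x^5+x^3+x^2+1 | 3–8 layers |
> | 10 | GF(1024) | x^10+x^3+1 | 9–22 layers |
> | 12 | GF(4096) | x^12+x^6+x^5+x^3+1 | 23–32 layers |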


Turn them side ways, push them together. Interested in what the codes read. Nothing but gibberish system data and property flags.





> SET readTOS "1"
> SET readEULA "1"
> SET readScanning "-1"
> SET readContest "-1"
> SET locale "enUS"
> SET showToolsUI "1"
> SET accounttype "MP"
> SET readTerminationWithoutNotice "-1"
> SET installType "Retail"
> ...



It is the same pattern generator used for the debug. It is also fragmented in HQ, just appended inside the file as EXIF data.

----------


## Thundathigh

> Where are you getting that it has information in regards that is has server information and other sorts like that. I get that your getting a fractal time stamp as well as a random number generation, but I have yet to see any sort of code decipher.


Did you look at page 2? =P



> ```
> __text:00B3C980                   ; =============== S U B R O U T I N E =======================================
> __text:00B3C980
> __text:00B3C980                   ; Attributes: bp-based frame
> __text:00B3C980
> __text:00B3C980                   ; ScrnScreenshot(void (*)(int), unsigned char *, unsigned int, char  const*, char  const*, char  const*)
> __text:00B3C980                   __Z14ScrnScreenshotPFviEPhjPKcS3_S3_ proc near
> __text:00B3C980                                                           ; CODE XREF: Script_Screenshot(lua_State *)+37
> __text:00B3C980                                                           ; sub_76C3C0+36
> ...
> ```

----------


## Sendatsu

> Curious,
> 
> Where are you getting that it has information in regards that is has server information and other sorts like that.



Please refer to the three disassemblies contained in this thread, also summed up in: http://www.ownedcore.com/forums/worl...ml#post2493603 (Looking inside your screenshots)





> I get that your getting a fractal time stamp as well as a random number generation, but I have yet to see any sort of code decipher.



The account name may be a randomly generated number now, but it was once an alphabetic username which we used as our username to login. It may not be as important as it used to be but the fact still remains that it has been embedded, unencrypted, into all of our screenshots and that it can be extracted (although we are still working on a way for full color images).





> Let me key you in on a few things.
> 
> You guys are reading the barcodes wrong. TOP DOWN is not the way they are handled. They are compressed fragments of AZTEC style coding.
> 
> Turn them side ways, push them together. Interested in what the codes read. Nothing but gibberish system data and property flags.
> 
> It is the same pattern generator used for the debug.



I read the watermark per column, left to right, top to bottom, split the input into bytes, reversed each one (http://www.ownedcore.com/forums/worl...ml#post2492716) and I successfully found the account name (http://www.ownedcore.com/forums/worl...ml#post2493377).

I don't believe we have tried AZTEC style encoding yet. Did you write a source code which does all these transformations and finally produces the output you pasted? If so, please post it so that we can check the validity of this hypothesis. (Tutorial here, if someone has the time: http://wiki.verkata.com/en/wiki/Aztec_code)





> It is also fragmented in HQ, just appended inside the file as EXIF data.



Even though I checked for IPTC info, I didn't think of checking for data hidden as EXIF. I will have a look, thanks.

----------
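
Added example (not part of any post in this thread and not the game client's code): the reading procedure the posts above describe, with rectangles given as offsets from the image centre, 4x5-pixel cells, a luminance threshold, bits read column by column and each byte bit-reversed, run on a constructed image. The darkening model in `embed`, the midpoint threshold used in place of the sharpen-then-128 step, the dark-means-1 polarity, the rectangle and the sample account string are all assumptions.

```python
"""Added example: decode a block watermark from a constructed image (not the client's code)."""

CELL_W, CELL_H = 4, 5        # pixels per watermark bit, as in the code posted in the thread
SAMPLE = b"EXAMPLEACCT"      # constructed account string, 11 bytes = 88 bits


def luminance(rgb):
    r, g, b = rgb
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def to_absolute(rect, img_w, img_h):
    """(x_off, width, y_off, height) relative to the image centre -> (left, top, width, height)."""
    x_off, width, y_off, height = rect
    return img_w // 2 + x_off, img_h // 2 + y_off, width, height


def cell_means(pixels, left, top, width, height):
    """Mean luminance of every full 4x5 cell, as a list of columns (left to right)."""
    if left < 0 or top < 0 or top + height > len(pixels) or left + width > len(pixels[0]):
        raise ValueError("rectangle lies outside the image")
    columns = []
    for cx in range(left, left + width - CELL_W + 1, CELL_W):
        column = []
        for cy in range(top, top + height - CELL_H + 1, CELL_H):
            total = sum(luminance(pixels[y][x])
                        for y in range(cy, cy + CELL_H)
                        for x in range(cx, cx + CELL_W))
            column.append(total / (CELL_W * CELL_H))
        columns.append(column)
    return columns


def read_bits(columns, dark_is_one=True):
    """Column by column, top to bottom. Threshold = midpoint of the observed range (assumption)."""
    flat = [value for column in columns for value in column]
    lo, hi = min(flat), max(flat)
    if hi - lo < 1.0:        # flat region, e.g. a pure black screen: nothing to recover
        return []
    mid = (lo + hi) / 2
    return [int((value < mid) == dark_is_one) for value in flat]


def bits_to_bytes(bits):
    """Split into groups of 8 and reverse each: the first bit read becomes the lowest bit."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for k, bit in enumerate(bits[i:i + 8]):
            byte |= bit << k
        out.append(byte)
    return bytes(out)


def embed(pixels, left, top, width, height, payload, delta=3):
    """Constructed test data only: darken the cells of 1-bits by `delta` per channel."""
    rows = height // CELL_H
    bits = [(byte >> k) & 1 for byte in payload for k in range(8)]
    if len(bits) > rows * (width // CELL_W):
        raise ValueError("payload does not fit in the rectangle")
    for i, bit in enumerate(bits):
        if not bit:
            continue
        cx = left + (i // rows) * CELL_W      # column-major fill, matching read_bits
        cy = top + (i % rows) * CELL_H
        for y in range(cy, cy + CELL_H):
            for x in range(cx, cx + CELL_W):
                pixels[y][x] = tuple(max(c - delta, 0) for c in pixels[y][x])


def demo(background):
    """Build a 128x96 single-colour image, embed SAMPLE, and decode it again."""
    img_w, img_h = 128, 96
    pixels = [[background] * img_w for _ in range(img_h)]
    rect = (-32, 64, -15, 30)                 # constructed rect: 16 columns x 6 rows of cells
    left, top, width, height = to_absolute(rect, img_w, img_h)
    embed(pixels, left, top, width, height, SAMPLE)
    return bits_to_bytes(read_bits(cell_means(pixels, left, top, width, height)))


if __name__ == "__main__":
    print(demo((255, 255, 255)))   # white background: payload plus one padding byte
    print(demo((0, 0, 0)))         # black background: subtraction changes nothing
```

Real JPEG screenshots add compression noise on top of the scene, so per-cell averages overlap far more than in this constructed image.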


## Skuddle

Sadly the analysis tools I am using is from my job. Missile programmer.

Here is an example barcode.




I apologize about the blur, I chose to take a close up in order to protect a decrypt of my barcode.
We use them in the military, it's an expanded view of the aztec style. It's just unfolded. Notice the 3 bars at the bottom. It's the check pyramid that is in the middle folded outwards.

I do not deny there is stuff there, but the assumption here is probably that it was going to be used for some sort of trouble shooting or help.




I would like to also piggy back a little on my expertise. I stated I was a missile programmer. I understand barcodes and missiles do not go hand in hand, however I work a lot with RFID's and NFC/d's and we play with Mini[qr] all day long because of the RFID pogs we use.

The military uses an unfolded Aztec I believe its known as PDF417 encoding, in which its an unfolded line by line read side ways. (I know that PDF417 is used by others. But it reads like PDF417 however is layed out in check digits of Aztec that is unfolded on the far right)

Each row has a series of check digits for the inner data.


*************
Further fun.

I decided to try and use our test set to decode it. It doesn't like fragmented trash. Using a cleaner from a screenshot I got the same thing that was presented on page 16.

I have access to a little bit more expensive fun software than most people. I ran it through the database and it came up with something...interesting.



The software blends multiple iterations and variations until it finds a product match for the encoded barcode. Notice there are no check pyramids. The software works by generating multiple chunk cube and offsets

x4. x8 and x2x4x6 as mentioned on my table above. It will place 2-3 check pyramids (alignment tools for the non techies) and one focus pyramid in the middle to attempt to find a common barcode in a database. We use it when we're attempting to identify munitions from foreign countries by counter balancing the munition items and manufacturer based on ISO data on the barcodes. Doing a search for this resulted in none other than:

http://us.battle.net/?help=URI(user)...cter)(account2)

Matched 



and they line up.

----------


## Sendatsu

> [...]


Ok, I'm trying to wrap my head around this, I'm no barcode expert but I'll do my best, so correct me if I'm wrong.

You're saying that the pattern repeats so many times because it has to fold onto itself in order to form an AZTEC barcode which would then be translated into:



```
http://us.battle.net/?help=URI(user)(name)(account)(realm)(character)(account2)
```

?

matching a battle.net registered product barcode? Does the watermark actually produce all this information (account id, username, character name, account2) or are those just placeholders?


PS: I used bcTester - FREEWARE : Barcodes aus Bilddateien lesen und testen and checked the code you provided (imgur: the simple image sharer) so I know it says what you claimed, I just can't reproduce your transformation at the moment.


EDIT:

Ok, if this stuff is real, this post just got WAY too much interesting...


*"This determination can be memorialized by a PDF417 2D barcode added to the alpha channel."* (US8194986, p44) http://www.google.com/patents/US8194986

_"PDF417 is a stacked linear barcode symbol format used in a variety of applications, primarily transport, identification cards, and inventory management. PDF stands for Portable Data File. The 417 signifies that each pattern in the code consists of 4 bars and spaces, and that each pattern is 17 units long."_

Also from the same patent:

_"PDF417 is exemplary only. Other barcodes-such as 1D, Aztec, Datamatrix, High Capacity Color Barcode, Maxicode, QR Code, Semacode, and ShotCode-or other machine-readable data symbologies-such as OCR fonts and data glyphs-can naturally be used. Glyphs can be used both to convey arbitrary data, and also to form halftone image depictions."_

----------


## eldavo1

Interesting development, however I am wondering why the way we read it (top down) still resulted in a plain text of our account name...

----------


## Sendatsu

> Interesting development, however I am wondering why the way we read it (top down) still resulted in a plain text of our account name...



Maybe it's part of some check digits? I can't be sure at the moment.


*TODO List:*

1) Capture a *high quality screenshot* (JPG/10 or perhaps TGA) and look for *fake EXIF data* which are actually pattern pieces (hex editing/reading skills required).

2) Check the lower quality screenshots (JPG/9 - JPG/1) for the pattern information *hidden in the alpha channel* (image editing/reading skills required).

3) Try to understand what Skuddle said somehow and figure out if the watermark is *PDF417* or *Aztec based* (algorithm/cryptography skills required).

4) If any of the above is true, prepare for this thread post/page being deleted by some government agency :P


Also, can someone with a disassembler check if when JPG is set to quality 10 it executes a different version of the screenshot function? Perhaps when there is no compression, the pattern can easily hide itself among the actual data, instead of bothering with alpha channels. It would also prove 1). Use _Mike's post to start: http://www.ownedcore.com/forums/worl...ml#post2491687 (Looking inside your screenshots)

----------


## Thundathigh

> 2) Check the lower quality screenshots (JPG/9 - JPG/1) for the pattern information *hidden in the alpha channel* (image editing/reading skills required).


I already checked the alpha channels (of pure white, pure black, and a normal SS), and there is nothing in the alpha channels (though it would be so much easier if there was). Every single alpha value is set to 255, but perhaps they are different in SS quality 10 and above.

BTW really interesting stuff Skuddle, you seem like a much better expert on this stuff than any of us =P

----------


## _Mike

> Crap that Skuddle said


GFTO out of the thread and stop trolling please.

Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just ignore him.

----------


## W00T3RS

idk wtf i'm reading... code this, pdf that, aztecs and incas or some crap. but this is better than most books i've read. wish i could help!

----------


## eldavo1

> GFTO out of the thread and stop trolling please.
> 
> Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just report him for trolling and move on.


Thinking about it, you are correct. No way you can fit all that information (the URL) into 88 bytes and somehow get the account name decoded when doing a simple binary conversion

----------


## Thundathigh

> GFTO out of the thread and stop trolling please.
> 
> Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just ignore him.


Haha he's elite and got there by leeching rep? I've got to change my strategy!
Thanks for clearing it up though _Mike

----------


## Smitten

> GFTO out of the thread and stop trolling please.
> 
> Guys, this is certainly not the first time Skuddle has tried to leech rep by posting fake shit. Just ignore him.


My thoughts exactly. Someone in the military, working on munitions would not:

a) post any of their own barcodes of any sort, blurred or not.

b) risk using any military equipment on game screenshots. I'm sure the shit they do is logged.

c) even be allowed to talk about their job and what they do and how it's done.

----------


## Sendatsu

> My thoughts exactly. Someone in the military, working on munitions would not:
> 
> a) post any of their own barcodes of any sort, blurred or not.
> 
> b) risk using any military equipment on game screenshots. I'm sure the shit they do is logged.
> 
> c) even be allowed to talk about their job and what they do and how it's done.


Hehe that's why I said that only if any of the above turns out true, then his posts would have to be deleted for reasons of "national security" and the like :P

If everything he said is just an obvious disinformation trolling technique then I wonder how come he is still allowed to maintain Elite User status in here.

Either way, food for thought.

----------


## Thundathigh

Edit2: Fixed my derp...
[Derp]
Scaled Watermark, Color shift? - Imgur
[/Derp]
Just had to set the image type to RGB and remove the alpha shift (255<<24).

_Mike, are you sure that the watermarks are only 1 pixel off? I'm getting blurry watermarks that should be pretty clean, so I'm just wondering what code in my program is off.

----------


## _Mike

> _Mike are you sure the pixel value for the watermark is only 1 off, or is part of my code wrong?


For the resolutions I tested, yes. If you tell me the resolution of the image you're using I can get you the exact coords the client is using. Or if you want to check yourself the memory addresses are:
wow.exe + 0xDCCA60 : number of rects
wow.exe + 0xDCC960 : array of rects, 16 bit ints in the order x, width, y, height

Just remember to take a screenshot at the correct resolution first before you read them or they won't be correct.

----------


## jack445

I haven't really been posting here too much before but if it's useful for you in any way, I'll be more than happy to help.
Recently, I've been creating a program to generate QR codes (sadly, I can't share the source code of it), however I can share with you how the data is encoded there.

Due to my postcount being too low, I can't post all those links. You'll have to change h**p to http manually.

QR codes have an ability to encode data in numeric, alphanumeric or 8-bit byte modes. Each mode handles input data in a different way:
- in numeric mode the input is divided into groups of 3 digits starting from the left (most significant) digit. After that, those 3-digit numbers are converted into 10-bit binary representation. If the last number contains only 2 or 1 digit it is converted to 7 and 4 bits respectively.
- in alphanumeric mode the input data is divided to groups of 2 letters, starting from the left as well. Letters are given the numeric value according to the encoding table (h**p://i.imgur.com/m6HwR.jpg). Those groups of 2 values (assigned to letters) are then encoded as follows: 45*first_val+second_val
- in 8-bit mode there's no encoding, at all, 8-bit bytes are directly added to the data bit stream

From what I've seen so far, the account name is added to the WoW's barcode in 8 bit byte pieces, each in reversed order. This is almost the same as QR code 8-bit mode, while the rest of the data such as realm time/realm ip etc. are somewhat encoded, which I guess will be similar to QR code's numeric/alphanumeric encoding.

As a sidenote, those wondering how QR code is filled with data/error correction bytes:
- byte placement: h**p://i.imgur.com/GAhmJ.jpg
- bit placement: h**p://i.imgur.com/YMVBG.jpg

Hope someone finds it useful. If you have any further question about QR codes, I'll try to help.

----------
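
Added example (not from the post above and not from any QR library): the three data modes that post describes, producing only the data bit groups, without mode indicator, character count or error correction. The 11-bit and 6-bit widths for alphanumeric groups and the 45-character table are taken from the QR Code specification rather than from the post; `encode_bytes_reversed` shows the per-byte bit reversal the thread reports for the account name, for comparison with plain byte mode.

```python
"""Added example: QR Code data-group encoding for the numeric, alphanumeric and byte modes."""

# Character values 0..44 as defined for QR alphanumeric mode.
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
NUMERIC_WIDTH = {3: 10, 2: 7, 1: 4}     # digits in the group -> bits used


def encode_numeric(digits):
    """Groups of 3 digits -> 10 bits; a trailing group of 2 or 1 digits -> 7 or 4 bits."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("numeric mode accepts the digits 0-9 only")
    groups = []
    for i in range(0, len(digits), 3):
        group = digits[i:i + 3]
        groups.append(format(int(group), "0{}b".format(NUMERIC_WIDTH[len(group)])))
    return "".join(groups)


def encode_alphanumeric(text):
    """Pairs -> 45*first + second in 11 bits; a single trailing character -> 6 bits."""
    values = []
    for ch in text:
        if ch not in ALNUM:
            raise ValueError("character %r is not in the alphanumeric set" % ch)
        values.append(ALNUM.index(ch))
    groups = []
    for i in range(0, len(values) - 1, 2):
        groups.append(format(45 * values[i] + values[i + 1], "011b"))
    if len(values) % 2:
        groups.append(format(values[-1], "06b"))
    return "".join(groups)


def encode_bytes(data):
    """8-bit byte mode: every byte goes into the stream unchanged, most significant bit first."""
    return "".join(format(byte, "08b") for byte in data)


def encode_bytes_reversed(data):
    """Same bytes, but each one with its 8 bits in reversed order (the variant the thread reports)."""
    return "".join(format(byte, "08b")[::-1] for byte in data)


if __name__ == "__main__":
    print(encode_numeric("01234567"))
    print(encode_alphanumeric("AC-42"))
    print(encode_bytes(b"A"), encode_bytes_reversed(b"A"))
```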


## stoneharry

I find this particularly interesting:




> Between May 22, 2007 and November 11, 2009, any malicious hacker who knew about this could have used a screenshot of a lucrative character to find their actual username & active realm and then either try to scam them out of their password, or just brute-force it.


Although brute forcing just would not have been feasible (you get some attempts then it bans your IP for a short duration), if your character name was in the screenshot, it could have been very dangerous.

Know character name, realm and account name. Time to go and harass them/try to blackmail them?

----------


## saillaw

It looks like the folks at The Daily Blink have cracked the code:

----------


## Sendatsu

> I haven't really been posting here too much before but if it's useful for you in any way, I'll be more than happy to help.
> Recently, I've been creating a program to generate QR codes (sadly, I can't share the source code of it), however I can share with you how the data is encoded there.
> 
> Due to my postcount being too low, I can't post all those links. You'll have to change h**p to http manually.
> 
> QR codes have an ability to encode data in numeric, alphanumeric or 8-bit byte modes. Each mode handles input data in a different way:
> - in numeric mode the input is divided into groups of 3 digits starting from the left (most significant) digit. After that, those 3-digit numbers are converted into 10-bit binary representation. If the last number contains only 2 or 1 digit it is converted to 7 and 4 bits respectively.
> - in alphanumeric mode the input data is divided into groups of 2 letters, starting from the left as well. Letters are given the numeric value according to the encoding table (h**p://i.imgur.com/m6HwR.jpg). Those groups of 2 values (assigned to letters) are then encoded as follows: 45*first_val+second_val
> - in 8-bit mode there's no encoding at all, 8-bit bytes are directly added to the data bit stream
> ...



Hello and thank you for sharing this information. I will see how I can apply it to our case.





> It looks like the folks at The Daily Blink have cracked the code: [img]



Loved it  :Big Grin:

----------


## Vip3ra

According to Lore in Legendary 93, he has known about this watermarking since The Burning Crusade, when Blizzard used this information to ban people that leaked screenshots.

----------


## Sendatsu

> According to Lore in Legendary 93, he has known about this watermarking since The Burning Crusade, when Blizzard used this information to ban people that leaked screenshots.


Thank you for this! Go to 1:11:11 @ Watch Legendary 93: Buff Wizards! | Legendary - The World Of Warcraft Show Episodes | Blip

----------


## filuta

So what was the screenshot format in TBC alpha - JPG or TGA?

----------


## Sendatsu

> So what was the screenshot format in TBC alpha - JPG or TGA?


That's a good point filuta. Well, TBC alpha was being used back in August 2006 (WoW Burning Crusade in alpha testing - PC Games) and the JPG screenshot format was available (officially) for the first time in May 2007, so either:

1) They were using a watermarking mechanism for TGAs back then or
2) Lore heard rumors that weren't true or applied to WotLK alpha.

*We need to find unconverted* TGA screenshots before 22 May 2007* (Patch 2.1.0) and see if we manage to identify a watermark somehow embedded inside.

* By unconverted I mean: don't upload them as JPGs or PNGs, leave them as they were when you captured them (TGAs) and upload them somewhere that doesn't make any changes to the files

----------


## Smitten

> That's a good point filuta. Well, TBC alpha was being used back in August 2006 (WoW Burning Crusade in alpha testing - PC Games) and the JPG screenshot format was available (officially) for the first time in May 2007, so either:
> 
> 1) They were using a watermarking mechanism for TGAs back then or
> 2) Lore heard rumors that weren't true or applied to WotLK alpha.
> 
> *We need to find unconverted* TGA screenshots before 22 May 2007* (Patch 2.1.0) and see if we manage to identify a watermark somehow embedded inside.
> 
> * By unconverted I mean: don't upload them as JPGs or PNGs, leave them as they were when you captured them (TGAs) and upload them somewhere that doesn't make any changes to the files


I have some tga from release right up to 2.1.0 on my old hard drive. 

I'll see if I can find a caddy / cables to retrieve them.

----------


## _Mike

> Thank you for this! Go to 1:11:11 @ Watch Legendary 93: Buff Wizards! | Legendary - The World Of Warcraft Show Episodes | Blip


Funny guy..
2.1.0 is the first patch where the watermark code is included. I checked all the known 2.0.x binaries including 3 alpha versions. So unless I made some major mistakes he's just making things up to appear like he knows stuff.  :Wink:

----------


## Sendatsu

> Funny guy..
> 2.1.0 is the first patch where the watermark code is included. I checked all the known 2.0.x binaries including 3 alpha versions. So unless I made some major mistakes he's just making things up to appear like he knows stuff.


Oh I definitely trust Assembly more than rumors  :Big Grin:

----------


## Unholyshaman

Here is a list of pre-bc and TBC screenshots that have been uploaded by someone. I've had these bookmarked for a while but I don't know if they have been edited at all etc. Maybe some of you will find them useful.

Index of /Screenshots/Wow04-07(classic)
Index of /Screenshots/Wow07-08(bc)/Screenshots/Converted

----------


## JSmith86

Hey guys, stumbled here from an external site, just a very casual wow player. 

How are you guys coming along in being able to actually extract the embedded codes from non-trivial screen shots? I have some familiarity with this subject matter, and whoever said it was jpeg artifacting is just off their rocker, but being able to extract this data without having source originals to compare against is extremely complicated to say the least. I mean, you have the trivial cases where you're looking at solid color mappings and then you can just delta luminescence extract the patterns, but the fact they're *ONLY* in the shittier jpeg compressed versions makes me wonder even more, it even further complicates any extraction, because from the looks of it, the watermarking is applied, then the entire image compressed, instead of the image compressed and the watermark interleaved on top, so you're talking even more data blending to make it almost unrecoverable in a lot of cases.

I can't provide actual proof for the above statements, but I don't think it's possible to reliably recover the information wholly from jpegs at the 1-3 compression level without any ecc in the watermarks, when that's images of actual scenery, not single color mappings, unless they also have a 6 set of camera information somewhere in the screenshots that hasn't been found yet. If you guys are making any progress towards this, I would love to help, but it doesn't seem like that's really being achieved at any meaningful level.

----------


## Sendatsu

> Hey guys, stumbled here from an external site, just a very casual wow player. 
> 
> How are you guys coming along in being able to actually extract the embedded codes from non-trivial screen shots? I have some familiarity with this subject matter, and whoever said it was jpeg artifacting is just off their rocker, but being able to extract this data without having source originals to compare against is extremely complicated to say the least. I mean, you have the trivial cases where you're looking at solid color mappings and then you can just delta luminescence extract the patterns, but the fact they're *ONLY* in the shittier jpeg compressed versions makes me wonder even more, it even further complicates any extraction, because from the looks of it, the watermarking is applied, then the entire image compressed, instead of the image compressed and the watermark interleaved on top, so you're talking even more data blending to make it almost unrecoverable in a lot of cases.
> 
> I can't provide actual proof for the above statements, but I don't think it's possible to reliably recover the information wholly from jpegs at the 1-3 compression level without any ecc in the watermarks, when that's images of actual scenery, not single color mappings, unless they also have a 6 set of camera information somewhere in the screenshots that hasn't been found yet. If you guys are making any progress towards this, I would love to help, but it doesn't seem like that's really being achieved at any meaningful level.


Hello JSmith86

Thank you for your input. It may have taken me a while but I think I eventually managed to convince everyone that this indeed isn't a case of jpg artifacts, but watermarks. A few people are currently experimenting with extracting the pattern from normal (colorful) screenshots and I hope we will soon have some progress on this.

Additionally, I would like to think that a company like Blizzard would not get into so much trouble to secretly watermark our screenshots since 2007, if they did not know of a way to successfully read these watermarks every time. It is only a matter of time before someone figures out an algorithm based on the Digimarc patents or the rest of the available publications on the subject.

----------


## Laria

Hi  :Embarrassment: 

Just got interested in this topic and thought to contribute some bits  :Smile:  I hooked up a local server + 3.3.5a for more "mobility" (ex so I can play with debuggers without getting banned). For debugging I use ollydbg 201 beta2.

That for now I managed to find the code that generates the actual watermark + bypassed it to lossless tga  :Smile:  The watermark is being "painted" in a set of loops: in ollydbg from 0x4AA7EC to 0x4AADA0 (for wow 3.3.5a). And the function containing those loops is at 0x4AA760. The complete watermark thingy again is at 0x4A93B0
So my guess at 0x4AA760 the watermark picture (the pattern) is actually being rendered. And guessing at 0x4A93B0 is the "top" function for all the watermark rendering matter. 

A tga sample converted to jpg: https://i.imgur.com/vJxtW.jpg
The code in 3.3.5a wow.exe that generates the watermark: https://i.imgur.com/WfO8I.jpg
To save the watermark into tga, look at this screenshot and use the instructions: i.imgur.com/2IvK5.jpg

Now I am looking what actually is being "stored" inside there  :Smile: 

Sorry that I am using the 3.3.5a client, but on that server (arcemu) I can do like anything, flying outside the world (to get just a plain background color) etc. If someone wants the 3.3.5a exe I am using for reverse engineering issues, pm me I will send you a link to it, if allowed so by the community  :Smile:

----------


## Sendatsu

> Hi 
> 
> Just got interested in this topic and thought to contribute some bits  I hooked up a local server + 3.3.5a for more "mobility" (ex so I can play with debuggers without getting banned). For debugging I use ollydbg 201 beta2.
> 
> That for now I managed to find the code that generates the actual watermark + bypassed it to lossless tga  The watermark is being "painted" in a set of loops: in ollydbg from 0x4AA7EC to 0x4AADA0 (for wow 3.3.5a). And the function containing those loops is at 0x4AA760. The complete watermark thingy again is at 0x4A93B0
> So my guess at 0x4AA760 the watermark picture (the pattern) is actually being rendered. And guessing at 0x4A93B0 is the "top" function for all the watermark rendering matter. 
> 
> A tga sample converted to jpg: https://i.imgur.com/vJxtW.jpg
> The code in 3.3.5a wow.exe that generates the watermark: https://i.imgur.com/WfO8I.jpg
> ...



Hello Laria

Thank you for looking into this! It looks like you've already found some useful points of reference.

You have probably seen a few of these Assembly posts, but I'll just list them here FYI:

http://www.ownedcore.com/forums/worl...ml#post2489452 (Looking inside your screenshots)

http://www.ownedcore.com/forums/worl...ml#post2491447

http://www.ownedcore.com/forums/worl...ml#post2491687

http://www.ownedcore.com/forums/worl...ml#post2492494

http://www.ownedcore.com/forums/worl...ml#post2492511

And one about cleaning up the pattern you are capturing:

http://www.ownedcore.com/forums/worl...ml#post2491783

Please tell us if you find anything on how the watermark is stored/painted over the screenshot; maybe it will help with the reversing. Thanks  :Smile:

----------


## BuloZB

this is very good informations post thx! rep


i have some questions

Does the watermark actually produce information about personal data of acc?

----------


## woenvlgo

I find this thread hilarious.

----------


## stoneharry

> this is very good informations post thx! rep
> 
> 
> i have some questions
> 
> Does the watermark actually produce information about personal data of acc?


Grunt account name, realm IP, time/date. You can decide if this information is personal. Using the new battlenet 2 protocol the username comes out as a number which is available from the armoury (etc). When this system was first implemented, it used your real account name.

----------


## Sendatsu

> Grunt account name, realm IP, time/date. You can decide if this information is personal. Using the new battlenet 2 protocol the username comes out as a number which is available from the armoury (etc). When this system was first implemented, it used your real account name.


Thank you for answering that one stoneharry. Do you know of a way to retrieve the account name/number of a character from the armory at the moment?

----------


## stoneharry

> Thank you for answering that one stoneharry. Do you know of a way to retrieve the account name/number of a character from the armory at the moment?


MoP ingame Lua API vs. Community Platform API - WowAce Forums

----------


## Sendatsu

> MoP ingame Lua API vs. Community Platform API - WowAce Forums


That is an interesting link, thanks for sharing. It's good to know that there are many of us out there who still care about privacy.

Fun fact: apparently Blizzard "won" the BigBrother2012 award in the "Consumer Protection" category :P If only they knew back in August what we found out one month later :P

https://www.bigbrotherawards.de/2012/.cons

----------


## Skuddle

http://www.onlinebarcodescan.com/
(Better quality)

To all that say otherwise.

Please upload the barcode that was linked in my post. Prove me otherwise that information cannot link.

Thanks.

I will take my business other places.

Here's a link for the lazies




> https://i.imgur.com/QtYP7.jpg
> https://i.imgur.com/VRrz7.png


Now you all can go die in a fire and figure it out yourself, over thinking monkeys.

As for you _Mike,

You are? Who?

As Sendatsu showed the PDF format can contain fragments and glyphs for larger sets of instructions.

As for a military barcode it's using the Aztec style of PDF formatting. I can upload a blurred screenie all day and it means nothing to you. I can tell you what I do in the military because once again. It means nothing to you. I can use the software for whatever the hell I want because data is logged on PICM cards when I work on missile stuff. Other than that it's a tough book and an internet connection. Stop with your secret squirrel bullshit seeing as you have no idea what you're talking about. Everything I linked is relevant and is pointing you in the right direction.

What I am assuming is that Blizzard was trying to use Screenshots as a sort of support ticket/help tool at one point. The reason being is that back when we would mess with Warden modules it would hook into the debug system and screenshot system. In WoTLK it stopped using those addresses and never touched them again. Putting the two together using basic logic would suggest 

-that they used it as a form of monitoring, maybe to catch the slew of retards using bots and posting screenies on the internet to monitor it.
-were using it to find/gather a list of 'account' names from a 'private' server the screenshot came from and compare?
-were using it to gather information on a targets computer during the 'submitting system data' by stuffing information into the dfil and wfil files that they never used.
-were using it as a form of debug tool to authenticate. Hence the upload a screenshot in your account management when you submit a ticket. The files become unreadable after you upload them. Viewing the attachment link creates a .dat file from the cdn server. Maybe they have software reading the validity of the file you uploaded. Hell even ClamAV has this ability to read watermarkings.

[Insert big brother theory here].



http://www.freepatentsonline.com/7152161.html


And go.

World of Warcraft uses this Patent



Enjoy reading the legal, it references a sub patent of 7152161 for snowy effect to mask it in channels.

Reading over the entire patent will show you how to dissolve it.

Now, I must go back to doing more important things. Because obviously I troll.

----------


## Laria

Beforehand: This information goes for wow client 3.3.5a. 
I have done some more reversing work now and got some more information out of it. Just want to let you know of it.  :Smile:  Maybe some things may already known or not, sorry if so. I was more into work instead of reading all single lines of this thread, forgive me please  :Roll Eyes (Sarcastic):  And sorry for bad English and explaining I am very tired of today as it's late  :Wink: . 

Just wrote an app in c which decodes that watermark data. Btw: Yep, there is no encryption stage for the watermark, so the data is directly encoded / written from wow's memory. In other words, you can find the same information in wow's memory when taking a screenshot... However, I do not 100% know what exactly (kind of data) is stored there. 

Here is an example:


```
00000000  41 44 4D 49 4E 10 00 00 00 00 00 98 88 48 4E 17  ADMIN......˜ˆHN.
00000010  D0 06 5E F0 68 75 00 00 00 00 00 00 00 00 00 00  Ð.^ðhu..........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  00 00 00 00 00 00 00 62 00 D7 4A 8C FB 21 09 82  .......b.×JŒû!.‚
00000080  8C 57 29 C2 84 0C 31 32 37 30 30 30 30 30 30 D4  ŒW)Â„.127000000Ô
00000090  4A BE 3E 09 58 C7 DF 78 F2 07 30 30 31 30 38 31  J¾>.XÇßxò.001081
000000A0  32 39 FF 3F 0F 32 99 95 FA 09 A2 1C 91 9E D4 EF  29ÿ?.2™•ú.¢.‘žÔï
000000B0  41 44 4D 49 4E 00 00 00 00 00 00 98 88 48 4E 17  ADMIN......˜ˆHN.
000000C0  D0 06 5E F0 68 75 00 00 00 00 00 00 00 00 00 00  Ð.^ðhu..........
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000120  00 00 00 00 00 00 00 62 00 D7 4A 8C FB 21 09 82  .......b.×JŒû!.‚
00000130  8C 57 29 C2 84 0C 31 32 37 30 30 30 30 30 30 D4  ŒW)Â„.127000000Ô
00000140  4A BE 3E 09 58 C7 DF 78 F2 07 30 30 31 30 38 31  J¾>.XÇßxò.001081
00000150  32 39 FF 3F 0F 32 99 95 FA 09 A2 1C 91 9E D4 EF  29ÿ?.2™•ú.¢.‘žÔï
00000160  41 44 4D 49 4E 00 00 00 00 00 00 98 88 48 4E 17  ADMIN......˜ˆHN.
00000170  D0 06 5E F0 68 75 00 00 00 00 00 00 00 00 00 00  Ð.^ðhu..........
00000180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001D0  00 00 00 00 00 00 00 62 00 D7 4A 8C FB 21 09 82  .......b.×JŒû!.‚
000001E0  8C 57 29 C2 84 0C 31 32 37 30 30 30 30 30 30 D4  ŒW)Â„.127000000Ô
000001F0  4A BE 3E 09 58 C7 DF 78 F2 07 30 30 31 30 38 31  J¾>.XÇßxò.001081
00000200  32 39 FF 3F 0F 32 99 95 FA 09 A2 1E 91 9E D4 EF  29ÿ?.2™•ú.¢.‘žÔï
```

Yep, the same data block also repeats for 3 times. Note: There may only be a difference when doing "dirty" work on the bitmap, while editing, cropping stretching or when the picture is just bad etc. So independent from that, it is bit-equal in wow's memory anyway.

Ok the first info "ADMIN" is my test server login name, "127000000" and "00108129" (Idk why they used to split this string  :Frown: ) is my test server address (127.0.0.1) and the port 8129.

If you look at this image https://i.imgur.com/RD0uh.jpg , the above decoded example is extracted from the white block. The other 10 ones (In blue) are just the same as the white block. I think they are repeated for redundancy and robustness. Conclusion: together with the redundancy inside a single block, you have literally 3 * 11 = 33 times the same data distributed inside one screenshot!!!

Ok here is the decoder thingy:



```
// wow bitpattern tool
// Reads a 32-bit bitmap into a binary raw data file.
// written from scratch, sorry for readability

// bitmap MUST be 32 bits per pixel, Windows bitmap!


#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>


FILE* open_bitmap(const char *filename);

// One pixel as stored in a 32-bit BMP file: blue, green, red, alpha.
struct rgb
{
	BYTE b;
	BYTE g;
	BYTE r;
	BYTE a;
};

int main()
{
	tagBITMAPFILEHEADER  bm_file_header;
	tagBITMAPINFOHEADER  bm_info_header;

	FILE *bitmapF = open_bitmap("V:\\Games\\World of Warcraft\\Screenshots\\example_0001.bmp"); //enter your bitmap here <<
	if(bitmapF == NULL)
	{
		fprintf(stderr,"cannot open the bitmap\n");
		return 1;
	}
	if(fread(&bm_file_header,sizeof(bm_file_header),1,bitmapF) != 1 ||
	   fread(&bm_info_header,sizeof(bm_info_header),1,bitmapF) != 1 ||
	   bm_info_header.biBitCount != 32)
	{
		fprintf(stderr,"not a 32-bit Windows bitmap\n");
		fclose(bitmapF);
		return 1;
	}

	int bwi = bm_info_header.biWidth;
	int bhi = abs(bm_info_header.biHeight);
	bool bottom_up = (bm_info_header.biHeight > 0); // negative height = rows stored top-down
	if(bwi <= 0 || bhi <= 0)
	{
		fprintf(stderr,"empty bitmap\n");
		fclose(bitmapF);
		return 1;
	}

	int csize = bwi * bhi; // pixels in the bitmap = bits in the pattern

	rgb *colordata = (rgb*)calloc(csize,sizeof(rgb));
	BYTE *bits = new BYTE[csize](); // one entry per pixel, sized to the bitmap

	// pixel data starts at bfOffBits, not necessarily right after the two headers
	fseek(bitmapF,bm_file_header.bfOffBits,SEEK_SET);
	fread(colordata,sizeof(rgb),csize,bitmapF);
	fclose(bitmapF);

	//note: bitmaps are read upside-down
	//note: bits gets scanned "mirrored" on the x axis, i.e right to left.

	int thrsh = 255; //threshold value (below = 0) (higher/equal = 1)
	int pos=0;
	for(int y=0;y<bhi;y++)
	{
		int c = bottom_up ? (bhi-1-y) : y; // row index in file order

		for(int i=(bwi-1);i>=0;i--)
		{
			// row stride is the bitmap width (was hard-coded to 45)
			if(colordata[i+(c*bwi)].r >= thrsh)
			{
				bits[pos] = 1;
				printf("#");
			}
			else
			{
				bits[pos] = 0;
				printf(" ");
			}
			pos++;
		}
		printf("\n");
	}

	// pack 8 scanned bits into one byte, first scanned bit = least significant bit
	int byte_count = csize / 8;
	BYTE *data_array = new BYTE[byte_count]();

	for(int pos_byte=0;pos_byte<byte_count;pos_byte++)
	{
		for(int pos_bit=0;pos_bit<8;pos_bit++)
		{
			if(bits[(pos_byte * 8)+pos_bit]==1)
			{
				data_array[pos_byte] = data_array[pos_byte] | (1 << pos_bit);
			}
		}
	}

	FILE *data_out = fopen("V:\\raw_data.out","wb"); //<< and your raw output data file here <<
	if(data_out == NULL)
	{
		fprintf(stderr,"cannot create the output file\n");
		return 1;
	}
	fwrite(data_array,1,byte_count,data_out);
	fclose(data_out);

	delete[] data_array;
	delete[] bits;
	free(colordata);
	return 0;
}

FILE* open_bitmap(const char *filename)
{
	FILE *mybmp = fopen(filename,"rb");
	return mybmp;
}
```

Just view the output file with a hex viewer (like HxD or so).

Also a side-note: I am using photoshop for the crop, scaling and color conversion process. I will post a tutorial / info for that tomorrow.

If you want a finished bitmap I made for the above example for testing, get it here: mediafire.com/view/?7wdtud3j7i1ve13 (use the download button in top-left corner there to get the BMP) Sorry I could not load the bmp to imgur as it converts it to jpg  :Roll Eyes (Sarcastic): 

Laria
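The dump in the post above differs between its three copies in two bytes (dump offsets 0x005 and 0x20B), which is the situation the repetition is there to absorb. The following Python sketch is an added example, not Laria's tool: it rebuilds the dump from the rows shown above, takes a bitwise majority vote over the three copies and reads the fields. The 176-byte record length and the field layout (NUL-terminated name, 12 address digits followed by 5 port digits) are assumptions inferred from this one dump and from Laria's reading of it.

```python
"""Majority vote over the repeated watermark record (added example)."""
import re

BLOCK_LEN = 0xB0  # assumed record length: the dump repeats at 0x000, 0x0B0, 0x160

# Non-zero bytes of one record, copied from the hex dump in the post
# (offset inside the record -> bytes). All other bytes are 0x00.
ROWS = {
    0x00: "41 44 4D 49 4E 00 00 00 00 00 00 98 88 48 4E 17",
    0x10: "D0 06 5E F0 68 75",
    0x77: "62 00 D7 4A 8C FB 21 09 82",
    0x80: "8C 57 29 C2 84 0C 31 32 37 30 30 30 30 30 30 D4",
    0x90: "4A BE 3E 09 58 C7 DF 78 F2 07 30 30 31 30 38 31",
    0xA0: "32 39 FF 3F 0F 32 99 95 FA 09 A2 1C 91 9E D4 EF",
}


def build_dump():
    """Rebuild the 528-byte dump, including its two differing bytes."""
    record = bytearray(BLOCK_LEN)
    for offset, hexbytes in ROWS.items():
        row = bytes.fromhex(hexbytes)
        record[offset:offset + len(row)] = row
    first, second, third = bytearray(record), bytearray(record), bytearray(record)
    first[0x05] = 0x10  # dump offset 0x005 reads 10 instead of 00
    third[0xAB] = 0x1E  # dump offset 0x20B reads 1E instead of 1C
    return bytes(first + second + third)


def split_copies(dump, block_len=BLOCK_LEN):
    """Cut the decoded bytes into equal-length copies of the record."""
    if not dump or len(dump) % block_len:
        raise ValueError("dump length is not a multiple of the record length")
    return [dump[i:i + block_len] for i in range(0, len(dump), block_len)]


def disagreements(copies):
    """Offsets inside the record where the copies are not all identical."""
    return [i for i in range(len(copies[0]))
            if len({c[i] for c in copies}) > 1]


def majority_vote(copies):
    """Bitwise majority over an odd number of equal-length copies."""
    if len(copies) % 2 == 0 or len({len(c) for c in copies}) != 1:
        raise ValueError("need an odd number of equal-length copies")
    need = len(copies) // 2 + 1
    out = bytearray(len(copies[0]))
    for pos in range(len(out)):
        for bit in range(8):
            if sum((c[pos] >> bit) & 1 for c in copies) >= need:
                out[pos] |= 1 << bit
    return bytes(out)


def digit_runs(record, min_len=6):
    """ASCII digit runs of at least min_len bytes, in order of appearance."""
    pattern = re.compile(("[0-9]{%d,}" % min_len).encode("ascii"))
    return [m.group().decode("ascii") for m in pattern.finditer(record)]


def parse_record(record):
    """Account name and server address, using the assumed field layout."""
    account = record.split(b"\x00", 1)[0].decode("ascii", "replace")
    digits = "".join(digit_runs(record))
    if len(digits) != 17:
        raise ValueError("expected 12 address digits and 5 port digits")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    return {"account": account,
            "ip": ".".join(str(o) for o in octets),
            "port": int(digits[12:])}


if __name__ == "__main__":
    copies = split_copies(build_dump())
    print("copies differ at record offsets:", [hex(i) for i in disagreements(copies)])
    print("first copy alone:", parse_record(copies[0]))
    print("after the vote  :", parse_record(majority_vote(copies)))
```

Read on its own, the first copy yields an account name with a stray control byte attached; the vote removes it, which is why a single noisy read does not remove the identifying data from a shared screenshot.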

----------


## eldavo1

Makes sense - that would be why the numbers were stored backwards (they are read backwards). I'll look into changing my program to get it from the hex  :Smile:  It should read from any screenshot that hasn't been compressed besides original compression

----------


## Optical1985

What happened with the thread here? Any more news or progress?

----------


## rafowner

well that sure is interesting

----------


## TjinTao

Bullshit. When you set the console to 9-10 you're asking for HQ pictures, which will correspond with your monitor's refresh rate.
Capturing + brightening + sharpening will just show the behind laying refresh 'zones'.
Fail bloke.

----------


## Sendatsu

> Bullshit. When you set the console to 9-10 you're asking for HQ pictures, which will correspond with your monitor's refresh rate.
> Capturing + brightening + sharpening will just show the behind laying refresh 'zones'. Fail bloke.


Your post is not only offensive but also completely idiotic and ignorant. Go back and actually *READ* the thread posts and findings, and then, if you have *something useful* to add to this conversation, go ahead and comment - *you wretched troll*, hiding behind a username you just created only to disrespect and undervalue the work of others. Shameful yet shameless; the hypocritical know-it-all enemies of anything new or unexpected - true offspring of the Inquisition. I despise you, and your kindred.

----------


## DNASt1st

hi, to avoid this all together does just print screening from your computer rather than the in game one work or does that still show the watermarks? I'm assuming it adds the watermark when you hit print? or is it always there? thanks ahead of time.

----------


## Sendatsu

> hi, to avoid this all together does just print screening from your computer rather than the in game one work or does that still show the watermarks? I'm assuming it adds the watermark when you hit print? or is it always there? thanks ahead of time.


Hello there

In order to avoid any further watermarking, type: */console SET screenshotQuality "10"* which will set the quality of your screenshots to the maximum and create screenshots that *do not* include the watermark.

Alternatively, you can just *paste the screenshot* you just print-screened in an image editor and *save it manually* from there.

The watermark is *only added* in screenshots generated by the *in-game capturing mechanism*, and only for *JPG qualities 1-9*.

I hope this helps.


PS: I can confirm the watermark still exists (Patch 5.1); the latest ToS/EULA is still not updated to clearly depict its existence.

----------


## Optical1985

Reviving this thread here since the subject was so interesting, any more news about it?

Wargaming, the developer for the tank simulation game known as World of Tanks had also implemented a similar method, displayed here : For the Record: Hidden tags in WoT screenies , to prevent leaks from the private test servers.

Is this thing still active in 5.3? I don't have my account active to check any more.

----------


## Alfalfa

> Reviving this thread here since the subject was so interesting, any more news about it?
> 
> Wargaming, the developer for the tank simulation game known as World of Tanks had also implemented a similar method, displayed here : For the Record: Hidden tags in WoT screenies , to prevent leaks from the private test servers.
> 
> Is this thing still active in 5.3? I don't have my account active to check any more.


I can confirm it still exists as of 5.3.

I gaussian blurred them both so you couldn't identify my account (unless you go to great lengths to un blur?)

https://i.imgur.com/b0m4xLr.jpg - with watermark and screenshotQuality "1"
https://i.imgur.com/SMvqYMU.jpg - without watermark and screenshotQuality "10"

----------


## DARKFOXX

you should send these barcode screenshots into blizzard to see if it gets screenshot of the day, you can put the caption, "Blizzard, as bad as the U.S. government."

----------


## WizardTrokair

Thanks very much to OP for his work on this subject. *+7 rep.*
I'll def be setting my SS's to quality 10 tonight.

----------


## scylla

So they have watermarks. Not a big deal really.... unless of course you play at a private server and even if you do, what can they do to you?

----------


## jimmys96

> So they have watermarks. Not a big deal really.... unless of course you play at a private server and even if you do, what can they do to you?


They don't seem to have done anything with this yet...

----------


## Cecu

> So they have watermarks. Not a big deal really.... unless of course you play at a private server and even if you do, what can they do to you?


Yea, not a big deal if they could uniquely identify you from all other 7mil WoW players, when you capture your exploits, really not a big deal!

----------


## scylla

Yeah it really isn't a big deal, for me anyways. I can just use something else to take Screenies like Razer Cortex or Raptr or the good ol printscreen button.

----------


## Sendatsu

Hello everyone

I tried to reproduce the watermarking issue under Patch 6.1, and it appears that it has now been *removed* from the game's screenshot capture mechanism.

So, *WoW Screenshot Watermarking*: 2.1.0 (_15/05/2007_) – 6.1.0 (_24/02/2015_)


*RIP*?... We shall see.

----------


## snarffff

> Hello everyone
> 
> I tried to reproduce the watermarking issue under Patch 6.1, and it appears that it has now been *removed* from the game's screenshot capture mechanism.
> 
> So, *WoW Screenshot Watermarking*: 2.1.0 (_15/05/2007_) – 6.1.0 (_24/02/2015_)
> 
> 
> *RIP*?... We shall see.


After thoroughly investigating the 'data' in the images as posted, the pattern which you were seeing is most definitely consistent of artifacts present during jpg compression of rendered images (tile based world) and is primarily responsible for exacerbating the differentials between adjacent tiles where they meet. As noted, changing to a non-lossy (or compression pattern that is less lossy), reduces these artifacts to invisible using the above methods for highlighting the superfluous areas where the image data is less consistent.

Having done extensive work in stenography, and various other (prefer not to disclose) ciphering techniques, it is fairly easy to spot that this entire thread was founded upon a weak understanding of image compression, and stenography. I will admit that I was amused throughout this fictional read, however some conspiracies remain simply a conspiracy with or without believers, but no data (or fraudulent/misunderstood data) to back up the argument.

Watching the 'source' code projects was even more incredible as the authors did not release their code, however they also only work on machines where a Warcraft account was present at one point. I am not sure if this was a deliberate attempt to perpetuate this fallacy, or they honestly decided to make up some patterns hoping that no one will actually test them.

World of Warcraft players, you can be rest assured that Blizzard did not implement stenography on your Warcraft Screenshots. What is even more exciting is that this can be disproved even from the opposing side of 'decoding' screenshots as typically players would not "fly up really high" or otherwise take a screenshot of a whited (or other color) out screen. The content of screenshots is usually more full, and contains more complex patterns especially when it includes building models / etc.

"decoding" these would require a method similar to removing two bits off every other pixel, which this pattern doesn't even apply, thus making any retrieval of any viable information (again going on the premise it is true when it really isn't, but just for arguments sake), impossible or near impossible, and highly dependent on the location of the image and/or contents of the image.

transmission -- it is much more difficult to maintain a battery of machines to receive and process images for stenographic contents, than it would be to drop a straight cipher using a persistent connection to blizzard via battle.net or the client itself.

retrieval -- assuming the data is posted on social media/etc, this would compound the issue of transmission as it would now require processing of all images encountered for the possibility it may be a screenshot from within wow, at specific resolutions, and specific compression quality, without clipping, etc etc.


What is even more illustrious, is that I believe this is a thread that has some folks in other "underground" scenes like HonorBuddy up in a fluff with Tin Foil hats on (eg, chinajade), when they are usually the first to jump down on other people for 'speculation'. Cute thread none-the-less. Troll rating: A+ .

----------


## Sendatsu

I am not sure why trolls still bother to post in this thread... I could explain for the _n-th_ time that the watermark was real, that we produced source codes in different languages that successfully decoded it (_we released the code and anyone can find the links in my 1st post_), that we could find the patterns in screenshots dating back to 2007... I could explain all these things, once again. But I won't.

Instead, I'll just say that the actual term is "*steganography*". But you already knew that, *troll*, didn't you?

----------

