Friday, February 27, 2009

World of Warcraft's Poor Security

By default, World of Warcraft fails to run properly under a limited account. The game will start and run fine, but no settings are saved (e.g. UI, setup, or addon changes) because everything is stored under the folder that WoW is installed (Program Files) which should be read-only. A reasonable work-around might be to make some of the subfolders under the WoW folder writable (such as WTF, Screenshots, etc.).

A new failure of WoW security design was recently added with the game launcher. On every single run, the game launcher seems to randomly generate a brand-new exe at some random place on your computer. Firewalls are about as thrilled by this as I am. It defeats any kind of whitelist security, and a game has no business complicating computer security like that.

Additionally, there is an uncommon trick World of Warcraft uses that blocks other programs from inspecting its process in memory. This can also prevent other programs from forcefully shutting it down. The technique has to do with Window's Discretionary Access Control List (DACL). It is related to the security tab you see on Windows XP Professional that defines who has what access to various parts of your computer.

A processes's security limitations can be changed dynamically during runtime by the process itself, and that's exactly what WoW does. A process changing it's own security at runtime is not particularly valuable because any other process with equal or greater security access can change it back. It's also meaningless when running as an administrator because every process automatically has all access to everything.

None of this is new. People have known that WoW does for years now. I even ran across a small bit of code specifically to adjust the security of WoW. I've updated it bit to simply remove WoW's security settings then exit.

I'm new to this whole DACL business, so I might have missed some things.

Warning: Any use of this information, whether benign or malicious, might result in having your World of Warcraft account terminated. Take heed, lest you anger the Blizzard gods.

Sunday, February 22, 2009

Locking down my Windows XP machine

During my last Windows XP re-install, I pondered for a moment if I should use proper computer security by running within a limited user account. Eventually my desire for convenience, and realization that I wield the raw power of the OS far too much, kept me with a default admin account.

I’ve never really needed much protection. I can count on one hand the number of viruses my antivirus has found on my computer this decade. Only one of those tricked me to execute it. Over time, my weekly antivirus false-positives caused me to disable the nightly scans.

No, my fear of unwanted programs wasn’t enough to drive me into putting a lock on that admin door. It turned out to be the fear of programs I do want that pushed me to the switch. It started with World Of Warcraft’s Warden, and culminated with Mirror’s Edge’s SecuROM. Invasive DRM and rootkits concern me far more than any virus.

But I’m glad I didn’t try to live in the limited account back then. It would not have lasted very long before I would be sick of always having to switch to an admin account whenever I wanted to burn a CD, change anything in the control panel, install anything, or modify system or program files. There is the "Run as…" option, but that often leaves changes made to the account being "run as", instead of the current account.

Luckily my Linux experiences in the last year taught me that you can have the best of both worlds with a program like sudo. My searches for something like that for Windows led me to 3 open source solutions.

  • SudoWin (Sudo for Windows): This is repeatedly recomenneded by readers of Atwood’s Real Ultimate Programming Power blog.
  • suDown (or sudoWn): Tried briefly before running across…
  • SuRun: Seems to be the new kid on the block. I have been using this one for several weeks now, and so far I love it.

For better or for worse, I disabled having to actually enter a password. This was mainly due to my need for some programs to always run with admin access (especially at startup). For everything else, I get a nice popup that just needs an OK click, not much different from Vista’s UAC. Update 1: The new v1.2.0.6 lets you skip password input for your white-listed apps if you want.

Update 2: After using SuRun even longer now, I’ve only found 2 problems with it: (1) When browsing explorer as administrator, any changes you make don’t get reflected in the file browser (you have to manually refresh to see), and (2) It sometimes takes several seconds to open new Windows explorer windows. In general big delays have occurred for any kind of file system browsing, or low-level associated functions. For example, mounting/unmounting a TrueCrypt volume can take up to 10 seconds, and has even failed with a strange error on unmounting at times.

Update 3: Found an insightful thread where someone discussed with the SuRun creator about some aspects of the program.

It’s kinda comforting to see Process Explorer unable to view any details of admin processes. I know that Warden and SecuROM* will be hitting the same roadblock.

However I ran across something a little disturbing with World of Warcraft the other day. Process Explorer was unable to view details of the Wow.exe process, as if it was running as admin without my knowledge.

To be continued… * I’m aware that SecuROM has been known to install a service, thus always granting it admin access, but I’ve kept a watchful eye on my services and haven’t noticed anything yet.

Sunday, February 15, 2009

Faith Model Continued

I spent several more hours examining the CH_Faith_Cinematic.upk posedAgain StaticMesh. First off, I discovered that my raw data exporter in UE3PackageViewer doesn't seem to work correctly (it cut off half of some of the data). Manually pulling out the data, I found several lists of structures:

struct UnknownStruct1 {
    struct Vertex1 {
        float x;
        float y;
        float z;
    struct Vertex2 {
        float x;
        float y;
        float z;
    int UnknownInt;  /* either 0 or 1 */
    union {
        struct { /* when UnknownInt == 0 */
            short int UnknownStruct1Index;
            short int UnknownStruct1IndexPlus1;
        struct { /* when UnknownInt == 1 */
            short int Count;
            short int TriangleIndex;

struct Triangle {
    short int VertexIndexes[3];
    short int UnknownShort; /* material number? */

struct Vertex {
    float x;
    float y;
    float z;

struct UnknownStruct2 {
    char Unknown1[4];
    char Unknown2[4];
    int NegOne; /* always -1 */
    char Unknown3[4];

struct UnknownStruct3 {
    int UnknownInts[4];

There is also a large list of shorts and another of bools.

The list of Vertex and Triangle work out to the model in my last post. Of the rest, the list of UnknownStruct1 is the most interesting. Those verts aren't normals or texture coordinates (nearly all are > 1.0). When visualized in space, they hover all around the Faith model.

Additional searching about Unreal meshes led me back to the UnrealToX3D converter. The author wrote a nice white paper about converting the t3d format.

The real challenge was converting the texture coordinates. Unreal textures are described as tiling a plane in space coincident with the polygon on which they lie.

Each surface has a 3D vertex for U, another for V, and another for the texture normal (these are usually orthogonal). A pan value (in UV units) may also be supplied. This scheme allows for arbitrary scale, rotation, shear, and displacement of the texture without having to describe UV coordinates for each vertex on a polygon. To turn these various directionals into common UV coordinates, I find a transform that rotates the polygon from its arbitrary orientation onto the XY plane, and apply the same transform to the U and V texture components. I can now use the transformed U sand V component (which are now co-planar with the XY plane) to scale the texture. Using the pan components as offsets, I now use the polygon's coordinates (which are now all in the XY plane) to produce the UV coordinates.

Could those random points in space actually be 3D UV coordinates? I looked at the faces associated with the points, but the relation doesn't make any sense to me.

I wrote an exporter for this model and structures in Python if you want to look at the data yourself.

Other searching led me to comments in forums that say you can convert StaticMesh to brush in UnrealEd, and then export it as OBJ. I tried poking around but haven't quite found how.

Saturday, February 7, 2009

Unreal 3 Engine Model Extraction

While there is a lot of modding that may be possible with Mirror's Edge, my primary desire is to gain access to the various models of the game.

I have searched high and low, with at least 30 different queries thrown at Google, and several hours of scanning results, but nothing has turned up. No one seems to have a way to extract models from the Unreal 3 Engine. Which suggests that this is the first time anyone has.

Faith MeshIf someone has already found a way to extract models, then I'd be more than happy to be wrong. Thus far my mesh explorations have been hit and miss. This Faith StaticMesh resource (CH_Faith_Cinematic .posedAgain) has easily identifiable vertices and triangle indices, but I can't locate the texture coordinates. The resource right next to this mesh (posedAgain_Shaded) is even less clear. The data is tremendously random, with no obvious patterns. The S_M95 weapon StaticMesh appears to be the same.

After several hours of dead-ends I grew frustrated, so I played Unreal Tournament 3 for the rest of the day :) I'll give it another go eventually, but I don't have much hope in the results.

Update: Gildor's Unreal Mesh Viewer has now been updated to extract Mirror's Edge SekeletalMeshes. These are different from StaticMeshes (like the one above), and they include the bone structure of the model as well. The Faith SkeletalMesh (the one you actually see running around in the game) is in CH_TKY_Crim_Fixer.upk as SK_TKY_Crim_Fixer.

Tuesday, February 3, 2009

In Capitalist America, DRM messes with YOU

Suddenly had an itching to play Gears of War today for no reason. You cannot run the game with modified executable code. Please reinstall the game.Stupid #%^$@$## DRM.

Edit: Since the source of the problem is due to the unintentional expiration of the programs digital signature, which was used solely to prevent people from playing PVP with modified executables, there has been a ton of debate whether this is really DRM.

I assume most people consider DRM the new lingo for 'copy protection' (which I think was a more accurate description). This interpretation of DRM obviously does not apply to the core problem above. But given what Digital Rights Management describes (it manages your right to use their data), then I'd say this is certainly DRM. I paid for the game, but I don't get to do whatever I want with it.

On the plus side, maybe the patch they'll probably release will include at least a few other bug-fixes for this crap-tastically buggy game.

Sunday, February 1, 2009

Messin' with SecuROM

Process Monitor is one of the programs that SecuROM blacklists. If you try to start Mirror's Edge with Process Monitor running, you get a beautifully designed*, and clearly explained* dialog that looks like this. A required security module cannot be activated. This program cannot be executed (5025).* /sarcasm

But it's not hard to run Process Monitor with Mirror's Edge. Login as an administrator and startup Process Monitor. Then switch users to a limited account and run the game. Having done this with Mirror's Edge, I can see it creates a dll in your Temp folder called drm_dyndata_#######.dll. The '#######' seems to always be the same number for me, but other people report a different number on their computers. If there is some kind of 'error' (i.e. they want to have more control over your computer than you do) and Mirror's Edge refuses to start, then it also creates a dll called drm_dialog.dll.

The Turtle's Blog Presents: Messin' with SecuROM

Just for fun, I set the security of my temp folder to WRITE-ONLY and started up Mirror's Edge. Well SecuROM sure didn't like that, and somehow concluded that my game is no longer registered, and began its phone home process.

Next I went to the SecuROM registry folder and exported the entries, then deleted them from the registry. Starting up Mirror's Edge, I blocked its attempts to phone home for a new registration. I then restored those exported SecuROM registry entries, and thankfully SecuROM was appeased and my game ran fine again. Note that Mirror's Edge has to be separately activated for every account on your computer. I tried importing these registry entries on another account, but SecuROM rejected it and tried phoning home.

Mirror's Edge phone home process involves trying to connect first to EA (, then Google ( with three different IP addresses, and finally Microsoft ( with two different IP addresses. It gives no indication it is doing this, and if Mirror's Edge fails to make contact with any of its desired sites, it takes about two minutes before finally reporting it needs internet connection. I'm sure there are some oblivious users out there that double-clicked that icon like crazy, and after seeing no response, concluded that there is something wrong with the game or their computer.

I thought I would try being one of those oblivious users, and started Mirror's Edge on an unregistered account--then kept double-clicking the icon until my computer froze briefly and started beeping at me. I had some 15 MirrorsEdge.exe processes started and my CPU maxed. In a few seconds all but the original process closed, but still no indicator that MirrorsEdge.exe was really doing anything until the eventual message is displayed.

When will these game studios learn that this is (one of the reasons) why people hate DRM--because it's implemented so very poorly. I submit that a big reason Valve's Steam has finally been somewhat accepted is because they try to reduce the hassle as much as possible. But I'm sure the rantings on some no-name blog amounts to a hill of Circuit City stock in the eyes of Sony.

Disclaimers: Don't try these sorts of things unless you know what you are doing, are willing to possibly lose one of your 5 registrations, and don't mind if your computer could crash beyond repair. I have a fully legal copy of Mirror's Edge, and was perfectly happy to support the developers that did such a great job on the game. I wish more people would do the same.