I'm playing World of Warcraft in my spare time. A part of the success of the game lies in its customizability. It supports Lua addons that reach deeply into the UI and allow a totally different look and feel. One problem, however, is that Blizzard somehow manages to break the functionality of many addons with each new patch, so updates are required on a frequent basis.
There is a library called Ace that abstracts many of the frequently changing details away from the addon developer. This allows a lot of addons to be fixed almost automatically by fixing the library (which the authors do in a very fast cycle). There was a tool called "Wow Ace Updater" that scanned your addons automatically and applied patches as needed. Unfortunately, the project was taken offline due to the amount of traffic it generated and the resulting costs.
I stumbled upon a similar tool called WowMatrix Updater and became curious where it takes its addons from and how it works, so here is what I found out.
I want to note that this article is basically about analysing programs whose source code you don't have. I'll show you some freely available tools and what they can do for you.
The first interesting thing about the updater is the way it's packaged. Inside the ZIP file is basically a 2.8MB exe file that does not require any further installation and is simply started. To get an idea of the overall program structure I checked out the imports using FileAlyzer.
The interesting thing to notice here is that the imported DLLs don't provide enough API coverage for what the application is doing. I'm not too familiar with Input Method Manager, but what you are missing here for a normal Windows executable are things like user32.dll and system32.dll. My initial thought was that the executable is compressed and probably bundled with other files. When you compress an executable you mostly end up with a file with as few imports as this one has, but you won't get anything dealing with multimedia there. Opening the executable with TinyHexer reveals that it is neither compressed nor encrypted. You'll see a lot of plain text here and regions with lots of nulled data.
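To show what an import-table check like the one FileAlyzer performs actually looks at, here is an added example that is not part of the original article and not code from the WowMatrix tool: it walks the PE import directory by hand, lists the DLL names, and compares them against a baseline of DLLs one would expect a plain Windows GUI program to link directly. The baseline names and the minimal PE image built by `build_sample_pe` are assumptions made for the demonstration; on a real binary you would pass the file's bytes to `list_imported_dlls`.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name (RVA), FirstThunk
IMPORT_DESCRIPTOR = "<IIIII"
DESC_SIZE = struct.calcsize(IMPORT_DESCRIPTOR)


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def list_imported_dlls(data):
    """Return the DLL names in a PE file's import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at optional header offset 96
        dd_base = opt + 96
    elif magic == 0x20B:        # PE32+: offset 112
        dd_base = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd_base + 8)  # directory entry 1 = imports
    sections = []
    for i in range(nsect):
        s = opt + opt_size + 40 * i   # section headers follow the optional header, 40 bytes each
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw, rsize))
    if imp_rva == 0:
        return []
    off = _rva_to_offset(imp_rva, sections)
    dlls = []
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from(IMPORT_DESCRIPTOR, data, off)
        if oft == 0 and name_rva == 0 and ft == 0:   # an all-zero descriptor ends the table
            break
        dlls.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += DESC_SIZE
    return dlls


# Assumed baseline: DLLs an ordinary Windows GUI program imports directly.
EXPECTED_BASELINE = ("kernel32.dll", "user32.dll")


def missing_baseline_imports(dlls, baseline=EXPECTED_BASELINE):
    """Baseline DLLs absent from the import table. A sparse table is a hint that the
    binary is packed, or resolves its real dependencies at run time (e.g. a runtime engine)."""
    present = {d.lower() for d in dlls}
    return [b for b in baseline if b.lower() not in present]


def build_sample_pe(dll_names):
    """Constructed test input: a minimal PE32 whose single section holds nothing but an
    import directory naming the given DLLs. It is not a runnable program."""
    section_rva, section_raw = 0x1000, 0x200
    names_off = DESC_SIZE * (len(dll_names) + 1)
    name_blob, name_rvas = bytearray(), []
    for n in dll_names:
        name_rvas.append(section_rva + names_off + len(name_blob))
        name_blob += n.encode("ascii") + b"\0"
    body = bytearray()
    for rva in name_rvas:
        body += struct.pack(IMPORT_DESCRIPTOR, 0, 0, 0, rva, 0)
    body += b"\0" * DESC_SIZE + name_blob
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, section_rva, names_off)   # import data directory (RVA, size)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), section_rva, len(body),
                       section_raw, 0, 0, 0, 0, 0x40000040)
    header = dos + b"PE\0\0" + coff + opt + sect
    return bytes(header + b"\0" * (section_raw - len(header)) + body)
```

The import table only lists DLLs bound at load time; anything the program pulls in later through LoadLibrary (which is what the Process Monitor log further down makes visible) does not appear here, so a short list is a prompt to look at run-time behaviour, not proof of packing.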
The next idea was to find out what happens when you launch the application. I launched Process Monitor and narrowed down the filter to the executable. A good filter to find out which DLLs are loaded is just selecting "Show Process and Thread Activity" in Process Explorer. This directly showed that a lot more DLLs are bound when the executable starts. Apart from the standard system DLLs, these two caught my attention:
C:\Documents and Settings\Andreas\Anwendungsdaten\Acreon\WowMatrix\Libraries\wmzip.dll
C:\Documents and Settings\Andreas\Anwendungsdaten\Acreon\WowMatrix\Libraries\wmweb.dll
The first thing this reveals is that more of the application lives under the directory above. Further down in the log, Process Monitor reveals one more interesting thing, which I'll come back to later.
At this point I turned to what the program is actually doing to get to its data.
The Network Analysis
Using Wireshark I logged the network communication from the moment where the application starts to the point where all addons have been updated.
The first network packet of interest is this:
I noticed that with each request the number in the URL changes. The host is wowmatrix and the User-Agent is quite interesting. In the end it led me to the product Revolution, which appears to be a RAD tool for creating applications on Windows, Mac or Unix. I scanned the executable for "Revolution" and found a runtime signature.
This definitely explains the strange packaging. Since cross-platform frameworks have to be platform agnostic in some of their concepts, you'll see weird packaging constructs all the time here. I downloaded the file from the request manually using the browser and unpacked it using 7-Zip. Since .gz is not an archive format but just a compressed stream, there is only one file inside.
The file appears to be in some kind of proprietary Revolution format. Everything after the header looks like gibberish. After this file another one is loaded from wowmatrix:
Then the default page of swupdate.wowmatrix.com is retrieved, which in my test returned "304 Not Modified". Now the next two packets are really interesting:
Notice how much information is passed over to quantserve.com in the URL of the request. The only information I can identify with certainty here is my screen resolution. What is the rest of the data, and what is quantserve.com? In the response you get a 1x1 pixel gif image and a cookie expiring in 10 years. OK, someone is really making long term plans here :P
You'll see two similar packets to the same host right after that. OK, this gave me a good idea of how the project might be financed. By the way, notice the user agent. It looks as if Internet Explorer is making the requests, which will make the cookie persist.
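The three things that gave this exchange away (a request to a host other than the updater's own, a 1x1 gif in the reply, and a cookie with a far-off expiry) can be checked mechanically over a captured HTTP stream. The following is an added example, not code from the original article or from the tool: it parses a raw request and response as Wireshark's "Follow TCP Stream" would show them and reports those three indicators. The sample exchange, the host `tracker.example`, the cookie name and the capture date are all constructed for the demonstration.

```python
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample exchange (not a real capture). Host, path and cookie are made up;
# the request only reuses the shape of what the post describes.
SAMPLE_REQUEST = (
    "GET /pixel;r=123;sr=1280x1024 HTTP/1.1\r\n"
    "Host: tracker.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    "\r\n"
).encode()

# A minimal 1x1 GIF89a image, the classic "tracking pixel" payload.
ONE_PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                 b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/gif\r\n"
    "Set-Cookie: mc=abc123; expires=Thu, 01-Mar-2018 00:00:00 GMT; path=/; domain=.tracker.example\r\n"
    "\r\n"
).encode() + ONE_PIXEL_GIF

# Assumed capture time, needed to turn an absolute cookie expiry into a lifetime.
CAPTURED_AT = datetime(2008, 3, 1, tzinfo=timezone.utc)


def parse_http(raw):
    """Split a raw HTTP message into (start line, [(name, value)], body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def gif_dimensions(body):
    """(width, height) from a GIF header, or None if the body is not a GIF."""
    if body[:6] not in (b"GIF87a", b"GIF89a") or len(body) < 10:
        return None
    return struct.unpack_from("<HH", body, 6)


def is_tracking_pixel(response_raw):
    """True when the reply is a GIF of exactly 1x1 pixels."""
    _, headers, body = parse_http(response_raw)
    ctype = header_values(headers, "content-type")
    return bool(ctype) and ctype[0].lower().startswith("image/gif") and gif_dimensions(body) == (1, 1)


def cookie_lifetime_days(set_cookie, captured_at):
    """Lifetime in days from an Expires or Max-Age attribute; None for a session cookie."""
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "expires":
            return (parsedate_to_datetime(value.strip()) - captured_at).days
        if key.lower() == "max-age":
            return int(value) // 86400
    return None


def long_lived_cookies(response_raw, captured_at, min_days=365 * 5):
    """[(cookie name, lifetime in days)] for cookies living at least min_days."""
    _, headers, _ = parse_http(response_raw)
    found = []
    for sc in header_values(headers, "set-cookie"):
        days = cookie_lifetime_days(sc, captured_at)
        if days is not None and days >= min_days:
            found.append((sc.split(";")[0].split("=")[0].strip(), days))
    return found


def third_party_request(request_raw, first_party_suffixes):
    """True when the Host header is outside the application's own domains."""
    _, headers, _ = parse_http(request_raw)
    host = header_values(headers, "host")
    if not host:
        return None
    h = host[0].lower()
    return not any(h == s or h.endswith("." + s) for s in first_party_suffixes)


def analyse_exchange(request_raw, response_raw, first_party, captured_at):
    return {
        "third_party": third_party_request(request_raw, first_party),
        "tracking_pixel": is_tracking_pixel(response_raw),
        "long_lived_cookies": long_lived_cookies(response_raw, captured_at),
    }


if __name__ == "__main__":
    print(analyse_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE, ("wowmatrix.com",), CAPTURED_AT))
```

The lifetime check uses the capture date rather than "now" on purpose: a cookie that looked ten years long in the capture should still be reported as such when the trace is reviewed later.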
Next you'll see a request for a file called addondb.gz being retrieved from swupdate.wowmatrix.com, which contains the same signature as the previously retrieved files.
Now we come to another interesting part:
I saw several requests like this to wow.curse.com and one to www.wowinterface.com. All of these return HTML pages with information about the specific addon, which are probably parsed for changes and the download link. An interesting thing to see back in Process Monitor is that the requests are made via curl, a free executable for requesting files via multiple protocols. I suppose this was done to disguise the user agent as Internet Explorer, which keeps those sites from getting suspicious.
One really funny thing is that if you inspect the HTML returned from curse and wowinterface you'll see tags like this:
So both of these sites also feed data to Quantcast.
It seems that the wowmatrix updater is partially hostile in that it syndicates data without permission and without crediting. I cannot tell you how much this tool is in use right now; it's definitely good at doing its job. I suspect a lot of additional traffic on curse.com and wowinterface.com from this. If you use the tool and don't clear your cookies afterwards, you will leave a long trail on the web. I added two lines to my hosts file (/windows/system32/drivers/etc/hosts):
This will prevent the quantserve servers from being contacted.
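The two hosts lines themselves are not reproduced in this post. As an added example that is not part of the original article, here is a small Python helper that adds sinkhole entries for a list of hostnames to a hosts file without duplicating existing lines, and checks whether a given hostname is already blocked. The hostnames in `TRACKER_HOSTS` and the sample hosts text are placeholders constructed for the demonstration, not the real quantserve names.

```python
from pathlib import Path

# 0.0.0.0 is used as the sinkhole address; 127.0.0.1 also works but would hand the
# request to any web server listening locally.
BLOCK_ADDRESS = "0.0.0.0"
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample input (placeholders, not the hostnames from the capture).
SAMPLE_HOSTS = "# constructed sample hosts file\n127.0.0.1 localhost\n"
TRACKER_HOSTS = ["tracker.example", "pixel.tracker.example"]


def parse_hosts(text):
    """Return [(address, [hostnames])] for each non-comment, non-empty hosts line."""
    entries = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        if not stripped:
            continue
        parts = stripped.split()
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_blocked(text, hostname):
    """True when the hostname is mapped to a sinkhole address somewhere in the file."""
    hostname = hostname.lower()
    return any(hostname in names and addr in SINKHOLE_ADDRESSES
               for addr, names in parse_hosts(text))


def add_block_entries(text, hostnames):
    """Return the hosts text with one sinkhole line per hostname not yet present.
    A hostname that already has any mapping is left alone for the admin to review,
    because the resolver uses the first matching line and a second one would be ignored."""
    known = {h for _, names in parse_hosts(text) for h in names}
    additions = [f"{BLOCK_ADDRESS} {h}" for h in hostnames if h.lower() not in known]
    if not additions:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "\n".join(additions) + "\n"


def update_hosts_file(path, hostnames):
    """Apply add_block_entries to a file on disk and return the new contents."""
    p = Path(path)
    new_text = add_block_entries(p.read_text(), hostnames)
    if new_text != p.read_text():
        p.write_text(new_text)
    return new_text


if __name__ == "__main__":
    print(add_block_entries(SAMPLE_HOSTS, TRACKER_HOSTS), end="")
```

A hosts entry matches one hostname exactly, so every tracker hostname that shows up in the capture needs its own line; an entry for the parent domain does not cover its subdomains. Writing the real file needs administrator rights on Windows, and it only affects name resolution on that machine, so requests to a hard-coded IP address would still go through.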
I hope you found this article interesting.