Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan


Video Memory Checksum

Another previously nonexistent component of the version check algorithm that the Lockdown module introduces is a checksum over the video memory of the process calling the Lockdown module. At the point in time where the module is invoked by the Blizzard game, the portion of video memory checksummed should correspond to part of the "Battle.net" banner in the log on screen for the Blizzard game. The Lockdown module is currently only implemented for so-called "legacy" game clients, otherwise known as clients that use Battle.snp and the Storm Network Provider system for multiplayer access. This includes all Battle.net-capable Blizzard games ranging from Diablo I to Starcraft and Warcraft II: BNE. Future games, such as Diablo II, are not supported by the Lockdown module.

This represents an additional non-trivial challenge to a would-be attacker. Although the contents of the video memory to be checksummed are static, the Lockdown module retrieves the video memory pointers through obfuscated calls to several internal Storm routines (SDrawSelectGdiSurface, SDrawLockSurface, and SDrawUnlockSurface) that rely on a non-trivial amount of internal state initialized by the Blizzard game during startup. As a result, the internal Storm routines are unlikely to simply work "out of the box" in an untrusted process that has not gone to all the trouble of initializing the Storm graphics subsystem and drawing the appropriate data on the Storm video surfaces.

This protection mechanism is primarily considered to be an anti-emubot scheme, as it is designed to prevent an untrusted process from successfully calling the Lockdown module.