The issue
I found spyware-like code in the Dransik client (client.exe). Basically, it allows Iron Will Games to look at the list of running processes (open programs) on your computer, at any time. When the client receives a certain packet (command) from the server, it will send a full process listing back to the server.
Here is the relevant code (generated using a demo version of IDA):
As you can see, there's even a small memory leak (296 bytes per request). Tisk tisk, sloppy code!
You can verify this yourself using a hex editor or disassembler - look at file offset 21CCB inside C:\Program files\Iron Will Games\Dransik\data\client.exe (path may vary).
Section 14 of the EULA states:
Furthermore, if you request any technical support, you consent to our remote accessing and review of the computer you load the Software onto for purposes of support and debugging.
This partially justifies that code being in the executable. However:
- I found it odd that this code is right below some code which checks for some known hacks. Retreiving a user's process list might facilitate GMs or developers to check if the player is running any cheat programs that the game doesn't automatically recognize - which, obviously, isn't listed in the EULA.
- The user is not notified in any way when the server requests the process list. If this were used only for the purpose described in the EULA, there would be no problem with adding some code which would ask permission from the user first.
Your right to privacy
While I can't say for sure if Iron Will Games would use this feature to spy on you without your consent, it is certainly possible. That's why I am offering you a way to block this "feature". I have written a small program that patches a running copy of the game (in memory), to make it ignore the "send me the process list" command. After you apply this patch, and, until you close Dransik, if the server will request the process list - Dransik will simply ignore the packet. You may run the program again to remove the patch from memory. If you wish to stay "protected" all the time, you will have to run this program every time you launch Dransik from the Iron Will Games Launcher.
The full source code is included. The program is written in the D programming language and uses the Tango standard library.
Download: antispy.zip (52 kB)
Technical information: the program patches an address in a jump table inside the relevant function. The jump table controls which code is executed when certain packets arrive, and is the machine-code representation of a C switch statement. The patch redirects the corresponding address from the "send process list" code block to the "go to next packet" block.
This page was written in regards to the September 11th, 2007 build of the game - which was the current publicly-available version at the time of writing this page, September 28th.