Project KONGOR: A Privacy Nightmare for HoN Players
V10
Introduction
The Heroes of Newerth (HoN) community has embraced Project KONGOR (PK) as a way to continue playing the game after its official closure in 2022. To play on these servers, you need to download and run the PKL, the Project KONGOR Launcher. This is a closed-source binary executable (launcher.exe) signed by the unknown iGames, LLC. The first thing PKL does when it starts (hon_x64.exe should be in the same path) is steal your sensitive private data and send it raw over the internet via HTTP, without SSL. This means any host between your PC and the Cloudflare data center can potentially steal your private data too. This is a serious privacy breach. For example, hackers can easily steal this data when it is sent over public or unprotected Wi-Fi, and use it to hack into your home network over home Wi-Fi. This article aims to shed light on PKL's alarming data collection practices, highlighting its potential for privacy breaches and advocating for a more responsible approach. In this article, I want to show you what happened and how you can view the private data that the Project KONGOR launcher has stolen from you.
Project KONGOR launcher.exe sample
{
  URI: "http://cdn.projectkongor.com/patch/wac/x86_64/launcher.zip",
  URI-Archive-Filename: "launcher.exe",
  Magic: "MZ,PE,x64",
  Original-Name: "launcher.exe",
  SHA256: "826348D803946C28CF670A94F3CDB8776AB195CD9C3ECA124D9A980A27C32816",
  MD5: "E991211ABBDF835AEA1B334A735FC3EA",
  Build-Date: "2024-10-08 18:40:51 UTC",
  Meta-Date: "2024-10-08 18:50:00 UTC",
  Signed-By: "iGames, LLC.",
  VT-Link: "https://www.virustotal.com/gui/file/826348d803946c28cf670a94f3cdb8776ab195cd9c3eca124d9a980a27c32816/details"
}
PKL exhibits SpyWare behavior
It covertly collects private data, including corporate information, without informing users about the data being collected, the purpose of the collection, or the volume of data collected. PKL lacks a publicly accessible Terms of Service agreement. It does not display a warning message about data collection when the launcher is first used. It fails to explain why it collects this data, how the data will be used, processed, and stored, and whether it might be sold to third parties.
It's important to note that PKL could potentially use anonymized data for its "OneAccount" (HWID identification) system instead of raw private data. However, its current practices raise serious concerns about privacy violations and lack of transparency. Furthermore, PK does not provide a clear and reliable way to remove this data from their servers, "including all copies".
PKL Data Collection
PKL is collecting sensitive private system information. This data includes:
• Domain computer name: This reveals the name of the computer within your network.
• Deep internal and external network configuration: This includes IP addresses, routes, MAC addresses (including those of network routers), and other network details. This information could be misused by hackers.
• All PC device names and IDs: This can even reveal the use of specific software (if you are using USB Super Vagina Online 2019 – be careful, they know it /s).
• System Main UUID: This unique identifier can be used for authentication, cryptography and other sensitive purposes.
• Disks and volumes information: This data could reveal the contents of your hard drives (if you store your wife pron on a drive labeled MY WIFE BEST PRON – they know it /s).
They also collect some basic information such as CPU data, OS, and RAM.
PKL is transmitting this raw, unencrypted data via a POST request to URI http://api.projectkongor.com/launcher.php?v=2&a=0
Look what was stolen from you
This is very simple to do on Windows 10+. Follow these steps:
• Right-click the Start button (or press Windows+X) and select PowerShell (administrator).
• Start the network capture. In the console, type:
netsh trace start capture=yes report=disabled overwrite=yes tracefile=C:\trace.etl
and press Enter. You should see a message indicating that the trace has started. Do not close this console, as you will need it later.
• Start the Project KONGOR launcher and wait for HoN to start. Exit the game ASAP.
• Stop the network capture. Return to the console, type:
netsh trace stop
and press Enter. You can now close the console.
• Open the trace data analyzer Python script (it works inside the browser; 🇷🇺 players should use a VPN to access this site). Click Upload files, select the trace file, C:\trace.etl, and click upload (the file is not actually uploaded to the internet; everything works locally in your browser).
• Click the play icon ( |> ).
Wait for the script to finish analyzing, and you will see the private data that was sent to the PK servers.
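What the analysis step amounts to, as an added example that is not the analyzer script linked above: given the raw bytes of one captured HTTP request, report which identifying fields went out in clear text. It assumes the POST body is JSON shaped like this article's example dump (the wire encoding is not stated here); the sample request and the function names are constructed for illustration.

```python
import json

# Top-level field names taken from the article's example dump.
SENSITIVE_FIELDS = {"System Name", "UUID", "IP Table", "macAddresses",
                    "deviceIds", "disks", "volumes"}

def parse_http_request(raw):
    """Split one raw HTTP/1.x request into method, target, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]

def audit_request(raw, host="api.projectkongor.com", path="/launcher.php"):
    """Return the identifying fields a cleartext POST to host/path carries."""
    try:
        method, target, headers, body = parse_http_request(raw)
        if method != "POST" or headers.get("host", "").lower() != host:
            return []
        if not target.startswith(path):
            return []
        payload = json.loads(body)
    except ValueError:          # not HTTP, bad Content-Length, or not JSON
        return []
    if not isinstance(payload, dict):
        return []
    return sorted(SENSITIVE_FIELDS.intersection(payload))

# Constructed sample request; values are invented, not captured traffic.
_BODY = json.dumps({
    "System Name": "DESKTOP-EXAMPLE",
    "UUID": ["00000000-1111-2222-3333-444444444444"],
    "cpus": ["Example CPU"],
    "macAddresses": {"PCI\\VEN_FFFF&DEV_0001": "02:00:00:AA:BB:CC"},
}).encode("utf-8")
SAMPLE_REQUEST = (b"POST /launcher.php?v=2&a=0 HTTP/1.1\r\n"
                  b"Host: api.projectkongor.com\r\n"
                  b"Content-Type: application/json\r\n"
                  b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n"
                  + _BODY)

if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST))
```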
Example dump of raw private data
{ "Base Board": [], "IP Table": { "0.0.0.0;0.0.0.0;10.0.0.1": [ "DE:06:BF:89:BA:15" ], "10.0.0.0;255.0.0.0;10.72.173.4": [ "52:54:00:C1:68:D1" ], "10.255.255.255;255.255.255.255;10.72.173.4": [ "52:54:00:C1:68:D1" ], "10.72.173.4;255.255.255.255;10.72.173.4": [ "52:54:00:C1:68:D1" ], "224.0.0.0;240.0.0.0;10.72.173.4": [ "52:54:00:C1:68:D1" ], "255.255.255.255;255.255.255.255;10.72.173.4": [ "52:54:00:C1:68:D1" ] }, "Physical Memory": [ "Null String" ], "System": [ "Null String" ], "System Enclosure": [ "Null String" ], "System Name": "DESKTOP-45PFPT2", "UUID": [ "1220BABF-02AC-464A-B90E-6C350236BE0C" ], "cpus": [ "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz" ], "deviceIds": { "ACPI Fixed Feature Button": "ACPI\\FIXEDBUTTON\\2&DABA3FF&0", "ACPI Processor Container Device": "ACPI\\ACPI0010\\2&DABA3FF&0", "ACPI x64-based PC": "ROOT\\ACPI_HAL\\0000", "ATA Channel 0": "PCIIDE\\IDECHANNEL\\4&403BEF5&0&0", "ATA Channel 1": "PCIIDE\\IDECHANNEL\\4&403BEF5&0&1", "CPU to PCI Bridge": "PCI\\VEN_8086&DEV_1237&SUBSYS_11001AF4&REV_02\\3&267A616A&0&00", "Composite Bus Enumerator": "ROOT\\COMPOSITEBUS\\0000", "Extended IO Bus": "ACPI\\PNP0A06\\PCI_HOTPLUG_RESOURCES", "Fax": "SWD\\PRINTENUM\\{16831C93-8E79-49BF-870C-607BB2D274CB}", "Generic PnP Monitor": "DISPLAY\\RHT1234\\4&7A3119A&0&UID0", "HID-compliant mouse": "HID\\VID_0627&PID_0001\\6&37F336B9&0&0000", "High precision event timer": "ACPI\\PNP0103\\0", "Intel(R) 82371SB PCI Bus Master IDE Controller": "PCI\\VEN_8086&DEV_7010&SUBSYS_11001AF4&REV_00\\3&267A616A&0&09", "Intel(R) 82371SB PCI to USB Universal Host Controller": "PCI\\VEN_8086&DEV_7020&SUBSYS_11001AF4&REV_01\\3&267A616A&0&0A", "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz": "ACPI\\GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_79_-_INTEL(R)_XEON(R)_CPU_E5-2680_V4_@_2.40GHZ\\_3", "Microsoft ACPI-Compliant System": "ACPI_HAL\\PNP0C08\\0", "Microsoft Basic Display Adapter": "PCI\\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\\3&267A616A&0&10", "Microsoft Basic Display Driver": 
"ROOT\\BASICDISPLAY\\0000", "Microsoft Basic Render Driver": "ROOT\\BASICRENDER\\0000", "Microsoft GS Wavetable Synth": "SWD\\MMDEVAPI\\MICROSOFTGSWAVETABLESYNTH", "Microsoft Hyper-V Virtualization Infrastructure Driver": "ROOT\\VID\\0000", "Microsoft Kernel Debug Network Adapter": "ROOT\\KDNIC\\0000", "Microsoft Print to PDF": "SWD\\PRINTENUM\\{32B670ED-FEFA-487A-9BA3-00264585AD56}", "Microsoft RRAS Root Enumerator": "SWD\\MSRRAS\\{5E259276-BC7E-40E3-B93B-8F89B5F3ABC0}", "Microsoft Radio Device Enumeration Bus": "SWD\\RADIO\\{3DB5895D-CC28-44B3-AD3D-6F01A782B8D2}", "Microsoft Storage Spaces Controller": "ROOT\\SPACEPORT\\0000", "Microsoft System Management BIOS Driver": "ROOT\\MSSMBIOS\\0000", "Microsoft Virtual Drive Enumerator": "ROOT\\VDRVROOT\\0000", "Microsoft XPS Document Writer": "SWD\\PRINTENUM\\{1CD5C32F-8D17-4BAB-BCE5-A5E7F87C83EA}", "NDIS Virtual Network Adapter Enumerator": "ROOT\\NDISVIRTUALBUS\\0000", "OneNote": "SWD\\PRINTENUM\\{93C2529F-2379-4B6F-8E5D-909EC4A41AE4}", "PCI Bus": "ACPI\\PNP0A03\\0", "PCI to ISA Bridge": "PCI\\VEN_8086&DEV_7000&SUBSYS_11001AF4&REV_00\\3&267A616A&0&08", "PS/2 Compatible Mouse": "ACPI\\PNP0F13\\4&2C352A27&0", "Plug and Play Software Device Enumerator": "ROOT\\SYSTEM\\0000", "QEMU FwCfg Device": "ACPI\\QEMU0002\\3&267A616A&0", "QEMU HARDDISK ATA Device": "IDE\\DISKQEMU_HARDDISK___________________________2.5+____\\5&3869DF3D&0&1.1.0", "Red Hat VirtIO Ethernet Adapter": "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&18", "Red Hat VirtIO SCSI Disk Device": "SCSI\\DISK&VEN_RED_HAT&PROD_VIRTIO\\4&26072453&0&000000", "Red Hat VirtIO SCSI controller": "PCI\\VEN_1AF4&DEV_1001&SUBSYS_00021AF4&REV_00\\3&267A616A&0&28", "Remote Desktop Device Redirector Bus": "ROOT\\RDPBUS\\0000", "Root Print Queue": "SWD\\PRINTENUM\\PRINTQUEUES", "Standard PS/2 Keyboard": "ACPI\\PNP0303\\4&2C352A27&0", "Standard floppy disk controller": "ACPI\\PNP0700\\4&2C352A27&0", "System CMOS/real time clock": "ACPI\\PNP0B00\\4&2C352A27&0", 
"UMBus Root Bus Enumerator": "ROOT\\UMBUS\\0000", "USB Input Device": "USB\\VID_0627&PID_0001\\28754-0000:00:01.2-1", "USB Root Hub": "USB\\ROOT_HUB\\4&2E134BF2&0", "VirtIO Balloon Driver": "PCI\\VEN_1AF4&DEV_1002&SUBSYS_00051AF4&REV_00\\3&267A616A&0&30", "VirtIO Serial Driver": "PCI\\VEN_1AF4&DEV_1003&SUBSYS_00031AF4&REV_00\\3&267A616A&0&20", "Volume": "STORAGE\\VOLUME\\{56EA72CB-82A2-11EF-986D-806E6F6E6963}#0000000003300000", "Volume Manager": "ROOT\\VOLMGR\\0000", "WAN Miniport (IKEv2)": "SWD\\MSRRAS\\MS_AGILEVPNMINIPORT", "WAN Miniport (IP)": "SWD\\MSRRAS\\MS_NDISWANIP", "WAN Miniport (IPv6)": "SWD\\MSRRAS\\MS_NDISWANIPV6", "WAN Miniport (L2TP)": "SWD\\MSRRAS\\MS_L2TPMINIPORT", "WAN Miniport (Network Monitor)": "SWD\\MSRRAS\\MS_NDISWANBH", "WAN Miniport (PPPOE)": "SWD\\MSRRAS\\MS_PPPOEMINIPORT", "WAN Miniport (PPTP)": "SWD\\MSRRAS\\MS_PPTPMINIPORT", "WAN Miniport (SSTP)": "SWD\\MSRRAS\\MS_SSTPMINIPORT", "vport0p1": "{6FDE7547-1B65-48AE-B628-80BE62016026}\\VIOSERIALPORT\\4&24D9CDA8&0&01" }, "disks": { "\\\\.\\PHYSICALDRIVE0": "QM00004", "{5474A0AA-93FA-2DED-37B4-C5DA9F2F87FD}": "" }, "gpus": [ "Microsoft Basic Display Adapter" ], "macAddresses": { "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&18#{c343047a-fc4f-4c59-aebe-c81d59d2c206}": "52:54:00:C1:68:D1", "SWD\\MSRRAS\\MS_NDISWANBH#{7767f5b0-38db-47ba-a4a5-73e6fd2df416}": "98:16:20:52:41:53", "SWD\\MSRRAS\\MS_NDISWANIP#{ec1edd06-ba19-4247-8186-c665014ba237}": "8E:8E:20:52:41:53", "SWD\\MSRRAS\\MS_NDISWANIPV6#{8bf19482-4c0c-4048-8f10-0288c011e14b}": "92:4A:20:52:41:53" }, "volumes": [ "\\\\?\\Volume{450baf57-0000-0000-0000-100000000000}", "\\\\?\\Volume{450baf57-0000-0000-0000-300300000000}", "\\\\?\\Volume{450baf57-0000-0000-0000-c05e07000000}" ] }
Data Anonymization
Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.
(from wiki https://en.wikipedia.org/wiki/Data_anonymization )
SSL isn't the main issue if PK anonymizes private user data before sending it. I think they are using this data to generate a HWID, and for this purpose, it can be easily anonymized.
Here is an example.
Instead of sending:
> send “MyDirtyWindows”
#capture view: “MyDirtyWindows”
They should send:
> send SHA256(“MyDirtyWindows”)
#capture view: “ad249687a6a01e7eacf9f86ae7af6741e99c3ae68e717785dc118e7c81141b43”
This data remains unique but is slightly anonymized. Why only slightly? Because there are unhashing services where most simple hashed strings can be restored to the original data. For maximum anonymization, PK could use a hashing salt (or static salt), for example:
> GENERAL_SALT = “IWillNeverBreakUserPrivacy” * 10^36
> send SHA256(“MyDirtyWindows”+GENERAL_SALT)
#capture view: “25ae90e1ca14930ec328e3a01ff0d9bf0e1b527e12a2c3ec606e94e38648b51c”
Surprisingly, the data is still unique and now completely safe to send over HTTP without SSL (because it's just random gibberish to anyone else). PK can still identify user hardware securely and store it, but they shouldn't store it in an unsecured way. Additionally, PK could attempt to unhash the data because they know the salt, but this would be unethical.
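The salted-hash scheme described above, applied to a whole payload, as an added example (not code from Project KONGOR or from the original article). The sample payload is constructed: its field names come from the example dump, its values are invented, and the function names are hypothetical.

```python
import hashlib

# Assumption: one static salt compiled into the client, as the article proposes.
GENERAL_SALT = "IWillNeverBreakUserPrivacy"

def pseudonymize(value, salt=GENERAL_SALT):
    """SHA256(value + salt) as lowercase hex: the article's scheme."""
    return hashlib.sha256((value + salt).encode("utf-8")).hexdigest()

def anonymize(node, salt=GENERAL_SALT, depth=0):
    """Hash every string leaf and nested dict key; keep top-level field names."""
    if isinstance(node, dict):
        return {(k if depth == 0 else pseudonymize(k, salt)):
                anonymize(v, salt, depth + 1) for k, v in node.items()}
    if isinstance(node, list):
        return [anonymize(v, salt, depth + 1) for v in node]
    if isinstance(node, str) and node:      # empty strings carry no data
        return pseudonymize(node, salt)
    return node

def identifying_strings(node, depth=0):
    """Yield nested dict keys and non-empty string leaves (not field names)."""
    if isinstance(node, dict):
        for k, v in node.items():
            if depth > 0:
                yield k
            yield from identifying_strings(v, depth + 1)
    elif isinstance(node, list):
        for v in node:
            yield from identifying_strings(v, depth + 1)
    elif isinstance(node, str) and node:
        yield node

def leaked(original, anonymized):
    """Original values that still appear verbatim after anonymization."""
    return sorted(set(identifying_strings(original))
                  & set(identifying_strings(anonymized)))

# Constructed sample: field names from the dump above, values invented.
SAMPLE = {
    "System Name": "DESKTOP-EXAMPLE",
    "UUID": ["00000000-1111-2222-3333-444444444444"],
    "IP Table": {"0.0.0.0;0.0.0.0;192.0.2.1": ["02:00:00:AA:BB:CC"]},
    "macAddresses": {"PCI\\VEN_FFFF&DEV_0001": "02:00:00:AA:BB:CC"},
    "disks": {"\\\\.\\PHYSICALDRIVE0": ""},
}

if __name__ == "__main__":
    out = anonymize(SAMPLE)
    print(out["System Name"], leaked(SAMPLE, out))
```

Because a static salt ships inside the client, anyone who extracts it can test guesses for low-entropy fields such as MAC addresses, so the hashes hide values from passive observers rather than from whoever holds the salt.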
Example of what PKL's anonymized dump could look like
This looks like garbage in the article, so I uploaded it to https://codebeautify.org/jsonviewer/y24b0d4bc
Mirror: https://jsonblob.com/1307426933401575424
So what can PK do to use user private data safely and ethically, following best practices?
I think they should create an update ASAP that:
• Comments out the entire code section responsible for collecting private user data.
• Enables users to login without SpyWare functionality.
• Removes or hashes all private data stored on their servers.
After this, PK should take a break, start anonymizing data before sending it, reconsider their data collection practices, and ensure they are user-privacy-friendly. They should add a public ToS that specifies what data is collected and for what purpose, exactly how it is processed and stored, and how to delete it. On first use, PKL should ask the player for permission to let PK collect data. They should only re-enable data collection when they are confident in their approach. This is the right and ethical way to handle private user data.
Is there a way for users to solve this problem on their side?
• You can block these requests in your firewall, but you won't be able to log in to the game client without providing a response key that is generated when your private data is sent by the launcher.
• You can also use tools like Fiddler or MITMProxy if you know how to use them.
• Stay updated: follow the Updates section of this article later.
• As a temporary workaround, I also wrote a Windows command-line script that starts launcher.exe and replaces all your private data with anonymized data on the fly. That script will be accessible until they remove the SpyWare functions of the launcher or anonymize the data.
About PKL Data Anonymizer script
Download the script from here by clicking the download button and save it to the HoN directory as kongor_anonymize.bat. After that, right-click the downloaded file in Explorer, select Properties, click Unblock and OK. The script requires administrator rights to work.
Start the script kongor_anonymize.bat instead of running launcher.exe. I cannot provide any support for it in the future. Use this script at your own risk. This script also changes your HWID, but only once and not permanently, I think. They may hash the data already stored and compare it. This script also dumps your original private data to the file collected_data.json so that you can see it.
Finally
Thank you for your attention. I hope this article helps you protect your privacy and understand what data is being stolen from you.
Please share this article on Reddit, Facebook, VK, Discord, and Medium to help protect the privacy of other players.
To contact me, use the public Telegram channel:

17.11.2024, V10
Updates
Nothing.