[START OF RECORDING]
JACK: Back in 2002, I got banned from playing EverQuest. [MUSIC] This was a massive multiplayer online roleplaying game, or MMORPG. I spent years playing the game as a half-elf bard traveling through the world of Norrath. It consumed my life but I had ventures that I'll never forget, like the time I got together with eighty other players and killed dragons like Lady Vox and Nagafen. But after years of doing the same repetitive things over and over and making it to the top, I got bored and I quit. But that didn't last long because I found myself playing again a few weeks later. I had spent years working on my character and it was just too hard to let it go. I got to the point where I just couldn't quit the game, so the only solution I could think of to force me to quit was to find a way to get banned. So I started using a bot.
The bot would take control of my character and automate it for me. This was strictly against game rules. I would leave the bot run all night long, fighting monsters and gaining experience while I was sleeping. When I awoke, I was surprised to see that I was still fighting monsters, still not banned. I kept botting and letting it run night after night. Eventually players complained to a GM, or Game Master, which is like the game's admin and I got just what I wanted - banned. While this story is epic in my own memories, it's nothing compared to the story you're about to hear. You're about to hear possibly the most epic online video game story of all time. This tale is so crazy that it was even featured in Wired Magazine. The world will become altered in ways you've never expected. There will be massive amounts of gold and wealth, so gather around and listen to a tale of epic proportions.
JACK (INTRO): [INTRO MUSIC] This is Darknet Diaries, true stories from the dark side of the internet. I'm Jack Rhysider. [INTRO MUSIC ENDS]
JACK: I feel really lucky to have captured this story. This is one that almost got away and disappeared into the sunset forever. It's a rare one to be heard. This is a story from a guy named Manfred.
MANFRED: Hello. Hey, how's it going?
JACK: Manfred has kept his story quiet for twenty years. He's never publicly told these stories until this year. He first spoke about this at Defcon, the largest hacker conference in the world, but he didn't get to say everything he wanted to say.
MANFRED: I was going to show two zero-day exploits in a couple of games. I was in the Green Room at Defcon like, fifteen minutes before my talk. One of the Defcon team members, goons, they asked me what my talk's about and began the subject of me demonstrating this exploit. He went to talk to another goon and they both came back to me and they're like, you probably don't want to do this. You can talk about the exploit; just don't demonstrate how to reproduce it. Then I was like, you guys are probably right.
JACK: He did talk about the numerous games he did hack during his Defcon talk, which was recorded and put on YouTube. But that didn't last long.
MANFRED: My Defcon talk got taken down due to a copyright claim by ArenaNet, the makers of Guild Wars 2.
JACK: As you can see, the story is not only rare but in some ways, forbidden. So let's begin, shall we? First off, what kind of name is Manfred?
MANFRED: Back in the early days of Ultima Online I did a lot of PKing and griefing and all that good stuff. Originally my name wasn't Manfred. It was Phuckchop. P-H-U-C-K-C-H-O-P. I guess it kind of added insults to injury to the players that I'd kill. They'd [inaudible] their hard-earned resources. All good fun, you know. It's not me in real life. It was just a game. I did it all in good fun. Under that name of Phuckchop I player-killed, PKD, as it's called, for weeks and maybe months. Then one day I was just sitting AFK in town under guard protection next to an in-game bank. Then I went out to get some Krispy Kreme doughnuts for lunch. That was my usual lunch. I get a dozen of those. They're pretty awesome. [00:05:00] I came back and I looked at my character and my name was Manfred. I was like hmm, this is interesting. I looked at the chat log and I saw that a GM told me that he can't have me going around killing players as Phuckchop. He's like, you can kill players or whatever, it's part of the game, but we can't have that name so he just changed my name to a random name and it happened to be Manfred. It stuck ever since.
JACK: That story took place twenty years ago. Manfred has been playing MMORPGs ever since. It always starts out the same way; he'll play, have fun, learn the game inside and out, and then eventually get bored and start to tinker with it.
MANFRED: For fun I reverse-engineer games and I reverse-engineer how the protocol talks to the server and vice versa, how the server talks back to the client.
JACK: He hacks online video games. This is what he's good at. After twenty years of doing this, he is an expert at finding bugs in MMOs. He captures the packets and analyzes what's in them. He'll inject his own data into packets and see how the game responds. He'll find ways into the game client and manipulate what traffic is sent to the server. The exploit he finds in almost every game is an integer overflow.
To understand this, imagine you have a clock and the time is 1:00. Now, if you were to subtract one minute from it, the time would then be 12:59. Do you see how by subtracting, it resulted in a larger number? Computers have a limit of how high they can count and once they hit that limit it rolls all the way around to the lowest number they can count. Video games don't always check if you can subtract from the lowest amounts, so Manfred tries to subtract from zero and he sometimes gets surprising results. He's doing this at the packet level, sort of like a man-in-the-middle. When a packet is sent from his computer to the server, he captures it, changes some values, and sends it off. He's been doing this for a long time so he can pretty much find bugs in any game. So far he's found bugs in all these games.
MANFRED: Ultima Online, Dark Age of Camelot, Anarchy Online, Lineage II, Final Fantasy Online, the first one, World of Warcraft, RIFT Online, Elder Scrolls Online, Lord of the Rings Online, RIFT Online II, Final Fantasy XVI, Guild Wars II, and WildStar Online. I'm sure I forgot five or six more.
JACK: Because I personally played a lot of World of Warcraft, let's start there. World of Warcraft was leading the pack as the most popular MMORPG in 2007.
MANFRED: Back when I was playing it I think it had close to ten million players.
JACK: Manfred had been playing for a while and he was having fun leveling up his characters, fighting creatures, and exploring the world. This game had a thing called a talent system, and for every level you level up, you get one talent point to put into improving your character. Manfred became curious what packets the computer was sending to the server when he would use a talent point, but there was a problem. The packets between his computer and the server were encrypted so he couldn’t see what was inside them or inject his own data in it. But he's a reverse-engineer, so he starts to tinker with...
MANFRED: Slightly modifying the game client so I could take over the communication before encryption happens, when the packets are outgoing. Then I take over communication after encryption happens, when they're coming from the server.
JACK: Once he has his hooks in the game communication, he played the game and spent a talent point to boost his character. He saw what the data looks like when this happens. He tried replaying that same packet back to the game client. What he was expecting to see was that he had spent one talent point and his talent would go up by one.
MANFRED: I noticed that my skills didn't match up with the talent points I spent. There was a disconnect. Supposedly I had, for example, like fifteen skill points in this one skill tree but I didn't use any of my talent points, which was weird. Somehow at least initially I thought was just a client-side glitch where I raise my talents without using any skill points. I logged out of the game, closed down the client, and I pull up a fresh copy of my character from the server that told me the true story of what’s going on. I log into the game and I still have my whatever, fifteen points in my talent tree, and I still have my fifteen skill points. I was like okay, this is interesting. Let's see what's going on here.
JACK: [MUSIC] Talent points are rare and you can only get a certain amount. You can only spend a maximum of five on a specific skill but Manfred found a way to spend talent points without using talent points, and to spend more than five.
MANFRED: I was able to boost it up to fifteen points using only five points. Any exploits that improves your character's strength or gave you an advantage over another player were pretty significant 'cause you gain an advantage, an unfair advantage, over ten million players, basically.
JACK: After Manfred overloaded his talents with this exploit, he became god-like in the game. His powers were far more superior than any other player. [00:10:00] He started decking out his character in all the best equipment and made himself even more powerful.
MANFRED: Then I went to see if I could complete a dungeon solo.
JACK: He was able to easily clear dungeons that normally take five people to complete, allowing him to gather even better equipment and improving more. He kept pushing his abilities to see what was possible to do with this super character. At one point his goal became Molten Core. This was a raid-level dungeon which required forty people to clear. He tried to solo it.
MANFRED: My character wasn't powerful enough to complete Molten Core so we started getting some friends together. I'd buff up my characters and my friends' characters and we'd go and complete Molten Core, which I think was a forty-person dungeon. We'd do it with like, eight people. It was a lot of fun. It was challenging. We used this talent exploit to complete dungeons with very few people for probably eight to nine months.
JACK: [MUSIC] The game developers never detected or caught Manfred doing these exploits.
MANFRED: You'd think they'd have metrics on all these dungeons and they could see how quickly a group of players could finish a dungeon or whatnot, but they didn't.
JACK: He went back to reverse-engineering the client. He found there were debug packets that were enabled in production servers. After spending time analyzing the debug packets he found ways of doing some amazing things.
MANFRED: Things like broadcasting messages to the entire server, like teleport directly to a player.
JACK: Even after using these exploits for a few months he still wasn't caught or detected, so he eventually started getting bored with the game and decided to see how far he can push this before getting banned.
MANFRED: Usually the way this ends is in PVP. People complain when they get killed instantly. We started going out into the PVP lands and just basically one-shotting people, killing the person, like a super buffed-up Level 80 person or Level 50, whatever the level cap was back then, in a single hit or a couple of hits. The players would start complaining. They'd take screen shots, they'd call GMs, and fairly quickly, maybe one or two weeks, maybe three weeks afterwards, we all get banned.
JACK: What surprises me most about this story is how a game the size of World of Warcraft can have these exploits in them. The game had ten million players who were all paying $15 a month to play. The game developers were bringing in over $100,000,000 a month or $3,000,000 a day. With a budget like that you'd think they'd have solved every exploit.
MANFRED: That was a huge oversight on the developer's part. They shouldn't have included development packets in their production MMORPG on the scale of World of Warcraft.
JACK: While Manfred was banned from World of Warcraft, it was no problem for him because he could just move on to another game. [MUSIC] A few years before that, he played a game called Shadowbane. It was an MMORPG. You level up your character by killing monsters, equip new items, and you fight other players too, but only in certain areas. Manfred was amazed at how buggy this game was. He concluded the game must have skipped any Alpha testing, any Beta testing, and went directly to final release. In all his twenty years of hacking video games, none have come close to how bad Shadowbane was in terms of bugs.
MANFRED: I think Shadowbane deserves its own category and maybe a movie made after it. Shadowbane was so hopelessly insecure that -- no, if I were to write a game to demonstrate the game developers, no, do not write the game like this 'cause this is very insecure. I'd basically give them Shadowbane.
JACK: The story starts the same way as others. Manfred played the game, got good at it, and then got bored and started reverse-engineering the client. He saw that when you get experience points, [NOTIFICATION SOUNDS] a packet is sent to the game indicating how many experience points you just earned. He captured that packet, sent it a second time, and sure enough he got experience points in the game just for resending that packet again. He could keep getting unlimited experience points by just sending specially crafted packets to the server. Within a few minutes he gained over 100 levels. [00:15:00] He found that there was no server-side validation for any packet he sent, so he could do almost anything he wanted. He could open up other players' bank vaults, take items from them, he could load any piece of equipment into his inventory; he could even gain massive amounts of strength and hit points. [LEVEL UP SOUND]
MANFRED: Pretty much anything that I tried, any exploit I tried, worked. It was like, is this real life?
JACK: He tried to see if anyone would be willing to buy equipment, gold, or characters from him for real dollars. But there just wasn't enough demand because there wasn't enough players playing Shadowbane. He decided the game was so buggy and he didn't want to play it anymore.
MANFRED: We just decided to do a grand finale hack and basically uninstall the game and move on. I knew if we made this super obvious that servers would get rolled back, so we did have to kind of go over the top. 'Cause if we killed a few players here and there and blah, blah, blah, they'd complain to developers on the forums and they'd ignore it. But if we do a mass scale game-mechanics changing attack where it kills hundreds of players, totally alters the rules of the game, then they'd get rolled back. One of our grand finale acts was to basically teleport high-level monsters into safe haven cities that new players would start in. Let's say, create a new character in Shadowbane, you're sent into this little island where the game teaches you how to play. It's supposed to be completely safe.
But we teleported like Level 200 monsters in there to kill anybody that joined the game. You joined the game as a new player, and then suddenly this Level 200 dragon just totally decimates you. On this little island of new players, we probably killed dozens and dozens and dozens of them. New players joined the game and were respawning over a course of thirty minutes to an hour. We teleported an entire town full of people under the ocean. They'd slowly drown. They weren't drowning fast enough, so we also teleported monsters with them so that the monsters would kill the drowning players. [MONSTER SOUNDS] We're killing newbies joining in the game, we're killing active players, we're teleporting players into the ocean; it's just complete chaos.
It was yeah, it was pretty funny. It was all in good fun. I was kind of in shock and awe. It was funny that the events that were going on; players being teleported into the sea, monsters being teleported into newbie areas where players are supposed to be safe. It was shocking that, you know, how is it possible that we could pull this off in a supposedly final game?
JACK: But still, that wasn't enough. He decided to make every safe zone in the game a PVP zone. This means the players could attack other players anywhere in the world. There was no place to hide. Manfred had used his exploits to level his character high up and gave his character all the best equipment in the game. Now that the whole world is a PVP area, you can guess what he did next.
MANFRED: Me and my friends just going in and decimating everybody with highly overpowered characters. [FIGHTING SOUNDS] Yeah, it was complete chaos and disorder. All in good fun.
JACK: Manfred's chaos impacted everyone on the entire server. There were hundreds of tombstones everywhere you looked and everyone was wondering what in the world is happening? Some people are saying the gods went crazy and other people are saying there's bugs in the game. After about an hour of total chaos the servers went offline. Him and his friends were banned from the game and the server rolled back to a save point before the chaos began and all players were restored.
MANFRED: Initially the Shadowbane people thought somebody [inaudible] their servers, gained illegal access to their servers and they thought their servers were compromised when all we were doing was just using in-game mechanics. I look at the aftermath in the Shadowbane forums and some of the players were saying this should happen more often, this was like, the most fun they've ever had since they bought the game. There are some players that were kind of annoyed and some players were like hey, this is pretty cool. Let's do it again.
JACK: This Shadowbane hack was so ridiculous that Wired wrote an article about it back in 2003 when it happened. Nobody ever knew who was behind this until now. Wired posted a comment from the game developers which said, quote, "We're working with law enforcement and we promise all of you that these individuals will be prosecuted to the full extent of the law." End quote.
MANFRED: That was all bark. I think they realized that their servers weren't [00:20:00] compromised and we were just using the game protocol and the game logic against itself by finding unattended features in the protocol.
JACK: Manfred was never contacted by game developers or law enforcement for this event. Manfred has tried working with game developers to responsibly disclose the bugs he finds.
MANFRED: Back in the early days when I started doing this, I tried to work with the game developers. It's always backfired. For one example would be Anarchy Online. I think it came out in 2000 or 2001. I paged GM in the game and I go hey, I want to talk to one of your developers about some exploits I've found. We go in; we talk in the IRC, try and go out of the band, outside the game, and talk over IRC. We're like, here's the exploits, here's how to reproduce them, here's how to do them. They're like okay cool, thanks. The next day we wake up and our accounts are banned. This happened twice early on and if it happens twice or if it happens in one game and then it happens in another game, typically it'd be different development game. You've got to assume maybe the game industry doesn't want to work with people responsibly disclosing hacks.
I think their main point is they don't want people reverse-engineering their client in the first place. Maybe, I think, that's their motive for banning people that find these sorts of things. It was kind of counter-intuitive because you don't want to ban the people that are trying to help you out. You'd think they'd want to give us resources or additional resources or be like hey, here's some free accounts and here's our private test servers, have at. The opposite happened. They just said we're gonna ban you; don't come back.
JACK: This year Manfred gave a talk at Defcon. He was going to expose two unfixed bugs in Elder Scrolls Online and WildStar Online. He decided not to demonstrate the hack.
MANFRED: After the talk, one of the companies that was behind Elder Scrolls Online came up to me. [MUSIC] They were like here's my business card, let's talk. I talked to them. I showed them the exploit shortly after Defcon. While we were still in Vegas I showed it to them in person. They were like cool, thanks. The other one for WildStar Online, I sent him an e-mail describing the issue at hand and its ramifications. They got back to me and said cool, thanks. That's about it. For Elder Scrolls Online I last checked about a month and a half ago, which was about six weeks after Defcon and disclosure. It still hasn't been fixed. WildStar Online, I haven't checked since.
JACK: But this is just Chapter One of Manfred's epic journey. All of these exploits you've heard are just for fun but he found exploits in other games that would change his life for decades. He found ways to turn his virtual items into real US dollars. No longer was this about fun and games. It became a serious full-time business.
MANFRED: Let me just say that given the option of getting a day job as a software engineer, and you can imagine how much a software engineer makes these days, given the option of doing that versus hacking online video games, I chose to hack online video games because the pay was good but also because I was running my own business and making my own hours.
JACK: Join us in Part 2 of this story as we shift from putting coins into the game to taking coins out of the game.
JACK [OUTRO]: [OUTRO MUSIC STARTS] You've been listening to Darknet Diaries. There's a bunch of screenshots of Manfred's adventures at darknetdiaries.com. Be sure to check them out as well as links to some of the stories that were mentioned. Music is provided by Ian Alex Mac, Kevin MacLeod, and Tabletop Audio.
[OUTRO MUSIC ENDS]
[END OF RECORDING]
Transcription performed by Leah Hervoly