Episode Show Notes
[START OF RECORDING]
JACK: Real quick before we get started; this is Part 2 of a two part series on Manfred. If you want to hear how he hacks online games for fun, check out Part 1 first. [MUSIC] The first hack I ever did was on a game called Sim City. It's the original city-building game. My curious teenage self found where the save-game files were stored and began inspecting these files. It was gibberish as far as I could tell. I decided to load the file into a hex editor. This converts the contents of the file to a hexadecimal format. I started changing a few numbers around. I was just guessing and then loading the game back up to see if anything had changed. I knew I was in the right area because I was changing things like the year and the name of the town. I kept tweaking values and loading it again and again.
Eventually I loaded the game and I was amazed at what I saw. I had given myself 100 billion in game dollars. The feeling I got from hacking the game was so much more exciting than actually playing the game. With that amount of money, I built some very large cities. Hacking the money system in a single-player game is one thing. But what if you could hack the money system in a massive multiplayer online game?
JACK (INTRO): [INTRO MUSIC] This is Darknet Diaries, true stories from the dark side of the internet. I'm Jack Rhysider. [INTRO MUSIC ENDS]
JACK: In this episode we pick back up with Manfred.
JACK: As you heard in the last episode, he hacks online video games, but the last episode was all just fun and games. In this episode it's all business. There's lots of money to be made in hacking online games. Let's dial back the clock to the late 90s when he first started making money hacking online games. [MUSIC] The game he was playing at that time was Ultima Online, and was just like any other MMORPG where you level up your character, equip items, and slay monsters. Manfred had played the game, got good at it, and then got bored, so he started tinkering and reverse-engineering the client and manipulating the packets. In Ultima Online players could buy houses and place them on the map. This would be a safe place for your character to store things and rest. The houses took up space on a map though, just like houses do in real life. The game developers added the feature where you could demolish a house. Then they also added another feature; houses would become abandoned and fall down if the owner did not go in it for a while.
MANFRED: Initially I was trying to find out how the process of demolishing your own house worked. You could demolish the house and get the deed back. I was curious to see how that worked at the protocol level. Like, what was the client sending to the server to cause the house deletion event to happen? When I saw that, it was pretty simple. The operation code that said hey, let's delete this house and it was the ID of the house. I was like wow, that's pretty simple. There has to be more to it like how the server must be checking if you own this house. I was like okay, then I went over to my neighbor's house, got the house's ID by interacting with it a little bit and looking at the packets. I saw that the ID was this, so I sent a house deletion event with that house ID. Nothing happened. I was like, this is weird. Why isn't this working?
Then I did the same thing again with my house. I opened up my house menu and I sent the deletion packet and it deleted my house. [DEMOLISH SOUNDS] I was like huh, maybe they fixed it. Maybe server sites are checking if I'm the owner of the house or not. I tried it once more just to make sure. I opened up my house menu item just to double check on some information in the packets, and I left my house menu up. Then I sent my packet with my neighbor's house ID. To my surprise, my neighbor's house just disappeared. [DEMOLISH SOUNDS] Everything that was in that house, the furniture, equipment, everything he ever collected, he or she, just was laying there on the ground 'cause the house wasn't there to hold it anymore. At first I was like oops, my bad. I fully didn't mean to do that but there's [00:05:00] nothing I could do to undo it. I just kind of threw up my hands and said crap, sorry.
The conclusion was that no, the server doesn't check if you're the owner of this house when you send the delete packet. The thing that it wants is it wants you to make sure that you have a house menu dialog up when you're interacting with the house. As long as you're interacting with a house that you own, you're able to control another player's house and ultimately delete it if that's what you want to do. [MUSIC] I think initially I started deleting players' homes of rival guilds [DEMOLISH SOUNDS] 'cause it was a game censored around PVP and there were a lot of griefing and controlling guilds on the server I was playing on. I think I took a bit of retaliation on them and started deleting their guild headquarters and stuff like that. One of the guilds was called Players of Asia and they were mainly Chinese players that were accused of hacking themselves. The GMs didn't really like specifically that guild and guilds associated with them, so I'm not sure if they ever sent us a complaint ticket. I'm sure they did and I think the GMs just ignored it. Then after I'd delete their house, I'd place a house of my own up there. [BANGING]
JACK: When Manfred would delete another player's house, the deed to that house would show up in his inventory. Not only was he able to collect all the items that were stored in that house but he would also essentially take ownership of that house since he now had the deed and could build it right back in the same spot where he deleted the house.
MANFRED: After a while I'd have a dozen houses and I was like, what am I gonna do with all these houses? That's when eBay came into play. I noticed that houses were selling for hundreds, sometimes thousands of dollars depending on the size of the house. Usually most players had a house that was just a single room where they could store minimal items. The largest house was a castle, which was huge to accommodate a guild and all their items. A castle could easily sell up from between two and maybe ten thousand dollars. As this turned into a business model, I needed more and more houses 'cause everything I'd put up on eBay would sell out pretty quickly. I couldn't -- I ran out of guilds or rival guilds to demolish their houses so I started looking for houses that were in danger of collapsing. Seven days passed and they were about to collapse.
Usually when the house is about to collapse, there's a huge collapsing party, tons of players come in, they try to place their house on top of a house that just collapsed. I don't want to compete with like, twenty other players trying to place a house. So I'd go around looking for a house that's in danger of collapsing that had no players around it. I could go in, delete this house, place my house on top of it without anybody suspecting anything. Except in this one case, I go in, I find the tower, which is pretty big. It's a big rectangular structure that's pretty tall. This thing is in danger of collapsing. I look around, there's nobody around so I run the exploit, [DEMOLISH SOUNDS] collapse their tower and place three small houses in its place. [BANGING]
Shortly after that, maybe a couple minutes, this guy comes in and he's totally baffled. [FOOTFALLS] He's looking around, running back and forth, he thinks maybe he came into the wrong section of town. He's like hey, was there a tower here? I'm like, I don't know. I was just -- I was on the newbie character. I was Level 1. I had nothing on me, just a t-shirt and some torn pants so I was like, I don't know what's going on. The guy waits a few more minutes and a few more members of his guild join in. I guess they're pretty silent, I guess they're talking of a band of like, IRC or something but there was a lot of commotion going on. I'm just standing around going hey, let's see where this goes. I've never been in a situation like this. I was kind of afraid that a GM would pop in and they'd see that -- I thought that maybe the GM would be able to see that I had deleted this house and placed these three in place of it. I was like, I might as well just hang around and see if that's the case. Let's see how good the GM tools are and how good the server logging is when they manage their houses.
I was pretty nervous 'cause this turned into a pretty good business model and here I am thinking I'm going to lose it any minute. I'm really curious to see how this is going to play out so I hang around. [BACKGROUND COMMOTION] While the commotion happens, a GM pops in. [00:10:00] The GM is pretty much clueless. Everybody's basically shouting at him in the game, going hey, what's going on? I kind of felt sorry for the GM 'cause after a few minutes I could tell that the GM had no idea what was going on. Five minutes in, he has no answer and the GM tools weren't mature enough or advanced enough to get a tracking; was there a house here, who deleted it, and who placed these houses and when?
Ten minutes in, no answer. He had lots of angry players around him. After twenty minutes it was obvious that the GM had no idea what was going on. Then the famous quote of this guy going, "It was either GMs or hackers." They were accusing the GM of deleting the house, or hackers. I knew I was off the hook for getting banned in a game that exploit fixed right there and there. It was obvious that they didn't have any records of what transpired, so I was relieved at that point. For all the GM knew, maybe they were totally fabricating the story, trying to defraud me with three houses on that spot. Yeah, that's one of my favorite moments in my career of hacking online games.
JACK: Manfred then found a bug that gave him the ability to build a house underground. This was interesting because if somebody walks over the house, the game would think they're in his house so he could kill them without repercussion. Because this bug was not important to Manfred, he reported it to the GM. The GM reported it to the developers and the game company fired the GM. The game company thought the hackers who reported this must have gotten some kind of inside information from the GM to find these exploits, so the company thought the GM was working with the hackers to hack the game. On top of the GM getting fired, Manfred and his friends got banned.
Manfred was just trying to help the game developers by reporting these bugs, so he was upset that they reacted this way. So Manfred waited until late Sunday night when GMs and developers were asleep and created a new character. He ran around the game deleting every house he could find. He deleted twenty houses, fifty houses, a hundred houses, and then switched to another server and deleted all the houses there. Two hundred houses were deleted and he kept switching servers and deleting even more houses. Three hundred houses deleted, four hundred, five hundred. Eventually he ran out of houses to delete and he waved one last goodbye to the game and said farewell. He logged off for the last time and never returned. That Monday morning there were so many complaints and such chaos in the game that the developers had to roll back the servers to a save point on Sunday before the houses were deleted.
All players had their houses restored. The developers did acknowledge a bug in the game and apologized to players for the roll back. They even disabled the house features until they could fix the bug. Manfred's cash cow of making money selling houses in Ultima Online was dead.
MANFRED: That was back in my crazy college days where -- I'm going to ask this screen shot show that I was causing the players harm. After seeing the impact that it caused the players, basically all -- everything I did in online games went even more undercover than it was, meaning that any exploit I ran was completely invisible to the players and also importantly, was also invisible to the game developers.
JACK: Manfred slipped into the shadows and became invisible. Manfred then found an amazing bug in another game.
MANFRED: Shortly after the Ultima Online house deletion fiasco, I moved onto a game called Dark Age of Camelot. That one was the same story; I played the game, get bored of it, start reversing it, learned about the packets. Then I noticed that one of the packets would allow me to log in twice. Basically I'd be in-game, I could pass off my items, my gold, to another player like a mule character, and then I'd cause myself to log in again without logging out the previous character. What would happen server side is I'd get a fresh [00:15:00] reload of the database and I'd have all my items and my gold again. Basically this is called a dupe glitch where you duplicate items, or in this case, I duplicate my entire character. In-game, if you were to look at me, you'd see two copies of the same character standing in-game, which was pretty unique. I've never encountered a game like that where you could log in two characters at once that were the same database instance.
JACK: Duplication exploit is the jackpot of exploits. Just the ability to duplicate in-game gold alone is a jackpot. Even if he started with one gold coin, if he duplicated it twenty times he'd have over one million gold. He possess the ability to make as much gold as he wants, whenever he wants.
MANFRED: For a little bit I tweaked out my character, got the best items and all that. Then I went on eBay and I noticed that people were selling items and gold in Dark Age of Camelot. I was like hey, I have lots of items and gold. So I made an eBay account and started selling Dark Age of Camelot platinum and items on eBay. This particular bug, where you can log in twice and duplicate the character's inventory lasted until 2013, I believe. It lasted for about fourteen years. Initially I sold on eBay. I think around 2003 or 2004 eBay banned the sale of virtual goods using their platform. But the thing is, is it created this huge black market economy on the internet for virtual goods. I started selling directly to a Chinese supplier back then. It was ige.com. I went from selling on eBay to ige.com for a few years.
JACK: I want to step in here for a sec and underline the situation; by using a duplication bug in the game, Manfred is able to create an unlimited amount of in-game gold and then sell this gold to players who are paying real US dollars for it. By using the bug he found, he could single-handedly meet all market demand for people who were willing to pay for in-game gold. As you can imagine, this could become a very lucrative business model.
MANFRED: Yeah, you have as many dollars as the market dictates.
JACK: Remember that long list of video games he said he hacked?
MANFRED: Word of Warcraft was the only one, the only game that I never found a way to hack the money system.
JACK: Let's go over some more games he's hacked. Asheron's Call 2; he used an exploit that would allow him to crash an instance, so he'd move all his items to a friend. That friend would then log off. He'd crash the instance and then when they'd both log back in they'd both have the exact same items. This gave him the ability to duplicate anything he had, including gold.
MANFRED: Anarchy Online.
JACK: He found an integer overflow bug that allowed him to subtract his strength beyond zero, which gave him 65,000 strength points. He did the same thing for Intelligence, Dexterity, and Stamina.
MANFRED: Lineage II.
JACK: He found a bug when buying items from a vendor he could change the item ID the vendor was selling and buy any item he wanted for any price he wanted, even items that were not allowed for players to have. The reverse was true; he could sell a stick to a vendor but change the item ID in the packet and the vendor would pay as if it was a high-level, expensive item.
MANFRED: Final Fantasy Online, the first one.
JACK: He found numerous integer overflow exploits in this game, like when he'd try to give another player a negative amount of something, that player would end up with the maximum amount of it instead.
MANFRED: Lord of the Rings Online.
JACK: You could sell a rock to a vendor but say it was a diamond and the vendor would buy rocks at diamond prices.
MANFRED: RIFT Online.
JACK: He could withdraw negative platinum from the guild bank which would result in positive platinum in his inventory, allowing him to create as much gold as he wanted out of thin air.
MANFRED: Final Fantasy XVI.
JACK: It had the same exact exploits as the first Final Fantasy. One allowed him to split stacks of items like potions and conduct an integer overflow during the split, like trying to take negative one potion from the stack. This resulted in him getting two billion potions.
MANFRED: WildStar Online. That one was creating a bid on an auction house, so the specifics of that one were, you'd create a maximum signed 64-bit integer bid, which was around 9 quintillion, whatever, you'd have to Google it to get the exact number. The game would take that maximum bid of nine quintillion and it would add a twenty percent fee on top of that, which would put it up into you know, eleven [00:20:00] quintillion or whatever. When I tried to subtract eleven quintillion from [inaudible] it would roll your money amount back into the positive and you'd end up with nine quintillion in game platinum.
JACK: If you were to take all the WildStar Online platinum that Manfred had and sell it for real money in today's market value, Manfred would have 397 trillion US dollars. Of course, there isn't enough market demand for him to sell that much platinum. He was only able to sell to people who were willing to buy in-game platinum.
MANFRED: This was my one and only job. Everything went on my taxes. It was legit income. I was basically extending the -- or expanding the game's functionality to provide players with in-app purchases before in-app purchases were a thing. I like to think of it as ethical black-hat hacking 'cause I really was providing a service that the game companies weren't providing yet.
JACK: I've never heard the term before.
MANFRED: Ethical black-hat hacking.
JACK: I spent a long time talking about this with Manfred to really understand what he means. To understand this, let's use an analogy. Let's go back to the 1920s when movie theatres didn't sell popcorn or snacks in the theatre. Imagine that Manfred is the guy who sold popcorn outside the movie theatre. People want some kind of snack while watching the film but since the theatre didn't sell any, they turned to the guy selling popcorn outside and they'd sneak it in. The popcorn seller isn't competing with the theatre in any way. But then the movie theatre saw how much the popcorn seller was making and couldn't keep the popcorn outside the movie theatres, so they decided to start selling it themselves. Now the popcorn seller would be competing with the movie theatre.
In fact, today movie theatres make more money selling snacks than they do selling movie tickets. Manfred would only sell gold to players for games that weren't already doing that themselves. He thinks it would be unethical to compete with game companies that sell gold to players since it hurts their revenue. Just like how movie theatres make more money selling snacks today, game companies make more money through in-app purchases today than they do actually selling the game. Some game companies have stopped charging entirely for their game because of how profitable in-app purchases are. While Manfred tries to stay ethical while hacking, there are a lot of hackers that don't.
MANFRED: A lot of the Chinese and Russian hackers that are involved with this, and there's a lot of them, they hack in the way that's completely black-hat and completely unethical. They don't care about compromising servers. They'll send malware to people that play the game just so they could install a key logger and steal their game credentials. They'll log into hundreds of accounts at a time and basically strip the characters and accounts naked, immensely hurting the players that are playing this game.
[MUSIC] Also, another little insight secret is, let's say you're playing World of Warcraft and you go to a World of Warcraft fan website, where players talk about the game and the upcoming patches, and maybe databases of items in the game. It's a community for World of Warcraft players. Often these community sites will be ran by either the Chinese or the Russians and you want to take a guess as to why the Chinese and Russians would want to run the fan site for video game players? It's really simple 'cause the main reason is people tend to re-use their e-mail addresses and passwords. If you log into a fan site for World of Warcraft, chances are pretty good that same username and password you're using for that fan site will also work on your World of Warcraft account.
JACK: This is probably the most unethical way of getting in-game gold. It hurts the players who love and play the game but these kind of hackers didn't stop there.
MANFRED: Denial of service attack game companies game servers in retaliation. They'll try and root through systems to get ahold of the databases, which happened to Guild Wars II and probably a lot of other games. It's the Wild West, it's a multi-billion dollar industry and you have a lot of hackers out there that don't care or are out of reach of the long arm of the law 'cause they're in China or Russia and they don't care about breaking any US laws.
JACK: As a quick side bar, in 2011 the New York Times reported hackers that were sponsored by North Korea and Kim Jong-Il were caught hacking into the Lineage video game servers. The story says they were doing it to raise money for North Korea. This is the only time I've ever heard of a nation state sponsoring a hack against a video game company. It's also unique because most nation state hacks aren't done simply to make extra money. The article says North Korea hackers made six million dollars in their [00:25:00] hacks against Lineage servers.
Manfred did not believe he broke any laws doing what he did. Yes, it was against the game rules and if he was caught he was banned. At one point he was even sent a cease and desist letter, but never did the game company try to come after him using any law enforcement. He's also proud that he didn't harm any other players and he didn't compete with the video game makers' business model. This is why he calls it ethical but he still calls it black-hat hacking since he's breaking the rules of the game and the client to accomplish his hacks. The line is certainly gray on where ethics and laws meet here.
MANFRED: The way game companies look at security, they frown upon people modding their clients, people reverse-engineering, but I think they really should take a step back and try and work with hackers in the community to help secure their games. Because over the past twenty years, every single game has integer overflow and that's something that really shouldn't happen. It's akin to having SQL injection in a website. It happens but it shouldn't be in every single instance of the game.
For example, WildStar Online, I think that their budget to create that game was in excess of fifty million dollars and they had extremely simple exploits in that game. They didn't allocate just a small percentage of that budget into spending even a day -- even testing some of the publically player-facing functional that the key server provides. I think most of these bugs or exploits, especially the integer overflows, could be identified and fixed within just a week's worth of time. It's time to take a different approach to trying to assist people. If somebody comes forward with a hack, don't ban them. Don't be a dick. Just work with them and say thanks. Don't ban them and create more problems.
JACK: It sounds like these online games don't give people any incentive to report the exploits they find. A lot of companies today offer bounty rewards for people who find bugs, but not very many game companies are doing this yet.
MANFRED: As you said, the game companies are moving into providing the sale of virtual goods directly through their in-game interface mechanics. This is exactly why I decided to leave. [MUSIC] This is really going from a gray area to almost illegal but it would be unethical for me to go in and undermine a company's in-app purchase business model, so that's why last year I threw in the towel and I moved on. It's kind of interesting 'cause there were a few discussions online about the Defcon talk and people were saying people frowned upon companies doing in-app purchases. They're like, why is this guy stepping away now when he should be going in right now and undermining their entire business model that's screwing players over? My main point is that I did this as a business while I felt it was ethical and legal. Last year I stopped doing it 'cause I thought I was encroaching into unethical territory by competing with the game's in-app purchase business model.
JACK: For the last twenty years, Manfred has been able to support himself solely through exploiting online video games but his epic journey now comes to an end. He no longer exploits games and sells virtual items. Now Manfred works for a security assessment company and has gone completely white-hat. This is why he's now able to tell his story about what he's been doing for the last twenty years. Even though he thinks it's unethical to compete with companies who have in-app purchases, there are still many other hackers who continue to exploit online video games. This will probably continue until there's no longer a demand for virtual goods. But that is not going to happen anytime soon.
JACK (OUTRO): [OUTRO MUSIC] You've been listening to Darknet Diaries. There's a bunch of screenshots of Manfred's adventures at darknetdiaries.com. Be sure to check them out as well as links to some of the stories that were mentioned. Music is provided by Ian Alex Mac, Kevin MacLeod, and Tabletop Audio.
[OUTRO MUSIC ENDS]
[END OF RECORDING]
Transcription performed by Leah Hervoly
Transcription performed by Leah Hervoly www.leahtranscribes.com