Darknet Diaries - Ep 7: Manfred (Part 1)
Episode Date: December 1, 2017
Manfred has had the most epic story of all online video game stories. For the last 20 years, he's been hacking online games. ...
Transcript
Back in 2002, I got banned from playing EverQuest.
This was a massive multiplayer online role-playing game, or MMORPG.
I spent years playing the game as a half-elf bard traveling through the world of Norrath.
It consumed my life, but I had ventures that I'll never forget.
Like the time I got together with 80 other players and killed dragons like Lady Vox and Nagafen.
But after years of doing the same repetitive things over and over,
and making it to the top, I got bored. And I quit. But that didn't last long, because I found myself playing again
a few weeks later. I had spent years working on my character, and it was just too hard to let it go.
I got to the point where I just couldn't quit the game. So the only solution I could think of
to force me to quit was to find a way to get banned. So I started using a bot.
The bot would take control of my character and automate it for me.
This was strictly against game rules.
I would leave the bot run all night long,
fighting monsters and gain experience while I was sleeping.
And when I woke, I was surprised to see that I was still fighting monsters.
Still not banned.
I kept botting and letting it run night after night.
And eventually players complained to a GM or game master,
which is like the game's admin,
and I got just what I wanted, banned.
While this story is epic in my own memories,
it's nothing compared to the story you're about to hear.
You're about to hear possibly the most epic online video game story of all time.
This tale is so crazy that it was even featured in Wired magazine. The world will become altered in ways you've never expected, and there will be massive amounts of gold and
wealth. So gather around and listen to a tale of epic proportions. This is Darknet Diaries,
true stories from the dark side of the internet. I'm Jack Rhysider.
I feel really lucky to have captured this story.
This is one that almost got away and disappeared into the sunset forever.
It's a rare one to be heard.
This is a story from a guy named Manfred.
Hello, hey, how's it going?
Manfred has kept his story quiet for 20 years.
He's never publicly told these stories until this year.
He first spoke about this at DEF CON, the largest hacker conference in the world. But he didn't get to say everything
he wanted to say. So I was going to show two zero-day exploits in a couple of games. So I was
in the green room at DEF CON like 15 minutes before my talk. One of the DEF CON team members, goons,
they asked me what my talk's about
and we got on the subject of me demonstrating this exploit.
He went and talked to another goon
and they both came back to me and they were like,
you probably don't want to do this.
Like, you can talk about the exploit,
just don't demonstrate how to reproduce it.
So then I was like, you know, you guys are probably right.
He did talk about the numerous games he did hack during his DEF CON talk,
which was recorded and put on YouTube.
But that didn't last long.
My DEF CON talk got taken down due to a copyright claim by ArenaNet, the makers of Guild Wars 2.
As you can see, the story is not only rare, but in some ways, forbidden.
So let's begin, shall we?
First off, what kind of name is Manfred?
So back in the early days of Ultima Online, I did a lot of PKing and griefing and all
that good stuff.
So originally, my name wasn't Manfred, it was Fuckchop. It was P-H-U-C-K-C-H-O-P.
I guess it kind of like added insults to injury to the players that I'd kill, and you know,
take all their hard-earned resources. All good fun, you know, it's not me in real life,
it was just a game, and I did it all in good fun. Under that name of Fuckchop, I player killed, PK'd, as it's called, for weeks and maybe
months.
And then one day, I was just in AFK in town, under guard protection, next to an in-game
bank, and I went out to get some Krispy Kreme donuts for lunch.
That was my usual lunch, like a dozen of those.
They're pretty awesome.
I came back and I looked at my character and my name was Manfred.
I was like, hmm, this is interesting.
So I looked at the chat log
and I saw that a GM
told me that
he can't have me going around killing players
as Fuckchop.
He's like, you can kill players or whatever, it's part of the game, but we can't have that name. So he just changed my name to a random name, and it happened to be Manfred, and it's stuck ever since.
That story took place 20 years ago. Manfred has been playing MMORPGs ever since. It always starts out the same way. He'll play, have fun, learn the game inside
and out, and then eventually get bored and start to tinker with it.
For fun, I reverse engineer games and I reverse engineer how the protocol talks to the server and vice versa, how the
server talks back to the client.
He hacks online video games. This is what he's good at. And after
20 years of doing this, he's an expert at finding bugs in MMOs. He captures the packets and analyzes what's in them. He'll inject his own
data into packets and see how the game responds. He'll find ways into the game client and manipulate
what traffic is sent to the server. The exploit he finds in almost every game is an integer overflow.
To understand this, imagine you have a clock and the time is 1 o'clock. Now if you were to subtract 1 minute from it, the time would then be 12:59.
Do you see how by subtracting, it resulted in a larger number?
Computers have a limit of how high they can count, and once they hit that limit,
it rolls all the way around to the lowest number they can count.
And video games don't always check if you can subtract from the lowest amounts.
So Manfred tries to subtract from 0, and he sometimes gets surprising results.
He's doing this at the packet level, sort of like a man in the middle.
When a packet is sent from his computer to the server, he captures it, changes some values, and sends it off.
He's been doing this for a long time, so he can pretty much find bugs in any game.
So far, he's found bugs in all these games. Ultima Online, Dark Age of Camelot, Anarchy Online,
Lineage 2, Final Fantasy Online,
the first one, World of Warcraft, Rift Online,
Elder Scrolls Online, Lord of the Rings Online,
Rift Online, the second, Final Fantasy XIV,
Guild Wars 2, and Wildstar Online.
I'm sure I forgot five or six more.
Because I personally played a lot of World of Warcraft, let's start there.
World of Warcraft was leading the pack as the most popular MMORPG in 2007.
Back when I was playing it, I think it had close to 10 million players.
Manfred had been playing for a while, and he was having fun leveling up his characters,
fighting creatures, and exploring the world.
This game had a thing called a talent system.
For every level you level up, you get one talent point to put into improving your character.
Manfred became curious what packets the computer was sending to the server
when he would use a talent point.
But there was a problem.
The packets between his computer and the server were encrypted,
so he couldn't see what was inside them or inject his own data in it. But he's a reverse engineer, so he starts to tinker with...
Slightly modifying the game client so I could take over the communication
before encryption happens when the packets are outgoing, and I take over communication
after encryption happens when they're coming from the server.
Once he has his hooks in the game communication, he played the game and spent a talent point to boost his character.
And he saw what the data looks like when this happens.
So he tried replaying that same packet back to the game client.
What he was expecting to see was that he had spent one talent point
and his talent would go up by one.
And I noticed that my skills didn't match up with the talent points I spent.
There was like a disconnect.
Supposedly I had, for example, like 15 skill points in this one skill tree, but I didn't
use any of my talent points, which was weird.
Somehow, at least initially, I thought it was just a client-side glitch where I raised
my talents without using any skill points.
So I logged out of the game, closed down the client, and I'd pull up a fresh copy of my character from the server.
That would tell me the true story of what's going on.
So I log into the game and I still have my 15 points in my talent tree and I still have my 15 skill points.
So I was like, okay, this is interesting. Let's see what's going on here.
Talent points are rare, and you can only get a certain amount. And you can only spend a maximum of five on a specific skill. But Manfred
found a way to spend talent points without using talent points, and to spend more than five. I was
able to boost it up to 15 points using only five points.
Any exploits that improved your character's strength
or gave you an advantage over another player were pretty significant
because, you know, you gained an advantage,
an unfair advantage over 10 million players, basically.
After Manfred overloaded his talents with this exploit,
he became godlike in the game.
His powers were far more superior than any other player.
He started decking out his character in all the best equipment and made himself even more
powerful.
And then I wanted to see if I could like, complete a dungeon solo.
He was able to easily clear dungeons that normally take 5 people to complete, allowing
him to gather even better equipment and improving more.
He kept pushing his abilities to see what was possible to do with this super character.
At one point, his goal became Molten Core.
This was a raid-level dungeon, which required 40 people to clear, so he tried to solo it.
My character wasn't powerful enough to complete Molten Core,
so we started getting some friends together.
So I buff up my characters and my friends' characters,
and we'd go in and complete Molten Core, which I think was a 40-person dungeon.
We'd do it with like eight people.
It was a lot of fun. It was challenging.
We used this talent exploit to complete dungeons with very few people for probably eight to nine months.
Game developers never detected or caught Manfred doing these exploits.
You'd think they'd have metrics on all these dungeons and they could see
you know how quickly a group of players could finish a dungeon or whatnot, but they didn't.
He went back to reverse engineering the client.
He found there were debug packets that were enabled in production servers.
After spending time analyzing the debug packets, he found ways of doing some amazing things.
Things like broadcasting messages to the entire server that could teleport directly to the player.
Even after using these exploits for a few months, he still wasn't caught or detected.
So he eventually started getting bored with the game and decided to see how far he can
push this before getting banned.
So usually the way this ends is in PvP.
People complain when they get killed instantly.
So we started going out into the PvP lands and just basically one-shotting people, killing a
person like a super buffed up level 80 person or level 50 whatever the level
cap was back then you know in a single hit or a couple of hits. So the players
would start complaining, they'd take screenshots, they'd call GMs and you know
fairly quickly maybe one or two weeks,
maybe three weeks afterwards, we'd all get banned.
What surprises me most about this story is how a game the size of World of Warcraft
can have these exploits in them.
The game had 10 million players who were all paying $15 a month to play.
The game developers were bringing in over $100 million a month,
or $3 million a day.
With a budget like that, you'd think they'd have solved every exploit.
That was a huge oversight on the developers' part. You know, they shouldn't have included
development packets in their production MMORPG on the scale of World of Warcraft.
So while Manfred was banned from World of Warcraft,
it was no problem for him because he could just move on to another game.
A few years before that, he played a game called Shadowbane. It was an MMORPG. You level up your
character by killing monsters, equip new items, and you fight other players too, but only in
certain areas. Manfred was amazed at how buggy this game was. He concluded the game must have skipped
any alpha testing, any beta testing, and went directly to final release. In all his 20 years
of hacking video games, none have come close to how bad Shadowbane was in terms of bugs.
So I think Shadowbane deserves its own category and maybe a movie made after it.
Shadowbane was so hopelessly insecure that, you know, if I were to write a game to demonstrate to game developers,
you know, do not write the game like this because this is very insecure, I'd basically give them Shadowbane.
The story starts the same way as others.
Manfred played the game, got good at it,
and then got bored and started reverse engineering the client.
He saw that when you get experience points,
a packet is sent to the game indicating how many experience points you just earned.
He captured that packet, sent it a second time,
and sure enough, he got experience points in the game just for resending that packet again.
He could keep getting unlimited experience points
by just sending specially crafted packets to the server.
Within a few minutes, he gained over 100 levels.
He found that there was no server-side validation
for any packet he sent,
so he could do almost anything he wanted.
He could open up other players' bank vaults,
take items from them.
He could load any piece of equipment into
his inventory. He could even gain massive amounts of strength and hit points. Pretty much anything
that I tried, any exploit I tried worked. It was like, is this real life? He tried to see if anyone
would be willing to buy equipment, gold, or characters from him for real dollars.
But there just wasn't enough demand because there wasn't enough players playing Shadowbane.
He decided the game was so buggy and he didn't want to play it anymore.
So we just decided to do a grand finale hack and basically uninstall the game and move on.
I knew if we made this super obvious that servers would get rolled back. So we had, we did have to kind of go over the top, because, I mean, if we killed a few
players here and there and blah blah blah, you know, they'd complain to
developers on the forums and they ignored it. But if we do like a mass-scale,
game-mechanic-changing attack where it kills hundreds of players and totally alters the rules
of the game, then they get rolled back. So one of our grand finale acts was to basically teleport
high-level monsters into safe haven cities that new players would start in. So like, let's say
create a new character in Shadowbane, you're sent into this little island where the game teaches you how to play.
It's supposed to be completely safe.
But we teleported like level 200 monsters in there to kill anybody that joined the game.
So you join the game as a new player a course of 30 minutes to an hour. So they'd slowly drown. They weren't drowning fast enough so we also teleported the monsters with them so that the monsters would kill the drowning players.
So we're killing newbies joining in the game, we're killing active players, we're teleporting players into the ocean. It's just complete chaos. It was, yeah, it was pretty funny.
I mean, it was all good fun,
and I was kind of shocked and awed.
It was funny that, you know,
that the events that were going on,
you know, players being teleported under the sea,
monsters being teleported into new areas
where players are supposed to be safe.
It was shocking that, you know,
how is it possible that we can pull this off in a supposedly final game?
But still, that wasn't enough. He decided to
make every safe zone in the game a PvP zone. This means the players could attack other players
anywhere in the world. There was no place to hide. Manfred had used his exploits to level his
character high up and gave his character all the best equipment in the game.
So now that the whole world is a PvP area,
you can guess what he did next.
Me and my friends just going in and decimating everybody with highly overpowered characters.
Yeah, it was complete chaos and disorder.
All good fun.
Manfred's chaos impacted everyone on the entire server.
There were hundreds of tombstones
everywhere you looked.
And everyone was wondering
what in the world is happening.
Some people are saying the gods went crazy
and other people are saying
there's bugs in the game.
After about an hour of total chaos, the servers went offline.
Him and his friends were banned from the game and the server rolled back to a save point
before the chaos began and all players were restored.
Initially the Shadowbane people thought, you know, somebody rooted their servers, you know,
gained illegal access to their servers. And they thought their servers were
compromised when all we were doing was just using in-game mechanics. And I look at the aftermath in
the Shadowbane forums, and some of the players were saying like, this should happen more often.
This was like the most fun they've ever had since they bought the game. So, I mean, there were some
players that were kind of annoyed and some players were like, hey, this is pretty cool.
Let's do it again.
This Shadowbane hack was so ridiculous
that Wired wrote an article about it back in 2003 when it happened.
Nobody ever knew who was behind this until now.
Wired posted a comment from the game developers,
which said, quote,
We're working with law enforcement,
and we promise all of you that these individuals
will be prosecuted to the full extent of the law.
End quote.
That was all bark.
I think they realized that their servers weren't compromised,
and we were just using the game protocol and the game logic against itself by, you know,
finding unintended features in the protocol.
Manfred was never contacted by game developers or law
enforcement for this event.
Manfred has tried working with game developers
to responsibly disclose the bugs
he finds. Back in the early days
when I started doing this, I tried
to work with game developers
and it's always backfired.
For one example
would be Anarchy Online.
I think it came out in 2000 or 2001. So I page GM in game
and I go, hey, I want to talk to one of your developers about some exploits I found. So we
go in, we talk in IRC. You know, you can go out of band outside the game and talk over IRC,
and we're like, here's these
exploits and here's how we produce them
and here's how to do them.
And they're like, okay, cool, thanks.
Next day we wake up
and our accounts are banned.
This happened twice
early on and
you know, if it happens twice
or if it happens in one game and then it happens
in another game with a completely different development team, then you gotta assume, you know,
maybe the game industry doesn't want to work with people responsibly disclosing hacks. I think their
main point is they don't want people reversing their client in the first place. So maybe, I think
that's their motive for banning people that find
these sorts of things. But it's kind of counterintuitive because you don't want to ban the people that
are trying to help you out. You'd think they'd want to give us resources or additional resources
or be like, hey, here's some free accounts and here's our private test servers. Have
that. The opposite happened. They just said, we're going to ban you. Don't come back.
This year, Manfred gave a talk at DEF CON. He was going to expose two unfixed bugs
in Elder Scrolls Online and Wildstar Online. He decided not to demonstrate the hack.
After the talk, one of the companies that was behind Elder Scrolls Online came up to me,
and they were like, here's my business card, let's talk.
So I talked to them, I showed them the exploit shortly after DEF CON, while we were still
in Vegas, I showed it to them in person, and they were like, cool, thanks.
The other one for Wildstar Online, I sent them an email describing the issue at hand and its ramifications,
and they got back to me and said, cool, thanks, and that's about it.
For Elder Scrolls Online, I last checked about a month and a half ago, which was about six
weeks after DEFCON and its closure, and it
still hasn't been fixed.
Wildstar Online I haven't checked since.
But this is just chapter one of Manfred's epic journey.
All of these exploits you've heard are just for fun.
But he found exploits in other games that would change his life for decades.
He found ways to turn his virtual
items into real U.S. dollars. No longer was this about fun and games. It became a serious,
full-time business. Let me just say that given the option of getting a day job as a software
engineer, and you can imagine how much a software engineer makes these days. Given the option of doing that versus
hacking online video games, I chose to hack online video games because the pay was good, but also because I was running my own business and making my own hours.
Join us in part two of as we shift from putting coins into the game to taking coins out of the game.
You've been listening to Darknet Diaries.
There's a bunch of screenshots of Manfred's adventures at darknetdiaries.com.
Be sure to check them out, as well as links to some of the stories that were mentioned.
Music is provided by Ian Alex Mack, Kevin Macleod, and5, C5.
Let's play a game.
It's your move.