Darknet Diaries - Ep 8: Manfred (Part 2)
Episode Date: December 1, 2017

Manfred found a way to turn his passion for video games and reverse engineering into a full time business. He exploited video games and sold virtual goods and currency for real money. This was his full time job. Listen to this episode to hear exactly how he did this.
Real quick, before we get started, this is part 2 of a two-part series on Manfred.
If you want to hear how he hacks online games for fun, check out part 1 first.
The first hack I ever did was on a game called SimCity.
It's the original city-building game.
My curious teenage self found where the saved game files were stored and began inspecting these files.
It was gibberish, as far as I could tell.
I decided to load the file into a hex editor.
This converts the contents of the file to a hexadecimal format. I started changing a few
numbers around. I was just guessing and then loading the game back up to see if anything had
changed. I knew I was in the right area because I was changing things like the year and the name
of the town. I kept tweaking values and loading it again and again. Eventually I loaded the game and I was amazed at what I saw.
I had given myself $100 billion in game dollars.
The feeling I got from hacking the game was so much more exciting than actually playing the game.
With that amount of money, I built some very large cities.
Hacking the money system in a single-player game is one thing.
But what if you could hack the money system in a massive multiplayer online game?
This is Darknet Diaries.
True stories from the dark side of the internet.
I'm Jack Rhysider.
This episode is sponsored by Delete.me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information
from hundreds of data brokers' websites,
and continuously works to keep it off.
Data brokers hate them, because Delete.me makes sure your personal profile
is no longer theirs to sell.
I tried it, and they immediately got busy scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that Thank you. them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security world-class in security
training. You can learn things like penetration testing, securing the cloud, breaching the cloud,
digital forensics, and so much more. But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
In this episode, we pick back up with Manfred.
Hello.
As you heard in the last episode, he hacks online video games.
But the last episode was all just fun and games.
In this episode, it's all business.
There's lots of money to be made in hacking online games.
So let's dial back the clock to the late 90s
when he first started making money hacking online games.
The game he was playing at that time was Ultima Online.
It was just like any other MMO RPG where you level up your character, equip items, and
slay monsters.
Manfred had played the game, got good at it, and then got bored.
So he started tinkering and reverse-engineering the client, and manipulating the packets.
In Ultima Online, players could buy houses and place them on the map.
This would be a safe place for your character to store things and rest.
The houses took up space on a map, though, just like houses do in real life.
So the game developers added a feature where you could demolish a house.
And they also added another feature where houses would become abandoned and fall down if the owner did not go in it for a while.
So initially, I was trying to find out how the process of demolishing your own house worked.
Like you could demolish the house and get the deed back. I was curious to see how that worked
at the protocol level. Like what was the client sending to the server to cause a house deletion
event to happen. So when I saw that it was pretty simple. It was the operation code that said,
hey let's delete this house. And it was the ID of the house.
I was like, wow, that's pretty simple. There has to be
more to it, like how the server must
be checking if you own this house.
So I was like, okay. Then I went over to my neighbor's house, got that house's ID by interacting with it a little bit and looking at the packets, and I saw that the ID was this. So I sent a house deletion event with that house ID and nothing happened. I was like, this is weird, why isn't this working? Then I did the same thing again with my house. I opened up my house menu and I sent the deletion packet and it deleted my house. I was like, huh, maybe they fixed it, like maybe server-side they're checking if I'm the owner of the house or not. So I tried it once more just to make sure. So I opened up my house menu item just to double-check on some information in the packets and I left my house menu up and then I sent my packet with my neighbor's house ID.
And to my surprise, my neighbor's house just disappeared.
Everything that was in that house, the furniture, equipment,
everything he ever collected, he or she,
just was laying there on the ground because the house wasn't there to hold it anymore.
So at first I was like, oops, you know, my bad. I really didn't mean to do that, but there's nothing I could do to undo it. So I just kind of threw up my hands
and said, crap, sorry. The conclusion was that no, the server doesn't check if you're the owner
of this house when you send a delete packet. The thing that it wants is it wants you to make sure that you have a house menu dialogue up when you're interacting with a house.
So as long as you're interacting with a house that you own, you're able to control another player's house.
And ultimately delete it if that's what you want to do.
I think initially I started deleting players' homes of rival guilds, because it was a game centered around PvP, and there were a lot of griefing and trolling guilds on the server I was playing on, so I think I took a bit of retaliation on them and started deleting their guild headquarters and stuff like that. So one of the guilds was called Players of Asia, and they were mainly Chinese players
that were accused of hacking themselves.
The GMs didn't really like specifically that guild and guilds associated with them, so
you know, I'm not sure if they ever sent out a complaint ticket, I'm sure they did, and
I think the GM just ignored it.
And then, you know,
after I'd delete their house, I'd place a house of my own up there.
When Manfred would delete another player's house,
the deed to that house would show up in his inventory.
Not only was he able to collect
all the items that were stored in that house,
but he would also essentially take
ownership of that house, since he now
had the deed and could build it right back
in the same spot where he deleted the house.
And after a while you know I'd have like a dozen houses and I was like what am I gonna do with all these houses?
And that's when eBay came into play. I noticed that houses were selling for
hundreds sometimes thousands of dollars depending on the size of a house.
Usually most players had a house that was just a single room where they could
store minimal items. The largest house was a castle which was huge
to accommodate the guild and all their items. So a castle
could easily sell up from between two and maybe
ten thousand dollars. As this turned into a business model
I needed more and more houses
because, you know, everything I'd put up on eBay would sell out pretty quickly.
So I couldn't, you know, I ran out of guilds to, or rival guilds to demolish
their houses. So I started looking for houses that were in danger of collapsing.
Seven days passed and they were about to
collapse. So usually when the house is about to collapse there's like a huge collapsing party,
tons of players come in and they try to place their house on top of a house that just collapsed.
So I don't want to compete with like 20 other players trying to place a house.
So as soon as I go around and looking for a house that's in danger of collapsing that
had no players around it. So I could go in, delete this house, place my house on top of it
without anybody suspecting anything. Except in this one case, I go in, I find the tower,
which is pretty big. It's a big rectangular structure that's pretty tall. So this thing is in danger of collapsing. I look around, there's nobody around.
So I run the exploit, collapse the tower, and place three small houses in its place.
Shortly after that, maybe a couple minutes, this guy comes in.
And he's totally baffled. He's looking around, running back and forth. He thinks maybe he
came into the wrong section
of town.
And he's like, hey, was there a
tower here? And I'm like,
I don't know. I was
just like, I was on the newbie character.
I was like level one.
I had nothing on me, just like a t-shirt and some
torn pants. So I was like, I don't know what's going on.
I wait a few more minutes and like a few more members of his guild join in. I guess they're pretty silent, I guess they're talking out of band in like IRC or something, but there's a lot of commotion going on. So I'm just standing around going, hey, let's see where this goes. I've never been in a situation like this.
I was kind of afraid that a GM would pop in and they'd see that.
And I thought that maybe the GM would be able to see that I deleted this house and placed these three in place of it.
So I was like, I might as well just hang around and see if that's the case. Let's see how good the GM tools are and how good the server logging is when they manage their houses.
I was pretty nervous because, you know, this turned into a pretty good business model.
And here I am thinking I'm going to lose it any minute.
So, you know, I'm really curious to see how this is going to play out.
So I hang around.
Violent commotion happens. A GM pops in, the GM is pretty much
clueless, everybody's basically shouting at him in game, going, hey, what's going on?
I kind of felt sorry for the GM, because after a few minutes I could tell that the GM had
no idea what was going on. Five minutes in, he has no answer, and the GM tools weren't mature
enough or advanced enough to get a tracking of was there a house here, who deleted it,
and who placed these houses and when. Ten minutes in, no answer. He had lots of angry
players around him. After 20 minutes, it was obvious that the GM had no idea what was going on
and then the famous quote of this guy going was either GMs or hackers.
You know they were accusing the GM of deleting the house or hackers. I knew I was off the hook
for you know getting banned and getting that exploit fixed right there and there. Well, it was obvious that
they didn't have any records of
what transpired.
So I was like, I was relieved
at that point. For all the GM
maybe they were totally fabricating
this story
trying to defraud me with
three houses on that spot.
Yeah, that's one of my
favorite moments
in my career of hacking online games.
Manfred then found a bug that gave him
the ability to build a house underground.
This was interesting because if somebody walks over the house,
the game would think they're in his house
so he could kill them without repercussion.
Because this bug was not important to Manfred,
he reported it to the GM.
The GM reported it to the developers. And the game company fired the GM. The game company thought the
hackers who reported this must have gotten some kind of inside information from the GM to find
these exploits. So the company thought the GM was working with the hackers to hack the game.
On top of the GM getting fired, Manfred and his friends got banned. Manfred was just trying to help the game developers by reporting these bugs,
so he was upset that they reacted this way.
So Manfred waited until late Sunday night,
when GMs and developers were asleep,
and created a new character.
He ran around the game, deleting every house he could find.
He deleted 20 houses, 50 houses,
100 houses,
and then switched to another server and deleted all the houses there.
200 houses were deleted.
And he kept switching servers
and deleting even more houses.
300 houses deleted.
400.
500.
Eventually, he ran out of houses to delete.
And he waved one last goodbye to the game
and said farewell.
He logged off for the last time and never returned. That Monday morning, there were so many complaints
and such chaos in the game that the developers had to roll back the servers to a save point on
Sunday before the houses were deleted. All players had their houses restored. The developers did
acknowledge a bug in the game and apologized to players for the rollback.
They even disabled house features until they could fix the bug.
Manfred's cash cow of making money selling houses in Ultima Online was dead.
That was back in my crazy college days where, I mean, as the screenshot showed, I was causing players harm.
After seeing the kind of impact that it caused the players, basically everything I did
in online games went even more undercover than it was, meaning that any exploit I ran
was completely invisible to the players, and also, importantly, it was also invisible to
the game developers.
So Manfred slipped into the shadows and became invisible.
This episode is sponsored by Vanta.
Trust isn't just earned, it's demanded.
Whether you're a startup founder navigating your first audit
or a seasoned security professional scaling your GRC program,
proving your commitment to security has never been more critical or more complex.
And that's where Vanta comes in. Businesses use Vanta to establish trust by automating compliance needs across over 35
frameworks like SOC 2 and ISO 27001, centralized security workflows, complete questionnaires up to
five times faster, and proactively manage vendor risk. Vanta helps you start or scale your security
program by connecting you with auditors and experts to conduct your audit and set up your security program quickly.
Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on building your company.
Join over 9,000 global companies like Atlassian, Quora, and Factory who use Vanta to manage risk and prove security in real time.
For a limited time, listeners get $1,000 off Vanta
at vanta.com slash darknet.
That's spelled V-A-N-T-A,
vanta.com slash darknet,
for $1,000 off.
Manfred then found an amazing bug in another game.
Shortly after the Ultima Online house deletion fiasco,
I moved on to a game called Dark Age of Camelot.
In that one, it was the same story.
I'd play the game, get bored of it, start reversing it,
learn about the packets,
and then I noticed that one of the packets
would allow me to log in twice.
Basically, I'd be in-game.
I could pass off my items, my gold to another player,
like a mule character, and then I'd cause myself to log in again without logging out the previous character.
So what would happen server-side is I get a fresh reload of the database and I'd have all my items and my gold again.
So basically, this is called a dupe glitch,
where you duplicate items.
Or in this case, I duplicate my entire character.
Because in-game, if you were to look at me,
you'd see two copies of the same character standing in-game,
which is pretty unique.
I've never encountered a game like that,
where you could log in two characters at once that
were the same
database instance.
Duplication exploit is a jackpot of
exploits. Just the ability to
duplicate in-game gold alone is
a jackpot. Even if he started
with one gold coin, if he duplicated
it 20 times, he'd have
over 1 million gold.
He possesses the ability to make as much gold as he wants, whenever he wants.
So for a little bit, I tweaked out my character, got the best items, and all that.
And then I went on eBay, and I noticed that people were selling items and gold in Dark Age of Camelot.
And I was like, hey, I have lots of items and gold. So
I made an eBay account
and started selling
Dark Age
of Camelot platinum
and items on eBay.
This particular
bug, where you can log in twice
and duplicate
the character's inventory,
lasted until 2013, I believe.
So it lasted for about 14 years.
So initially I sold on eBay, I think around 2003 or 2004,
eBay banned the sale of virtual goods using their platform. But the thing is, it created this huge black market economy
on the internet for virtual goods.
So I started selling directly to a Chinese supplier back then.
And it was ige.com.
So I went from selling on eBay to ige.com for a few years.
I want to step in here for a second
and underline the situation.
By using a duplication bug in the game,
Manfred is able to create an unlimited amount
of in-game gold,
and then sell this gold to players
who are paying real US dollars for it.
By using the bug he found,
he could single-handedly meet all market demand
for people who are willing to pay for in-game gold.
As you can imagine, this could become a very lucrative business model.
Yeah, I mean, you have as many dollars as the market dictates.
And remember that long list of video games he said he hacked?
World of Warcraft was the only one, the only game that I never found a way to hack the money system.
Let's go over some more games he's hacked.
Asheron's Call 2.
He used an exploit that would allow him to crash an instance.
So he'd move all his items to a friend,
that friend would then log off,
he'd crash the instance,
and then when they'd both log back in,
they both have the same exact items.
This gave him the ability to duplicate anything he had, including gold.
Anarchy Online.
He found an integer overflow bug that allowed him to subtract his strength beyond zero,
which gave him 65,000 strength points.
He did the same thing for intelligence, dexterity, and stamina.
Lineage 2.
He found a bug when buying items from a vendor.
He could change the item ID the vendor was selling
and buy any item he wanted for any price he wanted,
even items that were not allowed for players to have.
And the reverse was true.
He could sell a stick to a vendor,
but change the item ID in the packet,
and the vendor would pay as if it was a high-level,
expensive item.
Final Fantasy Online, the first one.
He found numerous integer overflow exploits in this game.
Like when he tried to give another player a negative amount of something,
that player would end up with the maximum amount of it instead.
Lord of the Rings Online.
He could sell a rock to a vendor, but say it was a diamond,
and the vendor would buy rocks at diamond prices.
Rift Online.
He could withdraw negative platinum from the guild bank,
which would result in positive platinum in his inventory,
allowing him to create as much gold as he wanted out of thin air.
Final Fantasy XIV.
It had the same exact exploits as the first Final Fantasy.
One allowed him to split stacks of items, like potions,
and conduct an integer overflow during the split,
like trying to take negative one potion from the stack.
This resulted in him getting two billion potions.
Wildstar Online.
So that one was creating a bid on an auction house. So the specifics of that one were, you'd create a maximum signed 64-bit integer bid, which was around 9 quintillion, whatever.
You'd have to Google it to get the exact number.
And the game would take
that maximum bid of 9 quintillion
and it would
add a 20% fee on top of that,
which would put it up into
11 quintillion or whatever.
So when they tried to subtract 11 quintillion
from your character,
it would roll your money amount back into the positive,
and you'd end up with 9 quintillion in-game platinum.
If you were to take all the Wildstar Online platinum that Manfred had
and sell it for real money in today's market value,
Manfred would have 397 trillion US dollars.
Of course, there isn't enough market demand for him to sell that much platinum.
He's only able to sell to people who are willing to buy in-game platinum.
This was my one and only job.
Everything went on my taxes.
It was a legit income.
I was basically expanding the game's functionality
to provide players with in-app purchases
before in-app purchases were a thing.
I like to think of it as ethical black hat hacking
because I really was providing a service
that the game companies weren't providing yet.
I've never heard the term before.
Ethical black hat hacking. So I spent a
long time talking about this with Manfred to really understand what he means. To understand
this, let's use an analogy. Let's go back to the 1920s when movie theaters didn't sell popcorn or
snacks in the theater. Imagine that Manfred is a guy who sold popcorn outside the movie theater.
People want some kind of snack while watching the film, but since the theater didn't sell any, they turned to the guy selling popcorn outside and they'd sneak it in. The popcorn
seller isn't competing with the theater in any way. But then the movie theater saw how much the
popcorn seller was making and couldn't keep the popcorn outside the movie theaters, so they decided
to start selling it themselves. Now the popcorn seller would be competing with the movie theater. In fact,
today movie theaters make more money selling snacks than they do selling movie tickets.
So Manfred would only sell gold to players for games that weren't already doing that themselves.
He thinks it would be unethical to compete with game companies that sell gold to players since
it hurts their revenue. And just like how movie theaters make more money selling snacks today,
game companies make more money through in-app purchases today
than they do actually selling the game.
Some game companies have stopped charging entirely for their game
because of how profitable in-app purchases are.
And while Manfred tries to stay ethical while hacking,
there are a lot of hackers that don't.
A lot of the Chinese and Russian hackers that are involved with this, and there's a lot of them, they hack in a way that's completely black hat
and completely unethical. They don't care about compromising servers. They'll send malware to
people that play the game just so they could install a keylogger and steal their game credentials
and they'll log into hundreds of accounts at a time
and basically strip the characters and accounts naked.
Immensely hurting the players that are playing this game.
Also, another little inside secret is...
So let's say you're playing World of Warcraft
and you go to a World of Warcraft fan website
where players talk about the game and the upcoming patches and maybe databases of items in the game.
It's a community for World of Warcraft players.
Often these community sites will be run by either the Chinese or the Russians. And you want to take a
guess as to why the Chinese and Russians would want to run a fan site for video
game players? It's really simple because the main reason is people tend to reuse
their email addresses and passwords. So if you log into a fan site for World of
Warcraft, chances are pretty good
that same username and password you're using for that fan site will also work on your World
of Warcraft account.
This is probably the most unethical way of getting in-game gold. It hurts the players
who love and play the game. But these kind of hackers didn't stop there.
They'll denial of service attack game companies' game servers in retaliation.
They'll try and, you know, root through systems to get a hold of databases,
which happened in Guild Wars 2 and probably a lot of other games.
I mean, it's the Wild West. It's a multi-billion dollar industry, and you have a lot of hackers out there that don't care
or are out of reach of the long arm of the law.
Because they're in China or Russia, and they don't care about breaking any U.S. laws.
As a quick sidebar, in 2011, the New York Times reported hackers that were sponsored by North Korea and Kim Jong-il were caught hacking into the Lineage video game servers.
The story says they were doing
it to raise money for North Korea. This is the only time I've ever heard of a nation-state
sponsoring a hack against a video game company. It's also unique because most nation-state hacks
aren't done simply to make extra money. The article says North Korean hackers made $6 million
in their hacks against Lineage servers. Manfred did not believe he broke any laws doing
what he did. Yes, it was against the game rules, and if he was caught, he was banned. At one point,
he was even sent a cease and desist letter. But never did the game company try to come after him
using any law enforcement. He's also proud that he didn't harm any other players, and he didn't
compete with the video game maker's business model. This is why he calls it
ethical. But he still calls it black hat hacking, since he's breaking the rules of the game and the
client to accomplish his hacks. The line is certainly gray on where ethics and laws meet here.
The way game companies look at security, they frown upon people modding their clients,
people reverse engineering.
I think they really should take a step back and try and work
with
hackers in the community to help
secure their games.
Because over the past 20 years
every single game has an
integer overflow and that's something
that really shouldn't happen.
It's akin to having
SQL injection on the website these days.
It happens, but it shouldn't be in every single instance of a game.
And for example, like Wildstar Online,
I think their budget to create that game was in excess of $50 million.
And they had extremely simple exploits in that game, right?
They didn't allocate, you know allocate just a small percentage of that
budget into spending
even a day
unit testing some of the
publicly
player-facing functionality that the game
server provides. I think
most of these bugs or exploits,
especially the integer
overflows, could be
identified and fixed
within just a
week's worth of time.
It's time to take a different
approach to
trying to assist people.
If somebody comes forward with a hack
don't ban them, don't be a
dick.
Just work with them and say thanks.
Don't ban them and create more problems.
It sounds like these online games don't give people any incentive to report the exploits they
find. A lot of companies today offer bounty rewards for people who find bugs, but not very
many game companies are doing this yet.
And as you said, game companies are moving into providing the sale of virtual goods directly through their in-game interface and mechanics, and this is exactly why I decided to leave. This is really
going from a gray area to almost illegal but it would be unethical for me to go in and undermine
a company's in-app purchase business model so that's why last year I threw in the towel and I moved on.
It's kind of interesting because there were a few discussions online about the DEF CON talk.
And people were saying, people frowned upon companies doing in-app purchases.
They're like, why is this guy stepping away now when he should be going in
right now and undermining their entire business model that's screwing players over. My main point
is that I did this as a business while I felt it was ethical and legal and last year I stopped doing
it because I thought I was encroaching into unethical territory by competing
with the game's in-app purchase business model.
For the last 20 years, Manfred has been able to
support himself solely through exploiting online video games. But his epic journey now comes to an
end. He no longer exploits games and sells virtual items. Now Manfred works for a security assessment company and has gone completely white hat.
This is why he's now able to tell his story about what he's been doing for the last 20 years.
Even though he thinks it's unethical to compete with companies who have in-app purchases,
there are still many other hackers who continue to exploit online video games.
And this will probably continue until there's no longer a demand for virtual goods. But that is not going to happen
anytime soon.
You've been listening to Darknet Diaries. There's a bunch of screenshots of Manfred's
adventures at darknetdiaries.com. Be sure to check them out as well as links to some of the stories that were mentioned.
Music is provided by Ian Alex Mac, Kevin MacLeod, and Tabletop Audio.