First of all, what is an exploit anyway?
An exploit is the use of a system in a way that was not intended.
Exploits can often be found in MMORPGs, for example, where items or game currency are duped (doubled) by exploiting errors in the server & client structure. This duping is of course NOT intended / wanted by the developers of the MMORPGs, especially because very valuable items that are often worth several hundred euros can be duped, which then of course destroys the economy of the game (AH prices, for example). The people who hunt for exploits in MMORPGs are mostly after the money that comes with it.
If you find an exploit for duping (quasi the holy grail of exploiting in MMORPGs), or an exploit for teleporting or something similar … that can bring in a lot of money (keyword: selling hacks & gold). I would now like to show some examples of exploits so that you can better understand what an exploit is about.
Example of a harmless exploit:
For some time there was an exploit in World of Warcraft in which the abilities of a warlock were used to get gold very easily. In a game world that is normally only unlocked from a certain character level, the developers had hidden treasures. These were mostly worth 300-600g. The trick was that the warlock could summon other players. All you needed were 3 players. What did you do? Quite simple - you created a level 1 character, summoned it DIRECTLY to the treasure with the warlock, this level 1 character took the treasure, sold it to an NPC (a special mount had a seller), and gave the gold to the warlock. Then you deleted the level 1 character and started again with a fresh level 1 character.
This sequence was then automated with a script and brought in a lot of gold. Bots like Honorbuddy had special addons / plugins that then even did it completely on their own. This exploit was exploited to death until Blizzard got wind of it. As a result, the exploit was fixed and the players who had used it were permanently banned.
Example of a serious exploit (dupe):
In World of Warcraft there is an auction house in every major capital where players can sell and buy their items. In Stormwind (Alliance capital) there is an auction house right next to a mailbox. Therefore it was possible to open the mailbox and the auction house AT THE SAME TIME using macro scripts.
How so? Well - whether an action can be carried out or not is decided only on the basis of a radius from the character to the game object. If the mailbox and auction house are close together, you are within reach of both objects and can use them. The windows of the mailbox & auction house are only client-side GUIs - they are not necessary to interact with the 2 things. In short - you can interact with things without using the GUI … you just have to stand close enough to the respective game object.
Resourceful players (including me) then came up with something. We had the following train of thought:
“What happens if I put an item in the auction house, but at the same time send it in a letter to someone else?”
We then managed to send the item by letter at the same moment that we also put it up as an auction. The server was “too slow” when processing the requests. The information of the item (name, item ID, etc.) was simply packed into the auction house and the letter … only then was the item deleted from the backpack. In short - each time an item is put up for auction or sent by letter, the server automatically copies the item. Only after copying the item information did the server delete the real item from the backpack. So if you put an item up at the auction house but also sent it as a letter at the same time, the item suddenly existed twice! Once in the auction house and once in the letter that was sent. The server was just too slow and then tried to delete the item from the backpack twice … but since it only existed once, this failed. The item still existed 2 times in spite of this!
The trick that made it all possible was that we used macros to do it all at the same time. This would not have been possible without macros, because there are some locks built into the client side that grey out an item in the backpack as soon as it is placed in a letter or auction window. If an item is greyed out, it cannot be put anywhere else within a GUI. In spite of this lock, the item could then be put in another letter / auction window (the lock was just client-side). And of course you had to send the letter & start the auction via macro at the same time so that the server couldn’t keep up. With this dupe you could earn a lot of gold (VERY!!!) for a few days.
With this dupe, mounts were duped that had a value of 400-900 €. Some people have made huge amounts of gold from this exploit. Among other things, so many mounts turned up at ridiculous prices in the auction house through this dupe (sorry?). This dupe had pretty much ruined the economy in WoW … until the banwave came and all players who used this dupe exploit were banned for life … including all accounts that were online under the same IP. In addition, Blizzard then deleted all the gold and even reset some auctions. The money that was earned with it could, of course, NOT be recovered by Blizzard.
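What the dupe relied on, the server copying the item record into the destination and only afterwards deleting it from the backpack, is a classic check-then-act race. The Python sketch below is an added example, not code from the post or from Blizzard: it models a toy server with two interleaved requests for the same item, once with the copy-then-delete order described above and once with the item removed atomically as the very first step, so that the second request finds nothing. The item id, item name and the round-robin scheduler are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    item_id: int
    name: str


class VulnerableServer:
    """Toy model of the flow the post describes: the item record is copied into
    the destination first, and the original is deleted from the backpack only
    afterwards. Each `yield` is a point where another request can interleave."""

    def __init__(self, backpack):
        self.backpack = {item.item_id: item for item in backpack}
        self.auction_house = []
        self.outgoing_mail = []

    def transfer(self, item_id, destination):
        item = self.backpack.get(item_id)          # look up, but do not remove yet
        if item is None:
            return                                  # request rejected: nothing to move
        yield                                       # "server too slow": other request runs
        destination.append(item)                    # copy the record into auction / letter
        yield
        self.backpack.pop(item_id, None)            # delete the original; silent no-op if gone


class FixedServer(VulnerableServer):
    """Same server, but check-and-remove happens in one step before anything is
    copied, so a second request for the same item finds nothing and is rejected."""

    def transfer(self, item_id, destination):
        item = self.backpack.pop(item_id, None)     # atomic check-and-remove
        if item is None:
            return
        yield
        destination.append(item)


def run_interleaved(*requests):
    """Round-robin scheduler: advances every pending request one step at a
    time, which models the two macro-triggered requests racing each other."""
    pending = list(requests)
    while pending:
        for request in list(pending):
            try:
                next(request)
            except StopIteration:
                pending.remove(request)


def count_copies(server, item_id):
    """How many copies of item_id exist anywhere on the server."""
    places = [list(server.backpack.values()), server.auction_house, server.outgoing_mail]
    return sum(1 for place in places for item in place if item.item_id == item_id)


def dupe_attempt(server_cls):
    """One item in the backpack (constructed sample), auctioned and mailed at
    the same time. Returns how many copies exist afterwards."""
    server = server_cls([Item(4711, "Swift Mount")])
    run_interleaved(
        server.transfer(4711, server.auction_house),
        server.transfer(4711, server.outgoing_mail),
    )
    return count_copies(server, 4711)


if __name__ == "__main__":
    print("copy-then-delete server:", dupe_attempt(VulnerableServer), "copies")  # 2
    print("remove-first server:    ", dupe_attempt(FixedServer), "copies")       # 1
```

In a real backend the equivalent of `FixedServer.transfer` is a single transactional statement that removes the item and reports how many rows it affected (a `DELETE … WHERE owner = ? AND item = ?` followed by a rowcount check), rather than a lookup followed by a separate delete that silently succeeds when the row is already gone.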
Example of a funny exploit (Instant Respawn Mob):
Some resourceful players who like to exploit game mechanics found that in World of Warcraft you could get outside of the game world while you are in an instance. In every instance there are portals that teleport you out of the instance when you enter them. In one particular instance you could bypass this portal, and thus ended up outside of the intended game world. Outside of the proper instance there was a huge area in which there was a “broken game world”. There were bugged game textures, some game objects that looked very interesting and so on. That was pretty nice for “exploring”, as we call it. In short, exploring is about finding hidden or secret places within the game world that normal players never see, but which still exist. Among other things, there was a hidden island in WoW that only gamemasters were (supposed to be) able to reach. There were vendors there who sold gamemaster clothing, etc. Anyway … back to the exploit.
Breaking out of the intended game world of an instance was not really spectacular in and of itself. But we players of course researched what was to be discovered outside … and we … found and used another exploit to get to another secret location. In the middle of nowhere (really nowhere - there was no collision detection or texture there) there was a platform a few centimeters high on which a monster was standing. This monster was not strong, but it dropped some valuable cloth, gold and some other items. This mob respawned instantly as soon as it died. That means - no waiting for a respawn. Throw a bot on it … kill & loot the mob in an endless loop … The developers had secretly hidden a mob and assumed that no one would find it ^^
So … those were some exploits in MMORPGs.
In this section I would have liked to list real-life exploits … but since I still use 99% of the exploits that I know about … I would be cutting into my own flesh if I listed them here. The companies would fix the exploits and then screw me over. So I’ll leave it!
However, real-life exploits are about finding exploits in systems in general. These can be server structures, certain processes in companies / systems / devices or something else. The best example I can give you is the legendary “Lidl Hack”. You could crash certain cash register systems by buying products that had a certain price. The prices of the products added together caused a crash in the cash register system … whereupon the cash register system had to be restarted. The lady at the register was often unable to do this herself and had to call someone who then had to come to the store (long waiting time for customers).
In short, a real-life exploit is simply about exploiting systems in the real world. This can be done for fun, or for fat profit (my department). Most of the time you have to find real-life exploits yourself, because nobody who finds a real-life exploit will tell you about it. If he did, he would be harming himself, as mentioned above.
How do you find exploits?
To find exploits you need a certain mindset & some basic requirements. But the most important thing is … you have to be able to understand processes and systems well! For example, if you find a function in a game, you must be able to understand this function in your head. You must then have ideas about “How is this function structured? How was it programmed?” This of course assumes that you can program very well, so that you know how game functions are set up.
Example: you see a function in a game with which you can send an item to another player. Now you have to be able to understand in your mind how this sending works. For example, the server could delete the item from your backpack and then send a copy of the actual item to the other player. As soon as the player to whom the letter is sent opens the letter, the item is copied into his backpack (database command) and deleted from the letter.
Since we have now mentally understood this function, we can think about how we could use this process, for example, to crash the recipient’s game client by manipulating the item we send very nastily at the moment we send it:
Memory hacking → change item id → item id does not exist → crash when opening the letter.
This really worked in World of Warcraft, and you could even use it to turn worthless items into valuable mounts etc. Simply by manipulating the item id that you put in the letter, so that the server then thinks that it really is this item (a mount, for example). We could also think about how we could then dupe the item (see example above).
In short - we have to be very creative and have to be interested in how things work in the background. Only when we can put ourselves into things can we develop exploits based on them.
Without background knowledge & creativity it works … NOT AT ALL. With real-life exploits it looks similar - you need background knowledge & creativity to be able to think through processes. If you order something from a shop (only as an example), you have to be able to mentally grasp what happens next. That would be, for example, that the employees get a printout of your order, they then run into the warehouse, pick out your product, pack it and then wait until the shipping company comes to pick up your package. The shipping company then sends the package to your home using various distribution networks. Since we can now basically trace in our head how the process runs, we can find approaches where we can use this system / process to exploit it.
Almost ALL exploits (including buffer overflows & co) are based on errors in processes and on people who do not expect their users to do certain things. Every exploit does things that were not intended when the corresponding processes / functions were planned. For example, a naive game developer does not assume that someone will try to dupe an item with a mailbox and the auction house … many developers do not think that far. Games & systems are developed for the “DAU user” (dumbest assumable user) … not for hackers &
As a result, systems are often full of security gaps and bugs.
However, some exploits are also simply based on the fact that systems are just stupidly structured. For example, the network protocol of routers was structured in such a way that it is possible to send fake network packets which then allow any device to be disconnected from the router (deauth attack). This is then not a real “error” like a buffer overflow … it is just something that was not thought of in the planning.
In other words … “You do things that the developer didn’t intend you to do”. And that’s exactly how you go about finding exploits … you do things that are not expected. Is there an invisible barrier in a game? Then you try to see if you can fly over it (works in GW2), or if you can find a hole in this barrier somewhere (developers often don’t build them really securely) … or teleport through it (World of Warcraft). Is there a client-side lock that prevents you from sending a certain item to someone? Then you try to send another item that is allowed and change the item id on the fly before the command is sent to the server (often such locks are only client-side; server-side this works without problems).
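Both the client-side-lock point here and the mail example further up (a letter carrying an item id the server never checked, or one that does not exist, crashing the recipient) come down to the same server-side rule: the server must not trust the item id in the packet, and it must not fall over on an id it cannot resolve. The Python sketch below is an added example, not code from the post or from any game. It compares a toy mail handler that stores whatever id the client claims with one that resolves the item from the sender's own backpack slot, rejects mismatches, non-tradeable items and unknown ids, and skips unresolvable ids when the mailbox is opened instead of crashing. The item catalogue, item ids and player names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed catalogue, not real game data: item_id -> (name, tradeable_by_mail)
CATALOGUE = {
    2589: ("Linen Cloth", True),
    4711: ("Swift Mount", True),
    9001: ("Soulbound Ring", False),   # the client greys this out in the mail window
}


@dataclass
class MailRequest:
    sender: str
    recipient: str
    slot: int       # backpack slot the client says it is sending
    item_id: int    # item id the client claims is in that slot (untrusted)


class NaiveMailServer:
    """Trusts the client: whatever id the packet carries goes into the letter."""

    def __init__(self, backpacks):
        self.backpacks = {player: list(items) for player, items in backpacks.items()}
        self.mailboxes = {player: [] for player in backpacks}

    def send(self, req):
        self.backpacks[req.sender].pop(req.slot)            # remove what was in the slot
        self.mailboxes[req.recipient].append(req.item_id)   # store the claimed id
        return "sent"

    def open_mailbox(self, player):
        # A client that cannot resolve an id crashes; here that is a KeyError.
        return [CATALOGUE[item_id][0] for item_id in self.mailboxes[player]]


class ValidatingMailServer(NaiveMailServer):
    """Re-checks every client claim against server-side state before acting."""

    def send(self, req):
        backpack = self.backpacks.get(req.sender)
        if backpack is None or not 0 <= req.slot < len(backpack):
            return "rejected: no such slot"
        actual_id = backpack[req.slot]                      # what the sender really has
        if actual_id != req.item_id:
            return "rejected: item id does not match slot"
        if actual_id not in CATALOGUE:
            return "rejected: unknown item"
        if not CATALOGUE[actual_id][1]:
            return "rejected: item cannot be mailed"       # lock enforced server-side
        if req.recipient not in self.mailboxes or req.recipient == req.sender:
            return "rejected: bad recipient"
        backpack.pop(req.slot)
        self.mailboxes[req.recipient].append(actual_id)     # store the verified id
        return "sent"

    def open_mailbox(self, player):
        # Defence in depth: unknown ids are skipped rather than taking the client down.
        return [CATALOGUE[i][0] for i in self.mailboxes[player] if i in CATALOGUE]


def mail_attempt(server_cls, backpack_item, claimed_id):
    """Sender 'alice' holds backpack_item in slot 0 but the packet claims claimed_id.
    Returns (server response, what 'bob' sees on opening his mailbox)."""
    server = server_cls({"alice": [backpack_item], "bob": []})
    result = server.send(MailRequest("alice", "bob", slot=0, item_id=claimed_id))
    try:
        contents = server.open_mailbox("bob")
    except KeyError:
        contents = "client crashed"
    return result, contents


if __name__ == "__main__":
    print(mail_attempt(NaiveMailServer, 2589, 4711))        # ('sent', ['Swift Mount'])
    print(mail_attempt(NaiveMailServer, 2589, 99999))       # ('sent', 'client crashed')
    print(mail_attempt(ValidatingMailServer, 2589, 4711))   # ('rejected: item id does not match slot', [])
    print(mail_attempt(ValidatingMailServer, 9001, 9001))   # ('rejected: item cannot be mailed', [])
    print(mail_attempt(ValidatingMailServer, 2589, 2589))   # ('sent', ['Linen Cloth'])
```

The point of the validating handler is that the greyed-out item in the client GUI is only a convenience; the tradeable flag, the ownership of the slot and the existence of the id are all decided again on the server from its own data, never from the packet.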
A shipping company wants me to pay 5 € for a stamp to send a letter? I just write the recipient on it as the sender and a non-existent address as the recipient. As a result, the letter cannot be delivered and goes “back” to the “sender”, who is actually
In short … you do exactly what is not expected by systems and people. Finding exploits always combines 2 things: thinking your way into the course of events + doing things that are not wanted & expected.
Buffer overflows, for example, only work because the developer did not assume that some nutcase would pass an infinitely long string to a function. Who expects that someone is that messed up (;D) and does something like that? A normal user doesn’t usually do that. But you didn’t think far enough … There is always someone who wants to test and break boundaries. This is what you should pay attention to FIRST when developing systems.
The short version of this thread? …
Exploits are found by thinking your way into systems and processes and then doing things that are not intended. It is not even 100% necessary that when you “think your way in” you work out the real process that is running in the background - it is often enough just to have a rough sequence in your head to find a point where you could start. If you then find a bug or an exploit through this mental model, the mental model has fulfilled its purpose.
For example, back then in World of Warcraft we “exploit guys” thought that we could change an item by changing the item ID of an item that we wanted to send by letter. Our idea was that the game client stores the item id when the item is inserted into the letter, and when you then send the item … the item id is simply sent to the server. We hoped that we could simply manipulate the item ID within the letter before sending it off, in order to turn a piece of material, for example, into a valuable mount. That was our thought. It turned out that the server & client store even more information than just the item id. This then meant that we destroyed the item when sending it. Because of the changed item ID and the additional information that was still there, the client could no longer cope with the received letter. As a result, the entire client crashed & the entire GUI was faulty. So a further exploit resulted from an initial mental model of the sequence of a game function. With the new knowledge we gained, we were now able to generate a letter that completely crashed the game client. And that as soon as ONLY the mailbox was opened. As a result, we could send letters to players which then crashed their game client. And that’s why these players couldn’t receive or send any more letters … because every time they went to a mailbox, their game client crashed. This of course meant that they could not delete the letter. Later we were able to modify the whole thing in order to change items that we sent … but that was fixed relatively quickly on the server side (+ banwave).
In other words … you have to be creative, have (or get) background information … and of course do things that are not expected. This is the only way to discover exploits. Do you see a restriction / obstacle? Try to bypass it!