>> Alright, hello everybody, like he uh just said my name is Manfred and I’m a security analyst and researcher at Independent Security Evaluators, and today we’ll be talking about 20 years of MMORPG hacking uh the title is better graphics and same exploits, because, cause it really is true. Uh it's been a pretty weird day, this talk is being modified to not include some undisclosed exploits. [booooo] I was told uh yeah [laughs] yeah, so I’ll tell you about that. Alright, disclaimer, I’ve been doing this for 20 years, how I’ve done it for so long without you know uh running into any problems uh I found over 100 0days and over 22 plus online games, uh the key is to be ethical, uh also be invisible, be Casper the friendly hacking ghost. You don’t want the game developers to know you are in there, you don’t want the players to know you’re there you’re kind of in there just doing your own thing kinda like you know controlling the Matrix. Um, if you can provide a solid service that fills a gap. Um, that means you do it in a way that doesn’t harm players, um don’t disrupt game services, don’t do anything that will negatively impact uh a game company's bottom line, that’s a pretty important one. Um, don’t get roots, don’t own servers and don’t get auth unauthenticated access to uh online game choices. Uh, but you can however use built in game features to find unintended features, stuff that developers you know, never imagined that would be possible. And, if you can provide a service that puts annoying bot farmers out of business, uh, that's even better cause bot farmers suck [chuckles]. Uh, to be ethical has little uh asterisks next to it, um, twenty, seventeen years ago I did some stuff I wasn’t too proud of, uh don’t do that we’ll talk about it in the next coming slides. Uh with that said let's talk about hacking some online games. Uh but first let's talk about my name, Manfred, it's a pretty generic name [cheers from audience] Yeah.
Uh I used to play Ultima Online back in pre-alpha, alpha beta and release back in 1997, uh I played on the Pacific shard, uh back in its golden age it had free for all PVP ganking, griefing, I mean you kill somebody and you take all their s**t basically. It’s [laughter] it’s it’s the wild west. Um, so, I did a lot of ganking and griefing and PVP jacked a lot of people’s stuff in game uh so I picked a name that kind of fit the persona and that name was f**kchump [laughter] spelled with a p uh you know uh so one day uh I went out I was sitting AFK at the bank inside the game and I went AFK for like twenty minutes to go grab like some Krispy Kreme donuts, my typical lunch uh I come back and I notice my name is different and um I look at the text message log and there's like a GM talking to me, he’s like hey we’ve had too many complaints of your griefing and ganking plus we can’t have you running around as f**kchump [laughter] so he just picked a random name and named me Manfred, so I was named by a GM [laughter] so I... ever since, uh that just stuck. Uh, we’ll be talking about I think all of these games except two [laughter]. We’ll be talking about low hanging fruit exploits. Uh, uh all the games in the previous slide had one thing in common and that is they all suffered from integer overflow exploits. Uh, what’s an integer overflow? It’s basically when you perform an arithmetic operation and you basically either change signs or you go from the maximum positive to zero, or you go from zero to the maximum positive and vice versa. Uh it’s a pretty simple concept uh happens a lot.
Uh here’s one in action in a debugger so we’ll load up EAX with one, we’ll load up EBX with the value of two and then we’ll subtract EBX by one, EBX changes into one, we’ll subtract another one from EBX so EBX is zero, and we’ll subtract from EBX one more time and EBX turns into the maximum thirty-two bit integer value which is four point something billion uh and if you note EFLAGS on the bottom right uh the carry flag got set so that's a really simple way to know if uh something overflowed or underflowed. Uh if you go the other way we’ll load up EAX with the maximum uh int thirty-two value which is four point some billion and then we’ll add one to it. You know you’d think you’d have four point one billion plus one which you’d go to zero, not a good thing. It’s pretty simple. Um, I’ve seen a lot of people post in like Stack Overflow about how to test for overflows and you know they try to do high level tests like if x is greater than x plus one then you know you have an overflow, otherwise you're fine [laughter] uh, compilers see that, they’ll look at x is greater than x plus one they’ll be like what the hell is this c**p [laughter]? So, you know compilers will optimize that stuff out of there unless generally don’t think that. So here’s an overly simplified typical MMORPG architecture, you have your user that's interacting with a game client, the game client is processing UI events, uh it turns these UI events into messages that get sent to the server. So usually all of these events fall down into a single send data routine uh where it gets encrypted and then sent down the network to the game server. The game server does backwards, it reads the data from the network, it has like a receive data routine where it decrypts the buffer, analyzes the packet and then takes appropriate actions, and then notifies the game client and any other clients in the vicinity.
Um, so when you're hacking online games, you basically want to do man in the middle attacks, you want to take over the protocol and the messages that the client and server are sending to each other. Um, online games usually use proprietary and modified encryption and sometimes they do like weird stuff where they'll use like Blowfish and Triple DES on top of each other and then they’ll XOR everything and then they’ll add five to it and then the cherry on top or whatever [laughter]. Um, they try to obfuscate things so that people don’t look at their protocol. Um, it’s time consuming to reverse, you may have to keep track of renegotiations mid session, uh, cipher changes mid session, um plus whatever they’re doing probably and will change every patch cycle. Uh, especially in Rift online they patch like every other day which is really annoying. Um also, online games usually insert anti tampering junk into their packets, like an HMAC, some kind of a checksum, I’ve seen a lot of these games roll with their own checksum which makes things interesting. Uh, delta sequence numbers, they’ll get fancy and do like per packet or per packet type sequence numbers, so uh movement packets will have different sequence numbers than speech packets or inventory interaction packets. Um on top of that they obfuscate opcodes uh, basically the operation code that describes what the packet is going to be. Um, they obfuscate data types like integers, strings and thirty twos and sixty fours and sixteens, bytes, booleans, uh all of this is done pre encryption, and it's used to basically stop people from modifying the game in memory, like modifying packets in memory using like a simple uh hex. Uh, so if you try to do a network man in the middle approach for dealing with encrypted, compressed, checksummed, sequenced, and obfuscated packets which is a lot of bull c**p. So, how do you uh go about completely attacking a game?
You do an application layer man in the middle. Uh you inject the DLL, there’s like twenty, whoops, there’s like twenty different ways to inject DLL into a process especially in Windows. Um so the game client has a send data routine so you inject the DLL, the DLL will hook the send data routine where you can roll your own custom send data routine where you can examine packets and modify packets as you see fit. And then you can get fancy and you can add a whole GUI to the thing so you inject DLL, you spin up the GUI, and the GUI basically spits out uh all the packets and has functionality for uh you know uh replaying the packets and modifying a packet in real time. And then you have some crazy hacker dude which happens to be somebody we all know and love, um, so PowerPoint bulletins and diagrams and stuff is nice but what does it look like in practice? It looks like a little line [laughter]. Let’s go back, no, alright. It shows up for like a split second. Alright [laughter] well if I just keep doing that you can get like [laughter] Alright hold on, let me see if I uh can play it from the drive. We have some extra time since uh I won’t be doing the live exploit cause I was told that would be a dumb thing to do [laughter]. Alright, no video uhhhh let’s see, try this guy, [VLC], yeah where’s VLC? [inaudible audience talk] Do we have [laughter] Quicktime? [Laughter] [Installer right there][BOOO] N N N Not yet [applause] man this laptop’s a piece of s**t [laughter]. What’s going on here? [laughter] No. Is the suspense killing you guys? Oh wait, what do we have? Try what? [inaudible audience member] Yeah, I’m trying to uh uhhh why is it not going full screen? Full screen control F. [Laughter] Oh. [clears throat], uh yeah I’ll have to explain what’s going on so this is an inject uh well on the upper right uh is a GUI that was spun up by an injected DLL uh plugged into Dark Age of Camelot, a really old game from two thousand eleven.
And what I’m doing here is modifying speech packets. Um, so I’m sending a text message with the null terminator removed, so I’m getting back server memory [laughter] I mean [clears throat] this worked back in two thousand and eleven and I tested it like a few days ago and it still worked so [laughter] I guess it's not like a huge concern of theirs. Uh back when the game was popular back in two thousand and one I could just sit here and like spit out packets after packets with the null terminator removed and I could you know listen on other people's conversations, see weird stuff that was going on the server memory, uh get all sorts of weird strings back. Uh let's see… Alright let’s go to the Ultima Online. So we saw the tool I used, uh I saw you saw that I can modify packets and do some stuff that normally shouldn’t happen. Uh, so Ultima Online had non instanced housing, uh games these days have instanced housing so pretty much anybody is guaranteed a house. Uh Ultima Online had PVP, one of my favorite features, and it had tons of exploits, uh like this exploit right here is uh is normally the skills on the right uh they’re normally not supposed to go above a hundred points, [laughter, clears throat] uh, one day the developers decided to patch in poison in the game, like where you could poison people, uh and they had the bright idea if you drink a poison potion it’ll reduce your stamina by ten points or five points depending on the quality of the poison. So if you make a character with like two stamina and you drink some poison, it’ll cause your stamina to roll down and become sixty five thousand six five five three five. [laughter] And there’s a lot of skills that are based off of your stamina like alchemy, blacksmithing, and carpentry and stuff like that. So, when you have sixty five thousand stamina, you have some pretty awesome skills, so you can make some, so you can do some epic crafting and make some awesome overly powered stuff.
And this one didn’t, yeah you just use the game interface using you don’t have to do anything wonky. Uh Ultima Online had housing, um if you’ve seen the picture this house is like new, we’ll talk about that. Uh they implemented a house decay system where it prevents you know uh players that quit the game or lost interest in the game from having houses that take up valuable real estate in a game. Uh there’s multiple stages uh, there’s like new, like in the picture, where uh a player interacted with it within an hour, there’s slightly worn, that happens after a week, there’s somewhat worn uh a week after that, fairly worn another week, uh greatly worn a week after that, and then it becomes in danger of collapsing. So after about five or six weeks uh it becomes in danger of collapsing, and this is where it gets fun. Oh man, there’s gonna be another video after this, I hope it works. Uh, so when it goes to in danger of collapsing, they pick a random time of five, ten or fifteen hours, so you don’t really know exactly when it's going to collapse, so you can’t set your alarm and be like hey somebody’s house is going to fall down I’m gonna get some mad loot. Uh, anyway, uh non instanced housing, just to make the point here, there's usually about thirty thousand players per server in Ultima Online, but there’s only about three thousand spots for a house, so you have twenty seven thousand homeless players [laughter] that really want a house. Here’s demand and market forces taking effect where you have [laughter] limited supply, uh, high prices. Alright, here’s the video, let’s see if this works. Uh, this is a house that’s in danger of collapsing, it’s going to collapse in a few seconds after, if the video starts and then you’ll see craziness go down. Oh, hey it works.
So, it’s going to collapse any second now, uh [laughter] you see alderwood just hit the ground and there he buys, basically there’s a riot going on [laughter and applause] there’s like people caging people in with like uh stone walls [laughter] uh, it's kinda like mutually assured destruction with no [laughter] there’s like dead bodies down here, horses [laughter], there’s a ghost running around up there [laughter] anyway, you get the point. [clears throat] um, since there’s huge housing demand, and market forces are in play, uh this is a quote from Richard Garriott, he created Ultima Online and the Ultima series, pretty interesting guy, uh he said that “after the game launched, it wasn’t unusual to see houses sell on eBay for, uh, ten thousand dollars.” I mean you could get a house in Mexico for that [laughter]. Which is probably nicer than the virtual house that might collapse one day and have a huge fight over it. Um, houses have features, you can transfer ownership of a house, you can change locks, uh you can demolish a house. And then you have unintended features, i.e. hacks, [laughter]. Soo to demolish a house, and this was fixed a long time ago in ninety nine, uh all you have to do is have one house on the server, you open the house menu and you select demolish and then you get like a confirmation screen like do you really wanna do this? Not really, so you don’t wanna confirm, cause you don’t wanna demolish your own house. So you send that [laughter] yeah [laughter] [applause] So you send a crafted packet with a house you want demolished and their house demolishes [laughter]. So I took this screenshot cause um I’d run around at like three o’clock in the morning looking for houses that are in danger of collapsing, cause you know I didn’t want to delete somebody’s house that was new or that they were using.
So, I was looking for houses that would normally collapse, I’d go around early in the morning, uh and in this case I found a huge tower uh that was in danger of collapsing. So I was like sweet, so I deleted the tower, I placed three small houses in place, um and then this guy pops in and he’s like “hey where’s my tower?” [laughter] and I’m over here in the purple shirt and purple pants [laughter] and I’m like I don’t know what happened man [laughter]. [clears throat] so, so I’m kinda just sitting around and going hey how’s this gonna play out, this might be interesting [laughter]. So, after a few minutes like all of his buddies show up and they’re like hey where’s the house? [laughter] Like all my s**t was in your house and now it's all gone [laughter]. So then the GM pops in, uh, the first thing they do is uh the GM is over here in the red robe, uh first thing they do is swarm the GM cause they think the GM deleted their house. [laughter, clears throat] I’m like oh this isn’t going very well [laughter]. So, So, I’m just watching uh the GM’s getting swamped, probably having a bad day, and then there’s the guy up top he knows what’s up [laughter] he’s like either it was GMs or hackers and and there I am just sitting innocently Ha [laughter]. Um, yeah, so, since I’m not doing the live demo, I have a few minutes to talk about what happens next. So, in the Ultima Online, um, I made a lot of friends with like the GMs and a lot of people that were counselors that help out with the game so I decided with my friend that we you know we found some hacks and we’re like we’ll help em out, well the game has so many bugs we’ll give em a few bugs that we really don’t care about, you know just as an act of good faith and so we shared these exploits with them, the GM talked to us, um we kind of developed a relationship where we’d share information with the GM.
Uh, so we found an exploit where we could place houses underground, which had interesting consequences cause if you have a house underground and somebody walks on the land above it, they’re invading your house. So you could kill em without repercussions [laughter]. Right, um, so we disclosed this bug to a GM, uh the GM got fired, cause they, the company thought the GM was working with us, cause they’re like how are these guys finding these bugs, you know they have to have inside information. So the GM gets fired, uh, uh I get banned, my friend gets banned, a bunch of ours get banned. So we’re like alright, we tried to help you out, uh screw you guys [laughter]. So we went around and deleted houses on like all servers that Ultima Online ran. We deleted about probably five, six hundred houses. We knew it wouldn’t be a bad thing cause we know they have back ups. But, we did this Sunday night, when nobody's working so, they'd come in and hav- uh deal with a huge headache on Monday morning. So what they did is you know they acknowledged there was a housing exploit, um, and rolled back the servers. I mean, it was a minor inconvenience, but no harm no foul I guess, but you know we moved on, we tried to be helpful and they screwed us so we’re like alright uh, we’ll say our farewell. Um, a lot of people do hacking for profit, which is a dangerous thing to do. Uh, when you do that, the first step is you know reverse engineer the game configure virtual tools find the exploit, profit, fill player demand. Uh do it in an ethical way, uh like we talked about during the disclosure, once the exploit gets fixed proceed to step one and find a new exploit. Uh, a lot of these games have multiple exploits in my experience, um, there's usually five or six exploits that deal with increasing uh in game currency or in game items.
Uh, there’s also a gold rush p-period where uh when a game launches, there’s a lot more players playing, uh most of em are level one. Being a level one player in an MMORPG kinda sucks. Uh so there they want in game currency to boost up their character so it makes the leveling process easier. Here’s your typical level one MMO character [laughter] fighting to survive. Uh, as you level up, it pretty much stays the same but the crabs change color [laughter][applause] Um, but yeah virtual currency is a valid business model. Uh, there’s huge consumer demand, there’s a lot of farming going on, especially in China where um, uh, uh wages are pretty low in two thousand and five they were estimating that there's a hundred thousand full time Chinese farmers. In two thousand and nine they were expecting you know close to a million. Uh, in two thousand and nine the farming market, the underground farming market was estimated to be two billion dollars uh US. So who are the main players in farming and hacking for profit? You have casual hackers, uh, you have professional hackers, who knows how many there are? And then you have Nation States. Uh, North Korea was caught using a team of hackers to infiltrate Lineage online in South Korea. Uh, they caught thirty hackers that made six million dollars over two years. They were busted and I guess sent back to North Korea. Uh, yeah, that guy [laughter]. Uh, so the second game I was involved in and hacked was The Dark Age of Camelot. Um, usually in online games, characters are saved every few minutes, uh never in real time cause that would be too much stress on the database. So they usually save em I think in The Dark Age of Camelot they were saved every five minutes and always when you log out. Uh, so when you log out there's a sequence of packets that happens, one of them is a B801 packet. If you send that packet while you’re in game and not doing the logout sequence, you disassociate your session with the instance of your character.
So, the game doesn’t think you’re logged in even though your character is logged in. So, you can log in again and get a fresh copy of your character from the database. So, uh, here’s me logged in twice, and what you can do with this is load up your inventory, uh wait for a save to happen, uh dump your inventory on a friend or on the bank and do the B801 packet where you can log in again and you have all the items that were previously saved. So you can duplicate the entire inventory of your character, including your um gold. Uh, this exploit worked up until two thousand ten I believe. [chuckles, laughter]. I mean, doesn’t surprise me since these have that weird null terminating string that’s disclosing server memory. Um Anarchy online is next, um you can see I have sixty-five thousand strength, agility, stamina and intelligence. [laughter]. Uh, this was another integer overflow bug that letcha have, get away with crazy things. Uh Asheron’s Call 2, I only spent like a month on that. Uh, I had a pretty lame bug, uh was an instance crash by moving, so you have your inventory and if you move something to an invalid inventory slot like say slot negative one, uh the game server instance you're on would crash. So what you do is you hand off all of your stuff to a friend, your friend logs out, and then you crash the instance that you’re on and then you log in again with all your items, so you duplicate whatever you want. Um, Shadowbane, that’s uh, that’s a long story but I’ll keep it brief. Uh Shadowbane developer said should we do an Alpha? Should we do a Beta? And somebody said F**k it, let’s do it live [laughter][applause]. Uh, pretty much anything that was a packet that Shadowbane had two exploits attached to it. So it was like an exponential curve of exploits [laughter] and like you could change the exploits and basically create your own game.
[laughter] Um, you could like open up and loot other players’ bank accounts, uh my favorite thing was I was watching the incoming packets and I noticed that uh the opcodes for stuff coming to the client were the same as the ones going to the server. So I was like what would happen if the server notified you that you gained some experience, what would happen if you sent that to the server from the client [laughter]. Well, it turns out you get massive quick leveling so [laughter] So here I am just spamming uh in experience gain packets to the server and it's just leveling me up. Each time you level up like puts up a cone of lights above your head and yeah it was pretty interesting to watch. So I got like a hundred and twenty two levels within a few seconds [laughter]. Which you’d think would flag somewhere but they never banned me for that one. [laughter] Uh, Lineage two, so Lineage two you could interact with a vendor, you could uh buy items, uh when you buy items you send an op code, an item type an item list slot that the vendor was displaying it in, and the item price. Uh you could change the item type to buy any item in game for whatever price you wanted, [laughter] even the stuff that wasn’t supposed to be purchased in game like GM equipment, GM armor and stuff like that. Same thing for selling, uh you could sell a stick and say it was like a level fifty epic sword and you know get massive gold for a stick. Uh, Final Fantasy online, uh was an interesting one, uh anywhere they dealt with integers, you could overflow them, so there were exploits in player trading, splitting stacks, uh auction house purchases, vendor purchases, vendor sales, there were about six or seven. Uh, World of Warcraft, so World of Warcraft had talent trees, so as you leveled up you could boost yourself and certain aspects of your class.
Um, one exploit I kinda found by accident, I was just trying to figure out how the talent trees worked and then I noticed something weird going on, uh I could increase my talents beyond the maximum allowed value. Normally, you’re supposed to have five out of five points maximum, I found the way to increase that to like fifteen out of five so you tripled the effect. So you could create insanely powerful characters in World of Warcraft, like for instance of uh Elf Hunter, you could boost your critical strike chance to eighteen percent instead of a legit six. Where’s the second packet? That’s weird, anyway, um so to be honest, I don’t remember exactly how this worked, this was like eleven years ago, but basically, uh you sent a talent increase packet and then you followed up with a lowering poll being filled when with one switch at zero F and then that would max out uh whatever skill you’re targeting. Um, so I hooked up my friends with this exploit, and we were running Molten Core I think Molten Core is a 20 or 40 person dungeon, and we were doing it with 8 people [laughter]. Um, uh this worked for like a year until we kinda got overzealous and started doin- started taking it to PVP and like killing people in one hit and stuff like that, uh players and the GMs didn’t take too kindly on that so uh like a bunch of us got banned. [laughter] Which is pretty typical, um [laughter] it’s kinda like Groundhog Day, it’s like you play a game, you find the same exploits, you get banned and then you move on to the next game [clears throat]. So, Lord of the Rings online, uh it was similar to Lineage 2 where you could sell an item to a vendor and say it's something else. So you could sell a rock to a vendor and say it's a diamond and make mass profit. Uh, Rift online, Rift online gets a gold star for anti reverse engineering technology.
Uh, they would patch biweekly usually like uh twice a week, uh they would modify the layout of their functions, so if you had like an area that you’re interested in and they patched, suddenly that area is in a totally different part of the program so you kinda got to start all over. Um, [clears throat] each packet was pre obfuscated before it went to encryption and this obfuscation happened in a different thread. Um, so you have a packet that gets its op code encrypted or obfuscated uh any data types that are in that packet get obfuscated in different threads and then it gets sent to encryption. [clears throat] So, to find a good spot to hook into Rift where you can view all the packets you’d have to track down, you know uh the routines for all 300 packets and then hook em all which is not really realistic. Uh, but they did make one mistake, they didn’t inline their obfuscation routine so any obfuscation they did came in through a common point, so, doing some tricky hacky stuff uh by hooking the obfuscation routines uh you could rebuild the entire packet and then you know have your way with it. Uh, like Final Fantasy online, everything that Rift did with an integer had an overflow bug in it. Uh trading, banking, inventory, and vendors. Uh here’s an example of so it says zero silver withdrawn from the guild bank but then it says you receive 400 platinum. Uh, What I did is I told the game to give me negative 400 platinum. So the message says zero silver withdrawn cause it didn’t know how to display negative 400 I guess and then it just gave me 400 platinum s- why not? [chuckle, laughter].
Uh Age of Conan, this one was interesting, uh there was a trade window exploit, uh so if you're playing or uh trading with another player uh you could give em an item and so let's say you give em like an awesome sword and you put it into slot 1 of the trade window and then you could send the packet to si-uh- you could send the packet to put that same sword into slot 2 of the trade window, so they would see 2 swords, that are linked to 1 sword in your inventory. So you could load up somebody’s inventory, uh I mean uh the trade window with a bunch of epic swords, even though you only have one and when the other player accepts it, they get all the swords you promised to give them even though you only had one. So that’s, that was a way of duplicating any item in Age of Conan. Uh, Darkfall Unholy Wars um they had an interesting client was made in Java, it take li-it took like 3 minutes to load, um, uh, I didn’t like that game [chuckles][laughter]. Anyway, but there was a vendor exploit in that one um this wasn’t an integer overflow, it was more of a logic error, so when you sell to a vendor you send the operation type, the vendor ID the number of items you're selling cause uh you can sell items in bulk or batches and then you do a list of items followed by a null item. [clears throat] So, kind of like Age of Conan, you could send, you could sell the same item as many times as you wanted. And I think the maximum packet size was 16,000 bytes. Um, So, and the item ID was about 8 bytes so you could sell the same item a few thousand times. Uh, Star Wars Old Republic online, uh this is one of my ff kind of my favorites cause this was super easy uh you could delete items from your inventory, um so it would look like an op code uh the inventory slot you’re deleting from and the number of items to delete uh so no surprise that you could say I want to delete negative one item.
So, the game goes to subtract negative one from your item and then you subtract a negative from a negative and then you get a positive so you increase whatever you have by any amount you wish. Uhhh let’s see So, Guild Wars 2 had two auction house exploits, uh one of em was an integer overflow, where you could buy stuff for free, uh however, when you’re buying stuff for free, the player that listed these items gets the full amount of uh the transaction amount. So if they were selling something for 10,000 gold uh you’d glitch the game to buy it for free, the other player would get 10,000 gold. And also, the second exploit throws an oddity when buying multiple items. Um, you could buy one item legit, and the rest of the items you could buy for a single copper. Again, the player selling these items would get the full amount. Um, I’ll skip over that, actually no I won’t. Um, so when doing the overflow exploit to buy stuff for free uh there’s you you basicall- there was a web interface you basically send uh the number of items you want to buy and the price you want to buy it for, uh if you notice the price has a leading zero on it and that's pretty important for an interesting reason uh the price for this exploit to work must have a leading zero uh server side it’s treated as octal encoding uh typically in Guild Wars 2 you’re not allowed to bid for more than 10,000 gold I think but if you encode it as an octal you can bid as much as you want. Um, so if you bid for that much it’s uh it’s uh 1/4th of the maximum 64 bit value, so if you buy 4 items uh the price comes out to be 4 copper because you ov- overflow a 64 bit register. Um the second exploit is so it's a little messy but here’s the gist of it, um essentially there’s a feature where you can buy multiple items and multiple price ranges so you could buy a hat for 5 copper, a hat for 6 copper, a hat for 7 copper and a hat for 8 copper.
But what if you told the server that you want to buy a hat for 5 copper and the other 3 hats you want to buy for 1 copper, well it works. Uh, not sure if I should show the video [applause] [laughter]. Oh, it's cause it got moved to the memory stick uh hold on, I got this. Alright, uh so this is the second exploit in action where you’re buying one item legit and you’re buying the other items for a single copper, so what I’m doing is listing 4 items, I’m buying, so I’m listing these items myself, I’m buying the first one legit and I’m buying the other 3 for a single copper. But I get the full amount for all four. So, uh I’m generating like mass amounts of gold in just a few minutes, I think I create 15,000 gold in like 10 minutes, just by automating this exploit, which is pretty cool if you wanna you know buy uh some items in game. Let’s see where were we? Um, Elder Scrolls online, I will not talk about that [chuckles] [laughter] yeah, close your eyes uh ESO does have multiple integer overflows I’ll say that uh and I will say that they use the same code base on PC, PS4 and Xbox so uh the exploits in that game work on consoles too. Uh and it's not video time [laughter] Oh Final Fantasy 14 um so they use the same code base as Final Fantasy uh 11, before they put in the fixes [laughter] so they had Final Fantasy 11, they had all these exploits, they fixed all these exploits and they launch a sequel which has all the same exploits again [laughter]. Yeah hahaha. And also they had an exploit where you separate the stack into two separate pieces, and there was a-a integer overflow in that. Um it was basically an opcode with the source slot, the destination slot and the quantity of items you want to split and as you can see if you overflow it you can create 2 billion silencing potions or 2 billion of whatever you want. 
[laughter] Yeah, so we were gonna do a live demo but uh
>> Do it, Do it, just do it [applause][whistling] [presenter clears throat] show me what you've got
>> Yeah hahahahaha [applause] So, I mean I could pass my hat around for a legal fund and if we raise a couple hundred grand [laughter][inaudible audience talk][laughter] I mean it's only 200 bitcoins, I mean you guys can spare some bitcoins right? But uh yeah we’ll stop here uh do you guys have any questions?
>> Boo
>> Boo hahah [laughter] welp that's it [applause]. Alright, thank you [applause]