How to find an exploit
  1. #1
    Ghostfang, Contributor

    How to find an exploit

    Have you ever wondered exactly how an exploit is found? Rarely it's luck. More often, it's a trained mind. Someone who has the knowledge of what to look for - sometimes, even a team of minds is needed to figure out how to use a bug to our advantage. And using a bug to our advantage is the definition of an exploit.

    So to find an exploit, the first thing we need to recognize is that every game has them. Whenever a patch comes up, it will fix one bug, but likely create another, possibly several. How severe that bug is can determine how severe the exploit is. For example, one of the most highly coveted types of bugs is the dupe bug. A dupe bug is an exploit which is used to create a duplicate, either of items or gold. A dupe bug is created with a combination of things; however, it's usually server lag of some sort, a slow save system, and figuring out how to use an opportunity to our advantage. The longest running dupe bug in history was just fixed in EverQuest. It ran around 15 years. The previous record was 5 years, with Asheron's Call.

    Finding Bugs

    So again, to find an exploit - whatever kind that bug may be, we first need to find a bug. A bug is found when you do something, and an unexpected occurrence happens. If you do this, you may have found a bug. But now comes the hard part, repeating the bug. When we repeat the bug, we need to find out exactly what happened, and repeat the process over and over, until we are able to get at least a 20% repeat rate. So if you can do the same thing over and over, and 1 of 5 times, the bug occurs, you found the bug.

    Creating the Exploit

    But finding the bug is only half of the equation. Applying an exploit, that's the hardest part. It's a matter of finding how a bug can be used to our advantage. It's not unheard of for one person to find a bug, and another to find a way to use that bug.

    For an example of creating the exploit, I am going to go way back here, back to around 1999. It was my first MMO, it was Asheron's Call. I knew the basics of how dupe bugs worked, but the hard part was creating server lag strong enough to lag it for others who were not looking at the same area, but still slowing the server to a crawl. So it was noticed that if you shot arrows into a nearby tree, the arrows were able to be retrieved. Shoot enough of them, and the items wouldn't decay fast enough. This created server lag. But it couldn't be done with just one person. Several archers needed to shoot the arrows into trees.

    So that's the first part of the equation. The second part is knowing how the system saves. If you are able to transfer items back and forth fast enough, while creating server lag, then it's possible to dupe one or more items. In Asheron's Call, all we needed to do was drag and drop a pack full of items to another person, there was no trade confirmation. Whenever a person receives and another sends an item, then the server should save the transfer from one person to the other, but with server lag, part of the equation was missing. This introduced a major dupe bug, which took several months for Turbine to fix. Sometimes it's one person, sometimes it's more.
    Ted Danson does all the prancing and depanting.
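The trade race described in the post above (two transfers of the same item both validated before either is saved) is a check-then-act race on ownership. The following is an added example, not part of Ghostfang's post and not code from any game server: a toy Python model of a server that validates a trade on request and applies it later, when the lagged save runs, beside a version whose save re-validates ownership inside the same atomic step that moves the item. `NaiveServer`, `SafeServer`, the player names and the item id are all constructed for illustration.

```python
"""Toy model of a trade 'dupe' race and its fix (constructed example).

A hypothetical game server validates a trade when the request arrives and
applies it later, when the lagged save runs.  Two trades of the same item
can both pass validation before either is applied, so the item ends up with
two receivers: a duplicate.  The hardened server keeps a single ownership
record and re-validates the giver inside the locked step that moves it.
"""
import threading


class NaiveServer:
    """Check at request time, act at save time; nobody re-checks in between."""

    def __init__(self):
        self.inventory = {}   # player -> set of item ids
        self.pending = []     # trades accepted but not yet saved (the 'lag')

    def add_player(self, name, *items):
        self.inventory[name] = set(items)

    def request_trade(self, giver, receiver, item):
        # Validation runs here, against state that may be stale by the
        # time the trade is actually saved.
        if item not in self.inventory[giver]:
            return False
        self.pending.append((giver, receiver, item))
        return True

    def save(self):
        # The deferred commit trusts the earlier check; set.discard() does
        # not complain when the giver no longer holds the item.
        for giver, receiver, item in self.pending:
            self.inventory[giver].discard(item)
            self.inventory[receiver].add(item)
        self.pending.clear()

    def items_of(self, name):
        return set(self.inventory[name])

    def copies_of(self, item):
        return sum(item in items for items in self.inventory.values())


class SafeServer:
    """Ownership lives in one map and moves only under a lock, with the giver
    re-validated in the same critical section (a compare-and-swap)."""

    def __init__(self):
        self.owner_of = {}    # item id -> current owner (single source of truth)
        self.pending = []
        self.lock = threading.Lock()

    def add_player(self, name, *items):
        for item in items:
            self.owner_of[item] = name

    def request_trade(self, giver, receiver, item):
        # The early check only gives the client fast feedback; the save decides.
        if self.owner_of.get(item) != giver:
            return False
        self.pending.append((giver, receiver, item))
        return True

    def save(self):
        applied = []
        with self.lock:   # check and move cannot interleave with another save
            for giver, receiver, item in self.pending:
                if self.owner_of.get(item) == giver:   # still the owner?
                    self.owner_of[item] = receiver
                    applied.append((giver, receiver, item))
                # else: stale trade, rejected; worth logging as a dupe attempt
            self.pending.clear()
        return applied

    def items_of(self, name):
        return {item for item, owner in self.owner_of.items() if owner == name}

    def copies_of(self, item):
        # One ownership record per item, so an item can never exist twice.
        return 1 if item in self.owner_of else 0


def run_scenario(server_cls):
    """Alice trades the same sword to Bob and Carol while the save lags.
    Returns (accepted requests, copies of the sword after the save)."""
    server = server_cls()
    server.add_player("alice", "sword")
    server.add_player("bob")
    server.add_player("carol")
    accepted = [server.request_trade("alice", "bob", "sword"),
                server.request_trade("alice", "carol", "sword")]
    server.save()
    return sum(accepted), server.copies_of("sword")


if __name__ == "__main__":
    for cls in (NaiveServer, SafeServer):
        print(cls.__name__, run_scenario(cls))
```

Both servers accept both requests, because at request time Alice really does hold the sword; the difference is entirely in the save. A trade confirmation dialog, as mentioned for Asheron's Call, only narrows the window; the actual fix is that the ownership check and the ownership change happen in one atomic step, and a rejected stale commit is a useful signal to log, since legitimate play rarely produces two simultaneous trades of one item.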

  2. #2
    Boscy, Member
    I still play Asheron's Call hahaha.

  3. #3
    advanta, Elder
    Originally Posted by Ghostfang
    Have you ever wondered exactly how an exploit is found? Rarely it's luck. More often, it's a trained mind. Someone who has the knowledge of what to look for - sometimes, even a team of minds is needed to figure out how to use a bug to our advantage. And using a bug to our advantage is the definition of an exploit.
    Great post, lots of valuable insight there, most of which I agree with. I have a slight disagreement with this paragraph though.

    There is a huge element of luck in exploits.

    That is not to say a trained mind can't do much better than an untrained mind, but the chance might go from 1/20000 to 1/100 checking any specific area. That still leaves quite a lot of luck.

    I'm not sure people understand this, but the vast majority of exploiting time is spent on false leads. 40-50 hours a week isn't uncommon. Quite often when I find things it's usually while looking for something else altogether. I spoke at length to Leniox about this, and the lengths the top exploiters go to in order to find stuff are quite staggering. I'm not going to reveal all his secrets, but he does a lot of hard work that even I don't do, such as getting Loremaster for a specific zone in order to completely eliminate possibilities and permutations in a given piece of content.

    Very often also, glitches you do find aren't very useful. Sometimes there are ways to make them useful, but more often than not there isn't.

    In Nicholas Taleb's "Black Swans" he talks about how the big bang theory was empirically verified by astronomers scanning the heavens with a motorized dish. Weird background noise was ruining their scans. They tried to clean away what they thought was pigeon shit from the dish. It turned out there wasn't any pigeon shit; it was the sound of creation, radioactivity from the big bang. They weren't looking for the melody of creation of course, they were looking for pigeon shit. Such is discovery.
    Some extremely hot girls I bribed to advertise my youtube channel:

    https://www.youtube.com/channel/UCID...UqELfuSIhMXEnA

  4. #4
    Rochet2, Member
    On open source the matter of finding bugs is easier and you just need to browse through a lot.
    Also if you just work on something you might find a flaw.
    Recently when working on scripts I have stumbled on multiple exploits or something not working as it should.

    For example some wow addons have an exploit allowing anyone to send addon messages to the player to run lua code on their client, so you can crash or render the user unable to do anything etc.
    Also on multiple emulators, like any other software, there are often missing checks for some cases which means just a small tweak on your side and you can exploit the missing checks.
    As an example, I just found today that it seems nothing checks the validity of skin, hair etc. on most emulators. I highly doubt using 255 as skin ID works well. There is also a way to disconnect everyone in sight by using 100+ mages and Mirror Image on TC - at least from what I read. There are also exploits on emulators to learn other classes' spells and spells not usually available to anyone.

  5. #5
    Confucius, Super Moderator
    Originally Posted by advanta
    In Nicholas Taleb's "Black Swans" he talks about how the big bang theory was empirically verified by astronomers scanning the heavens with a motorized dish. Weird background noise was ruining their scans. They tried to clean away what they thought was pigeon shit from the dish. It turned out there wasn't any pigeon shit; it was the sound of creation, radioactivity from the big bang. They weren't looking for the melody of creation of course, they were looking for pigeon shit. Such is discovery.
    That isn't an accurate account of what happened. There were pigeons nesting in the antenna and droppings that had to be cleaned out. They were scanning the sky for radio waves bounced off of Echo balloon satellites. They expected to hear faint radio waves but instead measured residual noise 100 times stronger than expected. So they were looking for noise in the sky, and when they found it, in order to verify it wasn't a fault of the equipment, they cleaned it out. They had no idea that the noise could have been related to the big bang until one of the radio astronomers was shown a paper by a friend that discussed the possibility of finding left over radiation from the beginning of the universe.

    Had the astronomers never read the paper or been told the idea that there could be left over noise from the explosion at the beginning of the universe, they never would have realized what it was they had. Even so, the connection would probably have been made later by someone else. The idea that discovery happens only in random, lucky events is not accurate at all. They weren't looking for pigeon droppings, they were scanning space for interesting radio waves; there were, however, pigeon droppings on the equipment.

    I don't understand the need this essayist had to romanticize the collection of bulk data that led to additional evidence of the big bang. It's pretty insulting, demeans the whole field and there is no reason for it to be done. Furthermore, that it is done so poorly and with such crude language is just another slap on the face.
    Last edited by Confucius; 09-17-2015 at 06:55 PM.

  6. #6
    Xecis, Legendary
    Finding bugs in any game is easy, just start messing with a specific game mechanic long enough till you notice something odd. Finding an exploit to do a specific thing is much harder, so starting off by finding small bugs is almost like a little tool box of yours. Once you have enough bugs or know more about the game and what works and what doesn't, you can then use those small bugs to figure out how to make them into real exploits.

    Once you are more experienced in the game and its mechanics, you can then make a narrow search for something like, oh, I want to find a dupe. Either way, you're going to have to tackle it in the way that works best for you; everyone is different, but for me it's more about learning the game and its mechanics before looking for any specific exploits and actually being successful at finding them. My experience is the small bugs everyone glances over always turned out to be the biggest exploits, so don't discard anything; a bug is a bug and if used the right way can help create more bugs. I've used several bugs to create 1 exploit which was one of the biggest dupes I've ever found in WoW, but great thread, like to hear more of this kind of stuff.

  7. #7
    TheEnglishGuy, Active Member
    Originally Posted by Xecis
    My experience is the small bugs everyone glances over always turned out to be the biggest exploits, so don't discard anything; a bug is a bug and if used the right way can help create more bugs. I've used several bugs to create 1 exploit which was one of the biggest dupes I've ever found in WoW, but great thread, like to hear more of this kind of stuff.
    If it is already fixed, do you mind elaborating a bit about your findings? They can be very inspirational for some people (like me).

    Also, I remember the offline mode by kuzaken. It required a macro to go offline. It didn't look like an exploit you could find by luck.
    A question that keeps me thinking is: how come mount dupes (especially now it seems a mount dupe is live again) are always found by the Chinese?

  8. #8
    Xecis, Legendary
    Originally Posted by TheEnglishGuy
    If it is already fixed, do you mind elaborating a bit about your findings? They can be very inspirational for some people (like me).

    Also, I remember the offline mode by kuzaken. It required a macro to go offline. It didn't look like an exploit you could find by luck.
    A question that keeps me thinking is: how come mount dupes (especially now it seems a mount dupe is live again) are always found by the Chinese?
    Dupes are not always found by the Chinese, but they are the ones who normally run most of the dupes or use them at mass scale. People sell dupes to them, at least that is coming from my own experience. I've released many dupe exploits found already; just review my threads if you want examples.

  9. #9
    crunk001

    It is the mind in general. What you specifically want to find, you will find. Good or bad. Bad in a sense of when you (still) focus on things you do not want - and get just them, over and over again. In game or especially in real life. Works the same. Mind is mind. Until you realize that you could just have adjusted your mind differently, and suddenly your entire reality shifts and you are becoming self-confident, wealthy and what not.
