Today I’m going to spin the tale of how I became an Everquest hacker, and how at the beginning they didn’t even make it hard to do.

Our story starts back in 1999, or maybe late 1998. At work I had just moved positions from our Network Operation Center to working for our Usenet Administrator. I was told my job would consist of two things. The first, be bus insurance. That involved me learning enough about how all the usenet systems worked that should my boss get hit by a bus, I could continue to keep things operational. The second thing was self-entertain. He ran everything clean and smooth, which is expected from someone who wrote parts of the code everyone used.

It was highly suggested that part of that self entertainment include getting an Everquest account. The game was new, every sysadmin in the place was playing it and guilded together, and hey how often does your boss tell you to play games at work? So I did! Now, I’m the type of game player that takes 600 years to advance cause I’m grabbing every crafting ingredient spawn and playing around making equipment instead of killing things, so I never caught up to everyone else to join their power guild. This also left me with idle hands and curiosity while people were busy kiting sand giants, so of course I got lured into the Devil’s work :D

I was a coder by background, and had done some network code as part of my college classes, so I was really curious what all the packets looked like flying back and forth. So I broke out a dumb ethernet hub so I could access the packets from my gaming computer, hooked up a linux box to it, and turned to my old friend tcpdump. When set up a certain way, tcpdump takes each packet (chunk of data sent on the network) and displays all the bytes in it in hexadecimal on the left, and ascii (“normal” characters) on the right, something like this:

IP 192.168.4.20.57413 > Camera1.http: tcp 438
        0x0000:  4500 01de f28d 4000 8006 7cb9 c0a8 0414  E.........|.....
        0x0010:  c0a8 046e e045 0050 e423 53f5 2a0f 1888  ...n.E.P.#S.*...
        0x0020:  5018 0402 a9dd 0000 4745 5420 2f69 6e64  P.......GET./ind
        0x0030:  6578 2e68 746d 6c20 4854 5450 2f31 2e31  ex.html.HTTP/1.1
        0x0040:  0d0a 486f 7374 3a20 3139 322e 3136 382e  ..Host:.192.168.
        0x0050:  342e 3131 300d 0a43 6f6e 6e65 6374 696f  4.110..Connectio
        0x0060:  6e3a 206b 6565 702d 616c 6976 650d 0a55  n:.keep-alive..U
        0x0070:  7067 7261 6465 2d49 6e73 6563 7572 652d  pgrade-Insecure-
        0x0080:  5265 7175 6573 7473 3a20 310d 0a55 7365  Requests:.1..Use
        0x0090:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla

So if you look on the right, there’s stuff you can read in there, looks like a URL and some other English words in there. If you see this, it tells you something important: there’s no encryption. What did I see when I looked at Everquest’s network data? Words! In some packets I saw character names, guild names, stuff like that. So then it was time to look at the stuff on the left, all the hex values.
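To make the “look at the right-hand column” check reproducible, here is a small Python script, added to this write-up and not code from the original post or from Everquest. It reassembles the packet bytes from a tcpdump -X style dump, skips the IPv4 and TCP headers using their own length fields (IHL and data offset), and pulls out the readable runs. The sample it parses is the dump quoted above, embedded as a constructed string; the printable-ratio threshold and the minimum run length are my own heuristics, not anything the original used.

```python
import re

# Constructed sample input: the tcpdump -X style dump quoted above (an IPv4/TCP packet
# carrying an HTTP request). Only the first 160 bytes were shown, so the payload is
# truncated, which does not matter for a plaintext check.
SAMPLE_DUMP = """\
IP 192.168.4.20.57413 > Camera1.http: tcp 438
        0x0000:  4500 01de f28d 4000 8006 7cb9 c0a8 0414  E.........|.....
        0x0010:  c0a8 046e e045 0050 e423 53f5 2a0f 1888  ...n.E.P.#S.*...
        0x0020:  5018 0402 a9dd 0000 4745 5420 2f69 6e64  P.......GET./ind
        0x0030:  6578 2e68 746d 6c20 4854 5450 2f31 2e31  ex.html.HTTP/1.1
        0x0040:  0d0a 486f 7374 3a20 3139 322e 3136 382e  ..Host:.192.168.
        0x0050:  342e 3131 300d 0a43 6f6e 6e65 6374 696f  4.110..Connectio
        0x0060:  6e3a 206b 6565 702d 616c 6976 650d 0a55  n:.keep-alive..U
        0x0070:  7067 7261 6465 2d49 6e73 6563 7572 652d  pgrade-Insecure-
        0x0080:  5265 7175 6573 7473 3a20 310d 0a55 7365  Requests:.1..Use
        0x0090:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2,4}$")


def parse_hexdump(text: str) -> bytes:
    """Reassemble the raw bytes of one packet from tcpdump -X style output.

    Each dump line is '<offset>: <up to 8 hex words> <ascii column>'. We stop at the
    first token that is not a 2- or 4-digit hex word, which is the ASCII column.
    """
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # the 'IP a > b: tcp N' header line, blank lines
        if int(m.group(1), 16) != len(out):
            raise ValueError("dump offsets are not contiguous")
        for tok in m.group(2).split()[:8]:
            if not HEX_TOKEN.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def tcp_payload(pkt: bytes) -> bytes:
    """Skip the IPv4 and TCP headers using their own length fields (IHL, data offset)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("only IPv4 handled here")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes: the 'words' on the right."""
    runs, cur = [], []
    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(chr(b))
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur))
        cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def printable_ratio(data: bytes) -> float:
    """Fraction of payload bytes that are printable ASCII. Cleartext protocols sit well
    above 0.5; encrypted or compressed data sits near 95/256 (about 0.37), the share of
    printable values among all 256 possible bytes."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0


def looks_like_cleartext(payload: bytes) -> bool:
    """The check from the text: readable words on the right means no encryption."""
    return printable_ratio(payload) > 0.5 and len(printable_runs(payload, 8)) > 0


if __name__ == "__main__":
    pkt = parse_hexdump(SAMPLE_DUMP)
    payload = tcp_payload(pkt)
    print(len(pkt), "bytes captured,", len(payload), "bytes of TCP payload")
    for run in printable_runs(payload):
        print(repr(run))
    print("cleartext?", looks_like_cleartext(payload))
```

On the quoted dump this prints the five header lines of the HTTP request as separate runs, split where the `\r\n` bytes break them, with a printable ratio above 0.9. The same ratio on a real encrypted stream lands near 0.37 no matter how much you capture, which is the quickest way to tell the two apart before you start comparing hex by hand.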

I started by taking packets with character names in them and comparing them. At the beginning of the hex data, they all had one byte that was the same, so I guessed that marked “player character” packets. Then I wrote a Perl script that took ALL the packets, looked at that byte, and sorted them into files based on that byte. I look in one file, and yup those all look like players. Look in another, there’s NPCs and monsters. Another one has all the public chat messages in it. Look in a bunch of others and they aren’t as easy to figure out. So looking at PC and NPC data packets, it looked like multiples were in each packet, and it was fairly easy to figure out how long each structure was for each player or npc. Stuff like names were easy to figure out, but the rest is just numbers. So, how do you figure out what the numbers are?

Another script, and statistics! I played a couple hours and recorded all the network traffic. Fed all that into the first script to get all the PC and NPC packets. Then built another script that took all those, broke them down into X length pieces so I got each character or NPC, and compared them ALL to each other. Each byte can be a value from 0 to 255. So for each byte, I figured out how many different values were seen, which values they were, and how often. Then I looked for patterns. Oh, here’s a block of values that all fit in the range of levels the NPCs were. Here’s a set of bytes that all look similar, and the byte count matches the number of visible equipment slots a character has. Here’s three bytes that change as they move around, I bet those are position!

In the end what I found was kinda crazy:

  • Everything was unencrypted. Free and clear.
  • Everyone in a zone got all the data for every player and npc that was in that zone, whether they were near you or not. I knew exactly where everyone and every monster was at all times, anywhere. Including if they were invisible. I saw when someone spawned into zone, I knew when they left. I knew every monster's level and % of hit points they had left. I knew what light level wisps gave off, so I knew what type of lightstone they carried (old EQ players know this meant printing money).
  • All chat was visible other than private chats. They at least got that right. But if someone used “say” anywhere in the zone, I could read it.
  • Eventually we figured out you could also get equipment stats, mob stats, spell info, see when spell effects went off and where.

Eventually I wrote a program that took network data and a list of monster names, and drew a map with every place those monsters were at, marked with colored dots on the map. I’d enter a zone, sit somewhere safe for hours and collect data. Feed it to the script, out popped a map showing what paths npc guards walked, where special mobs spawned, where players spent most of their time, etc. You also saw a lot of weird shit, it easily showed where there were pathing errors or places mobs got stuck at. I had another program that in real time gave a list of mobs, color coded to how many levels above or below me they were, with distance away and in what direction from me they were.

You’d think all this would lead to lots of easy cheaty leveling and money making, but I actually used it for the opposite. I loved exploring and hated grinding, so my little level 18 Enchanter with her invis and water breathing and illusions used it to sneak around all kinds of places I shouldn’t have been in and see what cool things were hiding where :D My boss expanded on it and figured out a lot more stuff, and his poking around turned into the website “Lucy” that tracked and catalogued all the various spells and equipment that was available in game, that eventually became part of Allakhazam.

Eventually other people figured this out, and developed a Windows gui based tool with built in maps that shows mobs and stuff, and EQ retaliated by “encrypting” the data stream. I use quotes because their first attempts just had them switch around the order of bits in the bytes, or XOR the data with patterns, and I quickly figured that out. But eventually that all turned into a crazy back and forth between the Everquest developers and a cryptologist that was helping reverse engineer each new round of encryption, and I found that whole part of it boring and moved on.
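As an added example of why XORing with a fixed pattern is not encryption, here is a Python known-plaintext recovery. It is not the author's code and not any real Everquest scheme: the 4-byte key, the packet layout (opcode, 8-byte NUL-padded name, a few numeric fields) and both packets are constructed for this example, and the script assumes the key stream restarts at the beginning of every packet. The idea is the one the structure work above makes possible: once you know a character name sits at a fixed offset, XORing the ciphertext with that name exposes a slice of the key stream, and the period that slice repeats with is the key itself.

```python
from typing import Optional

# Constructed for this example: an opcode byte, an 8-byte NUL-padded name, then level,
# hp%, x, y, z and three pad bytes. KEY is the "pattern" we pretend the client XORs with.
KEY = bytes([0x5A, 0xC3, 0x1E, 0x77])
NAME_OFFSET, NAME_LEN = 1, 8
PLAINTEXT_A = b"\x20" + b"Grimwald" + bytes([18, 100, 10, 40, 5, 0, 0, 0])
PLAINTEXT_B = b"\x20" + b"Sylla\0\0\0" + bytes([22, 75, 200, 60, 5, 0, 0, 0])


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is its own inverse, so this both 'encrypts' and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher: bytes, known: bytes, offset: int, max_period: int = 64) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    XORing the ciphertext with plaintext we already know is there (a name at its usual
    offset) exposes a slice of the key stream. The shortest period that slice repeats
    with is the key length. We demand the slice cover at least two full periods so a
    short sample cannot be mistaken for a short key; otherwise we return None.
    """
    stream = bytes(c ^ k for c, k in zip(cipher[offset:offset + len(known)], known))
    for period in range(1, max_period + 1):
        if len(stream) < 2 * period:
            return None  # not enough known text to confirm this or any longer period
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            # stream[j] is key[(offset + j) % period]; re-align it to the packet start
            return bytes(stream[(k - offset) % period] for k in range(period))
    return None


def decrypt_capture(ciphers: list, known: bytes, offset: int, index: int = 0) -> list:
    """Recover the key from the packet at `index` (where `known` sits at `offset`) and
    decrypt every packet with it. Assumes the key stream restarts with each packet."""
    key = recover_key(ciphers[index], known, offset)
    if key is None:
        raise ValueError("known text is too short to pin down the key period")
    return [xor_stream(c, key) for c in ciphers]


def name_of(plain: bytes) -> bytes:
    """Pull the NUL-padded name field out of a decrypted packet."""
    return plain[NAME_OFFSET:NAME_OFFSET + NAME_LEN].rstrip(b"\0")


if __name__ == "__main__":
    ciphers = [xor_stream(PLAINTEXT_A, KEY), xor_stream(PLAINTEXT_B, KEY)]
    print("recovered key:", recover_key(ciphers[0], b"Grimwald", NAME_OFFSET).hex())
    for p in decrypt_capture(ciphers, b"Grimwald", NAME_OFFSET):
        print(name_of(p), list(p[NAME_OFFSET + NAME_LEN:NAME_OFFSET + NAME_LEN + 5]))
```

The real check is the second packet: a key pulled out of one packet that also turns a different packet into a readable name and sane-looking numbers is the key, not a coincidence. Note also what the known-text requirement means in practice: with a four-byte key, a four-character name is not enough on its own (the script refuses rather than guess), but one eight-character name is, and longer keys just need longer or more known fields.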

Always use secure encrypted data streams, cause there’s lots of bored geeks out there that’ll figure out when you don’t!

Feel free to comment or discuss things at my Mastodon toot for this entry at gamepad.club/@OffFleek… !