Hacking EverQuest Part Two - How to Stop a Hacker

In Part Two of our three-part series, Ten Ton Hammer speaks to Rogean and Haynar of Project 1999 to find out what they've done to stop hackers on their own popular emulated server.

In my previous article we took a look at some of the hacks taking place in EverQuest. These cheating players were immediately affecting my enjoyment of the game, and also having a profound negative effect on the server community. I needed to see what could be done. Were fixes even possible or was the game just too old? How were these guys doing their cheating anyway?

I called up Sean "Rogean" Norton, who is the administrator of Project 1999, an emulated server that attempts to recreate the game experience of 1999. The operators of P99 had also had some problems with hackers on their emulated server, so I wanted to get some insight into how this was happening and what could be done about it.

With Rogean was Project 1999 developer Jim "Haynar" Seamans. Haynar had formerly worked on ShowEQ, which is one of the third-party programs some use to gain an unfair advantage by circumventing some of EverQuest's designs.

"ShowEQ sniffs packets and displays the location of all mobs in the zone. You can also track spawn timers and players," Haynar explained. While this may not seem like a major cheat at first glance, keep in mind that players who opt not to use these third-party programs, which are generally accepted as a breach of the End User License Agreement set by SOE, are at a severe disadvantage. These 'standard' players have to track their mobs manually as well as keep track of their own spawn timers, which greatly increases the complexity of the game.

As both Haynar and Rogean work on Project 1999, I wanted to make sure their combat against hackers was applicable to the fight SOE faces in the commercial game.

"It's the same code, really," Rogean said. "It's a very similar setup. We have a disadvantage compared to SOE, though, because we have no control over the client. We cannot make any modifications to the client itself, as that would be a copyright violation. So we aren't easily able to put anything in that will either prevent the hacks or detect them."

Though the job may not be as easy as it could be, the team has found a way to put a stop to the hackers.

MacroQuest is another hacking tool some cheaters use to perform some of the operations explained in Part One of this series. Rogean told me how they've stomped out the problem on the emulated servers.

"MacroQuest actually hooks itself into the client," Rogean began, "and becomes part of the client process and it will start taking over functions. Like any other program, MacroQuest is coded in such a way that it expects certain behaviors. For instance, when MacroQuest receives a specific packet it will try to read a certain variable within the packet. That variable is never over a certain size. There's no reason it would ever be over that size. If that variable were to become over that specified size it would cause the program to overflow and MQ would attempt to read memory that is out of bounds and get access violations, causing it to crash.

"So when we figure out the variables that MacroQuest is interpreting incorrectly, we can send packets to the client and see immediately if the client crashes. If it does, then we know that player was using MacroQuest."

The catch? This technique cannot be used on a large scale in the commercial version of EQ for several reasons. First, as with any report players make against a hacker, a GM would have to get involved and find the alleged user online with MacroQuest running, then send them the packet to see if they crash or not. Secondly, MacroQuest itself can be updated quickly and easily enough that this technique would no longer work as soon as the MQ developers were to find out it was happening.

"If SOE was crashing clients left and right it would be fixed in a week," Haynar suggested.

"We use the buffer overflow very selectively," expanded Rogean. "We could do it on entire zones at once, but we only do it when we know we're going to catch someone. And our rules are if you get caught using MQ you'll be permanently banned. We make players think twice about using cheats. We've banned thousands of accounts already. They know it is not tolerated so most of them will never use it.

"But SOE has a lot more options available to prevent its use because they have direct control over the game client. Years ago they had implemented a code in the client that detected if someone was cheating. They caught a lot of players that way. MQ eventually fixed it, but that's the sort of thing SOE could continue doing."

So why is preventing hacks such a challenge to begin with? Why doesn't SOE just put in code to detect the use and ban the players? Rogean explained further why it's so difficult to prove someone is cheating, particularly when it comes to warping across a zone.

"Warping has always been a problem in EverQuest. There are so many ways that a client can legitimately get across a zone. The server cannot assume all cases of fast travel are automatically hacks. What if the client lagged out where the player lost internet connection for a few seconds? It would look like a warp or a speed hack to the server."

It was becoming clear to me at this point that hacking issues may not be a simple fix. However, the team at Project 1999 had the drive and desire to find a solution that worked for them. It may not be a solution that could work for SOE but given that Sony has an upper hand with the ability to manipulate the client itself, surely something could be done.
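
Rogean's point about lag versus warping, as an added example (not Project 1999's or SOE's code): a server-side check that scales the allowed distance by the time since the last update, so a lagged client passes while repeated impossible jumps are flagged. The speed limit, slack, strike count and sample updates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 50.0      # assumed top legitimate speed, world units per second
SLACK = 15.0          # assumed allowance for jitter and position rounding
STRIKES_TO_FLAG = 3   # violations before an account is queued for GM review

@dataclass
class Track:
    x: float
    y: float
    t: float                   # server receive time of last update
    strikes: int = 0
    teleport_ok: bool = False  # True when the server itself moved the player

class MovementValidator:
    def __init__(self):
        self.tracks = {}

    def server_teleport(self, player):
        """Mark the next jump as server-initiated, so it is not a violation."""
        self.tracks[player].teleport_ok = True

    def update(self, player, x, y, t):
        """Classify one position update as 'ok', 'suspect' or 'flag'."""
        tr = self.tracks.get(player)
        if tr is None:
            self.tracks[player] = Track(x, y, t)
            return "ok"
        dist = math.hypot(x - tr.x, y - tr.y)
        # The budget grows with elapsed server time, so a client that was
        # silent for several seconds may cover what it could have run.
        budget = MAX_SPEED * max(t - tr.t, 0.0) + SLACK
        legit = tr.teleport_ok or dist <= budget
        tr.x, tr.y, tr.t, tr.teleport_ok = x, y, t, False
        if legit:
            return "ok"
        tr.strikes += 1
        return "flag" if tr.strikes >= STRIKES_TO_FLAG else "suspect"

# Constructed sample updates: (player, x, y, server_time_seconds)
LAGGED = [("ann", 0, 0, 0.0), ("ann", 10, 0, 0.25), ("ann", 250, 0, 5.25)]
WARPER = [("bob", 0, 0, 0.0), ("bob", 900, 0, 0.25), ("bob", 0, 900, 0.5),
          ("bob", 900, 900, 0.75)]

def replay(events):
    """Feed constructed updates through a fresh validator."""
    v = MovementValidator()
    return [v.update(*ev) for ev in events]
```

A client that goes silent and then reappears far away still passes, which is the ambiguity Rogean describes; the check only catches jumps that no amount of elapsed time could explain.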

I knew at that point I had to talk to Sony to find out what they could do to prevent the hacking that has been going on. There are also rumors on the various forums suggesting SOE would not ban accounts as it would mean a loss in revenue and I wanted to see what SOE had to say about those accusations.

Check out Part Three as I talk to Thom Terrazas, Producer of EverQuest, about the hacking in the game and what he and the development team plan to do to put a stop to it.
