Hacking EverQuest Part Two - How to Stop a Hacker
src="http://www.tentonhammer.com/image/view/195510">In my href="http://www.tentonhammer.com/features/everquest/hacking-eq-part-one">previous
article we took a look at some of the hacks taking place in style="font-style: italic;">EverQuest. These
cheating players were immediately affecting my enjoyment of the game,
and also having a profound negative effect on the server community. I
needed to see what could be done. Were fixes even possible or was the
game just too old? How were these guys doing their cheating anyway?
I called up Sean "Rogean" Norton, who is the administrator of Project
1999, an emulated server that attempts to recreate the game experience
of 1999. The operators of P99 too, had had some problems with hackers
on their emulated server, so I wanted to get some insight as to how
this was happening and what could be done about it.
With Rogean was Project 1999 developer, Jim "Haynar" Seamans. Haynar
had formerly worked on ShowEQ,
which is one of the third party programs some use to gain an unfair
advantage by circumventing some of EverQuest's designs.
"ShowEQ sniffs packets and displays the location of all mobs in the
zone. You can also track spawn timers and players," Haynar explained.
While this may not seem like a major cheat at first glance, keep in
mind the players who opt not to use these third party programs, which
are generally accepted as a breach of the End User License Agreement
set by SOE, are at a severe disadvantage. These 'standard' players have
to track their mobs manually as well as keep track of their own spawn
timers which greatly increases the complexity of the game.
Haynar and Rogean work on Project 1999 I wanted to make sure their
combat against hackers was applicable to the fight SOE faces in the
"It's the same code, really," Rogean said. "It's a very similar setup.
We have a disadvantage compared to SOE, though, because we have no
control over the client. We cannot make any modifications to the client
itself, as that would be a copyright violation. So we aren't easily
able to put anything in that will either prevent the hacks or detect
Though the job may not be as easy as it could be, the team has found a
way to put a stop to the hackers.
MacroQuest is another hacking tool some cheaters use to perform some of
the operations explained in Part One of this series. Rogean told me how
they've stomped out the problem on the emulated servers.
"MacroQuest actually hooks itself into the client " Rogean began, "and
becomes part of the client process and it will start taking over
functions. Like any other program, MacroQuest is coded in such a way
that it expects certain behaviors. For instance, when MacroQuest
receives a specific packet it will try to read a certain variable
within the packet. That variable is never over a certain size. There's
no reason it would ever be over that size. If that variable were to
become over that specified size it would cause the program to overflow
and MQ would attempt to read memory that is out of bounds and get
access violations, causing it to crash.
So when we figure out the variables that MacroQuest is interpreting
incorrectly, we can send packets to the client and see immediately if
the client crashes. If it does, then we know that player was using
The catch? This technique cannot be used on a large scale in the
commercial version of EQ for several reasons. First, as with any report
players make against a hacker, a GM would have to get involved and find
the alleged user online with MacroQuest running, then send them the
packet to see if they crash or not. Secondly, MacroQuest
itself can be updated quickly and easily enough that this technique
would no longer work as soon as the MQ developers were to find out it
"If SOE was crashing clients left and right it would be fixed in a
week," Haynar suggested.
"We use the buffer overflow very selectively," expanded Rogean. "We
could do it on entire zones at once, but we only do it when we know
we're going to catch someone. And our rules are if you get caught using
MQ you'll be permanently banned. We make players think twice about
using cheats. We've banned thousands of accounts already. They know it is
not tolerated so most of them will never use it.
"But SOE has a lot more options available to prevent its use
because they have direct control over the game client. Years ago they
had implemented a code in the client that detected if someone was
cheating. They caught a lot of players that way. MQ eventually fixed
it, but that's the sort of thing SOE could continue doing."
So why is preventing hacks such a challenge to begin with? Why doesn't
SOE just put in code to detect the use and ban the players? Rogean
explained further why it's so difficult to prove someone is cheating,
particularly when it comes to warping across a zone.
"Warping has always been a problem in EverQuest. There are so many ways
that a client can legitimately get across a zone. The server cannot
assume all cases of fast travel are automatically hacks. What if the
client lagged out where the player lost internet connection for a few
seconds? It would look like a warp or a speed hack to the server."
It was becoming clear to me at this point that hacking issues may not
be a simple fix. However, the team at Project 1999 had the drive and
desire to find a solution that worked for them. It may not be a
solution that could work for SOE but given that Sony has an upper hand
with the ability to manipulate the client itself, surely something
could be done.
I knew at that point I had to talk to Sony to find out what they could
do to prevent the hacking that has been going on. There are also rumors
on the various forums suggesting SOE would not ban accounts as it would
mean a loss in revenue and I wanted to see what SOE had to say about
Check out Part Three as I talk to Thom Terrazas,
Producer of EverQuest, about the hacking in the game and what he and
the development team plan to do to put a stop to it.
To read the latest guides, news, and features you can visit our EverQuest Game Page.