IEEE Spectrum December, 2007 - 25

SANDbox StuDIo

other wannabe knights and knaves do battle in EverQuest (dubbed
"EverCrack" for its addictiveness), World of Warcraft, and other
games. Schoolchildren, college students, and GenXers are playing
such online games as Halo 3 on the Xbox 360 or Madden NFL 2008
on the Playstation 3. Many graying gamers take to casual online
games, such as bridge and chess. It doesn't take much more than
a computer and an IP address to access your passion.
Thurman started playing Ultima Online as an undergraduate in
1997. He couldn't help but wonder if, through a few hacks, there
was a way to make his game-playing experience better. After
surfing around, he came upon software such as UOAssist and
EasyUO. When run in conjunction with a game, those programs
gave players advanced macros, which are keyboard shortcuts to
speed up mundane tasks such as healing yourself after battle.
He realized he was on to something.
Thurman left Phoenix in 1998, moved to Dallas, and began working full time as a support engineer for a large software company,
which he also prefers not to name. He continued thinking about
hacking Ultima Online, and he became aware of the growing realworld market for virtual gold. The problem was that he couldn't
amass it fast enough to make a decent buck. But, he thought, if he
could create an auto-playing robot, something that could basically
play the game for him-then maybe he could cash in.
Drawing on his programming knowledge and with the help of
DIY hacker sources online, such as Fravia.com, Thurman got to
work. He started by shelling out $800 for a reverse-engineering
software tool called IDA Pro from DataRescue of Liège, Belgium.
IDA Pro lets users see the structure of a program's logic. Point
it at a program, and it creates a flowchart of how the software
works. Thurman directed the tool to the "client" software he'd
downloaded to his PC to let him to play Ultima Online. (The client
software is what every player downloads in order to play.)
Basically, IDA Pro reverse-engineered Ultima Online's inner
workings. Not only did it let Thurman see the basic functions
of the client software, it also let him see the specific memory
addresses where the software stored key variables such as the
player's location in the game world, an inventory of the player's
possessions, and the status of the player's health.
That information led Thurman to write a chunk of C++ code
that he inserted into the client software to allow it to communicate with Microsoft.Net, a development environment for
Windows computers. In effect, the C++ code functioned as a
kind of outlet to the servers running the game. With that done,
he needed, essentially, to write a plug to stick into the outlet.
He wrote that plug in Visual Basic. Once complete and installed
in his machine, it could exchange information with the Ultima
Online client in his computer and, through that client software,
the Ultima Online servers at the Redwood City headquarters of
Electronic Arts. In other words, he got access to the brains running the game.
Next, Thurman set up his bank of computers. He chose the
cheapest off-the-shelf PCs available that had enough power to
run Ultima Online, and he bought 30 of them. Each was equipped
with an Intel Pentium 4 or a Celeron processor, a gigabyte
of RAM, and a 20-GB hard drive. He connected the
bank of PCs to three monitors and
a network of six cable
modems, four routers,
and a Toshiba tablet PC
that he used to manage the
whole operation.
Then he got down to business. The plan was that each

www.spectrum.ieee.org

of the 30 PCs would play the game individually, creating a character and then using that character to perform tasks that would
earn gold. Thurman wrote software to randomly generate details
about the characters-names, classes (fisherman, say, or fighter),
and skills (such as magic or cooking), saving him the trouble
of creating each character manually. He cloaked his identity by
purchasing anonymous gift cards to set up accounts rather than
paying for them with a personal credit card (the gift cards are
no longer being sold).
Once his computers logged into a game, communication
between them and the game server was fairly straightforward.
For every action happening in the game that involved one of
Thurman's 30 characters, the game server sent the details back
to the relevant client computer, and vice versa. The details
included the skills of a character, the status of its health, and the
size of its bank account. Thurman eliminated the human element-
cut out the middleman, you might say-by programming his
computers to automatically respond to the incoming data from
the game server.
The application performed the functions that a normal player
would have to do with many repetitive keystrokes (Ultima Online
players use keyboards, not joysticks). One thing the program
couldn't do was sniff out moneymaking opportunities, so
Thurman did that himself. But once he identified an opportunity, he would quickly write code that told his characters what
to do to capitalize.
For example, in Ultima Online, gamers can make money by
cooking and selling chickens to tavern keepers. Thurman programmed his characters to buy raw birds from the butcher and
then prepare the food. Ordinarily, a gamer can cook only one
bird at a time, but Thurman automated the process so that his
30 PCs could cook as many as 500 birds at a time; he sold them
in huge quantities to the taverns. In minutes, his bank of computers could rack up an amount of virtual money that it would
take an individual player weeks to earn.
But wouldn't it be easy to spot a user who was cooking
and selling, in minutes, enough chicken to feed an army?
Absolutely. And that's where the real finesse of being a game
hacker comes in. A big part of the tradecraft is simply managing to avoid getting busted by the company game masters,
whose job it is to prowl for hackers. If they even suspect illicit
activity, they look up the associated Internet Protocol address
and can take action. "They would mass-ban your accounts,"
Thurman notes.
So he installed countermeasures. First, he got a separate account
for each of the 30 computers. He had six cable modems, with five
accounts tied to each one. He also paid his Internet service provider
an extra $16 per month to get four IP addresses to use (most households have just one), and wrote software to instruct the modems
to release one of those IP addresses every six hours and grab a
new one to replace it. In a network with dynamically assigned IP
addresses, any modem outage and reboot results in a new address
assigned; Thurman effectively generated his own outages so that
he could get new IP addresses. His constantly
shifting array of IP addresses made it hard
for the sleuths at Electronic Arts to notice
the fantastic quantities of chicken he was
selling, to say nothing of the ore he
was mining, melting into
ingots, and exchanging
for game currency.
But churning the IP
addresses wasn't a fool-

December 2007 | IEEE Spectrum | NA 35

http://www.Fravia.com http://www.Microsoft.Net http://www.spectrum.ieee.org

Table of Contents for the Digital Edition of IEEE Spectrum December, 2007