This should be a short and hopefully mildly entertaining story about how I got into the world of Runescape bug abuse. The purpose of this post is to document the game’s mechanics and how they were exploited. The timeframe is from late 2010 to early 2012.
Runescape’s game logic was all server sided. Just about every command in runescape required communication with the server, for example walking, opening interfaces, picking up items, and moving items in your inventory. After a command was sent the server would respond with the subsequent action, for example if you asked to talk with an NPC in game the server would respond with a chat box, and from there your client would sync with the server about once every 600ms (RS2 tick rate).
Since most of the games logic was server sided, not many bugs were found in RS2 that involved tampering with the client. Although, custom clients were useful as an extension for controlling server sided bugs, for instance finding player coordinates and item ids.
Stalls and Interfaces
Stalls are a high priority action that you make in game. These actions can stall almost any command and cannot be interrupted in any way. The logout command isn’t enough to break a stall. An example of a stall would be the turkey emote which lasts for about six seconds, during this emote you are unable to do anything.
Server sided interfaces are weak stalls. They can stall some actions but other commands will break them. For example taking direct damage from an opponent will cause an interface to close, but a damage over time effect, such as poison, will be delayed until an interface closes; both of these actions, taking direct damage and taking poison damage would be delayed by a stall. An example of an interface is the report abuse interface.
Infinite stalls have no delay (game ticks) between when the stall starts and ends. An infinite stall could theoretically delay damage until the next system reboot making your character pseudo invincible. Some examples of infinite stalls: Antlers, trying to set up a canon base in an area too small for it, max cape emote, every teleport.
Being able to delay actions behind a stall or an interface opened up many doors while glitching. When teleporting out of areas with items only allowed in those areas, for example the minigame Vinesweeper and the item ogleroots, the action to delete the items executed after the teleport. Opening an interface as soon as the teleport ended kept the item in your inventory. Dropping the ogleroots at this point was possible, and after that the command to delete them executed and you were able to keep them since there were no more checks past that point. This method was used to duplicate chaos runes in Fremennik Sagas resulting in a 30 million gp per hour dupe.
Some commands can be stacked behind interfaces, and some can be stacked behind stalls. There is some order of prioritization going on in the game logic. A few commands could be stacked behind interfaces as many times as you sent them. This may seem useless, but a discovery was made that if more than one thousand commands were stacked behind a stall or interface and all the commands executed at the same time all other commands or actions on your character would be deleted.
Floods were the multipurpose holy grail of bug abuse. For example when you leave an area with items you are supposed to only have in that area, a command is placed on your player to delete that item. Using an interface after leaving the area would stall that command from happening until the interface is closed. It was possible to drop some items at this point then pick them back up, but most area based items had a check for this. Using a flood allowed you to completely delete the command placed on your character to delete the item. Allowing you to smuggle the item out of the area.
Warriors Guild Interface FloodIt was possible to keep the interface from the Warriors Guild shield room by opening up the armour menu and equipping then equipping the shield. The commands in this interface would stack behind a stall, but not an interface. Stacking around one thousand commands behind an infinite stall would result in a flood.
Calling Followers in Randoms FloodIf you had a follower while taken into a random event, your follower would remain outside. If you tried to call your follower you would get the message “That can wait until you’ve finished here.” This command was stackable behind an interface.
Audio Interface FloodAn extremely simple flood, all you had to do was perform a stall and send the “exit sound option” command.
Controlled Forced Teleports
Teleporting and player placement was a major part of the games mechanics. Most parts of the game relied on the mechanic of forcing a player from one coordinate to another, for example the movement of a character from the castle wars waiting room into the game itself. The normal teleports in a player’s spellbook were also a major part of gameplay. These two actions were very similar. Normal teleports that a player can control are Registered and the game often has checks in place to make sure players can’t use them in certain areas (ie the duel arena).
A Controlled Forced Teleport was a method for controlling when the game placed in you a certain location. There were many ways to accomplish this in theory: delaying the action that caused your character to be moved to a certain location, smuggle an interface that had an option to move your character to a certain location in a given area, or smuggle a follower that brought you back to a location. Controlled forced teleports were mainly used to ‘teleport’ out of areas where it wasn’t allowed. This would often be used to smuggle items or even be combined with other glitches to create bigger exploits.
Barbarian Assault Controlled Forced TeleportBarbarian assault is a mini game that involves five players to group together. When the designated leader enters the mini game then everyone is forced into the minigame. If any of the players leave then everyone is forced out of the minigame back into the lobby. By having a single party member use an infinite stall while the rest of the group left it was possible to delay this action on all of the group members. Those group members who left could then go to any area of the game. Once the party member using the infinite stall stopped, every player would be forced back into the lobby from wherever they were.
Personal Area Forced Teleports
A personal area is an area of the runescape map that dynamically allocated when a player enters and deleted when there were no other players in the area. For example player owned houses were Personal Areas, it would have been extremely inefficient to keep a 250x250 square area loaded on the main map at all times. A portion of the map was set aside for these personal areas:
The Personal Area Forced Teleport allowed one player to move into another characters personalized area. This usually worked by trying to enter or re-enter a personalized area that had already been deleted. So after a personalized area is deleted it can either be filled with nothingness or another players personalized area. If you tried to re-enter your personalized area and there was nothingness you would receive the message ‘Invalid Teleport’. If you tried to enter or re-enter your personalized area and someone else had loaded an area where yours used to be, you would enter theirs.
Salt in the Wound PAFTThis one is pretty simple. Teleport away from salt in the wound cave during the salt in the wound quest. Interface once you were out, then use the return to party button. This would try to bring you back to an instance that had been deleted. More often than not you would receive an ‘Invalid Teleport’ message which meant no other personal areas had loaded where yours was deleted.
Amulet of Nature PAFT (founded by ifh abused by many)The amulet of nature allowed a player to bind the amulet to a farming patch and teleport to it when the tree was diseased. Apparently in the games logic coordinates were used when the amulet was bound to a patch and there were understandably no checks in place to stop this. To set up this bug you had to be able to free walk a cutscene that a farming patch was apart of which wasn’t too uncommon since templates from the mainland were often used in cutscenes. One obvious method of free walking a cutscene was to PAFT into someone else’s, another way was to use a flood to delete the command to force your player out of the cutscene consequently allowing you to remain in the cutscene. Once in the cutscene it was possible to bind your amulet of nature to a farming patch within the Personal area, allowing you to teleport back to those coordinates at anytime. After learning about the pattern in which Personal Areas were created it was simple, but tedious, to PAFT into an instance that your friend controlled. Doing so led to even more glitches being discovered: smuggling items out of Personal Areas that weren’t meant to make it back to the mainland, level three accounts getting fire capes, and getting into the Draynor Bank robbery cutscene. There were two reasons why this PAFT was so amazing: it allowed you to re-enter the same personal area multiple times and it allowed you to control your characters return square when exiting the personal area. This bug led to many other exploits such as 700k thieving experience per hour by teleporting out of Pyramid Plunder with the nature of amulet then returning after leaving the Personal Area. It also led to a 500k per hour slayer bug by using the amulet of nature to teleport into the Jade Vine personal area. Each time you teleported in it reset the instance for your character.
Smashing Runescape's game logic was a community effort done for both fun and profit. Many bright people spent many hours inventing, finding, and abusing the bugs mentioned in this post and plenty of others not mentioned. A few that should be mentioned are Hej, Fluid Karma, Quint, Iceforge, roy, ifh, nevs, alta.