 |
warp back |
 |
|
|
__ |
|
(__`__---= SER()ET SERVICE |
|
~~\\\ : spreading`venom |
|
```--= in ur puny miserable |
|
dream world, |
|
we do! |
|
|
|
Once upon a time there was MMORPG called TMW ruled by drunk polish |
|
sausage but later occupied by communists. We were 3 core members |
|
with seasonal mercenaries most active in 2012-2014. Hai 2 Phoenix |
|
Council and all PKs. Rest in piss dear all. |
|
|
|
|
|
Theoretically I could put here game services because game server is |
|
still running but I care not anymore (last time I visited was week |
|
during 2016), so there will be only words with random historical files |
|
put in dedicated folder. |
|
|
|
All fun consisted of exploits, info gathering, bots and automations. |
|
With public source code for client, server and even server data |
|
(horribly dumbass) it's no surprise. Besides public online player list |
|
there was also public client versions log/summary table, purpose of |
|
which being public I couldn't get explained by everyone, but it gave |
|
deanonymization results compared to scrambled IPs from game master |
|
access level. At worst I could fall for whisper ping logging of course. |
|
|
|
| |
|
| Tools |
|
| |
|
| |
|
|
|
Serqet service production included: |
|
|
|
tmww - monitor/fetch themanaworld online player list |
|
shamana - tmwa ghetto bot engine made with POSIX shell |
|
mananews - newsbeuter exec plugin for ingame news |
|
|
|
Advanced bot ("garcon") with plugin systems, ACLs and all the fancy |
|
features based on supybot is in messed/broken state and won't be |
|
released (if you're aware of OpenKore it was somewhat alike). Simpler |
|
functions including tmww query bindings, chat reroutes, passage guards |
|
and others where delivered on top of shamana in manner of suckless irc |
|
client based on shamana, like this: |
|
|
|
#!/bin/sh |
|
while :; do |
|
sleep 0.1 |
|
read -r line < piper-pong |
|
[ -z "${line}" ] && continue |
|
echo debug $line |
|
case "${line}" in |
|
*[[]@@http*) |
|
echo debug urltitle |
|
urltitle=$( printf "%s\n" "${line}" | \ |
|
sed -r 's,.*[[]@@(http[s]?://[^ |]+).*$,\1,' | |
|
xargs -exec curl -L --retry 0 -s "{}" \; | |
|
sed -n '/<title>/{s/.*<title>//;s|</title>.*||;p;q}' |
|
) |
|
[ -z "${urltitle}" ] && continue |
|
printf "urltitle: %s" "${urltitle}" | |
|
socat - unix-client:piper-ping |
|
;; |
|
*) : ;; |
|
esac |
|
done |
|
|
|
Core script was tmww which assumed simultaneous usage by multiple users |
|
and multiple cron jobs on shared server. Script provided excellent zsh |
|
completion and completely covered with man pages. |
|
|
|
Most up to date files (honestly I don't remember where do last versions |
|
reside because these smell bad): |
|
|
 |
dbchars.txt |
|
dbparty.txt |
|
limited dbplayers.jsonl |
|
|
|
As you can see, dbchars is list of account numbers with associated |
|
character names and dbplayers json-per-line is list of aliases |
|
combining account numbers and metadata for each player (see tmww |
|
documentation for details). |
|
|
|
It started like this: |
|
|
 |
tmww screenshot |
|
|
|
Other service provided was shop adverts watchdog. |
|
|
|
You may get tmww version reports and some historical online lists here: |
|
|
|
client version/online list related logs |
|
|
|
Official game client never had scripting facilities and there was no |
|
neat solution in the wild (not counting tim, manaplus IPC glues and |
|
such). |
|
|
|
| |
|
| Privacy |
|
| |
|
| |
|
|
|
As previously mentioned, online list was made public, which met |
|
opposition of notable persons. With versions table updated within delay |
|
of seconds and public online player list it was pointed out as complete |
|
deanonimyzer method multiple times. Instead, raw log of versions was |
|
put online, obviously instantly updated, providing even more accuracy. |
|
|
|
example investigation |
|
|
|
I should obviously point out that until at least 2016 authentication |
|
was unencrypted. Obviously all chat was clear text too (and there |
|
existed OTR client mod from as early as 2010?) but admin's talks about |
|
not storing game chats server side for possible investigation were |
|
funny. |
|
|
|
Something made me totally upset in 2015 by wushin, probably was idea |
|
(IIRC not implemented) to publish all unobtainable rares count, |
|
probably more idiotic decisions, I just don't remember. |
|
|
|
There were also different small holes, like recreation of purged |
|
character name to grab assigned guild's roster and so on. |
|
|
|
Cases for privacy issues included koop's webcam.now.im controvercy, |
|
which streamed screenshots of game central square (now imagine all |
|
those streaming services). Frost decided it was privacy violation. Holy |
|
baboons, that was ridiculous! Sadly noone jumped in with case of |
|
streaming public chat at the time. |
|
|
|
frost-webcams |
|
|
|
| |
|
| Fun stuff |
|
| |
|
| |
|
|
|
NPC shop checks. Simplest check is to ensure that no shop sell |
|
item cheaper than buy. Other checks of this kind perform multistep |
|
comparison for all derivatives of items (via e.g. NPC crafting) |
|
available over NPC shops. Game knew load of such errors, git remembers |
|
some: |
|
|
|
Adjusted buy price for small mushrooms and amount needed for crafting |
|
iron potion at the alchemist |
|
buy prize changed from 100 to 125 |
|
amount changed from 4 back to 2 |
|
This prevents exploit but makes using the crafting system as attractive as p |
|
Also updated submodule pointer. |
|
commit edec9c5b9da9c981c1f242e7c3e65919b0056a4f |
|
Jen |
|
|
|
Fix an exploit involving buying small mushrooms and selling iron poti |
|
ons. |
|
commit 72bde3af78d170639093e7befd02ead4ffea2ba7 1 parent 5823790 |
|
o11c |
|
|
|
changing buy price of Cotton Shirt to prevent an exploit some correct |
|
ions regarding whitespaces |
|
commit 85ca9a9a049c003de63faa916b99149a5063e869 1 parent 85c2bab |
|
jtoelke |
|
|
|
There surely were more. But they were never enough and it really got me |
|
when it appeared there was yet another with [Short Bow], when you could |
|
do like something this before release: |
|
|
|
#!/bin/sh |
|
rgrep -he '^...-.\.gat.*| *shop' ~/tmwAthena/tmwa-server-data/world/map/npc |
|
cut -d '|' -f 4- | cut -d ',' -f 2- | sed 's/:\*/ /g' | tr ',' '\n' | |
|
sort | while read -r item; do |
|
price=$( tmww item -cn show sell by names "${item%% *}" ) |
|
printf "%s %s\n" "${item}" "${price:-error}" |
|
done | awk '$2 < ($3 + 0) { print }' |
|
|
|
to compare buy/sell fixed prices from NPCs. |
|
|
|
One peculiar bug inherent to how tmw server worked was char switch on |
|
same account. You could bring noob character with tank char into high |
|
level map, switch noob char on same account to damage dealer in same |
|
party with tank, did damage with DD, switch char back to noob and do |
|
last blow with tank, This yielded unbelievable leveling rate, rising |
|
noobs for abusing seasonal quests. |
|
|
|
Particularly good application was bug in illia sister's quest with |
|
character switch on same account allowing noob to enter without level |
|
restriction. Since there was still requirement for some middle level to |
|
barely survive, it opened doors to most expensive game items grinding. |
|
|
|
Saying of illia sisters, another good bug was cumulative time from |
|
doing first quest chapters giving final delay to collect unimportant |
|
but pricey drops in pretty dangerous area, providing order of magniture |
|
higher income than any botting. |
|
|
|
Sometimes we were that bored that finished illia sisters with all |
|
ragers: |
|
|
|
illia with ragers only |
|
|
|
and what's incomparably harder - all banshees being only 3 without |
|
cheating. |
|
|
|
illia with banshee only |
|
|
|
But some just didn't share our passion: |
|
|
|
dyna-takeover-drama |
|
hatespeach |
|
|
|
| |
|
| Community |
|
| |
|
| |
|
|
|
Some words about ruling council of developers and community elected |
|
moderators, which was expected to prevent chaos. |
|
|
|
Wushin broke things multiple times a day on production and painted it |
|
as achievement for fixing shit to previous state or using following |
|
release cycle: "we introduce shit", "shit broken", "shit breaks old |
|
shit", "shit removed". There was manipulation about him being queer and |
|
not about his chaotic behaviour because of overdosing speed. At the end |
|
of 2016 year there was no functional test cycle, and day I checked |
|
there was 50 minutes main server downtime, because noone bothered to |
|
try release on test server to see if it boots at all. |
|
|
|
Noone could explain how player "previously known as skyggen" got to top |
|
ruling position and why it was approved by TMWC. You shouldn't even |
|
breath on content not being power player. Same goes to gumi, initially |
|
introduced to make cosmetic changes. Guys! Noone give a fuck how you |
|
rub your dicks when you can't clearly answer how you introduce new item |
|
drop rate or sword stat numbers. |
|
|
|
meko under RAYS OF FUCKING HATRED |
|
|
|
You can't get technical decisions done required to be popular and |
|
approved among non-technical community, so I consider this model wrong, |
|
contrary to local dictatorship of Platyna's model. |
|
|
|
Now for real world views intervention into project. I'm too suspicious |
|
when someone holding power explains events with god's will. This goes |
|
to wushin and o11c and Frost as person responsible for data migration |
|
from platynium, delegation of privileges and fast disappearance. But |
|
what caught me by surprise was introduction of 3rd gender, with content |
|
dialogs fixed to reflect change. And no, it wasn't because they |
|
introduced some explanative content. That's not how you become claimed |
|
"innovative". |
|
|
|
And last word about platinum. There was open source project. There was |
|
hoster. Hoster ran instance and owner player's data. Have courage to |
|
call things their names. I didn't get meaningful explanation of |
|
Platyna's quirks except for impossibly delayed release cycle. Though |
|
behaviour I inspected years after data move - sticking to weird people |
|
|
|
Now that these idiots merged TMW with Evol. Shrugs. |
|
|
|
I must admit the only thing: now I'm against reintroduction of |
|
unobtainables which I stayed for. |
|
|
|
Now blowed steam off on pricks, there were plenty of good peeps, |
|
dropping in occasionally, doing some insane stuff, like Daneel studying |
|
ban frequencies ("bans time had a sinus wave pattern", that's useful |
|
for botting surely but he did observe much more things) or Toby doing |
|
trade analyses. Damn, even fools delivered much fun: |
|
|
|
cinderweb_vs_o11c |
|
|
|
| |
|
| Afterword |
|
| |
|
| |
|
|
|
I should have pay attention to hercules server community earlier, |
|
marker being vim completion with gnu global wrapper for NPC scripting, |
|
though manaplus being only comfortable open source client AFAIK is not |
|
yet fully compatible. |
|
|
|
Resources links: |
|
|
|
imagebin |
|
logs |
|
pastebin |
|
src |
|
tmww |
|
|
|
Assembled 2018-02-02 |
|
