SER()ET SERVICE
spreading venom in ur puny miserable dream world, we do!
Once upon a time there was MMORPG called TMW ruled by drunk po
sausage but later occupied by communists. We were 3 core mem
with seasonal mercenaries most active in 2012-2014. Hai 2 Pho
Council and all PKs. Rest in piss dear all.
Theoretically I could put here game services because game serve
still running but I care not anymore (last time I visited was
during 2016), so there will be only words with random historical f
put in dedicated folder.
All fun consisted of exploits, info gathering, bots and automati
With public source code for client, server and even server
(horribly dumbass) it's no surprise. Besides public online player
there was also public client versions log/summary table, purpos
which being public I couldn't get explained by everyone, but it
deanonymization results compared to scrambled IPs from game ma
access level. At worst I could fall for whisper ping logging of cou
|
| Tools
|
|
Serqet service production included:
|
| tmww - monitor/fetch themanaworld online player list |
| shamana - tmwa ghetto bot engine made with POSIX shell |
| mananews - newsbeuter exec plugin for ingame news |
|
Advanced bot ("garcon") with plugin systems, ACLs and all the f
features based on supybot is in messed/broken state and won't
released (if you're aware of OpenKore it was somewhat alike). Sim
functions including tmww query bindings, chat reroutes, passage gu
and others were delivered on top of shamana in manner of suckless
client based on shamana, like this:
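#!/bin/sh
# urltitle client: read chat lines from the piper-pong pipe and answer
# with the page title of any URL posted in chat
while :; do
    sleep 0.1
    read -r line < piper-pong
    [ -z "${line}" ] && continue
    echo debug "${line}"
    case "${line}" in
        *[[]@@http*)
            echo debug urltitle
            # cut the URL out of the chat line
            url=$( printf "%s\n" "${line}" |
                sed -r 's,.*[[]@@(http[s]?://[^ |]+).*$,\1,' )
            # fetch the page and keep the text of its first <title> line
            urltitle=$( curl -L --retry 0 -s -- "${url}" |
                sed -n '/<title>/{s/.*<title>//;s|</title>.*||;p;q;}'
            )
            [ -z "${urltitle}" ] && continue
            printf "urltitle: %s" "${urltitle}" |
                socat - unix-client:piper-ping
            ;;
        *) : ;;
    esac
done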
Core script was tmww which assumed simultaneous usage by multiple u
and multiple cron jobs on shared server. Script provided excellent
completion and completely covered with man pages.
Most up to date files (honestly I don't remember where do last vers
reside because these smell bad):
|
| dbchars.txt |
| dbparty.txt |
| limited dbplayers.jsonl |
|
As you can see, dbchars is list of account numbers with associ
character names and dbplayers json-per-line is list of ali
combining account numbers and metadata for each player (see
documentation for details).
It started like this:
|
|
|
|
Other service provided was shop adverts watchdog.
You may get tmww version reports and some historical online lists h
|
| client version/online list related logs |
|
Official game client never had scripting facilities and there wa
neat solution in the wild (not counting tim, manaplus IPC glues
such).
|
| Privacy
|
|
As previously mentioned, online list was made public, which
opposition of notable persons. With versions table updated within d
of seconds and public online player list it was pointed out as comp
deanonymizer method multiple times. Instead, raw log of versions
put online, obviously instantly updated, providing even more accura
|
| example investigation |
|
I should obviously point out that until at least 2016 authentica
was unencrypted. Obviously all chat was clear text too (and t
existed OTR client mod from as early as 2010?) but admin's talks a
not storing game chats server side for possible investigation
funny.
Something made me totally upset in 2015 by wushin, probably was
(IIRC not implemented) to publish all unobtainable rares co
probably more idiotic decisions, I just don't remember.
There were also different small holes, like recreation of pu
character name to grab assigned guild's roster and so on.
Cases for privacy issues included koop's webcam.now.im controve
which streamed screenshots of game central square (now imagine
those streaming services). Frost decided it was privacy violation.
baboons, that was ridiculous! Sadly noone jumped in with case
streaming public chat at the time.
|
| frost-webcams |
|
|
| Fun stuff
|
|
NPC shop checks. Simplest check is to ensure that no shop
item cheaper than buy. Other checks of this kind perform multi
comparison for all derivatives of items (via e.g. NPC craft
available over NPC shops. Game knew load of such errors, git remem
some:
Adjusted buy price for small mushrooms and amount needed for c
iron potion at the alchemist
buy prize changed from 100 to 125
amount changed from 4 back to 2
This prevents exploit but makes using the crafting system as at
Also updated submodule pointer.
commit edec9c5b9da9c981c1f242e7c3e65919b0056a4f
Jen
Fix an exploit involving buying small mushrooms and selling ir
ons.
commit 72bde3af78d170639093e7befd02ead4ffea2ba7 1 parent 582379
o11c
changing buy price of Cotton Shirt to prevent an exploit some
ions regarding whitespaces
commit 85ca9a9a049c003de63faa916b99149a5063e869 1 parent 85c2ba
jtoelke
There surely were more. But they were never enough and it really go
when it appeared there was yet another with [Short Bow], when you c
do like something this before release:
#!/bin/sh
rgrep -he '^...-.\.gat.*| *shop' ~/tmwAthena/tmwa-server-data/w
cut -d '|' -f 4- | cut -d ',' -f 2- | sed 's/:\*/ /g' | tr
sort | while read -r item; do
price=$( tmww item -cn show sell by names "${item%% *}" )
printf "%s %s\n" "${item}" "${price:-error}"
done | awk '$2 < ($3 + 0) { print }'
to compare buy/sell fixed prices from NPCs.
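An added example (not code from the original page, tmww or tmwa) that carries the buy/sell comparison above one step further to the craft case mentioned earlier: buy ingredients at a shop, craft at an NPC, sell the product. The three input formats, the check_shops name and every price are constructed for illustration; only the item names are taken from the commit messages quoted above.

```shell
#!/bin/sh
# Pre-release arbitrage check. Input formats and prices are constructed
# for this example; they are not tmwa's own file formats or values.

# item and the price a player pays at an NPC shop
SHOP_STOCK='SmallMushroom 100
IronPotion 600
CottonShirt 300'

# item and the price an NPC pays a player
SELL_PRICES='SmallMushroom 50
IronPotion 500
CottonShirt 350'

# NPC craft: product, ingredient, amount of ingredient, crafting fee
RECIPES='IronPotion SmallMushroom 4 0'

check_shops() {
    {
        printf '%s\n' "$SHOP_STOCK" | sed 's/^/B /'
        printf '%s\n' "$SELL_PRICES" | sed 's/^/S /'
        printf '%s\n' "$RECIPES" | sed 's/^/R /'
    } | awk '
        # keep the cheapest shop offer per item
        $1 == "B" { if (!($2 in buy) || $3 + 0 < buy[$2]) buy[$2] = $3 + 0 }
        $1 == "S" { sell[$2] = $3 + 0 }
        $1 == "R" { n++; prod[n] = $2; ing[n] = $3; amt[n] = $4; fee[n] = $5 }
        END {
            # direct: a shop sells the item below what NPCs pay for it
            for (i in buy)
                if ((i in sell) && buy[i] < sell[i])
                    printf "direct %s buy=%d sell=%d\n", i, buy[i], sell[i]
            # derived: buy the ingredient, craft, sell the product
            for (r = 1; r <= n; r++) {
                if (!(ing[r] in buy) || !(prod[r] in sell)) continue
                cost = buy[ing[r]] * amt[r] + fee[r]
                if (cost < sell[prod[r]])
                    printf "craft %s cost=%d sell=%d\n", prod[r], cost, sell[prod[r]]
            }
        }' | sort
}

# Report every loop that yields money from nothing; empty output is a pass.
check_shops
```

Run as a release gate, any output line is a price table error to fix before the data reaches the production server.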
One peculiar bug inherent to how tmw server worked was char switc
same account. You could bring noob character with tank char into
level map, switch noob char on same account to damage dealer in
party with tank, did damage with DD, switch char back to noob an
last blow with tank. This yielded unbelievable leveling rate, ri
noobs for abusing seasonal quests.
Particularly good application was bug in illia sister's quest
character switch on same account allowing noob to enter without l
restriction. Since there was still requirement for some middle leve
barely survive, it opened doors to most expensive game items grindi
Saying of illia sisters, another good bug was cumulative time
doing first quest chapters giving final delay to collect unimpor
but pricey drops in pretty dangerous area, providing order of magni
higher income than any botting.
Sometimes we were that bored that finished illia sisters with
ragers:
|
|
|
|
and what's incomparably harder - all banshees being only 3 wit
cheating.
|
|
|
|
But some just didn't share our passion:
|
| dyna-takeover-drama |
| hatespeach |
|
|
| Community
|
|
Some words about ruling council of developers and community ele
moderators, which was expected to prevent chaos.
Wushin broke things multiple times a day on production and painte
as achievement for fixing shit to previous state or using follo
release cycle: "we introduce shit", "shit broken", "shit breaks
shit", "shit removed". There was manipulation about him being queer
not about his chaotic behaviour because of overdosing speed. At the
of 2016 year there was no functional test cycle, and day I che
there was 50 minutes main server downtime, because noone bothere
try release on test server to see if it boots at all.
Noone could explain how player "previously known as skyggen" got to
ruling position and why it was approved by TMWC. You shouldn't
breath on content not being power player. Same goes to gumi, initi
introduced to make cosmetic changes. Guys! Noone give a fuck how
rub your dicks when you can't clearly answer how you introduce new
drop rate or sword stat numbers.
|
| meko under RAYS OF FUCKING HATRED |
|
You can't get technical decisions done required to be popular
approved among non-technical community, so I consider this model wr
contrary to local dictatorship of Platyna's model.
Now for real world views intervention into project. I'm too suspic
when someone holding power explains events with god's will. This
to wushin and o11c and Frost as person responsible for data migra
from platynium, delegation of privileges and fast disappearance.
what caught me by surprise was introduction of 3rd gender, with con
dialogs fixed to reflect change. And no, it wasn't because
introduced some explanative content. That's not how you become cla
"innovative".
And last word about platinum. There was open source project. There
hoster. Hoster ran instance and owner player's data. Have courag
call things their names. I didn't get meaningful explanation
Platyna's quirks except for impossibly delayed release cycle. Th
behaviour I inspected years after data move - sticking to weird pe
Now that these idiots merged TMW with Evol. Shrugs.
I must admit the only thing: now I'm against reintroduction
unobtainables which I stayed for.
Now blowed steam off on pricks, there were plenty of good pe
dropping in occasionally, doing some insane stuff, like Daneel stud
ban frequencies ("bans time had a sinus wave pattern", that's us
for botting surely but he did observe much more things) or Toby d
trade analyses. Damn, even fools delivered much fun:
|
| cinderweb_vs_o11c |
|
|
| Afterword
|
|
I should have paid attention to hercules server community earl
marker being vim completion with gnu global wrapper for NPC script
though manaplus being only comfortable open source client AFAIK is
yet fully compatible.
Resources links:
|
| imagebin |
| logs |
| pastebin |
| src |
| tmww |
|
Assembled 2018-02-02
|