/******************************************************* * * * Details of a major bug in Rom code, as discovered * * by Ichike from World of Naruto in January 2009. * * * * The intended audience of the detail are people * * who are running MUDs or who are developing MUD * * code, which includes, but is not limited to, * * the Diku team, the Merc team, the Rom consortium, * * the RaM group, Circle code creators, as well as * * anyone else with a long-term, established MUD. * * Because of the obvious potential for abuse, this * * code will not be given freely either on a web * * page or in e-mail to people who cannot establish * * their identity. * * * * If you think that you can prove your identity, * * then send me an e-mail to * * therealadrian@hotmail.com * * * * The purpose of this document is to warn people * * about the dangers of this bug, and how much * * damage it can cause. * * * ******************************************************/ /******************************************************* * * * Section 1: Why you need to remove this bug * * * *******************************************************/ This bug, when activated, gives a player double their normal physical attacks per round, and it can be activated every single round. Whilst this is not particularly useful for spellcaster types (mages etc), it is devastatingly powerful for warriors. They do 6 attacks instead of 3, 8 instead of 4, and so forth. The sacrifice for this bug is that the player who is abusing it can't do anything else. Thus they won't learn any of your attacking skills and the commands that you likely spent ages working on. They won't explore the game, won't enjoy the game, and likely will be spending most of their time complaining. It is bad for everyone involved. /****************************************************** * * * Section 2: Why you won't be able to catch it * * * *****************************************************/ This bug does show up in your logs as BUG (a certain message), although it is actually possible to make a fix that gets rid of the bug message but does not actually fix the bug! Furthermore, that same BUG message you could easily get from a myriad of other commands. It doesn't look important, but it is. If you see a player abusing this bug, right in front of you, you can see the double attacks, but you likely will think that it is an optical illusion, a display bug, and that they aren't really getting double attacks. Actually, they are. Just the same, players abusing this bug will know that it is a bug, and will likely go to lengths to hide it. The one that we caught was refusing to abuse it in front of any players or even with an imm logged on at all, and created a whole fake personality pretended to be a victim so as to hide this. /**************************************************** * * * Section 3: Why you won't find it in the code * * * ***************************************************/ This bug exists in DikuMUD code, which was first created in 1990. It still exists in the code derived from Diku, Merc, created in 1991, still had the bug. Rom, created from 1993-1998, still had the bug. Indeed, the first evidence that the bug was discovered was in 2002 when the Rom consortium admitted to finding the bug, but refused to get rid of it. They said that the only way to fix it was to delete the command, which is otherwise a very useful command, and that a MUD was better off simply to keep it a secret and hope that players don't notice it. /**************************************************** * * * Section 4: What is wrong with the code * * * ***************************************************/ The command that causes the bug is written poorly. Basically, they forget to set 1 variable properly (which is what causes the bug messages in your log files, but is not what allows the bug to be abused), and secondly they have forgotten to put in an exception. The fixes for both (it should be noted that the bug messages indicate that there is a possible overflow, and this bit should be fixed too) are 1 line each. In other words, to get rid of this bug, you have to add 1 line of code. To get rid of the overflow affect, you should add a 2nd line of code. The problem is that the exception is quite tricky, and required a complex if statement, checking just the right settings but not too much. The Rom consortium wasn't able to manage it. The exception was first discovered by me, Ichike, in January 2009. /************************************************** * * * Section 5: Our example - difficulty catching * * * *************************************************/ In our example, the cheater put up such a front of "woe is me" and paranoia that we didn't dare snoop them. Really, the only reason that we even looked at all was because we were getting unexplained crashes, which were actually being caused by other things, including putting in 2 lots of END IF at the end of a mob program. It took ages to find all of that. At the end of that, I discovered that we were no longer getting crashes and yet were still getting the bug messages. I had also seen, in trying to figure out what was causing the crashes, these bug messages and the odd-looking stock code. I was only concerned about its potential to cause a crash through overflowing variables (by not setting things properly), and indeed, in theory, it could cause a crash. Overflows can do all sorts of things, including messing up player files, and should be avoided at all costs. The other reason that it twigged with me is because I had accidentally created a command which, because I set things up incorrectly, gave mobs double hits every time that you activated it, which was the exact same thing that this bugged command did - but in reverse. Players DO report it (and complain A LOT!) if you put in a command that gives them double hits against, yet they are less likely to report it giving them double hits themselves. As such, I knew that this wasn't an optical illusion. Or, put simply, I found this bug because I had made errors in my own coding and was able to see their bug because I had done the same thing. /************************************************* * * * Section 6: It also endagers the MUD * * * ************************************************/ Whilst the bug that causes double hits can be fixed by adding a single if statement, the bug that gives the bug message in the log file is in many ways more dangerous, because it fails to set a variable correctly. Both of these are only set off when a player abuses this bug. By failing to set a variable correctly, it creates an overflow. Once you have an overflow in your code, who knows what it will do? It could cause a crash, but that is in many ways the least of your worries. More of a concern is that it could get into your player files and move numbers around, so that they have mana instead of stamina or vice versa, or all manner of other bad things. The player who is doing this isn't just getting themselves unfair levels and a big advantage - they are doing so at the expense of every player on the MUD and the MUD itself. /*********************************************** * * * Section 7: The cheater's attitude * * * **********************************************/ Ultimately, because this bug is so severe, the cheater knows that if the immortals find out, then they are going to be severely punished, maybe having their character wiped or banned, or perhaps if they are lucky just losing some levels and equipment. As such, the cheater is likely to go out of their way to pretend that they are not doing it. Our cheater that we caught created a false persona that accused all of the imms on the MUD of cheating, whilst simultaneously encouraging other players to break the rules and generally try to create an uprising of sorts, and accusing senior players of doing the wrong thing. It just basically creates a bad attitude everywhere. Your cheaters may vary a little, but one thing is for sure - they aren't going to let any immortals know about their little cheat. This is such a big advantage that no imm is going to tolerate it, and, if they can't find a fix, they are going to get rid of the whole command. /********************************************* * * * Section 8: What we did with our cheater * * * ********************************************/ Our cheater had got up to level 135 on our MUD. To put that into perspective, that was the 5th highest level player on the MUD. To put that into perspective, our MUD has 600 characters, and has been open for 11 months. They had only played for 2 months, but had got that high up in the rankings that they were number 5 - all illegitimately gained. Whilst we considered removing levels down to somewhere between 50-90, in the end the player was so rude about it, and lying so much when confronted, that their character was deleted entirely. /********************************************** * * * Section 9: Do you need the fix? * * * *********************************************/ If you need the fix, or think that you need it, then you need to prove that you are someone who could legitimately need this (our aim is that all MUDs have this fix), then you need to provide some proof that you are legitimate, and e-mail me, Ichike, for the information. /*********************************************** * * * send e-mail to: therealadrian@hotmail.com * * * **********************************************/ Please pass on this information to any others who need it, but try to keep it away from people who might abuse it and DO NOT post it publically (at least not saying what the command is and how to abuse it).