Limelight Forums

Full Version: Dev Blog #4 - /drop exploit, a post-mortem.
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
/drop exploit, a post-mortem.

How we were alerted.
I was bored and checking various automated systems, and comparing them against stored logs. The system had flagged up some suspect accounts, where there was a difference between the items spawned with / picked up / bought, and the items that they had in their inventory on the next spawn. Looking into this further, I saw masses of weapon drops, a single weapon being used, followed by an inventory manager transaction, a weapon /drop, and the weapons being picked back up. So myself and Nightmare hopped on staging, started testing, and I started looking through the inventory manager, item drop and weapon drop codes.

How did the exploit work?
The exploit worked by using the interaction between two unrelated systems, the inventory manager and the /drop command. When dropping weapons from the inventory, if you drop all the weapons in your inventory, you automatically de-equip the weapon you're holding too. The inventory manager doesn't do that, however. This meant you could have no weapons in your inventory, but still have one equipped in your hand. /drop didn't care about that, it would always create a weapon item anyway. So, as long as an exploiter had a friend they could get their other weapon back from, they could repeatdly do this (albiet only with single weapons, and each round could take up to 60 seconds).

However, the inventory manager was only a single method of being able to exploit this. Administrators could have used it by spawning weapons from the Q menu (though I found no evidence of this), or if players have had items removed with the item take command, this condition could also have been present.

Has it been fixed?
No, I'm telling everyone how to do it because I specifically didn't patch it. /s
Yeah, it's been pached. And the fix was Q/A'd. I'm shocked.

How was this fixed?
/drop was patched. If the player doesn't have any of the selected weapons in their inventory, /drop acts as /holster.

What have we learnt?
Well,
1. Old code doesn't always do what you expect it to do when you integrate it with new systems.
2. We should always check for edge cases, even when other systems should prevent those edge cases.
Will those who used the glitch to dupe weapons be punished?
What have we learnt?
Even though there's tonnes of suggestions being made every week, Doctor Internet still has chance to be bored.
(Nov 28, 2018, 07:42 PM)Armard Wrote: [ -> ]Will those who used the glitch to dupe weapons be punished?

^
(Nov 28, 2018, 07:55 PM)StephanGH Wrote: [ -> ]
(Nov 28, 2018, 07:42 PM)Armard Wrote: [ -> ]Will those who used the glitch to dupe weapons be punished?

^

That'd be a yes-siry. Any exploit being used is against the TOS.
(Nov 28, 2018, 10:21 PM)Dicky Wrote: [ -> ]
(Nov 28, 2018, 07:55 PM)StephanGH Wrote: [ -> ]
(Nov 28, 2018, 07:42 PM)Armard Wrote: [ -> ]Will those who used the glitch to dupe weapons be punished?

^

That'd be a yes-siry. Any exploit being used is against the TOS.

...So has anyone?
How can you proved they used it?
(Nov 28, 2018, 10:26 PM)Quest Wrote: [ -> ]
(Nov 28, 2018, 10:21 PM)Dicky Wrote: [ -> ]
(Nov 28, 2018, 07:55 PM)StephanGH Wrote: [ -> ]^

That'd be a yes-siry. Any exploit being used is against the TOS.

...So has anyone?
How can you proved they used it?

Logs, by seeing people dropping weapons, transferring the weapon to their friend and then transferring them back.
Sooo... Ban wave inc?
(Nov 28, 2018, 11:38 PM)StephanGH Wrote: [ -> ]Sooo... Ban wave inc?

That's up to the SA team for specifics. Though just with a cursory glance, there were a couple of people using it. If you have used it, it may be a good time to drop them a PM confessing to it, rather than making them trawl through logs to find exact details.
This is why Doctor Internet is Doctor.

He has a fucking post-mortem for game bugs.

kewl!!
If only code was tested before hand
(Nov 29, 2018, 02:19 AM)Hungames Wrote: [ -> ]If only code was tested before hand "Doctor Internet"

Aye, gosh-darn. If only those people back in 2008 had realised their code would come in and interfere with this totally different system 10 years later. You got me good there Hungames.
i would like to confess yes
(Nov 29, 2018, 02:19 AM)Hungames Wrote: [ -> ]If only code was tested before hand

If only people didn't try to exploit and abuse every little bug they find instead of just reporting it to a Staff Member/Dev
It baffles me how people manage to find such weird exploits in the CityRP systems. Good thing it's patched now I guess.
Pages: 1 2