+- Limelight Forums (https://limelightgaming.net/forums)
+-- Forum: Community (https://limelightgaming.net/forums/forum-195.html)
+--- Forum: Announcements (https://limelightgaming.net/forums/forum-200.html)
+---- Forum: Blog (https://limelightgaming.net/forums/forum-529.html)
+---- Thread: Dev Blog #4 - /drop exploit, a post-mortem. (/thread-23740.html)
Pages:
1
2
Dev Blog #4 - /drop exploit, a post-mortem. - Doctor Internet - Nov 28, 2018
/drop exploit, a post-mortem.
How we were alerted.
I was bored and checking various automated systems, and comparing them against stored logs. The system had flagged up some suspect accounts, where there was a difference between the items spawned with / picked up / bought, and the items that they had in their inventory on the next spawn. Looking into this further, I saw masses of weapon drops, a single weapon being used, followed by an inventory manager transaction, a weapon /drop, and the weapons being picked back up. So myself and Nightmare hopped on staging, started testing, and I started looking through the inventory manager, item drop and weapon drop codes.
How did the exploit work?
The exploit worked by using the interaction between two unrelated systems, the inventory manager and the /drop command. When dropping weapons from the inventory, if you drop all the weapons in your inventory, you automatically de-equip the weapon you're holding too. The inventory manager doesn't do that, however. This meant you could have no weapons in your inventory, but still have one equipped in your hand. /drop didn't care about that, it would always create a weapon item anyway. So, as long as an exploiter had a friend they could get their other weapon back from, they could repeatdly do this (albiet only with single weapons, and each round could take up to 60 seconds).
However, the inventory manager was only a single method of being able to exploit this. Administrators could have used it by spawning weapons from the Q menu (though I found no evidence of this), or if players have had items removed with the item take command, this condition could also have been present.
Has it been fixed?
No, I'm telling everyone how to do it because I specifically didn't patch it. /s
Yeah, it's been pached. And the fix was Q/A'd. I'm shocked.
How was this fixed?
/drop was patched. If the player doesn't have any of the selected weapons in their inventory, /drop acts as /holster.
What have we learnt?
Well,
1. Old code doesn't always do what you expect it to do when you integrate it with new systems.
2. We should always check for edge cases, even when other systems should prevent those edge cases.
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Armard - Nov 28, 2018
Will those who used the glitch to dupe weapons be punished?
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Kvatch - Nov 28, 2018
What have we learnt?
Even though there's tonnes of suggestions being made every week, Doctor Internet still has chance to be bored.
RE: Dev Blog #4 - /drop exploit, a post-mortem. - StephanGH - Nov 28, 2018
(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?
^
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Dick - Nov 28, 2018
(Nov 28, 2018, 07:55 PM)StephanGH Wrote:(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?
^
That'd be a yes-siry. Any exploit being used is against the TOS.
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Quest - Nov 28, 2018
(Nov 28, 2018, 10:21 PM)Dicky Wrote:(Nov 28, 2018, 07:55 PM)StephanGH Wrote:(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?
^
That'd be a yes-siry. Any exploit being used is against the TOS.
...So has anyone?
How can you proved they used it?
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Jen - Nov 28, 2018
(Nov 28, 2018, 10:26 PM)Quest Wrote:(Nov 28, 2018, 10:21 PM)Dicky Wrote:(Nov 28, 2018, 07:55 PM)StephanGH Wrote: ^
That'd be a yes-siry. Any exploit being used is against the TOS.
...So has anyone?
How can you proved they used it?
Logs, by seeing people dropping weapons, transferring the weapon to their friend and then transferring them back.
RE: Dev Blog #4 - /drop exploit, a post-mortem. - StephanGH - Nov 28, 2018
Sooo... Ban wave inc?
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Doctor Internet - Nov 29, 2018
(Nov 28, 2018, 11:38 PM)StephanGH Wrote: Sooo... Ban wave inc?
That's up to the SA team for specifics. Though just with a cursory glance, there were a couple of people using it. If you have used it, it may be a good time to drop them a PM confessing to it, rather than making them trawl through logs to find exact details.
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Lewwings - Nov 29, 2018
This is why Doctor Internet is Doctor.
He has a fucking post-mortem for game bugs.
kewl!!
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Hungames - Nov 29, 2018
If only code was tested before hand @Doctor Internet
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Doctor Internet - Nov 29, 2018
(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand "Doctor Internet"
Aye, gosh-darn. If only those people back in 2008 had realised their code would come in and interfere with this totally different system 10 years later. You got me good there Hungames.
RE: Dev Blog #4 - /drop exploit, a post-mortem. - pufitee - Nov 29, 2018
i would like to confess yes
RE: Dev Blog #4 - /drop exploit, a post-mortem. - StephanGH - Nov 29, 2018
(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand @Doctor Internet
If only people didn't try to exploit and abuse every little bug they find instead of just reporting it to a Staff Member/Dev
RE: Dev Blog #4 - /drop exploit, a post-mortem. - Cole - Nov 29, 2018
It baffles me how people manage to find such weird exploits in the CityRP systems. Good thing it's patched now I guess.