This forum uses cookies

**Doctor Internet** · **Nov 28, 2018, 01:36 PM**

/drop exploit, a post-mortem.

How we were alerted.
I was bored and checking various automated systems, and comparing them against stored logs. The system had flagged up some suspect accounts, where there was a difference between the items spawned with / picked up / bought, and the items that they had in their inventory on the next spawn. Looking into this further, I saw masses of weapon drops, a single weapon being used, followed by an inventory manager transaction, a weapon /drop, and the weapons being picked back up. So myself and Nightmare hopped on staging, started testing, and I started looking through the inventory manager, item drop and weapon drop codes.

How did the exploit work?
The exploit worked by using the interaction between two unrelated systems, the inventory manager and the /drop command. When dropping weapons from the inventory, if you drop all the weapons in your inventory, you automatically de-equip the weapon you're holding too. The inventory manager doesn't do that, however. This meant you could have no weapons in your inventory, but still have one equipped in your hand. /drop didn't care about that, it would always create a weapon item anyway. So, as long as an exploiter had a friend they could get their other weapon back from, they could repeatdly do this (albiet only with single weapons, and each round could take up to 60 seconds).

However, the inventory manager was only a single method of being able to exploit this. Administrators could have used it by spawning weapons from the Q menu (though I found no evidence of this), or if players have had items removed with the item take command, this condition could also have been present.

Has it been fixed?
No, I'm telling everyone how to do it because I specifically didn't patch it. /s
Yeah, it's been pached. And the fix was Q/A'd. I'm shocked.

How was this fixed?
/drop was patched. If the player doesn't have any of the selected weapons in their inventory, /drop acts as /holster.

What have we learnt?
Well,
1. Old code doesn't always do what you expect it to do when you integrate it with new systems.
2. We should always check for edge cases, even when other systems should prevent those edge cases.

Armard · **Nov 28, 2018, 07:42 PM**

Will those who used the glitch to dupe weapons be punished?

Kvatch · **Nov 28, 2018, 07:44 PM**

What have we learnt?
Even though there's tonnes of suggestions being made every week, Doctor Internet still has chance to be bored.

StephanGH · **Nov 28, 2018, 07:55 PM**

(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?

^

**Dick** · **Nov 28, 2018, 10:21 PM**

(Nov 28, 2018, 07:55 PM)StephanGH Wrote:
(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?

^

That'd be a yes-siry. Any exploit being used is against the TOS.

Quest · **Nov 28, 2018, 10:26 PM**

(Nov 28, 2018, 10:21 PM)Dicky Wrote:
(Nov 28, 2018, 07:55 PM)StephanGH Wrote:
(Nov 28, 2018, 07:42 PM)Armard Wrote: Will those who used the glitch to dupe weapons be punished?

^

That'd be a yes-siry. Any exploit being used is against the TOS.

...So has anyone?
How can you proved they used it?

**Jen** · **Nov 28, 2018, 10:34 PM**

(Nov 28, 2018, 10:26 PM)Quest Wrote:
(Nov 28, 2018, 10:21 PM)Dicky Wrote:
(Nov 28, 2018, 07:55 PM)StephanGH Wrote: ^

That'd be a yes-siry. Any exploit being used is against the TOS.

...So has anyone?
How can you proved they used it?

Logs, by seeing people dropping weapons, transferring the weapon to their friend and then transferring them back.

StephanGH · **Nov 28, 2018, 11:38 PM**

Sooo... Ban wave inc?

**Doctor Internet** · **Nov 29, 2018, 12:42 AM**

(Nov 28, 2018, 11:38 PM)StephanGH Wrote: Sooo... Ban wave inc?

That's up to the SA team for specifics. Though just with a cursory glance, there were a couple of people using it. If you have used it, it may be a good time to drop them a PM confessing to it, rather than making them trawl through logs to find exact details.

Lewwings · **Nov 29, 2018, 12:52 AM**

This is why Doctor Internet is Doctor.

He has a fucking post-mortem for game bugs.

kewl!!

Hungames · **Nov 29, 2018, 02:19 AM**

If only code was tested before hand @Doctor Internet

**Doctor Internet** · **Nov 29, 2018, 02:23 AM**

(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand "Doctor Internet"

Aye, gosh-darn. If only those people back in 2008 had realised their code would come in and interfere with this totally different system 10 years later. You got me good there Hungames.

pufitee · **Nov 29, 2018, 02:01 PM**

i would like to confess yes

StephanGH · **Nov 29, 2018, 06:12 PM**

(Nov 29, 2018, 02:19 AM)Hungames Wrote: If only code was tested before hand @Doctor Internet

If only people didn't try to exploit and abuse every little bug they find instead of just reporting it to a Staff Member/Dev

Cole · **Nov 29, 2018, 06:36 PM**

It baffles me how people manage to find such weird exploits in the CityRP systems. Good thing it's patched now I guess.

Development Blog:

Development Contributor Workflow

HR Blog:

What are they doing over there?

Teacher Blog:

Insight into the Teacher Team

Development Blog:

Infrastructure Upgrade 11/2019

Development Blog:

how suggestions???

Development Blog:

Planning for the future.

Username

Password

Username

Password

receiptDevelopment Blog:

Development Contributor Workflow

receiptHR Blog:

What *are* they doing over there?

receiptTeacher Blog:

Insight into the Teacher Team

receiptDevelopment Blog:

Infrastructure Upgrade 11/2019

receiptDevelopment Blog:

how suggestions???

receiptDevelopment Blog:

Planning for the future.

Development Blog:

HR Blog:

What are they doing over there?

Teacher Blog:

Development Blog:

Development Blog:

Development Blog: