Amazing Collection of online role playing games for your website!

Vice Warz

HOT
Only registered and logged in users can download this file.
Rating
(0 votes)
Technical Details
Filename vice_warz.zip
Size 1.23 MB
Downloads 101
Author Unknown
Created 2006-04-10
Changed 2025-12-11
System PHP 5.x
Price $0.00
Screenshot
Vice Warz

Vice Warz is a fast-moving mafia RPG built around crews, cashflow, and conflict. Assemble your gang, declare wars and raids, work patrols for steady income, and climb rankings through PvP attacks and hitlists. The flow is constant: train, equip, attack, bank, and brag as your crew builds reputation and power.

With point sales, VIP, and aggressive monetization, it captures the 2006 browser-RPG zeitgeist where social rivalry and daily timers defined the loop. Expect shoutbox drama, crew politics, and cron-driven events that keep the streets hot.

File Verification
MD5 Checksum
a73e245715739e7a8a8ad76e9b676511
SHA1 Checksum
7f40e664bd6b6faf2679c9046242e00ee4fb14dc

GAME 70: VICE WARZ - Game Analysis Report

IDENTITY

Name: Vice Warz

Developer: Kyle Piontek (ViceWars.com)

Year: 2006 (SQL dump dated April 11, 2006)

Genre: Online Mafia/Crime RPG with crews (gangs)

Type: Text-based browser crime game with monetization

License: Proprietary with restrictive ToS

---

STATISTICS

Total Files: 195

File Breakdown:

  • 88 PHP files (45.1%)
  • 47 JPG images (24.1%)
  • 47 GIF images (24.1%)
  • 3 PNG images
  • 2 HTM files
  • 1 SQL file
  • 1 JS file (tooltip.js)
  • 1 CSS file
  • 1 .htaccess file
  • 1 Flash SWF file
  • 1 TMP file
  • 1 BAK file

Total PHP Lines: 7,577

Database Schema: 644 lines, 33 tables

Average File Size: 86 lines per PHP file

Key Files:

  • config.php - HARDCODED DATABASE CREDENTIALS!
  • vice_main.sql - 644-line database schema
  • index.php - 297 lines (homepage with rankings)
  • attack.php - 272 lines (PvP combat)
  • crews.php - Crew (gang) management
  • register.php - 241 lines (massive ToS wall)

Technology Stack:

  • PHP 4.x-5.x with short tags ()
  • MySQL 4.0 with MyISAM tables
  • No password hashing (plain-text!)
  • Cookie-based authentication
  • Captcha system (image.php)
  • Tooltip JavaScript
  • PayPal integration

---

ARCHITECTURE

Basic Procedural Design

Vice Warz follows a simple page-per-feature architecture:

`

vice_warz/

├── index.php # Homepage (news, rankings, shoutbox)

├── register.php # Registration with massive ToS

├── login.php # Authentication

├── config.php # EXPOSED DATABASE CREDENTIALS

├── header.php # Common header

├── footer.php # Common footer

├── attack.php # PvP combat system

├── crews.php # Gang management

├── shop.php # Item purchases

├── training.php # Stat training

├── battle.php # Team battles

├── mail.php # Messaging

├── bank.php # Banking system

├── patrol.php # Income missions

├── hitlist.php # Bounty system

├── forums.php # Forums

├── cron_*.php # 6 cron jobs!

└── finalize-*.php # Payment processing

Database Connection (config.php):

`php

$username = "vice_kp"; // HARDCODED!

$password = "thisisme"; // PLAINTEXT IN SOURCE!

$hostname = "localhost"; // PUBLIC IN CODEBASE!

$dbh = mysql_connect($hostname, $username, $password);

$selected = mysql_select_db("vice_main",$dbh);

// Cookie authentication - NO VALIDATION!

if ($_COOKIE['user']) {

$stat = mysql_fetch_array(mysql_query(

"select * from users where name='$user' and pass='$pass'"

));

}

`

Security Disasters:

  • Hardcoded DB credentials in source code
  • Plain-text passwords (no MD5, no hashing)
  • SQL injection everywhere (unsanitized $_COOKIE in queries)
  • No session management (relies on cookies)

---

DATABASE STRUCTURE

33 Tables - Crime/Mafia Focus:

User Management:

  • users - 70+ fields (level, money, bank, class, VIP, profile pic)
  • login_log - IP tracking
  • mail - Private messaging

Combat & Competition:

  • attack_log - PvP battle records
  • attacks - Attack tracking (daily limits)
  • battle_arena - Team battles
  • battle_team1, battle_team2 - Team rosters
  • battle_log - Battle history
  • hitlist - Bounty system

Crew System (Gangs):

  • crews - Gang data (70+ fields!)
  • 5 custom ranks
  • 10 ally slots
  • Permissions per rank (boot, invite, bank, etc.)
  • War system
  • 6 elemental stones (fire, water, ice, earth, sand, stone)
  • crew_allies - Gang alliances
  • crew_bank_log - Crew banking
  • crew_forums - Private crew forums
  • crew_hitlist - Crew bounties
  • crew_invites - Recruitment system
  • crew_money_log - Crew transactions
  • crew_raids - Cooperative raids
  • crew_upgrades - Crew enhancements
  • crew_war_req - War declarations
  • crew_wars - Active wars

Economy:

  • shop - Item shop
  • upgrades - Character upgrades
  • money_log - Transaction tracking
  • bank - Banking (not shown in CREATE TABLE list, may be in users)

Monetization:

  • point_log - Points (premium currency) tracking
  • paypal_raw - PayPal IPN data
  • VIP membership system

Content & Social:

  • news - Announcements
  • shoutbox - Public chat (buy shoutbox posts!)
  • forums - Forum system
  • poll - Voting
  • support - Ticket system

Gameplay:

  • patrol - Income missions
  • turn - Turn-based timer
  • click_log - Anti-cheat (click tracking)
  • underlings - Referral system

Mysterious:

  • core - Purpose unclear (possible game core settings)

---

GAMEPLAY MECHANICS

1. Crime RPG Core

Character Progression:

  • Level system (start level 1)
  • Experience points (exp/exp_needed)
  • Class selection (tinyint 1-?)
  • Stats: Unknown (not in visible SQL)

Money System:

  • Cash - $10,000,000 starting money (!!)
  • Bank - Secure storage (3 deposits per day max)
  • Income - Passive earnings ($100 base, $20,000 every turn)
  • Income Turn - Timer tracking

2. Combat System

PvP Attacks:

`php

// attack.php

// - Attack limit per day

// - Max 10 attacks per action

// - Cannot attack crew members

// - Cannot attack allied crews

// - Captcha verification required

// - Steals cash on win

`

Attack Mechanics:

  • Attacks per day limit (configurable)
  • Attacks per person per day limit
  • Attack check system (anti-cheat)
  • Winner steals cash
  • Win/loss/defense tracking
  • Attack logs with messages

Team Battles:

  • Battle arena system
  • Team 1 vs Team 2
  • Leader designation
  • 60-second timer
  • Battle log recording

3. Crew System (Gangs)

Crew Structure:

  • Leader (owner)
  • 5 customizable ranks
  • Member count tracking
  • Experience points
  • Money pool
  • Crew points (ranking)
  • Crew image upload

Rank Permissions:

  • Boot members
  • Edit crew profile
  • Manage hitlist
  • Invite members
  • Buy upgrades
  • Access bank
  • Message crew

Crew Features:

  • Alliances - 10 ally slots
  • Wars - Declare war, hit goals
  • Raids - Cooperative PvE
  • Forums - Private discussion
  • Bank - Shared vault
  • Hitlist - Crew bounties
  • Upgrades - Crew improvements

Elemental System:

`sql

fire bigint(255)

water bigint(255)

ice bigint(255)

earth bigint(255)

sand bigint(255)

stone bigint(255)

`

Purpose: Likely crew power-ups or collectibles

4. Economy & Monetization

Cash Flow:

  • Starting: $10,000,000 (!!)
  • Income: $20,000 per turn
  • Attacks: Steal from victims
  • Patrols: Mission rewards
  • Shop: Purchase items/upgrades

Points System (Premium Currency):

  • Purchase with real money (PayPal)
  • Point log tracking
  • "DOUBLE Points" sales
  • Transfer between players
  • Used for premium features

VIP Membership:

  • vip_days_left field
  • Finalize-vip.php processing
  • Premium benefits

Banking:

  • Deposit limit (3/day default)
  • Secure from attacks
  • Transfer system
  • Transaction logs

5. Social Features

Shoutbox:

  • Buy posts for visibility
  • Limited to 15 recent messages
  • Date tooltip on hover
  • Admin/Mod deletion
  • Promotes paid posts

Mail System:

  • Private messages
  • Inbox tracking
  • Read/unread status
  • Sender/recipient/owner fields

Forums:

  • Public discussion
  • Categories
  • Posts and replies

Polls:

  • 2-option voting
  • Vote counts
  • Single poll system

Profiles:

  • Custom profile text
  • Image upload (GIF format)
  • Sex (Male/Female)
  • Security question/answer
  • IP tracking
  • Last action timestamp

6. Miscellaneous Features

Hitlist (Bounties):

  • Place bounties on enemies
  • Collect rewards
  • Crew hitlists separate

Referral System:

  • Parent/child relationships
  • parentid/parentname tracking
  • "Underlings" page

Patrol System:

  • Income missions
  • Current patrol tracking
  • Stone collection (stone1-stone5)

Security Questions:

  • Password recovery
  • Custom Q&A

Support Tickets:

  • Category selection
  • Pending/Answered status
  • Admin responses

Inactive System:

  • Days inactive counter
  • Automatic deletions?

7. Cron Jobs

Six automated tasks:

  • cron_minute.php - Every minute
  • cron_five.php - Every 5 minutes
  • cron_ten.php - Every 10 minutes
  • cron_eleven.php - Every 11 minutes (?)
  • cron_hour.php - Every hour
  • cron_day.php - Daily reset

Likely handle:

  • Income distribution
  • Turn regeneration
  • Attack reset
  • Inactive account cleanup
  • VIP expiration
  • War/raid timers

---

SECURITY ANALYSIS

CATASTROPHIC Vulnerabilities:

1. HARDCODED DATABASE CREDENTIALS (CRITICAL+++)

`php

// config.php - PUBLICLY ACCESSIBLE!

$username = "vice_kp";

$password = "thisisme";

$hostname = "localhost";

`

  • Database password in source code
  • No .htaccess protection visible
  • Anyone with file access has full DB control
  • WORST security issue in entire collection

2. PLAIN-TEXT PASSWORDS (CRITICAL)

`php

// NO PASSWORD HASHING ANYWHERE!

$stat = mysql_fetch_array(mysql_query(

"select * from users where name='$user' and pass='$pass'"

));

`

  • Passwords stored as plain text
  • Not even MD5
  • Complete compromise if DB leaked

3. SQL INJECTION EVERYWHERE (CRITICAL)

`php

// Cookie values used directly in SQL!

$stat = mysql_fetch_array(mysql_query(

"select * from users where name='$user' and pass='$pass'"

));

// $user and $pass come from $_COOKIE - UNSANITIZED!

$attack1 = mysql_query("select * from users where name = '$aname'");

// $aname from $_POST - UNSANITIZED!

`

  • Zero input sanitization
  • No mysql_real_escape_string()
  • No prepared statements
  • Trivial to exploit

4. COOKIE-BASED AUTHENTICATION (HIGH)

`php

if ($_COOKIE['user']) {

// Logged in!

}

`

  • No session management
  • Cookies easily forged
  • No CSRF protection
  • No secure/httponly flags

5. SHORT PHP TAGS (LOW)

`php

`

  • Requires short_open_tag = On
  • Breaks on modern PHP

6. DEPRECATED MYSQL FUNCTIONS (MEDIUM)

`php

mysql_connect()

mysql_query()

mysql_fetch_array()

// All deprecated in PHP 5.5, removed in PHP 7.0

`

7. NO INPUT VALIDATION (HIGH)

`php

if (is_numeric($attacks) == False) // Only numeric check found

// No other validation

// XSS possible in shoutbox, profile, messages

`

8. CAPTCHA BYPASS RISK (MEDIUM)

`php

$det=base64_decode($det);

if ($det != $imgcode) {

// Fail

}

// Base64 encoding for security? Really?

`

Overall Security Rating: 0/10

  • WORST security in entire 79-game collection
  • Would be compromised within hours of going live
  • Database credentials exposed in source
  • Plain-text passwords
  • SQL injection trivial

---

HISTORICAL CONTEXT

2006: Peak Browser RPG Era

Vice Warz represents commercial browser RPG development circa 2006:

Business Model:

  • Freemium (free to play, pay to win)
  • Point sales ("DOUBLE points sale!")
  • VIP membership
  • PayPal integration
  • Heavy monetization focus

Common Practices (for 2006):

  • MySQL without abstraction
  • Cookie authentication
  • Short PHP tags
  • MyISAM tables
  • Inline SQL queries

Uncommon (even for 2006):

  • Hardcoded DB credentials (amateur mistake)
  • Plain-text passwords (MD5 was standard by 2006)
  • Zero sanitization (mysql_real_escape_string existed)

Developer: Kyle Piontek

From ToS:

  • Solo developer operation
  • Heavy legal disclaimers
  • Point refund policy (no refunds)
  • Arbitrary account suspension rights
  • "We can delete anything at any time"

Red Flags:

  • Extensive legal CYA language
  • No liability for lost money
  • Rights to take purchased points away
  • Prohibition on "rebellious groups"
  • "Slain language" prohibition (??)

The Monetization Focus

Buy Everything:

  • Points (premium currency)
  • VIP membership
  • Shoutbox posts (!!)
  • Likely crew upgrades
  • Likely premium items

Pay-to-Win Indicators:

  • Point system pervasive
  • VIP benefits
  • Transfer points to crew
  • Crew points for ranking

---

COMPLETENESS ASSESSMENT

Feature Completeness: 85%

FULLY IMPLEMENTED:

Registration with ToS wall

Login/authentication (insecure but functional)

Character system (level, exp, money)

PvP combat with captcha

Crew system (create, join, manage)

Crew ranks and permissions

Crew wars and alliances

Attack logging

Team battles

Hitlist/bounty system

Banking system (deposits, transfers)

Shop system

Upgrades system

Mail/messaging

Shoutbox

Forums

Polls

Support tickets

Profile customization

Image uploads

Patrol missions

Income system

Turn-based mechanics

Referral system

PayPal integration

Point sales

VIP membership

Cron jobs (6!)

Admin/Moderator tools

IP logging

Anti-cheat (click log, attack check)

UNCLEAR:

⚠️ Patrol mission content

⚠️ Stone collection purpose

⚠️ Raid mechanics

⚠️ Class differences

⚠️ Upgrade effects

MISSING/INCOMPLETE:

Stat training details

Item descriptions

Battle calculations (damage formulas)

Playability: 75%

What Works:

  • Create account
  • Join/create crew
  • Attack other players
  • Use hitlist
  • Send messages
  • Post in forums
  • Buy VIP/points
  • Everything monetized!

What's Broken:

  • Security - everything compromised
  • Database - credentials exposed
  • Password recovery - plain-text stored

Performance Issues:

  • No query optimization
  • No caching
  • Loops through all users frequently
  • No indexes on most columns

---

COMPARISON TO COLLECTION

Security Comparison:

Game Password Hash SQL Injection DB Credentials Rating
Vallheru MD5 Protected (ADOdb) Separate config 7/10
VA-RPG MD5 Partial escape Separate config 2/10
Ugamela TT MD5 Partial escape Separate config 4/10
Vice Warz PLAIN TEXT NONE HARDCODED 0/10

Unique Features:

Only Game With:

  • Hardcoded database credentials in source (!!)
  • Plain-text password storage
  • Zero input sanitization
  • Buy shoutbox posts
  • 6 different cron jobs
  • Elemental stone collection
  • Crew war system with hit goals

Monetization Leader:

  • Most aggressive monetization
  • Point sales
  • VIP membership
  • PayPal integration
  • Premium everything

---

VERDICT

Rating: 2/10

Breakdown:

  • Security: 0/10 (catastrophic failures)
  • Code Quality: 3/10 (basic procedural, no organization)
  • Features: 7/10 (comprehensive crew/PvP system)
  • Completeness: 8/10 (everything implemented)
  • Innovation: 5/10 (standard mafia game)
  • Playability: 6/10 (works but insecure)

Strengths:

  • Feature-complete - Everything implemented
  • Comprehensive crew system - 5 ranks, permissions, wars
  • Multiple gameplay loops - Combat, patrol, upgrades, wars
  • Social features - Forums, mail, shoutbox, crews
  • Monetization - Full payment integration
  • Anti-cheat attempts - Captcha, click log, attack limits
  • 6 cron jobs - Automated maintenance

Weaknesses:

  • HARDCODED DATABASE PASSWORD IN SOURCE CODE 🔥🔥🔥
  • PLAIN-TEXT PASSWORD STORAGE - Not even MD5
  • SQL INJECTION EVERYWHERE - Zero sanitization
  • No password hashing - Worst in collection
  • Exposed credentials - config.php publicly accessible
  • Cookie-only auth - No sessions
  • Deprecated MySQL functions - PHP 7 incompatible
  • No input validation - XSS vulnerable
  • Short PHP tags - Modern PHP breaks
  • Pay-to-win design - Heavy monetization

Historical Significance:

Vice Warz is a cautionary tale in browser game security:

What NOT to Do:

  • Never hardcode database credentials
  • Never store plain-text passwords
  • Always sanitize user input
  • Use session management
  • Don't skip basic security 101

Business Model:

  • Aggressive monetization (2006 F2P era)
  • Legal CYA everywhere
  • "No refunds" policy
  • Arbitrary account control

Code Quality:

  • Amateur developer
  • No security knowledge
  • Basic PHP skills
  • Functional but dangerous

Modern Revival Feasibility: IMPOSSIBLE (-10/10)

Cannot Be Revived:

  • Security rewrite required - 100% of code
  • Database credentials exposed - Already compromised
  • Plain-text passwords - Cannot migrate safely
  • SQL injection everywhere - Complete rewrite needed
  • No framework - Start from scratch easier

If Attempting Revival:

  • Throw away entire codebase
  • Keep database schema only
  • Rewrite from scratch with framework
  • Use Laravel, Symfony, or similar
  • Implement proper auth (passwords, sessions)
  • Add CSRF protection
  • Parameterize all queries
  • Never hardcode credentials
  • Estimated effort: 200+ hours
  • Recommendation: DON'T. Build new game instead.

Educational Value:

Perfect Teaching Example:

  • "What NOT to do in web security"
  • SQL injection demonstration
  • Plain-text password dangers
  • Hardcoded credential risks
  • Cookie hijacking
  • Business model over security

Use Cases:

  • Security training
  • Code review exercises
  • Penetration testing labs
  • "Exploit This" challenges
  • Web security courses

---

FINAL THOUGHTS

The Most Insecure Game in the Collection

Vice Warz holds the dubious honor of being the least secure game out of 79:

The Triple Threat:

  • Hardcoded database password in source code
  • Plain-text password storage (not even MD5)
  • Zero SQL injection protection

If Vice Warz Had Gone Live:

  • Compromised within hours
  • All passwords stolen (plain-text!)
  • Database hijacked (credentials exposed)
  • User accounts taken over (cookie forgery)
  • Financial data at risk (PayPal integration)

Why It Matters:

  • Shows dangers of prioritizing features over security
  • Demonstrates amateur development risks
  • Illustrates 2006 F2P monetization tactics
  • Proves security cannot be afterthought

Comparison:

  • VA-RPG: Brilliant spell system, terrible architecture (4/10)
  • Vallheru: Professional architecture, minor security issues (9/10)
  • Vice Warz: Working features, catastrophic security (2/10)

If You Remember One Thing:

Vice Warz is the game where the database password was literally "thisisme" and stored in the publicly-accessible config.php file.

---

TECHNICAL NOTES

Database Size: 644 lines SQL (33 tables)

PHP Version Required: 5.2-5.6 (short_open_tag, mysql_* functions)

MySQL Version: 4.0-5.7 (MyISAM tables)

Browser Requirements: Cookies, JavaScript (tooltips)

Security Status: COMPROMISED BY DESIGN

Cannot Deploy:

  • Security too poor to go live
  • Would violate responsible disclosure
  • Puts users at risk immediately
  • Database credentials already exposed

Deployment Difficulty: 2/10 (easy to deploy, impossible to secure)

Maintenance Difficulty: 10/10 (security nightmare)

Revival Difficulty: IMPOSSIBLE (complete rewrite required)

---

Analysis Date: December 11, 2024

Game #70 of 79 in the Vintage Browser RPG Collection

Status: Feature-complete but catastrophically insecure

Verdict: DO NOT DEPLOY - Security teaching tool only

Special Distinction: Worst security in entire collection 🏆💀

Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.