WAP Online

Name: WAP-online

Developer: Unknown (Lithuanian)

Year: ~2005-2006

Genre: Mobile WAP Mafia/Crime RPG

Type: WAP-based browser game (WAP = Wireless Application Protocol)

Language: Lithuanian

License: Unlicensed/Abandoned

---

Total Files: 1,574

File Breakdown:

• 775 GIF images (49.2%)
• 518 TXT files (32.9%) - High text content!
• 78 PNG images (5.0%)
• 54 PHP files (3.4%)
• 52 JPG images (3.3%)
• 43 BMP images (2.7%)
• 23 LST files (list data)
• 12 ADM files (admin data)
• 12 STR files (string/data files)
• 2 HTML files
• 1 SQL file
• 1 .htaccess file
• 1 KLS file
• 1 ATS file
• 1 MSG file

Total PHP Lines: 6,022

Database Schema: 246 lines, 24 tables

Average File Size: 112 lines per PHP file

Key Files:

• sql.sql - 246-line database
• mysql.php - Database connection WITH HARDCODED CREDENTIALS!
• index.php - Login/registration (229 lines)
• prisijungus.php - Main menu
• mano.php - Private messages (381 lines)
• gaujos.php - Gangs
• plesimai.php - Robberies
• puolimai.php - Attacks
• forumas.php - Forums
• chat.php - Chat
• casino.php - Casino
• viktorina.php - Trivia

Technology Stack:

• PHP 4.x-5.x
• MySQL with MyISAM tables
• WML (Wireless Markup Language) for mobile phones!
• MD5 password hashing ✓
• Lithuanian language
• Cookie sessions

---

WAP/Mobile Design

WAP Online uses WML (Wireless Markup Language) for old mobile phones:

`

wap_online/

├── index.php # Login/registration

├── prisijungus.php # Main menu

├── mysql.php # DB connection (HARDCODED!)

├── nustatymai.php # Settings

├── user_check.php # Session check

│

├── mano.php # Private messages

├── gaujos.php # Gangs

├── plesimai.php # Robberies

├── puolimai.php # Attacks

├── narkotikai.php # Drugs

├── ginklai.php # Weapons

│

├── bankas.php # Bank

├── casino.php # Casino

├── parduotuve.php # Shop

├── prekybos_centras.php # Trading center

├── transportas.php # Transport

├── pastatai.php # Buildings

│

├── chat.php # Chat

├── forumas.php # Forums

├── forumas_class.php # Forum class

├── laikrastis.php # Newspaper

├── online.php # Who's online

├── ref.php # Referrals

│

├── viktorina.php # Trivia game

├── ligonine.php # Hospital

├── picerija.php # Pizza place

├── topai.php # Rankings

│

├── data/ # Data files

├── narkotikai/ # Drug data

├── ginklai/ # Weapon data

├── casino/ # Casino data

├── plesimai/ # Robbery data

├── list/ # List files

└── images/ # Images

`

WML Output (index.php):

`php

header("Content-type: text/vnd.wap.wml");

header("Cache-Control: no-store, no-cache, must-revalidate");

echo "

\"http://www.wapforum.org/DTD/wml_1.1.xml\">

WAP-online

----------

Prisijungimas

Registracija

----------

";

?>

`

Database Connection (mysql.php) - CRITICAL ISSUE:

`php

$db = mysql_connect("localhost", "jusufx", "kukuszka");

if (!$db) {

die("Negali prisijungti prie db: ".mysql_error());

} else {

$selected = mysql_select_db("jusufx");

if (!$selected) {

die("Negali pasirinkti db: ".mysql_error());

}

}

?>

`

Database credentials HARDCODED in source code!

• Username: jusufx
• Password: kukuszka
• Database: jusufx

Authentication:

`php

// Registration with MD5

mysql_query("INSERT INTO users

(nick,pass,pinigai,stiprumas,lygis,givybes,laikas)

VALUES ('$username','".md5($password1)."','0','5','1','100','".time()."')");

// Login with MD5

if(!mysql_fetch_row(mysql_query("SELECT nick FROM users

WHERE nick LIKE '".$_GET['nn']."'

AND pass='".md5($_GET['pas'])."'")))

`

---

24 Tables - Lithuanian Mafia/Crime Theme:

Core System:

• users - Player accounts
• nick (username)
• pass (MD5 password)
• pinigai (money)
• stiprumas (strength)
• lygis (level)
• givybes (health/lives)
• miestas (city)
• nusikaltimai (crimes committed)
• ieskomumas (wanted level)
• avatar (profile picture ID)
• Equipment: krutine, kojos, bicas, sparnai, sportas

• online - Who's online
• nick, timestamp

• logas - Log/activity feed
• nick, tekstas (text), rodyti (show)

• error_log - Error tracking

Gangs/Guilds:

• gaujos - Gangs
• raktas (key/ID)
• pavadinimas (name)
• bosas (boss)
• pinigai (money)
• stiprumas (strength)
• nusikaltimai (crimes)
• puolimai (attacks)

• gaujos_nariai - Gang members
• gauja (gang)
• vardas (name)
• nusikaltimai (crimes)

Combat & Crime:

• puolimai - Attacks
• kas_puole (attacker)
• ka_puole (victim)
• kada (when)
• tekstas (text result)

• plesimai - Robberies (data in files)

• narkotikai - Drugs (data in files)

• ginklai - Weapons
• kieno (owner)
• ginklas (weapon)
• taiklumas (accuracy)
• aktyvuotas (activated)
• kaina (price)

• gezai - Bodyguards/Henchmen
• nick (owner)
• vardas (name)
• ginklas (weapon)
• aktiv (active)
• stiprumas (strength)
• kaina (price)

Economy:

• bankas - Bank
• kieno (owner)
• kiekis (amount)

• pastatai - Buildings
• kieno (owner)
• kaina (price)
• uzdarbis (income)
• pastatas (building type)

• keksynas - Bakery/Business
• kieno (owner)
• vardas (name)
• kaina (price)
• uzdarbis (income)

• prekes - Goods/Items
• vardas (owner)
• preke (item)
• raktas (key/ID)
• kaina (price)
• tipas (type)

• transportas - Transport/Vehicles
• vardas (owner)
• priemone (vehicle)
• raktas (key)
• kaina (price)

Casino:

• casino_bonus - Casino bonuses
• nick, kiek (amount), bonus

Communication:

• privacios_msg - Private messages
• siuntejas (sender)
• gavejas (receiver)
• zinute (message)
• raktas (key)
• tema (subject)
• ziureta (read status)

• chatas - Chat
• laikas (time)
• nick
• zinute (message)
• kanalas (channel)

• forumai - Forums
• forumo_id
• forumo_name (name)
• apie (about)

• forumas_temos - Forum topics
• nick, forumo_id, tema (topic), laikas

• forumas_zinutes - Forum posts
• zinute (message), forumo_id, tema, laikas, nick

• forumas_banai - Forum bans
• nick, laikas (time), kodel (why)

Other:

• viktorina - Trivia (via dabartinis_klausimas)

• dabartinis_klausimas - Current question
• klausimas (question)
• atsakymas (answer)
• laikas (time)
• laukti (wait)
• kas_atsake (who answered)
• kelinta_karta (which attempt)

• zona - Zone/Area
• vardas (name)
• laikas (time)

• d_temos - Discussion topics
• d_zinutes - Discussion messages

---

1. Mobile Phone Gaming

WAP Technology:

• WML (Wireless Markup Language)
• Pre-smartphone era (2005-2006)
• Flip phones, Nokia, Sony Ericsson
• Text-based menus
• Simple navigation
• Minimal graphics

WML Features:

`wml

Prisijungimas

`

2. Mafia/Crime RPG

Character Stats:

• Pinigai - Money
• Stiprumas - Strength (starts at 5)
• Lygis - Level (starts at 1)
• Givybes - Health/Lives (starts at 100)
• Nusikaltimai - Crimes committed
• Ieskomumas - Wanted level

Equipment:

• Krutine (chest armor)
• Kojos (leg armor)
• Bicas (?)
• Sparnai (wings?)
• Sportas (sports gear)

3. Gang System

Gangs (Gaujos):

• Create/join gang
• Gang boss (bosas)
• Gang money pool
• Gang strength
• Gang crimes
• Gang attacks
• Member management

Gang Activities:

• Recruit members
• Commit crimes together
• Attack other gangs
• Collect taxes (gaujos_mokesciai.php)
• Gang attacks (gaujos_puolimai.php)

4. Combat & Crime

Attacks (Puolimai):

• Attack other players
• Steal money
• Lose health
• Win/loss tracking
• Attack log

Robberies (Plesimai):

• Multiple robbery types (plesimai.php, plesimai2.php, plesimai3.php)
• Risk vs reward
• Chance of failure
• Police encounters

Weapons (Ginklai):

• Buy weapons
• Weapon accuracy (taiklumas)
• Activate weapons
• Price varies

Bodyguards (Gezai):

• Hire bodyguards/henchmen
• Give them weapons
• Set active/inactive
• Strength rating
• Purchase cost

5. Economy

Money Sources:

• Crimes
• Robberies
• Businesses
• Buildings
• Gang income

Banking:

• Deposit money
• Withdraw money
• Secure from attacks

Businesses:

• Buildings (pastatai) - passive income
• Bakery (keksynas) - business income
• Shops - trading

Shop/Trading:

• Parduotuve (shop)
• Prekybos centras (trading center)
• Buy/sell items
• Set prices

Transport:

• Buy vehicles
• Mopedas (moped)
• Various vehicles
• Status symbol

6. Drugs

Drug System:

• narkotikai.php - Drug dealing
• narkotikai2.php - More drug features
• narkotikai_poveikis/ - Drug effects
• Buy/sell drugs
• Drug effects on stats

7. Social Features

Private Messages:

• Inbox system
• Send messages
• Subject/content
• Read/unread tracking
• Delete messages

Chat:

• Channel system (kanalas)
• Real-time chat
• Chat zones

Forums:

• Multiple forums:
• Pasiulymai (Suggestions)
• Failu keitykla (File exchange)
• Saitu kurejai (Website creators)
• Sex (Sex discussions)
• Mokykla (School)
• Topics and posts
• Ban system

Newspaper (Laikrastis):

• Game news
• Player activities
• Announcements

8. Mini-Games

Casino:

• Gambling games
• Casino bonuses
• Win/lose money

Trivia (Viktorina):

• Questions and answers
• Geography quiz (e.g., "LABIAUSIAI I SIAURE NUTOLES ATARKTIDOS TASKAS: ... KYSULYS" = "SIFRES")
• Point rewards
• Cooldown system

Other Locations:

• Ligonine (Hospital) - Heal
• Picerija (Pizza) - Food/boost
• Sale (Hall/Bar) - Social

9. Rankings

Topai (Top Lists):

• Richest players
• Strongest players
• Most crimes
• Top gangs
• Various rankings

10. Referral System

Referrals:

• Invite friends
• Track referrals
• Referral counter in files
• ref/ folder with .txt counters

---

CRITICAL VULNERABILITIES:

1. HARDCODED DATABASE CREDENTIALS (CRITICAL+++)

`php

// mysql.php - PUBLICLY ACCESSIBLE!

$db = mysql_connect("localhost", "jusufx", "kukuszka");

$selected = mysql_select_db("jusufx");

`

• Database password in source code!
• Username: jusufx
• Password: kukuszka
• Anyone with file access has full DB control!
• Same as Vice Warz disaster!

2. SQL INJECTION EVERYWHERE (CRITICAL)

`php

// No sanitization at all!

if(!mysql_fetch_row(mysql_query("SELECT nick FROM users

WHERE nick LIKE '".$_GET['nn']."'

AND pass='".md5($_GET['pas'])."'")))

`

• Direct variable insertion from $_GET
• No mysql_real_escape_string()
• No prepared statements
• addslashes() used inconsistently
• Trivial to exploit

3. LIKE OPERATOR IN LOGIN (HIGH)

`php

WHERE nick LIKE '".$_GET['nn']."'

// Should be = not LIKE!

// LIKE allows wildcards (%, _)

// Can login as wrong user!

`

4. MD5 PASSWORD HASHING (MEDIUM)

• Better than plain-text
• But deprecated (use bcrypt)
• Rainbow tables exist

5. NO INPUT VALIDATION (HIGH)

`php

if(isset($_POST['username'])){$username = addslashes($_POST['username']);}

// Only addslashes, no validation!

`

6. DEPRECATED MYSQL FUNCTIONS (MEDIUM)

`php

mysql_connect()

mysql_query()

mysql_fetch_row()

`

• Removed in PHP 7.0

7. REGISTER_GLOBALS ERA CODE (HIGH)

`php

// Uses short PHP tags

if($id == "")

// Relies on register_globals

`

8. NO CSRF PROTECTION (MEDIUM)

• No tokens
• All actions via GET
• Easy to forge requests

9. NO XSS PROTECTION (MEDIUM)

• No htmlspecialchars()
• Raw output of user data
• Forum/chat vulnerable

10. ERROR MESSAGES IN DATABASE (LOW)

`sql

INSERT INTO error_log VALUES

(1,'Can\'t open file: \'bankas.MYI\'. (errno: 145)');

`

• Shows database corruption
• Unprofessional

Overall Security Rating: 1/10

• Worst security in collection (tied with Vice Warz!)
• Hardcoded DB credentials
• SQL injection everywhere
• LIKE in login = bypass possible
• No validation, no sanitization

---

2005-2006: Mobile WAP Gaming Era

WAP Online represents Lithuanian mobile gaming:

WAP Technology:

• Wireless Application Protocol (1999-2010)
• Pre-iPhone/Android era
• Flip phones, Nokia, Sony Ericsson
• Text menus, minimal graphics
• Slow data speeds (GPRS, EDGE)
• Expensive data plans

WML (Wireless Markup Language):

• Similar to HTML but simpler
• Card/deck metaphor
• , , ,
• Input forms for phones
• Dead technology (replaced by mobile HTML)

Lithuanian Gaming Scene:

• Small local game community
• Lithuanian language only
• Mafia/crime theme popular
• WAP games common
• Text-based due to bandwidth

Cultural Context:

• Forums discuss Lithuanian topics
• School (Mokykla) forum
• Sex discussion forum
• File sharing (piracy era)
• Local references

Domain: Midnex.Net

• Hosting provider or game site
• Top100.lt counter (Lithuanian top sites)
• Local hosting only

---

Feature Completeness: 75%

FULLY IMPLEMENTED:

Registration/login with MD5

User stats (money, strength, level, health)

Gang system

Gang boss/members

Attack system

Robbery system

Weapon system

Bodyguard system

Banking

Buildings for income

Businesses

Shop system

Transport/vehicles

Private messages

Chat with channels

Forums (5 categories)

Forum bans

Casino

Trivia game

Rankings

Who's online

Referral system

Hospital

Pizza place

Newspaper

Activity log

Avatar system

UNCLEAR:

⚠️ Drug system (files exist, usage unclear)

⚠️ Robbery types (3 files, mechanics unknown)

⚠️ Equipment effects (armor, wings, etc.)

⚠️ City system (miestas field exists)

MISSING:

Admin panel (only .adm files)

Quest system

Achievement system

Playability: 60%

What Works:

• Login/register
• Join gang
• Attack players
• Buy weapons
• Send messages
• Chat
• Forums

What's Broken:

• Requires WAP phone (ancient technology!)
• Won't work on modern browsers
• Lithuanian language barrier
• Database credentials exposed
• SQL injection easy
• No English version

Performance:

• Designed for slow mobile networks
• Minimal data transfer
• Text-only content
• Optimized for old phones

---

Unique Aspects:

Feature	WAP Online	Others
Platform	WAP/Mobile phones	Desktop browsers
Language	Lithuanian	English
Markup	WML	HTML
Target	2005 flip phones	Computers
Security	1/10	Various

Security Comparison:

Game	DB Credentials	SQL Injection	Rating
Vallheru	Separate config	Protected	9/10
vPet Engine	Separate config	Vulnerable	3/10
Vice Warz	HARDCODED	NONE	2/10
WAP Online	HARDCODED	NONE	1/10

WAP Online = Worst security in collection!

Unique Features:

Only Game With:

• WAP/WML mobile phone support
• Lithuanian language
• Bodyguard/henchmen system
• LIKE operator in login (vulnerability!)
• Gang tax system
• 518 TXT data files
• Pizza place location
• Newspaper feature
• .adm, .lst, .str data files

---

Rating: 3/10

Breakdown:

• Security: 1/10 (CATASTROPHIC - hardcoded credentials!)
• Code Quality: 3/10 (basic procedural, no organization)
• Features: 7/10 (comprehensive mafia game)
• Completeness: 75/10 (most features work)
• Innovation: 6/10 (WAP mobile gaming unique)
• Historical: 8/10 (rare WAP game preserved!)

Strengths:

• WAP/Mobile gaming - Unique in collection!
• WML markup - Proper mobile phone support
• Comprehensive mafia features - Gangs, attacks, robberies
• Gang system - Boss, members, taxes, wars
• Bodyguard system - Unique mechanic
• Multiple communication - Messages, chat, forums
• Economy system - Bank, businesses, buildings
• Mini-games - Casino, trivia
• Lithuanian culture - Local gaming scene
• Historical value - WAP era preservation

Weaknesses:

• HARDCODED DATABASE PASSWORD 🔥🔥🔥 (username: jusufx, password: kukuszka)
• SQL INJECTION EVERYWHERE - Zero protection
• LIKE in login - Can bypass authentication!
• Lithuanian only - No English
• Requires WAP phone - Dead technology
• WML markup - Won't work on modern devices
• No input validation - Trivial exploits
• Deprecated MySQL functions - PHP 7 incompatible
• No admin panel - Just .adm files
• Database corruption - Error log shows issues
• No XSS protection - Vulnerable forums/chat
• Register_globals era - Ancient PHP

Historical Significance:

The WAP Era:

• 1999-2010: Mobile web standard
• Pre-smartphone revolution
• Text-based mobile games
• Slow data, expensive
• Replaced by mobile HTML/apps

Rare Preservation:

• Few WAP games survive
• Dead technology
• Historical artifact
• Shows mobile gaming evolution
• Lithuanian gaming culture

Cultural Snapshot:

• 2005-2006 Lithuania
• Mobile gaming scene
• Mafia game popularity
• Forum culture
• File sharing era

Modern Revival Feasibility: 1/10 (IMPOSSIBLE)

Why It Can't Be Revived:

• WML is dead - No browser support
• Requires WAP phones - Don't exist anymore
• Security disaster - Complete rewrite needed
• Lithuanian only - Limited audience
• Database exposed - Already compromised
• SQL injection everywhere - Unfixable without rewrite
• Deprecated everything - PHP 7+ incompatible

If You Tried:

• Convert WML to HTML
• Translate to English
• Rewrite all database code
• Add input validation
• Fix authentication
• Remove hardcoded credentials
• Estimated effort: 200+ hours
• Recommendation: DON'T. Build new game instead.

---

The Mobile Gaming Relic

WAP Online is a time capsule from 2005:

What It Represents:

• Pre-smartphone era
• Mobile gaming's awkward phase
• Eastern European gaming scene
• Amateur development
• Security ignorance

The Triple Disaster:

• Hardcoded database password (kukuszka)
• SQL injection everywhere
• LIKE operator in login (authentication bypass!)

If WAP Online Had Gone Live:

• Hacked within hours
• All accounts stolen
• Database hijacked
• Game destroyed
• Financial loss (if monetized)

The Technology Gap:

`wml

Prisijungimas

Login

`

The Security Gap:

`php

// 2005: "Security"

$db = mysql_connect("localhost", "jusufx", "kukuszka");

WHERE nick LIKE '".$_GET['nn']."'

// 2024: Actual security

$pdo = new PDO($dsn, $user, $pass);

$stmt = $pdo->prepare("SELECT * FROM users WHERE nick = ?");

`

Why It Matters

WAP Online is historically significant despite being terrible:

Preservation Value:

• Shows WAP gaming era
• Documents dead technology
• Lithuanian gaming culture
• Mobile gaming evolution
• Security anti-patterns

Educational Value:

• "What NOT to do" examples
• Security horror stories
• Technology obsolescence
• Cultural gaming differences
• Authentication vulnerabilities

The Lesson:

"Technology moves fast. Security is forever. WAP died, but SQL injection still kills."

Comparison to Vice Warz

Both share catastrophic security:

Issue	Vice Warz	WAP Online
Hardcoded DB password	"thisisme"	"kukuszka"
SQL injection	Everywhere	Everywhere
Plain-text passwords	YES	No (MD5)
Authentication bypass	No	YES (LIKE)
Final Rating	2/10	1/10

WAP Online is WORSE because:

• LIKE operator allows login bypass
• Lithuanian only (smaller audience)
• Dead technology (WML)
• Can't even be deployed today

---

Database Size: 246 lines SQL (24 tables)

PHP Version Required: 4.x-5.6

MySQL Version: 4.x-5.x

Platform: WAP phones ONLY (Nokia, Sony Ericsson, etc.)

Markup: WML 1.1 (Wireless Markup Language)

Browser Support: NONE (requires WAP browser)

Language: Lithuanian

Deployment Difficulty: 10/10 (IMPOSSIBLE - no WAP support exists!)

Maintenance Difficulty: 10/10 (security nightmare)

Revival Difficulty: IMPOSSIBLE (dead technology)

Historical Status:

• ⚠️ WAP technology obsolete (died ~2010)
• ⚠️ WML not supported by any modern browser
• ⚠️ Database credentials exposed
• ⚠️ SQL injection everywhere
• 🏆 Unique mobile gaming artifact
• 🏆 Rare WAP game preservation
• 💀 Cannot be deployed or played

---

Analysis Date: December 11, 2024

Game #73 of 79 in the Vintage Browser RPG Collection

Status: Dead technology, catastrophic security, historical artifact

Verdict: DO NOT DEPLOY - Study only

Nickname: "The WAP Relic" 📱💀