Criminalz

Game Name: Criminalz (also styled as "Criminolz" in Polish version)

Genre: Mafia/Crime Browser RPG

Theme: Organized crime simulator with families (mafia clans), robbery, murder, drug/alcohol trading, car theft, and territory control

License: Unknown (no license file found, likely proprietary or pirated)

Version: Unknown (no version number in files)

Original Source: PIRATED - Downloaded from WebGraf.ru (Russian piracy site)

Evidence: 4x VivaPrograms.net.nfo files with Russian text: "Ýòîò àðõèâ áûë ñêà÷åí ñ ñàéòà WebGraf.ru" ("This archive was downloaded from WebGraf.ru site")

Developer: Unknown original author (Polish origin based on language/ranks)

Modified by: Polish community (config shows "This email address is being protected from spambots. You need JavaScript enabled to view it." contact, "car-race.ugu.pl" domain)

Language: Dual language - Dutch UI (berichten, afzender, geaddresseerde) + Polish ranks/content (Tchórz, Więźień, Kryminalista)

Technology: PHP 5.x, MySQL 5.x (MyISAM engine), AJAX, Template_Lite templating engine, Mollie payment integration

Database: phpMyAdmin export dated August 11, 2009

Distribution Status: Pirated script, redistributed via Russian warez site, modified for Polish server

Analysis: This is a feature-rich mafia game with 426 files totaling 8.17 MB. The 106 JPG images (6.4 MB) show extensive graphical content for cars, houses, and avatars. The 201 PHP files indicate complex systems. The 4 .nfo files are smoking-gun piracy evidence from WebGraf.ru (Russian warez site). The 6 TTF fonts suggest internationalization. Template_Lite (.tpl files) shows semi-professional architecture. Mixed Dutch/Polish language indicates community localization of pirated script.

Database Schema (24 tables - 23 in main schema + 1 additional):

• autos (Cars) - Car theft game mechanic
• 11 default cars: Opel Kadett ($3K) → Bugatti Veyron ($360K)
• Fields: naam (name), afbeelding (image), kans (chance %), waarde (value)
• Theft success rates: 150% (Opel) decreasing to 26% (Bugatti)
• Progressive difficulty curve

• berichten (Messages) - Private messaging system
• Fields: onderwerp (subject), bericht (message), afzender (sender), geaddresseerde (addressee)
• Inbox/outbox flags, read status tracking
• Empty table (no messages)

• clicks - Click-for-money referral system
• IP tracking, gever (giver), ontvanger (receiver), family clicks
• Anti-fraud IP logging

• contacts - Contact list/friends system
• eigenaar (owner), persoon (person), status
• Empty table

• cron - Scheduled task automation
• 2 tasks: hourly (10:00), daily (20:00)
• Timestamp: August 11, 2009 20:00 (database creation date)

• detectives - Detective hire system
• Track players: persoon, slachtoffer (victim), tijd (time), stad (city), uren (hours), detectives, gevonden (found)
• Empty table

• donaties (Donations) - Family donation log
• Track family contributions: familie, afzender (sender), bedrag (amount), datum (date)
• Empty table

• drank (Drinks) - Alcohol trading system
• 6 drink types: Bier (Beer), Bacardi Breezer, Wijn (Wine), Cognac, Whisky, Rum
• 7-city price system: koersen_0 through koersen_6 (prices in 7 cities)
• Dynamic economy: Price ranges 693-5864 (fluctuating markets)
• Stock market-style trading mechanic

• emails - Email verification/whitelist
• login, email pairs
• Empty table

• families (Mafia Families/Clans)
• Fields: naam (name), eigenaar (owner), power, cash, bank, maxleden (max members), killers, info, roven (robbery timer)
• Default 10 members, expandable
• Empty table (no families created)

• forum_cat - Forum categories
• 6 default categories:
• "Mededelingen en updates" (Announcements & updates) - rank 2 required
• "Tips & ideeën" (Tips & ideas) - rank 1
• "Fouten & bugs" (Errors & bugs) - rank 1
• "Vragen rondom het spel" (Questions about game) - rank 1
• "Het café" (The café) - rank 1
• "Moderator forum" - rank 1 (type 2 = private)
• Rank-based access control

• forum_post - Forum replies (empty)

• forum_topic - Forum topics
• Sticky post support, reaction counts, type flags
• Empty table

• garage - Car storage
• soort (type), schade (damage), eigenaar (owner)
• Empty table

• hitlist - Assassination contracts
• plaatser (poster), houder (holder - target), bedrag (amount), anoniem (anonymous flag)
• Empty table (AUTO_INCREMENT=4 suggests 3 previous entries deleted)

• kluis (Safe) - Safe cracking minigame
• 1 active safe: number 913, pot 390,000 (jackpot from default 50,000)
• Safe cracking mechanic with growing pot

• missions - Quest system
• 5 default missions:
• "Beroof een omaatje" (Rob a granny) - $500, 100 power, rank 0
• "Upload een avatar" (Upload avatar) - $750, 120 power, rank 0
• "Jat een auto" (Steal a car) - $1,500, 200 power, rank 0
• "Doe 'MSN invite'" (Do MSN invite) - $2,000, 225 power, rank 0
• "Beroof een medegangster" (Rob a fellow gangster) - $5,000, 600 power, rank 0
• Reward: geld (money) + power progression

• mollie - Mollie payment gateway integration
• partnerid field (partner ID for real-money transactions)
• Default 0 (not configured)
• Dutch payment provider (iDEAL, credit cards)

• stations - Territory control system
• stad (city), eigenaar (owner), prijs (price)
• Empty table (7 cities available from config)

• transacties (Transactions) - Payment transaction log
• persoon (person), land (country), code, datum (date)
• Empty table
• Tracks real-money purchases

• users - Primary player data table (extensive fields, 60+ columns)
• Authentication: login, pass (varbinary 255), pass_v2 (varchar), email, ip, activatiecode (activation code)
• Core stats: health (100 default), power, cash ($20,000 start), bank ($100,000 start)
• Combat: kogels (bullets: 10 default), killers, backfire
• Progression: rank (0-9), rankvordering (rank progress %), respectr/respectg (respect received/given)
• Location: stad (city: 1-7), bestemming (destination), aankomst (arrival time)
• Family: maffia (family ID), familie (family name), familierang (family rank: 0-3)
• Timers: moord (murder timer), misdaad (crime timer), gijzelen (hostage timer), fraude (fraud timer), autostelen (car theft timer), roven (robbery timer), geluksrad (wheel timer), pimped (pimp timer), ban (ban date)
• Inventory (30 weapon types):
• Melee: boksbeugel (brass knuckles), pepperspray, knuppel (club), vlindermes (butterfly knife)
• Pistols: deserteagle, electroshocker
• Explosives: c4
• Rifles: cornershot, uzi, m16, ak47, sniper
• Heavy: minigun, bazooka, tank, battleship, f16, atoombom (nuke), moab (mother of all bombs)
• Resources: safe (safe slots: 12 default), plantages (plantations), drugs, bitches (pimping system), bitcheswerken (working bitches), ramen (windows)
• Drinks inventory: bier, breezer, wijn, cognac, whisky, rum (6 types)
• Economy: storten (deposits: 15 daily), stortenreset (15 default), rentedagen (rent days), callcredits (phone credits)
• Special items: item_satteliet (satellite), bankpas (bank card)
• System: admin, moderator, vip (VIP days), vakantie (vacation mode), gevangenis (prison time), nieuwsbrief (newsletter)
• Profile: info (bio text), avatar (default empty.jpg), notes (admin notes), missiesvolbracht (missions completed)
• Roulette/gambling: roulette (10 default), kluiskraken (safe cracks: 5 default)
• Referrals: refferals (referral count)
• AUTO_INCREMENT=244 (243 users registered)

• woningen (Houses) - Player-owned real estate
• soort (type), schade (damage), eigenaar (owner), coordinaten_x/y (coordinates), geplaatst (placed), stad (city), uitbetalen (payout)
• Map-based placement system
• Empty table

• woningenmarkt (Housing Market) - Real estate for sale
• 6 house types:
• Schuur (Shed) - $500 buy, $25 rent, 10 power
• Caravan - $2K buy, $500 rent, 50 power
• Huis (House) - $10K buy, $2,250 rent, 300 power
• Villa - $100K buy, $10K rent, 3,500 power
• Landhuis (Manor) - $500K buy, $100K rent, 18,750 power
• Paleis (Palace) - $1M buy, $150K rent, 40,000 power
• Progressive rent income + power bonuses

PHP Architecture:

• Template_Lite engine: Professional templating with compilation, caching
• MVC-style structure:
• includes/ - Core functions, config, classes
• ingame/ - 80+ game feature pages
• outgame/ - Registration, login pages
• ajax/ - Asynchronous requests
• templates/ - UI templates (.tpl files)
• compiled/ - Compiled template cache
• Session-based auth: $_SESSION['id'] for logged-in users
• Mollie payment integration: Real-money VIP system via class.micropayment-mollie.php
• Cron automation: Scheduled hourly/daily tasks
• AJAX functionality: Modern (for 2009) asynchronous features
• Captcha system: Anti-bot protection
• Filter class: Input validation/sanitization (class.filter.php)
• Jail statement: Special jail page handling
• Auto-update Demo account: mysql_query("UPDATE users SET vakantie = '0', pass = 'demo' WHERE login = 'Demo'"); on every page load

Combat/Crime Systems:

• 30 weapon types: From brass knuckles → MOAB (Mother of All Bombs)
• Attack mechanics: attack.php, attackhouse.php, familyattack.php
• Murder system: murder.php with moord timer
• Crime activities: crimes.php, orgcrime.php (organized crime)
• Hostage taking: hostage.php with gijzelen timer
• Fraud: fraud.php with fraude timer
• Car theft: carstealing.php with autostelen timer
• Safe cracking: cracksafe.php (5 attempts default)
• Robbery: roven timer (cooldown system)
• Hitlist: Assassination contracts (hitlist.php)
• Backfire mechanic: Attacks can fail and harm attacker

Economic Systems:

• Dual currency: Cash + Bank (separate accounts)
• 7-city economy: New York, Detroit, Los Angeles, Chicago, San Diego, Portland, San Francisco
• Alcohol trading: 6 drink types with fluctuating prices across 7 cities (42 price points)
• Drug trading: drugs.php, plantages (plantations) system
• Car market: 11 cars, theft mechanic with chance percentages
• Real estate: 6 house types with rent income
• Territory control: Station ownership (stations.php)
• Auction system: auction.php
• Weapon trading: weapontrade.php
• Bank deposits: 15 daily deposit limit
• Call credits: Phone system currency
• VIP premium: Real-money purchases via Mollie

Core Game Loop:

• Character Creation:
• Choose username (15 char max)
• Password (varbinary storage suggests encryption attempt)
• Email verification (activatiecode system)
• Starting resources: $20,000 cash, $100,000 bank, 10 bullets, 12 safe slots
• Default location: City 1 (New York)
• Rank 0: "Tchórz" (Coward - Polish) / "Cieć" variant

• Rank Progression (10 ranks):
• Polish ranks: Tchórz, Cieć, Pies na Posyłki (Errand Dog), Złodziej (Thief), Przestępca (Criminal), Morderca (Murderer), Więźień (Prisoner), Kryminalista (Gangster), Uciekinier (Escapee), Ojciec (Godfather)
• Progress via rankvordering (rank progress %)
• 100% = rank up (automatic via cron)
• Missions, crimes, murder grant progress

• Criminal Activities:
• Missions (5 quests): Rob granny → Upload avatar → Steal car → MSN invite → Rob player
• Crimes: crimes.php - Random crimes with misdaad cooldown timer
• Organized Crime: orgcrime.php - Family-based heists
• Murder: murder.php - Kill players, moord timer prevents spamming
• Hostage Taking: gijzelen timer, ransom system
• Fraud: fraude timer, financial crimes
• Car Theft: autostelen timer, 11 car types with success rates
• Safe Cracking: 5 attempts per session, jackpot 390,000
• Robbery: roven timer, steal from players
• Hitlist Contracts: Place bounties on enemies

• Combat System:
• 30 weapon tiers: Brass knuckles → MOAB nuke
• Weapon categories:
• Melee (4): Brass knuckles, pepperspray, club, butterfly knife
• Light firearms (2): Desert Eagle, electroshocker
• Explosives (1): C4
• Assault (5): Cornershot, Uzi, M16, AK-47, Sniper
• Heavy (5): Minigun, Bazooka, Tank, Battleship, F16
• Superweapons (2): Atoombom (nuke), MOAB
• Health system: 100 HP, hospital recovery
• Kogels (bullets): Ammunition tracking
• Backfire: Attacks can fail and harm attacker
• Killers stat: Murder count tracking
• Respect: respectr (received) + respectg (given) reputation system

• Family (Mafia Clan) System:
• Create family: newfamily.php ($250K+ investment likely)
• 4 ranks: Lider (Leader), Manager, Boss, Don
• Max members: 10 default, expandable (maxleden field)
• Family resources: Shared cash, bank account
• Family power: Collective strength
• Activities:
• Organized crime (orgcrime.php)
• Family attacks (familyattack.php)
• Family bank (familybank.php)
• Donations (familiedonatie.php)
• Family shop (familyshop.php)
• Click system: click_family.php - Members generate money via clicks

• Economic Gameplay:
• Alcohol Trading:
• 6 drink types: Beer, Breezer, Wine, Cognac, Whisky, Rum
• 7 cities with different prices (koersen_0 to koersen_6)
• Buy low city, sell high city
• Dynamic market (prices 693-5864 range)
• Drug System:
• plantages (plantations) field - grow drugs
• drugs inventory field
• drugs.php trading interface
• Real Estate:
• 6 house types: Shed ($500) → Palace ($1M)
• Rent income: $25/day → $150K/day
• Power bonuses: 10 → 40,000
• Map placement (coordinaten_x/y)
• Damage system (schade field)
• Car Collection:
• 11 cars: Opel Kadett ($3K) → Bugatti Veyron ($360K)
• Garage storage
• Theft success rates: 150% → 26%
• Territory Control:
• 7 cities available
• Station ownership (stations table)
• Control prices/access

• Social Features:
• Private Messaging: berichten table, inbox/outbox system
• Forums: 6 categories, topics, posts, sticky threads
• Contacts: Contact list/friends system
• Profiles: profile.php, info text, avatar
• Members list: members.php, members_online.php
• Crew system: crew.php (separate from families?)
• Notes: Private admin notes on users

• Gambling/Games:
• Wheel of Fortune: wheel.php, geluksrad timer (Dutch: fortune wheel)
• Roulette: roulette.php, 10 default spins
• Safe Cracking: cracksafe.php, 5 attempts, jackpot 390K
• Rock Paper Scissors: rockpaper.php
• Guess Game: guess.php
• Racing: race.php (car racing likely)

• Pimping System:
• bitches field: Number of prostitutes owned
• bitcheswerken field: Number currently working
• bitch.php: Management interface
• Income generation: Passive money via pimping

• Detective System:
• Hire detectives: detectives.php
• Track players: persoon, slachtoffer (victim)
• City-based searches: stad field
• Time-based: uren (hours), tijd (time)
• Success/failure: gevonden (found) status

• Premium/VIP System:
• vip field: Days of VIP remaining
• Mollie payment: Real-money purchases
• Benefits:
• Reduced page load delay (no usleep(600000) for VIP)
• spendcredits.php interface
• callcredits currency
• Credits shop: credits.php

• Time-Lock Systems:
• moord: Murder cooldown
• misdaad: Crime cooldown
• gijzelen: Hostage cooldown
• fraude: Fraud cooldown
• autostelen: Car theft cooldown
• roven: Robbery cooldown
• geluksrad: Wheel cooldown
• pimped: Pimp cooldown
• ban: Ban expiration
• gevangenis: Prison sentence

• Admin/Moderator System:
• admin field: Admin status (Ja/Nee)
• moderator field: Moderator status
• notes field: Admin notes on users
• panel.php: Admin panel
• Moderator forum: Private category (type 2)

Signs of Active Usage:

• 243 users registered: AUTO_INCREMENT=244 in users table (1 is default Demo account)
• Safe jackpot growth: kluis table shows pot at 390,000 (up from 50,000 default) - evidence of 340,000 in failed crack attempts
• Hitlist activity: AUTO_INCREMENT=4 in hitlist table (3 contracts placed and completed/deleted)
• Cron timestamps: August 11, 2009 timestamps show database snapshot date
• Demo account auto-reset: Code resets Demo account on every page load - suggests public demo server
• Alcohol price fluctuations: drank table has varied prices (693-5864 range) across 7 cities - evidence of market activity or seeded random values

Player Activity Assessment: MODERATE - The game shows evidence of real usage:

• 243 registered users (significant community)
• Safe jackpot grown 680% (many crack attempts)
• 3 hitlist contracts (active PvP)
• Demo account system (public testing/demo server)
• Database dated August 2009 (likely production snapshot before server closure)

This was an active mafia game server with 200+ users, likely running for months before August 2009 snapshot.

Rating: 5/10 (Average - Functional but Insecure and Pirated)

Strengths:

• Professional architecture: Template_Lite templating engine, MVC-style separation
• AJAX integration: Modern (for 2009) asynchronous features
• Comprehensive systems: 80+ game pages, 24 database tables, 30 weapon types
• Real-money integration: Mollie payment gateway (professional Dutch payment provider)
• Time-lock mechanics: 8+ cooldown timers preventing action spam
• Cron automation: Scheduled tasks for rank-ups, maintenance
• Dual authentication: pass (varbinary) + pass_v2 (varchar) suggests password upgrade system
• Filter class: Dedicated input filtering (class.filter.php)
• Captcha protection: Anti-bot registration
• Multi-language support: 6 TTF fonts, Dutch/Polish mixed content
• Extensive content: 11 cars, 6 houses, 6 drinks, 30 weapons, 7 cities, 10 ranks
• Template compilation: compiled/ directory shows performance optimization

Critical Weaknesses:

• PIRATED SOFTWARE:
• 4x VivaPrograms.net.nfo files prove download from WebGraf.ru (Russian warez site)
• Copyright infringement
• Ethical/legal violation
• Unknown original author (credit stripped)

• Plaintext password vulnerabilities:

// Demo account reset with plaintext password
mysql_query("UPDATE users SET vakantie = '0', pass = 'demo' WHERE login = 'Demo'");

• pass field is varbinary (suggests encryption), but pass_v2 is varchar (plaintext?)
• Dual password system indicates migration but unclear implementation

• SQL injection risks:

$own = mysql_fetch_assoc(mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'"));

• Direct variable interpolation in queries
• No prepared statements visible
• Relies on filter class, but implementation unclear

• Deprecated mysql_* functions:
• Uses mysql_query(), mysql_fetch_assoc()
• Removed in PHP 7.0 (non-functional since 2015)

• Hardcoded credentials in config.php:

define("database_pass", "messi8");

• Database password "messi8" in cleartext source code
• Anyone with source access has database access

• Suspicious sleep delays:

if($own['vip'] <= 0) {
    usleep(600000); // 0.6 second delay for non-VIP users
}

• Artificial page load slowdown to encourage VIP purchases
• Predatory monetization design

• Time-based session timeout flaw:

if(time() - strtotime($own['online']) >= 900) {
    unset($_SESSION['id']); // 15-minute auto-logout
}

• Unconditional session destruction
• No "remember me" option
• Annoying user experience

• Character encoding issues:
• Mixed Dutch (berichten, afzender) + Polish (Tchórz, Więźień)
• Latin1 charset in database
• Not UTF-8 (modern standard)

• Security through obscurity:
• No apparent CSRF protection
• No visible XSS filtering
• Relies on filter class without visible implementation

• Mollie partner ID at 0:
• Payment system configured but partnerid = 0 (invalid)
• Suggests incomplete setup or test configuration

Code Maturity: This is a feature-complete, professionally-architected mafia game with sophisticated systems. However, it's pirated software from a Russian warez site, modified by Polish community. The Template_Lite engine, AJAX, and Mollie integration show professional development, but fundamental security issues (deprecated APIs, SQL injection risks, hardcoded passwords) and piracy taint the entire codebase. The 243 registered users prove market demand, but legal/ethical concerns overshadow technical merits.

Innovation Rating: 5/10 (Average - Standard Mafia Game with Some Unique Elements)

Novel Elements:

• 7-city alcohol trading: Stock market-style economy with 6 drinks × 7 cities = 42 dynamic price points
• 30-weapon progression: Extremely deep weapon tiers from brass knuckles → MOAB nuke (most mafia games have 10-15)
• Pimping system: bitches/bitcheswerken mechanics (morally questionable but mechanically unique)
• Safe cracking jackpot: Growing pot system (390K from 50K default) - lottery-style mechanic
• Dual password system: pass (varbinary) + pass_v2 (varchar) suggests migration/upgrade path
• VIP speed boost: Non-VIP users get 0.6s delay (predatory but innovative monetization)
• Mollie payment integration: Professional Dutch payment gateway (iDEAL, credit cards) - advanced for 2009
• Detective hiring: Track players across cities with time-based searches
• Map-based housing: coordinaten_x/y placement system for real estate
• Family donation logs: Transparent audit trail for clan contributions

Derivative Elements:

• Basic mafia theme: Murder, robbery, organized crime - standard genre
• Rank progression: 10 ranks with % progress - common system
• Bullet economy: kogels (ammunition) - standard mechanic
• Car theft minigame: Random success % - seen in Mafia Wars, Crime City
• Hitlist contracts: Assassination bounties - universal mafia feature
• Forum integration: Standard social feature
• Private messaging: Universal communication
• Respect system: respectr/respectg - common reputation mechanic
• Time-lock cooldowns: Prevents spam - standard anti-abuse

Overall Innovation: Mid-tier. The 7-city alcohol trading with 42 price points is genuinely innovative (most mafia games have 1-3 cities). The 30-weapon progression is excessive but unique. The safe cracking jackpot and detective system show creativity. However, core gameplay (murder, robbery, families) is standard mafia fare copied from MySpace/Facebook mafia games (2007-2009 era). The piracy taint also reduces innovation credit - unclear if novel elements are original or copied from pirated source.

Security Assessment: CATASTROPHIC + PIRACY

This game violates both technical and legal security:

Technical Vulnerabilities:

• Deprecated mysql_* API (non-functional PHP 7+)
• SQL injection risks (no prepared statements visible)
• Hardcoded database password ("messi8" in config.php)
• Plaintext password exposure (Demo account, pass_v2 field)
• No CSRF protection (no tokens visible)
• XSS vulnerabilities (no output encoding visible)
• Session fixation (no session regeneration)

Legal Violations:

• PIRATED SOFTWARE (WebGraf.ru warez distribution)
• Copyright infringement (4x VivaPrograms.net.nfo proof)
• Stripped credits (original author unknown)
• Mollie ToS violation (payment gateway misuse for pirated software)

Danger Level: EXTREME - Deployment is both technically insecure AND illegal. Database compromise, account theft, credit card fraud (via Mollie), and legal prosecution (copyright infringement) are all immediate risks.

Modern Viability: 0/5 (ABSOLUTE ZERO)

Why This Game CANNOT Be Used:

• ILLEGAL: Pirated software from Russian warez site - deployment = copyright infringement lawsuit
• Non-functional PHP 7+: mysql_* functions removed 2015
• Security disaster: SQL injection, hardcoded passwords, deprecated APIs
• Mollie integration dead: Partner ID 0, likely outdated API
• Dutch/Polish mix: Confused localization limits market
• Predatory VIP delays: 0.6s slowdown for non-VIP users violates modern UX standards
• Morally questionable content: Pimping system (bitches mechanics) could violate app store policies
• Character encoding: Latin1 not UTF-8

Modernization is IMPOSSIBLE:

This game cannot be modernized because:

• Piracy: You cannot legally modernize stolen software
• Unknown author: No permission to modify/redistribute
• Copyright claims: Original author could sue for any use
• Payment fraud: Mollie partner ID 0 suggests stolen/fake merchant account

Any deployment = Legal liability

Better Alternative: Build legal mafia game from scratch for $30,000-$50,000 with:

• Licensed IP or original theme
• Modern tech stack (Laravel + React)
• Legal payment gateway (Stripe/PayPal with proper merchant account)
• UTF-8 multi-language support
• No predatory mechanics
• 2024 security standards

Historical Value:

This game is an important but TAINTED artifact of 2009 Eastern European browser gaming piracy networks:

• WebGraf.ru distribution: Documents Russian warez site operations (2009)
• VivaPrograms.net branding: Identifies piracy release group
• Community localization: Polish community modified Dutch-language pirated script
• Mollie integration: Shows professional payment gateway adoption by pirate servers
• Template_Lite architecture: Demonstrates sophisticated templating in pirated scripts
• 243-user community: Proves pirated games could sustain real player bases
• Mafia Wars era: Captures 2007-2009 Facebook/MySpace mafia game boom
• Eastern European market: Polish ranks/language show regional gaming culture

The game represents the dark side of 2009 browser gaming - professional-quality software stolen, redistributed, and profited from via Mollie payments. The 243 users paid real money (via Mollie) to Polish operators of a stolen script. This is both technically impressive and ethically horrifying.

Critical Vulnerabilities:

• A1: Piracy (Legal Vulnerability)
• Evidence: 4x VivaPrograms.net.nfo files with WebGraf.ru branding
• Content: "Ýòîò àðõèâ áûë ñêà÷åí ñ ñàéòà WebGraf.ru" (Russian: "This archive was downloaded from WebGraf.ru site")
• Implication: Copyright infringement, legal liability, potential lawsuits
• Risk: Cease-and-desist, DMCA takedown, criminal charges (commercial use)

• A2: Injection - SQL Injection

// Direct session variable in query
$own = mysql_fetch_assoc(mysql_query("SELECT * FROM users WHERE id = '" . $_SESSION['id'] . "'"));
// Attack: Manipulate session to inject SQL

• No prepared statements visible
• Relies on filter class (implementation unknown)
• Deprecated mysql_* functions

• A3: Broken Authentication

// Hardcoded plaintext password for Demo account
mysql_query("UPDATE users SET vakantie = '0', pass = 'demo' WHERE login = 'Demo'");
// Dual password system (pass + pass_v2) unclear implementation
// 15-minute auto-logout without remember-me

• A4: Sensitive Data Exposure

// Hardcoded database password in config.php
define("database_pass", "messi8");
// Anyone with source code has database access

• Database credentials in cleartext
• pass_v2 field (varchar) suggests plaintext password storage
• No HTTPS enforcement visible

• A7: XSS (Cross-Site Scripting)
• No output encoding visible in templates
• Private messages (berichten) likely vulnerable
• Forum posts (forum_post) vulnerable
• User info/bio text vulnerable
• Family info text vulnerable

• A8: CSRF (Cross-Site Request Forgery)
• No CSRF tokens visible
• Money transfers, attacks, murders unprotected
• Mollie payments potentially CSRF-vulnerable

Additional Vulnerabilities:

• Deprecated API (mysql_*):
• All queries use mysql_* functions
• Removed PHP 7.0 (2015)
• No upgrade path without full rewrite

• Predatory monetization:

if($own['vip'] <= 0) {
    usleep(600000); // 0.6 second artificial delay
}

• Pay-to-remove-annoyance model
• Could violate consumer protection laws
• Unethical design pattern

• Mollie fraud risk:
• partnerid = 0 (invalid/test configuration)
• Pirated software using legitimate payment gateway
• Potential merchant account fraud
• Mollie ToS violation

• Character encoding vulnerabilities:
• Latin1 charset (not UTF-8)
• Mixed Dutch/Polish text
• Potential for encoding-based injection attacks

Exploitation Scenarios:

• Copyright Infringement Lawsuit:

Original author discovers pirated game → DMCA takedown → Hosting provider terminates server → Mollie freezes merchant account → All user data lost

• SQL Injection → Database Dump:

Manipulate $_SESSION['id'] → Inject SQL → Extract all 243 user passwords → Dump payment history → Steal identities

• XSS → Session Hijacking:

Post forum message with <script>steal_session()</script> → All readers' sessions stolen → Attacker controls 243 accounts

• CSRF → Unauthorized Payments:

<img src="/victim-game.com/spendcredits.php?amount=1000"> → Victim unknowingly buys VIP

• Hardcoded Credentials → Database Breach:

Read config.php (via LFI or source leak) → Connect with "messi8" password → Dump entire database → 243 user identities stolen

• Mollie Fraud:

Pirated software + fake merchant account → Players pay real money → Operators profit from stolen IP → Mollie terminates account → Players lose purchases

PRIMARY RECOMMENDATION: DO NOT USE

This game is PIRATED SOFTWARE and MUST NOT BE DEPLOYED under any circumstances:

• Legal liability: Copyright infringement, DMCA violations, potential criminal charges
• Ethical violation: Profiting from stolen intellectual property
• Payment fraud: Using Mollie payment gateway with pirated software
• Original author rights: Unknown author's intellectual property stolen

For Legal/Ethical Reasons ONLY:

If you are the ORIGINAL author:

• DMCA takedowns: Issue cease-and-desist to WebGraf.ru, Polish operators
• Reclaim IP: Assert copyright, demand removal of pirated versions
• Legal action: Sue Polish operators for Mollie payment fraud (243 users × payments)
• Modernize legitimately: Rewrite with modern PHP 8+, proper security

If you are NOT the original author:

• DELETE IMMEDIATELY: Remove all copies, do not redistribute
• Report piracy: Contact original author (if identifiable), WebGraf.ru host
• Build legal alternative: Create original mafia game from scratch
• Ethical gaming: Support legitimate game developers, purchase licenses

Historical/Academic Use Only:

• Document piracy networks:
• WebGraf.ru operations (2009)
• VivaPrograms.net release group
• Russian→Polish distribution pipeline
• Mollie payment fraud patterns

• Legal case studies:
• Copyright infringement in browser games
• Payment gateway misuse
• Cross-border piracy (Russia→Poland→players)

• Technical analysis:
• Study Template_Lite architecture (legitimately)
• Analyze 2009-era AJAX patterns
• Examine 7-city economy design (original elements)

• Ethical education:
• "Why Piracy Harms Indies" curriculum
• Payment fraud case study
• Legal consequences of warez distribution

Preservation (IF LEGAL):

• Remove piracy evidence:
• Delete 4x VivaPrograms.net.nfo files
• Remove WebGraf.ru references
• Credit original author (if known)

• Archive as cautionary tale:
• Label clearly as "PIRATED VERSION - DO NOT USE"
• Include legal warning
• Document 243-user community impact

• Research applications:
• Gaming history (Eastern European piracy)
• Payment fraud patterns
• Browser gaming economics (2009)

For Building Legal Alternative:

If inspired by mechanics (7-city economy, 30 weapons, alcohol trading):

• Original implementation: Write all code from scratch, do not copy
• Licensed art: Purchase legal car/house graphics, do not use pirated assets
• Ethical monetization: No predatory VIP delays, transparent pricing
• Modern stack: Laravel 10+ + Vue 3, PDO prepared statements, bcrypt passwords
• Legal payments: Stripe/PayPal with legitimate merchant account, proper ToS
• Moral content review: Remove pimping system, ensure family-friendly (or age-gated)
• Multi-language: UTF-8 from day one, professional translations

Cost for Legal Alternative:

Result: Legal, secure, modern mafia game with:

• Original IP (no piracy)
• PHP 8.3 + MySQL 8.0
• bcrypt passwords, prepared statements
• Stripe payments (legal merchant account)
• Mobile-responsive design
• UTF-8 multi-language
• Ethical monetization
• 2024 security standards

Return on Investment: POSITIVE (vs NEGATIVE for pirated version)

• No legal liability
• Can advertise publicly
• App store distribution possible
• Long-term sustainable business

Game Type: Feature-rich mafia/crime browser RPG with 7-city alcohol trading, 30-weapon progression, family clans, and real-money VIP system

Development Status: PIRATED - Stolen from unknown author, redistributed via WebGraf.ru (Russian warez), modified by Polish community

Completion Level: ~85% (feature-complete but Mollie partnerid=0, some systems untested)

Code Quality: 5/10 (professional architecture, Template_Lite, AJAX, but deprecated APIs, security flaws, and PIRACY)

Innovation: 5/10 (7-city trading, 30 weapons, safe jackpot novel; core gameplay derivative)

Security: CATASTROPHIC + ILLEGAL (SQL injection, hardcoded passwords, deprecated API, COPYRIGHT INFRINGEMENT)

Modern Viability: 0/5 (ABSOLUTE ZERO - cannot legally use pirated software)

Historical Significance: High (documents 2009 Eastern European browser gaming piracy, WebGraf.ru distribution, Mollie payment fraud, 243-user community)

Best Use Case Today: NONE - DELETE IMMEDIATELY

This game MUST NOT BE USED for any purpose:

• Deployment: Copyright infringement lawsuit
• Modification: Still pirated after edits
• Redistribution: Further piracy
• Payment processing: Merchant fraud

Only acceptable use: Academic research on browser gaming piracy (with legal disclaimers)

Unique Characteristics:

Innovative Mechanics:

• 7-city alcohol trading: 42 price points (6 drinks × 7 cities) - stock market economy
• 30-weapon progression: Brass knuckles → MOAB nuke (deepest tier seen in analysis)
• Safe cracking jackpot: Growing pot (50K → 390K) - lottery mechanic
• Detective hiring: Track players across cities with time/success rates
• Pimping economy: bitches/bitcheswerken passive income (morally questionable)
• VIP speed penalty: 0.6s delay for non-VIP (predatory but innovative)
• Map-based housing: coordinaten_x/y placement system
• Dual password system: pass (varbinary) + pass_v2 (varchar) migration path

Piracy Indicators:

• 4x VivaPrograms.net.nfo files with WebGraf.ru Russian text
• Mixed Dutch/Polish language (community localization of stolen script)
• Mollie integration with partnerid=0 (payment fraud setup)
• 243 registered users who paid real money to pirate operators
• Stripped credits (original author unknown)

Bottom Line: Criminalz is a professionally-architected mafia game with sophisticated systems (Template_Lite, AJAX, 7-city economy, 30 weapons, real-money payments). The game achieved 243 registered users, proving market demand and functional gameplay. However, IT IS PIRATED SOFTWARE downloaded from WebGraf.ru (Russian warez site), as proven by 4 .nfo files. Polish operators modified and monetized stolen IP via Mollie payments, committing payment fraud. The technical quality is irrelevant because DEPLOYMENT IS ILLEGAL - copyright infringement with lawsuit risk.

Technical merits: 7-city trading system, 30-weapon tiers, safe jackpot, detective system show creative design. Template_Lite + AJAX demonstrate 2009-era best practices. The 243-user community proves the game was fun and engaging.

Fatal flaws: (1) PIRACY - stolen software, cannot legally use; (2) Deprecated mysql_* API (non-functional PHP 7+); (3) SQL injection, hardcoded passwords, XSS/CSRF vulnerabilities; (4) Predatory VIP delays; (5) Mollie payment fraud.

Historical value: Extremely high as primary source documenting:

• Eastern European browser gaming piracy networks (2009)
• WebGraf.ru warez distribution operations
• VivaPrograms.net release group
• Mollie payment gateway fraud
• Polish community localization of Russian-distributed scripts
• 243-user community built on stolen software

Recommendation: Archive with "PIRATED - DO NOT USE" warning for legal/ethical research only. If inspired by mechanics, build ORIGINAL, LEGAL game from scratch ($28,500 investment). DO NOT DEPLOY THIS GAME - copyright infringement prosecution risk is ABSOLUTE.

Legacy: Criminalz represents the ethical dilemma of piracy - a fun, technically competent game (243 happy players) built on theft and fraud. It's a cautionary tale about browser gaming's dark side (2009): professional pirates monetizing stolen IP via real payment gateways, harming original developers while providing actual value to players. The game is simultaneously impressive (7-city economy) and reprehensible (copyright infringement). Preserve as warning, not inspiration.

Rating Summary