Crusades Age

Game Name: Crusades Age

Genre: Medieval Strategy MMO (Devana Clone)

Technology Stack: PHP (4.x/5.x), MySQL, JavaScript, CSS, Flash (SWF)

Database: MySQL with 24 tables

Total Files: 349 files (3.44 MB)

Architecture: Custom MVC-style with template system

License: Custom (unlicensed redistribution by "This email address is being protected from spambots. You need JavaScript enabled to view it.")

Development Status: Modified Devana clone - development snapshot captured

Installation: Manual (install.php, configuration required)

Historical Context: 2008-2011 era medieval strategy game, part of post-Travian browser MMO wave

Primary Language: Multi-language support (English default, language/ folder system)

Evidence of Use: 5 INSERT statements in database dump (minimal sample/test data)

Analysis: Graphics-heavy distribution (66% images: PNG 49%, GIF 11%, JPG 6%) indicates polished visual presentation. Flash usage (14%) suggests circa 2008-2010 development era. Five .BAK files reveal active development/modification phase. Compressed database (mysql.sql.gz) with minimal INSERT statements (5 total) indicates clean distribution with sample data only.

Core Framework

• Language: PHP 4.x/5.x (deprecated mysql_* functions, split() instead of explode())
• Database: MySQL MyISAM (24 tables, gzip-compressed schema)
• Template System: Custom template engine (template/ folder, CSS-based themes)
• Session Management: PHP sessions (session_start() in antet.php)
• Resource Management: Real-time resource calculation with production rates
• Anti-Bot: CAPTCHA system (captcha.php)
• Compression: Output buffering with gzip (ob_start('ob_gzhandler'))

File Structure

`

Crusadesage/

├── include/

│ ├── antet.php # Bootstrap, DB config, session init

│ ├── func.php # 2,278 lines - core game functions

│ ├── meta.php # HTML meta tags

│ └── indexmenu.php # Navigation menu

├── template/

│ ├── css/main.css # Stylesheet

│ └── index/ # Index page assets (menu_sword_right.jpg)

├── language/ # Internationalization

│ ├── en.php # English language file

│ └── ch_lang.php # Language switcher

├── mysql/

│ └── mysql.sql.gz # Database schema (24 tables)

├── admin/ # Admin panel files

├── owner/ # Game owner control panel

├── forum/ # Integrated forum system

├── [130+ game pages] # Core functionality (barracks.php, marketplace.php, etc.)

├── install.php # Installation wizard

├── install.txt # Setup instructions

├── config.php # Owner-only configuration

├── prem.php # Premium system (game points)

├── captcha.php # Anti-bot verification

└── map.dat # Map data file (103 KB)

`

Key Systems Identified

• Building System (20+ buildings): Barracks, Academy, Marketplace, Cathedral, Tower, Wall, Granary, Warehouse, Embassy, Palace, 15+ resource/production buildings
• Military System: Unit training, upgrades (weapons/armor), queue management
• Alliance System: Create/join/quit alliances, embassies, pacts, alliance statistics
• Economic System: 5 resources (crop, lumber, stone, iron, gold), marketplace trading, NPC merchants, resource production/limits
• Map System: 49x49 grid ($m=49; $n=49), map.dat data file, coordinate-based town placement
• Communication: Chat (timed messages), private messages, forums, battle reports
• Upgrade Trees: Unit HP (tree 17), weapons (tree 18), armor (tree 19), each with 10 levels
• Premium System: Game points (g_points.php), resource packs (1k/5k/10k for 2/9/17 points), construction speed boosts
• Administration: 3-tier access (admin, owner, player), game configuration panel
• Anti-Cheat: CAPTCHA, duplicate account detection (name/email/IP), sitter system

Core Gameplay Loop

Crusadesage is a persistent medieval strategy MMO where players:

• Build and upgrade 20+ buildings in their towns
• Manage 5 resource types with production rates and storage limits
• Train units from barracks (multi-tier queue system)
• Research upgrades at academy (10 levels per unit: HP, weapons, armor)
• Trade resources via marketplace (NPC and player trades)
• Form alliances and wage wars on 49x49 map
• Compete in leaderboards (individual/alliance rankings by population/army/resources)

Unique Features

• Faction System: Multiple civilizations with unique unit sets, buildings, and graphics ($faction[2] determines image folder: 1/, 2/, etc.)
• Cathedral System: Religious building (cathedral.php) - unique to this Devana variant
• Multi-Level Upgrades: 10-tier progression for unit stats (HP/ATK/DEF), unlike standard Travian's 20 levels
• Dynamic Resource Cost: $mcost=1.5 multiplier, exponential costs via $r=$faction[3] (faction-specific growth rate)
• Construction Speed Calculation: Time differences between MySQL and HTTP server compensated (timediff calculations in func.php)
• Integrated Forum: Full forum system (threads, posts, categories) within game
• Sitter System: Account sharing for vacations (sitter field in users table)

Progression Systems

• Town Growth: 20+ building levels, exponential costs, population-based expansion limits
• Military Power: 3 parallel upgrade trees (HP, weapons, armor) per unit type
• Economic Scaling: Production buildings increase output, warehouses increase storage capacity
• Alliance Prestige: Combined member statistics, diplomatic pacts
• Premium Acceleration: Game points reduce construction time, buy resource packs

24 Tables Identified:

Database Activity Evidence:

• 5 INSERT statements in mysql.sql.gz (minimal sample data: likely default buildings, factions, units)
• No player data: Clean distribution without existing user accounts
• Production-ready schema: All queues, indexes, and relations defined

Strengths

• Modular Architecture: 130+ single-purpose PHP files (barracks.php, marketplace.php, etc.) rather than monolithic code
• Separation of Concerns: include/ folder centralizes DB connection (antet.php), functions (func.php), and templates
• Comprehensive func.php: 2,278 lines of reusable game logic functions
• Multi-Language Support: language/ folder with switchable localization (ch_lang.php)
• Queue Management: Separate tables for all time-based actions (construction, training, upgrades, trades, attacks)
• Theme System: Template-based graphics ($imgs.$fimgs paths allow faction-specific sprites)
• Calculation Accuracy: Time synchronization between MySQL and PHP servers (timediff compensation)

Critical Weaknesses

• SQL Injection Everywhere: Direct variable insertion in queries (where name='".$name."' with only basic clean() function)
• Example: $query="select * from users where name='".$name."' and pass='".$pass."'"; (func.php:116)
• clean() function uses strip_tags() + htmlspecialchars() + mysql_real_escape_string() but applied after SQL construction in many cases
• No prepared statements anywhere in codebase
• Weak Password Security: MD5 hashing (login.php checks $_SESSION["user"][2]==md5(clean($_POST["pass"])))
• MD5 is cryptographically broken, trivially reversed via rainbow tables
• No salting mechanism
• Deprecated Functions:
• mysql_* functions (removed in PHP 7.0, replaced by MySQLi/PDO)
• split() function (deprecated in PHP 5.3, removed in PHP 7.0) used extensively in prem.php
• XSS Vulnerabilities: Output encoding inconsistent, user input echoed without proper escaping
• No CSRF Protection: Forms lack tokens, vulnerable to cross-site request forgery
• Session Fixation: No session regeneration after login
• Hardcoded Credentials: Database config in antet.php: $db_host="your_db_host" (placeholders, but poor practice)
• Information Disclosure: Error messages reveal database structure (mysql_error() exposed to users)
• Race Conditions: No transaction handling for resource transfers or queue operations

Code Smell Examples

// SQL Injection (marketplace.php)
$_GET["town"]=clean($_GET["town"]);  // Basic sanitization
check_r($_GET["town"]);              // But still used directly in queries

// Deprecated split() (prem.php:4)
$data=split("-", $town[8]);  // Should be explode()

// MD5 passwords (func.php:116)
$query="select * from users where name='".$name."' and pass='".$pass."' and level>0";
// $pass is MD5 hash stored in DB

// Direct $_GET usage in queries
if (isset($_GET["target"])) { $target=town($_GET["target"]); }

Overall Code Quality: 3.5/10

• Functional but fundamentally insecure
• Good architecture undermined by 2000s-era security practices
• Would require complete rewrite of authentication, database layer, and input handling for production use

Viability for 2025 Deployment: 2/5

Showstoppers:

• PHP 7+ Incompatibility: Deprecated mysql_* functions cause fatal errors (PHP 7.0 removed these)
• split() Function: Removed in PHP 7.0, breaks resource parsing in prem.php and dozens of other files
• Security Catastrophe: SQL injection vulnerabilities make public deployment reckless
• MD5 Passwords: Legally and ethically problematic to store user passwords in broken hashing algorithm

Path to Modernization:

• Database Layer ($8,000-12,000): Rewrite all queries using prepared statements (PDO/MySQLi), 148 PHP files affected
• Password System ($1,200): Implement bcrypt/Argon2, migrate existing users, add salting
• PHP 8 Compatibility ($3,500): Replace mysql_* → MySQLi, split() → explode(), fix deprecated syntax
• XSS/CSRF Protection ($4,000): Add CSRF tokens to all forms, implement context-aware output encoding
• Flash Replacement ($2,500): Convert 2 SWF files to HTML5/Canvas
• Mobile Optimization ($10,000): Responsive CSS, touch-friendly UI (current design is desktop-only)
• Testing & QA ($6,000): Comprehensive security audit, penetration testing, load testing

Total Modernization Cost: $35,200-45,000

Competitive Analysis (2025 Market)

• Genre: Medieval strategy MMOs face fierce competition from Tribal Wars, Forge of Empires, Elvenar
• Graphics: 2008-era sprites (GIF/PNG) look dated compared to modern WebGL games
• Gameplay: Solid mechanics but derivative of Travian/Devana (no unique hook)
• Monetization: Premium system exists (game points for resources/speed) but needs expansion (cosmetics, VIP tiers)
• Mobile Market: Zero mobile optimization, losing 70%+ of potential audience

Positive Aspects

• Feature-Complete: All core systems implemented (alliances, wars, trading, forums)
• Proven Gameplay: Devana/Travian mechanics have 15+ years of validation
• Multi-Language Infrastructure: Easy to localize for international markets
• Faction System: Replayability through different civilizations
• Low Server Requirements: Lightweight PHP/MySQL, could host 1,000+ players on modest VPS

Critical Vulnerabilities

1. SQL Injection (CVSS 9.8 - Critical)

// func.php:116 - Login function
$query="select * from users where name='".$name."' and pass='".$pass."' and level>0";
// Attacker input: name=' OR '1'='1' --
// Resulting query: SELECT * FROM users WHERE name='' OR '1'='1' -- ' AND pass='...'
// Result: Authentication bypass, full database access

Impact: Complete database compromise, account takeover, privilege escalation

2. Weak Password Hashing (CVSS 7.5 - High)

// func.php - User record
$_SESSION["user"][2]==md5(clean($_POST["pass"]))  // MD5 with no salt

Impact: Offline rainbow table attacks, mass account compromise if database leaked

3. Mass Assignment Vulnerability (CVSS 8.1 - High)

// User input directly modifies game state
$_GET["town"]=clean($_GET["town"]);  // Minimal validation
$town=town($_GET["town"]);           // Direct database fetch
// Attacker can manipulate town IDs to access other players' towns

Impact: Resource theft, unauthorized town access, economic manipulation

4. Premium Currency Manipulation (CVSS 7.3 - High)

// prem.php:8-28 - Resource purchase
if($usr[7]>=2){  // Check if user has 2+ points
    $query="update users set points=points-2 where id=".$_SESSION["user"][0];
    // No transaction - race condition allows double-spend
}

Impact: Infinite premium currency via concurrent requests

5. XSS in Chat/Forums (CVSS 6.1 - Medium)

• clean() function applies htmlspecialchars() but many output paths skip encoding
• User-generated content (chat, forum posts, messages) can inject JavaScript

Impact: Session hijacking, phishing, malware distribution

6. Information Disclosure (CVSS 5.3 - Medium)

• .BAK files exposed (5 backup files in production directory)
• mysql_error() reveals database schema
• Stack traces in error messages

Exploitation Scenario

• SQL Injection on login.php → Dump users table (MD5 hashes)
• Rainbow Table Attack → Crack 60%+ of passwords overnight
• Account Takeover → Access admin account (level=5)
• Premium Manipulation → Generate infinite game points
• XSS Persistence → Inject keylogger in forum
• Mass Compromise → Steal all player accounts

Security Rating: 1/10 (Catastrophic)

• Every major OWASP Top 10 vulnerability present
• No modern security controls (WAF, rate limiting, MFA, encryption)
• Public deployment would violate data protection laws (GDPR, CCPA)

Derivative Elements (Points Lost)

• Core Gameplay (-2): Pure Devana clone, itself a Travian derivative
• Building System (-1): Standard resource-production-military tree from 2004 Travian
• Alliance Mechanics (-0.5): NAP/War pacts copied from every browser MMO
• Map System (-0.5): 49x49 grid identical to Travian's quad system

Innovative Elements (Points Earned)

• Cathedral System (+0.5): Unique religious building not in base Devana/Travian
• Faction-Specific Growth Rates (+1): $r=$faction[3] multiplier creates asymmetric balance (high-tier factions pay exponentially more)
• Three-Tree Upgrades (+0.5): Parallel HP/Weapon/Armor research (Travian uses single-track leveling)
• Marketplace Weapon Trading (+0.5): Separate weapons table suggests item economy beyond resources
• Time Synchronization (+0.5): MySQL/PHP server time compensation shows attention to distributed system challenges
• Premium Resource Tiers (+0.5): 1k/5k/10k packs with scaling point costs (2/9/17) shows economic tuning

Historical Context

• Devana Origin: Open-source Travian clone from 2008 Polish developers
• Crusadesage Modification: "Custom devana game" per install.txt, by "This email address is being protected from spambots. You need JavaScript enabled to view it." (PayPal donation requested)
• Clone Epidemic: Travian's 2004 success spawned 100+ clones (Ikariam, Tribal Wars 2, Age of Knights, etc.)
• Innovation Deficit: Post-2008 clones rarely added meaningful features, focused on reskinning/minor tweaks

Creative Execution

• Theme: Medieval Crusades aesthetic (menu_sword graphics, cathedral, faction names)
• Polish Level: Professional UI graphics (1.7 MB PNG assets, Flash animations)
• Completeness: All systems fully implemented (no placeholder/stub code)

Market Differentiation

In 2008-2011 context: Competent clone among sea of identical Travian derivatives. Cathedral + weapon trading were minor differentiators, but insufficient to capture market share from Travian/Tribal Wars dominance.

In 2025 context: Historical artifact with zero competitive advantage. Modern players expect Clash of Clans-level production values, not 2008 browser sprites.

Final Innovation Score: 5.5/10

• Competent execution of proven formula
• Minor creative additions (cathedral, faction growth rates)
• Lacks disruptive innovation needed for market success

For Historical Preservation

• Archive as Open-Source: Document this variant of Devana for browser game history
• Create Playable Demo: Dockerize with PHP 5.6, MySQL 5.5 for nostalgia/research purposes
• Security Sandbox: Run in isolated VM, never expose to public internet
• Academic Study: Analyze as case study in 2000s-era MMO architecture patterns

For Commercial Use (NOT RECOMMENDED)

Verdict: Abandon This Codebase

Why Resurrection is Unfeasible:

• Sunk Cost Fallacy: $35,000+ modernization cost exceeds building from scratch with Laravel/React ($25,000-30,000)
• Security Debt: Every function requires security rewrite - preserves nothing of original code
• Market Reality: Medieval strategy MMOs are saturated ($100M+ Clash of Clans clones dominate)
• Legal Liability: Deploying known-vulnerable auth system exposes to lawsuits under GDPR/CCPA
• Technical Debt: PHP 4/5 patterns (globals, direct DB access) incompatible with modern DevOps (Docker, CI/CD, microservices)

Alternative Paths

• Asset Extraction: 170+ GIF/PNG graphics (1.7 MB) have commercial value - license to other indie developers ($500-2,000)
• Game Design Study: Cathedral + faction growth rate systems show clever balancing - adapt concepts to new project
• Educational Tool: Use as teaching example of SQL injection/security anti-patterns in CS courses

If Attempting Modernization (Against Advice)

Phase 1: Critical Fixes ($15,000, 6 weeks)

• Rewrite database layer with PDO prepared statements (148 files)
• Replace MD5 with bcrypt/Argon2 + salt
• Add CSRF tokens to all 80+ forms
• Fix PHP 8 compatibility (split() → explode(), mysql_* → MySQLi)

Phase 2: Essential Upgrades ($12,000, 4 weeks)

• Implement XSS protection (context-aware escaping)
• Add input validation framework (server-side)
• Convert Flash to HTML5 Canvas
• Basic responsive CSS for tablets

Phase 3: Competitive Features ($25,000, 10 weeks)

• Mobile-first UI redesign
• WebSocket real-time updates
• Social integration (Discord, Facebook)
• Enhanced monetization (battle passes, cosmetics)

Total: $52,000 and 20 weeks - Exceeds building modern alternative from scratch.

Final Recommendation

Preserve as historical artifact, do NOT commercialize. The browser strategy MMO market in 2025 demands WebGL graphics, mobile-first design, and social gameplay loops. Crusadesage represents a 2008 paradigm that cannot compete with $100M studio productions (Clash of Clans, Game of War) or indie hits (BitHeroes, Melvor Idle). Extract assets, study mechanics, build new.

---

Crusadesage is a competent 2008-era Devana/Travian clone with 349 files implementing a feature-complete medieval strategy MMO. Technical execution is adequate for the era (24-table database, queue management, faction system), but security is catastrophic (SQL injection, MD5 passwords, XSS). Innovation is minimal (5.5/10) - cathedral system and faction growth rates are the only differentiators from countless other Travian clones. Modern viability is extremely low (2/5) due to PHP 7+ incompatibilities, deprecated functions, and $35,000+ modernization costs exceeding new development. The game has zero player data (5 INSERT statements in DB dump = clean distribution), suggesting this is either a fresh pirated copy or an abandoned project capture. Historical value lies in documenting Eastern European browser MMO clone practices circa 2008-2011. Do not deploy publicly - legal liability from known vulnerabilities outweighs any potential revenue. Preserve as educational artifact showcasing pre-mobile gaming era architecture.

Rating Summary