
Devana

Technical Details
Filename devana_v1.6.6.zip
Size 2 MB
Downloads 123
Author Unknown
Created 2009-08-11
Changed 2025-12-16
System PHP 5.x
Price $0.00

Forge a medieval empire in a refined Devana variant. CrusadesAge (Devana) blends thoughtful citybuilding with brisk, queue-driven warfare—train units, push 50-level building caps, and coordinate alliance missions to conquer towns across an expanded map. Manage five resources, research multi-stage upgrades, and grow from a lone settlement to a coordinated war machine.

Designed for long-form strategy. Use premium points to accelerate construction, trade smart in marketplaces, and rally allies through integrated forums and messaging. With streamlined faction rules, clear upgrade paths, and mission-driven endgame goals, CrusadesAge (Devana) delivers the classic post-Travian cadence with a focus on momentum and cooperation.

File Verification
MD5 Checksum
557f9dc95226f5dc9c87a6fb5f812a99
SHA1 Checksum
fb367678aba8c41eb16046345696970690e4c4c7

Tags: Strategy, Medieval, Citybuilding, Alliances, Turnbased, 2009

Game Analysis Report

Created Date: August 12, 2009

1. Metadata

Game Name: Devana

Version: 1.6.6 (August 12, 2009 SQL dump)

Genre: Medieval Browser-Based Strategy MMO (4X: eXplore, eXpand, eXploit, eXterminate)

Technology Stack: PHP 5.2.6, MySQL 5.0.67, JavaScript, Flash (SWF), AJAX

Database: MySQL with 24 tables (devana database)

Total Files: 270 files (2.45 MB)

Architecture: AJAX-driven SPA with Flash town visualization

License: Custom zlib-style license (Copyright © 2008-2009 Andrei Busuioc)

Development Status: Completed open-source project

Installation: devana.sql database dump + install.php wizard

Historical Context: Original Devana game that spawned crusadesage clones, Romanian developer

Primary Language: Multi-language (English, Romanian, German, Italian, Dutch, French)

Creator: Busuioc Andrei

Official Site: devana.eu (active 2008-2009, now defunct)

Contributors: Marco Calegaro (€200 donation), Nenad Markovic, ddayver (map system), Curufea (IE fixes)

Evidence of Use: 6 donations totaling €238 ($264 USD) between July 2008 - November 2009

Release Notes: 306 lines documenting 19 version updates from v1.4 to v1.6.6

Map Data: Generated from BMP images using devana_maps.exe (source code lost in OS reinstall)

2. File Composition

| File Type | Count | Total Size | Percentage (of file count) | Purpose |
|---|---|---|---|---|
| .php | 142 | 0.549 MB | 52.6% | Game logic, AJAX endpoints, pages |
| .png | 52 | 0.538 MB | 19.3% | Building sprites, UI elements (optimized) |
| .gif | 61 | 0.245 MB | 22.6% | Icons, flags, resource images |
| .jpg | 5 | 0.486 MB | 1.9% | Backgrounds, logo images |
| .swf | 2 | 0.536 MB | 0.7% | Flash town viewer (town.swf), logo animation |
| .txt | 4 | 0.019 MB | 1.5% | License, readme, release notes, donations |
| .sql | 1 | 0.038 MB | 0.4% | Database schema with 24 tables |
| .js | 1 | 0.008 MB | 0.4% | JavaScript (func.js) for AJAX/resource counters |
| .css | 1 | 0.003 MB | 0.4% | Stylesheet (default.css) |
| .dat | 1 | 0.025 MB | 0.4% | Map data (generated from BMP) |
| TOTAL | 270 | 2.45 MB | 100% | Complete open-source game |

Analysis: Efficient codebase with 142 PHP files (52.6% of count) for modular AJAX architecture. Graphics optimized: 52 PNG files (modern format) vs 61 GIF (icons/flags) vs 5 JPG (photos). Flash town.swf (536 KB = 21.9% of total size) provides isometric town visualization. Multi-language support via language/ folder (6 languages: en.php, ro.php, de.php, it.php, nl.php, fr.php). Map data pre-generated in .dat format (no database storage). Release notes document 19 version updates from v1.4 (2008) to v1.6.6 (August 2009), proving active 1-year development cycle. Donations.txt shows €238 in funding from 6 contributors (July 2008 - November 2009).

3. Technical Architecture

Core Framework

  • Language: PHP 5.2.6 (MySQL extension, session-based auth)
  • Database: MySQL 5.0.67 MyISAM, database "devana", root user with EMPTY password (line 7 of antet.php)
  • Charset: UTF-8 (SET NAMES utf8 in SQL dump) with varbinary fields for content
  • Session Management: PHP sessions with $_SESSION["user"] array (17 elements)
  • Interface: AJAX-driven SPA with Flash town visualization (640x480 town.swf)
  • Anti-Injection: clean() function sanitizes all $_GET/$_POST (v1.5.3+ security update)
  • Security: SQL injection protection via clean(), XSS prevention (strip_tags on $_GET), MD5 password hashing
  • Timers: Datetime-based queues (a_queue, t_queue, u_queue, w_queue, etc.) with check_* functions
  • Resource System: JavaScript real-time counters (startres() function) update hourly production client-side

File Structure

Devana v1.6.6/
├── antet.php                 # Core config (DB: root/""), session handling, menu system
├── func.php                  # 3,000+ line function library (combat, buildings, resources)
├── func.js                   # JavaScript (AJAX template(), map(), resource counters)
├── config.php                # Admin variable editor (MD5 password check)
├── index.php                 # Homepage with language selection (6 flags)
├── login.php, logout.php, register.php # Authentication (MD5 passwords)
├── install.php, install_.php # Map data installer (DELETE AFTER INSTALL WARNING)
├── town.php                  # Flash town viewer (640x480 isometric with clickable buildings)
├── hall.php                  # Town hall (construct buildings, set taxes, demolish)
├── gmill.php, lmill.php, smason.php, ifoundry.php # Resource buildings (crop/lumber/stone/iron)
├── granary.php, warehouse.php, cache.php # Storage buildings
├── house.php                 # Housing (population capacity)
├── embassy.php, a_edit.php, pacts.php, pacts_.php # Alliance system
├── marketplace.php, trade.php # Resource/weapon trading
├── cathedral.php             # Morale booster
├── port.php                  # Ship building (water towns only)
├── wall.php, tower.php       # Defensive/offensive structures
├── barracks.php, build.php   # Troop training
├── academy.php               # HP upgrades (10 levels per unit)
├── blacksmith.php            # Attack/defense upgrades (10 levels per unit)
├── washop.php, w_queue.php   # Weapon forging
├── stable.php                # Horse breeding (mounted troops)
├── sshop.php                 # Siege weapon construction
├── wwarehouse.php            # Weapon storage
├── dispatch.php, sendt.php   # Army deployment (attack/raid/spy/siege/colonize)
├── csim.php                  # Combat simulator (infinite scenarios)
├── map.php, map_.php         # AJAX map system (49x49 grid)
├── towns.php, create.php, create_.php # Town management, colonization (100 colonists required)
├── profile_view.php, edit.php # User profiles, settings
├── messages.php, msg.php, msg_view.php, send.php # Messaging system
├── reports.php, rep.php      # Combat reports
├── chat.php, chat_.php, chat_s.php # Chat system (5-minute message life)
├── forums.php, forums_.php, threads_.php, posts.php, posts_.php # Alliance forums
├── clean_forums.php          # Forum maintenance
├── town_stats.php, user_stats.php, alliance_stats.php # Statistics
├── apanel.php                # Admin panel (level 4+ privilege)
├── help.php, guide.php, faq.php, credits.php # Documentation
├── ch_lang.php, ch_capital.php # Language/capital change
├── cron.php                  # Scheduled tasks (resource updates, army movement)
├── demolish.php              # Building demolition (v1.6 feature, reduces population)
├── town_edit_.php            # Town renaming
├── devana.sql                # Database schema (24 tables, 697 lines)
├── devana_license.txt        # zlib-style license
├── readme.txt                # Installation instructions
├── release_notes.txt         # 19 version changelogs (306 lines)
├── donations.txt             # Donation log (€238 total)
├── default/                  # Graphics assets (PNG, GIF, JPG, SWF)
├── language/                 # 6 language files (en, ro, de, it, nl, fr)
├── old/sources/              # devana_maps.exe source (lost), BMP map generator
└── map_data.dat              # Pre-generated map (49x49 grid)

Key Systems Identified

  • Three Factions: Each with unique building names/graphics (faction 1: Kingdom, 2: Republic, 3: Tribal)
  • Resource Production: 5 resources (crop/lumber/stone/iron/gold) with hourly rates
  • Building System: 22 building types (levels 1-10), exponential costs, construction queue (c_queue)
  • Population: Houses provide capacity, cathedral boosts morale, upkeep consumes crop
  • Storage: Granary (crop), warehouse (lumber/stone/iron), cache (raid protection)
  • Military: 7 unit types per faction (10 HP levels, 10 attack levels, 10 defense levels)
  • Weapons: Sword/spear/bow/horses/ships/catapults/ram (forging queue: w_queue)
  • Combat: Attack/raid/spy/siege/colonize missions, general system (levels/skills), combat simulator
  • Map: 49x49 grid (2,401 tiles) from BMP image, water/land tiles, town locations
  • Alliances: Embassy required, founder/member roles, pacts system, alliance forums (v1.5 feature)
  • Trading: Marketplace trades resources/weapons (level determines capacity)
  • Colonization: 100 colonists required, capture via successful attack
  • Protection: Players ≤120 population immune to attack (military immunity, v1.5.2)
  • Demolition: Reduce building levels to free population (v1.6 feature)

4. Gameplay Mechanics

Core Gameplay Loop

Devana is a medieval 4X browser strategy MMO where players:

  • Register account and choose faction (Kingdom/Republic/Tribal)
  • Build resource production (crop/lumber/stone/iron/gold mills)
  • Construct storage (granary/warehouse/cache for raid protection)
  • Upgrade town hall to unlock advanced buildings
  • Build houses for population capacity
  • Forge weapons at weapon shop (swords/spears/bows/horses/ships/catapults/rams)
  • Train troops at barracks (7 unit types per faction)
  • Research HP/attack/defense upgrades at academy/blacksmith (10 levels each)
  • Deploy armies to attack/raid/spy/siege/colonize other towns (5 mission types)
  • Colonize new towns (100 colonists required) to expand empire
  • Join alliances for diplomacy, pacts, shared forums
  • Trade resources/weapons at marketplace
  • Compete in statistics rankings (towns, users, alliances)

Unique Features (Innovation Analysis)

  • Three Factions with Unique Building Names: Kingdom (castle/barracks), Republic (palace/mercenary camp), Tribal (fortress/training grounds) = 66 building variants (22 types × 3 factions)
  • Flash Town Visualization: 640x480 isometric view with 22 clickable buildings, animated construction, water rendering (town.swf)
  • AJAX Map System: 49x49 grid (2,401 tiles) loads dynamically without page reload (v1.4.1 feature, 2008)
  • Combat Simulator: Infinite scenario testing with attacker/defender unit composition (csim.php)
  • General System: Promote unit to general, gains levels/skills from victorious attacks
  • Demolition Mechanic: Reduce building levels to free population (v1.6 feature, supported by Marco €200 donation)
  • Cache Protection: Buildings protect resources from raids (exponential storage: 500-7000 per level)
  • Military Immunity: Players ≤120 population cannot be attacked (newbie protection, v1.5.2)
  • Colonization Requirement: 100 colonists must survive attack to capture town (v1.5.2 balance change)
  • Real-Time Resource Counters: JavaScript calculates production/consumption client-side (no server calls)
  • Alliance Forums: Dedicated forum system per alliance (v1.5 feature with 5 new tables)
  • Map Data from BMP: devana_maps.exe generates .dat from bitmap images (source code lost)
  • Multi-Language Support: 6 languages with flag selection (English, Romanian, German, Italian, Dutch, French)
  • Version Changelogs: 306-line release_notes.txt documents 19 updates (v1.4 → v1.6.6)
  • Donation Transparency: donations.txt publicly lists €238 in funding from 6 contributors

Progression Systems

  • Building Levels: 1-10 per building, exponential costs (input field: 50-65-50-50-45 format), construction time (duration field: 0:5 - 6:0 hours)
  • Resource Production: Buildings generate crop/lumber/stone/iron/gold hourly, upkeep consumes crop
  • Population Growth: Houses provide 30-850 capacity per level, cathedral adds morale (+20-110%)
  • Military Research: HP (10 levels at academy), attack (10 levels at blacksmith), defense (10 levels at blacksmith)
  • Weapon Upgrades: 10 upgrade levels per weapon type (sword/spear/bow/horse/ship/catapult/ram)
  • General Leveling: Gains levels from victorious attacks, increases skills (HP/attack/defense)
  • Town Expansion: Colonize new towns with 100 colonists, max towns limited by empire size
  • Alliance Hierarchy: Founder creates alliance at embassy, members join via pacts, shared forums
  • Tax System: Town hall sets tax rates, vault size increases with level (100-50% reduction per level)

Strategic Depth

  • Faction Choice: 3 factions with identical stats but unique aesthetics (Kingdom medieval, Republic classical, Tribal nomadic)
  • Building Dependencies: Requirements field (e.g., "7-3" = town hall level 7, specific building level 3)
  • Resource Balancing: Crop feeds population, gold trades at marketplace, cache protects from raids
  • Military Composition: 7 unit types (infantry/archers/cavalry/ships/siege) counter each other
  • Siege Warfare: Catapults/rams damage buildings, reports show destruction
  • Colonization Strategy: 100 colonists required = 3-4 house levels + army composition planning
  • Map Control: Water tiles require port for ships, landlocked vs coastal towns
  • Alliance Politics: Pacts system for NAP/alliances, forums for coordination
  • Trade Economy: Marketplace level determines resource/weapon trade capacity

5. Database Schema

24 Tables Identified:

| Table | Purpose | Key Features |
|---|---|---|
| users | Player accounts | id (auto_increment), name (varbinary 45), password (MD5 hash), faction (1-3), level (admin privilege 1-5), capital (town id), description (varbinary 512), active (last activity datetime), language (session lang file) |
| towns | Player settlements | id, name, owner (user id), x/y (map coordinates), faction, data (varbinary 128 = 22 building levels pipe-delimited), resources (crop/lumber/stone/iron/gold current amounts), limits (storage capacity), production (hourly rates), population, upkeep, morale (%), land (terrain 4 quadrants), water (port availability: -1=no, >=0=yes) |
| buildings | Building templates | type (0-21), faction (1-3), name (varbinary 45, faction-specific), requirements (dependencies), input (construction costs: 5 resources × 10 levels), output (production/storage/bonus values), duration (build time: H:MM format × 10 levels), upkeep (crop consumption), description (varbinary 512) |
| units | Troop templates | Similar structure to buildings (type, faction, name, requirements, input costs, output stats, duration, upkeep) |
| weapons | Weapon templates | type (0-6: sword/spear/bow/horse/ship/catapult/ram), faction, name, requirements, input (forge costs), duration (forge time) |
| factions | Faction definitions | id (1-3), name (Kingdom/Republic/Tribal), description, growth rates |
| alliances | Guilds/clans | id, name (varbinary 45), founder (user id), description (varbinary 512) |
| pacts | Alliance relations | Diplomatic agreements between alliances |
| forums | Alliance forums | id, alliance id, name, description (v1.5 feature) |
| threads | Forum topics | id, forum id, title, author, timestamp |
| posts | Forum messages | id, thread id, author, message (varbinary 512), timestamp |
| messages | Private messages | sender, recipient, subject, message (varbinary 512), timestamp, read status (0/1) |
| reports | Combat reports | town, type (attack/raid/spy/siege/colonize), intel (varbinary 128), sent (datetime), read (0/1) |
| map | World map | x/y coordinates, water (0/1), owner (town id or NULL), faction |
| c_queue | Construction queue | town id, building type, level, dueTime (datetime), resources consumed |
| t_queue | Troop training queue | town id, unit type, quantity, dueTime, weapons consumed |
| w_queue | Weapon forging queue | town id, weapon type, quantity, dueTime, resources consumed |
| u_queue | Unit upgrade queue | town id, upgrade type (HP/attack/defense), unit type, level, dueTime |
| uup_queue | Weapon upgrade queue | town id, weapon type, level, dueTime |
| a_queue | Army movement queue | town (origin), target (destination), id (mission id), type (1=raid, 2=attack, 3=spy, 4=siege, 5=colonize), phase (0=outbound, 1=return), dueTime, army (varbinary 128 unit composition), general (varbinary 128 stats), uup/wup/aup (upgrade levels), rLoot (resources looted), wLoot (weapons looted), intel (spy data), sent (departure time) |
| d_queue | Demolition queue | town, building type, level, dueTime (v1.6 feature) |
| chat | Chat messages | sId (session id), timestamp, message (varbinary 512), recipient (user id or 0=global), sender (user id) |
| chat_s | Chat sessions | id, name (chat room name) |
| config | Game variables | Configuration key-value pairs (speed multipliers, maintenance mode, etc.) |

Database Activity Evidence:

  • SQL dump dated August 12, 2009 with phpMyAdmin 2.11.9.2
  • MySQL 5.0.67, PHP 5.2.6 (antet.php line 7: root user, EMPTY password)
  • 24 CREATE TABLE statements with IF NOT EXISTS safety
  • Empty tables (fresh install, no default data except buildings/units/weapons INSERTs)
  • Varbinary fields for content (binary-safe storage, prevents charset issues)
  • MyISAM engine (fast reads, no transactions, 2009 standard)
  • Auto-increment IDs (UNSIGNED INT 10)
  • Datetime fields for queues (construction/training/movement all datetime-based)

6. Code Quality Assessment

Strengths

  • Comprehensive Security Update (v1.5.3): clean() function sanitizes ALL $_GET/$_POST variables, strip_tags() prevents XSS
  • Modular Architecture: func.php library (3,000+ lines), AJAX endpoints in separate files (map_.php, forums_.php, etc.)
  • Multi-Language Support: 6 languages via session variable, flag selection UI
  • AJAX Pioneering: v1.4.1 (2008) introduced AJAX map, v1.5 added alliance forums - advanced for 2008
  • Flash Integration: 640x480 isometric town viewer with FlashVars parameter passing (tid, tname, data, etc.)
  • Real-Time Resource Counters: JavaScript calculates production client-side, no server polling
  • Combat Simulator: Standalone csim.php tests infinite scenarios without affecting game state
  • Installation Safety: readme.txt WARNS "Delete install.php and install_.php after installation" (prevents admin account creation exploit)
  • Version Control: 306-line release_notes.txt documents 19 updates with bug fixes/feature additions
  • Donation Transparency: donations.txt publicly credits contributors (Marco €200, others €1-12)

Critical Weaknesses

  • ROOT USER WITH EMPTY PASSWORD: antet.php line 7: $db_pass=""; - CATASTROPHIC exposure in public code
  • MD5 Password Hashing: config.php line 4: $_SESSION["user"][2]==md5(clean($_POST["pass"])) - rainbow table vulnerable, no salt
  • SQL Injection Residual: Despite clean() function, complex queries may have bypasses (v1.4 notes "Some mysql injection prevention code added" = incomplete)
  • MySQL Deprecated Functions: mysql_query(), mysql_fetch_array(), mysql_num_rows() removed in PHP 7.0
  • No CSRF Protection: Forms lack tokens, vulnerable to cross-site request forgery
  • Varbinary Character Encoding: Binary storage instead of UTF-8 charset, complicates text manipulation
  • Global Variable Pollution: antet.php uses global $lang, $title, $imgs, $fimgs - namespace conflicts
  • Flash Dependency: town.swf requires Flash Player (deprecated 2020), mobile incompatible
  • Map Data Lost: readme.txt: "The source code for [devana_maps.exe] is lost since I reinstalled my OS" - BMP→DAT conversion irreproducible
  • Admin Privilege Weak: level field 1-5, no fine-grained permissions (level 4+ = full admin panel access)

Code Smell Examples

// CRITICAL: Root user with empty password (antet.php:7)
$db_host="localhost"; $db_user="root"; $db_pass=""; $db_name="devana";

// MD5 password hashing (config.php:4)
if ($_SESSION["user"][2]==md5(clean($_POST["pass"])))

// Deprecated mysql_* functions (throughout codebase)
$result = mysql_query($query);
$row = mysql_fetch_array($result);

// Varbinary fields in SQL (devana.sql:29)
`name` varbinary(45) NOT NULL  // Should be VARCHAR with charset

// Global variable pollution (antet.php:6)
$title=$lang['title']; $announcement=$lang['announc']; $m=49; $n=49;

// Flash dependency (town.php:20)
$fl_data="<object width='640' height='480'><embed src='town.swf' FlashVars='...'>";

// No CSRF token (hall.php:50, example)
echo "<form method='post' action='construct.php'>";  // Missing CSRF field

// XSS potential in user input (pre-v1.5)
$town[2]  // Town name stored as varbinary, could contain scripts

Overall Code Quality: 6.5/10

  • Excellent architectural design (AJAX, Flash integration, modular structure, multi-language)
  • Good security awareness (v1.5.3 clean() function, XSS prevention post-v1.5)
  • Fatal deployment flaw: root/"" credentials in public code
  • Problematic MD5 passwords, deprecated mysql_* functions, Flash dependency
  • Historical significance: 2008 AJAX/Flash integration pioneering for browser MMO genre

7. Modern Assessment

Viability for 2025 Deployment: 2/10

Critical Showstoppers:

  • ROOT USER WITH EMPTY PASSWORD: antet.php line 7 exposed in public GitHub/downloads = instant database compromise
  • Flash Dependency: town.swf requires Flash Player (EOL December 31, 2020), browsers blocked Flash
  • PHP 7+ Incompatibility: mysql_* functions cause fatal errors (removed PHP 7.0, 2015)
  • MD5 Passwords: Rainbow table cracks 60%+ of passwords, no salt/bcrypt
  • Mobile Incompatible: Flash town viewer, 640px width, no responsive design
  • Map Generator Lost: devana_maps.exe source code lost, BMP→DAT conversion irreproducible

Path to Modernization:

  • EMERGENCY Password Fix ($500): Remove root/"" credentials, move to environment variables (.env file)
  • Database Layer ($12,000-18,000): Rewrite 142 PHP files from mysql_* to PDO with prepared statements
  • Password Security ($2,000): Implement bcrypt/Argon2, migrate existing MD5 hashes with wrapper
  • PHP 8 Compatibility ($4,000): Fix deprecated functions, session handling, register_globals removal
  • Flash Replacement ($25,000-35,000): Rewrite town.swf as HTML5 Canvas/SVG isometric renderer
  • Map System Rebuild ($8,000): Recreate devana_maps.exe BMP→DAT logic, document process
  • Mobile Optimization ($18,000-25,000): Responsive CSS, touch controls, viewport sizing
  • UI Modernization ($15,000-20,000): Replace table layouts with flexbox/grid, modern CSS framework
  • CSRF Protection ($3,000): Add token generation/validation to all forms
  • Security Audit ($8,000): Penetration testing, SQL injection bypass attempts, XSS testing

Total Modernization Cost: $95,000-135,000

Competitive Analysis (2025 Market)

  • Genre: Medieval strategy MMOs dominated by Travian, Tribal Wars, Grepolis (all multi-million dollar operations)
  • Technology: Competitors use React/Vue.js frontends, Node.js/Python backends, WebSocket real-time updates
  • Mobile: Travian Kingdoms, Tribal Wars 2 have native iOS/Android apps
  • Monetization: Freemium with gold currency purchases (€5-100 packages), Devana has no payment integration
  • Graphics: Modern games use 3D WebGL/Unity, Devana's 2D Flash dated
  • Scale: Travian serves 5M+ players, Devana's €238 in donations suggests <100 active players

Positive Aspects

  • Open-Source Complete Package: 270 files, 24 tables, full game logic, no dependencies
  • Multi-Language Foundation: 6 languages already translated, easy to add more
  • Historical Documentation: Release notes, donations.txt, credits = development transparency
  • AJAX Pioneer: 2008 AJAX map/forums advanced for era, foundation for modern SPA
  • Community Proven: €238 donations, Marco's €200 contribution, active development 2008-2009
  • Three Factions: Kingdom/Republic/Tribal aesthetic variety with identical balance
  • Combat Simulator: csim.php for testing = player-friendly tool
  • Installation Wizard: install.php generates map data, warns about security (delete after install)
  • Modular Codebase: 142 PHP files, easy to isolate/test/replace individual systems
  • zlib License: Permissive open-source, allows commercial use with attribution

8. Security Analysis

Critical Vulnerabilities

1. Root Database Credentials Exposed (CVSS 10.0 - Critical)

// antet.php:7 - PUBLIC CODE
$db_host="localhost"; $db_user="root"; $db_pass=""; $db_name="devana";
// Empty password for root user = full server access

Impact: Complete database compromise, root MySQL access, lateral movement to other databases, server takeover

2. MD5 Password Storage (CVSS 7.4 - High)

// config.php:4
if ($_SESSION["user"][2]==md5(clean($_POST["pass"])))
// No salt, rainbow table vulnerable
// Example: admin/password → 5f4dcc3b5aa765d61d8327deb882cf99

Impact: Mass account compromise via rainbow tables if database leaked
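
One way to retire the unsalted MD5 hashes without forcing a password reset, shown as an added example that is not Devana's code. It assumes the users table (id, name, password) described in this report with the password column widened to hold modern hashes; the "md5w:" marker, the function names and legacy_clean() (a stand-in for the project's clean(), whose body is not shown on this page) are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Devana code. Assumptions: the users table (id, name,
// password) described on this page, a password column widened to hold modern
// hashes, the hypothetical "md5w:" marker, and legacy_clean() as a stand-in.

const WRAP_PREFIX = 'md5w:';

// Devana hashed md5(clean($pass)), so old hashes can only be re-checked by
// replaying the same clean(). Swap in the project's real function.
function legacy_clean(string $s): string
{
    return addslashes(strip_tags($s));
}

// Step 1 (offline, once): wrap every bare MD5 hex digest in a slow, salted
// hash so no raw MD5 remains at rest, even for users who never log in again.
function wrap_legacy_hashes(PDO $db): int
{
    $rows = $db->query('SELECT id, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $upd  = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
    $n = 0;
    foreach ($rows as $r) {
        if (preg_match('/\A[0-9a-f]{32}\z/i', (string) $r['password']) !== 1) {
            continue; // already wrapped or already a modern hash
        }
        $wrapped = WRAP_PREFIX . password_hash(strtolower($r['password']), PASSWORD_DEFAULT);
        $upd->execute([':p' => $wrapped, ':id' => $r['id']]);
        $n++;
    }
    return $n;
}

// Step 2 (every login): verify against whichever format is stored, then
// replace wrapped or outdated hashes with a direct hash of the password.
function login(PDO $db, string $name, string $pass): bool
{
    $q = $db->prepare('SELECT id, password FROM users WHERE name = :n');
    $q->execute([':n' => $name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored  = (string) $row['password'];
    $wrapped = strncmp($stored, WRAP_PREFIX, strlen(WRAP_PREFIX)) === 0;

    $ok = $wrapped
        ? password_verify(md5(legacy_clean($pass)), substr($stored, strlen(WRAP_PREFIX)))
        : password_verify($pass, $stored);
    if (!$ok) {
        return false;
    }
    if ($wrapped || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $u = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $u->execute([':p' => password_hash($pass, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Constructed demo: in-memory SQLite stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->prepare('INSERT INTO users (name, password) VALUES (?, ?)')
   ->execute(['alice', md5(legacy_clean('correct horse'))]);

printf("wrapped rows: %d\n", wrap_legacy_hashes($db));
printf("wrong password accepted: %s\n", var_export(login($db, 'alice', 'wrong'), true));
printf("right password accepted: %s\n", var_export(login($db, 'alice', 'correct horse'), true));
$final = (string) $db->query("SELECT password FROM users WHERE name = 'alice'")->fetchColumn();
printf("stored algorithm after login: %s\n", password_get_info($final)['algoName']);
```

The new hash is computed over the raw password, not the clean()-ed one, so the legacy transformation disappears from the login path once every account has been upgraded.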

3. SQL Injection Bypasses (CVSS 8.1 - High)

Despite clean() function (v1.5.3), concatenation vulnerable:

// Example from func.php (hypothetical, not verified)
$query = "SELECT * FROM towns WHERE id=".clean($_GET["town"]);
// If clean() uses addslashes(), numeric context bypasses it

Impact: Database exfiltration, privilege escalation, data manipulation
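
The numeric-context problem described above, next to its fix, as an added example that is not Devana's code. clean_standin() is an assumed approximation of clean() (the report itself only hypothesizes addslashes()), the function names are hypothetical, and the towns rows are constructed; an in-memory SQLite database stands in for MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not Devana code. clean_standin() is an assumed approximation
// of clean() (strip_tags + addslashes); the towns rows are constructed data.
function clean_standin(string $s): string
{
    return addslashes(strip_tags($s));
}

// "Before": the escaped value is concatenated into an unquoted numeric
// position, so escaping quotes gives no protection at all.
function town_lookup_concat(PDO $db, string $raw): array
{
    $sql = 'SELECT id, name FROM towns WHERE id=' . clean_standin($raw);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": validate the type first, then bind the value as a parameter so
// it can never be parsed as SQL.
function town_lookup_bound(PDO $db, string $raw): array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // reject anything that is not a positive integer
    }
    $q = $db->prepare('SELECT id, name FROM towns WHERE id = :id');
    $q->bindValue(':id', $id, PDO::PARAM_INT);
    $q->execute();
    return $q->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE towns (id INTEGER PRIMARY KEY, name TEXT, owner INTEGER)');
$db->exec("INSERT INTO towns (name, owner) VALUES ('Alba', 1), ('Brasov', 2), ('Cluj', 3)");

foreach (['2', '2 OR 1=1'] as $raw) {
    printf(
        "input=%-10s unchanged_by_escaping=%-5s concat_rows=%d bound_rows=%d\n",
        $raw,
        var_export(clean_standin($raw) === $raw, true),
        count(town_lookup_concat($db, $raw)),
        count(town_lookup_bound($db, $raw))
    );
}
```

The second input contains no quote or tag, so the stand-in sanitizer returns it untouched and the concatenated query matches every row, while the bound version rejects it before any SQL is built.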

4. No CSRF Protection (CVSS 6.5 - Medium)

// hall.php (example)
<form method='post' action='construct.php'>
<input name='building' value='7'>
// No token field, attacker can forge construction requests

Impact: Cross-site request forgery, unauthorized actions (building construction, troop training, attacks)

5. Session Fixation (CVSS 6.8 - Medium)

  • No session_regenerate_id() after login
  • Session ID predictable (PHP default)
  • HTTP cookies (no secure flag)

Impact: Session hijacking, account takeover

6. Varbinary XSS (CVSS 5.4 - Medium)

// Town names stored as varbinary(45)
// Pre-v1.5: echo $town[2]; // Direct output, no htmlspecialchars()
// Post-v1.5: Fixed with strip_tags() in clean()

Impact: Pre-v1.5 versions vulnerable to stored XSS in town names/messages

7. Flash Security (CVSS 4.3 - Medium)

  • town.swf accepts FlashVars parameters
  • No validation of tid, tname, data parameters
  • Flash EOL = unpatched vulnerabilities post-2020

Impact: Flash exploit vectors (now academic, Flash deprecated)

Exploitation Scenario

  • Public Code Access → Find antet.php with root/"" credentials on GitHub
  • Database Connection → mysql -h -u root -p (password: empty)
  • Schema Analysis → SHOW TABLES; reveals 24 tables
  • User Table Dump → SELECT name, password FROM users; extracts MD5 hashes
  • Rainbow Table Crack → Crack 60%+ of passwords (MD5 no salt)
  • Admin Account Takeover → Find level=5 users (founder privilege)
  • Mass Manipulation → Update resources, troops, buildings
  • Server Escalation → Use root access to compromise other databases, read /etc/passwd

Security Rating: 2/10 (Critical - Guaranteed Compromise)

  • Root empty password = game over (10.0 CVSS)
  • MD5 passwords exacerbate breach (7.4 CVSS)
  • CSRF/session fixation compound risk (6.5-6.8 CVSS)
  • Post-v1.5.3 security improvements (clean() function) inadequate
  • Installation wizard warning (delete install.php) shows security awareness but insufficient

9. Innovation Rating: 7.5/10

Derivative Elements (Points Lost)

  • Core Gameplay (-1.5): Medieval 4X strategy derivative of Travian/Tribal Wars (2004 originals)
  • Building System (-0.5): Standard resource → building → troops progression
  • Combat Mechanics (-0.5): Attack/defense stats common in all strategy MMOs

Innovative Elements (Points Earned)

  • Three Factions with Unique Aesthetics (+1): 22 building types × 3 factions = 66 building variants (Kingdom castle, Republic palace, Tribal fortress) with unique names/graphics
  • Flash Isometric Town Viewer (+1.5): 640x480 town.swf with 22 clickable buildings, FlashVars integration, animated construction - REVOLUTIONARY for 2008 browser game
  • AJAX Map System (+1): v1.4.1 (2008) introduced AJAX map_.php, template() function loads content without page reload - PIONEERING for era
  • Combat Simulator (+0.5): csim.php tests infinite scenarios without affecting game state
  • General Leveling System (+0.5): Promote unit to general, gains levels/skills from victories (HP/attack/defense bonuses)
  • Alliance Forums (+0.5): v1.5 (2009) added dedicated forum system per alliance (forums, threads, posts tables)
  • Real-Time Resource Counters (+0.5): JavaScript startres() calculates production client-side, no server polling (bandwidth efficient)
  • Cache Protection (+0.5): Buildings protect 500-7000 resources from raids (exponential scaling)
  • Demolition Mechanic (+0.5): v1.6 feature allows reducing building levels to free population (strategic depth)
  • Multi-Language Architecture (+0.5): 6 languages via session variable, flag selection UI (en, ro, de, it, nl, fr)
  • Map from BMP (+0.5): devana_maps.exe generates .dat from bitmap images (creative data source)
  • Transparent Development (+0.5): 306-line release_notes.txt, donations.txt credits contributors (€238 total)
  • Military Immunity (+0.5): Players ≤120 population immune to attack (newbie protection v1.5.2)
  • Colonization Balance (+0.5): 100 colonists required to capture (v1.5.2 balance change from simpler capture)

Historical Context

  • 2008 Browser MMO Renaissance: Travian (2004), Tribal Wars (2003) established genre, Devana innovated with Flash/AJAX
  • AJAX Adoption: 2008 AJAX map system cutting-edge (jQuery 1.0 released 2006, AJAX popularized 2005-2008)
  • Flash Golden Age: 2008-2010 Flash peak before HTML5 (2010) and mobile dominance (2010+)
  • Open-Source Rarity: Most browser MMOs proprietary, Devana's zlib license unusual for 2008
  • Romanian Dev Scene: Busuioc Andrei part of Eastern European game dev wave (2005-2012)

Creative Execution

  • Flash Integration: town.swf receives 10+ FlashVars parameters (tid, tname, data, w, bnames, res, lim, upkeep, morale, prod) = sophisticated PHP-Flash communication
  • AJAX Template System: func.js template() function loads content into DIV, map() function for 49x49 grid = SPA architecture pre-React
  • Faction Differentiation: Buildings 0-21 have 3 name variants (e.g., "Barracks" vs "Mercenary camp" vs "Training grounds") with unique sprites
  • Queue System: 6 queue tables (c_queue, t_queue, w_queue, u_queue, uup_queue, a_queue) handle asynchronous timers
  • Upgrade Complexity: 10 HP levels × 10 attack levels × 10 defense levels = 1,000 possible unit configurations per type
  • Map Generation: devana_maps.exe converts BMP to .dat (water detection, body separation) = creative toolchain

Market Differentiation

In 2008-2009 context: Devana was an innovative open-source challenger to proprietary Travian/Tribal Wars. Flash town viewer and AJAX map system were cutting-edge. Three factions with unique aesthetics differentiated from generic medieval clones. €238 in donations proved community traction.

In 2025 context: Historical artifact showcasing 2008 browser MMO technology. Flash dependency makes it undeployable, but architectural patterns (AJAX SPA, real-time counters, queue systems) pioneered techniques used in modern WebSocket MMOs. Open-source release spawned clones (crusadesage, crusadesage-devana), proving influence.

Final Innovation Score: 7.5/10

  • Revolutionary Flash/AJAX integration for 2008
  • Three-faction system with 66 building variants
  • Combat simulator and general leveling add strategic depth
  • Open-source transparency (release notes, donations) unusual for era
  • Held back by derivative 4X core gameplay and root/"" password disaster

10. Recommendations

For Historical Preservation

  • Archive as Open-Source Browser MMO History: Document 2008 Flash/AJAX pioneer, zlib license rare for era
  • Flash Emulation: Ruffle Flash emulator can run town.swf in modern browsers (2025 preservation tool)
  • BMP Map Tool Recreation: Reverse-engineer devana_maps.exe logic from .dat format, document for posterity
  • Case Study: Use as teaching example of pre-HTML5 browser game architecture (Flash/AJAX/PHP)

For Educational Use (RECOMMENDED)

Verdict: EXCELLENT LEARNING RESOURCE - DO NOT DEPLOY PUBLICLY

Why This Game is Valuable for Learning:

  • Complete Open-Source Package: 270 files, 24 tables, full MMO logic, no external dependencies
  • 2008 Technology Snapshot: Shows Flash/AJAX/PHP best practices for era
  • Multi-Language Architecture: Session-based language switching, 6 translations
  • Queue System Design: 6 queue tables demonstrate asynchronous timer patterns
  • AJAX SPA Patterns: template() function, map() loading show pre-framework SPA architecture
  • Security Evolution: Release notes document v1.5.3 security update (clean() function), shows iterative security improvement

Why This Game Must Never Be Deployed:

  • Root Empty Password: antet.php line 7 = CATASTROPHIC exposure (CVSS 10.0)
  • MD5 Passwords: Rainbow table vulnerable, no salt (CVSS 7.4)
  • Flash Dependency: Browser blocked, mobile incompatible, EOL 2020
  • PHP 7+ Incompatible: mysql_* functions fatal error (removed 2015)
  • $95,000-135,000 Modernization Cost exceeds building new game

Alternative Paths

1. Educational Case Study ($0 - Academic)

Use in computer science courses:

  • Web Development: Show 2008 AJAX/Flash patterns vs modern React/Vue.js
  • Database Design: 24-table schema analysis, queue system patterns
  • Security: Root/"" password as cautionary tale, MD5 vs bcrypt comparison
  • Game Design: 4X progression systems, three-faction balance
  • Software Engineering: Release notes as version control history, open-source licensing

2. Historical Documentation ($2,000-5,000)

Commission writeup for game development history:

  • Flash MMO Era: Document 2008-2010 browser game golden age
  • AJAX Adoption: Analyze v1.4.1 (2008) AJAX map as technology transition
  • Open-Source Rarity: Compare to proprietary Travian/Tribal Wars business models
  • Romanian Dev Scene: Contextualize Busuioc Andrei in Eastern European game dev wave
  • Donation Model: €238 funding analysis vs modern Patreon/Kickstarter

3. Architecture Salvage ($5,000-10,000)

Extract design patterns for new project:

  • Queue System: 6 queue tables (c_queue, t_queue, w_queue, etc.) with check_* functions
  • AJAX Template Function: func.js template() for SPA content loading
  • Multi-Language System: Session-based language switching with flag UI
  • Real-Time Resource Counters: JavaScript startres() client-side calculation
  • Combat Simulator: csim.php standalone testing tool
  • Three-Faction Balance: 66 building variants (22 types × 3 factions)

4. Flash Emulation Demo ($3,000-8,000)

Create museum piece with Ruffle emulator:

  • Install on localhost with Ruffle Flash emulator (https://ruffle.rs/)
  • Run town.swf in modern browsers via Ruffle
  • Document as "2008 Browser MMO Museum"
  • Educational demos only, no public deployment

If Attempting Modernization (NOT RECOMMENDED)

This game requires $95,000-135,000 investment for:

  • Remove root/"" credentials, move to environment variables
  • Rewrite 142 PHP files from mysql_* to PDO
  • Replace MD5 with bcrypt/Argon2, migrate existing hashes
  • Rebuild town.swf as HTML5 Canvas/SVG isometric renderer ($35,000 alone)
  • Recreate devana_maps.exe BMP→DAT logic
  • Mobile responsive redesign (640px → fluid)
  • CSRF token system for all forms
  • PHP 8 compatibility fixes
  • Security audit + penetration testing
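
Two of the items above, the root/"" credentials and the MD5 hashes, can be handled as sketched here. This is an added example, not code from Devana or from this report; the users table, its name and pass columns, and the DEVANA_DB_* environment variables are assumed names.

```php
<?php
// Added example; table/column names (users, name, pass) and the DEVANA_DB_*
// environment variables are assumptions, not taken from the Devana source.

function db_connect(): PDO {
    $user = getenv('DEVANA_DB_USER');
    $pass = getenv('DEVANA_DB_PASS');
    // Fail closed: refuse the root account and empty or missing passwords.
    if (!$user || $user === 'root' || !$pass) {
        throw new RuntimeException('Set a non-root DB user with a password');
    }
    return new PDO(getenv('DEVANA_DB_DSN'), $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Verify a login and upgrade a legacy unsalted MD5 hash to bcrypt in place.
function login(PDO $db, string $name, string $password): bool {
    $q = $db->prepare('SELECT pass FROM users WHERE name = ?');
    $q->execute([$name]);
    $stored = $q->fetchColumn();
    if ($stored === false) {
        return false;
    }
    $legacy = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
    $ok = $legacy
        ? hash_equals(strtolower($stored), md5($password))
        : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT))) {
        $u = $db->prepare('UPDATE users SET pass = ? WHERE name = ?');
        $u->execute([password_hash($password, PASSWORD_BCRYPT), $name]);
    }
    return $ok;
}

// Constructed demo on an in-memory SQLite database (needs pdo_sqlite).
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', md5('hunter2')]);
    var_dump(login($db, 'alice', 'wrong'));   // rejected, legacy hash untouched
    var_dump(login($db, 'alice', 'hunter2')); // checked against MD5, then rehashed
    $row = $db->query("SELECT pass FROM users WHERE name = 'alice'")->fetchColumn();
    var_dump(password_get_info($row)['algoName']);
    var_dump(login($db, 'alice', 'hunter2')); // now checked with password_verify
}
```

Widen the password column before enabling this, since a bcrypt hash is 60 characters against MD5's 32. Accounts that never log in again keep their MD5 hash until they are reset.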

ROI Analysis: $135,000 in medieval strategy MMO = negative 90% return

  • Market dominated by Travian (5M+ players, $20M+ revenue)
  • Building new game with React/Node.js: $50,000-80,000
  • Devana modernization premium: $55,000 extra for Flash replacement + PHP 7 rewrite
  • Verdict: Financial suicide, educational use only

Final Recommendation

Preserve as open-source browser MMO history, use for education, NEVER deploy publicly.

Devana v1.6.6 represents exceptional 2008 browser MMO design with pioneering Flash isometric town viewer (640x480 town.swf), cutting-edge AJAX map system (v1.4.1, 2008), three-faction aesthetics (66 building variants), combat simulator, general leveling, alliance forums, real-time resource counters, and multi-language support (6 languages). Creator Busuioc Andrei demonstrated architectural sophistication with queue systems (6 queue tables), AJAX SPA patterns (template() function), and Flash-PHP integration (FlashVars). €238 in donations from 6 contributors (July 2008 - November 2009) proved community traction.

However, the root user with empty password in antet.php line 7 makes it a catastrophic security failure (CVSS 10.0). Combined with MD5 passwords (7.4 CVSS), Flash dependency (EOL 2020), PHP 7+ incompatibility (mysql_* removed 2015), and $95,000-135,000 modernization cost, public deployment would be criminally negligent.

Historical Value:

  • Documents 2008 Flash/AJAX browser MMO golden age
  • Spawned clones (crusadesage, crusadesage-devana) proving influence
  • zlib license rare for 2008 proprietary MMO era
  • 306-line release_notes.txt shows iterative development (19 versions, v1.4 → v1.6.6)
  • donations.txt transparency unusual for era (publicly credits Marco €200, others)

Modern Reality:

  • Root empty password = 2/10 security (guaranteed compromise)
  • $135,000 modernization exceeds $50,000-80,000 new React/Node.js game
  • Flash town.swf requires Ruffle emulation (browsers blocked Flash 2020)
  • Map generator source code lost (devana_maps.exe irreproducible)

Use for computer science education, archive with Flash emulation, extract queue system patterns, NEVER deploy to public internet.

---

Summary

Devana v1.6.6 is a 2008-2009 open-source medieval browser strategy MMO by Romanian developer Busuioc Andrei with 270 files (2.45 MB), 24 database tables, and revolutionary technology for the era: Flash isometric town viewer (640x480 town.swf with FlashVars integration), AJAX map system (v1.4.1, 2008 - pioneering pre-jQuery era), three factions with 66 building variants (Kingdom/Republic/Tribal with unique names/graphics), combat simulator (csim.php), general leveling system, alliance forums (v1.5, 2009), real-time JavaScript resource counters (startres() function), multi-language support (6 languages), queue-based architecture (6 queue tables for construction/training/movement), and BMP→DAT map generation (devana_maps.exe, source lost). Community-funded with €238 in donations (Marco €200, others €1-12, July 2008 - November 2009), documented in transparent donations.txt and 306-line release_notes.txt (19 versions). However, the codebase contains a CATASTROPHIC security failure: root user with empty password in antet.php line 7 (CVSS 10.0), plus MD5 password hashing (CVSS 7.4), Flash dependency (EOL 2020), deprecated mysql_* functions (PHP 7.0 removed), no CSRF protection, and lost map generator source code. Security rating: 2/10 - guaranteed compromise. Modernization cost: $95,000-135,000 (Flash→HTML5 Canvas alone $35,000). Innovation rating: 7.5/10 for 2008 Flash/AJAX pioneering, three-faction system, and open-source transparency. Modern viability: 2/10 - Flash dependency and root password doom deployment. Recommendation: Preserve as historical artifact of 2008 browser MMO technology, use for computer science education (AJAX/Flash patterns, queue systems, security cautionary tale), possibly demo with Ruffle Flash emulator, but NEVER deploy publicly.
This game spawned clones (crusadesage analyzed previously as 5.5/10 derivative) and pioneered AJAX SPA patterns used in modern WebSocket MMOs.

Rating Summary

Category | Score | Assessment
Innovation (2008) | 7.5/10 | Flash town.swf isometric viewer, AJAX map (2008), 3 factions
Security | 2/10 | ROOT USER EMPTY PASSWORD (CVSS 10.0) + MD5 + no CSRF
Code Quality | 6.5/10 | Good architecture (queues, AJAX), fatal deployment flaw
Feature Completeness | 4.5/5 | 22 building types, combat simulator, forums, 6 languages
Modern Viability | 2/10 | Flash EOL 2020, mysql_* removed PHP 7.0, root password
Modernization Cost | $95k-135k | Flash→Canvas $35k, mysql_*→PDO, bcrypt, security audit
Historical Value | 4/5 | 2008 Flash/AJAX MMO pioneer, spawned clones, €238 donations
Educational Value | 4.5/5 | Queue systems, AJAX patterns, security cautionary tale
Open-Source Impact | 4/5 | zlib license, spawned crusadesage clones, donations.txt transparency

Overall Verdict

F (NEVER DEPLOY)

Education/archive only - root password = instant compromise

Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.