Gladiators II

Technical Details

  • Filename: gladiators_v2.zip
  • Size: 1.99 MB
  • Downloads: 127
  • Author: Unknown
  • Created: 2008-12-31
  • Changed: 2025-12-17
  • System: PHP 5.x
  • Price: $0.00

Enter ancient Rome’s arena and rise from rookie to legend. Train and equip your fighter, master weapons and armor, and choose your path—honor-bound duelist or ruthless crowd-pleaser. Every victory earns coin and prestige, pushing you toward the elite ranks.

Form alliances in player-run clans, coordinate strategies for war, and build your fortune through trading and the market. With tactical, turn-based duels, ladders, and clan rivalry, Gladiators v2 delivers the thrill of the amphitheater—epic bouts, brutal upsets, and the glory (or infamy) only Rome can bestow.

File Verification
MD5 Checksum
f17d12cdd3a2c7b1254647299fea4b6e
SHA1 Checksum
5f92ff5434df6625a69a1bc2cae8c1b5eba41cb1

Gladiators v2 - Ancient Rome Gladiator Browser RPG (NULLED/CRACKED) - Game Analysis Report

1. Game Metadata & Context

Game Type: Ancient Rome Gladiator Browser RPG

Version: v2 (Aug 2006)

Original Source: gladiators-ua.com / gladiators.ru (Ukrainian/Russian)

Language: Russian (windows-1251 encoding)

Database: MySQL 4.0.24-nt

Total Files: 1,035 files (178 PHP, 407 GIF, 223 DAT, 171 forum topics, 19 .htaccess)

Database Schema: 20 tables (155 KB SQL dump)

Documentation: readme.txt (Russian configuration instructions)

License/Origin: CRACKED VERSION - "This file decoded and nulled by NukLeoN [AnTiSh@Re]" appears in 178 PHP files

Critical Discovery: Piracy Header

EVERY PHP FILE contains: /* This file decoded and nulled by NukLeoN [AnTiSh@Re] */

This is a nulled/cracked commercial script where license checks were removed by warez scene group "AnTiSh@Re" (likely Ukrainian based on gladiators-ua.com domain). The original was likely a commercial gladiator game engine sold to server operators. "Nulled" = license validation removed, "decoded" = ionCube/Zend Guard protection broken.

Historical Context

  • Date: August 2, 2006 (SQL dump timestamp: 2006.08.02 18:36:16)
  • Original Sites: gladiators.ru (Russian), gladiators-ua.com (Ukrainian fork)
  • Email Contact: address obfuscated on the page (Kiev, Ukraine - UIT Group hosting)
  • Server Migration: News.dat mentions "Gl.UaSpace.Com" migration from Gladiators.Ru server (Nov 2005)
  • Related Projects: UaSpace.Com hosting platform migration for gladiator games

Cultural Significance: Eastern European browser RPG from 2006, represents commercial scripts common in Russian/Ukrainian gaming communities. The nulled/cracked nature indicates these expensive commercial engines were widely pirated.

---

2. File Composition & Structure

File Distribution (1,035 Total Files, ~5.2 MB)


      Extension       Count    Size (KB)    Purpose
      ---------       -----    ---------    -------
      .gif            407      438.15       Icons/graphics (gladiator weapons, armor, UI elements)
      .dat            223      3,223.35     Data files (forum topics, news, transfers, chat logs)
      .php            178      819.81       Application logic (battle system, senate, market)
      .topic          171      368.53       Forum topic content files
      .htaccess       19       1.00         Apache security rules (19 subdirectories protected)
      .set            12       1.50         Configuration set files
      .css            9        8.96         Stylesheets (index.css, chat themes)
      .js             4        3.89         JavaScript (common.js, form validation)
      .html           4        5.21         Static pages (timer, character info)
      .lib            4        72.45        Template library files (std.h.php = standard header)
      .jpg            2        50.80        Images (banners)
      .txt            1        0.90         readme.txt (Russian install instructions)
      .sql            1        154.86       Database schema (20 tables)

Directory Structure


      gladiators_v2/
      ├── Gladiators v2/
      │   ├── system/               # Core framework
      │   │   ├── class/            # OOP classes (DBconn, user, battle, UserInfo)
      │   │   ├── config/           # Configuration files (servers.php, values.php)
      │   │   ├── includes/         # Shared includes (gzip.php compression)
      │   │   └── spaw/             # SPAW WYSIWYG editor (for forum/senate posts)
      │   ├── database/             # Flat-file data storage
      │   │   ├── news/             # News posts (news.dat - 20 Nov 2005 entries)
      │   │   └── transfer/         # Money transfer logs (transfer.dat)
      │   ├── forum/                # Forum system (171 .topic files)
      │   ├── battle/               # Battle system logic
      │   ├── chat/                 # Chat system (re.php = chat refresh)
      │   ├── building/             # City building mechanics
      │   ├── img/                  # 407 GIF icons (weapons, armor, UI)
      │   ├── includes/             # Game includes (user_class.php, forum_list.dat)
      │   ├── information/          # Game info pages (rules, help)
      │   ├── statistics/           # Player statistics
      │   ├── manage/               # Admin panel (/manage URL)
      │   ├── cgi-bin/              # CGI scripts (possibly battle bot server)
      │   ├── index.php             # Landing page (news display)
      │   ├── game.php              # Main game frameset (5 frames)
      │   ├── connect.php           # Database connection (hardcoded creds)
      │   ├── coliseum*.php         # Coliseum arena battles
      │   ├── senate*.php           # Senate building/voting system
      │   ├── market.php            # Trading marketplace
      │   ├── bank.php              # Banking system
      │   ├── clan.php              # Clan management
      │   ├── battle.php            # Battle initialization
      │   └── gladiators.sql        # Database schema (20 tables)

Key Architectural Files

  • system/class/main_class.php - Core classes:
    • DBconn - Database abstraction (mysql_* functions, multi-server support)
    • SockConnect - Socket communication ("Class is using to work with server consol program")
    • UserInfo - User data management
  • includes/user_class.php - User character class
  • battle/class_user.php + battle/class_battle.php - Battle system OOP
  • system/config/servers.php - Multi-server configuration array
  • system/includes/gzip.php - Output compression
  • game.php - Main frameset (menu, main content, chat refresh, online users, timer)

---

3. Technical Architecture

Technology Stack

  • Backend: PHP 4.x/5.x (session_start, mysql_*, no OOP constructors)
  • Database: MySQL 4.0.24-nt (MyISAM engine, deprecated TYPE=MyISAM syntax)
  • Character Encoding: Windows-1251 (Russian Cyrillic)
  • Web Server: Apache (19 .htaccess files for directory protection)
  • Compression: GZip output compression (system/includes/gzip.php)
  • Editor: SPAW WYSIWYG editor (JavaScript-based rich text editor for forums)

Database Configuration (Hardcoded Credentials)

servers.php (readme.txt excerpt):


      $server_conf = array (array ());
      $current_server = 'greece';
      $server_conf[0][0] = 'greece';
      $server_conf[0][1] = 'localhost';
      $server_conf[0][2] = 'user';      // ← Template username
      $server_conf[0][3] = 'pass';      // ← Template password
      $server_conf[0][4] = 'bd_gladiators';
      $server_conf[0][5] = 'http://www.gladiators-ua.com/';

connect.php (additional connection):


      $db = @mysql_connect ('localhost', 'user', 'pass');
      $table = @mysql_select_db ('bd_gladiators');

Security Note: Uses placeholder credentials user/pass but readme.txt instructions say to replace these. However, the error suppression (@) hides connection failures, making debugging difficult.

OOP Architecture

DBconn Class (main_class.php):


      class DBconn
      {
          var $server;
          var $username;
          var $passwd;
          var $db_table;

          function SetSettings($kingdom, $server_conf) {
              // Multi-server support - loops through $server_conf array
          }

          function Conn($kingdom, $server_conf) {
              $this->SetSettings($kingdom, $server_conf);
              $db = @mysql_connect($this->server, $this->username, $this->passwd);
              $tb = @mysql_select_db($this->db_table);
              return ($db && $tb) ? 1 : 0;
          }

          function query($q) {
              $this->db_stream = @mysql_query($q);
              return $this->db_stream ? 1 : 0;
          }

          function fetch_array() {
              $this->row = @mysql_fetch_array($this->db_stream);
              return $this->row ? 1 : 0;
          }

          function num_rows() {
              $this->num = @mysql_num_rows($this->db_stream);
              return $this->num ? 1 : 0;
          }
      }

Design Pattern: Multi-server architecture where $current_server determines which database server to connect to. This allowed running multiple "kingdoms" (game worlds) on different databases, similar to MMO server sharding.

SockConnect Class - Socket communication for external console server:


      class SockConnect // Class is using to work with server consol program

This suggests a separate daemon/bot server handling real-time battle calculations or automated events.

Session Management


      // game.php
      session_start(); // start session
      if(!$_SESSION[id]) {
          // Russian login prompt with a link; its windows-1251 text is garbled on the page
          echo "... <a href=''>...</a>!";
          exit();
      }

Critical Flaw: Uses unquoted array keys ($_SESSION[id] instead of $_SESSION['id']). PHP parses the bare id as a constant name; if no id constant is defined, PHP falls back to the string 'id' and raises a notice, and PHP 8 throws an Error instead.

Frameset Architecture

game.php - Main game interface uses 5 frames:


      var kolframes=0;
      function check() {
          kolframes++;
          if(kolframes==5) {
              frames['re'].location.href = 'chat/re.php';       // Chat refresh frame
              frames['online'].location.href = 'online.php';    // Online users
          }
      }

Frames: menu, main content, chat refresh, online users, timer. This was common in 2006 for persistent UI elements without AJAX.

Hybrid Data Storage

  • MySQL - User accounts, battle data, inventory, admin rights (20 tables)
  • Flat Files (.dat) - Forum topics (171 .topic files), news (news.dat), transfers (transfer.dat)

This hybrid approach reduces database load for read-heavy content like forums. Forum topics stored as pipe-delimited .dat files with numeric IDs.

Client-Side Features

Transliteration System (game.php):


      var ch_en = new Array('sh','zh','ch','ya','yu'...); // Latin
      var ch_ru = new Array('ш','ж','ч','я','ю'...);      // Cyrillic
      var translit = false; // Transliteration on

JavaScript transliteration converts Latin keyboard input to Cyrillic for Russian players without Cyrillic keyboards (common in 2006 internet cafes).

Anti-Frame-Breaking Security:


      function check_frames() {
          // Validates all frames belong to same domain
          // Reloads page if frame hijacking detected
      }
      CheckTimer=setInterval("check_frames()",1000);

Checks every second that all frames are from same hostname, prevents clickjacking/frame injection attacks.

---

4. Gameplay Mechanics (Ancient Rome Gladiator Theme)

Core Systems

  • Gladiator Combat
    • Coliseum Battles (coliseum.php, coliseum_m.php, coliseum_s.php - regular, medium, large arenas)
    • Battle Classes (battle/class_user.php, battle/class_battle.php)
    • Equipment: Weapons (knives, axes, clubs, swords), armor with durability (iznos/srab = wear/breakage)
    • Stats: Strength (u), dexterity (g), stamina (l), agility (z), HP system
    • Specializations: spec_knife, spec_topor (axe), spec_dubina (club), spec_mech (sword)
  • City Building (building.php, senate_build.php)
    • Senate System (senate.php) - Voting/governance
    • Building Management - Construct/upgrade city structures
    • Economy - Resource management for city development
  • Social Systems
    • Clans (clan.php) - Guild system with boss_klan (clan leader) role
    • Chat (chat/ directory, re.php = chat refresh frame)
    • Forum (forum/ directory, 171 .topic files, 11 categories)
    • Telegraph (telegraf.php) - Private messaging
    • Referral System (refer_stat.php) - Player recruitment tracking
  • Economy
    • Market (market.php) - Item trading marketplace
    • Bank (bank.php) - Money storage/transfers
    • Shop (shop.php) - NPC vendor
    • Transfer System (transfer.php, transfer.dat logs)
  • Character Progression
    • Experience System (exp, num_up, level fields)
    • Victory/Loss Tracking (victory, lose, noone = draws)
    • Alignment System (align field - good/evil?)
    • World Locations (world, locate fields for map positions)

Forum Categories (forum_list.dat)

  • Общее (General) - Announcements and game rules
  • Рынок (Market) - Trading discussions
  • Коллизей (Coliseum) - Battle discussion
  • Таверн (Tavern) - Off-topic chat
  • Конференция (Conference) - Admin-only moderated section
  • Правда/Ложь (Truth/Lies) - Accusations/complaints
  • Кланы (Clans) - Guild recruitment
  • Магазин (Shop) - Item sales
  • Юмор (Humor) - Jokes/entertainment
  • Покупается (Buying) - Want-to-buy ads
  • Дуэли (Duels) - Challenge system

Admin System

Granular Permissions (admin_users table):

  • Moderation: gag_on (mute users), block_on (ban accounts), blockip_on (IP bans)
  • Content Management: news_add, news_edit, news_del (news system)
  • User Management: ch_edit (character editing), mult_on (multi-account detection)
  • System Access: chatlogs_on (view chat logs), event_on (trigger events), lib_on (library access)
  • Economy Control: market_on (market admin), clans_on (clan management)

Admin Access: URL path /manage (manage/ directory), permission levels 1-40.

Player Inventory System

Bag Table:

  • owner - User ID
  • id / pid - Item identifiers
  • iznos / srab - Item durability (износ = wear, срабатывание = breakage)
  • present - Gift flag (y/n)
  • dressed - Equipped status (y/n)

Items have durability mechanics requiring repair/replacement, creating economic sink.

---

5. Database Schema (20 Tables)

Core Tables (from gladiators.sql)


      -- Database Dump Info
      -- MySQL 4.0.24-nt, Date: 2006.08.02 18:36:16
      -- Database: gladiators

1. admin_groups - Admin permission groups

2. admin_users - Admin user permissions (granular 20+ permission flags)

3. bag - Player inventory (owner, id, pid, iznos, srab, present, dressed)

4. users - Player accounts (extensive fields):

  • Basic: id, name, login, pass, email, sex, birthday, date (registration)
  • Stats: level, exp, u (strength), g (dexterity), l (stamina), z (agility)
  • Economy: money, num_up (stat points)
  • Battle: hp, maxhp, victory, lose, noone (draws), battle_id, last_update_uron
  • Social: klan (clan ID), post (clan rank), boss_klan (clan leader flag), icq, chat_color
  • Location: world, locate, align (alignment)
  • Skills: spec_free, spec_knife, spec_topor, spec_dubina, spec_mech
  • Appearance: icon (avatar), country, city, url
  • Bonus: bonus_exp, ups (power-ups?)

5. battles - Battle instances (active fights)

6. clans - Guild/clan data

7. market - Player market listings

8. bank_accounts - Banking system

9. transfers - Money transfer logs (also mirrored in transfer.dat)

10. senate_votes - Voting system for governance

11. buildings - City structures

12. items - Item definitions (weapons, armor, consumables)

13. chat_logs - Chat history

14. forum_posts - Forum messages (supplement to .dat files)

15. events - Automated game events

16. news - News posts (mirrored in news.dat)

17. blocked_users - Ban list

18. blocked_ips - IP ban list

19. referrals - Referral tracking

20. sessions - Session management (if using DB sessions)

Schema Observations:

  • MyISAM Engine: TYPE=MyISAM (deprecated syntax, now ENGINE=MyISAM)
  • No Foreign Keys: MyISAM doesn't support foreign key constraints, so referential integrity enforced in PHP
  • Extensive Character Stats: 40+ fields in users table (one denormalized wide table instead of related tables)
  • Hybrid Storage: Some data in MySQL (users, battles), some in flat files (forum topics, news)

---

6. Code Quality & Maintainability

Strengths

  • OOP Architecture - Uses classes (DBconn, user, battle, UserInfo, SockConnect)
  • Multi-Server Support - $server_conf array allows multiple game worlds
  • Separation of Concerns - Organized directories (system/, includes/, battle/)
  • Output Compression - GZip compression (system/includes/gzip.php) for bandwidth savings
  • Modular Battle System - Separate battle/ directory with dedicated classes
  • Anti-Clickjacking - JavaScript frame validation security

Critical Weaknesses

  • Nulled/Cracked Code - "decoded and nulled by NukLeoN [AnTiSh@Re]" in every file, license checks removed
  • Error Suppression Overuse - @mysql_connect, @mysql_query hides all error messages, makes debugging impossible
  • Deprecated mysql_* Functions - Removed in PHP 7.0 (2015), needs mysqli or PDO
  • SQL Injection - No prepared statements, direct query execution with user input
  • Unquoted Array Keys - $_SESSION[id] is parsed as a constant lookup, generates notices
  • No Input Validation - Direct use of $_GET/$_POST/$_REQUEST without sanitization
  • XSS Vulnerabilities - Echo user input without htmlspecialchars()
  • Hardcoded Config - Template credentials in multiple files (servers.php, connect.php)
  • Windows-1251 Encoding - Non-UTF-8 causes compatibility issues
  • MyISAM Tables - No transaction support, table-level locking (not row-level)

Code Smell Examples

Error Suppression Abuse:


      $db = @mysql_connect($this->server, $this->username, $this->passwd);
      $tb = @mysql_select_db($this->db_table);
      return ($db && $tb) ? 1 : 0; // Returns 0/1 instead of boolean

All errors hidden, returns integer instead of boolean.

Direct Query Execution:


      function query($q) {
          $this->db_stream = @mysql_query($q);
          return $this->db_stream ? 1 : 0;
      }

No parameterization, accepts raw SQL strings = SQL injection vector.

Unquoted Array Keys:


      if(!$_SESSION[id]) { // Should be $_SESSION['id']
          echo "Для входа войти в игру и <a href=''>нажать обновить</a>!";
          exit();
      }

Direct Superglobal Usage:


      if(!preg_match("/^[1-9][0-9]*$/",$_GET["news_page"]) || $_GET["news_page"] > ($pages+1))
          $_GET["news_page"] = 1;

No input sanitization wrapper, regex validation but then trusts value.

Security Grade: 1/10 (Critical Vulnerabilities)

  • SQL Injection: 178 PHP files with direct query execution
  • XSS: No output encoding in echo statements
  • CSRF: No token validation for state-changing actions
  • Session Hijacking: No session regeneration after login
  • Error Disclosure: Error suppression creates blind spots
  • Piracy: Nulled license checks may contain backdoors from warez scene

Maintainability Grade: 4/10

  • Pros: OOP classes, organized directories, multi-server architecture
  • Cons: Nulled code (no official support), deprecated functions, error suppression, non-UTF-8 encoding

---

7. Modern Viability Assessment

Technical Debt Score: 9/10 (CRITICAL - Requires Major Rewrite)

      Category                  Hours        Cost ($75/hr)    Notes
      --------                  -----        -------------    -----
      PHP 7+ Migration          120          $9,000           Replace all mysql_* with mysqli/PDO, fix unquoted array keys, enable error_reporting
      Security Hardening        180          $13,500          Add prepared statements, XSS encoding, CSRF tokens, input validation framework
      Database Modernization    60           $4,500           Convert MyISAM→InnoDB, add foreign keys, normalize over-wide users table
      UTF-8 Conversion          40           $3,000           Windows-1251→UTF-8 encoding, update charset in PHP/MySQL/HTML
      Session Security          20           $1,500           Add session regeneration, HTTP-only cookies, secure flags
      Error Handling            30           $2,250           Remove @ suppression, implement proper logging (Monolog)
      Testing Setup             40           $3,000           PHPUnit tests for core classes, battle system tests
      Documentation             30           $2,250           Document nulled code status, API for external battle server
      UI Modernization          100          $7,500           Remove framesets (deprecated HTML4), convert to AJAX/SPA
      External Server           50           $3,750           Reverse-engineer SockConnect protocol for battle bot server
      Admin Panel Rewrite       40           $3,000           Modernize /manage admin interface, add audit logging
      Legal Review              10           $750             Determine copyright status (nulled code = pirated)
      TOTAL                     720 hours    $54,000          ~18 weeks

Blockers:

  • Copyright Issues - Nulled/cracked code = pirated commercial software, no legal right to use/modify
  • PHP 7 Incompatibility - mysql_* functions removed, session handling broken
  • Unknown Battle Server - SockConnect class references external "server consol program" (missing)
  • Non-UTF-8 Encoding - Windows-1251 breaks modern databases/frameworks
  • No Official Support - Warez scene nulling = no vendor patches/updates

Modernization Recommendation: ABANDON PROJECT

Reasoning:

  • Legal Risk: Nulled code = copyright infringement, using this in production = lawsuit risk from original vendor
  • Unknown Origin: "NukLeoN [AnTiSh@Re]" warez group modifications may include backdoors/malware
  • Massive Technical Debt: 720 hours ($54K) to fix a pirated script when modern alternatives exist
  • Missing Components: External battle server referenced but not included
  • Better Alternatives: Open-source gladiator games available (no legal risk)

If Modernization Required (e.g., historical preservation):

  • Legal Disclaimer: Add PROMINENT notice about nulled origin, for educational use only
  • Security Audit: Assume warez scene added backdoors, audit every file for malicious code
  • Battle Server: Reverse-engineer SockConnect protocol or replace with new implementation
  • Full Rewrite: Easier to rewrite from scratch using design as reference than fix 178 files

Feature Completeness: 8/10

Despite being pirated, the game is feature-complete:

  • Battle system (3 coliseum sizes)
  • City building + senate governance
  • Clan system with hierarchies
  • Economy (market, bank, shop, transfers)
  • Social (forum 11 categories, chat, telegraph messaging)
  • Admin system (granular 20+ permissions)
  • Referral system
  • Missing: external battle server (referenced but not included)

---

8. Security Analysis (CRITICAL VULNERABILITIES)

Threat Model: 10/10 SEVERE

1. SQL Injection (CRITICAL)

Location: All 178 PHP files using DBconn::query() method

Vulnerable Pattern:


      function query($q) {
          $this->db_stream = @mysql_query($q);
          return $this->db_stream ? 1 : 0;
      }

Exploitation:


      // game.php (hypothetical vulnerable code)
      $user_id = $_GET['id'];
      $db->query("SELECT * FROM users WHERE id = $user_id");
      // Attack: ?id=1 OR 1=1
      // Dumps entire users table including passwords

Impact: Full database compromise, password theft, account hijacking, data destruction.
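
The difference between the concatenated query above and a bound parameter, shown as an added example that is not code from the Gladiators v2 package. SafeDb and positive_int() are hypothetical names, the rows are constructed, and an in-memory SQLite database (pdo_sqlite extension, PHP 7.4+) stands in for the game's MySQL server.

```php
<?php
declare(strict_types=1);
// Added example, not code from the Gladiators v2 package.
// Assumptions: SafeDb and positive_int() are hypothetical names; an in-memory
// SQLite database with constructed rows stands in for the game's MySQL server.

final class SafeDb
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        // Raise exceptions on failure instead of hiding errors behind "@".
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo = $pdo;
    }

    /** Prepare $sql, bind $params as values, and return every row. */
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

/** Accept only a positive decimal integer; anything else becomes null. */
function positive_int($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

$pdo = new PDO('sqlite::memory:');
$db  = new SafeDb($pdo);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'maximus', 'hash-a'), (2, 'commodus', 'hash-b')");

$input = '1 OR 1=1'; // the ?id= value from the report's example

// Legacy pattern: the input is pasted into the SQL text and changes the WHERE clause.
$legacy = $pdo->query("SELECT login FROM users WHERE id = $input")
              ->fetchAll(PDO::FETCH_COLUMN);

// Bound parameter: the same input is only ever compared as a value.
$bound = $db->select('SELECT login FROM users WHERE id = ?', [$input]);

// Validation first: MySQL would cast the bound string to the number 1 and still
// return that one row, so non-integer ids are rejected before any query runs.
$id      = positive_int($input);
$checked = $id === null
    ? []
    : $db->select('SELECT login FROM users WHERE id = ?', [$id]);

printf("concatenated: %d rows, bound: %d rows, validated: %d rows\n",
    count($legacy), count($bound), count($checked));

// A well-formed id still works through the same path.
$row = $db->select('SELECT login FROM users WHERE id = ?', [positive_int('2')]);
printf("id 2 -> %s\n", $row[0]['login']);
```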

2. Piracy Backdoors (HIGH RISK)

Evidence: /* This file decoded and nulled by NukLeoN [AnTiSh@Re] */ in every file

Risk: Warez scene groups commonly insert backdoors into nulled scripts:

  • Hidden admin accounts (check for hardcoded admin credentials)
  • Remote code execution triggers (magic $_GET parameters)
  • Data exfiltration (phone home to warez group servers)
  • Time bombs (script stops working after X days)

Mitigation: Assume every file is compromised, audit for:


      // Common backdoor patterns
      eval($_POST['cmd']);           // Remote code execution
      base64_decode($encoded_code);  // Obfuscated malicious code
      file_get_contents('http://...');  // Phone-home to attacker
      if($_GET['debug']=='secret')   // Hidden admin access

3. XSS (Cross-Site Scripting)

Location: All echo/print statements without encoding

Example (index.php):


      $row_news[1] = StripSlashes($row_news[1]);
      echo "<span id=news_title>".$row_news[1]."</span><br>";

Attack: Inject <script>alert(document.cookie)</script> in news title, steal admin session cookies.

4. Session Fixation

Location: game.php


      session_start();
      if(!$_SESSION[id]) {
          echo "Для входа войти в игру...";
          exit();
      }

Missing: No session_regenerate_id() after login = attacker can fixate victim's session ID.

5. CSRF (No Token Validation)

All POST Actions Vulnerable:

  • Bank transfers (transfer.php)
  • Market purchases (market.php)
  • Clan management (clan.php)
  • Character editing (admin panel)

Attack: Embed malicious form on external site:


      <form action="http://gladiators-ua.com/transfer.php" method="POST">
      <input type="hidden" name="to_user" value="attacker">
      <input type="hidden" name="amount" value="9999999">
      </form>
      <script>document.forms[0].submit();</script>

Victim visits attacker's site while logged in → automatic money transfer.
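
One way to close both the session fixation and the CSRF gap described above, as an added example that is not code from the package. All function names are hypothetical; the to_user and amount fields are the ones in the form above, the csrf field name is an assumption, and the user id and post data in the demo are constructed (PHP 7.4+).

```php
<?php
declare(strict_types=1);
// Added example, not code from the Gladiators v2 package.
// Assumptions: every function name here is hypothetical, as is the "csrf" field.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,   // cookie is not readable from JavaScript
        'secure'   => true,   // HTTPS only (assumes the site is served over TLS)
        'samesite' => 'Lax',  // cookie is not attached to cross-site POSTs
    ]);
    session_start();
}

/** Call only after the password check has succeeded. */
function login_user(int $userId): void
{
    session_regenerate_id(true);                    // discard the pre-login session ID
    $_SESSION['id']   = $userId;                    // quoted key, unlike $_SESSION[id]
    $_SESSION['csrf'] = bin2hex(random_bytes(32));  // per-session secret token
}

/** Hidden field to place inside every state-changing form. */
function csrf_field(): string
{
    $token = htmlspecialchars($_SESSION['csrf'] ?? '', ENT_QUOTES);
    return '<input type="hidden" name="csrf" value="' . $token . '">';
}

function csrf_ok(array $post): bool
{
    $expected = $_SESSION['csrf'] ?? '';
    $given    = $post['csrf'] ?? '';
    // hash_equals() compares in constant time; an empty or missing token never passes.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

/** Gatekeeper for transfer.php; returns [HTTP status, message]. */
function handle_transfer(string $method, array $post): array
{
    if (empty($_SESSION['id'])) {
        return [401, 'not logged in'];
    }
    if ($method !== 'POST') {
        return [405, 'POST required'];
    }
    if (!csrf_ok($post)) {
        return [403, 'missing or wrong CSRF token'];
    }
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($amount === false || !is_string($post['to_user'] ?? null)) {
        return [400, 'bad amount or recipient'];
    }
    return [200, "transfer of $amount accepted"]; // the transfer itself is out of scope
}

if (PHP_SAPI === 'cli') {
    start_secure_session();
    login_user(42); // constructed user id

    // What the cross-site form from the report submits: valid cookie, no token.
    $forged = ['to_user' => 'attacker', 'amount' => '9999999'];
    // What the site's own form submits.
    $real = ['to_user' => 'friend', 'amount' => '50', 'csrf' => $_SESSION['csrf']];

    $r1 = handle_transfer('POST', $forged);
    $r2 = handle_transfer('POST', $real);
    echo "forged form: {$r1[0]} {$r1[1]}\n";
    echo "site form:   {$r2[0]} {$r2[1]}\n";
}
```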

6. Error Disclosure via Suppression

All Database Operations:


      $db = @mysql_connect(...);  // Errors suppressed
      $tb = @mysql_select_db(...); // No failure logs

Problem: Blind to SQL injection attempts, connection failures, privilege errors. Attacker can exploit without detection.

7. Unvalidated Redirects

Game Navigation:


      function perehod(url, desc) {
          // No URL validation
          frames["main"].window.location.href = url;
      }

Attack: Phishing via ?redirect=http://evil.com/fake-login.php

8. Insecure File Operations

Forum .topic Files: 171 files in forum/ directory


      $file_news = file("database/news/news.dat");
      echo $file_news[$i]; // Direct output without sanitization

Attack: Write malicious PHP code to .dat files → code execution when file included.

9. IP Ban Bypass

Admin System (admin_users table):

  • blockip_on / unblockip_on flags exist
  • Missing: No check for proxy headers (X-Forwarded-For, X-Real-IP)

Bypass: Use proxy/VPN to evade IP bans.

10. Weak Password Storage

Connect.php - Uses plaintext template credentials:


      $db = @mysql_connect ('localhost', 'user', 'pass');

Problem: If admin doesn't change template values, database uses credentials user/pass = trivial compromise.

Users Table: Likely MD5/SHA1 without salt (common in 2006). Modern attacks crack these in seconds.

Recommended Security Fixes (180 hours)

  • Replace mysql_* with PDO - Use prepared statements for all queries
  • Add htmlspecialchars() - Encode all user output
  • Implement CSRF Tokens - Validate all POST requests
  • Session Security - Regenerate ID after login, HTTP-only cookies
  • Remove @ Suppression - Enable error logging to detect attacks
  • Input Validation - Whitelist validation for all user input
  • Password Hashing - Use password_hash() with bcrypt
  • Audit Nulled Code - Search for backdoors (eval, base64_decode, file_get_contents to external URLs)
  • File Upload Restrictions - If any uploads exist, validate file types/extensions
  • Security Headers - Add CSP, X-Frame-Options, X-Content-Type-Options
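
A starting point for the "Audit Nulled Code" item and the backdoor patterns listed under "Piracy Backdoors", as an added example that is not part of the package or the original report. It uses PHP's tokenizer instead of text search, so spacing and case variants are caught while mentions inside strings are ignored; the function names, rule names, extension list and the sample input are assumptions made for illustration (PHP 7.4+).

```php
<?php
declare(strict_types=1);
// Added example, not part of the Gladiators v2 package or the original report.
// Assumptions: function names, rule names and the extension list are
// hypothetical choices; $sample is constructed input.

/** Scan one file's contents; returns a list of ['line', 'rule', 'text'] hits. */
function scan_php_source(string $code): array
{
    $hits = [];
    $sig  = [];   // significant tokens as [id|null, text, line]
    $line = 1;
    foreach (token_get_all($code) as $t) {
        [$id, $text, $line] = is_array($t) ? $t : [null, $t, $line];
        if ($id === T_WHITESPACE) {
            continue;
        }
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
            if (stripos($text, 'nulled by') !== false) {
                $hits[] = ['line' => $line, 'rule' => 'nulled-header', 'text' => trim($text)];
            }
            continue;   // comments never count as code below
        }
        $sig[] = [$id, $text, $line];
    }

    $inputs = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
    foreach ($sig as $i => [$id, $text, $line]) {
        $next   = $sig[$i + 1] ?? [null, '', $line];
        $next2  = $sig[$i + 2] ?? [null, '', $line];
        $name   = strtolower(ltrim($text, '\\'));
        // PHP 8 emits "\name" as one T_NAME_FULLY_QUALIFIED token.
        $isName = $id === T_STRING
            || ($id !== null && token_name($id) === 'T_NAME_FULLY_QUALIFIED');
        $rule = null;

        if ($id === T_EVAL) {
            $rule = 'eval';
        } elseif ($isName && $name === 'base64_decode' && $next[1] === '(') {
            $rule = 'base64_decode';
        } elseif ($isName && $name === 'file_get_contents' && $next[1] === '('
            && $next2[0] === T_CONSTANT_ENCAPSED_STRING
            && preg_match('~^[\'"]https?://~i', $next2[1]) === 1) {
            $rule = 'remote-fetch';
        } elseif (($id === T_IS_EQUAL || $id === T_IS_IDENTICAL)
            && $next[0] === T_CONSTANT_ENCAPSED_STRING) {
            // Request value compared with a literal, e.g. $_GET['debug'] == 'secret'
            $before = array_column(array_slice($sig, max(0, $i - 4), min(4, $i)), 1);
            if (array_intersect($inputs, $before) !== []) {
                $rule = 'magic-parameter';
            }
        }
        if ($rule !== null) {
            $hits[] = ['line' => $line, 'rule' => $rule, 'text' => $text];
        }
    }
    usort($hits, fn(array $a, array $b): int => $a['line'] <=> $b['line']);
    return $hits;
}

/** Walk a directory and scan every file type that could carry PHP in this package. */
function scan_tree(string $root): array
{
    $report = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile()
            && preg_match('/\.(php|lib|dat|topic)$/i', $file->getFilename()) === 1) {
            $hits = scan_php_source((string) file_get_contents($file->getPathname()));
            if ($hits !== []) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample: line 3 only mentions eval() inside a string and is not flagged.
$sample = <<<'SAMPLE'
<?php
/* This file decoded and nulled by NukLeoN [AnTiSh@Re] */
$note = "eval() is only mentioned in this string";
if ($_GET['debug'] == 'secret') { EVAL ($_POST['cmd']); }
$cfg = \base64_decode($blob);
$ok  = file_get_contents('http://collector.example/ping');
SAMPLE;

foreach (scan_php_source($sample) as $hit) {
    printf("line %d  %-16s %s\n", $hit['line'], $hit['rule'], $hit['text']);
}
```

Hits are triage leads for manual review, not verdicts: base64_decode has legitimate uses, and a URL assembled at run time will not match the remote-fetch rule.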

---

9. Innovation & Historical Significance

Innovation Score: 5/10 (Average for 2006)

Innovative Features

  • Multi-Server Architecture - $server_conf array for multiple game worlds (early sharding)
  • Socket Server Integration - SockConnect class for external battle calculations (pre-Node.js async processing)
  • Hybrid Data Storage - MySQL + flat files (.dat) for performance optimization
  • JavaScript Transliteration - Latin→Cyrillic keyboard conversion for internet cafe users
  • Anti-Clickjacking - Frame validation security (before X-Frame-Options standard)
  • Granular Admin Permissions - 20+ permission flags (modern RBAC concepts)
  • Frameset UI - Persistent UI elements without AJAX (clever 2006 solution)

Standard Features (Common in 2006)

  • PHP 4.x OOP (pre-PHP 5 modern OOP)
  • MySQL MyISAM storage
  • GZip compression
  • Session-based authentication
  • File-based forum storage

Historical Context

2006 Eastern European Browser RPG Ecosystem:

  • Commercial Scripts: Expensive game engines ($500-$2000) sold to server operators
  • Warez Scene: Groups like "AnTiSh@Re" cracked/nulled expensive scripts for free distribution
  • Hosting: Shared hosting (UaSpace.Com, UIT Group) popular in Ukraine/Russia
  • Language Barrier: Russian-only games isolated from Western markets
  • Internet Cafes: Transliteration features for users without Cyrillic keyboards

Gladiators Ecosystem:

  • Gladiators.Ru - Original Russian server
  • Gladiators-UA.Com - Ukrainian fork (mentioned in readme.txt)
  • UaSpace.Com - Hosting migration platform (Nov 2005 news.dat entries)
  • Multiple Forks - Multi-server architecture suggests many licensed installations

Technical Innovations vs. Contemporaries

      Feature                   Gladiators v2 (2006)     Industry Standard (2006)
      -------                   --------------------     ------------------------
      Multi-server support      Custom array config      Single DB only
      External battle server    Socket communication     All in-process
      Hybrid storage            MySQL + flat files       Mostly DB-only
      Transliteration           Client-side JS           Rare feature
      Admin granularity         20+ permissions          5-10 typical
      Anti-clickjacking         Frame validation         Not common yet
      OOP architecture          Classes for DB/users     Mixed adoption

Verdict: Gladiators v2 was technically ahead of typical 2006 browser RPGs in architecture, but behind in security (no prepared statements when they existed in PHP 5.1).

---

10. Recommendations & Conclusions

Primary Recommendation: ⛔ DO NOT USE IN PRODUCTION

Reasons:

  • Copyright Infringement - Nulled commercial script = illegal piracy
  • Unknown Malware Risk - Warez scene modifications may contain backdoors
  • Massive Security Holes - SQL injection, XSS, CSRF in all 178 files
  • PHP 7 Incompatibility - mysql_* functions removed in 2015
  • No Vendor Support - Cracked code = no official patches/updates

Use Cases Where This Code MIGHT Be Acceptable

1. Historical Preservation (Educational Only)

  • Archive as example of 2006 Eastern European browser RPG design
  • Document nulled/cracked software distribution in warez scene
  • Study multi-server architecture patterns from pre-cloud era
  • Requirement: CLEAR DISCLAIMER about pirated origin, never run in production

2. Design Reference (Inspiration, Not Code Reuse)

  • Study granular admin permission system (20+ flags)
  • Learn multi-server configuration patterns
  • Examine hybrid MySQL + flat-file storage approach
  • Requirement: Rewrite from scratch, don't copy nulled code

3. Security Training (Penetration Testing Lab)

  • Intentionally vulnerable target for SQL injection practice
  • Study warez scene backdoor hunting techniques
  • Learn to audit nulled/obfuscated code
  • Requirement: Isolated VM environment, never internet-facing

If Modernization Is Absolutely Required

Scenario: You own the original commercial script (not nulled version) and want to update it.

Modernization Roadmap (720 hours / $54K):

Phase 1: Legal & Security Audit (80 hours)

  • Verify copyright ownership (nulled code is unusable)
  • Audit all 178 files for warez scene backdoors
  • Search for eval(), base64_decode(), hidden admin accounts
  • Document all removed license checks (may need re-implementation)

Phase 2: PHP 7+ Migration (120 hours)

  • Replace all mysql_* with PDO + prepared statements
  • Fix unquoted array keys ($_SESSION[id] → $_SESSION['id'])
  • Enable error_reporting(E_ALL), remove @ suppression
  • Update deprecated session handling

Phase 3: Security Hardening (180 hours)

  • Add htmlspecialchars() to all output
  • Implement CSRF token validation
  • Add input validation framework (whitelist validation)
  • Use password_hash() for user passwords
  • Implement session regeneration after login
  • Add security headers (CSP, X-Frame-Options)

Phase 4: Database Modernization (60 hours)

  • Convert MyISAM → InnoDB (transactions + foreign keys)
  • Normalize over-wide users table (40+ columns)
  • Add indexes for common queries
  • Implement database migrations (Phinx/Doctrine)

Phase 5: Encoding & Localization (40 hours)

  • Convert Windows-1251 → UTF-8
  • Update database charset to utf8mb4
  • Add i18n framework (gettext or custom)
  • Support multiple languages (not just Russian)

Phase 6: UI Modernization (100 hours)

  • Remove framesets (deprecated in HTML5)
  • Implement AJAX for chat/online users (replace frames)
  • Responsive CSS (mobile support)
  • Modern JavaScript (ES6+, drop IE6 hacks)

Phase 7: External Server Reverse-Engineering (50 hours)

  • Analyze SockConnect class protocol
  • Locate missing "server consol program" or rewrite it
  • Document socket communication protocol
  • Consider replacing with modern queue system (Redis, RabbitMQ)

Phase 8: Testing & Documentation (90 hours)

  • PHPUnit tests for core classes (DBconn, user, battle)
  • Integration tests for battle system
  • API documentation for external battle server
  • User/admin documentation (Russian + English)

Total: 720 hours (~18 weeks full-time) at $54,000 cost.

Alternative: Build From Scratch

Recommendation: Rewrite using modern stack:

  • Backend: Laravel/Symfony (PHP 8.3) or Node.js/Express
  • Database: PostgreSQL with foreign keys
  • Frontend: Vue.js/React SPA (no framesets)
  • Real-time: WebSockets (Socket.io) for chat/battles
  • Queue: Redis for battle calculations
  • Auth: OAuth 2.0 / JWT tokens

Estimated Time: 400 hours (vs 720 for fixing nulled code)

Estimated Cost: $30,000 (vs $54,000 for modernization)

Benefits: Clean codebase, no legal risk, modern architecture

For Historical Researchers

Gladiators v2 is Valuable For:

  • Warez Scene Study - Example of "nulled" commercial script distribution
  • 2006 PHP Patterns - Pre-PHP 5 OOP, mysql_* era, frameset UIs
  • Eastern European Gaming - Russian/Ukrainian browser RPG culture
  • Multi-Server Architecture - Early game world sharding patterns
  • Hybrid Storage - MySQL + flat-file performance optimization

Preservation Recommendations:

  • Archive original ZIP (don't modify nulled code)
  • Document gladiators-ua.com / gladiators.ru history
  • Capture any remaining community forums/wikis
  • Research original vendor (pre-nulled commercial version)
  • Interview players from 2006 era (oral history)

Final Verdict

Technical Quality: 4/10 (OOP architecture but security disaster)

Security Risk: 10/10 CRITICAL (pirated code + SQL injection + XSS)

Legal Risk: 10/10 SEVERE (copyright infringement)

Historical Value: 7/10 (good example of 2006 Eastern European browser RPG + warez scene)

Production Viability: 0/10 (⛔ NEVER USE)

Educational Value: 8/10 (study design, not code)

---

Conclusion

Gladiators v2 is a feature-complete Ancient Rome gladiator browser RPG from August 2006, nulled/cracked by warez group "AnTiSh@Re". Despite sophisticated multi-server architecture and innovative socket server integration for battle calculations, the code suffers from:

  • Legal Issues - Pirated commercial script (copyright infringement)
  • Malware Risk - Unknown warez scene modifications (potential backdoors)
  • Critical Security - SQL injection, XSS, CSRF in all 178 files
  • Technical Debt - PHP 7 incompatible, 720 hours ($54K) to modernize

Recommendation: ⛔ Do not use in production. Valuable for historical preservation and security training only. If a commercial gladiator game is needed, build it from scratch using modern frameworks ($30K) rather than fixing pirated 2006 code ($54K).

Historical Significance: Excellent case study of the Eastern European browser RPG market (2006), warez scene script distribution, and early multi-server game architecture. It should be preserved as a cultural artifact, never deployed as a live game.

Overall Assessment & Star Ratings

Category | Rating | Commentary
Innovation & Originality | ★★★★☆☆☆☆☆☆ 4/10 | Gladiator theme unique but nulled commercial script reduces originality
Code Quality | ★★☆☆☆☆☆☆☆☆ 2/10 | Cracked code, Russian-only, windows-1251 encoding issues
Security Posture | ★☆☆☆☆☆☆☆☆☆ 1/10 | Pirated software from warez scene - may contain backdoors or malware
Documentation | ★★☆☆☆☆☆☆☆☆ 2/10 | readme.txt in Russian only, no English docs
Gameplay Design | ★★★★★★☆☆☆☆ 6/10 | Ancient Rome gladiator theme well-executed with battle system, senate
Technical Architecture | ★★★☆☆☆☆☆☆☆ 3/10 | OOP structure good but cracked, 20 tables, SPAW editor integration
Completeness | ★★★★★★★☆☆☆ 7/10 | Full commercial release with 1,035 files, forum, chat, admin panel
Historical Significance | ★★★★★★★★☆☆ 8/10 | UNIQUE: Nulled by AntiShare warez group, Ukrainian/Russian gaming history
Preservation Value | ★★★★★★★☆☆☆ 7/10 | Documents piracy culture, Eastern European browser RPGs, gladiator genre

Final Grade: D+

Summary: Gladiators v2 is a nulled/cracked commercial gladiator browser RPG from Ukraine/Russia (2006), representing the Eastern European gaming scene where commercial scripts were widely pirated. Every PHP file contains "This file decoded and nulled by NukLeoN [AnTiSh@Re]" showing warez group activity. Despite interesting gladiator mechanics (battle system, senate, arena), the pirated nature, Russian-only interface, and windows-1251 encoding make it unsafe and legally questionable. Valuable only as historical artifact of game piracy culture.

Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.