MAngband

1) Start a character with a character name that is longer than 8 characters (for example, a high elf mage named LongCharName); you will be connected as LongCharName, the high elf mage.
2) Start a second character with a name that starts with the same 8 characters (for example, a human warrior named LongCharNam); you will be connected as LongCharName, the high elf mage too!!!
So now you have 2 characters totally identical on the server...
Here comes the lamest way to exploit this...
- sell everything that both chars have
- take one char and buy a bow and arrows
- kill the other char
- pick up the cash
- now you have doubled your starting cash
- reconnect the second character (LongCharNam)
- check that the 2 chars are identical (sometimes the bug doesn't occur and a 'real' char is created)
- kill the second char again
- you now have 4x your starting cash
- repeat over and over... you only need 11x to get 1 million cash, 22x to get 1 billion and so on...

More testing reveals that the character name must be longer than 8 characters, maybe 10 or 11. The bug exploit worked with 'LongCharName' but not with 'LongChar'.
Moreover, it wouldn't be so easy to get infinite cash. The max amount a dead char can drop is 32k. So you would need around 40x to get a million, and then 30x more to get an additionnal million.

More testing reveals of course that the 'spare' cash can be used to buy endless amounts of items from the BM... that can be duplicated like the rest. Imagine getting endless amounts of stat pots, xp pots, weapons, armor parts... then connect a 'real' character and harvest the cheezed (at this point it's even the CHEATED) loot.
I hope this bug doesn't exist in all versions of Mang source... IIRC someone got banned on TomeNET for exploiting a bug like this and getting endless amounts of items and cash (including artifacts!).

That's a real problem.

Thank you for bringing this to our attention. I may see if I can find it myself.

Other developers, please don't wait for me to locate the problem. Let's get on this quickly, especially since the full details of the exploit are now published.

I suspect the mechanism that checks to see if a player is already in the game is flawed.

And while we're at it - PowerWyrm, that is a really insane find! Excellent work!

BTW, this only seems to occur on the ironman server. I tried to reproduce the bug on other servers but couldn't.
Probably related to the modifications Jug made.

Thanks for reporting this bug PowerWyrm.

It is likely that this is a bug with the Windows version of the MAngband server, as there are some differences in how names and such are handled.  I will investigate and fix this.

- Jug