Bay 12 Games Forum


Author Topic: Terraria - 1.3 released. Big Patch!  (Read 1319563 times)

eerr

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3210 on: June 06, 2011, 10:27:26 pm »

Now see, I just want to do duo terraria, from a (basically) clean start.

Who would be interested?
« Last Edit: June 06, 2011, 11:33:06 pm by eerr »
Logged

Shadowlord

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3211 on: June 06, 2011, 11:00:30 pm »

Meh, google gives me nothing. Explain.

That's because that "I cast the Spell of Mastery" was a reference to Master of Magic. I examined Terraria's network protocol / packet system, found that it was horribly insecure, and wrote a program which sits between the client and server and does certain things, either with button presses, or automatically if checkboxes are checked or what-have-you. It was all For Science!, of course. The last thing I did was figure out a way to crash a server, because I realized I hadn't done that yet and it was kind of obligatory that I have a button to do that just as a demonstration if I was going to send this to Red. Turns out that there's code in the server's networking routines which is supposed to prevent crashes by catching all exceptions that originate from networking stuff. I found a way around it, of course, by sending a packet which changes a field to something that it shouldn't be set to, which rather than causing an exception then, instead causes an exception later when the field is used in an unprotected section of code. The reason this is possible is because there's no input validation on pretty much anything the client sends - There are almost no checks to make sure things are in any kind of bounds or have sane values, and many packets don't verify whether the client sending them is the client being acted on (some packets force the player being acted on to be the player sending the packet).

So, what do I mean? These are all possible, and I've proven them all: The client can say "I have 30000 HP and 30000 max HP" and the server will do it. The client can say "By the way, I have a velocity of 0,-100" and the server will send the client's character rocketing up towards the top of the map. The client can say "Turn on Player 2's PVP flag" and the server will do it. The client can say "Player 3 explodes into a spray of blood now" and the server will do it. Creating lava and water was fairly easy. It's just a matter of telling the server (and the client) that liquid is being created on a specific tile (it's the same thing that's done when a bucket is dumped - the same packet is sent). The server just accepts it without question and creates the liquid as instructed.

I theorize that perhaps the networking was looked at from the point of view of making it so that when the client or server did something, it needed to send packets to tell the other how to replicate the changes to its state. In this way, it makes sense, but it's terrible for security. (There are packets for things like doing damage, creating and destroying tiles and walls, killing players, changing your life and mana, setting the player's position and velocity and sending its controls and facing and such, but no packets for what you'd expect if it implemented things as the client sending actions to the server to be simulated and sent back, e.g. use bucket on tile, mine tile, hammer tile, use weapon, etc - combat and all these things are all client-side, with the client determining the results and sending messages indicating changes to the worldstate to the server. The client-side simulation of the world goes so far that you can remove items from the world and put them in your inventory after the server crashes, and they'll still be in the world when the server comes back up because you only removed them in the client's simulation of the world. There was no server listening to the client saying "So I just dismantled this hellforge in the world, and there's a hellforge in my inventory now," and the lack of a server on the other end doesn't stop the client from letting you do it, if you do it before your client realizes that nobody's answering it (which takes several minutes).)

I intend to send my source code to Red at some point so he can see what weaknesses I've found, but first I'll have to upload it somewhere (preferably using svn or something) and second find an email address for him or the like. Or perhaps PM him on the Terraria Online forums.

Note: The program I wrote for this is a separate program which I wrote from scratch, not a modified version of Terraria, and is not based on Terraria, unlike what I have heard other people have done (I don't know if anyone has done anything as comprehensive, either, but it would be difficult to know, considering the rules on the Terraria Online forums forbid talking about this kind of thing).
Logged
<Dakkan> There are human laws, and then there are laws of physics. I don't bike in the city because of the second.
Dwarf Fortress Map Archive
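
Added example (not part of the post above, and not Terraria's code): a server-side check of the kind whose absence the post describes, rejecting wrong-typed or out-of-range values and packets whose target is not the sender at the moment they are received. The packet kinds, field names and limits are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed limits for illustration; none of these values come from the post.
HP_CAP, MAX_SPEED, REACH, WORLD_W, WORLD_H = 400, 16.0, 6, 4200, 1200
SELF_ONLY = {"life", "velocity", "pvp", "kill"}  # packets that act on one player

@dataclass
class Packet:
    sender: int   # slot the server bound to this connection (trusted)
    kind: str     # hypothetical packet names, not Terraria's wire format
    fields: dict  # everything the client claims (untrusted)

def num(fields, key, lo, hi, integer=True):
    """Fetch a numeric field; reject wrong types and out-of-range values."""
    v = fields.get(key)
    if isinstance(v, bool) or not isinstance(v, int if integer else (int, float)):
        raise ValueError(f"{key}: missing or wrong type")
    if not lo <= v <= hi:  # NaN fails this comparison as well
        raise ValueError(f"{key}: {v!r} outside [{lo}, {hi}]")
    return v

def validate(pkt, players):
    """Return (accepted, reason); players maps slot -> server-side state."""
    me, f = players[pkt.sender], pkt.fields
    try:
        if pkt.kind in SELF_ONLY and f.get("target") != pkt.sender:
            raise ValueError("target is not the sending player")
        if pkt.kind == "life":  # max HP is server state, never taken from the client
            num(f, "hp", 0, min(me["max_hp"], HP_CAP))
        elif pkt.kind == "velocity":
            num(f, "vx", -MAX_SPEED, MAX_SPEED, integer=False)
            num(f, "vy", -MAX_SPEED, MAX_SPEED, integer=False)
        elif pkt.kind == "liquid":
            x, y = num(f, "x", 0, WORLD_W - 1), num(f, "y", 0, WORLD_H - 1)
            if max(abs(x - me["x"]), abs(y - me["y"])) > REACH:
                raise ValueError("tile out of reach")
        elif pkt.kind not in SELF_ONLY:
            raise ValueError("unknown packet kind")
        return True, "ok"
    except ValueError as e:
        return False, str(e)

# Constructed server state and packets mirroring the claims listed in the post.
PLAYERS = {1: {"max_hp": 100, "x": 50, "y": 300}, 2: {"max_hp": 100, "x": 90, "y": 300}}
SAMPLES = [Packet(1, "life", {"target": 1, "hp": 30000}),
           Packet(1, "velocity", {"target": 1, "vx": 0, "vy": -100}),
           Packet(1, "pvp", {"target": 2}),
           Packet(1, "liquid", {"x": 4000, "y": 10})]
for _p in SAMPLES:
    print(_p.kind, validate(_p, PLAYERS))
```

Because a bad field is refused on arrival, it never reaches state that later, unprotected code would read.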

Micro102

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3212 on: June 06, 2011, 11:06:59 pm »

Ok, I'm a little disappointed. My area has no caves and has large corrupted areas on both sides making it nearly impossible to pass through.

Next is that you have to walk too far away from your spawn to reach new stuff. Take Minecraft for example. You had multiple new directions to travel in because it was 3D, so you have to walk at least 7 times the distance in Terraria to find new stuff.

And then I found out you lose money when you die... a lot of money.


So I am in my world with a nice little town built and some starter stuff that I don't want to lose. Yet I am surrounded by deadly terrain in which I can't pass lest I lose all my money (urg I just realized I can put the money in a chest, o well, continuing), and I'm not digging a mineshaft till I hit stuff.

So here are the questions.

1) Can I bring my guy and all his items over to another world?

2) Can I turn off money loss at death?

3) Do I need something other than that special powder to cleanse corruption?

4) How do you place sunflowers?

3) Don't even need that. Just use a pick, dig it away.

Yeah I figured that out in my new world like, 5 minutes before checking this thread XD

And skybridges are just cheap, doesn't give me the satisfaction.



Another question. To get an NPC to move in, do you need a door leading to the outside? Because I've got a room on my second floor connected to a main stairway and no one has moved in for days despite filling all the requirements.
« Last Edit: June 06, 2011, 11:10:12 pm by Micro102 »
Logged

Shadowlord

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3213 on: June 06, 2011, 11:09:13 pm »

Skybridges are great for collecting falling stars, though. Hmm, I wonder, if they're placed at the very top of the map...
Logged
<Dakkan> There are human laws, and then there are laws of physics. I don't bike in the city because of the second.
Dwarf Fortress Map Archive

eerr

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3214 on: June 06, 2011, 11:17:30 pm »

Skybridges are great for collecting falling stars, though. Hmm, I wonder, if they're placed at the very top of the map...

Too high, you'll miss most of the stars.
Stars, and probably meteors, spawn high, but not from the very top of the map. I know this because I saw a star spawn under my skybridge, falling somewhere underneath.

I also have a theory that even though mobs spawn up to 5-10 normally, they can queue up to spawn on you thus holding the max for quite a while. Also, when they despawn they roam invisible and unspawned.

Goblins are the epitome of this.
You can meet that goblin army coming from the west if you are in the same spot as the invisible traveling goblin army.
Logged

Thexor

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3215 on: June 06, 2011, 11:32:40 pm »

Meh, google gives me nothing. Explain.

*snip*


I have but a single word response: lol.

...to expand, I'm split between crediting you for exploiting their netcode that easily, and being really, really shocked that it's that vulnerable. Seriously, there's no excuse for sending anything besides raw instruction packets back and forth to the server. Throw in a bit of client-side prediction so the player still gets instant feedback on their actions, consider adding some lag prediction to the server if latency is a threat, and voilà, you've got a passable online game. Having anything besides input commands being sent client --> server is a recipe for disaster. (Decent reading on the subject: here.)

Of course, to be honest, from the snatches of code I've seen Terraria is a horribly-written piece of code, so perhaps the insecure netcode shouldn't be a surprise. A while ago, we talked about the Shadow Orb counting code. They have one boolean for "has a shadow orb been smashed?", and a second integer for "number of shadow orbs smashed". "But why," you might ask, "do they need this? After all, couldn't you just check if the count of smashed shadow orbs is greater than 0?" Well, because the counter actually resets every time it hits three, summoning an EoW and reverting to 0. Now, the sane solution here is to have a single integer value that maintains an accurate count of shadow orbs smashed, using the check "X > 0" instead of a boolean for goblin invasions and "X%3 == 0" to summon EoWs. Instead, they have two specialized variables for two different conditions, and adding a third shadow-orb-based condition later in development would require a third variable to be tracked.  ::)
Logged
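
Added example (not part of the post above, and not Terraria's code): the input-command design with client-side prediction that the post recommends, reduced to one axis of movement. The message fields, `SPEED`, and the strict in-order sequence check (which assumes a reliable, ordered transport) are assumptions made for illustration.

```python
SPEED = 2                                   # assumed distance moved per input
MOVES = {"left": -1, "right": 1, "idle": 0}

def step(x, cmd):
    """Shared movement rule: the only way a position can change."""
    return x + SPEED * MOVES[cmd]

class Server:
    def __init__(self):
        self.x, self.last_seq = 0, 0

    def receive(self, msg):
        # Only the command and its sequence number are read. Unknown commands
        # and replayed or out-of-order sequence numbers change nothing.
        seq, cmd = msg.get("seq"), msg.get("cmd")
        if cmd in MOVES and isinstance(seq, int) and seq == self.last_seq + 1:
            self.x, self.last_seq = step(self.x, cmd), seq
        return {"x": self.x, "ack": self.last_seq}

class Client:
    def __init__(self):
        self.x, self.seq, self.pending = 0, 0, []

    def press(self, cmd):
        """Predict locally for instant feedback; keep the input until acked."""
        self.seq += 1
        self.pending.append((self.seq, cmd))
        self.x = step(self.x, cmd)
        return {"seq": self.seq, "cmd": cmd}

    def reconcile(self, state):
        """Adopt the server's position, then replay inputs it has not seen."""
        self.pending = [(s, c) for s, c in self.pending if s > state["ack"]]
        self.x = state["x"]
        for _, c in self.pending:
            self.x = step(self.x, c)

def demo():
    server, client = Server(), Client()
    m1, m2 = client.press("right"), client.press("right")  # client predicts x = 4
    client.x = 30000         # constructed: local state altered on the client
    m1["x"] = 30000          # constructed: extra claimed field, never read
    client.reconcile(server.receive(m1))   # server x = 2, m2 still in flight
    mid = client.x                         # 2 plus the replayed m2 gives 4
    client.reconcile(server.receive(m2))
    return mid, client.x, server.x

print(demo())
```

The server's position depends only on the accepted commands, so whatever the client claims about its own state is overwritten at the next reconcile.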

Koja

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3216 on: June 06, 2011, 11:51:18 pm »

@eerr- I would. Rook42 on steam.
Logged
~~
"Zombie fish have the added benefit of not needing to breathe. Thus they can wade out of the water with little to fear but bigger zombie fish" -Willfor

Max White

  • Bay Watcher
  • Still not hollowed!
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3217 on: June 07, 2011, 12:11:12 am »

~Code rant~
WELL AT LEAST IT ALL RUNS AND THAT IS THE REAL MEASURE OF GOOD CODE, AMIRITE?
/Sarcastic yelling.

Yea, from the released code, there seems to be a lot more wrong than right. I have been on rants about what was done wrong myself (IT IS CALLED STATE PATTERN DAMN IT! GET RID OF THOSE BLOCKS OF IFS AND DO IT RIGHT!!!)

Ah well, Redigit really is more of a game developer than a programmer, because it is a good game, but from a programming point of view, it is like watching a pile of junk stand up and walk around the room, Howl's Moving Castle style. You are in awe of how badly it was made, yet somehow, beyond all reason, it still works.

EDIT: Wait. Wait... You were talking about how they handled shadow orbs and the eater of worlds... Neither of these things were in the early alpha source leek. Was a more recent version, with code for bosses and such, released?

Urist Imiknorris

  • Bay Watcher
  • In the flesh, on the phone and in your account...
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3218 on: June 07, 2011, 12:19:37 am »

There was a second leak. IIRC it was from about when the falling stars were bugged.
Logged
Quote from: LordSlowpoke
I don't know how it works. It does.
Quote from: Jim Groovester
YOU CANT NOT HAVE SUSPECTS IN A GAME OF MAFIA

ITS THE WHOLE POINT OF THE GAME
Quote from: Cheeetar
If Tiruin redirected the lynch, then this means that, and... the Illuminati! Of course!

Max White

  • Bay Watcher
  • Still not hollowed!
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3219 on: June 07, 2011, 12:20:35 am »

While I know about the second leek, it came with code?
I got the first one just for the code, but the second had none. Was I missing something?

Thexor

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3220 on: June 07, 2011, 12:39:36 am »

No, this wasn't from the leak - it was reverse-engineered from the release code. Someone was digging around for information about Goblin Invasions, namely what conditions must be met to trigger them. There was a link to it a while back in this thread, but I can't find it and TerrariaOnline seems to be down at the moment, so here's a Google Cache of the page. The post in question is number 12, by OkieSmokie. The second page of that thread is cached here, where it's mentioned he used ILDASM to disassemble the code and manually reconstructed the C# from that.
Logged

Shadowlord

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3221 on: June 07, 2011, 01:03:43 am »

I don't think there's ever been a leak at all, if the program got out at the same time as the source appeared to (or shortly before). .NET programs can be easily decompiled, and there are several programs available to do it, both free and otherwise. (Using ILDASM and reconstructing the source is the hard way, all the work has been done so that you (a theoretical you) don't actually have to do that.)

I think there are actual steps that Red could take to improve Terraria's client-server security in the next few versions, without having to rewrite the network protocol altogether (which may end up being too much work to be acceptable). Of course, it probably wouldn't be possible to completely lock everything down without rewriting the networking protocol, simply due to the way it's written now...
Logged
<Dakkan> There are human laws, and then there are laws of physics. I don't bike in the city because of the second.
Dwarf Fortress Map Archive

Jay

  • Bay Watcher
  • ☼Not Dead Yet☼
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3222 on: June 07, 2011, 01:10:30 am »

I don't think there's ever been a leak at all
What exactly do you call the two versions that were leaked before the release, then?

And on an entirely different note...
leek
...
Logged
Mishimanriz: Histories of Pegasi and Dictionaries

Shadowlord

  • Bay Watcher
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3223 on: June 07, 2011, 01:18:00 am »

I don't think there's ever been a leak at all
What exactly do you call the two versions that were leaked before the release, then?

OBJECTION! There was an if statement in my post which invalidates your question!
Logged
<Dakkan> There are human laws, and then there are laws of physics. I don't bike in the city because of the second.
Dwarf Fortress Map Archive

Max White

  • Bay Watcher
  • Still not hollowed!
Re: Terraria - Updated: Sunglasses, console server, and more!
« Reply #3224 on: June 07, 2011, 02:12:17 am »

Tells you how to get tied to a project, and that may or may not be a good thing, depending on what you want.