P.S. I never did find any way to contact Red via email about the exploits that I had found. Happily, most of them were fixed or blocked in 1.0.4. There are a couple that still work, however, and some that I'm not certain why they aren't working, and one that is... strange. I wouldn't be surprised if he or Blue has been checking this thread, though, so that might make this as good a place as any to report on it.
Things that still work:
Placing hellstone brick wall tiles still works, which means it's still possible to manipulate tiles and stuff. The Terraria Online forums have reports of people being kicked for spamming tile removal or adding, so clearly that's addressing a different exploit (or mass dynamiting?).
Modified max mana and life remain as they were. So (a) anyone that already had ludicrous amounts of life or mana will still have them, (b) anyone who modifies their copy of Terraria or uses 1.0.3 in order to gain ludicrous amounts of life or mana will be able to have them, or (c) anyone who edits their character file to give themselves ludicrous amounts of life or mana can still get them as well. (d) They could probably also use a memory editor. The server should probably be checking to make sure everyone has no more than 400 life/maxlife and 200 mana/maxmana. Of course, at the moment, if it told a client to change its life or mana, the client would probably ignore it...
The instakill button can instakill you, not that that's terribly useful.
Things that appear to have been fixed:
Life and mana (and max life and mana) manipulation aren't working, but the fix for it appears to be client-side (as in the client ignores all life and mana update packets from the server which are about its own character, effectively stopping anyone from telling it that its client's amount of life/mana has changed), which is a bizarre way to implement security, and the only reason it would even work is if (and apparently this is so) all the cases where the client's character can gain maxlife or maxmana, or gain life or mana, are all handled client-side rather than server-side. If someone was modifying the client that check would not be a problem. I think I see another way to get around it, but haven't tested it - it might not work. (That would be by sending a packet to change the variable that's blocking it before setting life/maxLife, then changing it back, but I have no idea what kind of horrible gamebreaking problems it might cause, and obviously there's an easy fix: making the client ignore that packet after it receives it the first time.)
Creating items in the world isn't working, and so far it isn't obvious why.
Altering velocity to enable flight was cleverly blocked.
NPC polymorphing no longer works (not that it ever fully worked, since it caused clients to desync / lose connection), since the server ignores the packet which does it now - it was only ever intended to be listened to by clients.
The lava and water creation exploit is also not working, but it appears that this is probably because it is doing a check for the lava or water being out of bounds, and in my case it must be.
You can no longer toggle the PVP flag on other players.
You can no longer use the instakill packet on other players.
The server crash exploit I found no longer works either - and, since it's fixed, I can now say that it worked by setting selectedItem to a negative value. I used -10 at random. (That crash exploit only took a few minutes to find, by the way.)
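
The server-side checks this post calls for (life and mana caps, a bounds check on selectedItem, dropping client-bound packets, refusing changes aimed at other players) can be sketched as one validation function. This is an added example, not part of the original post and not Terraria's code; the message kinds, field names and the inventory slot count are assumptions, and only the 400/200 caps and the -10 value come from the post.

```python
MAX_LIFE, MAX_MANA = 400, 200   # caps named in the post
INVENTORY_SLOTS = 44            # assumed slot count, not from the post

# Hypothetical message kinds; real Terraria packet ids are not on the page.
CLIENT_ONLY = {"npc_transform"}  # meant for clients; a server should drop it
STAT_CAPS = {"life": MAX_LIFE, "mana": MAX_MANA}
SELF_ONLY = {"life", "mana", "select_item", "set_pvp", "kill"}


def is_int(v):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool)


def validate(sender_id, msg):
    """Return (accepted, reason) for one decoded client message (a dict)."""
    kind = msg.get("kind")
    if kind in CLIENT_ONLY:
        return False, "client-bound message received by server"
    if kind not in SELF_ONLY:
        return False, "unknown message kind"
    if msg.get("target") != sender_id:
        return False, "message targets another player"
    if kind in STAT_CAPS:
        cur, cap = msg.get("current"), msg.get("maximum")
        if not (is_int(cur) and is_int(cap)):
            return False, "non-integer stat"
        if not 0 <= cur <= cap <= STAT_CAPS[kind]:
            return False, f"{kind} outside 0..{STAT_CAPS[kind]}"
    elif kind == "select_item":
        slot = msg.get("slot")
        if not is_int(slot) or not 0 <= slot < INVENTORY_SLOTS:
            return False, "selected item index out of range"
    return True, "ok"


# Constructed sample messages from player 1, covering the cases in the post.
SAMPLES = [
    {"kind": "life", "target": 1, "current": 400, "maximum": 400},
    {"kind": "life", "target": 1, "current": 9999, "maximum": 9999},
    {"kind": "mana", "target": 1, "current": 50, "maximum": 201},
    {"kind": "select_item", "target": 1, "slot": -10},
    {"kind": "set_pvp", "target": 2},
    {"kind": "kill", "target": 2},
    {"kind": "kill", "target": 1},
    {"kind": "npc_transform", "target": 1},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(validate(1, m), m)
```

Because every check runs on the server against the sender's connection id, a modified client or an edited character file cannot bypass it the way it can bypass a client-side filter.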