08-05-2004, 09:45 PM
There is one way in which foreign clients can cause your base statistics to be modified as part of normal gameplay; I have not researched whether they could invoke this arbitrarily, or whether they need certain additional circumstances. Also, with regard to the sending of foreign character data: it sounds rather silly to support it at all, as Lemming suggested.
To extend on his statement, I just checked through the character-data-received handler. The index into which the data is stored is derived from the sending player's ID, which is computed from his IP address. In short, he'd need to convince your system that it had received the data from itself to even begin. It gets better. Not only would this be a very difficult task on account of getting the sequence numbers right (and relying on the client to even process self-sent datagrams, which is a bit unlikely except as a possible accident of insufficient checking), but the receipt handler explicitly ignores data sent from the local ID#. In short, it is impossible to overwrite the local character using a character-data-properties command.
If anyone would like to suggest other commands which might be useful in remotely hacking character data, please feel free to suggest them so I can check the code and debunk them. Also, DiabloSaver does have a habit of screwing up characters when you try to modify them with it. As a very minor counterpoint to Lemming's challenge of Blizzard adding useless things, I'd like to point out how many half-finished features Diablo has in it. So, there *are* quite a few things that are in the game that you can't use on account of them being turned off (such as Incinerators, Reality Weavers, Undead Balrogs, The Mangler, etc.)
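The receipt check described in the post above, sketched as an added example (it is not Diablo's code and not part of the original post). The session layout, names and sizes are hypothetical, and `sender_id` stands for the player ID the transport layer derived for the datagram's source.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PLAYERS   4   /* assumed session size */
#define CHAR_DATA_LEN 64  /* assumed record size (constructed) */

enum rx_result { RX_STORED, RX_IGNORED_LOCAL, RX_BAD_SENDER, RX_BAD_LENGTH };

struct session {
    uint8_t local_id;                          /* this client's own slot */
    uint8_t slot[MAX_PLAYERS][CHAR_DATA_LEN];  /* one record per player */
};

/* The destination slot comes only from the sender's ID, never from a field
 * inside the payload, and data attributed to the local ID is dropped. */
enum rx_result on_char_data(struct session *s, uint8_t sender_id,
                            const uint8_t *payload, size_t len)
{
    if (sender_id >= MAX_PLAYERS)   return RX_BAD_SENDER;    /* bounds check */
    if (sender_id == s->local_id)   return RX_IGNORED_LOCAL; /* self-sent */
    if (len != CHAR_DATA_LEN)       return RX_BAD_LENGTH;    /* exact size */
    memcpy(s->slot[sender_id], payload, len);
    return RX_STORED;
}

/* Constructed check: deliver one datagram attributed to sender_id and return
 * the handler's verdict, or -1 if the local record was modified. */
int deliver(uint8_t sender_id, size_t len)
{
    struct session s;
    uint8_t data[CHAR_DATA_LEN + 8];
    memset(&s, 0, sizeof s);
    s.local_id = 1;
    memset(s.slot[s.local_id], 0xAA, CHAR_DATA_LEN); /* local character */
    memset(data, 0xFF, sizeof data);                 /* foreign data */
    enum rx_result r = on_char_data(&s, sender_id, data, len);
    for (size_t i = 0; i < CHAR_DATA_LEN; i++)
        if (s.slot[s.local_id][i] != 0xAA) return -1;
    return (int)r;
}

int main(void)
{
    printf("from local id: %d\n", deliver(1, CHAR_DATA_LEN));
    printf("from peer id:  %d\n", deliver(2, CHAR_DATA_LEN));
    return 0;
}
```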