generic image
Processing...
  • Games
  • Catalog
  • Develop
  • Robux
  • Search in Players
  • Search in Games
  • Search in Catalog
  • Search in Groups
  • Search in Library
  • Log In
  • Sign Up
  • Games
  • Catalog
  • Develop
  • Robux
We use cookies to offer you a better experience. By using Roblox.com, you are agreeing to our Privacy and Cookie Policy.
   
ROBLOX Forum » Game Creation and Development » Scripters
Home Search
 

Break into the Read-Only Properties.

Previous Thread :: Next Thread 
cntkillme is not online. cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
05 Feb 2015 06:17 PM
NVM changing the real property isn't breaking into read-only
Report Abuse
DrMathematica is not online. DrMathematica
Joined: 29 Aug 2008
Total Posts: 27268
05 Feb 2015 06:17 PM
I'm not sure what your point here is.

Maybe you're not familiar enough with Lua to understand how 'userdata' is a special protected case introduced for C-sided work (hence why it went undocumented in Lua 5.1).

The userdata you've created cannot be "hacked," as you put it, because that is simply why userdata was made. Notice ROBLOX's objects are actually all carefully crafted C-data using a userdata to represent them. This protects them from Lua editing - which is why Lua libraries were also changed to be userdata.

Essentially, using a userdata is equivalent to creating an OOP-like object in the parent language (C++).

If you would have read up on userdata implementation or documentation (on the C side of the code) you would have already known this cannot be changed from a Lua script (not being its own).
Report Abuse
EliteDerper is not online. EliteDerper
Joined: 05 Feb 2012
Total Posts: 2288
05 Feb 2015 06:17 PM
weird....
it now sometimes does and sometimes gives me a error
Report Abuse
EliteDerper is not online. EliteDerper
Joined: 05 Feb 2012
Total Posts: 2288
05 Feb 2015 06:21 PM
nvm got it, placed a wait() at the beginning of script2

it now places the service into the workspace
Report Abuse
cntkillme is not online. cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
05 Feb 2015 06:22 PM
The point is to change a property from the read-only table, which I think is impossible right now. Changing the actual folder property is not doing what the OP is asking.
Report Abuse
warspyking is not online. warspyking
Joined: 15 Nov 2011
Total Posts: 13947
05 Feb 2015 06:22 PM
@Elite (about your next solution)

That wouldn't work either, your just changing the real folder's .Name

In your second script you also have to use these lines:

local Services = require(workspace.Services)
local game = Services:Setup()


cntkillme found a way to change the real folder's .Name even with the above, however I don't consider it valid since he never affected the read-only table.


@Seranok Just making sure people can't accidentally (no matter how bizarre it is, accidents happen) modify secure read-only values.
Report Abuse
warspyking is not online. warspyking
Joined: 15 Nov 2011
Total Posts: 13947
05 Feb 2015 06:25 PM
@DrMath

I understand that, also newproxy is completely removed in 5.2 (I'm glad we're on 5.1 atm on roblox)

I just wanted to make sure there was no haxxy use to allow bypassing into my read-only table. I've already acknowledged your points while creating it, but there are clever things out there, so you never know.
Report Abuse
cntkillme is not online. cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
05 Feb 2015 06:27 PM
Well the 'clever things' come from the programmer's side, not the userdata :)
Report Abuse
Seranok is not online. Seranok
Joined: 12 Dec 2009
Total Posts: 11083
05 Feb 2015 06:34 PM
I can think of numerous ways to bypass this. Here's one.

local Services = require(workspace.Services:Clone())
local game = Services:Setup()
local service = Services.new("Test", {})
getfenv(Services.new).rawget = function() end
print(service.Name)
--> Test
service.Name = "44"
print(service.Name)
--> 44

The problem is you will patch this and think "it's secure now." No it's not. There are numerous other ways to bypass this security, some of which no one knows about.
Report Abuse
EliteDerper is not online. EliteDerper
Joined: 05 Feb 2012
Total Posts: 2288
05 Feb 2015 06:39 PM
Well mine worked, it really placed it into workspace.
Report Abuse
cntkillme is not online. cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
05 Feb 2015 06:39 PM
God damnit I over thought this... How are you sera, I got in via him calling error and table.insert :(
Report Abuse
warspyking is not online. warspyking
Joined: 15 Nov 2011
Total Posts: 13947
05 Feb 2015 06:45 PM
@seranok

You are right, I did patch that, and I do think it's secure now. I also patched other things based around what you just did.

I challenge you to bypass it now.
Report Abuse
Seranok is not online. Seranok
Joined: 12 Dec 2009
Total Posts: 11083
05 Feb 2015 06:47 PM
Oh my gosh, what did I just say.

"You are right, I did patch that, and I do think it's secure now."

...

IT'S NOT SECURE! THERE ARE PROBABLY AT LEAST A DOZEN WAYS TO BYPASS IT. WHY ARE YOU TRYING TO SECURE THIS WHEN IT DOESN'T EVEN NEED SECURING? If the game creator wants to screw with your system, he can easily do it simply by removing the fake service from the data model etc.
Report Abuse
warspyking is not online. warspyking
Joined: 15 Nov 2011
Total Posts: 13947
05 Feb 2015 06:49 PM
@Elite you didn't modify a read-only property

You modified the real Folder object.

It don't count ;D
Report Abuse
cntkillme is not online. cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
05 Feb 2015 06:49 PM
sera it's probably for practice for him, obv. anyone can just edit the script.
Report Abuse
warspyking is not online. warspyking
Joined: 15 Nov 2011
Total Posts: 13947
05 Feb 2015 06:51 PM
@Sera It's an exercise for you to find bypasses, while it's practice for me to patch them.

Not to mention I think I patched most of your ideas.
Report Abuse
BowtieMod is not online. BowtieMod
Joined: 01 Apr 2013
Total Posts: 804
05 Feb 2015 06:52 PM
Bug: Manual modification of user memory causes value to change

Fix please
Report Abuse
EliteDerper is not online. EliteDerper
Joined: 05 Feb 2012
Total Posts: 2288
05 Feb 2015 06:54 PM
Guess what... game.Workspace.Services:Destroy()

end of the story :3
Report Abuse
warspyking is not online. warspyking
Joined: 15 Nov 2011
Total Posts: 13947
05 Feb 2015 06:57 PM
@Seranok I just patched an Instance table exploit, either pretend Instance is local, or reinsert :D
Report Abuse
Seranok is not online. Seranok
Joined: 12 Dec 2009
Total Posts: 11083
05 Feb 2015 06:58 PM
It's not worth my time.

You are ignoring obvious vulnerabilities because you expect attackers to only attack a very specific part of your script.

You think you can make your script secure by patching all the vulnerabilities you know about. Well this doesn't work. You know why? Because I can see vulnerabilities in your code right now, and I'm not going to tell you what they are. So you're going to have to live with the knowledge that your code is insecure.
Report Abuse
warspyking is not online. warspyking
Joined: 15 Nov 2011
Total Posts: 13947
05 Feb 2015 07:06 PM
@seranok

I honestly don't think you can change the ClassName atm. I patched many of the exploits you can probably find.
Report Abuse
EliteDerper is not online. EliteDerper
Joined: 05 Feb 2012
Total Posts: 2288
05 Feb 2015 07:08 PM
I think Seranok says its not possible.
And that you can't stop game developers from messing up your script.
Report Abuse
secretidagent is not online. secretidagent
Joined: 07 Nov 2010
Total Posts: 1600
05 Feb 2015 07:16 PM
Seranok is also saying that whatever patches you make, there will always be ways to bypass it. This is completely true.
Report Abuse
cntkillme is not online. cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
05 Feb 2015 07:18 PM
There are a bunch of vulnerabilities I can see but not sure if there is a way to write to the readonly table. :[
Report Abuse
cntkillme is not online. cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
05 Feb 2015 07:21 PM
Hehe figured it out hooray for global variables
Report Abuse
Previous Thread :: Next Thread 
Page 2 of 3Go to page: 1, [2], 3 Prev Next
 
 
ROBLOX Forum » Game Creation and Development » Scripters
   
 
   
  • About Us
  • Jobs
  • Blog
  • Parents
  • Help
  • Terms
  • Privacy

©2017 Roblox Corporation. Roblox, the Roblox logo, Robux, Bloxy, and Powering Imagination are among our registered and unregistered trademarks in the U.S. and other countries.



Progress
Starting Roblox...
Connecting to Players...
R R

Roblox is now loading. Get ready to play!

R R

You're moments away from getting into the game!

Click here for help

Check Remember my choice and click Launch Application in the dialog box above to join games faster in the future!

Gameplay sponsored by:
Loading 0% - Starting game...
Get more with Builders Club! Join Builders Club
Choose Your Avatar
I have an account
generic image