|
| 05 Feb 2015 01:27 PM |
Alright, I made a custom services script, and I need to make sure people can't accidentally break it. I would like you to do everything in your will power (except modifying the script source) to change a read-only value of a service.
Here's a bit of code to start you off:
local Services = require(workspace.Services) local game = Services:Setup()
local serv = Services.new("Name", {})
--Try to change serv.Name or serv.ClassName or serv.Parent
Anybody who can break into this will be helping me solve a security vulnerability, thanks to anyone who tries. |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:42 PM |
For people too lazy to grab it from my models:
http://www.roblox.com/ServicesModule-3-0-item?id=211206714
I suppose it's a good sign nobody has posted code here that can break in. I must've done my job properly :D |
|
|
| Report Abuse |
|
|
eLunate
|
  |
| Joined: 29 Jul 2014 |
| Total Posts: 13268 |
|
|
| 05 Feb 2015 05:43 PM |
| I can't be bothered to look but wrapper. |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:46 PM |
lemmie see... i liek dis kinda stuff :333 prepare to die securiti :3 |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:47 PM |
| @Elite lol, I look forward to watching you try (and hopefully fail) to modify the properties. |
|
|
| Report Abuse |
|
|
cntkillme
|
  |
| Joined: 07 Apr 2008 |
| Total Posts: 44956 |
|
|
| 05 Feb 2015 05:48 PM |
You mean hopefully pass so you can patch it? I'll attempt once studio decides to be nice and finish updating |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:50 PM |
@cnt No, I hope he fails and there is no vulnerabilities I have to fix :D
Hopefully it's already completely secure, but then again, the purpose of this thread is to make sure someone don't accidentally break the script somehow :D |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:50 PM |
umm... I think I did something wrong?
local serv = require(script.Services) local gam = serv:Setup()
serv.new = function() print("PAINCAKES") end
local derb = serv.new("SCRUUUUUUB",{}) |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:52 PM |
well this script also doesn't work...
local Services = require(workspace.Services) local game = Services:Setup()
local serv = Services.new("Name", {})
--> 00:51:45.031 - Workspace.Script:4: Attempt to create service 'Name' that already exists |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:52 PM |
serv.new = function() print("PAINCAKES") end
Yeaaaaaaa no.
Also you're supposed to change it to
local game = Services:Setup()
so it can wrap up game and you can properly access the services from game |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:54 PM |
Obviously the service Name already exists.
Possiblities:
A) You created a service called Name already OR B) ROBLOX has a service called Name. |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:54 PM |
BTW Attempting to add/change indexes in Services will error ;D
Don't even attempt rawset, it's a userdata :D |
|
|
| Report Abuse |
|
|
| |
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 05 Feb 2015 05:57 PM |
The __newindex event doesn't fire if the key already exists.
local service = Services.new("Name", { Hacked = false }) print(service.Hacked) --> false service.Hacked = true print(service.Hacked) --> true |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:58 PM |
| So Elite, have you tried any further investigations? Cause obviously creating multiple services with the same name has failed you, and so has attempting to change a userdata's .new function (located in a table which the __index metamethod of the locked userdata's metatable directs you too :D) |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 05:59 PM |
@Seranok You're allowed to change and add properties you've added. The point here is to modify .ClassName .Name or .Parent :D
Hope you enjoy this exercise as it helps me and you :D |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 06:02 PM |
ohhh yus I do :3
local Services = require(script.Services) local game = Services:Setup()
local serv = Services.new(nil, {})
serv.Changed:connect(function() serv.Parent = game.Workspace end) |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 06:03 PM |
so long its not a string it'll break I guess...
this means no numbers (not sure about that), also no tables, booleans, ... |
|
|
| Report Abuse |
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 05 Feb 2015 06:03 PM |
local service = Services.new("CustomService", {}) game:FindFirstChild("CustomService").Parent = nil
|
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 06:09 PM |
@Ser You have to use
local game = Services:Setup()
in order for the game wrapper to work. The point here is to change the read-only properties after you use the require and setup (and create a service)
Trying to bypass by not using the initial functions required technically isn't a bypass, it's neglect to read the documentation included :D |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 06:13 PM |
I DID IT :D
First script: local Services = require(script.Services) local game = Services:Setup()
local serv = Services.new("paincakedeliveri", {})
Second script: local scr = script.Parent.LOL.Services
scr.Parent = game.Lighting wait() game.paincakedeliveri.Parent = game.Workspace wait() scr.Parent = script |
|
|
| Report Abuse |
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 05 Feb 2015 06:13 PM |
| But if someone is using this module in their game, and wants to bypass its security, they can easily do so. So I don't see what you're trying to protect against. |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 06:13 PM |
@Elite
That's interesting, I guess I forgot to check if that's a string or not.
Besides, that would error anyway. So it don't matter anyway, you didn't change it, you actually just errored. |
|
|
| Report Abuse |
|
|
cntkillme
|
  |
| Joined: 07 Apr 2008 |
| Total Posts: 44956 |
|
|
| 05 Feb 2015 06:15 PM |
local Services = require(workspace.Services) local game = Services:Setup()
local serv = Services.new("asd", {}) local z = Instance.new("Part") serv.x = 5; serv:Add(z); print(serv.Parent); z.Parent.Parent = nil; print(z.Parent);
Will change the real property |
|
|
| Report Abuse |
|
|
|
| 05 Feb 2015 06:16 PM |
| Actually it really placed it into the workspace. |
|
|
| Report Abuse |
|
|