|
| 12 Jan 2017 04:51 PM |
| Since I'm using FE in all of my projects at this point, RemoteEvents and RemoteFunctions are super important to anything I make. But, it seems really insecure to send a string "GiveMoney" and an attached value to the server, because then it barely even takes intelligence to exploit. Instead of using "GiveMoney" as my passing argument between the server and the client, how can I encrypt the string so it's far less obvious? Thanks! :^) |
|
| 12 Jan 2017 04:53 PM |
| Don't name it "GiveMoney". |
|
TaaRt
|
  |
| Joined: 26 Apr 2009 |
| Total Posts: 5039 |
|
|
| 12 Jan 2017 04:53 PM |
| BASE64 is inexpensive and would outsmarten your average skid by far |
|
| 12 Jan 2017 04:54 PM |
@Intended
You're right... I'll name it "DontGiveMoney"
these nerds won't know what hit them >:^) |
|
| 12 Jan 2017 04:59 PM |
If you're that concerned, here's a random naming function I wrote that's not really "encryption" (Because you can't decrypt) but it will hide your stuff. It's probably inefficient too, as somebody will say:
function generatesafename()
    -- Character pools the random name is built from
    local letters = {"A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z"}
    local specialchars = {"!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "-", "_", "+", "=", "[", "]", "|", "~", "`", "{", "}", "[", "]", "/", "?", ":", ";", ",", "."}
    local numbers = {0,1,2,3,4,5,6,7,8,9}
    local string1 = ""
    -- Append between 1 and 100 random groups of characters
    for i = 1, math.random(1, 100) do
        local x = math.random(1, 3)
        local rl = letters[math.random(1, #letters)]
        local sc = specialchars[math.random(1, #specialchars)]
        local n = numbers[math.random(1, #numbers)]
        if x == 1 then
            string1 = string1..rl
            string1 = string1..sc
            string1 = string1..n
        elseif x == 2 then
            string1 = string1..sc
            string1 = string1..n
        elseif x == 3 then
            string1 = string1..rl
            string1 = string1..n
        end
    end
    return string1
end
|
| 12 Jan 2017 05:00 PM |
| Exceptional. Now they're censoring the alphabet. |
|
noliCAIKS
|
  |
| Joined: 08 Mar 2010 |
| Total Posts: 917 |
|
|
| 12 Jan 2017 05:00 PM |
You could try using this: http://wiki.roblox.com/index.php?title=User:NoliCAIKS/Code/Encryption
It works by using the same key during both the encryption and decryption. I don't think it's possible to decrypt without knowing the key. A key can be any string but try not to make it too long or it might slow things down, but try to make it as random as possible so people can't guess it. |
|
| 12 Jan 2017 05:03 PM |
I had no idea you were still around, Noli. :v
You're the reason I now understand metatables. |
|
| 12 Jan 2017 05:04 PM |
Ooh, noli, that's cool! I'm totally going to use that |
|
noliCAIKS
|
  |
| Joined: 08 Mar 2010 |
| Total Posts: 917 |
|
|
| 12 Jan 2017 05:07 PM |
I forgot to mention, but using this you can use a different key for every client as well. Just let the LocalScript generate a key using math.random(255) combined with string.char, then send that to the server once and keep it stored in a table to memorize it.
For generating the key you could do something like this:
local length = 8
local t = {}
for i = 1, length do
    t[i] = string.char(math.random(255))
end
local key = table.concat(t)
Then pass that key to the server with a RemoteEvent or RemoteFunction, and store it in a lookup table: keys[player] = key |
|
| 12 Jan 2017 05:11 PM |
Your network model sucks. You're better off disabling FE than creating a remote event which allows the client to give themselves currency lol
handle that stuff on the server |
|
noliCAIKS
|
  |
| Joined: 08 Mar 2010 |
| Total Posts: 917 |
|
|
| 12 Jan 2017 05:11 PM |
One more thing, I'm not sure if this is necessary but just to be safe it's best to enable weak table keys for the encryption keys table. This ensures that memory leaks don't occur when players leave the game.
keys = setmetatable({}, {__mode = "k"})
|
| 12 Jan 2017 05:15 PM |
Sounds good, but doesn't sending the key through the server defeat the whole purpose? Since potential exploiters will be monitoring the remote events...
My idea is to use a function that uses their username (which can be understood by both the client and server) and have the same function on both sides that makes the encryption/decryption key (with the contents of their username).
This way, both the server and the client will know the key without it ever being passed, which makes it very unlikely that it can be monitored. |
|
| 12 Jan 2017 05:15 PM |
If you have a RemoteEvent that allows the client to give themselves money, you are doing it all wrong and need to learn how to do networking properly.
|
| 12 Jan 2017 05:16 PM |
| You wouldn't have to worry about encryption in the first place if you just handled important values on the server |
|
| 12 Jan 2017 05:17 PM |
Also... guys...
What I said in OP was an exaggeration. Clearly I could make things more complicated with varied names, using multiple events, etc, to confuse whoever is exploiting. My point is that if I wanted to send a message that is supposed to be hidden from the server to the client, it would be easier (and more ba imo) to encrypt it. |
|
noliCAIKS
|
  |
| Joined: 08 Mar 2010 |
| Total Posts: 917 |
|
|
| 12 Jan 2017 05:21 PM |
| @Void_Optics That should work as long as people don't figure out their username is being used as the key. However, yes, it is indeed an option to literally use the username as the key. Alternatively you could convert the UserId to a string using string.format("%08x", player.UserId). Perhaps you could even do something like string.format("%08x", (player.UserId * player.AccountAge + MAGIC_NUMBER) % ############ where you replace MAGIC_NUMBER by a secret number of your liking between 0 and ########### as long as you don't reveal the number you chose on the forums, people won't be able to use this thread to hack your game either. |
|
| 12 Jan 2017 05:22 PM |
| Your network model still sucks if there's any way to meaningfully exploit through your game's remotes |
|
noliCAIKS
|
  |
| Joined: 08 Mar 2010 |
| Total Posts: 917 |
|
|
| 12 Jan 2017 05:22 PM |
| The thing that got censored in my previous message was the decimal notation of 2^32. Just wanted to clear that up. |
|
| 12 Jan 2017 05:22 PM |
| Thanks, you've been very helpful :^) |
|
| 12 Jan 2017 05:24 PM |
| ###### I'm not sure what you mean... At some point along the line (in this HYPOTHETICAL situation) the client will have to tell the server to reward the client. |
|
| 12 Jan 2017 05:25 PM |
| It actually just censored the name bob by. This is ridiculous. (remove space between bob and by SHHH DONT TELL ANYONE I TYPED THAT) |
|
| 12 Jan 2017 05:26 PM |
Then you're doing it wrong. The server should decide to reward the client and let the client know they've been rewarded.
You should only be handling interfaces, input and stuff like client-side animations and physics on the client, not sensitive data. |
|
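The server-side handling the replies above keep pointing to, as an added example that is not from any poster in this thread: the client may only say which coin it touched, and the server decides whether a reward happens and how large it is. It is a Roblox server Script, and the instance names (CollectCoin, RewardGranted, Coins, leaderstats.Money) are assumptions made for the example.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not code from the thread.
-- Assumed instances: RemoteEvents "CollectCoin" and "RewardGranted" in
-- ReplicatedStorage, a "Coins" folder of parts in workspace, leaderstats.Money.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local collectCoin = ReplicatedStorage:WaitForChild("CollectCoin")     -- client -> server
local rewardGranted = ReplicatedStorage:WaitForChild("RewardGranted") -- server -> client
local coinsFolder = workspace:WaitForChild("Coins")

local COIN_VALUE = 10     -- the amount lives on the server and is never read from the client
local MAX_DISTANCE = 12   -- studs the character may be from the coin
local MIN_INTERVAL = 0.25 -- seconds between requests accepted from one player

-- Weak keys so entries for players who left can be collected, as suggested in the thread
local lastRequest = setmetatable({}, {__mode = "k"})

local function isValidRequest(player, coin)
	-- Every argument after `player` is client-controlled: check type and origin first.
	if typeof(coin) ~= "Instance" or not coin:IsA("BasePart") then return false end
	if coin.Parent ~= coinsFolder then return false end -- unknown or already collected

	-- Per-player rate limit
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then return false end
	lastRequest[player] = now

	-- Plausibility check against server-side positions
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return false end
	return (root.Position - coin.Position).Magnitude <= MAX_DISTANCE
end

collectCoin.OnServerEvent:Connect(function(player, coin)
	if not isValidRequest(player, coin) then return end
	local stats = player:FindFirstChild("leaderstats")
	local money = stats and stats:FindFirstChild("Money")
	if not money then return end

	coin:Destroy() -- one coin, one reward
	money.Value = money.Value + COIN_VALUE
	rewardGranted:FireClient(player, COIN_VALUE) -- notification only, for the client's UI
end)
```

With this shape the remote's name and arguments can be fully visible to the client, because a forged call can at most claim a coin the player was already close enough to collect.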
TimeTicks
|
  |
| Joined: 27 Apr 2011 |
| Total Posts: 27115 |
|
|
| 12 Jan 2017 05:27 PM |
String Encryption is stupid and a waste of time. If you are seriously paranoid just set up a key database for each player who joins the game. If their 'hash' key is different from the one received, then kick them.
Besides, proper server verification is literally all you need anyways. So many people are paranoid it's ridiculous.
|
| 12 Jan 2017 05:27 PM |
"At some point along the line (in this HYPOTHETICAL situation) the client will have to tell the server to reward the client."
Nope
|