Ozzypig
|
  |
| Joined: 27 Mar 2008 |
| Total Posts: 4906 |
|
|
| 26 Mar 2012 09:50 AM |
In the sticky, a lot of players have been going off on a tangent about protecting your scripts from prying eyes by various means.
One of the means described is to use loadstring() and have bytecode in your script to load it and run the code. Another was to use _G and stuff functions in that, then remove the script that did the stuffing.
ITT we talk about making sure that if a place were stolen in any way, how you would protect the code. Also, the pros/cons of each method of doing so. |
|
Ozzypig
|
  |
| Joined: 27 Mar 2008 |
| Total Posts: 4906 |
|
|
| 26 Mar 2012 09:57 AM |
Compiling scripts to bytecode for use in loadstring:
pros:
- No source is left in the place, ever (guaranteed protection of code)
- Pretty much impossible to edit
- Takes no major editing of source code if you do it automatically
cons:
- You have to keep a copy of the source to edit it
- Hard to debug if used in development version
- Should only be used in final, non-development copies of places
- Goes out of date with changes in Lua versions (but can be re-compiled to be updated)
- Admins are being needlessly and blatantly encouraged to remove this
Using _G/shared stuffing to remove scripts:
pros:
- No source is left in the place after the first few seconds of loading
- No scripts are even in the place
cons:
- You can use string.dump() to get bytecode of the functions stuffed anyways
- You have to edit your code a lot for this to work
- If something goes awry, you could lose your code
- Hard to do run-time debugging if used in development copy
- Source is available in the place before any script is run
|
|
| 26 Mar 2012 02:43 PM |
| Manual (or automatic) name obfuscation & program restructuring is a possibility. Has anyone written one for Lua? |
|
|
| 26 Mar 2012 03:15 PM |
"Takes no major editing of source code if you do it automatically"
Huh..
You _CAN'T_ do it automatically, lol?
I mean, you can indeed compile it and remove the source from the chunk name, but it's not like you can remove the debugging information...
"You can use string.dump() to get bytecode of the functions stuffed anyways"
Not with Cheat Engine. And you need to know how the system works. Besides, it's not that simple, you need to create a server script that will replicate to the server, get the source from _G and then bring it to the client. It's more complicated than you'd think.
"You have to edit your code a lot for this to work"
Not if you make a nice system for it to work.
"Hard to do run-time debugging if used in development copy"
What? I totally disagree! It makes debugging FAR easier than using bytecode!
"Source is available in the place before any script is run"
Unless some user somehow has access to ROBLOX's databases, that changes nothing. Who cares that the source is available there? The only thing that changes is that the ROBLOX admins have access to your place's source code. |
|
Ozzypig
|
  |
| Joined: 27 Mar 2008 |
| Total Posts: 4906 |
|
|
| 26 Mar 2012 05:33 PM |
"Huh..
You _CAN'T_ do it automatically, lol?"
Using plugins, yes, you could do this by making a button that obfuscates all code in a place. That place is the one you upload, while you yourself keep the good code.
"Not with Cheat Engine. And you need to know how the system works. Besides, it's not that simple, you need to create a server script that will replicate to the server, get the source from _G and then bring it to the client. It's more complicated than you'd think."
Assuming that the client has full view and control of everything that is replicated to them, they could steal anything potentially. Even though it is a "worst-case" situation, using bytecode will prevent it regardless.
"Not if you make a nice system for it to work."
I'm talking about pre-existing code, it takes much more work than just a precompilation plugin described earlier.
"What? I totally disagree! It makes debugging FAR easier than using bytecode!"
In actuality you should not debug anything in a production copy of a place. Debugging should be done in a development copy. Either way, debugging implementing either method is harder than having the source.
"Unless some user somehow has access to ROBLOX's databases, that changes nothing. Who cares that the source is available there? The only thing that changes is that the ROBLOX admins have access to your place's source code."
...You would not have to worry about that if it wasn't there at all? It may be a worst-case scenario, but still - how cautious could you get?
I challenge you to make a system that allows a place to begin running without the original code used to program it. That means that if your place is to print("Hello, world"), that exact line could not be in the place itself. |
|
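Added example, not code from any poster in this thread: a check, on a stock Lua interpreter outside ROBLOX, of what text from a script is still readable in its string.dump() output, covering the chunk-name and debug-information points argued above. The sample script, the "=place" chunk name and the helper names are constructed for illustration.

```lua
-- Added example; run with a stock Lua interpreter, not inside ROBLOX.
local compile = loadstring or load  -- loadstring on 5.1, load on 5.2+

-- Constructed sample standing in for a place script.
local source = [[
local ownerCheckPassed = true
print("Hello, world")
]]

-- Plain-text (non-pattern) search of a bytecode string.
local function contains(bytecode, text)
  return bytecode:find(text, 1, true) ~= nil
end

-- Compile the sample under a chunk name and report which pieces of the
-- original text are still readable in the string.dump() output.
local function audit(chunkname)
  local fn = assert(compile(source, chunkname))
  local bytecode = string.dump(fn)
  return {
    full_source    = contains(bytecode, source),
    string_literal = contains(bytecode, "Hello, world"),
    local_name     = contains(bytecode, "ownerCheckPassed"),
  }
end

-- nil chunk name: the source text itself becomes the chunk name and is
-- written into the dump. "=place" (assumed name) replaces it.
for _, case in ipairs({ { "default", nil }, { "renamed", "=place" } }) do
  local r = audit(case[2])
  print(case[1], "full source:", r.full_source,
        "literal:", r.string_literal, "local name:", r.local_name)
end
```

With the default chunk name the whole source text is embedded in the dump. Replacing the chunk name removes that copy, but the string constant and the local variable's name (debug information) remain readable, so anyone auditing a "bytecode-only" place should treat the dump as disclosing them.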
Ozzypig
|
  |
| Joined: 27 Mar 2008 |
| Total Posts: 4906 |
|
|
| 26 Mar 2012 05:35 PM |
Forgot this...
@Blue, Yes, I did make a plugin for it but I have not released it. It does what I describe in my earlier post - it recurses the game for all scripts and obfuscates each one.
And also: bytecode is the only obfuscation method that allows you to distribute a model but not have the source changed, yet still have it work the way you programmed it to. Apply the concept of models to places, and boom, a perfectly legitimate argument for keeping the functionality of loadstring() the same. |
|
|
| 26 Mar 2012 06:19 PM |
"Using plugins, yes, you could do this by making a button that obfuscates all code in a place. That place is the one you upload, while you yourself keep the good code."
Unless you rewrite a big part of the Lua compiler in Lua or write your own thingy to do it, you can't remove the debugging information.
"Assuming that the client has full view and control of everything that is replicated to them, they could steal anything potentially. Even though it is a "worst-case" situation, using bytecode will prevent it regardless."
Huh.. No. Using bytecode won't prevent the exploiters from stealing the bytecode. And by that, we were talking about stealing the bytecode.
"I'm talking about pre-existing code, it takes much more work than just a precompilation plugin described earlier."
Just like you can make a plugin to obfuscate the code, you can easily make one to apply this to the code..
"...You would not have to worry about that if it wasn't there at all?"
Why would I worry about the admins possibly taking the source of my place from their servers and releasing it publicly?
"It may be a worst-case scenario, but still - how cautious could you get?"
In a logical way. Seriously, I don't think the admins are going to take the source code of your place and release it publicly. As for a hacker getting access to the ROBLOX database, trust me, if that ever happened, he wouldn't bother about your place, he would probably bother more about all the accounts he could steal and all the private information he could leak or sell to a company.
"And also: bytecode is the only obfuscation method that allows you to distribute a model but not have the source changed, yet still have it work the way you programmed it to."
Indeed, there is no way to prevent the stealing of models. But what's wrong with models being stolen? Models that are free to take are also called by ROBLOX as "public domain models"... Models that you release for free are meant to be just models you're giving away to the community so they do whatever they want with them. If you want the model to stay private, then just don't release it to the community. |
|
|
| 26 Mar 2012 06:20 PM |
| btw, crazyman32 released something to obfuscate your scripts using my method: http://www.roblox.com/Protecting-Your-Scripts-item?id=75823914 |
|
Sorcus
|
  |
| Joined: 29 Nov 2010 |
| Total Posts: 3775 |
|
|
| 26 Mar 2012 06:38 PM |
Actually Julien covered everything that I wanted to say, nevermind.
~Sorcus |
|
MrNicNac
|
  |
| Joined: 29 Aug 2008 |
| Total Posts: 26567 |
|
|
| 26 Mar 2012 06:49 PM |
The whole point of dumping your functions with coding was to prevent the cheap little thieves who have no experience in scripting and like to play as a puppet.
If someone gets the source from a pre-compiled chunk, then I say let them have it. They won a bit of source code. |
|
Legend26
|
  |
| Joined: 08 Sep 2008 |
| Total Posts: 10586 |
|
|
| 26 Mar 2012 07:18 PM |
"Unless you rewrite a big part of the Lua compiler in Lua or write your own thingy to do it, you can't remove the debugging information."
Who cares about the debug info? If they're smart enough to figure out how to decompile it then they deserve the code. |
|
Legend26
|
  |
| Joined: 08 Sep 2008 |
| Total Posts: 10586 |
|
|
| 26 Mar 2012 07:18 PM |
| And then I read MNN's post.... |
|
|
| 26 Mar 2012 07:21 PM |
| I was referring to /non/ bytecode obfuscation. Obfuscation that would still work when they nuke loadstring due to security vulnerabilities in 5.2. |
|
Varp
|
  |
| Joined: 18 Nov 2009 |
| Total Posts: 5333 |
|
|
| 26 Mar 2012 07:32 PM |
| Even if there were a real threat of someone taking your scripts, what they want is the function; they're really not interested in the source. If you obfuscate it, so be it, but it doesn't actually get in the way of someone stealing it. |
|
|
| 26 Mar 2012 07:36 PM |
@Varp
Well, if you add something to it that checks if you're the owner of the place, they won't be able to remove it... |
|
ZackZak
|
  |
| Joined: 26 Jul 2009 |
| Total Posts: 2811 |
|
|
| 26 Mar 2012 08:43 PM |
What if we make a plugin that takes code and outputs it all on one line with the following tweaks:
- complete renaming of variables/functions A1, A2, A3, etc
- condense everything
- a function that checks if the place the script is in is yours or a copy
|
|
| 26 Mar 2012 08:47 PM |
@ZackZak
And don't forget to remove comments too! |
|
|
| 26 Mar 2012 09:03 PM |
Other than checking if the creatorid is right, there isn't much you can do. People can copy-paste your scripts without so much as reading them, it won't even matter if you write your code in brainfreeze as long as it functions.
The biggest issue for me is how to hide the "check if the creatorid is right" code, because any semi-competent person would be able to locate and delete it if it's a discrete function. |
|
|
| 26 Mar 2012 09:05 PM |
| Would it work if you uploaded the script as a model, then your place insert-service'd it in? The model would be private so nobody can take it, and if they steal the entire place they won't have privileges to insert it. |
|
ZackZak
|
  |
| Joined: 26 Jul 2009 |
| Total Posts: 2811 |
|
|
| 27 Mar 2012 01:10 AM |
To hide the creator ID stuff just check it really secretly.
|
ZackZak
|
  |
| Joined: 26 Jul 2009 |
| Total Posts: 2811 |
|
|
| 27 Mar 2012 01:10 AM |
| The way Person299 adds himself to every copy of his admin commands and no-one notices. :P |
|
BenBonez
|
  |
| Joined: 29 Aug 2008 |
| Total Posts: 19362 |
|
|
| 27 Mar 2012 06:51 AM |
@ZackZak
Although it's rather obvious if you actually bother reading through the script. |
|
Oysi
|
  |
| Joined: 06 Jul 2009 |
| Total Posts: 9058 |
|
| |
|
Alkan
|
  |
| Joined: 04 Dec 2008 |
| Total Posts: 907 |
|
|
| 27 Mar 2012 07:33 PM |
If I had to protect my place from script thieves, I'd write a converter that transforms letters/numbers/characters into random things (that only the converter understands), and then put the result of that in a global function (ex loadstring(_G.deconvert(csource)))
|
Oysi
|
  |
| Joined: 06 Jul 2009 |
| Total Posts: 9058 |
|
| |
|